aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

Intermittent "conflicting conditional operation" error when applying bucket policy #1954

Open carlhester opened 4 months ago

carlhester commented 4 months ago

Name of the resource

AWS::S3::BucketPolicy

Resource Name

No response

Issue Description

When deploying a CloudFormation stack containing a custom bucket policy for a bucket that is used for VPC Flow Logs, or Route 53 Resolver Query Logs, the deployment will occasionally fail on the bucket policy resource with an error such as

Resource handler returned message: "A conflicting conditional operation is currently in progress against this resource. Please try again. (Service: S3, Status Code: 409, Request ID: <REDACTED>, Extended Request ID: <REDACTED>)" (RequestToken: <REDACTED>, HandlerErrorCode: GeneralServiceException)

We have deployed this configuration over 3500 times across 2500+ accounts and have encountered this error in roughly 4% of attempts. Our fix is to delete the stack and retry with no changes, which usually works.

I suspect this is due to both VPC Flow and R53 RQLC attempting to add their own automatic configurations to the bucket while CloudFormation is attempting to attach the provided bucket policy.

Here is a sample cfn we have used to reproduce this issue with a VPC Flow configuration. cfn.json

The event in CloudFormation with the failure error message is for the "VpcFlowS3BucketPolicy" resource.

Expected Behavior

The provided custom bucket policy should apply without the S3 "conflicting conditional operation" error.

Observed Behavior

The error "A conflicting conditional operation is currently in progress against this resource. Please try again." is returned in a small percentage of cases.

Test Cases

The attached cfn.json file was deployed approximately 20 times and failed twice with this error.

Other Details

This error message is often cited as being related to creating a bucket with the same name as a recently deleted bucket. This does not apply in our case, since the bucket name is generated to be unique each time and we have observed that the bucket creates successfully; it's the policy that causes the error.

carlhester commented 4 months ago

After some more testing, I noticed that if I force the BucketPolicy to depend on the VPCFlowLog, then the stack fails on BucketPolicy creation with an error stating that "The bucket policy already exists on bucket mystack-vpcflows3bucket-4wwpr0qnugzm."

        "VpcFlowS3BucketPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "DependsOn": "VPCFlowLog",

If I change the order and force the VPCFlowLog to depend on the BucketPolicy, I have not yet encountered the failure.

        "VPCFlowLog": {
            "Type": "AWS::EC2::FlowLog",
            "DependsOn": "VpcFlowS3BucketPolicy",
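
The ordering described in the comment above (the flow log depends on the bucket policy, never the reverse) is something a template linter can check and enforce before a deploy, so the 409 race and the "bucket policy already exists" failure are both caught at review time rather than in 4% of stack creations. The Python below is an added example; it is not code from this issue, from the attached cfn.json, or from the CloudFormation project. The embedded template is constructed for the example, and the names `find_ordering_problems`, `enforce_ordering` and the helpers are assumptions chosen here. It resolves the flow log's `LogDestination` back to the bucket's logical id (handling `Fn::GetAtt` and `Fn::Sub` forms), finds every `AWS::S3::BucketPolicy` attached to that bucket, and walks `DependsOn` transitively to decide whether the ordering is safe, inverted, or missing.

```python
"""Check and enforce flow-log / bucket-policy ordering in a CloudFormation template.

Added example: not part of the issue, the attached cfn.json, or CloudFormation itself.
"""
from __future__ import annotations

import copy
import json
import re
from typing import Any, Iterator, Optional

# Constructed sample template (not the cfn.json attached to the issue): a VPC Flow
# Log writing to an S3 bucket that also carries a custom policy, with no DependsOn
# between the policy and the flow log. This is the racy shape from the report.
RACY_TEMPLATE: dict[str, Any] = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {"VpcId": {"Type": "AWS::EC2::VPC::Id"}},
    "Resources": {
        "VpcFlowS3Bucket": {"Type": "AWS::S3::Bucket"},
        "VpcFlowS3BucketPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "Bucket": {"Ref": "VpcFlowS3Bucket"},
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Sid": "DenyInsecureTransport",
                        "Effect": "Deny",
                        "Principal": "*",
                        "Action": "s3:*",
                        "Resource": [
                            {"Fn::GetAtt": ["VpcFlowS3Bucket", "Arn"]},
                            {"Fn::Sub": "${VpcFlowS3Bucket.Arn}/*"},
                        ],
                        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
                    }],
                },
            },
        },
        "VPCFlowLog": {
            "Type": "AWS::EC2::FlowLog",
            "Properties": {
                "ResourceType": "VPC",
                "ResourceId": {"Ref": "VpcId"},
                "TrafficType": "ALL",
                "LogDestinationType": "s3",
                "LogDestination": {"Fn::GetAtt": ["VpcFlowS3Bucket", "Arn"]},
            },
        },
    },
}


def _depends_on(resource: dict[str, Any]) -> set[str]:
    """DependsOn may be a single string or a list; normalise to a set."""
    dep = resource.get("DependsOn", [])
    return {dep} if isinstance(dep, str) else set(dep)


def _transitive_deps(resources: dict[str, Any], logical_id: str) -> set[str]:
    """All logical ids that `logical_id` (transitively) declares DependsOn for."""
    seen: set[str] = set()
    stack = list(_depends_on(resources[logical_id]))
    while stack:
        dep = stack.pop()
        if dep not in seen:
            seen.add(dep)
            stack.extend(_depends_on(resources.get(dep, {})))
    return seen


def _bucket_of_destination(dest: Any) -> Optional[str]:
    """Resolve the bucket logical id from a LogDestination intrinsic (GetAtt or Sub)."""
    if isinstance(dest, dict):
        if "Fn::GetAtt" in dest:
            att = dest["Fn::GetAtt"]  # ["Bucket", "Arn"] or "Bucket.Arn"
            return att[0] if isinstance(att, list) else att.split(".")[0]
        if "Fn::Sub" in dest:
            sub = dest["Fn::Sub"]  # "${Bucket.Arn}" or ["...", {vars}]
            text = sub if isinstance(sub, str) else sub[0]
            match = re.search(r"\$\{(\w+)(?:\.Arn)?\}", text)
            return match.group(1) if match else None
    return None


def _flow_log_policy_pairs(resources: dict[str, Any]) -> Iterator[tuple[str, str]]:
    """Yield (flow_log_id, policy_id) for every S3 flow log whose bucket has a custom policy."""
    policies_by_bucket: dict[str, list[str]] = {}
    for lid, res in resources.items():
        if res.get("Type") == "AWS::S3::BucketPolicy":
            bucket = res.get("Properties", {}).get("Bucket")
            if isinstance(bucket, dict) and "Ref" in bucket:
                policies_by_bucket.setdefault(bucket["Ref"], []).append(lid)
    for lid, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::FlowLog" and props.get("LogDestinationType") == "s3":
            bucket = _bucket_of_destination(props.get("LogDestination"))
            for policy in policies_by_bucket.get(bucket or "", []):
                yield lid, policy


def find_ordering_problems(template: dict[str, Any]) -> list[str]:
    """Report flow logs that race with, or are inverted against, their bucket policy."""
    resources = template["Resources"]
    problems: list[str] = []
    for flow_log, policy in _flow_log_policy_pairs(resources):
        if flow_log in _transitive_deps(resources, policy):
            problems.append(f"{policy} depends on {flow_log}: S3 will reject the policy as already existing")
        elif policy not in _transitive_deps(resources, flow_log):
            problems.append(f"{flow_log} does not depend on {policy}: the flow log and the custom policy can race on the bucket")
    return problems


def enforce_ordering(template: dict[str, Any]) -> dict[str, Any]:
    """Return a copy where every S3 flow log declares DependsOn for its bucket policy."""
    fixed = copy.deepcopy(template)
    resources = fixed["Resources"]
    for flow_log, policy in list(_flow_log_policy_pairs(resources)):
        # Skip inverted cases: adding the reverse edge would create a dependency cycle.
        if policy not in _transitive_deps(resources, flow_log) and flow_log not in _transitive_deps(resources, policy):
            resources[flow_log]["DependsOn"] = sorted(_depends_on(resources[flow_log]) | {policy})
    return fixed


if __name__ == "__main__":
    for line in find_ordering_problems(RACY_TEMPLATE):
        print("problem:", line)
    print(json.dumps(enforce_ordering(RACY_TEMPLATE)["Resources"]["VPCFlowLog"], indent=2))
```

Running it against a real template is a matter of `json.load`-ing the file into `find_ordering_problems`; the same pairing logic applies to a Route 53 Resolver query-log resource if you extend `_flow_log_policy_pairs` to match that resource type and its destination property.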