aws-controllers-k8s / community

AWS Controllers for Kubernetes (ACK) is a project enabling you to manage AWS services from Kubernetes
https://aws-controllers-k8s.github.io/community/
Apache License 2.0
2.43k stars, 256 forks

S3 Controller - repeat reconciling #2070

Open stefanmcshane opened 6 months ago

stefanmcshane commented 6 months ago

Describe the bug When updating the bucket policy of an S3 bucket, the reconciler applies the change continuously. This was flagged by our CloudWatch alarms. The apply was successful from ACK; however, ACK continuously tries to apply what should be a no-op change.

Steps to reproduce

  1. Create S3 Bucket with policy
  2. Add a deny statement
  3. See changes applied every reconcile period

Expected outcome No-op after first apply

Environment

The following is the policy that was applied, where we only added the 3rd statement entry. The previous policy only contained the first 2 statements. Removing the 3rd statement afterwards continues to trigger the CloudWatch alarm.

        "bucketPolicy": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "s3:GetBucketAcl",
                    "Condition": {
                        "StringEquals": {
                            "aws:SourceArn": "arn:aws:cloudtrail:us-east-1:XXXXX:trail/trail-UID"
                        }
                    },
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "cloudtrail.amazonaws.com"
                    },
                    "Resource": "arn:aws:s3:::aws-cloudtrail-logs-UID",
                    "Sid": "AWSCloudTrailAclCheck20150319"
                },
                {
                    "Action": "s3:PutObject",
                    "Condition": {
                        "StringEquals": {
                            "aws:SourceArn": "arn:aws:cloudtrail:us-east-1:XXXXXX:trail/trail-UID",
                            "s3:x-amz-acl": "bucket-owner-full-control"
                        }
                    },
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "cloudtrail.amazonaws.com"
                    },
                    "Resource": "arn:aws:s3:::aws-cloudtrail-logs-UID/AWSLogs/XXXXXX/*",
                    "Sid": "AWSCloudTrailWrite20150319"
                },
                {
                    "Action": "s3:PutObject",
                    "Condition": {
                        "StringNotEquals": {
                            "s3:x-amz-server-side-encryption": "AES256"
                        }
                    },
                    "Effect": "Deny",
                    "Principal": "*",
                    "Resource": "arn:aws:s3:::aws-cloudtrail-logs-UID/*",
                    "Sid": "enforce-encryption-method"
                }
            ]
        },
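The issue does not state why the reconciler keeps re-applying the policy. One frequent cause of this kind of loop in a controller is that the desired policy document and the one read back from the service are compared byte-for-byte, while the service returns an equivalent document in a different shape (different key or statement order, `"Action": "x"` versus `"Action": ["x"]`, `"Principal": "*"` versus `{"AWS": "*"}`). The Go program below is an added example, not ACK's own code, showing a semantic comparison that treats such documents as equal while still detecting a real change such as the Deny statement being weakened to Allow. The sample policies, `desiredPolicy`, `observedPolicy` and `weakenedPolicy`, are constructed for the example and are not a record of what S3 returned in this report; the set of keys treated as single-value-or-list is a simplification of the IAM grammar (condition values, for instance, are left untouched).

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed sample: the policy as a user might write it in a Bucket spec.
const desiredPolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "enforce-encryption-method", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    {"Sid": "AWSCloudTrailAclCheck20150319", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::example-bucket"}
  ]
}`

// Constructed sample: the same policy in an equivalent but differently shaped form
// (reordered keys and statements, list-form Action/Resource, explicit Principal map).
const observedPolicy = `{"Statement":[{"Action":"s3:GetBucketAcl","Effect":"Allow","Principal":{"Service":["cloudtrail.amazonaws.com"]},"Resource":["arn:aws:s3:::example-bucket"],"Sid":"AWSCloudTrailAclCheck20150319"},{"Action":["s3:PutObject"],"Condition":{"StringNotEquals":{"s3:x-amz-server-side-encryption":"AES256"}},"Effect":"Deny","Principal":{"AWS":"*"},"Resource":"arn:aws:s3:::example-bucket/*","Sid":"enforce-encryption-method"}],"Version":"2012-10-17"}`

// Constructed sample: a real drift, the encryption Deny weakened to Allow.
const weakenedPolicy = `{"Version":"2012-10-17","Statement":[{"Sid":"enforce-encryption-method","Effect":"Allow","Principal":"*","Action":"s3:PutObject","Resource":"arn:aws:s3:::example-bucket/*","Condition":{"StringNotEquals":{"s3:x-amz-server-side-encryption":"AES256"}}},{"Sid":"AWSCloudTrailAclCheck20150319","Effect":"Allow","Principal":{"Service":"cloudtrail.amazonaws.com"},"Action":"s3:GetBucketAcl","Resource":"arn:aws:s3:::example-bucket"}]}`

// multiValued lists policy keys whose value may be a single string or a list of
// strings; both forms are normalized to a list. Hypothetical subset for this example.
var multiValued = map[string]bool{
	"Action": true, "NotAction": true, "Resource": true, "NotResource": true,
	"AWS": true, "Service": true, "Federated": true, "CanonicalUser": true,
}

// normalize rewrites a decoded policy value into a canonical shape. key is the
// JSON key the value sits under ("" for list elements).
func normalize(v interface{}, key string) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		out := make(map[string]interface{}, len(t))
		for k, val := range t {
			// "Principal": "*" is shorthand for {"AWS": "*"}.
			if k == "Principal" || k == "NotPrincipal" {
				if s, ok := val.(string); ok {
					val = map[string]interface{}{"AWS": s}
				}
			}
			out[k] = normalize(val, k)
		}
		return out
	case []interface{}:
		items := make([]interface{}, len(t))
		for i, e := range t {
			items[i] = normalize(e, "")
		}
		// Statement order and action/resource order carry no meaning, so sort
		// elements by their canonical encoding.
		sort.Slice(items, func(i, j int) bool {
			a, _ := json.Marshal(items[i])
			b, _ := json.Marshal(items[j])
			return string(a) < string(b)
		})
		return items
	case string:
		if multiValued[key] {
			return []interface{}{t}
		}
		return t
	default:
		return t
	}
}

// canonicalPolicy returns a normalized JSON encoding of a policy document.
// encoding/json emits map keys in sorted order, so key order is removed too.
func canonicalPolicy(doc string) (string, error) {
	var v interface{}
	if err := json.Unmarshal([]byte(doc), &v); err != nil {
		return "", err
	}
	b, err := json.Marshal(normalize(v, ""))
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// policiesEqual is the comparison a reconciler would use to decide whether a
// PutBucketPolicy call is actually needed.
func policiesEqual(a, b string) (bool, error) {
	ca, err := canonicalPolicy(a)
	if err != nil {
		return false, err
	}
	cb, err := canonicalPolicy(b)
	if err != nil {
		return false, err
	}
	return ca == cb, nil
}

func main() {
	fmt.Println("byte-equal:", desiredPolicy == observedPolicy)
	eq, err := policiesEqual(desiredPolicy, observedPolicy)
	if err != nil {
		panic(err)
	}
	fmt.Println("semantically equal:", eq)
	eq, _ = policiesEqual(desiredPolicy, weakenedPolicy)
	fmt.Println("equal to weakened policy:", eq)
}
```

A naive `desiredPolicy == observedPolicy` check is false and would trigger a PutBucketPolicy on every reconcile, which is exactly the alarm-generating pattern described above; the canonical comparison reports the two as equal while still flagging `weakenedPolicy`, so drift in the statement that enforces server-side encryption is not masked by the normalization.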
ack-bot commented 1 week ago

Issues go stale after 180d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 60d of inactivity and eventually close. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle stale