cfn-sphere/cfn-sphere

cf sync hanging for s3 bucket policy

dchetwynd opened this issue · 1 comment

Hi,

I'm running cfn-sphere 0.1.35 on Mac OS X 10.11.6. I have the following single stack template that creates an S3 bucket and a policy for that bucket:

AWSTemplateFormatVersion: '2010-09-09'
Description: S3 bucket and policy to test hanging behaviour
Resources:
  hangS3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: '|ref|AWS::StackName'
  hangS3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: '|ref|hangS3Bucket'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          -
            Action:
              - 's3:GetObject'
            Effect: 'Allow'
            Resource:
              Fn::Join:
                - ""
                -
                  - "arn:aws:s3:::"
                  - '|ref|hangS3Bucket'
                  - "/*"
            Principal: '*'

When I run this with cf sync, the s3 bucket is created in about 30 seconds, but then the bucket policy hangs for 9 minutes 30 seconds until timing out.

If I modify the template slightly to be:

AWSTemplateFormatVersion: '2010-09-09'
Description: S3 bucket and policy to test hanging behaviour
Resources:
  hangS3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: '|ref|AWS::StackName'
  hangS3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: '|ref|hangS3Bucket'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          -
            Action:
              - 's3:GetObject'
            Effect: 'Allow'
            Resource:
              Fn::Join:
                - ""
                -
                  - "arn:aws:s3:::"
                  -
                    Ref: "hangS3Bucket"
                  - "/*"
            Principal: '*'

then there is no hanging at all, with the S3 bucket and the bucket policy being created in 37 seconds.

The only difference between these two templates is that the first uses '|ref|hangS3Bucket' within an Fn::Join statement inside the bucket policy document resource and the second uses Ref: "hangS3Bucket" instead.

Does using the '|ref|resource_id' style of referencing cause hanging behaviour within an Fn::Join statement? Running the first stack template does not give any errors about invalid template syntax, but merely runs for 10 minutes with no output after "hangS3BucketPolicy: CREATE_IN_PROGRESS:" and then times out.

There is a bug in the template transformation code which leads to ignored "|something|" macros if they are wrapped in a list of lists. This produces an unmodified |Ref|value value in the resulting template JSON, which seems to be a problem for some services not failing early.
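An added example in Python, not cfn-sphere's own code: a walker that reproduces the list-of-lists failure mode described in the comment beside a corrected walker, plus a pre-flight check that reports any macro left unresolved before the template reaches CloudFormation. Both walkers, `find_unresolved`, and the restriction to the `|ref|` form are constructed here; the sample input is the `hangS3BucketPolicy` properties from the first template above.

```python
def _macro(value):
    """Expand the '|ref|name' shorthand used in the templates above."""
    if value.lower().startswith("|ref|"):
        return {"Ref": value[len("|ref|"):]}
    return value


def transform_naive(node):
    """Walker with the failure mode the comment describes (constructed here,
    not cfn-sphere's code): list items that are themselves lists are copied
    through untouched, so a macro inside Fn::Join's value list survives."""
    if isinstance(node, dict):
        return {k: transform_naive(v) for k, v in node.items()}
    if isinstance(node, list):
        return [transform_naive(i) if isinstance(i, (dict, str)) else i for i in node]
    return _macro(node) if isinstance(node, str) else node


def transform_fixed(node):
    """Corrected walker: recurse into every container, whatever its depth."""
    if isinstance(node, dict):
        return {k: transform_fixed(v) for k, v in node.items()}
    if isinstance(node, list):
        return [transform_fixed(i) for i in node]
    return _macro(node) if isinstance(node, str) else node


def find_unresolved(node, path="$"):
    """List locations of any '|...|' macro still present in a transformed
    template, so a leftover is rejected locally instead of hanging in AWS."""
    if isinstance(node, dict):
        return [p for k, v in node.items() for p in find_unresolved(v, f"{path}.{k}")]
    if isinstance(node, list):
        return [p for n, v in enumerate(node) for p in find_unresolved(v, f"{path}[{n}]")]
    if isinstance(node, str) and node.startswith("|") and node.count("|") >= 2:
        return [f"{path} = {node!r}"]
    return []


# Properties of hangS3BucketPolicy, taken from the first template in the issue.
POLICY_PROPERTIES = {
    "Bucket": "|ref|hangS3Bucket",
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
        "Action": ["s3:GetObject"], "Effect": "Allow", "Principal": "*",
        "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", "|ref|hangS3Bucket", "/*"]]},
    }]},
}

if __name__ == "__main__":
    print(find_unresolved(transform_naive(POLICY_PROPERTIES)))  # one leftover macro
    print(find_unresolved(transform_fixed(POLICY_PROPERTIES)))  # []
```

The top-level `Bucket` macro is expanded by both walkers; only the one nested inside the `Fn::Join` list survives the naive pass, matching the behaviour reported above.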