WebAppS3BucketPolicy fails as of April 2023 #47

Open
vzaluckis opened this issue Apr 22, 2023 · 2 comments
Comments

@vzaluckis

Hi.
I am facing an issue trying to deploy a full-stack serverless application that used to work to another AWS account. The error is

```
Error:
CREATE_FAILED: WebAppS3BucketPolicy (AWS::S3::BucketPolicy)
API: s3:PutBucketPolicy Access Denied
```

I have spent some time trying to understand what's going on, and found these articles:

I tried creating a simple CloudFormation stack with just a bucket and a policy, made sure the Block Public Access setting is turned off for my IAM account and the Root account, and the template failed with the same error! Inspecting the created bucket I see that despite all the account settings it still has a Block Public Access setting on by default!

I believe the resource template and the policy preparation code must be changed to specify this setting explicitly for the app bucket. Can you do this? I have several projects depending on fullstack-serverless; it will be very unfortunate if I am no longer able to deploy them.

Thanks in advance!

@vzaluckis
Author

For anyone interested in a quick workaround, I have implemented a custom plugin that you add to the end of your plugins list. It fixes the policy creation problem for now, but I believe it is still not a solution, but rather a workaround.

```javascript
"use strict";

class FixS3PublicAccessPlugin {
  constructor(serverless) {
    this.error = serverless.classes.Error;
    this.serverless = serverless;

    // Runs after the other plugins have added their resources to the compiled
    // template, which is why this plugin must come last in the plugins list.
    this.hooks = {
      'before:aws:package:finalize:mergeCustomProviderResources': this.fixAppBucketPublicAccess.bind(this)
    };
  }

  fixAppBucketPublicAccess() {
    const baseResources = this.serverless.service.provider.compiledCloudFormationTemplate;
    // `custom` may be absent from serverless.yml, so guard it as well.
    const isSinglePageApp = !!this.serverless.service.custom?.fullstack?.singlePageApp;

    if (!isSinglePageApp) {
      const bucketConfigProps = baseResources.Resources?.WebAppS3Bucket?.Properties;
      if (!bucketConfigProps)
        throw new this.error("WebAppS3Bucket resource is not defined. Move this plugin lower in the plugins list.");

      this.serverless.cli.log(`Fixing WebApp bucket access ...`);

      // Explicitly turns off all four S3 Block Public Access settings on the
      // app bucket so that the public bucket policy can be attached to it.
      bucketConfigProps.PublicAccessBlockConfiguration = {
        BlockPublicAcls: false,
        BlockPublicPolicy: false,
        IgnorePublicAcls: false,
        RestrictPublicBuckets: false
      };
    }

    return baseResources;
  }
}

module.exports = FixS3PublicAccessPlugin;
```
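
An added example, not part of the comments above or of the plugin's code: a pre-deploy check over a compiled CloudFormation template that reports public bucket policies the target bucket's Block Public Access settings would reject, and flags ACL protections that were switched off alongside them. The function names, finding labels and sample policy are assumptions, and the "public" test is a simplified heuristic.

```javascript
// Added example, not the plugin's code. "Public" here is a simplified heuristic:
// an Allow statement whose Principal is "*" or { AWS: "*" }; Conditions are ignored.
function isPublicStatement(stmt) {
  if (stmt.Effect !== 'Allow') return false;
  const p = stmt.Principal;
  if (p === '*') return true;
  const aws = p && p.AWS;
  return aws === '*' || (Array.isArray(aws) && aws.includes('*'));
}

function auditPublicBucketPolicies(template) {
  const resources = template.Resources || {};
  const findings = [];
  for (const [policyId, res] of Object.entries(resources)) {
    if (res.Type !== 'AWS::S3::BucketPolicy') continue;
    const props = res.Properties || {};
    const stmts = [].concat(props.PolicyDocument?.Statement || []);
    if (!stmts.some(isPublicStatement)) continue;
    const bucketId = props.Bucket?.Ref ?? null; // only { Ref: ... } targets are resolved
    const bucket = bucketId ? resources[bucketId] : undefined;
    if (!bucket || bucket.Type !== 'AWS::S3::Bucket') {
      findings.push({ policyId, bucketId, issue: 'bucket-not-in-template' });
      continue;
    }
    const pab = bucket.Properties?.PublicAccessBlockConfiguration || {};
    // Assumption: an omitted setting is enabled, as the issue reports for new buckets.
    const enabled = (key) => pab[key] !== false;
    if (enabled('BlockPublicPolicy')) {
      findings.push({ policyId, bucketId, issue: 'put-bucket-policy-will-be-denied' });
    } else if (enabled('RestrictPublicBuckets')) {
      findings.push({ policyId, bucketId, issue: 'public-access-still-restricted' });
    }
    // ACL settings do not affect bucket policies; report them for separate review.
    const aclOff = ['BlockPublicAcls', 'IgnorePublicAcls'].filter((k) => !enabled(k));
    if (aclOff.length) findings.push({ policyId, bucketId, issue: 'acl-protections-disabled', settings: aclOff });
  }
  return findings;
}

// Constructed sample: resource names are from the issue, the policy body is made up.
const publicPolicy = { Statement: [{ Effect: 'Allow', Principal: '*',
  Action: 's3:GetObject', Resource: 'arn:aws:s3:::example-bucket/*' }] };
const sampleTemplate = { Resources: {
  WebAppS3Bucket: { Type: 'AWS::S3::Bucket', Properties: {} },
  WebAppS3BucketPolicy: { Type: 'AWS::S3::BucketPolicy',
    Properties: { Bucket: { Ref: 'WebAppS3Bucket' }, PolicyDocument: publicPolicy } },
} };
console.log(auditPublicBucketPolicies(sampleTemplate));
```

Run against the workaround's output, the check reports only `acl-protections-disabled`, since a policy-based public bucket depends on `BlockPublicPolicy` and `RestrictPublicBuckets` rather than on the two ACL settings.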

@sc0ttdav3y

I started using this plugin in December 2023 and I expected to see this, but for me it's working without the need for any workaround.
