❗ NOTICE (ses-actions): AmazonSimpleEmailService; Status Code: 400; Error Code: InvalidS3Configuration, S3 ReceiptRule cannot be created #30143
Comments
Hi @Zetten, thanks for reaching out. I am able to repro this error while deploying with CDK 2.141. But I noticed this PR caused changes in S3 policy in CDK 2.139 which might have led to the error being seen here.
Let me know if deploying with CDK 2.138 also works for you.
Hi @khushail, 2.138 does not work for me, but I found another workaround by creating the bucket somewhere else, then use
to apply to the S3 action
I'm seeing the same issue, rolling back to 2.138.0 addresses the issue for me. I'm creating the bucket in the same stack as my receipt rules. I wonder if a way to inhibit the automatic policy being created would help here? Or deferring whatever test checks that S3 is able to be written to until after the bucket policy is set. Though I think this is an SES API so that might not be possible.
Hi @khushail, thanks for the suggestion. For me downgrading to Our project adopted a slightly different workaround from @CZhang1997, although still using a separate stack - we create the ruleset and bucket, and manually create a bucket policy which allows a wildcard of I agree with @sudoplatform-engineering's suggestion that being able to disable the policy creation should allow other workarounds with manual dependency ordering (as well as custom policies in general), but (perhaps naively) it feels like it should be possible with the implicit creation.
At our side, just as for @sudoplatform-engineering, downgrading to
We see the same bug on our side. Downgrading to
Seeing the same issue. I downgraded from
Downgrading is a "workaround", not a fix. It locks you on a specific version.
chore: notice for aws/aws-cdk#30143
### Issue # (if applicable)
Closes #[30143](#30143).
### Reason for this change
Fix the below deployment failure

Deployment fails with a Could not write to bucket error:
```
1:36:13 PM | CREATE_FAILED | AWS::SES::ReceiptRule | TestRuleSetStoreToBucketRule3E41D5CF
Could not write to bucket: reprosess3rulestack-testemailstoref58b593c-dxh45g1m3y6b (Service: AmazonSimpleEmailService; Status Code: 400; Error Code: InvalidS3Configuration; Request ID: 817f5520-748b-4bae-b347-ec68df52b675; Proxy: null)
```
This PR reverts the changes introduced in PR #29833
### Description of changes
This PR reverts the change that was made in CDK v2.139.0 to reduce overly broad permissions allocated to SES for the S3 receipt rule action. This resulted in deployment failure where SES is unable to write to s3 bucket.
### Description of how you validated changes
Dry-run for integration tests
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Update
We've merged the revert PR (Reference here) to fix this issue, this will be released as part of version
Closing Notes
Fix released in version https://github.com/aws/aws-cdk/releases/tag/v2.143.1
Please add your +1 👍 to let us know you have encountered this
Status: 'IN-PROGRESS'
Describe the bug
When calling `IReceiptRuleSet.addRule` with an S3 action it doesn't seem possible to deploy the rule.
Expected Behavior
The receipt rule with S3 action is added to the requested ruleset.
Current Behavior
Deployment fails with a `Could not write to bucket` error:
Reproduction Steps
I've created a reproducing project here: https://github.com/Zetten/repro-ses-s3-rule
The S3 bucket is set up with my project's defaults, but the error is identical without any other props, i.e. it fails even if I set no encryption, versioning, lifecycle rules.
The relevant call to `addRule`:
Possible Solution
The same error is received in the AWS SES console when adding a receipt rule without having previously set up the access policy.
Therefore the problem may be related to resource ordering - the S3 BucketPolicy is perhaps not created before the ReceiptRule. I note that this sounds very similar to #3726 which was resolved some years ago. The S3 action seems to carry the required policy itself, so perhaps it's a missing dependency?
Additional Information/Context
The issue does not seem explicitly related to the use of an existing ReceiptRuleSet (i.e. `ReceiptRuleSet.fromReceiptRuleSetName`) - the same error is observed when creating a new one with `const receiptRuleSet = new ses.ReceiptRuleSet(this, 'StoreToBucketRuleSet');`.
Additionally, manually setting a dependency as mentioned in #3726 via:
fails due to a circular dependency (even with `autoDeleteObjects: false`):
or
CDK CLI Version
2.141.0 (build 3d1c06e)
Related Issues:
#29811
Framework Version
No response
Node.js Version
18.20.2
OS
Linux
Language
TypeScript
Language Version
TypeScript (5.4.5)
Other information
No response
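The ordering hypothesis under "Possible Solution" can be checked against a synthesized template before deploying. The following is an added example, not code from the issue or from the CDK project: the function names and the sample template are constructed for illustration, and it tests the hypothesis only, not a confirmed root cause.

```typescript
// Lint a synthesized CloudFormation template: every SES receipt rule with an S3
// action should have a direct DependsOn edge to a bucket policy that lets SES write.
// All names are hypothetical; only direct DependsOn entries are followed.
interface Resource { Type: string; DependsOn?: string | string[]; Properties?: any }
type Template = { Resources: { [logicalId: string]: Resource } };

const asArray = (v: any): any[] => (v === undefined ? [] : Array.isArray(v) ? v : [v]);
// A bucket is referenced either by literal name or by { Ref: logicalId }.
const bucketKey = (b: any): string => (typeof b === 'string' ? b : b.Ref);

// Logical IDs of bucket policies on `bucket` that allow SES to call s3:PutObject.
function sesWritePolicies(t: Template, bucket: string): string[] {
  return Object.keys(t.Resources).filter((id) => {
    const r = t.Resources[id];
    if (r.Type !== 'AWS::S3::BucketPolicy' || bucketKey(r.Properties.Bucket) !== bucket) return false;
    return asArray(r.Properties.PolicyDocument.Statement).some((s) =>
      s.Effect === 'Allow' &&
      asArray(s.Principal?.Service).indexOf('ses.amazonaws.com') >= 0 &&
      asArray(s.Action).some((a) => a === 's3:PutObject' || a === 's3:*'));
  });
}

// Receipt rules with an S3 action but no DependsOn edge to such a policy.
function unorderedS3ReceiptRules(t: Template): string[] {
  return Object.keys(t.Resources).filter((id) => {
    const r = t.Resources[id];
    if (r.Type !== 'AWS::SES::ReceiptRule') return false;
    const deps = asArray(r.DependsOn);
    return asArray(r.Properties?.Rule?.Actions).some((act) =>
      act.S3Action !== undefined &&
      !sesWritePolicies(t, bucketKey(act.S3Action.BucketName)).some((p) => deps.indexOf(p) >= 0));
  });
}

// Constructed template: RuleA is ordered after the policy, RuleB is not.
const sesPut = { Effect: 'Allow', Principal: { Service: 'ses.amazonaws.com' },
  Action: 's3:PutObject', Resource: { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['Store', 'Arn'] }, '/*']] } };
const rule = (dependsOn?: string): Resource => ({
  Type: 'AWS::SES::ReceiptRule', DependsOn: dependsOn,
  Properties: { RuleSetName: 'example-set',
    Rule: { Enabled: true, Actions: [{ S3Action: { BucketName: { Ref: 'Store' } } }] } } });
const SAMPLE: Template = { Resources: {
  Store: { Type: 'AWS::S3::Bucket' },
  StorePolicy: { Type: 'AWS::S3::BucketPolicy',
    Properties: { Bucket: { Ref: 'Store' }, PolicyDocument: { Statement: [sesPut] } } },
  RuleA: rule('StorePolicy'),
  RuleB: rule(),
} };

console.log(unorderedS3ReceiptRules(SAMPLE)); // [ 'RuleB' ]
```

A rule flagged here can be created before the bucket policy exists, which is the condition under which the issue reports SES rejecting the rule.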