CloudFormation stack deployment fails intermittently when adding a bucket policy (PutBucketPolicy) and EventBridge notifications (PutBucketNotification) to an S3 bucket with CDK due to a race condition.
Received response status [FAILED] from custom resource. Message returned: Error: An error occurred (OperationAborted) when calling the PutBucketNotificationConfiguration operation: A conflicting conditional operation is currently in progress against this resource. Please try again.. See the details in CloudWatch Log Stream: 2023/10/17/[$LATEST]9f69597966xxxxa8449646270045 (RequestId: 2xx08c-74ad-4317-8a30-83xxxf2dc9)
Below is my CDK code using the S3 Bucket construct with eventBridgeEnabled: true and adding the policy after creating the bucket.
```typescript
export class S3Bucket extends s3.Bucket {
  constructor(scope: Construct, id: string, props: S3BucketProperties) {
    super(scope, id, {
      ...props,
      removalPolicy: cdk.RemovalPolicy.DESTROY,
      encryption: s3.BucketEncryption.KMS,
      encryptionKey: props.encryptionKey,
      eventBridgeEnabled: true,
    });
  }
}

this.s3Bucket = new S3Bucket(this, 'bucket', {
  encryptionKey,
});

this.s3Bucket.addToResourcePolicy(
  createS3BucketSSLRequestsOnlyPolicyStatement(
    this.s3Bucket.bucketArn
  )
);
```
Any fix or workaround for this issue?
There is an open issue on the cdk git with policy and notification conflicts. Although the issue is still open, there is a workaround for your specific use case.
This comment provides the full code sample. The important part is that you add a dependency between your notifications and your bucket policy, so the notifications will only be added once the policy has finished being added.