Add depends_on for bucket encryption (nebari-dev#2615)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
MetroStar · Aug 8, 2024 · 7c61dd6 · 7c61dd6
1 parent a65ff53
commit 7c61dd6
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 16 deletions.
diff --git a/src/_nebari/stages/infrastructure/template/aws/modules/s3/main.tf b/src/_nebari/stages/infrastructure/template/aws/modules/s3/main.tf
@@ -17,6 +17,14 @@ resource "aws_s3_bucket" "main" {
   }, var.tags)
 }
 
+resource "aws_s3_bucket_public_access_block" "main" {
+  bucket                  = aws_s3_bucket.main.id
+  ignore_public_acls      = true
+  block_public_acls       = true
+  block_public_policy     = true
+  restrict_public_buckets = true
+}
+
 resource "aws_s3_bucket_server_side_encryption_configuration" "main" {
   bucket = aws_s3_bucket.main.id
 
@@ -26,12 +34,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "main" {
       sse_algorithm     = "aws:kms"
     }
   }
-}
-
-resource "aws_s3_bucket_public_access_block" "main" {
-  bucket                  = aws_s3_bucket.main.id
-  ignore_public_acls      = true
-  block_public_acls       = true
-  block_public_policy     = true
-  restrict_public_buckets = true
+  // AWS may return HTTP 409 if PutBucketEncryption is called immediately after S3
+  // bucket creation. Adding dependency avoids concurrent requests.
+  depends_on = [aws_s3_bucket_public_access_block.main]
 }
diff --git a/src/_nebari/stages/terraform_state/template/aws/modules/terraform-state/main.tf b/src/_nebari/stages/terraform_state/template/aws/modules/terraform-state/main.tf
@@ -20,6 +20,14 @@ resource "aws_s3_bucket" "terraform-state" {
   }
 }
 
+resource "aws_s3_bucket_public_access_block" "terraform-state" {
+  bucket                  = aws_s3_bucket.terraform-state.id
+  ignore_public_acls      = true
+  block_public_acls       = true
+  block_public_policy     = true
+  restrict_public_buckets = true
+}
+
 resource "aws_s3_bucket_server_side_encryption_configuration" "terraform-state" {
   bucket = aws_s3_bucket.terraform-state.id
 
@@ -29,14 +37,9 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "terraform-state"
       sse_algorithm     = "aws:kms"
     }
   }
-}
-
-resource "aws_s3_bucket_public_access_block" "terraform-state" {
-  bucket                  = aws_s3_bucket.terraform-state.id
-  ignore_public_acls      = true
-  block_public_acls       = true
-  block_public_policy     = true
-  restrict_public_buckets = true
+  # // AWS may return HTTP 409 if PutBucketEncryption is called immediately after S3
+  # bucket creation. Adding dependency avoids concurrent requests.
+  depends_on = [aws_s3_bucket_public_access_block.terraform-state]
 }
 
 resource "aws_dynamodb_table" "terraform-state-lock" {