From 7c61dd60ffac8abf923b82f777b5b761d5cdeb52 Mon Sep 17 00:00:00 2001
From: "Vinicius D. Cerutti" <51954708+viniciusdc@users.noreply.github.com>
Date: Thu, 8 Aug 2024 13:05:16 -0300
Subject: [PATCH] Add `depends_on` for bucket encryption (#2615)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
---
 .../template/aws/modules/s3/main.tf | 19 +++++++++++--------
 .../aws/modules/terraform-state/main.tf | 19 +++++++++++--------
 2 files changed, 22 insertions(+), 16 deletions(-)

diff --git a/src/_nebari/stages/infrastructure/template/aws/modules/s3/main.tf b/src/_nebari/stages/infrastructure/template/aws/modules/s3/main.tf
index 54167d3ce..1af76c8a0 100644
--- a/src/_nebari/stages/infrastructure/template/aws/modules/s3/main.tf
+++ b/src/_nebari/stages/infrastructure/template/aws/modules/s3/main.tf
@@ -17,6 +17,14 @@ resource "aws_s3_bucket" "main" {
 }, var.tags)
 }
 
+resource "aws_s3_bucket_public_access_block" "main" {
+ bucket = aws_s3_bucket.main.id
+ ignore_public_acls = true
+ block_public_acls = true
+ block_public_policy = true
+ restrict_public_buckets = true
+}
+
 resource "aws_s3_bucket_server_side_encryption_configuration" "main" {
 bucket = aws_s3_bucket.main.id
 
@@ -26,12 +34,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "main" {
 sse_algorithm = "aws:kms"
 }
 }
-}
-
-resource "aws_s3_bucket_public_access_block" "main" {
- bucket = aws_s3_bucket.main.id
- ignore_public_acls = true
- block_public_acls = true
- block_public_policy = true
- restrict_public_buckets = true
+ // AWS may return HTTP 409 if PutBucketEncryption is called immediately after S3
+ // bucket creation. Adding dependency avoids concurrent requests.
+ depends_on = [aws_s3_bucket_public_access_block.main]
 }
diff --git a/src/_nebari/stages/terraform_state/template/aws/modules/terraform-state/main.tf b/src/_nebari/stages/terraform_state/template/aws/modules/terraform-state/main.tf
index dccf229cc..2931f153b 100644
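Review bot: The comment added above `depends_on` in the second hunk of s3/main.tf says the 409 comes from calling PutBucketEncryption right after bucket creation, but the dependency it explains is on `aws_s3_bucket_public_access_block.main`, so what the line actually does is serialize two writes to the same bucket's configuration. I would reword it to `// S3 may return HTTP 409 when bucket settings are written concurrently; apply the public access block first, then encryption.` so the edge is not later removed as redundant. Other sub-resources of this bucket defined outside the hunk, if any, would presumably race in the same way and are not covered by this chain. The same comment wording is added in the second hunk of terraform-state/main.tf. The encryption resource opens before this hunk, so its `rule` block is only partly visible.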
--- a/src/_nebari/stages/terraform_state/template/aws/modules/terraform-state/main.tf
+++ b/src/_nebari/stages/terraform_state/template/aws/modules/terraform-state/main.tf
@@ -20,6 +20,14 @@ resource "aws_s3_bucket" "terraform-state" {
 }
 }
 
+resource "aws_s3_bucket_public_access_block" "terraform-state" {
+ bucket = aws_s3_bucket.terraform-state.id
+ ignore_public_acls = true
+ block_public_acls = true
+ block_public_policy = true
+ restrict_public_buckets = true
+}
+
 resource "aws_s3_bucket_server_side_encryption_configuration" "terraform-state" {
 bucket = aws_s3_bucket.terraform-state.id
 
@@ -29,14 +37,9 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "terraform-state"
 sse_algorithm = "aws:kms"
 }
 }
-}
-
-resource "aws_s3_bucket_public_access_block" "terraform-state" {
- bucket = aws_s3_bucket.terraform-state.id
- ignore_public_acls = true
- block_public_acls = true
- block_public_policy = true
- restrict_public_buckets = true
+ # // AWS may return HTTP 409 if PutBucketEncryption is called immediately after S3
+ # bucket creation. Adding dependency avoids concurrent requests.
+ depends_on = [aws_s3_bucket_public_access_block.terraform-state]
 }
 
 resource "aws_dynamodb_table" "terraform-state-lock" {
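Review bot: The comment added before `depends_on` in the last hunk opens with `# //` on its first line and `#` on its second, mixing both HCL comment markers, while the s3 module writes the same comment with `//`; use one marker, e.g. `# AWS may return HTTP 409 if PutBucketEncryption is called immediately after S3`. Because this bucket stores Terraform state, note also that a failed apply of `aws_s3_bucket_public_access_block.terraform-state` now leaves the `aws:kms` encryption configuration unapplied in that run. It seems worth confirming that the stage aborts before any state is written to the bucket in that case. The encryption resource begins outside the hunk.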