chore(assets): make error less ominous (#18067)

rix0rrr · web-flow · commit 60cf9607ef06 · 2021-12-17T13:26:22.000Z
`cdk-assets` tries to opportunistically read the bucket's encryption
settings and mirror those out into the `PutObject` call, so that a
commonly-used SCP can confirm that there are no unencryped uploads
to S3 buckets, ever. When this read-out fails, we print an error
message at `debug` severity to let users know what's up.

Unfortunately, the error message was very scary and makes users
wonder what is going on:

&gt; Why do I get a debug: ACCES_DENIED error there? Is it a problem?
&gt;
&gt; ```
&gt; verbose: [0%] debug: ACCES_DENIED for getting encryption of bucket
&gt; 'cdk-hnb659fds-assets-111111111111-us-east-1'. Either wrong account
&gt; 111111111111 or s3:GetEncryptionConfiguration not set for cdk role. Try
&gt; "cdk bootstrap" again.
&gt; ```

Make the error message more clearly indicate that this is a failure
in an opportunistic code path and there's no direct action required:

```
Could not read encryption settings of bucket
'cdk-hnb659fds-assets-111111111111-us-east-1': uploading with default
settings ("cdk bootstrap" to version 9 if your organization's policies
prevent a successful upload or to get rid of this message).
```


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/cdk-assets/lib/private/handlers/files.ts b/packages/cdk-assets/lib/private/handlers/files.ts
@@ -62,7 +62,7 @@ export class FileAssetHandler implements IAssetHandler {
         this.host.emitMessage(EventType.DEBUG, `No bucket named '${destination.bucketName}'. Is account ${await account()} bootstrapped?`);
         break;
       case BucketEncryption.ACCES_DENIED:
-        this.host.emitMessage(EventType.DEBUG, `ACCES_DENIED for getting encryption of bucket '${destination.bucketName}'. Either wrong account ${await account()} or s3:GetEncryptionConfiguration not set for cdk role. Try "cdk bootstrap" again.`);
+        this.host.emitMessage(EventType.DEBUG, `Could not read encryption settings of bucket '${destination.bucketName}': uploading with default settings ("cdk bootstrap" to version 9 if your organization's policies prevent a successful upload or to get rid of this message).`);
         break;
     }
 
diff --git a/packages/cdk-assets/test/files.test.ts b/packages/cdk-assets/test/files.test.ts
@@ -244,9 +244,6 @@ test('no server side encryption header if access denied for bucket encryption',
   expect(aws.mockS3.upload).toHaveBeenCalledWith(expect.not.objectContaining({
     ServerSideEncryption: 'AES256',
   }));
-
-  // Error message references target_account, not current_account
-  expect(progressListener.messages).toContainEqual(expect.stringMatching(/ACCES_DENIED.*target_account/));
 });
 
 test('correctly looks up content type', async () => {

Original file line number	Diff line number	Diff line change
`@@ -62,7 +62,7 @@ export class FileAssetHandler implements IAssetHandler {`
`62`	`62`	this.host.emitMessage(EventType.DEBUG, `No bucket named '${destination.bucketName}'. Is account ${await account()} bootstrapped?`);
`63`	`63`	`break;`
`64`	`64`	`case BucketEncryption.ACCES_DENIED:`
`65`		- this.host.emitMessage(EventType.DEBUG, `ACCES_DENIED for getting encryption of bucket '${destination.bucketName}'. Either wrong account ${await account()} or s3:GetEncryptionConfiguration not set for cdk role. Try "cdk bootstrap" again.`);
	`65`	+ this.host.emitMessage(EventType.DEBUG, `Could not read encryption settings of bucket '${destination.bucketName}': uploading with default settings ("cdk bootstrap" to version 9 if your organization's policies prevent a successful upload or to get rid of this message).`);
`66`	`66`	`break;`
`67`	`67`	`}`
`68`	`68`