|
1 | 1 | import * as iam from '@aws-cdk/aws-iam';
|
2 | 2 | import * as logs from '@aws-cdk/aws-logs';
|
3 | 3 | import * as s3 from '@aws-cdk/aws-s3';
|
4 |
| -import { IResource, PhysicalName, RemovalPolicy, Resource, FeatureFlags, Stack } from '@aws-cdk/core'; |
| 4 | +import { IResource, PhysicalName, RemovalPolicy, Resource, FeatureFlags, Stack, CfnResource } from '@aws-cdk/core'; |
5 | 5 | import { S3_CREATE_DEFAULT_LOGGING_POLICY } from '@aws-cdk/cx-api';
|
6 | 6 | import { Construct } from 'constructs';
|
7 | 7 | import { CfnFlowLog } from './ec2.generated';
|
@@ -252,7 +252,6 @@ class S3Destination extends FlowLogDestination {
|
252 | 252 | encryption: s3.BucketEncryption.UNENCRYPTED,
|
253 | 253 | removalPolicy: RemovalPolicy.RETAIN,
|
254 | 254 | });
|
255 |
| - |
256 | 255 | } else {
|
257 | 256 | s3Bucket = this.props.s3Bucket;
|
258 | 257 | }
|
@@ -690,6 +689,18 @@ export class FlowLog extends FlowLogBase {
|
690 | 689 | logDestination,
|
691 | 690 | });
|
692 | 691 |
|
| 692 | + // VPC service implicitly tries to create a bucket policy when adding a vpc flow log. |
| 693 | + // To avoid the race condition, we add an explicit dependency here. |
| 694 | + if (this.bucket?.policy?.node.defaultChild instanceof CfnResource) { |
| 695 | + flowLog.addDependency(this.bucket?.policy.node.defaultChild); |
| 696 | + } |
| 697 | + |
| 698 | + // we must remove a flow log configuration first before deleting objects. |
| 699 | + const deleteObjects = this.bucket?.node.tryFindChild('AutoDeleteObjectsCustomResource')?.node.defaultChild; |
| 700 | + if (deleteObjects instanceof CfnResource) { |
| 701 | + flowLog.addDependency(deleteObjects); |
| 702 | + } |
| 703 | + |
693 | 704 | this.flowLogId = flowLog.ref;
|
694 | 705 | this.node.defaultChild = flowLog;
|
695 | 706 | }
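Review bot: The first guard re-evaluates `this.bucket?.policy.node.defaultChild` inside the branch instead of binding it once, so the `instanceof` narrowing from the condition does not carry over and the inner `?.` is redundant; the second block already uses the `const deleteObjects` pattern, so the two should match: `const bucketPolicy = this.bucket?.policy?.node.defaultChild;` / `if (bucketPolicy instanceof CfnResource) {` / `flowLog.addDependency(bucketPolicy);`. Both dependencies are only captured for children that exist when this constructor runs, so a bucket policy or auto-delete resource attached to the bucket afterwards, or an imported bucket whose `policy` is undefined, presumably gets no dependency and the ordering the comments promise does not hold — worth stating in the comment so callers know to configure the bucket before creating the flow log. The lookup by the literal child id `'AutoDeleteObjectsCustomResource'` couples this module to an internal construct id from the s3 package and will silently stop adding the dependency if that id changes; a comment naming where the id comes from, or a shared constant, would make that coupling visible. The enclosing constructor starts outside the hunk.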
|