
S3 Delete Bucket Contents Extension fails to delete versioned buckets #270

Open
pbneamtu opened this issue Feb 28, 2025 · 0 comments
Labels
question Further information is requested

Comments

@pbneamtu

The AWS CloudFormation extension AwsCommunity-S3-DeleteBucketContents is not working as expected when trying to delete S3 buckets with versioning enabled. After reviewing the extension's code, it appears to have logic for handling versioned buckets, but the functionality isn't working in practice.

Current Behavior

  • The extension successfully deletes contents of non-versioned buckets
  • When attempting to delete a versioned bucket, the operation fails with the error:
    "The bucket you tried to delete is not empty. You must delete all versions in the bucket."

Investigation Done

  • I've reviewed the extension's code which appears to include logic for handling bucket versions
  • The IAM role includes the necessary s3:ListBucketVersions permission
  • Despite this, the versioned bucket deletion is not working as expected

Expected Behavior

The extension should be able to delete all contents, including all versions of objects, from an S3 bucket before deletion.

Configuration Used

"s3deletebucketextenion": {
  "Type": "AWS::CloudFormation::TypeActivation",
  "Properties": {
    "Type": "RESOURCE",
    "PublicTypeArn": {
      "Fn::Sub": "arn:aws:cloudformation:${AWS::Region}::type/resource/c830e97710da0c9954d80ba8df021e5439e7134b/AwsCommunity-S3-DeleteBucketContents"
    },
    "ExecutionRoleArn": "${RoleArn}",
    "AutoUpdate": true
  }
}

IAM Permissions

The extension is configured with the following permissions:

{
  "Effect": "Allow",
  "Action": [
    "s3:DeleteObject",
    "s3:GetBucketTagging",
    "s3:ListBucket",
    "s3:ListBucketVersions",
    "s3:PutBucketTagging",
    "cloudformation:ListExports"
  ],
  "Resource": "*"
}

Questions

  1. Is this a known limitation of the extension?
  2. Could this be a version mismatch issue between the code and the deployed extension?
  3. Are there any additional configurations needed to enable version deletion?
  4. Are additional permissions required that aren't documented?

Environment

  • Latest version of the AWS CloudFormation extension
@pbneamtu pbneamtu added the question Further information is requested label Feb 28, 2025
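The failure mode described in this issue (delete calls that leave versions behind, so the bucket still reports "not empty") comes down to two things a purge routine must do on a versioned bucket: page through ListObjectVersions with both KeyMarker and VersionIdMarker, and delete every entry by its VersionId, delete markers included. A DeleteObject without a VersionId on a versioned bucket only adds another delete marker. The example below is added here and is not the AwsCommunity extension's code; it assumes a boto3-style client exposing list_object_versions and delete_objects, and stands in a constructed in-memory fake for the real S3 client so it runs offline. The fake also enforces that version-specific deletes need s3:DeleteObjectVersion, which S3 requires separately from s3:DeleteObject and which is absent from the permission list quoted above; whether that is the cause in the reporter's environment is something the page does not establish.

```python
"""Purge every object version and delete marker from a versioned S3 bucket.

Added example; not code from the AwsCommunity-S3-DeleteBucketContents
extension. Works against any boto3-style client that provides
list_object_versions() and delete_objects(); a constructed fake is used here.
"""
from typing import Dict, FrozenSet, List, Tuple

BATCH = 1000  # DeleteObjects accepts at most 1000 keys per request


def purge_all_versions(client, bucket: str) -> int:
    """Delete all Versions and DeleteMarkers in `bucket`; return the count deleted.

    Deleting by VersionId is what removes data: a DeleteObject without a
    VersionId on a versioned bucket only creates a new delete marker.
    """
    deleted = 0
    kwargs: Dict[str, str] = {"Bucket": bucket}
    while True:
        page = client.list_object_versions(**kwargs)
        entries: List[Dict[str, str]] = [
            {"Key": e["Key"], "VersionId": e["VersionId"]}
            for e in page.get("Versions", []) + page.get("DeleteMarkers", [])
        ]
        for i in range(0, len(entries), BATCH):
            chunk = entries[i:i + BATCH]
            resp = client.delete_objects(
                Bucket=bucket, Delete={"Objects": chunk, "Quiet": True}
            )
            # Quiet mode suppresses per-key successes, so any "Errors" entry
            # (e.g. AccessDenied on s3:DeleteObjectVersion) must be surfaced.
            if resp.get("Errors"):
                raise RuntimeError(f"delete failed: {resp['Errors']}")
            deleted += len(chunk)
        if not page.get("IsTruncated"):
            return deleted
        # Both markers are needed to resume: keys may carry many versions.
        kwargs["KeyMarker"] = page["NextKeyMarker"]
        kwargs["VersionIdMarker"] = page["NextVersionIdMarker"]


class FakeVersionedBucket:
    """Constructed stand-in for an S3 client over one versioned bucket.

    `allowed_actions` is a hypothetical knob modelling the IAM policy the
    client's role carries; it is not an S3 or boto3 parameter.
    """

    def __init__(self, versions: List[Tuple[str, str]],
                 delete_markers: List[Tuple[str, str]],
                 page_size: int = 2,
                 allowed_actions: FrozenSet[str] = frozenset()):
        # Each entry is (key, version_id, is_delete_marker).
        self.entries = [(k, v, False) for k, v in versions] + \
                       [(k, v, True) for k, v in delete_markers]
        self.page_size = page_size
        self.allowed = allowed_actions

    def list_object_versions(self, Bucket, KeyMarker=None, VersionIdMarker=None):
        ordered = sorted(self.entries)
        if KeyMarker is not None:
            ordered = [e for e in ordered if (e[0], e[1]) > (KeyMarker, VersionIdMarker)]
        page, rest = ordered[:self.page_size], ordered[self.page_size:]
        resp = {
            "Versions": [{"Key": k, "VersionId": v} for k, v, m in page if not m],
            "DeleteMarkers": [{"Key": k, "VersionId": v} for k, v, m in page if m],
            "IsTruncated": bool(rest),
        }
        if rest:
            resp["NextKeyMarker"], resp["NextVersionIdMarker"] = page[-1][0], page[-1][1]
        return resp

    def delete_objects(self, Bucket, Delete):
        errors = []
        for obj in Delete["Objects"]:
            # A version-specific delete is authorised by s3:DeleteObjectVersion,
            # not by s3:DeleteObject.
            if "VersionId" in obj and "s3:DeleteObjectVersion" not in self.allowed:
                errors.append({"Key": obj["Key"], "VersionId": obj["VersionId"],
                               "Code": "AccessDenied"})
                continue
            self.entries = [e for e in self.entries
                            if (e[0], e[1]) != (obj["Key"], obj["VersionId"])]
        return {"Errors": errors} if errors else {}


def remaining(client: FakeVersionedBucket) -> int:
    """Number of versions plus delete markers still in the fake bucket."""
    return len(client.entries)


if __name__ == "__main__":
    # Constructed sample bucket: three versions and one delete marker.
    sample = ([("a.txt", "v1"), ("a.txt", "v2"), ("b.txt", "v1")], [("a.txt", "v3")])
    full = FakeVersionedBucket(*sample, allowed_actions=frozenset(
        {"s3:DeleteObject", "s3:DeleteObjectVersion"}))
    print("deleted", purge_all_versions(full, "bkt"), "remaining", remaining(full))
```

Running the block with a role that carries only s3:DeleteObject makes purge_all_versions raise on the first batch and leaves every version in place, which is the symptom worth checking for (via the delete_objects Errors list or CloudTrail AccessDenied events) before suspecting the listing logic itself.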