Skip to content

fix: enable node-fips compatible body checksums for S3#31883

Merged
mergify[bot] merged 3 commits intomainfrom
mrgrain/fix/fips-config
Oct 24, 2024
Merged

fix: enable node-fips compatible body checksums for S3#31883
mergify[bot] merged 3 commits intomainfrom
mrgrain/fix/fips-config

Conversation

@mrgrain
Copy link
Copy Markdown
Contributor

@mrgrain mrgrain commented Oct 24, 2024
edited
Loading

Issue # (if applicable)

Internal reference: D166315367

Reason for this change

In FIPS enabled environments, the MD5 algorithm is not available for use in crypto module.
However by default the S3 client is using an MD5 checksum for content integrity checking.
This causes any S3 upload operation to fail with a cryptography error.

Description of changes

We are disabling the S3 content checksums, and are re-enabling the regular SigV4 body signing.
SigV4 uses SHA256 for their content checksum. This configuration matches the default behavior
of the AWS SDKv3 and is a safe choice for all users.

Description of how you validated changes

For non-FIPS users, we have verified functionality via cli-integ-tests.
For FIPS users, we have manually verified cdk deploy is now working in a FIPS enabled environment.
We have also verified the configuration with the affected customer.

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@mrgrain mrgrain added the pr/do-not-merge This PR should not be merged at this time. label Oct 24, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team October 24, 2024 13:46
@github-actions github-actions bot added the p2 label Oct 24, 2024
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Oct 24, 2024
aws-cdk-automation
aws-cdk-automation previously requested changes Oct 24, 2024
View reviewed changes
Copy link
Copy Markdown
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@aws-cdk-automation aws-cdk-automation added the pr/needs-cli-test-run This PR needs CLI tests run against it. label Oct 24, 2024
@mrgrain mrgrain added pr-linter/exempt-test The PR linter will not require test changes pr-linter/exempt-integ-test The PR linter will not require integ test changes and removed pr/needs-cli-test-run This PR needs CLI tests run against it. labels Oct 24, 2024
@aws-cdk-automation aws-cdk-automation added the pr/needs-cli-test-run This PR needs CLI tests run against it. label Oct 24, 2024
@mrgrain mrgrain force-pushed the mrgrain/fix/fips-config branch from d822edb to 340879e Compare October 24, 2024 15:31
@mrgrain mrgrain marked this pull request as ready for review October 24, 2024 15:42
@mrgrain mrgrain removed the pr/do-not-merge This PR should not be merged at this time. label Oct 24, 2024
@aws-cdk-automation
Copy link
Copy Markdown
Collaborator

aws-cdk-automation commented Oct 24, 2024

➡️ PR build request submitted to test-main-pipeline ⬅️

A maintainer must now check the pipeline and add the pr-linter/cli-integ-tested label once the pipeline succeeds.

@mrgrain mrgrain added the pr-linter/cli-integ-tested Assert that any CLI changes have been integ tested label Oct 24, 2024
@aws-cdk-automation aws-cdk-automation dismissed their stale review October 24, 2024 18:10

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@aws-cdk-automation aws-cdk-automation removed the pr/needs-cli-test-run This PR needs CLI tests run against it. label Oct 24, 2024
@mergify
Copy link
Copy Markdown
Contributor

mergify bot commented Oct 24, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Copy Markdown
Collaborator

aws-cdk-automation commented Oct 24, 2024

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: fea19a6
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 4f29c1d into main Oct 24, 2024
@mergify mergify bot deleted the mrgrain/fix/fips-config branch October 24, 2024 18:44
@mergify
Copy link
Copy Markdown
Contributor

mergify bot commented Oct 24, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Oct 24, 2024

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 24, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@rix0rrr rix0rrr rix0rrr approved these changes

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

Assignees

No one assigned

Labels

contribution/core This is a PR that came from AWS. p2 pr-linter/cli-integ-tested Assert that any CLI changes have been integ tested pr-linter/exempt-integ-test The PR linter will not require integ test changes pr-linter/exempt-test The PR linter will not require test changes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mrgrain @aws-cdk-automation @rix0rrr