fix: CloudFormation timeout if $AWS_ENDPOINT_URL_S3 is set during cdk deploy (#933)

rix0rrr · web-flow · commit 5effc9f1f6c8 · 2025-11-14T09:37:10.000Z
The CLI asks the SDK for the URL to an S3 bucket, in order to pass it to CloudFormation. CloudFormation will then attempt to contact S3 on that URL in order to download the template. A feature of the the SDK is to respect the `$AWS_ENDPOINT_URL_S3` environment variable, which can be used to override the S3 endpoint that the SDK will hit; you might use this if you have private VPC endpoints for a number of AWS services. The problem arises that `$AWS_ENDPOINT_URL_S3` also affects the URL that the CDK CLI passes to CloudFormation. This will most likely be an endpoint that is not routable for CloudFormation like `https://vpce-xxx.s3.us-east-1.vpce.amazonaws.com`, and CloudFormation will time out waiting for the template download. To get around this, we will temporarily unset `$AWS_ENDPOINT_URL_S3` for the duration of calling the SDK to provide us with a URL. --- By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
diff --git a/packages/@aws-cdk/toolkit-lib/lib/api/cloudformation/template-body-parameter.ts b/packages/@aws-cdk/toolkit-lib/lib/api/cloudformation/template-body-parameter.ts
@@ -99,9 +99,21 @@ export async function makeBodyParameter(
  *
  * Replaces environment placeholders (which this field may contain),
  * and reformats s3://.../... urls into S3 REST URLs (which CloudFormation
- * expects)
+ * expects).
+ *
+ * We need to return the official region- and partition-specific URL for AWS S3
+ * here, so we use the SDK's information about endpoints. At the same time, the
+ * SDK allows overriding this URL by setting an environment variable
+ * (specifically $AWS_ENDPOINT_URL_S3) but we want to *not* honor that, because
+ * there's a 99.9% chance this URL will not be routable from AWS CloudFormation.
+ *
+ * To allow for the off chance that someone is running this tool against a
+ * custom build of CloudFormation that does need a specific S3 endpoint passed
+ * to it, we'll introduce a new environment variable that we'll respect instead:
+ *
+ *  AWS_ENDPOINT_URL_S3_FOR_CLOUDFORMATION
  */
-async function restUrlFromManifest(url: string, environment: Environment): Promise<string> {
+export async function restUrlFromManifest(url: string, environment: Environment): Promise<string> {
   const doNotUseMarker = '**DONOTUSE**';
   const region = environment.region;
   // This URL may contain placeholders, so still substitute those.
@@ -127,13 +139,26 @@ async function restUrlFromManifest(url: string, environment: Environment): Promi
   const bucketName = s3Url[1];
   const objectKey = s3Url[2];
 
-  // SDK v3 no longer allows for getting endpoints from only region.
-  // A command and client config must now be provided.
-  const s3 = new S3Client({ region });
-  const endpoint = await getEndpointFromInstructions({}, HeadObjectCommand, {
-    ...s3.config,
-  });
-  endpoint.url.hostname;
+  const originalOverrideS3Endpoint = process.env.AWS_ENDPOINT_URL_S3;
+  setEnv('AWS_ENDPOINT_URL_S3', process.env.AWS_ENDPOINT_URL_S3_FOR_CLOUDFORMATION);
+  try {
+    // SDK v3 no longer allows for getting endpoints from only region.
+    // A command and client config must now be provided.
+    const s3 = new S3Client({ region });
+    const endpoint = await getEndpointFromInstructions({}, HeadObjectCommand, {
+      ...s3.config,
+    });
+
+    return `${endpoint.url.origin}/${bucketName}/${objectKey}`;
+  } finally {
+    setEnv('AWS_ENDPOINT_URL_S3', originalOverrideS3Endpoint);
+  }
+}
 
-  return `${endpoint.url.origin}/${bucketName}/${objectKey}`;
+function setEnv(name: string, value: string | undefined) {
+  if (value) {
+    process.env[name] = value;
+  } else {
+    delete process.env[name];
+  }
 }
diff --git a/packages/@aws-cdk/toolkit-lib/test/api/cloudformation/template-body-parameter.test.ts b/packages/@aws-cdk/toolkit-lib/test/api/cloudformation/template-body-parameter.test.ts
@@ -0,0 +1,27 @@
+import { restUrlFromManifest } from '../../../lib/api/cloudformation/template-body-parameter';
+
+test('restUrlFromManifest ignores AWS_ENDPOINT_URL_S3', async () => {
+  process.env.AWS_ENDPOINT_URL_S3 = 'https://boop.com/';
+  try {
+    await expect(restUrlFromManifest('s3://my-bucket/object', {
+      account: '123456789012',
+      region: 'us-east-1',
+      name: 'env',
+    })).resolves.toEqual('https://s3.us-east-1.amazonaws.com/my-bucket/object');
+  } finally {
+    delete process.env.AWS_ENDPOINT_URL_S3;
+  }
+});
+
+test('restUrlFromManifest respects AWS_ENDPOINT_URL_S3_FOR_CLOUDFORMATION', async () => {
+  process.env.AWS_ENDPOINT_URL_S3_FOR_CLOUDFORMATION = 'https://boop.com/';
+  try {
+    await expect(restUrlFromManifest('s3://my-bucket/object', {
+      account: '123456789012',
+      region: 'us-east-1',
+      name: 'env',
+    })).resolves.toEqual('https://boop.com/my-bucket/object');
+  } finally {
+    delete process.env.AWS_ENDPOINT_URL_S3_FOR_CLOUDFORMATION;
+  }
+});
