From 7a58eefa1e50080952bca3505c743e86956018b0 Mon Sep 17 00:00:00 2001 From: Vahor Date: Mon, 25 Dec 2023 22:40:25 +0100 Subject: [PATCH] fix: add s3 permissions on api user --- src/aws/resources/files-bucket.ts | 137 +++++++++++++++++------------ src/aws/resources/static-bucket.ts | 17 ++-- src/aws/users/api-pulumi.ts | 11 +++ 3 files changed, 103 insertions(+), 62 deletions(-) diff --git a/src/aws/resources/files-bucket.ts b/src/aws/resources/files-bucket.ts index d0fe0c9..709eb7c 100644 --- a/src/aws/resources/files-bucket.ts +++ b/src/aws/resources/files-bucket.ts 
@@ -1,64 +1,91 @@ import * as aws from '@pulumi/aws'; import * as cloudflare from '@pulumi/cloudflare'; -import { env } from '../../env'; +import {env} from '../../env'; export const createFilesBucket = () => { - const bucket = new aws.s3.Bucket('files.pedaki.fr', { - bucket: 'files.pedaki.fr', - acl: 'private', - serverSideEncryptionConfiguration: { - rule: { - applyServerSideEncryptionByDefault: { - sseAlgorithm: 'aws:kms', + const bucket = new aws.s3.Bucket('files.pedaki.fr', { + bucket: 'files.pedaki.fr', + acl: 'private', + serverSideEncryptionConfiguration: { + rule: { + applyServerSideEncryptionByDefault: { + sseAlgorithm: 'aws:kms', + }, + bucketKeyEnabled: true, + }, }, - bucketKeyEnabled: true, - }, - }, - }); + }); - const publicAccessBlock = new aws.s3.BucketPublicAccessBlock('files.pedaki.fr-publicAccessBlock', { - bucket: bucket.id, - blockPublicAcls: false, - blockPublicPolicy: false, - ignorePublicAcls: false, - restrictPublicBuckets: false, - }); + const publicAccessBlock = new aws.s3.BucketPublicAccessBlock( + 'files.pedaki.fr-publicAccessBlock', + { + bucket: bucket.id, + blockPublicAcls: false, + blockPublicPolicy: false, + ignorePublicAcls: false, + restrictPublicBuckets: false, + }, + ); - const policy = new aws.s3.BucketPolicy( - 'files-bucket-policy', - { - bucket: bucket.id, - policy: bucket.arn.apply(arn => - JSON.stringify({ - // all files should be encrypted - Version: '2012-10-17', - Statement: [ - { - Sid: 'DenyUnEncryptedObjectUploads', - Effect: 'Deny', - Principal: '*', - Action: 's3:PutObject', - Resource: `${arn}/*`, - Condition: { - StringNotEquals: { - 's3:x-amz-server-side-encryption': 'aws:kms', - }, - }, - }, - ], - }), - ), - }, - { dependsOn: [publicAccessBlock] }, - ); + const policy = new aws.s3.BucketPolicy( + 'files-bucket-policy', + { + bucket: bucket.id, + policy: bucket.arn.apply(arn => + JSON.stringify({ + // all files should be encrypted + Version: '2012-10-17', + Statement: [ + { + Sid: 
'DenyUnEncryptedObjectUploads', + Effect: 'Deny', + Principal: '*', + Action: 's3:PutObject', + Resource: `${arn}/*`, + Condition: { + StringNotEquals: { + 's3:x-amz-server-side-encryption': 'aws:kms', + }, + }, + }, + { + Sid: 'AllowPublicReadAccess', + Effect: 'Allow', + Principal: '*', + Action: 's3:GetObject', + Resource: `${arn}/*`, + Condition: { + StringEquals: { + 's3:ExistingObjectTag/public': 'true', + }, + }, + }, + { + Sid: 'DenyPublicReadAccess', + Effect: 'Deny', + Principal: '*', + Action: 's3:GetObject', + Resource: `${arn}/*`, + Condition: { + StringNotEquals: { + 's3:ExistingObjectTag/public': 'true', + }, + }, + } + ], + }), + ), + }, + {dependsOn: [publicAccessBlock]}, + ); - const record = new cloudflare.Record('files.pedaki.fr', { - name: 'files', - type: 'CNAME', - value: bucket.bucketDomainName, - zoneId: env.CLOUDFLARE_ZONE_ID, - proxied: true, - ttl: 1, // TTL must be set to 1 when proxied is true - comment: `pulumi (infrastructure repo)`, - }); + const record = new cloudflare.Record('files.pedaki.fr', { + name: 'files', + type: 'CNAME', + value: bucket.bucketDomainName, + zoneId: env.CLOUDFLARE_ZONE_ID, + proxied: true, + ttl: 1, // TTL must be set to 1 when proxied is true + comment: `pulumi (infrastructure repo)`, + }); }; diff --git a/src/aws/resources/static-bucket.ts b/src/aws/resources/static-bucket.ts index 1f8dc54..13be904 100644 --- a/src/aws/resources/static-bucket.ts +++ b/src/aws/resources/static-bucket.ts 
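Review bot: The new `DenyPublicReadAccess` statement denies `s3:GetObject` to `Principal: '*'`, and in S3 bucket-policy evaluation a `*` principal also covers authenticated IAM principals of the bucket's own account, so this explicit deny blocks every read of an object not tagged `public=true` — including the API user that `api-pulumi.ts` grants `s3:*` on `files.pedaki.fr` in this same commit, because an explicit deny in the bucket policy overrides an IAM allow. If the goal is only to keep anonymous readers away from non-public objects, the deny looks unnecessary: with no matching Allow, anonymous GetObject is already refused, and the remaining exposure path (a public-read object ACL) is closed by changing the `BucketPublicAccessBlock` to `blockPublicAcls: true,` and `ignorePublicAcls: true,`, as the commit already does for `static.pedaki.fr`. If the deny is kept, it needs a condition that exempts the account's own principals (an `aws:PrincipalAccount` check, for instance), and it is worth confirming how `StringNotEquals` on `s3:ExistingObjectTag/public` is evaluated for objects carrying no `public` tag at all, since those are presumably meant to be private too.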
@@ -7,13 +7,16 @@ export const createStaticBucket = () => { bucket: 'static.pedaki.fr', }); - const publicAccessBlock = new aws.s3.BucketPublicAccessBlock('static.pedaki.fr-publicAccessBlock', { - bucket: bucket.id, - blockPublicAcls: false, - blockPublicPolicy: false, - ignorePublicAcls: false, - restrictPublicBuckets: false, - }); + const publicAccessBlock = new aws.s3.BucketPublicAccessBlock( + 'static.pedaki.fr-publicAccessBlock', + { + bucket: bucket.id, + blockPublicAcls: true, + ignorePublicAcls: true, + blockPublicPolicy: false, + restrictPublicBuckets: false, + }, + ); const _ = new aws.s3.BucketPolicy( 'static-bucket-policy', diff --git a/src/aws/users/api-pulumi.ts b/src/aws/users/api-pulumi.ts index 890c4a8..d4d32a9 100644 --- a/src/aws/users/api-pulumi.ts +++ b/src/aws/users/api-pulumi.ts @@ -60,6 +60,17 @@ export const createApiPulumiUser = () => { Effect: 'Allow', Resource: '*', }, + { + Sid: 'AllowS3', + Action: ['s3:*'], + Effect: 'Allow', + Resource: [ + 'arn:aws:s3:::files.pedaki.fr', + 'arn:aws:s3:::files.pedaki.fr/*', + 'arn:aws:s3:::static.pedaki.fr', + 'arn:aws:s3:::static.pedaki.fr/*', + ], + }, ], }, });
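Review bot: Flipping `blockPublicAcls` and `ignorePublicAcls` to `true` is a sound tightening, but nothing records why `blockPublicPolicy` and `restrictPublicBuckets` are deliberately left `false`, which is exactly the pair a later cleanup would be tempted to flip as well and thereby break public serving. A short comment above the resource, `// ACL-based public access is closed; public read is granted only via the static-bucket-policy below, which requires blockPublicPolicy/restrictPublicBuckets to stay false`, would pin that intent — assuming the `static-bucket-policy` that follows is what grants the public read, as its body lies outside this hunk. `createStaticBucket` begins before this hunk.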
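Review bot: `Action: ['s3:*']` grants the API user far more than reading and writing objects: it includes bucket-level control actions such as `s3:PutBucketPolicy`, `s3:PutBucketPublicAccessBlock`, `s3:PutEncryptionConfiguration` and `s3:DeleteBucket`, so a leaked API credential could rewrite or remove the encryption and public-read rules that `files-bucket.ts` puts in place instead of being bound by them. Narrowing to the object-level actions the application plausibly needs, e.g. `Action: ['s3:ListBucket', 's3:GetObject', 's3:PutObject', 's3:DeleteObject', 's3:GetObjectTagging', 's3:PutObjectTagging'],`, keeps bucket configuration under Pulumi's control only; `s3:ListBucket` applies to the bucket ARNs and the rest to the `/*` ARNs, so the statement could be split in two along that line. The files bucket enforces `aws:kms` on upload without naming a key, so the AWS-managed S3 key is presumably in use and no separate `kms:` grant is needed — worth confirming, since a customer-managed key would require one. `createApiPulumiUser` starts before this hunk.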