From 8b96cf5303f7f136e1b79314996d21a6cf4d679c Mon Sep 17 00:00:00 2001
From: Edmund Miller
Date: Mon, 5 Aug 2024 15:01:12 -0500
Subject: [PATCH 1/6] fix(test-datasets): Add public-read ACL
---
 pulumi/test_datasets/__main__.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pulumi/test_datasets/__main__.py b/pulumi/test_datasets/__main__.py
index 6d325ee..6b0a594 100644
--- a/pulumi/test_datasets/__main__.py
+++ b/pulumi/test_datasets/__main__.py
@@ -7,6 +7,7 @@
     "test-datasets-bucket",
     arn="arn:aws:s3:::nf-core-test-datasets",
     bucket="nf-core-test-datasets",
+    acl="public-read",
     cors_rules=[
         aws.s3.BucketCorsRuleArgs(
             allowed_headers=["*"],
From b12a449bc330cd10b1ac443b9a135aab9f3feadc Mon Sep 17 00:00:00 2001
From: Edmund Miller
Date: Tue, 6 Aug 2024 14:48:05 -0500
Subject: [PATCH 2/6] chore: Import PublicAccessBlock
pulumi import aws:s3/bucketPublicAccessBlock:BucketPublicAccessBlock test-datasets-bucket-publicaccessblock nf-core-test-datasets
---
 pulumi/test_datasets/__main__.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/pulumi/test_datasets/__main__.py b/pulumi/test_datasets/__main__.py
index 6b0a594..ec5aa2b 100644
--- a/pulumi/test_datasets/__main__.py
+++ b/pulumi/test_datasets/__main__.py
@@ -38,6 +38,12 @@
     ),
 )
 
+test_datasets_bucket_publicaccessblock = aws.s3.BucketPublicAccessBlock(
+    "test-datasets-bucket-publicaccessblock",
+    bucket="nf-core-test-datasets",
+    opts=pulumi.ResourceOptions(protect=True),
+)
+
 # Define the policy which allows users to put objects in the S3 bucket
 policy = aws.iam.Policy(
     "bucketPutPolicy",
From 08ea4066abd539532f7d7aec7a6ce16bd0f71a74 Mon Sep 17 00:00:00 2001
From: Edmund Miller
Date: Tue, 6 Aug 2024 14:58:14 -0500
Subject: [PATCH 3/6] fix: Add public bucket policy
---
 pulumi/test_datasets/__main__.py | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/pulumi/test_datasets/__main__.py b/pulumi/test_datasets/__main__.py
index ec5aa2b..60dee26 100644
--- a/pulumi/test_datasets/__main__.py
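Review bot: `acl="public-read"` on the bucket grants the AllUsers group READ at bucket level, which for a bucket ACL means anonymous listing of every key, independent of any object ACL or bucket policy. Since the series goes on to express public read through a bucket policy (PATCH 3/6 onward) and a BucketPublicAccessBlock (PATCH 2/6), keeping a legacy ACL as a second, harder-to-audit grant deserves a recorded justification; if it stays, a comment such as `# Legacy bucket ACL: permits anonymous ListBucket; object read is granted by the bucket policy below` says why both exist. Buckets whose Object Ownership is BucketOwnerEnforced reject ACL writes, so whether this argument can even be applied depends on the imported bucket's settings — worth confirming. The enclosing `aws.s3.Bucket(...)` call starts and ends outside the hunk.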
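Review bot: The imported `BucketPublicAccessBlock` passes none of `block_public_acls`, `block_public_policy`, `ignore_public_acls` or `restrict_public_buckets`, so each falls to the provider default of `False` and the resource codifies "no public-access blocking" only implicitly. The anonymous bucket policy added later in the series (PATCH 3/6 to 5/6) only takes effect while `block_public_policy` and `restrict_public_buckets` are false, so this resource is where that exposure decision lives; spelling the four flags out, e.g. `block_public_policy=False,  # intentional: the bucket policy below grants anonymous read` and likewise for the other three, makes it visible to reviewers and to `pulumi preview` instead of relying on defaults. If the imported resource currently has any of the four enabled, the first `pulumi up` will show a diff turning them off — presumably intended, but it should be confirmed rather than discovered.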
+++ b/pulumi/test_datasets/__main__.py
@@ -1,5 +1,6 @@
 """An AWS Python Pulumi program"""
 
+import json
 import pulumi
 import pulumi_aws as aws
 
@@ -44,6 +45,28 @@
     opts=pulumi.ResourceOptions(protect=True),
 )
 
+# Step 2: Create a bucket policy for public read access
+public_read_policy = json.dumps(
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Principal": "*",  # Allow access to anyone
+                "Action": ["s3:GetObject"],
+                "Resource": [
+                    f"arn:aws:s3:::{test_datasets_bucket.id}/*"
+                ],  # Access all objects in the bucket
+            }
+        ],
+    }
+)
+
+# Step 3: Apply the bucket policy to the bucket
+bucket_policy = aws.s3.BucketPolicy(
+    "testData-bucketPolicy", bucket=test_datasets_bucket.id, policy=public_read_policy
+)
+
 # Define the policy which allows users to put objects in the S3 bucket
 policy = aws.iam.Policy(
     "bucketPutPolicy",
From 79288e1f4686ffeb15dfa7c46bf81fa587a65768 Mon Sep 17 00:00:00 2001
From: Edmund Miller
Date: Tue, 6 Aug 2024 16:43:01 -0500
Subject: [PATCH 4/6] refactor: Use lambda to get arn and ListBucket. Ya know, the important stuff...
---
 pulumi/test_datasets/__main__.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/pulumi/test_datasets/__main__.py b/pulumi/test_datasets/__main__.py
index 60dee26..7f1e8f6 100644
--- a/pulumi/test_datasets/__main__.py
+++ b/pulumi/test_datasets/__main__.py
@@ -53,9 +53,12 @@
             {
                 "Effect": "Allow",
                 "Principal": "*",  # Allow access to anyone
-                "Action": ["s3:GetObject"],
+                "Action": [
+                    "s3:GetObject",
+                    "s3:ListBucket",
+                ],
                 "Resource": [
-                    f"arn:aws:s3:::{test_datasets_bucket.id}/*"
+                    test_datasets_bucket.arn.apply(lambda arn: f"{arn}/*"),
                 ],  # Access all objects in the bucket
             }
         ],
From 708814c02c013b8f22d4d7986398de87d517dbcc Mon Sep 17 00:00:00 2001
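Review bot: `f"arn:aws:s3:::{test_datasets_bucket.id}/*"` stringifies a Pulumi `Output`, and `Output.__str__` returns an explanatory message rather than the value, so the `Resource` element of this policy never contains the bucket ARN and the `BucketPolicy` cannot apply as intended. PATCH 4/6 and 5/6 rework this block, but as committed this intermediate state leaves the stack unable to deploy, which matters for bisecting the series. The bucket name is a literal `"nf-core-test-datasets"` earlier in the same file (see PATCH 1/6), so `test_datasets_bucket.arn.apply(lambda arn: f"{arn}/*")`, or the static ARN string, would have kept this commit deployable on its own.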
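Review bot: `json.dumps` cannot serialize the `Output` that `test_datasets_bucket.arn.apply(...)` now places inside the dict, so this commit still does not yield a valid policy document; resolving Outputs nested in a structure is what `pulumi.Output.json_dumps(...)` (or building the document inside `Output.all(...).apply`) is for. Separately, `s3:ListBucket` is added while the only resource remains the `/*` object ARN; ListBucket is evaluated against the bucket ARN itself, so as written that action grants nothing. PATCH 5/6 addresses both by moving to `aws.iam.get_policy_document_output` and listing the bare bucket ARN alongside the object ARN. The enclosing `json.dumps(` call starts and ends outside the hunk.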
From: Edmund Miller
Date: Tue, 6 Aug 2024 16:56:19 -0500
Subject: [PATCH 5/6] fix: Use aws.iam.get_policy_document_output
---
 pulumi/test_datasets/__main__.py | 40 ++++++++++++++------------------
 1 file changed, 18 insertions(+), 22 deletions(-)
diff --git a/pulumi/test_datasets/__main__.py b/pulumi/test_datasets/__main__.py
index 7f1e8f6..8285d24 100644
--- a/pulumi/test_datasets/__main__.py
+++ b/pulumi/test_datasets/__main__.py
@@ -1,6 +1,5 @@
 """An AWS Python Pulumi program"""
 
-import json
 import pulumi
 import pulumi_aws as aws
 
@@ -45,29 +44,26 @@
     opts=pulumi.ResourceOptions(protect=True),
 )
 
-# Step 2: Create a bucket policy for public read access
-public_read_policy = json.dumps(
-    {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Effect": "Allow",
-                "Principal": "*",  # Allow access to anyone
-                "Action": [
-                    "s3:GetObject",
-                    "s3:ListBucket",
-                ],
-                "Resource": [
-                    test_datasets_bucket.arn.apply(lambda arn: f"{arn}/*"),
-                ],  # Access all objects in the bucket
-            }
-        ],
-    }
+allow_access_from_anyone = aws.iam.get_policy_document_output(
+    statements=[
+        {
+            "principals": [{"identifiers": ["*"], "type": "AWS"}],
+            "actions": [
+                "s3:GetObject",
+                "s3:ListBucket",
+            ],
+            "resources": [
+                test_datasets_bucket.arn,
+                test_datasets_bucket.arn.apply(lambda arn: f"{arn}/*"),
+            ],
+        }
+    ]
 )
 
-# Step 3: Apply the bucket policy to the bucket
-bucket_policy = aws.s3.BucketPolicy(
-    "testData-bucketPolicy", bucket=test_datasets_bucket.id, policy=public_read_policy
+allow_access_from_anyone_bucket_policy = aws.s3.BucketPolicy(
+    "allow_access_from_anyone",
+    bucket=test_datasets_bucket.id,
+    policy=allow_access_from_anyone.json,
 )
 
 # Define the policy which allows users to put objects in the S3 bucket
From a0b3f3bbc97b73d779f807c843f9c8b21e6b877c Mon Sep 17 00:00:00 2001
From: Edmund Miller
Date: Wed, 7 Aug 2024 08:42:47 -0500
Subject: [PATCH 6/6] style: Fix mypy
---
 pulumi/test_datasets/__main__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
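Review bot: The new statement grants `s3:GetObject` and `s3:ListBucket` to `{"identifiers": ["*"], "type": "AWS"}`, which renders as `"Principal": {"AWS": "*"}` and is treated by S3 as anonymous, yet the rewrite drops the "Step 2/3" comments and leaves no record that this is deliberate; a comment above `allow_access_from_anyone` such as `# Intentionally public: anyone can list and download every object in this bucket. Publish only test data here. Requires the PublicAccessBlock above to leave block_public_policy/restrict_public_buckets false.` keeps the exposure explicit for the next maintainer. `s3:ListBucket` on the bare bucket ARN lets anonymous callers enumerate all keys, a broader disclosure than GetObject alone; if consumers fetch test files by known path, listing could be dropped to narrow the grant. The statement also omits `effect`, relying on the `Allow` default — writing `"effect": "Allow",` makes the policy read the same as the `Effect` key it replaces.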
diff --git a/pulumi/test_datasets/__main__.py b/pulumi/test_datasets/__main__.py
index 8285d24..e3dadb3 100644
--- a/pulumi/test_datasets/__main__.py
+++ b/pulumi/test_datasets/__main__.py
@@ -41,7 +41,7 @@
 test_datasets_bucket_publicaccessblock = aws.s3.BucketPublicAccessBlock(
     "test-datasets-bucket-publicaccessblock",
     bucket="nf-core-test-datasets",
-    opts=pulumi.ResourceOptions(protect=True),
+    opts=pulumi.ResourceOptions(protect=True),  # type: ignore[attr-defined]
 )
 
 allow_access_from_anyone = aws.iam.get_policy_document_output(