Add a config option to not explicitly set S3 Block Public Access
Unblocks users who have org policies preventing use of the
s3:PutPublicAccessBlock API (matanolabs#124).

Signed-off-by: 🐼 Samrose Ahmed 🐼 <[email protected]>
Samrose-Ahmed committed Apr 4, 2023
1 parent 7373558 commit c5f6d3d
Showing 6 changed files with 28 additions and 10 deletions.
4 changes: 4 additions & 0 deletions cli/src/commands/init.ts
Expand Up @@ -109,6 +109,10 @@ export default class Init extends BaseCommand {
if (awsProfile) {
cdkArgs.push("--profile", awsProfile);
}
const matanoConfig = parseMatanoConfig(matanoUserDirectory);
if (matanoConfig?.aws?.setBlockPublicAccess === false) {
cdkArgs.push("--public-access-block-configuration", "false");
}

const cdkContext: Record<string, any> = {
matanoUserDirectory,
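Review bot: The opt-out at `if (matanoConfig?.aws?.setBlockPublicAccess === false)` silently weakens the S3 posture of the bootstrap bucket; emit a visible notice before the push, e.g. `console.warn("aws.setBlockPublicAccess is false: the CDK bootstrap bucket will be created without an S3 Public Access Block");`, so the reduced setting shows up in the run output. `--public-access-block-configuration` is a `cdk bootstrap` option; if `cdkArgs` is also forwarded to other cdk subcommands the flag would be unrecognised there, but the part of the method that consumes the args is outside the hunk, so this is inferred. A one-line comment above the check would also help, noting that only an explicit `false` opts out and that a missing key keeps the secure default.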
3 changes: 3 additions & 0 deletions infra/lib/MatanoStack.ts
Expand Up @@ -7,6 +7,7 @@ import * as s3 from "aws-cdk-lib/aws-s3";
import * as ec2 from "aws-cdk-lib/aws-ec2";
import { FriendlyNamingAspect } from "./aspects/naming";
import { RetentionPolicyAspect } from "./aspects/retention";
import { S3BlockPublicAccessAspect } from "./aspects/s3-block-public-access";

// from https://github.com/capralifecycle/liflig-cdk/blob/master/src/tags.ts
export function tagResources(scope: Construct, tags: (stack: cdk.Stack) => Record<string, string>): void {
Expand All @@ -33,6 +34,7 @@ export interface MatanoConfiguration {
account: string;
region: string;
tags?: Record<string, string>;
setBlockPublicAccess?: boolean;
};
project_label: string | undefined;
is_production: boolean | undefined;
Expand Down Expand Up @@ -72,6 +74,7 @@ export class MatanoStack extends cdk.Stack {

cdk.Aspects.of(this).add(new FriendlyNamingAspect());
cdk.Aspects.of(this).add(new RetentionPolicyAspect());
cdk.Aspects.of(this).add(new S3BlockPublicAccessAspect());
}

humanCfnOutput(name: string, props: cdk.CfnOutputProps) {
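Review bot: The new `setBlockPublicAccess?: boolean;` field in `MatanoConfiguration` has no doc comment, and its semantics (only an explicit `false` disables the block; an absent key keeps it enabled) are only discoverable by reading the aspect. Add a TSDoc line above it: `/** Set to false to skip attaching an S3 PublicAccessBlock to Matano buckets, e.g. when an org policy denies s3:PutPublicAccessBlock. Defaults to true; disabling removes a defense-in-depth control, so pair it with account-level Block Public Access. */`. The `MatanoConfiguration` interface and the `MatanoStack` constructor both extend beyond the hunks shown.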
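--- a/infra/lib/aspects/s3-block-public-access.ts
+++ b/infra/lib/aspects/s3-block-public-access.ts
@@ -0,0 +1,21 @@
+import { IConstruct } from "constructs";
+import * as cdk from "aws-cdk-lib";
+import * as s3 from "aws-cdk-lib/aws-s3";
+import { MatanoStack } from "../MatanoStack";
+
+export class S3BlockPublicAccessAspect implements cdk.IAspect {
+public visit(node: IConstruct): void {
+const doSetBlockPublicAccess = (cdk.Stack.of(node) as MatanoStack).matanoConfig?.aws?.setBlockPublicAccess !== false;
+
+if (node instanceof s3.CfnBucket) {
+if (node.publicAccessBlockConfiguration === undefined && doSetBlockPublicAccess) {
+node.publicAccessBlockConfiguration = {
+blockPublicAcls: true,
+blockPublicPolicy: true,
+ignorePublicAcls: true,
+restrictPublicBuckets: true,
+}
+}
+}
+}
+}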
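Review bot: `import { MatanoStack } from "../MatanoStack";` creates a runtime import cycle, since MatanoStack.ts now imports this aspect and `MatanoStack` is used here only in a type assertion; make it `import type { MatanoStack } from "../MatanoStack";` so the cycle is erased at compile time. The config lookup on the first line of `visit` runs for every construct in the tree but only matters for buckets, so move it inside the `node instanceof s3.CfnBucket` branch. Because the L2 buckets in DPCommonStack.ts, enrichment.ts and s3-bucket-notifs.ts dropped their explicit `BLOCK_ALL`, this aspect is now the only thing applying a bucket-level PublicAccessBlock, and `setBlockPublicAccess: false` leaves those buckets with no bucket-level block at all; a class-level TSDoc should state this and note that the opt-out is meant to be paired with account-level Block Public Access. The object literal assigned to `publicAccessBlockConfiguration` is also missing its trailing semicolon.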
1 change: 0 additions & 1 deletion infra/lib/enrichment.ts
Expand Up @@ -149,7 +149,6 @@ export class Enrichment extends Construct {
this.enrichmentConfigs = this.loadEnrichmentTables();

this.enrichmentTablesBucket = new s3.Bucket(this, "EnrichmentTables", {
blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
lifecycleRules: [
{
prefix: "temp-enrich-sync",
1 change: 0 additions & 1 deletion infra/lib/s3-bucket-notifs.ts
Expand Up @@ -24,7 +24,6 @@ export class S3BucketWithNotifications extends Construct {

this.bucket = new s3.Bucket(this, "Bucket", {
...props.bucketProps,
blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
});

const bucketName = props?.bucketProps?.bucketName;
8 changes: 0 additions & 8 deletions infra/src/DPCommonStack.ts
Expand Up @@ -28,9 +28,6 @@ export class DPCommonStack extends MatanoStack {
super(scope, id, props);

this.matanoIngestionBucket = new S3BucketWithNotifications(this, "MatanoIngestionBucket", {
bucketProps: {
blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
},
});

// For delivering Cloudtrail, S3 access logs
Expand All @@ -55,17 +52,13 @@ export class DPCommonStack extends MatanoStack {
});

this.matanoLakeStorageBucket = new S3BucketWithNotifications(this, "MatanoLakeStorageBucket", {
bucketProps: {
blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
},
queueProps: {
visibilityTimeout: cdk.Duration.seconds(185),
},
s3Filters: [{ prefix: "lake", suffix: "mtn_append.zstd.parquet" }],
});

this.realtimeBucket = new Bucket(this, "MatanoRealtimeBucket", {
blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
lifecycleRules: [{ expiration: cdk.Duration.days(7) }],
});
this.realtimeBucketTopic = new Topic(this, "MatanoRealtimeBucketNotifications", {
Expand All @@ -91,7 +84,6 @@ export class DPCommonStack extends MatanoStack {
});

this.matanoAthenaResultsBucket = new s3.Bucket(this, "MatanoAthenaResults", {
blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
lifecycleRules: [{ expiration: cdk.Duration.days(60) }],
});
const matanoDefaultAthenaWorkgroup = new athena.CfnWorkGroup(this, "MatanoDefault", {