IT-1295 #312
IT-1295 #312
Conversation
templates/s3-bucket-v2.j2
Outdated
| - !If | ||
| - AllowWrite | ||
| - Sid: InternalPutObjectAccess | ||
| Effect: Allow | ||
| Principal: | ||
| AWS: !Ref GrantAccess | ||
| Action: | ||
| - "s3:PutObject" | ||
| - "s3:PutObjectAcl" | ||
| Resource: !If [EnableEncryption, !Sub "${SynapseEncryptedExternalBucket.Arn}/*", !Sub "${SynapseExternalBucket.Arn}/*"] | ||
| Condition: | ||
| StringLike: | ||
| "aws:PrincipalArn": | ||
| - "arn:aws:iam::055273631518:*" | ||
| - "arn:aws:sts::055273631518:assumed-role/*" | ||
| - !If | ||
| - AllowWrite | ||
| - Sid: ExternalPutObjectAccess | ||
| Effect: Allow | ||
| Principal: | ||
| AWS: !Ref GrantAccess | ||
| Action: | ||
| - "s3:PutObject" | ||
| - "s3:PutObjectAcl" | ||
| Resource: !If [EnableEncryption, !Sub "${SynapseEncryptedExternalBucket.Arn}/*", !Sub "${SynapseExternalBucket.Arn}/*"] | ||
| Condition: | ||
| StringEquals: | ||
| s3:x-amz-acl: bucket-owner-full-control |
There was a problem hiding this comment.
these if conditions look wrong. The docs provide example as !If [condition_name, value_if_true, value_if_false] which implies that valid inputs to If condition are 3 strings, not lists. Also you'll need to provide a 3rd parameter to the If construct, in this case i'm thinking you'll want a AWS::NoValue, https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/pseudo-parameter-reference.html
There was a problem hiding this comment.
valid inputs to If condition are 3 strings, not lists
Here's an an example that uses lists:
https://stackoverflow.com/questions/56970457/how-to-use-fnif-with-array-values-in-cloud-formation-templates
There's an example on this page too:
aws/serverless-application-model#1218
There's an example on this page that uses a nested IF in the else clause!
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/conditions-sample-templates.html
Done! |
This PR modifies the S3 bucket template to meet the requirements listed in IT-1295, i.e.:
bucket-owner-full-controlACL;bucket-owner-full-controlACL. Bucket owner assumes ownership;I created this policy interactively in S3, converted the JSON to YAML and mapped it back into the CFN template. It passes the CloudFormation Linter but we'll have to check it against the UAT bucket to ensure correctness.
There are six statements in the policy:
SynapseBucketAccess - gives Synapse access to the bucket
SynapseObjectAccess - gives Synapse access to objects in the bucket (R/O or R/W)
BucketAccess - gives grantees access to the bucket
ReadObjectAccess - give grantees read access to objects
InternalPutObjectAccess - gives bucket account grantees the ability to upload objects
ExternalPutObjectAccess - gives cross-account grantees the ability to upload objects
Note that the template has a boolean 'AllowWrite'. The *PutObjectAccess statements are conditioned on this boolean.