forked from aws/aws-cdk
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix(servicecatalog): product stack asset bucket with forced encryption (
aws#26303) Clients account setup strictly required that every bucket is encrypted. It also forces Bucket Policy to deny any unencrypted PutObject actions. When suppling ProductStack with such a Bucket as assetBucket the deployment fails on Custom Resource Lambda not being able to synch asset files into assetBucket (Access Denied). Expected Behavior I would expect that assets will be encrypted when the asset bucket has encryption enabled. Current Behavior Under the hood ProductStack uses BucketDeployment construct without encryption which results in AccessDenied. I does not considers Bucket encryption settings. Possible Solution This PR is a possible solution in which user would provide additional property `serverSideEncryption` along with encryption key `serverSideEncryptionAwsKmsKeyId` which would turn on respectful options on BucketDeployment to enable encryption. This could also be implicitly learnt from assetBucket configuration but I feel it better to leave this decision to the user - but I am open to change implementation if you thing this is better approach. Closes aws#26302. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
- Loading branch information
Showing
26 changed files
with
3,329 additions
and
8 deletions.
There are no files selected for viewing
Binary file added
BIN
+15.1 MB
...et.js.snapshot/asset.292870ae2617f1c4d62ff18422e009afd534a342c17877fd1b931fb8d8a62abc.zip
Binary file not shown.
98 changes: 98 additions & 0 deletions
98
...t.js.snapshot/asset.6412a5f4524c6b41d26fbeee226c68c2dad735393940a51008d77e6f8b1038f5.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,98 @@ | ||
{ | ||
"AWSTemplateFormatVersion" : "2010-09-09", | ||
|
||
"Description" : "AWS Service Catalog sample template. Creates an Amazon EC2 instance running the Amazon Linux AMI. The AMI is chosen based on the region in which the stack is run. This example creates an EC2 security group for the instance to give you SSH access. **WARNING** This template creates an Amazon EC2 instance. You will be billed for the AWS resources used if you create a stack from this template.", | ||
|
||
"Parameters" : { | ||
"KeyName": { | ||
"Description" : "Name of an existing EC2 key pair for SSH access to the EC2 instance.", | ||
"Type": "AWS::EC2::KeyPair::KeyName" | ||
}, | ||
|
||
"InstanceType" : { | ||
"Description" : "EC2 instance type.", | ||
"Type" : "String", | ||
"Default" : "t2.micro", | ||
"AllowedValues" : [ "t2.micro", "t2.small", "t2.medium"] | ||
}, | ||
|
||
"SSHLocation" : { | ||
"Description" : "The IP address range that can SSH to the EC2 instance.", | ||
"Type": "String", | ||
"MinLength": "9", | ||
"MaxLength": "18", | ||
"Default": "0.0.0.0/0", | ||
"AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})", | ||
"ConstraintDescription": "Must be a valid IP CIDR range of the form x.x.x.x/x." | ||
} | ||
}, | ||
|
||
"Metadata" : { | ||
"AWS::CloudFormation::Interface" : { | ||
"ParameterGroups" : [{ | ||
"Label" : {"default": "Instance configuration"}, | ||
"Parameters" : ["InstanceType"] | ||
},{ | ||
"Label" : {"default": "Security configuration"}, | ||
"Parameters" : ["KeyName", "SSHLocation"] | ||
}], | ||
"ParameterLabels" : { | ||
"InstanceType": {"default": "Server size:"}, | ||
"KeyName": {"default": "Key pair:"}, | ||
"SSHLocation": {"default": "CIDR range:"} | ||
} | ||
} | ||
}, | ||
|
||
"Mappings" : { | ||
"AWSRegionArch2AMI" : { | ||
"us-east-1" : { "HVM64" : "ami-08842d60" }, | ||
"us-west-2" : { "HVM64" : "ami-8786c6b7" }, | ||
"us-west-1" : { "HVM64" : "ami-cfa8a18a" }, | ||
"eu-west-1" : { "HVM64" : "ami-748e2903" }, | ||
"ap-southeast-1" : { "HVM64" : "ami-d6e1c584" }, | ||
"ap-northeast-1" : { "HVM64" : "ami-35072834" }, | ||
"ap-southeast-2" : { "HVM64" : "ami-fd4724c7" }, | ||
"sa-east-1" : { "HVM64" : "ami-956cc688" }, | ||
"cn-north-1" : { "HVM64" : "ami-ac57c595" }, | ||
"eu-central-1" : { "HVM64" : "ami-b43503a9" } | ||
} | ||
|
||
}, | ||
|
||
"Resources" : { | ||
"EC2Instance" : { | ||
"Type" : "AWS::EC2::Instance", | ||
"Properties" : { | ||
"InstanceType" : { "Ref" : "InstanceType" }, | ||
"SecurityGroups" : [ { "Ref" : "InstanceSecurityGroup" } ], | ||
"KeyName" : { "Ref" : "KeyName" }, | ||
"ImageId" : { "Fn::FindInMap" : [ "AWSRegionArch2AMI", { "Ref" : "AWS::Region" }, "HVM64" ] } | ||
} | ||
}, | ||
|
||
"InstanceSecurityGroup" : { | ||
"Type" : "AWS::EC2::SecurityGroup", | ||
"Properties" : { | ||
"GroupDescription" : "Enable SSH access via port 22", | ||
"SecurityGroupIngress" : [ { | ||
"IpProtocol" : "tcp", | ||
"FromPort" : "22", | ||
"ToPort" : "22", | ||
"CidrIp" : { "Ref" : "SSHLocation"} | ||
} ] | ||
} | ||
} | ||
}, | ||
|
||
"Outputs" : { | ||
"PublicDNSName" : { | ||
"Description" : "Public DNS name of the new EC2 instance", | ||
"Value" : { "Fn::GetAtt" : [ "EC2Instance", "PublicDnsName" ] } | ||
}, | ||
"PublicIPAddress" : { | ||
"Description" : "Public IP address of the new EC2 instance", | ||
"Value" : { "Fn::GetAtt" : [ "EC2Instance", "PublicIp" ] } | ||
} | ||
} | ||
} |
2 changes: 2 additions & 0 deletions
2
....snapshot/asset.89c643a8a6c919d906e0b1cb079b0c5e131cf3cc19c05126f90fc118647fb08c/index.js
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
Oops, something went wrong.