From 8328ee1b4ca75ff1b87cdcb9d1a1d58bbf2401f8 Mon Sep 17 00:00:00 2001 From: Harold Date: Sun, 1 Jan 2023 22:34:56 -0500 Subject: [PATCH 1/2] Remove CDK runtime dep - Creating the policy statements does not require classes --- packages/microapps-deployer/package.json | 1 - .../src/controllers/VersionController.ts | 22 ++++---- yarn.lock | 53 ++----------------- 3 files changed, 15 insertions(+), 61 deletions(-) diff --git a/packages/microapps-deployer/package.json b/packages/microapps-deployer/package.json index b850e3d7..4b6f9c50 100644 --- a/packages/microapps-deployer/package.json +++ b/packages/microapps-deployer/package.json @@ -20,7 +20,6 @@ }, "homepage": "https://github.com/pwrdrvr/microapps-core#readme", "dependencies": { - "@aws-cdk/aws-iam": "^1.111.0", "@aws-sdk/client-apigatewayv2": "^3.20.0", "@aws-sdk/client-dynamodb": "^3.20.0", "@aws-sdk/client-iam": "^3.20.0", diff --git a/packages/microapps-deployer/src/controllers/VersionController.ts b/packages/microapps-deployer/src/controllers/VersionController.ts index 90c40be7..7671f0ba 100644 --- a/packages/microapps-deployer/src/controllers/VersionController.ts +++ b/packages/microapps-deployer/src/controllers/VersionController.ts @@ -1,5 +1,4 @@ import crypto from 'crypto'; -import * as iamCDK from '@aws-cdk/aws-iam'; import * as apigwy from '@aws-sdk/client-apigatewayv2'; import * as lambda from '@aws-sdk/client-lambda'; import * as s3 from '@aws-sdk/client-s3'; 
@@ -82,23 +81,24 @@ export default class VersionController { // Get S3 creds if requested if (needS3Creds) { // Generate a temp policy for staging bucket app prefix - const iamPolicyDoc = new iamCDK.PolicyDocument({ + + const iamPolicyDoc = { statements: [ - new iamCDK.PolicyStatement({ - effect: iamCDK.Effect.ALLOW, + { + effect: 'Allow', actions: ['s3:PutObject', 's3:GetObject', 's3:AbortMultipartUpload'], resources: [`arn:aws:s3:::${config.filestore.stagingBucket}/*`], // TODO: Add condition to limit to app prefix - }), - new iamCDK.PolicyStatement({ - effect: iamCDK.Effect.ALLOW, + }, + { + effect: 'Allow', actions: ['s3:ListBucket'], resources: [`arn:aws:s3:::${config.filestore.stagingBucket}`], - }), + }, ], - }); + }; - Log.Instance.debug('Temp IAM Policy', { policy: JSON.stringify(iamPolicyDoc.toJSON()) }); + Log.Instance.debug('Temp IAM Policy', { policy: JSON.stringify(iamPolicyDoc) }); // Assume the upload role with limited S3 permissions const stsResult = await stsClient.send( @@ -108,7 +108,7 @@ export default class VersionController { RoleSessionName: VersionController.SHA1Hash( VersionController.GetBucketPrefix(request, config), ), - Policy: JSON.stringify(iamPolicyDoc.toJSON()), + Policy: JSON.stringify(iamPolicyDoc), }), ); diff --git a/yarn.lock b/yarn.lock index c2268669..f8673d07 100644 --- a/yarn.lock +++ b/yarn.lock 
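Review bot: The object-level statement in this session policy still grants `s3:PutObject`, `s3:GetObject` and `s3:AbortMultipartUpload` on `arn:aws:s3:::${config.filestore.stagingBucket}/*`, and the `TODO: Add condition to limit to app prefix` is carried over unchanged. Unless the upload role's own policy is narrower, the temporary credentials issued for one app can read and overwrite every other app's staged objects. The resource could be narrowed to `arn:aws:s3:::${config.filestore.stagingBucket}/${prefix}/*`, with `prefix` taken from `VersionController.GetBucketPrefix(request, config)`, which the next hunk already calls for `RoleSessionName`; this assumes the helper returns the object-key prefix without surrounding slashes, which is not visible here. The `s3:ListBucket` statement could likewise carry an `s3:prefix` condition. The same statements reappear with renamed keys in the hunk of patch 2/2, and the enclosing method starts and ends outside both hunks.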
@@ -25,51 +25,6 @@ resolved "https://registry.yarnpkg.com/@aws-cdk/aws-apigatewayv2-integrations-alpha/-/aws-apigatewayv2-integrations-alpha-2.24.1-alpha.0.tgz" integrity sha512-/Nu2DH9suome5w7306T3tzqPMoQB3fve4xzX5VpTC798F7cQUlMqcxzyZD3s55nuRXnhRZoLdAQlwLbEUxUIxA== -"@aws-cdk/aws-iam@^1.111.0": - version "1.156.1" - resolved "https://registry.yarnpkg.com/@aws-cdk/aws-iam/-/aws-iam-1.156.1.tgz" - integrity sha512-vxGGnIklGjLA+Z5KNVTHY5awQvLTRpTVEvftFA6K3X5xdiE4Xrbp44LAe+2iUAZ3kftcCwz7Hd3Z4qQ6B5ILUw== - dependencies: - "@aws-cdk/core" "1.156.1" - "@aws-cdk/cx-api" "1.156.1" - "@aws-cdk/region-info" "1.156.1" - constructs "^3.3.69" - -"@aws-cdk/cloud-assembly-schema@1.156.1": - version "1.156.1" - resolved "https://registry.yarnpkg.com/@aws-cdk/cloud-assembly-schema/-/cloud-assembly-schema-1.156.1.tgz" - integrity sha512-ahfBwr3D5opDTtnbd9+IZjQnTbPcloqPtyzMfIJe8awlNPa2x7y+0gqevH5SwObIn+i27NB0ZI6L5UjAlrIZng== - dependencies: - jsonschema "^1.4.0" - semver "^7.3.7" - -"@aws-cdk/core@1.156.1": - version "1.156.1" - resolved "https://registry.yarnpkg.com/@aws-cdk/core/-/core-1.156.1.tgz" - integrity sha512-TNTkbkAFqpoHdHOihqWcc4uicKnvwmggKMxCf95tknnjrVezwoCCr7vNNbOX6SUEUc/9KTuyszQdaBxLRM8+xw== - dependencies: - "@aws-cdk/cloud-assembly-schema" "1.156.1" - "@aws-cdk/cx-api" "1.156.1" - "@aws-cdk/region-info" "1.156.1" - "@balena/dockerignore" "^1.0.2" - constructs "^3.3.69" - fs-extra "^9.1.0" - ignore "^5.2.0" - minimatch "^3.1.2" - -"@aws-cdk/cx-api@1.156.1": - version "1.156.1" - resolved "https://registry.yarnpkg.com/@aws-cdk/cx-api/-/cx-api-1.156.1.tgz" - integrity sha512-xfz4QclTynPavSWiWUBpxqoMpCz01oFPlcnwtVWrMCSJuR9qLyXmpXmvBwGTPJ4FGY0xUNgluWe5/Bm8s4PcTQ== - dependencies: - "@aws-cdk/cloud-assembly-schema" "1.156.1" - semver "^7.3.7" - -"@aws-cdk/region-info@1.156.1": - version "1.156.1" - resolved "https://registry.yarnpkg.com/@aws-cdk/region-info/-/region-info-1.156.1.tgz" - integrity 
sha512-+LjfeJRFM7K9TzWzCIuWABDsf/KyCBNkCbwHmQXd+ORnrWffQU6u0CcQlq1E0ZHfIlHt+tFPIUx9XHa+FH4CUw== - "@aws-crypto/crc32@2.0.0": version "2.0.0" resolved "https://registry.yarnpkg.com/@aws-crypto/crc32/-/crc32-2.0.0.tgz" @@ -2337,9 +2292,9 @@ constructs "^10.0.5" "@pwrdrvr/microapps-app-release-cdk@^0.4.3": - version "0.4.3" - resolved "https://registry.yarnpkg.com/@pwrdrvr/microapps-app-release-cdk/-/microapps-app-release-cdk-0.4.3.tgz#6b4f76930614410ae29d9a79676e36f1569b4440" - integrity sha512-VlFH5WsOL8SVwlOIZ3B+p40GIAOf7En8syOddov0bKhHe9B/e8hL23AQmOyK8hc860Y934/Jgbt6iHsaQ/FR+Q== + version "0.4.5" + resolved "https://registry.yarnpkg.com/@pwrdrvr/microapps-app-release-cdk/-/microapps-app-release-cdk-0.4.5.tgz#1ab0ca8f1ea2944fb03d4265d006124850c1060a" + integrity sha512-TuRqkwuqJG1Q4P1tadbbUdlMNlmVOVRWwCHN1Xz+a2vnria/KrrLnxTru/BOq0PGQ3H8Qbl9e00X9uFniuOdXA== dependencies: aws-cdk-lib "^2.8.0" constructs "^10.0.5" @@ -3775,7 +3730,7 @@ console-control-strings@^1.1.0: resolved "https://registry.yarnpkg.com/console-control-strings/-/console-control-strings-1.1.0.tgz" integrity sha1-PXz0Rk22RG6mRL9LOVB/mFEAjo4= -constructs@10.0.5, constructs@^10.0.5, constructs@^3.3.69: +constructs@10.0.5, constructs@^10.0.5: version "10.0.5" resolved "https://registry.yarnpkg.com/constructs/-/constructs-10.0.5.tgz" integrity sha512-IwOwekzrASFC3qt4ozCtV09rteAIAesuCGsW0p+uBfqHd2XcvA5CXqJjgf4eUqm6g8e/noXlVCMDWwC8GaLtrg== From 85732409a7864dc8e36e4f0231a605f6faf0db2d Mon Sep 17 00:00:00 2001 From: Harold Date: Sun, 1 Jan 2023 23:14:07 -0500 Subject: [PATCH 2/2] Fix the statement --- .../src/controllers/VersionController.ts | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/packages/microapps-deployer/src/controllers/VersionController.ts b/packages/microapps-deployer/src/controllers/VersionController.ts index 7671f0ba..641d29af 100644 --- a/packages/microapps-deployer/src/controllers/VersionController.ts 
+++ b/packages/microapps-deployer/src/controllers/VersionController.ts @@ -83,19 +83,20 @@ export default class VersionController { // Generate a temp policy for staging bucket app prefix const iamPolicyDoc = { - statements: [ + Statement: [ { - effect: 'Allow', - actions: ['s3:PutObject', 's3:GetObject', 's3:AbortMultipartUpload'], - resources: [`arn:aws:s3:::${config.filestore.stagingBucket}/*`], + Effect: 'Allow', + Action: ['s3:PutObject', 's3:GetObject', 's3:AbortMultipartUpload'], + Resource: [`arn:aws:s3:::${config.filestore.stagingBucket}/*`], // TODO: Add condition to limit to app prefix }, { - effect: 'Allow', - actions: ['s3:ListBucket'], - resources: [`arn:aws:s3:::${config.filestore.stagingBucket}`], + Effect: 'Allow', + Action: ['s3:ListBucket'], + Resource: [`arn:aws:s3:::${config.filestore.stagingBucket}`], }, ], + Version: '2012-10-17', }; Log.Instance.debug('Temp IAM Policy', { policy: JSON.stringify(iamPolicyDoc) });
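Review bot: `iamPolicyDoc` is an untyped object literal, so nothing at compile time checks that its keys match the IAM policy grammar; the key casing corrected in this hunk would only have surfaced when STS parsed the `Policy` string. Annotating the literal with a small new local type that names `Version`, `Statement`, `Effect`, `Action`, `Resource` and an optional `Condition`, as in `const iamPolicyDoc: SessionPolicyDocument = {`, would turn that class of mistake into an excess-property type error. A comment above the literal would also record why the scope of these statements matters, for example `// Session policy: effective permissions are the intersection of this document and the upload role's own policy`. The enclosing method starts and ends outside the hunk.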