feat(aws-s3): add option to specify block public access settings #1664
Conversation
| @@ -514,6 +519,10 @@ export abstract class BucketBase extends cdk.Construct implements IBucket { | |||
| * @returns The `iam.PolicyStatement` object, which can be used to apply e.g. conditions. | |||
| */ | |||
| public grantPublicAccess(keyPrefix = '*', ...allowedActions: string[]): iam.PolicyStatement { | |||
| if (this.publicAccessBlocked) { | |||
| throw new Error('Cannot grant public access when block public access settings are enabled'); | |||
There was a problem hiding this comment.
Change "block public access" to "blockPublicAccess"
|
|
||
| /** | ||
| * Enables all block public access settings on the bucket. | ||
| * |
| @@ -666,7 +683,15 @@ export class Bucket extends BucketBase { | |||
| bucketEncryption, | |||
| versioningConfiguration: props.versioned ? { status: 'Enabled' } : undefined, | |||
| lifecycleConfiguration: new cdk.Token(() => this.parseLifecycleConfiguration()), | |||
| websiteConfiguration: this.renderWebsiteConfiguration(props) | |||
| websiteConfiguration: this.renderWebsiteConfiguration(props), | |||
| publicAccessBlockConfiguration: props.blockPublicAccess | |||
There was a problem hiding this comment.
We should support the entire surface area of the feature, but also find a way to provide a more ergonomic API.
How about using an "enum-like class":
export interface BlockPublicAccessOptions {
blockPublicAcls?: boolean;
ignorePublicAcls?: boolean;
blockPublicPolicy?: boolean;
restrictPublicBuckets?: boolean;
}
export class BlockPublicAccess {
public static blockAll = new BlockPublicAccess({ blockPublicAcls: true, ...true, true, true... });
public static block... // maybe there are other canned settings we can provide
constructor(options: BlockPublicAccessOptions) { ... }
}There was a problem hiding this comment.
@jogold have you seen this comment?
There was a problem hiding this comment.
Yes, I understand your point. I initially thought that a propertyOverrides would be sufficient here.
What kind of api/naming would like to see on the Bucket construct? props.blockPublicAccess becomes an instance of BlockPublicAccess? Do I need to add an interface BlockPublicAccessOptions as suggested or can I reuse the generated one (CfnBucket.PublicAccessBlockConfigurationProperty)
There was a problem hiding this comment.
We try not to "leak" the CFN layer, eventually L2 should cover the entire surface area. We don't want people to need to traverse these layers to use prop overrides. Please define another props interface. In most cases it's not a 1:1 mapping (although it might be here). We also want to able to evolve those independently.
As for naming, blockPublicAccess of type BlockPublicAccess, so the usage would be:
blockPublicAccess: BlockPublicAccess.blockAll(a bit of a mouthfull but not too bad)
There was a problem hiding this comment.
See latest commit:
- used
BlockAll(capitalized) - added
BlockAcls grantPublicReadnow only throws whenblockPublicPolicyis enabled because it's only in this case that S3 rejects calls to PUT Bucket policy.
| /** | ||
| * Whether all block public access settings are enabled | ||
| */ | ||
| protected abstract publicAccessBlocked?: boolean; |
There was a problem hiding this comment.
Since this is not really accurate for the case of an imported bucket, rename this to disallowPublicAccess. It will semantically reflect what this is actually used for instead falsely representing this configuration for imported buckets.
There was a problem hiding this comment.
Is indeed better, done.
| "PublicAccessBlockConfiguration": { | ||
| "BlockPublicAcls": true, | ||
| "BlockPublicPolicy": true, | ||
| "IgnorePublicAcls": true, |
There was a problem hiding this comment.
Verify behavior for imported buckets
There was a problem hiding this comment.
What do you want me to check for imported buckets in the generated CF output? I don't get it.
There was a problem hiding this comment.
Specifically, I think the code not covered is grantPublicAccess should throw an error, no?
eladb
changed the title
jogold
changed the title
| /** | ||
| * The block public access configuration of this bucket. | ||
| */ | ||
| protected abstract blockPublicAccess?: BlockPublicAccess; |
There was a problem hiding this comment.
I actually think this should have remained disallowPublicAccess because it reflects the intent to disallow grantPublicAccess and not the specific type of public access blocked during configuration. Otherwise, you go back to faking it with the imported resource...
|
❤️ thanks! |
…#1664) Adds option to enable all block public access settings on the bucket (`blockPublicAccess`). Also throws an error when trying to use grantPublicAccess if blockPublicAccess is set to true. https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html
Adds option to enable all block public access settings on the bucket (
blockPublicAccess). Also throws an error when trying to usegrantPublicAccessifblockPublicAccessis set to true.https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html
Pull Request Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.