Merge pull request #20 from Connected-Places/chore/update-s3-access-p…

…olicy Update cloudformation template to use new aws s3 access policy
Connected-Places · May 12, 2023 · d2eda25 · d2eda25
2 parents 44e617b + b8a04cf
commit d2eda25
Showing 1 changed file with 51 additions and 7 deletions.
diff --git a/aws/cloudformation.py b/aws/cloudformation.py
@@ -1,8 +1,8 @@
 # ==================================================
 # This stack creates the API infrastructure.
 # ==================================================
-from troposphere import Template, Parameter, Ref, GetAtt, Join, Output
-from troposphere.s3 import Bucket, OwnershipControls, OwnershipControlsRule, PublicAccessBlockConfiguration
+from troposphere import Template, Parameter, Ref, GetAtt, Join, Sub, Output
+from troposphere.s3 import Bucket, BucketPolicy, OwnershipControls, OwnershipControlsRule, PublicAccessBlockConfiguration
 import troposphere.iam as iam
 import troposphere.cloudfront as cloudfront
 import uuid
@@ -71,19 +71,56 @@
  'Bucket',
  BucketName=bucket_name_variable,
  PublicAccessBlockConfiguration=PublicAccessBlockConfiguration(
- BlockPublicAcls=False,
- BlockPublicPolicy=False,
- IgnorePublicAcls=False,
- RestrictPublicBuckets=False
+ BlockPublicAcls=True,
+ BlockPublicPolicy=True,
+ IgnorePublicAcls=True,
+ RestrictPublicBuckets=True
  ),
  OwnershipControls=OwnershipControls(
  Rules=[
  OwnershipControlsRule(
  ObjectOwnership="BucketOwnerPreferred"
  )
  ]
+ ),
+ )
+)
+
+cloudfront_oai = template.add_resource(
+ cloudfront.CloudFrontOriginAccessIdentity(
+ 'CloudFrontOAI',
+ CloudFrontOriginAccessIdentityConfig=cloudfront.CloudFrontOriginAccessIdentityConfig(
+ Comment=Sub("Cloudfront OAI for ${Cname}")
  )
+ )
+)
 
+bucket_policy = template.add_resource(
+ BucketPolicy(
+ 'PublicBucketPolicy',
+ Bucket=Ref(bucket_resource),
+ PolicyDocument={
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "s3:GetObject"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ Join("", [
+ "arn:aws:s3:::",
+ Ref(bucket_resource),
+ "/*"
+ ]
+ )
+ ],
+ "Principal": {
+ 'CanonicalUser': GetAtt(cloudfront_oai, 'S3CanonicalUserId')
+ }
+ }
+ ]
+ }
  )
 )
 
@@ -111,6 +148,11 @@
  ErrorCode=404,
  ResponseCode=200,
  ResponsePagePath='/index.html'
+ ),
+ cloudfront.CustomErrorResponse(
+ ErrorCode=403,
+ ResponseCode=200,
+ ResponsePagePath='/index.html'
  )
  ],
  DefaultCacheBehavior=cloudfront.DefaultCacheBehavior(
@@ -127,7 +169,9 @@
  cloudfront.Origin(
  DomainName=GetAtt(bucket_resource, 'DomainName'),
  Id=Join('-', ['S3', Ref(bucket_resource)]),
- S3OriginConfig=cloudfront.S3OriginConfig()
+ S3OriginConfig=cloudfront.S3OriginConfig(
+ OriginAccessIdentity=Join('', ['origin-access-identity/cloudfront/', Ref(cloudfront_oai)])
+ )
  )
  ],
  ViewerCertificate=cloudfront.ViewerCertificate(