From 862712b3278a06dddc8d22dd373f12d4dce0daf0 Mon Sep 17 00:00:00 2001
From: Anton Tayanovskyy
Date: Thu, 3 Oct 2024 11:15:02 -0400
Subject: [PATCH] Same for vault

---
 secrets-provider/vault/index.ts | 32 ++++++--------------------------
 1 file changed, 6 insertions(+), 26 deletions(-)

diff --git a/secrets-provider/vault/index.ts b/secrets-provider/vault/index.ts
index 121481353..5594d204a 100644
--- a/secrets-provider/vault/index.ts
+++ b/secrets-provider/vault/index.ts
@@ -10,36 +10,16 @@
 const config = new pulumi.Config();
 const bucketName = config.require('bucketName');
 const secretValue = config.requireSecret('secretValue');
-function configureACL(bucketName: string, bucket: aws.s3.BucketV2, acl: string): aws.s3.BucketAclV2 {
- const ownership = new aws.s3.BucketOwnershipControls(bucketName, {
- bucket: bucket.bucket,
- rule: {
- objectOwnership: "BucketOwnerPreferred",
- }
- });
- const publicAccessBlock = new aws.s3.BucketPublicAccessBlock(bucketName, {
- bucket: bucket.bucket,
- blockPublicAcls: false,
- blockPublicPolicy: false,
- ignorePublicAcls: false,
- restrictPublicBuckets: false,
- });
- const bucketACL = new aws.s3.BucketAclV2(bucketName, {
- bucket: bucket.bucket,
- acl: acl,
- }, {
- dependsOn: [ownership, publicAccessBlock]
- });
- return bucketACL;
-}
-
-// Create a private bucket
+// Create a private bucket.
+//
+// The configuration is kept very simple as the goal of this example is to demonstrate KMS encryption, not storing
+// secrets in buckets securely. In a real-world scenario if you are certain you need to be storing sensitive data in
+// buckets and have eliminated other storage options, consider setting up a custom KMS key, enforcing TLS, and enabling
+// versioning for the bucket.
 const bucket = new aws.s3.BucketV2("bucket", {
 bucket: bucketName,
 });
-configureACL("bucket", bucket, "private");
-
 
 // Create an object from the secret value
 const superSecretObject = new aws.s3.BucketObject("secret", {
 bucket: bucket.id,
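Review bot: The added comment above the `BucketV2` says the goal of this example is "to demonstrate KMS encryption", but the patched file is `secrets-provider/vault/index.ts`, so the wording looks carried over from a sibling example (the subject "Same for vault" suggests it); rewording it to `// The configuration is kept very simple as the goal of this example is to demonstrate the Vault secrets provider, not storing` keeps the guidance accurate for this directory, and the closing "custom KMS key" advice should likewise be reviewed for whether it still applies here. Removing `configureACL` also removes the `BucketPublicAccessBlock` that set all four block flags to `false`, which is the right direction, but the new side now sets neither an ACL nor a public access block, so the "Create a private bucket" heading rests on the target account's S3 defaults rather than on anything in the program. If the example is meant to assert privacy rather than assume it, declaring a `BucketPublicAccessBlock` with the four flags set to `true` (the inverse of the removed configuration) makes that explicit without reintroducing an ACL; a short comment saying the bucket relies on account defaults would be the minimal alternative.
```typescript
const bucket = new aws.s3.BucketV2("bucket", {
  bucket: bucketName,
});

// Make the "private" intent explicit instead of relying on account-level S3 defaults.
new aws.s3.BucketPublicAccessBlock("bucket", {
  bucket: bucket.bucket,
  blockPublicAcls: true,
  blockPublicPolicy: true,
  ignorePublicAcls: true,
  restrictPublicBuckets: true,
});

// … unchanged: BucketObject creation from secretValue …
```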