feat(cloudtrail): accept existing S3 bucket #3680
Conversation
Master to latest
Sync with upstream base
…licy. The bucket is externally created; we just check it is present and the LogGroup and trail are created.
…lipdexic/aws-cdk into slipdexic/cloudtrail-s3-bucket
Pull Request Checklist
Codebuild (Continuous Integration) build failed for current commits. Please check log and resolve before PR is merged.
merge base into local fork
chore: fixes mergify commenting on check failures (aws#3693)
Pull master into fork
Pull master into branch
StringEquals: {'s3:x-amz-acl': "bucket-owner-full-control"} | ||
} | ||
})); | ||
if (props.s3Bucket === undefined) { |
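Review bot: with the `if (props.s3Bucket === undefined)` guard, the `StringEquals` / `s3:x-amz-acl` statement above is only attached to a bucket the construct creates itself, so a caller-supplied bucket has to carry an equivalent grant for `cloudtrail.amazonaws.com` already; either state that responsibility in the doc comment of the `s3Bucket` prop, or keep the `addToResourcePolicy` call unconditional and let callers who cannot modify the bucket's policy pass a wrapper that ignores it.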
I think this can be made simpler by writing something like:
this.s3bucket = props.bucket || new s3.Bucket(...);
Same as we do for roles all over the place.
This would then cause the policy to be applied to the bucket; the intent was to not apply the policy, as the bucket is pre-defined.
@rix0rrr I have applied the change as suggested.
|
||
this.s3bucket = new s3.Bucket(this, 'S3', {encryption: s3.BucketEncryption.UNENCRYPTED}); | ||
|
||
this.s3bucket.addToResourcePolicy(new iam.PolicyStatement({ |
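Review bot: `encryption: s3.BucketEncryption.UNENCRYPTED` on the default bucket leaves the trail's log objects without server-side encryption at rest; since this PR already adds a prop for supplying a bucket, it would be cheap to also accept the encryption setting via props (or default to a managed key) instead of hard-coding `UNENCRYPTED` here.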
To match the behavior of roles, I think we should add to the resource policy, even if a literal bucket is given.
If that is undesired, an adapter for IBucket which drops calls to addToResourcePolicy() can always be written.
The purpose of this PR is to allow a bucket with pre-defined policies to be passed in.
I work in sectors where only the security team can create policies.
One current use case for this is that a company may use a central logging bucket or send CT logs to a SOC bucket owned by another company; in these two cases, CDK would not have permissions to apply any policies.
If that is undesired, an adapter for IBucket which drops calls to addToResourcePolicy() can always be written.
I would not know where to start.
I work in sectors where only the security team can create policies.
Yep, and we need a way to address that use case across the entire CDK. You'll have noticed this is not the only situation in which the CDK tries to do "too much" for users in locked-down IAM environments.
In the meantime, I don't think we should have inconsistent behavior across the CDK because the feature author happens to work or not work in a locked-down environment.
I would not know where to start.
A rough sketch of it would be something like:
class BucketWrapper implements IBucket {
constructor(private readonly inner: IBucket) {
}
public get bucketArn() {
return this.inner.bucketArn;
}
public urlForObject(key?: string) {
return this.inner.urlForObject(key);
}
// ...
public addToResourcePolicy(statement: iam.PolicyStatement) {
// Intentionally do nothing
}
}
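The adapter sketched above, carried through as an added, runnable illustration (this is not code from the PR or from aws-cdk): a wrapper that satisfies the bucket interface, forwards the read-only members, and deliberately drops `addToResourcePolicy()`, so a construct that always grants CloudTrail write access leaves a pre-provisioned bucket's policy untouched. `IBucket`, `PolicyStatement`, `RecordingBucket` and `attachTrailBucket` are minimal stand-ins defined inline so the file runs without the CDK installed; they are not the CDK's real types, and the bucket ARN is a constructed sample.

```typescript
// Stand-in for iam.PolicyStatement: just the fields needed to show the pattern.
interface PolicyStatement {
  actions: string[];
  resources: string[];
  conditions?: Record<string, Record<string, string>>;
}

// Stand-in for s3.IBucket, reduced to the members the sketch above forwards.
interface IBucket {
  readonly bucketArn: string;
  urlForObject(key?: string): string;
  addToResourcePolicy(statement: PolicyStatement): void;
}

// Stand-in for a bucket the stack owns: every statement is actually recorded,
// which is what the real construct's addToResourcePolicy() does.
class RecordingBucket implements IBucket {
  public readonly statements: PolicyStatement[] = [];
  constructor(public readonly bucketArn: string) {}
  public urlForObject(key?: string): string {
    const name = this.bucketArn.split(':::')[1];
    return `https://${name}.s3.amazonaws.com/${key ?? ''}`;
  }
  public addToResourcePolicy(statement: PolicyStatement): void {
    this.statements.push(statement);
  }
}

// The adapter from the review comment: read-only members pass through,
// policy mutations are swallowed because the bucket's policy is owned elsewhere
// (e.g. by a security team or a different account).
class BucketWrapper implements IBucket {
  constructor(private readonly inner: IBucket) {}
  public get bucketArn(): string {
    return this.inner.bucketArn;
  }
  public urlForObject(key?: string): string {
    return this.inner.urlForObject(key);
  }
  public addToResourcePolicy(_statement: PolicyStatement): void {
    // Intentionally do nothing.
  }
}

// Stand-in for the Trail construct's bucket handling: it grants CloudTrail
// write access unconditionally, the consistent behaviour argued for above.
function attachTrailBucket(bucket: IBucket): IBucket {
  bucket.addToResourcePolicy({
    actions: ['s3:PutObject'],
    resources: [`${bucket.bucketArn}/*`],
    conditions: { StringEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' } },
  });
  return bucket;
}

// Returns the statements that actually reached the underlying bucket.
function statementsApplied(wrap: boolean): PolicyStatement[] {
  const owned = new RecordingBucket('arn:aws:s3:::example-trail-logs'); // constructed sample ARN
  attachTrailBucket(wrap ? new BucketWrapper(owned) : owned);
  return owned.statements;
}

// Passthrough check: the wrapper must still expose the same ARN-derived URL.
function wrappedUrl(key: string): string {
  const owned = new RecordingBucket('arn:aws:s3:::example-trail-logs'); // constructed sample ARN
  return new BucketWrapper(owned).urlForObject(key);
}

// Stand-alone run: 1 statement on an owned bucket, 0 on a wrapped one.
console.log(statementsApplied(false).length, statementsApplied(true).length);
```

The point of the check at the end is the one made in the thread: the construct code stays identical in both environments, and the decision not to touch the policy lives entirely in the object the caller passes in.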
OK, I will implement your suggestion; I was not aware of using the above suggested pattern to override addToResourcePolicy. We need to make everyone aware in the documentation about this way of handling this type of issue.
I agree, and we should probably provide a set of these classes out of the box.
Wrote up an issue here: #3753
Merge base into fork
Pull latest master into branch
@rix0rrr please review again.
Pull in V1.5 from Base
Pull in V1.5 from Master
Make CloudTrail accept existing S3 bucket to write to.
Fixes #3651.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license