Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make s3 bucket policy extend default ssl policy #49

Merged
merged 2 commits into from
Jun 14, 2024
Merged

Make s3 bucket policy extend default ssl policy #49

merged 2 commits into from
Jun 14, 2024

Conversation

anthonyhashemi
Copy link
Contributor

@anthonyhashemi anthonyhashemi commented Jun 13, 2024
edited
Loading

Make s3 bucket policy extend default ssl policy so that we can pass in a policy with extra restrictions but always deny ssl requests as per https://national-archives.atlassian.net/wiki/spaces/DAAE/pages/395477060/Simple+Storage+Service+S3

In action in AYR repo (temporarily pointed it to this branch):
https://github.com/nationalarchives/da-ayr-terraform/pull/166
https://github.com/nationalarchives/da-ayr-terraform/actions/runs/9498690780/job/26177949659

Screenshot 2024-06-13 at 12 20 31

@anthonyhashemi anthonyhashemi force-pushed the make-s3-policy-extend-default-ssl=policy branch 4 times, most recently from 9e97480 to ee62f9a Compare June 13, 2024 11:19
MancunianSam
MancunianSam reviewed Jun 14, 2024
View reviewed changes
Copy link
Contributor

@MancunianSam MancunianSam left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is really good, thanks.
Could you update the description of the bucket_policy variable to say that it adds a statement with a sid called AllowSSLRequestsOnly and that you don't need to add that to the provided bucket policy.

It's only because if someone passes in a policy which has a statement with that Sid then it will fail so it'd be good to have the variable explain why.

@anthonyhashemi
Copy link
Contributor Author

This is really good, thanks. Could you update the description of the bucket_policy variable to say that it adds a statement with a sid called AllowSSLRequestsOnly and that you don't need to add that to the provided bucket policy.

It's only because if someone passes in a policy which has a statement with that Sid then it will fail so it'd be good to have the variable explain why.

Ah yeah good shout, will do 👌

@anthonyhashemi anthonyhashemi force-pushed the make-s3-policy-extend-default-ssl=policy branch from b3af6d0 to 58f6686 Compare June 14, 2024 09:33
MancunianSam
MancunianSam approved these changes Jun 14, 2024
View reviewed changes
Copy link
Contributor

@MancunianSam MancunianSam left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@anthonyhashemi anthonyhashemi force-pushed the make-s3-policy-extend-default-ssl=policy branch from 58f6686 to 113f1f1 Compare June 14, 2024 10:16
@anthonyhashemi anthonyhashemi merged commit 33f58b5 into main Jun 14, 2024
1 check passed
@anthonyhashemi anthonyhashemi deleted the make-s3-policy-extend-default-ssl=policy branch June 14, 2024 10:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MancunianSam MancunianSam MancunianSam approved these changes

@TomJKing TomJKing Awaiting requested review from TomJKing

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@anthonyhashemi @MancunianSam