Update CloudFront to use OAC instead of OAI #363

Merged: 2 commits, Apr 28, 2023
2 changes: 2 additions & 0 deletions CHANGELOG.md
@@ -2,6 +2,8 @@

## v0.59 (unreleased)

- [#363](https://github.com/awslabs/amazon-s3-find-and-forget/pull/363): Bump
cfn-lint version, update CloudFront to use OAC instead of OAI
- [#360](https://github.com/awslabs/amazon-s3-find-and-forget/pull/360):
Refactor of Web UI S3 bucket access control mechanisms

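Review bot: the #363 entry reads as a cosmetic swap, but for an existing stack it is a migration: the `CloudFrontOriginAccessIdentity` resource is removed and the Web UI bucket policy stops trusting the OAI's canonical user (see templates/web_ui.yaml in this PR), so the entry should tell operators that an in-place update replaces the OAI with an OAC and that the Web UI can return 403 while the distribution and the bucket policy are updated separately. It also omits the new `-i W3002` cfn-lint suppression added to the Makefile, which belongs next to the version bump since the bump is what made it necessary.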
2 changes: 1 addition & 1 deletion Makefile
@@ -83,7 +83,7 @@ generate-pip-requirements: $(patsubst %.in,%.txt,$(shell find . -type f -name re

.PHONY: lint-cfn
lint-cfn:
$(VENV)/bin/cfn-lint templates/*
$(VENV)/bin/cfn-lint -i W3002 templates/*

package:
make package-artefacts
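Review bot: `-i W3002` in `lint-cfn` now suppresses that rule for every file matched by `templates/*`, and nothing in the diff records which template or resource started failing it after the jump from cfn-lint 0.61.0 to 0.77.3. Scope it to the resource that needs it with cfn-lint's resource-level override (`Metadata: cfn-lint: config: ignore_checks: [W3002]`) or, if a global ignore is really intended, add a comment above the recipe naming the cause, so the flag does not silently hide future W3002 findings in the other templates.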
2 changes: 1 addition & 1 deletion requirements.in
@@ -1,7 +1,7 @@
pip-tools>=6.12.1
pytest==7.2.0
certifi>=2022.12.7
cfn-lint==0.61.0
cfn-lint==0.77.3
cfn-flip==1.3.0
mock==4.0.1
pytest-cov==4.0.0
20 changes: 16 additions & 4 deletions requirements.txt
@@ -17,7 +17,7 @@ aws-assume-role-lib==2.10.0
# via
# -r ./backend/ecs_tasks/delete_files/requirements.txt
# -r ./backend/lambda_layers/aws_sdk/requirements.txt
aws-sam-translator==1.48.0
aws-sam-translator==1.66.0
# via cfn-lint
black==22.3.0
# via -r requirements.in
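Review bot: the generated lock file stays version-pinned only, and this bump pulls in new transitive packages further down in the same file (pydantic 1.10.7 via aws-sam-translator; sympy 1.11.1, mpmath 1.3.0 and regex 2023.3.23 via cfn-lint) with no hashes. Since pip-tools already generates requirements.txt (it is listed in requirements.in), regenerating with `pip-compile --generate-hashes` would make `pip install -r requirements.txt` verify each artifact, which is cheap protection for a lint toolchain that runs in CI.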
@@ -47,7 +47,7 @@ cfgv==3.3.1
# via pre-commit
cfn-flip==1.3.0
# via -r requirements.in
cfn-lint==0.61.0
cfn-lint==0.77.3
# via -r requirements.in
charset-normalizer==2.1.0
# via requests
@@ -97,6 +97,8 @@ junit-xml==1.9
# via cfn-lint
mock==4.0.1
# via -r requirements.in
mpmath==1.3.0
# via sympy
mypy-extensions==0.4.3
# via black
networkx==2.8.5
@@ -138,6 +140,8 @@ pycparser==2.21
# via
# -r ./backend/ecs_tasks/delete_files/requirements.txt
# cffi
pydantic==1.10.7
# via aws-sam-translator
pyparsing==3.0.9
# via packaging
pyrsistent==0.18.1
@@ -169,6 +173,8 @@ pyyaml==6.0
# cfn-lint
# pre-commit
# yq
regex==2023.3.23
# via cfn-lint
requests==2.28.1
# via -r requirements.in
s3transfer==0.6.0
@@ -187,6 +193,8 @@ six==1.16.0
# jsonschema
# junit-xml
# python-dateutil
sympy==1.11.1
# via cfn-lint
tenacity==8.0.1
# via -r ./backend/ecs_tasks/delete_files/requirements.txt
toml==0.10.2
@@ -198,9 +206,13 @@ tomli==2.0.1
# black
# build
# coverage
# pep517
# pytest
typing-extensions==4.3.0
# via black
typing-extensions==4.5.0
# via
# aws-sam-translator
# black
# pydantic
urllib3==1.26.11
# via
# -r ./backend/ecs_tasks/delete_files/requirements.txt
21 changes: 14 additions & 7 deletions templates/web_ui.yaml
@@ -81,19 +81,26 @@ Resources:
Effect: Allow
Resource: !Sub arn:${AWS::Partition}:s3:::${WebUIBucket}/*
Principal:
CanonicalUser: !GetAtt CloudFrontOriginAccessIdentity.S3CanonicalUserId
Service: cloudfront.amazonaws.com
Condition:
StringEquals:
"AWS:SourceArn": !Sub "arn:${AWS::Partition}:cloudfront::${AWS::AccountId}:distribution/${CloudFrontDistribution.Id}"
- Sid: AllowDirectAccess
Action: s3:GetObject
Effect: Allow
Resource: !Sub arn:${AWS::Partition}:s3:::${WebUIBucket}/*
Principal: "*"

CloudFrontOriginAccessIdentity:
Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
CloudFrontOAC:
Type: AWS::CloudFront::OriginAccessControl
Condition: WithCloudFront
Properties:
CloudFrontOriginAccessIdentityConfig:
Comment: !Ref WebUIBucket
OriginAccessControlConfig:
Description: S3F2 Web UI
Name: !Sub "${ResourcePrefix}-WebUI-OAC"
OriginAccessControlOriginType: s3
SigningBehavior: always
SigningProtocol: sigv4

CloudFrontDistribution:
Type: AWS::CloudFront::Distribution
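Review bot: replacing the OAI's `CanonicalUser` principal with `Service: cloudfront.amazonaws.com` in the same update that changes the distribution's origin leaves a window on existing stacks: whichever of the bucket policy and the distribution CloudFormation updates second, the edges are signing with one identity while the bucket trusts only the other, so the Web UI can serve 403s until both changes have propagated. The safer sequence is to keep the OAI resource and its `CanonicalUser` statement alongside the new service-principal statement for one release and delete them in the next. Separately, the unchanged `AllowDirectAccess` statement still grants `s3:GetObject` to `Principal: "*"`; if it is active in the same deployment as the CloudFront statement, the `AWS:SourceArn` condition restricts nothing, so confirm that statement is only emitted in the no-CloudFront deployment mode (the gating is outside this hunk).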
@@ -103,8 +110,8 @@ Resources:
Origins:
- DomainName: !GetAtt WebUIBucket.RegionalDomainName
Id: !Sub ${ResourcePrefix}-myS3Origin
S3OriginConfig:
OriginAccessIdentity: !Sub origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}
OriginAccessControlId: !Ref CloudFrontOAC
S3OriginConfig: {}
Enabled: true
HttpVersion: http2
Comment: The Distribution for Amazon S3 Find and Forget
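Review bot: `S3OriginConfig: {}` next to `OriginAccessControlId` looks like a leftover from removing the OAI but is load-bearing: it is what marks this origin as an S3 origin, which the OAC needs, and `RegionalDomainName` above it supplies the REST (non-website) bucket endpoint that OAC signing requires. Add a short comment on that line so a later tidy-up does not drop it. Also, `CloudFrontOAC` carries `Condition: WithCloudFront`, so `!Ref CloudFrontOAC` here only resolves if the distribution is under the same condition; that Condition is outside this hunk, so worth a check.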