

Avoid overwriting existing resources in s3-access policy statements (#768)

Should have stuck to my original code - updating Statement dicts with empty Resource list removes all resources 🤦‍♂️
andyhd authored Oct 22, 2019
1 parent 54371e9 commit a0e4bde
Showing 2 changed files with 8 additions and 3 deletions.
3 changes: 0 additions & 3 deletions controlpanel/api/aws.py
Expand Up @@ -106,19 +106,16 @@ def iam_arn(resource, account=settings.AWS_ACCOUNT_ID):
's3:ListBucket',
],
'Effect': 'Allow',
'Resource': [],
},
'readonly': {
'Sid': 'readonly',
'Action': READ_ACTIONS,
'Effect': 'Allow',
'Resource': [],
},
'readwrite': {
'Sid': 'readwrite',
'Action': READ_ACTIONS + WRITE_ACTIONS,
'Effect': 'Allow',
'Resource': [],
},
}

8 changes: 8 additions & 0 deletions tests/api/test_aws.py
Expand Up @@ -308,6 +308,14 @@ def test_grant_bucket_access(iam, users, resources):
else:
assert bucket_arn in statements['list']['Resource']

aws.grant_bucket_access(user.iam_role_name, f'{bucket_arn}-2', 'readonly')
policy.reload()
statements = get_statements_by_sid(policy.policy_document)
expected_num_resources = 2
if path_arns:
expected_num_resources = len(path_arns) + 1
assert len(statements['readonly']['Resource']) == expected_num_resources


@pytest.mark.parametrize(
'resources',
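Review bot: The new assertion only checks the number of entries in `statements['readonly']['Resource']`, so it would still pass if the second grant replaced the first ARN with a different one, or if an unrelated ARN were added — it does not pin the regression this commit fixes (a grant wiping the statement's existing resources) to the actual ARNs. Assert membership of both ARNs in addition to the count: `assert bucket_arn in statements['readonly']['Resource']` and `assert f'{bucket_arn}-2' in statements['readonly']['Resource']`. That also keeps the test a tighter least-privilege check, since it verifies exactly which bucket ARNs the role ends up with rather than how many. The `path_arns` fixture and the earlier `readonly` grant that make the `len(path_arns) + 1` branch correct are outside the hunk, as is the start of `test_grant_bucket_access`, so the expected-count logic could not be verified here.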
