From 445fadc0806af85d98505fe3e0246f44d9670fa9 Mon Sep 17 00:00:00 2001
From: zchase
Date: Thu, 14 Dec 2023 12:52:03 -0800
Subject: [PATCH 01/10] Add bucket policy for uploads in testing
---
 infrastructure/index.ts | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/infrastructure/index.ts b/infrastructure/index.ts
index b46de9f14359..96298c999baa 100644
--- a/infrastructure/index.ts
+++ b/infrastructure/index.ts
@@ -94,6 +94,34 @@ const uploadsBucket = new aws.s3.Bucket("uploads-bucket", {
 }],
 });
+if (pulumi.getStack() === "www-testing") {
+ const marketingAppStack = new pulumi.StackReference("pulumi/marketing-db/staging");
+ const marketingAppAccountId = marketingAppStack.getOutput("awsAccountId");
+ const uploadsBucketPolicy = new aws.s3.BucketPolicy("uploads-bucket-policy", {
+ bucket: uploadsBucket.bucket,
+ policy: JSON.stringify({
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "Example permissions",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": `arn:aws:iam::${marketingAppAccountId}:root`
+ },
+ "Action": [
+ "s3:GetLifecycleConfiguration",
+ "s3:ListBucket"
+ ],
+ "Resource": [
+ `arn:aws:s3:::${uploadsBucket.bucket}`
+ ]
+ }
+ ]
+ }),
+ });
+}
+
 // This needs to be set in order to allow the use of ACLs. This was added to update our infrastructure to be
 // compatible with the default S3 settings from AWS' April update. `ObjectWriter` was the prior default, so
 // changing it to that here to match the configuration prior to the update.
From 1e2b49684873ce4c1de1bf7ba5234b4b4742ce4b Mon Sep 17 00:00:00 2001
From: Sean Holung
Date: Thu, 14 Dec 2023 13:00:50 -0800
Subject: [PATCH 02/10] temp commit deploy test
---
 .github/workflows/testing-build-and-deploy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/testing-build-and-deploy.yml b/.github/workflows/testing-build-and-deploy.yml
index afc3f105ebb9..e068d85babed 100644
--- a/.github/workflows/testing-build-and-deploy.yml
+++ b/.github/workflows/testing-build-and-deploy.yml
@@ -1,6 +1,6 @@
 name: Build and deploy testing
 on:
- push:
+ pull_request:
 branches:
 - master
 permissions:
From d9fcf7bfd8744b170ffba084c7211440573586eb Mon Sep 17 00:00:00 2001
From: zchase
Date: Thu, 14 Dec 2023 13:57:59 -0800
Subject: [PATCH 03/10] fix up bucket policy
---
 infrastructure/index.ts | 39 ++++++++++++++++++++------------------
 1 file changed, 20 insertions(+), 19 deletions(-)
diff --git a/infrastructure/index.ts b/infrastructure/index.ts
index 96298c999baa..fc569a76b020 100644
--- a/infrastructure/index.ts
+++ b/infrastructure/index.ts
@@ -100,25 +100,26 @@ if (pulumi.getStack() === "www-testing") {
 const uploadsBucketPolicy = new aws.s3.BucketPolicy("uploads-bucket-policy", {
 bucket: uploadsBucket.bucket,
- policy: JSON.stringify({
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "Example permissions",
- "Effect": "Allow",
- "Principal": {
- "AWS": `arn:aws:iam::${marketingAppAccountId}:root`
- },
- "Action": [
- "s3:GetLifecycleConfiguration",
- "s3:ListBucket"
- ],
- "Resource": [
- `arn:aws:s3:::${uploadsBucket.bucket}`
- ]
- }
- ]
- }),
+ policy: pulumi.all([uploadsBucket.bucket, marketingAppAccountId])
+ .apply(([bucket, accountId]) => JSON.stringify({
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "Example permissions",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": `arn:aws:iam::${accountId}:root`
+ },
+ "Action": [
+ "s3:GetLifecycleConfiguration",
+ "s3:ListBucket"
+ ],
+ "Resource": [
+ `arn:aws:s3:::${bucket}`
+ ]
+ }
+ ]
+ })),
 });
 }
From 351578f15c60a333e740fa36ac1d78375f36c80b Mon Sep 17 00:00:00 2001
From: zchase
Date: Mon, 18 Dec 2023 13:17:17 -0800
Subject: [PATCH 04/10] Update policy
---
 infrastructure/index.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/infrastructure/index.ts b/infrastructure/index.ts
index fc569a76b020..0a23ea8f0334 100644
--- a/infrastructure/index.ts
+++ b/infrastructure/index.ts
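Review bot: The switch from `push` to `pull_request` on `master` is labelled a temp commit, but none of the later patches in this series restores it, so the testing deploy would run for every PR targeting master rather than for merged commits. That deploys unmerged code to the testing stack, and for a PR opened from a fork the job would run with a read-only token and without repository secrets, so the deploy step would presumably fail there anyway. Revert the trigger to `push:` before merge, or split build and deploy into separate jobs so that only the build runs on `pull_request`. The `permissions:` block that follows continues outside the hunk.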
@@ -112,7 +112,8 @@ if (pulumi.getStack() === "www-testing") {
 },
 "Action": [
 "s3:GetLifecycleConfiguration",
- "s3:ListBucket"
+ "s3:ListBucket",
+ "s3:PutObject"
 ],
 "Resource": [
 `arn:aws:s3:::${bucket}`
From 9910c142099d6235a0bbafff4f6a0e0efe79808f Mon Sep 17 00:00:00 2001
From: zchase
Date: Mon, 18 Dec 2023 13:35:54 -0800
Subject: [PATCH 05/10] Update policy again
---
 infrastructure/index.ts | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/infrastructure/index.ts b/infrastructure/index.ts
index 0a23ea8f0334..c4443e48b986 100644
--- a/infrastructure/index.ts
+++ b/infrastructure/index.ts
@@ -111,12 +111,11 @@ if (pulumi.getStack() === "www-testing") {
 "AWS": `arn:aws:iam::${accountId}:root`
 },
 "Action": [
- "s3:GetLifecycleConfiguration",
- "s3:ListBucket",
- "s3:PutObject"
+ "s3:PutObject",
+ "s3:PutObjectAcl"
 ],
 "Resource": [
- `arn:aws:s3:::${bucket}`
+ `arn:aws:s3:::${bucket}/*`
 ]
 }
 ]
From 87f6f6df5e9c0c68e9f4b9b401b0eda38e569614 Mon Sep 17 00:00:00 2001
From: zchase
Date: Wed, 20 Dec 2023 09:18:37 -0800
Subject: [PATCH 06/10] Update policy
---
 infrastructure/index.ts | 28 ++++++++++++++++++++--------
 1 file changed, 20 insertions(+), 8 deletions(-)
diff --git a/infrastructure/index.ts b/infrastructure/index.ts
index c4443e48b986..0a2a1795f983 100644
--- a/infrastructure/index.ts
+++ b/infrastructure/index.ts
@@ -96,28 +96,40 @@ const uploadsBucket = new aws.s3.Bucket("uploads-bucket", {
 if (pulumi.getStack() === "www-testing") {
 const marketingAppStack = new pulumi.StackReference("pulumi/marketing-db/staging");
- const marketingAppAccountId = marketingAppStack.getOutput("awsAccountId");
+ const ecsRoleArn = marketingAppStack.getOutput("ecsRoleArn");
 const uploadsBucketPolicy = new aws.s3.BucketPolicy("uploads-bucket-policy", {
 bucket: uploadsBucket.bucket,
- policy: pulumi.all([uploadsBucket.bucket, marketingAppAccountId])
- .apply(([bucket, accountId]) => JSON.stringify({
+ policy: pulumi.all([uploadsBucket.bucket, ecsRoleArn])
+ .apply(([bucket, roleArn]) => JSON.stringify({
 "Version": "2012-10-17",
 "Statement": [
 {
- "Sid": "Example permissions",
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetBucketLocation"
+ ],
+ "Principal": {
+ "AWS": roleArn,
+ },
+ "Effect": "Allow",
+ "Resource": [
+ `arn:aws:s3:::${bucket}`
+ ]
+ },
+ {
 "Effect": "Allow",
 "Principal": {
- "AWS": `arn:aws:iam::${accountId}:root`
+ "AWS": roleArn,
 },
 "Action": [
- "s3:PutObject",
- "s3:PutObjectAcl"
+ "s3:GetObject",
+ "s3:PutObject"
 ],
 "Resource": [
 `arn:aws:s3:::${bucket}/*`
 ]
- }
+ },
 ]
 })),
 });
From 19e73c6de2ba32bc1fbed8e8764b6c6bc84d5046 Mon Sep 17 00:00:00 2001
From: zchase
Date: Wed, 20 Dec 2023 11:36:39 -0800
Subject: [PATCH 07/10] Update policy
---
 infrastructure/index.ts | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/infrastructure/index.ts b/infrastructure/index.ts
index 0a2a1795f983..5b088953641f 100644
--- a/infrastructure/index.ts
+++ b/infrastructure/index.ts
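Review bot: Both statements now name a role from another stack as principal, and a cross-account bucket-policy grant only takes effect if that role's own identity policy in the marketing account also allows these S3 actions; nothing in this file shows that side, so it should at least be stated next to `const ecsRoleArn`. A second caveat worth recording there: when an IAM role referenced by ARN in a resource policy is deleted, AWS rewrites the stored principal to the role's unique ID, so recreating the marketing ECS role would silently break access until this stack is re-deployed. I would add `// Cross-account grant: the marketing ECS task role must also allow these S3 actions in its own policy, and this policy must be re-applied if that role is ever recreated.` above the `getOutput` line. The closing brace of the enclosing `if` is outside the hunk.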
@@ -100,8 +100,8 @@ if (pulumi.getStack() === "www-testing") {
 const uploadsBucketPolicy = new aws.s3.BucketPolicy("uploads-bucket-policy", {
 bucket: uploadsBucket.bucket,
- policy: pulumi.all([uploadsBucket.bucket, ecsRoleArn])
- .apply(([bucket, roleArn]) => JSON.stringify({
+ policy: pulumi.all([uploadsBucket.arn, ecsRoleArn])
+ .apply(([bucketArn, roleArn]) => JSON.stringify({
 "Version": "2012-10-17",
 "Statement": [
 {
@@ -113,9 +113,7 @@ if (pulumi.getStack() === "www-testing") {
 "AWS": roleArn,
 },
 "Effect": "Allow",
- "Resource": [
- `arn:aws:s3:::${bucket}`
- ]
+ "Resource": bucketArn,
 },
 {
 "Effect": "Allow",
@@ -126,9 +124,7 @@ if (pulumi.getStack() === "www-testing") {
 "s3:GetObject",
 "s3:PutObject"
 ],
- "Resource": [
- `arn:aws:s3:::${bucket}/*`
- ]
+ "Resource": `${bucketArn}/*`,
 },
 ]
 })),
From 7fb19b0eaedbfe0dfe3c09bf2b1cfd7396f7b74a Mon Sep 17 00:00:00 2001
From: zchase
Date: Tue, 9 Jan 2024 08:14:04 -0800
Subject: [PATCH 08/10] Enable in prod/staging
---
 infrastructure/Pulumi.www-production.yaml | 7 ++++---
 infrastructure/Pulumi.www-testing.yaml | 7 ++++---
 infrastructure/index.ts | 10 +++++++---
 3 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/infrastructure/Pulumi.www-production.yaml b/infrastructure/Pulumi.www-production.yaml
index 9d961907bd89..738f2ad84e83 100644
--- a/infrastructure/Pulumi.www-production.yaml
+++ b/infrastructure/Pulumi.www-production.yaml
@@ -3,11 +3,12 @@ config:
 www.pulumi.com:addSecurityHeaders: "true"
 www.pulumi.com:certificateArn: "arn:aws:acm:us-east-1:388588623842:certificate/9db6a76b-f7ba-465b-ab96-ce1d3b8ae02c"
 www.pulumi.com:doEdgeRedirects: "true"
+ www.pulumi.com:hostedZone: www.pulumi.com
 www.pulumi.com:makeFallbackBucket: "false"
+ www.pulumi.com:marketingPortalStack: pulumi/marketing-db/production
 www.pulumi.com:originBucketNameOverride: ""
 www.pulumi.com:pathToOriginBucketMetadata: ../origin-bucket-metadata.json
+ www.pulumi.com:registryStack: "pulumi/registry/production"
+ www.pulumi.com:setRootRecord: "true"
 www.pulumi.com:websiteDomain: www.pulumi.com
 www.pulumi.com:websiteLogsBucketName: www-prod.pulumi.com-website-logs
- www.pulumi.com:hostedZone: www.pulumi.com
- www.pulumi.com:setRootRecord: true
- www.pulumi.com:registryStack: "pulumi/registry/production"
diff --git a/infrastructure/Pulumi.www-testing.yaml b/infrastructure/Pulumi.www-testing.yaml
index 5057bd4d94eb..e6e5ea654a0b 100644
--- a/infrastructure/Pulumi.www-testing.yaml
+++ b/infrastructure/Pulumi.www-testing.yaml
@@ -3,10 +3,11 @@ config:
 www.pulumi.com:addSecurityHeaders: "true"
 www.pulumi.com:certificateArn: "arn:aws:acm:us-east-1:571684982431:certificate/dacf95ab-d4dd-4370-9c93-6ce0b9dda7c0"
 www.pulumi.com:doEdgeRedirects: "true"
+ www.pulumi.com:hostedZone: www.pulumi-test.io
 www.pulumi.com:makeFallbackBucket: "false"
+ www.pulumi.com:marketingPortalStack: pulumi/marketing-db/staging
 www.pulumi.com:pathToOriginBucketMetadata: ../origin-bucket-metadata.json
+ www.pulumi.com:registryStack: "pulumi/registry/testing"
+ www.pulumi.com:setRootRecord: "true"
 www.pulumi.com:websiteDomain: www.pulumi-test.io
 www.pulumi.com:websiteLogsBucketName: pulumi-test-io-website-logs
- www.pulumi.com:hostedZone: www.pulumi-test.io
- www.pulumi.com:setRootRecord: true
- www.pulumi.com:registryStack: "pulumi/registry/testing"
diff --git a/infrastructure/index.ts b/infrastructure/index.ts
index 5b088953641f..0f30b01f44f6 100644
--- a/infrastructure/index.ts
+++ b/infrastructure/index.ts
@@ -49,6 +49,10 @@ const config = {
 // the registry stack to reference to route traffic to for `/registry` routes.
 registryStack: stackConfig.get("registryStack"),
+
+ // the marketing portal stack to reference to allow the marketing portal
+ // to add items to the uploads bucket.
+ marketingPortalStack: stackConfig.get("marketingPortalStack"),
 };
 const aiAppStack = new pulumi.StackReference('pulumi/pulumi-ai-app-infra/prod');
@@ -94,8 +98,8 @@ const uploadsBucket = new aws.s3.Bucket("uploads-bucket", {
 }],
 });
-if (pulumi.getStack() === "www-testing") {
- const marketingAppStack = new pulumi.StackReference("pulumi/marketing-db/staging");
+if (config.marketingPortalStack) {
+ const marketingAppStack = new pulumi.StackReference(config.marketingPortalStack);
 const ecsRoleArn = marketingAppStack.getOutput("ecsRoleArn");
 const uploadsBucketPolicy = new aws.s3.BucketPolicy("uploads-bucket-policy", {
@@ -111,7 +115,7 @@ if (pulumi.getStack() === "www-testing") {
 ],
 "Principal": {
 "AWS": roleArn,
- },
+ },
 "Effect": "Allow",
 "Resource": bucketArn,
 },
From 5ce7694149fcab2956e2572e711d5422e03cd0c1 Mon Sep 17 00:00:00 2001
From: zchase
Date: Tue, 9 Jan 2024 10:02:17 -0800
Subject: [PATCH 09/10] Empty-Commit
From 09c35f3746a69b37f5fec6e087d545b7df7bb7e9 Mon Sep 17 00:00:00 2001
From: zchase
Date: Tue, 9 Jan 2024 10:11:56 -0800
Subject: [PATCH 10/10] Empty-Commit
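Review bot: The new `marketingPortalStack` comment says what the value is for but not its shape or what happens when it is unset, and since this config key is the switch that grants another account's role access to the uploads bucket it deserves one more line. I would extend it with `// Fully-qualified stack name (org/project/stack) whose \`ecsRoleArn\` output is granted read/write on the uploads bucket; leave unset to create no bucket policy.`. The `config` object literal continues past the hunk.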
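Review bot: `marketingAppStack.getOutput("ecsRoleArn")` resolves to `undefined` when the referenced stack does not export that output, and `JSON.stringify` then drops the `"AWS"` key so the policy is sent with an empty `Principal`, which fails at apply time with an opaque S3 error instead of at preview. Now that the stack name comes from per-stack config and production is enabled in this same commit, `const ecsRoleArn = marketingAppStack.requireOutput("ecsRoleArn");` would fail fast with a message naming the missing output. Separately, `aws.s3.BucketPolicy` is the single policy document for a bucket, so if `uploads-bucket` already has another bucket policy elsewhere in this file the two would overwrite each other on each update; I cannot see the rest of the file to confirm either way. The body of the `if` continues outside the hunk.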