Add bucket policy for uploads in testing

.github/workflows/testing-build-and-deploy.yml

@@ -1,6 +1,6 @@
 name: Build and deploy testing
 on:
-  push:
+  pull_request:
     branches:
       - master
 permissions:

infrastructure/Pulumi.www-production.yaml

@@ -3,11 +3,12 @@ config:
   www.pulumi.com:addSecurityHeaders: "true"
   www.pulumi.com:certificateArn: "arn:aws:acm:us-east-1:388588623842:certificate/9db6a76b-f7ba-465b-ab96-ce1d3b8ae02c"
   www.pulumi.com:doEdgeRedirects: "true"
+  www.pulumi.com:hostedZone: www.pulumi.com
   www.pulumi.com:makeFallbackBucket: "false"
+  www.pulumi.com:marketingPortalStack: pulumi/marketing-db/production
   www.pulumi.com:originBucketNameOverride: ""
   www.pulumi.com:pathToOriginBucketMetadata: ../origin-bucket-metadata.json
+  www.pulumi.com:registryStack: "pulumi/registry/production"
+  www.pulumi.com:setRootRecord: "true"
   www.pulumi.com:websiteDomain: www.pulumi.com
   www.pulumi.com:websiteLogsBucketName: www-prod.pulumi.com-website-logs
-  www.pulumi.com:hostedZone: www.pulumi.com
-  www.pulumi.com:setRootRecord: true
-  www.pulumi.com:registryStack: "pulumi/registry/production"

infrastructure/Pulumi.www-testing.yaml

@@ -3,10 +3,11 @@ config:
   www.pulumi.com:addSecurityHeaders: "true"
   www.pulumi.com:certificateArn: "arn:aws:acm:us-east-1:571684982431:certificate/dacf95ab-d4dd-4370-9c93-6ce0b9dda7c0"
   www.pulumi.com:doEdgeRedirects: "true"
+  www.pulumi.com:hostedZone: www.pulumi-test.io
   www.pulumi.com:makeFallbackBucket: "false"
+  www.pulumi.com:marketingPortalStack: pulumi/marketing-db/staging
   www.pulumi.com:pathToOriginBucketMetadata: ../origin-bucket-metadata.json
+  www.pulumi.com:registryStack: "pulumi/registry/testing"
+  www.pulumi.com:setRootRecord: "true"
   www.pulumi.com:websiteDomain: www.pulumi-test.io
   www.pulumi.com:websiteLogsBucketName: pulumi-test-io-website-logs
-  www.pulumi.com:hostedZone: www.pulumi-test.io
-  www.pulumi.com:setRootRecord: true
-  www.pulumi.com:registryStack: "pulumi/registry/testing"

infrastructure/index.ts

@@ -49,6 +49,10 @@ const config = {
 
     // the registry stack to reference to route traffic to for `/registry` routes.
     registryStack: stackConfig.get("registryStack"),
+
+    // the marketing portal stack to reference to allow the marketing portal
+    // to add items to the uploads bucket.
+    marketingPortalStack: stackConfig.get("marketingPortalStack"),
 };
 
 const aiAppStack = new pulumi.StackReference('pulumi/pulumi-ai-app-infra/prod');
@@ -94,6 +98,43 @@ const uploadsBucket = new aws.s3.Bucket("uploads-bucket", {
     }],
 });
 
+if (config.marketingPortalStack) {
+    const marketingAppStack = new pulumi.StackReference(config.marketingPortalStack);
+    const ecsRoleArn = marketingAppStack.getOutput("ecsRoleArn");
+
+    const uploadsBucketPolicy = new aws.s3.BucketPolicy("uploads-bucket-policy", {
+        bucket: uploadsBucket.bucket,
+        policy: pulumi.all([uploadsBucket.arn, ecsRoleArn])
+            .apply(([bucketArn, roleArn]) => JSON.stringify({
+                "Version": "2012-10-17",
+                "Statement": [
+                    {
+                        "Action": [
+                            "s3:ListBucket",
+                            "s3:GetBucketLocation"
+                        ],
+                        "Principal": {
+                            "AWS": roleArn,
+                            },
+                        "Effect": "Allow",
+                        "Resource": bucketArn,
+                    },
+                    {
+                        "Effect": "Allow",
+                        "Principal": {
+                            "AWS": roleArn,
+                        },
+                        "Action": [
+                            "s3:GetObject",
+                            "s3:PutObject"
+                        ],
+                        "Resource": `${bucketArn}/*`,
+                    },
+                ]
+            })),
+    });
+}
+
 // This needs to be set in order to allow the use of ACLs. This was added to update our infrastructure to be
 // compatible with the default S3 settings from AWS' April update. `ObjectWriter` was the prior default, so
 // changing it to that here to match the configuration prior to the update.