diff --git a/beta-template.yml.erb b/beta-template.yml.erb index d519f46f..5036eea4 100644 --- a/beta-template.yml.erb +++ b/beta-template.yml.erb @@ -470,7 +470,7 @@ Resources: ContentBucket: Type: AWS::S3::Bucket Properties: - BucketName: !If [IsDevCondition, !Sub "cdo-dev-${SubdomainName}-content", !Sub "cdo-${SubdomainName}-content"] + BucketName: !Sub "${SubdomainName}-content.${BaseDomainName}" CorsConfiguration: CorsRules: - AllowedMethods: [GET, PUT] diff --git a/cicd/2-cicd/cicd.template.yml b/cicd/2-cicd/cicd.template.yml index c0a8ac66..9c9e1448 100644 --- a/cicd/2-cicd/cicd.template.yml +++ b/cicd/2-cicd/cicd.template.yml @@ -317,7 +317,7 @@ Resources: - - '{ "SubdomainName": "' - !Sub "javabuilder-dev-${GitHubBranch}" - '" }' - Capabilities: CAPABILITY_AUTO_EXPAND + Capabilities: CAPABILITY_AUTO_EXPAND,CAPABILITY_IAM RoleArn: !Sub arn:aws:iam::${AWS::AccountId}:role/admin/CloudFormationService - !Ref AWS::NoValue @@ -343,7 +343,7 @@ Resources: - - '{ "SubdomainName": "' - !If [ TargetsMainBranch, 'javabuilder-test', !Sub 'javabuilder-${GitHubBranch}-test' ] - '" }' - Capabilities: CAPABILITY_AUTO_EXPAND + Capabilities: CAPABILITY_AUTO_EXPAND,CAPABILITY_IAM RoleArn: !Sub arn:aws:iam::${AWS::AccountId}:role/admin/CloudFormationService - !Ref AWS::NoValue @@ -392,7 +392,7 @@ Resources: - - '{ "SubdomainName": "' - !If [ TargetsMainBranch, 'javabuilder', !Sub 'javabuilder-${GitHubBranch}' ] - '" }' - Capabilities: CAPABILITY_AUTO_EXPAND + Capabilities: CAPABILITY_AUTO_EXPAND,CAPABILITY_IAM RoleArn: !Sub arn:aws:iam::${AWS::AccountId}:role/admin/CloudFormationService - Name: app-demo-deploy ActionTypeId: @@ -422,7 +422,7 @@ Resources: !Sub "javabuilder-demo-${GitHubBranch}", ] - '" }' - Capabilities: CAPABILITY_AUTO_EXPAND + Capabilities: CAPABILITY_AUTO_EXPAND,CAPABILITY_IAM RoleArn: !Sub arn:aws:iam::${AWS::AccountId}:role/admin/CloudFormationService - !Ref AWS::NoValue 
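Review bot: The new `BucketName: !Sub "${SubdomainName}-content.${BaseDomainName}"` puts dots into the bucket name, which breaks virtual-hosted-style HTTPS access to the bucket (S3's wildcard certificate only matches dot-free names) and rules out Transfer Acceleration; that is acceptable only if this bucket is reached exclusively through its own hostname or a CDN, so confirm that before keeping the dotted form. The same rename appears in cicd/3-app/javabuilder/template.yml.erb at @@ -473. The `CloudFormationService` role in iam.yml (its @@ -333 hunk) still scopes `s3:*` to `arn:aws:s3:::cdo-*javabuilder*-content`, which no longer matches the renamed bucket, so creating it through that role will presumably be denied until the pattern is updated rather than left as a TODO in the same commit. The hunk also relies on a `BaseDomainName` parameter that is not visible in the diff; confirm it is declared in both templates.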
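Review bot: Adding `CAPABILITY_IAM` to the app-dev-deploy action (and identically at @@ -343, @@ -392 and @@ -422) means any template change pushed to a branch can now create IAM resources through the admin `CloudFormationService` role, so the blast radius of a careless or compromised branch grows to include IAM; a permissions boundary or tighter IAM-action scoping on that role is the usual counterweight. `CAPABILITY_IAM` is sufficient for the `AWS::IAM::Policy` resources this commit adds in the app template, because `PolicyName` on an inline policy is a required property rather than a custom name; if roles with an explicit `RoleName` are later moved into the app stack as the iam.yml TODOs suggest, `CAPABILITY_NAMED_IAM` will be needed instead. A comment above the line, e.g. `# CAPABILITY_IAM: the app template creates inline IAM policies (ContentBucket*Policy)`, would record why the capability was widened.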
diff --git a/cicd/3-app/javabuilder/template.yml.erb b/cicd/3-app/javabuilder/template.yml.erb index 9cb765df..9c60bc84 100644 --- a/cicd/3-app/javabuilder/template.yml.erb +++ b/cicd/3-app/javabuilder/template.yml.erb @@ -473,7 +473,7 @@ Resources: ContentBucket: Type: AWS::S3::Bucket Properties: - BucketName: !If [IsDevCondition, !Sub "cdo-dev-${SubdomainName}-content", !Sub "cdo-${SubdomainName}-content"] + BucketName: !Sub "${SubdomainName}-content.${BaseDomainName}" CorsConfiguration: CorsRules: - AllowedMethods: [GET, PUT] @@ -500,6 +500,37 @@ Resources: Resource: !Sub "arn:aws:s3:::${ContentBucket}/*" Principal: '*' + # TODO: the cloudformation role used to deploy this does not have permission to putRolePolicy. I'd like to find a way to allow creation of roles within this template. + ContentBucketWritePolicy: + Type: AWS::IAM::Policy + Properties: + PolicyName: !Sub "${AWS::StackName}-content-bucket-write-policy" + PolicyDocument: + Statement: + - Action: + - 's3:PutObject' + Effect: Allow + Resource: !Sub "arn:aws:s3:::${ContentBucket}/*" + Roles: + # TODO: do not hard code these! + - javabuilder-iam-PutSourcesLambdaRole-1R0GH6YNAXIC3 + - javabuilder-iam-BuildAndRunLambdaRole-ZR48U5GF0610 + + # TODO: the cloudformation role used to deploy this does not have permission to putRolePolicy. I'd like to find a way to allow creation of roles within this template. + ContentBucketReadPolicy: + Type: AWS::IAM::Policy + Properties: + PolicyName: !Sub "${AWS::StackName}-content-bucket-read-policy" + PolicyDocument: + Statement: + - Action: + - 's3:GetObject' + Effect: Allow + Resource: !Sub "arn:aws:s3:::${ContentBucket}/*" + Roles: + # TODO: do not hard code this! + - javabuilder-iam-BuildAndRunLambdaRole-ZR48U5GF0610 + ContentApiCertificate: Type: AWS::CertificateManager::Certificate Properties: diff --git a/cicd/README.md b/cicd/README.md index 1c259fa6..f64596fa 100644 --- a/cicd/README.md +++ b/cicd/README.md 
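Review bot: `ContentBucketWritePolicy` and `ContentBucketReadPolicy` attach to role names carrying stack-generated suffixes (`javabuilder-iam-PutSourcesLambdaRole-1R0GH6YNAXIC3`, `javabuilder-iam-BuildAndRunLambdaRole-ZR48U5GF0610`), which exist in only one account and change whenever the iam stack recreates those roles, so any other environment built from this template will fail at stack creation; the TODOs acknowledge this but leave no mechanism. Exporting the role names from the iam stack (`Outputs` with `Export`) and referencing them here as `- !ImportValue <iam-stack-export-name>`, or passing them in as template parameters, removes the hard-coding; the `javabuilder-iam` stack name is inferred from the role prefixes, so confirm the actual export names. Both `PolicyDocument`s also lack `Version: '2012-10-17'`, which cfn-lint flags and which must be present before any policy variable is used. The BuildAndRun role ends up with two separate inline policies for the same bucket; a single policy listing `s3:GetObject` and `s3:PutObject` for that role would be simpler to audit.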
@@ -55,6 +55,7 @@ You can create a Development (aka 'adhoc') environment by setting the `ENVIRONME Notes: +* branch names are used as a unique identifier (stack name, among others). Therefore we can only deploy one CI/CD pipeline per branch per AWS Account. * your branch name cannot contain the character `/`, as this causes issues in AWS. Note that resources will be deployed with the tags `{EnvType = development}`. * for now, these must deployed to the production AWS account. There is planned work to enable these to be deployed to the Dev AWS account. diff --git a/iam.yml b/iam.yml index 04c1f679..4c6eac55 100644 --- a/iam.yml +++ b/iam.yml @@ -17,6 +17,8 @@ Parameters: Resources: # Permissions for the long-running lambda that compiles/runs student projects + # S3 Read/Write permissions are granted within the app stack + # TODO: create per-environment in app stack BuildAndRunLambdaRole: Type: AWS::IAM::Role Properties: @@ -32,22 +34,11 @@ Resources: - PolicyName: BuildAndRunLambdaExecutionPolicy PolicyDocument: Statement: - # BuildAndRunJavaProject Lambda needs to put objects to the content bucket. - - Effect: Allow - Action: - - 's3:PutObject' - - 's3:GetObject' - Resource: 'arn:aws:s3:::cdo-*javabuilder*-content/*' # Read from Javabuilder SQS Queue - Effect: Allow Action: - "sqs:ReceiveMessage" - "sqs:DeleteMessage" - # May need the following - # - "sqs:GetQueueAttributes" - # - "sqs:GetQueueUrl" - # - "sqs:ListDeadLetterSourceQueues" - # - "sqs:ListQueues" Resource: # TODO: limit this - '*' @@ -149,6 +140,8 @@ Resources: - '*' # Permissions for the lambda that uploads student code to S3 + # Per-bucket PutObject permissions are granted in the app template + # TODO move this role to the app stack PutSourcesLambdaRole: Type: AWS::IAM::Role Properties: 
@@ -160,15 +153,6 @@ Resources: Principal: {Service: [lambda.amazonaws.com]} ManagedPolicyArns: - !Ref JavabuilderLoggingPolicy - Policies: - - PolicyName: named - PolicyDocument: - Statement: - # Put objects to the content bucket. - - Effect: Allow - Action: - - 's3:putObject' - Resource: 'arn:aws:s3:::cdo-*javabuilder*-content/*' # Shared permissions that several lambdas need JavabuilderLoggingPolicy: @@ -221,12 +205,6 @@ Resources: - "cloudformation:DescribeStacks" Resource: '*' - # BuildAndRunJavaProject Lambda needs to put objects to the content bucket. - - Effect: Allow - Action: - - 's3:PutObject' - Resource: 'arn:aws:s3:::cdo-*javabuilder*-content/*' - # All Lambdas need logging permissions. - Effect: Allow Action: @@ -333,8 +311,10 @@ Resources: - !Sub "arn:aws:s3:::${TemplateBucket}/*" - Effect: Allow Action: + # TODO: limit this permission to only actions required by cloudformation (low priority) - "s3:*" Resource: + # TODO: use new bucket name - "arn:aws:s3:::cdo-*javabuilder*-content" - Effect: Allow Action: diff --git a/org-code-javabuilder/lib/src/test/java/org/code/javabuilder/AWSContentManagerTest.java b/org-code-javabuilder/lib/src/test/java/org/code/javabuilder/AWSContentManagerTest.java index cf77efe3..4aa4c18e 100644 --- a/org-code-javabuilder/lib/src/test/java/org/code/javabuilder/AWSContentManagerTest.java +++ b/org-code-javabuilder/lib/src/test/java/org/code/javabuilder/AWSContentManagerTest.java @@ -149,7 +149,7 @@ public void testGenerateAssetUrlDoesNotReturnStubUrlIfNotDashboard() { Properties.setCanAccessDashboardAssets(false); final String filename = "file"; - final String actualUrl = "cdo-javabuilderbeta-content/file.wav"; + final String actualUrl = "javabuilder-test.code.org-content/file.wav"; when(projectData.getAssetUrl(filename)).thenReturn(actualUrl); assertEquals(actualUrl, contentManager.getAssetUrl(filename));
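Review bot: The fixture `"javabuilder-test.code.org-content/file.wav"` in `testGenerateAssetUrlDoesNotReturnStubUrlIfNotDashboard` does not follow the naming scheme the templates introduce, `${SubdomainName}-content.${BaseDomainName}`, which for a `javabuilder-test` subdomain under `code.org` would presumably give `javabuilder-test-content.code.org/file.wav`. The value only passes through the `projectData.getAssetUrl` mock, so the assertion holds either way, but a fixture that contradicts the real layout misleads the next reader; align it with the template, `final String actualUrl = "javabuilder-test-content.code.org/file.wav";`. The test method's body begins above this hunk.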