fix(servicecatalog): product stack asset bucket with forced encryption (

aws#26303) Clients account setup strictly required that every bucket is encrypted. It also forces Bucket Policy to deny any unencrypted PutObject actions. When suppling ProductStack with such a Bucket as assetBucket the deployment fails on Custom Resource Lambda not being able to synch asset files into assetBucket (Access Denied). Expected Behavior I would expect that assets will be encrypted when the asset bucket has encryption enabled. Current Behavior Under the hood ProductStack uses BucketDeployment construct without encryption which results in AccessDenied. I does not considers Bucket encryption settings. Possible Solution This PR is a possible solution in which user would provide additional property `serverSideEncryption` along with encryption key `serverSideEncryptionAwsKmsKeyId` which would turn on respectful options on BucketDeployment to enable encryption. This could also be implicitly learnt from assetBucket configuration but I feel it better to leave this decision to the user - but I am open to change implementation if you thing this is better approach. Closes aws#26302. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
bmoffatt · Jul 28, 2023 · 0e698ba · 0e698ba
1 parent 03dfbb6
commit 0e698ba
Show file tree

Hide file tree

Showing 26 changed files with 3,329 additions and 8 deletions.
diff --git a/...et.js.snapshot/asset.292870ae2617f1c4d62ff18422e009afd534a342c17877fd1b931fb8d8a62abc.zip b/...et.js.snapshot/asset.292870ae2617f1c4d62ff18422e009afd534a342c17877fd1b931fb8d8a62abc.zip
diff --git a/...t.js.snapshot/asset.6412a5f4524c6b41d26fbeee226c68c2dad735393940a51008d77e6f8b1038f5.json b/...t.js.snapshot/asset.6412a5f4524c6b41d26fbeee226c68c2dad735393940a51008d77e6f8b1038f5.json
@@ -0,0 +1,98 @@
+{
+  "AWSTemplateFormatVersion" : "2010-09-09",
+
+  "Description" : "AWS Service Catalog sample template. Creates an Amazon EC2 instance running the Amazon Linux AMI. The AMI is chosen based on the region in which the stack is run. This example creates an EC2 security group for the instance to give you SSH access. **WARNING** This template creates an Amazon EC2 instance. You will be billed for the AWS resources used if you create a stack from this template.",
+
+  "Parameters" : {
+    "KeyName": {
+      "Description" : "Name of an existing EC2 key pair for SSH access to the EC2 instance.",
+      "Type": "AWS::EC2::KeyPair::KeyName"
+    },
+
+    "InstanceType" : {
+      "Description" : "EC2 instance type.",
+      "Type" : "String",
+      "Default" : "t2.micro",
+      "AllowedValues" : [ "t2.micro", "t2.small", "t2.medium"]
+    },
+
+    "SSHLocation" : {
+      "Description" : "The IP address range that can SSH to the EC2 instance.",
+      "Type": "String",
+      "MinLength": "9",
+      "MaxLength": "18",
+      "Default": "0.0.0.0/0",
+      "AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
+      "ConstraintDescription": "Must be a valid IP CIDR range of the form x.x.x.x/x."
+   }
+  },
+
+  "Metadata" : {
+    "AWS::CloudFormation::Interface" : {
+      "ParameterGroups" : [{
+        "Label" : {"default": "Instance configuration"},
+        "Parameters" : ["InstanceType"]
+      },{
+        "Label" : {"default": "Security configuration"},
+        "Parameters" : ["KeyName", "SSHLocation"]
+      }],
+      "ParameterLabels" : {
+        "InstanceType": {"default": "Server size:"},
+        "KeyName": {"default": "Key pair:"},
+        "SSHLocation": {"default": "CIDR range:"}
+      }
+    }
+  },
+
+  "Mappings" : {
+    "AWSRegionArch2AMI" : {
+      "us-east-1"      : { "HVM64" : "ami-08842d60" },
+      "us-west-2"      : { "HVM64" : "ami-8786c6b7" },
+      "us-west-1"      : { "HVM64" : "ami-cfa8a18a" },
+      "eu-west-1"      : { "HVM64" : "ami-748e2903" },
+      "ap-southeast-1" : { "HVM64" : "ami-d6e1c584" },
+      "ap-northeast-1" : { "HVM64" : "ami-35072834" },
+      "ap-southeast-2" : { "HVM64" : "ami-fd4724c7" },
+      "sa-east-1"      : { "HVM64" : "ami-956cc688" },
+      "cn-north-1"     : { "HVM64" : "ami-ac57c595" },
+      "eu-central-1"   : { "HVM64" : "ami-b43503a9" }
+    }
+
+  },
+
+  "Resources" : {
+    "EC2Instance" : {
+      "Type" : "AWS::EC2::Instance",
+      "Properties" : {
+        "InstanceType" : { "Ref" : "InstanceType" },
+        "SecurityGroups" : [ { "Ref" : "InstanceSecurityGroup" } ],
+        "KeyName" : { "Ref" : "KeyName" },
+        "ImageId" : { "Fn::FindInMap" : [ "AWSRegionArch2AMI", { "Ref" : "AWS::Region" }, "HVM64" ] }
+      }
+    },
+
+    "InstanceSecurityGroup" : {
+      "Type" : "AWS::EC2::SecurityGroup",
+      "Properties" : {
+        "GroupDescription" : "Enable SSH access via port 22",
+        "SecurityGroupIngress" : [ {
+          "IpProtocol" : "tcp",
+          "FromPort" : "22",
+          "ToPort" : "22",
+          "CidrIp" : { "Ref" : "SSHLocation"}
+        } ]
+      }
+    }
+  },
+
+  "Outputs" : {
+    "PublicDNSName" : {
+      "Description" : "Public DNS name of the new EC2 instance",
+      "Value" : { "Fn::GetAtt" : [ "EC2Instance", "PublicDnsName" ] }
+    },
+    "PublicIPAddress" : {
+      "Description" : "Public IP address of the new EC2 instance",
+      "Value" : { "Fn::GetAtt" : [ "EC2Instance", "PublicIp" ] }
+    }
+  }
+}
diff --git a/....snapshot/asset.89c643a8a6c919d906e0b1cb079b0c5e131cf3cc19c05126f90fc118647fb08c/index.js b/....snapshot/asset.89c643a8a6c919d906e0b1cb079b0c5e131cf3cc19c05126f90fc118647fb08c/index.js