fix: korjaa ilmoitustaulusyötteen oikeuspuutteet (#287)

backend/src/aws/awsRequest.ts

@@ -15,7 +15,7 @@ export async function sendSignedRequest(
   }
   const signer = new SignatureV4({
     credentials: AWS.config.credentials,
-    region: process.env.AWS_REGION || "eu-west-1",
+    region: "eu-west-1",
     service,
     sha256: Sha256,
   });

deployment/lib/common.ts

@@ -0,0 +1,15 @@
+import { Construct } from "@aws-cdk/core";
+import { Domain } from "@aws-cdk/aws-opensearchservice";
+import { Config } from "./config";
+import { AccountStackOutputs } from "./hassu-account";
+
+export async function getOpenSearchDomain(scope: Construct, accountStackOutputs: AccountStackOutputs) {
+  if (Config.env !== "localstack") {
+    return Domain.fromDomainAttributes(scope, "DomainEndPoint", {
+      domainEndpoint: accountStackOutputs.SearchDomainEndpointOutput,
+      domainArn: accountStackOutputs.SearchDomainArnOutput,
+    });
+  } else {
+    return Domain.fromDomainEndpoint(scope, "DomainEndPoint", "http://not-used-with-localstack");
+  }
+}

deployment/lib/hassu-account.ts

@@ -3,6 +3,8 @@ import * as cdk from "@aws-cdk/core";
 import { Construct, RemovalPolicy } from "@aws-cdk/core";
 import { Config } from "./config";
 import { Domain, EngineVersion } from "@aws-cdk/aws-opensearchservice";
+import { OpenSearchAccessPolicy } from "@aws-cdk/aws-opensearchservice/lib/opensearch-access-policy";
+import { AccountRootPrincipal, Effect, PolicyStatement } from "@aws-cdk/aws-iam";
 
 // These should correspond to CfnOutputs produced by this stack
 export type AccountStackOutputs = {
@@ -38,6 +40,19 @@ export class HassuAccountStack extends cdk.Stack {
       removalPolicy: RemovalPolicy.RETAIN,
     });
 
+    new OpenSearchAccessPolicy(this, "OpenSearchAccessPolicy", {
+      domainName: this.searchDomain.domainName,
+      domainArn: this.searchDomain.domainArn,
+      accessPolicies: [
+        new PolicyStatement({
+          effect: Effect.ALLOW,
+          actions: ["es:ESHttpGet", "es:ESHttpPut", "es:ESHttpPost", "es:ESHttpDelete"],
+          principals: [new AccountRootPrincipal().grantPrincipal],
+          resources: [this.searchDomain.domainArn],
+        }),
+      ],
+    });
+
     new cdk.CfnOutput(this, "SearchDomainEndpointOutput", {
       value: this.searchDomain.domainEndpoint || "",
     });

deployment/lib/hassu-backend.ts

@@ -15,8 +15,7 @@ import { AuthorizationMode } from "@aws-cdk/aws-appsync/lib/graphqlapi";
 import { DynamoEventSource, SqsEventSource } from "@aws-cdk/aws-lambda-event-sources";
 import * as eventTargets from "@aws-cdk/aws-events-targets";
 import * as events from "@aws-cdk/aws-events";
-import { Domain, IDomain } from "@aws-cdk/aws-opensearchservice";
-import { OpenSearchAccessPolicy } from "@aws-cdk/aws-opensearchservice/lib/opensearch-access-policy";
+import { IDomain } from "@aws-cdk/aws-opensearchservice";
 import { Effect, ManagedPolicy, PolicyStatement } from "@aws-cdk/aws-iam";
 import { Bucket } from "@aws-cdk/aws-s3";
 import {
@@ -27,6 +26,7 @@ import {
 import { LambdaInsightsVersion } from "@aws-cdk/aws-lambda/lib/lambda-insights";
 import { RuleTargetInput } from "@aws-cdk/aws-events/lib/input";
 import { EmailEventType } from "../../backend/src/email/emailEvent";
+import { getOpenSearchDomain } from "./common";
 
 const path = require("path");
 
@@ -63,16 +63,8 @@ export class HassuBackendStack extends cdk.Stack {
   async process() {
     const config = await Config.instance(this);
 
-    let accountStackOutputs = await readAccountStackOutputs();
-    let searchDomain: IDomain;
-    if (Config.env !== "localstack") {
-      searchDomain = Domain.fromDomainAttributes(this, "DomainEndPoint", {
-        domainEndpoint: accountStackOutputs.SearchDomainEndpointOutput,
-        domainArn: accountStackOutputs.SearchDomainArnOutput,
-      });
-    } else {
-      searchDomain = Domain.fromDomainEndpoint(this, "DomainEndPoint", "http://not-used-with-localstack");
-    }
+    const accountStackOutputs = await readAccountStackOutputs();
+    const searchDomain = await getOpenSearchDomain(this, accountStackOutputs);
 
     const api = this.createAPI(config);
     const commonEnvironmentVariables = await this.getCommonEnvironmentVariables(config, searchDomain);
@@ -89,7 +81,7 @@ export class HassuBackendStack extends cdk.Stack {
 
     const projektiSearchIndexer = this.createProjektiSearchIndexer(commonEnvironmentVariables);
     this.attachDatabaseToLambda(projektiSearchIndexer);
-    this.configureOpenSearchAccess(projektiSearchIndexer, backendLambda, searchDomain);
+    HassuBackendStack.configureOpenSearchAccess(projektiSearchIndexer, backendLambda, searchDomain);
 
     let aineistoImporterLambda = await this.createAineistoImporterLambda(commonEnvironmentVariables, aineistoSQS);
     this.attachDatabaseToLambda(aineistoImporterLambda);
@@ -107,27 +99,14 @@ export class HassuBackendStack extends cdk.Stack {
     }
   }
 
-  private configureOpenSearchAccess(
+  private static configureOpenSearchAccess(
     projektiSearchIndexer: NodejsFunction,
     backendLambda: NodejsFunction,
     searchDomain: IDomain
   ) {
     // Grant write access to the app-search index
     searchDomain.grantIndexWrite("projekti-" + Config.env + "-*", projektiSearchIndexer);
     searchDomain.grantIndexReadWrite("projekti-" + Config.env + "-*", backendLambda);
-
-    new OpenSearchAccessPolicy(this, "OpenSearchAccessPolicy", {
-      domainName: searchDomain.domainName,
-      domainArn: searchDomain.domainArn,
-      accessPolicies: [
-        new PolicyStatement({
-          effect: Effect.ALLOW,
-          actions: ["es:ESHttpGet", "es:ESHttpPut", "es:ESHttpPost", "es:ESHttpDelete"],
-          principals: [projektiSearchIndexer.grantPrincipal, backendLambda.grantPrincipal],
-          resources: [searchDomain.domainArn],
-        }),
-      ],
-    });
   }
 
   private createAPI(config: Config) {

deployment/lib/hassu-frontend.ts

@@ -13,7 +13,7 @@ import {
   OriginRequestPolicy,
   OriginSslPolicy,
   PriceClass,
-  ViewerProtocolPolicy,
+  ViewerProtocolPolicy
 } from "@aws-cdk/aws-cloudfront";
 import { Config } from "./config";
 import { HttpOrigin } from "@aws-cdk/aws-cloudfront-origins/lib/http-origin";
@@ -28,15 +28,21 @@ import {
   PolicyDocument,
   PolicyStatement,
   Role,
-  ServicePrincipal,
+  ServicePrincipal
 } from "@aws-cdk/aws-iam";
 import * as fs from "fs";
 import { EdgeFunction } from "@aws-cdk/aws-cloudfront/lib/experimental";
 import { S3Origin } from "@aws-cdk/aws-cloudfront-origins";
 import { BlockPublicAccess, Bucket } from "@aws-cdk/aws-s3";
 import * as ssm from "@aws-cdk/aws-ssm";
-import { readBackendStackOutputs, readDatabaseStackOutputs, readPipelineStackOutputs } from "../bin/setupEnvironment";
+import {
+  readAccountStackOutputs,
+  readBackendStackOutputs,
+  readDatabaseStackOutputs,
+  readPipelineStackOutputs
+} from "../bin/setupEnvironment";
 import { IOriginAccessIdentity } from "@aws-cdk/aws-cloudfront/lib/origin-access-identity";
+import { getOpenSearchDomain } from "./common";
 
 // These should correspond to CfnOutputs produced by this stack
 export type FrontendStackOutputs = {
@@ -154,6 +160,12 @@ export class HassuFrontendStack extends cdk.Stack {
     this.configureNextJSAWSPermissions(nextJSLambdaEdge);
     HassuFrontendStack.configureNextJSRequestHeaders(nextJSLambdaEdge);
 
+    const accountStackOutputs = await readAccountStackOutputs();
+    const searchDomain = await getOpenSearchDomain(this, accountStackOutputs);
+    if (nextJSLambdaEdge.nextApiLambda) {
+      searchDomain.grantIndexReadWrite("projekti-" + Config.env + "-*", nextJSLambdaEdge.nextApiLambda);
+    }
+
     const distribution: cloudfront.Distribution = nextJSLambdaEdge.distribution;
     new cdk.CfnOutput(this, "CloudfrontPrivateDNSName", {
       value: distribution.distributionDomainName || "",

next.config.js

@@ -85,6 +85,7 @@ module.exports = (phase) => {
     NEXT_PUBLIC_VAYLA_EXTRANET_URL: process.env.NEXT_PUBLIC_VAYLA_EXTRANET_URL,
     NEXT_PUBLIC_VELHO_BASE_URL: process.env.NEXT_PUBLIC_VELHO_BASE_URL,
     INFRA_ENVIRONMENT: BaseConfig.infraEnvironment,
+    ENVIRONMENT: BaseConfig.env,
   };
   /**
    * @type {import("next").NextConfig}