Merge pull request #612 from guardian/aa-replace-dist-bucket-policy

feat: Move to GuCDK's policy to get the artifact

cdk/lib/__snapshots__/amigo.test.ts.snap

@@ -367,6 +367,65 @@ Object {
       },
       "Type": "AWS::AutoScaling::AutoScalingGroup",
     },
+    "GetDistributablePolicyAmigoB25A5D2B": Object {
+      "Properties": Object {
+        "PolicyDocument": Object {
+          "Statement": Array [
+            Object {
+              "Action": "s3:GetObject",
+              "Effect": "Allow",
+              "Resource": Object {
+                "Fn::Join": Array [
+                  "",
+                  Array [
+                    "arn:aws:s3:::",
+                    Object {
+                      "Ref": "DistributionBucketName",
+                    },
+                    "/deploy/",
+                    Object {
+                      "Ref": "Stage",
+                    },
+                    "/amigo/*",
+                  ],
+                ],
+              },
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+        "PolicyName": "GetDistributablePolicyAmigoB25A5D2B",
+        "Roles": Array [
+          Object {
+            "Fn::Select": Array [
+              1,
+              Object {
+                "Fn::Split": Array [
+                  "/",
+                  Object {
+                    "Fn::Select": Array [
+                      5,
+                      Object {
+                        "Fn::Split": Array [
+                          ":",
+                          Object {
+                            "Fn::GetAtt": Array [
+                              "RootRole",
+                              "Arn",
+                            ],
+                          },
+                        ],
+                      },
+                    ],
+                  },
+                ],
+              },
+            ],
+          },
+        ],
+      },
+      "Type": "AWS::IAM::Policy",
+    },
     "GuLogShippingPolicy981BFE5A": Object {
       "Properties": Object {
         "PolicyDocument": Object {
@@ -477,6 +536,9 @@ aws --region eu-west-1 s3 cp s3://\${DistributionBucketName}/deploy/\${Stage}/am
 dpkg -i /tmp/amigo.deb
 ",
               Object {
+                "DistributionBucketName": Object {
+                  "Ref": "DistributionBucketName",
+                },
                 "Stage": Object {
                   "Ref": "Stage",
                 },
@@ -820,41 +882,6 @@ dpkg -i /tmp/amigo.deb
       },
       "Type": "AWS::IAM::Policy",
     },
-    "UserDataPolicy": Object {
-      "Properties": Object {
-        "PolicyDocument": Object {
-          "Statement": Array [
-            Object {
-              "Action": Array [
-                "s3:GetObject",
-              ],
-              "Effect": "Allow",
-              "Resource": Array [
-                Object {
-                  "Fn::Join": Array [
-                    "",
-                    Array [
-                      "arn:aws:s3::*:",
-                      Object {
-                        "Ref": "DistributionBucketName",
-                      },
-                      "/*",
-                    ],
-                  ],
-                },
-              ],
-            },
-          ],
-        },
-        "PolicyName": "download-artifacts-from-s3",
-        "Roles": Array [
-          Object {
-            "Ref": "RootRole",
-          },
-        ],
-      },
-      "Type": "AWS::IAM::Policy",
-    },
   },
 }
 `;

cdk/lib/amigo.ts

@@ -4,19 +4,28 @@ import { Effect, PolicyStatement, Role } from "@aws-cdk/aws-iam";
 import { CfnInclude } from "@aws-cdk/cloudformation-include";
 import type { App } from "@aws-cdk/core";
 import type { GuStackProps, GuStageParameter } from "@guardian/cdk/lib/constructs/core";
-import { GuStack } from "@guardian/cdk/lib/constructs/core";
-import { GuLogShippingPolicy, GuSSMRunCommandPolicy } from "@guardian/cdk/lib/constructs/iam";
+import { GuDistributionBucketParameter, GuStack } from "@guardian/cdk/lib/constructs/core";
+import type { AppIdentity } from "@guardian/cdk/lib/constructs/core/identity";
+import { GuGetDistributablePolicy, GuLogShippingPolicy, GuSSMRunCommandPolicy } from "@guardian/cdk/lib/constructs/iam";
 
 const yamlTemplateFilePath = path.join(__dirname, "../../cloudformation.yaml");
 
 export class AmigoStack extends GuStack {
+  private static app: AppIdentity = {
+    app: "amigo",
+  };
+
   constructor(scope: App, id: string, props: GuStackProps) {
     super(scope, id, props);
 
     const yamlDefinedStack = new CfnInclude(this, "YamlTemplate", {
       templateFile: yamlTemplateFilePath,
+
+      // These override like-named parameters in the YAML template.
+      // TODO remove the parameter from the YAML template once each resource that uses it has been CDK-ified.
       parameters: {
         Stage: this.getParam<GuStageParameter>("Stage"), // TODO `GuStageParameter` could be a singleton to simplify this
+        DistributionBucketName: GuDistributionBucketParameter.getInstance(this).valueAsString,
       },
     });
 
@@ -40,5 +49,7 @@ export class AmigoStack extends GuStack {
     ssmPolicy.attachToRole(rootRole);
 
     GuLogShippingPolicy.getInstance(this).attachToRole(rootRole);
+
+    new GuGetDistributablePolicy(this, AmigoStack.app).attachToRole(rootRole);
   }
 }

cloudformation.yaml

@@ -65,19 +65,6 @@ Resources:
           Value: deploy
         - Key: Stage
           Value: !Ref 'Stage'
-  UserDataPolicy:
-    Type: AWS::IAM::Policy
-    Properties:
-      PolicyName: download-artifacts-from-s3
-      PolicyDocument:
-        Statement:
-        - Effect: Allow
-          Action:
-          - s3:GetObject
-          Resource:
-          - !Join [ "", [ "arn:aws:s3::*:", !Ref DistributionBucketName, "/*" ] ]
-      Roles:
-      - !Ref 'RootRole'
   AmigoAppPolicy:
     Type: AWS::IAM::Policy
     Properties: