From 67ab7b54113327a1f8cd605404b30bbcb92de054 Mon Sep 17 00:00:00 2001
From: Brian Stack <bstack@mozilla.com>
Date: Fri, 2 Aug 2019 12:00:08 -0400
Subject: [PATCH] Add real support for public artifacts in dev envs

---
 infrastructure/builder/src/dev/aws.js | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/infrastructure/builder/src/dev/aws.js b/infrastructure/builder/src/dev/aws.js
index 904d3fe8291..3c0126bf66b 100644
--- a/infrastructure/builder/src/dev/aws.js
+++ b/infrastructure/builder/src/dev/aws.js
@@ -1,3 +1,4 @@
+const _ = require('lodash');
 const AWS = require('aws-sdk');
 
 const setupIam = async ({iam, iamName, iamPolicy}) => {
@@ -42,7 +43,7 @@ module.exports = async ({userConfig, answer, configTmpl}) => {
 
   userConfig.queue = userConfig.queue || {};
 
-  // TODO: Add private artifact bucket and both blob buckets
+  // TODO: Add both blob buckets
   // TODO: Also set up auth/notify aws stuff
 
   const publicBucketName = `${prefix}-public-artifacts`;
@@ -54,7 +55,29 @@ module.exports = async ({userConfig, answer, configTmpl}) => {
       ACL: 'public-read',
     }).promise();
     userConfig.queue.public_artifact_bucket = publicBucketName;
-    // TODO: Set up policy that allows for objects in here to be read
+  }
+
+  const publicPolicy = {
+    Version: '2012-10-17',
+    Statement: [
+      {
+        Sid: "PublicReadGetObject",
+        Effect: "Allow",
+        Principal: {
+          AWS: "*",
+        },
+        Action: "s3:GetObject",
+        Resource: `arn:aws:s3:::${publicBucketName}/*`,
+      },
+    ],
+  };
+  if (!userConfig.meta.lastAppliedPublicBucketPolicy ||
+      !_.isEqual(userConfig.meta.lastAppliedPublicBucketPolicy, publicPolicy)) {
+    await s3.putBucketPolicy({
+      Bucket: publicBucketName,
+      Policy: JSON.stringify(publicPolicy),
+    }).promise();
+    userConfig.meta.lastAppliedPublicBucketPolicy = publicPolicy;
   }
 
   if (!userConfig.queue.private_artifact_bucket) {