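def secure_bucket(self, name, suppressions=None, **kwargs):
    """Create an S3 bucket with baseline hardening and return it.

    The bucket is retained on stack deletion, uses S3-managed (SSE-S3)
    encryption, blocks all public access, and carries a resource policy
    that denies every action over plaintext HTTP (``aws:SecureTransport``
    false) for any principal.  The CloudFormation logical id is pinned to
    ``name`` so the resource stays stable when the construct tree is
    refactored.

    Args:
        name: Construct id; also used as the CloudFormation logical id.
        suppressions: Optional cfn_nag suppressions; when truthy they are
            attached to the underlying ``CfnResource`` via
            ``add_cfn_nag_suppressions``.
        **kwargs: Extra ``Bucket`` props.  Passing ``removal_policy``,
            ``encryption`` or ``block_public_access`` here raises
            ``TypeError`` (duplicate keyword argument), so a caller cannot
            silently weaken the hardening through kwargs.

    Returns:
        The created ``Bucket``.
    """
    bucket = Bucket(
        self,
        name,
        removal_policy=RemovalPolicy.RETAIN,
        encryption=BucketEncryption.S3_MANAGED,
        block_public_access=BlockPublicAccess.BLOCK_ALL,
        **kwargs,
    )
    # Deny on BOTH the bucket ARN and the object ARN.  Bucket-level calls
    # (ListBucket, GetBucketPolicy, ...) are evaluated against the bucket
    # ARN, so an object-only Deny would still let them through over HTTP.
    bucket.add_to_resource_policy(
        iam.PolicyStatement(
            sid="HttpsOnly",
            resources=[
                bucket.bucket_arn,
                bucket.arn_for_objects("*"),
            ],
            actions=["*"],
            effect=iam.Effect.DENY,
            principals=[iam.AnyPrincipal()],
            conditions={"Bool": {"aws:SecureTransport": False}},
        )
    )
    # Pin the logical id so renames in the construct tree do not trigger
    # a replace of a RETAIN-ed bucket.
    bucket_cfn = bucket.node.default_child  # type: CfnResource
    bucket_cfn.override_logical_id(name)
    if suppressions:
        add_cfn_nag_suppressions(bucket_cfn, suppressions)
    return bucket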
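def provide_access_to_artifacts(
    scope: core.Construct,
    *,
    pipeline_def: Pipeline,
    artifact_bucket: aws_s3.Bucket,
) -> None:
    """Grant read access on artifact objects to the roles a pipeline needs.

    Two sources of role ARNs are merged:

    * ``pipeline_def["artifact_access"]["role_arns"]`` — explicit grants.
    * ``role_arn`` of every action in every stage, but only when the ARN's
      account differs from the account of the stack that owns ``scope``
      (same-account roles are expected to be covered by IAM policies, so
      no bucket-policy grant is added for them).

    One ``Allow`` statement for ``s3:Get*`` on the bucket's objects is added
    per distinct role.  Only the object ARN is granted, so a role that also
    needs ``s3:ListBucket`` on the bucket ARN must be given that separately.

    Args:
        scope: Construct used to resolve the owning stack's account.
        pipeline_def: Pipeline definition mapping; ``stages`` and each
            stage's ``actions`` must be present, ``artifact_access`` and
            per-action ``role_arn`` are optional.
        artifact_bucket: Bucket whose resource policy receives the grants.
    """
    role_arns = set(pipeline_def.get("artifact_access", {}).get("role_arns", []))
    # Hoisted: the stack account does not change between actions.
    this_account = core.Stack.of(scope).account
    for stage_def in pipeline_def["stages"]:
        for action_def in stage_def["actions"]:
            if "role_arn" not in action_def:
                continue
            role_arn = action_def["role_arn"]
            if core.Arn.parse(role_arn).account != this_account:
                role_arns.add(role_arn)
    # Iterate in sorted order: str hashing is salted per process, so
    # iterating the set directly would emit the policy statements in a
    # different order on each synth and produce spurious template diffs.
    for role_arn in sorted(role_arns):
        artifact_bucket.add_to_resource_policy(
            aws_iam.PolicyStatement(
                actions=["s3:Get*"],
                resources=[artifact_bucket.arn_for_objects("*")],
                effect=aws_iam.Effect.ALLOW,
                principals=[aws_iam.ArnPrincipal(role_arn)],
            )
        )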