fix: grant the bucket owner control to addon template artifacts #3485
mergify[bot] merged 16 commits into aws:mainline from
| // AddonsArtifactPath prefixes the key with the addons artifact path. | ||
| func AddonsArtifactPath(key string) string { | ||
| return path.Join(artifactDirName, addonDirName, key) | ||
| } | ||
| // TemplateArtifactPath prefixes the key with the template artifact path. | ||
| func TemplateArtifactPath(key string) string { | ||
| return path.Join(artifactDirName, templateDirName, key) | ||
| } |
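Review bot: both helpers hand the caller-supplied key straight to path.Join, which cleans the result, so a key containing ".." segments (or a leading "/") would resolve outside the artifactDirName/addonDirName and artifactDirName/templateDirName prefixes instead of being nested under them. Consider rejecting such keys before joining, or documenting in the comments that callers must pass a key built only from values they control (a stack or workload name plus a content hash).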
These don't seem to fit the s3 package 💭
What do you think of moving them to deploy instead?
I moved them to the template/ package. My motivation was that it might be easier for us to manage/visualize from the codebase what our artifact folder structure would be, if these path definitions are put together in a single package.
In the current codebase they are scattered in cli/deploy, deploy and s3.
let me know what ya think!
| reader := strings.NewReader(template) | ||
| url, err := cf.s3Client.Upload(bucket, fmt.Sprintf(fmtWorkloadCFNTemplateName, config.StackName(), sha256.Sum256([]byte(template))), reader) | ||
| artifactName := path.Join(config.StackName(), fmt.Sprintf("%x.yml", sha256.Sum256([]byte(template)))) | ||
| url, err := cf.s3Client.Upload(bucket, s3.TemplateArtifactPath(artifactName), reader) |
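Review bot: the new artifactName is built with path.Join(config.StackName(), ...), and path.Join silently drops empty elements, so an empty stack name would yield a key of just "<sha>.yml" under the template prefix rather than an error. Adding an explicit check that config.StackName() is non-empty before the upload makes that failure visible instead of producing a mis-placed object.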
What do you think of a path like:
templates/<stack name>/<sha>.yml
Currently it's manual/templates/stackname/sha.yml, what do ya think? The new code here doesn't change the path; it's just some refactoring!
| reader := strings.NewReader(template) | ||
| url, err := in.uploader.Upload(d.resources.S3Bucket, fmt.Sprintf(deploy.AddonsCfnTemplateNameFormat, d.name), reader) | ||
| reader := strings.NewReader(tmpl) | ||
| artifactName := path.Join(d.name, fmt.Sprintf("%x.yml", sha256.Sum256([]byte(tmpl)))) |
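Review bot: the expression path.Join(name, fmt.Sprintf("%x.yml", sha256.Sum256(content))) now appears verbatim at both upload sites (here with d.name and tmpl, and in the template upload with config.StackName() and template). Hoisting it into one helper keeps the two layouts from drifting apart; the "%x" verb on the [32]byte array is correct and gives the 64-character lowercase hex digest in both places.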
I wonder if we should move sha256.Sum256 to AddonsArtifactPath. Same for TemplateArtifactPath, because it seems like whenever we use them we always call sha256.Sum256.
I would prefer the key being determined by the client, but I'm fine either way.
But do we have an assumption that all the addons artifacts should do sha256.Sum256? Same for the env file and template uploads. If so maybe we would want:
// Env file upload
url, err := in.uploader.Upload(d.resources.S3Bucket, template.EnvFileArtifactPath(envFilePath, content), reader)
// Addons upload
url, err := in.uploader.Upload(d.resources.S3Bucket, template.AddonsArtifactPath(d.name, content), reader)
// Template upload
url, err := cf.s3Client.Upload(bucket, template.TemplateArtifactPath(config.StackName(), content), reader)
It's ok if you don't want to change. Not a big one tho.
I agree that we should most likely always upload with sha256 :) this way we can eliminate this bug altogether for future code changes
| Bucket: aws.String(bucket), | ||
| Key: aws.String(key), | ||
| }) | ||
| ACL: aws.String(s3.ObjectCannedACLBucketOwnerFullControl), |
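Review bot: besides the gofmt alignment, it is worth a comment on the ACL line saying why this specific canned ACL is used: bucket-owner-full-control is what lets the bucket's owning account take control of objects written by another account (the bug this PR fixes), and it is also the only canned ACL S3 accepts on buckets whose object ownership is set to BucketOwnerEnforced (any other ACL value makes PutObject fail with AccessControlListNotSupported). Setting it unconditionally here is therefore safe for both same-account and cross-account buckets.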
nit: is gofmt or a similar formatter running?
| // AddonsArtifactPath prefixes the key with the addons artifact path. | ||
| func AddonsArtifactPath(key string) string { |
I wonder if we should have a new package for all of these, so that it reads a bit better? template.MkdirSHA256 is not obvious that it's for s3.
Let me know what you think of this layout:
// Package artifactpath holds functions to generate the S3 object path for artifacts.
package template/artifactpath
// Addons returns the path to store addon artifact files.
func Addons(key string) string
// CFNTemplate returns the path to store cloudformation templates.
func CFNTemplate(key string) string
// SHA256Func returns a function that will namespace a key with the sha256 hash of its content.
func SHA256Func(content []byte) func(string) string {
return func(key string) string {
return path.Join(fmt.Sprintf("%x", sha256.Sum256(content)), key)
}
}
// Chain applies the path functions sequentially to nest the key.
func Chain(key string, fn ...func(string) string) string
This would be the client's experience:
artifactpath.Chain(key, artifactpath.SHA256Func(content), artifactpath.CFNTemplate)
Since we always want to add SHA256, I've inlined it into the function -> chaining was rendered unnecessary when SHA256 is inlined. Let me know what you think!
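The two designs discussed above, the chained layout proposed in review and the inlined SHA-256 form the author settled on, written out as an added Go example (this is not code from the PR or from the copilot-cli repository). The package name follows the proposal; the directory names "manual", "addons" and "templates" are taken from the paths quoted in the thread; contentHash and ValidateKey are assumptions added for illustration, the latter going beyond the thread by rejecting keys that would let path.Join escape the artifact prefix.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"path"
	"strings"
)

// Directory layout quoted in the thread: manual/addons/<key>/<sha>.yml and
// manual/templates/<stack name>/<sha>.yml. Constant names are assumptions
// for this example, not the project's own identifiers.
const (
	artifactDirName = "manual"
	addonDirName    = "addons"
	templateDirName = "templates"
)

// contentHash returns the lowercase hex SHA-256 of content (64 characters).
// "%x" on the [32]byte array formats it as one hex string.
func contentHash(content []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(content))
}

// --- Variant 1: the chaining layout proposed in review ---

// Addons prefixes key with the addons artifact path.
func Addons(key string) string {
	return path.Join(artifactDirName, addonDirName, key)
}

// CFNTemplate prefixes key with the CloudFormation template artifact path.
func CFNTemplate(key string) string {
	return path.Join(artifactDirName, templateDirName, key)
}

// SHA256Func returns a path function that nests the content hash under key,
// giving <key>/<sha>.yml (the order the thread settled on).
func SHA256Func(content []byte) func(string) string {
	return func(key string) string {
		return path.Join(key, contentHash(content)+".yml")
	}
}

// Chain applies fns to key in order, innermost transformation first.
func Chain(key string, fns ...func(string) string) string {
	for _, fn := range fns {
		key = fn(key)
	}
	return key
}

// --- Variant 2: the inlined form adopted in the PR ---

// AddonsWithSHA256 returns manual/addons/<key>/<sha>.yml.
func AddonsWithSHA256(key string, content []byte) string {
	return path.Join(artifactDirName, addonDirName, key, contentHash(content)+".yml")
}

// CFNTemplateWithSHA256 returns manual/templates/<key>/<sha>.yml.
func CFNTemplateWithSHA256(key string, content []byte) string {
	return path.Join(artifactDirName, templateDirName, key, contentHash(content)+".yml")
}

// ValidateKey (assumption, not in the PR) rejects keys that path.Join would
// clean into a location outside the artifact prefix: empty keys, absolute
// keys, and any ".." segment.
func ValidateKey(key string) error {
	if key == "" {
		return fmt.Errorf("artifact key must not be empty")
	}
	if path.IsAbs(key) {
		return fmt.Errorf("artifact key %q must be relative", key)
	}
	for _, seg := range strings.Split(key, "/") {
		if seg == ".." {
			return fmt.Errorf("artifact key %q must not contain \"..\"", key)
		}
	}
	return nil
}

func main() {
	// Constructed sample: a stack name and a tiny template body.
	content := []byte("Resources: {}\n")
	if err := ValidateKey("api"); err != nil {
		panic(err)
	}
	fmt.Println(Chain("api", SHA256Func(content), Addons))
	fmt.Println(AddonsWithSHA256("api", content))
	fmt.Println(CFNTemplateWithSHA256("api", content))
	fmt.Println(ValidateKey("../escape"))
}
```

Both variants produce the same key for the same inputs; the inlined form removes the need for Chain at the cost of one function per artifact type, which is the trade-off the reply above describes.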
d83668f to 4429ad0
4429ad0 to a57db70
| // Addons returns the path to store addon artifact files. | ||
| // Example: manual/addons/key/sha.yml. | ||
| func AddonsWithSHA256(key string, content []byte) string { |
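Review bot: the doc comment starts with "Addons returns" but the declared name is AddonsWithSHA256; Go doc comments should begin with the declared identifier (staticcheck's ST1020 flags the mismatch), so either rename the function to Addons, as suggested in the nit, or update the comment to match. Keep the "Example: manual/addons/key/sha.yml" line either way, since it is the only place the resulting layout is spelled out.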
nit: It should be fine to drop the WithSHA256 suffix now that we do it for everything
Fix #3453 by:
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the Apache 2.0 License.