feat: Support for S3 Object Lock legal hold (#1)

casperbiering · Aug 11, 2022 · b00c2ac · b00c2ac
1 parent 2f2485c
commit b00c2ac
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -36,6 +36,7 @@ The plugin can be configured in the [**semantic-release** configuration file](ht
             "awsRegion": "eu-west-1",
             "s3Bucket": "production-eu-bucket",
             "s3Key": "builds/${nextRelease.version}.zip",
+            "s3LegalHold": true,
             "replaceS3BucketVariable": "s3_bucket_eu",
             "replaceS3KeyVariable": "s3_key_eu",
             "replaceS3VersionIdVariable": "s3_object_version_eu"
@@ -47,6 +48,7 @@ The plugin can be configured in the [**semantic-release** configuration file](ht
             "awsRegion": "us-east-1",
             "s3Bucket": "production-us-bucket",
             "s3Key": "builds/${nextRelease.version}.zip",
+            "s3LegalHold": true,
             "replaceS3BucketVariable": "s3_bucket_us",
             "replaceS3KeyVariable": "s3_key_us",
             "replaceS3VersionIdVariable": "s3_object_version_us"
@@ -94,6 +96,7 @@ The plugin uses [AWS SDK for JavaScript v3](https://github.com/aws/aws-sdk-js-v3
 | `destinations.*.awsRegion` | (REQUIRED) AWS Region | N/A |
 | `destinations.*.s3Bucket` | (REQUIRED) AWS Region | N/A |
 | `destinations.*.s3Key` | (REQUIRED) Key for sourceFile. It's templateable with `branch` name and `nextRelease` | N/A |
+| `destinations.*.s3LegalHold` | Set to `true` to turn 'ON' legal hold for object | `false` |
 | `destinations.*.replaceS3BucketVariable` | (REQUIRED) Variable to patch this destinations S3 bucket name | N/A |
 | `destinations.*.replaceS3KeyVariable` | (REQUIRED) Variable to patch this destinations S3 key | N/A |
 | `destinations.*.replaceS3VersionIdVariable` | Variable to patch this destinations S3 Object Version Id. This is only supported if the bucket has enabled versioning. It's HIGHLY recommended though, since it's the only way to have immutability. | `null` |

diff --git a/__tests__/prepare.js b/__tests__/prepare.js
@@ -53,6 +53,7 @@ test('prepare success', async () => {
         awsRegion: 'eu-west-1',
         s3Bucket: 'production-eu-bucket',
         s3Key: `builds/\${nextRelease.version}.zip`,
+        s3LegalHold: true,
         replaceS3BucketVariable: 's3_bucket',
         replaceS3KeyVariable: 's3_key',
         replaceS3VersionIdVariable: 's3_object_version',
@@ -85,6 +86,7 @@ test('prepare success with assume', async () => {
         awsRegion: 'eu-west-1',
         s3Bucket: 'production-eu-bucket',
         s3Key: `builds/\${nextRelease.version}.zip`,
+        s3LegalHold: true,
         replaceS3BucketVariable: 's3_bucket',
         replaceS3KeyVariable: 's3_key',
         replaceS3VersionIdVariable: 's3_object_version',
@@ -116,6 +118,7 @@ test('version variable not bucket not versioned', async () => {
         awsRegion: 'eu-west-1',
         s3Bucket: 'production-eu-bucket',
         s3Key: `builds/\${nextRelease.version}.zip`,
+        s3LegalHold: true,
         replaceS3BucketVariable: 's3_bucket',
         replaceS3KeyVariable: 's3_key',
         replaceS3VersionIdVariable: 's3_object_version',

diff --git a/__tests__/verify.js b/__tests__/verify.js
@@ -37,6 +37,7 @@ test('verify success', async () => {
         awsRegion: 'eu-west-1',
         s3Bucket: 'production-eu-bucket',
         s3Key: `builds/\${nextRelease.version}.zip`,
+        s3LegalHold: true,
         replaceS3BucketVariable: 's3_bucket_eu',
         replaceS3KeyVariable: 's3_key_eu',
         replaceS3VersionIdVariable: 's3_object_version_eu',
@@ -56,13 +57,15 @@ test('require unique variable names', async () => {
         awsRegion: 'eu-west-1',
         s3Bucket: 'production-eu-bucket',
         s3Key: `builds/\${nextRelease.version}.zip`,
+        s3LegalHold: true,
         replaceS3BucketVariable: 's3_bucket',
         replaceS3KeyVariable: 's3_key',
       },
       {
         awsRegion: 'us-east-1',
         s3Bucket: 'production-us-bucket',
         s3Key: `builds/\${nextRelease.version}.zip`,
+        s3LegalHold: true,
         replaceS3BucketVariable: 's3_bucket',
         replaceS3KeyVariable: 's3_key',
         replaceS3VersionIdVariable: 's3_object_version',

diff --git a/lib/prepare.js b/lib/prepare.js
@@ -1,4 +1,5 @@
 const _ = require('lodash');
+const crypto = require('crypto');
 const escapeStringRegexp = require('escape-string-regexp');
 const fs = require('fs');
 const fg = require('fast-glob');
@@ -37,12 +38,21 @@ async function handleDestination({ pluginConfig, context, destination }) {
     credentials,
   });
 
+  const body = fs.readFileSync(pluginConfig.sourceFile);
+
   const putObjectParams = {
     Bucket: destination.s3Bucket,
     Key: _.template(destination.s3Key)({ branch: branch.name, nextRelease }),
-    Body: fs.readFileSync(pluginConfig.sourceFile),
+    Body: body,
   };
 
+  if (destination.s3LegalHold) {
+    const hash = crypto.createHash('md5').update(body).digest('base64');
+
+    putObjectParams.ContentMD5 = hash;
+    putObjectParams.ObjectLockLegalHoldStatus = 'ON';
+  }
+
   const putObjectResult = await s3Client.send(new PutObjectCommand(putObjectParams));
 
   logger.log(

diff --git a/lib/verify.js b/lib/verify.js
@@ -18,6 +18,7 @@ const pluginConfigSchema = {
           awsRegion: { type: 'string' },
           s3Bucket: { type: 'string' },
           s3Key: { type: 'string' },
+          s3LegalHold: { type: 'boolean' },
           replaceS3BucketVariable: { type: 'string' },
           replaceS3KeyVariable: { type: 'string' },
           replaceS3VersionIdVariable: { type: 'string' },