Fix S3 public ACL configuration (#559)

Adjust the AWS static website templates to account for new public ACL configurations Fixes #558 Signed-off-by: Scott Lowe <slowe@pulumi.com>
pulumi · Apr 21, 2023 · ed5e07a · ed5e07a
1 parent ae04782
commit ed5e07a
Show file tree

Hide file tree

Showing 5 changed files with 106 additions and 13 deletions.
diff --git a/static-website-aws-csharp/Program.cs b/static-website-aws-csharp/Program.cs
@@ -14,20 +14,41 @@
     // Create an S3 bucket and configure it as a website.
     var bucket = new Aws.S3.Bucket("bucket", new()
     {
-        Acl = "public-read",
         Website = new Aws.S3.Inputs.BucketWebsiteArgs
         {
             IndexDocument = indexDocument,
             ErrorDocument = errorDocument,
         },
     });
 
+    // Configure ownership controls for the new S3 bucket
+    var ownershipControls = new Aws.S3.BucketOwnershipControls("ownership-controls", new()
+    {
+        Bucket = bucket.Id,
+        Rule = new Aws.S3.Inputs.BucketOwnershipControlsRuleArgs
+        {
+            ObjectOwnership = "ObjectWriter",
+        },
+    });
+
+    // Configure public access block for the new S3 bucket
+    var publicAccessBlock = new Aws.S3.BucketPublicAccessBlock("public-access-block", new()
+    {
+        Bucket = bucket.Id,
+        BlockPublicAcls = false,
+    });
+
     // Use a synced folder to manage the files of the website.
     var bucketFolder = new SyncedFolder.S3BucketFolder("bucket-folder", new()
     {
         Path = path,
         BucketName = bucket.BucketName,
         Acl = "public-read",
+    }, new ComponentResourceOptions { 
+        DependsOn = { 
+            ownershipControls,
+            publicAccessBlock
+        }
     });
 
     // Create a CloudFront CDN to distribute and cache the website.

diff --git a/static-website-aws-go/main.go b/static-website-aws-go/main.go
@@ -30,7 +30,6 @@ func main() {
 
 		// Create an S3 bucket and configure it as a website.
 		bucket, err := s3.NewBucket(ctx, "bucket", &s3.BucketArgs{
-			Acl: pulumi.String("public-read"),
 			Website: &s3.BucketWebsiteArgs{
 				IndexDocument: pulumi.String(indexDocument),
 				ErrorDocument: pulumi.String(errorDocument),
@@ -40,12 +39,32 @@ func main() {
 			return err
 		}
 
+		// Set ownership controls for the new S3 bucket
+		ownershipControls, err := s3.NewBucketOwnershipControls(ctx, "ownership-controls", &s3.BucketOwnershipControlsArgs{
+			Bucket: bucket.Bucket,
+			Rule: &s3.BucketOwnershipControlsRuleArgs{
+				ObjectOwnership: pulumi.String("ObjectWriter"),
+			},
+		})
+		if err != nil {
+			return err
+		}
+
+		// Configure public access block for the new S3 bucket
+		publicAccessBlock, err := s3.NewBucketPublicAccessBlock(ctx, "public-access-block", &s3.BucketPublicAccessBlockArgs{
+			Bucket:          bucket.Bucket,
+			BlockPublicAcls: pulumi.Bool(false),
+		})
+		if err != nil {
+			return err
+		}
+
 		// Use a synced folder to manage the files of the website.
 		_, err = synced.NewS3BucketFolder(ctx, "bucket-folder", &synced.S3BucketFolderArgs{
 			Path:       pulumi.String(path),
 			BucketName: bucket.Bucket,
 			Acl:        pulumi.String("public-read"),
-		})
+		}, pulumi.DependsOn([]pulumi.Resource{ownershipControls, publicAccessBlock}))
 		if err != nil {
 			return err
 		}

diff --git a/static-website-aws-python/__main__.py b/static-website-aws-python/__main__.py
@@ -11,16 +11,38 @@
 # Create an S3 bucket and configure it as a website.
 bucket = aws.s3.Bucket(
     "bucket",
-    acl="public-read",
     website=aws.s3.BucketWebsiteArgs(
         index_document=index_document,
         error_document=error_document,
     ),
 )
 
+# Set ownership controls for the new bucket
+ownership_controls = aws.s3.BucketOwnershipControls(
+    "ownership-controls",
+    bucket=bucket.bucket,
+    rule=aws.s3.BucketOwnershipControlsRuleArgs(
+        object_ownership="ObjectWriter",
+    )
+)
+
+# Configure public ACL block on the new bucket
+public_access_block = aws.s3.BucketPublicAccessBlock(
+    "public-access-block",
+    bucket=bucket.bucket,
+    block_public_acls=False,
+)
+
 # Use a synced folder to manage the files of the website.
 bucket_folder = synced_folder.S3BucketFolder(
-    "bucket-folder", path=path, bucket_name=bucket.bucket, acl="public-read"
+    "bucket-folder",
+    acl="public-read",
+    bucket_name=bucket.bucket,
+    path=path,
+    opts=pulumi.ResourceOptions(depends_on=[
+        ownership_controls,
+        public_access_block
+    ])
 )
 
 # Create a CloudFront CDN to distribute and cache the website.

diff --git a/static-website-aws-typescript/index.ts b/static-website-aws-typescript/index.ts
@@ -10,19 +10,32 @@ const errorDocument = config.get("errorDocument") || "error.html";
 
 // Create an S3 bucket and configure it as a website.
 const bucket = new aws.s3.Bucket("bucket", {
-    acl: "public-read",
     website: {
         indexDocument: indexDocument,
         errorDocument: errorDocument,
     },
 });
 
+// Configure ownership controls for the new S3 bucket
+const ownershipControls = new aws.s3.BucketOwnershipControls("ownership-controls", {
+    bucket: bucket.bucket,
+    rule: {
+        objectOwnership: "ObjectWriter",
+    },
+});
+
+// Configure public ACL block on the new S3 bucket
+const publicAccessBlock = new aws.s3.BucketPublicAccessBlock("public-access-block", {
+    bucket: bucket.bucket,
+    blockPublicAcls: false,
+});
+
 // Use a synced folder to manage the files of the website.
 const bucketFolder = new synced_folder.S3BucketFolder("bucket-folder", {
     path: path,
     bucketName: bucket.bucket,
     acl: "public-read",
-});
+}, { dependsOn: [ownershipControls, publicAccessBlock]});
 
 // Create a CloudFront CDN to distribute and cache the website.
 const cdn = new aws.cloudfront.Distribution("cdn", {

diff --git a/static-website-aws-yaml/Pulumi.yaml b/static-website-aws-yaml/Pulumi.yaml
@@ -34,20 +34,38 @@ resources:
 
   # Create an S3 bucket and configure it as a website.
   bucket:
-    type: aws:s3:Bucket
     properties:
-      acl: public-read
       website:
-        indexDocument: ${indexDocument}
         errorDocument: ${errorDocument}
+        indexDocument: ${indexDocument}
+    type: aws:s3:Bucket
+
+  # Assign ownership controls to the new S3 bucket
+  ownership-controls:
+    properties:
+      bucket: ${bucket.id}
+      rule:
+        objectOwnership: ObjectWriter
+    type: aws:s3:BucketOwnershipControls
+
+  # Configure the public access block for the new S3 bucket
+  public-access-block:
+    properties:
+      bucket: ${bucket.id}
+      blockPublicAcls: false
+    type: aws:s3:BucketPublicAccessBlock
 
   # Use a synced folder to manage the files of the website.
   bucket-folder:
-    type: synced-folder:index:S3BucketFolder
+    options:
+      dependsOn:
+        - ${ownership-controls}
+        - ${public-access-block}
     properties:
-      path: ${path}
-      bucketName: ${bucket.bucket}
       acl: public-read
+      bucketName: ${bucket.bucket}
+      path: ${path}
+    type: synced-folder:index:S3BucketFolder
 
   # Create a CloudFront CDN to distribute and cache the website.
   cdn: