Add SFTP service bucket to those accessible by the application

Ended up having to move some of the sftp code into the assets
module, like the sftp bucket, to resolve an otherwise circular
dependency between assets and sftp.

Author: dpoirier

stack/__init__.py

@@ -1,11 +1,11 @@
 import os
 
+from . import sftp  # noqa: F401
 from . import assets  # noqa: F401
 from . import cache  # noqa: F401
 from . import database  # noqa: F401
 from . import logs  # noqa: F401
 from . import vpc  # noqa: F401
-from . import sftp  # noqa: F401
 from . import template
 
 if os.environ.get('USE_GOVCLOUD') != 'on':

stack/assets.py

@@ -13,6 +13,7 @@
     Output,
     Ref,
     Split,
+    Condition,
 )
 from troposphere.certificatemanager import Certificate, DomainValidationOption
 from troposphere.cloudfront import (
@@ -43,6 +44,7 @@
     use_cmk_arn
 )
 from .domain import domain_name, domain_name_alternates, no_alt_domains
+from .sftp import use_sftp_condition, use_sftp_with_kms_condition
 from .template import template
 from .utils import ParameterWithDefaults as Parameter
 
@@ -122,11 +124,13 @@
 
 
 # Output S3 asset bucket name
-template.add_output(Output(
-    "AssetsBucketDomainName",
-    Description="Assets bucket domain name",
-    Value=GetAtt(assets_bucket, "DomainName")
-))
+template.add_output(
+    Output(
+        "AssetsBucketDomainName",
+        Description="Assets bucket domain name",
+        Value=GetAtt(assets_bucket, "DomainName"),
+    )
+)
 
 
 # Create an S3 bucket that holds user uploads or other non-public files
@@ -158,41 +162,104 @@
     )
 )
 
+# Output S3 private assets bucket name
+template.add_output(
+    Output(
+        "PrivateAssetsBucketDomainName",
+        Description="Private assets bucket domain name",
+        Value=GetAtt(private_assets_bucket, "DomainName"),
+    )
+)
 
-# Output S3 asset bucket name
-template.add_output(Output(
-    "PrivateAssetsBucketDomainName",
-    Description="Private assets bucket domain name",
-    Value=GetAtt(private_assets_bucket, "DomainName")
-))
+# Bucket for SFTP service
+sftp_assets_bucket = Bucket(
+    "SFTPAssetsBucket",
+    Condition=use_sftp_condition,
+    AccessControl=Private,
+    PublicAccessBlockConfiguration=PublicAccessBlockConfiguration(
+        BlockPublicAcls=True,
+        BlockPublicPolicy=True,
+        IgnorePublicAcls=True,
+        RestrictPublicBuckets=True,
+    ),
+    BucketEncryption=If(
+        use_aes256_encryption_cond,
+        BucketEncryption(
+            ServerSideEncryptionConfiguration=[
+                ServerSideEncryptionRule(
+                    ServerSideEncryptionByDefault=ServerSideEncryptionByDefault(
+                        SSEAlgorithm=If(use_cmk_arn, "aws:kms", "AES256"),
+                        KMSMasterKeyID=If(
+                            use_cmk_arn, Ref(cmk_arn), Ref("AWS::NoValue")
+                        ),
+                    )
+                )
+            ]
+        ),
+        NoValue,
+    ),
+    **common_bucket_conf,
+)
+template.add_resource(sftp_assets_bucket)
+
+# Output SFTP asset bucket name
+template.add_output(
+    Output(
+        "SFTPBucketDomainName",
+        Condition=use_sftp_condition,
+        Description="SFTP bucket domain name",
+        Value=GetAtt(sftp_assets_bucket, "DomainName"),
+    )
+)
+
+assets_management_policy_statements = [
+    dict(
+        Effect="Allow",
+        Action=["s3:ListBucket"],
+        Resource=Join("", [arn_prefix, ":s3:::", Ref(assets_bucket)]),
+    ),
+    dict(
+        Effect="Allow",
+        Action=["s3:*"],
+        Resource=Join("", [arn_prefix, ":s3:::", Ref(assets_bucket), "/*"]),
+    ),
+    dict(
+        Effect="Allow",
+        Action=["s3:ListBucket"],
+        Resource=Join("", [arn_prefix, ":s3:::", Ref(private_assets_bucket)]),
+    ),
+    dict(
+        Effect="Allow",
+        Action=["s3:*"],
+        Resource=Join("", [arn_prefix, ":s3:::", Ref(private_assets_bucket), "/*"]),
+    ),
+]
 
+assets_management_policy_statements_including_sftp_bucket = (
+    assets_management_policy_statements
+    + [
+        dict(
+            Effect="Allow",
+            Action=["s3:ListBucket"],
+            Resource=Join("", [arn_prefix, ":s3:::", Ref(sftp_assets_bucket)]),
+        ),
+        dict(
+            Effect="Allow",
+            Action=["s3:*"],
+            Resource=Join("", [arn_prefix, ":s3:::", Ref(sftp_assets_bucket), "/*"]),
+        ),
+    ]
+)
 
 # central asset management policy for use in instance roles
 assets_management_policy = iam.Policy(
     PolicyName="AssetsManagementPolicy",
     PolicyDocument=dict(
-        Statement=[
-            dict(
-                Effect="Allow",
-                Action=["s3:ListBucket"],
-                Resource=Join("", [arn_prefix, ":s3:::", Ref(assets_bucket)]),
-            ),
-            dict(
-                Effect="Allow",
-                Action=["s3:*"],
-                Resource=Join("", [arn_prefix, ":s3:::", Ref(assets_bucket), "/*"]),
-            ),
-            dict(
-                Effect="Allow",
-                Action=["s3:ListBucket"],
-                Resource=Join("", [arn_prefix, ":s3:::", Ref(private_assets_bucket)]),
-            ),
-            dict(
-                Effect="Allow",
-                Action=["s3:*"],
-                Resource=Join("", [arn_prefix, ":s3:::", Ref(private_assets_bucket), "/*"]),
-            ),
-        ],
+        Statement=If(
+            Condition(use_sftp_condition),
+            assets_management_policy_statements_including_sftp_bucket,
+            assets_management_policy_statements,
+        )
     ),
 )
 
@@ -314,11 +381,119 @@
     )
 
     # Output CloudFront url
-    template.add_output(Output(
-        "AssetsDistributionDomainName",
-        Description="The assets CDN domain name",
-        Value=GetAtt(distribution, "DomainName"),
-        Condition=assets_use_cloudfront_condition,
-    ))
+    template.add_output(
+        Output(
+            "AssetsDistributionDomainName",
+            Description="The assets CDN domain name",
+            Value=GetAtt(distribution, "DomainName"),
+            Condition=assets_use_cloudfront_condition,
+        )
+    )
 else:
     distribution = None
+
+# The scopedown policy is used to restrict a user's access to the parts of the bucket
+# we don't want them to access.
+common_sftp_scopedown_policy_statements = [
+    {
+        "Sid": "AllowListingOfSFTPUserFolder",
+        "Action": ["s3:ListBucket"],
+        "Effect": "Allow",
+        "Resource": ["arn:aws:s3:::${transfer:HomeBucket}"],
+        "Condition": {
+            "StringLike": {
+                "s3:prefix": ["${transfer:UserName}/*", "${transfer:UserName}"]
+            }
+        },
+    },
+    {
+        "Sid": "HomeDirObjectAccess",
+        "Effect": "Allow",
+        "Action": [
+            "s3:PutObject",
+            "s3:GetObject",
+            "s3:DeleteObjectVersion",
+            "s3:DeleteObject",
+            "s3:GetObjectVersion",
+        ],
+        "Resource": [
+            Join("/", [GetAtt(sftp_assets_bucket, "Arn"), "${transfer:UserName}"]),
+            Join("/", [GetAtt(sftp_assets_bucket, "Arn"), "${transfer:UserName}/*"]),
+        ],
+    },
+]
+
+sftp_kms_policy_statement = dict(
+    Effect="Allow",
+    Action=["kms:DescribeKey", "kms:GenerateDataKey", "kms:Encrypt", "kms:Decrypt"],
+    Resource=Ref(cmk_arn),
+)
+
+sftp_scopedown_policy = iam.ManagedPolicy(
+    # This is for applying when adding users to the transfer server. It's not used directly in the stack creation,
+    # other than adding it to IAM for later use.
+    "SFTPUserScopeDownPolicy",
+    PolicyDocument=dict(
+        Version="2012-10-17",
+        Statement=If(
+            use_sftp_with_kms_condition,
+            common_sftp_scopedown_policy_statements + [sftp_kms_policy_statement],
+            common_sftp_scopedown_policy_statements,
+        ),
+    ),
+)
+template.add_resource(sftp_scopedown_policy)
+
+# The ROLE is applied to users to let them access the bucket in general,
+# without regart to who they are.
+common_sftp_user_role_statements = [
+    dict(
+        Effect="Allow",
+        Action=["s3:ListBucket", "s3:GetBucketLocation"],
+        Resource=Join("", [arn_prefix, ":s3:::", Ref(sftp_assets_bucket)]),
+    ),
+    dict(
+        Effect="Allow",
+        Action=[
+            "s3:PutObject",
+            "s3:GetObject",
+            "s3:DeleteObject",
+            "s3:DeleteObjectVersion",
+            "s3:GetObjectVersion",
+            "s3:GetObjectACL",
+            "s3:PutObjectACL",
+        ],
+        Resource=Join("", [arn_prefix, ":s3:::", Ref(sftp_assets_bucket), "/*"]),
+    ),
+]
+
+sftp_user_role = iam.Role(
+    # This also is not used directly during the stack setup, but is put into IAM
+    # to be used later when adding users to the transfer server.
+    "SFTPUserRole",
+    template=template,
+    AssumeRolePolicyDocument=dict(
+        Statement=[
+            dict(
+                Effect="Allow",
+                Principal=dict(Service=["transfer.amazonaws.com"]),
+                Action=["sts:AssumeRole"],
+            )
+        ]
+    ),
+    Policies=[
+        iam.Policy(
+            "SFTPSUserRolePolicy",
+            PolicyName="SFTPSUserRolePolicy",
+            PolicyDocument=dict(
+                Version="2012-10-17",
+                Statement=If(
+                    use_sftp_with_kms_condition,
+                    common_sftp_user_role_statements + [sftp_kms_policy_statement],
+                    common_sftp_user_role_statements,
+                ),
+            ),
+        )
+    ],
+    RoleName=Join("-", [Ref("AWS::StackName"), "SFTPUserRole"]),
+)