Update secrets-provider to BucketV2
t0yv0 committed Sep 19, 2024
1 parent f143bd3 commit 93c2196
Showing 4 changed files with 57 additions and 20 deletions.
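--- a/secrets-provider/aws/README.md
+++ b/secrets-provider/aws/README.md
@@ -64,7 +64,7 @@ pulumi up --yes
 Previewing update (aws-kms):
 Type Name Plan
 + pulumi:pulumi:Stack pulumi-aws-kms-aws-kms create
-+ ├─ aws:s3:Bucket bucket create
++ ├─ aws:s3:BucketV2 bucket create
 + └─ aws:s3:BucketObject secret create
 
 Resources:
@@ -73,7 +73,7 @@ Resources:
 Updating (aws-kms):
 Type Name Status
 + pulumi:pulumi:Stack pulumi-aws-kms-aws-kms created
-+ ├─ aws:s3:Bucket bucket created
++ ├─ aws:s3:BucketV2 bucket created
 + └─ aws:s3:BucketObject secret created
 
 Outputs:
@@ -100,9 +100,3 @@ pulumi up --yes
 error: getting secrets manager: secrets (code=Unknown): InvalidSignatureException: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
 status code: 400, request id: 35ff51c6-ef88-4c06-9146-361231b8fd4a
 ```
-
-
-
-
-
-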
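--- a/secrets-provider/aws/index.ts
+++ b/secrets-provider/aws/index.ts
@@ -10,12 +10,36 @@ const config = new pulumi.Config();
 const bucketName = config.require('bucketName');
 const secretValue = config.requireSecret('secretValue');
 
+export function configureACL(bucketName: string, bucket: aws.s3.BucketV2, acl: string): aws.s3.BucketAclV2 {
+const ownership = new aws.s3.BucketOwnershipControls(bucketName, {
+bucket: bucket.bucket,
+rule: {
+objectOwnership: "BucketOwnerPreferred",
+}
+});
+const publicAccessBlock = new aws.s3.BucketPublicAccessBlock(bucketName, {
+bucket: bucket.bucket,
+blockPublicAcls: false,
+blockPublicPolicy: false,
+ignorePublicAcls: false,
+restrictPublicBuckets: false,
+});
+const bucketACL = new aws.s3.BucketAclV2(bucketName, {
+bucket: bucket.bucket,
+acl: acl,
+}, {
+dependsOn: [ownership, publicAccessBlock]
+});
+return bucketACL;
+}
+
 // Create a private bucket
-const bucket = new aws.s3.Bucket("bucket", {
+const bucket = new aws.s3.BucketV2("bucket", {
 bucket: bucketName,
-acl: "private",
 });
 
+configureACL("bucket", bucket, "private");
+
 // Create an object from the secret value
 const superSecretObject = new aws.s3.BucketObject("secret", {
 bucket: bucket.id,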
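Review bot: `configureACL` creates a `BucketPublicAccessBlock` with all four guards (`blockPublicAcls`, `blockPublicPolicy`, `ignorePublicAcls`, `restrictPublicBuckets`) set to `false` on the very bucket that `superSecretObject` below writes the secret value into; the only call passes `"private"`, so nothing in this stack needs public access, and with the block disabled a later ACL or bucket-policy change could expose that object with no remaining guardrail. A private canned ACL is still accepted while the block is fully enabled, so the four flags can simply be `true`, or be derived from the parameter (`const allowPublic = acl !== "private";` then `blockPublicAcls: !allowPublic`, and likewise for the other three) if the helper is meant to serve public ACLs one day. The `BucketOwnerPreferred` rule also deserves a why-comment, since the ACL resource presumably relies on ACLs staying enabled: `// ACLs stay enabled under BucketOwnerPreferred; BucketOwnerEnforced would reject BucketAclV2 — confirm`. The `superSecretObject` definition continues past the end of the hunk.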
11 changes: 3 additions & 8 deletions secrets-provider/vault/README.md
Expand Up @@ -68,7 +68,7 @@ pulumi up --yes
Previewing update (vault-kms):
Type Name Plan
+ pulumi:pulumi:Stack pulumi-vault-kms-vault-kms create
+ ├─ aws:s3:Bucket bucket create
+ ├─ aws:s3:BucketV2 bucket create
+ └─ aws:s3:BucketObject secret create
Resources:
Expand All @@ -77,7 +77,7 @@ Resources:
Updating (aws-kms):
Type Name Status
+ pulumi:pulumi:Stack pulumi-vault-kms-vault-kms created
+ ├─ aws:s3:Bucket bucket created
+ ├─ aws:s3:BucketV2 bucket created
+ └─ aws:s3:BucketObject secret created
Outputs:
Expand All @@ -99,7 +99,7 @@ You'll notice the secret value is also omitted from the output!
A quick way to verify if the encryption is using the Vault key is to remove your `VAULT_SERVER_TOKEN` environment variable setting:
```bash
unset
unset
pulumi up --yes
error: getting secrets manager: secrets (code=Unknown): Error making API request.
Expand All @@ -108,8 +108,3 @@ Code: 400. Errors:
* missing client token
```
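--- a/secrets-provider/vault/index.ts
+++ b/secrets-provider/vault/index.ts
@@ -10,12 +10,36 @@ const config = new pulumi.Config();
 const bucketName = config.require('bucketName');
 const secretValue = config.requireSecret('secretValue');
 
+function configureACL(bucketName: string, bucket: aws.s3.BucketV2, acl: string): aws.s3.BucketAclV2 {
+const ownership = new aws.s3.BucketOwnershipControls(bucketName, {
+bucket: bucket.bucket,
+rule: {
+objectOwnership: "BucketOwnerPreferred",
+}
+});
+const publicAccessBlock = new aws.s3.BucketPublicAccessBlock(bucketName, {
+bucket: bucket.bucket,
+blockPublicAcls: false,
+blockPublicPolicy: false,
+ignorePublicAcls: false,
+restrictPublicBuckets: false,
+});
+const bucketACL = new aws.s3.BucketAclV2(bucketName, {
+bucket: bucket.bucket,
+acl: acl,
+}, {
+dependsOn: [ownership, publicAccessBlock]
+});
+return bucketACL;
+}
+
 // Create a private bucket
-const bucket = new aws.s3.Bucket("bucket", {
+const bucket = new aws.s3.BucketV2("bucket", {
 bucket: bucketName,
-acl: "private",
 });
 
+configureACL("bucket", bucket, "private");
+
 // Create an object from the secret value
 const superSecretObject = new aws.s3.BucketObject("secret", {
 bucket: bucket.id,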
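Review bot: The `BucketPublicAccessBlock` in `configureACL` turns all four public-access guards off (`false`) for the bucket that receives the secret object a few lines below, while the only caller asks for a `"private"` ACL; nothing here needs public access, so the block should stay enabled (all four flags `true` — a private canned ACL is still accepted) and be relaxed only deliberately if a public ACL is ever required. The parameter named `bucketName` is used as the Pulumi resource name (`"bucket"`) and shadows the module-level `bucketName` config value that holds the real S3 bucket name, which invites confusion; renaming it `resourceName` makes `configureACL("bucket", bucket, "private")` read correctly. This copy of `configureACL` is identical to the one in the aws stack except that it is not exported; a one-line header comment such as `// Applies `acl` via BucketAclV2; ownership controls must exist first, hence dependsOn` would help whoever keeps the two in sync. `superSecretObject` continues beyond the hunk.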
