From 514eea111dd7c9c0c63e38e5f9f51e8da0e60812 Mon Sep 17 00:00:00 2001 From: Anton Tayanovskyy Date: Thu, 19 Sep 2024 16:02:03 -0400 Subject: [PATCH 1/3] Update secrets-provider to BucketV2 --- secrets-provider/aws/README.md | 10 ++-------- secrets-provider/aws/index.ts | 28 ++++++++++++++++++++++++++-- secrets-provider/vault/README.md | 11 +++-------- secrets-provider/vault/index.ts | 28 ++++++++++++++++++++++++++-- 4 files changed, 57 insertions(+), 20 deletions(-) diff --git a/secrets-provider/aws/README.md b/secrets-provider/aws/README.md index 1878dde9b..dc0310e01 100644 --- a/secrets-provider/aws/README.md +++ b/secrets-provider/aws/README.md @@ -64,7 +64,7 @@ pulumi up --yes Previewing update (aws-kms): Type Name Plan + pulumi:pulumi:Stack pulumi-aws-kms-aws-kms create - + ├─ aws:s3:Bucket bucket create + + ├─ aws:s3:BucketV2 bucket create + └─ aws:s3:BucketObject secret create Resources: @@ -73,7 +73,7 @@ Resources: Updating (aws-kms): Type Name Status + pulumi:pulumi:Stack pulumi-aws-kms-aws-kms created - + ├─ aws:s3:Bucket bucket created + + ├─ aws:s3:BucketV2 bucket created + └─ aws:s3:BucketObject secret created Outputs: @@ -100,9 +100,3 @@ pulumi up --yes error: getting secrets manager: secrets (code=Unknown): InvalidSignatureException: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details. status code: 400, request id: 35ff51c6-ef88-4c06-9146-361231b8fd4a ``` - - - - - - diff --git a/secrets-provider/aws/index.ts b/secrets-provider/aws/index.ts index cd5132008..abb887ec2 100644 --- a/secrets-provider/aws/index.ts +++ b/secrets-provider/aws/index.ts 
@@ -10,12 +10,36 @@ const config = new pulumi.Config(); const bucketName = config.require('bucketName'); const secretValue = config.requireSecret('secretValue'); +export function configureACL(bucketName: string, bucket: aws.s3.BucketV2, acl: string): aws.s3.BucketAclV2 { + const ownership = new aws.s3.BucketOwnershipControls(bucketName, { + bucket: bucket.bucket, + rule: { + objectOwnership: "BucketOwnerPreferred", + } + }); + const publicAccessBlock = new aws.s3.BucketPublicAccessBlock(bucketName, { + bucket: bucket.bucket, + blockPublicAcls: false, + blockPublicPolicy: false, + ignorePublicAcls: false, + restrictPublicBuckets: false, + }); + const bucketACL = new aws.s3.BucketAclV2(bucketName, { + bucket: bucket.bucket, + acl: acl, + }, { + dependsOn: [ownership, publicAccessBlock] + }); + return bucketACL; +} + // Create a private bucket -const bucket = new aws.s3.Bucket("bucket", { +const bucket = new aws.s3.BucketV2("bucket", { bucket: bucketName, - acl: "private", }); +configureACL("bucket", bucket, "private"); + // Create an object from the secret value const superSecretObject = new aws.s3.BucketObject("secret", { bucket: bucket.id, diff --git a/secrets-provider/vault/README.md b/secrets-provider/vault/README.md index e6c5ee086..38c64af0c 100644 --- a/secrets-provider/vault/README.md +++ b/secrets-provider/vault/README.md @@ -68,7 +68,7 @@ pulumi up --yes Previewing update (vault-kms): Type Name Plan + pulumi:pulumi:Stack pulumi-vault-kms-vault-kms create - + ├─ aws:s3:Bucket bucket create + + ├─ aws:s3:BucketV2 bucket create + └─ aws:s3:BucketObject secret create Resources: @@ -77,7 +77,7 @@ Resources: Updating (aws-kms): Type Name Status + pulumi:pulumi:Stack pulumi-vault-kms-vault-kms created - + ├─ aws:s3:Bucket bucket created + + ├─ aws:s3:BucketV2 bucket created + └─ aws:s3:BucketObject secret created Outputs: 
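Review bot: `configureACL` sets all four `BucketPublicAccessBlock` guards to `false` and switches ownership to `BucketOwnerPreferred` solely so a canned ACL can be attached, which strips the account-level public-access safety net from a bucket that only ever needs to be `private`; because the helper is `export`ed and `acl` is a free string, a caller passing `public-read` would get a world-readable bucket with no remaining safeguard. For a private bucket the safer shape is `objectOwnership: "BucketOwnerEnforced"` (ACLs disabled, so `BucketAclV2` is unnecessary) with `blockPublicAcls: true, blockPublicPolicy: true, ignorePublicAcls: true, restrictPublicBuckets: true`. Patches 2/3 in this series delete the helper, so this mainly matters if it is restored or copied elsewhere. The `superSecretObject` declaration at the end of the hunk continues past the hunk boundary.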
@@ -99,7 +99,7 @@ You'll notice the secret value is also omitted from the output! A quick way to verify if the encryption is using the Vault key is to remove your `VAULT_SERVER_TOKEN` environment variable setting: ```bash -unset +unset pulumi up --yes error: getting secrets manager: secrets (code=Unknown): Error making API request. @@ -108,8 +108,3 @@ Code: 400. Errors: * missing client token ``` - - - - - diff --git a/secrets-provider/vault/index.ts b/secrets-provider/vault/index.ts index cd5132008..121481353 100644 --- a/secrets-provider/vault/index.ts +++ b/secrets-provider/vault/index.ts @@ -10,12 +10,36 @@ const config = new pulumi.Config(); const bucketName = config.require('bucketName'); const secretValue = config.requireSecret('secretValue'); +function configureACL(bucketName: string, bucket: aws.s3.BucketV2, acl: string): aws.s3.BucketAclV2 { + const ownership = new aws.s3.BucketOwnershipControls(bucketName, { + bucket: bucket.bucket, + rule: { + objectOwnership: "BucketOwnerPreferred", + } + }); + const publicAccessBlock = new aws.s3.BucketPublicAccessBlock(bucketName, { + bucket: bucket.bucket, + blockPublicAcls: false, + blockPublicPolicy: false, + ignorePublicAcls: false, + restrictPublicBuckets: false, + }); + const bucketACL = new aws.s3.BucketAclV2(bucketName, { + bucket: bucket.bucket, + acl: acl, + }, { + dependsOn: [ownership, publicAccessBlock] + }); + return bucketACL; +} + // Create a private bucket -const bucket = new aws.s3.Bucket("bucket", { +const bucket = new aws.s3.BucketV2("bucket", { bucket: bucketName, - acl: "private", }); +configureACL("bucket", bucket, "private"); + // Create an object from the secret value const superSecretObject = new aws.s3.BucketObject("secret", { bucket: bucket.id, From 88c65622a675eb60a925b0b4f6a90257fad09bfc Mon Sep 17 00:00:00 2001 
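Review bot: The `BucketPublicAccessBlock` created inside `configureACL` disables all four public-access guards, so the stack itself removes the safety net from a bucket whose only intended ACL is `private`, and the `BucketOwnerPreferred` rule re-enables ACLs that such a bucket does not need. `objectOwnership: "BucketOwnerEnforced"` plus dropping `BucketAclV2`, with the four block settings left `true`, gives the same private bucket without weakening anything. This copy matches the aws/index.ts helper byte for byte apart from `export`; a shared module would keep the two from drifting. Patches 2/3 remove both copies, so read this as guidance for anyone restoring the helper; the `superSecretObject` statement is cut off by the end of the hunk.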
From: Anton Tayanovskyy Date: Thu, 3 Oct 2024 11:13:48 -0400 Subject: [PATCH 2/3] PR feedback --- secrets-provider/aws/index.ts | 32 ++++++-------------------------- 1 file changed, 6 insertions(+), 26 deletions(-) diff --git a/secrets-provider/aws/index.ts b/secrets-provider/aws/index.ts index abb887ec2..5594d204a 100644 --- a/secrets-provider/aws/index.ts +++ b/secrets-provider/aws/index.ts @@ -10,36 +10,16 @@ const config = new pulumi.Config(); const bucketName = config.require('bucketName'); const secretValue = config.requireSecret('secretValue'); -export function configureACL(bucketName: string, bucket: aws.s3.BucketV2, acl: string): aws.s3.BucketAclV2 { - const ownership = new aws.s3.BucketOwnershipControls(bucketName, { - bucket: bucket.bucket, - rule: { - objectOwnership: "BucketOwnerPreferred", - } - }); - const publicAccessBlock = new aws.s3.BucketPublicAccessBlock(bucketName, { - bucket: bucket.bucket, - blockPublicAcls: false, - blockPublicPolicy: false, - ignorePublicAcls: false, - restrictPublicBuckets: false, - }); - const bucketACL = new aws.s3.BucketAclV2(bucketName, { - bucket: bucket.bucket, - acl: acl, - }, { - dependsOn: [ownership, publicAccessBlock] - }); - return bucketACL; -} - -// Create a private bucket +// Create a private bucket. +// +// The configuration is kept very simple as the goal of this example is to demonstrate KMS encryption, not storing +// secrets in buckets securely. In a real-world scenario if you are certain you need to be storing sensitive data in +// buckets and have eliminated other storage options, consider setting up a custom KMS key, enforcing TLS, and enabling +// versioning for the bucket. const bucket = new aws.s3.BucketV2("bucket", { bucket: bucketName, }); -configureACL("bucket", bucket, "private"); - // Create an object from the secret value const superSecretObject = new aws.s3.BucketObject("secret", { bucket: bucket.id, From 862712b3278a06dddc8d22dd373f12d4dce0daf0 Mon Sep 17 00:00:00 2001 
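Review bot: After this change nothing in the program states the bucket's access posture — no public access block, no ownership rule, no server-side encryption setting — while the object created immediately below it stores a `requireSecret` value, so the example's safety now rests entirely on AWS account and new-bucket defaults (as I understand it those block public access and disable ACLs for buckets created since 2023, but an account that has relaxed them gets no protection from this stack). The added comment honestly scopes the example to KMS encryption, yet the path is `secrets-provider` and readers will copy it, so an explicit `aws.s3.BucketPublicAccessBlock` with all four settings `true` is a few lines that fail closed without distracting from the KMS demo. I would also extend the comment's checklist to read `... consider setting up a custom KMS key, enforcing TLS, enabling versioning, and configuring server-side encryption for the bucket.` The `superSecretObject` declaration continues beyond the hunk.
```typescript
const bucket = new aws.s3.BucketV2("bucket", {
    bucket: bucketName,
});

// Fail closed regardless of account-level defaults: this bucket only ever holds the secret object.
new aws.s3.BucketPublicAccessBlock("bucket", {
    bucket: bucket.id,
    blockPublicAcls: true,
    blockPublicPolicy: true,
    ignorePublicAcls: true,
    restrictPublicBuckets: true,
});

// … unchanged: superSecretObject …
```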
From: Anton Tayanovskyy Date: Thu, 3 Oct 2024 11:15:02 -0400 Subject: [PATCH 3/3] Same for vault --- secrets-provider/vault/index.ts | 32 ++++++-------------------------- 1 file changed, 6 insertions(+), 26 deletions(-) diff --git a/secrets-provider/vault/index.ts b/secrets-provider/vault/index.ts index 121481353..5594d204a 100644 --- a/secrets-provider/vault/index.ts +++ b/secrets-provider/vault/index.ts @@ -10,36 +10,16 @@ const config = new pulumi.Config(); const bucketName = config.require('bucketName'); const secretValue = config.requireSecret('secretValue'); -function configureACL(bucketName: string, bucket: aws.s3.BucketV2, acl: string): aws.s3.BucketAclV2 { - const ownership = new aws.s3.BucketOwnershipControls(bucketName, { - bucket: bucket.bucket, - rule: { - objectOwnership: "BucketOwnerPreferred", - } - }); - const publicAccessBlock = new aws.s3.BucketPublicAccessBlock(bucketName, { - bucket: bucket.bucket, - blockPublicAcls: false, - blockPublicPolicy: false, - ignorePublicAcls: false, - restrictPublicBuckets: false, - }); - const bucketACL = new aws.s3.BucketAclV2(bucketName, { - bucket: bucket.bucket, - acl: acl, - }, { - dependsOn: [ownership, publicAccessBlock] - }); - return bucketACL; -} - -// Create a private bucket +// Create a private bucket. +// +// The configuration is kept very simple as the goal of this example is to demonstrate KMS encryption, not storing +// secrets in buckets securely. In a real-world scenario if you are certain you need to be storing sensitive data in +// buckets and have eliminated other storage options, consider setting up a custom KMS key, enforcing TLS, and enabling +// versioning for the bucket. const bucket = new aws.s3.BucketV2("bucket", { bucket: bucketName, }); -configureACL("bucket", bucket, "private"); - // Create an object from the secret value const superSecretObject = new aws.s3.BucketObject("secret", { bucket: bucket.id,
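Review bot: With `configureACL` gone the vault example's bucket carries no explicit public-access block, ownership rule or encryption configuration, and the `superSecretObject` created right after it (cut off by the hunk) writes a `requireSecret` value into it, so the bucket's posture is whatever the target account's S3 defaults happen to be — I believe new buckets block public access and have ACLs disabled by default, but that is an account property, not something this stack guarantees. Since the README hunks earlier in this series show this path being run by readers verbatim, I would keep the simplification but add an explicit `aws.s3.BucketPublicAccessBlock` with all four flags `true`, and broaden the new comment's list to `... consider setting up a custom KMS key, enforcing TLS, enabling versioning, and configuring server-side encryption for the bucket.`
```typescript
const bucket = new aws.s3.BucketV2("bucket", {
    bucket: bucketName,
});

// Fail closed regardless of account-level defaults: this bucket only ever holds the secret object.
new aws.s3.BucketPublicAccessBlock("bucket", {
    bucket: bucket.id,
    blockPublicAcls: true,
    blockPublicPolicy: true,
    ignorePublicAcls: true,
    restrictPublicBuckets: true,
});

// … unchanged: superSecretObject …
```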