Cloudformation Custom Resource that creates a S3 BucketPolicy. This is intended only for use in ServiceCatalog, as it retrieves an ARN that Service Catalog sets, aws:servicecatalog:provisioningPrincipalArn, to set as a principal on the BucketPolicy.

Inventory of source code and supporting files:

• policy_maker - Code for the application's Lambda function.
• events - Invocation events that you can use to invoke the function.
• tests - Unit tests for the application code.
• template.yaml - A template that defines the application's AWS resources.

Create a custom resource in your cloud formation template. Here's an example:

  S3Bucket:
    Type: AWS::S3::Bucket

  SCS3BucketPolicy:
    Type: Custom::SCS3BucketPolicy
    Properties:
      ServiceToken: !ImportValue
        'Fn::Sub': '${AWS::Region}-cfn-cr-sc-bucket-policy-FunctionArn'
      BucketName: !Ref S3Bucket
      ExtraPrincipalArns: !Ref S3UserARNs

The creation of the custom resource triggers the lambda. It creates an S3 BucketPolicy.

• ServiceToken refers to the ARN of the lambda function. You can follow the pattern given; see "Install Lambda into AWS" below for the stack that exports that value.
• The only required property is BucketName, a String.
• ExtraPrincipalArns is one or more valid IAM policy principals.

Contributions are welcome.

Run pipenv install --dev to install both production and development requirements, and pipenv shell to activate the virtual environment. For more information see the pipenv docs.

After activating the virtual environment, run pre-commit install to install the pre-commit git hook.

$ sam build --use-container

$ sam local invoke Function --event events/create.json

Tests are defined in the tests folder in this project. Use PIP to install the pytest and run unit tests.

$ python -m pytest tests/ -v

sam build

This requires the correct permissions to upload to bucket bootstrap-awss3cloudformationbucket-19qromfd235z9.

sam package --template-file .aws-sam/build/template.yaml \
  --s3-bucket essentials-awss3lambdaartifactsbucket-x29ftznj6pqw \
  --output-template-file .aws-sam/build/cfn-cf-sc-bucket-policy.yaml

aws s3 cp .aws-sam/build/cfn-cf-sc-bucket-policy.yaml s3://bootstrap-awss3cloudformationbucket-19qromfd235z9/cfn-cf-sc-bucket-policy/master

Create the following sceptre file

config/prod/cfn-cf-sc-bucket-policy.yaml

template_path: "remote/cfn-cf-sc-bucket-policy.yaml"
stack_name: "cfn-cf-sc-bucket-policy"
stack_tags:
  Department: "Platform"
  Project: "Infrastructure"
  OwnerEmail: "[email protected]"
hooks:
  before_launch:
    - !cmd "curl https://s3.amazonaws.com/bootstrap-awss3cloudformationbucket-19qromfd235z9/cfn-cf-sc-bucket-policy/master/cfn-cf-sc-bucket-policy.yaml --create-dirs -o templates/remote/cfn-cf-sc-bucket-policy.yaml"

Install the lambda using sceptre:

sceptre --var "profile=my-profile" --var "region=us-east-1" launch prod/cfn-cf-sc-bucket-policy