CloudFormation Custom Resource that creates an S3 BucketPolicy. It is intended only for use in Service Catalog, because it retrieves an ARN that Service Catalog sets, aws:servicecatalog:provisioningPrincipalArn, and sets that ARN as a principal on the BucketPolicy.
Inventory of source code and supporting files:
- policy_maker - Code for the application's Lambda function.
- events - Invocation events that you can use to invoke the function.
- tests - Unit tests for the application code.
- template.yaml - A template that defines the application's AWS resources.
Create a custom resource in your CloudFormation template. Here's an example:
S3Bucket:
  Type: AWS::S3::Bucket
SCS3BucketPolicy:
  Type: Custom::SCS3BucketPolicy
  Properties:
    ServiceToken: !ImportValue
      'Fn::Sub': '${AWS::Region}-cfn-cr-sc-bucket-policy-FunctionArn'
    BucketName: !Ref S3Bucket
    ExtraPrincipalArns: !Ref S3UserARNs
The creation of the custom resource triggers the Lambda, which creates an S3 BucketPolicy on the named bucket. ServiceToken refers to the ARN of the Lambda function; you can follow the pattern given (see "Install Lambda into AWS" below for the stack that exports that value). The only required property is BucketName, a String. ExtraPrincipalArns is optional and takes one or more valid IAM policy principals (in the example it comes from a S3UserARNs parameter of your own template). Every principal passed there ends up in the bucket policy alongside the Service Catalog provisioning principal, so treat that parameter as a trust decision rather than a free-form input.
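As an added example (not the project's policy_maker code), the following shows what a custom resource of this shape has to do: validate the principals, build the bucket policy document with the provisioning principal plus ExtraPrincipalArns, and dispatch the Create/Update/Delete event. The ARN pattern, the action list, the physical ID format and the way the provisioning principal is looked up (a DescribeStacks call on the event's StackId, modelled here as an injected callable) are assumptions; the sample event is constructed with fake identifiers.

```python
import json
import re

# Accept only concrete IAM principals (users, roles, assumed-role sessions).
# A bare "*" or a service principal is rejected, so a bad ExtraPrincipalArns
# value cannot open the bucket to everyone. The pattern is an assumption
# about what the real policy_maker accepts, not copied from it.
_PRINCIPAL_ARN = re.compile(
    r"^arn:aws(?:-[a-z-]+)?:(?:iam|sts)::\d{12}:(?:user|role|assumed-role)/[\w+=,.@/-]+$"
)


def validate_principals(arns):
    """Return the ARNs de-duplicated in order; raise ValueError on anything
    that is not a concrete IAM principal ARN."""
    accepted = []
    for arn in arns:
        arn = arn.strip()
        if not _PRINCIPAL_ARN.match(arn):
            raise ValueError(f"refusing non-IAM principal in bucket policy: {arn!r}")
        if arn not in accepted:
            accepted.append(arn)
    return accepted


def build_bucket_policy(bucket_name, provisioning_principal_arn, extra_principal_arns=()):
    """Bucket policy granting the provisioning principal and any extra
    principals access to the bucket. The action list is illustrative."""
    principals = validate_principals([provisioning_principal_arn, *extra_principal_arns])
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ServiceCatalogProvisionedAccess",
            "Effect": "Allow",
            "Principal": {"AWS": principals},
            "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": [bucket_arn, f"{bucket_arn}/*"],
        }],
    }


def handle_event(event, lookup_provisioning_principal, put_bucket_policy, delete_bucket_policy):
    """Dispatch one CloudFormation custom-resource event and return the body
    that would be posted back to the pre-signed ResponseURL.

    The callables are injected so this runs offline; in a real Lambda they
    would be the lookup of aws:servicecatalog:provisioningPrincipalArn on
    event["StackId"] (assumed mechanism) and boto3's S3 put/delete_bucket_policy.
    """
    props = event["ResourceProperties"]
    bucket = props["BucketName"]
    physical_id = f"{bucket}-sc-bucket-policy"
    if event["RequestType"] == "Delete":
        delete_bucket_policy(Bucket=bucket)
        return {"Status": "SUCCESS", "PhysicalResourceId": physical_id}

    # Create and Update both rewrite the policy from the current properties.
    extra = props.get("ExtraPrincipalArns", [])
    if isinstance(extra, str):  # a String parameter arrives joined; a list arrives as a list
        extra = [a for a in extra.split(",") if a.strip()]
    provisioning_arn = lookup_provisioning_principal(event["StackId"])
    policy = build_bucket_policy(bucket, provisioning_arn, extra)
    put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))
    principals = policy["Statement"][0]["Principal"]["AWS"]
    # Custom-resource Data values must be strings, hence the join.
    return {"Status": "SUCCESS", "PhysicalResourceId": physical_id,
            "Data": {"Principals": ",".join(principals)}}


# Constructed sample event in the shape CloudFormation sends (fake account and ids).
SAMPLE_CREATE_EVENT = {
    "RequestType": "Create",
    "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/SC-demo/0f1e2d3c",
    "RequestId": "example-request",
    "LogicalResourceId": "SCS3BucketPolicy",
    "ResourceType": "Custom::SCS3BucketPolicy",
    "ResourceProperties": {
        "ServiceToken": "arn:aws:lambda:us-east-1:123456789012:function:cfn-cr-sc-bucket-policy",
        "BucketName": "sc-demo-bucket",
        "ExtraPrincipalArns": ["arn:aws:iam::123456789012:role/DataScientists"],
    },
}


def demo():
    """Run the Create event with recording stubs; returns (response, recorded S3 calls)."""
    calls = []
    response = handle_event(
        SAMPLE_CREATE_EVENT,
        lookup_provisioning_principal=lambda stack_id: "arn:aws:iam::123456789012:role/SCLaunchRole",
        put_bucket_policy=lambda **kw: calls.append(("put", kw)),
        delete_bucket_policy=lambda **kw: calls.append(("delete", kw)),
    )
    return response, calls


if __name__ == "__main__":
    resp, recorded = demo()
    print(json.dumps(resp, indent=2))
    print(json.dumps(json.loads(recorded[0][1]["Policy"]), indent=2))
```

The event file passed to sam local invoke (events/create.json in the inventory above) has the same shape as SAMPLE_CREATE_EVENT; the stubs are what let the dispatch logic be unit-tested without AWS credentials.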
Contributions are welcome.
Run pipenv install --dev to install both production and development requirements, and pipenv shell to activate the virtual environment. For more information see the pipenv docs.
After activating the virtual environment, run pre-commit install to install the pre-commit git hook.
$ sam build --use-container
$ sam local invoke Function --event events/create.json
Tests are defined in the tests folder in this project. Use pip to install pytest (pipenv install --dev above already does this) and run the unit tests:
$ python -m pytest tests/ -v
sam build
Packaging and publishing require permission to upload to the artifact bucket used by sam package (essentials-awss3lambdaartifactsbucket-x29ftznj6pqw) and to the template bucket bootstrap-awss3cloudformationbucket-19qromfd235z9.
sam package --template-file .aws-sam/build/template.yaml \
  --s3-bucket essentials-awss3lambdaartifactsbucket-x29ftznj6pqw \
  --output-template-file .aws-sam/build/cfn-cf-sc-bucket-policy.yaml
aws s3 cp .aws-sam/build/cfn-cf-sc-bucket-policy.yaml s3://bootstrap-awss3cloudformationbucket-19qromfd235z9/cfn-cf-sc-bucket-policy/master
Create the following sceptre file, config/prod/cfn-cf-sc-bucket-policy.yaml:
template_path: "remote/cfn-cf-sc-bucket-policy.yaml"
stack_name: "cfn-cf-sc-bucket-policy"
stack_tags:
  Department: "Platform"
  Project: "Infrastructure"
  OwnerEmail: "[email protected]"
hooks:
  before_launch:
    - !cmd "curl https://s3.amazonaws.com/bootstrap-awss3cloudformationbucket-19qromfd235z9/cfn-cf-sc-bucket-policy/master/cfn-cf-sc-bucket-policy.yaml --create-dirs -o templates/remote/cfn-cf-sc-bucket-policy.yaml"
The before_launch hook downloads the template published in the previous step into templates/remote/ before every launch, so whatever is in that bucket path is what gets deployed. Install the Lambda using sceptre:
sceptre --var "profile=my-profile" --var "region=us-east-1" launch prod/cfn-cf-sc-bucket-policy