wip 403 at olap

VerticalRelevance · May 10, 2022 · b049625 · b049625
1 parent afcb645
commit b049625
Showing 1 changed file with 43 additions and 3 deletions.
diff --git a/stacks/handlers_stack.py b/stacks/handlers_stack.py
@@ -19,6 +19,7 @@
     aws_events,
     aws_events_targets,
     aws_apigatewayv2,
+    aws_s3objectlambda,
     # experimental
     aws_apigatewayv2_alpha,
     aws_apigatewayv2_authorizers_alpha,
@@ -135,6 +136,7 @@ def pac_frameworks(self):
             ),
         )
 
+
         aws_s3_deployment.BucketDeployment(
             self,
             "PaCPoliciesDeployment",
@@ -155,15 +157,18 @@ def pac_frameworks(self):
             block_public_access=aws_s3.BlockPublicAccess(
                 block_public_acls=True,
                 ignore_public_acls=True,
-                block_public_policy=True,
-                restrict_public_buckets=True,
+                # block_public_policy=True,
+                # restrict_public_buckets=True,
+                block_public_policy=False,
+                restrict_public_buckets=False,
             ),
             event_bridge_enabled=True
         )
 
         self.bucket_raw_pac_results.add_to_resource_policy(
             aws_iam.PolicyStatement(
                 principals=[
+                    # aws_iam.AnyPrincipal()
                     aws_iam.AnyPrincipal().with_conditions(
                         {
                             "ForAnyValue:StringLike": {
@@ -174,16 +179,19 @@ def pac_frameworks(self):
                 ],
                 actions=[
                     "s3:GetObject",
+                    "s3:Get*",
+                    "s3:List*",
                 ],
                 resources=[
                     self.bucket_raw_pac_results.bucket_arn,
                     self.bucket_raw_pac_results.arn_for_objects("*"),
                 ],
             )
-        )
+        )   
 
     def output_handler(self):
 
+
         self.event_bus_infractions = aws_events.EventBus(
             self,
             "Infractions"
@@ -232,6 +240,7 @@ def output_handler(self):
             },
         )
 
+
         self.lambda_output_handler.role.add_to_policy(
             aws_iam.PolicyStatement(
                 actions=[
@@ -272,6 +281,7 @@ def output_handler(self):
         #     # prefix="home/myusername/*"
         # )
 
+
         self.access_point = aws_s3objectlambda_alpha.AccessPoint(
             self,
             "OuputHandlerCloudFormationOPA",
@@ -283,6 +293,36 @@ def output_handler(self):
             # }
         )
 
+        # policy_document_access_point = aws_iam.PolicyStatement(
+        #     principals=[
+        #         aws_iam.AnyPrincipal().with_conditions(
+        #             {
+        #                 "ForAnyValue:StringLike": {
+        #                     "aws:PrincipalOrgPaths": [
+        #                         # self.secrets.allowed_org_path,
+        #                         "o-9txpghbplo/*"
+        #                         ]
+        #                 }
+        #             }
+        #         )
+        #     ],
+        #     actions=[
+        #         "s3:GetObject",
+        #     ],
+        #     resources=["*"
+        #         # self.bucket_raw_pac_results.bucket_arn,
+        #         # self.bucket_raw_pac_results.arn_for_objects("*"),
+        #     ],
+        # )
+
+        # cfn_access_point_policy = aws_s3objectlambda.CfnAccessPointPolicy(
+        #     self,
+        #     "OuputHandlerSameOrgPolicy",
+        #     object_lambda_access_point=self.access_point.access_point_name,
+        #     policy_document=policy_document_access_point.to_json()
+        #     # policy_document={}
+        # )
+
         CfnOutput(self, "OuputHandlerCloudFormationOPAAccessPointArn", value=self.access_point.access_point_arn)
 
     def authorizer_lambda(self):