fix: asset permissions (#1110)

* chore: document how to disable iam generation * chore: typo * chore: self mutation Signed-off-by: github-actions <[email protected]> * fix: asset permissions * fix: kms key asset permissions (#1101) * fix: kms key asset permissions Signed-off-by: lennartrommeiss <[email protected]> * fix: update tests Signed-off-by: lennartrommeiss <[email protected]> * fix: update some tests Signed-off-by: lennartrommeiss <[email protected]> --------- Signed-off-by: lennartrommeiss <[email protected]> * chore: self mutation Signed-off-by: github-actions <[email protected]> --------- Signed-off-by: github-actions <[email protected]> Signed-off-by: lennartrommeiss <[email protected]> Co-authored-by: github-actions <[email protected]> Co-authored-by: Lennart Rommeiss <[email protected]> Co-authored-by: lennartrommeiss <[email protected]>
dbsystel · Feb 6, 2025 · 2755dea · 2755dea
1 parent 8e85334
commit 2755dea
Show file tree

Hide file tree

Showing 11 changed files with 208 additions and 97 deletions.
diff --git a/API.md b/API.md
diff --git a/src/SopsSync.ts b/src/SopsSync.ts
@@ -1,13 +1,13 @@
 import * as fs from 'fs';
 import * as path from 'path';
 import {
-  SecretValue,
-  Duration,
-  Lazy,
-  Stack,
   Annotations,
   CustomResource,
+  Duration,
   FileSystem,
+  Lazy,
+  SecretValue,
+  Stack,
 } from 'aws-cdk-lib';
 import { ISecurityGroup, IVpc, SubnetSelection } from 'aws-cdk-lib/aws-ec2';
 import {
@@ -17,7 +17,7 @@ import {
   PolicyStatement,
 } from 'aws-cdk-lib/aws-iam';
 import { IKey, Key } from 'aws-cdk-lib/aws-kms';
-import { SingletonFunction, Code, Runtime } from 'aws-cdk-lib/aws-lambda';
+import { Code, Runtime, SingletonFunction } from 'aws-cdk-lib/aws-lambda';
 import { Asset } from 'aws-cdk-lib/aws-s3-assets';
 import { ISecret } from 'aws-cdk-lib/aws-secretsmanager';
 import { Construct } from 'constructs';
@@ -137,6 +137,12 @@ export interface SopsSyncOptions {
    * @default true
    */
   readonly autoGenerateIamPermissions?: boolean;
+
+  /**
+   * The encryption key used by the CDK default Asset S3 Bucket.
+   * @default - Trying to get the key using the CDK Bootstrap context.
+   */
+  readonly assetEncryptionKey?: IKey;
 }
 
 /**
@@ -352,7 +358,12 @@ export class SopsSync extends Construct {
           role: provider.role,
           sopsFileContent: sopsFileContent.toString(),
         });
-        Permissions.assetBucket(sopsAsset, provider.role);
+        Permissions.assetBucket(
+          this,
+          sopsAsset,
+          provider.role,
+          props.assetEncryptionKey,
+        );
         Permissions.encryptionKey(props.encryptionKey, provider.role);
         Permissions.secret(props.secret, provider.role);
         Permissions.parameters(this, props.parameterNames, provider.role);
@@ -559,10 +570,32 @@ export namespace Permissions {
   /**
    * Grants the necessary permissions to read the given asset from S3.
    */
-  export function assetBucket(asset: Asset | undefined, target: IGrantable) {
+  export function assetBucket(
+    context: Construct,
+    asset: Asset | undefined,
+    target: IGrantable,
+    assetKey: IKey | undefined,
+  ) {
     if (asset === undefined) {
       return;
     }
     asset.bucket.grantRead(target);
+
+    if (assetKey) {
+      assetKey.grantDecrypt(target);
+    } else {
+      try {
+        const qualifier =
+          Stack.of(context).synthesizer.bootstrapQualifier ?? 'hnb659fds'; // hnb659fds is the AWS global default qualifier
+        Key.fromLookup(context, 'AssetBucketKey', {
+          aliasName: `alias/cdk-bootstrap/${qualifier}`,
+        }).grantEncrypt(target);
+      } catch (error) {
+        Annotations.of(context).addWarningV2(
+          'no-asset-kms-key',
+          `An error occured while retreving the KMS-Key for the Asset S3-Bucket from CDK Bootstrap. Set encryption key manually by using props.assetEncryptionKey. ${error}`,
+        );
+      }
+    }
   }
 }
diff --git a/test/secret-asset.integ.snapshot/SecretIntegrationAsset.assets.json b/test/secret-asset.integ.snapshot/SecretIntegrationAsset.assets.json
@@ -1,16 +1,17 @@
 {
   "version": "36.0.0",
   "files": {
-    "71584c9f9a2d019cb5df6044c81ca32662370c709381898a7d72f8c7d40a21a4": {
+    "6b7324d3cfcf3382ce5efed880245dc232ee5e4ccc0affec91bfce961fb36b9e": {
       "source": {
-        "path": "asset.71584c9f9a2d019cb5df6044c81ca32662370c709381898a7d72f8c7d40a21a4.zip",
+        "path": "asset.6b7324d3cfcf3382ce5efed880245dc232ee5e4ccc0affec91bfce961fb36b9e.zip",
         "packaging": "file"
       },
       "destinations": {
-        "current_account-current_region": {
-          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "71584c9f9a2d019cb5df6044c81ca32662370c709381898a7d72f8c7d40a21a4.zip",
-          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        "123456789-us-east-1": {
+          "bucketName": "cdk-integ-assets-123456789-us-east-1",
+          "objectKey": "6b7324d3cfcf3382ce5efed880245dc232ee5e4ccc0affec91bfce961fb36b9e.zip",
+          "region": "us-east-1",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::123456789:role/cdk-integ-file-publishing-role-123456789-us-east-1"
         }
       }
     },
@@ -20,10 +21,11 @@
         "packaging": "file"
       },
       "destinations": {
-        "current_account-current_region": {
-          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+        "123456789-us-east-1": {
+          "bucketName": "cdk-integ-assets-123456789-us-east-1",
           "objectKey": "2e0bdd84bc2fecdd9795887da1814888ec0b5d184a7324c5fda69c4bd54fa649.json",
-          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+          "region": "us-east-1",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::123456789:role/cdk-integ-file-publishing-role-123456789-us-east-1"
         }
       }
     },
@@ -33,10 +35,11 @@
         "packaging": "file"
       },
       "destinations": {
-        "current_account-current_region": {
-          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+        "123456789-us-east-1": {
+          "bucketName": "cdk-integ-assets-123456789-us-east-1",
           "objectKey": "c0d63dcd2d506c5d270284d70d1805688ff5d3a2e0d7515bfa56b1b3ed416c4f.yaml",
-          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+          "region": "us-east-1",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::123456789:role/cdk-integ-file-publishing-role-123456789-us-east-1"
         }
       }
     },
@@ -46,10 +49,11 @@
         "packaging": "file"
       },
       "destinations": {
-        "current_account-current_region": {
-          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+        "123456789-us-east-1": {
+          "bucketName": "cdk-integ-assets-123456789-us-east-1",
           "objectKey": "313aad921c737076a990ead756b250f1677aecc927177440df0c809cd56bf282.json",
-          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+          "region": "us-east-1",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::123456789:role/cdk-integ-file-publishing-role-123456789-us-east-1"
         }
       }
     },
@@ -59,10 +63,11 @@
         "packaging": "file"
       },
       "destinations": {
-        "current_account-current_region": {
-          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+        "123456789-us-east-1": {
+          "bucketName": "cdk-integ-assets-123456789-us-east-1",
           "objectKey": "4547532a137611d83958d17095c6c2d38ae0036a760c3b79c9dd5957d1c20cf2.yaml",
-          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+          "region": "us-east-1",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::123456789:role/cdk-integ-file-publishing-role-123456789-us-east-1"
         }
       }
     },
@@ -72,23 +77,25 @@
         "packaging": "file"
       },
       "destinations": {
-        "current_account-current_region": {
-          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+        "123456789-us-east-1": {
+          "bucketName": "cdk-integ-assets-123456789-us-east-1",
           "objectKey": "a8aece61894327fcfc2c7fab967a72583c0f795025e4d5f2e87c248b6e916d4b.binary",
-          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+          "region": "us-east-1",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::123456789:role/cdk-integ-file-publishing-role-123456789-us-east-1"
         }
       }
     },
-    "be9b36c08762ff449b54230ebeb5b0d09e6a0e7737d3eda30a64be5f835d49ad": {
+    "f38430ae989f7328d34b16732c6932c35e9314625fe461dfa174222af079cae3": {
       "source": {
         "path": "SecretIntegrationAsset.template.json",
         "packaging": "file"
       },
       "destinations": {
-        "current_account-current_region": {
-          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "be9b36c08762ff449b54230ebeb5b0d09e6a0e7737d3eda30a64be5f835d49ad.json",
-          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        "123456789-us-east-1": {
+          "bucketName": "cdk-integ-assets-123456789-us-east-1",
+          "objectKey": "f38430ae989f7328d34b16732c6932c35e9314625fe461dfa174222af079cae3.json",
+          "region": "us-east-1",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::123456789:role/cdk-integ-file-publishing-role-123456789-us-east-1"
         }
       }
     }