From 2cdc0511916e2010fa1590706a12e36c6c008b23 Mon Sep 17 00:00:00 2001
From: Emanuele
Date: Tue, 23 Apr 2024 20:17:51 +0200
Subject: [PATCH] Fixed first version of redirect and S3 policies

---
 lambda_redirect/lambda_redirect.py | 34 +++++++++------
 master.tf | 67 ++++++++++++++++++++++++++----
 2 files changed, 80 insertions(+), 21 deletions(-)

diff --git a/lambda_redirect/lambda_redirect.py b/lambda_redirect/lambda_redirect.py
index 5a5225c..ab7ea19 100644
--- a/lambda_redirect/lambda_redirect.py
+++ b/lambda_redirect/lambda_redirect.py
@@ -1,21 +1,30 @@
+import os
 import boto3
 import json
 import boto3.exceptions
 from botocore.exceptions import ClientError
 
 s3_client = None
+bucket_config = ''
+bucket_data = ''
 
 def lambda_handler(event: dict, context):
-    global s3_client
-
+    global s3_client, bucket_config, bucket_data
+
     if s3_client is None:
+        print("Init Function")
+        bucket_config = os.environ.get('BUCKET_CONFIG', 'standout-config')
+        bucket_data = os.environ.get('BUCKET_DATA', 'standout-data')
+        print(f'Bucket Config: {bucket_config}')
+        print(f' Bucket Data: {bucket_data}')
+
         s3_client = boto3.client('s3')
         for x in s3_client.list_buckets()['Buckets']:
             print(f"{x['Name']}: {x['CreationDate'].isoformat()}")
 
     try:
         resp = s3_client.get_object(
-            Bucket='standout-data',
+            Bucket=bucket_config,
             Key='redirects.json'
         )
     except s3_client.exceptions.NoSuchKey as e:
@@ -27,12 +36,12 @@ def lambda_handler(event: dict, context):
     try:
         redirects = json.load(resp["Body"])
         params = event.get('queryStringParameters', {})
-        customer = redirects.get(params['cust_id'], {})
-        gadget = customer.get(params['gadget_id'], {})
+        customer = redirects.get(params['id'], {})
+        tag = customer.get(params['tag_id'], {})
 
-        content = gadget.get('content', None)
+        content = tag.get('content', None)
         dest = None
-        if content and isinstance(content, dict):
+        if content and isinstance(content, dict) and not "type" in content.keys():
             dest = content[params['face_id']]
         else:
             dest = content
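Review bot: The `os.environ.get('BUCKET_CONFIG', 'standout-config')` and `os.environ.get('BUCKET_DATA', 'standout-data')` fallbacks in the cold-start branch quietly re-introduce the hard-coded bucket names this patch is otherwise removing, so a deployment with a missing or misspelled variable reads its redirect map from, and signs URLs for, a bucket the Terraform never wired up. Since master.tf now always sets both variables, fail fast instead: `bucket_config = os.environ['BUCKET_CONFIG']` and `bucket_data = os.environ['BUCKET_DATA']`. The two new `print` calls are harmless for bucket names but they run on every cold start, so keep secrets out of this block as it grows. lambda_handler continues past the end of the hunk, so the NoSuchKey handler body is not visible here.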
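Review bot: `event.get('queryStringParameters', {})` only substitutes the default when the key is absent; an API Gateway proxy event with no query string carries the key with a `null` value, so the new `params['id']` lookup on the next line raises TypeError rather than KeyError — `params = event.get('queryStringParameters') or {}` covers both cases. Whether either exception is handled depends on the except clauses of this `try`, which end outside the hunk. The added guard `not "type" in content.keys()` reads more naturally as `"type" not in content`; `content` is already known to be a dict, so `.keys()` adds nothing. All three of `params['id']`, `params['tag_id']` and `params['face_id']` are caller-supplied, and a missing one deserves an explicit 400 rather than whatever the outer handler does with a KeyError.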
@@ -41,9 +50,10 @@ def lambda_handler(event: dict, context):
         match dest.get('type', 's3'):
             case "s3":
                 try:
+                    key = f'{params['id']}/{params['tag_id']}/{dest['key']}'
                     response = s3_client.generate_presigned_url('get_object',
-                        Params={'Bucket': 'standout-data',
-                        'Key': dest['key']},
+                        Params={'Bucket': bucket_data,
+                        'Key': key},
                         ExpiresIn=120)
                 except ClientError as e:
                     print(e)
@@ -77,9 +87,9 @@ if __name__ == "__main__":
         "path": "/",
         "httpMethod": "GET",
         "queryStringParameters": {
-            "cust_id": "cust_id1",
-            "gadget_id": "gadget_id1",
-            "face_id": "face_id3"
+            "id": "customer1",
+            "tag_id": "tag3",
+            "face_id": "face1"
         },
     }
 
diff --git a/master.tf b/master.tf
index b2bdfd3..0120a05 100644
--- a/master.tf
+++ b/master.tf
@@ -17,6 +17,12 @@ resource "aws_vpc" "vpc_standout" {
   cidr_block = "10.0.0.0/16"
 }
 
+# create an s3 bucket for config
+resource "aws_s3_bucket" "s3_standout_config" {
+  bucket = "standout-config"
+  force_destroy = false
+}
+
 # create an s3 bucket for data
 resource "aws_s3_bucket" "s3_standout" {
   bucket = "standout-data"
@@ -30,11 +36,27 @@ resource "aws_s3_bucket_ownership_controls" "s3_standout_ownership" {
   }
 }
 
+resource "aws_s3_bucket_ownership_controls" "s3_standout_config_ownership" {
+  bucket = aws_s3_bucket.s3_standout_config.id
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
 resource "aws_s3_bucket_public_access_block" "s3_standout_public_access" {
   bucket = aws_s3_bucket.s3_standout.id
 
-  block_public_acls = true
-  block_public_policy = true
+  block_public_acls = false
+  block_public_policy = false
+  ignore_public_acls = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_public_access_block" "s3_standout_config_public_access" {
+  bucket = aws_s3_bucket.s3_standout_config.id
+
+  block_public_acls = false
+  block_public_policy = false
   ignore_public_acls = true
   restrict_public_buckets = true
 }
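Review bot: `key = f'{params['id']}/{params['tag_id']}/{dest['key']}'` reuses the single quote inside the replacement fields, which only parses from Python 3.12 (PEP 701); the runtime bump to python3.12 in master.tf makes it deploy, but the `__main__` block in this file will fail with SyntaxError on an older local interpreter, so either note the 3.12 requirement or write `f"{params['id']}/{params['tag_id']}/{dest['key']}"`. Prefixing the presigned key with `id/tag_id` is a real improvement: both values have already had to match keys in redirects.json, so a caller cannot get a URL for an object outside its own prefix unless redirects.json itself is tampered with — assuming the lines between this hunk and the previous one return early when `dest` is None, which I cannot see. `dest['key']` is not covered by `except ClientError`, so a config entry without `key` escapes this block as KeyError; the enclosing try/except ends outside the hunk.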
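Review bot: The new `standout-config` bucket holds redirects.json, the file that decides where every redirect and presigned URL points, yet nothing in this resource or its companions enables versioning, so an accidental or malicious overwrite of that file cannot be rolled back. Add `resource "aws_s3_bucket_versioning" "s3_standout_config_versioning" {` / `bucket = aws_s3_bucket.s3_standout_config.id` / `versioning_configuration { status = "Enabled" } }` alongside the bucket. Server-side encryption is applied by default on new buckets, so a KMS configuration is optional unless the project already has a key. `force_destroy = false` is the right setting for hand-authored config.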
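Review bot: `block_public_acls = false` and `block_public_policy = false` weaken the data bucket's public access block (both were `true` before this patch), and the new config bucket copies the same settings; the only reason to turn `block_public_policy` off is to let a bucket policy with a public principal be attached, and this patch does attach one (`identifiers = ["*"]` on the config bucket policy further down). `restrict_public_buckets = true` should limit what such a policy grants to principals in the bucket owner's account and AWS services, so anonymous access is probably still refused, but that leans on the last of the four guards instead of not granting public access at all. Keep all four flags `true` on both buckets — `block_public_acls = true` and `block_public_policy = true` here and in the config block — and name the Lambda execution role in the bucket policy instead of `*`. The data bucket's own policy document is only partly visible in this diff, so I cannot confirm what it grants.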
@@ -54,6 +76,30 @@ resource "aws_s3_bucket_policy" "s3_standout_policy" {
   policy = data.aws_iam_policy_document.s3_standout_allow_lambda.json
 }
 
+resource "aws_s3_bucket_policy" "s3_standout_config_policy" {
+  bucket = aws_s3_bucket.s3_standout_config.id
+  policy = data.aws_iam_policy_document.s3_standout_config_allow_lambda.json
+}
+
+data "aws_iam_policy_document" "s3_standout_config_allow_lambda" {
+  statement {
+    principals {
+      type = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions = [
+      "s3:Get*",
+      "s3:List*",
+      "s3:Put*",
+    ]
+
+    resources = [
+      "${aws_s3_bucket.s3_standout_config.arn}/*",
+    ]
+  }
+}
+
 data "aws_iam_policy_document" "s3_standout_allow_lambda" {
   statement {
     principals {
@@ -64,7 +110,7 @@ data "aws_iam_policy_document" "s3_standout_allow_lambda" {
     actions = [
       "s3:Get*",
       "s3:List*",
-      "s3:Put*"
+      "s3:Put*",
     ]
 
     resources = [
@@ -108,13 +154,16 @@ resource "aws_lambda_function" "lambda_standout_redirect" {
 
   source_code_hash = data.archive_file.lambda_standout_code.output_base64sha256
 
-  runtime = "python3.10"
+  runtime = "python3.12"
 
-  #environment {
-  # variables = {
-  # foo = "bar"
-  # }
-  #}
+  timeout = 10
+
+  environment {
+    variables = {
+      BUCKET_CONFIG = aws_s3_bucket.s3_standout_config.bucket,
+      BUCKET_DATA = aws_s3_bucket.s3_standout.bucket
+    }
+  }
 }
 
 # create API gateway for lambda triger and connect
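Review bot: `identifiers = ["*"]` combined with `s3:Get*`, `s3:List*` and `s3:Put*` grants every AWS principal read and write on the objects of the bucket that holds redirects.json; the public access block's `restrict_public_buckets = true` is then the only thing standing between this policy and anyone on the internet rewriting the redirect map, and within the account the grant is still far wider than the one Lambda that needs it. Replace the wildcard with the execution role's ARN (the role passed to aws_lambda_function's `role`; its name is not in this diff) and drop `s3:Put*`, since the handler only calls get_object on this bucket. `s3:List*` on `${aws_s3_bucket.s3_standout_config.arn}/*` is also a no-op — ListBucket is authorised against the bucket ARN itself — so add the bare bucket ARN to `resources` if listing is really needed, otherwise remove the action. The existing `s3_standout_allow_lambda` document is cut off at its `principals {` line, so I cannot tell whether the data bucket has the same problem.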
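Review bot: The `variables` map puts a trailing comma after `BUCKET_CONFIG` and none after `BUCKET_DATA`; HCL accepts either separator, but this same patch just normalised the neighbouring `actions` list to a trailing-comma style, so be consistent — either `BUCKET_DATA = aws_s3_bucket.s3_standout.bucket,` or no comma on both lines. The bump to `python3.12` is load-bearing rather than cosmetic, because the handler's new f-string with nested single quotes does not parse on 3.10 or 3.11; a comment such as `# 3.12 required: lambda_redirect.py uses PEP 701 nested quotes in f-strings` next to `runtime` would stop the next person from rolling it back. `timeout = 10` is reasonable for two S3 calls and a presign, though the cold-start `list_buckets()` in the handler spends part of that budget on a call the function does not need.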