Initial implementation of new pull_push buckets
jhpyke committed Nov 15, 2023
1 parent 8390598 commit 652b001
Showing 3 changed files with 71 additions and 29 deletions.
6 changes: 5 additions & 1 deletion __main__.py
Expand Up @@ -40,14 +40,18 @@
name = dataset["name"]
pull_arns = dataset["pull_arns"]
users = dataset["users"]
if "is_writable" in dataset.keys():
writable = dataset["allow_push"]
else:
writable = False

pull_bucket = Bucket(
name=f"mojap-{name}",
tagger=tagger,
)

# Add bucket policy allowing the specified arn to read
bucket_policy = Output.all(bucket_arn=pull_bucket.arn, pull_arns=pull_arns).apply(
bucket_policy = Output.all(bucket_arn=pull_bucket.arn, pull_arns=pull_arns, allow_push=writable).apply(
pull.create_pull_bucket_policy
)
BucketPolicy(
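Review bot: The added `if` line tests for the key `"is_writable"` but the next line reads `dataset["allow_push"]`, so a dataset that sets `allow_push` (as pull_permission_test.yaml in this same commit does) never becomes writable, while one that sets only `is_writable` raises KeyError. Read and test the same key and fail closed on anything that is not a real boolean: `writable = dataset.get("allow_push", False)` followed by `if not isinstance(writable, bool): raise TypeError(f"allow_push must be true/false, got {writable!r}")`, since a list or string value would otherwise pass straight into the policy as truthy. `dataset.keys()` is also redundant here; `"allow_push" in dataset` tests membership directly. The enclosing block starts above and continues below this hunk.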
90 changes: 63 additions & 27 deletions data_engineering_exports/pull.py
Expand Up @@ -28,33 +28,69 @@ def create_pull_bucket_policy(args: Dict[str, str]) -> AwaitableGetPolicyDocumen
"""
bucket_arn = args.pop("bucket_arn")
pull_arns = args.pop("pull_arns")

bucket_policy = get_policy_document(
statements=[
GetPolicyDocumentStatementArgs(
actions=[
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
],
principals=[
GetPolicyDocumentStatementPrincipalArgs(
identifiers=pull_arns, type="AWS"
)
],
resources=[bucket_arn + "/*"],
),
GetPolicyDocumentStatementArgs(
actions=["s3:ListBucket"],
principals=[
GetPolicyDocumentStatementPrincipalArgs(
identifiers=pull_arns, type="AWS"
)
],
resources=[bucket_arn],
),
]
)
allow_push = args.pop("allow_push", False)
writable_actions = [
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectTagging",
"s3:RestoreObject",
]
standard_actions = [
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
]
if allow_push:
bucket_policy = get_policy_document(
statements=[
GetPolicyDocumentStatementArgs(
actions=writable_actions,
principals=[
GetPolicyDocumentStatementPrincipalArgs(
identifiers=pull_arns, type="AWS"
)
],
resources=[bucket_arn + "/*"],
),
GetPolicyDocumentStatementArgs(
actions=["s3:ListBucket"],
principals=[
GetPolicyDocumentStatementPrincipalArgs(
identifiers=pull_arns, type="AWS"
)
],
resources=[bucket_arn],
),
]
)
else:
bucket_policy = get_policy_document(
statements=[
GetPolicyDocumentStatementArgs(
actions=standard_actions,
principals=[
GetPolicyDocumentStatementPrincipalArgs(
identifiers=pull_arns, type="AWS"
)
],
resources=[bucket_arn + "/*"],
),
GetPolicyDocumentStatementArgs(
actions=["s3:ListBucket"],
principals=[
GetPolicyDocumentStatementPrincipalArgs(
identifiers=pull_arns, type="AWS"
)
],
resources=[bucket_arn],
),
]
)
return bucket_policy


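Review bot: `if allow_push:` at the head of the new branch grants the write actions on plain truthiness, so any non-empty value that reaches it — the one-element list `[True]` that the YAML in this commit produces, or a string such as `"false"` — unlocks PutObject and DeleteObjectVersion for every principal in `pull_arns`; a policy switch should reject anything that is not a bool and compare against `True` exactly. The two `get_policy_document` calls differ only in `actions`, so the `if`/`else` can collapse to a single call with `actions = writable_actions if allow_push else standard_actions`, which also stops the ListBucket statement being maintained twice. A short comment on `writable_actions` should record that `s3:PutObjectAcl` lets the pulling principal rewrite object ACLs and `s3:DeleteObjectVersion` permanently removes versions, so bucket versioning no longer recovers from a misbehaving or compromised puller — confirm that is intended for a pull bucket. The `Dict[str, str]` annotation in the signature no longer matches the boolean now popped from `args`. The function's signature and docstring start above this hunk.
```python
    allow_push = args.pop("allow_push", False)
    # Fail closed: only a genuine boolean may switch on the write actions.
    # A YAML list like [True] or a string "false" is truthy and must not.
    if not isinstance(allow_push, bool):
        raise TypeError(f"allow_push must be true/false, got {allow_push!r}")
    # … unchanged: writable_actions / standard_actions definitions …
    actions = writable_actions if allow_push else standard_actions
    bucket_policy = get_policy_document(
        statements=[
            GetPolicyDocumentStatementArgs(
                actions=actions,
                # … unchanged: principals and resources=[bucket_arn + "/*"] …
            ),
            # … unchanged: s3:ListBucket statement on bucket_arn …
        ]
    )
    return bucket_policy
```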
4 changes: 3 additions & 1 deletion pull_datasets/pull_permission_test.yaml
Expand Up @@ -2,4 +2,6 @@ name: pull-permission-test
pull_arns:
- arn:aws:iam::684969100054:role/restricted-admin
users:
- alpha_user_jhpyke
- alpha_user_jhpyke
allow_push:
- True
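Review bot: `allow_push:` followed by the item `- True` parses as a one-element list, not a boolean, so whatever reads this dataset receives `[True]` rather than `True`; the scalar form `allow_push: true` is what the flag name promises. Note also that `__main__.py` in this commit checks for a key named `is_writable` before reading `allow_push`, so as written this file would not enable push regardless of the value.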
