Merge pull request #60 from lalalilo/fix-aws-spa-list-cloudfront-perm…

…ission Do not list OAC when unnecessary
lalalilo · Jun 4, 2024 · f378c76 · f378c76
2 parents cbf7838 + 5c3f433
commit f378c76
Show file tree

Hide file tree

Showing 6 changed files with 70 additions and 51 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -2,44 +2,49 @@ version: 2
 jobs:
  build:
  docker:
-  - image: cimg/node:16.17
+ - image: cimg/node:16.17
 
  working_directory: ~/aws-spa
 
  steps:
- - checkout
-
- - restore_cache:
- name: Restore Yarn Package Cache
- keys:
- - yarn-packages-{{ checksum "yarn.lock" }}
-
- - run:
- name: Install Dependencies
- command: yarn install --frozen-lockfile
-
- - save_cache:
- name: Save Yarn Package Cache
- key: yarn-packages-{{ checksum "yarn.lock" }}
- paths:
- - ~/.cache/yarn
-
- - run:
- name: Check types
- command: yarn check-types
-
- - run:
- name: Run tests
- command: yarn test --coverage
-
- - run:
- name: Code coverage
- command: npx codecov
-
- - run:
- name: Build
- command: yarn build
-
- - run:
- name: Release
- command: npx semantic-release
+ - checkout
+
+ - restore_cache:
+ name: Restore Yarn Package Cache
+ keys:
+ - yarn-packages-{{ checksum "yarn.lock" }}
+
+ - run:
+ name: Install Dependencies
+ command: yarn install --frozen-lockfile
+
+ - save_cache:
+ name: Save Yarn Package Cache
+ key: yarn-packages-{{ checksum "yarn.lock" }}
+ paths:
+ - ~/.cache/yarn
+
+ - run:
+ name: Check types
+ command: yarn check-types
+
+ - run:
+ name: Run tests
+ command: yarn test --coverage
+
+ - run:
+ name: Code coverage
+ command: npx codecov
+
+ - run:
+ name: Build
+ command: yarn build
+
+ - run:
+ name: Release
+ command: |
+ if [ "${CIRCLE_BRANCH}" == "main" ]; then
+ npx semantic-release
+ else
+ npx semantic-release --dry-run --no-ci --branches ${CIRCLE_BRANCH}
+ fi
diff --git a/README.md b/README.md
@@ -86,8 +86,26 @@ If a CloudFront distribution with this S3 bucket already exists, the script will
 - cloudfront:TagResource
 - cloudfront:GetDistributionConfig
 - cloudfront:CreateInvalidation
-
-**TODO**: complete missing policies
+- cloudfront:UpdateDistribution
+- cloudfront:ListOriginAccessControls
+- cloudfront:GetOriginAccessControl
+- cloudfront:CreateOriginAccessControl
+- cloudfront:DeleteOriginAccessControl
+
+- s3:PutBucketPolicy
+- s3:GetBucketPolicy
+- s3:PutBucketWebsite
+- s3:GetBucketWebsite
+- s3:DeleteBucketWebsite
+- s3:PutBucketTagging
+- s3:GetBucketTagging
+- s3:DeleteBucketTagging
+- s3:ListBucket
+- s3:PutBucketPublicAccessBlock
+- s3:CreateBucket
+- s3:PutObject
+
+-**TODO**: complete missing policies
 
 ### If using simple auth
 

diff --git a/src/cloudfront/index.spec.ts b/src/cloudfront/index.spec.ts
@@ -410,7 +410,7 @@ describe("cloudfront", () => {
  distribution.Id,
  domainName,
  shouldBlockBucketPublicAccess,
- undefined
+ null
  );
 
  expect(updateDistribution).not.toHaveBeenCalled();

diff --git a/src/cloudfront/index.ts b/src/cloudfront/index.ts
@@ -417,7 +417,7 @@ export const updateCloudFrontDistribution = async (
  distributionId: string,
  domainName: string,
  shouldBlockBucketPublicAccess: boolean,
- oac: OAC | undefined,
+ oac: OAC | null,
 ) => {
  try {
  const { DistributionConfig, ETag } = await cloudfront

diff --git a/src/cloudfront/origin-access.spec.ts b/src/cloudfront/origin-access.spec.ts
@@ -62,18 +62,12 @@ describe("upsertOriginAccessControl", () => {
  const domainName = "my-domain";
  const shouldBlockBucketPublicAccess = false;
 
- listOriginAccessControlsMock.mockReturnValue(
- awsResolve({
- OriginAccessControlList: {},
- })
- );
-
  await upsertOriginAccessControl(
  domainName,
  "my-distribution-id",
  shouldBlockBucketPublicAccess
  );
-
+ expect(listOriginAccessControlsMock).not.toHaveBeenCalled();
  expect(createOriginAccessControlMock).not.toHaveBeenCalled();
  });
 
@@ -95,6 +89,7 @@ describe("upsertOriginAccessControl", () => {
  shouldBlockBucketPublicAccess
  );
 
+ expect(listOriginAccessControlsMock).toHaveBeenCalled();
  expect(createOriginAccessControlMock).toHaveBeenCalledTimes(1);
  expect(createOriginAccessControlMock).toHaveBeenCalledWith(
  expect.objectContaining({

diff --git a/src/cloudfront/origin-access.ts b/src/cloudfront/origin-access.ts
@@ -65,6 +65,9 @@ export const upsertOriginAccessControl = async (
  distributionId: string,
  shouldBlockBucketPublicAccess: boolean,
 ) => {
+ if (!shouldBlockBucketPublicAccess) {
+ return null;
+ }
  const originAccessControlName = getOriginAccessControlName(
  domainName,
  distributionId,
@@ -74,9 +77,7 @@ export const upsertOriginAccessControl = async (
  return existingOAC;
  }
 
- if (shouldBlockBucketPublicAccess) {
- return await createOAC(originAccessControlName, domainName, distributionId);
- }
+ return await createOAC(originAccessControlName, domainName, distributionId);
 };
 
 export const deleteOriginAccessControl = async (oac: OAC) => {