aws-solutions-constructs icon indicating copy to clipboard operation
aws-solutions-constructs copied to clipboard

Published 20 hours ago verified publisher icon awslabs

Missing S3 secureTransport helper function

Open xeroxnir opened this issue 3 years ago • 7 comments

The helper function applySecureBucketPolicy to implement enforce secureTransport was removed from the repository since this.

Any reason why this was removed?

xeroxnir avatar Feb 22 '22 06:02 xeroxnir

Thanks for the feedback - unfortunately the link you provided is link results in a GitHub 404 page. Can you fix the link or better guide us to the area of concern? Thanks.

biffgaut avatar Feb 22 '22 14:02 biffgaut

Updated, extra dot at the end.

xeroxnir avatar Feb 22 '22 15:02 xeroxnir

That change was in response to Issue 518. We originally implemented the handling of the enforceSSL in our code and in so doing had introduced incorrect behavior. We relegated handling of this prop to the original the CDK code, making our applySecureBucketPolicy() obsolete as CDK has its own implementation here. The CDK implementation also creates a less granular policy, which is nearly always better.

Unfortunately, we can only support the documented interfaces for the constructs themselves. While the nature of Typescript doesn't allow us to hide our internal support routines, they are not supported for client use and can change at any time. If you were dependent upon this function I would suggest lifting the code from an old version to incorporate in your app (or copy the CDK implementation).

biffgaut avatar Feb 22 '22 18:02 biffgaut

So you would not recommend reusing AWS Solutions Constructs helper functions in other CDK projects?

I see a lot of value for customers in reusing these functions to implement AWS Well Architected or security best practices such as in (applySecureTopicPolicy, applySecureQueuePolicy, buildWebacl

xeroxnir avatar Feb 23 '22 06:02 xeroxnir

I wouldn't make a recommendation for or against utilizing the helper functions within Solutions Constructs. My point is that if you call these functions from your AWS Solutions Constructs client, you must recognize that you are vulnerable to the functions changing or disappearing in future releases. If there are functions there with functionality that you find beneficial, you are welcome to call them with the understanding that they may change. To protect yourself from future changes, copying the code for the function into your codebase is another alternative.

biffgaut avatar Feb 23 '22 16:02 biffgaut

Will the helper functions be guaranteed to be in the future core modules is moved from "experimental" stability to "stable"?

xeroxnir avatar Feb 28 '22 08:02 xeroxnir

No, the helper functions are not part of the published interface.

biffgaut avatar Feb 28 '22 13:02 biffgaut