Add ObjectLock as a storage attribute

Open flavianh opened this issue 3 years ago • 1 comments

"Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. You can use Object Lock to help meet regulatory requirements that require WORM storage, or to simply add another layer of protection against object changes and deletion."

This pull request only adds the ability to set Object Lock to "indefinite".

/!\ I don't know how to properly test this?

flavianh avatar Oct 21 '21 14:10 flavianh

Hey @flavianh, thanks for this proposal :) !

Our goal with Lift is to provide AWS-agnostic feature configuration - in the form of constructs - enabling more developers not familiar with the AWS ecosystem to join the serverless revolution. ObjectLock is strongly linked to AWS. Looking at the documentation, this opens up abilities to implement legal hold and retention period policies on each object version in a bucket when uploading a new object.

A good way to approach this (and the type of configuration provided in the construct) is to think in terms of the feature enabled by this configuration. What do you think of something like retention with an integer representing a value in days that would:

  • enable ObjectLock on the bucket (what you did in your PR)
  • add an ObjectLockConfiguration with the configured period (+ choosing between governance and compliance mode)

WDYT ?

In the meantime, if setting this property is urgent in your case, you can easily override this property without a dedicated option on the construct using the resources.extensions property from the Serverless Framework:

resources:
  extensions:
    MyAppBucket: # Replace with the actual logicalId of the S3 bucket from the CloudFormation resources tab
      Properties:
        ObjectLockEnabled: true

As far as tests are concerned, you can add a configured storage construct using your new property in test/fixtures/storage/serverless.yml and then implement a test following examples from test/unit/storage.test.ts to check that the output CloudFormation contains the ObjectLockEnabled when the corresponding construct parameter is set.

fredericbarthelet avatar Oct 26 '21 18:10 fredericbarthelet
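
A sketch of the mapping proposed in the comment above, as an added example that is not Lift's code: the `retention` option shape (`days`, `mode`), the GOVERNANCE default and both function names are hypothetical, while the emitted keys are the CloudFormation `AWS::S3::Bucket` properties `ObjectLockEnabled` and `ObjectLockConfiguration`. The second function is the kind of check a unit test could run against the output template.

```typescript
// Added example (hypothetical option names, not part of Lift).
type LockMode = "GOVERNANCE" | "COMPLIANCE";

// Hypothetical construct option: default retention in days plus a lock mode.
type RetentionOption = { days: number; mode?: LockMode };

type BucketLockProperties = {
  ObjectLockEnabled: boolean;
  ObjectLockConfiguration: {
    ObjectLockEnabled: "Enabled";
    Rule: { DefaultRetention: { Mode: LockMode; Days: number } };
  };
};

// Translate the option into the AWS::S3::Bucket properties for a default retention rule.
function objectLockProperties(retention: RetentionOption): BucketLockProperties {
  // Assumption of this example: GOVERNANCE when no mode is given, since
  // COMPLIANCE retention cannot be shortened or removed once applied.
  const mode: LockMode = retention.mode ?? "GOVERNANCE";
  if (mode !== "GOVERNANCE" && mode !== "COMPLIANCE") {
    throw new Error(`retention.mode must be GOVERNANCE or COMPLIANCE, got ${String(mode)}`);
  }
  if (!Number.isInteger(retention.days) || retention.days < 1) {
    throw new Error(`retention.days must be a positive integer, got ${retention.days}`);
  }
  return {
    ObjectLockEnabled: true,
    ObjectLockConfiguration: {
      ObjectLockEnabled: "Enabled",
      Rule: { DefaultRetention: { Mode: mode, Days: retention.days } },
    },
  };
}

type Template = {
  Resources: Record<string, { Type: string; Properties?: Record<string, unknown> }>;
};

// Return the logical IDs of S3 buckets in a template that have Object Lock enabled.
function lockedBuckets(template: Template): string[] {
  return Object.entries(template.Resources)
    .filter(([, r]) => r.Type === "AWS::S3::Bucket" && r.Properties?.["ObjectLockEnabled"] === true)
    .map(([logicalId]) => logicalId);
}
```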