
Can't have the replication bucket in the same Pulumi stack for `awsnative-s3-bucket-configure-replication-configuration`

Open · desteves opened this issue 1 year ago • 1 comment

What happened?

To enable the awsnative-s3-bucket-configure-replication-configuration policy, I add a destinationBucket to my existing Pulumi stack. Because this is a "target" bucket, it does not have replication enabled.

Example

S3 bucket acting as a target for replication:

import * as aws from "@pulumi/aws";

// `name` and `kmsKey` are defined earlier in the same Pulumi program (not shown in this excerpt).

// Create a destination bucket in another region with versioning enabled
const destinationBucket = new aws.s3.Bucket("policy-as-code-workshop-dest-" + name, {
  versioning: {
    enabled: true,
  },
  // Enable server-side encryption by default using SSE-KMS with a customer-managed key
  serverSideEncryptionConfiguration: {
    rule: {
      applyServerSideEncryptionByDefault: {
        sseAlgorithm: "aws:kms",
        kmsMasterKeyId: kmsKey.id,
      },
      bucketKeyEnabled: true,
    },
  },
}, {
  provider: new aws.Provider("policy-as-code-workshop-dest" + name, {
    region: aws.Region.USWest1, // example destination region
  }),
});

S3 bucket acting as source:

// `name`, `kmsKey` and `replicationRole` (the IAM role S3 assumes to replicate objects)
// are defined earlier in the same Pulumi program (not shown in this excerpt).
const sourceBucket = new aws.s3.Bucket("policy-as-code-workshop-" + name, {

  // Exercise 01: Authoring and Using Resource Policies
  tags: {
    // "Department": "Engineering",
    "Owner": name,
  },
  // Versioning is needed for exercise 02
  versioning: {
    enabled: true,
  },
  // replication config is needed for exercise 02
  replicationConfiguration: {
    role: replicationRole.arn,
    rules: [{
      status: "Enabled",
      filter: {
        prefix: "", // an empty string means to replicate everything
      },
      destination: {
        bucket: destinationBucket.arn,
      },
    }],
  },
  // Enable server-side encryption by default using SSE-KMS with a customer-managed key
  serverSideEncryptionConfiguration: {
    rule: {
      applyServerSideEncryptionByDefault: {
        sseAlgorithm: "aws:kms",
        kmsMasterKeyId: kmsKey.id,
      },
      bucketKeyEnabled: true,
    },
  },
});

Pulumi Output:

Policies:
    ❌ [email protected]
        - [mandatory]  aws-s3-bucket-enable-replication-configuration  (aws:s3/bucket:Bucket: policy-as-code-workshop-dest-diana)
          Checks that S3 Bucket have cross-region replication enabled.
          S3 buckets should have cross-region replication enabled.

Output of pulumi about

pulumi about                
CLI          
Version      3.106.0
Go Version   go1.22.0
Go Compiler  gc

Plugins
NAME    VERSION
aws     6.22.2
docker  4.5.1
nodejs  unknown

Host     
OS       darwin
Version  14.3
Arch     arm64

This project is written in nodejs: executable='/opt/homebrew/bin/node' version='v21.6.2'

Additional context

I've discussed this with @jkodroff and thought we could do a workaround policy that enforces destination buckets to have a tag. This specifically tagged bucket would have to be excluded from the above policy.

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

desteves · Feb 23 '24 15:02
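The tag-based workaround sketched under "Additional context", as an added example that is not part of the issue or of the compliance-policies repository. It mirrors the shape of a `@pulumi/policy` `ResourceValidationPolicy` callback, `validateResource(args, reportViolation)`, but declares the two types locally so it runs without `@pulumi/policy` installed; the tag name `ReplicationRole`, its value `destination`, and the sample bucket inputs are all constructed for this example. Buckets carrying the tag are exempt from the replication rule but are still required to have versioning enabled, since S3 replication needs versioning on both the source and the destination bucket.

```typescript
// Added example (not the compliance-policies repo's own code). The two types
// below stand in for @pulumi/policy's ResourceValidationArgs / ReportViolation.
interface ResourceArgs {
  type: string;   // Pulumi type token, e.g. "aws:s3/bucket:Bucket"
  name: string;   // Pulumi resource name
  props: any;     // resource input properties as seen by the policy
}
type ReportViolation = (message: string) => void;

// Hypothetical tag marking a bucket as a replication destination.
export const REPLICATION_TARGET_TAG = "ReplicationRole";
export const REPLICATION_TARGET_VALUE = "destination";

export function isReplicationTarget(props: any): boolean {
  const tags = props?.tags ?? {};
  return tags[REPLICATION_TARGET_TAG] === REPLICATION_TARGET_VALUE;
}

// True when at least one replication rule is enabled and names a destination.
export function hasEnabledReplicationRule(props: any): boolean {
  const rules = props?.replicationConfiguration?.rules;
  if (!Array.isArray(rules)) return false;
  return rules.some((r: any) => r?.status === "Enabled" && r?.destination !== undefined);
}

// Equivalent of the policy's validateResource callback: only aws.s3.Bucket
// resources are inspected; tagged destinations are exempt from the
// replication check but must still be versioned.
export function validateBucketReplication(args: ResourceArgs, report: ReportViolation): void {
  if (args.type !== "aws:s3/bucket:Bucket") return;

  if (isReplicationTarget(args.props)) {
    if (args.props?.versioning?.enabled !== true) {
      report(`Bucket ${args.name} is tagged as a replication destination but versioning is not enabled.`);
    }
    return;
  }

  if (!hasEnabledReplicationRule(args.props)) {
    report(`Bucket ${args.name} should have cross-region replication enabled, or carry the tag ` +
           `${REPLICATION_TARGET_TAG}=${REPLICATION_TARGET_VALUE} if it is a replication destination.`);
  }
}

// Collects violations for one resource so results can be inspected directly.
export function violationsFor(args: ResourceArgs): string[] {
  const out: string[] = [];
  validateBucketReplication(args, (m) => out.push(m));
  return out;
}

// Constructed sample inputs modelled on the two buckets in the issue.
const bucketType = "aws:s3/bucket:Bucket";

export const sourceBucket: ResourceArgs = {
  type: bucketType, name: "policy-as-code-workshop-diana",
  props: {
    tags: { Owner: "diana" },
    versioning: { enabled: true },
    replicationConfiguration: {
      role: "arn:aws:iam::123456789012:role/example-replication-role",
      rules: [{ status: "Enabled", filter: { prefix: "" },
                destination: { bucket: "arn:aws:s3:::policy-as-code-workshop-dest-diana" } }],
    },
  },
};

// Reproduces the ❌ from the issue: a destination with no tag and no replication config.
export const untaggedDestination: ResourceArgs = {
  type: bucketType, name: "policy-as-code-workshop-dest-diana",
  props: { versioning: { enabled: true } },
};

// The same destination carrying the exemption tag.
export const taggedDestination: ResourceArgs = {
  type: bucketType, name: "policy-as-code-workshop-dest-diana",
  props: { tags: { [REPLICATION_TARGET_TAG]: REPLICATION_TARGET_VALUE }, versioning: { enabled: true } },
};

// Tagged, but versioning off: replication into it would fail, so still flagged.
export const unversionedDestination: ResourceArgs = {
  type: bucketType, name: "policy-as-code-workshop-dest-diana",
  props: { tags: { [REPLICATION_TARGET_TAG]: REPLICATION_TARGET_VALUE }, versioning: { enabled: false } },
};

for (const b of [sourceBucket, untaggedDestination, taggedDestination, unversionedDestination]) {
  console.log(b.name, violationsFor(b));
}
```

To wire this into a real policy pack, the `validateBucketReplication` function body would become the `validateResource` member of a `ResourceValidationPolicy` registered in a `PolicyPack` from `@pulumi/policy`, with `enforcementLevel` set to `"mandatory"` as in the issue's output. Because the exemption rests on a tag, a second policy that forbids the tag on buckets that do carry a `replicationConfiguration` keeps the tag from being used to bypass the rule on genuine source buckets.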