updated to legacy bucketPermissions

mickychetta · mickychetta · commit f14cc541810f · 2022-02-18T23:53:01.000Z
diff --git a/source/patterns/@aws-solutions-constructs/aws-fargate-s3/lib/index.ts b/source/patterns/@aws-solutions-constructs/aws-fargate-s3/lib/index.ts
@@ -17,6 +17,7 @@ import * as s3 from "@aws-cdk/aws-s3";
 import { Construct } from "@aws-cdk/core";
 import * as defaults from "@aws-solutions-constructs/core";
 import * as ecs from "@aws-cdk/aws-ecs";
+import * as iam from "@aws-cdk/aws-iam";
 
 export interface FargateToS3Props {
   /**
@@ -211,11 +212,21 @@ export class FargateToS3 extends Construct {
       if (props.bucketPermissions.includes('Read')) {
         bucket.grantRead(this.service.taskDefinition.taskRole);
       }
+      // Sticking with legacy v1 permissions s3:PutObject* instead of CDK v2 s3:PutObject
+      // to prevent build failures for both versions
       if (props.bucketPermissions.includes('Write')) {
-        bucket.grantWrite(this.service.taskDefinition.taskRole);
+        this.service.taskDefinition.taskRole.addToPrincipalPolicy(new iam.PolicyStatement({
+          effect: iam.Effect.ALLOW,
+          resources: [bucket.bucketArn, `${bucket.bucketArn}/*`],
+          actions: ['s3:DeleteObject*', 's3:PutObject*', 's3:Abort*']
+        }));
       }
     } else {
-      bucket.grantReadWrite(this.service.taskDefinition.taskRole);
+      this.service.taskDefinition.taskRole.addToPrincipalPolicy(new iam.PolicyStatement({
+        effect: iam.Effect.ALLOW,
+        resources: [bucket.bucketArn, `${bucket.bucketArn}/*` ],
+        actions: ['s3:GetObject*', 's3:GetBucket*', 's3:List*', 's3:DeleteObject*', 's3:PutObject*', 's3:Abort*']
+      }));
     }
 
     // Add environment variables
diff --git a/source/patterns/@aws-solutions-constructs/aws-fargate-s3/package.json b/source/patterns/@aws-solutions-constructs/aws-fargate-s3/package.json
@@ -66,6 +66,7 @@
     "@aws-cdk/aws-ec2": "0.0.0",
     "@aws-cdk/aws-s3": "0.0.0",
     "@aws-cdk/aws-ecs": "0.0.0",
+    "@aws-cdk/aws-iam": "0.0.0",
     "@types/jest": "^26.0.22",
     "@aws-solutions-constructs/core": "0.0.0",
     "@types/node": "^10.3.0",
diff --git a/source/patterns/@aws-solutions-constructs/aws-fargate-s3/test/integ.existing-resources.expected.json b/source/patterns/@aws-solutions-constructs/aws-fargate-s3/test/integ.existing-resources.expected.json
@@ -988,7 +988,7 @@
             {
               "Action": [
                 "s3:DeleteObject*",
-                "s3:PutObject",
+                "s3:PutObject*",
                 "s3:Abort*"
               ],
               "Effect": "Allow",
diff --git a/source/patterns/@aws-solutions-constructs/aws-fargate-s3/test/integ.new-resources.expected.json b/source/patterns/@aws-solutions-constructs/aws-fargate-s3/test/integ.new-resources.expected.json
@@ -1079,7 +1079,7 @@
                 "s3:GetBucket*",
                 "s3:List*",
                 "s3:DeleteObject*",
-                "s3:PutObject",
+                "s3:PutObject*",
                 "s3:Abort*"
               ],
               "Effect": "Allow",

Original file line number	Diff line number	Diff line change
`@@ -988,7 +988,7 @@`
`988`	`988`	`{`
`989`	`989`	`"Action": [`
`990`	`990`	`"s3:DeleteObject*",`
`991`		`- "s3:PutObject",`
	`991`	`+ "s3:PutObject*",`
`992`	`992`	`"s3:Abort*"`
`993`	`993`	`],`
`994`	`994`	`"Effect": "Allow",`