code-dot-org · cat5inthecradle · May 24, 2023 · Jun 21, 2023 · Jun 21, 2023 · Jun 21, 2023
diff --git a/beta-template.yml.erb b/beta-template.yml.erb
@@ -470,7 +470,7 @@ Resources:
   ContentBucket:
     Type: AWS::S3::Bucket
     Properties:
-      BucketName: !If [IsDevCondition, !Sub "cdo-dev-${SubdomainName}-content", !Sub "cdo-${SubdomainName}-content"]
+      BucketName: !Sub "${SubdomainName}-content.${BaseDomainName}"
       CorsConfiguration:
         CorsRules:
           - AllowedMethods: [GET, PUT]

diff --git a/cicd/2-cicd/cicd.template.yml b/cicd/2-cicd/cicd.template.yml
@@ -317,7 +317,7 @@ Resources:
                       - - '{ "SubdomainName": "'
                         - !Sub "javabuilder-dev-${GitHubBranch}"
                         - '" }'
-                  Capabilities: CAPABILITY_AUTO_EXPAND
+                  Capabilities: CAPABILITY_AUTO_EXPAND,CAPABILITY_IAM
                   RoleArn: !Sub arn:aws:iam::${AWS::AccountId}:role/admin/CloudFormationService
           - !Ref AWS::NoValue
 
@@ -343,7 +343,7 @@ Resources:
                       - - '{ "SubdomainName": "'
                         - !If [ TargetsMainBranch, 'javabuilder-test', !Sub 'javabuilder-${GitHubBranch}-test' ]
                         - '" }'
-                  Capabilities: CAPABILITY_AUTO_EXPAND
+                  Capabilities: CAPABILITY_AUTO_EXPAND,CAPABILITY_IAM
                   RoleArn: !Sub arn:aws:iam::${AWS::AccountId}:role/admin/CloudFormationService
           - !Ref AWS::NoValue
 
@@ -392,7 +392,7 @@ Resources:
                     - - '{ "SubdomainName": "'
                       - !If [ TargetsMainBranch, 'javabuilder', !Sub 'javabuilder-${GitHubBranch}' ]
                       - '" }'
-                  Capabilities: CAPABILITY_AUTO_EXPAND
+                  Capabilities: CAPABILITY_AUTO_EXPAND,CAPABILITY_IAM
                   RoleArn: !Sub arn:aws:iam::${AWS::AccountId}:role/admin/CloudFormationService
               - Name: app-demo-deploy
                 ActionTypeId:
@@ -422,7 +422,7 @@ Resources:
                           !Sub "javabuilder-demo-${GitHubBranch}",
                         ]
                       - '" }'
-                  Capabilities: CAPABILITY_AUTO_EXPAND
+                  Capabilities: CAPABILITY_AUTO_EXPAND,CAPABILITY_IAM
                   RoleArn: !Sub arn:aws:iam::${AWS::AccountId}:role/admin/CloudFormationService
           - !Ref AWS::NoValue
 

diff --git a/cicd/3-app/javabuilder/template.yml.erb b/cicd/3-app/javabuilder/template.yml.erb
@@ -473,7 +473,7 @@ Resources:
   ContentBucket:
     Type: AWS::S3::Bucket
     Properties:
-      BucketName: !If [IsDevCondition, !Sub "cdo-dev-${SubdomainName}-content", !Sub "cdo-${SubdomainName}-content"]
+      BucketName: !Sub "${SubdomainName}-content.${BaseDomainName}"
       CorsConfiguration:
         CorsRules:
           - AllowedMethods: [GET, PUT]
@@ -500,6 +500,37 @@ Resources:
           Resource: !Sub "arn:aws:s3:::${ContentBucket}/*"
           Principal: '*'
 
+  # TODO: the cloudformation role used to deploy this does not have permission to putRolePolicy. I'd like to find a way to allow creation of roles within this template.
+  ContentBucketWritePolicy:
+    Type: AWS::IAM::Policy
+    Properties:
+      PolicyName: !Sub "${AWS::StackName}-content-bucket-write-policy"
+      PolicyDocument:
+        Statement:
+          - Action:
+            - 's3:PutObject'
+            Effect: Allow
+            Resource: !Sub "arn:aws:s3:::${ContentBucket}/*"
+      Roles:
+        # TODO: do not hard code these!
+        - javabuilder-iam-PutSourcesLambdaRole-1R0GH6YNAXIC3
+        - javabuilder-iam-BuildAndRunLambdaRole-ZR48U5GF0610
+
+  # TODO: the cloudformation role used to deploy this does not have permission to putRolePolicy. I'd like to find a way to allow creation of roles within this template.
+  ContentBucketReadPolicy:
+    Type: AWS::IAM::Policy
+    Properties:
+      PolicyName: !Sub "${AWS::StackName}-content-bucket-read-policy"
+      PolicyDocument:
+        Statement:
+          - Action:
+            - 's3:GetObject'
+            Effect: Allow
+            Resource: !Sub "arn:aws:s3:::${ContentBucket}/*"
+      Roles:
+        # TODO: do not hard code this!
+        - javabuilder-iam-BuildAndRunLambdaRole-ZR48U5GF0610
+
   ContentApiCertificate:
     Type: AWS::CertificateManager::Certificate
     Properties:

diff --git a/cicd/README.md b/cicd/README.md
@@ -55,6 +55,7 @@ You can create a Development (aka 'adhoc') environment by setting the `ENVIRONME
 
 Notes:
 
+* branch names are used as a unique identifier (stack name, among others). Therefore we can only deploy one CI/CD pipeline per branch per AWS Account.
 * your branch name cannot contain the character `/`, as this causes issues in AWS. Note that resources will be deployed with the tags `{EnvType = development}`.
 * for now, these must deployed to the production AWS account. There is planned work to enable these to be deployed to the Dev AWS account.
 

diff --git a/iam.yml b/iam.yml
@@ -17,6 +17,8 @@ Parameters:
 
 Resources:
   # Permissions for the long-running lambda that compiles/runs student projects
+  # S3 Read/Write permissions are granted within the app stack
+  # TODO: create per-environment in app stack
   BuildAndRunLambdaRole:
     Type: AWS::IAM::Role
     Properties:
@@ -32,22 +34,11 @@ Resources:
         - PolicyName: BuildAndRunLambdaExecutionPolicy
           PolicyDocument:
             Statement:
-              # BuildAndRunJavaProject Lambda needs to put objects to the content bucket.
-              - Effect: Allow
-                Action:
-                  - 's3:PutObject'
-                  - 's3:GetObject'
-                Resource: 'arn:aws:s3:::cdo-*javabuilder*-content/*'
               # Read from Javabuilder SQS Queue
               - Effect: Allow
                 Action:
                   - "sqs:ReceiveMessage"
                   - "sqs:DeleteMessage"
-                  # May need the following
-                  # - "sqs:GetQueueAttributes"
-                  # - "sqs:GetQueueUrl"
-                  # - "sqs:ListDeadLetterSourceQueues"
-                  # - "sqs:ListQueues"
                 Resource:
                   # TODO: limit this
                   - '*' 
@@ -149,6 +140,8 @@ Resources:
                   - '*'
 
   # Permissions for the lambda that uploads student code to S3
+  # Per-bucket PutObject permissions are granted in the app template
+  # TODO move this role to the app stack
   PutSourcesLambdaRole:
     Type: AWS::IAM::Role
     Properties:
@@ -160,15 +153,6 @@ Resources:
             Principal: {Service: [lambda.amazonaws.com]}
       ManagedPolicyArns:
         - !Ref JavabuilderLoggingPolicy
-      Policies:
-        - PolicyName: named
-          PolicyDocument:
-            Statement:
-              # Put objects to the content bucket.
-              - Effect: Allow
-                Action:
-                  - 's3:putObject'
-                Resource: 'arn:aws:s3:::cdo-*javabuilder*-content/*'
 
   # Shared permissions that several lambdas need
   JavabuilderLoggingPolicy:
@@ -221,12 +205,6 @@ Resources:
                   - "cloudformation:DescribeStacks"
                 Resource: '*'
 
-              # BuildAndRunJavaProject Lambda needs to put objects to the content bucket.
-              - Effect: Allow
-                Action:
-                  - 's3:PutObject'
-                Resource: 'arn:aws:s3:::cdo-*javabuilder*-content/*'
-
               # All Lambdas need logging permissions.
               - Effect: Allow
                 Action:
@@ -333,8 +311,10 @@ Resources:
                   - !Sub "arn:aws:s3:::${TemplateBucket}/*"
               - Effect: Allow
                 Action:
+                  # TODO: limit this permission to only actions required by cloudformation (low priority)
                   - "s3:*"
                 Resource:
+                  #  TODO: use new bucket name
                   - "arn:aws:s3:::cdo-*javabuilder*-content"
               - Effect: Allow
                 Action:

diff --git a/org-code-javabuilder/lib/src/test/java/org/code/javabuilder/AWSContentManagerTest.java b/org-code-javabuilder/lib/src/test/java/org/code/javabuilder/AWSContentManagerTest.java
@@ -149,7 +149,7 @@ public void testGenerateAssetUrlDoesNotReturnStubUrlIfNotDashboard() {
     Properties.setCanAccessDashboardAssets(false);
 
     final String filename = "file";
-    final String actualUrl = "cdo-javabuilderbeta-content/file.wav";
+    final String actualUrl = "javabuilder-test.code.org-content/file.wav";
     when(projectData.getAssetUrl(filename)).thenReturn(actualUrl);
 
     assertEquals(actualUrl, contentManager.getAssetUrl(filename));
-Original file line number
+Diff line change
@@ Expand Up @@
     Notes:
+    * branch names are used as a unique identifier (stack name, among others). Therefore we can only deploy one CI/CD pipeline per branch per AWS Account.
     * your branch name cannot contain the character `/`, as this causes issues in AWS. Note that resources will be deployed with the tags `{EnvType = development}`.
     * for now, these must deployed to the production AWS account. There is planned work to enable these to be deployed to the Dev AWS account.
@@ Expand Down @@