Separating Out Access Logging #1695
Conversation
|
Tested:
|
| self.default_environment_bucket = default_environment_bucket | ||
|
|
||
| default_environment_bucket.add_to_resource_policy( | ||
| default_environment_log_bucket.policy.apply_removal_policy(RemovalPolicy.RETAIN) |
There was a problem hiding this comment.
Isn't this already define in line 174?
There was a problem hiding this comment.
removal policy applies to the bucket only - the assocaited policy would get deleted unless we include this line
default_environment_log_bucket.policy.apply_removal_policy(RemovalPolicy.RETAIN)
which then potentially exposes our bucket
| @@ -100,6 +100,7 @@ | |||
| gql.Field('subscriptionsConsumersTopicName', type=gql.String), | |||
| gql.Field('subscriptionsProducersTopicName', type=gql.String), | |||
| gql.Field('EnvironmentDefaultBucketName', type=gql.String), | |||
| gql.Field('EnvironmentLogsBucketName', type=gql.String), | |||
There was a problem hiding this comment.
Do we need to expose the information in graphql back to the users? It is a logs bucket, we might want to keep it internal only
There was a problem hiding this comment.
Although I see it is used in the integration tests. It is fine as is
There was a problem hiding this comment.
it is used in testings
could theoretically be used elsewhere but currentically not used in our front end client as you mentioned
| server_access_logs_bucket=default_environment_log_bucket, | ||
| server_access_logs_prefix=f'access_logs/{self._environment.EnvironmentDefaultBucketName}/', | ||
| ) | ||
| default_environment_bucket.policy.apply_removal_policy(RemovalPolicy.RETAIN) |
There was a problem hiding this comment.
same as above, isn't the removal policy already defined in line 196
There was a problem hiding this comment.
same response - need to explicitly retain associated resources of bucket (i.e. bucket policy)
…1697) ### Feature or Bugfix <!-- please choose --> - Bugfix ### Detail - Fix integration test teardown of environment bug on cleaning up EnvironmentLogsBucketName ### Relates - #1695 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Feature or Bugfix
Detail
Relates
Security
Please answer the questions below briefly where applicable, or write
N/A. Based onOWASP 10.
fetching data from storage outside the application (e.g. a database, an S3 bucket)?
evalor similar functions are used?By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.