Add a CORS configuration to hubverse S3-buckets

Resolves #48 To ensure that the "publicly accessible" component of Hubverse S3 buckets extends to web/HTTP requests, the buckets need to have a CORS configuration. The configuration defined i this PR allows HEAD and GET requests only.
hubverse-org · Aug 28, 2024 · fa60655 · fa60655
1 parent 725cc52
commit fa60655
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -98,6 +98,8 @@ The IAM roles below are used by Pulumi, thus they are not managed by Pulumi. Ins
 
 If you're a Hubverse developer who wants to use Pulumi locally (using [Pulumi's CLI](https://www.pulumi.com/docs/cli/), for example), you will need access to AWS credentials with the same permissions used by the GitHub workflows.
 
+**Note:** if you're adding a new type of AWS resource and get a 403 error from the `pulumi_update` GitHub action (or when running `pulumi up` manually), you likely need to update the `hubverse-infrastructure-write-policy` (which is attached to `hubverse-infrastructure-write-role`) to ensure it has permissions to create the new resource.
+
 ### Setup instructions
 
 1. Make sure you have the required version on Python installed on your machine (see [`.python-version`](.python-version)).

diff --git a/src/hubverse_infrastructure/hubs/s3.py b/src/hubverse_infrastructure/hubs/s3.py
@@ -66,8 +66,33 @@ def make_bucket_public(bucket: aws.s3.Bucket, bucket_name: str):
     )
 
 
+def add_s3_cors_config(bucket: aws.s3.Bucket, bucket_name: str):
+    """
+    Add CORS configuration to a spciified S3 bucket.
+    Having a CORS policy allows S3 buckets to be accessed via HTTP requests.
+    """
+
+    aws.s3.BucketCorsConfigurationV2(
+        resource_name=f"{bucket_name}-bucket-cors-config",
+        bucket=bucket.id,
+        cors_rules=[
+            {
+                "allowed_headers": ["*"],
+                "allowed_methods": [
+                    "GET",
+                    "HEAD",
+                ],
+                "allowed_origins": ["*"],
+                "expose_headers": [],
+                "max_age_seconds": 3000,
+            }
+        ],
+    )
+
+
 def create_s3_infrastructure(hub_info: dict) -> aws.s3.Bucket:
     hub_name = hub_info["hub"]
     bucket = create_bucket(hub_name)
     make_bucket_public(bucket, hub_name)
+    add_s3_cors_config(bucket, hub_name)
     return bucket