VED-814 Resolve sonarcloud warnings on S3 bucket ownership (#882)

dlzhry2nhs · web-flow · commit 83a94912bda2 · 2025-10-07T14:03:35.000+01:00
diff --git a/mesh_processor/src/converter.py b/mesh_processor/src/converter.py
@@ -5,6 +5,7 @@
 import boto3
 from smart_open import open
 
+EXPECTED_BUCKET_OWNER_ACCOUNT = os.getenv("ACCOUNT_ID")
 DESTINATION_BUCKET_NAME = os.getenv("DESTINATION_BUCKET_NAME")
 
 logging.basicConfig(level=logging.INFO)
@@ -80,9 +81,15 @@ def move_file(source_bucket: str, source_key: str, destination_bucket: str, dest
     s3_client.copy_object(
         CopySource={"Bucket": source_bucket, "Key": source_key},
         Bucket=destination_bucket,
-        Key=destination_key
+        Key=destination_key,
+        ExpectedBucketOwner=EXPECTED_BUCKET_OWNER_ACCOUNT,
+        ExpectedSourceBucketOwner=EXPECTED_BUCKET_OWNER_ACCOUNT
+    )
+    s3_client.delete_object(
+        Bucket=source_bucket,
+        Key=source_key,
+        ExpectedBucketOwner=EXPECTED_BUCKET_OWNER_ACCOUNT
     )
-    s3_client.delete_object(Bucket=source_bucket, Key=source_key)
 
 
 def transfer_multipart_content(bucket_name: str, file_key: str, boundary: bytes, filename: str) -> None:
@@ -122,7 +129,11 @@ def process_record(record: dict) -> None:
     file_key = record["s3"]["object"]["key"]
     logger.info(f"Processing {file_key}")
 
-    response = s3_client.head_object(Bucket=bucket_name, Key=file_key)
+    response = s3_client.head_object(
+        Bucket=bucket_name,
+        Key=file_key,
+        ExpectedBucketOwner=EXPECTED_BUCKET_OWNER_ACCOUNT
+    )
     content_type = response['ContentType']
     media_type, content_type_params = parse_header_value(content_type)
     filename = response["Metadata"].get("mex-filename") or file_key
@@ -136,7 +147,9 @@ def process_record(record: dict) -> None:
         s3_client.copy_object(
             Bucket=DESTINATION_BUCKET_NAME,
             CopySource={"Bucket": bucket_name, "Key": file_key},
-            Key=filename
+            Key=filename,
+            ExpectedBucketOwner=EXPECTED_BUCKET_OWNER_ACCOUNT,
+            ExpectedSourceBucketOwner=EXPECTED_BUCKET_OWNER_ACCOUNT
         )
 
     logger.info(f"Transfer complete for {file_key}")
diff --git a/mesh_processor/tests/test_converter.py b/mesh_processor/tests/test_converter.py
@@ -6,6 +6,8 @@
 from botocore.exceptions import ClientError
 from moto import mock_aws
 
+MOCK_MOTO_ACCOUNT_ID = "123456789012"
+
 
 def invoke_lambda(file_key: str):
     # Local import so that globals can be mocked
@@ -26,7 +28,7 @@ def invoke_lambda(file_key: str):
 
 
 @mock_aws
-@patch.dict(os.environ, {"DESTINATION_BUCKET_NAME": "destination-bucket"})
+@patch.dict(os.environ, {"DESTINATION_BUCKET_NAME": "destination-bucket", "ACCOUNT_ID": MOCK_MOTO_ACCOUNT_ID})
 class TestLambdaHandler(TestCase):
     def setUp(self):
         s3 = boto3.client("s3", region_name="eu-west-2")
diff --git a/terraform/mesh_processor.tf b/terraform/mesh_processor.tf
@@ -217,6 +217,7 @@ resource "aws_lambda_function" "mesh_file_converter_lambda" {
 
   environment {
     variables = {
+      ACCOUNT_ID              = var.immunisation_account_id
       DESTINATION_BUCKET_NAME = aws_s3_bucket.batch_data_source_bucket.bucket
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -217,6 +217,7 @@ resource "aws_lambda_function" "mesh_file_converter_lambda" {`
`217`	`217`
`218`	`218`	`environment {`
`219`	`219`	`variables = {`
	`220`	`+ ACCOUNT_ID = var.immunisation_account_id`
`220`	`221`	`DESTINATION_BUCKET_NAME = aws_s3_bucket.batch_data_source_bucket.bucket`
`221`	`222`	`}`
`222`	`223`	`}`