From 95852ed76db52bb87277fa20b4e0a045b0eeb9b6 Mon Sep 17 00:00:00 2001
From: Nic <123965403+ngayerie@users.noreply.github.com>
Date: Fri, 18 Oct 2024 12:52:09 +0200
Subject: [PATCH 1/2] [Rules] Update providers.mdx
SPM-2581
---
.../docs/rules/cloud-connector/providers.mdx | 38 +++++++++++++++++++
1 file changed, 38 insertions(+)
diff --git a/src/content/docs/rules/cloud-connector/providers.mdx b/src/content/docs/rules/cloud-connector/providers.mdx
index 8d22a6c822e3da4..bb259864af85c07 100644
--- a/src/content/docs/rules/cloud-connector/providers.mdx
+++ b/src/content/docs/rules/cloud-connector/providers.mdx
@@ -38,6 +38,44 @@ Cloud Connector supports both subdomain and URI path-style URLs:
For more information, refer to the [Amazon S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/EnableWebsiteHosting.html).
+### Configure bucket policies to allow Cloudflare IP addresses
+
+Now that you’ve created your buckets and enabled hosting for static content, you can set up permissions to allow Cloudflare to access your bucket.
+This ensures that your site only responds to requests coming from the Cloudflare proxy. This is the [current list of IP address ranges](https://www.cloudflare.com/ips/) used by the Cloudflare proxy.
+
+To set up your policy:
+
+1. Follow these instructions from Amazon to [Add an S3 Bucket Policy](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/add-bucket-policy.html).
+2. For the step where you enter the policy in the **Bucket policy editor**, use this sample to fill out the needed JSON code, making sure to replace:
+- `www.example.com` (appearing in `"Resource": "arn:aws:s3:www.example.com/*"`) with the S3 bucket name for your subdomain URL.
+- The placeholder IP addresses with the [current list of IP address ranges](https://www.cloudflare.com/ips/)
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowCloudflareIPs",
+ "Effect": "Allow",
+ "Principal": "*",
+ "Action": "s3:GetObject",
+ "Resource": "arn:aws:s3:::www.example.com/*",
+ "Condition": {
+ "IpAddress": {
+ "aws:SourceIp": [
+ "192.2.0.1/32" (example IPv4 address),
+ "192.2.1.0/24" (example IPv4 range),
+ "2001:db8::1111:1111" (example IPv6 address),
+ "2001:db8::/32" (example IPv6 range),
+ (add all IPs ranges at https://www.cloudflare.com/ips)
+ ]
+ }
+ }
+ }
+ ]
+}
+```
+
## Google Cloud Platform - Cloud Storage
The hostname of your Cloud Storage bucket URL must be the following (where `*` is a wildcard character):
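Review bot: the policy sample in the `json` block is not valid JSON. The `aws:SourceIp` entries carry trailing annotations such as `"192.2.0.1/32" (example IPv4 address),` and the array ends with the bare line `(add all IPs ranges at https://www.cloudflare.com/ips)`, so a reader who pastes it into the Bucket policy editor gets a parse error. Move the annotations into the prose above the block and keep the array as plain strings. Other points in this hunk: `192.2.0.1/32` and `192.2.1.0/24` are not in the reserved documentation range (192.0.2.0/24), unlike the `2001:db8::` IPv6 examples; the bullet quotes the resource as `arn:aws:s3:www.example.com/*` while the sample uses `arn:aws:s3:::www.example.com/*`; and the new link uses `/user-guide/` where the context line above uses `/userguide/`. Finally, "This ensures that your site only responds to requests coming from the Cloudflare proxy" holds only if nothing else grants read access, because the statement is an `Allow`; say that any existing public grant has to be removed, or a reader may add this to an already public bucket and assume it restricts access.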
From 5058783d2deda04c50f6ea1957810128a868f378 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Fri, 18 Oct 2024 17:25:14 +0100
Subject: [PATCH 2/2] Update to generic recommendation
---
.../docs/rules/cloud-connector/providers.mdx | 44 +++----------------
...nnector-limit-bucket-to-cloudflare-ips.mdx | 5 +++
2 files changed, 12 insertions(+), 37 deletions(-)
create mode 100644 src/content/partials/rules/cloud-connector-limit-bucket-to-cloudflare-ips.mdx
diff --git a/src/content/docs/rules/cloud-connector/providers.mdx b/src/content/docs/rules/cloud-connector/providers.mdx
index bb259864af85c07..f33b31b199d79d9 100644
--- a/src/content/docs/rules/cloud-connector/providers.mdx
+++ b/src/content/docs/rules/cloud-connector/providers.mdx
@@ -5,6 +5,8 @@ sidebar:
order: 4
---
+import { Render } from "~/components";
+
Cloud Connector currently supports the following cloud providers and services:
- Amazon Web Services - S3
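Review bot: `import { Render } from "~/components";` is added here, but no `+` line in this patch as shown uses `Render`; the additions in the later hunks of this file are blank lines. If the partial created in this patch is meant to be rendered in the provider sections, confirm those lines are present. Otherwise the import is unused and the new partial is never displayed.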
@@ -38,43 +40,7 @@ Cloud Connector supports both subdomain and URI path-style URLs:
For more information, refer to the [Amazon S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/EnableWebsiteHosting.html).
-### Configure bucket policies to allow Cloudflare IP addresses
-
-Now that you’ve created your buckets and enabled hosting for static content, you can set up permissions to allow Cloudflare to access your bucket.
-This ensures that your site only responds to requests coming from the Cloudflare proxy. This is the [current list of IP address ranges](https://www.cloudflare.com/ips/) used by the Cloudflare proxy.
-
-To set up your policy:
-
-1. Follow these instructions from Amazon to [Add an S3 Bucket Policy](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/add-bucket-policy.html).
-2. For the step where you enter the policy in the **Bucket policy editor**, use this sample to fill out the needed JSON code, making sure to replace:
-- `www.example.com` (appearing in `"Resource": "arn:aws:s3:www.example.com/*"`) with the S3 bucket name for your subdomain URL.
-- The placeholder IP addresses with the [current list of IP address ranges](https://www.cloudflare.com/ips/)
-
-```json
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "AllowCloudflareIPs",
- "Effect": "Allow",
- "Principal": "*",
- "Action": "s3:GetObject",
- "Resource": "arn:aws:s3:::www.example.com/*",
- "Condition": {
- "IpAddress": {
- "aws:SourceIp": [
- "192.2.0.1/32" (example IPv4 address),
- "192.2.1.0/24" (example IPv4 range),
- "2001:db8::1111:1111" (example IPv6 address),
- "2001:db8::/32" (example IPv6 range),
- (add all IPs ranges at https://www.cloudflare.com/ips)
- ]
- }
- }
- }
- ]
-}
-```
+
## Google Cloud Platform - Cloud Storage
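Review bot: removing the whole section leaves the S3 instructions with no provider-specific pointer. The link to Amazon's "Add an S3 Bucket Policy" instructions in the removed step 1 goes away together with the sample, and the only `+` line in its place is blank. Consider keeping one sentence under the S3 heading that links to the AWS bucket policy documentation, so the generic recommendation has an actionable next step for this provider.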
@@ -101,6 +67,8 @@ Cloud Connector supports both subdomain and URI path-style URLs:
If the files in your bucket are not publicly accessible, you must change the bucket permissions. For details, refer to the [Google Cloud Storage documentation](https://cloud.google.com/storage/docs/access-control/making-data-public#buckets).
+
+
## Microsoft Azure - Blob Storage
The hostname of your Blob Storage bucket URL must have one of the following formats:
@@ -117,3 +85,5 @@ For Azure Blog Storage, Cloud Connector supports only subdomain URLs like `
diff --git a/src/content/partials/rules/cloud-connector-limit-bucket-to-cloudflare-ips.mdx b/src/content/partials/rules/cloud-connector-limit-bucket-to-cloudflare-ips.mdx
new file mode 100644
index 000000000000000..4ddbc195912bdc9
--- /dev/null
+++ b/src/content/partials/rules/cloud-connector-limit-bucket-to-cloudflare-ips.mdx
@@ -0,0 +1,5 @@
+---
+{}
+---
+
+Once you configure Cloud Connector with your storage provider's public bucket, you may wish that only Cloudflare can access the objects in that bucket. To achieve this, check your provider's documentation on how to create a policy that only allows incoming requests from [Cloudflare IP addresses](https://www.cloudflare.com/ips/).
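Review bot: in the added paragraph, "you may wish that only Cloudflare can access the objects in that bucket" promises more than the next sentence delivers, which is a policy that "only allows incoming requests from Cloudflare IP addresses". An IP-range condition identifies the source network, not the account or zone making the request. Reword to something like "you may want to restrict access to requests coming from Cloudflare IP addresses". The paragraph also starts from "your storage provider's public bucket" without saying that existing public grants must be removed for the restriction to take effect, and it should mention that the linked list needs to be rechecked and the policy updated when the ranges change.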