This repository was archived by the owner on Aug 6, 2025. It is now read-only.

Commit 80a8367

[DOP-2715] bucket polices and job filter (#688)
1 parent 1615462 commit 80a8367


2 files changed

+36
-7
lines changed


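--- a/api/controllers/v1/jobs.ts
+++ b/api/controllers/v1/jobs.ts
@@ -249,6 +249,14 @@ async function SubmitArchiveJob(jobId: string) {
 const job = await models.jobs.getJobById(jobId);
 const repo = await models.branches.getRepo(job.payload.repoName);
 
+/* NOTE
+* we don't archive landing for two reasons:
+* - we can't unless we add efs to batch for extra storage; or https://github.com/aws/containers-roadmap/issues/1383
+* - other properties like realm are nested under s3
+*/
+const archiveExclusions = ['docs-landing'];
+if (archiveExclusions.includes(repo.repoName)) return;
+
 const response = await new Batch(environment).submitArchiveJob(
 repo.bucket[environment],
 `docs-archive-${environment}-mongodb`,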
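Review bot: The early `return` after the `archiveExclusions` check skips the archive without leaving any trace, so an operator looking for a missing `docs-landing` archive has nothing in the logs that says the job was deliberately not submitted. Log the skip before returning, for example `if (archiveExclusions.includes(repo.repoName)) { /* log jobId and repo.repoName via the file's logger */ return; }`. The list is also rebuilt on every call; declaring `archiveExclusions` once at module level would keep the exclusion set in one reviewable place. SubmitArchiveJob's body continues outside the hunk, so whether callers can otherwise distinguish a skip from a submission is not visible here.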

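--- a/infrastructure/ecs-main/buckets.yml
+++ b/infrastructure/ecs-main/buckets.yml
@@ -79,9 +79,12 @@ Resources:
 - Effect: Allow
 Principal:
 AWS: arn:aws:iam::${aws:accountId}:role/docs-archive-job-${self:provider.stage}-batch
-Action: 's3:GetObject'
+Action:
+- 's3:GetObject'
+- 's3:ListBucket'
 Resource:
 - Fn::Join: ['', [{ "Fn::GetAtt": ["DocsBucket", "Arn" ] }, '/*']]
+- Fn::Join: ['', [{ "Fn::GetAtt": ["DocsBucket", "Arn" ] }]]
 - Effect: Allow
 Principal:
 AWS: arn:aws:iam::${aws:accountId}:role/docs-deploy-job-${self:provider.stage}-batch
@@ -106,9 +109,12 @@ Resources:
 - Effect: Allow
 Principal:
 AWS: arn:aws:iam::${aws:accountId}:role/docs-archive-job-${self:provider.stage}-batch
-Action: 's3:GetObject'
+Action:
+- 's3:GetObject'
+- 's3:ListBucket'
 Resource:
 - Fn::Join: ['', [{ "Fn::GetAtt": ["DocAtlasBucket", "Arn" ] }, '/*']]
+- Fn::Join: ['', [{ "Fn::GetAtt": ["DocAtlasBucket", "Arn" ] }]]
 - Effect: Allow
 Principal:
 AWS: arn:aws:iam::${aws:accountId}:role/docs-deploy-job-${self:provider.stage}-batch
@@ -133,9 +139,12 @@ Resources:
 - Effect: Allow
 Principal:
 AWS: arn:aws:iam::${aws:accountId}:role/docs-archive-job-${self:provider.stage}-batch
-Action: 's3:GetObject'
+Action:
+- 's3:GetObject'
+- 's3:ListBucket'
 Resource:
 - Fn::Join: ['', [{ "Fn::GetAtt": ["CloudManagerBucket", "Arn" ] }, '/*']]
+- Fn::Join: ['', [{ "Fn::GetAtt": ["CloudManagerBucket", "Arn" ] }]]
 - Effect: Allow
 Principal:
 AWS: arn:aws:iam::${aws:accountId}:role/docs-deploy-job-${self:provider.stage}-batch
@@ -160,9 +169,12 @@ Resources:
 - Effect: Allow
 Principal:
 AWS: arn:aws:iam::${aws:accountId}:role/docs-archive-job-${self:provider.stage}-batch
-Action: 's3:GetObject'
+Action:
+- 's3:GetObject'
+- 's3:ListBucket'
 Resource:
 - Fn::Join: ['', [{ "Fn::GetAtt": ["OpsManagerBucket", "Arn" ] }, '/*']]
+- Fn::Join: ['', [{ "Fn::GetAtt": ["OpsManagerBucket", "Arn" ] }]]
 - Effect: Allow
 Principal:
 AWS: arn:aws:iam::${aws:accountId}:role/docs-deploy-job-${self:provider.stage}-batch
@@ -187,9 +199,12 @@ Resources:
 - Effect: Allow
 Principal:
 AWS: arn:aws:iam::${aws:accountId}:role/docs-archive-job-${self:provider.stage}-batch
-Action: 's3:GetObject'
+Action:
+- 's3:GetObject'
+- 's3:ListBucket'
 Resource:
 - Fn::Join: ['', [{ "Fn::GetAtt": ["JavaBucket", "Arn" ] }, '/*']]
+- Fn::Join: ['', [{ "Fn::GetAtt": ["JavaBucket", "Arn" ] }]]
 - Effect: Allow
 Principal:
 AWS: arn:aws:iam::${aws:accountId}:role/docs-deploy-job-${self:provider.stage}-batch
@@ -214,9 +229,12 @@ Resources:
 - Effect: Allow
 Principal:
 AWS: arn:aws:iam::${aws:accountId}:role/docs-archive-job-${self:provider.stage}-batch
-Action: 's3:GetObject'
+Action:
+- 's3:GetObject'
+- 's3:ListBucket'
 Resource:
 - Fn::Join: ['', [{ "Fn::GetAtt": ["GoBucket", "Arn" ] }, '/*']]
+- Fn::Join: ['', [{ "Fn::GetAtt": ["GoBucket", "Arn" ] }]]
 - Effect: Allow
 Principal:
 AWS: arn:aws:iam::${aws:accountId}:role/docs-deploy-job-${self:provider.stage}-batch
@@ -241,9 +259,12 @@ Resources:
 - Effect: Allow
 Principal:
 AWS: arn:aws:iam::${aws:accountId}:role/docs-archive-job-${self:provider.stage}-batch
-Action: 's3:GetObject'
+Action:
+- 's3:GetObject'
+- 's3:ListBucket'
 Resource:
 - Fn::Join: ['', [{ "Fn::GetAtt": ["NodeBucket", "Arn" ] }, '/*']]
+- Fn::Join: ['', [{ "Fn::GetAtt": ["NodeBucket", "Arn" ] }]]
 - Effect: Allow
 Principal:
 AWS: arn:aws:iam::${aws:accountId}:role/docs-deploy-job-${self:provider.stage}-batch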
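Review bot: The archive-job statement in each of the seven hunks (DocsBucket through NodeBucket) now lists a bucket-level action and an object-level action against both ARNs, which evaluates correctly but hides which permission applies to which resource when the policy is audited. Splitting it into one statement for `s3:GetObject` on the `/*` ARN and one for `s3:ListBucket` on the bucket ARN keeps each grant readable as least privilege. If the archive job only reads a known prefix, the list statement could also carry a `Condition` on `s3:prefix`; whether it needs the whole bucket is not visible in this diff. The one-element `Fn::Join` on the new resource line is equivalent to the bare `Fn::GetAtt` and can be written that way. The sketch below shows the shape for DocsBucket; the enclosing policy document starts and ends outside the hunks.

```yaml
# … unchanged: preceding statements of the DocsBucket policy …
- Effect: Allow
  Principal:
    AWS: arn:aws:iam::${aws:accountId}:role/docs-archive-job-${self:provider.stage}-batch
  Action: 's3:GetObject'
  Resource:
    - Fn::Join: ['', [{ "Fn::GetAtt": ["DocsBucket", "Arn" ] }, '/*']]
- Effect: Allow
  Principal:
    AWS: arn:aws:iam::${aws:accountId}:role/docs-archive-job-${self:provider.stage}-batch
  Action: 's3:ListBucket'
  # bucket ARN without '/*': s3:ListBucket is a bucket-level action
  Resource: { "Fn::GetAtt": ["DocsBucket", "Arn"] }
# … unchanged: docs-deploy-job statement …
```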
