feat(security-questionnaire): add support for questionnaire file uploads to S3 (#1758)

Co-authored-by: Tofik Hasanov <annexcies@gmail.com>

Author: github-actions[bot]

.env.example

@@ -17,6 +17,7 @@ APP_AWS_ACCESS_KEY_ID="" # AWS Access Key ID
 APP_AWS_SECRET_ACCESS_KEY="" # AWS Secret Access Key
 APP_AWS_REGION="" # AWS Region
 APP_AWS_BUCKET_NAME="" # AWS Bucket Name
+APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET=""  # AWS, Required for Security Questionnaire feature
 
 TRIGGER_SECRET_KEY="" # For background jobs. Self-host or use cloud-version @ https://trigger.dev
 # TRIGGER_API_URL="" # Only set if you are self-hosting

SELF_HOSTING.md

@@ -43,6 +43,8 @@ Portal (`apps/portal`):
 
 App (`apps/app`):
 
+- **APP_AWS_REGION**, **APP_AWS_ACCESS_KEY_ID**, **APP_AWS_SECRET_ACCESS_KEY**, **APP_AWS_BUCKET_NAME**: AWS S3 credentials for file storage (attachments, general uploads).
+- **APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET**: AWS S3 bucket name specifically for questionnaire file uploads. Required for the Security Questionnaire feature. If not set, users will see an error when trying to parse questionnaires.
 - **OPENAI_API_KEY**: Enables AI features that call OpenAI models.
 - **UPSTASH_REDIS_REST_URL**, **UPSTASH_REDIS_REST_TOKEN**: Optional Redis (Upstash) used for rate limiting/queues/caching.
 - **NEXT_PUBLIC_POSTHOG_KEY**, **NEXT_PUBLIC_POSTHOG_HOST**: Client analytics via PostHog; leave unset to disable.
@@ -143,6 +145,12 @@ BETTER_AUTH_URL_PORTAL=http://localhost:3002
 NEXT_PUBLIC_BETTER_AUTH_URL_PORTAL=http://localhost:3002
 
 # Optional
+# AWS S3 (for file storage)
+# APP_AWS_REGION=
+# APP_AWS_ACCESS_KEY_ID=
+# APP_AWS_SECRET_ACCESS_KEY=
+# APP_AWS_BUCKET_NAME=
+# APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET=
 # OPENAI_API_KEY=
 # UPSTASH_REDIS_REST_URL=
 # UPSTASH_REDIS_REST_TOKEN=

apps/app/src/app/(app)/[orgId]/security-questionnaire/actions/parse-questionnaire-ai.ts

@@ -4,6 +4,7 @@ import { authActionClient } from '@/actions/safe-action';
 import { parseQuestionnaireTask } from '@/jobs/tasks/vendors/parse-questionnaire';
 import { tasks } from '@trigger.dev/sdk';
 import { z } from 'zod';
+import { APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET } from '@/app/s3';
 
 const inputSchema = z.object({
   inputType: z.enum(['file', 'url', 'attachment', 's3']),
@@ -35,6 +36,11 @@ export const parseQuestionnaireAI = authActionClient
     if (!session?.activeOrganizationId) {
       throw new Error('No active organization');
     }
+
+    // Validate questionnaire upload bucket is configured
+    if (!APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET) {
+      throw new Error('Questionnaire upload service is not configured. Please set APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET environment variable to use this feature.');
+    }
 
     const organizationId = session.activeOrganizationId;
 

apps/app/src/app/(app)/[orgId]/security-questionnaire/actions/upload-questionnaire-file.ts

@@ -1,6 +1,6 @@
 'use server';
 
-import { BUCKET_NAME, s3Client } from '@/app/s3';
+import { APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET, s3Client } from '@/app/s3';
 import { authActionClient } from '@/actions/safe-action';
 import { PutObjectCommand } from '@aws-sdk/client-s3';
 import { db } from '@db';
@@ -48,10 +48,14 @@ export const uploadQuestionnaireFile = authActionClient
       throw new Error('Unauthorized');
     }
 
-    if (!s3Client || !BUCKET_NAME) {
+    if (!s3Client) {
       throw new Error('S3 client not configured');
     }
 
+    if (!APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET) {
+      throw new Error('Questionnaire upload bucket is not configured. Please set APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET environment variable.');
+    }
+
     try {
       // Convert base64 to buffer
       const fileBuffer = Buffer.from(fileData, 'base64');
@@ -70,7 +74,7 @@ export const uploadQuestionnaireFile = authActionClient
 
       // Upload to S3
       const putCommand = new PutObjectCommand({
-        Bucket: BUCKET_NAME,
+        Bucket: APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET,
         Key: s3Key,
         Body: fileBuffer,
         ContentType: fileType,
@@ -93,6 +97,35 @@ export const uploadQuestionnaireFile = authActionClient
         },
       };
     } catch (error) {
+      // Provide more helpful error messages for common S3 errors
+      if (error && typeof error === 'object' && 'Code' in error) {
+        const awsError = error as { Code: string; message?: string };
+        
+        if (awsError.Code === 'AccessDenied') {
+          throw new Error(
+            `Access denied to S3 bucket "${APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET}". ` +
+            `Please verify that:\n` +
+            `1. The bucket "${APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET}" exists\n` +
+            `2. Your AWS credentials have s3:PutObject permission for this bucket\n` +
+            `3. The bucket is in the correct region (${process.env.APP_AWS_REGION || 'not set'})\n` +
+            `4. The bucket name is correct`
+          );
+        }
+        
+        if (awsError.Code === 'NoSuchBucket') {
+          throw new Error(
+            `S3 bucket "${APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET}" does not exist. ` +
+            `Please create the bucket or update APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET environment variable.`
+          );
+        }
+        
+        if (awsError.Code === 'InvalidAccessKeyId' || awsError.Code === 'SignatureDoesNotMatch') {
+          throw new Error(
+            `Invalid AWS credentials. Please check APP_AWS_ACCESS_KEY_ID and APP_AWS_SECRET_ACCESS_KEY environment variables.`
+          );
+        }
+      }
+      
       throw error instanceof Error
         ? error
         : new Error('Failed to upload questionnaire file');

apps/app/src/app/s3.ts

@@ -5,6 +5,7 @@ const APP_AWS_ACCESS_KEY_ID = process.env.APP_AWS_ACCESS_KEY_ID;
 const APP_AWS_SECRET_ACCESS_KEY = process.env.APP_AWS_SECRET_ACCESS_KEY;
 
 export const BUCKET_NAME = process.env.APP_AWS_BUCKET_NAME;
+export const APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET = process.env.APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET;
 
 let s3ClientInstance: S3Client;
 

apps/app/src/env.mjs

@@ -28,6 +28,7 @@ export const env = createEnv({
     APP_AWS_SECRET_ACCESS_KEY: z.string().optional(),
     APP_AWS_REGION: z.string().optional(),
     APP_AWS_BUCKET_NAME: z.string().optional(),
+    APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET: z.string().optional(),
     NEXT_PUBLIC_PORTAL_URL: z.string(),
     FIRECRAWL_API_KEY: z.string().optional(),
     FLEET_URL: z.string().optional(),
@@ -81,6 +82,7 @@ export const env = createEnv({
     APP_AWS_SECRET_ACCESS_KEY: process.env.APP_AWS_SECRET_ACCESS_KEY,
     APP_AWS_REGION: process.env.APP_AWS_REGION,
     APP_AWS_BUCKET_NAME: process.env.APP_AWS_BUCKET_NAME,
+    APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET: process.env.APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET,
     NEXT_PUBLIC_PORTAL_URL: process.env.NEXT_PUBLIC_PORTAL_URL,
     FIRECRAWL_API_KEY: process.env.FIRECRAWL_API_KEY,
     FLEET_URL: process.env.FLEET_URL,

apps/app/src/jobs/tasks/vendors/parse-questionnaire.ts

@@ -1,5 +1,5 @@
 import { logger, task } from '@trigger.dev/sdk';
-import { BUCKET_NAME, extractS3KeyFromUrl, s3Client } from '@/app/s3';
+import { APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET, BUCKET_NAME, extractS3KeyFromUrl, s3Client } from '@/app/s3';
 import { env } from '@/env.mjs';
 import { GetObjectCommand } from '@aws-sdk/client-s3';
 import { openai } from '@ai-sdk/openai';
@@ -309,8 +309,16 @@ async function extractContentFromS3Key(
   s3Key: string,
   fileType: string,
 ): Promise<{ content: string; fileType: string }> {
+  if (!s3Client) {
+    throw new Error('S3 client is not initialized. Please check AWS S3 environment variables (APP_AWS_REGION, APP_AWS_ACCESS_KEY_ID, APP_AWS_SECRET_ACCESS_KEY).');
+  }
+
+  if (!APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET) {
+    throw new Error('Questionnaire upload bucket is not configured. Please set APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET environment variable.');
+  }
+
   const getCommand = new GetObjectCommand({
-    Bucket: BUCKET_NAME!,
+    Bucket: APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET,
     Key: s3Key,
   });