Bucket Policy Configuration Enhancements #4096

Closed
san4d opened this issue Sep 19, 2024 · 1 comment

san4d (Contributor) commented Sep 19, 2024

Problem

I'm working with an S3 bucket (sst.aws.Bucket) that I'd like to add server-side encryption to with a customer managed key. As part of that work, I want to require KMS encryption on all objects in the bucket based on this documentation from AWS.

The policy needs to end up like this:

```json
{
   "Version":"2012-10-17",
   "Id":"PutObjectPolicy",
   "Statement":[{
         "Sid":"DenyObjectsThatAreNotSSEKMS",
         "Effect":"Deny",
         "Principal":"*",
         "Action":"s3:PutObject",
         "Resource":"arn:aws:s3:::amzn-s3-demo-bucket1/*",
         "Condition":{
            "Null":{
               "s3:x-amz-server-side-encryption-aws-kms-key-id":"true"
            }
         }
      }
   ]
}
```

Because the SST S3 creates a policy automatically and buckets cannot have more than one policy, I tried to use transforms to adjust the policy. However, the policy transform does not have access to the bucket's ARN, which I need.

Ideas

  1. Update the transform to have reference to the bucket so I can interpolate the arn (like you do here).
  2. Add an optional policy statements field to BucketCorsArgs that can be pushed to the internal statements array before creating the policy document.
fwang (Contributor) commented Oct 15, 2024

@san4d you have access to the bucket name via args passed into transform.policy. We also recently added a helper function sst.aws.iamEdit to help w/ manipulating the IAM policy. You can

```ts
new sst.aws.Bucket("MyBucket", {
  transform: {
    policy: (args) => {
      args.policy = sst.aws.iamEdit(args.policy, (policy) => {
        policy.Statement.push({
          Effect: "Deny",
          Action: "s3:PutObject",
          Resource: $interpolate`arn:aws:s3:::${args.bucket}/*`,
          ...
        });
      });
    },
  },
});
```

Feel free to reopen if this doesn't work for you.
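For readers who want to see the whole merge end to end, here is an added example (not code from this issue or from SST) that does in plain TypeScript what the transform.policy callback above does through sst.aws.iamEdit: parse the policy SST generated, append the full Deny statement from the first post for one bucket, and then check that the resulting document really denies unencrypted PutObject calls. The bucket name and the starting policy are constructed placeholders, not SST's real output.

```typescript
// Added example (not from the issue or SST): the merge that transform.policy does
// via sst.aws.iamEdit, as plain TypeScript, plus a check of the resulting policy.
interface PolicyStatement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal?: unknown;
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string>>;
}
interface PolicyDocument { Version: string; Id?: string; Statement: PolicyStatement[] }
const KMS_KEY_ID_KEY = "s3:x-amz-server-side-encryption-aws-kms-key-id";
// The statement from the AWS documentation quoted in the issue, for one bucket.
function denyUnencryptedPuts(bucketName: string): PolicyStatement {
  return {
    Sid: "DenyObjectsThatAreNotSSEKMS",
    Effect: "Deny",
    Principal: "*",
    Action: "s3:PutObject",
    Resource: `arn:aws:s3:::${bucketName}/*`,
    Condition: { Null: { [KMS_KEY_ID_KEY]: "true" } },
  };
}

// Parse the policy SST generated, append the Deny statement once (keyed on Sid),
// and serialize it again; a bucket can carry only one policy document.
function addDenyStatement(policyJson: string, bucketName: string): string {
  const policy: PolicyDocument = JSON.parse(policyJson);
  const stmt = denyUnencryptedPuts(bucketName);
  if (!policy.Statement.some((s) => s.Sid === stmt.Sid)) policy.Statement.push(stmt);
  return JSON.stringify(policy);
}

// Check: does some statement deny s3:PutObject on every object of the bucket
// whenever the KMS key id header is absent? (Matches the exact form used above.)
function requiresSseKms(policyJson: string, bucketName: string): boolean {
  const policy: PolicyDocument = JSON.parse(policyJson);
  const objects = `arn:aws:s3:::${bucketName}/*`;
  return policy.Statement.some((s) => {
    const actions = ([] as string[]).concat(s.Action);
    const resources = ([] as string[]).concat(s.Resource);
    return s.Effect === "Deny" && s.Principal === "*" && actions.includes("s3:PutObject")
      && resources.includes(objects) && s.Condition?.Null?.[KMS_KEY_ID_KEY] === "true";
  });
}

// Constructed stand-in for the policy SST generates (not SST's real output).
const samplePolicy = JSON.stringify({ Version: "2012-10-17", Statement: [{ Effect: "Allow",
  Principal: { Service: "cloudfront.amazonaws.com" }, Action: "s3:GetObject",
  Resource: "arn:aws:s3:::example-bucket-abc123/*" }] });
```

The check only recognises the exact statement shape from the AWS documentation, so a policy that expresses the same intent differently (for example with a `Principal` object) would need the matcher widened.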

@fwang fwang closed this as completed Oct 15, 2024
@thdxr thdxr transferred this issue from sst/ion Oct 21, 2024