Closed chuckwondo closed 2 years ago
To apply fix to Production or to Dev deployments (primary UAT deployment is not affected, as its buckets do not include the account ID in the names), after #51 is approved and merged into main:
main
branchmake docker
(just to be sure you're image is up to date)make all-init
make bash
(to open a terminal window within the Docker container)aws s3 mv --recursive s3://csdap-${CUMULUS_PREFIX}-tfstate-$(aws sts get-caller-identity --query Account --output text)/${TS_ENV} s3://csdap-${CUMULUS_PREFIX}-tfstate/${TS_ENV}
terraspace plan cumulus
(this will ensure the correct buckets are created, but otherwise, ignore the output)aws s3 cp --recursive s3://csdap-${CUMULUS_PREFIX}-internal-$(aws sts get-caller-identity --query Account --output text)/${CUMULUS_PREFIX}/crypto s3://csdap-${CUMULUS_PREFIX}-internal/${CUMULUS_PREFIX}/crypto
make all-init
again (might not be necessary, but just in case, after moving the tfstate files above)make all-up-yes
Issue
Our buckets in Prod include the AWS Account ID in the names. While the configured bucket mapping hides this from appearing in the distribution URLs, the S3 URLs, which do include the Account ID, are still exposed, so we want to use buckets without the Account ID in the names, to avoid exposing them (e.g., via the AWS S3 Access links shown in Earthdata Search).
Acceptance Criteria