🔄 do not create bucket policy if not exists

Signed-off-by: Salim Afiune Maya <afiune@mondoo.com>
mondoohq · Feb 20, 2025 · 01b8dd5 · 01b8dd5
1 parent 75b2543
commit 01b8dd5
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 37 deletions.
diff --git a/providers/aws/resources/aws.lr b/providers/aws/resources/aws.lr
@@ -1822,9 +1822,11 @@ private aws.s3.bucket.corsrule @defaults("name") {
 }
 
 // Amazon S3 bucket policy
-private aws.s3.bucket.policy @defaults("bucketName exists version") {
+private aws.s3.bucket.policy @defaults("bucketName version") {
   // Unique ID for the policy
   id string
+  // Deprecated
+  name string
   // Bucket name that this policy belongs
   bucketName string
   // Document for the policy
@@ -1833,11 +1835,8 @@ private aws.s3.bucket.policy @defaults("bucketName exists version") {
   version() string
   // List of statements for the policy
   statements() []dict
-  // Whether the bucket policy exists
-  exists bool
 }
 
-
 // AWS Application Auto Scaling
 aws.applicationAutoscaling @defaults("namespace") {
   init(namespace string)

diff --git a/providers/aws/resources/aws.lr.go b/providers/aws/resources/aws.lr.go
diff --git a/providers/aws/resources/aws_s3.go b/providers/aws/resources/aws_s3.go
@@ -191,21 +191,6 @@ func (a *mqlAwsS3Bucket) id() (string, error) {
 	return a.Arn.Data, nil
 }
 
-func (a *mqlAwsS3Bucket) emptyAwsS3BucketPolicy() (*mqlAwsS3BucketPolicy, error) {
-	res, err := CreateResource(a.MqlRuntime, "aws.s3.bucket.policy", map[string]*llx.RawData{
-		"bucketName": llx.StringData(a.Name.Data),
-		"document":   llx.StringData("{}"),
-		"version":    llx.StringData(""),
-		"id":         llx.StringData(""),
-		"exists":     llx.BoolData(false),
-		"statements": llx.ArrayData([]interface{}{}, types.Dict),
-	})
-	if err != nil {
-		return nil, err
-	}
-	return res.(*mqlAwsS3BucketPolicy), nil
-}
-
 func (a *mqlAwsS3Bucket) policy() (*mqlAwsS3BucketPolicy, error) {
 	conn := a.MqlRuntime.Connection.(*connection.AwsConnection)
 
@@ -217,10 +202,7 @@ func (a *mqlAwsS3Bucket) policy() (*mqlAwsS3BucketPolicy, error) {
 	policy, err := svc.GetBucketPolicy(ctx, &s3.GetBucketPolicyInput{
 		Bucket: &bucketname,
 	})
-	if err != nil {
-		if isNotFoundForS3(err) {
-			return a.emptyAwsS3BucketPolicy()
-		}
+	if err != nil && !isNotFoundForS3(err) {
 		return nil, err
 	}
 
@@ -233,10 +215,10 @@ func (a *mqlAwsS3Bucket) policy() (*mqlAwsS3BucketPolicy, error) {
 		mqlS3BucketPolicy, err := CreateResource(a.MqlRuntime, "aws.s3.bucket.policy",
 			map[string]*llx.RawData{
 				"id":         llx.StringData(parsedPolicy.Id),
+				"name":       llx.StringData(bucketname),
 				"bucketName": llx.StringData(bucketname),
 				"version":    llx.StringData(parsedPolicy.Version),
 				"document":   llx.StringDataPtr(policy.Policy),
-				"exists":     llx.BoolData(true),
 			})
 		if err != nil {
 			return nil, err
@@ -246,7 +228,7 @@ func (a *mqlAwsS3Bucket) policy() (*mqlAwsS3BucketPolicy, error) {
 	}
 
 	// no bucket policy found, return nil for the policy
-	return a.emptyAwsS3BucketPolicy()
+	return nil, nil
 }
 
 func (a *mqlAwsS3Bucket) tags() (map[string]interface{}, error) {