Add Bucket Policy to Sceptre's template bucket

[rishabhreply]

Subject of the issue

I am creating Sceptre's template bucket by just providing the name to template_bucket_name argument. I now want to enforce communication over HTTPS so I want to add that as a bucket policy to this bucket. How can I achieve this?

Your environment

• version of sceptre (sceptre --3.1)
• version of python (python --3.7)
• which OS/distro MacOS

[jfalkenstein]

template_bucket_name is a resolvable configuration, which means you can easily use !stack_output for it. My recommendation would be to define a new stack for a template bucket that outputs its name and add your policies to that bucket, and then use !stack_output to get the bucket name.

If you do this, you'll want to set the template_bucket_name to null on your template bucket's stack config to avoid the circular dependencies.

[rishabhreply]

THank you very much for the response. What do you mean by setting template_bucket_name to null? I only have one config.yaml file with this parameter to which if I understood correctly I need to provide !stack_output.

Also, during the first run the template bucket is already created by Sceptre, now I am not sure if I can create a new stack template for "creating" a bucket with the same name.

Is there an example somewhere that solves my issue? This link is not helpful.

[jfalkenstein]

Consider this project structure:

- config/
    - config.yaml    # This is your top-level config
    - my-app /
        - config.yaml   # The config in my-app will override configurations from config/config.yaml
        - vpc.yaml
    - template-bucket.yaml

The thing to remember is that, while config/config.yaml is your top-level config that can set configurations for your whole project, those configurations can be overridden in any StackGroup config (such as config/my-app/config.yaml) or Stack config (such as config/template-bucket.yaml).

So, consider these files:

# in config/config.yaml
template_bucket_name: !stack_output template-bucket.yaml::BucketName

parameters: 
    ...

# in config/template-bucket.yaml
# override the template_bucket_name so it doesn't inherit from the top-level config. If it did, it would be a circular 
# dependency that would blow up.
template_bucket_name: null

parameters:
    MyPolicyParameter: "blah-blah"

The point is that you can create the template bucket in template-bucket.yaml and then use that everywhere else by setting it in the top-level config/config.yaml. Remember, configurations from your top level config.yaml will be extended to every other stack in the project that doesn't override them. In this case, on your template bucket, you DO want to override it so that it doesn't try to use itself as the template bucket (which will blow up).

[rishabhreply]

Thank you for the very nice explanation. About the Bucket Policy, how can I define this part:

# in config/template-bucket.yaml
parameters:
    MyPolicyParameter: "blah-blah"

Do I need a template file to which this config/template-bucket.yaml points? Like:

template_path: "path/to/file"

[jfalkenstein]

Exactly. That template-bucket.yaml is for a stack like any other. In it, define a bucket with whatever permissions, lifecycles, etc that you want. Output the name of the bucket on the template and then you can use that output for your template_bucket_name