@webiny/project-aws 6.3.0 → 6.4.0-beta.0

package/pulumi/apps/core/cognitoIdentityProviders/google.js.map

@@ -1 +1 @@
-{"version":3,"names":["getGoogleIdpConfig","userPoolId","config","providerName","providerType","providerDetails","idpIdentifiers","attributeMapping","username","email","given_name","family_name"],"sources":["google.ts"],"sourcesContent":["import type * as pulumi from \"@pulumi/pulumi\";\nimport { type CognitoIdentityProviderConfig } from \"./configure.js\";\nimport { type IdentityProviderArgs } from \"@pulumi/aws/cognito/index.js\";\n\nexport const getGoogleIdpConfig = (\n    userPoolId: pulumi.Input<string>,\n    config: CognitoIdentityProviderConfig\n): IdentityProviderArgs => {\n    return {\n        userPoolId,\n        providerName: \"Google\",\n        providerType: \"Google\",\n        providerDetails: config.providerDetails,\n        idpIdentifiers: config.idpIdentifiers,\n        attributeMapping: {\n            \"custom:id\": \"sub\",\n            username: \"sub\",\n            email: \"email\",\n            given_name: \"given_name\",\n            family_name: \"family_name\",\n            ...config.attributeMapping\n        }\n    };\n};\n"],"mappings":"AAIA,OAAO,MAAMA,kBAAkB,GAAGA,CAC9BC,UAAgC,EAChCC,MAAqC,KACd;EACvB,OAAO;IACHD,UAAU;IACVE,YAAY,EAAE,QAAQ;IACtBC,YAAY,EAAE,QAAQ;IACtBC,eAAe,EAAEH,MAAM,CAACG,eAAe;IACvCC,cAAc,EAAEJ,MAAM,CAACI,cAAc;IACrCC,gBAAgB,EAAE;MACd,WAAW,EAAE,KAAK;MAClBC,QAAQ,EAAE,KAAK;MACfC,KAAK,EAAE,OAAO;MACdC,UAAU,EAAE,YAAY;MACxBC,WAAW,EAAE,aAAa;MAC1B,GAAGT,MAAM,CAACK;IACd;EACJ,CAAC;AACL,CAAC","ignoreList":[]}
+{"version":3,"file":"pulumi/apps/core/cognitoIdentityProviders/google.js","sources":["../../../../../src/pulumi/apps/core/cognitoIdentityProviders/google.ts"],"sourcesContent":["import type * as pulumi from \"@pulumi/pulumi\";\nimport { type CognitoIdentityProviderConfig } from \"./configure.js\";\nimport { type IdentityProviderArgs } from \"@pulumi/aws/cognito/index.js\";\n\nexport const getGoogleIdpConfig = (\n    userPoolId: pulumi.Input<string>,\n    config: CognitoIdentityProviderConfig\n): IdentityProviderArgs => {\n    return {\n        userPoolId,\n        providerName: \"Google\",\n        providerType: \"Google\",\n        providerDetails: config.providerDetails,\n        idpIdentifiers: config.idpIdentifiers,\n        attributeMapping: {\n            \"custom:id\": \"sub\",\n            username: \"sub\",\n            email: \"email\",\n            given_name: \"given_name\",\n            family_name: \"family_name\",\n            ...config.attributeMapping\n        }\n    };\n};\n"],"names":["getGoogleIdpConfig","userPoolId","config"],"mappings":"AAIO,MAAMA,qBAAqB,CAC9BC,YACAC,SAEO;QACHD;QACA,cAAc;QACd,cAAc;QACd,iBAAiBC,OAAO,eAAe;QACvC,gBAAgBA,OAAO,cAAc;QACrC,kBAAkB;YACd,aAAa;YACb,UAAU;YACV,OAAO;YACP,YAAY;YACZ,aAAa;YACb,GAAGA,OAAO,gBAAgB;QAC9B;IACJ"}

package/pulumi/apps/core/cognitoIdentityProviders/index.js

@@ -1,3 +1 @@
 export * from "./configure.js";
-
-//# sourceMappingURL=index.js.map

package/pulumi/apps/core/cognitoIdentityProviders/oidc.js

@@ -1,20 +1,19 @@
-export const getOidcIdpConfig = (userPoolId, config) => {
-  return {
-    userPoolId,
-    providerName: config.name || "OIDC",
-    providerType: "OIDC",
-    providerDetails: config.providerDetails,
-    idpIdentifiers: config.idpIdentifiers,
-    attributeMapping: {
-      "custom:id": "sub",
-      username: "sub",
-      email: "email",
-      given_name: "given_name",
-      family_name: "family_name",
-      preferred_username: "email",
-      ...config.attributeMapping
-    }
-  };
-};
+const getOidcIdpConfig = (userPoolId, config)=>({
+        userPoolId,
+        providerName: config.name || "OIDC",
+        providerType: "OIDC",
+        providerDetails: config.providerDetails,
+        idpIdentifiers: config.idpIdentifiers,
+        attributeMapping: {
+            "custom:id": "sub",
+            username: "sub",
+            email: "email",
+            given_name: "given_name",
+            family_name: "family_name",
+            preferred_username: "email",
+            ...config.attributeMapping
+        }
+    });
+export { getOidcIdpConfig };
 
 //# sourceMappingURL=oidc.js.map

package/pulumi/apps/core/cognitoIdentityProviders/oidc.js.map

@@ -1 +1 @@
-{"version":3,"names":["getOidcIdpConfig","userPoolId","config","providerName","name","providerType","providerDetails","idpIdentifiers","attributeMapping","username","email","given_name","family_name","preferred_username"],"sources":["oidc.ts"],"sourcesContent":["import type * as pulumi from \"@pulumi/pulumi\";\nimport { type CognitoIdentityProviderConfig } from \"./configure.js\";\nimport { type IdentityProviderArgs } from \"@pulumi/aws/cognito/index.js\";\n\nexport const getOidcIdpConfig = (\n    userPoolId: pulumi.Input<string>,\n    config: CognitoIdentityProviderConfig\n): IdentityProviderArgs => {\n    return {\n        userPoolId,\n        providerName: config.name || \"OIDC\",\n        providerType: \"OIDC\",\n        providerDetails: config.providerDetails,\n        idpIdentifiers: config.idpIdentifiers,\n        attributeMapping: {\n            \"custom:id\": \"sub\",\n            username: \"sub\",\n            email: \"email\",\n            given_name: \"given_name\",\n            family_name: \"family_name\",\n            preferred_username: \"email\",\n            ...config.attributeMapping\n        }\n    };\n};\n"],"mappings":"AAIA,OAAO,MAAMA,gBAAgB,GAAGA,CAC5BC,UAAgC,EAChCC,MAAqC,KACd;EACvB,OAAO;IACHD,UAAU;IACVE,YAAY,EAAED,MAAM,CAACE,IAAI,IAAI,MAAM;IACnCC,YAAY,EAAE,MAAM;IACpBC,eAAe,EAAEJ,MAAM,CAACI,eAAe;IACvCC,cAAc,EAAEL,MAAM,CAACK,cAAc;IACrCC,gBAAgB,EAAE;MACd,WAAW,EAAE,KAAK;MAClBC,QAAQ,EAAE,KAAK;MACfC,KAAK,EAAE,OAAO;MACdC,UAAU,EAAE,YAAY;MACxBC,WAAW,EAAE,aAAa;MAC1BC,kBAAkB,EAAE,OAAO;MAC3B,GAAGX,MAAM,CAACM;IACd;EACJ,CAAC;AACL,CAAC","ignoreList":[]}
+{"version":3,"file":"pulumi/apps/core/cognitoIdentityProviders/oidc.js","sources":["../../../../../src/pulumi/apps/core/cognitoIdentityProviders/oidc.ts"],"sourcesContent":["import type * as pulumi from \"@pulumi/pulumi\";\nimport { type CognitoIdentityProviderConfig } from \"./configure.js\";\nimport { type IdentityProviderArgs } from \"@pulumi/aws/cognito/index.js\";\n\nexport const getOidcIdpConfig = (\n    userPoolId: pulumi.Input<string>,\n    config: CognitoIdentityProviderConfig\n): IdentityProviderArgs => {\n    return {\n        userPoolId,\n        providerName: config.name || \"OIDC\",\n        providerType: \"OIDC\",\n        providerDetails: config.providerDetails,\n        idpIdentifiers: config.idpIdentifiers,\n        attributeMapping: {\n            \"custom:id\": \"sub\",\n            username: \"sub\",\n            email: \"email\",\n            given_name: \"given_name\",\n            family_name: \"family_name\",\n            preferred_username: \"email\",\n            ...config.attributeMapping\n        }\n    };\n};\n"],"names":["getOidcIdpConfig","userPoolId","config"],"mappings":"AAIO,MAAMA,mBAAmB,CAC5BC,YACAC,SAEO;QACHD;QACA,cAAcC,OAAO,IAAI,IAAI;QAC7B,cAAc;QACd,iBAAiBA,OAAO,eAAe;QACvC,gBAAgBA,OAAO,cAAc;QACrC,kBAAkB;YACd,aAAa;YACb,UAAU;YACV,OAAO;YACP,YAAY;YACZ,aAAa;YACb,oBAAoB;YACpB,GAAGA,OAAO,gBAAgB;QAC9B;IACJ"}

package/pulumi/apps/core/configureS3BucketMalwareProtection.js

@@ -1,195 +1,258 @@
-import * as pulumi from "@pulumi/pulumi";
-import * as aws from "@pulumi/aws";
 import { getAwsAccountId, getAwsRegion } from "../awsUtils.js";
-export const configureS3BucketMalwareProtection = app => {
-  const awsAccountId = getAwsAccountId(app);
-  const awsRegion = getAwsRegion(app);
-  const eventBus = app.resources.eventBus;
-  const bucket = app.resources.fileManagerBucket.output;
-  const currentAccount = {
-    StringEquals: {
-      "aws:ResourceAccount": awsAccountId
-    }
-  };
-  const managedByGuardDuty = {
-    StringEquals: {
-      "events:ManagedBy": "malware-protection-plan.guardduty.amazonaws.com"
-    }
-  };
-  const assumeRole = aws.iam.getPolicyDocument({
-    statements: [{
-      effect: "Allow",
-      principals: [{
-        type: "Service",
-        identifiers: ["malware-protection-plan.guardduty.amazonaws.com"]
-      }],
-      actions: ["sts:AssumeRole"]
-    }]
-  });
-  const role = app.addResource(aws.iam.Role, {
-    name: "fm-bucket-guardduty-role",
-    config: {
-      assumeRolePolicy: assumeRole.then(assumeRole => assumeRole.json)
-    }
-  });
-  const policy = app.addResource(aws.iam.Policy, {
-    name: `fm-bucket-guardduty-role-policy`,
-    config: {
-      description: "This policy enables GuardDuty to interact with the S3 bucket.",
-      policy: {
-        Version: "2012-10-17",
-        Statement: [{
-          Sid: "AllowManagedRuleToSendS3EventsToGuardDuty",
-          Effect: "Allow",
-          Action: ["events:PutRule"],
-          Resource: [pulumi.interpolate`arn:aws:events:${awsRegion}:${awsAccountId}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*`],
-          Condition: {
-            ...managedByGuardDuty,
-            "ForAllValues:StringEquals": {
-              "events:source": "aws.s3",
-              "events:detail-type": ["Object Created", "AWS API Call via CloudTrail"]
-            },
-            Null: {
-              "events:source": "false",
-              "events:detail-type": "false"
+import * as __rspack_external__pulumi_pulumi_d0276039 from "@pulumi/pulumi";
+import * as __rspack_external__pulumi_aws_e7af83c1 from "@pulumi/aws";
+const configureS3BucketMalwareProtection = (app)=>{
+    const awsAccountId = getAwsAccountId(app);
+    const awsRegion = getAwsRegion(app);
+    const eventBus = app.resources.eventBus;
+    const bucket = app.resources.fileManagerBucket.output;
+    const currentAccount = {
+        StringEquals: {
+            "aws:ResourceAccount": awsAccountId
+        }
+    };
+    const managedByGuardDuty = {
+        StringEquals: {
+            "events:ManagedBy": "malware-protection-plan.guardduty.amazonaws.com"
+        }
+    };
+    const assumeRole = __rspack_external__pulumi_aws_e7af83c1.iam.getPolicyDocument({
+        statements: [
+            {
+                effect: "Allow",
+                principals: [
+                    {
+                        type: "Service",
+                        identifiers: [
+                            "malware-protection-plan.guardduty.amazonaws.com"
+                        ]
+                    }
+                ],
+                actions: [
+                    "sts:AssumeRole"
+                ]
             }
-          }
-        }, {
-          Sid: "AllowUpdateTargetAndDeleteManagedRule",
-          Effect: "Allow",
-          Action: ["events:DeleteRule", "events:PutTargets", "events:RemoveTargets"],
-          Resource: [pulumi.interpolate`arn:aws:events:${awsRegion}:${awsAccountId}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*`],
-          Condition: {
-            ...managedByGuardDuty
-          }
-        }, {
-          Sid: "AllowGuardDutyToMonitorEventBridgeManagedRule",
-          Effect: "Allow",
-          Action: ["events:DescribeRule", "events:ListTargetsByRule"],
-          Resource: [pulumi.interpolate`arn:aws:events:${awsRegion}:${awsAccountId}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*`]
-        }, {
-          Sid: "AllowPostScanTag",
-          Effect: "Allow",
-          Action: ["s3:GetObjectTagging", "s3:GetObjectVersionTagging", "s3:PutObjectTagging", "s3:PutObjectVersionTagging"],
-          Resource: [pulumi.interpolate`arn:aws:s3:::${bucket.bucket}/*`],
-          Condition: {
-            ...currentAccount
-          }
-        }, {
-          Sid: "AllowEnableS3EventBridgeEvents",
-          Effect: "Allow",
-          Action: ["s3:PutBucketNotification", "s3:GetBucketNotification"],
-          Resource: [pulumi.interpolate`arn:aws:s3:::${bucket.bucket}`],
-          Condition: {
-            ...currentAccount
-          }
-        }, {
-          Sid: "AllowPutValidationObject",
-          Effect: "Allow",
-          Action: ["s3:PutObject"],
-          Resource: [pulumi.interpolate`arn:aws:s3:::${bucket.bucket}/malware-protection-resource-validation-object`],
-          Condition: {
-            ...currentAccount
-          }
-        }, {
-          Sid: "AllowCheckBucketOwnership",
-          Effect: "Allow",
-          Action: ["s3:ListBucket"],
-          Resource: [pulumi.interpolate`arn:aws:s3:::${bucket.bucket}`],
-          Condition: {
-            ...currentAccount
-          }
-        }, {
-          Sid: "AllowMalwareScan",
-          Effect: "Allow",
-          Action: ["s3:GetObject", "s3:GetObjectVersion"],
-          Resource: [pulumi.interpolate`arn:aws:s3:::${bucket.bucket}/*`],
-          Condition: {
-            ...currentAccount
-          }
-        }]
-      }
-    }
-  });
-  app.addResource(aws.iam.RolePolicyAttachment, {
-    name: `fm-bucket-malware-protection-role-policy-attachment`,
-    config: {
-      role: role.output.name,
-      policyArn: policy.output.arn
-    }
-  });
-  app.addResource(aws.guardduty.MalwareProtectionPlan, {
-    name: `fm-bucket-malware-protection-plan`,
-    config: {
-      role: role.output.arn,
-      protectedResource: {
-        s3Bucket: {
-          bucketName: bucket.bucket
+        ]
+    });
+    const role = app.addResource(__rspack_external__pulumi_aws_e7af83c1.iam.Role, {
+        name: "fm-bucket-guardduty-role",
+        config: {
+            assumeRolePolicy: assumeRole.then((assumeRole)=>assumeRole.json)
         }
-      }
-    }
-  });
-
-  // FORWARD EVENTS FROM "DEFAULT" TO CUSTOM EVENT BUS.
-
-  // Create an IAM Role for EventBridge to forward events
-  const eventBridgeRole = app.addResource(aws.iam.Role, {
-    name: "guard-duty-forward-events-role",
-    config: {
-      assumeRolePolicy: JSON.stringify({
-        Version: "2012-10-17",
-        Statement: [{
-          Effect: "Allow",
-          Principal: {
-            Service: "events.amazonaws.com"
-          },
-          Action: "sts:AssumeRole"
-        }]
-      })
-    }
-  });
-
-  // Attach Policy to Allow EventBridge to PutEvents on Custom Event Bus
-  app.addResource(aws.iam.RolePolicy, {
-    name: "guard-duty-forward-events-policy",
-    config: {
-      role: eventBridgeRole.output,
-      policy: pulumi.output(eventBus.output.arn).apply(arn => JSON.stringify({
-        Version: "2012-10-17",
-        Statement: [{
-          Effect: "Allow",
-          Action: "events:PutEvents",
-          Resource: arn
-        }]
-      }))
-    }
-  });
-  const forwardToCustomBusRule = app.addResource(aws.cloudwatch.EventRule, {
-    name: "forward-events-from-default-to-custom-bus-rule",
-    config: {
-      eventBusName: "default",
-      eventPattern: bucket.bucket.apply(name => JSON.stringify({
-        source: ["aws.guardduty"],
-        "detail-type": ["GuardDuty Malware Protection Object Scan Result"],
-        detail: {
-          s3ObjectDetails: {
-            bucketName: [name]
-          }
+    });
+    const policy = app.addResource(__rspack_external__pulumi_aws_e7af83c1.iam.Policy, {
+        name: "fm-bucket-guardduty-role-policy",
+        config: {
+            description: "This policy enables GuardDuty to interact with the S3 bucket.",
+            policy: {
+                Version: "2012-10-17",
+                Statement: [
+                    {
+                        Sid: "AllowManagedRuleToSendS3EventsToGuardDuty",
+                        Effect: "Allow",
+                        Action: [
+                            "events:PutRule"
+                        ],
+                        Resource: [
+                            __rspack_external__pulumi_pulumi_d0276039.interpolate`arn:aws:events:${awsRegion}:${awsAccountId}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*`
+                        ],
+                        Condition: {
+                            ...managedByGuardDuty,
+                            "ForAllValues:StringEquals": {
+                                "events:source": "aws.s3",
+                                "events:detail-type": [
+                                    "Object Created",
+                                    "AWS API Call via CloudTrail"
+                                ]
+                            },
+                            Null: {
+                                "events:source": "false",
+                                "events:detail-type": "false"
+                            }
+                        }
+                    },
+                    {
+                        Sid: "AllowUpdateTargetAndDeleteManagedRule",
+                        Effect: "Allow",
+                        Action: [
+                            "events:DeleteRule",
+                            "events:PutTargets",
+                            "events:RemoveTargets"
+                        ],
+                        Resource: [
+                            __rspack_external__pulumi_pulumi_d0276039.interpolate`arn:aws:events:${awsRegion}:${awsAccountId}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*`
+                        ],
+                        Condition: {
+                            ...managedByGuardDuty
+                        }
+                    },
+                    {
+                        Sid: "AllowGuardDutyToMonitorEventBridgeManagedRule",
+                        Effect: "Allow",
+                        Action: [
+                            "events:DescribeRule",
+                            "events:ListTargetsByRule"
+                        ],
+                        Resource: [
+                            __rspack_external__pulumi_pulumi_d0276039.interpolate`arn:aws:events:${awsRegion}:${awsAccountId}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*`
+                        ]
+                    },
+                    {
+                        Sid: "AllowPostScanTag",
+                        Effect: "Allow",
+                        Action: [
+                            "s3:GetObjectTagging",
+                            "s3:GetObjectVersionTagging",
+                            "s3:PutObjectTagging",
+                            "s3:PutObjectVersionTagging"
+                        ],
+                        Resource: [
+                            __rspack_external__pulumi_pulumi_d0276039.interpolate`arn:aws:s3:::${bucket.bucket}/*`
+                        ],
+                        Condition: {
+                            ...currentAccount
+                        }
+                    },
+                    {
+                        Sid: "AllowEnableS3EventBridgeEvents",
+                        Effect: "Allow",
+                        Action: [
+                            "s3:PutBucketNotification",
+                            "s3:GetBucketNotification"
+                        ],
+                        Resource: [
+                            __rspack_external__pulumi_pulumi_d0276039.interpolate`arn:aws:s3:::${bucket.bucket}`
+                        ],
+                        Condition: {
+                            ...currentAccount
+                        }
+                    },
+                    {
+                        Sid: "AllowPutValidationObject",
+                        Effect: "Allow",
+                        Action: [
+                            "s3:PutObject"
+                        ],
+                        Resource: [
+                            __rspack_external__pulumi_pulumi_d0276039.interpolate`arn:aws:s3:::${bucket.bucket}/malware-protection-resource-validation-object`
+                        ],
+                        Condition: {
+                            ...currentAccount
+                        }
+                    },
+                    {
+                        Sid: "AllowCheckBucketOwnership",
+                        Effect: "Allow",
+                        Action: [
+                            "s3:ListBucket"
+                        ],
+                        Resource: [
+                            __rspack_external__pulumi_pulumi_d0276039.interpolate`arn:aws:s3:::${bucket.bucket}`
+                        ],
+                        Condition: {
+                            ...currentAccount
+                        }
+                    },
+                    {
+                        Sid: "AllowMalwareScan",
+                        Effect: "Allow",
+                        Action: [
+                            "s3:GetObject",
+                            "s3:GetObjectVersion"
+                        ],
+                        Resource: [
+                            __rspack_external__pulumi_pulumi_d0276039.interpolate`arn:aws:s3:::${bucket.bucket}/*`
+                        ],
+                        Condition: {
+                            ...currentAccount
+                        }
+                    }
+                ]
+            }
         }
-      }))
-    }
-  });
-
-  // Target: Send events to the custom event bus
-  app.addResource(aws.cloudwatch.EventTarget, {
-    name: "forward-events-from-default-to-custom-bus-target",
-    config: {
-      rule: forwardToCustomBusRule.output.name,
-      roleArn: eventBridgeRole.output.arn,
-      eventBusName: "default",
-      arn: eventBus.output.arn
-    }
-  });
+    });
+    app.addResource(__rspack_external__pulumi_aws_e7af83c1.iam.RolePolicyAttachment, {
+        name: "fm-bucket-malware-protection-role-policy-attachment",
+        config: {
+            role: role.output.name,
+            policyArn: policy.output.arn
+        }
+    });
+    app.addResource(__rspack_external__pulumi_aws_e7af83c1.guardduty.MalwareProtectionPlan, {
+        name: "fm-bucket-malware-protection-plan",
+        config: {
+            role: role.output.arn,
+            protectedResource: {
+                s3Bucket: {
+                    bucketName: bucket.bucket
+                }
+            }
+        }
+    });
+    const eventBridgeRole = app.addResource(__rspack_external__pulumi_aws_e7af83c1.iam.Role, {
+        name: "guard-duty-forward-events-role",
+        config: {
+            assumeRolePolicy: JSON.stringify({
+                Version: "2012-10-17",
+                Statement: [
+                    {
+                        Effect: "Allow",
+                        Principal: {
+                            Service: "events.amazonaws.com"
+                        },
+                        Action: "sts:AssumeRole"
+                    }
+                ]
+            })
+        }
+    });
+    app.addResource(__rspack_external__pulumi_aws_e7af83c1.iam.RolePolicy, {
+        name: "guard-duty-forward-events-policy",
+        config: {
+            role: eventBridgeRole.output,
+            policy: __rspack_external__pulumi_pulumi_d0276039.output(eventBus.output.arn).apply((arn)=>JSON.stringify({
+                    Version: "2012-10-17",
+                    Statement: [
+                        {
+                            Effect: "Allow",
+                            Action: "events:PutEvents",
+                            Resource: arn
+                        }
+                    ]
+                }))
+        }
+    });
+    const forwardToCustomBusRule = app.addResource(__rspack_external__pulumi_aws_e7af83c1.cloudwatch.EventRule, {
+        name: "forward-events-from-default-to-custom-bus-rule",
+        config: {
+            eventBusName: "default",
+            eventPattern: bucket.bucket.apply((name)=>JSON.stringify({
+                    source: [
+                        "aws.guardduty"
+                    ],
+                    "detail-type": [
+                        "GuardDuty Malware Protection Object Scan Result"
+                    ],
+                    detail: {
+                        s3ObjectDetails: {
+                            bucketName: [
+                                name
+                            ]
+                        }
+                    }
+                }))
+        }
+    });
+    app.addResource(__rspack_external__pulumi_aws_e7af83c1.cloudwatch.EventTarget, {
+        name: "forward-events-from-default-to-custom-bus-target",
+        config: {
+            rule: forwardToCustomBusRule.output.name,
+            roleArn: eventBridgeRole.output.arn,
+            eventBusName: "default",
+            arn: eventBus.output.arn
+        }
+    });
 };
+export { configureS3BucketMalwareProtection };
 
 //# sourceMappingURL=configureS3BucketMalwareProtection.js.map

package/pulumi/apps/core/configureS3BucketMalwareProtection.js.map

@@ -1 +1 @@
-{"version":3,"names":["pulumi","aws","getAwsAccountId","getAwsRegion","configureS3BucketMalwareProtection","app","awsAccountId","awsRegion","eventBus","resources","bucket","fileManagerBucket","output","currentAccount","StringEquals","managedByGuardDuty","assumeRole","iam","getPolicyDocument","statements","effect","principals","type","identifiers","actions","role","addResource","Role","name","config","assumeRolePolicy","then","json","policy","Policy","description","Version","Statement","Sid","Effect","Action","Resource","interpolate","Condition","Null","RolePolicyAttachment","policyArn","arn","guardduty","MalwareProtectionPlan","protectedResource","s3Bucket","bucketName","eventBridgeRole","JSON","stringify","Principal","Service","RolePolicy","apply","forwardToCustomBusRule","cloudwatch","EventRule","eventBusName","eventPattern","source","detail","s3ObjectDetails","EventTarget","rule","roleArn"],"sources":["configureS3BucketMalwareProtection.ts"],"sourcesContent":["import * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\nimport type { CorePulumiApp } from \"~/pulumi/apps/core/index.js\";\nimport { getAwsAccountId, getAwsRegion } from \"~/pulumi/apps/awsUtils.js\";\n\nexport const configureS3BucketMalwareProtection = (app: CorePulumiApp) => {\n    const awsAccountId = getAwsAccountId(app);\n    const awsRegion = getAwsRegion(app);\n    const eventBus = app.resources.eventBus;\n\n    const bucket = app.resources.fileManagerBucket.output;\n\n    const currentAccount = {\n        StringEquals: {\n            \"aws:ResourceAccount\": awsAccountId\n        }\n    };\n\n    const managedByGuardDuty = {\n        StringEquals: {\n            \"events:ManagedBy\": \"malware-protection-plan.guardduty.amazonaws.com\"\n        }\n    };\n\n    const assumeRole = aws.iam.getPolicyDocument({\n        statements: [\n            {\n                effect: \"Allow\",\n                principals: [\n                    {\n                        type: \"Service\",\n                        identifiers: [\"malware-protection-plan.guardduty.amazonaws.com\"]\n                    }\n                ],\n                actions: [\"sts:AssumeRole\"]\n            }\n        ]\n    });\n\n    const role = app.addResource(aws.iam.Role, {\n        name: \"fm-bucket-guardduty-role\",\n        config: {\n            assumeRolePolicy: assumeRole.then(assumeRole => assumeRole.json)\n        }\n    });\n\n    const policy = app.addResource(aws.iam.Policy, {\n        name: `fm-bucket-guardduty-role-policy`,\n        config: {\n            description: \"This policy enables GuardDuty to interact with the S3 bucket.\",\n            policy: {\n                Version: \"2012-10-17\",\n                Statement: [\n                    {\n                        Sid: \"AllowManagedRuleToSendS3EventsToGuardDuty\",\n                        Effect: \"Allow\",\n                        Action: [\"events:PutRule\"],\n                        Resource: [\n                            pulumi.interpolate`arn:aws:events:${awsRegion}:${awsAccountId}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*`\n                        ],\n                        Condition: {\n                            ...managedByGuardDuty,\n                            \"ForAllValues:StringEquals\": {\n                                \"events:source\": \"aws.s3\",\n                                \"events:detail-type\": [\n                                    \"Object Created\",\n                                    \"AWS API Call via CloudTrail\"\n                                ]\n                            },\n                            Null: {\n                                \"events:source\": \"false\",\n                                \"events:detail-type\": \"false\"\n                            }\n                        }\n                    },\n                    {\n                        Sid: \"AllowUpdateTargetAndDeleteManagedRule\",\n                        Effect: \"Allow\",\n                        Action: [\"events:DeleteRule\", \"events:PutTargets\", \"events:RemoveTargets\"],\n                        Resource: [\n                            pulumi.interpolate`arn:aws:events:${awsRegion}:${awsAccountId}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*`\n                        ],\n                        Condition: {\n                            ...managedByGuardDuty\n                        }\n                    },\n                    {\n                        Sid: \"AllowGuardDutyToMonitorEventBridgeManagedRule\",\n                        Effect: \"Allow\",\n                        Action: [\"events:DescribeRule\", \"events:ListTargetsByRule\"],\n                        Resource: [\n                            pulumi.interpolate`arn:aws:events:${awsRegion}:${awsAccountId}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*`\n                        ]\n                    },\n                    {\n                        Sid: \"AllowPostScanTag\",\n                        Effect: \"Allow\",\n                        Action: [\n                            \"s3:GetObjectTagging\",\n                            \"s3:GetObjectVersionTagging\",\n                            \"s3:PutObjectTagging\",\n                            \"s3:PutObjectVersionTagging\"\n                        ],\n                        Resource: [pulumi.interpolate`arn:aws:s3:::${bucket.bucket}/*`],\n                        Condition: {\n                            ...currentAccount\n                        }\n                    },\n                    {\n                        Sid: \"AllowEnableS3EventBridgeEvents\",\n                        Effect: \"Allow\",\n                        Action: [\"s3:PutBucketNotification\", \"s3:GetBucketNotification\"],\n                        Resource: [pulumi.interpolate`arn:aws:s3:::${bucket.bucket}`],\n                        Condition: {\n                            ...currentAccount\n                        }\n                    },\n                    {\n                        Sid: \"AllowPutValidationObject\",\n                        Effect: \"Allow\",\n                        Action: [\"s3:PutObject\"],\n                        Resource: [\n                            pulumi.interpolate`arn:aws:s3:::${bucket.bucket}/malware-protection-resource-validation-object`\n                        ],\n                        Condition: {\n                            ...currentAccount\n                        }\n                    },\n                    {\n                        Sid: \"AllowCheckBucketOwnership\",\n                        Effect: \"Allow\",\n                        Action: [\"s3:ListBucket\"],\n                        Resource: [pulumi.interpolate`arn:aws:s3:::${bucket.bucket}`],\n                        Condition: {\n                            ...currentAccount\n                        }\n                    },\n                    {\n                        Sid: \"AllowMalwareScan\",\n                        Effect: \"Allow\",\n                        Action: [\"s3:GetObject\", \"s3:GetObjectVersion\"],\n                        Resource: [pulumi.interpolate`arn:aws:s3:::${bucket.bucket}/*`],\n                        Condition: {\n                            ...currentAccount\n                        }\n                    }\n                ]\n            }\n        }\n    });\n\n    app.addResource(aws.iam.RolePolicyAttachment, {\n        name: `fm-bucket-malware-protection-role-policy-attachment`,\n        config: {\n            role: role.output.name,\n            policyArn: policy.output.arn\n        }\n    });\n\n    app.addResource(aws.guardduty.MalwareProtectionPlan, {\n        name: `fm-bucket-malware-protection-plan`,\n        config: {\n            role: role.output.arn,\n            protectedResource: {\n                s3Bucket: {\n                    bucketName: bucket.bucket\n                }\n            }\n        }\n    });\n\n    // FORWARD EVENTS FROM \"DEFAULT\" TO CUSTOM EVENT BUS.\n\n    // Create an IAM Role for EventBridge to forward events\n    const eventBridgeRole = app.addResource(aws.iam.Role, {\n        name: \"guard-duty-forward-events-role\",\n        config: {\n            assumeRolePolicy: JSON.stringify({\n                Version: \"2012-10-17\",\n                Statement: [\n                    {\n                        Effect: \"Allow\",\n                        Principal: { Service: \"events.amazonaws.com\" },\n                        Action: \"sts:AssumeRole\"\n                    }\n                ]\n            })\n        }\n    });\n\n    // Attach Policy to Allow EventBridge to PutEvents on Custom Event Bus\n    app.addResource(aws.iam.RolePolicy, {\n        name: \"guard-duty-forward-events-policy\",\n        config: {\n            role: eventBridgeRole.output,\n            policy: pulumi.output(eventBus.output.arn).apply(arn =>\n                JSON.stringify({\n                    Version: \"2012-10-17\",\n                    Statement: [\n                        {\n                            Effect: \"Allow\",\n                            Action: \"events:PutEvents\",\n                            Resource: arn\n                        }\n                    ]\n                })\n            )\n        }\n    });\n\n    const forwardToCustomBusRule = app.addResource(aws.cloudwatch.EventRule, {\n        name: \"forward-events-from-default-to-custom-bus-rule\",\n        config: {\n            eventBusName: \"default\",\n            eventPattern: bucket.bucket.apply(name =>\n                JSON.stringify({\n                    source: [\"aws.guardduty\"],\n                    \"detail-type\": [\"GuardDuty Malware Protection Object Scan Result\"],\n                    detail: {\n                        s3ObjectDetails: {\n                            bucketName: [name]\n                        }\n                    }\n                })\n            )\n        }\n    });\n\n    // Target: Send events to the custom event bus\n    app.addResource(aws.cloudwatch.EventTarget, {\n        name: \"forward-events-from-default-to-custom-bus-target\",\n        config: {\n            rule: forwardToCustomBusRule.output.name,\n            roleArn: eventBridgeRole.output.arn,\n            eventBusName: \"default\",\n            arn: eventBus.output.arn\n        }\n    });\n};\n"],"mappings":"AAAA,OAAO,KAAKA,MAAM,MAAM,gBAAgB;AACxC,OAAO,KAAKC,GAAG,MAAM,aAAa;AAElC,SAASC,eAAe,EAAEC,YAAY;AAEtC,OAAO,MAAMC,kCAAkC,GAAIC,GAAkB,IAAK;EACtE,MAAMC,YAAY,GAAGJ,eAAe,CAACG,GAAG,CAAC;EACzC,MAAME,SAAS,GAAGJ,YAAY,CAACE,GAAG,CAAC;EACnC,MAAMG,QAAQ,GAAGH,GAAG,CAACI,SAAS,CAACD,QAAQ;EAEvC,MAAME,MAAM,GAAGL,GAAG,CAACI,SAAS,CAACE,iBAAiB,CAACC,MAAM;EAErD,MAAMC,cAAc,GAAG;IACnBC,YAAY,EAAE;MACV,qBAAqB,EAAER;IAC3B;EACJ,CAAC;EAED,MAAMS,kBAAkB,GAAG;IACvBD,YAAY,EAAE;MACV,kBAAkB,EAAE;IACxB;EACJ,CAAC;EAED,MAAME,UAAU,GAAGf,GAAG,CAACgB,GAAG,CAACC,iBAAiB,CAAC;IACzCC,UAAU,EAAE,CACR;MACIC,MAAM,EAAE,OAAO;MACfC,UAAU,EAAE,CACR;QACIC,IAAI,EAAE,SAAS;QACfC,WAAW,EAAE,CAAC,iDAAiD;MACnE,CAAC,CACJ;MACDC,OAAO,EAAE,CAAC,gBAAgB;IAC9B,CAAC;EAET,CAAC,CAAC;EAEF,MAAMC,IAAI,GAAGpB,GAAG,CAACqB,WAAW,CAACzB,GAAG,CAACgB,GAAG,CAACU,IAAI,EAAE;IACvCC,IAAI,EAAE,0BAA0B;IAChCC,MAAM,EAAE;MACJC,gBAAgB,EAAEd,UAAU,CAACe,IAAI,CAACf,UAAU,IAAIA,UAAU,CAACgB,IAAI;IACnE;EACJ,CAAC,CAAC;EAEF,MAAMC,MAAM,GAAG5B,GAAG,CAACqB,WAAW,CAACzB,GAAG,CAACgB,GAAG,CAACiB,MAAM,EAAE;IAC3CN,IAAI,EAAE,iCAAiC;IACvCC,MAAM,EAAE;MACJM,WAAW,EAAE,+DAA+D;MAC5EF,MAAM,EAAE;QACJG,OAAO,EAAE,YAAY;QACrBC,SAAS,EAAE,CACP;UACIC,GAAG,EAAE,2CAA2C;UAChDC,MAAM,EAAE,OAAO;UACfC,MAAM,EAAE,CAAC,gBAAgB,CAAC;UAC1BC,QAAQ,EAAE,CACNzC,MAAM,CAAC0C,WAAW,kBAAkBnC,SAAS,IAAID,YAAY,yDAAyD,CACzH;UACDqC,SAAS,EAAE;YACP,GAAG5B,kBAAkB;YACrB,2BAA2B,EAAE;cACzB,eAAe,EAAE,QAAQ;cACzB,oBAAoB,EAAE,CAClB,gBAAgB,EAChB,6BAA6B;YAErC,CAAC;YACD6B,IAAI,EAAE;cACF,eAAe,EAAE,OAAO;cACxB,oBAAoB,EAAE;YAC1B;UACJ;QACJ,CAAC,EACD;UACIN,GAAG,EAAE,uCAAuC;UAC5CC,MAAM,EAAE,OAAO;UACfC,MAAM,EAAE,CAAC,mBAAmB,EAAE,mBAAmB,EAAE,sBAAsB,CAAC;UAC1EC,QAAQ,EAAE,CACNzC,MAAM,CAAC0C,WAAW,kBAAkBnC,SAAS,IAAID,YAAY,yDAAyD,CACzH;UACDqC,SAAS,EAAE;YACP,GAAG5B;UACP;QACJ,CAAC,EACD;UACIuB,GAAG,EAAE,+CAA+C;UACpDC,MAAM,EAAE,OAAO;UACfC,MAAM,EAAE,CAAC,qBAAqB,EAAE,0BAA0B,CAAC;UAC3DC,QAAQ,EAAE,CACNzC,MAAM,CAAC0C,WAAW,kBAAkBnC,SAAS,IAAID,YAAY,yDAAyD;QAE9H,CAAC,EACD;UACIgC,GAAG,EAAE,kBAAkB;UACvBC,MAAM,EAAE,OAAO;UACfC,MAAM,EAAE,CACJ,qBAAqB,EACrB,4BAA4B,EAC5B,qBAAqB,EACrB,4BAA4B,CAC/B;UACDC,QAAQ,EAAE,CAACzC,MAAM,CAAC0C,WAAW,gBAAgBhC,MAAM,CAACA,MAAM,IAAI,CAAC;UAC/DiC,SAAS,EAAE;YACP,GAAG9B;UACP;QACJ,CAAC,EACD;UACIyB,GAAG,EAAE,gCAAgC;UACrCC,MAAM,EAAE,OAAO;UACfC,MAAM,EAAE,CAAC,0BAA0B,EAAE,0BAA0B,CAAC;UAChEC,QAAQ,EAAE,CAACzC,MAAM,CAAC0C,WAAW,gBAAgBhC,MAAM,CAACA,MAAM,EAAE,CAAC;UAC7DiC,SAAS,EAAE;YACP,GAAG9B;UACP;QACJ,CAAC,EACD;UACIyB,GAAG,EAAE,0BAA0B;UAC/BC,MAAM,EAAE,OAAO;UACfC,MAAM,EAAE,CAAC,cAAc,CAAC;UACxBC,QAAQ,EAAE,CACNzC,MAAM,CAAC0C,WAAW,gBAAgBhC,MAAM,CAACA,MAAM,gDAAgD,CAClG;UACDiC,SAAS,EAAE;YACP,GAAG9B;UACP;QACJ,CAAC,EACD;UACIyB,GAAG,EAAE,2BAA2B;UAChCC,MAAM,EAAE,OAAO;UACfC,MAAM,EAAE,CAAC,eAAe,CAAC;UACzBC,QAAQ,EAAE,CAACzC,MAAM,CAAC0C,WAAW,gBAAgBhC,MAAM,CAACA,MAAM,EAAE,CAAC;UAC7DiC,SAAS,EAAE;YACP,GAAG9B;UACP;QACJ,CAAC,EACD;UACIyB,GAAG,EAAE,kBAAkB;UACvBC,MAAM,EAAE,OAAO;UACfC,MAAM,EAAE,CAAC,cAAc,EAAE,qBAAqB,CAAC;UAC/CC,QAAQ,EAAE,CAACzC,MAAM,CAAC0C,WAAW,gBAAgBhC,MAAM,CAACA,MAAM,IAAI,CAAC;UAC/DiC,SAAS,EAAE;YACP,GAAG9B;UACP;QACJ,CAAC;MAET;IACJ;EACJ,CAAC,CAAC;EAEFR,GAAG,CAACqB,WAAW,CAACzB,GAAG,CAACgB,GAAG,CAAC4B,oBAAoB,EAAE;IAC1CjB,IAAI,EAAE,qDAAqD;IAC3DC,MAAM,EAAE;MACJJ,IAAI,EAAEA,IAAI,CAACb,MAAM,CAACgB,IAAI;MACtBkB,SAAS,EAAEb,MAAM,CAACrB,MAAM,CAACmC;IAC7B;EACJ,CAAC,CAAC;EAEF1C,GAAG,CAACqB,WAAW,CAACzB,GAAG,CAAC+C,SAAS,CAACC,qBAAqB,EAAE;IACjDrB,IAAI,EAAE,mCAAmC;IACzCC,MAAM,EAAE;MACJJ,IAAI,EAAEA,IAAI,CAACb,MAAM,CAACmC,GAAG;MACrBG,iBAAiB,EAAE;QACfC,QAAQ,EAAE;UACNC,UAAU,EAAE1C,MAAM,CAACA;QACvB;MACJ;IACJ;EACJ,CAAC,CAAC;;EAEF;;EAEA;EACA,MAAM2C,eAAe,GAAGhD,GAAG,CAACqB,WAAW,CAACzB,GAAG,CAACgB,GAAG,CAACU,IAAI,EAAE;IAClDC,IAAI,EAAE,gCAAgC;IACtCC,MAAM,EAAE;MACJC,gBAAgB,EAAEwB,IAAI,CAACC,SAAS,CAAC;QAC7BnB,OAAO,EAAE,YAAY;QACrBC,SAAS,EAAE,CACP;UACIE,MAAM,EAAE,OAAO;UACfiB,SAAS,EAAE;YAAEC,OAAO,EAAE;UAAuB,CAAC;UAC9CjB,MAAM,EAAE;QACZ,CAAC;MAET,CAAC;IACL;EACJ,CAAC,CAAC;;EAEF;EACAnC,GAAG,CAACqB,WAAW,CAACzB,GAAG,CAACgB,GAAG,CAACyC,UAAU,EAAE;IAChC9B,IAAI,EAAE,kCAAkC;IACxCC,MAAM,EAAE;MACJJ,IAAI,EAAE4B,eAAe,CAACzC,MAAM;MAC5BqB,MAAM,EAAEjC,MAAM,CAACY,MAAM,CAACJ,QAAQ,CAACI,MAAM,CAACmC,GAAG,CAAC,CAACY,KAAK,CAACZ,GAAG,IAChDO,IAAI,CAACC,SAAS,CAAC;QACXnB,OAAO,EAAE,YAAY;QACrBC,SAAS,EAAE,CACP;UACIE,MAAM,EAAE,OAAO;UACfC,MAAM,EAAE,kBAAkB;UAC1BC,QAAQ,EAAEM;QACd,CAAC;MAET,CAAC,CACL;IACJ;EACJ,CAAC,CAAC;EAEF,MAAMa,sBAAsB,GAAGvD,GAAG,CAACqB,WAAW,CAACzB,GAAG,CAAC4D,UAAU,CAACC,SAAS,EAAE;IACrElC,IAAI,EAAE,gDAAgD;IACtDC,MAAM,EAAE;MACJkC,YAAY,EAAE,SAAS;MACvBC,YAAY,EAAEtD,MAAM,CAACA,MAAM,CAACiD,KAAK,CAAC/B,IAAI,IAClC0B,IAAI,CAACC,SAAS,CAAC;QACXU,MAAM,EAAE,CAAC,eAAe,CAAC;QACzB,aAAa,EAAE,CAAC,iDAAiD,CAAC;QAClEC,MAAM,EAAE;UACJC,eAAe,EAAE;YACbf,UAAU,EAAE,CAACxB,IAAI;UACrB;QACJ;MACJ,CAAC,CACL;IACJ;EACJ,CAAC,CAAC;;EAEF;EACAvB,GAAG,CAACqB,WAAW,CAACzB,GAAG,CAAC4D,UAAU,CAACO,WAAW,EAAE;IACxCxC,IAAI,EAAE,kDAAkD;IACxDC,MAAM,EAAE;MACJwC,IAAI,EAAET,sBAAsB,CAAChD,MAAM,CAACgB,IAAI;MACxC0C,OAAO,EAAEjB,eAAe,CAACzC,MAAM,CAACmC,GAAG;MACnCgB,YAAY,EAAE,SAAS;MACvBhB,GAAG,EAAEvC,QAAQ,CAACI,MAAM,CAACmC;IACzB;EACJ,CAAC,CAAC;AACN,CAAC","ignoreList":[]}
+{"version":3,"file":"pulumi/apps/core/configureS3BucketMalwareProtection.js","sources":["../../../../src/pulumi/apps/core/configureS3BucketMalwareProtection.ts"],"sourcesContent":["import * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\nimport type { CorePulumiApp } from \"~/pulumi/apps/core/index.js\";\nimport { getAwsAccountId, getAwsRegion } from \"~/pulumi/apps/awsUtils.js\";\n\nexport const configureS3BucketMalwareProtection = (app: CorePulumiApp) => {\n    const awsAccountId = getAwsAccountId(app);\n    const awsRegion = getAwsRegion(app);\n    const eventBus = app.resources.eventBus;\n\n    const bucket = app.resources.fileManagerBucket.output;\n\n    const currentAccount = {\n        StringEquals: {\n            \"aws:ResourceAccount\": awsAccountId\n        }\n    };\n\n    const managedByGuardDuty = {\n        StringEquals: {\n            \"events:ManagedBy\": \"malware-protection-plan.guardduty.amazonaws.com\"\n        }\n    };\n\n    const assumeRole = aws.iam.getPolicyDocument({\n        statements: [\n            {\n                effect: \"Allow\",\n                principals: [\n                    {\n                        type: \"Service\",\n                        identifiers: [\"malware-protection-plan.guardduty.amazonaws.com\"]\n                    }\n                ],\n                actions: [\"sts:AssumeRole\"]\n            }\n        ]\n    });\n\n    const role = app.addResource(aws.iam.Role, {\n        name: \"fm-bucket-guardduty-role\",\n        config: {\n            assumeRolePolicy: assumeRole.then(assumeRole => assumeRole.json)\n        }\n    });\n\n    const policy = app.addResource(aws.iam.Policy, {\n        name: `fm-bucket-guardduty-role-policy`,\n        config: {\n            description: \"This policy enables GuardDuty to interact with the S3 bucket.\",\n            policy: {\n                Version: \"2012-10-17\",\n                Statement: [\n                    {\n                        Sid: \"AllowManagedRuleToSendS3EventsToGuardDuty\",\n                        Effect: \"Allow\",\n                        Action: [\"events:PutRule\"],\n                        Resource: [\n                            pulumi.interpolate`arn:aws:events:${awsRegion}:${awsAccountId}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*`\n                        ],\n                        Condition: {\n                            ...managedByGuardDuty,\n                            \"ForAllValues:StringEquals\": {\n                                \"events:source\": \"aws.s3\",\n                                \"events:detail-type\": [\n                                    \"Object Created\",\n                                    \"AWS API Call via CloudTrail\"\n                                ]\n                            },\n                            Null: {\n                                \"events:source\": \"false\",\n                                \"events:detail-type\": \"false\"\n                            }\n                        }\n                    },\n                    {\n                        Sid: \"AllowUpdateTargetAndDeleteManagedRule\",\n                        Effect: \"Allow\",\n                        Action: [\"events:DeleteRule\", \"events:PutTargets\", \"events:RemoveTargets\"],\n                        Resource: [\n                            pulumi.interpolate`arn:aws:events:${awsRegion}:${awsAccountId}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*`\n                        ],\n                        Condition: {\n                            ...managedByGuardDuty\n                        }\n                    },\n                    {\n                        Sid: \"AllowGuardDutyToMonitorEventBridgeManagedRule\",\n                        Effect: \"Allow\",\n                        Action: [\"events:DescribeRule\", \"events:ListTargetsByRule\"],\n                        Resource: [\n                            pulumi.interpolate`arn:aws:events:${awsRegion}:${awsAccountId}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*`\n                        ]\n                    },\n                    {\n                        Sid: \"AllowPostScanTag\",\n                        Effect: \"Allow\",\n                        Action: [\n                            \"s3:GetObjectTagging\",\n                            \"s3:GetObjectVersionTagging\",\n                            \"s3:PutObjectTagging\",\n                            \"s3:PutObjectVersionTagging\"\n                        ],\n                        Resource: [pulumi.interpolate`arn:aws:s3:::${bucket.bucket}/*`],\n                        Condition: {\n                            ...currentAccount\n                        }\n                    },\n                    {\n                        Sid: \"AllowEnableS3EventBridgeEvents\",\n                        Effect: \"Allow\",\n                        Action: [\"s3:PutBucketNotification\", \"s3:GetBucketNotification\"],\n                        Resource: [pulumi.interpolate`arn:aws:s3:::${bucket.bucket}`],\n                        Condition: {\n                            ...currentAccount\n                        }\n                    },\n                    {\n                        Sid: \"AllowPutValidationObject\",\n                        Effect: \"Allow\",\n                        Action: [\"s3:PutObject\"],\n                        Resource: [\n                            pulumi.interpolate`arn:aws:s3:::${bucket.bucket}/malware-protection-resource-validation-object`\n                        ],\n                        Condition: {\n                            ...currentAccount\n                        }\n                    },\n                    {\n                        Sid: \"AllowCheckBucketOwnership\",\n                        Effect: \"Allow\",\n                        Action: [\"s3:ListBucket\"],\n                        Resource: [pulumi.interpolate`arn:aws:s3:::${bucket.bucket}`],\n                        Condition: {\n                            ...currentAccount\n                        }\n                    },\n                    {\n                        Sid: \"AllowMalwareScan\",\n                        Effect: \"Allow\",\n                        Action: [\"s3:GetObject\", \"s3:GetObjectVersion\"],\n                        Resource: [pulumi.interpolate`arn:aws:s3:::${bucket.bucket}/*`],\n                        Condition: {\n                            ...currentAccount\n                        }\n                    }\n                ]\n            }\n        }\n    });\n\n    app.addResource(aws.iam.RolePolicyAttachment, {\n        name: `fm-bucket-malware-protection-role-policy-attachment`,\n        config: {\n            role: role.output.name,\n            policyArn: policy.output.arn\n        }\n    });\n\n    app.addResource(aws.guardduty.MalwareProtectionPlan, {\n        name: `fm-bucket-malware-protection-plan`,\n        config: {\n            role: role.output.arn,\n            protectedResource: {\n                s3Bucket: {\n                    bucketName: bucket.bucket\n                }\n            }\n        }\n    });\n\n    // FORWARD EVENTS FROM \"DEFAULT\" TO CUSTOM EVENT BUS.\n\n    // Create an IAM Role for EventBridge to forward events\n    const eventBridgeRole = app.addResource(aws.iam.Role, {\n        name: \"guard-duty-forward-events-role\",\n        config: {\n            assumeRolePolicy: JSON.stringify({\n                Version: \"2012-10-17\",\n                Statement: [\n                    {\n                        Effect: \"Allow\",\n                        Principal: { Service: \"events.amazonaws.com\" },\n                        Action: \"sts:AssumeRole\"\n                    }\n                ]\n            })\n        }\n    });\n\n    // Attach Policy to Allow EventBridge to PutEvents on Custom Event Bus\n    app.addResource(aws.iam.RolePolicy, {\n        name: \"guard-duty-forward-events-policy\",\n        config: {\n            role: eventBridgeRole.output,\n            policy: pulumi.output(eventBus.output.arn).apply(arn =>\n                JSON.stringify({\n                    Version: \"2012-10-17\",\n                    Statement: [\n                        {\n                            Effect: \"Allow\",\n                            Action: \"events:PutEvents\",\n                            Resource: arn\n                        }\n                    ]\n                })\n            )\n        }\n    });\n\n    const forwardToCustomBusRule = app.addResource(aws.cloudwatch.EventRule, {\n        name: \"forward-events-from-default-to-custom-bus-rule\",\n        config: {\n            eventBusName: \"default\",\n            eventPattern: bucket.bucket.apply(name =>\n                JSON.stringify({\n                    source: [\"aws.guardduty\"],\n                    \"detail-type\": [\"GuardDuty Malware Protection Object Scan Result\"],\n                    detail: {\n                        s3ObjectDetails: {\n                            bucketName: [name]\n                        }\n                    }\n                })\n            )\n        }\n    });\n\n    // Target: Send events to the custom event bus\n    app.addResource(aws.cloudwatch.EventTarget, {\n        name: \"forward-events-from-default-to-custom-bus-target\",\n        config: {\n            rule: forwardToCustomBusRule.output.name,\n            roleArn: eventBridgeRole.output.arn,\n            eventBusName: \"default\",\n            arn: eventBus.output.arn\n        }\n    });\n};\n"],"names":["configureS3BucketMalwareProtection","app","awsAccountId","getAwsAccountId","awsRegion","getAwsRegion","eventBus","bucket","currentAccount","managedByGuardDuty","assumeRole","aws","role","policy","pulumi","eventBridgeRole","JSON","arn","forwardToCustomBusRule","name"],"mappings":";;;AAKO,MAAMA,qCAAqC,CAACC;IAC/C,MAAMC,eAAeC,gBAAgBF;IACrC,MAAMG,YAAYC,aAAaJ;IAC/B,MAAMK,WAAWL,IAAI,SAAS,CAAC,QAAQ;IAEvC,MAAMM,SAASN,IAAI,SAAS,CAAC,iBAAiB,CAAC,MAAM;IAErD,MAAMO,iBAAiB;QACnB,cAAc;YACV,uBAAuBN;QAC3B;IACJ;IAEA,MAAMO,qBAAqB;QACvB,cAAc;YACV,oBAAoB;QACxB;IACJ;IAEA,MAAMC,aAAaC,uCAAAA,GAAAA,CAAAA,iBAAyB,CAAC;QACzC,YAAY;YACR;gBACI,QAAQ;gBACR,YAAY;oBACR;wBACI,MAAM;wBACN,aAAa;4BAAC;yBAAkD;oBACpE;iBACH;gBACD,SAAS;oBAAC;iBAAiB;YAC/B;SACH;IACL;IAEA,MAAMC,OAAOX,IAAI,WAAW,CAACU,uCAAAA,GAAAA,CAAAA,IAAY,EAAE;QACvC,MAAM;QACN,QAAQ;YACJ,kBAAkBD,WAAW,IAAI,CAACA,CAAAA,aAAcA,WAAW,IAAI;QACnE;IACJ;IAEA,MAAMG,SAASZ,IAAI,WAAW,CAACU,uCAAAA,GAAAA,CAAAA,MAAc,EAAE;QAC3C,MAAM;QACN,QAAQ;YACJ,aAAa;YACb,QAAQ;gBACJ,SAAS;gBACT,WAAW;oBACP;wBACI,KAAK;wBACL,QAAQ;wBACR,QAAQ;4BAAC;yBAAiB;wBAC1B,UAAU;4BACNG,0CAAAA,WAAkB,CAAC,eAAe,EAAEV,UAAU,CAAC,EAAEF,aAAa,uDAAuD,CAAC;yBACzH;wBACD,WAAW;4BACP,GAAGO,kBAAkB;4BACrB,6BAA6B;gCACzB,iBAAiB;gCACjB,sBAAsB;oCAClB;oCACA;iCACH;4BACL;4BACA,MAAM;gCACF,iBAAiB;gCACjB,sBAAsB;4BAC1B;wBACJ;oBACJ;oBACA;wBACI,KAAK;wBACL,QAAQ;wBACR,QAAQ;4BAAC;4BAAqB;4BAAqB;yBAAuB;wBAC1E,UAAU;4BACNK,0CAAAA,WAAkB,CAAC,eAAe,EAAEV,UAAU,CAAC,EAAEF,aAAa,uDAAuD,CAAC;yBACzH;wBACD,WAAW;4BACP,GAAGO,kBAAkB;wBACzB;oBACJ;oBACA;wBACI,KAAK;wBACL,QAAQ;wBACR,QAAQ;4BAAC;4BAAuB;yBAA2B;wBAC3D,UAAU;4BACNK,0CAAAA,WAAkB,CAAC,eAAe,EAAEV,UAAU,CAAC,EAAEF,aAAa,uDAAuD,CAAC;yBACzH;oBACL;oBACA;wBACI,KAAK;wBACL,QAAQ;wBACR,QAAQ;4BACJ;4BACA;4BACA;4BACA;yBACH;wBACD,UAAU;4BAACY,0CAAAA,WAAkB,CAAC,aAAa,EAAEP,OAAO,MAAM,CAAC,EAAE,CAAC;yBAAC;wBAC/D,WAAW;4BACP,GAAGC,cAAc;wBACrB;oBACJ;oBACA;wBACI,KAAK;wBACL,QAAQ;wBACR,QAAQ;4BAAC;4BAA4B;yBAA2B;wBAChE,UAAU;4BAACM,0CAAAA,WAAkB,CAAC,aAAa,EAAEP,OAAO,MAAM,CAAC,CAAC;yBAAC;wBAC7D,WAAW;4BACP,GAAGC,cAAc;wBACrB;oBACJ;oBACA;wBACI,KAAK;wBACL,QAAQ;wBACR,QAAQ;4BAAC;yBAAe;wBACxB,UAAU;4BACNM,0CAAAA,WAAkB,CAAC,aAAa,EAAEP,OAAO,MAAM,CAAC,8CAA8C,CAAC;yBAClG;wBACD,WAAW;4BACP,GAAGC,cAAc;wBACrB;oBACJ;oBACA;wBACI,KAAK;wBACL,QAAQ;wBACR,QAAQ;4BAAC;yBAAgB;wBACzB,UAAU;4BAACM,0CAAAA,WAAkB,CAAC,aAAa,EAAEP,OAAO,MAAM,CAAC,CAAC;yBAAC;wBAC7D,WAAW;4BACP,GAAGC,cAAc;wBACrB;oBACJ;oBACA;wBACI,KAAK;wBACL,QAAQ;wBACR,QAAQ;4BAAC;4BAAgB;yBAAsB;wBAC/C,UAAU;4BAACM,0CAAAA,WAAkB,CAAC,aAAa,EAAEP,OAAO,MAAM,CAAC,EAAE,CAAC;yBAAC;wBAC/D,WAAW;4BACP,GAAGC,cAAc;wBACrB;oBACJ;iBACH;YACL;QACJ;IACJ;IAEAP,IAAI,WAAW,CAACU,uCAAAA,GAAAA,CAAAA,oBAA4B,EAAE;QAC1C,MAAM;QACN,QAAQ;YACJ,MAAMC,KAAK,MAAM,CAAC,IAAI;YACtB,WAAWC,OAAO,MAAM,CAAC,GAAG;QAChC;IACJ;IAEAZ,IAAI,WAAW,CAACU,uCAAAA,SAAAA,CAAAA,qBAAmC,EAAE;QACjD,MAAM;QACN,QAAQ;YACJ,MAAMC,KAAK,MAAM,CAAC,GAAG;YACrB,mBAAmB;gBACf,UAAU;oBACN,YAAYL,OAAO,MAAM;gBAC7B;YACJ;QACJ;IACJ;IAKA,MAAMQ,kBAAkBd,IAAI,WAAW,CAACU,uCAAAA,GAAAA,CAAAA,IAAY,EAAE;QAClD,MAAM;QACN,QAAQ;YACJ,kBAAkBK,KAAK,SAAS,CAAC;gBAC7B,SAAS;gBACT,WAAW;oBACP;wBACI,QAAQ;wBACR,WAAW;4BAAE,SAAS;wBAAuB;wBAC7C,QAAQ;oBACZ;iBACH;YACL;QACJ;IACJ;IAGAf,IAAI,WAAW,CAACU,uCAAAA,GAAAA,CAAAA,UAAkB,EAAE;QAChC,MAAM;QACN,QAAQ;YACJ,MAAMI,gBAAgB,MAAM;YAC5B,QAAQD,0CAAAA,MAAa,CAACR,SAAS,MAAM,CAAC,GAAG,EAAE,KAAK,CAACW,CAAAA,MAC7CD,KAAK,SAAS,CAAC;oBACX,SAAS;oBACT,WAAW;wBACP;4BACI,QAAQ;4BACR,QAAQ;4BACR,UAAUC;wBACd;qBACH;gBACL;QAER;IACJ;IAEA,MAAMC,yBAAyBjB,IAAI,WAAW,CAACU,uCAAAA,UAAAA,CAAAA,SAAwB,EAAE;QACrE,MAAM;QACN,QAAQ;YACJ,cAAc;YACd,cAAcJ,OAAO,MAAM,CAAC,KAAK,CAACY,CAAAA,OAC9BH,KAAK,SAAS,CAAC;oBACX,QAAQ;wBAAC;qBAAgB;oBACzB,eAAe;wBAAC;qBAAkD;oBAClE,QAAQ;wBACJ,iBAAiB;4BACb,YAAY;gCAACG;6BAAK;wBACtB;oBACJ;gBACJ;QAER;IACJ;IAGAlB,IAAI,WAAW,CAACU,uCAAAA,UAAAA,CAAAA,WAA0B,EAAE;QACxC,MAAM;QACN,QAAQ;YACJ,MAAMO,uBAAuB,MAAM,CAAC,IAAI;YACxC,SAASH,gBAAgB,MAAM,CAAC,GAAG;YACnC,cAAc;YACd,KAAKT,SAAS,MAAM,CAAC,GAAG;QAC5B;IACJ;AACJ"}