s3

Houses shared S3 utilities and the Pulumi project that provisions our document buckets.
The pulumi/ directory is a standalone Pulumi program (cfx-s3) that owns:
- cfx-customer-documents-<stack> — customer document uploads (customer + bank dashboard CORS).
- cfx-bank-documents-<stack> — bank document uploads (bank dashboard CORS only).

Each bucket is private, encrypted with SSE-AES256, writes access logs under a prefix in cfx-bucket-access-logs-<stack>, and carries a bucket policy that denies insecure transport.
Bucket names and ARNs are published as stack outputs:
- customerDocumentsBucketName, customerDocumentsBucketArn
- bankDocumentsBucketName, bankDocumentsBucketArn

pnpm exec nx run s3:pulumi-preview # dev (default)
pnpm exec nx run s3:pulumi-preview:prod
pnpm exec nx run s3:pulumi-up # dev
pnpm exec nx run s3:pulumi-up:prod

cfx-common-infrastructure

Both buckets are currently owned by the cfx-common-infrastructure Pulumi stack. Before running pulumi up on cfx-s3, the resources must be migrated so we don't recreate them:
- pulumi state export the bucket resources (bucket, public-access-block, bucket-policy, optional lifecycle) from cfx-common-infrastructure/<stack>.
- pulumi state import them into cfx-s3/<stack> (or pass the import: option on each resource in pulumi/index.ts for a one-time adoption).
- cfx-common-infrastructure/index.ts and repoint createVercelOidcRole / createS3AccessUser to read the new bucket references via pulumi.StackReference("organization/cfx-s3/<stack>").
- packages/temporal-worker/pulumi/index.ts and packages/internal-dashboard/pulumi/index.ts from their hardcoded *-bucket-arn config values to StackReference outputs from cfx-s3.

The legacyResourceName aliases on createBucket are preserved so the original common-infra resource URNs can be re-homed under new logical names without forcing bucket recreation.
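
A post-migration check, added here as an example and not taken from pulumi/index.ts: it tests a bucket's settings against the posture stated above (private, SSE-AES256, access logs, insecure-transport deny). It assumes "private" means all four public-access-block flags are set; the type and function names and the sample values are hypothetical.

```typescript
// Added example, not project code. Snapshot fields mirror the S3 GetPublicAccessBlock,
// GetBucketEncryption, GetBucketLogging and GetBucketPolicy responses; names are hypothetical.
type OneOrMany = string | string[];
interface PolicyStatement {
  Effect: string; Principal: string | { AWS?: OneOrMany }; Action: OneOrMany; Resource: OneOrMany;
  Condition?: { Bool?: { [key: string]: OneOrMany } };
}
interface BucketSnapshot {
  arn: string;
  publicAccessBlock?: { BlockPublicAcls: boolean; IgnorePublicAcls: boolean; BlockPublicPolicy: boolean; RestrictPublicBuckets: boolean };
  sseAlgorithms: string[]; // SSEAlgorithm of each default-encryption rule
  logging?: { TargetBucket: string; TargetPrefix: string };
  policy?: { Statement: PolicyStatement[] };
}
const list = (v: OneOrMany | undefined): string[] => (v === undefined ? [] : typeof v === "string" ? [v] : v);
const has = (v: OneOrMany | undefined, x: string): boolean => list(v).indexOf(x) !== -1;

// True when a Deny for every principal on all S3 actions covers `resource` for non-TLS requests.
function deniesPlainHttp(policy: { Statement: PolicyStatement[] } | undefined, resource: string): boolean {
  return (policy?.Statement ?? []).some((s) => {
    const everyone = s.Principal === "*" || (typeof s.Principal !== "string" && has(s.Principal.AWS, "*"));
    return s.Effect === "Deny" && everyone && (has(s.Action, "s3:*") || has(s.Action, "*")) &&
      has(s.Condition?.Bool?.["aws:SecureTransport"], "false") && has(s.Resource, resource);
  });
}

// Returns one message per stated guarantee the snapshot fails; an empty array means compliant.
function postureGaps(b: BucketSnapshot, expectedLogBucket: string): string[] {
  const gaps: string[] = [];
  const pab = b.publicAccessBlock;
  if (!pab || !(pab.BlockPublicAcls && pab.IgnorePublicAcls && pab.BlockPublicPolicy && pab.RestrictPublicBuckets))
    gaps.push("public access block is missing or partial");
  if (b.sseAlgorithms.length === 0 || b.sseAlgorithms.some((a) => a !== "AES256"))
    gaps.push("default encryption is not SSE-AES256");
  if (!b.logging || b.logging.TargetBucket !== expectedLogBucket || b.logging.TargetPrefix === "")
    gaps.push("access logs do not go to a prefix in " + expectedLogBucket);
  // The deny must cover both the bucket ARN (list calls) and the object ARN pattern.
  for (const r of [b.arn, b.arn + "/*"])
    if (!deniesPlainHttp(b.policy, r)) gaps.push("no insecure-transport Deny covering " + r);
  return gaps;
}

// Constructed sample for the dev stack; the log prefix value is made up.
const sample: BucketSnapshot = {
  arn: "arn:aws:s3:::cfx-customer-documents-dev",
  publicAccessBlock: { BlockPublicAcls: true, IgnorePublicAcls: true, BlockPublicPolicy: true, RestrictPublicBuckets: true },
  sseAlgorithms: ["AES256"],
  logging: { TargetBucket: "cfx-bucket-access-logs-dev", TargetPrefix: "customer-documents/" },
  policy: { Statement: [{ Effect: "Deny", Principal: "*", Action: "s3:*", Condition: { Bool: { "aws:SecureTransport": "false" } },
    Resource: ["arn:aws:s3:::cfx-customer-documents-dev", "arn:aws:s3:::cfx-customer-documents-dev/*"] }] },
};
```

Running it against snapshots taken before and after the state move shows whether the adoption changed any of the four settings.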