updating module S3 Bucket Keys for SSE-KMS (#882)
updating module S3 Bucket Keys for SSE-KMS SUMMARY reference: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html Adding a parameter to enable S3 Bucket Keys only when the encryption is aws:kms ISSUE TYPE New Module Pull Request COMPONENT NAME s3 bucket keys ADDITIONAL INFORMATION Reviewed-by: Mark Chappell <None> Reviewed-by: Alina Buzachis <None> Reviewed-by: Milan Zink <[email protected]> (cherry picked from commit ca9ed18)
1 parent
9c117c6
commit 4f54d3a
Showing
4 changed files
with
191 additions
and
1 deletion.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
minor_changes: | ||
- s3_bucket - updated module to enable support for setting S3 Bucket Keys for SSE-KMS (https://github.com/ansible-collections/amazon.aws/pull/882). |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -6,6 +6,7 @@ complex | |
dotted | ||
tags | ||
encryption_kms | ||
encryption_bucket_key | ||
encryption_sse | ||
public_access | ||
acl | ||
|
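--- a/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_bucket_key.yml
+++ b/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_bucket_key.yml
@@ -0,0 +1,100 @@
+---
+- module_defaults:
+group/aws:
+aws_access_key: "{{ aws_access_key }}"
+aws_secret_key: "{{ aws_secret_key }}"
+security_token: "{{ security_token | default(omit) }}"
+region: "{{ aws_region }}"
+block:
+- name: Set facts for encryption_bucket_key test
+set_fact:
+local_bucket_name: "{{ bucket_name | hash('md5') }}-bucket-key"
+# ============================================================
+
+- name: "Create a simple bucket"
+s3_bucket:
+name: "{{ local_bucket_name }}"
+state: present
+register: output
+
+- name: "Enable aws:kms encryption with KMS master key"
+s3_bucket:
+name: "{{ local_bucket_name }}"
+state: present
+encryption: "aws:kms"
+register: output
+
+- name: "Enable bucket key for bucket with aws:kms encryption"
+s3_bucket:
+name: "{{ local_bucket_name }}"
+state: present
+encryption: "aws:kms"
+bucket_key_enabled: true
+register: output
+
+- name: Assert for 'Enable bucket key for bucket with aws:kms encryption'
+assert:
+that:
+- output.changed
+- output.encryption
+
+- name: "Re-enable bucket key for bucket with aws:kms encryption (idempotent)"
+s3_bucket:
+name: "{{ local_bucket_name }}"
+encryption: "aws:kms"
+bucket_key_enabled: true
+register: output
+
+- name: Assert for 'Re-enable bucket key for bucket with aws:kms encryption (idempotent)''
+assert:
+that:
+- not output.changed
+- output.encryption
+
+# ============================================================
+
+- name: Disable encryption from bucket
+s3_bucket:
+name: "{{ local_bucket_name }}"
+encryption: none
+bucket_key_enabled: false
+register: output
+
+- name: Assert for 'Disable encryption from bucket'
+assert:
+that:
+- output.changed
+- not output.encryption
+
+- name: Disable encryption from bucket (idempotent)
+s3_bucket:
+name: "{{ local_bucket_name }}"
+bucket_key_enabled: true
+register: output
+
+- name: Assert for 'Disable encryption from bucket (idempotent)'
+assert:
+that:
+- output is not changed
+- not output.encryption
+
+# ============================================================
+
+- name: Delete encryption test s3 bucket
+s3_bucket:
+name: "{{ local_bucket_name }}"
+state: absent
+register: output
+
+- name: Assert for 'Delete encryption test s3 bucket'
+assert:
+that:
+- output.changed
+
+# ============================================================
+always:
+- name: Ensure all buckets are deleted
+s3_bucket:
+name: "{{ local_bucket_name }}"
+state: absent
+failed_when: false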
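Review bot: The "Disable encryption from bucket (idempotent)" task does not repeat the call it claims to re-check: it drops `encryption: none` and passes `bucket_key_enabled: true`, so `output is not changed` appears to pass only because the module ignores the bucket-key flag when no encryption is requested. If that silent-ignore behaviour is the intended contract it deserves its own named task; the idempotency task itself should carry `encryption: none` and `bucket_key_enabled: false`. Separately, the asserts after "Enable bucket key for bucket with aws:kms encryption" check only that `output.encryption` is truthy, so they never confirm the algorithm or that the bucket key was actually applied. Adding `output.encryption.SSEAlgorithm == 'aws:kms'` (assuming the module returns that field, plus the bucket-key state if it is returned) would pin the setting this commit introduces.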