From 6bdfecd18a11ab203f6436d7b643153bf8556a69 Mon Sep 17 00:00:00 2001
From: Tyler Schwend
Date: Thu, 24 Mar 2022 13:30:12 -0400
Subject: [PATCH] feat: Add S3 bucket owner enforcement (#694)

feat: Add S3 bucket owner enforcement SUMMARY AWS finally supports the ability to enforce object ownership such that the owner of the bucket owns all objects. This adds support for that. ISSUE TYPE Feature Pull Request COMPONENT NAME s3_bucket ADDITIONAL INFORMATION --- - hosts: localhost tasks: - s3_bucket: name: tyler-test-123 state: present - s3_bucket: name: tyler-test-123 object_ownership: BucketOwnerEnforced state: present - s3_bucket: name: tyler-test-123 state: absent - s3_bucket: name: tyler-test-123 object_ownership: BucketOwnerEnforced state: present - s3_bucket: name: tyler-test-123 state: absent Reviewed-by: Alina Buzachis Reviewed-by: Markus Bergholz (cherry picked from commit 7cf0e505d4a601793aa3a187abbda4448cb79234)
---
 .../694-s3_bucket-owner_enforcement.yml | 2 ++
 plugins/modules/s3_bucket.py | 9 ++++--
 .../s3_bucket/tasks/ownership_controls.yml | 30 +++++++++++++++++--
 3 files changed, 37 insertions(+), 4 deletions(-)
 create mode 100644 changelogs/fragments/694-s3_bucket-owner_enforcement.yml

diff --git a/changelogs/fragments/694-s3_bucket-owner_enforcement.yml b/changelogs/fragments/694-s3_bucket-owner_enforcement.yml
new file mode 100644
index 00000000000..1c3d29b3677
--- /dev/null
+++ b/changelogs/fragments/694-s3_bucket-owner_enforcement.yml
@@ -0,0 +1,2 @@
+minor_changes:
+ - s3_bucket - Add support for enforced bucket owner object ownership (https://github.com/ansible-collections/amazon.aws/pull/694).
diff --git a/plugins/modules/s3_bucket.py b/plugins/modules/s3_bucket.py
index 700306a97e0..9b66aa45209 100644
--- a/plugins/modules/s3_bucket.py
+++ b/plugins/modules/s3_bucket.py
@@ -124,12 +124,17 @@
 object_ownership:
 description:
 - Allow bucket's ownership controls.
+ - C(BucketOwnerEnforced) - ACLs are disabled and no longer affect access permissions to your
+ bucket. Requests to set or update ACLs fail. However, requests to read ACLs are supported.
+ Bucket owner has full ownership and control. Object writer no longer has full ownership and
+ control.
 - C(BucketOwnerPreferred) - Objects uploaded to the bucket change ownership to the bucket owner
 if the objects are uploaded with the bucket-owner-full-control canned ACL.
 - C(ObjectWriter) - The uploading account will own the object if the object is uploaded with
 the bucket-owner-full-control canned ACL.
 - This option cannot be used together with a I(delete_object_ownership) definition.
- choices: [ 'BucketOwnerPreferred', 'ObjectWriter' ]
+ - C(BucketOwnerEnforced) has been added in version 3.2.0.
+ choices: [ 'BucketOwnerEnforced', 'BucketOwnerPreferred', 'ObjectWriter' ]
 type: str
 version_added: 2.0.0
 delete_object_ownership:
@@ -1016,7 +1021,7 @@ def main():
 block_public_policy=dict(type='bool', default=False),
 restrict_public_buckets=dict(type='bool', default=False))),
 delete_public_access=dict(type='bool', default=False),
- object_ownership=dict(type='str', choices=['BucketOwnerPreferred', 'ObjectWriter']),
+ object_ownership=dict(type='str', choices=['BucketOwnerEnforced', 'BucketOwnerPreferred', 'ObjectWriter']),
 delete_object_ownership=dict(type='bool', default=False),
 acl=dict(type='str', choices=['private', 'public-read', 'public-read-write', 'authenticated-read']),
 validate_bucket_name=dict(type='bool', default=True),
diff --git a/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/ownership_controls.yml b/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/ownership_controls.yml
index 209b658241b..683ff06597c 100644
--- a/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/ownership_controls.yml
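Review bot: The new C(BucketOwnerEnforced) text says that requests to set or update ACLs fail, yet neither this description nor the widened argument spec in the `@@ -1016,7 +1021,7 @@ def main():` hunk says what happens when I(acl) is supplied on the same call, so a user would presumably see the raw S3 API error instead of a module-level message. Consider adding to the option description `- When set to C(BucketOwnerEnforced), I(acl) cannot be applied because S3 rejects ACL writes.` and, in main(), a fail-fast check that calls fail_json when acl is given together with object_ownership set to BucketOwnerEnforced (a value-dependent condition that `mutually_exclusive` cannot express). The code path that applies the ACL is outside both hunks, so whether it already tolerates this combination cannot be seen here. The first hunk lies inside the module's DOCUMENTATION string and the second inside main(); both definitions begin and end outside the hunks.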
+++ b/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/ownership_controls.yml
@@ -51,7 +51,7 @@
 - output.object_ownership
 - output.object_ownership == 'ObjectWriter'
 
- - name: 'update s3 bucket ownership controls'
+ - name: 'update s3 bucket ownership preferred controls'
 s3_bucket:
 name: '{{ local_bucket_name }}'
 state: present
@@ -64,7 +64,7 @@
 - output.object_ownership
 - output.object_ownership == 'BucketOwnerPreferred'
 
- - name: 'test idempotency update s3 bucket ownership controls'
+ - name: 'test idempotency update s3 bucket ownership preferred controls'
 s3_bucket:
 name: '{{ local_bucket_name }}'
 state: present
@@ -77,6 +77,32 @@
 - output.object_ownership
 - output.object_ownership == 'BucketOwnerPreferred'
 
+ - name: 'update s3 bucket ownership enforced controls'
+ s3_bucket:
+ name: '{{ local_bucket_name }}'
+ state: present
+ object_ownership: BucketOwnerEnforced
+ register: output
+
+ - assert:
+ that:
+ - output.changed
+ - output.object_ownership
+ - output.object_ownership == 'BucketOwnerEnforced'
+
+ - name: 'test idempotency update s3 bucket ownership preferred controls'
+ s3_bucket:
+ name: '{{ local_bucket_name }}'
+ state: present
+ object_ownership: BucketOwnerEnforced
+ register: output
+
+ - assert:
+ that:
+ - output.changed is false
+ - output.object_ownership
+ - output.object_ownership == 'BucketOwnerEnforced'
+
 - name: 'delete s3 bucket ownership controls'
 s3_bucket:
 name: '{{ local_bucket_name }}'
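Review bot: The idempotency task added in the `@@ -77,6 +77,32 @@` hunk is named `'test idempotency update s3 bucket ownership preferred controls'` but sets `object_ownership: BucketOwnerEnforced`, so a failure there would be reported under the name of the preceding BucketOwnerPreferred test; rename it `- name: 'test idempotency update s3 bucket ownership enforced controls'`. The assertions themselves check the right value and the following 'delete' task already exercises the transition away from the enforced setting. The two earlier hunks only rename existing tasks and need no change.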