From 7856e5ad77ef0ec67c82d418b462f7237771eff9 Mon Sep 17 00:00:00 2001 From: "patchback[bot]" <45432694+patchback[bot]@users.noreply.github.com> Date: Fri, 3 Mar 2023 10:24:27 +0000 Subject: [PATCH] Disable S3 tests related to removing bucket encryption (#1395) (#1397) [PR #1395/15d92a74 backport][stable-4] Disable S3 tests related to removing bucket encryption This is a backport of PR #1395 as merged into main (15d92a7). SUMMARY Amazon now enables S3-SSE bucket encryption by default and it's not possible to disable it. Disable the relevant tests but leave a minimal framework in place. ISSUE TYPE Tests Pull Request COMPONENT NAME s3_bucket ADDITIONAL INFORMATION Reviewed-by: Alina Buzachis --- changelogs/fragments/1395-s3-encryption.yml | 2 + plugins/modules/s3_bucket.py | 1 + .../s3_bucket/tasks/encryption_bucket_key.yml | 63 ++++++++++--------- .../roles/s3_bucket/tasks/encryption_kms.yml | 57 +++++++++-------- .../roles/s3_bucket/tasks/encryption_sse.yml | 60 +++++++++--------- 5 files changed, 98 insertions(+), 85 deletions(-) create mode 100644 changelogs/fragments/1395-s3-encryption.yml
diff --git a/changelogs/fragments/1395-s3-encryption.yml b/changelogs/fragments/1395-s3-encryption.yml
new file mode 100644
index 00000000000..3e6c2ea6e13
--- /dev/null
+++ b/changelogs/fragments/1395-s3-encryption.yml
@@ -0,0 +1,2 @@
+trivial:
+- s3_bucket - disabled tests related to disabling encryption on S3 buckets, this is no longer supported by AWS, and encryption is enabled by default (https://github.com/ansible-collections/amazon.aws/pull/1395).
diff --git a/plugins/modules/s3_bucket.py b/plugins/modules/s3_bucket.py
index 7667219c85a..1ad71255104 100644
--- a/plugins/modules/s3_bucket.py
+++ b/plugins/modules/s3_bucket.py
@@ -78,6 +78,7 @@ description: - Describes the default server-side encryption to apply to new objects in the bucket. In order to remove the server-side encryption, the encryption needs to be set to 'none' explicitly. + - "Note: Since January 2023 Amazon S3 doesn't support disabling encryption on S3 buckets." choices: [ 'none', 'AES256', 'aws:kms' ] type: str encryption_key_id: diff --git a/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_bucket_key.yml b/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_bucket_key.yml index c0d5e1167bc..66a54c1e0b3 100644 --- a/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_bucket_key.yml +++ b/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_bucket_key.yml @@ -32,7 +32,7 @@ bucket_key_enabled: true register: output - - name: Assert for 'Enable bucket key for bucket with aws:kms encryption' + - name: "Assert for 'Enable bucket key for bucket with aws:kms encryption'" assert: that: - output.changed 
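Review bot: The added note in the s3_bucket.py hunk contradicts the sentence just above it, which still tells users to set the option to 'none' to remove server-side encryption, and `'none'` remains in `choices`. The description should say what a playbook passing `encryption: none` can expect now, for example `- "Note: Since January 2023 Amazon S3 encrypts every bucket with SSE-S3 (AES256) by default and no longer supports disabling encryption, so C(none) cannot remove it."`. Whether the module then reports a change, fails, or silently leaves the bucket encrypted is not visible in this hunk; it is worth documenting because it affects idempotency and anyone auditing bucket encryption state from playbook output.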
@@ -45,40 +45,43 @@ bucket_key_enabled: true register: output - - name: Assert for 'Re-enable bucket key for bucket with aws:kms encryption (idempotent)'' + - name: "Assert for 'Re-enable bucket key for bucket with aws:kms encryption (idempotent)'" assert: that: - not output.changed - output.encryption - # ============================================================ - - - name: Disable encryption from bucket - s3_bucket: - name: "{{ local_bucket_name }}" - encryption: none - bucket_key_enabled: false - register: output - - - name: Assert for 'Disable encryption from bucket' - assert: - that: - - output.changed - - not output.encryption - - - name: Disable encryption from bucket (idempotent) - s3_bucket: - name: "{{ local_bucket_name }}" - bucket_key_enabled: true - register: output - - - name: Assert for 'Disable encryption from bucket (idempotent)' - assert: - that: - - output is not changed - - not output.encryption - - # ============================================================ + ## # ============================================================ + ## + ## AWS S3 no longer supports disabling S3 encryption + ## https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-encryption-faq.html + ## + ## - name: Disable encryption from bucket + ## s3_bucket: + ## name: "{{ local_bucket_name }}" + ## encryption: none + ## bucket_key_enabled: false + ## register: output + ## + ## - name: Assert for 'Disable encryption from bucket' + ## assert: + ## that: + ## - output.changed + ## - not output.encryption + ## + ## - name: Disable encryption from bucket (idempotent) + ## s3_bucket: + ## name: "{{ local_bucket_name }}" + ## bucket_key_enabled: true + ## register: output + ## + ## - name: Assert for 'Disable encryption from bucket (idempotent)' + ## assert: + ## that: + ## - output is not changed + ## - not output.encryption + ## + ## # ============================================================ - name: Delete encryption test s3 bucket s3_bucket: 
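Review bot: Commenting out the 'Disable encryption from bucket' tasks leaves the suite with no check of what `encryption: none` does against current S3 behaviour; the same applies to the commented-out blocks in encryption_kms.yml and in the second hunk of encryption_sse.yml. Keeping one task that still requests `encryption: none` and asserting the bucket stays encrypted, e.g. `- output.encryption` in place of `- not output.encryption`, would pin the behaviour users now get, although whether that assertion passes depends on module code outside this diff. As a point of style, a block of `##`-prefixed YAML is harder to keep in sync than a short comment with the FAQ link, since the history already holds the removed tasks.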
diff --git a/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_kms.yml b/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_kms.yml index 9650821c3f2..75cdb4c6f0a 100644 --- a/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_kms.yml +++ b/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_kms.yml @@ -42,33 +42,36 @@ - output.encryption - output.encryption.SSEAlgorithm == 'aws:kms' - # ============================================================ - - - name: Disable encryption from bucket - s3_bucket: - name: '{{ local_bucket_name }}' - state: present - encryption: "none" - register: output - - - assert: - that: - - output.changed - - not output.encryption - - - name: Disable encryption from bucket - s3_bucket: - name: '{{ local_bucket_name }}' - state: present - encryption: "none" - register: output - - - assert: - that: - - output is not changed - - not output.encryption - - # ============================================================ + ## # ============================================================ + ## + ## AWS S3 no longer supports disabling S3 encryption + ## https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-encryption-faq.html + ## + ## - name: Disable encryption from bucket + ## s3_bucket: + ## name: '{{ local_bucket_name }}' + ## state: present + ## encryption: "none" + ## register: output + ## + ## - assert: + ## that: + ## - output.changed + ## - not output.encryption + ## + ## - name: Disable encryption from bucket + ## s3_bucket: + ## name: '{{ local_bucket_name }}' + ## state: present + ## encryption: "none" + ## register: output + ## + ## - assert: + ## that: + ## - output is not changed + ## - not output.encryption + ## + ## # ============================================================ - name: Delete encryption test s3 bucket s3_bucket: 
diff --git a/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_sse.yml b/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_sse.yml index 6090339a86c..60ee2600912 100644 --- a/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_sse.yml +++ b/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_sse.yml @@ -25,7 +25,8 @@ - assert: that: - - output.changed + # SSE is now enabled by default + # - output.changed - output.encryption - output.encryption.SSEAlgorithm == 'AES256' 
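Review bot: Commenting out `- output.changed` in the first encryption_sse.yml hunk leaves the AES256 task with no assertion on its change status, so a regression in either direction would pass. If new buckets now always start with SSE-S3, the expected result is presumably `- output is not changed`, and asserting that keeps the idempotency check meaningful. If the result still varies, for instance by account or region, the comment should say so rather than only `# SSE is now enabled by default`. The task being asserted starts above the hunk, so its parameters are not visible here.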
@@ -42,33 +43,36 @@ - output.encryption - output.encryption.SSEAlgorithm == 'AES256' - # ============================================================ - - - name: Disable encryption from bucket - s3_bucket: - name: '{{ local_bucket_name }}' - state: present - encryption: "none" - register: output - - - assert: - that: - - output.changed - - not output.encryption - - - name: Disable encryption from bucket - s3_bucket: - name: '{{ local_bucket_name }}' - state: present - encryption: "none" - register: output - - - assert: - that: - - output is not changed - - not output.encryption - - # ============================================================ + ## # ============================================================ + ## + ## AWS S3 no longer supports disabling S3 encryption + ## https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-encryption-faq.html + ## + ## - name: Disable encryption from bucket + ## s3_bucket: + ## name: '{{ local_bucket_name }}' + ## state: present + ## encryption: "none" + ## register: output + ## + ## - assert: + ## that: + ## - output.changed + ## - not output.encryption + ## + ## - name: Disable encryption from bucket + ## s3_bucket: + ## name: '{{ local_bucket_name }}' + ## state: present + ## encryption: "none" + ## register: output + ## + ## - assert: + ## that: + ## - output is not changed + ## - not output.encryption + ## + ## # ============================================================ - name: Delete encryption test s3 bucket s3_bucket: