diff --git a/changelogs/fragments/694-s3_bucket-owner_enforcement.yml b/changelogs/fragments/694-s3_bucket-owner_enforcement.yml
new file mode 100644
index 00000000000..1c3d29b3677
--- /dev/null
+++ b/changelogs/fragments/694-s3_bucket-owner_enforcement.yml
@@ -0,0 +1,2 @@
+minor_changes:
+ - s3_bucket - Add support for enforced bucket owner object ownership (https://github.com/ansible-collections/amazon.aws/pull/694).
diff --git a/plugins/modules/s3_bucket.py b/plugins/modules/s3_bucket.py
index 700306a97e0..9b66aa45209 100644
--- a/plugins/modules/s3_bucket.py
+++ b/plugins/modules/s3_bucket.py
@@ -124,12 +124,17 @@
 object_ownership:
 description:
 - Allow bucket's ownership controls.
+ - C(BucketOwnerEnforced) - ACLs are disabled and no longer affect access permissions to your
+ bucket. Requests to set or update ACLs fail. However, requests to read ACLs are supported.
+ Bucket owner has full ownership and control. Object writer no longer has full ownership and
+ control.
 - C(BucketOwnerPreferred) - Objects uploaded to the bucket change ownership to the bucket owner if the objects are uploaded with the bucket-owner-full-control canned ACL.
 - C(ObjectWriter) - The uploading account will own the object if the object is uploaded with the bucket-owner-full-control canned ACL.
 - This option cannot be used together with a I(delete_object_ownership) definition.
- choices: [ 'BucketOwnerPreferred', 'ObjectWriter' ]
+ - C(BucketOwnerEnforced) has been added in version 3.2.0.
+ choices: [ 'BucketOwnerEnforced', 'BucketOwnerPreferred', 'ObjectWriter' ]
 type: str
 version_added: 2.0.0
 delete_object_ownership:
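Review bot: The new C(BucketOwnerEnforced) description states that requests to set or update ACLs fail, but neither this description nor the argument spec in the `@@ -1016,7 +1021,7 @@ def main():` hunk says what happens when it is combined with the module's own I(acl) option, whose choices include C(public-read) and C(public-read-write). Unless the bucket-ACL code path (outside both hunks) already skips the ACL request for an enforced bucket, a play that sets both will fail only at runtime against S3 rather than at argument validation. Consider adding a description line such as `- When C(BucketOwnerEnforced) is set, I(acl) cannot be used to change permissions; the ACL request is rejected by S3.`, and, since C(mutually_exclusive) cannot express a value-dependent conflict, an explicit fail_json() check early in main() when I(object_ownership) is C(BucketOwnerEnforced) and I(acl) is also supplied. The existing "cannot be used together with I(delete_object_ownership)" sentence is the natural place to extend.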
@@ -1016,7 +1021,7 @@ def main():
 block_public_policy=dict(type='bool', default=False),
 restrict_public_buckets=dict(type='bool', default=False))),
 delete_public_access=dict(type='bool', default=False),
- object_ownership=dict(type='str', choices=['BucketOwnerPreferred', 'ObjectWriter']),
+ object_ownership=dict(type='str', choices=['BucketOwnerEnforced', 'BucketOwnerPreferred', 'ObjectWriter']),
 delete_object_ownership=dict(type='bool', default=False),
 acl=dict(type='str', choices=['private', 'public-read', 'public-read-write', 'authenticated-read']),
 validate_bucket_name=dict(type='bool', default=True),
diff --git a/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/ownership_controls.yml b/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/ownership_controls.yml
index 209b658241b..683ff06597c 100644
--- a/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/ownership_controls.yml
+++ b/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/ownership_controls.yml
@@ -51,7 +51,7 @@
 - output.object_ownership
 - output.object_ownership == 'ObjectWriter'
- - name: 'update s3 bucket ownership controls'
+ - name: 'update s3 bucket ownership preferred controls'
 s3_bucket:
 name: '{{ local_bucket_name }}'
 state: present
@@ -64,7 +64,7 @@
 - output.object_ownership
 - output.object_ownership == 'BucketOwnerPreferred'
- - name: 'test idempotency update s3 bucket ownership controls'
+ - name: 'test idempotency update s3 bucket ownership preferred controls'
 s3_bucket:
 name: '{{ local_bucket_name }}'
 state: present
@@ -77,6 +77,32 @@
 - output.object_ownership
 - output.object_ownership == 'BucketOwnerPreferred'
+ - name: 'update s3 bucket ownership enforced controls'
+ s3_bucket:
+ name: '{{ local_bucket_name }}'
+ state: present
+ object_ownership: BucketOwnerEnforced
+ register: output
+
+ - assert:
+ that:
+ - output.changed
+ - output.object_ownership
+ - output.object_ownership == 'BucketOwnerEnforced'
+
+ - name: 'test idempotency update s3 bucket ownership preferred controls'
+ s3_bucket:
+ name: '{{ local_bucket_name }}'
+ state: present
+ object_ownership: BucketOwnerEnforced
+ register: output
+
+ - assert:
+ that:
+ - output.changed is false
+ - output.object_ownership
+ - output.object_ownership == 'BucketOwnerEnforced'
+
 - name: 'delete s3 bucket ownership controls'
 s3_bucket:
 name: '{{ local_bucket_name }}'
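Review bot: The second added task is named 'test idempotency update s3 bucket ownership preferred controls' but sets C(BucketOwnerEnforced); the name was evidently copied from the preceding BucketOwnerPreferred idempotency task and will mislabel any failure in the test output. Rename it to `- name: 'test idempotency update s3 bucket ownership enforced controls'`. The new tasks only assert on the module's returned object_ownership value, so they do not exercise the interaction with the I(acl) option that the module documentation says must fail under enforced ownership; a task expecting failure when both are set would pin that behaviour down. The enclosing task block starts before this hunk.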