Disable S3 tests related to removing bucket encryption (#1395) (#1398)
[PR #1395/15d92a74 backport][stable-5] Disable S3 tests related to removing bucket encryption

This is a backport of PR #1395 as merged into main (15d92a7).
SUMMARY
Amazon now enables S3-SSE bucket encryption by default and it's not possible to disable it.  Disable the relevant tests but leave a minimal framework in place.
ISSUE TYPE

Tests Pull Request

COMPONENT NAME
s3_bucket
ADDITIONAL INFORMATION

Reviewed-by: Mark Chappell
patchback[bot] authored Mar 3, 2023
1 parent 83dd180 commit e274f54
Showing 5 changed files with 98 additions and 85 deletions.
2 changes: 2 additions & 0 deletions changelogs/fragments/1395-s3-encryption.yml
@@ -0,0 +1,2 @@
trivial:
- s3_bucket - disabled tests related to disabling encryption on S3 buckets, this is no longer supported by AWS, and encryption is enabled by default (https://github.com/ansible-collections/amazon.aws/pull/1395).
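Review bot: The fragment text describes only the disabled tests, but the same commit also adds a user-facing note to the `encryption` option documentation in plugins/modules/s3_bucket.py. Consider mentioning the documentation note in this entry so the changelog record matches what the commit touches.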
1 change: 1 addition & 0 deletions plugins/modules/s3_bucket.py
Expand Up @@ -74,6 +74,7 @@
description:
- Describes the default server-side encryption to apply to new objects in the bucket.
In order to remove the server-side encryption, the encryption needs to be set to 'none' explicitly.
- "Note: Since January 2023 Amazon S3 doesn't support disabling encryption on S3 buckets."
choices: [ 'none', 'AES256', 'aws:kms' ]
type: str
encryption_key_id:
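Review bot: The added note contradicts the lines around it: the description directly above still tells users to set the encryption to 'none' to remove server-side encryption, and `choices` still lists 'none'. The note should state what the module does when `encryption: none` is passed now (fails, warns, or reports no change), and the "In order to remove the server-side encryption" sentence should be reworded or qualified so a playbook author does not assume the bucket ends up unencrypted.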
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@
bucket_key_enabled: true
register: output

- name: Assert for 'Enable bucket key for bucket with aws:kms encryption'
- name: "Assert for 'Enable bucket key for bucket with aws:kms encryption'"
assert:
that:
- output.changed
Expand All @@ -45,40 +45,43 @@
bucket_key_enabled: true
register: output

- name: Assert for 'Re-enable bucket key for bucket with aws:kms encryption (idempotent)''
- name: "Assert for 'Re-enable bucket key for bucket with aws:kms encryption (idempotent)'"
assert:
that:
- not output.changed
- output.encryption

# ============================================================

- name: Disable encryption from bucket
s3_bucket:
name: "{{ local_bucket_name }}"
encryption: none
bucket_key_enabled: false
register: output

- name: Assert for 'Disable encryption from bucket'
assert:
that:
- output.changed
- not output.encryption

- name: Disable encryption from bucket (idempotent)
s3_bucket:
name: "{{ local_bucket_name }}"
bucket_key_enabled: true
register: output

- name: Assert for 'Disable encryption from bucket (idempotent)'
assert:
that:
- output is not changed
- not output.encryption

# ============================================================
## # ============================================================
##
## AWS S3 no longer supports disabling S3 encryption
## https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-encryption-faq.html
##
## - name: Disable encryption from bucket
## s3_bucket:
## name: "{{ local_bucket_name }}"
## encryption: none
## bucket_key_enabled: false
## register: output
##
## - name: Assert for 'Disable encryption from bucket'
## assert:
## that:
## - output.changed
## - not output.encryption
##
## - name: Disable encryption from bucket (idempotent)
## s3_bucket:
## name: "{{ local_bucket_name }}"
## bucket_key_enabled: true
## register: output
##
## - name: Assert for 'Disable encryption from bucket (idempotent)'
## assert:
## that:
## - output is not changed
## - not output.encryption
##
## # ============================================================

- name: Delete encryption test s3 bucket
s3_bucket:
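Review bot: Commenting out both "Disable encryption from bucket" tasks leaves this file with no task that passes `encryption: none`, so the module's behaviour for that input is no longer tested. Rather than keeping the old tasks as `##` comments, consider replacing them with one task that sets `encryption: none` and asserts the outcome the module now produces (for example that `output.encryption` is still populated), which pins the behaviour against the new AWS default. Separately, the commented idempotency task passes `bucket_key_enabled: true` and no `encryption: none`, unlike the task before it; that is worth checking before the block is ever re-enabled.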
Original file line number Diff line number Diff line change
Expand Up @@ -42,33 +42,36 @@
- output.encryption
- output.encryption.SSEAlgorithm == 'aws:kms'

# ============================================================

- name: Disable encryption from bucket
s3_bucket:
name: '{{ local_bucket_name }}'
state: present
encryption: "none"
register: output

- assert:
that:
- output.changed
- not output.encryption

- name: Disable encryption from bucket
s3_bucket:
name: '{{ local_bucket_name }}'
state: present
encryption: "none"
register: output

- assert:
that:
- output is not changed
- not output.encryption

# ============================================================
## # ============================================================
##
## AWS S3 no longer supports disabling S3 encryption
## https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-encryption-faq.html
##
## - name: Disable encryption from bucket
## s3_bucket:
## name: '{{ local_bucket_name }}'
## state: present
## encryption: "none"
## register: output
##
## - assert:
## that:
## - output.changed
## - not output.encryption
##
## - name: Disable encryption from bucket
## s3_bucket:
## name: '{{ local_bucket_name }}'
## state: present
## encryption: "none"
## register: output
##
## - assert:
## that:
## - output is not changed
## - not output.encryption
##
## # ============================================================

- name: Delete encryption test s3 bucket
s3_bucket:
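Review bot: The two commented-out tasks in this block are both named "Disable encryption from bucket", although the second one is the idempotency check (it asserts `output is not changed`). If the block is kept in case the tests return, name the second task "(idempotent)" as the bucket-key test file does; if the AWS change is permanent, deleting the tasks and keeping only the short explanation with the FAQ link would leave less dead YAML to maintain across the three test files.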
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,8 @@

- assert:
that:
- output.changed
# SSE is now enabled by default
# - output.changed
- output.encryption
- output.encryption.SSEAlgorithm == 'AES256'
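Review bot: Commenting out `- output.changed` leaves the change state of this task unasserted, and the remaining checks (`output.encryption` and `SSEAlgorithm == 'AES256'`) describe the state that AWS now applies by default, so they would pass even if the module made no call. If the task is now reliably a no-op, assert `output is not changed` instead; if the result depends on the account or bucket, say so in the comment next to the disabled assertion.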

Expand All @@ -42,33 +43,36 @@
- output.encryption
- output.encryption.SSEAlgorithm == 'AES256'

# ============================================================

- name: Disable encryption from bucket
s3_bucket:
name: '{{ local_bucket_name }}'
state: present
encryption: "none"
register: output

- assert:
that:
- output.changed
- not output.encryption

- name: Disable encryption from bucket
s3_bucket:
name: '{{ local_bucket_name }}'
state: present
encryption: "none"
register: output

- assert:
that:
- output is not changed
- not output.encryption

# ============================================================
## # ============================================================
##
## AWS S3 no longer supports disabling S3 encryption
## https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-encryption-faq.html
##
## - name: Disable encryption from bucket
## s3_bucket:
## name: '{{ local_bucket_name }}'
## state: present
## encryption: "none"
## register: output
##
## - assert:
## that:
## - output.changed
## - not output.encryption
##
## - name: Disable encryption from bucket
## s3_bucket:
## name: '{{ local_bucket_name }}'
## state: present
## encryption: "none"
## register: output
##
## - assert:
## that:
## - output is not changed
## - not output.encryption
##
## # ============================================================

- name: Delete encryption test s3 bucket
s3_bucket: