Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AWS dropped support for unencrypted S3 buckets #1401

Closed
1 task done
dgsangoma opened this issue Mar 2, 2023 · 1 comment
Closed
1 task done

AWS dropped support for unencrypted S3 buckets #1401

dgsangoma opened this issue Mar 2, 2023 · 1 comment

Comments

@dgsangoma
Copy link

Summary

I think the option to set "encryption: none" in the s3_bucket module is no longer supported by AWS per https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-encryption-faq.html. We were using this until recently when it started failing with a confusing "Bucket encryption failed to apply in the expected time" error for an existing bucket because AWS has seemingly been slowly enabling AES256 on all existing unencrypted buckets.

build	01-Mar-2023 19:45:53	redirecting (type: modules) ansible.builtin.s3_bucket to amazon.aws.s3_bucket
build	01-Mar-2023 19:46:56	fatal: [localhost]: FAILED! => changed=false 
build	01-Mar-2023 19:46:56	  live_encryption:
build	01-Mar-2023 19:46:56	    SSEAlgorithm: AES256
build	01-Mar-2023 19:46:56	  msg: Bucket encryption failed to apply in the expected time
build	01-Mar-2023 19:46:56	  requested_encryption: null

Issue Type

Bug Report

Component Name

s3_bucket

Ansible Version

$ ansible --version
ansible [core 2.11.6]
  config file = /Users/user/Documents/dev/aws-infrastructure/ansible.cfg
  configured module search path = ['/Users/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/user/Documents/dev/aws-infrastructure/.venv/lib/python3.6/site-packages/ansible
  ansible collection location = /Users/user/.ansible/collections:/usr/share/ansible/collections
  executable location = /Users/user/Documents/dev/aws-infrastructure/.venv/bin/ansible
  python version = 3.6.15 (default, Nov 29 2022, 15:07:30) [GCC Apple LLVM 14.0.0 (clang-1400.0.29.202)]
  jinja version = 3.0.3
  libyaml = True

Collection Versions

$ ansible-galaxy collection list

# /Users/user/Documents/dev/aws-infrastructure/.venv/lib/python3.6/site-packages/ansible_collections
Collection                    Version
----------------------------- -------
amazon.aws                    1.5.1
ansible.netcommon             2.4.0
ansible.posix                 1.3.0
ansible.utils                 2.4.2
ansible.windows               1.7.3
arista.eos                    2.2.0
awx.awx                       19.4.0
azure.azcollection            1.10.0
check_point.mgmt              2.1.1
chocolatey.chocolatey         1.1.0
cisco.aci                     2.1.0
cisco.asa                     2.1.0
cisco.intersight              1.0.17
cisco.ios                     2.5.0
cisco.iosxr                   2.5.0
cisco.meraki                  2.5.0
cisco.mso                     1.2.0
cisco.nso                     1.0.3
cisco.nxos                    2.7.0
cisco.ucs                     1.6.0
cloudscale_ch.cloud           2.2.0
community.aws                 1.5.0
community.azure               1.1.0
community.crypto              1.9.6
community.digitalocean        1.11.0
community.docker              1.10.0
community.fortios             1.0.0
community.general             3.8.1
community.google              1.0.0
community.grafana             1.2.3
community.hashi_vault         1.4.1
community.hrobot              1.2.0
community.kubernetes          1.2.1
community.kubevirt            1.0.0
community.libvirt             1.0.2
community.mongodb             1.3.1
community.mysql               2.3.1
community.network             3.0.0
community.okd                 1.1.2
community.postgresql          1.5.0
community.proxysql            1.3.0
community.rabbitmq            1.1.0
community.routeros            1.2.0
community.skydive             1.0.0
community.sops                1.1.0
community.vmware              1.15.0
community.windows             1.7.0
community.zabbix              1.5.0
containers.podman             1.8.1
cyberark.conjur               1.1.0
cyberark.pas                  1.0.7
dellemc.enterprise_sonic      1.1.0
dellemc.openmanage            3.6.0
dellemc.os10                  1.1.1
dellemc.os6                   1.0.7
dellemc.os9                   1.0.4
f5networks.f5_modules         1.12.0
fortinet.fortimanager         2.1.3
fortinet.fortios              2.1.2
frr.frr                       1.0.3
gluster.gluster               1.0.2
google.cloud                  1.0.2
hetzner.hcloud                1.6.0
hpe.nimble                    1.1.3
ibm.qradar                    1.0.3
infinidat.infinibox           1.2.4
inspur.sm                     1.3.0
junipernetworks.junos         2.6.0
kubernetes.core               1.2.1
mellanox.onyx                 1.0.0
netapp.aws                    21.6.0
netapp.azure                  21.9.0
netapp.cloudmanager           21.11.0
netapp.elementsw              21.6.1
netapp.ontap                  21.12.0
netapp.um_info                21.7.0
netapp_eseries.santricity     1.2.13
netbox.netbox                 3.3.0
ngine_io.cloudstack           2.2.2
ngine_io.exoscale             1.0.0
ngine_io.vultr                1.1.0
openstack.cloud               1.5.1
openvswitch.openvswitch       2.0.2
ovirt.ovirt                   1.6.4
purestorage.flasharray        1.11.0
purestorage.flashblade        1.7.0
sensu.sensu_go                1.12.0
servicenow.servicenow         1.0.6
splunk.es                     1.0.2
t_systems_mms.icinga_director 1.23.0
theforeman.foreman            2.2.0
vyos.vyos                     2.6.0
wti.remote                    1.0.1

AWS SDK versions

$ pip show boto boto3 botocore

Name: boto
Version: 2.49.0
Summary: Amazon Web Services Library
Home-page: https://github.com/boto/boto/
Author: Mitch Garnaat
Author-email: [email protected]
License: MIT
Location: /Users/dgottlieb/Documents/dev/ca-aws-infrastructure/.venv/lib/python3.6/site-packages
Requires:
Required-by:
---
Name: boto3
Version: 1.20.2
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: /Users/dgottlieb/Documents/dev/ca-aws-infrastructure/.venv/lib/python3.6/site-packages
Requires: botocore, jmespath, s3transfer
Required-by:
---
Name: botocore
Version: 1.23.2
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: /Users/dgottlieb/Documents/dev/ca-aws-infrastructure/.venv/lib/python3.6/site-packages
Requires: jmespath, python-dateutil, urllib3
Required-by: awscli, boto3, s3transfer

Configuration

$ ansible-config dump --only-changed

OS / Environment

No response

Steps to Reproduce

- name: aws s3api create-bucket --bucket my_bucket
  s3_bucket:
    name: "my_bucket"
    state: present
    encryption: none
    versioning: false
    public_access:
      block_public_acls: true
      block_public_policy: true
      ignore_public_acls: true
      restrict_public_buckets: true

Expected Results

Expected task to succeed, but failed with a timeout error due to breaking AWS changes.

Actual Results

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
@tremble
Copy link
Contributor

tremble commented Mar 2, 2023

@dgsangoma,

Thanks for taking the time to open this issue.

Amazon have indeed dropped support for disabling encryption.

We merged a change yesterday which will reflect this: #1395

The docs have been updated to reflect this, however, since we (sort-of) support various S3 compatible services we've left the code in place to handle it.

@tremble tremble closed this as completed Mar 2, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants