Provide support for AWS S3 Public Access Blocking

[sky-amoncadot]

SUMMARY

Support public access blocking on S3 buckets.

ISSUE TYPE

• Feature Idea

COMPONENT NAME

aws_s3.py and/or s3_bucket.py

ADDITIONAL INFORMATION

Original feature request here.

AWS release info.

Public access blocking is a new AWS S3 capability that ensures a bucket is much more private than even the default and that the bucket cannot subsequently be configured to have some public capabilities.

This is detached from S3 bucket policies or permissions as it is a separate API entirely. Its part of S3Control in botocore if I recall. An example of what is being requested as a native feature in Ansible:

aws s3api put-public-access-block --bucket "${BUCKET_NAME}" --public-access-block-configuration '{
  "BlockPublicAcls": true,
  "IgnorePublicAcls": true,
  "BlockPublicPolicy": true,
  "RestrictPublicBuckets": true
}'

(Above snippet taken from here.)

[ansibullbot]

Files identified in the description:

• plugins/modules/s3_bucket.py

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

click here for bot help

[ansibullbot]

cc @jillr @s-hertel @tremble @wimnat
click here for bot help

[zeten30]

@sky-amoncadot I've hit the same problem with blocking public access. I'll try to prepare a merge request soon.

[zeten30]

So I have a working prototype:)

- hosts: localhost
  gather_facts: false

  tasks:
    - amazon.aws.s3_bucket:
        name: "<bucket_name>"
        state: present
        public_access:
          BlockPublicAcls: true
          # IgnorePublicAcls: false
          # BlockPublicPolicy: false
          # RestrictPublicBuckets: false
      register: module_result

    - debug:
        var: module_result

ansible-playbook -i ../inventory/ s3-bucket-testing.yml  

PLAY [localhost] **************************************************************************************************************************

TASK [amazon.aws.s3_bucket] ***************************************************************************************************************
changed: [localhost]

TASK [debug] ******************************************************************************************************************************
ok: [localhost] => 
  module_result:
    changed: true
    failed: false
    name: <bucket_name>
    policy: null
    public_access_block:
      BlockPublicAcls: true
      BlockPublicPolicy: false
      IgnorePublicAcls: false
      RestrictPublicBuckets: false
    requester_pays: false
    tags: {}
    versioning:
      MfaDelete: Disabled
      Versioning: Disabled

PLAY RECAP ********************************************************************************************************************************
localhost                  : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

aws s3api get-public-access-block --bucket <bucket_name>
{
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": true,
        "IgnorePublicAcls": false,
        "BlockPublicPolicy": false,
        "RestrictPublicBuckets": false
    }
}

I'll do few more tests & prepare merge request.

[zeten30]

@sky-amoncadot another 'related' pull request:) - ansible-collections/community.aws#260