-
Notifications
You must be signed in to change notification settings - Fork 342
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Provide support for AWS S3 Public Access Blocking #171
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi Milan,
thanks for taking the time to submit this. In general it's better to use options/suboptions rather than manually validating things later. It would also be good if you could test that you don't change values when you haven't intentionally set them.
plugins/modules/s3_bucket.py
Outdated
return {} | ||
|
||
|
||
def sanitize_public_access_parameter(public_access_block): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This would be better handled as "suboptions" on the parameter, will show how below.
plugins/modules/s3_bucket.py
Outdated
@@ -691,7 +763,8 @@ def main(): | |||
versioning=dict(type='bool'), | |||
ceph=dict(default=False, type='bool'), | |||
encryption=dict(choices=['none', 'AES256', 'aws:kms']), | |||
encryption_key_id=dict() | |||
encryption_key_id=dict(), | |||
public_access=dict(type='dict') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
public_access=dict(type='dict') | |
public_access=dict(type='dict', options=dict( | |
block_public_acls=dict(type='bool'), | |
ignore_public_acls=dict(type='bool'), | |
block_public_policy=dict(type='bool'), | |
restrict_public_buckets=dict(type='bool')), |
This can be converted to the format used by boto3 using snake_dict_to_camel_dict (and back again using camel_dict_to_snake_dict) these functions can be found in ansible.module_utils.common.dict_transformations
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, that will be much better. I was not aware about this 'dict in dict'.
s3_bucket: | ||
name: '{{ bucket_name }}' | ||
state: present | ||
public_access: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please also add a test to the 'basic' suite to make sure your PR doesn't change the default behaviour.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think I get this. Can you please explain in further detail? I don't see any file named basic in tests/. I've followed what's already in place for 'encryption_kms' test. It's in inventory and in tasks/. Thanks in advance.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Simplest version would be to tweak https://github.com/ansible-collections/amazon.aws/blob/main/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/simple.yml and make sure that the returned values for public_access match those of Amazon's defaults if you didn't pass public_access.
The intention is to ensure that in adding the new public_access option you've not changed the default behaviour when someone creates a bucket.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, makes perfect sense now:) TY.
@tremble Please check the latest changes. I hope I've adapted all requested changes. I'm stuck with failing tests. All T=aws/X.Y/1 are throwing:
Isn't it a testing user permissions problem? Similar to: https://aws.amazon.com/premiumsupport/knowledge-center/s3-access-denied-bucket-policy/ I have no issues when running unit test locally. |
I think that testing account is probably missing: {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:GetBucketPublicAccessBlock",
"s3:PutBucketPublicAccessBlock"
],
"Resource": "*"
}
]
} |
# Before applying policy
$ aws --profile testing_profile s3api get-public-access-block --bucket testing-bucket-ansible-7
An error occurred (AccessDenied) when calling the GetPublicAccessBlock operation: Access Denied
# After applying policy
$ aws --profile testing_profile s3api get-public-access-block --bucket testing-bucket-ansible-7
{
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"IgnorePublicAcls": true,
"BlockPublicPolicy": true,
"RestrictPublicBuckets": true
}
}
# Other S3 API calls (not defined in policy)
aws --profile testing_profile s3api get-bucket-policy --bucket testing-bucket-ansible-7
An error occurred (AccessDenied) when calling the GetBucketPolicy operation: Access Denied |
Got rid of unnecessary API public block calls .. but it's still failing due to permission in public_access test. Local tests are ok.
|
Please submit a PR against the CI policy: https://github.com/mattclay/aws-terminator/blob/master/aws/policy/storage-services.yaml |
Addind Get/PubPublicAccessBlock Fix failing integration test <ansible-collections/amazon.aws#171>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've realised there's one small thing I forgot to request: please add a changelog entry. CI policy has now been updated so we're good to merge once we have a changelog entry
Many thanks for your efforts on this. I'm sorry it's taken so long. Given how long you've been waiting on us for this I've added a changelog fragment and some missing version_added parameters to the documentation. |
@tremble Thank you very much. I was about to add changelog later today, but you were faster;) |
…y added by ec2_argument_spec (ansible-collections#171) This commit was initially merged in https://github.com/ansible-collections/community.aws See: ansible-collections/community.aws@8d6b652
…y added by ec2_argument_spec (ansible-collections#171) This commit was initially merged in https://github.com/ansible-collections/community.aws -- 317 -- See: ansible-collections/community.aws@8d6b652
…y added by ec2_argument_spec (ansible-collections#171) This commit was initially merged in https://github.com/ansible-collections/community.aws See: ansible-collections/community.aws@8d6b652
…y added by ec2_argument_spec (ansible-collections#171) This commit was initially merged in https://github.com/ansible-collections/community.aws See: ansible-collections/community.aws@8d6b652
…y added by ec2_argument_spec (ansible-collections#171) This commit was initially merged in https://github.com/ansible-collections/community.aws See: ansible-collections/community.aws@8d6b652
…y added by ec2_argument_spec (ansible-collections#171) This commit was initially merged in https://github.com/ansible-collections/community.aws See: ansible-collections/community.aws@8d6b652
…y added by ec2_argument_spec (ansible-collections#171)
…y added by ec2_argument_spec (ansible-collections#171)
…y added by ec2_argument_spec (ansible-collections#171)
…y added by ec2_argument_spec (ansible-collections#171) This commit was initially merged in https://github.com/ansible-collections/community.aws See: ansible-collections/community.aws@8d6b652
…y added by ec2_argument_spec (ansible-collections#171) This commit was initially merged in https://github.com/ansible-collections/community.aws See: ansible-collections/community.aws@8d6b652
…y added by ec2_argument_spec (ansible-collections#171) This commit was initially merged in https://github.com/ansible-collections/community.aws See: ansible-collections/community.aws@8d6b652
…y added by ec2_argument_spec (ansible-collections#171) This commit was initially merged in https://github.com/ansible-collections/community.aws See: ansible-collections/community.aws@8d6b652
…y added by ec2_argument_spec (ansible-collections#171) This commit was initially merged in https://github.com/ansible-collections/community.aws See: ansible-collections/community.aws@8d6b652
…y added by ec2_argument_spec (ansible-collections#171) This commit was initially merged in https://github.com/ansible-collections/community.aws See: ansible-collections/community.aws@8d6b652
…y added by ec2_argument_spec (ansible-collections#171) This commit was initially merged in https://github.com/ansible-collections/community.aws See: ansible-collections/community.aws@8d6b652
…y added by ec2_argument_spec (ansible-collections#171) This commit was initially merged in https://github.com/ansible-collections/community.aws See: ansible-collections/community.aws@8d6b652
…y added by ec2_argument_spec (ansible-collections#171) This commit was initially merged in https://github.com/ansible-collections/community.aws See: ansible-collections/community.aws@8d6b652
…y added by ec2_argument_spec (ansible-collections#171) This commit was initially merged in https://github.com/ansible-collections/community.aws See: ansible-collections/community.aws@8d6b652
SUMMARY
Provide support to configure public access block on S3 bucket (including tests).
Fixes #144
ISSUE TYPE
COMPONENT NAME
s3_bucket
ADDITIONAL INFORMATION