From 063dc7b7d777803be153551d0f835057c175d54e Mon Sep 17 00:00:00 2001
From: Tyler Schwend
Date: Wed, 2 Mar 2022 14:46:18 -0500
Subject: [PATCH 1/5] feat: support enforced bucket owner object ownership
---
 plugins/modules/s3_bucket.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/plugins/modules/s3_bucket.py b/plugins/modules/s3_bucket.py
index 700306a97e0..a948868f3ec 100644
--- a/plugins/modules/s3_bucket.py
+++ b/plugins/modules/s3_bucket.py
@@ -124,12 +124,16 @@
 object_ownership:
 description:
 - Allow bucket's ownership controls.
+ - C(BucketOwnerEnforced) - ACLs are disabled and no longer affect access permissions to your
+ bucket. Requests to set or update ACLs fail. However, requests to read ACLs are supported.
+ Bucket owner has full ownership and control.
+Object writer no longer has full ownership and control.
 - C(BucketOwnerPreferred) - Objects uploaded to the bucket change ownership to the bucket owner
 if the objects are uploaded with the bucket-owner-full-control canned ACL.
 - C(ObjectWriter) - The uploading account will own the object
 if the object is uploaded with the bucket-owner-full-control canned ACL.
 - This option cannot be used together with a I(delete_object_ownership) definition.
- choices: [ 'BucketOwnerPreferred', 'ObjectWriter' ]
+ choices: [ 'BucketOwnerEnforced', 'BucketOwnerPreferred', 'ObjectWriter' ]
 type: str
 version_added: 2.0.0
 delete_object_ownership:
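Review bot: The new C(BucketOwnerEnforced) description only covers what happens to new ACL requests; it should also say what enforcing does to a bucket that already relies on ACL grants, because that is the change an operator can be surprised by. Once the control is set, any cross-account read/write access that was granted through bucket or object ACLs stops applying, so access has to come from a bucket policy or IAM instead. I would add one more line after "Bucket owner has full ownership and control.": `Existing ACL grants on the bucket and its objects stop granting access once this is set; grant access via bucket policy or IAM instead.` This is the documented behaviour of the S3 setting rather than anything visible in the hunk, so check the wording against the S3 Object Ownership documentation before merging.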
@@ -1016,7 +1020,7 @@ def main():
 block_public_policy=dict(type='bool', default=False),
 restrict_public_buckets=dict(type='bool', default=False))),
 delete_public_access=dict(type='bool', default=False),
- object_ownership=dict(type='str', choices=['BucketOwnerPreferred', 'ObjectWriter']),
+ object_ownership=dict(type='str', choices=['BucketOwnerEnforced', 'BucketOwnerPreferred', 'ObjectWriter']),
 delete_object_ownership=dict(type='bool', default=False),
 acl=dict(type='str', choices=['private', 'public-read', 'public-read-write', 'authenticated-read']),
 validate_bucket_name=dict(type='bool', default=True),
From 8c3604ab09662eb8381f5e0c041ab1d786d15116 Mon Sep 17 00:00:00 2001
From: Tyler Schwend
Date: Wed, 2 Mar 2022 14:49:43 -0500
Subject: [PATCH 2/5] tests: add tests for bucket owner enforcement
---
 .../s3_bucket/tasks/ownership_controls.yml | 30 +++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/ownership_controls.yml b/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/ownership_controls.yml
index 209b658241b..683ff06597c 100644
--- a/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/ownership_controls.yml
+++ b/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/ownership_controls.yml
@@ -51,7 +51,7 @@
 - output.object_ownership
 - output.object_ownership == 'ObjectWriter'
 
- - name: 'update s3 bucket ownership controls'
+ - name: 'update s3 bucket ownership preferred controls'
 s3_bucket:
 name: '{{ local_bucket_name }}'
 state: present
@@ -64,7 +64,7 @@
 - output.object_ownership
 - output.object_ownership == 'BucketOwnerPreferred'
 
- - name: 'test idempotency update s3 bucket ownership controls'
+ - name: 'test idempotency update s3 bucket ownership preferred controls'
 s3_bucket:
 name: '{{ local_bucket_name }}'
 state: present
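Review bot: Adding 'BucketOwnerEnforced' to the object_ownership choices leaves its interaction with the `acl` argument two lines below in the same argument_spec unhandled: the new docs state that ACL writes fail once ownership is enforced, so a play that sets both `object_ownership: BucketOwnerEnforced` and `acl: ...` would, as far as I can tell, fail at the S3 API with an opaque error instead of a clear validation message. Whether the module applies the ACL before or after the ownership control is outside this hunk, so this is inferred from the documented semantics, not from visible code. I would reject the combination up front, assuming the usual `module = AnsibleAWSModule(...)` pattern, with `if module.params.get('object_ownership') == 'BucketOwnerEnforced' and module.params.get('acl'): module.fail_json(msg="acl cannot be set when object_ownership is BucketOwnerEnforced")`, or document the restriction next to the existing delete_object_ownership note. main() continues outside the hunk.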
@@ -77,6 +77,32 @@
 - output.object_ownership
 - output.object_ownership == 'BucketOwnerPreferred'
 
+ - name: 'update s3 bucket ownership enforced controls'
+ s3_bucket:
+ name: '{{ local_bucket_name }}'
+ state: present
+ object_ownership: BucketOwnerEnforced
+ register: output
+
+ - assert:
+ that:
+ - output.changed
+ - output.object_ownership
+ - output.object_ownership == 'BucketOwnerEnforced'
+
+ - name: 'test idempotency update s3 bucket ownership preferred controls'
+ s3_bucket:
+ name: '{{ local_bucket_name }}'
+ state: present
+ object_ownership: BucketOwnerEnforced
+ register: output
+
+ - assert:
+ that:
+ - output.changed is false
+ - output.object_ownership
+ - output.object_ownership == 'BucketOwnerEnforced'
+
 - name: 'delete s3 bucket ownership controls'
 s3_bucket:
 name: '{{ local_bucket_name }}'
From bd4cae8139713cf945cf76eac5a7fa3fa487f728 Mon Sep 17 00:00:00 2001
From: Tyler Schwend
Date: Fri, 4 Mar 2022 08:31:52 -0500
Subject: [PATCH 3/5] changelog
---
 changelogs/fragments/694-s3_bucket-owner_enforcement.yml | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 changelogs/fragments/694-s3_bucket-owner_enforcement.yml
diff --git a/changelogs/fragments/694-s3_bucket-owner_enforcement.yml b/changelogs/fragments/694-s3_bucket-owner_enforcement.yml
new file mode 100644
index 00000000000..5b3363dbd95
--- /dev/null
+++ b/changelogs/fragments/694-s3_bucket-owner_enforcement.yml
@@ -0,0 +1,2 @@
+minor_changes:
+ - s3_bucket - Add support for enforced bucket owner object ownership.
From aef45912f0c5efd3519caf4d9704fc9c3ba12f5b Mon Sep 17 00:00:00 2001
From: Tyler Schwend
Date: Fri, 4 Mar 2022 13:37:22 -0500
Subject: [PATCH 4/5] fix: missing indent
---
 plugins/modules/s3_bucket.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/plugins/modules/s3_bucket.py b/plugins/modules/s3_bucket.py
index a948868f3ec..a3f54707999 100644
--- a/plugins/modules/s3_bucket.py
+++ b/plugins/modules/s3_bucket.py
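Review bot: The idempotency task added for the enforced setting is misnamed: `- name: 'test idempotency update s3 bucket ownership preferred controls'` is copied from the BucketOwnerPreferred task above but runs with `object_ownership: BucketOwnerEnforced`, so a failure here would be reported under the wrong name; rename it to `- name: 'test idempotency update s3 bucket ownership enforced controls'`. The new tasks also only cover the Preferred-to-Enforced transition on a bucket that carries no ACL grants, which is the easy path. A task that sets `acl` on the now-enforced bucket (which the module docs say S3 rejects, so either the module should fail cleanly or the test should pin whatever it does) and one that moves the bucket back to ObjectWriter would cover the transitions most likely to bite users. The task list continues outside the hunk.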
@@ -126,8 +126,8 @@
 - Allow bucket's ownership controls.
 - C(BucketOwnerEnforced) - ACLs are disabled and no longer affect access permissions to your
 bucket. Requests to set or update ACLs fail. However, requests to read ACLs are supported.
- Bucket owner has full ownership and control.
-Object writer no longer has full ownership and control.
+ Bucket owner has full ownership and control. Object writer no longer has full ownership and
+ control.
 - C(BucketOwnerPreferred) - Objects uploaded to the bucket change ownership to the bucket owner
 if the objects are uploaded with the bucket-owner-full-control canned ACL.
 - C(ObjectWriter) - The uploading account will own the object
From 0ea71648b35c7713dea0514f7b405610a9d41434 Mon Sep 17 00:00:00 2001
From: Alina Buzachis
Date: Thu, 24 Mar 2022 11:02:23 +0100
Subject: [PATCH 5/5] add version_added for BucketOwnerEnforced option
Signed-off-by: Alina Buzachis
---
 changelogs/fragments/694-s3_bucket-owner_enforcement.yml | 2 +-
 plugins/modules/s3_bucket.py | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/changelogs/fragments/694-s3_bucket-owner_enforcement.yml b/changelogs/fragments/694-s3_bucket-owner_enforcement.yml
index 5b3363dbd95..1c3d29b3677 100644
--- a/changelogs/fragments/694-s3_bucket-owner_enforcement.yml
+++ b/changelogs/fragments/694-s3_bucket-owner_enforcement.yml
@@ -1,2 +1,2 @@
 minor_changes:
- - s3_bucket - Add support for enforced bucket owner object ownership.
+ - s3_bucket - Add support for enforced bucket owner object ownership (https://github.com/ansible-collections/amazon.aws/pull/694).
diff --git a/plugins/modules/s3_bucket.py b/plugins/modules/s3_bucket.py
index a3f54707999..9b66aa45209 100644
--- a/plugins/modules/s3_bucket.py
+++ b/plugins/modules/s3_bucket.py
@@ -133,6 +133,7 @@
 - C(ObjectWriter) - The uploading account will own the object
 if the object is uploaded with the bucket-owner-full-control canned ACL.
 - This option cannot be used together with a I(delete_object_ownership) definition.
+ - C(BucketOwnerEnforced) has been added in version 3.2.0.
 choices: [ 'BucketOwnerEnforced', 'BucketOwnerPreferred', 'ObjectWriter' ]
 type: str
 version_added: 2.0.0