OBS Bucket Policy parameter not exposed in huaweicloud_obs_bucket #382

Closed
thiagoeh opened this issue Jul 14, 2020 · 7 comments · Fixed by #407

Comments

@thiagoeh

When creating a bucket (huaweicloud_obs_bucket) there is no way to set the bucket policy. The bucket Policy has precedence over the bucket ACL.

In region ap-southeast-1, the created bucket assumes the Private bucket policy.
The bucket ACL setting is working as expected, but the bucket policy attribute is not exposed in the huaweicloud_obs_bucket resource.

Terraform Version

terraform version
Terraform v0.12.28
+ provider.huaweicloud v1.16.0

Affected Resource(s)

  • huaweicloud_obs_bucket

Terraform Configuration Files

resource "huaweicloud_obs_bucket" "bucket" {
  region        = var.region
  bucket        = var.obs_bucket_name
  acl           = "public-read"
} 

Expected Behavior

A publicly accessible OBS bucket

Actual Behavior

Bucket ACL is configured to allow unauthenticated access, but the access is still denied because of the Private Bucket Policy.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply

References

@niuzhenguo
Member

@ShiChangkuo Please have a look at this when you have time.

@ShiChangkuo
Collaborator

@thiagoeh Sorry, I don't get your point.

The bucket assumes the Private bucket policy (maybe created by other tools, I think), so unauthenticated users cannot access the bucket even if the acl is set to "public-read". (https://support.huaweicloud.com/intl/en-us/usermanual-obs/obs_03_0114.html)

@thiagoeh
Author

thiagoeh commented Jul 15, 2020

In my tests, the bucket was created through the Terraform provider using the huaweicloud_obs_bucket resource.
There are two bucket-level access control mechanisms in OBS:

  • Bucket Policy (currently not configurable through the Terraform provider)
  • Bucket ACL (configurable through the Terraform provider)

Currently, only the Bucket ACL is exposed in the huaweicloud_obs_bucket resource, through the acl parameter.
What I'm asking is to have an additional parameter in huaweicloud_obs_bucket exposing the Bucket Policy.

@ShiChangkuo
Collaborator

OK, will add an additional parameter called policy soon.

@thiagoeh
Author

I did some additional tests and found that it is possible to manage the OBS bucket policy through the s3_bucket_policy resource.

Instead of including an additional parameter in obs_bucket, I believe it would be simpler to just change the documentation suggesting the usage of s3_bucket_policy to manage the OBS Bucket Policy.

@niuzhenguo
Member

We plan to deprecate s3 related resources soon. Is it possible to add a new obs_bucket_policy?

@ShiChangkuo
Collaborator

@thiagoeh The policy format of obs_bucket_policy is different from that of s3_bucket_policy; you can get the description of the policy format from here.
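
An added example, not part of the thread and not the provider's own documentation: the reporter's bucket with its policy managed by a separate resource, as proposed above. It assumes a provider release that ships huaweicloud_obs_bucket_policy and accepts the OBS-native policy format; the statement values are constructed for illustration and grant object reads only.

```hcl
# Variables referenced by the configuration in the report.
variable "region" {
  type = string
}

variable "obs_bucket_name" {
  type = string
}

# The bucket exactly as in the report: only the ACL is set here.
resource "huaweicloud_obs_bucket" "bucket" {
  region = var.region
  bucket = var.obs_bucket_name
  acl    = "public-read"
}

# Assumption: huaweicloud_obs_bucket_policy with "bucket" and "policy"
# arguments, the resource proposed in this thread.
resource "huaweicloud_obs_bucket_policy" "object_read" {
  bucket = huaweicloud_obs_bucket.bucket.id

  # OBS-native format (not the S3 format): actions carry no "s3:" prefix
  # and resources are "<bucket>/<key pattern>" rather than ARNs.
  # jsonencode keeps the document valid JSON and lets Terraform diff it.
  policy = jsonencode({
    Statement = [
      {
        Sid       = "AnonymousObjectRead" # constructed statement id
        Effect    = "Allow"
        Principal = { ID = "*" }          # any user, including anonymous
        Action    = ["GetObject"]         # read objects only; no list, write or delete
        Resource  = "${var.obs_bucket_name}/*"
      }
    ]
  })
}
```

Keeping the policy in Terraform state means a later `terraform plan` shows any out-of-band change to who can read the bucket.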
