infra/aws: Add reg.k8s.io S3 buckets replication rules #4118
Conversation
Hi @deobieta. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
cc @BobyMCbobs
/assign @BobyMCbobs
Thank you @deobieta for your changes.
@deobieta, I was able to reproduce the Terraform in a separate account. I'm unsure of the intention of the behaviour. After writing multiple objects to the us-east-2 bucket, the objects were not seen in the other buckets even after 15 minutes or 8 hours.
@BobyMCbobs I'll apply the code again and double check that replication is happening. In the meantime you can go through this troubleshooting guide. The PR does not create the IAM role or set the right permissions. Maybe something in that area is causing the replication failure.
@BobyMCbobs I tested the code again creating buckets in all regions this time and it worked (creation and deletion of objects). I'm not sure how to proceed to validate the code. Any thoughts? Here's the code I used to create the IAM role.
@deobieta, I'm trying to see if there's any debug info anywhere. I'm giving it access to use this role arn:aws:iam::513428760722:role/registry.k8s.io_s3admin, configured here
@BobyMCbobs Make sure the role "arn:aws:iam::513428760722:role/registry.k8s.io_s3admin" has a trust relationship with the S3 service. This is necessary because the S3 service assumes the role to sync objects across regions and buckets.
I would suggest creating a role specifically for this purpose and sticking to the "least privilege" practice.
@deobieta, thank you. It appears there's more success with the services s3.amazonaws.com and batchoperations.s3.amazonaws.com being allowed to sts:AssumeRole.
I'm closing my attempt at the same thing. My version was syncing between all the regions, for an "any bucket is the leader" consistency. I may revisit this at a later date.
I think that the changes are almost ready for merging. Running
I see
which is great. Only nit is to remove Looking for separate review and approve, cc @deobieta @dims @ameukam @BenTheElder @Riaankl
/approve Remove the hold when you're ready.
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ameukam, deobieta The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@BobyMCbobs I've removed the versions.tf file from the s3 module.
Signed-off-by: Gabriel De Obieta <[email protected]>
@ameukam, please
/lgtm
It appears that s3:PutReplicationConfiguration is missing from the s3writer role. |
There appears to be something up with the IAM permissions for the s3admin role to put the ReplicationConfiguration. We're so close. I've spent several hours debugging this. I'm unsure what's different for this set-up compared to my testing one. To be clear, the problem is external to this PR.
Switching out This determines that the issue is indeed permissions and not an AWS bug.
I anticipate the buckets to now sync. Let's wait and see!
I switched role into arn:aws:iam::513428760722:role/registry.k8s.io_s3admin, which has s3:* permissions. Which is weird because there is already permission granted for that API through the wildcard.
Ref: #4094
@ameukam @BobyMCbobs @puerco
Saw the latest k8s-infra meeting recording and seems you were having trouble setting up S3 bucket replication from Terraform.
I do not know how objects are copied from GCS to AWS main bucket (us-east-2) but this PR should take care of replication from there.
This PR does the following:
The aws_s3_bucket_replication_configuration resource depends on this upgrade to work properly with the aws_s3_bucket resource's deprecated replication settings. If this upgrade isn't done, terraform's plan will always show changes between the two replication settings.
s3_replication_iam_role_arn: IAM role assumed by the S3 replication service.
s3_replication_rules: List of configuration maps for S3 replication rules.
The us-east-2 bucket (main bucket) is the only S3 bucket that has replication rules for multiple destination buckets (1:N replication).
Any written or deleted object in this bucket will be replicated to all other buckets by the S3 replication service.
The IAM role used for replication
(arn:aws:iam::513428760722:role/registry.k8s.io_s3admin) should have the following permissions.
Replication rules only apply to objects created and deleted after the rules are created.
For existing object replication we should use S3 batch replication.
I tested these changes in my AWS account; replication and deletion work as expected.
Please, if you have any questions or suggestions, let me know.
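The trust relationship and least-privilege role discussed in this thread, as an added Terraform example that is not the PR's own code: the role can be assumed only by the S3 service principals named above, carries only the actions replication needs instead of s3:*, and is wired into one replication rule per destination bucket. The bucket names and the role name are assumptions, not values from the PR.

```hcl
# Added example (not the PR's Terraform): least-privilege replication role trusted only by S3 service principals, plus 1:N rules. Bucket names are assumed.
locals {
  source_bucket   = "registry-k8s-io-us-east-2"
  replica_buckets = ["registry-k8s-io-us-west-2", "registry-k8s-io-eu-west-1"]
}
# S3 (and S3 Batch Operations, for existing objects) must be able to assume the role.
data "aws_iam_policy_document" "replication_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["s3.amazonaws.com", "batchoperations.s3.amazonaws.com"]
    }
  }
}
resource "aws_iam_role" "replication" {
  name               = "registry.k8s.io_s3replication" # assumed name
  assume_role_policy = data.aws_iam_policy_document.replication_trust.json
}
# Only what S3 needs: read versions from the source, write replicas to destinations.
data "aws_iam_policy_document" "replication_permissions" {
  statement {
    actions = ["s3:GetReplicationConfiguration", "s3:ListBucket", "s3:GetObjectVersionForReplication",
      "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging"]
    resources = ["arn:aws:s3:::${local.source_bucket}", "arn:aws:s3:::${local.source_bucket}/*"]
  }
  statement {
    actions   = ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"]
    resources = [for b in local.replica_buckets : "arn:aws:s3:::${b}/*"]
  }
}
resource "aws_iam_role_policy" "replication" {
  role   = aws_iam_role.replication.id
  policy = data.aws_iam_policy_document.replication_permissions.json
}
# One rule per destination; versioning must already be enabled on every bucket.
resource "aws_s3_bucket_replication_configuration" "main" {
  bucket = local.source_bucket
  role   = aws_iam_role.replication.arn
  dynamic "rule" {
    for_each = { for i, b in local.replica_buckets : b => i + 1 } # value is a unique priority
    content {
      id       = "replicate-to-${rule.key}"
      priority = rule.value
      status   = "Enabled"
      filter {}
      delete_marker_replication { status = "Enabled" }
      destination { bucket = "arn:aws:s3:::${rule.key}" }
    }
  }
}
```

Applying this with a principal that lacks s3:PutReplicationConfiguration on the source bucket fails at the last resource, which is the symptom reported above for the s3writer role.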