feat: Support AWS S3 Express One Zone buckets (#229)
# What

This change adds the `S3_SERVICE` configuration variable which will default to `s3` and may be one of `s3express` or `s3`. It also introduces the `virtual-v2` `S3_STYLE` argument option in support of the connectivity requirement of the S3 Express One Zone (directory) buckets. We are using this as a successor to `virtual` and believe it should work well in all AWS usages but want to be cautious as we make this change.

Many thanks to @hveiga for driving the implementation of this feature in their original pull request.

Setting this variable to `s3express` will change the "service" used to sign the requests with the V4 header to `s3express`. Currently the gateway works without this step, but it's advised in the documentation [here](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-best-practices.html).

## Other Changes

We are moving the determination of the hostname used to query S3 into the docker entrypoint (or bootstrap script for non-docker installs). If `S3_STYLE` is set to `virtual` (this is the default and AWS recommended scheme) then the hostname will be:

```
${S3_BUCKET_NAME}.${S3_SERVER}:${S3_SERVER_PORT}
```

which will be used in these locations:

* The `proxy_path` directive
* The HTTP `Host` header sent to AWS
* The `host` element of the canonical headers used in signing AWS signature V4 requests.

Based on my reading here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/VirtualHosting.html

It looks like AWS recommends that the bucket be always prepended and other schemes exist only for backwards compatibility reasons. However, please comment on this discussion if you have concerns: #231

Co-authored-by: @hveiga <[email protected]>
Showing 23 changed files with 362 additions and 43 deletions.
@@ -0,0 +1 @@ | ||
terraform 1.8.1 |
@@ -0,0 +1,45 @@ | ||
# Purpose | ||
This Terraform script sets up an AWS S3 Express One Zone bucket for testing. | ||
|
||
## Usage | ||
Use environment variables to authenticate: | ||
|
||
```bash | ||
export AWS_ACCESS_KEY_ID="anaccesskey" | ||
export AWS_SECRET_ACCESS_KEY="asecretkey" | ||
export AWS_REGION="us-west-2" | ||
``` | ||
|
||
Generate a plan: | ||
```bash | ||
terraform plan -out=plan.tfplan \ | ||
> -var="bucket_name=my-bucket-name--usw2-az1--x-s3" \ | ||
> -var="region=us-west-2" \ | ||
> -var="availability_zone_id=usw2-az1" \ | ||
> -var="[email protected]" | ||
``` | ||
> [!NOTE] | ||
> Note that AWS S3 Express One Zone is only available in [certain regions and availability zones](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-networking.html#s3-express-endpoints). If you get an error like this: `api error InvalidBucketName`. If you have met the [naming rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html), this likely means you have chosen a bad region/availability zone combination. | ||
|
||
If you are comfortable with the plan, apply it: | ||
``` | ||
terraform apply "plan.tfplan" | ||
``` | ||
|
||
Then build the image (you can also use the latest release) | ||
```bash | ||
docker build --file Dockerfile.oss --tag nginx-s3-gateway:oss --tag nginx-s3-gateway . | ||
``` | ||
|
||
Configure and run the image: | ||
|
||
```bash | ||
docker run --rm --env-file ./settings.s3express.example --publish 80:80 --name nginx-s3-gateway \ | ||
nginx-s3-gateway:oss | ||
``` | ||
|
||
Confirm that it is working. The terraform script will prepopulate the bucket with a single test object | ||
```bash | ||
curl http://localhost:80/test.txt | ||
``` |
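Review bot: the `terraform plan` fence carries the shell's `> ` continuation prompt on the `-var=` lines, so a reader who copies the block as shown hands `>` to the shell as a redirection and the command fails; drop the `> ` prefixes and keep only the trailing backslashes, e.g. `  -var="bucket_name=my-bucket-name--usw2-az1--x-s3" \`. In the NOTE, `If you get an error like this: \`api error InvalidBucketName\`.` is a sentence fragment; fold it into the next sentence ("If you get an error like `api error InvalidBucketName` and you have met the naming rules, ..."). The authentication step exports only a static access key and secret, while the `settings.s3express.example` file this README tells users to pass with `--env-file` also carries an `AWS_SESSION_TOKEN` line; a sentence saying that temporary credentials with a session token work too, and that the two files must agree, would save readers a failed signature.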
@@ -0,0 +1,51 @@ | ||
provider "aws" { | ||
region = var.region | ||
} | ||
|
||
resource "aws_s3_directory_bucket" "example" { | ||
bucket = var.bucket_name | ||
location { | ||
name = var.availability_zone_id | ||
} | ||
|
||
force_destroy = true | ||
} | ||
|
||
data "aws_partition" "current" {} | ||
data "aws_caller_identity" "current" {} | ||
|
||
data "aws_iam_policy_document" "example" { | ||
statement { | ||
effect = "Allow" | ||
|
||
actions = [ | ||
"s3express:*", | ||
] | ||
|
||
resources = [ | ||
aws_s3_directory_bucket.example.arn, | ||
] | ||
|
||
principals { | ||
type = "AWS" | ||
identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"] | ||
} | ||
} | ||
} | ||
|
||
resource "aws_s3_bucket_policy" "example" { | ||
bucket = aws_s3_directory_bucket.example.bucket | ||
policy = data.aws_iam_policy_document.example.json | ||
} | ||
|
||
# The filemd5() function is available in Terraform 0.11.12 and later | ||
# For Terraform 0.11.11 and earlier, use the md5() function and the file() function: | ||
# etag = "${md5(file("path/to/file"))}" | ||
# etag = filemd5("path/to/file") | ||
resource "aws_s3_object" "example" { | ||
bucket = aws_s3_directory_bucket.example.bucket | ||
key = "test.txt" | ||
source = "${path.root}/test_data/test.txt" | ||
} | ||
|
||
|
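Review bot: this configuration has no `terraform {}` block with `required_version` or `required_providers`, although the commit pins `terraform 1.8.1` in the tool-versions hunk above and `aws_s3_directory_bucket` exists only in newer releases of the AWS provider; add a constraint so an older cached provider fails early with a clear message instead of an unknown-resource error. The comment block above `aws_s3_object` about `filemd5()` and Terraform 0.11 is carried over from provider docs and describes an `etag` argument this resource does not set; drop it, or add `etag = filemd5("${path.root}/test_data/test.txt")` if change detection on the test object is wanted. The bucket policy grants `s3express:*` on the bucket to the account root and the bucket has `force_destroy = true`; both are reasonable for a throwaway fixture, but a one-line comment saying this is test-only scope would help, since the README presents this file as the setup to copy.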
@@ -0,0 +1,22 @@ | ||
S3_BUCKET_NAME=my-bucket-name--usw2-az1--x-s3 | ||
AWS_ACCESS_KEY_ID=ZZZZZZZZZZZZZZZZZZZZ | ||
AWS_SECRET_ACCESS_KEY=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa | ||
AWS_SESSION_TOKEN=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb | ||
S3_SERVER=s3express-usw2-az1.us-west-2.amazonaws.com | ||
S3_SERVER_PORT=443 | ||
S3_SERVER_PROTO=https | ||
S3_REGION=us-west-2 | ||
S3_STYLE=virtual-v2 | ||
S3_SERVICE=s3express | ||
DEBUG=true | ||
AWS_SIGS_VERSION=4 | ||
ALLOW_DIRECTORY_LIST=false | ||
PROVIDE_INDEX_PAGE=false | ||
APPEND_SLASH_FOR_POSSIBLE_DIRECTORY=false | ||
DIRECTORY_LISTING_PATH_PREFIX="" | ||
PROXY_CACHE_MAX_SIZE=10g | ||
PROXY_CACHE_SLICE_SIZE="1m" | ||
PROXY_CACHE_INACTIVE=60m | ||
PROXY_CACHE_VALID_OK=1h | ||
PROXY_CACHE_VALID_NOTFOUND=1m | ||
PROXY_CACHE_VALID_FORBIDDEN=30s |
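Review bot: `DEBUG=true` ships enabled in a file the README tells users to pass verbatim with `--env-file`, so a copied deployment runs at debug log level; default it to `false` here and mention the flag in the README instead. The placeholder `AWS_SESSION_TOKEN` line deserves a comment that it is only needed for temporary credentials and should be removed when long-lived keys are used, since the README's authentication step exports no token. One consistency check worth stating in a comment: with `S3_STYLE=virtual-v2` the host becomes `my-bucket-name--usw2-az1--x-s3.s3express-usw2-az1.us-west-2.amazonaws.com`, so the availability-zone id embedded in `S3_BUCKET_NAME` (`usw2-az1`) must match the one in `S3_SERVER`; the values here agree, but a reader changing one without the other will get a failed request with little to point at the cause.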
@@ -0,0 +1,2 @@ | ||
Congratulations, friend. You are using Amazon S3 Express One Zone. | ||
πππ Choo-choo~ πππ |