feat: object lock enabled

changelogs/fragments/1347-s3-object-lock-enabled.yml

@@ -0,0 +1,2 @@
+minor_changes:
+- s3_bucket - The option to create a bucket with object lock enabled (https://github.com/ansible-collections/amazon.aws/pull/1372).

plugins/modules/s3_bucket.py

@@ -163,6 +163,12 @@
     type: bool
     default: false
     version_added: 6.0.0
+  object_lock_enabled:
+    description:
+      - Whether S3 Object Lock to be enabled
+    type: bool
+    default: false
+    version_added: 6.0.0
 
 extends_documentation_fragment:
   - amazon.aws.common.modules
@@ -384,6 +390,7 @@ def create_or_update_bucket(s3_client, module):
     delete_public_access = module.params.get("delete_public_access")
     delete_object_ownership = module.params.get("delete_object_ownership")
     object_ownership = module.params.get("object_ownership")
+    object_lock_enabled = module.params.get("object_lock_enabled")
     acl = module.params.get("acl")
     # default to US Standard region,
     # note: module.region will also try to pull a default out of the boto3 configs.
@@ -401,7 +408,7 @@ def create_or_update_bucket(s3_client, module):
 
     if not bucket_is_present:
         try:
-            bucket_changed = create_bucket(s3_client, name, location)
+            bucket_changed = create_bucket(s3_client, name, location, object_lock_enabled)
             s3_client.get_waiter('bucket_exists').wait(Bucket=name)
             changed = changed or bucket_changed
         except botocore.exceptions.WaiterError as e:
@@ -649,6 +656,9 @@ def create_or_update_bucket(s3_client, module):
         except (botocore.exceptions.BotoCoreError, botocore.exceptions.ClientError) as e:  # pylint: disable=duplicate-except
             module.fail_json_aws(e, msg="Failed to update bucket ACL")
 
+    # -- Object Lock
+    result['object_lock_enabled'] = object_lock_enabled
+
     # Module exit
     module.exit_json(changed=changed, name=name, **result)
 
@@ -663,15 +673,15 @@ def bucket_exists(s3_client, bucket_name):
 
 
 @AWSRetry.exponential_backoff(max_delay=120)
-def create_bucket(s3_client, bucket_name, location):
+def create_bucket(s3_client, bucket_name, location, object_lock_enabled=False):
     try:
         configuration = {}
         if location not in ('us-east-1', None):
             configuration['LocationConstraint'] = location
         if len(configuration) > 0:
-            s3_client.create_bucket(Bucket=bucket_name, CreateBucketConfiguration=configuration)
+            s3_client.create_bucket(Bucket=bucket_name, CreateBucketConfiguration=configuration, ObjectLockEnabledForBucket=object_lock_enabled)
         else:
-            s3_client.create_bucket(Bucket=bucket_name)
+            s3_client.create_bucket(Bucket=bucket_name, ObjectLockEnabledForBucket=object_lock_enabled)
         return True
     except is_boto3_error_code('BucketAlreadyOwnedByYou'):
         # We should never get here since we check the bucket presence before calling the create_or_update_bucket
@@ -1085,6 +1095,7 @@ def main():
         acl=dict(type='str', choices=['private', 'public-read', 'public-read-write', 'authenticated-read']),
         validate_bucket_name=dict(type='bool', default=True),
         dualstack=dict(default=False, type="bool"),
+        object_lock_enabled=dict(type='bool', default=False),
     )
 
     required_by = dict(

tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/object_lock.yml

@@ -0,0 +1,81 @@
+---
+- module_defaults:
+    group/aws:
+      aws_access_key: "{{ aws_access_key }}"
+      aws_secret_key: "{{ aws_secret_key }}"
+      security_token: "{{ security_token | default(omit) }}"
+      region: "{{ aws_region }}"
+  block:
+    - set_fact:
+        local_bucket_name: "{{ bucket_name | hash('md5')}}.object_lock"
+    # ============================================================
+
+    - name: 'Create a simple bucket'
+      s3_bucket:
+        name: '{{ local_bucket_name }}'
+        state: present
+      register: output
+
+    - assert:
+        that:
+          - output.changed
+          - not output.object_lock_enabled
+
+    # - name: 'Re-enable AES256 encryption (idempotency)'
+    #   s3_bucket:
+    #     name: '{{ local_bucket_name }}'
+    #     state: present
+    #     encryption: 'AES256'
+    #   register: output
+
+    # - assert:
+    #     that:
+    #       - not output.changed
+    #       - output.encryption
+    #       - output.encryption.SSEAlgorithm == 'AES256'
+
+    # # ============================================================
+
+    # - name: Disable encryption from bucket
+    #   s3_bucket:
+    #     name: '{{ local_bucket_name }}'
+    #     state: present
+    #     encryption: "none"
+    #   register: output
+
+    # - assert:
+    #     that:
+    #       - output.changed
+    #       - not output.encryption
+
+    # - name: Disable encryption from bucket
+    #   s3_bucket:
+    #     name: '{{ local_bucket_name }}'
+    #     state: present
+    #     encryption: "none"
+    #   register: output
+
+    # - assert:
+    #     that:
+    #       - output is not changed
+    #       - not output.encryption
+
+    # ============================================================
+
+    - name: Delete encryption test s3 bucket
+      s3_bucket:
+        name: '{{ local_bucket_name }}'
+        state: absent
+      register: output
+
+    - assert:
+        that:
+          - output.changed
+
+  # ============================================================
+  always:
+    - name: Ensure all buckets are deleted
+      s3_bucket:
+        name: '{{ local_bucket_name }}'
+        state: absent
+      ignore_errors: yes