From 17c9c9dc816c9a0df434ce461ede3b2cd3afcb58 Mon Sep 17 00:00:00 2001 From: Mark Chappell Date: Wed, 1 Mar 2023 12:46:45 +0100 Subject: [PATCH 1/3] Disable S3 tests related to removing bucket encryption --- .../s3_bucket/tasks/encryption_bucket_key.yml | 63 ++++++++++--------- .../roles/s3_bucket/tasks/encryption_kms.yml | 57 +++++++++-------- .../roles/s3_bucket/tasks/encryption_sse.yml | 60 +++++++++--------- 3 files changed, 95 insertions(+), 85 deletions(-) diff --git a/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_bucket_key.yml b/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_bucket_key.yml index c0d5e1167bc..66a54c1e0b3 100644 --- a/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_bucket_key.yml +++ b/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_bucket_key.yml @@ -32,7 +32,7 @@ bucket_key_enabled: true register: output - - name: Assert for 'Enable bucket key for bucket with aws:kms encryption' + - name: "Assert for 'Enable bucket key for bucket with aws:kms encryption'" assert: that: - output.changed 
@@ -45,40 +45,43 @@ bucket_key_enabled: true register: output - - name: Assert for 'Re-enable bucket key for bucket with aws:kms encryption (idempotent)'' + - name: "Assert for 'Re-enable bucket key for bucket with aws:kms encryption (idempotent)'" assert: that: - not output.changed - output.encryption - # ============================================================ - - - name: Disable encryption from bucket - s3_bucket: - name: "{{ local_bucket_name }}" - encryption: none - bucket_key_enabled: false - register: output - - - name: Assert for 'Disable encryption from bucket' - assert: - that: - - output.changed - - not output.encryption - - - name: Disable encryption from bucket (idempotent) - s3_bucket: - name: "{{ local_bucket_name }}" - bucket_key_enabled: true - register: output - - - name: Assert for 'Disable encryption from bucket (idempotent)' - assert: - that: - - output is not changed - - not output.encryption - - # ============================================================ + ## # ============================================================ + ## + ## AWS S3 no longer supports disabling S3 encryption + ## https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-encryption-faq.html + ## + ## - name: Disable encryption from bucket + ## s3_bucket: + ## name: "{{ local_bucket_name }}" + ## encryption: none + ## bucket_key_enabled: false + ## register: output + ## + ## - name: Assert for 'Disable encryption from bucket' + ## assert: + ## that: + ## - output.changed + ## - not output.encryption + ## + ## - name: Disable encryption from bucket (idempotent) + ## s3_bucket: + ## name: "{{ local_bucket_name }}" + ## bucket_key_enabled: true + ## register: output + ## + ## - name: Assert for 'Disable encryption from bucket (idempotent)' + ## assert: + ## that: + ## - output is not changed + ## - not output.encryption + ## + ## # ============================================================ - name: Delete encryption test s3 bucket s3_bucket: 
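Review bot: The `encryption: none` tasks and their asserts are commented out with `##` rather than replaced, so nothing in this file exercises what `s3_bucket` does when a playbook still passes `encryption: none`. The docs hunk later in this series keeps `none` in the option's `choices`, so that path stays reachable. A short replacement task that sets `encryption: none` and asserts the outcome the module is meant to produce would keep it covered, for example `- output.encryption` if the bucket is expected to stay encrypted (to be confirmed against the module). Otherwise, deleting the block and keeping only the two-line pointer to the AWS FAQ is easier to maintain than a commented-out copy. The same commented-out block appears in the second hunks of encryption_kms.yml and encryption_sse.yml.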
diff --git a/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_kms.yml b/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_kms.yml index 9650821c3f2..75cdb4c6f0a 100644 --- a/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_kms.yml +++ b/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_kms.yml @@ -42,33 +42,36 @@ - output.encryption - output.encryption.SSEAlgorithm == 'aws:kms' - # ============================================================ - - - name: Disable encryption from bucket - s3_bucket: - name: '{{ local_bucket_name }}' - state: present - encryption: "none" - register: output - - - assert: - that: - - output.changed - - not output.encryption - - - name: Disable encryption from bucket - s3_bucket: - name: '{{ local_bucket_name }}' - state: present - encryption: "none" - register: output - - - assert: - that: - - output is not changed - - not output.encryption - - # ============================================================ + ## # ============================================================ + ## + ## AWS S3 no longer supports disabling S3 encryption + ## https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-encryption-faq.html + ## + ## - name: Disable encryption from bucket + ## s3_bucket: + ## name: '{{ local_bucket_name }}' + ## state: present + ## encryption: "none" + ## register: output + ## + ## - assert: + ## that: + ## - output.changed + ## - not output.encryption + ## + ## - name: Disable encryption from bucket + ## s3_bucket: + ## name: '{{ local_bucket_name }}' + ## state: present + ## encryption: "none" + ## register: output + ## + ## - assert: + ## that: + ## - output is not changed + ## - not output.encryption + ## + ## # ============================================================ - name: Delete encryption test s3 bucket s3_bucket: 
diff --git a/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_sse.yml b/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_sse.yml index 6090339a86c..60ee2600912 100644 --- a/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_sse.yml +++ b/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_sse.yml @@ -25,7 +25,8 @@ - assert: that: - - output.changed + # SSE is now enabled by default + # - output.changed - output.encryption - output.encryption.SSEAlgorithm == 'AES256' 
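Review bot: With `- output.changed` commented out, the remaining asserts (`output.encryption` and `output.encryption.SSEAlgorithm == 'AES256'`) would hold for a freshly created bucket even if the task did nothing, because the new comment says SSE is enabled by default. The test therefore no longer shows that the module can set AES256. One option is to pin the new expectation with `- output is not changed`, if the default applies in every test region. Another is to start from a bucket already set to `aws:kms`, so that switching to AES256 is a real change and `output.changed` can be asserted again. The task being asserted starts above the hunk, so the bucket's starting state here is inferred from the comment.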
@@ -42,33 +43,36 @@ - output.encryption - output.encryption.SSEAlgorithm == 'AES256' - # ============================================================ - - - name: Disable encryption from bucket - s3_bucket: - name: '{{ local_bucket_name }}' - state: present - encryption: "none" - register: output - - - assert: - that: - - output.changed - - not output.encryption - - - name: Disable encryption from bucket - s3_bucket: - name: '{{ local_bucket_name }}' - state: present - encryption: "none" - register: output - - - assert: - that: - - output is not changed - - not output.encryption - - # ============================================================ + ## # ============================================================ + ## + ## AWS S3 no longer supports disabling S3 encryption + ## https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-encryption-faq.html + ## + ## - name: Disable encryption from bucket + ## s3_bucket: + ## name: '{{ local_bucket_name }}' + ## state: present + ## encryption: "none" + ## register: output + ## + ## - assert: + ## that: + ## - output.changed + ## - not output.encryption + ## + ## - name: Disable encryption from bucket + ## s3_bucket: + ## name: '{{ local_bucket_name }}' + ## state: present + ## encryption: "none" + ## register: output + ## + ## - assert: + ## that: + ## - output is not changed + ## - not output.encryption + ## + ## # ============================================================ - name: Delete encryption test s3 bucket s3_bucket: From 4dd8456605e79334c5a13c942724e440ad3980e1 Mon Sep 17 00:00:00 2001 From: Mark Chappell Date: Wed, 1 Mar 2023 13:21:26 +0100 Subject: [PATCH 2/3] changelog --- changelogs/fragments/1395-s3-encryption.yml | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 changelogs/fragments/1395-s3-encryption.yml diff --git a/changelogs/fragments/1395-s3-encryption.yml b/changelogs/fragments/1395-s3-encryption.yml new file mode 100644 index 00000000000..3e6c2ea6e13 --- /dev/null 
+++ b/changelogs/fragments/1395-s3-encryption.yml
@@ -0,0 +1,2 @@
+trivial:
+- s3_bucket - disabled tests related to disabling encryption on S3 buckets, this is no longer supported by AWS, and encryption is enabled by default (https://github.com/ansible-collections/amazon.aws/pull/1395).
From f50d284c8a608049fb8fb4217a2c6954d16ac9e7 Mon Sep 17 00:00:00 2001
From: Mark Chappell
Date: Wed, 1 Mar 2023 14:10:07 +0100
Subject: [PATCH 3/3] Add note to module docs
---
 plugins/modules/s3_bucket.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/plugins/modules/s3_bucket.py b/plugins/modules/s3_bucket.py
index fdda8b9adf7..e3ce44058cd 100644
--- a/plugins/modules/s3_bucket.py
+++ b/plugins/modules/s3_bucket.py
@@ -70,6 +70,7 @@
 description:
 - Describes the default server-side encryption to apply to new objects in the bucket.
 In order to remove the server-side encryption, the encryption needs to be set to 'none' explicitly.
+ - "Note: Since January 2023 Amazon S3 doesn't support disabling encryption on S3 buckets."
 choices: [ 'none', 'AES256', 'aws:kms' ]
 type: str
 encryption_key_id:
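Review bot: The added note in the s3_bucket.py hunk directly follows the sentence telling users to set the encryption to 'none' to remove server-side encryption, so the description now gives an instruction and then says the service does not support it. A reader cannot tell what `encryption: none` does today, and `none` is still listed in `choices`. Stating the resulting state would close that gap, for example `- "Note: Since January 2023 Amazon S3 encrypts every bucket by default; setting 'none' no longer leaves a bucket unencrypted."`, with the wording checked against what the module actually returns. The `encryption` option block begins above the hunk.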