From 73a972c87a7397d3974b3169254adabe07667d1c Mon Sep 17 00:00:00 2001
From: Alexander Braverman Masis
Date: Fri, 30 Aug 2024 14:28:14 -0400
Subject: [PATCH] S3 Logging add option to disable ACL setup
---
 plugins/modules/s3_logging.py | 28 ++++-
 .../targets/s3_logging/defaults/main.yml | 1 +
 .../targets/s3_logging/tasks/main.yml | 102 ++++++++++++++++++
 3 files changed, 128 insertions(+), 3 deletions(-)
diff --git a/plugins/modules/s3_logging.py b/plugins/modules/s3_logging.py
index 3a78749945f..ece02d642fe 100644
--- a/plugins/modules/s3_logging.py
+++ b/plugins/modules/s3_logging.py
@@ -34,6 +34,13 @@
 - "The prefix that should be prepended to the generated log files written to the target_bucket."
 default: ""
 type: str
+ acl:
+ description:
+ - "Setup target bucket ACLs to grant AWS special log delivery account to write server access logs."
+ - "Setting to False will remove the ACL for log delivery on the target bucket."
+ default: True
+ type: bool
+ version_added: 8.3.0
 extends_documentation_fragment:
 - amazon.aws.common.modules
 - amazon.aws.region.modules
@@ -95,6 +102,9 @@ def verify_acls(connection, module, target_bucket):
 botocore.exceptions.BotoCoreError,
 botocore.exceptions.ClientError,
 ) as e: # pylint: disable=duplicate-except
+ if not module.params.get("acl"):
+ module.warn(f"Unable to fetch Bucket ACLs ({e})")
+ return False
 module.fail_json_aws(e, msg="Failed to fetch target bucket ACL")
 required_grant = {
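Review bot: When acl is false the new except branch turns every BotoCoreError/ClientError raised by the ACL lookup — access denied, throttling, a mistyped target bucket — into a warning and returns False, so a play that asked for the log-delivery grant to be removed finishes with changed=false although nothing was verified. Narrow the soft-fail to the condition this branch is meant to tolerate and keep handing the rest to fail_json_aws, and state the behaviour in the option description of the @@ -34 hunk, e.g. `- "When false, a target bucket whose ACL cannot be read is left unchanged and a warning is emitted."`; that description also reads better as "Set up target bucket ACLs ...". The enclosing try/except and the start of verify_acls are outside the hunk.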
@@ -102,16 +112,27 @@ def verify_acls(connection, module, target_bucket):
 "Permission": "FULL_CONTROL",
 }
+ grant_present = False
 for grant in current_grants:
 if grant == required_grant:
- return False
+ grant_present = True
+
+ if module.params.get("acl") == grant_present:
+ return False
 if module.check_mode:
 return True
 updated_acl = dict(current_acl)
- updated_grants = list(current_grants)
- updated_grants.append(required_grant)
+ updated_grants = []
+ if module.params.get("acl"):
+ updated_grants = list(current_grants)
+ updated_grants.append(required_grant)
+ else:
+ for grant in current_grants:
+ if grant != required_grant:
+ updated_grants.append(grant)
+
 updated_acl["Grants"] = updated_grants
 del updated_acl["ResponseMetadata"]
 try:
@@ -197,6 +218,7 @@ def main():
 target_bucket=dict(required=False, default=None),
 target_prefix=dict(required=False, default=""),
 state=dict(required=False, default="present", choices=["present", "absent"]),
+ acl=dict(type="bool", default=True),
 )
 module = AnsibleAWSModule(argument_spec=argument_spec, supports_check_mode=True)
diff --git a/tests/integration/targets/s3_logging/defaults/main.yml b/tests/integration/targets/s3_logging/defaults/main.yml
index f8f1d758746..f9751bd8d33 100644
--- a/tests/integration/targets/s3_logging/defaults/main.yml
+++ b/tests/integration/targets/s3_logging/defaults/main.yml
@@ -2,3 +2,4 @@
 test_bucket: '{{ tiny_prefix }}-s3-logging'
 log_bucket_1: '{{ tiny_prefix }}-logs-1'
 log_bucket_2: '{{ tiny_prefix }}-logs-2'
+log_bucket_3: '{{ tiny_prefix }}-logs-3'
diff --git a/tests/integration/targets/s3_logging/tasks/main.yml b/tests/integration/targets/s3_logging/tasks/main.yml
index e9a7b220b52..3d03c40f5e1 100644
--- a/tests/integration/targets/s3_logging/tasks/main.yml
+++ b/tests/integration/targets/s3_logging/tasks/main.yml
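Review bot: The acl=false path in the new else branch drops only grants that compare equal to required_grant, i.e. the exact FULL_CONTROL grant this module writes; any other grant to the same log-delivery grantee (a WRITE or READ_ACP grant added by hand or by another tool) survives, while the option description promises that log-delivery access is removed. If revoking access is the intent, filter on the grantee — assuming required_grant carries it under the usual `Grantee` key, `updated_grants = [g for g in current_grants if g.get("Grantee") != required_grant["Grantee"]]` — and apply the same criterion to the presence test when acl is false, otherwise the early `return False` skips the removal; if only the module-managed grant is meant to go, say so in the documentation. As a style point the presence loop is just `grant_present = required_grant in current_grants`, and the `updated_grants = []` before the if/else is dead since both branches assign it. verify_acls and the required_grant literal start outside the hunk.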
@@ -64,6 +64,17 @@
 - output is changed
 - output.name == log_bucket_2
+ - name: Create simple s3_bucket as third target for logs
+ s3_bucket:
+ state: present
+ name: '{{ log_bucket_3 }}'
+ object_ownership: BucketOwnerPreferred
+ register: output
+ - assert:
+ that:
+ - output is changed
+ - output.name == log_bucket_3
+
 # ============================================================
 - name: Enable logging (check_mode)
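Review bot: log_bucket_3 is created with object_ownership BucketOwnerPreferred and asserted on, but no task in this patch points s3_logging at it — every new acl task targets log_bucket_2 — so the bucket adds setup cost without exercising anything. Either run the acl=false sequence against it as well, which would cover a target with a different ownership setting, or drop the task; if it stays, make sure the teardown section (outside this hunk) removes it. The branch the module change introduces — a target bucket whose ACL cannot be read — is not covered by any of the new tasks and would be worth a case of its own.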
@@ -152,6 +163,97 @@
 that:
 - result is not changed
+# ============================================================
+
+ - name: Disable ACL on logging bucket (check_mode)
+ s3_logging:
+ state: present
+ name: '{{ test_bucket }}'
+ target_bucket: '{{ log_bucket_2 }}'
+ acl: False
+ register: result
+ check_mode: True
+ - assert:
+ that:
+ - result is changed
+
+ - name: Disable ACL logging bucket
+ s3_logging:
+ state: present
+ name: '{{ test_bucket }}'
+ target_bucket: '{{ log_bucket_2 }}'
+ acl: False
+ register: result
+ - assert:
+ that:
+ - result is changed
+
+ - name: Disable ACL on logging bucket idempotency (check_mode)
+ s3_logging:
+ state: present
+ name: '{{ test_bucket }}'
+ target_bucket: '{{ log_bucket_2 }}'
+ acl: False
+ register: result
+ check_mode: True
+ - assert:
+ that:
+ - result is not changed
+
+ - name: Disable ACL on logging bucket idempotency
+ s3_logging:
+ state: present
+ name: '{{ test_bucket }}'
+ target_bucket: '{{ log_bucket_2 }}'
+ acl: False
+ register: result
+ - assert:
+ that:
+ - result is not changed
+
+ - name: Re-Enable ACL on logging bucket (check_mode)
+ s3_logging:
+ state: present
+ name: '{{ test_bucket }}'
+ target_bucket: '{{ log_bucket_2 }}'
+ register: result
+ check_mode: True
+ - assert:
+ that:
+ - result is changed
+
+ - name: Re-Enable ACL logging bucket
+ s3_logging:
+ state: present
+ name: '{{ test_bucket }}'
+ target_bucket: '{{ log_bucket_2 }}'
+ register: result
+ - assert:
+ that:
+ - result is changed
+
+ - name: Re-Enable ACL on logging bucket idempotency (check_mode)
+ s3_logging:
+ state: present
+ name: '{{ test_bucket }}'
+ target_bucket: '{{ log_bucket_2 }}'
+ register: result
+ check_mode: True
+ - assert:
+ that:
+ - result is not changed
+
+ - name: Re-Enable ACL on logging bucket idempotency
+ s3_logging:
+ state: present
+ name: '{{ test_bucket }}'
+ target_bucket: '{{ log_bucket_2 }}'
+ register: result
+ - assert:
+ that:
+ - result is not changed
+
+ #
============================================================
 - name: Change logging prefix (check_mode)