#2810 - Add check if aws s3 bucket is encrypted. #2937
Conversation
UranusBytes
force-pushed
the
2810
branch
2 times, most recently
from
4083dcb to
6072c99
Compare
Required terraform aws provider >= 1.6 Fix indentation issue in aws_s3_bucket.rb Signed-off-by: Jeremy Phillips <github@uranusbytes.com>
|
Was Blocked by #2884, now unblocked |
|
|
||
| def get_bucket_encryption(query) | ||
| buckets = { | ||
| 'public' => OpenStruct.new({ server_side_encryption_configuration: OpenStruct.new({ rules: [] }) }) |
There was a problem hiding this comment.
You can omit these curly braces and lose some of the noise here. OpenStruct.new(server_side_encryption_configuration: OpenStruct.new(rules: []))
| buckets = { | ||
| 'public' => OpenStruct.new({ server_side_encryption_configuration: OpenStruct.new({ rules: [] }) }) | ||
| } | ||
| if query[:bucket].eql?'private' |
There was a problem hiding this comment.
Add a space before the 'private' argument, please. (Or wrap it with parentheses.)
| unless buckets.key?(query[:bucket]) | ||
| raise Aws::S3::Errors::NoSuchBucket.new(nil, nil) | ||
| end | ||
| buckets[query[:bucket]] |
There was a problem hiding this comment.
I think putting these three cases into an actual case statement would make the purpose of this method more clear.
def get_bucket_encryption(query)
buckets = {
'public' => OpenStruct.new(server_side_encryption_configuration: OpenStruct.new(rules: []))
}
case
when query[:bucket].eql? 'private'
raise Aws::S3::Errors::ServerSideEncryptionConfigurationNotFoundError.new(nil, nil)
when !buckets.key?(query[:bucket])
raise Aws::S3::Errors::NoSuchBucket.new(nil, nil)
else
buckets[query[:bucket]]
end
endIn writing that, I realized the second and third cases are actually just a missing use of fetch(), which I think is even better than the case approach.
def get_bucket_encryption(query)
buckets = {
'public' => OpenStruct.new(server_side_encryption_configuration: OpenStruct.new(rules: []))
}
if query[:bucket].eql? 'private'
raise Aws::S3::Errors::ServerSideEncryptionConfigurationNotFoundError.new(nil, nil)
end
buckets.fetch(query[:bucket]) { raise Aws::S3::Errors::NoSuchBucket.new(nil, nil) }
end
lib/resources/aws/aws_s3_bucket.rb
Outdated
| @has_default_encryption_enabled = false | ||
| end | ||
| end | ||
| end |
There was a problem hiding this comment.
A few things here. =^)
Line 100 is hard to read for how long it is. Going vertical with those method calls off BackendFactory would make it more readable.
We can do a single assignment to @has_default_encryption_enabled from whatever you return in the catch_aws_errors block.
def fetch_bucket_encryption_configuration
@has_default_encryption_configuration ||= catch_aws_errors do
begin
!BackendFactory.create(inspec_runner)
.get_bucket_encryption(bucket: bucket_name)
.server_side_encryption_configuration
.nil?
rescue Aws::S3::Errors::ServerSideEncryptionConfigurationNotFoundError
false
end
end
end| server_side_encryption_configuration { | ||
| rule { | ||
| apply_server_side_encryption_by_default { | ||
| sse_algorithm = "aws:kms" |
There was a problem hiding this comment.
[nitpick] Extra spacing between sse_algorithm and =.
lib/resources/aws/aws_s3_bucket.rb
Outdated
| @@ -35,6 +35,11 @@ def public? | |||
| bucket_policy.any? { |s| s.effect == 'Allow' && s.principal == '*' } | |||
| end | |||
|
|
|||
| def has_default_encryption_enabled? | |||
| return unless @exists | |||
There was a problem hiding this comment.
[nitpick] Predicate methods should only ever return explicit true or false values. So return false unless @exists would be the more accurate guard statement.
clintoncwolfe
added
Type: New Feature
…other methods to align with recommendations (except Terraform nitpick; preference is to keep coding style consistent until full refactor). Signed-off-by: Jeremy Phillips <github@uranusbytes.com>
|
Hey @UranusBytes, we merged in the new terraform pins and you will need to rebase your branch. Sorry about that. |
Fixes #2810 - Add check if aws s3 bucket is encrypted.
Required terraform aws provider >= 1.6
Signed-off-by: Jeremy Phillips github@uranusbytes.com