data/aws/bootstrap: Block public ACLs, etc. for the S3 bucket #1203

Closed

wking
Member

@wking wking commented Feb 6, 2019

The bucket is already private, but when browsing S3 in the AWS web console today (e.g. here), I noticed these buckets had public access settings described as:

  Manage public access control lists (ACLs)
  Block new public ACLs and uploading public objects (Recommended)
    False
  Remove public access granted through public ACLs (Recommended)
    False

  Manage public bucket policies
  Block new public bucket policies (Recommended)
    False
  Block public and cross-account access if bucket has public policies (Recommended)
    False

and the overview tab had Access warnings like "Objects can be public". We might as well shut all of that down, by using this access-block resource.

Verified

This commit was signed with the committer’s verified signature.
The bucket is already private [1], but when browsing S3 in the AWS web
console today (e.g. [2]), I noticed these buckets had public access
settings described as:

  Manage public access control lists (ACLs)
  Block new public ACLs and uploading public objects (Recommended)
    False
  Remove public access granted through public ACLs (Recommended)
    False

  Manage public bucket policies
  Block new public bucket policies (Recommended)
    False
  Block public and cross-account access if bucket has public policies (Recommended)
    False

and the overview tab [3] had Access warnings like "Objects can be
public".  We might as well shut all of that down, by using this
access-block resource [4].

[1]: https://www.terraform.io/docs/providers/aws/r/s3_bucket.html#acl
[2]: https://s3.console.aws.amazon.com/s3/buckets/terraform-20190206183528155600000001/?region=us-east-1&tab=permissions
[3]: https://s3.console.aws.amazon.com/s3/home?region=us-east-1
[4]: https://www.terraform.io/docs/providers/aws/r/s3_bucket_public_access_block.html
@openshift-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wking


@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 6, 2019
@openshift-ci-robot openshift-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Feb 6, 2019
@wking
Member Author

wking commented Feb 6, 2019

CC @cuppett

@wking
Member Author

wking commented Feb 7, 2019

e2e-aws:

level=error msg="Error: module.bootstrap.aws_s3_bucket_public_access_block.ignition: Provider doesn't support resource: aws_s3_bucket_public_access_block"

I guess I need to bump our provider.

@eparis
Member

eparis commented Apr 26, 2019

Since there is no implicit dependency between
resource "aws_s3_bucket_public_access_block" "ignition" {
and
resource "aws_s3_bucket_object" "ignition" {
We could race and put data in the bucket before these controls are set, no? Do you need to set the explicit dependency?
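
An added example, not part of the PR or of any participant's comment: the four console settings from the description mapped to the arguments of `aws_s3_bucket_public_access_block`, with the explicit dependency the question above asks about. It uses Terraform 0.12+ syntax; `aws_s3_bucket.ignition`, `var.ignition` and the object key are assumptions.

```hcl
# Added example. The bucket resource, the variable and the object key are
# hypothetical names; only the two "ignition" resources below appear on the page.
variable "ignition" {
  type = string
}

resource "aws_s3_bucket" "ignition" {
  acl = "private"
}

resource "aws_s3_bucket_public_access_block" "ignition" {
  bucket = aws_s3_bucket.ignition.id

  # Console: "Block new public ACLs and uploading public objects"
  block_public_acls = true
  # Console: "Remove public access granted through public ACLs"
  ignore_public_acls = true
  # Console: "Block new public bucket policies"
  block_public_policy = true
  # Console: "Block public and cross-account access if bucket has public policies"
  restrict_public_buckets = true
}

resource "aws_s3_bucket_object" "ignition" {
  bucket  = aws_s3_bucket.ignition.id
  key     = "bootstrap.ign"
  content = var.ignition
  acl     = "private"

  # Both this resource and the access block reference only the bucket, so
  # Terraform is free to create them in parallel. The explicit edge makes the
  # upload wait until the access block has been applied.
  depends_on = [aws_s3_bucket_public_access_block.ignition]

  # Alternative: take the bucket name from the access block instead, which
  # creates the same ordering as an implicit dependency:
  #   bucket = aws_s3_bucket_public_access_block.ignition.bucket
}
```

`terraform graph` shows whether the edge from the object to the access block is present in the resulting dependency graph.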

@abhinavdahiya
Contributor

closing due to inactivity. Please reopen if needed.

/close

@openshift-ci-robot
Contributor

@abhinavdahiya: Closed this PR.


@wking
Member Author

wking commented Aug 9, 2019

#1442 brought in aws_s3_bucket_public_access_block.

@wking wking reopened this Aug 9, 2019
@wking
Member Author

wking commented Aug 10, 2019

e2e-aws-upgrade:

Cluster did not complete upgrade: timed out waiting for the condition: Working towards registry.svc.ci.openshift.org/ci-op-qyrxdxpx/release@sha256:f52e9cd8208916c19798cc2b1aa6cc697f97f865a5a9241b8dd582ffff32e68d: downloading update

Dunno about that, but it seems to be pretty common at 32% of all upgrade failures:

chart

/test e2e-aws-upgrade

@openshift-ci-robot
Contributor

openshift-ci-robot commented Oct 4, 2019

@wking: The following tests failed, say /retest to rerun all failed tests:

| Test name | Commit | Details | Rerun command |
| --- | --- | --- | --- |
| ci/prow/launch-aws | 1b51342 | link | /test launch-aws |
| ci/prow/e2e-aws-scaleup-rhel7 | 1b51342 | link | /test e2e-aws-scaleup-rhel7 |
| ci/prow/e2e-aws-disruptive | 1b51342 | link | /test e2e-aws-disruptive |


@abhinavdahiya
Contributor

Closing due to this being open for a long time. Please feel free to reopen.

/close

@openshift-ci-robot
Contributor

@abhinavdahiya: Closed this PR.

