ansible-collections / amazon.aws

Ansible Collection for Amazon AWS
GNU General Public License v3.0

AWS dropped support for unencrypted S3 buckets #1401

Closed dgsangoma closed 1 year ago

dgsangoma commented 1 year ago

Summary

I think the option to set "encryption: none" in the s3_bucket module is no longer supported by AWS per https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-encryption-faq.html. We were using this until recently when it started failing with a confusing "Bucket encryption failed to apply in the expected time" error for an existing bucket because AWS has seemingly been slowly enabling AES256 on all existing unencrypted buckets.

build   01-Mar-2023 19:45:53    redirecting (type: modules) ansible.builtin.s3_bucket to amazon.aws.s3_bucket
build   01-Mar-2023 19:46:56    fatal: [localhost]: FAILED! => changed=false 
build   01-Mar-2023 19:46:56      live_encryption:
build   01-Mar-2023 19:46:56        SSEAlgorithm: AES256
build   01-Mar-2023 19:46:56      msg: Bucket encryption failed to apply in the expected time
build   01-Mar-2023 19:46:56      requested_encryption: null

Issue Type

Bug Report

Component Name

s3_bucket

Ansible Version

$ ansible --version
ansible [core 2.11.6]
  config file = /Users/user/Documents/dev/aws-infrastructure/ansible.cfg
  configured module search path = ['/Users/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/user/Documents/dev/aws-infrastructure/.venv/lib/python3.6/site-packages/ansible
  ansible collection location = /Users/user/.ansible/collections:/usr/share/ansible/collections
  executable location = /Users/user/Documents/dev/aws-infrastructure/.venv/bin/ansible
  python version = 3.6.15 (default, Nov 29 2022, 15:07:30) [GCC Apple LLVM 14.0.0 (clang-1400.0.29.202)]
  jinja version = 3.0.3
  libyaml = True

Collection Versions

$ ansible-galaxy collection list

# /Users/user/Documents/dev/aws-infrastructure/.venv/lib/python3.6/site-packages/ansible_collections
Collection                    Version
----------------------------- -------
amazon.aws                    1.5.1
ansible.netcommon             2.4.0
ansible.posix                 1.3.0
ansible.utils                 2.4.2
ansible.windows               1.7.3
arista.eos                    2.2.0
awx.awx                       19.4.0
azure.azcollection            1.10.0
check_point.mgmt              2.1.1
chocolatey.chocolatey         1.1.0
cisco.aci                     2.1.0
cisco.asa                     2.1.0
cisco.intersight              1.0.17
cisco.ios                     2.5.0
cisco.iosxr                   2.5.0
cisco.meraki                  2.5.0
cisco.mso                     1.2.0
cisco.nso                     1.0.3
cisco.nxos                    2.7.0
cisco.ucs                     1.6.0
cloudscale_ch.cloud           2.2.0
community.aws                 1.5.0
community.azure               1.1.0
community.crypto              1.9.6
community.digitalocean        1.11.0
community.docker              1.10.0
community.fortios             1.0.0
community.general             3.8.1
community.google              1.0.0
community.grafana             1.2.3
community.hashi_vault         1.4.1
community.hrobot              1.2.0
community.kubernetes          1.2.1
community.kubevirt            1.0.0
community.libvirt             1.0.2
community.mongodb             1.3.1
community.mysql               2.3.1
community.network             3.0.0
community.okd                 1.1.2
community.postgresql          1.5.0
community.proxysql            1.3.0
community.rabbitmq            1.1.0
community.routeros            1.2.0
community.skydive             1.0.0
community.sops                1.1.0
community.vmware              1.15.0
community.windows             1.7.0
community.zabbix              1.5.0
containers.podman             1.8.1
cyberark.conjur               1.1.0
cyberark.pas                  1.0.7
dellemc.enterprise_sonic      1.1.0
dellemc.openmanage            3.6.0
dellemc.os10                  1.1.1
dellemc.os6                   1.0.7
dellemc.os9                   1.0.4
f5networks.f5_modules         1.12.0
fortinet.fortimanager         2.1.3
fortinet.fortios              2.1.2
frr.frr                       1.0.3
gluster.gluster               1.0.2
google.cloud                  1.0.2
hetzner.hcloud                1.6.0
hpe.nimble                    1.1.3
ibm.qradar                    1.0.3
infinidat.infinibox           1.2.4
inspur.sm                     1.3.0
junipernetworks.junos         2.6.0
kubernetes.core               1.2.1
mellanox.onyx                 1.0.0
netapp.aws                    21.6.0
netapp.azure                  21.9.0
netapp.cloudmanager           21.11.0
netapp.elementsw              21.6.1
netapp.ontap                  21.12.0
netapp.um_info                21.7.0
netapp_eseries.santricity     1.2.13
netbox.netbox                 3.3.0
ngine_io.cloudstack           2.2.2
ngine_io.exoscale             1.0.0
ngine_io.vultr                1.1.0
openstack.cloud               1.5.1
openvswitch.openvswitch       2.0.2
ovirt.ovirt                   1.6.4
purestorage.flasharray        1.11.0
purestorage.flashblade        1.7.0
sensu.sensu_go                1.12.0
servicenow.servicenow         1.0.6
splunk.es                     1.0.2
t_systems_mms.icinga_director 1.23.0
theforeman.foreman            2.2.0
vyos.vyos                     2.6.0
wti.remote                    1.0.1

AWS SDK versions

$ pip show boto boto3 botocore

Name: boto
Version: 2.49.0
Summary: Amazon Web Services Library
Home-page: https://github.com/boto/boto/
Author: Mitch Garnaat
Author-email: mitch@garnaat.com
License: MIT
Location: /Users/dgottlieb/Documents/dev/ca-aws-infrastructure/.venv/lib/python3.6/site-packages
Requires:
Required-by:
---
Name: boto3
Version: 1.20.2
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: /Users/dgottlieb/Documents/dev/ca-aws-infrastructure/.venv/lib/python3.6/site-packages
Requires: botocore, jmespath, s3transfer
Required-by:
---
Name: botocore
Version: 1.23.2
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: /Users/dgottlieb/Documents/dev/ca-aws-infrastructure/.venv/lib/python3.6/site-packages
Requires: jmespath, python-dateutil, urllib3
Required-by: awscli, boto3, s3transfer

Configuration

$ ansible-config dump --only-changed

OS / Environment

No response

Steps to Reproduce

- name: aws s3api create-bucket --bucket my_bucket
  s3_bucket:
    name: "my_bucket"
    state: present
    encryption: none          # option that now fails: AWS applies AES256 by default and it cannot be removed
    versioning: false
    public_access:            # block all forms of public access on the bucket
      block_public_acls: true
      block_public_policy: true
      ignore_public_acls: true
      restrict_public_buckets: true

Expected Results

Expected task to succeed, but failed with a timeout error due to breaking AWS changes.


tremble commented 1 year ago

@dgsangoma,

Thanks for taking the time to open this issue.

Amazon have indeed dropped support for disabling encryption.

We merged a change yesterday which will reflect this: https://github.com/ansible-collections/amazon.aws/pull/1395

The docs have been updated to reflect this; however, since we (sort of) support various S3-compatible services, we've left the code in place to handle it.
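The failure in the report above is a requested-versus-live comparison that can never converge on AWS: the module asks for no encryption, AWS reports AES256, and the wait loop times out. The following is an added illustration of that check in Python (not amazon.aws code); `check_encryption`, `Verdict` and the `s3_compatible` flag are hypothetical, and the live configurations are constructed in the shape returned by boto3's `get_bucket_encryption()`.

```python
"""Decide whether an s3_bucket-style ``encryption`` request can converge.

Added example, not the amazon.aws module's own code. The live config dicts
below are constructed to match boto3's
``get_bucket_encryption()["ServerSideEncryptionConfiguration"]``.
"""
from dataclasses import dataclass
from typing import Optional

CONSTRUCTED_LIVE_AES256 = {
    "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
}
CONSTRUCTED_LIVE_KMS = {
    "Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/PLACEHOLDER-KEY"}}]
}


@dataclass
class Verdict:
    satisfied: bool     # live config already matches the request
    can_converge: bool  # a subsequent Put/DeleteBucketEncryption could make it match
    reason: str


def live_algorithm(config: Optional[dict]) -> Optional[str]:
    """Return the default SSEAlgorithm from a live config, or None if no rule is set."""
    if not config:
        return None
    for rule in config.get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if "SSEAlgorithm" in default:
            return default["SSEAlgorithm"]
    return None


def check_encryption(requested: Optional[str], live: Optional[dict],
                     s3_compatible: bool = False) -> Verdict:
    """requested uses the module vocabulary: 'none', 'AES256', 'aws:kms' or None (no change).
    On AWS proper, 'none' is unreachable because SSE-S3 is applied by default."""
    current = live_algorithm(live)
    if requested is None:
        return Verdict(True, True, "no change requested")
    if requested == "none":
        if current is None:
            return Verdict(True, True, "no default encryption configured")
        if s3_compatible:  # non-AWS endpoint: removal may still be honoured
            return Verdict(False, True, "removal may succeed on S3-compatible endpoint")
        return Verdict(False, False, f"AWS applies {current} by default; request AES256 or aws:kms")
    if current == requested:
        return Verdict(True, True, f"{requested} already applied")
    return Verdict(False, True, f"would change {current} -> {requested}")
```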