Skip to content

fix: remove explicit aws_s3_bucket_acl #815

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 27, 2023
Merged

fix: remove explicit aws_s3_bucket_acl #815

merged 1 commit into from
Apr 27, 2023

Conversation

ryancausey
Copy link
Contributor

@ryancausey ryancausey commented Apr 26, 2023
edited by kayman-mk
Loading

This resolves an issue related to the April 2023 S3 API changes. More info can be found here: hashicorp/terraform-provider-aws#28353

Closes #814

Description

Remove the explicit private ACL that leads to an error during the apply phase as with the new security defaults, it should no longer be needed. I'm not 100% on the implications of removing this resource for existing deployments, so if that's a concern we can go the route of adding the explicit aws_s3_bucket_ownership_controls resource as per the related issue.

Migrations required

NO

Verification

fix: remove explicit aws_s3_bucket_acl
5d9b7d7 
This resolves an issue related to the April 2023 S3 API changes. More
info can be found here: hashicorp/terraform-provider-aws#28353

Closes cattle-ops#814
@github-actions
Copy link
Contributor

Hey @ryancausey! 👋

Thank you for your contribution to the project. Please refer to the contribution rules for a quick overview of the process.

Make sure that this PR clearly explains:

  • the problem being solved
  • the best way a reviewer and you can test your changes

With submitting this PR you confirm that you hold the rights of the code added and agree that it will published under this LICENSE.

The following ChatOps commands are supported:

  • /help: notifies a maintainer to help you out

Simply add a comment with the command in the first line. If you need to pass more information, separate it with a blank line from the command.

This message was generated automatically. You are welcome to improve it.

@ryancausey
Copy link
Contributor Author

/help

lint PR title check failing with Error: Resource not accessible by integration

@kayman-mk
Copy link
Collaborator

Had this ACL problem in another repository as well. But it was a new S3 deployment.

@ryancausey
Copy link
Contributor Author

Had this ACL problem in another repository as well. But it was a new S3 deployment.

Yes, it seems specific to new instantiations of the module.

@ryancausey
Copy link
Contributor Author

@kayman-mk I tried this using var.runners_executor = "docker" and the cache gets deployed but I'm getting 403 errors when the runner tries to push or pull from the cache. I'm allowing the module to create the cache and I am not specifying my own nor am I using the shared cache.

It looks to me like the only place the local.bucket_policy gets attached to anything is in resource "aws_iam_role_policy_attachment" "docker_machine_cache_instance". This appears to indicate that the bucket policy is never attached to the runner instance itself when not using docker+machine. Is this analysis correct?

I just wanted to confirm that I'm not missing something and that this isn't a side effect of removing the S3 bucket's private ACL resource.

@ryancausey
Copy link
Contributor Author

ryancausey commented Apr 27, 2023
edited
Loading

Looks to me like it is a separate issue so I opened #816 and #817.

kayman-mk
kayman-mk approved these changes Apr 27, 2023
View reviewed changes
Copy link
Collaborator

@kayman-mk kayman-mk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your contribution.

@kayman-mk kayman-mk merged commit 5d88370 into cattle-ops:main Apr 27, 2023
@cattle-ops-releaser cattle-ops-releaser bot mentioned this pull request Apr 27, 2023
Merged
kayman-mk pushed a commit that referenced this pull request Apr 27, 2023
@cattle-ops-releaser @github-actions
chore(main): release 6.3.1 (#818)
cf63149 
🤖 I have created a release *beep* *boop*
---


##
[6.3.1](6.3.0...6.3.1)
(2023-04-27)


### Bug Fixes

* allow s3 cache access for the "docker" runner executor
([#817](#817))
([a17015f](a17015f))
* remove explicit aws_s3_bucket_acl
([#815](#815))
([5d88370](5d88370))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

---------

Signed-off-by: Niek Palm <[email protected]>
Co-authored-by: cattle-ops-releaser[bot] <126345536+cattle-ops-releaser[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@ryancausey ryancausey deleted the fix/remove-explicit-private-bucket-acl branch December 14, 2023 19:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kayman-mk kayman-mk kayman-mk approved these changes

@npalm npalm Awaiting requested review from npalm npalm is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

AccessControlListNotSupported: The bucket does not allow ACLs
2 participants
@ryancausey @kayman-mk