fix config remote state s3 and update if needs #2063
Conversation
leonardobiffi
requested review from
yorinasub17,
rhoboat,
zackproser and
denis256
as code owners
|
Noticed that integration tests failed, each run different tests, I was wondering merge from master(to include #2073) will help tests to pass |
1 similar comment
|
Noticed that integration tests failed, each run different tests, I was wondering merge from master(to include #2073) will help tests to pass |
|
@denis256 Hi, |
|
@leonardobiffi try to merge the last changes from master and we will see if it will help to pass more integration tests |
…config-remote-state-s3
|
Build passed 👍 |
|
@denis256 when this PR will be release? |
|
Hi, I think this week, I was doing more tests to see if will appear any issue when switching from older versions |
|
@denis256 awesome, let me known if anything is wrong |
There was a problem hiding this comment.
This LGTM as well! Thanks for the contribution! I had one small request, but once that's addressed, we can move forward with this.
cc @denis256
remote/remote_state_s3.go
Outdated
| type S3BucketConfig struct { | ||
| Versioning string | ||
| SSEEncryption string | ||
| RootAccess string | ||
| EnforcedTLS string | ||
| AccessLogging string | ||
| PublicAccess string | ||
| } |
There was a problem hiding this comment.
It looks like value of the string is immaterial in configBucket, and is only used to track if these attributes need updating. Is that true?
If so, these should be bool instead of string and the struct should be renamed to something like S3BucketUpdatesRequired.
There was a problem hiding this comment.
@yorinasub17 Hi, it does make sense. I made the suggested adjustment and the necessary corrections. Let me know if I'm missing something
|
Noticed that still fail test Can be a concurrency issue? when multiple tests try to change S3 configuration? |
@denis256 Hi, i fixed this error and the test passed. Can you validate? See here this error message: https://github.com/aws/aws-sdk-go/blob/main/service/s3control/errors.go#L50 |
|
I see the build started to pass, I'm still somehow suspect since the last change is to shallow NoSuchPublicAccessBlockConfiguration error, and before last change individual run of |
|
@denis256 Hi, |
|
Hi, tests are passing all, I was wondering if is a good solution to shallow error NoSuchPublicAccessBlockConfiguration |
|
@denis256 https://docs.aws.amazon.com/sdk-for-go/api/service/s3control/#S3Control.GetPublicAccessBlock What do you think? |
|
Hello, |
Hi, this PR is a suggestion to resolve the KMS config when the bucket is created, as the default key KMS ID is not being informed, the bucket has encryption enabled but without the KMS:
I am also suggesting an important change so that buckets that do not comply with the default encryption settings, public access blocking, bucket policy (enforce SSL only), access logging, versioning enabled are updated according to what is defined in the block of config. The
disable_bucket_updateattribute disable this behavior for anyone managing the bucket outside of terragrunt. This change causes the buckets to be updated when running terragrunt to conform to the config that are already made when the bucket is created.Another fix is for the bucket policy, where currently only EnforcedTLS is being defined, the first policy configured for RootAccess is overwritten.
What I changed is to check the policy already configured and be attached to the existing one, as shown in the image below
Closes #1770
Closes #1143
Closes #1106