
fix: Velero backup_location to allow s3:actions with or without bucket prefix declaration. #145

Merged
merged 22 commits into main from refactor/velero
Apr 27, 2023

Conversation

rodrigobersa
Contributor

What does this PR do?

Refactor locals and IAM Policy resources to allow s3:actions on Buckets with or without prefix.

The existing configuration creates an IAM Policy to allow s3:actions on the declared S3 ARN with a Bucket Prefix; however, if the customer provides the ARN without a Bucket prefix, the Policy will not allow the s3:actions on the bucket objects or folders.

More

  • Yes, I have tested the PR using my local account setup (Provide any test evidence report under Additional Notes)
  • Yes, I ran pre-commit run -a with this PR

For Moderators

  • E2E Test successfully complete before merge?

Additional Notes

Example with Bucket Prefix

tests/complete

```hcl
  enable_velero = true
  # An S3 Bucket ARN is required. This can be declared with or without a Prefix.
  velero = {
    # S3 Bucket ARN provided by an S3 Module (module.velero_backup_s3_bucket declared below), without prefix.
    #s3_backup_location = module.velero_backup_s3_bucket.s3_bucket_arn
    # S3 Bucket ARN for an already existing Bucket provided with prefix.
    s3_backup_location = "arn:aws:s3:::backup/dev"
  }
```

```console
# velero backup-location get
NAME      PROVIDER   BUCKET/PREFIX   PHASE         LAST VALIDATED                  ACCESS MODE   DEFAULT
default   aws        dev/dev         Unavailable   2023-04-27 11:52:09 -0400 EDT   ReadWrite
# aws iam get-policy-version --policy-arn arn:aws:iam::978045894046:policy/velero-20230427002355971300000007  --version-id v4 --query "PolicyVersion.Document.Statement[2].Resource"
"arn:aws:s3:::backup/dev"
```

Example with a Bucket provided by an S3 Module (`module.velero_backup_s3_bucket`) without Bucket Prefix

tests/complete

```hcl
  enable_velero = true
  # An S3 Bucket ARN is required. This can be declared with or without a Prefix.
  velero = {
    # S3 Bucket ARN provided by an S3 Module (module.velero_backup_s3_bucket declared below), without prefix.
    s3_backup_location = module.velero_backup_s3_bucket.s3_bucket_arn
    # S3 Bucket ARN for an already existing Bucket provided with prefix.
    #s3_backup_location = "arn:aws:s3:::backup/dev"
  }
```

```console
# aws s3 ls
2023-04-27 12:08:07 complete-20230427160804638700000001
# velero backup-location get
NAME      PROVIDER   BUCKET/PREFIX                         PHASE         LAST VALIDATED                  ACCESS MODE   DEFAULT
default   aws        complete-20230427160804638700000001   Unavailable   2023-04-27 12:08:40 -0400 EDT   ReadWrite
# aws iam get-policy-version --policy-arn arn:aws:iam::978045894046:policy/velero-20230427002355971300000007  --version-id v5 --query "PolicyVersion.Document.Statement[2].Resource"
"arn:aws:s3:::complete-20230427160804638700000001/*"
```
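The PR's point is that the IAM resource ARNs for the Velero backup location have to be derived differently depending on whether the supplied S3 ARN carries a key prefix. The following is an added example, not code from the PR or from the module: it models that derivation in Python so the two cases on this page can be checked side by side. The function names (`parse_s3_arn`, `backup_location_resources`, `velero_policy_document`) are this example's own. It makes one deliberate least-privilege choice that differs from the evidence above, where `Statement[2].Resource` in the prefix case is the literal `arn:aws:s3:::backup/dev`: here the object-level resource is scoped to `bucket/prefix/*` and `s3:ListBucket` is constrained with an `s3:prefix` condition, so a Velero identity on a shared bucket cannot read or list keys outside its own prefix. The action list is the one Velero's AWS plugin documentation uses for its backup-storage policy.

```python
"""Derive least-privilege IAM resources for a Velero S3 backup location.

Added example (not the module's or the PR author's code). Accepts an S3
bucket ARN with or without a key prefix, as the PR's locals do, and emits
the bucket-level and object-level resources for the s3: actions.
"""
import json
import re
from typing import Optional, Tuple

# arn:aws:s3:::<bucket>            -> whole bucket
# arn:aws:s3:::<bucket>/<prefix>   -> keys under <prefix> only
S3_ARN_RE = re.compile(r"^arn:aws:s3:::(?P<bucket>[^/]+)(?:/(?P<prefix>.+))?$")


def parse_s3_arn(arn: str) -> Tuple[str, Optional[str]]:
    """Split an S3 ARN into (bucket, prefix); prefix is None when absent.

    A trailing "/*" supplied by the caller is tolerated and stripped so the
    prefix is always a plain key prefix without wildcard or slashes.
    """
    m = S3_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an S3 bucket ARN: {arn!r}")
    prefix = m.group("prefix")
    if prefix is not None:
        prefix = prefix.strip("/")
        if prefix.endswith("*"):
            prefix = prefix[:-1].strip("/")
    return m.group("bucket"), (prefix or None)


def backup_location_resources(arn: str) -> dict:
    """Resources for bucket-level and object-level actions, per the two cases."""
    bucket, prefix = parse_s3_arn(arn)
    bucket_arn = f"arn:aws:s3:::{bucket}"
    # With a prefix, object actions are limited to keys under it; without one,
    # the whole bucket is the backup location (matches the "bucket/*" case above).
    object_arn = f"{bucket_arn}/{prefix}/*" if prefix else f"{bucket_arn}/*"
    return {"bucket": bucket_arn, "objects": object_arn, "prefix": prefix}


def velero_policy_document(arn: str) -> dict:
    """Build the IAM policy document Velero needs for this backup location."""
    r = backup_location_resources(arn)
    list_stmt = {
        "Sid": "VeleroListBucket",
        "Effect": "Allow",
        "Action": ["s3:ListBucket"],
        "Resource": r["bucket"],
    }
    if r["prefix"]:
        # ListBucket is bucket-scoped; the s3:prefix condition keeps a shared
        # bucket's other keys from being enumerated by the Velero identity.
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{r['prefix']}/*"]}}
    object_stmt = {
        "Sid": "VeleroObjects",
        "Effect": "Allow",
        "Action": [
            "s3:GetObject",
            "s3:DeleteObject",
            "s3:PutObject",
            "s3:AbortMultipartUpload",
            "s3:ListMultipartUploadParts",
        ],
        "Resource": r["objects"],
    }
    return {"Version": "2012-10-17", "Statement": [list_stmt, object_stmt]}


if __name__ == "__main__":
    # Constructed inputs mirroring the two cases shown in the PR description.
    for location in ("arn:aws:s3:::backup/dev",
                     "arn:aws:s3:::complete-20230427160804638700000001"):
        print(json.dumps(velero_policy_document(location), indent=2))
```

Running the block prints the two policy documents. In a Terraform module the same split is what a `local` computing `bucket` and `prefix` from the supplied ARN would feed into the `aws_iam_policy_document` resources; a quick `aws iam simulate-principal-policy` against both a key under the prefix and a key outside it is the practical check that the prefix case really denies the latter.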

@rodrigobersa rodrigobersa requested a review from a team as a code owner April 27, 2023 16:14
@askulkarni2 askulkarni2 merged commit 06fedfe into main Apr 27, 2023
@askulkarni2 askulkarni2 deleted the refactor/velero branch April 27, 2023 17:55