Encrypt the bucket and log access on the AWS S3 Bucket of the TFState #645
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
brikis98
reviewed
Feb 3, 2019
remote/remote_state_s3.go
Outdated
| Bucket: aws.String(config.Bucket), | ||
| BucketLoggingStatus: &s3.BucketLoggingStatus{ | ||
| LoggingEnabled: &s3.LoggingEnabled{ | ||
| TargetBucket: aws.String(config.Bucket), |
There was a problem hiding this comment.
Are you writing the access logs back to the same bucket? If so, may be worth mentioning that in the log statement.
There was a problem hiding this comment.
Yes, in the same bucket. OK - will do.
| DynamotableTags []map[string]string `mapstructure:"dynamodb_table_tags"` | ||
| SkipBucketVersioning bool `mapstructure:"skip_bucket_versioning"` | ||
| SkipBucketSSEncryption bool `mapstructure:"skip_bucket_ssencryption"` | ||
| SkipBucketAccessLogging bool `mapstructure:"skip_bucket_accesslogging"` |
There was a problem hiding this comment.
Is this just GitHub rendering or is the indentation not quite right here? Try running make fmt if you haven't already.
There was a problem hiding this comment.
Weird - I use "Atom" v1.34.0 on Win10Home - looks nicely there. Installed MS VSC (latest) - modified it there, looks nicely - but again it's not fine in GitHub.
Will try make fmt
There was a problem hiding this comment.
@brikis98 Should be fixed.
Used the - https://github.com/Microsoft/vscode-go/wiki/Go-tools-that-the-Go-extension-depends-on - for correct formatting in MS VSC 1.30.2 (latest).
goreturns or goimports for formatting code
There was a problem hiding this comment.
On GitHub it still looks wrong though.
Tried using GitHub and then paste the code from there - but the Go tools revert it back locally to the currently uploaded code.
There was a problem hiding this comment.
Try making whitespace visible in your editor? In vscode, View -> Toggle Render Whitespace
There was a problem hiding this comment.
Fixed it remotely on GitHub already.
Thank you for the nice advice though - it'll be useful in the future.
There was a problem hiding this comment.
Nah - reverting - I'll use the formatting from the Go Tools. Checked the whitespaces as well - it should be fine when reverted.
It doesn't sound right to use GitHub remotely in a browser to fix such formatting issues.
There was a problem hiding this comment.
The funny part - after reverting it looks fine on GitHub as well... #GitHubSaySorryPlease
(1) OK - will do. |
Xtigyro
changed the title
|
Whoops, hit enter too soon! What I was trying to write:
Since Terragrunt talks to AWS, and our CI builds have credentials for our AWS account, we can't automatically run tests on external PRs: https://circleci.com/docs/2.0/oss/#pass-secrets-to-builds-from-forked-pull-requests So, we ask contributors to run tests themselves. You can test it manually and/or automatically. Once I merge, all the CI tests will run, but I want to have some sense of confidence so I don't merge broken code into |
[root@localhost remote]# go test -v -parallel 128 # _/root/go-project/terragrunt/remote [_/root/go-project/terragrunt/remote.test] ./remote_state_s3.go:449:4: unknown field 'ServerSideEncryption' in struct literal of type s3.ServerSideEncryptionConfiguration ./remote_state_s3.go:450:4: unknown field 'SSEKMSKeyId' in struct literal of type s3.ServerSideEncryptionConfiguration FAIL _/root/go-project/terragrunt/remote [build failed]
[root@localhost remote]# go test -v -parallel 128 # _/root/go-project/terragrunt/remote ./remote_state_s3.go:459: Logger.Printf format %s reads arg #2, but call has 1 arg FAIL _/root/go-project/terragrunt/remote [build failed]
@brikis98 Tested with: Haven't tested it with real AWS account yet - fixed 3 bugs and it should be fine now. |
|
@brikis98 I guess I might be a geek... that couldn't resist the temptation - tested with an AWS account: |
brikis98
reviewed
Feb 4, 2019
lorengordon
reviewed
Feb 4, 2019
lorengordon
reviewed
Feb 4, 2019
@brikis98 Perfect - will update the README accordingly today in the evening. Thank you / Спасибо! |
Co-Authored-By: Xtigyro <Xtigyro@users.noreply.github.com>
Co-Authored-By: Xtigyro <Xtigyro@users.noreply.github.com>
|
I'll retest it as well today in the evening - before coming back here and letting you know the status. |
@brikis98 Tests - still OK. |
brikis98
approved these changes
Feb 5, 2019
brikis98
added a commit
that referenced
this pull request
Feb 5, 2019
This is a follow-up to #645. The tests were failing with the error: ``` InvalidTargetBucketForLogging: You must give the log-delivery group WRITE and READ_ACP permissions to the target bucket ``` This PR is an attempt to grant those permissions.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Encrypt the bucket and log the access on the AWS S3 Bucket of the Terraform State - both bucket-wide.