Conversation

wking (Member) commented Feb 6, 2019

The bucket is already private [1], but when browsing S3 in the AWS web
console today (e.g. [2]), I noticed these buckets had public access
settings described as:

  Manage public access control lists (ACLs)
  Block new public ACLs and uploading public objects (Recommended)
    False
  Remove public access granted through public ACLs (Recommended)
    False

  Manage public bucket policies
  Block new public bucket policies (Recommended)
    False
  Block public and cross-account access if bucket has public policies (Recommended)
    False

and the overview tab [3] had Access warnings like "Objects can be
public".  We might as well shut all of that down, by using this
access-block resource [4].

[1]: https://www.terraform.io/docs/providers/aws/r/s3_bucket.html#acl
[2]: https://s3.console.aws.amazon.com/s3/buckets/terraform-20190206183528155600000001/?region=us-east-1&tab=permissions
[3]: https://s3.console.aws.amazon.com/s3/home?region=us-east-1
[4]: https://www.terraform.io/docs/providers/aws/r/s3_bucket_public_access_block.html
openshift-ci-robot (Contributor) commented

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wking

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 6, 2019
@openshift-ci-robot openshift-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Feb 6, 2019
wking (Member, Author) commented Feb 6, 2019

CC @cuppett

wking (Member, Author) commented Feb 7, 2019

e2e-aws:

level=error msg="Error: module.bootstrap.aws_s3_bucket_public_access_block.ignition: Provider doesn't support resource: aws_s3_bucket_public_access_block"

I guess I need to bump our provider.

eparis (Member) commented Apr 26, 2019

Since there is no implicit dependency between

  resource "aws_s3_bucket_public_access_block" "ignition" {

and

  resource "aws_s3_bucket_object" "ignition" {

we could race and put data in the bucket before these controls are set, no? Do you need to set the explicit dependency?
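
The two points in this thread, the four public-access settings listed in the PR description and the missing ordering between the access block and the object upload raised in the comment above, put together in one Terraform configuration. This is an added example, not the installer's own code and not the code from this PR: the resource names follow the thread, but the bucket prefix, the object key and the local file path are assumptions, and the syntax is Terraform 0.12 style.

```hcl
# Added example (not the PR's or the installer's own code). Names of the
# bucket prefix, object key and local file path are assumptions.

resource "aws_s3_bucket" "ignition" {
  bucket_prefix = "terraform-"
  acl           = "private"
}

# Turns the four console settings quoted in the PR description to true.
# The comment on each argument is the console wording it corresponds to.
resource "aws_s3_bucket_public_access_block" "ignition" {
  bucket = aws_s3_bucket.ignition.id

  block_public_acls       = true # Block new public ACLs and uploading public objects
  ignore_public_acls      = true # Remove public access granted through public ACLs
  block_public_policy     = true # Block new public bucket policies
  restrict_public_buckets = true # Block public and cross-account access if bucket has public policies
}

resource "aws_s3_bucket_object" "ignition" {
  bucket = aws_s3_bucket.ignition.id
  key    = "bootstrap.ign"                # assumed key
  source = "${path.module}/bootstrap.ign" # assumed local path
  acl    = "private"

  # Both resources above reference only the bucket, so Terraform would
  # otherwise be free to create them concurrently. The explicit dependency
  # guarantees the access block exists before any object is uploaded.
  depends_on = [aws_s3_bucket_public_access_block.ignition]
}
```

The mapping of the four console lines to provider arguments is the one AWS documents for the PublicAccessBlock API. Without the `depends_on`, the upload can land in the window before the block is applied; with it, `terraform plan` shows the block created first. After apply, `aws s3api get-public-access-block --bucket <bucket-name>` should report all four flags as true.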

abhinavdahiya (Contributor) commented

Closing due to inactivity. Please reopen if needed.

/close

openshift-ci-robot (Contributor) commented

@abhinavdahiya: Closed this PR.

In response to this:

Closing due to inactivity. Please reopen if needed.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

wking (Member, Author) commented Aug 9, 2019

#1442 brought in aws_s3_bucket_public_access_block.

@wking wking reopened this Aug 9, 2019
wking (Member, Author) commented Aug 10, 2019

e2e-aws-upgrade:

Cluster did not complete upgrade: timed out waiting for the condition: Working towards registry.svc.ci.openshift.org/ci-op-qyrxdxpx/release@sha256:f52e9cd8208916c19798cc2b1aa6cc697f97f865a5a9241b8dd582ffff32e68d: downloading update

Dunno about that, but it seems to be pretty common at 32% of all upgrade failures:

(chart image)

/test e2e-aws-upgrade

openshift-ci-robot (Contributor) commented Oct 4, 2019

@wking: The following tests failed, say /retest to rerun all failed tests:

  Test name                       Commit   Details   Rerun command
  ci/prow/launch-aws              1b51342  link      /test launch-aws
  ci/prow/e2e-aws-scaleup-rhel7   1b51342  link      /test e2e-aws-scaleup-rhel7
  ci/prow/e2e-aws-disruptive      1b51342  link      /test e2e-aws-disruptive

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

abhinavdahiya (Contributor) commented

Closing due to this being open for a long time. Please feel free to reopen.

/close

openshift-ci-robot (Contributor) commented

@abhinavdahiya: Closed this PR.

In response to this:

Closing due to this being open for a long time. Please feel free to reopen.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Labels: approved, platform/aws, size/XS
