Merge branch 'hotfix/aws-s3-acl-and-ownership' into devel

Signed-off-by: Webster Mudge <[email protected]>

Author: wmudge

docs/configuration.yml

@@ -374,6 +374,8 @@ infra:
       tags:
     storage:
       tags:
+      bucket_object_ownership: 
+      bucket_acl_permissions: 
     private_endpoints:
   azure:
     metagroup:

roles/infrastructure/defaults/main.yml

@@ -126,6 +126,8 @@ infra__aws_nat_gateway_suffix:      "{{ infra.aws.vpc.nat_gateway.suffix | defau
 infra__aws_role_tags:               "{{ infra.aws.role.tags | default({}) }}"
 infra__aws_policy_tags:             "{{ infra.aws.policy.tags | default({}) }}"
 infra__aws_storage_tags:            "{{ infra.aws.storage.tags | default({}) }}"
+infra__aws_bucket_object_ownership: "{{ infra.aws.storage.bucket_object_ownership | default('BucketOwnerPreferred')}}"
+infra__aws_bucket_acl_permissions:  "{{ infra.aws.storage.bucket_acl_permissions | default(['bucket-owner-full-control']) }}"
 infra__aws_private_endpoints:       "{{ infra.aws.vpc.private_endpoints | default(common__tunnel) }}"
 
 # GCP

roles/infrastructure/tasks/setup_aws_storage.yml

@@ -31,13 +31,14 @@
     loop_var: __storage_tag
 
 - name: Create AWS Buckets
-  amazon.aws.aws_s3:
+  amazon.aws.s3_bucket:
     region: "{{ infra__region }}"
-    bucket: "{{ __aws_storage_location_item.bucket }}"
-    mode: create
-    permission: private
+    name: "{{ __aws_storage_location_item.bucket }}"
+    state: present
+    object_ownership: "{{ infra__aws_bucket_object_ownership }}"
   loop_control:
     loop_var: __aws_storage_location_item
+    label: "{{ __aws_storage_location_item.bucket }}"
   loop: "{{ infra__aws_storage_locations }}"
   register: __infra_aws_storage_locations_info
 
@@ -47,8 +48,10 @@
     bucket: "{{ __aws_storage_object_item.bucket }}"
     object: "{{ __aws_storage_object_item.path }}"
     mode: create  # Put will not work here due to the way the s3 module is written
+    permission: "{{ infra__aws_bucket_acl_permissions }}"
   loop_control:
     loop_var: __aws_storage_object_item
+    label: "{{ __aws_storage_object_item.bucket }}/{{ __aws_storage_object_item.path }}"
   loop: "{{ infra__aws_storage_locations }}"
 
 - name: Update AWS Buckets tags (overwrite)
@@ -65,11 +68,11 @@
 
 - name: Ensure Download Mirror Bucket exists in target region
   when: infra__create_utility_service
-  amazon.aws.aws_s3:
+  amazon.aws.s3_bucket:
     region: "{{ infra__region }}"
-    bucket: "{{ infra__utlity_bucket_name }}"
-    mode: create
-    permission: private
+    name: "{{ infra__utlity_bucket_name }}"
+    state: present
+    object_ownership: "{{ infra__aws_bucket_object_ownership }}"
 
 - name: Update Download Mirror Buckets tags (overwrite)
   when: infra__create_utility_service and __infra_aws_storage_tags_list is defined

roles/infrastructure/tasks/teardown_aws_storage.yml

@@ -16,20 +16,22 @@
 
 - name: Remove AWS Buckets
   when: infra__teardown_deletes_data
-  amazon.aws.aws_s3:
+  amazon.aws.s3_bucket:
     region: "{{ infra__region }}"
-    bucket: "{{ __aws_storage_location_item.bucket }}"
-    mode: delete
+    name: "{{ __aws_storage_location_item.bucket }}"
+    state: absent
+    force: yes
   loop_control:
     loop_var: __aws_storage_location_item
   loop: "{{ infra__aws_storage_locations }}"
 
 - name: Remove AWS Storage Utility Bucket
   when: infra__teardown_auto_repo_mirror | bool
-  amazon.aws.aws_s3:
+  amazon.aws.s3_bucket:
     region: "{{ infra__region }}"
-    bucket: "{{ infra__utlity_bucket_name }}"
-    mode: delete
+    name: "{{ infra__utlity_bucket_name }}"
+    state: absent
+    force: yes
 
 - name: Remove AWS EFS File Systems, if Discovered during Purge
   when: