Adding S3 bucket policies to lock down unsecure access #236
Conversation
There was a problem hiding this comment.
Hi @jpl-btlunsfo : the changes to the code look ok, but can you try to run some DAGs to make sure they still work?
|
@LucaCinquini no issues running the cwl dag as a test, and while my attempted run of the sbg step by step dag failed I don't think that was related to this- the airflow-related S3 bucket is for the airflow logs, and the (failed) logs are present/were uploaded without issue. |
There was a problem hiding this comment.
@jpl-btlunsfo : I am getting this error when deploying Airflow with this branch. Deployment of EKS and Karpenter were successfull:
module.unity-sps-ogc-processes-api.kubernetes_deployment.ogc_processes_api: Still creating... [3m20s elapsed]
module.unity-sps-ogc-processes-api.kubernetes_deployment.ogc_processes_api: Still creating... [3m30s elapsed]
module.unity-sps-ogc-processes-api.kubernetes_deployment.ogc_processes_api: Creation complete after 3m38s [id=sps/ogc-processes-api]
╷
│ Error: creating S3 Bucket (unity-luca-1-dev-sps-airflowlogs): operation error S3: CreateBucket, https response error StatusCode: 400, RequestID: P863FADYWY73YADB, HostID: A1gMq0R27T/Xuxefmmw4qTqzyeDXTzLWsUJw7Ee1yYrywbolP9ZFgtje/+hjz44s07Z3jWs69DY=, api error TooManyBuckets: You have attempted to create more buckets than allowed
│
│ with module.unity-sps-airflow.aws_s3_bucket.airflow_logs,
│ on modules/terraform-unity-sps-airflow/main.tf line 117, in resource "aws_s3_bucket" "airflow_logs":
│ 117: resource "aws_s3_bucket" "airflow_logs" {
│
╵
╷
│ Error: creating S3 Bucket (unity-luca-1-dev-sps-config): operation error S3: CreateBucket, https response error StatusCode: 400, RequestID: AD9RZ779H94SBQQ7, HostID: bGJYw353obYeM82RX6DK/vVDuAJLUOlgUiYuKzMpIr20LMcOVQRQsG+hKtT/1mprRtgTtzst0RM=, api error TooManyBuckets: You have attempted to create more buckets than allowed
│
│ with module.unity-sps-initiators.aws_s3_bucket.config,
│ on modules/terraform-unity-sps-initiators/main.tf line 21, in resource "aws_s3_bucket" "config":
│ 21: resource "aws_s3_bucket" "config" {
│
I don't believe that's due to the S3 bucket policy change- that looks like we've made too many buckets. Maybe @galenatjpl has seen this before? |
|
I don't have that problem if I use the code in develop, though... |
|
I don't have that problem if I use the code in develop, though. I will try again later. |
|
@jpl-btlunsfo @LucaCinquini , yes it appears we are hitting a limit. I'm cleaning up some buckets now |
There was a problem hiding this comment.
@jpl-btlunsfo : the deployment with this branch works for me if this line:
is changed from "each.value" to "each.key"
|
Ah, yeah it looks like I'd left that format in when it wasn't necessary. I've reworked that resource a bit, since it doesn't really need key/values in that for_each, and retested. Could you give it a retest too @LucaCinquini ? |
Purpose
Proposed Changes
aws_s3_bucket_policyentries for the 4 buckets that are created (one interraform-unity-sps-airflow, three interraform-unity-sps-initiators)Issues
Testing