Merge pull request #12148 from olemarkus/reconcile-public

Reconcile if managedFile is public or not
kubernetes · Aug 13, 2021 · 3afe121 · 3afe121
2 parents ab7c1e9 + 67b4024
commit 3afe121
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 1 deletion.
diff --git a/upup/pkg/fi/fitasks/managedfile.go b/upup/pkg/fi/fitasks/managedfile.go
@@ -52,7 +52,9 @@ func (e *ManagedFile) Find(c *fi.Context) (*ManagedFile, error) {
 		return nil, nil
 	}
 
-	existingData, err := managedFiles.Join(location).ReadFile()
+	filePath := managedFiles.Join(location)
+
+	existingData, err := filePath.ReadFile()
 	if err != nil {
 		if os.IsNotExist(err) {
 			return nil, nil
@@ -67,6 +69,18 @@ func (e *ManagedFile) Find(c *fi.Context) (*ManagedFile, error) {
 		Contents: fi.NewBytesResource(existingData),
 	}
 
+	if s3file, ok := filePath.(*vfs.S3Path); ok {
+		public, err := s3file.IsPublic()
+		if err != nil {
+			return nil, err
+		}
+		actual.Public = &public
+
+		if e.Public == nil {
+			e.Public = fi.Bool(false)
+		}
+	}
+
 	// Avoid spurious changes
 	actual.Lifecycle = e.Lifecycle
 

diff --git a/util/pkg/vfs/s3fs.go b/util/pkg/vfs/s3fs.go
@@ -481,6 +481,27 @@ func (p *S3Path) GetHTTPsUrl() (string, error) {
 	return strings.TrimSuffix(url, "/"), nil
 }
 
+func (p *S3Path) IsPublic() (bool, error) {
+	client, err := p.client()
+	if err != nil {
+		return false, err
+	}
+	acl, err := client.GetObjectAcl(&s3.GetObjectAclInput{
+		Bucket: &p.bucket,
+		Key:    &p.key,
+	})
+	if err != nil {
+		return false, fmt.Errorf("failed to get grant for key %q in bucket %q: %w", p.key, p.bucket, err)
+	}
+
+	for _, grant := range acl.Grants {
+		if aws.StringValue(grant.Grantee.URI) == "http://acs.amazonaws.com/groups/global/AllUsers" {
+			return aws.StringValue(grant.Permission) == "READ", nil
+		}
+	}
+	return false, nil
+}
+
 type terraformS3File struct {
 	Bucket  string                   `json:"bucket" cty:"bucket"`
 	Key     string                   `json:"key" cty:"key"`