AWS_S3_002 Check is not accurate #5

Closed
piaverous opened this issue Sep 9, 2022 · 0 comments · Fixed by #87
Labels: bug, good first issue

It seems like the S3 location check is not working as it should. Here is a quick explanation of the observed behaviour.
I anonymized this example by changing account names and bucket names for privacy.

Test conditions & setup

Situation :

  • single AWS Account, spanning over 2 regions (us-east-1 and eu-west-1)
  • 2 config entries in .yayas.yml, one per region :
    aws:
      - name: "Account EU WEST 1"
        profile: "profile"
        sso: false
        region: "eu-west-1"
      - name: "Account US EAST 1"
        profile: "profile"
        sso: false
        region: "us-east-1"

Setup :

  • create bucket "eu-storage" in "eu-west-1"
  • create bucket "us-storage" in "us-east-1"

Observed behaviour on check AWS_S3_002 S3 buckets are not global but in one zone :

Name: Account EU WEST 1 (XX/63)
[...]
❌ AWS_S3_002 S3 buckets are not global but in one zone - (XX/YY)
	S3 bucket eu-storage is in eu-west-1
	S3 bucket us-storage is global but should be in eu-west-1
[...]
Name: Account US EAST 1 (XX/63)
[...]
❌ AWS_S3_002 S3 buckets are not global but in one zone - (XX/YY)
	S3 bucket eu-storage is global but shoud be in us-east-1
	S3 bucket us-storage is in us-east-1
[...]

Expected behaviour on check AWS_S3_002 S3 buckets are not global but in one zone :

Name: Account EU WEST 1 (XX/63)
[...]
❌ AWS_S3_002 S3 buckets are not global but in one zone - (XX/YY)
	S3 bucket eu-storage is in eu-west-1
[...]
Name: Account US EAST 1 (XX/63)
[...]
❌ AWS_S3_002 S3 buckets are not global but in one zone - (XX/YY)
	S3 bucket us-storage is in us-east-1
[...]

Identified cause of bug

In plugins/aws/s3/getter.go, L19 :

	resp, err := svc.ListBuckets(context.TODO(), params)

The ListBuckets function here uses the equivalent ListBuckets AWS API endpoint. This is therefore the same as running aws s3 ls. It turns out that the returned list of buckets is a global list, even if AWS_REGION=eu-west-1 is set : the region parameter is ignored.

Maybe this check should be modified, in order to check in bucket options if global replication is enabled rather than comparing the LocationConstraint on buckets ?
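One way to scope the global bucket list to each configured region before reporting, as an added example that is not the project's code and not the fix merged for this issue. It assumes each bucket's location was fetched separately with GetBucketLocation, which reports us-east-1 buckets with an empty LocationConstraint and some legacy eu-west-1 buckets as "EU"; the `Bucket` type and both function names are hypothetical, and the sample data is constructed from the issue's anonymized bucket names.

```go
package main

import "fmt"

// Bucket is a hypothetical record: a name from ListBuckets plus the raw
// LocationConstraint string that GetBucketLocation returned for it.
type Bucket struct {
	Name               string
	LocationConstraint string
}

// NormalizeRegion maps a raw LocationConstraint to a region name.
// S3 reports buckets in us-east-1 with an empty constraint and some
// legacy eu-west-1 buckets as "EU".
func NormalizeRegion(lc string) string {
	switch lc {
	case "":
		return "us-east-1"
	case "EU":
		return "eu-west-1"
	}
	return lc
}

// InRegion keeps only the buckets located in the configured region, so an
// account entry never reports on buckets that belong to another region.
func InRegion(all []Bucket, region string) []Bucket {
	var out []Bucket
	for _, b := range all {
		if NormalizeRegion(b.LocationConstraint) == region {
			out = append(out, b)
		}
	}
	return out
}

func main() {
	// Constructed sample: the global list both account entries receive.
	all := []Bucket{
		{Name: "eu-storage", LocationConstraint: "eu-west-1"},
		{Name: "us-storage", LocationConstraint: ""},
	}
	for _, region := range []string{"eu-west-1", "us-east-1"} {
		for _, b := range InRegion(all, region) {
			fmt.Printf("[%s] S3 bucket %s is in %s\n", region, b.Name, region)
		}
	}
}
```

With this filter each account entry lists only its own bucket, which matches the expected output described in the issue.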
