s3_lifecycle module should allow setting the ChecksumAlgorithm argument to AWS SDK put_bucket_lifecycle_configuration() call #2057

Open
1 task done
mwhittington21 opened this issue Mar 6, 2024 · 0 comments

Summary

When running on a base image that only allows FIPS cryptography algorithms, the s3_lifecycle module fails to submit changes to the bucket lifecycle configuration. The call that fails is the AWS SDK call put_bucket_lifecycle_configuration.

The error returned by AWS when making this call is Missing required header for this request: Content-MD5.

This could be fixed by adding an argument to the task that allows specifying the checksum algorithm to use, from the valid list in the docs. This way, in environments that do not support certain algorithms, we can specify something like SHA256.

Example fix that worked locally:

            client.put_bucket_lifecycle_configuration(
                aws_retry=True,
                Bucket=name,
                LifecycleConfiguration=lifecycle_configuration
            )

becomes

            client.put_bucket_lifecycle_configuration(
                aws_retry=True,
                Bucket=name,
                LifecycleConfiguration=lifecycle_configuration,
                ChecksumAlgorithm="SHA256"
            )

Issue Type

Bug Report

Component Name

s3_lifecycle

Ansible Version

$ ansible --version
ansible [core 2.15.5]
  config file = None
  configured module search path = ['/opt/service/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/service/.local/lib/python3.10/site-packages/ansible
  ansible collection location = /opt/service/.ansible/collections:/usr/share/ansible/collections
  executable location = /opt/service/.local/bin/ansible
  python version = 3.10.13 (main, Feb 16 2024, 10:51:42) [GCC 11.4.0] (/usr/local/bin/python)
  jinja version = 3.1.3
  libyaml = True

Collection Versions

$ ansible-galaxy collection list
# /opt/service/.local/lib/python3.10/site-packages/ansible_collections
Collection                    Version
----------------------------- -------
amazon.aws                    6.5.0
ansible.netcommon             5.2.0
ansible.posix                 1.5.4
ansible.utils                 2.11.0
ansible.windows               1.14.0
arista.eos                    6.1.2
awx.awx                       22.7.0
azure.azcollection            1.18.1
check_point.mgmt              5.1.1
chocolatey.chocolatey         1.5.1
cisco.aci                     2.7.0
cisco.asa                     4.0.2
cisco.dnac                    6.7.5
cisco.intersight              1.0.27
cisco.ios                     4.6.1
cisco.iosxr                   5.0.3
cisco.ise                     2.5.16
cisco.meraki                  2.16.5
cisco.mso                     2.5.0
cisco.nso                     1.0.3
cisco.nxos                    4.4.0
cisco.ucs                     1.10.0
cloud.common                  2.1.4
cloudscale_ch.cloud           2.3.1
community.aws                 6.3.0
community.azure               2.0.0
community.ciscosmb            1.0.6
community.crypto              2.15.1
community.digitalocean        1.24.0
community.dns                 2.6.2
community.docker              3.4.9
community.fortios             1.0.0
community.general             7.5.0
community.google              1.0.0
community.grafana             1.5.4
community.hashi_vault         5.0.0
community.hrobot              1.8.1
community.libvirt             1.3.0
community.mongodb             1.6.3
community.mysql               3.7.2
community.network             5.0.0
community.okd                 2.3.0
community.postgresql          2.4.3
community.proxysql            1.5.1
community.rabbitmq            1.2.3
community.routeros            2.10.0
community.sap                 1.0.0
community.sap_libs            1.4.1
community.skydive             1.0.0
community.sops                1.6.6
community.vmware              3.10.0
community.windows             1.13.0
community.zabbix              2.1.0
containers.podman             1.10.3
cyberark.conjur               1.2.2
cyberark.pas                  1.0.23
dellemc.enterprise_sonic      2.2.0
dellemc.openmanage            7.6.1
dellemc.powerflex             1.9.0
dellemc.unity                 1.7.1
f5networks.f5_modules         1.26.0
fortinet.fortimanager         2.2.1
fortinet.fortios              2.3.2
frr.frr                       2.0.2
gluster.gluster               1.0.2
google.cloud                  1.2.0
grafana.grafana               2.2.3
hetzner.hcloud                1.16.0
hpe.nimble                    1.1.4
ibm.qradar                    2.1.0
ibm.spectrum_virtualize       1.12.0
infinidat.infinibox           1.3.12
infoblox.nios_modules         1.5.0
inspur.ispim                  1.3.0
inspur.sm                     2.3.0
junipernetworks.junos         5.3.0
kubernetes.core               2.4.0
lowlydba.sqlserver            2.2.1
microsoft.ad                  1.3.0
netapp.aws                    21.7.0
netapp.azure                  21.10.0
netapp.cloudmanager           21.22.0
netapp.elementsw              21.7.0
netapp.ontap                  22.7.0
netapp.storagegrid            21.11.1
netapp.um_info                21.8.0
netapp_eseries.santricity     1.4.0
netbox.netbox                 3.14.0
ngine_io.cloudstack           2.3.0
ngine_io.exoscale             1.1.0
ngine_io.vultr                1.1.3
openstack.cloud               2.1.0
openvswitch.openvswitch       2.1.1
ovirt.ovirt                   3.2.0
purestorage.flasharray        1.21.0
purestorage.flashblade        1.14.0
purestorage.fusion            1.6.0
sensu.sensu_go                1.14.0
servicenow.servicenow         1.0.6
splunk.es                     2.1.0
t_systems_mms.icinga_director 1.33.1
telekom_mms.icinga_director   1.34.1
theforeman.foreman            3.14.0
vmware.vmware_rest            2.3.1
vultr.cloud                   1.10.0
vyos.vyos                     4.1.0
wti.remote                    1.0.5

AWS SDK versions

$ pip show boto boto3 botocore
WARNING: Package(s) not found: boto
Name: boto3
Version: 1.34.5
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: /opt/service/.local/lib/python3.10/site-packages
Requires: botocore, jmespath, s3transfer
Required-by:
---
Name: botocore
Version: 1.34.5
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: /opt/service/.local/lib/python3.10/site-packages
Requires: jmespath, python-dateutil, urllib3
Required-by: boto3, s3transfer

Configuration

$ ansible-config dump --only-changed

OS / Environment

No response

Steps to Reproduce

# On a system with a FIPS compiled cryptography module
export AWS_USE_FIPS_ENDPOINT=true
...
  community.aws.s3_lifecycle:
    name: "bucketname"
    rule_id: "ExpireOldObjects"
    prefix: /
    state: present
    status: enabled
    region: "us-east-1"
    expiration_days: 90
    noncurrent_version_expiration_days: 1

<error prints here in very verbose form>: Missing required header for this request: Content-MD5

Expected Results

This is the expected result if we cannot set the ChecksumAlgorithm for the call. We should be able to set that via an argument to the task, so that we can avoid this problem.

Actual Results

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
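
The failure mode reported above, as an added example that is not part of the original issue and is not code from botocore or the collection: it computes the integrity header for a lifecycle request body with and without MD5 available. `fips_md5`, `md5_available`, `integrity_headers` and the sample body are hypothetical names and constructed data; that the client sends no `Content-MD5` when MD5 is refused is an assumption consistent with the error in the report.

```python
import base64
import hashlib

# Constructed sample body: a minimal lifecycle configuration like the one in the report.
SAMPLE_BODY = (
    b"<LifecycleConfiguration><Rule><ID>ExpireOldObjects</ID>"
    b"<Filter><Prefix>/</Prefix></Filter><Status>Enabled</Status>"
    b"<Expiration><Days>90</Days></Expiration></Rule></LifecycleConfiguration>"
)


def fips_md5(data=b""):
    """Stand-in for hashlib.md5 on a FIPS-only build, where MD5 is refused."""
    raise ValueError("disabled for FIPS")


def md5_available(md5_factory=hashlib.md5):
    """Probe whether the crypto backend will hand out an MD5 object at all."""
    try:
        md5_factory(b"")
        return True
    except ValueError:
        return False


def integrity_headers(body, checksum_algorithm=None, md5_factory=hashlib.md5):
    """Return the integrity header a client could attach to the PUT body."""
    if checksum_algorithm == "SHA256":
        # Explicit algorithm: MD5 is never touched, so FIPS builds are fine.
        digest = hashlib.sha256(body).digest()
        return {"x-amz-checksum-sha256": base64.b64encode(digest).decode("ascii")}
    if checksum_algorithm is not None:
        raise ValueError(f"not covered by this sketch: {checksum_algorithm}")
    if not md5_available(md5_factory):
        # Assumed behaviour: no MD5 means no Content-MD5 header, and the
        # service answers "Missing required header for this request: Content-MD5".
        return {}
    digest = md5_factory(body).digest()
    return {"Content-MD5": base64.b64encode(digest).decode("ascii")}


if __name__ == "__main__":
    print("default, FIPS build:", integrity_headers(SAMPLE_BODY, md5_factory=fips_md5))
    print("SHA256, FIPS build: ", integrity_headers(SAMPLE_BODY, "SHA256", fips_md5))
```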