Merge branch 'mr/forestier/add-default-lifecycle-rule' into 'master'

jeromef853 · jeromef853 · commit 392ba87dde1f · 2025-03-06T11:33:58.000Z
Add a default LifeCycle rule when creating a bucket

See merge request it/e3-aws!46
diff --git a/src/e3/aws/troposphere/s3/bucket.py b/src/e3/aws/troposphere/s3/bucket.py
@@ -20,6 +20,17 @@
     from e3.aws.troposphere import Stack
     from typing import Any
 
+# A default lifecycle rule to abort and delete incomplete multipart upload
+# This rule is recommended by AWS Trusted advisor to avoid excess costs
+DEFAULT_LIFECYCLE_RULE = s3.LifecycleRule(
+    Id="AbortIncompleteMultipartUpload",
+    AbortIncompleteMultipartUpload=s3.AbortIncompleteMultipartUpload(
+        DaysAfterInitiation=7
+    ),
+    Prefix="",
+    Status="Enabled",
+)
+
 
 class EncryptionAlgorithm(Enum):
     """Provide an Enum to describe encryption algorithms."""
@@ -40,6 +51,7 @@ def __init__(
             EncryptionAlgorithm | None
         ) = EncryptionAlgorithm.AES256,
         authorized_encryptions: list[EncryptionAlgorithm] | None = None,
+        add_multipart_lifecycle_rule: bool = False,
         **bucket_kwargs: Any,
     ):
         """Initialize a bucket.
@@ -51,11 +63,21 @@ def __init__(
         :param default_bucket_encryption: type of the default bucket encryption.
         :param authorized_encryptions: types of the server side encryptions
             to authorize.
+        :param add_multipart_lifecycle_rule: add default rule is to abort multipart
+            uploads that remain incomplete after 7 days.
         :param bucket_kwargs: keyword arguments to pass to the bucket constructor
         """
         self.name = name
         self.enable_versioning = enable_versioning
         self.lifecycle_rules = lifecycle_rules
+
+        if add_multipart_lifecycle_rule:
+            self.lifecycle_rules = (
+                self.lifecycle_rules + [DEFAULT_LIFECYCLE_RULE]
+                if self.lifecycle_rules
+                else [DEFAULT_LIFECYCLE_RULE]
+            )
+
         self.default_bucket_encryption = default_bucket_encryption
         if authorized_encryptions is None:
             self.authorized_encryptions = [EncryptionAlgorithm.AES256]
diff --git a/tests/tests_e3_aws/troposphere/s3/bucket-with-multipart-lifecycle-rule.json b/tests/tests_e3_aws/troposphere/s3/bucket-with-multipart-lifecycle-rule.json
@@ -0,0 +1,65 @@
+{
+    "TestBucket": {
+        "DeletionPolicy": "Retain",
+        "Properties": {
+            "BucketName": "test-bucket",
+            "BucketEncryption": {
+                "ServerSideEncryptionConfiguration": [
+                    {
+                        "ServerSideEncryptionByDefault": {
+                            "SSEAlgorithm": "AES256"
+                        }
+                    }
+                ]
+            },
+            "PublicAccessBlockConfiguration": {
+                "BlockPublicAcls": true,
+                "BlockPublicPolicy": true,
+                "IgnorePublicAcls": true,
+                "RestrictPublicBuckets": true
+            },
+            "LifecycleConfiguration": {
+                "Rules": [
+                    {
+                        "Id": "AbortIncompleteMultipartUpload",
+                        "AbortIncompleteMultipartUpload": {
+                            "DaysAfterInitiation": 7
+                        },
+                        "Status": "Enabled",
+                        "Prefix": ""
+                    }
+                ]
+            },
+            "VersioningConfiguration": {
+                "Status": "Enabled"
+            }
+        },
+        "Type": "AWS::S3::Bucket"
+    },
+    "TestBucketPolicy": {
+        "Properties": {
+            "Bucket": {
+                "Ref": "TestBucket"
+            },
+            "PolicyDocument": {
+                "Version": "2012-10-17",
+                "Statement": [
+                    {
+                        "Effect": "Deny",
+                        "Principal": {
+                            "AWS": "*"
+                        },
+                        "Action": "s3:*",
+                        "Resource": "arn:aws:s3:::test-bucket/*",
+                        "Condition": {
+                            "Bool": {
+                                "aws:SecureTransport": "false"
+                            }
+                        }
+                    }
+                ]
+            }
+        },
+        "Type": "AWS::S3::BucketPolicy"
+    }
+}
diff --git a/tests/tests_e3_aws/troposphere/s3/s3_test.py b/tests/tests_e3_aws/troposphere/s3/s3_test.py
@@ -210,3 +210,16 @@ def test_bucket_with_roles_and_trust_policies_error(stack: Stack) -> None:
         str(exc.value) == "You cannot set 'trust_policy' and "
         "'trusted_accounts' at the same time , please use one or the other."
     )
+
+
+def test_bucket_with_default_lifecycle_rule(stack: Stack) -> None:
+    """Test bucket creation with default lifecycle rule."""
+    bucket = Bucket(name="test-bucket", add_multipart_lifecycle_rule=True)
+    stack.add(bucket)
+
+    with open(
+        os.path.join(TEST_DIR, "bucket-with-multipart-lifecycle-rule.json")
+    ) as fd:
+        expected_template = json.load(fd)
+
+    assert stack.export()["Resources"] == expected_template
