Add support for PutPublicAccessBlock (#56)

Implements aws-controllers-k8s/community#1016

Description of changes:
Adds support for the [`PutPublicAccessBlock`](https://docs.aws.amazon.com/sdk-for-go/api/service/s3/#S3.PutPublicAccessBlock) in a new field called `PublicAccessBlock`.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Author: RedbackThomson

apis/v1alpha1/ack-generate-metadata.yaml

@@ -1,13 +1,13 @@
 ack_generate_info:
-  build_date: "2021-10-12T16:58:37Z"
-  build_hash: 4b30ff5578e2f570d1c5b1741f3098be0d78e246
-  go_version: go1.16.5
+  build_date: "2021-10-14T18:50:30Z"
+  build_hash: f4166ae9942034b0552f244685515eef5a92dc25
+  go_version: go1.17.1
   version: v0.15.1
-api_directory_checksum: dfcc21d3fc7fcd228ae29942f020128e7a3bdb8e
+api_directory_checksum: e1236617364bb9947bcbfbeb21ce75841b5407f3
 api_version: v1alpha1
 aws_sdk_go_version: v1.37.10
 generator_config_info:
-  file_checksum: fc075d7f34ba66f75e207a25f763a5b74de48337
+  file_checksum: 45772c7b934f89394b89fe6214164cd8fe76a59e
   original_file_name: generator.yaml
 last_modification:
   reason: API generation

apis/v1alpha1/bucket.go

@@ -65,6 +65,10 @@ resources:
         from:
           operation: PutBucketPolicy
           path: Policy
+      PublicAccessBlock:
+        from:
+          operation: PutPublicAccessBlock
+          path: PublicAccessBlockConfiguration
       Replication:
         from:
           operation: PutBucketReplication

apis/v1alpha1/generator.yaml

@@ -467,6 +467,23 @@ spec:
               policy:
                 description: The bucket policy as a JSON document.
                 type: string
+              publicAccessBlock:
+                description: The PublicAccessBlock configuration that you want to
+                  apply to this Amazon S3 bucket. You can enable the configuration
+                  options in any combination. For more information about when Amazon
+                  S3 considers a bucket or object public, see The Meaning of "Public"
+                  (https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-policy-status)
+                  in the Amazon Simple Storage Service Developer Guide.
+                properties:
+                  blockPublicACLs:
+                    type: boolean
+                  blockPublicPolicy:
+                    type: boolean
+                  ignorePublicACLs:
+                    type: boolean
+                  restrictPublicBuckets:
+                    type: boolean
+                type: object
               replication:
                 description: A container for replication rules. You can add up to
                   1,000 rules. The maximum size of a replication configuration is

apis/v1alpha1/types.go

@@ -65,6 +65,10 @@ resources:
         from:
           operation: PutBucketPolicy
           path: Policy
+      PublicAccessBlock:
+        from:
+          operation: PutPublicAccessBlock
+          path: PublicAccessBlockConfiguration
       Replication:
         from:
           operation: PutBucketReplication

apis/v1alpha1/zz_generated.deepcopy.go

@@ -467,6 +467,23 @@ spec:
               policy:
                 description: The bucket policy as a JSON document.
                 type: string
+              publicAccessBlock:
+                description: The PublicAccessBlock configuration that you want to
+                  apply to this Amazon S3 bucket. You can enable the configuration
+                  options in any combination. For more information about when Amazon
+                  S3 considers a bucket or object public, see The Meaning of "Public"
+                  (https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#access-control-block-public-access-policy-status)
+                  in the Amazon Simple Storage Service Developer Guide.
+                properties:
+                  blockPublicACLs:
+                    type: boolean
+                  blockPublicPolicy:
+                    type: boolean
+                  ignorePublicACLs:
+                    type: boolean
+                  restrictPublicBuckets:
+                    type: boolean
+                type: object
               replication:
                 description: A container for replication rules. You can add up to
                   1,000 rules. The maximum size of a replication configuration is

config/crd/bases/s3.services.k8s.aws_buckets.yaml

@@ -25,13 +25,17 @@ import (
 )
 
 var (
-	DefaultAccelerationStatus = svcsdk.BucketAccelerateStatusSuspended
-	DefaultRequestPayer       = svcsdk.PayerBucketOwner
-	DefaultVersioningStatus   = svcsdk.BucketVersioningStatusSuspended
-	DefaultACL                = svcsdk.BucketCannedACLPrivate
-)
-
-var (
+	DefaultAccelerationStatus     = svcsdk.BucketAccelerateStatusSuspended
+	DefaultRequestPayer           = svcsdk.PayerBucketOwner
+	DefaultVersioningStatus       = svcsdk.BucketVersioningStatusSuspended
+	DefaultACL                    = svcsdk.BucketCannedACLPrivate
+	DefaultPublicBlockAccessValue = false
+	DefaultPublicBlockAccess      = svcapitypes.PublicAccessBlockConfiguration{
+		BlockPublicACLs:       &DefaultPublicBlockAccessValue,
+		BlockPublicPolicy:     &DefaultPublicBlockAccessValue,
+		IgnorePublicACLs:      &DefaultPublicBlockAccessValue,
+		RestrictPublicBuckets: &DefaultPublicBlockAccessValue,
+	}
 	CannedACLJoinDelimiter = "|"
 )
 
@@ -87,6 +91,11 @@ func (rm *resourceManager) createPutFields(
 			return err
 		}
 	}
+	if r.ko.Spec.PublicAccessBlock != nil {
+		if err := rm.syncPublicAccessBlock(ctx, r); err != nil {
+			return err
+		}
+	}
 	if r.ko.Spec.Replication != nil {
 		if err := rm.syncReplication(ctx, r); err != nil {
 			return err
@@ -178,6 +187,11 @@ func (rm *resourceManager) customUpdateBucket(
 			return nil, err
 		}
 	}
+	if delta.DifferentAt("Spec.PublicAccessBlock") {
+		if err := rm.syncPublicAccessBlock(ctx, desired); err != nil {
+			return nil, err
+		}
+	}
 	if delta.DifferentAt("Spec.RequestPayment") {
 		if err := rm.syncRequestPayment(ctx, desired); err != nil {
 			return nil, err
@@ -307,6 +321,20 @@ func (rm *resourceManager) addPutFieldsToSpec(
 	}
 	ko.Spec.Policy = getPolicyResponse.Policy
 
+	getPublicAccessBlockResponse, err := rm.sdkapi.GetPublicAccessBlockWithContext(ctx, rm.newGetPublicAccessBlockPayload(r))
+	if err != nil {
+		if awsErr, ok := ackerr.AWSError(err); ok && awsErr.Code() == "NoSuchPublicAccessBlockConfiguration" {
+			getPublicAccessBlockResponse = &svcsdk.GetPublicAccessBlockOutput{}
+		} else {
+			return err
+		}
+	}
+	if getPublicAccessBlockResponse.PublicAccessBlockConfiguration != nil {
+		ko.Spec.PublicAccessBlock = rm.setResourcePublicAccessBlock(r, getPublicAccessBlockResponse)
+	} else {
+		ko.Spec.PublicAccessBlock = nil
+	}
+
 	getReplicationResponse, err := rm.sdkapi.GetBucketReplicationWithContext(ctx, rm.newGetBucketReplicationPayload(r))
 	if err != nil {
 		if awsErr, ok := ackerr.AWSError(err); ok && awsErr.Code() == "ReplicationConfigurationNotFoundError" {
@@ -436,6 +464,9 @@ func customPreCompare(
 	if a.ko.Spec.OwnershipControls == nil && b.ko.Spec.OwnershipControls != nil {
 		a.ko.Spec.OwnershipControls = &svcapitypes.OwnershipControls{}
 	}
+	if a.ko.Spec.PublicAccessBlock == nil && b.ko.Spec.PublicAccessBlock != nil {
+		a.ko.Spec.PublicAccessBlock = &DefaultPublicBlockAccess
+	}
 	if a.ko.Spec.Replication == nil && b.ko.Spec.Replication != nil {
 		a.ko.Spec.Replication = &svcapitypes.ReplicationConfiguration{}
 	}
@@ -1081,6 +1112,82 @@ func (rm *resourceManager) syncPolicy(
 
 //endregion
 
+//region publicaccessblock
+
+func (rm *resourceManager) newGetPublicAccessBlockPayload(
+	r *resource,
+) *svcsdk.GetPublicAccessBlockInput {
+	res := &svcsdk.GetPublicAccessBlockInput{}
+	res.SetBucket(*r.ko.Spec.Name)
+	return res
+}
+
+func (rm *resourceManager) newPutPublicAccessBlockPayload(
+	r *resource,
+) *svcsdk.PutPublicAccessBlockInput {
+	res := &svcsdk.PutPublicAccessBlockInput{}
+	res.SetBucket(*r.ko.Spec.Name)
+	res.SetPublicAccessBlockConfiguration(rm.newPublicAccessBlockConfiguration(r))
+
+	return res
+}
+
+func (rm *resourceManager) newDeletePublicAccessBlockPayload(
+	r *resource,
+) *svcsdk.DeletePublicAccessBlockInput {
+	res := &svcsdk.DeletePublicAccessBlockInput{}
+	res.SetBucket(*r.ko.Spec.Name)
+	return res
+}
+
+func (rm *resourceManager) putPublicAccessBlock(
+	ctx context.Context,
+	r *resource,
+) (err error) {
+	rlog := ackrtlog.FromContext(ctx)
+	exit := rlog.Trace("rm.putPublicAccessBlock")
+	defer exit(err)
+	input := rm.newPutPublicAccessBlockPayload(r)
+
+	_, err = rm.sdkapi.PutPublicAccessBlockWithContext(ctx, input)
+	rm.metrics.RecordAPICall("UPDATE", "PutPublicAccessBlock", err)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (rm *resourceManager) deletePublicAccessBlock(
+	ctx context.Context,
+	r *resource,
+) (err error) {
+	rlog := ackrtlog.FromContext(ctx)
+	exit := rlog.Trace("rm.deletePublicAccessBlock")
+	defer exit(err)
+	input := rm.newDeletePublicAccessBlockPayload(r)
+
+	_, err = rm.sdkapi.DeletePublicAccessBlockWithContext(ctx, input)
+	rm.metrics.RecordAPICall("UPDATE", "DeletePublicAccessBlock", err)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (rm *resourceManager) syncPublicAccessBlock(
+	ctx context.Context,
+	r *resource,
+) (err error) {
+	if r.ko.Spec.PublicAccessBlock == nil || *r.ko.Spec.PublicAccessBlock == DefaultPublicBlockAccess {
+		return rm.deletePublicAccessBlock(ctx, r)
+	}
+	return rm.putPublicAccessBlock(ctx, r)
+}
+
+//endregion
+
 //region replication
 
 func (rm *resourceManager) newGetBucketReplicationPayload(