
Commit 890e8d4

Ensure public access is set before policy (#110)
Issue #, if available: aws-controllers-k8s/community#1796 Description of changes: Ensures that the bucket hook code syncs the `publicAccessBlock` settings before `policy`, so that policies which expose objects publicly are allowed. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
1 parent d2596c7 commit 890e8d4


1 file changed

+14
-10
lines changed


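--- a/pkg/resource/bucket/hook.go
+++ b/pkg/resource/bucket/hook.go
@@ -121,16 +121,18 @@ func (rm *resourceManager) createPutFields(
 return errors.Wrapf(err, ErrSyncingPutProperty, "OwnershipControls")
 }
 }
-if r.ko.Spec.Policy != nil {
-if err := rm.syncPolicy(ctx, r); err != nil {
-return errors.Wrapf(err, ErrSyncingPutProperty, "Policy")
-}
-}
+// PublicAccessBlock may need to be set in order to use Policy, so sync it
+// first
 if r.ko.Spec.PublicAccessBlock != nil {
 if err := rm.syncPublicAccessBlock(ctx, r); err != nil {
 return errors.Wrapf(err, ErrSyncingPutProperty, "PublicAccessBlock")
 }
 }
+if r.ko.Spec.Policy != nil {
+if err := rm.syncPolicy(ctx, r); err != nil {
+return errors.Wrapf(err, ErrSyncingPutProperty, "Policy")
+}
+}
 if r.ko.Spec.Replication != nil {
 if err := rm.syncReplication(ctx, r); err != nil {
 return errors.Wrapf(err, ErrSyncingPutProperty, "Replication")
@@ -237,16 +239,18 @@ func (rm *resourceManager) customUpdateBucket(
 return nil, errors.Wrapf(err, ErrSyncingPutProperty, "OwnershipControls")
 }
 }
-if delta.DifferentAt("Spec.Policy") {
-if err := rm.syncPolicy(ctx, desired); err != nil {
-return nil, errors.Wrapf(err, ErrSyncingPutProperty, "Policy")
-}
-}
+// PublicAccessBlock may need to be set in order to use Policy, so sync it
+// first
 if delta.DifferentAt("Spec.PublicAccessBlock") {
 if err := rm.syncPublicAccessBlock(ctx, desired); err != nil {
 return nil, errors.Wrapf(err, ErrSyncingPutProperty, "PublicAccessBlock")
 }
 }
+if delta.DifferentAt("Spec.Policy") {
+if err := rm.syncPolicy(ctx, desired); err != nil {
+return nil, errors.Wrapf(err, ErrSyncingPutProperty, "Policy")
+}
+}
 if delta.DifferentAt("Spec.RequestPayment") {
 if err := rm.syncRequestPayment(ctx, desired); err != nil {
 return nil, errors.Wrapf(err, ErrSyncingPutProperty, "RequestPayment")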
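Review bot: The ordering comment added in both `createPutFields` and `customUpdateBucket` is vaguer than the constraint it protects and should name it, e.g. `// S3 rejects a public bucket policy while BlockPublicPolicy is enabled, so PublicAccessBlock must be synced before Policy.` With this order, an error from `syncPolicy` returns after the public access block has already been changed, so a relaxed block can stay in place without the policy it was relaxed for, presumably until a later reconcile succeeds; that partial state is worth a sentence in the comment. Nothing visible in these hunks enforces the order, so a unit test asserting that `syncPublicAccessBlock` runs before `syncPolicy` in both paths would keep a later re-sort of these blocks from silently undoing the fix. Both function bodies start and end outside the hunks, so whether an earlier property sync (ACL, for instance) has the same dependency on the public access block cannot be checked from here.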
