You can now set the iam configuration for a given bucket, you can set:
1. publicAccessPrevention and
2. uniformBucketLevelAccess
no support for bucketPolicyOnly because according to the storage docs:
Note: iamConfiguration also includes the bucketPolicyOnly field, which
uses a legacy name but has the same functionality as the
uniformBucketLevelAccess field. We recommend only using
uniformBucketLevelAccess, as specifying both fields may result in
unreliable behavior.
Also added integration tests for this feature
Signed-off-by: Jorge Gallegos <jgallego@redhat.com>
The wording of the raised exception wasn't great, adding a bit more
granularity to the type of error returned
Signed-off-by: Jorge Gallegos <jgallego@redhat.com>
Fixes#434
It is basically the same as #438 but with a few extra checks, don't want
to rebase the whole thing.
Signed-off-by: Jorge Gallegos <jgallego@redhat.com>
If you have an instance with a Local (scratch) SSD attached you need to
specify the behavior for this when changing the status to TERMINATED
i.e. stopping the instance. Without setting this flag you'll get an
error back from the API.
One niche but useful feature of Ansible inventory plugins is the ability to call one plugin from another. For example, you can write a custom plugin (`my.plugin.multi_cloud`) that acts as a sort of normalization interface between project inventories deployed on multiple cloud platforms. This makes it feasible to create a single set of Ansible Playbooks that can act on hosts across cloud platforms because they can expect managed node (inventory host) data to be consistent across those cloud platform vendors.
For example, `my.plugin.multi_cloud` inventory plugin might look something like the following code, which simply dynamically loads one or another underlying (upstream) vendor'ed inventory plugins based on the value of the shell environment variable called `CLOUD_PLATFORM`:
```python
#!/usr/bin/env python3
from ansible.errors import AnsibleError, AnsibleParserError
from ansible.plugins.inventory import BaseInventoryPlugin
from ansible.plugins.loader import inventory_loader
import os
class InventoryModule(BaseInventoryPlugin):
def parse(self, inventory, loader, path, cache=True):
super(InventoryModule, self).parse(inventory, loader, path)
# Map the cloud platform to the appropriate vendor's inventory plugin.
cloud_platform = os.environ.get('CLOUD_PLATFORM', '').lower()
if cloud_platform == 'aws':
plugin_fqcn = 'amazon.aws.aws_ec2'
elif cloud_platform == 'gcp':
plugin_fqcn = 'google.cloud.gcp_compute'
else:
raise AnsibleParserError(
f"Error: Unrecognized or unset cloud platform '{cloud_platform}'. "
f"Set ENTROPY_CLOUD_PLATFORM to 'aws' or 'gcp'.\n"
)
if not inventory_loader.has_plugin(plugin_fqcn):
raise AnsibleParserError(f"Error: '{plugin_fqcn}' inventory plugin not found.\n")
# Load the requested plugin.
self.inventory_plugin = inventory_loader.get(plugin_fqcn)
```
In the above example, we see code loading either this `google.cloud.gcp_compute` inventory plugin or Amazon's `amazon.aws.aws_ec2` inventory plugin.
Later, we can invoke the underlying (upstream) plugin in a passthrough manner like this:
```python
# Passthrough to the underlying plugin.
if self.inventory_plugin.verify_file(path):
self.inventory_plugin.parse(inventory, loader, path)
else:
raise AnsibleParserError(f"Error: Inventory configuration file '{path}' failed verification by plugin '{plugin_fqcn}'")
```
However, in order for this to work, we must supply the underlying plugin with knowledge of the fact that we are calling it from a different actual plugin. This is facilitated via Ansible's built in `_redirected_names` class property. Before calling the underlying plugin's `parse()` method, we must first do:
```python
self.inventory_plugin._redirected_names.append(InventoryModule.NAME)
```
Now the underlying plugin will be permitted to run because the underlying plugin is informing Ansible that one of the names it is permitted to use is this "redirected" (aliased) name of the calling plugin. We have effectively monkey-patched the plugin during runtime, which is exactly what we want.
Unfortunately, for _this_ `google.cloud.gcp_compute` inventory plugin, that's not enough, because of the fact that the `plugin` option in its configuration file is also checked and compared against this same name. That's something that, for example, the `amazon.aws.aws_ec2` inventory plugin _doesn't_ do, and for good reason: enforcing this check with hardcoded options breaks the built-in functionality of the Ansible module loading alias features.
That's why I'm suggesting we remove this option. It isn't needed for the `auto` inventory plugin to load the plugin correctly, nor does it ever really need to be checked once this plugin is actually running; it's already running! But its presence _does_ break existing Ansible features, and makes the above use case of a pass-through plugin, for example, infeasible.
Thanks for considering this proposal.
