コード例 #1
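 def _bucket_policy_changed(self, region, bucket):
     """Return True when the bucket's live policy differs from the one shelvery expects.

     Args:
         region: AWS region used to build the S3 client.
         bucket: Name of the data bucket to inspect.

     Returns:
         True when the policy must be (re)applied: the stored policy text
         differs from ``AwsHelper.get_shelvery_bucket_policy(...)`` or the
         bucket has no policy at all.

     Raises:
         ClientError: for any S3 error other than a missing bucket policy
             (e.g. AccessDenied). A policy that cannot be read is neither
             reported as up to date nor blindly overwritten.
     """
     client = AwsHelper.boto3_client('s3', region_name=region)
     try:
         current_policy = client.get_bucket_policy(Bucket=bucket)['Policy']
     except ClientError as error:
         # get_bucket_policy fails with NoSuchBucketPolicy rather than
         # returning an empty document; a bucket without a policy has to be
         # treated as "changed" so the sharing policy gets applied.
         if error.response['Error']['Code'] != 'NoSuchBucketPolicy':
             raise
         current_policy = None

     shelvery_bucket_policy = AwsHelper.get_shelvery_bucket_policy(
         self.account_id, RuntimeConfig.get_share_with_accounts(self),
         bucket)
     # Plain text comparison: formatting drift also counts as "changed",
     # which at worst costs an idempotent put_bucket_policy.
     return current_policy != shelvery_bucket_policy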
コード例 #2
 def create_data_buckets(self):
     """Ensure a shelvery data bucket exists in the primary and every DR region.

     For each region the bucket is created or looked up through
     ``_get_data_bucket`` and the cross-account sharing policy from
     ``AwsHelper.get_shelvery_bucket_policy`` is written unconditionally,
     so every run leaves the policy in the expected state.
     """
     target_regions = [self.region, *RuntimeConfig.get_dr_regions(None, self)]
     for target_region in target_regions:
         data_bucket = self._get_data_bucket(target_region)
         s3_client = AwsHelper.boto3_client('s3', region_name=target_region)
         sharing_policy = AwsHelper.get_shelvery_bucket_policy(
             self.account_id,
             RuntimeConfig.get_share_with_accounts(self),
             data_bucket.name)
         s3_client.put_bucket_policy(Bucket=data_bucket.name,
                                     Policy=sharing_policy)
コード例 #3
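    def _bucket_policy_changed(self, region, bucket):
        """Return True when the bucket's live policy differs from the one shelvery expects.

        Args:
            region: AWS region used to build the S3 client.
            bucket: Name of the data bucket to inspect.

        Returns:
            True when the policy must be (re)applied: the stored policy text
            differs from ``AwsHelper.get_shelvery_bucket_policy(...)`` or the
            bucket has no policy at all.

        Raises:
            ClientError: for any S3 error other than a missing bucket policy
                (e.g. AccessDenied). Previously such errors were swallowed and
                the function then crashed on an unbound ``current_policy``;
                re-raising keeps an unreadable policy from being silently
                reported as up to date or blindly overwritten.
        """
        client = AwsHelper.boto3_client('s3', region_name=region)
        try:
            current_policy = client.get_bucket_policy(Bucket=bucket)['Policy']
        except ClientError as error:
            # get_bucket_policy fails with NoSuchBucketPolicy rather than
            # returning an empty document; a bucket without a policy has to
            # be treated as "changed" so the sharing policy gets applied.
            if error.response["Error"]["Code"] != "NoSuchBucketPolicy":
                raise
            current_policy = None

        shelvery_bucket_policy = AwsHelper.get_shelvery_bucket_policy(
            self.account_id, RuntimeConfig.get_share_with_accounts(self),
            bucket)
        # Plain text comparison: formatting drift also counts as "changed",
        # which at worst costs an idempotent put_bucket_policy.
        return current_policy != shelvery_bucket_policy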
コード例 #4
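    def _get_data_bucket(self, region=None):
        """Return the shelvery data bucket for ``region``, creating it if missing.

        Args:
            region: Region the bucket should live in. ``None`` falls back to
                the default region of the current boto3 session.

        Returns:
            ``boto3.resource('s3').Bucket`` for the existing or newly
            created bucket.

        Raises:
            ClientError: re-raised for any ``head_bucket`` failure other than
                a 404 (e.g. 403 when the name belongs to another account), so
                an unreachable bucket is never "created over".
        """
        bucket_name = self.get_local_bucket_name(region)
        if region is None:
            loc_constraint = boto3.session.Session().region_name
        else:
            loc_constraint = region

        # Applied on BOTH the existing and the newly created bucket: the only
        # cross-account access to backups should come from the explicit
        # sharing policy, never from a public ACL or a public policy.
        # (The original code set this only for pre-existing buckets, leaving
        # a fresh bucket without the guardrail.)
        public_access_block = {
            'BlockPublicAcls': True,
            'IgnorePublicAcls': True,
            'BlockPublicPolicy': True,
            'RestrictPublicBuckets': True
        }

        s3 = boto3.resource('s3')
        try:
            AwsHelper.boto3_client('s3').head_bucket(Bucket=bucket_name)
        except ClientError as e:
            if e.response['Error']['Code'] != '404':
                raise
            s3client = AwsHelper.boto3_client('s3',
                                              region_name=loc_constraint)
            if loc_constraint == "us-east-1":
                # S3 rejects an explicit LocationConstraint for us-east-1.
                s3client.create_bucket(Bucket=bucket_name)
            else:
                if loc_constraint == "eu-west-1":
                    # Legacy alias S3 accepts for eu-west-1.
                    loc_constraint = "EU"
                s3client.create_bucket(Bucket=bucket_name,
                                       CreateBucketConfiguration={
                                           'LocationConstraint':
                                           loc_constraint
                                       })

            # Block public access before the sharing policy is written so a
            # misconfigured share list can never briefly expose the bucket.
            # The existing-bucket path below already sets this same block
            # ahead of the policy (re)applied by create_data_buckets, so the
            # shelvery policy is known to be compatible with it.
            s3client.put_public_access_block(
                Bucket=bucket_name,
                PublicAccessBlockConfiguration=public_access_block,
            )

            # store the bucket policy, so the bucket can be accessed from
            # other accounts that backups are shared with
            s3client.put_bucket_policy(
                Bucket=bucket_name,
                Policy=AwsHelper.get_shelvery_bucket_policy(
                    self.account_id,
                    RuntimeConfig.get_share_with_accounts(self),
                    bucket_name))
            return s3.Bucket(bucket_name)

        # Existing bucket: re-assert the public-access block on every run so
        # a manual change made outside shelvery does not persist.
        # NOTE(review): default bucket encryption is not enforced anywhere in
        # this method; consider put_bucket_encryption once the deploying
        # role is known to hold s3:PutEncryptionConfiguration.
        AwsHelper.boto3_client('s3').put_public_access_block(
            Bucket=bucket_name,
            PublicAccessBlockConfiguration=public_access_block,
        )
        return s3.Bucket(bucket_name)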
コード例 #5
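    def create_data_buckets(self):
        """Ensure a shelvery data bucket exists in the primary and every DR region.

        For each region the bucket is created or looked up through
        ``_get_data_bucket``; the cross-account sharing policy is only
        rewritten when ``_bucket_policy_changed`` reports drift, and every
        log line names the bucket and region so a multi-region run leaves an
        attributable record of which policies were touched.
        """
        regions = [self.region]
        regions.extend(RuntimeConfig.get_dr_regions(None, self))
        for region in regions:
            bucket = self._get_data_bucket(region)

            if self._bucket_policy_changed(region, bucket.name):
                policy = AwsHelper.get_shelvery_bucket_policy(
                    self.account_id,
                    RuntimeConfig.get_share_with_accounts(self), bucket.name)
                # The full policy is logged on purpose: it is the audit trail
                # of which accounts were granted access and when.
                self.logger.info(
                    f"Bucket policy for {bucket.name} in {region} has changed, "
                    f"updating policy to {policy}")
                AwsHelper.boto3_client('s3',
                                       region_name=region).put_bucket_policy(
                                           Bucket=bucket.name, Policy=policy)
            else:
                self.logger.info(
                    f"Bucket policy for {bucket.name} in {region} hasn't changed")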