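def _bucket_policy_changed(self, region, bucket):
    """Return True when the policy currently attached to *bucket* differs from the expected shelvery policy.

    Args:
        region: AWS region the S3 client is created in.
        bucket: Name of the data bucket to inspect.

    Returns:
        True if the bucket has no policy, or a policy different from the one
        produced by ``AwsHelper.get_shelvery_bucket_policy``; False otherwise.

    Raises:
        ClientError: re-raised for any S3 error other than a missing policy.
    """
    client = AwsHelper.boto3_client('s3', region_name=region)
    try:
        current_policy = client.get_bucket_policy(Bucket=bucket)['Policy']
    except ClientError as error:
        # S3 reports "no policy attached" as an error rather than an empty
        # document; treat that as "changed" so the expected policy gets
        # applied. Any other failure is a real error and must surface.
        if error.response['Error']['Code'] != 'NoSuchBucketPolicy':
            raise
        current_policy = None
    expected_policy = AwsHelper.get_shelvery_bucket_policy(
        self.account_id, RuntimeConfig.get_share_with_accounts(self), bucket)
    # NOTE(review): this is a raw string comparison of two JSON documents. If
    # S3 re-serialises the stored policy (whitespace, key order) differently
    # from the generated one, every run will report a change — confirm.
    return current_policy != expected_policy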
def create_data_buckets(self):
    """Ensure the data bucket exists in the home region and every DR region,
    and write the shelvery bucket policy to each of them unconditionally."""
    target_regions = [self.region, *RuntimeConfig.get_dr_regions(None, self)]
    for target_region in target_regions:
        data_bucket = self._get_data_bucket(target_region)
        share_accounts = RuntimeConfig.get_share_with_accounts(self)
        policy_document = AwsHelper.get_shelvery_bucket_policy(
            self.account_id, share_accounts, data_bucket.name)
        # The policy is what grants the shared accounts access to the
        # backups, so it is (re)written on every run.
        s3_client = AwsHelper.boto3_client('s3', region_name=target_region)
        s3_client.put_bucket_policy(Bucket=data_bucket.name, Policy=policy_document)
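def _bucket_policy_changed(self, region, bucket):
    """Return True when the policy currently attached to *bucket* differs from the expected shelvery policy.

    Args:
        region: AWS region the S3 client is created in.
        bucket: Name of the data bucket to inspect.

    Returns:
        True if the bucket has no policy, or a policy different from the one
        produced by ``AwsHelper.get_shelvery_bucket_policy``; False otherwise.

    Raises:
        ClientError: re-raised for any S3 error other than a missing policy.
    """
    client = AwsHelper.boto3_client('s3', region_name=region)
    try:
        current_policy = client.get_bucket_policy(Bucket=bucket)['Policy']
    except ClientError as error:
        # Only a missing policy is expected here. Previously any other error
        # code fell through with ``current_policy`` unbound, which masked the
        # real S3 error behind an UnboundLocalError.
        if error.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        current_policy = None
    expected_policy = AwsHelper.get_shelvery_bucket_policy(
        self.account_id, RuntimeConfig.get_share_with_accounts(self), bucket)
    # NOTE(review): raw string comparison of two JSON documents; if S3
    # normalises the stored policy differently from the generated one this
    # reports a change on every run — confirm.
    return current_policy != expected_policy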
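def _get_data_bucket(self, region=None):
    """Return the boto3 ``Bucket`` resource for this account's data bucket in *region*.

    The bucket is created when it does not exist yet. Both the existing and the
    newly created bucket get the S3 public-access block applied; a new bucket
    additionally receives the shelvery bucket policy.

    Args:
        region: Region the bucket should live in; ``None`` means the region of
            the default boto3 session.

    Returns:
        ``boto3.resource('s3').Bucket`` for the data bucket.

    Raises:
        ClientError: any S3 error other than a 404 from ``head_bucket``.
    """
    bucket_name = self.get_local_bucket_name(region)
    loc_constraint = region if region is not None else boto3.session.Session().region_name
    # Public access is always blocked on the data bucket: the only
    # cross-account access allowed is the explicit bucket policy.
    public_access_block = {
        'BlockPublicAcls': True,
        'IgnorePublicAcls': True,
        'BlockPublicPolicy': True,
        'RestrictPublicBuckets': True,
    }
    s3 = boto3.resource('s3')
    # NOTE(review): head_bucket/put_public_access_block use a client with no
    # region_name while the bucket may live in a DR region — confirm this
    # works for buckets outside the default region.
    default_client = AwsHelper.boto3_client('s3')
    try:
        default_client.head_bucket(Bucket=bucket_name)
    except ClientError as e:
        if e.response['Error']['Code'] != '404':
            raise
        # Bucket does not exist yet: create it in the requested region.
        s3client = AwsHelper.boto3_client('s3', region_name=loc_constraint)
        if loc_constraint == "us-east-1":
            # us-east-1 must be created without a LocationConstraint.
            s3client.create_bucket(Bucket=bucket_name)
        else:
            # "EU" is the legacy constraint name S3 uses for eu-west-1.
            constraint = "EU" if loc_constraint == "eu-west-1" else loc_constraint
            s3client.create_bucket(
                Bucket=bucket_name,
                CreateBucketConfiguration={'LocationConstraint': constraint})
        # Block public access on the new bucket before attaching any policy,
        # so it never exists without the block (previously only pre-existing
        # buckets got it).
        s3client.put_public_access_block(
            Bucket=bucket_name,
            PublicAccessBlockConfiguration=public_access_block)
        # store the bucket policy, so the bucket can be accessed from other accounts
        # that backups are shared with
        s3client.put_bucket_policy(
            Bucket=bucket_name,
            Policy=AwsHelper.get_shelvery_bucket_policy(
                self.account_id, RuntimeConfig.get_share_with_accounts(self), bucket_name))
        return s3.Bucket(bucket_name)
    # Existing bucket: (re)assert the public-access block on every call so a
    # manual change does not persist.
    default_client.put_public_access_block(
        Bucket=bucket_name,
        PublicAccessBlockConfiguration=public_access_block)
    return s3.Bucket(bucket_name)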
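def create_data_buckets(self):
    """Ensure the data bucket exists in the home region and all DR regions,
    and rewrite its bucket policy only when it differs from the expected one."""
    regions = [self.region, *RuntimeConfig.get_dr_regions(None, self)]
    for region in regions:
        bucket = self._get_data_bucket(region)
        if not self._bucket_policy_changed(region, bucket.name):
            # Plain string: the original used an f-string with no placeholders.
            self.logger.info("Bucket policy hasn't changed")
            continue
        policy = AwsHelper.get_shelvery_bucket_policy(
            self.account_id, RuntimeConfig.get_share_with_accounts(self), bucket.name)
        # The full policy is logged so drift in the shared-account list is
        # visible in the run log.
        self.logger.info(
            f"Bucket policy has changed, updating policy to {policy}")
        AwsHelper.boto3_client('s3', region_name=region).put_bucket_policy(
            Bucket=bucket.name, Policy=policy)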