Merge pull request #8659 from ameukam/aws-kops-disable-public-access-state-store

k8s-ci-robot · web-flow · commit 8f9c9d1db224 · 2025-10-17T03:36:42.000-07:00
AWS: Update S3 ACL resource for kOps state store
diff --git a/infra/aws/terraform/kops-infra-ci/main.tf b/infra/aws/terraform/kops-infra-ci/main.tf
@@ -34,54 +34,3 @@ resource "aws_iam_openid_connect_provider" "google_prow_idp" {
     "region" = data.aws_region.current.region
   })
 }
-
-## Used by kOps to store the state of the kOps created
-resource "aws_s3_bucket" "kops_state_store" {
-  provider = aws.kops-infra-ci
-  bucket   = "k8s-kops-ci-prow-state-store"
-  tags = merge(var.tags, var.janitor_tags, {
-    "region" = data.aws_region.current.region
-  })
-}
-
-resource "aws_s3_bucket_ownership_controls" "kops_state_store" {
-  provider = aws.kops-infra-ci
-  bucket   = aws_s3_bucket.kops_state_store.id
-  rule {
-    object_ownership = "BucketOwnerEnforced"
-  }
-}
-
-
-## Used by kOps for hosting OIDC documents
-resource "aws_s3_bucket" "kops_oidc_store" {
-  provider = aws.kops-infra-ci
-  bucket   = "k8s-kops-ci-prow"
-  tags = merge(var.tags, var.janitor_tags, {
-    "region" = data.aws_region.current.region
-  })
-}
-
-resource "aws_s3_bucket_ownership_controls" "kops_oidc_store" {
-  provider = aws.kops-infra-ci
-  bucket   = aws_s3_bucket.kops_oidc_store.id
-  rule {
-    object_ownership = "BucketOwnerPreferred"
-  }
-}
-
-resource "aws_s3_bucket_public_access_block" "kops_oidc_store" {
-  provider = aws.kops-infra-ci
-  bucket   = aws_s3_bucket.kops_oidc_store.id
-
-  block_public_acls       = false
-  block_public_policy     = false
-  ignore_public_acls      = false
-  restrict_public_buckets = false
-}
-
-resource "aws_s3_bucket_acl" "kops_oidc_store" {
-  provider = aws.kops-infra-ci
-  bucket   = aws_s3_bucket.kops_oidc_store.id
-  acl      = "public-read"
-}
diff --git a/infra/aws/terraform/kops-infra-ci/s3.tf b/infra/aws/terraform/kops-infra-ci/s3.tf
@@ -0,0 +1,87 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+## Used by kOps to store the state of the kOps created
+resource "aws_s3_bucket" "kops_state_store" {
+  provider = aws.kops-infra-ci
+  bucket   = "k8s-kops-ci-prow-state-store"
+  tags = merge(var.tags, var.janitor_tags, {
+    "region" = data.aws_region.current.region
+  })
+}
+
+resource "aws_s3_bucket_ownership_controls" "kops_state_store" {
+  provider = aws.kops-infra-ci
+  bucket   = aws_s3_bucket.kops_state_store.id
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
+resource "aws_s3_bucket_acl" "kops_state_store" {
+  provider = aws.kops-infra-ci
+  bucket   = aws_s3_bucket.kops_state_store.id
+  acl      = "public-read"
+
+  depends_on = [
+    aws_s3_bucket_ownership_controls.kops_state_store,
+    aws_s3_bucket_public_access_block.kops_state_store
+  ]
+}
+
+resource "aws_s3_bucket_public_access_block" "kops_state_store" {
+  provider = aws.kops-infra-ci
+  bucket   = aws_s3_bucket.kops_state_store.id
+
+  block_public_acls       = false
+  block_public_policy     = false
+  ignore_public_acls      = false
+  restrict_public_buckets = false
+}
+
+
+## Used by kOps for hosting OIDC documents
+resource "aws_s3_bucket" "kops_oidc_store" {
+  provider = aws.kops-infra-ci
+  bucket   = "k8s-kops-ci-prow"
+  tags = merge(var.tags, var.janitor_tags, {
+    "region" = data.aws_region.current.region
+  })
+}
+
+resource "aws_s3_bucket_ownership_controls" "kops_oidc_store" {
+  provider = aws.kops-infra-ci
+  bucket   = aws_s3_bucket.kops_oidc_store.id
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "kops_oidc_store" {
+  provider = aws.kops-infra-ci
+  bucket   = aws_s3_bucket.kops_oidc_store.id
+
+  block_public_acls       = false
+  block_public_policy     = false
+  ignore_public_acls      = false
+  restrict_public_buckets = false
+}
+
+resource "aws_s3_bucket_acl" "kops_oidc_store" {
+  provider = aws.kops-infra-ci
+  bucket   = aws_s3_bucket.kops_oidc_store.id
+  acl      = "public-read"
+}
