From 0e701bbecec26df41dab8c65036252532d624f47 Mon Sep 17 00:00:00 2001
From: cbackas <zgibson@live.com>
Date: Tue, 13 Jun 2023 11:08:14 -0500
Subject: [PATCH] add var to make the creds optional

---
 roles/custom/matrix-synapse/defaults/main.yml |  2 ++
 .../s3-storage-provider/validate_config.yml   | 21 +++++++++++++++----
 .../synapse/ext/s3-storage-provider/env.j2    |  4 ++++
 .../media_storage_provider.yaml.j2            |  4 ++++
 4 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml
index 32d63df7d..fa09d83f7 100644
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -885,6 +885,8 @@ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name: ''
 matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url: ''
 matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: ''
 matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: ''
+# Enable this to use EC2 instance profile metadata to grab IAM credentials instead of passing credentials directly.
+matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile: false
 matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled: false
 matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key: ''
 matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo: 'AES256'
diff --git a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml
index dfa3d9e5a..c3034531d 100644
--- a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml
+++ b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml
@@ -1,14 +1,27 @@
 ---
+- name: Set base required s3-storage-provider settings
+  set_fact:
+    base_s3_storage_provider_config:
+      - "matrix_synapse_ext_synapse_s3_storage_provider_config_bucket"
+      - "matrix_synapse_ext_synapse_s3_storage_provider_config_region_name"
+      - "matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url"
+
+- name: Set optional required s3-storage-provider settings
+  set_fact:
+    optional_s3_storage_provider_config:
+      - "matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id"
+      - "matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key"
+
+- name: Prepare a list of required s3-storage-provider settings
+  set_fact:
+    required_s3_settings: "{{ base_s3_storage_provider_config + (optional_s3_storage_provider_config if not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile|default(false)|bool else []) }}"
 
 - name: Fail if required s3-storage-provider settings not defined
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`) for using s3-storage-provider.
   when: "vars[item] == ''"
-  with_items:
-    - "matrix_synapse_ext_synapse_s3_storage_provider_config_bucket"
-    - "matrix_synapse_ext_synapse_s3_storage_provider_config_region_name"
-    - "matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url"
+  with_items: "{{ required_s3_settings }}"
 
 - name: Fail if required matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url looks invalid
   ansible.builtin.fail:
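Review bot: The three new `set_fact` tasks at the top of the hunk register unprefixed host facts (`base_s3_storage_provider_config`, `optional_s3_storage_provider_config`, `required_s3_settings`) that persist for the rest of the play, while every other variable in this role carries the `matrix_synapse_ext_synapse_s3_storage_provider_` prefix; a task-level `vars:` block on the fail task keeps the list scoped to the one task that reads it and avoids leaking generic names into other roles. The new tasks also use the short name `set_fact` while the existing task in the same file uses the fully qualified `ansible.builtin.fail`. The `|default(false)` applied to the flag in the `required_s3_settings` expression is redundant now that defaults/main.yml defines it as `false`, and the same redundant default appears in the env.j2 and media_storage_provider.yaml.j2 hunks; it is harmless but suggests the default might be missing. The `Fail if required matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url looks invalid` task continues past the end of the hunk.

```yaml
- name: Fail if required s3-storage-provider settings not defined
  # … unchanged: ansible.builtin.fail msg / when …
  with_items: "{{ matrix_synapse_ext_synapse_s3_storage_provider_required_settings }}"
  vars:
    matrix_synapse_ext_synapse_s3_storage_provider_base_settings:
      - "matrix_synapse_ext_synapse_s3_storage_provider_config_bucket"
      - "matrix_synapse_ext_synapse_s3_storage_provider_config_region_name"
      - "matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url"
    # Static credentials are only required when the instance profile is not used.
    matrix_synapse_ext_synapse_s3_storage_provider_credential_settings:
      - "matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id"
      - "matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key"
    matrix_synapse_ext_synapse_s3_storage_provider_required_settings: >-
      {{ matrix_synapse_ext_synapse_s3_storage_provider_base_settings
         + ([] if matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile | bool
            else matrix_synapse_ext_synapse_s3_storage_provider_credential_settings) }}
```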
diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2
index d895b742d..c5e896032 100644
--- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2
@@ -1,3 +1,7 @@
+{% if not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile|default(false)|bool %}
+AWS_ACCESS_KEY_ID={{ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id }}
+AWS_SECRET_ACCESS_KEY={{ matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key }}
+{% endif %}
 AWS_DEFAULT_REGION={{ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name }}
 
 ENDPOINT={{ matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url }}
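Review bot: When the instance-profile flag is true, the `{% if not … %}` guard on the first line of the hunk silently drops any non-empty `..._access_key_id`/`..._secret_access_key` the operator has also set, and the media_storage_provider.yaml.j2 hunk does the same; nothing in validate_config.yml reports that conflict, so an operator who configured both would not learn which credential source is actually in effect. A validation task that fails when the flag is true and either key variable is non-empty would make the precedence explicit and catch a stale static key left behind after migrating to the instance profile. A short Jinja comment above the guard would also help readers of the rendered file, e.g. `{# Omitted when ec2_instance_profile is true: credentials then come from the instance profile, not from the access_key_id/secret_access_key variables #}`. Which process consumes this env file, and therefore which credential chain takes over when the variables are absent, is not visible in this patch.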
diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2
index 71394acef..32c8a0d17 100644
--- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2
@@ -6,6 +6,10 @@ config:
   bucket: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_bucket | to_json }}
   region_name: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name | to_json }}
   endpoint_url: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url | to_json }}
+{% if not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile|default(false)|bool %}
+  access_key_id: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id | to_json }}
+  secret_access_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key | to_json }}
+{% endif %}
 
 {% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %}
   sse_customer_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key | to_json }}