From bb64ccf71efba5677f91ff56fc6434590438ae82 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simon=20B=C3=A4rlocher?= <simon@whatwedo.ch>
Date: Tue, 26 May 2026 15:40:21 +0200
Subject: [PATCH] fix(send): assert S3 credentials when storage backend is s3

When send_storage_backend=s3 the role previously deployed the container
with whatever was in send_s3_* (often empty strings from the defaults).
The container would then start, accept uploads, and fail to persist
anything silently. Same pattern as the validate blocks in coturn,
talk, bookstack and opnform: fail fast at task time with a clear error
that points at the four missing variables.

Skipped entirely when send_storage_backend=local (the default).
---
 roles/send/tasks/main.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/roles/send/tasks/main.yml b/roles/send/tasks/main.yml
index 9ed8dd8..2ed91c9 100644
--- a/roles/send/tasks/main.yml
+++ b/roles/send/tasks/main.yml
@@ -2,6 +2,20 @@
 ---
 # tasks file for send
 
+- name: Assert S3 backend configuration when enabled
+  ansible.builtin.assert:
+    that:
+      - send_s3_endpoint | length > 0
+      - send_s3_bucket | length > 0
+      - send_s3_access_key | length > 0
+      - send_s3_secret_key | length > 0
+    fail_msg: >-
+      send_storage_backend is 's3' but one or more of send_s3_endpoint,
+      send_s3_bucket, send_s3_access_key, send_s3_secret_key is unset.
+      Provide via OpenBao, Ansible Vault or extra-vars — or switch
+      send_storage_backend to 'local'.
+  when: send_storage_backend == "s3"
+
 - name: Create docker compose directory
   ansible.builtin.file:
     path: "{{ send_docker_compose_dir }}"