Ansible should be able to support the AWS_CA_BUNDLE environment variable for corporate environments that perform SSL break/inspect and require trust of non-default CAs.
ansible/module_utils/ec2.py
Currently, the only way to affect AWS SSL connectivity in the Ansible AWS modules is to use the validate_certs module parameter (if present for the desired module). However, this completely disables SSL verification against the AWS endpoint (which is not desired). It would be nice if Ansible could read the AWS_CA_BUNDLE environment variable when using boto3 AWS connectivity. This would give implementers a way to consume their own CA bundle.
I tested a small fix for this. (Keep in mind, I don't know much about the Ansible code, so I don't know the repercussions of this fix.)
in ansible/module_utils/ec2.py - def get_aws_connection_info

```python
# In the boto3 section:
if HAS_BOTO3 and boto3:
    boto_params = dict(aws_access_key_id=access_key,
                       aws_secret_access_key=secret_key,
                       aws_session_token=security_token)
    boto_params['verify'] = validate_certs
    # Added this section of code to pull env var if found
    if os.environ.get('AWS_CA_BUNDLE'):
        boto_params['verify'] = os.environ['AWS_CA_BUNDLE']
    if profile_name:
        # Note: the existing profile_name branch rebuilds boto_params, so any
        # 'verify' value set above is dropped when a profile is used.
        boto_params = dict(aws_access_key_id=None, aws_secret_access_key=None, aws_session_token=None)
        boto_params['profile_name'] = profile_name
else:
    boto_params = dict(aws_access_key_id=access_key,
                       aws_secret_access_key=secret_key,
                       security_token=security_token)
    # only set profile_name if passed as an argument
    if profile_name:
        boto_params['profile_name'] = profile_name
    boto_params['validate_certs'] = validate_certs
```
One way to do this would be to add a ca-bundle param, which can also use the env variable AWS_CA_BUNDLE and pass the value to "verify" while making the session.
or
Just read the AWS_CA_BUNDLE and pass the value to "verify".
I can try to work on a PR. But I wanted to get your opinion on this before starting.
Thanks for your offer, were you to go down this route I think it would be good to support both AWS_CA_BUNDLE, and add a 'ca_bundle' option to the shared parameters. (This in turn will also need adding to the relevant document fragment)
Before we commit any changes to the AuthN pieces for AnsibleAWSModule I'd really like for there to be some solid integration testing for it. The bare bones for which I've started working on in #99
I'll start poking away at that PR to expand the testing, and if I've not seen a PR around the CA bundle I'll work on that once I'm happy with the tests.
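The precedence sketched in the two comments above (a ca_bundle option falling back to AWS_CA_BUNDLE, with the result handed to boto3's verify argument) written out as an added example; this is not the thread's or the collection's code, and resolve_boto3_verify, write_sample_bundle and the exact precedence rules are assumptions:

```python
import os
import tempfile


def resolve_boto3_verify(validate_certs=True, ca_bundle=None, environ=None):
    """Compute the value to pass as ``verify`` to boto3's client()/resource().

    Precedence (assumed here, not the collection's actual rules):
      1. validate_certs=False disables validation entirely        -> False
      2. otherwise an explicit ca_bundle option, then the AWS_CA_BUNDLE
         environment variable, names a PEM bundle to trust         -> "<path>"
      3. otherwise botocore's default CA store is used             -> True
    A bundle path that is not a file raises instead of silently falling
    back, so a broken trust-store setting cannot go unnoticed.
    """
    env = os.environ if environ is None else environ
    if not validate_certs:
        return False
    bundle = ca_bundle or env.get("AWS_CA_BUNDLE")
    if not bundle:
        return True
    if not os.path.isfile(bundle):
        raise ValueError("CA bundle %r does not exist or is not a file" % bundle)
    return bundle


def write_sample_bundle():
    """Write a constructed placeholder PEM file (not a real certificate) and
    return its path, so the example runs offline."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    return path


if __name__ == "__main__":
    bundle_path = write_sample_bundle()
    # Env var present: validation stays on, against the corporate bundle.
    print(resolve_boto3_verify(environ={"AWS_CA_BUNDLE": bundle_path}))
    # No option, no env var: botocore's bundled CA store (verify=True).
    print(resolve_boto3_verify(environ={}))
    # validate_certs=False: what the existing module parameter does today.
    print(resolve_boto3_verify(validate_certs=False, environ={}))
    os.remove(bundle_path)
```

The returned value is what boto3_conn would forward as verify; a path keeps certificate validation on (against the named CAs only), whereas False switches it off.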
SUMMARY
https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html#configuration
Boto3 supports setting "verify" to a string as well (to point to a PEM CA bundle)
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/core/session.html#module-boto3.session
ISSUE TYPE
COMPONENT NAME
lib/ansible/module_utils/ec2.py
ANSIBLE VERSION
ansible 2.9.2
CONFIGURATION
DEFAULT_FORKS(/etc/ansible/ansible.cfg) = 25
DEFAULT_HOST_LIST(/etc/ansible/ansible.cfg) = ['/etc/ansible/inventory']
DEFAULT_LOG_PATH(/etc/ansible/ansible.cfg) = /var/log/ansible/ansible.log
TRANSFORM_INVALID_GROUP_CHARS(/etc/ansible/ansible.cfg) = ignore
OS / ENVIRONMENT
Ubuntu 16.04
STEPS TO REPRODUCE
EXPECTED RESULTS
Ansible honors the AWS_CA_BUNDLE when setting up boto3 connections to connect to AWS
ACTUAL RESULTS
"msg": "Error in describe_security_groups: SSL validation failed for https://ec2.us-gov-west-1.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)"
Migrated from ansible/ansible#68997