More work on ELBv2 module_utils #940
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ansibullbot
added
bug
This comment was marked as outdated.
This comment was marked as outdated.
|
recheck |
This comment was marked as outdated.
This comment was marked as outdated.
alinabuzachis
approved these changes
Jul 22, 2022
softwarefactory-project-zuul bot
pushed a commit
to ansible-collections/community.aws
that referenced
this pull request
Jul 22, 2022
Re-enable integration tests for elb_network_lb Depends-On: ansible-collections/amazon.aws#940 SUMMARY Re-enables integration tests for elb_network_lb Moves from hard-coded SSL certs to generating them on the fly Fixes bug where ip_address_type in return value wasn't updated ISSUE TYPE Bugfix Pull Request COMPONENT NAME tests/integration/targets/elb_network_lb ADDITIONAL INFORMATION Reviewed-by: Joseph Torcasso <None> Reviewed-by: Mark Chappell <None> Reviewed-by: Alina Buzachis <None>
1 task
1 task
softwarefactory-project-zuul bot
pushed a commit
that referenced
this pull request
Feb 23, 2023
elbv2: respect UseExistingClientSecret SUMMARY Since amazon.aws 5.0.0, elb_application_lb runs into an exception, when using Type: authenticate-oidc in a rule, even when UseExistingClientSecret: True parameter is given. That works as expected with amazon.aws 4.x.x. The logic gets broken in #940 Basically AWS won't return both, UseExistingClientSecret and ClientSecret. But when requesting against boto3, both parameters are mutually exclusive! When the user set UseExistingClientSecret: True, the ClientSecret must be removed for the request. When the user does not set UseExistingClientSecret or set it to False, the UseExistingClientSecret must be included in the request. While diving deeper, I've noticed a basic change detection problem for default values, that are not requested, but AWS will return them. I've summerized it in #1284 However, this PR does not target #1284, it just fixes the exception and restores the functionality and hotfix the change-detection only for Type: authenticate-oidc. origin PR description The error was: botocore.errorfactory.InvalidLoadBalancerActionException: An error occurred (InvalidLoadBalancerAction) when calling the ModifyRule operation: You must either specify a client secret or set UseExistingClientSecret to true UseExistingClientSecret is not respected anymore since a.a 5 Introduced in #940 Furthermore, AWS returns also Scope and SessionTimeout parameters that are filled with default values if not requested. 'Scope': 'openid', 'SessionTimeout': 604800, That make the module always returns a change, if they are not requested. This fix does not break backwards compatibility, because the values are already set by aws, when not requested yet. ISSUE TYPE Bugfix Pull Request COMPONENT NAME plugins/module_utils/elbv2.yml ADDITIONAL INFORMATION - Conditions: - Field: host-header Values: - some.tld - Field: path-pattern Values: - "/admin/*" Actions: - Type: authenticate-oidc Order: 1 AuthenticateOidcConfig: Issuer: https://login.microsoftonline.com/32rw-ewad53te-ef/v2.0 AuthorizationEndpoint: https://login.microsoftonline.com/324re-dafs6-6tw/oauth2/v2.0/authorize TokenEndpoint: https://login.microsoftonline.com/432535ez-rfes-32543ter/oauth2/v2.0/token UserInfoEndpoint: https://graph.microsoft.com/oidc/userinfo ClientId: fasgd-235463-fsgd-243 ClientSecret: "{{ lookup('onepassword', 'some cool secret', vault='some important vault') }}" SessionCookieName: AWSELBAuthSessionCookie OnUnauthenticatedRequest: authenticate UseExistingClientSecret: True - TargetGroupName: "{{ some_tg }}" Type: forward Order: 2 Reviewed-by: Alina Buzachis Reviewed-by: Mark Chappell
patchback bot
pushed a commit
that referenced
this pull request
Feb 23, 2023
elbv2: respect UseExistingClientSecret SUMMARY Since amazon.aws 5.0.0, elb_application_lb runs into an exception, when using Type: authenticate-oidc in a rule, even when UseExistingClientSecret: True parameter is given. That works as expected with amazon.aws 4.x.x. The logic gets broken in #940 Basically AWS won't return both, UseExistingClientSecret and ClientSecret. But when requesting against boto3, both parameters are mutually exclusive! When the user set UseExistingClientSecret: True, the ClientSecret must be removed for the request. When the user does not set UseExistingClientSecret or set it to False, the UseExistingClientSecret must be included in the request. While diving deeper, I've noticed a basic change detection problem for default values, that are not requested, but AWS will return them. I've summerized it in #1284 However, this PR does not target #1284, it just fixes the exception and restores the functionality and hotfix the change-detection only for Type: authenticate-oidc. origin PR description The error was: botocore.errorfactory.InvalidLoadBalancerActionException: An error occurred (InvalidLoadBalancerAction) when calling the ModifyRule operation: You must either specify a client secret or set UseExistingClientSecret to true UseExistingClientSecret is not respected anymore since a.a 5 Introduced in #940 Furthermore, AWS returns also Scope and SessionTimeout parameters that are filled with default values if not requested. 'Scope': 'openid', 'SessionTimeout': 604800, That make the module always returns a change, if they are not requested. This fix does not break backwards compatibility, because the values are already set by aws, when not requested yet. ISSUE TYPE Bugfix Pull Request COMPONENT NAME plugins/module_utils/elbv2.yml ADDITIONAL INFORMATION - Conditions: - Field: host-header Values: - some.tld - Field: path-pattern Values: - "/admin/*" Actions: - Type: authenticate-oidc Order: 1 AuthenticateOidcConfig: Issuer: https://login.microsoftonline.com/32rw-ewad53te-ef/v2.0 AuthorizationEndpoint: https://login.microsoftonline.com/324re-dafs6-6tw/oauth2/v2.0/authorize TokenEndpoint: https://login.microsoftonline.com/432535ez-rfes-32543ter/oauth2/v2.0/token UserInfoEndpoint: https://graph.microsoft.com/oidc/userinfo ClientId: fasgd-235463-fsgd-243 ClientSecret: "{{ lookup('onepassword', 'some cool secret', vault='some important vault') }}" SessionCookieName: AWSELBAuthSessionCookie OnUnauthenticatedRequest: authenticate UseExistingClientSecret: True - TargetGroupName: "{{ some_tg }}" Type: forward Order: 2 Reviewed-by: Alina Buzachis Reviewed-by: Mark Chappell (cherry picked from commit c6906a3)
softwarefactory-project-zuul bot
pushed a commit
that referenced
this pull request
Feb 23, 2023
[PR #1270/c6906a3f backport][stable-5] elbv2: respect UseExistingClientSecret This is a backport of PR #1270 as merged into main (c6906a3). SUMMARY Since amazon.aws 5.0.0, elb_application_lb runs into an exception, when using Type: authenticate-oidc in a rule, even when UseExistingClientSecret: True parameter is given. That works as expected with amazon.aws 4.x.x. The logic gets broken in #940 Basically AWS won't return both, UseExistingClientSecret and ClientSecret. But when requesting against boto3, both parameters are mutually exclusive! When the user set UseExistingClientSecret: True, the ClientSecret must be removed for the request. When the user does not set UseExistingClientSecret or set it to False, the UseExistingClientSecret must be included in the request. While diving deeper, I've noticed a basic change detection problem for default values, that are not requested, but AWS will return them. I've summerized it in #1284 However, this PR does not target #1284, it just fixes the exception and restores the functionality and hotfix the change-detection only for Type: authenticate-oidc. origin PR description The error was: botocore.errorfactory.InvalidLoadBalancerActionException: An error occurred (InvalidLoadBalancerAction) when calling the ModifyRule operation: You must either specify a client secret or set UseExistingClientSecret to true UseExistingClientSecret is not respected anymore since a.a 5 Introduced in #940 Furthermore, AWS returns also Scope and SessionTimeout parameters that are filled with default values if not requested. 'Scope': 'openid', 'SessionTimeout': 604800, That make the module always returns a change, if they are not requested. This fix does not break backwards compatibility, because the values are already set by aws, when not requested yet. ISSUE TYPE Bugfix Pull Request COMPONENT NAME plugins/module_utils/elbv2.yml ADDITIONAL INFORMATION - Conditions: - Field: host-header Values: - some.tld - Field: path-pattern Values: - "/admin/*" Actions: - Type: authenticate-oidc Order: 1 AuthenticateOidcConfig: Issuer: https://login.microsoftonline.com/32rw-ewad53te-ef/v2.0 AuthorizationEndpoint: https://login.microsoftonline.com/324re-dafs6-6tw/oauth2/v2.0/authorize TokenEndpoint: https://login.microsoftonline.com/432535ez-rfes-32543ter/oauth2/v2.0/token UserInfoEndpoint: https://graph.microsoft.com/oidc/userinfo ClientId: fasgd-235463-fsgd-243 ClientSecret: "{{ lookup('onepassword', 'some cool secret', vault='some important vault') }}" SessionCookieName: AWSELBAuthSessionCookie OnUnauthenticatedRequest: authenticate UseExistingClientSecret: True - TargetGroupName: "{{ some_tg }}" Type: forward Order: 2 Reviewed-by: Mark Chappell
abikouo
pushed a commit
to abikouo/amazon.aws
that referenced
this pull request
Sep 18, 2023
…tions#940) Refactor s3_bucket_notifications to support SNS / SQS SUMMARY Refactor s3_bucket_notifications to extend module to support the extra targets of SNS and SQS along with the currently supported Lambda functions. Summary of changes: Refactor module to support SNS/SQS targets along with current Lambda function support. Fix check mode coverage Update integration tests to more comprehensive cover functionality. Update documentation in sns_topic and sqs_queue modules to add policy setting example. Fixes: ansible-collections#140 ISSUE TYPE Feature Pull Request COMPONENT NAME s3_bucket_notifications ADDITIONAL INFORMATION https://boto3.amazonaws.com/v1/documentation/api/1.16.0/reference/services/s3.html#S3.Client.put_bucket_notification_configuration Reviewed-by: Alina Buzachis <None> Reviewed-by: Mark Woolley <[email protected]> Reviewed-by: Markus Bergholz <[email protected]>
abikouo
pushed a commit
to abikouo/amazon.aws
that referenced
this pull request
Sep 18, 2023
) Re-enable integration tests for elb_network_lb Depends-On: ansible-collections#940 SUMMARY Re-enables integration tests for elb_network_lb Moves from hard-coded SSL certs to generating them on the fly Fixes bug where ip_address_type in return value wasn't updated ISSUE TYPE Bugfix Pull Request COMPONENT NAME tests/integration/targets/elb_network_lb ADDITIONAL INFORMATION Reviewed-by: Joseph Torcasso <None> Reviewed-by: Mark Chappell <None> Reviewed-by: Alina Buzachis <None>
abikouo
pushed a commit
to abikouo/amazon.aws
that referenced
this pull request
Sep 18, 2023
…tions#940) Refactor s3_bucket_notifications to support SNS / SQS SUMMARY Refactor s3_bucket_notifications to extend module to support the extra targets of SNS and SQS along with the currently supported Lambda functions. Summary of changes: Refactor module to support SNS/SQS targets along with current Lambda function support. Fix check mode coverage Update integration tests to more comprehensive cover functionality. Update documentation in sns_topic and sqs_queue modules to add policy setting example. Fixes: ansible-collections#140 ISSUE TYPE Feature Pull Request COMPONENT NAME s3_bucket_notifications ADDITIONAL INFORMATION https://boto3.amazonaws.com/v1/documentation/api/1.16.0/reference/services/s3.html#S3.Client.put_bucket_notification_configuration Reviewed-by: Alina Buzachis <None> Reviewed-by: Mark Woolley <[email protected]> Reviewed-by: Markus Bergholz <[email protected]>
abikouo
pushed a commit
to abikouo/amazon.aws
that referenced
this pull request
Sep 18, 2023
) Re-enable integration tests for elb_network_lb Depends-On: ansible-collections#940 SUMMARY Re-enables integration tests for elb_network_lb Moves from hard-coded SSL certs to generating them on the fly Fixes bug where ip_address_type in return value wasn't updated ISSUE TYPE Bugfix Pull Request COMPONENT NAME tests/integration/targets/elb_network_lb ADDITIONAL INFORMATION Reviewed-by: Joseph Torcasso <None> Reviewed-by: Mark Chappell <None> Reviewed-by: Alina Buzachis <None>
abikouo
pushed a commit
to abikouo/amazon.aws
that referenced
this pull request
Oct 24, 2023
…tions#940) Refactor s3_bucket_notifications to support SNS / SQS SUMMARY Refactor s3_bucket_notifications to extend module to support the extra targets of SNS and SQS along with the currently supported Lambda functions. Summary of changes: Refactor module to support SNS/SQS targets along with current Lambda function support. Fix check mode coverage Update integration tests to more comprehensive cover functionality. Update documentation in sns_topic and sqs_queue modules to add policy setting example. Fixes: ansible-collections#140 ISSUE TYPE Feature Pull Request COMPONENT NAME s3_bucket_notifications ADDITIONAL INFORMATION https://boto3.amazonaws.com/v1/documentation/api/1.16.0/reference/services/s3.html#S3.Client.put_bucket_notification_configuration Reviewed-by: Alina Buzachis <None> Reviewed-by: Mark Woolley <[email protected]> Reviewed-by: Markus Bergholz <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
SUMMARY
ISSUE TYPE
COMPONENT NAME
plugins/module_utils/elbv2.py
ADDITIONAL INFORMATION
Fixes: ansible-collections/community.aws#604
See also: ansible-collections/community.aws#1365