ansible/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00
Code Releases Activity

Fix ec2_instance eventual consistency when wait: false (#51885)

Browse source 
* Do not return 'instances' when wait is false

* Added integration tests for wait: false

* Added changelog fragment

* Fix test suite to work with ec2_instance

* Additional permissions
* Enforce boto3 version
* Fix broken tests
* Improve error messages

* fix linter issues
This commit is contained in:
Andrea Tartaglia 2019-03-06 12:46:37 +00:00 committed by Will Thames
parent d0db99e023
commit 5c6b16edc3
10 changed files with 145 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
changelogs/fragments/51885-ec2_instance-fix-eventual-consistency.yaml Normal file
View file

@ -0,0 +1,2 @@
bugfixes:
- "ec2_instance - Does not return ``instances`` when ``wait: false`` is specified"

4
hacking/aws_config/testing_policies/compute-policy.json
View file

@ -42,6 +42,7 @@
"ec2:AssociateVpcCidrBlock", "ec2:AssociateVpcCidrBlock",
"ec2:AssociateSubnetCidrBlock", "ec2:AssociateSubnetCidrBlock",
"ec2:AttachInternetGateway", "ec2:AttachInternetGateway",
"ec2:AttachNetworkInterface",
"ec2:AttachVpnGateway", "ec2:AttachVpnGateway",
"ec2:CreateCustomerGateway", "ec2:CreateCustomerGateway",
"ec2:CreateDhcpOptions", "ec2:CreateDhcpOptions",
@ -80,6 +81,7 @@
"ec2:DisassociateSubnetCidrBlock", "ec2:DisassociateSubnetCidrBlock",
"ec2:ImportKeyPair", "ec2:ImportKeyPair",
"ec2:ModifyImageAttribute", "ec2:ModifyImageAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:ModifySubnetAttribute", "ec2:ModifySubnetAttribute",
"ec2:ModifyVpcAttribute", "ec2:ModifyVpcAttribute",
"ec2:RegisterImage", "ec2:RegisterImage",
@ -102,6 +104,8 @@
"ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress",
"ec2:RunInstances", "ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances", "ec2:TerminateInstances",
"ec2:UpdateSecurityGroupRuleDescriptionsIngress", "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
"ec2:UpdateSecurityGroupRuleDescriptionsEgress" "ec2:UpdateSecurityGroupRuleDescriptionsEgress"

2
hacking/aws_config/testing_policies/container-policy.json
View file

@ -45,8 +45,6 @@
"ecs:StopTask", "ecs:StopTask",
"ecs:UpdateService", "ecs:UpdateService",
"elasticloadbalancing:Describe*", "elasticloadbalancing:Describe*",
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:GetPolicy", "iam:GetPolicy",
"iam:GetPolicyVersion", "iam:GetPolicyVersion",
"iam:GetRole", "iam:GetRole",

37
hacking/aws_config/testing_policies/security-policy.json
View file

@ -26,6 +26,43 @@
"Effect": "Allow", "Effect": "Allow",
"Sid": "AllowReadOnlyIAMUse" "Sid": "AllowReadOnlyIAMUse"
}, },
{
"Action": [
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DetachRolePolicy",
"iam:PassRole"
],
"Resource": "arn:aws:iam::{{ aws_account }}:role/ansible-test-*",
"Effect": "Allow",
"Sid": "AllowUpdateOfSpecificRoles"
},
{
"Action": [
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile"
],
"Resource": "arn:aws:iam::{{ aws_account }}:instance-profile/ansible-test-*",
"Effect": "Allow",
"Sid": "AllowUpdateOfSpecificInstanceProfiles"
},
{
"Action": [
"ec2:ReplaceIamInstanceProfileAssociation"
],
"Resource": "*",
"Condition": {
"ArnEquals": {
"ec2:InstanceProfile": "arn:aws:iam::{{ aws_account }}:instance-profile/ansible-test-*"
}
},
"Effect": "Allow",
"Sid": "AllowReplacementOfSpecificInstanceProfiles"
},
{ {
"Sid": "AllowWAFusage", "Sid": "AllowWAFusage",
"Action": "waf:*", "Action": "waf:*",

41
lib/ansible/modules/cloud/amazon/ec2_instance.py
View file

@ -301,7 +301,7 @@ EXAMPLES = '''
RETURN = ''' RETURN = '''
instances: instances:
description: a list of ec2 instances description: a list of ec2 instances
returned: always returned: when wait == true
type: complex type: complex
contains: contains:
ami_launch_index: ami_launch_index:
@ -1335,11 +1335,11 @@ def ensure_instance_state(state, ec2=None):
if ec2 is None: if ec2 is None:
module.client('ec2') module.client('ec2')
if state in ('running', 'started'): if state in ('running', 'started'):
changed, failed, instances = change_instance_state(filters=module.params.get('filters'), desired_state='RUNNING') changed, failed, instances, failure_reason = change_instance_state(filters=module.params.get('filters'), desired_state='RUNNING')
if failed: if failed:
module.fail_json( module.fail_json(
msg="Unable to start instances", msg="Unable to start instances: {0}".format(failure_reason),
reboot_success=list(changed), reboot_success=list(changed),
reboot_failed=failed) reboot_failed=failed)
@ -1351,16 +1351,16 @@ def ensure_instance_state(state, ec2=None):
instances=[pretty_instance(i) for i in instances], instances=[pretty_instance(i) for i in instances],
) )
elif state in ('restarted', 'rebooted'): elif state in ('restarted', 'rebooted'):
changed, failed, instances = change_instance_state( changed, failed, instances, failure_reason = change_instance_state(
filters=module.params.get('filters'), filters=module.params.get('filters'),
desired_state='STOPPED') desired_state='STOPPED')
changed, failed, instances = change_instance_state( changed, failed, instances, failure_reason = change_instance_state(
filters=module.params.get('filters'), filters=module.params.get('filters'),
desired_state='RUNNING') desired_state='RUNNING')
if failed: if failed:
module.fail_json( module.fail_json(
msg="Unable to restart instances", msg="Unable to restart instances: {0}".format(failure_reason),
reboot_success=list(changed), reboot_success=list(changed),
reboot_failed=failed) reboot_failed=failed)
@ -1372,13 +1372,13 @@ def ensure_instance_state(state, ec2=None):
instances=[pretty_instance(i) for i in instances], instances=[pretty_instance(i) for i in instances],
) )
elif state in ('stopped',): elif state in ('stopped',):
changed, failed, instances = change_instance_state( changed, failed, instances, failure_reason = change_instance_state(
filters=module.params.get('filters'), filters=module.params.get('filters'),
desired_state='STOPPED') desired_state='STOPPED')
if failed: if failed:
module.fail_json( module.fail_json(
msg="Unable to stop instances", msg="Unable to stop instances: {0}".format(failure_reason),
stop_success=list(changed), stop_success=list(changed),
stop_failed=failed) stop_failed=failed)
@ -1390,13 +1390,13 @@ def ensure_instance_state(state, ec2=None):
instances=[pretty_instance(i) for i in instances], instances=[pretty_instance(i) for i in instances],
) )
elif state in ('absent', 'terminated'): elif state in ('absent', 'terminated'):
terminated, terminate_failed, instances = change_instance_state( terminated, terminate_failed, instances, failure_reason = change_instance_state(
filters=module.params.get('filters'), filters=module.params.get('filters'),
desired_state='TERMINATED') desired_state='TERMINATED')
if terminate_failed: if terminate_failed:
module.fail_json( module.fail_json(
msg="Unable to terminate instances", msg="Unable to terminate instances: {0}".format(failure_reason),
terminate_success=list(terminated), terminate_success=list(terminated),
terminate_failed=terminate_failed) terminate_failed=terminate_failed)
module.exit_json( module.exit_json(
@ -1418,6 +1418,7 @@ def change_instance_state(filters, desired_state, ec2=None):
instances = find_instances(ec2, filters=filters) instances = find_instances(ec2, filters=filters)
to_change = set(i['InstanceId'] for i in instances if i['State']['Name'].upper() != desired_state) to_change = set(i['InstanceId'] for i in instances if i['State']['Name'].upper() != desired_state)
unchanged = set() unchanged = set()
failure_reason = ""
for inst in instances: for inst in instances:
try: try:
@ -1448,16 +1449,18 @@ def change_instance_state(filters, desired_state, ec2=None):
resp = ec2.start_instances(InstanceIds=[inst['InstanceId']]) resp = ec2.start_instances(InstanceIds=[inst['InstanceId']])
[changed.add(i['InstanceId']) for i in resp['StartingInstances']] [changed.add(i['InstanceId']) for i in resp['StartingInstances']]
except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError): except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:
# we don't care about exceptions here, as we'll fail out if any instances failed to terminate try:
pass failure_reason = to_native(e.message)
except AttributeError:
failure_reason = to_native(e)
if changed: if changed:
await_instances(ids=list(changed) + list(unchanged), state=desired_state) await_instances(ids=list(changed) + list(unchanged), state=desired_state)
change_failed = list(to_change - changed) change_failed = list(to_change - changed)
instances = find_instances(ec2, ids=list(i['InstanceId'] for i in instances)) instances = find_instances(ec2, ids=list(i['InstanceId'] for i in instances))
return changed, change_failed, instances return changed, change_failed, instances, failure_reason
def pretty_instance(i): def pretty_instance(i):
@ -1481,7 +1484,9 @@ def determine_iam_role(name_or_arn):
def handle_existing(existing_matches, changed, ec2, state): def handle_existing(existing_matches, changed, ec2, state):
if state in ('running', 'started') and [i for i in existing_matches if i['State']['Name'] != 'running']: if state in ('running', 'started') and [i for i in existing_matches if i['State']['Name'] != 'running']:
ins_changed, failed, instances = change_instance_state(filters=module.params.get('filters'), desired_state='RUNNING') ins_changed, failed, instances, failure_reason = change_instance_state(filters=module.params.get('filters'), desired_state='RUNNING')
if failed:
module.fail_json(msg="Couldn't start instances: {0}. Failure reason: {1}".format(instances, failure_reason))
module.exit_json( module.exit_json(
changed=bool(len(ins_changed)) or changed, changed=bool(len(ins_changed)) or changed,
instances=[pretty_instance(i) for i in instances], instances=[pretty_instance(i) for i in instances],
@ -1532,6 +1537,12 @@ def ensure_present(existing_matches, changed, ec2, state):
except botocore.exceptions.ClientError as e: except botocore.exceptions.ClientError as e:
module.fail_json_aws(e, msg="Could not apply change {0} to new instance.".format(str(c))) module.fail_json_aws(e, msg="Could not apply change {0} to new instance.".format(str(c)))
if not module.params.get('wait'):
module.exit_json(
changed=True,
instance_ids=instance_ids,
spec=instance_spec,
)
await_instances(instance_ids) await_instances(instance_ids)
instances = ec2.get_paginator('describe_instances').paginate( instances = ec2.get_paginator('describe_instances').paginate(
InstanceIds=instance_ids InstanceIds=instance_ids

4
test/integration/targets/ec2_instance/playbooks/roles/ec2_instance/tasks/checkmode_tests.yml
View file

@ -20,7 +20,7 @@
ebs: ebs:
delete_on_termination: true delete_on_termination: true
<<: *aws_connection_info <<: *aws_connection_info
register: instance_creation register: basic_instance
- name: Make basic instance(check mode) - name: Make basic instance(check mode)
ec2_instance: ec2_instance:
@ -28,7 +28,7 @@
image_id: "{{ ec2_ami_image[aws_region] }}" image_id: "{{ ec2_ami_image[aws_region] }}"
security_groups: "{{ sg.group_id }}" security_groups: "{{ sg.group_id }}"
instance_type: t2.micro instance_type: t2.micro
vpc_subnet_id: "{{ testing_subnet_c.subnet.id }}" vpc_subnet_id: "{{ testing_subnet_b.subnet.id }}"
volumes: volumes:
- device_name: /dev/sda1 - device_name: /dev/sda1
ebs: ebs:

64
test/integration/targets/ec2_instance/playbooks/roles/ec2_instance/tasks/instance_no_wait.yml Normal file
View file

@ -0,0 +1,64 @@
- name: set connection information for all tasks
set_fact:
aws_connection_info: &aws_connection_info
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
security_token: "{{ security_token }}"
region: "{{ aws_region }}"
no_log: true
- name: New instance and don't wait for it to complete
ec2_instance:
name: "{{ resource_prefix }}-test-no-wait"
image_id: "{{ ec2_ami_image[aws_region] }}"
vpc_subnet_id: "{{ testing_subnet_b.subnet.id }}"
tags:
TestId: "{{ resource_prefix }}"
wait: false
instance_type: t2.micro
<<: *aws_connection_info
register: in_test_vpc
- assert:
that:
- in_test_vpc is not failed
- in_test_vpc is changed
- in_test_vpc.instances is not defined
- in_test_vpc.instance_ids is defined
- in_test_vpc.instance_ids | length > 0
- name: New instance and don't wait for it to complete ( check mode )
ec2_instance:
name: "{{ resource_prefix }}-test-no-wait-checkmode"
image_id: "{{ ec2_ami_image[aws_region] }}"
vpc_subnet_id: "{{ testing_subnet_b.subnet.id }}"
tags:
TestId: "{{ resource_prefix }}"
wait: false
instance_type: t2.micro
<<: *aws_connection_info
check_mode: yes
- name: Facts for ec2 test instance
ec2_instance_facts:
filters:
"tag:Name": "{{ resource_prefix }}-test-no-wait"
"instance-state-name": "running"
<<: *aws_connection_info
register: real_instance_fact
until: real_instance_fact.instances | length > 0
retries: 10
- name: Facts for checkmode ec2 test instance
ec2_instance_facts:
filters:
"tag:Name": "{{ resource_prefix }}-test-no-wait-checkmode"
"instance-state-name": "running"
<<: *aws_connection_info
register: checkmode_instance_fact
- name: "Confirm whether the check mode is working normally."
assert:
that:
- "{{ real_instance_fact.instances | length }} > 0"
- "{{ checkmode_instance_fact.instances | length }} == 0"

2
test/integration/targets/ec2_instance/playbooks/roles/ec2_instance/tasks/main.yml
View file

@ -98,7 +98,7 @@
- include_tasks: iam_instance_role.yml - include_tasks: iam_instance_role.yml
- include_tasks: checkmode_tests.yml - include_tasks: checkmode_tests.yml
- include_tasks: ebs_optimized.yml - include_tasks: ebs_optimized.yml
- include_tasks: instance_no_wait.yml
# ============================================================ # ============================================================

8
test/integration/targets/ec2_instance/playbooks/version_fail.yml
View file

@ -36,3 +36,11 @@
that: that:
- ec2_instance_cpu_options_creation.failed - ec2_instance_cpu_options_creation.failed
- 'ec2_instance_cpu_options_creation.msg == "cpu_options is only supported with botocore >= 1.10.16"' - 'ec2_instance_cpu_options_creation.msg == "cpu_options is only supported with botocore >= 1.10.16"'
always:
- name: cleanup c4.large in case graceful failure was in fact a graceful success
ec2_instance:
state: absent
name: "ansible-test-{{ resource_prefix | regex_search('([0-9]+)$') }}-ec2"
<<: *aws_connection_info
ignore_errors: yes

2
test/integration/targets/ec2_instance/runme.sh
View file

@ -16,7 +16,7 @@ PYTHON=${ANSIBLE_TEST_PYTHON_INTERPRETER:-python}
export ANSIBLE_ROLES_PATH=../ export ANSIBLE_ROLES_PATH=../
virtualenv --system-site-packages --python "${PYTHON}" "${MYTMPDIR}/botocore-less-than-1.10.16" virtualenv --system-site-packages --python "${PYTHON}" "${MYTMPDIR}/botocore-less-than-1.10.16"
source "${MYTMPDIR}/botocore-less-than-1.10.16/bin/activate" source "${MYTMPDIR}/botocore-less-than-1.10.16/bin/activate"
"${PYTHON}" -m pip install 'botocore<1.10.16' boto3 "${PYTHON}" -m pip install 'botocore<1.10.16' 'boto3<1.7.16'
ansible-playbook -i ../../inventory -e @../../integration_config.yml -e @../../cloud-config-aws.yml -v playbooks/version_fail.yml "$@" ansible-playbook -i ../../inventory -e @../../integration_config.yml -e @../../cloud-config-aws.yml -v playbooks/version_fail.yml "$@"
# Run full test suite # Run full test suite