elbv2: respect UseExistingClientSecret #1270

markuman · 2022-11-16T10:33:47Z

SUMMARY

Since amazon.aws 5.0.0, elb_application_lb runs into an exception, when using Type: authenticate-oidc in a rule, even when UseExistingClientSecret: True parameter is given. That works as expected with amazon.aws 4.x.x.

The logic gets broken in #940

Basically AWS won't return both, UseExistingClientSecret and ClientSecret.
But when requesting against boto3, both parameters are mutually exclusive!

When the user set UseExistingClientSecret: True, the ClientSecret must be removed for the request.
When the user does not set UseExistingClientSecret or set it to False, the UseExistingClientSecret must be included in the request.

While diving deeper, I've noticed a basic change detection problem for default values, that are not requested, but AWS will return them. I've summerized it in #1284
However, this PR does not target #1284, it just fixes the exception and restores the functionality and hotfix the change-detection only for Type: authenticate-oidc.

origin PR description

The error was: botocore.errorfactory.InvalidLoadBalancerActionException: An error occurred (InvalidLoadBalancerAction) when calling the ModifyRule operation: You must either specify a client secret or set UseExistingClientSecret to true

UseExistingClientSecret is not respected anymore since a.a 5

Introduced in #940

Furthermore, AWS returns also Scope and SessionTimeout parameters that are filled with default values if not requested.

'Scope': 'openid',
'SessionTimeout': 604800,

That make the module always returns a change, if they are not requested.
This fix does not break backwards compatibility, because the values are already set by aws, when not requested yet.

ISSUE TYPE

Bugfix Pull Request

COMPONENT NAME

plugins/module_utils/elbv2.yml

ADDITIONAL INFORMATION

          - Conditions:
              - Field: host-header
                Values:
                  - some.tld
              - Field: path-pattern
                Values:
                  - "/admin/*"
            Actions:
              - Type: authenticate-oidc
                Order: 1
                AuthenticateOidcConfig:
                  Issuer: https://login.microsoftonline.com/32rw-ewad53te-ef/v2.0
                  AuthorizationEndpoint: https://login.microsoftonline.com/324re-dafs6-6tw/oauth2/v2.0/authorize
                  TokenEndpoint: https://login.microsoftonline.com/432535ez-rfes-32543ter/oauth2/v2.0/token
                  UserInfoEndpoint: https://graph.microsoft.com/oidc/userinfo
                  ClientId: fasgd-235463-fsgd-243
                  ClientSecret: "{{ lookup('onepassword', 'some cool secret', vault='some important vault') }}"
                  SessionCookieName: AWSELBAuthSessionCookie
                  OnUnauthenticatedRequest: authenticate
                  UseExistingClientSecret: True
              - TargetGroupName: "{{ some_tg }}"
                Type: forward
                Order: 2

markuman · 2022-11-16T12:18:34Z

Ah okey, the logic is nailed into an unittest...that needs some more work.

github-actions · 2022-11-17T09:32:07Z

Docs Build 📝

Thank you for contribution!✨

This PR has been merged and your docs changes will be incorporated when they are next published.

softwarefactory-project-zuul · 2022-11-17T09:54:09Z

Build failed.

ansibullbot · 2022-11-17T10:47:45Z

cc @jillr @s-hertel @tremble
click here for bot help

softwarefactory-project-zuul · 2022-11-17T11:27:06Z

Build failed.

markuman · 2022-11-17T11:40:37Z

related to the changed detection. this is a minefield when you search for "The default is" on https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/elbv2.html
there are dozens of possibilities where a rule condition returns default parameters + values, that are not requestes by the user/module.

Just pop() the values that AWS returns but are not requested may be breaks backwards compatibility. because until the day of now, boto3 is setting those default values if not explicit requested. In other words, when an elb_application_lb is deployed via something else (clicked, terraform, cloudformation, cdk ...), with different values as the default, our elb_application_lb module is currently resetting those value to the defaults when they are not requested. That's the behavior since elb_application_lb exists.

Technically the current rules behavior must be deprecated and reworked later. parameters that are not requested, must keep the values from what AWS is returning. Or a purge_rules_parameter_values parameter must be introduced to take control of what will happen. That will be a larger work item - imo.

However, this is an important PR, because the elb_application_lb module fails since amazon.aws 5.0.0, while it was working in 4.3.0 when using a rule action of type authenticate-oidc!

cc @tremble @goneri @alinabuzachis @jillr

markuman · 2022-11-17T11:42:26Z

there are dozens of possibilities where a rule condition returns default parameters + values, that are not requestes by the user/module.

this relates to ansible-collections/community.aws#604

softwarefactory-project-zuul · 2022-11-17T12:12:34Z

Build succeeded.

alinabuzachis · 2022-11-22T13:02:13Z

related to the changed detection. this is a minefield when you search for "The default is" on https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/elbv2.html there are dozens of possibilities where a rule condition returns default parameters + values, that are not requestes by the user/module.

Just pop() the values that AWS returns but are not requested may be breaks backwards compatibility. because until the day of now, boto3 is setting those default values if not explicit requested. In other words, when an elb_application_lb is deployed via something else (clicked, terraform, cloudformation, cdk ...), with different values as the default, our elb_application_lb module is currently resetting those value to the defaults when they are not requested. That's the behavior since elb_application_lb exists.

Technically the current rules behavior must be deprecated and reworked later. parameters that are not requested, must keep the values from what AWS is returning. Or a purge_rules_parameter_values parameter must be introduced to take control of what will happen. That will be a larger work item - imo.

However, this is an important PR, because the elb_application_lb module fails since amazon.aws 5.0.0, while it was working in 4.3.0 when using a rule action of type authenticate-oidc!

cc @tremble @goneri @alinabuzachis @jillr

Can you please open an issue for rules behaviour?

markuman · 2022-11-22T18:54:28Z

Can you please open an issue for rules behaviour?

#1284

goneri · 2022-11-29T21:23:15Z

Does this PR close #1284? If so can you add Closes: #1284 in the description.

markuman · 2022-11-30T09:13:19Z

Does this PR close #1284? If so can you add Closes: #1284 in the description.

No. It's something what need to be done in the future.
This PR fixes a botocore exception that was introduced in 5.0.0

markuman · 2022-11-30T09:32:58Z

Does this PR close #1284? If so can you add Closes: #1284 in the description.

@goneri I've updates the PR summary. I hope that makes it more clear.

softwarefactory-project-zuul · 2023-02-23T14:51:21Z

Build succeeded (gate pipeline).
https://ansible.softwarefactory-project.io/zuul/buildset/39c57ef20b434b5eaf7176fb3a2a771b

✔️ ansible-galaxy-importer SUCCESS in 5m 07s
✔️ build-ansible-collection SUCCESS in 12m 48s
✔️ ansible-test-splitter SUCCESS in 4m 35s
✔️ integration-amazon.aws-1 SUCCESS in 9m 53s
✔️ integration-community.aws-1 SUCCESS in 21m 19s
✔️ integration-community.aws-2 SUCCESS in 7m 42s
Skipped 41 jobs

patchback · 2023-02-23T14:51:27Z

Backport to stable-5: 💚 backport PR created

✅ Backport PR branch: patchback/backports/stable-5/c6906a3f97f776b7c6bf83ac51ee6f2456fa7ae5/pr-1270

Backported as #1387

🤖 @patchback
I'm built with octomachinery and
my source is open — https://github.com/sanitizers/patchback-github-app.

elbv2: respect UseExistingClientSecret SUMMARY Since amazon.aws 5.0.0, elb_application_lb runs into an exception, when using Type: authenticate-oidc in a rule, even when UseExistingClientSecret: True parameter is given. That works as expected with amazon.aws 4.x.x. The logic gets broken in #940 Basically AWS won't return both, UseExistingClientSecret and ClientSecret. But when requesting against boto3, both parameters are mutually exclusive! When the user set UseExistingClientSecret: True, the ClientSecret must be removed for the request. When the user does not set UseExistingClientSecret or set it to False, the UseExistingClientSecret must be included in the request. While diving deeper, I've noticed a basic change detection problem for default values, that are not requested, but AWS will return them. I've summerized it in #1284 However, this PR does not target #1284, it just fixes the exception and restores the functionality and hotfix the change-detection only for Type: authenticate-oidc. origin PR description The error was: botocore.errorfactory.InvalidLoadBalancerActionException: An error occurred (InvalidLoadBalancerAction) when calling the ModifyRule operation: You must either specify a client secret or set UseExistingClientSecret to true UseExistingClientSecret is not respected anymore since a.a 5 Introduced in #940 Furthermore, AWS returns also Scope and SessionTimeout parameters that are filled with default values if not requested. 'Scope': 'openid', 'SessionTimeout': 604800, That make the module always returns a change, if they are not requested. This fix does not break backwards compatibility, because the values are already set by aws, when not requested yet. ISSUE TYPE Bugfix Pull Request COMPONENT NAME plugins/module_utils/elbv2.yml ADDITIONAL INFORMATION - Conditions: - Field: host-header Values: - some.tld - Field: path-pattern Values: - "/admin/*" Actions: - Type: authenticate-oidc Order: 1 AuthenticateOidcConfig: Issuer: https://login.microsoftonline.com/32rw-ewad53te-ef/v2.0 AuthorizationEndpoint: https://login.microsoftonline.com/324re-dafs6-6tw/oauth2/v2.0/authorize TokenEndpoint: https://login.microsoftonline.com/432535ez-rfes-32543ter/oauth2/v2.0/token UserInfoEndpoint: https://graph.microsoft.com/oidc/userinfo ClientId: fasgd-235463-fsgd-243 ClientSecret: "{{ lookup('onepassword', 'some cool secret', vault='some important vault') }}" SessionCookieName: AWSELBAuthSessionCookie OnUnauthenticatedRequest: authenticate UseExistingClientSecret: True - TargetGroupName: "{{ some_tg }}" Type: forward Order: 2 Reviewed-by: Alina Buzachis Reviewed-by: Mark Chappell (cherry picked from commit c6906a3)

[PR #1270/c6906a3f backport][stable-5] elbv2: respect UseExistingClientSecret This is a backport of PR #1270 as merged into main (c6906a3). SUMMARY Since amazon.aws 5.0.0, elb_application_lb runs into an exception, when using Type: authenticate-oidc in a rule, even when UseExistingClientSecret: True parameter is given. That works as expected with amazon.aws 4.x.x. The logic gets broken in #940 Basically AWS won't return both, UseExistingClientSecret and ClientSecret. But when requesting against boto3, both parameters are mutually exclusive! When the user set UseExistingClientSecret: True, the ClientSecret must be removed for the request. When the user does not set UseExistingClientSecret or set it to False, the UseExistingClientSecret must be included in the request. While diving deeper, I've noticed a basic change detection problem for default values, that are not requested, but AWS will return them. I've summerized it in #1284 However, this PR does not target #1284, it just fixes the exception and restores the functionality and hotfix the change-detection only for Type: authenticate-oidc. origin PR description The error was: botocore.errorfactory.InvalidLoadBalancerActionException: An error occurred (InvalidLoadBalancerAction) when calling the ModifyRule operation: You must either specify a client secret or set UseExistingClientSecret to true UseExistingClientSecret is not respected anymore since a.a 5 Introduced in #940 Furthermore, AWS returns also Scope and SessionTimeout parameters that are filled with default values if not requested. 'Scope': 'openid', 'SessionTimeout': 604800, That make the module always returns a change, if they are not requested. This fix does not break backwards compatibility, because the values are already set by aws, when not requested yet. ISSUE TYPE Bugfix Pull Request COMPONENT NAME plugins/module_utils/elbv2.yml ADDITIONAL INFORMATION - Conditions: - Field: host-header Values: - some.tld - Field: path-pattern Values: - "/admin/*" Actions: - Type: authenticate-oidc Order: 1 AuthenticateOidcConfig: Issuer: https://login.microsoftonline.com/32rw-ewad53te-ef/v2.0 AuthorizationEndpoint: https://login.microsoftonline.com/324re-dafs6-6tw/oauth2/v2.0/authorize TokenEndpoint: https://login.microsoftonline.com/432535ez-rfes-32543ter/oauth2/v2.0/token UserInfoEndpoint: https://graph.microsoft.com/oidc/userinfo ClientId: fasgd-235463-fsgd-243 ClientSecret: "{{ lookup('onepassword', 'some cool secret', vault='some important vault') }}" SessionCookieName: AWSELBAuthSessionCookie OnUnauthenticatedRequest: authenticate UseExistingClientSecret: True - TargetGroupName: "{{ some_tg }}" Type: forward Order: 2 Reviewed-by: Mark Chappell

Disable galaxy-importer docs tests SUMMARY Because galaxy-importer tests the collections in a sterile environment it can't read the shared amazon.aws fragments. We're separately testing the docs more thoroughly using a github action, so we can disable the broken docs fragment testing via galaxy-importer ISSUE TYPE Feature Pull Request COMPONENT NAME tests/galaxy-importer.cfg ADDITIONAL INFORMATION

fix condition

d7a014b

ansibullbot added WIP Work in progress bug This issue/PR relates to a bug module_utils module_utils needs_triage plugins plugin (any type) small_patch Hopefully easy to review labels Nov 16, 2022

This comment was marked as outdated.

Sign in to view

set default values

3c1c51e

ansibullbot removed the small_patch Hopefully easy to review label Nov 17, 2022

more

5d5b7ee

ansibullbot added module module tests tests labels Nov 17, 2022

fix

2d6069b

add changelog

287ca18

markuman changed the title ~~[WIP] elbv2: respect UseExistingClientSecret~~ elbv2: respect UseExistingClientSecret Nov 17, 2022

typo

7d53687

ansibullbot added community_review and removed WIP Work in progress labels Nov 17, 2022

alinabuzachis approved these changes Nov 22, 2022

View reviewed changes

goneri removed the needs_triage label Nov 29, 2022

goneri self-requested a review November 29, 2022 20:59

alinabuzachis requested a review from tremble January 5, 2023 09:06

alinabuzachis added the backport-5 PR should be backported to the stable-5 branch label Jan 5, 2023

tremble approved these changes Feb 9, 2023

View reviewed changes

tremble added the mergeit Merge the PR (SoftwareFactory) label Feb 9, 2023

tremble added mergeit Merge the PR (SoftwareFactory) and removed mergeit Merge the PR (SoftwareFactory) labels Feb 23, 2023

softwarefactory-project-zuul bot merged commit c6906a3 into ansible-collections:main Feb 23, 2023

patchback bot mentioned this pull request Feb 23, 2023

[PR #1270/c6906a3f backport][stable-5] elbv2: respect UseExistingClientSecret #1387

Merged

markuman mentioned this pull request Nov 23, 2023

elb_application_lb: unable to use authenticate-oidc #1877

Closed

1 task

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

elbv2: respect UseExistingClientSecret #1270

elbv2: respect UseExistingClientSecret #1270

markuman commented Nov 16, 2022 •

edited

Loading

This comment was marked as outdated.

markuman commented Nov 16, 2022

github-actions bot commented Nov 17, 2022 •

edited

Loading

softwarefactory-project-zuul bot commented Nov 17, 2022

ansibullbot commented Nov 17, 2022

softwarefactory-project-zuul bot commented Nov 17, 2022

markuman commented Nov 17, 2022

markuman commented Nov 17, 2022

softwarefactory-project-zuul bot commented Nov 17, 2022

alinabuzachis commented Nov 22, 2022

markuman commented Nov 22, 2022

goneri commented Nov 29, 2022

markuman commented Nov 30, 2022

markuman commented Nov 30, 2022

softwarefactory-project-zuul bot commented Feb 23, 2023

patchback bot commented Feb 23, 2023 •

edited

Loading

elbv2: respect UseExistingClientSecret #1270

elbv2: respect UseExistingClientSecret #1270

Conversation

markuman commented Nov 16, 2022 • edited Loading

SUMMARY

origin PR description

ISSUE TYPE

COMPONENT NAME

ADDITIONAL INFORMATION

This comment was marked as outdated.

markuman commented Nov 16, 2022

github-actions bot commented Nov 17, 2022 • edited Loading

Docs Build 📝

softwarefactory-project-zuul bot commented Nov 17, 2022

ansibullbot commented Nov 17, 2022

softwarefactory-project-zuul bot commented Nov 17, 2022

markuman commented Nov 17, 2022

markuman commented Nov 17, 2022

softwarefactory-project-zuul bot commented Nov 17, 2022

alinabuzachis commented Nov 22, 2022

markuman commented Nov 22, 2022

goneri commented Nov 29, 2022

markuman commented Nov 30, 2022

markuman commented Nov 30, 2022

softwarefactory-project-zuul bot commented Feb 23, 2023

patchback bot commented Feb 23, 2023 • edited Loading

Backport to stable-5: 💚 backport PR created

markuman commented Nov 16, 2022 •

edited

Loading

github-actions bot commented Nov 17, 2022 •

edited

Loading

patchback bot commented Feb 23, 2023 •

edited

Loading