feat: support for StackPolicyDuringUpdateBody

[fvant]

SUMMARY

Cloudformation supports a policy that applies to a particular update only. This implement the functionality provided by the aws cloudformation update-stack command with the --stack-policy-during-update-body option to provide a modified policy..

AWS CloudFormation applies the override policy only during this update. The override policy doesn't permanently change the stack policy.

This is former PR [ansible/ansible] Support stack policy on update (#57300)

ISSUE TYPE

• Feature Pull Request

COMPONENT NAME

lib/ansible/modules/cloud/amazon/cloudformation.py or modules/cloudformation.py

ADDITIONAL INFORMATION

Boto3 documentation of the parameter used:
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/cloudformation.html#CloudFormation.Client.update_stack

[tremble]

Thanks for taking the time to submit this change.

A couple of tiny niggles, but mostly looking good. In addition to the inline comments, please also

1. Add a (minor_changes) changelog fragment: https://docs.ansible.com/ansible/latest/community/development_process.html#changelogs-how-to
2. Please add some tests to the integration test suite to demonstrate that the change works https://github.com/ansible-collections/amazon.aws/blob/main/tests/integration/targets/cloudformation/tasks/main.yml

[ansibullbot]

cc @jillr @jsmartin @s-hertel @tremble @wimnat
click here for bot help

[fvant]

Thanks for taking the time to submit this change.

A couple of tiny niggles, but mostly looking good. In addition to the inline comments, please also

1. Add a (minor_changes) changelog fragment: https://docs.ansible.com/ansible/latest/community/development_process.html#changelogs-how-to

Done

2. Please add some tests to the integration test suite to demonstrate that the change works https://github.com/ansible-collections/amazon.aws/blob/main/tests/integration/targets/cloudformation/tasks/main.yml

For this test i need to create a stack with a policy in the first place, that test is not there atm. The stack policy support now only handles a URL, not a body. Not sure which url to use when pointing to GH ?
Alternatively, this test is postponed and i add a new attribute for stack_policy_body: in addition to the current stack_policy:

[tremble]

For this test i need to create a stack with a policy in the first place, that test is not there atm. The stack policy support now only handles a URL, not a body. Not sure which url to use when pointing to GH ?

Looking at the code (down around line 690) it looks like it's actually StackPolicyBody that's being set. The file that you pass is being read directly by Ansible rather than being passed as a URL to CloudWatch

    if module.params['stack_policy'] is not None and not module.check_mode and not module.params['create_changeset']:
        with open(module.params['stack_policy'], 'r') as stack_policy_fh:
            stack_params['StackPolicyBody'] = stack_policy_fh.read()

I'd suspect that this was to work around a quirk in the way Ansible deals with JSON in YAML files (things can get magically converted in ways that break JSON if you're not careful). I'm not a big fan of doing things this way as it means you need to do things like writing out temporary files.

So, a couple of additional suggestions:

1. Update your new parameter to be of type json (this avoids the problems I hinted at)
2. For testing this PR: You can add a file in files/ (you may need to copy this to a temporary location where you know the absolute path to get this to behave) and then pass the filename to the module. The docs imply stack_policy: files/<filename>, but I'm not 100% this is correct.
3. A new stack_policy_body parameter (either in this PR or another) would be good, then we could look at deprecating template, stack_policy and template (direct use of file_handle.read() doesn't use the search paths that folks might expect from the file lookup).

[alinabuzachis]

Hello @fvant, are you still working on this?

waiting_on_contributor

[fvant]

@tremble the tests i added failed as setting a stack policy is not allowed, removing the tests until further

{"code": "AccessDenied", "message": "User: arn:aws:sts::966509639900:assumed-role/ansible-core-ci-test-prod/prod=shippable=ansible-collections=amazon.aws=1313.24 is not authorized to perform: cloudformation:SetStackPolicy on resource: arn:aws:cloudformation:us-east-1:966509639900:stack/shippable-1313-24/7e1cbd30-63c2-11eb-996f-126643f85ad9"

[jillr]

Hi @fvant, new IAM policies can be added to our CI by opening a PR in this repo: https://github.com/mattclay/aws-terminator

https://docs.ansible.com/ansible/devel/dev_guide/platforms/aws_guidelines.html#aws-permissions-for-integration-tests

[tremble]

Minor tweak to the changelog and re-enable the tests

[tremble]

Tests now pass as written by the author, and I've tweaked the changelog. I think we're ready to merge this.

[tremble]

@fvant : Many thanks for your work on this. I'm sorry it's taken a while to get this merged, but we got there in the end...