iam_role not idempotent #115
I'm unable to tag the author @wimnat
Oh, it seems tags do work. It just doesn't look like it when I'm typing. Anyway, I'm trying to look at the code to figure out what's happening. I think the problem is that I find it hard to read Ansible code. But I'm guessing that the call in get_role is calling If
I can see that you're testing against 2.9.0, there's been some fairly major surgery to the module between the version in Ansible 2.9 and this collection. Are you able to reproduce the issue using the version from this repo?
I haven't tested against the latest version. After the big split, is this collection usable yet? Do I just do Note that whilst I haven't executed the code to test my PR (due to #120) I have read the code in the master branch, and it looks like the bug is still there. Both in terms of functionality, and a missing I'll try executing with the latest release.
The 'not' in the test is correct. I've done a little testing and I think I've narrowed down the actual bug. The following results in
This, however, does not:
Notice the added "Version" in the policy. What's complex is that this would technically be a bug over in amazon.aws (the compare_policy function lives over there).
I believe so, yes.
The Version component of an IAM policy is optional. However, AWS will automatically add a Version entry once a policy is uploaded. This means that comparing a 'live' policy to the policy that created it only gives the correct result if we add a Version entry in when missing. fixes: ansible-collections/community.aws#115
…omparisons (#98)
* Update compare_policies to add a Version string when missing
The Version component of an IAM policy is optional. However, AWS will automatically add a Version entry once a policy is uploaded. This means that comparing a 'live' policy to the policy that created it only gives the correct result if we add a Version entry in when missing. fixes: ansible-collections/community.aws#115
* Cope with missing/None policies
* update comment to match what's tested
Co-authored-by: Jill R <4121322+jillr@users.noreply.github.com>
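To make the comparison described in the commit message above concrete, here is an added, self-contained Python illustration (not the amazon.aws compare_policies code): the naive comparison flags the Version that AWS adds on upload as a change, which is what forces the second run into iam:UpdateAssumeRolePolicy, while normalizing both sides first, and coping with None and JSON-string inputs as the squash commit mentions, makes the result stable. The trust policy document is constructed for the example; "2012-10-17" is the current IAM policy-language version.

```python
import json

# IAM policy-language version that AWS fills in when a policy document
# omits the optional "Version" key (illustration only, not amazon.aws code).
DEFAULT_POLICY_VERSION = "2012-10-17"

# Constructed trust policy as a playbook author would write it: no Version key.
DESIRED_TRUST_POLICY = {
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ]
}
# The same document as IAM hands it back after upload: Version has been added.
LIVE_TRUST_POLICY = {"Version": "2012-10-17", **DESIRED_TRUST_POLICY}
# The desired policy loaded with lookup('file', ...), i.e. arriving as a string.
DESIRED_TRUST_POLICY_JSON = json.dumps(DESIRED_TRUST_POLICY)


def canonical_json(policy):
    """Key-sorted, whitespace-free JSON, so key order alone never causes a diff."""
    return json.dumps(policy, sort_keys=True, separators=(",", ":"))


def policies_differ_naive(current, desired):
    """The buggy comparison: documents compared as given, so the Version
    that AWS added makes every second run look like a change."""
    return canonical_json(current) != canonical_json(desired)


def normalize_policy(policy):
    """Accept a dict, a JSON string or None; add the default Version when absent."""
    if policy is None:
        return None
    if isinstance(policy, str):
        policy = json.loads(policy)
    normalized = dict(policy)
    normalized.setdefault("Version", DEFAULT_POLICY_VERSION)
    return normalized


def policies_differ(current, desired):
    """The fixed comparison: True only when an update call is actually needed."""
    current, desired = normalize_policy(current), normalize_policy(desired)
    if current is None or desired is None:
        return (current is None) != (desired is None)
    return canonical_json(current) != canonical_json(desired)
```

A spurious "changed" on every run is not just noise: it forces the automation role to carry a write permission it should only need when the trust policy really changes.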
Moving this ticket from ansible-base.
SUMMARY
If I try to create an IAM role, I can.
When I run the task a second time, it fails, because I don't have iam:UpdateAssumeRolePolicy permissions in my IAM role. But if the role policy document hasn't changed, I shouldn't need iam:UpdateAssumeRolePolicy.
ISSUE TYPE
COMPONENT NAME
iam_role
ANSIBLE VERSION
Note that I tried to reproduce this off the devel branch, but got
It seems that all the cloud modules have been removed from devel? link
Is that deliberate?
CONFIGURATION
OS / ENVIRONMENT
Amazon Linux
STEPS TO REPRODUCE
Run this playbook twice, running this as an IAM role with iam:UpdateAssumeRolePolicy denied.
EXPECTED RESULTS
The playbook should succeed. The first run creates the role. The second run does nothing.
ACTUAL RESULTS
The first run successfully creates the role.
When I try the second time:
I wondered whether it's because assume_role_policy_document converts the yaml to json in a non-deterministic way. When I extracted that policy into json and did lookup('file', 'policy.json'), the result is the same. So I don't think that's the cause.