New module for AWS SES DKIM identity #71
Conversation
|
IAM user for CI tests still needs the |
There was a problem hiding this comment.
I apologise that the review on ansible/ansible didn't get done.
@jillr Now that we're in our own namespace I personally would suggest naming this module ses_identity_dkim rather than aws_ses_identity_dkim (it's FQCN would currently be community.aws.aws_ses_identity_dkim which seems silly) I know going through and mass-renaming will be painful, but for new modules I think it's worth starting as we'd like to go forward.
please also update
meta/action_groups.yml
This means that module_defaults: { group/aws: .... } works
| return response | ||
| except (BotoCoreError) as e: | ||
| module.fail_json_aws(e, msg='Failed to enable DKIM for {identity}.'.format(identity=identity)) | ||
| except (ClientError) as e: |
There was a problem hiding this comment.
If you've got the explicit error it would be better to catch it with except is_boto3_error_code('ErrorType') there are other reasons ClientError can be thrown.
There was a problem hiding this comment.
ok, will look into that
| "identity": dict(required=True, type='str'), | ||
| "state": dict(default='enabled', choices=['enabled', 'disabled']), | ||
| }, | ||
| supports_check_mode=False, |
There was a problem hiding this comment.
not supporting check mode is irritating for users.
There was a problem hiding this comment.
Ok, I didn't realize it was that important. I just set it to false here as in my last PR we got lost in implementing check-mode logic. So thought I would simply skip this this time. :P
| that: | ||
| - email_result.changed == False | ||
| - email_result.dkim_attributes.dkim_enabled == False | ||
|
|
There was a problem hiding this comment.
Please test delete mode (including trying to re-delete the object)
There was a problem hiding this comment.
There is not delete mode as actions are just made on the existing identities. Hence also using the enable/disable terminology instead of present/absent (or add/delete).
The deletion of the test objects is done in the always: section with the already existing aws_ses_identity module.
There was a problem hiding this comment.
What's the advantage of this being a separate module instead of extending aws_ses_identity?
| def ses_verify_dkim_domain(module, client, identity): | ||
| domain = identity.split('@')[-1] | ||
| try: | ||
| response = client.verify_domain_dkim(Domain=domain) |
There was a problem hiding this comment.
using except is_boto_error_code('SomeErrorIndicatingAbsence'): it should be possible to catch 'NotFound' and return a null here. This might make it easier to add check_mode support.
There was a problem hiding this comment.
But isn't it better to fail if s.th. goes wrong here? As returning with a null here, will just break anything a user was intending to do with return values.
There was a problem hiding this comment.
I meant to attach this comment to get_identity_dkim_settings thinking that this was creating a separate object... If this is just setting a flag on an SES identity, then it's probably better handled as an extension of aws_ses_identity
There was a problem hiding this comment.
That's a valid point. I guess I just started a seperate module back then because I thought there is not much overlap between the two modules in terms of logic and params needed. But as both modules use the same Boto3 module one could also argue to keep things together. Not sure what the general policy is for AWS modules. As it seems newer modules rather go the one purpose one module approach, but I could be wrong.
We should probably decide on this first before putting more effort into this PR.
|
CI policy can be updated with a PR against https://github.com/mattclay/aws-terminator/tree/master/aws/policy |
|
Also opened PR against aws-terminator for SES permissions: mattclay/aws-terminator#99 |
No worries, it was partly my own fault. Lost focus after a while of discussion and suggested changes on how to best implement check mode and keep responses idempotent etc.
Renamed the module now |
| region: "{{ aws_region }}" | ||
| no_log: yes | ||
|
|
||
| - block: |
There was a problem hiding this comment.
| - block: | |
| block: |
| aws_secret_key: "{{ aws_secret_key }}" | ||
| security_token: "{{ security_token | default(omit) }}" | ||
| region: "{{ aws_region }}" | ||
| no_log: yes |
There was a problem hiding this comment.
no_log needs to be used if setting authentication via set_fact and a yaml anchor, but not with module_defaults. This has the effect of suppressing all task output for the entire playbook.
That said, module_defaults for new collection modules is still WIP. For testing I've added this module to lib/ansible/config/module_defaults.yml in my local checkout of devel but we're going to need to coordinate making sure that when this lands, the necessary bits are in place for these tests to run in CI (apologies for the unfortunate timing of so many things being in-flights still).
Normally this would need to be:
module_defaults:
group/aws:
But let's pause on making any actual changes until this PR is further along: ansible/ansible#67291
There was a problem hiding this comment.
Module defaults can now be added by listing the module in action_groups in https://github.com/ansible-collections/community.aws/blob/main/meta/runtime.yml
| ses_verify_dkim_domain(module, client, identity) | ||
| enable_identity_dkim_settings(module, client, identity) | ||
| # TODO: find a way to easily detect changes (updates to identity) | ||
| changed = True |
There was a problem hiding this comment.
This is always returning changed=True, which causes your assertion for - name: Enable DKIM verification on email identity (rerun) to fail.
ansibullbot
added
affects_2.10
integration
tremble
added
the
pr_day
|
will close this, as I don't think it's going anywhere. |
* Remove legacy files in plugins/module_utils/aws * ci_complete * Clean up remaining instances of module_utils[./]aws
SUMMARY
New module
aws_ses_identity_dkim. I already opened a PR for this once quite a while ago, see ansible/ansible#53637ISSUE TYPE
COMPONENT NAME
aws_ses_identity_dkim
ADDITIONAL INFORMATION
Allows to setup DKIM configurations on AWS SES identities (i.e. validated domains or email-addresses).