New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New module for AWS SES DKIM identity #71
New module for AWS SES DKIM identity #71
Conversation
IAM user for CI tests still needs the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I apologise that the review on ansible/ansible didn't get done.
@jillr Now that we're in our own namespace I personally would suggest naming this module ses_identity_dkim
rather than aws_ses_identity_dkim
(it's FQCN would currently be community.aws.aws_ses_identity_dkim
which seems silly) I know going through and mass-renaming will be painful, but for new modules I think it's worth starting as we'd like to go forward.
please also update
meta/action_groups.yml
This means that module_defaults: { group/aws: .... }
works
return response | ||
except (BotoCoreError) as e: | ||
module.fail_json_aws(e, msg='Failed to enable DKIM for {identity}.'.format(identity=identity)) | ||
except (ClientError) as e: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you've got the explicit error it would be better to catch it with except is_boto3_error_code('ErrorType')
there are other reasons ClientError can be thrown.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok, will look into that
"identity": dict(required=True, type='str'), | ||
"state": dict(default='enabled', choices=['enabled', 'disabled']), | ||
}, | ||
supports_check_mode=False, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not supporting check mode is irritating for users.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, I didn't realize it was that important. I just set it to false here as in my last PR we got lost in implementing check-mode logic. So thought I would simply skip this this time. :P
that: | ||
- email_result.changed == False | ||
- email_result.dkim_attributes.dkim_enabled == False | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please test delete mode (including trying to re-delete the object)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is not delete mode as actions are just made on the existing identities. Hence also using the enable/disable terminology instead of present/absent (or add/delete).
The deletion of the test objects is done in the always: section with the already existing aws_ses_identity
module.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the advantage of this being a separate module instead of extending aws_ses_identity?
def ses_verify_dkim_domain(module, client, identity): | ||
domain = identity.split('@')[-1] | ||
try: | ||
response = client.verify_domain_dkim(Domain=domain) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
using except is_boto_error_code('SomeErrorIndicatingAbsence'):
it should be possible to catch 'NotFound' and return a null here. This might make it easier to add check_mode support.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But isn't it better to fail if s.th. goes wrong here? As returning with a null here, will just break anything a user was intending to do with return values.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I meant to attach this comment to get_identity_dkim_settings thinking that this was creating a separate object... If this is just setting a flag on an SES identity, then it's probably better handled as an extension of aws_ses_identity
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a valid point. I guess I just started a seperate module back then because I thought there is not much overlap between the two modules in terms of logic and params needed. But as both modules use the same Boto3 module one could also argue to keep things together. Not sure what the general policy is for AWS modules. As it seems newer modules rather go the one purpose one module approach, but I could be wrong.
We should probably decide on this first before putting more effort into this PR.
CI policy can be updated with a PR against https://github.com/mattclay/aws-terminator/tree/master/aws/policy |
Also opened PR against aws-terminator for SES permissions: mattclay/aws-terminator#99 |
No worries, it was partly my own fault. Lost focus after a while of discussion and suggested changes on how to best implement check mode and keep responses idempotent etc.
Renamed the module now |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this module. A couple of things here that stood out while testing the policy change, I was able to test enough to get the policies approved and deployed though.
region: "{{ aws_region }}" | ||
no_log: yes | ||
|
||
- block: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- block: | |
block: |
aws_secret_key: "{{ aws_secret_key }}" | ||
security_token: "{{ security_token | default(omit) }}" | ||
region: "{{ aws_region }}" | ||
no_log: yes |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no_log
needs to be used if setting authentication via set_fact
and a yaml anchor, but not with module_defaults
. This has the effect of suppressing all task output for the entire playbook.
That said, module_defaults
for new collection modules is still WIP. For testing I've added this module to lib/ansible/config/module_defaults.yml
in my local checkout of devel but we're going to need to coordinate making sure that when this lands, the necessary bits are in place for these tests to run in CI (apologies for the unfortunate timing of so many things being in-flights still).
Normally this would need to be:
module_defaults:
group/aws:
But let's pause on making any actual changes until this PR is further along: ansible/ansible#67291
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Module defaults can now be added by listing the module in action_groups
in https://github.com/ansible-collections/community.aws/blob/main/meta/runtime.yml
ses_verify_dkim_domain(module, client, identity) | ||
enable_identity_dkim_settings(module, client, identity) | ||
# TODO: find a way to easily detect changes (updates to identity) | ||
changed = True |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is always returning changed=True, which causes your assertion for - name: Enable DKIM verification on email identity (rerun)
to fail.
will close this, as I don't think it's going anywhere. |
* Remove legacy files in plugins/module_utils/aws * ci_complete * Clean up remaining instances of module_utils[./]aws
SUMMARY
New module
aws_ses_identity_dkim
. I already opened a PR for this once quite a while ago, see ansible/ansible#53637ISSUE TYPE
COMPONENT NAME
aws_ses_identity_dkim
ADDITIONAL INFORMATION
Allows to setup DKIM configurations on AWS SES identities (i.e. validated domains or email-addresses).