Conversation
required: false | ||
default: 300 | ||
region: | ||
description: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
don't add region. extend with 'ec2' doc fragment instead
b658c84
to
cea6aa9
Compare
@wimnat I've corrected and squashed previous commits. |
Thanks @jonhadfield for this new module. When this module receives 'shipit' comments from two community members and any 'needs_revision' comments have been resolved, we will mark for inclusion. |
I'm not able associate with an eip allocation when assuming a role in another account. I don't have any problem creating the eip and it seems valid, correct id and VPC. Any idea what could be wrong? I'm getting a similar issue with the #1446 nat gateway facts module not authenticating. Other AWS modules work fine, ec2_vpc_net_facts, ec2_vpc_subnet_facts. Thanks! |
Nevermind, this has been fixed in ansible/ansible/pull/14633 |
I think this is missing something, or maybe I'm missing something... currently, the method of identification (and therefore idempotency) is EIP allocation. EIPs are by design not identifiable (allocate when needed, or take an available allocated IP if possible), so they are unusable as ID. It seems there needs to be a field like |
Thanks for the feedback @khogeland. |
Right, it's the "with a specific EIP" part that is a problem. The |
It is possible to have more than one NAT gateway per subnet, so to ensure idempotency of ensuring one exists, you must provide a combination of allocation-id and subnet-id. So the second flow would prevent more than one being created. |
I don't agree, but I don't have a better solution. Maybe an |
I guess I should have put 'I imagine the flows can only be' as it's not really a preference but a limitation. |
Where does this stand? Is it waiting on further review or [tag] modifications from Amazon? |
@gaieges The module has been created and reviewed by myself and @Etherdaemon and tested by ourselves and other community members: #1438 |
Related #1882 |
@jonhadfield @Etherdaemon is it possibly to add this file to my project and reference it someone in order to test/use it before it is merged into 2.1? |
@aioue for sure - I already do this now for modules that I have written and hasn't been merged yet due to reviews etc. Just add it to your library folder and ensure it includes the contributor. EG:
|
type: string | ||
sample: "nat-0d1e3a878585988f8" | ||
''' | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Need some RETURN documentation
needs_revision |
Will sort out today. Thanks. |
Thanks @jonhadfield for this PR. This PR requires revisions, either because it fails to build or by reviewer request. Please make the suggested revisions. When you are done, please comment with text 'ready_for_review' and we will put this PR back into review. [This message brought to you by your friendly Ansibull-bot.] |
d9a85ee
to
4582872
Compare
@gregdek It failed to build due to an issue with an unrelated module that's now fixed. |
Thanks @jonhadfield -- it appears to be related to "old" PRs, for some value of "old" that we can't quite nail down. I hesitate to say "just rebase and it'll probably go away," but that seems to be the answer in most cases. |
shipit works_for_me |
# Check max_count has not been exceeded before attempting to create | ||
if module.params.get('max_count') < num_nat_gateways: | ||
module.fail_json( | ||
msg="The maximum desired number of NAT Gateways specified in " |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This shouldn't fail when the right number exist - that's a desired scenario.
I'm not quite happy with the behavior yet. If the right number of instances do exist, the module fails. My play:
The first time it works great, but all subsequent runs fail with:
|
The logic flow is:
On your second run, you've specified a different EIP, so it will attempt to create a new NAT GW but fail because it's reached max_count. If the EIP was the same, then it would exit unchanged. |
check for error code rather than look for matching substring. combine module exit statements. return all nat gateway details on creation. update RETURN documentation. increase version to 2.2 - modify RETURN output. implement a max_count parameter on number of nat gateways. tidy up exception handling. NoCredentialsError instance does not return a response attribute, so drop. improve logic.
4582872
to
852ed0d
Compare
Removed 'inline if' as suggested by @ryansb, re-tested scenarios and re-based.
|
I disagree with the logic in the module. Since you have to specify an allocation ID, how does having a To have a playbook run on the first try, I have to:
I think a sensible tweak would be:
|
max_count is to limit the number of NAT Gateways per subnet, not per allocation ID (specified in document string). |
@jonhadfield A friendly reminder: this pull request has been marked as needing your action. If you still believe that this PR applies, and you intend to address the issues with this PR, just let us know in the PR itself and we will keep it open pending your changes. When you do address the issues, please respond with ready_for_review in your comment, so that we can notify the maintainer. [This message brought to you by your friendly Ansibull-bot.] |
No change made yet, but looking for feedback to previous comment. |
Thanks @jonhadfield for this new module. When this module receives 'shipit' comments from two community members and any 'needs_revision' comments have been resolved, we will mark for inclusion. [This message brought to you by your friendly Ansibull-bot.] |
Thanks @jonhadfield for putting this module together - and apologies in advance for the long post. Just a thought - it appears that the "clientToken" parameter is intended to combat the issues with idempotency... So why not introduce it as a variable and let AWS's API handle any Idempotency mismatch issues (i.e., overlapping clientToken names in the same region)? Based on AWS docs, the clientToken should only allow the request to be executed the FIRST time, given that no other settings change (i.e., subnet, EIP allocation, etc.), with each subsequent run simply returning the same values, but not actually taking action. Looks accurate, based on my testing: AWS CLI command:
First run:
and once it is out of "pending" state, another run with the exact same configuration results in:
If an attempt to modify the EIP, Subnet, etc. is made, and the clientToken is not modified, AWS will return (in this example, subnet), or if someone mistakenly names 2 NGWs in the same region the same, they'll get:
If the gateway is subsequently deleted via DeleteNatGateway, the clientToken is reset on the AWS side as soon as the NGW state goes to "Deleted". So, for example, if a NGW is accidentally deleted, ansible will fail while the state is in "Deleting":
...but will succeed and build a new NGW as soon as the old one goes to "Deleted" (a few mins). Taking @ryansb example (modified for use with clientToken):
and you'll get exactly 3 NGWs with 3 EIPs in 3 specific subnets, every time. Delete functionality would need to remain as-is with the nat-id, I think. DescribeNatGateways doesn't return a clientToken, and you wouldn't want to create a NGW if it didn't exist, only to turn around and delete it, of course. No need for arbitrary counts (max or exact). I would think the clientToken should be required, but I may not be thinking of a case where that's not ideal... Thoughts? K |
@jonhadfield so it looks like we've got a situation where we've got two modules that do more or less the same things, and they're both close to the finish line: this one and #1882. An embarrassment of riches, in this case. Thanks to both you and @linuxdynasty, and apologies to both of you for not asking you to join forces sooner; we're still not very good at identifying potentially duplicated modules. The one thing in favor of #1882, from my perspective, is that it appears to have tests with it. @jonhadfield could I ask you to take a look at this and #1882 and let me know if there are substantial differences/improvements with this PR that we could incorporate into #1882? Or, if you think this PR is superior to #1882, I'd like to hear that as well. |
@gregdek I first submitted this module 30th December 2015 and then discovered @Etherdaemon had previously submitted one to perform the same task. We worked together and @Etherdaemon then generously closed their PR so we could expedite the inclusion of this functionality into Ansible. I've had a brief look at #1882 and I think the main difference is that our submission is less complex. For example, I intentionally don't use a public IP as a parameter as I think it unnecessary, but you could also argue that some users may prefer to specify a public IP. I think both modules achieve the same goal and are well written, so it's more of a subjective choice for yourselves and the community. I appreciate the inclusion of tests for #1882 is a definite advantage. I'd be happy to write them for this module also if it's decided to continue with my PR. Also happy to close this and help out with @linuxdynasty's submission as I'm more interested in getting the functionality merged than attribution for my efforts (assuming @Etherdaemon feels the same way as #1882 is based off their original module). |
After discussion, it's time to make a decision, and the decision I'm making is that we're going with #1882 because it has tests. @jonhadfield and @Etherdaemon, thanks to both of you for your help and your patience throughout this process. |
This adds the functionality to manage a VPC Managed NAT Gateway.
Previous PR #1438 closed as github won't allow me to re-open after a forced push.