Aws ses rule set module for inbound email processing #42781
88ffb1d to bfd524b
Failing test is due to missing AWS permission in the CI build
Relevant permission updates are included in compute-policy.json
The module looks great but the tests are a little unstable. Those should probably be fixed if possible before merging. We're tracking unstable and broken AWS tests here https://github.com/ansible/ansible/projects/21 and trying to not add more.
- name: assert changed is False | ||
assert: | ||
that: | ||
- result.changed == False |
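Review bot: the comparison `result.changed == False` on the last line of this hunk reads better as Ansible's result test, `result is not changed`, and the task name "assert changed is False" does not say which preceding task it is checking. Naming the operation under test in the task name makes an intermittent CI failure at this assertion easier to attribute.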
This seems to be periodically failing with changed is True. I think the module may need a waiter.
I might be wrong, but I don't think this is a timing / eventual consistency thing.
There can only be one active rule set per-region per-account. I think what's happening is the python2 and python3 tests are running in parallel and if we're unlucky, the other test creates an active rule in the gap here and the test fails because this rule is no longer active so making it active is a change.
Hard to be sure because it's intermittent, but I've repeatedly run this test on an ec2 instance in the same region as the SES instance and not had a single failure, but when I run 2 instances in parallel of just this test it fails reliably as described.
I'll have to give some thought to how to have a reliable test here since the active ruleset really is global state.
Any advice or thoughts would be appreciated.
name: "{{ default_rule_set }}" | ||
<<: *aws_connection_info | ||
register: result | ||
- name: assert not changed and still active |
This one is also sometimes failing with changed is True
CI failure in integration tests: https://app.shippable.com/github/ansible/ansible/runs/75475/66/tests
…ittent test failures.
… set when force deleting an inactive rule set.
851293d to bc367ab
Latest update should fix the intermittent test failures.
As suggested on the IRC channel I've introduced a per region/account lock around tests that rely on the rule set being active since there can only be one active rule set. Explanation of the locking approach is in the comment at the top of obtain-lock.yaml. Basically it's creating cloudwatch log groups as the central coordination resource.
This necessitated updating the testing iam policies to allow access to cloudwatch logs. The integration build is now failing because of the missing cloudwatch logs permissions.
In testing the locking I found a bug in the module that was also causing intermittent failures which is fixed by this commit. Essentially the bug was that when state=absent and force=true I was deactivating the active rule set even if it wasn't the rule set being deleted. This is fixed by only deactivating the active rule set if it's the rule set being deleted.
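Added example, not code from this PR or from the module: a sketch of the force-delete bug and fix described in the comment above, run against a constructed in-memory stand-in for the SES client. `FakeSES`, `remove_buggy`, `remove_fixed`, `run` and the rule set names are hypothetical; only the three method names mirror real boto3 SES calls.

```python
class FakeSES:
    """Constructed in-memory stand-in for the boto3 SES client (three calls only)."""

    def __init__(self, rule_sets, active=None):
        self.rule_sets = set(rule_sets)
        self.active = active

    def describe_active_receipt_rule_set(self):
        # Assumption: no 'Metadata' key in the response when nothing is active
        return {"Metadata": {"Name": self.active}} if self.active else {}

    def set_active_receipt_rule_set(self, **kwargs):
        # Omitting RuleSetName deactivates whatever rule set is active
        self.active = kwargs.get("RuleSetName")

    def delete_receipt_rule_set(self, RuleSetName):
        if RuleSetName == self.active:
            raise RuntimeError("CannotDelete: rule set is active")
        self.rule_sets.discard(RuleSetName)


def active_name(client):
    return client.describe_active_receipt_rule_set().get("Metadata", {}).get("Name")


def remove_buggy(client, name, force=False):
    """Behaviour described as the bug: force always deactivates first."""
    if force:
        client.set_active_receipt_rule_set()
    client.delete_receipt_rule_set(RuleSetName=name)


def remove_fixed(client, name, force=False):
    """Behaviour described as the fix: deactivate only if `name` is the active set."""
    if force and active_name(client) == name:
        client.set_active_receipt_rule_set()
    client.delete_receipt_rule_set(RuleSetName=name)


def run(remove, target, force):
    # Constructed state: one active rule set and one inactive one
    client = FakeSES({"prod-inbound", "scratch"}, active="prod-inbound")
    remove(client, target, force=force)
    return active_name(client), sorted(client.rule_sets)


if __name__ == "__main__":
    print(run(remove_buggy, "scratch", True))       # active rule set lost
    print(run(remove_fixed, "scratch", True))       # active rule set untouched
    print(run(remove_fixed, "prod-inbound", True))  # forced delete of the active set
```

With the buggy variant, force-deleting the inactive `scratch` set leaves the region with no active rule set, so inbound mail processing would stop without any task having asked for it.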
@orthanc Thanks for the fantastic work, as usual. Sorry this took a while to address the needs_ci_update.
* Add module ses_rule_set for Amazon SES
* Update behaviours and naming to be consistent with other aws_ses_ modules.
* Add global lock around tests using active rule sets to prevent intermittent test failures.
* Fix deletion of rule sets so that we don't inactivate the active rule set when force deleting an inactive rule set.
SUMMARY
This is intended to supersede the abandoned pull request #22854 by @tomislacker which was trying to contribute modules for managing SES rule_sets and rules to allow for email to be received and processed with SES.
I've updated the modules from that PR to adhere to the same naming conventions and behaviours as the other SES modules and comply with the current AWS module guidelines including integration tests.
The major behavioural changes from the starting point modules are:
- aws_ to match the preferred convention
- active parameter does not change the activation of the rule set rather than deactivating the rule set as it did in the earlier PR
- force option that can be set when state=absent to allow the deletion of active rule sets
Examples:
ISSUE TYPE
COMPONENT NAME
aws_ses_rule_set
ANSIBLE VERSION
ADDITIONAL INFORMATION
This module is the first of three in a chain that should fully supersede #22854:
- aws_ses_rule_set - management of rule sets
- aws_ses_rule_set_facts - get information on existing rule sets and the rules within them
- aws_ses_rule - management of individual rules within a rule set
aws_ses_rule_set_facts is required in order to write integration tests for aws_ses_rule. Similarly we can't fully test aws_ses_rule_set_facts without aws_ses_rule to enable the creation of rules.
So to comply with the one module per PR rule the plan is to contribute aws_ses_rule_set_facts with a basic test suite focusing on the rule-set info, then include additional tests for facts about the rules in a rule set as part of the subsequent PR for aws_ses_rule.