New module = elb_application_lb #19491
Conversation
|
Migrated from ansible/ansible-modules-extras#2946 |
ansibot
added
affects_2.3
wimnat
force-pushed
the
ansible-modules-extras/pull/2946
branch
from
099b04a
to
996323b
Compare
ansibot
added
needs_triage
| choices: [ 'yes', 'no' ] | ||
| idle_timeout: | ||
| description: | ||
| - The number of seconds to wait before an idle connection is closed |
There was a problem hiding this comment.
Missing full stop. descriptions: must be sentences.
gundalow
removed
the
needs_triage
ansibot
added
needs_rebase
|
For those asking about a name change here are my reasons:
|
ansibot
added
needs_revision
There was a problem hiding this comment.
We can definitely add an elb_classic_lb alias that will point at ec2_elb_lb, the renaming process takes multiple cycles because we must have one release (at least) for each phase (numbers assume starting now):
- Allow the new name (release the alias) in 2.3 and add a warning on the old name
- Release 2.4 and continue warning on the old name
- Release 2.5 and rename
ec2_elb_lbto_ec2_elb_lb - Release 2.6 without
_ec2_elb_lb
|
|
||
| DOCUMENTATION = ''' | ||
| --- | ||
| module: elb_lb_application |
There was a problem hiding this comment.
Fix this name to match file name
| - A list of the names or IDs of the security groups to assign to the load balancer. Required if state=present. | ||
| required: false | ||
| default: [] | ||
| scheme: |
There was a problem hiding this comment.
It may be more obvious to name this parameter something like public as a boolean, but I'd be worried about AWS adding some third scheme meaning we have to obsolete the boolean and use their new value. No change required here, but would like your thoughts.
There was a problem hiding this comment.
I agree. Chances of AWS creating a third schema are not low.
Also, with this scheme, at least we're following AWS API convention.
| ssl_policy: # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy. | ||
| certificates: # The ARN of the certificate (only one certficate ARN should be provided) | ||
| default_actions: | ||
| - type: forward # Required. Only 'forward' is accepted at this time |
There was a problem hiding this comment.
Can this default to forward since that's the only accepted value?
There was a problem hiding this comment.
Can't default this as it's not actually an Ansilble parameter. It's a child of listeners.
| Rules: | ||
| - Conditions: | ||
| - Field: path-pattern | ||
| Values: |
There was a problem hiding this comment.
I think this needs to move out one indentation level to match Field
| - '/test' | ||
| Priority: '1' | ||
| Actions: | ||
| - 'TargetGroupName': 'test-target-group' |
There was a problem hiding this comment.
Remove these single-quotes.
| - Field: path-pattern | ||
| Values: | ||
| - '/test' | ||
| Priority: '1' |
There was a problem hiding this comment.
Can this work as an int as well, or must it be quoted?
| try: | ||
| response = connection.describe_target_groups(Names=[tg_name]) | ||
| except botocore.exceptions.ClientError as e: | ||
| module.fail_json(msg=e.message, **camel_dict_to_snake_dict(e.response)) |
There was a problem hiding this comment.
Please add the kwarg exception=traceback.format_exc() to this failure.
|
|
||
| try: | ||
| return connection.describe_load_balancers(Names=[module.params.get("name")])['LoadBalancers'][0] | ||
| except (ClientError, NoCredentialsError) as e: |
There was a problem hiding this comment.
Can you handle NoCreds separately to raise a less generic message?
There was a problem hiding this comment.
The handling of the exception will be identical as it just uses the message passed from AWS
| try: | ||
| connection.modify_load_balancer_attributes(LoadBalancerArn=elb['LoadBalancerArn'], Attributes=params['Attributes']) | ||
| except (ClientError, NoCredentialsError) as e: | ||
| module.fail_json(msg=e.message, **camel_dict_to_snake_dict(e.response)) |
There was a problem hiding this comment.
Add exception=traceback.format_exc() here as well please.
| try: | ||
| params['SecurityGroups'] = get_ec2_security_group_ids_from_names(module.params.get('security_groups'), connection_ec2, boto3=True) | ||
| except ValueError as e: | ||
| module.fail_json(msg=str(e)) |
There was a problem hiding this comment.
Add traceback here as well (for line numbers).
ansibot
added
needs_revision
| certificates: # The ARN of the certificate (only one certficate ARN should be provided) | ||
| default_actions: | ||
| - type: forward # Required. Only 'forward' is accepted at this time | ||
| target_group_arn: # Required. The ARN of the target group |
There was a problem hiding this comment.
This protests if I only specify TargetGroupArn and only uses TargetGroupName (to then get the ARN).
| - subnet-012345678 | ||
| - subnet-abcdef000 | ||
| listeners: | ||
| - protocol: http # Required. The protocol for connections from clients to the load balancer (http or https). |
There was a problem hiding this comment.
Since these are being passed directly to boto3 we should fix the docs to reflect what is expected. Only accepts Protocol and HTTP as opposed to protocol and http right now. CamelCase all the listeners options.
| - subnet-012345678 | ||
| - subnet-abcdef000 | ||
| listeners: | ||
| - protocol: http # Required. The protocol for connections from clients to the load balancer (http or https). |
There was a problem hiding this comment.
The listeners options all need to be CamelCase for the example to work.
|
|
||
| # Now, if required, set ELB listeners. Use try statement here so we can remove the ELB if this stage fails | ||
| try: | ||
| listener_changed = create_or_update_elb_listeners(connection, module, elb) |
There was a problem hiding this comment.
Not a blocker, but do we want a purge_listeners option? To do any modification to the ELB all the listeners must be specified each time.
There was a problem hiding this comment.
Would prefer to do this later
| for listener in listeners: | ||
| for key in listener.keys(): | ||
| if key not in ['Protocol', 'Port', 'SslPolicy', 'Certificates', 'DefaultActions', 'Rules']: | ||
| module.fail_json(msg="listeners parameter contains invalid dict keys") |
There was a problem hiding this comment.
Could add the expected keys to the error since CamelCase may be unexpected.
| returned: when status is present | ||
| type: string | ||
| sample: internal-my-elb-123456789.ap-southeast-2.elb.amazonaws.com | ||
| idle_timeout_timeout_seconds: |
There was a problem hiding this comment.
Is this return value unrelated to the idle_timeout option?
| try: | ||
| import boto3 | ||
| from botocore.exceptions import ClientError, NoCredentialsError | ||
| HAS_BOTO3 = True |
There was a problem hiding this comment.
Can import HAS_BOTO3 instead from ansible.module_utils.ec2
|
The test |
| - Protocol: http # Required. The protocol for connections from clients to the load balancer (http or https). | ||
| Port: 80 # Required. The port on which the load balancer is listening. | ||
| SslPolicy: # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy. | ||
| Certificates: # The ARN of the certificate (only one certficate ARN should be provided) |
There was a problem hiding this comment.
The later example of the Certificates parameter is much more clear about what's expected here (a list of dicts, and not a string of the ARN, which is what the comment here made it sound like) -- it might be nice if this example matched.
| - Protocol: http # Required. The protocol for connections from clients to the load balancer (http or https). | ||
| Port: 80 # Required. The port on which the load balancer is listening. | ||
| SslPolicy: # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy. | ||
| Certificates: # The ARN of the certificate (only one certficate ARN should be provided) |
There was a problem hiding this comment.
The later example of the Certificates parameter is much more clear about what's expected here (a list of dicts, and not a string of the ARN, which is what the comment here made it sound like) -- it might be nice if this example matched.
|
The test |
|
The test |
|
shipit |
|
@wimnat Looking forward to getting this merged. LMK if you want me to make pep8 fixes. |
ansibot
added
the
stale_ci
|
@s-hertel i think we're there. Once this and target_group is merged i'm going to have such a party :D |
|
shipit |
|
shipit |
|
In a followup PR it would be nice to wrap these calls in AWSRetry.backoff, since there are lots of calls hitting the same API in this module, so it'd be easy to hit limits at scale. |
|
This PR is not python3 compatible so added a follow up #25300 |
ISSUE TYPE
COMPONENT NAME
elb_application_lb
ANSIBLE VERSION
2.3
SUMMARY
New module for AWS application ELBs. I have broken with naming convention compared to the classic elb module ec2_elb_lb because ELB is actually a separate part of boto3 and not part of ec2. I suggest we rename ec2_elb_lb to elb_classic_lb.
I have also not attempted to merge classic and application load balancers in to one module because they are again separate in boto3 API and operate different enough to warrant two modules.
The module is currently unfinished. I know there are bugs and modification of listeners doesn't work properly at the moment either but i have created the PR to get some feedback from the community as I imagine this module is probably quite sought after.