New module = elb_application_lb #19491
Conversation
Migrated from ansible/ansible-modules-extras#2946
Commits 099b04a to 996323b
needs_revision
choices: [ 'yes', 'no' ]
idle_timeout:
description:
- The number of seconds to wait before an idle connection is closed
Missing full stop. descriptions: must be sentences.
Done
For those asking about a name change here are my reasons:
We can definitely add an elb_classic_lb alias that will point at ec2_elb_lb, the renaming process takes multiple cycles because we must have one release (at least) for each phase (numbers assume starting now):
- Allow the new name (release the alias) in 2.3 and add a warning on the old name
- Release 2.4 and continue warning on the old name
- Release 2.5 and rename ec2_elb_lb to _ec2_elb_lb
- Release 2.6 without _ec2_elb_lb
DOCUMENTATION = '''
---
module: elb_lb_application
Fix this name to match file name
- A list of the names or IDs of the security groups to assign to the load balancer. Required if state=present.
required: false
default: []
scheme:
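Review bot: the description says security_groups is required when state=present, but the argument spec right below it has required: false with default: [], so nothing enforces the requirement and an omitted value is passed on as an empty list. Either enforce it (required_if on state=present in the AnsibleModule, or an explicit check before the create call) or drop the "Required if state=present" wording so the docs match the behaviour.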
It may be more obvious to name this parameter something like public as a boolean, but I'd be worried about AWS adding some third scheme meaning we have to obsolete the boolean and use their new value. No change required here, but would like your thoughts.
I agree. Chances of AWS creating a third schema are not low.
Also, with this scheme, at least we're following AWS API convention.
ssl_policy: # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy.
certificates: # The ARN of the certificate (only one certficate ARN should be provided)
default_actions:
- type: forward # Required. Only 'forward' is accepted at this time
Can this default to forward since that's the only accepted value?
Can't default this as it's not actually an Ansible parameter. It's a child of listeners.
Rules:
- Conditions:
- Field: path-pattern
Values:
I think this needs to move out one indentation level to match Field
- '/test'
Priority: '1'
Actions:
- 'TargetGroupName': 'test-target-group'
Remove these single-quotes.
- Field: path-pattern
Values:
- '/test'
Priority: '1'
Can this work as an int as well, or must it be quoted?
try:
response = connection.describe_target_groups(Names=[tg_name])
except botocore.exceptions.ClientError as e:
module.fail_json(msg=e.message, **camel_dict_to_snake_dict(e.response))
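Review bot: e.message in `module.fail_json(msg=e.message, **camel_dict_to_snake_dict(e.response))` is a Python 2 only attribute; on Python 3 the failure path itself raises AttributeError instead of reporting the AWS error (the follow-up #25300 notes the module is not Python 3 compatible). Use str(e) (or to_native(e)) for msg so the handler works on both interpreters.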
Please add the kwarg exception=traceback.format_exc() to this failure.
try:
return connection.describe_load_balancers(Names=[module.params.get("name")])['LoadBalancers'][0]
except (ClientError, NoCredentialsError) as e:
Can you handle NoCreds separately to raise a less generic message?
The handling of the exception will be identical as it just uses the message passed from AWS
try:
connection.modify_load_balancer_attributes(LoadBalancerArn=elb['LoadBalancerArn'], Attributes=params['Attributes'])
except (ClientError, NoCredentialsError) as e:
module.fail_json(msg=e.message, **camel_dict_to_snake_dict(e.response))
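Review bot: the except clause catches NoCredentialsError together with ClientError and then reads e.response, but NoCredentialsError is a BotoCoreError with no response attribute, so a missing-credentials failure raises AttributeError inside the handler rather than reaching fail_json. Give NoCredentialsError its own except that calls module.fail_json(msg=str(e)) without the **camel_dict_to_snake_dict(e.response) expansion; that also gives the less generic message asked for above, and str(e) avoids the Python 2 only e.message.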
Add exception=traceback.format_exc() here as well please.
try:
params['SecurityGroups'] = get_ec2_security_group_ids_from_names(module.params.get('security_groups'), connection_ec2, boto3=True)
except ValueError as e:
module.fail_json(msg=str(e))
Add traceback here as well (for line numbers).
certificates: # The ARN of the certificate (only one certficate ARN should be provided)
default_actions:
- type: forward # Required. Only 'forward' is accepted at this time
target_group_arn: # Required. The ARN of the target group
This protests if I only specify TargetGroupArn and only uses TargetGroupName (to then get the ARN).
- subnet-012345678
- subnet-abcdef000
listeners:
- protocol: http # Required. The protocol for connections from clients to the load balancer (http or https).
Since these are being passed directly to boto3 we should fix the docs to reflect what is expected. Only accepts Protocol and HTTP as opposed to protocol and http right now. CamelCase all the listeners options.
- subnet-012345678
- subnet-abcdef000
listeners:
- protocol: http # Required. The protocol for connections from clients to the load balancer (http or https).
The listeners options all need to be CamelCase for the example to work.
# Now, if required, set ELB listeners. Use try statement here so we can remove the ELB if this stage fails
try:
listener_changed = create_or_update_elb_listeners(connection, module, elb)
Not a blocker, but do we want a purge_listeners option? To do any modification to the ELB all the listeners must be specified each time.
Would prefer to do this later
for listener in listeners:
for key in listener.keys():
if key not in ['Protocol', 'Port', 'SslPolicy', 'Certificates', 'DefaultActions', 'Rules']:
module.fail_json(msg="listeners parameter contains invalid dict keys")
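Review bot: this loop only rejects unknown keys; it never checks that the keys the documentation marks as required (Protocol, Port, DefaultActions) are present, so a listener that omits Port is passed through and fails later inside boto3 with a much less helpful error. Add a required-keys check next to this one, and include the offending key and the allowed list in the message, e.g. msg="listener contains invalid key %r, expected one of %s" % (key, allowed), since the CamelCase spelling is easy to get wrong.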
Could add the expected keys to the error since CamelCase may be unexpected.
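As an added example (not code from this PR or the module), a listener validator along the lines the reviewers ask for: it names the allowed CamelCase keys in the error, hints when a snake_case key was used, and also checks the required keys plus the Certificates and DefaultActions shapes. The boto3 field names (CertificateArn, Type, TargetGroupArn) and the uppercase HTTP/HTTPS values are assumptions taken from the boto3 create_listener API, not from this page.

```python
# Added example: validate the `listeners` structure before anything is sent
# to boto3. Allowed keys are the ones the module's own check lists; the
# CertificateArn / Type / TargetGroupArn names are assumed from boto3.
ALLOWED_KEYS = {'Protocol', 'Port', 'SslPolicy', 'Certificates', 'DefaultActions', 'Rules'}
REQUIRED_KEYS = {'Protocol', 'Port', 'DefaultActions'}


def _camel(key):
    """snake_case -> CamelCase, used only to hint at the expected spelling."""
    return ''.join(part.capitalize() for part in key.split('_'))


def validate_listeners(listeners):
    """Return a list of human-readable problems; an empty list means valid."""
    errors = []
    if not isinstance(listeners, list):
        return ["listeners must be a list of dicts"]
    for idx, listener in enumerate(listeners):
        where = "listeners[%d]" % idx
        if not isinstance(listener, dict):
            errors.append("%s: must be a dict" % where)
            continue
        for key in listener:
            if key not in ALLOWED_KEYS:
                msg = "%s: invalid key %r; expected one of %s" % (where, key, sorted(ALLOWED_KEYS))
                if _camel(key) in ALLOWED_KEYS:  # e.g. 'protocol' -> 'Protocol'
                    msg += " (did you mean %r? keys are CamelCase)" % _camel(key)
                errors.append(msg)
        for key in sorted(REQUIRED_KEYS - set(listener)):
            errors.append("%s: missing required key %r" % (where, key))
        protocol = listener.get('Protocol')
        if protocol is not None and protocol not in ('HTTP', 'HTTPS'):
            errors.append("%s: Protocol must be HTTP or HTTPS, got %r" % (where, protocol))
        if protocol == 'HTTPS':
            # boto3 wants a list of {'CertificateArn': ...} dicts, not a bare ARN string
            certs = listener.get('Certificates')
            if not isinstance(certs, list) or not certs or not all(
                    isinstance(c, dict) and c.get('CertificateArn') for c in certs):
                errors.append("%s: HTTPS listeners need Certificates as a list of dicts with CertificateArn" % where)
        port = listener.get('Port')
        if port is not None and not (isinstance(port, int) and not isinstance(port, bool) and 1 <= port <= 65535):
            errors.append("%s: Port must be an integer 1-65535, got %r" % (where, port))
        for aidx, action in enumerate(listener.get('DefaultActions') or []):
            # only 'forward' to a target group is accepted at this time
            if not isinstance(action, dict) or action.get('Type') != 'forward' or not action.get('TargetGroupArn'):
                errors.append("%s.DefaultActions[%d]: needs Type 'forward' and a TargetGroupArn" % (where, aidx))
    return errors
```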
returned: when status is present
type: string
sample: internal-my-elb-123456789.ap-southeast-2.elb.amazonaws.com
idle_timeout_timeout_seconds:
Is this return value unrelated to the idle_timeout option?
try:
import boto3
from botocore.exceptions import ClientError, NoCredentialsError
HAS_BOTO3 = True
Can import HAS_BOTO3 instead from ansible.module_utils.ec2
done
- Protocol: http # Required. The protocol for connections from clients to the load balancer (http or https).
Port: 80 # Required. The port on which the load balancer is listening.
SslPolicy: # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy.
Certificates: # The ARN of the certificate (only one certficate ARN should be provided)
The later example of the Certificates parameter is much more clear about what's expected here (a list of dicts, and not a string of the ARN, which is what the comment here made it sound like) -- it might be nice if this example matched.
done
shipit
@wimnat Looking forward to getting this merged. LMK if you want me to make pep8 fixes.
@s-hertel i think we're there. Once this and target_group is merged i'm going to have such a party :D
shipit
shipit
In a followup PR it would be nice to wrap these calls in AWSRetry.backoff, since there are lots of calls hitting the same API in this module, so it'd be easy to hit limits at scale.
This PR is not python3 compatible so added a follow up #25300
ISSUE TYPE
COMPONENT NAME
elb_application_lb
ANSIBLE VERSION
2.3
SUMMARY
New module for AWS application ELBs. I have broken with naming convention compared to the classic elb module ec2_elb_lb because ELB is actually a separate part of boto3 and not part of ec2. I suggest we rename ec2_elb_lb to elb_classic_lb.
I have also not attempted to merge classic and application load balancers into one module because they are again separate in the boto3 API and operate differently enough to warrant two modules.
The module is currently unfinished. I know there are bugs and modification of listeners doesn't work properly at the moment either, but I have created the PR to get some feedback from the community as I imagine this module is probably quite sought after.