Fix: modifying existing application lb using certificates now properl… #28217

Merged
merged 1 commit into from
Sep 7, 2017

@tsifrer tsifrer commented Aug 15, 2017

…y sets certificates

SUMMARY

Fixed an issue where modifying an existing application load balancer fails because certificates are not copied to a new dictionary correctly.

ISSUE TYPE
  • Bugfix Pull Request
COMPONENT NAME

lib/ansible/modules/cloud/amazon/elb_application_lb.py

ANSIBLE VERSION
2.4.0

ansibot commented Aug 15, 2017

@ansibot ansibot added affects_2.4 This issue/PR affects Ansible v2.4 aws bugfix_pull_request cloud community_review In order to be merged, this PR must follow the community review workflow. module This issue/PR relates to a module. needs_triage Needs a first human triage before being processed. support:community This issue/PR relates to code supported by the Ansible community. labels Aug 15, 2017

wimnat commented Aug 15, 2017

Can you better explain the problem please? Did the module fail or were the results unexpected?

@ansibot ansibot removed the needs_triage Needs a first human triage before being processed. label Aug 15, 2017

tsifrer commented Aug 15, 2017

When modifying an existing application LB that has a certificate set for HTTPS connection, the script raised an exception KeyError: 'Certificates' which causes the module to fail. As a result of failure, it doesn't update the application LB.

Example:

- local_action:
    module: elb_application_lb
    name: "my-alb"
    state: present
    listeners:
      - Protocol: HTTPS
        Port: 443
        SslPolicy: ELBSecurityPolicy-2016-08
        Certificates:
          - CertificateArn: "arn:aws:iam::my-account-id:certificate/my-certificate"
        DefaultActions:
          - Type: forward
            TargetGroupName: "my-target-group"

This will eventually call compare_listener function in the module which will raise a KeyError: 'Certificates' exception on line 541 (in this case, but the same would happen on line 544 if we would be changing HTTP listener to HTTPS one). The problem happens because the compare_listener function is creating a new modified_listener dictionary but in cases where you have certificates set for HTTPS connection, it doesn't correctly set the Certificates key on the new modified_listener dictionary.

Sorry for not explaining it better in the summary. Hope this helps.
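
The failure described in the comment above, as an added example that is not part of the original thread or the module's code: `compare_listener_buggy` is an assumed reconstruction of the failure mode (writing into a nested key that was never created), and `compare_listener_fixed`, `first_cert_arn` and the sample listeners are hypothetical names and constructed data.

```python
# Added illustration: simplified stand-ins, not the elb_application_lb module's code.
OLD_ARN = "arn:aws:iam::my-account-id:certificate/my-certificate"      # from the thread
NEW_ARN = "arn:aws:iam::my-account-id:certificate/my-new-certificate"  # constructed

# Constructed sample listeners.
CURRENT_HTTP = {'Protocol': 'HTTP', 'Port': 80}
CURRENT_HTTPS = {'Protocol': 'HTTPS', 'Port': 443,
                 'SslPolicy': 'ELBSecurityPolicy-2016-08',
                 'Certificates': [{'CertificateArn': OLD_ARN}]}
NEW_HTTPS = dict(CURRENT_HTTPS, Certificates=[{'CertificateArn': NEW_ARN}])


def compare_listener_buggy(current_listener, new_listener):
    """Assumed shape of the bug: the result dict has no 'Certificates' key yet."""
    modified_listener = {}
    cur_arn = current_listener['Certificates'][0]['CertificateArn']
    new_arn = new_listener['Certificates'][0]['CertificateArn']
    if cur_arn != new_arn:
        # modified_listener is still {}, so this raises KeyError: 'Certificates'
        modified_listener['Certificates'][0]['CertificateArn'] = new_arn
    return modified_listener


def first_cert_arn(listener):
    """Return the first certificate ARN, or None for listeners without one."""
    certs = listener.get('Certificates') or []
    return certs[0].get('CertificateArn') if certs else None


def compare_listener_fixed(current_listener, new_listener):
    """Return only the keys that changed; tolerate HTTP listeners with no certificate."""
    modified_listener = {}
    for key in ('Port', 'Protocol', 'SslPolicy'):
        if key in new_listener and current_listener.get(key) != new_listener[key]:
            modified_listener[key] = new_listener[key]
    new_arn = first_cert_arn(new_listener)
    if new_arn is not None and first_cert_arn(current_listener) != new_arn:
        # Create the nested structure in one step so the key always exists.
        modified_listener['Certificates'] = [{'CertificateArn': new_arn}]
    return modified_listener
```
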

s-hertel commented Aug 17, 2017

@wimnat I think this issue looks akin to #27332.
^ Nope.

@ansibot ansibot added the stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. label Aug 25, 2017
@@ -538,9 +538,13 @@ def compare_listener(current_listener, new_listener):
if current_listener['SslPolicy'] != new_listener['SslPolicy']:
modified_listener['SslPolicy'] = new_listener['SslPolicy']
if current_listener['Certificates'][0]['CertificateArn'] != new_listener['Certificates'][0]['CertificateArn']:
modified_listener['Certificates'] = []
modified_listener['Certificates'].append({})
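
Review bot: The condition on the `current_listener['Certificates'][0]['CertificateArn'] != new_listener['Certificates'][0]['CertificateArn']` line indexes `['Certificates'][0]` on both listeners with no guard, so a listener that lacks a `Certificates` key or carries an empty list raises KeyError or IndexError before the new initialisation is reached, and only the first certificate is ever compared. Consider reading both sides with `.get('Certificates')` and comparing the full list of ARNs, and building the replacement list in one step instead of `= []` followed by `.append({})`.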

Can you just do something like modified_listener['Certificates'] = [{'CertificateArn': new_listener['Certificates'][0]['CertificateArn']}] rather than making it an empty list and appending an empty dict?

I see that it's the same as done elsewhere in the module though. Fine as-is.

s-hertel commented Sep 5, 2017

@wimnat This fix makes sense to me. Basically the same as what's happening on line 549-551: https://github.com/ansible/ansible/pull/28217/files#diff-a1bcebad578f0e6bfd841049d327a587L549
Are you happy with it?

wimnat commented Sep 6, 2017

Yep, I'm ok with it shipit

@s-hertel s-hertel merged commit 3bd89f8 into ansible:devel Sep 7, 2017
prasadkatti pushed a commit to prasadkatti/ansible that referenced this pull request Oct 1, 2017
willthames pushed a commit to willthames/ansible that referenced this pull request Nov 8, 2017
s-hertel pushed a commit that referenced this pull request Nov 15, 2017
@ansibot ansibot added bug This issue/PR relates to a bug. and removed bugfix_pull_request labels Mar 6, 2018
@ansible ansible locked and limited conversation to collaborators Apr 26, 2019