AWS security group description mismatch causes module ec2_group to fail #31704

Closed
luqasz opened this issue Oct 13, 2017 · 9 comments
Labels
  • affects_2.4: This issue/PR affects Ansible v2.4
  • aws
  • bot_closed
  • bug: This issue/PR relates to a bug.
  • cloud
  • collection:amazon.aws
  • collection: Related to Ansible Collections work
  • has_pr: This issue has an associated PR.
  • module: This issue/PR relates to a module.
  • needs_collection_redirect: https://github.com/ansible/ansibullbot/blob/master/docs/collection_migration.md
  • support:community: This issue/PR relates to code supported by the Ansible community.

Comments

@luqasz
Contributor

luqasz commented Oct 13, 2017

ISSUE TYPE

  • Bug Report

COMPONENT NAME

ec2_group

ANSIBLE VERSION

2.4.0.0

CONFIGURATION

ANSIBLE_PIPELINING(/Users/lkostka/devbox/prov/ansible.cfg) = True
ANSIBLE_SSH_ARGS(env: ANSIBLE_SSH_ARGS) =
DEFAULT_CALLBACK_PLUGIN_PATH(/Users/lkostka/devbox/prov/ansible.cfg) = [u'/Users/lkostka/devbox/prov/callbacks']
DEFAULT_FILTER_PLUGIN_PATH(/Users/lkostka/devbox/prov/ansible.cfg) = [u'/Users/lkostka/devbox/prov/filters']
DEFAULT_FORKS(/Users/lkostka/devbox/prov/ansible.cfg) = 40
DEFAULT_LOOKUP_PLUGIN_PATH(/Users/lkostka/devbox/prov/ansible.cfg) = [u'/Users/lkostka/devbox/prov/lookups']
DEFAULT_MODULE_PATH(/Users/lkostka/devbox/prov/ansible.cfg) = [u'/Users/lkostka/devbox/prov/modules']
DEFAULT_SCP_IF_SSH(/Users/lkostka/devbox/prov/ansible.cfg) = true
DEFAULT_TRANSPORT(/Users/lkostka/devbox/prov/ansible.cfg) = ssh
DEPRECATION_WARNINGS(/Users/lkostka/devbox/prov/ansible.cfg) = True
RETRY_FILES_ENABLED(/Users/lkostka/devbox/prov/ansible.cfg) = False

OS / ENVIRONMENT

Mac OS X. Same problem on Ubuntu 17.04.

SUMMARY

In the case where an EC2 security group configuration is attempted with a description which does not match a currently existing security group with the same name, Ansible now aborts where previously it used to ignore the situation. The bug was reported in a different issue, #23602, for a different version.

STEPS TO REPRODUCE

  • Create security group "abc" with description "def".
  • Tell Ansible to create "abc" with description "ghi".
  • Try on 2.3: no complaint. Try on 2.4: fails.

EXPECTED RESULTS

Module should not fail when description in ansible does not match that in AWS.

ACTUAL RESULTS

Group description does not match existing group. ec2_group does not support this case.

@ansibot
Contributor

ansibot commented Oct 13, 2017

cc @adq

@ansibot ansibot added affects_2.4 This issue/PR affects Ansible v2.4 aws bug_report cloud module This issue/PR relates to a module. needs_triage Needs a first human triage before being processed. support:core This issue/PR relates to code supported by the Ansible Engineering Team. labels Oct 13, 2017
@s-hertel s-hertel removed the needs_triage Needs a first human triage before being processed. label Oct 13, 2017
nomarek added a commit to nomarek/ansible that referenced this issue Oct 14, 2017
nomarek added a commit to nomarek/ansible that referenced this issue Oct 14, 2017
s-hertel pushed a commit that referenced this issue Oct 18, 2017
* ec2_group: do not fail on description mismatch (#31704)

* ec2_group: do not fail on description mismatch (#31704) - fix test case
@fishfacemcgee

It looks like the fix is targeting 2.5. Is there any chance it'll come to 2.4.x or should we just plan to work around it until 2.5's released?

@ansibot
Contributor

ansibot commented Nov 23, 2017

@ansibot ansibot added bug This issue/PR relates to a bug. and removed bug_report labels Mar 1, 2018
@ElijahLynn
Contributor

ElijahLynn commented Jun 28, 2018

update-security-group-rule-descriptions-ingress and update-security-group-rule-descriptions-egress are available now. We should be able to get this into Ansible somehow, without deleting/recreating the security groups.

source: https://aws.amazon.com/blogs/aws/new-descriptions-for-security-group-rules/ (Aug 31st, 2017)

@ElijahLynn
Contributor

Blargh, I totally misread that, those are just for rules (which is awesome BTW), but looks like updating a SG description is still not changeable.

@ElijahLynn
Contributor

I am thinking that now with rule descriptions, maybe a best practice is to just not use a SG description at all, and just use rule descriptions since they are updateable.

@ryansb
Contributor

ryansb commented Jul 2, 2018

I don't think that Ansible should be taking a stance on that. Rule descriptions and group descriptions have different purposes. Rule descriptions are generally used to describe the reason for the ingress/egress rule, where group descriptions tend to be more for the purpose of the group itself, such as "Group for production webapp servers in the FooBar service".

In theory, there isn't a reason to change the purpose of a security group so that's one of the reasons AWS hasn't enabled editing for group descriptions. If the purpose changes, you are "supposed to" create a new group and update your resources to use the new one. We've remedied the immediate problem (the module failing if the group description is mismatched), but the broader issue on the AWS side is out of our control.
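
The behaviour the thread converges on (a description mismatch is reported but does not block rule reconciliation, and rule descriptions are updated in place) can be sketched as follows. This is an added example, not part of the thread and not code from the ec2_group module: `flatten` and `plan_ingress` are hypothetical helpers, the dictionaries are constructed sample data using the field names of the EC2 DescribeSecurityGroups response, and only ingress CIDR rules are handled.

```python
# Added example: reconcile ingress rules without failing on the group description.
# EXISTING / DESIRED are constructed sample data shaped like DescribeSecurityGroups output.
EXISTING = {"GroupName": "abc", "Description": "def", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/8", "Description": "internal https"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}
DESIRED = {"GroupName": "abc", "Description": "ghi", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/8", "Description": "https from VPC"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "192.0.2.0/24", "Description": "ssh from bastion"}]},
]}


def flatten(permissions):
    """Map (protocol, from_port, to_port, cidr) -> rule description."""
    rules = {}
    for perm in permissions:
        for ip_range in perm.get("IpRanges", []):
            key = (perm["IpProtocol"], perm.get("FromPort", -1),
                   perm.get("ToPort", -1), ip_range["CidrIp"])
            rules[key] = ip_range.get("Description", "")
    return rules


def plan_ingress(existing, desired):
    """Return (actions, warnings) that move `existing` towards `desired`."""
    actions, warnings = [], []
    if existing["Description"] != desired["Description"]:
        # The group description cannot be edited: report the drift, keep going.
        warnings.append("description mismatch on %s: %r != %r (not updatable)" % (
            existing["GroupName"], existing["Description"], desired["Description"]))
    have = flatten(existing["IpPermissions"])
    want = flatten(desired["IpPermissions"])
    for key in sorted(want.keys() - have.keys()):
        actions.append(("authorize-security-group-ingress", key))
    for key in sorted(have.keys() - want.keys()):
        actions.append(("revoke-security-group-ingress", key))
    for key in sorted(want.keys() & have.keys()):
        if want[key] != have[key]:  # same rule, only its description changed
            actions.append(("update-security-group-rule-descriptions-ingress", key))
    return actions, warnings


if __name__ == "__main__":
    for item in sum(plan_ingress(EXISTING, DESIRED), []):
        print(item)
```

With the sample data, the open SSH rule is still revoked even though the group description differs, which is the practical cost of aborting on the mismatch: rule drift would otherwise stay unremediated.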

@ansibot ansibot added the has_pr This issue has an associated PR. label Jul 27, 2019
@ansibot
Contributor

ansibot commented Jan 31, 2020

@ansibot ansibot added collection Related to Ansible Collections work collection:amazon.aws needs_collection_redirect https://github.com/ansible/ansibullbot/blob/master/docs/collection_migration.md and removed support:core This issue/PR relates to code supported by the Ansible Engineering Team. labels Apr 29, 2020
@ansibot ansibot added the support:community This issue/PR relates to code supported by the Ansible community. label Apr 29, 2020
@ansibot
Contributor

ansibot commented Aug 16, 2020

Thank you very much for your interest in Ansible. Ansible has migrated much of the content into separate repositories to allow for more rapid, independent development. We are closing this issue/PR because this content has been moved to one or more collection repositories.

For further information, please see:
https://github.com/ansible/ansibullbot/blob/master/docs/collection_migration.md

@ansibot ansibot closed this as completed Aug 16, 2020
@ansible ansible locked and limited conversation to collaborators Sep 13, 2020