ec2_instance: Removed nested role structure in tests #56313

Open
wants to merge 13 commits into
base: devel
from

3 participants
@Shaps
Contributor

commented May 10, 2019

SUMMARY

This should make it possible for the tests to run in CI

ISSUE TYPE
  • Test Pull Request
COMPONENT NAME

ec2_instance

@Shaps Shaps changed the title ec2_instance Removed nested role structure in tests ec2_instance: Removed nested role structure in tests May 10, 2019

@Shaps

Contributor Author

commented May 11, 2019

/cc @s-hertel
I'd appreciate your feedback on this

@Shaps Shaps closed this May 14, 2019

@Shaps Shaps reopened this May 14, 2019

@Shaps Shaps closed this May 17, 2019

@Shaps Shaps reopened this May 17, 2019

@Shaps Shaps force-pushed the Shaps:ec2_instance_tests_support branch from 6da965f to 3682ac2 May 17, 2019

@mattclay

Member

commented May 20, 2019

@Shaps Now that permissions have been updated the tests are failing for a different reason:

https://app.shippable.com/github/ansible/ansible/runs/123645/102/console

09:56 TASK [ec2_instance : remove the VPC] *******************************************
10:53 An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ClientError: An error occurred (DependencyViolation) when calling the DeleteVpc operation: The vpc 'vpc-03be842359c4e9433' has dependencies and cannot be deleted.

@ansibot ansibot removed the ci_verified label May 20, 2019

@Shaps

Contributor Author

commented May 21, 2019

@mattclay Thanks for looking at this. I have updated the tests to wait for the termination_protected instance and that now worked (that was the initial issue, the issue you have pasted happens because of it when CI re-runs the tests in -vvvv mode). There are now 2 new missing permissions - ec2:AttachNetworkInterface which causes the following

02:39 An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ClientError: An error occurred (UnauthorizedOperation) when calling the AttachNetworkInterface operation: You are not authorized to perform this operation.
02:39 fatal: [localhost]: FAILED! => {"attempts": 10, "boto3_version": "1.7.15", "botocore_version": "1.12.152", "changed": false, "error": {"code": "UnauthorizedOperation", "message": "You are not authorized to perform this operation."}, "msg": "Failed to handle existing instances i-00a10fcc21eb5aff3: An error occurred (UnauthorizedOperation) when calling the AttachNetworkInterface operation: You are not authorized to perform this operation.", "resource_actions": ["ec2:DescribeInstances", "ec2:AttachNetworkInterface"], "response_metadata": {"http_headers": {"date": "Mon, 20 May 2019 22:51:30 GMT", "server": "AmazonEC2", "transfer-encoding": "chunked"}, "http_status_code": 403, "request_id": "d8b8a6d5-cc8c-4074-9e2d-073059fd2814", "retry_attempts": 0}}
02:39 ...ignoring

I have raised #27 to fix this.

The next issue is when it tries to create an instance profile, for which it doesn't have permission. I'm not sure we want iam:CreateRole added to the policies so I have not raised a PR for that yet, let me know if you're happy with it and can either add it to the current open PR or create a new one, following the error

06:03 TASK [ec2_instance : Create IAM role for test] *********************************
06:03 task path: /root/.ansible/test/tmp/ec2_instance-IdPM0c-ÅÑŚÌβŁÈ/test/integration/targets/ec2_instance/tasks/iam_instance_role.yml:11
06:04 An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ClientError: An error occurred (AccessDenied) when calling the CreateRole operation: User: arn:aws:sts::966509639900:assumed-role/ansible-core-ci-test-prod/prod=shippable=ansible=ansible=123680.102 is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::966509639900:role/shippable-123680-102-test-policy
06:04 fatal: [localhost]: FAILED! => {"changed": false, "error": {"code": "AccessDenied", "message": "User: arn:aws:sts::966509639900:assumed-role/ansible-core-ci-test-prod/prod=shippable=ansible=ansible=123680.102 is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::966509639900:role/shippable-123680-102-test-policy", "type": "Sender"}, "msg": "Unable to create role: An error occurred (AccessDenied) when calling the CreateRole operation: User: arn:aws:sts::966509639900:assumed-role/ansible-core-ci-test-prod/prod=shippable=ansible=ansible=123680.102 is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::966509639900:role/shippable-123680-102-test-policy", "resource_actions": ["iam:CreateRole", "iam:ListPolicies", "iam:GetRole"], "response_metadata": {"http_headers": {"content-length": "478", "content-type": "text/xml", "date": "Mon, 20 May 2019 22:54:55 GMT", "x-amzn-requestid": "4986da6c-7b52-11e9-aa3b-6f9784e2e5f5"}, "http_status_code": 403, "request_id": "4986da6c-7b52-11e9-aa3b-6f9784e2e5f5", "retry_attempts": 0}}
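
Added example, not part of this PR or of the Ansible test suite: a small Python triage script that reads CI console output of the shape quoted in this thread and lists the IAM actions the test role was denied, marking the ones that deserve a closer look before being added to the CI policy. The sample log is constructed (shortened from the lines above, with one non-authorization failure added), and the `REVIEW_SERVICES` set and function name are assumptions of this example.

```python
import json
import re

# Constructed sample: shortened console lines modelled on the output quoted in this thread.
SAMPLE_LOG = r'''
02:39 fatal: [localhost]: FAILED! => {"attempts": 10, "changed": false, "error": {"code": "UnauthorizedOperation", "message": "You are not authorized to perform this operation."}, "msg": "Failed to handle existing instances i-EXAMPLE: An error occurred (UnauthorizedOperation) when calling the AttachNetworkInterface operation: You are not authorized to perform this operation.", "resource_actions": ["ec2:DescribeInstances", "ec2:AttachNetworkInterface"]}
02:39 ...ignoring
06:04 fatal: [localhost]: FAILED! => {"changed": false, "error": {"code": "AccessDenied", "message": "not authorized"}, "msg": "Unable to create role: An error occurred (AccessDenied) when calling the CreateRole operation: not authorized", "resource_actions": ["iam:CreateRole", "iam:ListPolicies", "iam:GetRole"]}
09:56 fatal: [localhost]: FAILED! => {"changed": false, "error": {"code": "DependencyViolation"}, "msg": "An error occurred (DependencyViolation) when calling the DeleteVpc operation: has dependencies", "resource_actions": ["ec2:DeleteVpc"]}
'''

# Error codes AWS returns when the caller lacks permission for the call.
DENIED_CODES = {"UnauthorizedOperation", "AccessDenied"}
FAILED_RE = re.compile(r"FAILED! => (\{.*\})\s*$")
OPERATION_RE = re.compile(r"when calling the (\w+) operation")
# Assumption of this example: services whose write actions can change who holds
# which privileges, so a grant should be scoped and reviewed rather than added as-is.
REVIEW_SERVICES = {"iam", "sts", "organizations"}


def denied_actions(log_text):
    """Return {action: needs_review} for each authorization failure in the log."""
    found = {}
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if not match:
            continue
        try:
            result = json.loads(match.group(1))
        except json.JSONDecodeError:
            continue  # truncated or wrapped console line
        if result.get("error", {}).get("code") not in DENIED_CODES:
            continue  # failed for another reason, e.g. DependencyViolation
        operation = OPERATION_RE.search(result.get("msg", ""))
        if not operation:
            continue
        # resource_actions lists every call the module made; keep only the denied one.
        for action in result.get("resource_actions", []):
            service, _, name = action.partition(":")
            if name == operation.group(1):
                found[action] = service in REVIEW_SERVICES
    return found


if __name__ == "__main__":
    for action, review in sorted(denied_actions(SAMPLE_LOG).items()):
        print(action, "(review before granting)" if review else "")
```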