Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

iam_role : support managing max session duration and deleting the instance profile it creates #62014

Merged
merged 7 commits into from
Sep 20, 2019
Merged

iam_role : support managing max session duration and deleting the instance profile it creates #62014

merged 7 commits into from
Sep 20, 2019

Conversation

tremble
Copy link
Contributor

@tremble tremble commented Sep 9, 2019
edited

SUMMARY

Add support for managing max session duration and deleting the instance profile we create

Additionally add a test suite for iam_role and iam_role_info

  • Split from basic testing in sts_assume_role
  • More comprehensive iam_role tests
  • iam_role_info tests
ISSUE TYPE
  • Feature Pull Request
COMPONENT NAME

lib/ansible/modules/cloud/amazon/iam_role.py
lib/ansible/modules/cloud/amazon/iam_role_info.py

ADDITIONAL INFORMATION

@ansibot
Copy link
Contributor

ansibot commented Sep 9, 2019

cc @bekelchik @piontas @wimnat
click here for bot help

@ansibot ansibot added WIP This issue/PR is a work in progress. Nevertheless it was shared for getting input from peers. affects_2.10 This issue/PR affects Ansible v2.10 cloud feature This issue/PR relates to a feature request. needs_triage Needs a first human triage before being processed. support:community This issue/PR relates to code supported by the Ansible community. aws module This issue/PR relates to a module. support:core This issue/PR relates to code supported by the Ansible Engineering Team. labels Sep 9, 2019
@ansibot

This comment has been minimized.

Sign in to view
@ansibot ansibot added the ci_verified Changes made in this PR are causing tests to fail. label Sep 10, 2019
@ansibot ansibot removed the ci_verified Changes made in this PR are causing tests to fail. label Sep 10, 2019
@ansibot

This comment has been minimized.

Sign in to view
@ansibot ansibot added the ci_verified Changes made in this PR are causing tests to fail. label Sep 12, 2019
@ansibot ansibot removed the ci_verified Changes made in this PR are causing tests to fail. label Sep 12, 2019
@tremble tremble mentioned this pull request Sep 13, 2019
Closed
@tremble tremble changed the title WIP: iam_role iam_role_info tests and support managing max session duration iam_role : support managing max session duration and deleting the instance profile it creates Sep 13, 2019
@ansibot ansibot added core_review In order to be merged, this PR must follow the core review workflow. has_issue and removed WIP This issue/PR is a work in progress. Nevertheless it was shared for getting input from peers. labels Sep 13, 2019
tremble added a commit to tremble/ansible that referenced this pull request Sep 13, 2019
@tremble
iam_role : ansible#62014 Changelog
566168c
tremble added a commit to tremble/ansible that referenced this pull request Sep 13, 2019
@tremble
iam_role : ansible#62014 Changelog
3389368
@tremble
Copy link
Contributor Author

tremble commented Sep 14, 2019

Note: While this should possibly be split up into multiple PRs, I chose not to for the following reasons:

  1. The change I actually wanted was supporting managing MaxSessionDuration
  2. While writing the remaining test cases I ran into weird issues if the instance profiles weren't cleaned up, specifically because the roles had the same name but different paths. Hence the addition of support for removing the instance policy we create.
  3. Because of the lack of existing (comprehensive) test suite the new features would need to depend on the test suite PRs and I'd end up rebasing over and over.

@sivel sivel removed the needs_triage Needs a first human triage before being processed. label Sep 17, 2019
@gundalow gundalow added the pr_day Has been reviewed during a PR review Day label Sep 19, 2019
jillr
jillr reviewed Sep 19, 2019
View reviewed changes
Copy link
Contributor

@jillr jillr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall this lgtm, a few very minor notes. Thank you so much for all these tests @tremble!

lib/ansible/modules/cloud/amazon/iam_role.py Outdated Show resolved Hide resolved
test/integration/targets/iam_role/tasks/main.yml Outdated Show resolved Hide resolved
test/integration/targets/iam_role/tasks/main.yml Show resolved Hide resolved
test/integration/targets/iam_role/tasks/main.yml
- iam_role is changed
- name: Short pause for role creation to finish
pause:
seconds: 10
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This pause shouldn't be necessary in check mode.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd put the sleep in there to allow for the case of check_mode not being honoured and there being a delay before the role showed up. I don't mind removing it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jillr I've made the pauses optional. Interestingly I've not hit any issues yet, maybe something's been slowed down just enough, so I'm tempted to leave them all disabled.

If we remove the 'unsupported' flag we can keep an eye open for flakes and re-enable them easily.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the pauses on the cases we expect to do real work are fine, if we can get this test suite supported I'd definitely want them disabled on the check mode tests but happy to leave them off everywhere and see how it goes. If check mode actually makes changes that's a bug, so the risk of that bug is preferable to having every CI run take longer.

test/integration/targets/iam_role/tasks/main.yml Outdated Show resolved Hide resolved
test/integration/targets/iam_role/tasks/main.yml Outdated Show resolved Hide resolved
test/integration/targets/iam_role/tasks/main.yml Show resolved Hide resolved
test/integration/targets/iam_role/tasks/main.yml Show resolved Hide resolved
test/integration/targets/iam_role/tasks/main.yml
# Inline Policy (test _info behaviour)

# XXX Not sure if it's a bug in Ansible or a "quirk" of AWS, but these two
# policies need to have at least different Sids or the second doesn't show
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The console will let me have both of these policies with the same Sid and the docs suggest uniqueness is only required within a single JSON doc so I'm going to assume it's something we're doing. Do you think this is worth a bug to investigate? My inclination is that it's still less than desirable to duplicate Sids but I could be overlooking some use case.

Copy link
Contributor Author

@tremble tremble Sep 20, 2019
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After taking a quick look at the iam_policy code, I'm inclined to suspect it's a bug in iam_policy. Possibly one we've had for a while: #30071 (comment)

Copy link
Contributor Author

@tremble tremble Sep 21, 2019
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ergh, FYI, not a bug just annoying default behaviour:

skip_duplicates:
By default the module looks for any policies that match the document you pass in, if there is a match it will not make a new policy object with the same rules. You can override this by specifying false which would allow for two policy objects with different names but same rules.

test/integration/targets/iam_role/tasks/main.yml Outdated
# Cleanup

# XXX iam_role fails to remove inline policies before deleting the role
- name: 'Attach inline policy a'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- name: 'Attach inline policy a'
- name: 'Detach inline policy a'

And below

tremble added a commit to tremble/ansible that referenced this pull request Sep 20, 2019
@tremble
iam_role : ansible#62014 Changelog
5101e44
@tremble
iam_role: (integration tests) Split iam_role integration tests from s…
aaf6871 
…ts_assume_role tests

- Make the iam_role tests more comprehensive
- Add tests for iam_role_info
tremble added a commit to tremble/ansible that referenced this pull request Sep 20, 2019
@tremble
iam_role : ansible#62014 Changelog
bb6c47b
@tremble
iam_role: (integration tests) Make some of our pauses optional
aa903c7 
If the tests appear to be flakey we may need to enable standard_pauses
@tremble
iam_role : ansible#62014 Changelog
04400c0
jillr
jillr approved these changes Sep 20, 2019
View reviewed changes
Copy link
Contributor

@jillr jillr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tests are passing, thanks again!

@jillr jillr merged commit 40660e7 into ansible:devel Sep 20, 2019
anas-shami pushed a commit to anas-shami/ansible that referenced this pull request Sep 23, 2019
@tremble @anas-shami
iam_role : support managing max session duration and deleting the ins…
7124ea1 
…tance profile it creates (ansible#62014)

* iam_role: Add support for managing MaxSessionDuration

* iam_role: Add support for deleting the IAM Instance Profiles we created

* iam_role: migrate all boto failures to fail_json_aws for consistency

* iam_role: test validity of path so we can throw a more understandable error

* iam_role: (integration tests) Split iam_role integration tests from sts_assume_role tests

- Make the iam_role tests more comprehensive
- Add tests for iam_role_info

* iam_role: (integration tests) Make some of our pauses optional

If the tests appear to be flakey we may need to enable standard_pauses
@tremble tremble deleted the role_sessions branch October 8, 2019 08:08
@ansible ansible locked and limited conversation to collaborators Oct 22, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@jillr jillr jillr approved these changes

Assignees
No one assigned
Labels
affects_2.10 This issue/PR affects Ansible v2.10 aws cloud core_review In order to be merged, this PR must follow the core review workflow. feature This issue/PR relates to a feature request. has_issue module This issue/PR relates to a module. pr_day Has been reviewed during a PR review Day support:community This issue/PR relates to code supported by the Ansible community. support:core This issue/PR relates to code supported by the Ansible Engineering Team.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@tremble @ansibot @jillr @sivel @gundalow