Enable cert updates #50
Conversation
| # necessarily a problem | ||
| logging.info("ELB::set_ssl_certificates: " | ||
| "No load balancers found in stack, " | ||
| "no certificate updates needed") |
There was a problem hiding this comment.
This probably be a warning or an error - the user has requested something to be updated that couldn't be. This also means we should likely return a non-0 exit code.
There was a problem hiding this comment.
I was going to throw an exception here to allow the caller to deal with there being no elbs or ignoring, exiting seems a little strict?
|
Can you also rebase this into a small number of commits? In this case probably just 1. |
sevenmachines
force-pushed
the
enable_cert_updates
branch
2 times, most recently
from
5eab969
to
1ee7124
Compare
|
@niallcreech Travis is reporting that the tests are failing Did you change the API here perhaps? |
|
Yep, I'm on it. its not the API, delete checks to see if the cert exists. I'm setting up the test to mock the call to list_server_certs. |
sevenmachines
force-pushed
the
enable_cert_updates
branch
from
1ee7124
to
a15ee7f
Compare
Now expanding tests to cover update_certs fab_task |
sevenmachines
force-pushed
the
enable_cert_updates
branch
3 times, most recently
from
3f096af
to
9e63a10
Compare
|
Need to fill out the test cases then hopefully done |
sevenmachines
force-pushed
the
enable_cert_updates
branch
from
9e63a10
to
d604429
Compare
|
Added more test cases, hopefully ready for review |
| Also handle settings the certificates on ELB's | ||
| """ | ||
| if verbose: | ||
| logging.basicConfig(level=logging.INFO) |
There was a problem hiding this comment.
Rather than setting a flag called verbose here, it would be better to just use the logger with different levels. Like logging.info when you want it to appear for everyone and logging.debug when you want it only if the verbosity is increased. Then we can set the level globally in the fabfile maybe?
|
sevenmachines
force-pushed
the
enable_cert_updates
branch
from
8960c4c
to
54f1243
Compare
|
Not sure about some of this 'forcing' logic |
| load_balancer_resources = self.cfn.get_stack_load_balancers(stack_name) | ||
| found_load_balancer_names = [lb.physical_resource_id for lb in load_balancer_resources] | ||
| # Use load balancer names to filter gettingload balancer details | ||
| if len(found_load_balancer_names) > 0: |
There was a problem hiding this comment.
think we might want load_balancers=[] here or in the else block because if this is not true the next if statement will fail (if I'm reading it right).
|
@niallcreech and I have just had a good chat about this. Two things we thought of:
|
|
This is a massive PR, I have no idea where to start |
|
Mostly covered with Matt yesterday, I’ve got a couple of small changes to make but unfortunately I’ve no internet until the afternoon. Press on with any bootstrap work you’re doing, I’ll fix this up around it once you’re finished |
sevenmachines
force-pushed
the
enable_cert_updates
branch
2 times, most recently
from
0ef9337
to
ebe625b
Compare
|
|
Will need to wait until trim_the_fat has been merged and see how rebasey this will be before moving to review |
|
Cool, thanks @niallcreech I've got my fingers crossed with the git gods that it won't be too conflicty 😄 |
Created a fab task to update certificates on a stack. Checks are carried out to see if the current local and remote certificates are the same,
if not the certificates are uploaded and and load balancers with certificates in the stack will be updated
fab_tasks:
- Create a fab task update_certs to update the ssl certificates from the config
- Small delay between updating certificates on instances and load balancer to avoid setting the load balancer cert when ARN is available but the
certificate is not properly registered
iam:
- Added getting an arn from a certificate name to the IAM class.
- Simplify getting an arn for certs using boto get_server_certificate
- Handle exceptions when trying to delete/upload a certificate
- Simplify upload ssl logic to error on trying to update a missing
certificate
elb:
- Create an ELB class to handle interaction with the stacks load balancers.
- Throw an exception if we try to set certs on elbs when none are defined in the config
cloudformation:
- Added utility method to get a list of load balancers for the stack
test_iam:
- Added test cases to cover noew iam things
sevenmachines
force-pushed
the
enable_cert_updates
branch
from
ebe625b
to
70de16a
Compare
|
I'd say this looks good now. Anyone else want to comment before I merge? |
When we change the certificate in our cloud formation config we want a way to update the certificates on instances, and to set these certificates on any https load balancers on the stack.
This patch creates a fab_task update_certs() to carry out both of these tasks, first removing/adding the certificates using IAM, then using a simple ELB class to set_ssl_certificates() on any https listeners on the stacks load_balancers