Fix/ssm bucket auth #854
Conversation
(cherry picked from commit 663567d)
tests/integration/targets/connection_aws_ssm/aws_ssm_integration_test_setup/tasks/main.yml
@@ -21,6 +21,7 @@ aws_ssm_linux | |||
[aws_ssm:vars] | |||
ansible_connection=community.aws.aws_ssm | |||
ansible_aws_ssm_bucket_name={{s3_bucket_name}} | |||
ansible_aws_ssm_bucket_region={{s3_bucket_region}} |
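Review bot: `ansible_aws_ssm_bucket_region={{s3_bucket_region}}` only exercises the fix if `s3_bucket_region` resolves to a region different from the one the test instance runs in; the other hunk of this PR sets `s3_bucket_name` in `defaults/main.yml`, but no `s3_bucket_region` default is visible in this diff, so either define it there (deliberately not the instance's region) or confirm where it is set, otherwise the template renders empty, the plugin falls back to the previous behaviour, and the test passes without covering the cross-region case it is meant to cover.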
Most important part for integration test
tests/integration/targets/connection_aws_ssm/aws_ssm_integration_test_setup/defaults/main.yml
@@ -7,4 +7,5 @@ windows_ami_name: Windows_Server-2019-English-Full-Base-* | |||
# see: | |||
# - https://github.com/mattclay/aws-terminator/pull/181 | |||
# - https://github.com/ansible-collections/community.aws/pull/763 | |||
s3_bucket_name: ssm-encrypted-test-bucket | |||
s3_bucket_name: "{{ tiny_prefix }}-ssm-encrypted-test-bucket" |
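Review bot: replacing the fixed `ssm-encrypted-test-bucket` with `"{{ tiny_prefix }}-ssm-encrypted-test-bucket"` contradicts the comment directly above it, which points at mattclay/aws-terminator#181 and #763 as the reason the name is fixed: per the review thread on this hunk, that bucket is a permanent, pre-created encrypted bucket, so a per-run prefixed name means the setup tasks must now create (and the teardown must delete) an encrypted bucket on every run. Either keep the fixed name or update the comment and the setup/teardown tasks in the same change so the two do not disagree.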
@gillg Thank you for working on this. ssm-encrypted-test-bucket has been added in this PR #763 (comment) since it is an encrypted bucket requiring up to ~24 hours to be created (we have to use a permanent one). At the moment, the integration tests of the aws_ssm connection plugin have also been disabled because of other issues. Please have a look at this PR #763 for the history.
@jillr can you confirm please?
24h to create a bucket 😨 !? I'm surprised, but why not.
Don't you think it could be more relevant to create an unencrypted bucket by default, but add a resource policy to ensure "PUT" commands force encryption? Because if you enable encryption in the bucket properties, that means your objects will be encrypted by default even if you don't ask for it. But that doesn't seem to be the use case of the SSM plugin, where we explicitly ask to encrypt new objects.
If there is no workaround, what would be the next steps? Do we assume we skip integration tests for this plugin for now?
Just in case... I tested it locally in my context 😅
In the meantime I am trying to work on other PRs, because I am using this plugin for the first time and I prefer to make it stable and close all the PRs that have been pending for almost 1 year.
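The bucket-policy approach floated in the comment above, as an added example that is not code from this PR or from the community.aws project: the bucket keeps default encryption off, but a resource policy denies any `s3:PutObject` that does not carry a valid `x-amz-server-side-encryption` header, so only callers that explicitly request encryption (as the SSM plugin does) can write. The bucket name and the accepted SSE values (`AES256`, `aws:kms`) are assumptions; `put_is_denied` is a small offline simulator of the two Deny conditions, not an IAM evaluator.

```python
"""Added example (not from community.aws): enforce SSE on PUT via bucket policy.

Two Deny statements are needed because StringNotEquals does not match when the
header is absent; the Null condition covers that case.
"""
import json

SSE_KEY = "s3:x-amz-server-side-encryption"
ALLOWED_SSE = ["AES256", "aws:kms"]  # assumption: the SSE modes the plugin may request


def sse_enforcing_policy(bucket_name):
    """Return a bucket policy that denies unencrypted or unknown-SSE PutObject calls."""
    objects_arn = f"arn:aws:s3:::{bucket_name}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyPutWithoutSSEHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects_arn,
                "Condition": {"Null": {SSE_KEY: "true"}},
            },
            {
                "Sid": "DenyPutWithUnknownSSE",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects_arn,
                "Condition": {"StringNotEquals": {SSE_KEY: ALLOWED_SSE}},
            },
        ],
    }


def put_is_denied(policy, request_headers):
    """Simulate whether a PutObject with these headers hits a Deny statement.

    Only the Null and StringNotEquals operators on the SSE key are modelled,
    following IAM semantics: Null matches when the key is absent, and
    StringNotEquals only matches when the key is present with another value.
    """
    value = request_headers.get("x-amz-server-side-encryption")
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        cond = stmt["Condition"]
        if "Null" in cond and cond["Null"].get(SSE_KEY) == "true" and value is None:
            return True
        if "StringNotEquals" in cond:
            allowed = cond["StringNotEquals"].get(SSE_KEY, [])
            if value is not None and value not in allowed:
                return True
    return False


if __name__ == "__main__":
    # Constructed sample: a placeholder bucket name and three candidate uploads.
    policy = sse_enforcing_policy("example-ssm-transfer-bucket")
    print(json.dumps(policy, indent=2))
    for headers in ({}, {"x-amz-server-side-encryption": "AES256"},
                    {"x-amz-server-side-encryption": "none"}):
        print(headers, "->", "DENIED" if put_is_denied(policy, headers) else "allowed")
```

Attach the policy with `put_bucket_policy` (or the `amazon.aws.s3_bucket` module's `policy` parameter) on the test bucket; the SSM plugin's own uploads, which set the SSE header, pass, while an accidental plain upload from another tool is refused rather than silently stored in clear.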
Please take care of this PR. I think #705 should not be closed yet.
I tested with your PRs, so you need to think about #786, and I think you can merge that into this PR.
Both PRs were independent and for 2 different things. I can merge them together, but I was not sure about the maintainers' opinion.
@alinabuzachis waiting for your comment.
Hi @Hokwang @gillg - if this PR requires the changes from #786, then we can have this PR depend on it prior to merging (see #1078 (comment) for correct formatting)
@gillg @Hokwang I apologise for the delay, but I completely missed these mentions. I guess we can keep the PRs separate. BTW, we need to test them locally since aws_ssm integration tests are disabled for the moment.
Hi guys, any idea when we can have this fix merged? This issue really prevents us from using the SSM connection plugin across multiple regions.
@alinabuzachis Please take care of all issues regarding aws_ssm.
Thanks for taking the time to open this PR, and I'm sorry it's taken so long for us to deal with this. With #1428 the plugin now explicitly asks S3 which region a bucket's in and uses that. This should solve the issues you've been seeing. In some cases it may also be necessary to use #1633 to set the addressing style to 'virtual'.
SUMMARY
Duplicates stale #603 (I can't contribute directly on it)
When using SSM to connect to systems in AWS, it is required that we utilize an S3 bucket to transfer files from the source to the destination server. When the bucket resides in a different region than the destination server, the wrong S3 endpoint is selected. This adds a new configuration value, ansible_aws_ssm_bucket_region, to allow the S3 bucket's region to be set directly, allowing the transfer to occur as expected.
This prevents bugs like the following, if you use an inventory like the one below where the region of the EC2 instance is dynamic inside the account.
ISSUE TYPE
COMPONENT NAME
plugins/connection/aws_ssm.py
Next improvement
Add 4 new vars
ansible_aws_ssm_bucket_[profile|access_key_id|secret_access_key|session_token]
to allow a single bucket shared across multiple accounts or located in a central place.
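How the bucket's region can be resolved so the right S3 endpoint is used, as an added example that is not the plugin's own code (plugins/connection/aws_ssm.py) and makes no AWS calls: the explicit ansible_aws_ssm_bucket_region option wins, then the region S3 itself reports for the bucket (the approach the maintainers describe for the later #1428), and only then the instance's own region, which is the fallback that picked the wrong endpoint in the bug this PR describes. The GetBucketLocation quirks (empty constraint meaning us-east-1, legacy `EU` meaning eu-west-1) are real S3 behaviour; the sample hosts and bucket are constructed.

```python
"""Added example (not from community.aws): pick the S3 region for the SSM
transfer bucket, then build the endpoint, so a region mismatch is visible.
"""

# Constructed sample inventory: one shared bucket, instances in two regions.
SAMPLE_BUCKET = "example-shared-ssm-bucket"  # placeholder name
SAMPLE_HOSTS = [
    {"name": "web-use2", "instance_region": "us-east-2", "bucket_region": "eu-west-1"},
    {"name": "db-euw1", "instance_region": "eu-west-1", "bucket_region": None},
]
# Constructed stand-in for a GetBucketLocation response for SAMPLE_BUCKET.
SAMPLE_BUCKET_LOCATION = {"LocationConstraint": "EU"}


def normalize_location_constraint(constraint):
    """Map GetBucketLocation's LocationConstraint to a usable region name."""
    if not constraint:        # None / '' is how S3 reports us-east-1
        return "us-east-1"
    if constraint == "EU":    # legacy value for buckets created in eu-west-1
        return "eu-west-1"
    return constraint


def resolve_bucket_region(option_region, bucket_location, instance_region):
    """Precedence: explicit option > region reported by S3 > instance region.

    bucket_location is a GetBucketLocation-style dict or None when the lookup
    was not made (e.g. the caller lacks s3:GetBucketLocation on the bucket).
    """
    if option_region:
        return option_region
    if bucket_location is not None:
        return normalize_location_constraint(bucket_location.get("LocationConstraint"))
    return instance_region


def s3_endpoint(bucket, region, addressing="virtual"):
    """Regional S3 endpoint for the bucket, virtual-hosted or path style."""
    host = f"s3.{region}.amazonaws.com"
    if addressing == "virtual":
        return f"https://{bucket}.{host}"
    return f"https://{host}/{bucket}"


def endpoint_for_host(host, bucket=SAMPLE_BUCKET, bucket_location=None):
    """Endpoint the plugin should sign requests against for one inventory host."""
    region = resolve_bucket_region(host["bucket_region"], bucket_location,
                                   host["instance_region"])
    return s3_endpoint(bucket, region)


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        # Without the option and without asking S3, the fallback is the
        # instance region: correct for db-euw1, wrong for web-use2 (a request
        # signed for us-east-2 against an eu-west-1 bucket is rejected by S3).
        naive = endpoint_for_host(dict(host, bucket_region=None))
        fixed = endpoint_for_host(host, bucket_location=SAMPLE_BUCKET_LOCATION)
        print(f"{host['name']}: instance-region fallback={naive}  resolved={fixed}")
```

For the dynamic-inventory case in the summary, setting `ansible_aws_ssm_bucket_region` once at group level (as the integration-test inventory hunk does) is enough, because the option is checked before the per-host instance region.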