feat: support for StackPolicyDuringUpdateBody #155
Conversation
Thanks for taking the time to submit this change.
A couple of tiny niggles, but mostly looking good. In addition to the inline comments, please also
- Add a (minor_changes) changelog fragment: https://docs.ansible.com/ansible/latest/community/development_process.html#changelogs-how-to
- Please add some tests to the integration test suite to demonstrate that the change works https://github.com/ansible-collections/amazon.aws/blob/main/tests/integration/targets/cloudformation/tasks/main.yml
Co-authored-by: Mark Chappell <[email protected]>
Done
For this test I need to create a stack with a policy in the first place; that test is not there atm. The stack policy support now only handles a URL, not a body. Not sure which URL to use when pointing to GH?
Looking at the code (down around line 690) it looks like it's actually StackPolicyBody that's being set. The file that you pass is being read directly by Ansible rather than being passed as a URL to CloudWatch
I'd suspect that this was to work around a quirk in the way Ansible deals with JSON in YAML files (things can get magically converted in ways that break JSON if you're not careful). I'm not a big fan of doing things this way as it means you need to do things like writing out temporary files. So, a couple of additional suggestions:
Hello @fvant, are you still working on this? waiting_on_contributor
Adding test for specifying a stack update policy
@tremble the tests I added failed as setting a stack policy is not allowed, removing the tests until further
Due to Access denied
Hi @fvant, new IAM policies can be added to our CI by opening a PR in this repo: https://github.com/mattclay/aws-terminator
Trying to make this PR pass ansible-collections/amazon.aws#155 which gives this error:
{"code": "AccessDenied", "message": "User: arn:aws:sts::966509639900:assumed-role/ansible-core-ci-test-prod/prod=shippable=ansible-collections=amazon.aws=1313.24 is not authorized to perform: cloudformation:SetStackPolicy on resource: arn:aws:cloudformation:us-east-1:966509639900:stack/shippable-1313-24/7e1cbd30-63c2-11eb-996f-126643f85ad9"
Minor tweak to the changelog and re-enable the tests
changelogs/fragments/155-support-for-StackPolicyDuringUpdateBody.yaml
Tests now pass as written by the author, and I've tweaked the changelog. I think we're ready to merge this.
@fvant: Many thanks for your work on this. I'm sorry it's taken a while to get this merged, but we got there in the end...
SUMMARY
CloudFormation supports a policy that applies to a particular update only. This implements the functionality provided by the
aws cloudformation update-stack
command with the --stack-policy-during-update-body
option to provide a modified policy. AWS CloudFormation applies the override policy only during this update. The override policy doesn't permanently change the stack policy.
This is the former PR
[ansible/ansible] Support stack policy on update (#57300)
ISSUE TYPE
COMPONENT NAME
lib/ansible/modules/cloud/amazon/cloudformation.py
or modules/cloudformation.py
ADDITIONAL INFORMATION
Boto3 documentation of the parameter used:
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/cloudformation.html#CloudFormation.Client.update_stack
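The following is an added example, not code from the amazon.aws collection or from this PR. It shows how an update-time override policy is passed to boto3's update_stack as StackPolicyDuringUpdateBody (the parameter the summary above describes) while leaving StackPolicyBody, and hence the stack's permanent policy, untouched. It also round-trips the policy through a JSON parser before sending it, which is one way to catch the JSON-in-YAML conversion quirk mentioned in the review discussion. The stack name "example-stack", the override policy document and the function names are constructed for this example.

```python
"""Build a CloudFormation update_stack call that carries a temporary
stack-policy override (StackPolicyDuringUpdateBody).

Added example; not code from the amazon.aws collection or this PR.
The stack name, the policy document and the helper names below are
constructed assumptions for illustration.
"""
import json

# Constructed sample: imagine the stack's permanent policy denies any
# Update:Replace / Update:Delete on the logical resource "Database".
# This override allows all update actions on that one resource, but
# only for the single update it is sent with; the permanent policy is
# not modified.
OVERRIDE_POLICY = {
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "Update:*",
            "Principal": "*",
            "Resource": "LogicalResourceId/Database",
        }
    ]
}


def normalize_stack_policy(policy):
    """Return the policy as the JSON string the CloudFormation API expects.

    Accepts a dict (what a YAML loader hands over) or a JSON string.
    Parsing and re-serialising here means a malformed document, or one
    whose YAML loading coerced values in a way that is no longer valid
    JSON, is rejected locally instead of by the API call.
    """
    if isinstance(policy, dict):
        doc = policy
    elif isinstance(policy, str):
        doc = json.loads(policy)  # raises ValueError on malformed JSON
    else:
        raise TypeError("stack policy must be a dict or a JSON string")
    if not isinstance(doc.get("Statement"), list):
        raise ValueError("stack policy must be an object with a 'Statement' list")
    for stmt in doc["Statement"]:
        if stmt.get("Effect") not in ("Allow", "Deny"):
            raise ValueError("each statement needs an Effect of Allow or Deny")
    return json.dumps(doc, sort_keys=True)


def build_update_stack_params(stack_name, template_body=None,
                              policy_during_update=None):
    """Assemble keyword arguments for CloudFormation.Client.update_stack.

    A policy passed as policy_during_update is sent as
    StackPolicyDuringUpdateBody, which CloudFormation applies only for
    the duration of this update. StackPolicyBody is deliberately never
    set here, so the stack's permanent policy stays as it is.
    """
    params = {"StackName": stack_name}
    if template_body is None:
        params["UsePreviousTemplate"] = True
    else:
        params["TemplateBody"] = template_body
    if policy_during_update is not None:
        params["StackPolicyDuringUpdateBody"] = normalize_stack_policy(
            policy_during_update)
    return params


if __name__ == "__main__":
    params = build_update_stack_params("example-stack",
                                       policy_during_update=OVERRIDE_POLICY)
    print(json.dumps(params, indent=2))
    # To perform the update for real (needs boto3 and AWS credentials):
    #   import boto3
    #   boto3.client("cloudformation").update_stack(**params)
```

Because only StackPolicyDuringUpdateBody is populated, the call temporarily relaxes the protection for one update and the stack returns to its permanent policy afterwards; sending StackPolicyBody instead would rewrite that permanent policy, which is the behaviour the summary above says this feature is meant to avoid.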