
Termination Protection is not Enabled for Existing Stacks when Create Change Set is Enabled #2149

Closed
jmwyson opened this issue Jun 25, 2024 · 4 comments · Fixed by #2391

Comments


jmwyson commented Jun 25, 2024

Summary

When both create_changeset and termination_protection are set when calling the cloudformation module, the termination_protection is not configured for the stack.

The problem seems to be the if logic in https://github.com/ansible-collections/amazon.aws/blob/52d3965188d45841495c1721aaf1615d08d6874d/plugins/modules/cloudformation.py#L779C1-L787C110: if create changeset is enabled, the "else" branch where the termination protection is updated is not executed.

Issue Type

Bug Report

Component Name

cloudformation

Ansible Version

ansible [core 2.15.10]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/runner/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.9/site-packages/ansible
  ansible collection location = /home/runner/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.9.18 (main, Sep 22 2023, 17:58:34) [GCC 8.5.0 20210514 (Red Hat 8.5.0-20)] (/usr/bin/python3.9)
  jinja version = 3.1.3
  libyaml = True

Collection Versions

# /usr/share/ansible/collections/ansible_collections
Collection                    Version
----------------------------- -------
amazon.aws                    7.5.0  
ansible.windows               2.3.0  
community.aws                 7.2.0  
community.general             8.6.0 

AWS SDK versions

WARNING: Package(s) not found: boto
Name: boto3
Version: 1.29.0
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email: None
License: Apache License 2.0
Location: /usr/local/lib/python3.9/site-packages
Requires: botocore, jmespath, s3transfer
Required-by: cloudformation-cli, aws-sam-translator
---
Name: botocore
Version: 1.34.90
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email: None
License: Apache License 2.0
Location: /usr/local/lib/python3.9/site-packages
Requires: urllib3, jmespath, python-dateutil
Required-by: s3transfer, cloudformation-cli, boto3

Configuration

No response

OS / Environment

No response

Steps to Reproduce

- name: Deploy CloudFormation Stack
  cloudformation:
    stack_name: my-stack
    template: "mytemplate.yml"
    on_create_failure: DELETE
    state: present
    create_changeset: true
    profile: "my-aws-profile"
    region: us-east-1
    termination_protection: true

Expected Results

For an existing stack, the stack should have termination protection enabled.

Actual Results

For an existing stack, termination protection is not enabled.

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
gravesm (Member) commented Jul 2, 2024

@jmwyson Thanks for filing an issue. Would you be willing to create a PR for this?

mandar242 (Contributor) commented:

Hi @jmwyson, thanks for filing the issue. Could you please let me know the following:

  • Are you still facing the error?
  • Do you encounter the issue when creating a completely new cloudformation stack with create_changeset and termination_protection enabled? or when working with a stack that already exists?
  • What version of amazon.aws are you on currently? (issue mentions 7.5)

From my testing locally, I am unable to reproduce the issue and am able to achieve the expected result when creating a new cloudformation stack. Could you please provide a more detailed example for reproducing the issue?
Playbook task used for testing is:

    - name: Deploy CloudFormation Stack
      amazon.aws.cloudformation:
        stack_name: xxx-aaws-2149-stack
        template: cloudformation-example-template.json
        template_parameters:
          InstanceType: "t2.micro"
          ImageId: "ami-xxxxx"
          SubnetId: "subnet-xxxxx"
        on_create_failure: DELETE
        state: present
        create_changeset: true         #<----------- create_changeset
        # profile: "my-aws-profile"
        region: ca-central-1
        termination_protection: true #<----------- termination_protection

iris-nortal commented:

Confirming I am also encountering the same error. termination_protection is not updated when create_changeset: true is set and the playbook is rerun for a stack update (not encountered during initial stack creation).

Below is an example to replicate the issue:

  1. Create a new stack, with create_changeset: true and termination_protection: true:

     - name: Set variables
       set_fact:
         aws_profile: "dev"
         aws_region: "us-west-2"
         stack_name: "test-security-group"
         vpc_id: "vpc-XXXXX"
    
     - name: Deploy CloudFormation Stack
       cloudformation:
         create_changeset: true
         profile: "{{ aws_profile }}"
         region: "{{ aws_region }}"
         stack_name: "{{ stack_name }}"
         tags:
           "application": "testing-cf-termination"
         template_body: "{{ lookup('file', '../../cloudformation/temp/test-cf-termination.yml') }}"
         template_parameters:
           VpcId: "{{ vpc_id }}"
         termination_protection: true
    
     - name: Get Stack Info
       cloudformation_info:
         profile: "{{ aws_profile }}"
         region: "{{ aws_region }}"
         stack_name: "{{ stack_name }}"
       register: stack_info
    
     - name: Print stack termination protection
       debug:
         var: stack_info.cloudformation[stack_name].stack_description.enable_termination_protection
    

    Output:

     TASK [Set variables] ********************************************************************************************************************************************************************
     ok: [localhost]
    
     TASK [Deploy CloudFormation Stack] ******************************************************************************************************************************************************
     changed: [localhost]
    
     TASK [Get Stack Info] *******************************************************************************************************************************************************************
     ok: [localhost]
    
     TASK [Print stack termination protection] ***********************************************************************************************************************************************
     ok: [localhost] => {
         "stack_info.cloudformation[stack_name].stack_description.enable_termination_protection": true
     }
    
     PLAY RECAP ******************************************************************************************************************************************************************************
     localhost                  : ok=8    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0 
    
  2. Change the termination_protection parameter to false, and redeploy the playbook.
    Output:

     TASK [Set variables] ********************************************************************************************************************************************************************
     ok: [localhost]
    
     TASK [Deploy CloudFormation Stack] ******************************************************************************************************************************************************
     ok: [localhost]
    
     TASK [Get Stack Info] *******************************************************************************************************************************************************************
     ok: [localhost]
    
     TASK [Print stack termination protection] ***********************************************************************************************************************************************
     ok: [localhost] => {
         "stack_info.cloudformation[stack_name].stack_description.enable_termination_protection": true
     }
    
     PLAY RECAP ******************************************************************************************************************************************************************************
     localhost                  : ok=8    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
    

    The stack's enable_termination_protection value remains true when we are expecting it to have been set to false.

  3. Change the tag to generate a changeset. Running the playbook creates a changeset. Executing the changeset will not update the stack's Termination Protection setting.

  4. Remove the create_changeset: true parameter, and rerun the playbook. This updates the stack's enable_termination_protection to "false".

    ...
     - name: Deploy CloudFormation Stack
       cloudformation:
         # create_changeset: true
         profile: "{{ aws_profile }}"
         region: "{{ aws_region }}"
         stack_name: "{{ stack_name }}"
         tags:
           "application": "testing-cf-termination"
         template_body: "{{ lookup('file', '../../cloudformation/temp/test-cf-termination.yml') }}"
         template_parameters:
           VpcId: "{{ vpc_id }}"
         termination_protection: false
     ...
    

    Output:

     TASK [Set variables] ********************************************************************************************************************************************************************
     ok: [localhost]
    
     TASK [Deploy CloudFormation Stack] ******************************************************************************************************************************************************
     changed: [localhost]
    
     TASK [Get Stack Info] *******************************************************************************************************************************************************************
     ok: [localhost]
    
     TASK [Print stack termination protection] ***********************************************************************************************************************************************
     ok: [localhost] => {
         "stack_info.cloudformation[stack_name].stack_description.enable_termination_protection": false
     }
    
     PLAY RECAP ******************************************************************************************************************************************************************************
     localhost                  : ok=8    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
    

Version

ansible [core 2.15.10]
  config file = /workspaces/testing/ansible.cfg
  configured module search path = ['/home/vscode/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.10/site-packages/ansible
  ansible collection location = /home/vscode/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.10.12 (main, Jun  7 2023, 19:32:10) [GCC 10.2.1 20210110] (/usr/local/bin/python)
  jinja version = 3.1.4
  libyaml = True

Collection                    Version
----------------------------- -------
amazon.aws                    8.1.0  
community.aws                 8.0.0  
community.general             9.3.0  
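Both the original report and the reproduction above point at the same control-flow gap: on the create_changeset path for an existing stack, the termination protection update is never called. The following is an added Python model, not the amazon.aws module's own code; StubCloudFormation, update_existing_stack and termination_protection_matches are assumed names around an in-memory stub that mimics the boto3 call shapes. It reproduces the skipped update, shows the setting applied on both paths, and includes a drift check equivalent to the cloudformation_info step.

```python
class StubCloudFormation:
    """Minimal in-memory stand-in for a boto3 CloudFormation client (constructed)."""

    def __init__(self, stacks):
        self.stacks = dict(stacks)  # stack name -> EnableTerminationProtection flag
        self.change_sets = []

    def describe_stacks(self, StackName):
        return {"Stacks": [{"StackName": StackName,
                            "EnableTerminationProtection": self.stacks[StackName]}]}

    def create_change_set(self, StackName, ChangeSetName):
        self.change_sets.append((StackName, ChangeSetName))
        return {"Id": f"changeSet/{ChangeSetName}"}  # placeholder id, not a real ARN

    def update_termination_protection(self, StackName, EnableTerminationProtection):
        self.stacks[StackName] = EnableTerminationProtection


def update_existing_stack(client, stack_name, create_changeset, termination_protection, fixed=False):
    """Simplified update flow for a stack that already exists (assumed model).

    fixed=False mirrors the issue: the termination protection call sits only in
    the non-changeset branch, so create_changeset=True skips it. fixed=True
    applies it on both paths. Returns the flag as the stub reports it afterwards.
    """
    if create_changeset:
        client.create_change_set(StackName=stack_name, ChangeSetName="ansible-changeset")
        if fixed:  # the fix: termination protection must be applied here too
            client.update_termination_protection(
                StackName=stack_name, EnableTerminationProtection=termination_protection)
    else:
        client.update_termination_protection(
            StackName=stack_name, EnableTerminationProtection=termination_protection)
    return client.describe_stacks(StackName=stack_name)["Stacks"][0]["EnableTerminationProtection"]


def termination_protection_matches(client, stack_name, desired):
    """Post-run drift check, the equivalent of the cloudformation_info step above."""
    actual = client.describe_stacks(StackName=stack_name)["Stacks"][0]["EnableTerminationProtection"]
    return actual == desired


if __name__ == "__main__":
    cf = StubCloudFormation({"test-security-group": True})  # stack exists, protection on
    # Buggy path: request False via the changeset route; the flag stays True.
    print(update_existing_stack(cf, "test-security-group", True, False))
    # Fixed path: the same request now lands as False.
    print(update_existing_stack(cf, "test-security-group", True, False, fixed=True))
```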

mandar242 (Contributor) commented:

@iris-nortal Thanks for details! #2391 should fix the issue.

softwarefactory-project-zuul bot pushed a commit that referenced this issue Dec 19, 2024
…with create_changeset set (#2391)

SUMMARY

Fixes #2149
Fix bug where termination protection is not updated when create_changeset=true is used for stack updates

ISSUE TYPE

Bugfix Pull Request

COMPONENT NAME

cloudformation

ADDITIONAL INFORMATION

Reviewed-by: Helen Bailey <[email protected]>
Reviewed-by: Bikouo Aubin
Reviewed-by: GomathiselviS <[email protected]>
patchback bot pushed a commit that referenced this issue Dec 19, 2024
…with create_changeset set (#2391)

SUMMARY

Fixes #2149
Fix bug where termination protection is not updated when create_changeset=true is used for stack updates

ISSUE TYPE

Bugfix Pull Request

COMPONENT NAME

cloudformation

ADDITIONAL INFORMATION

Reviewed-by: Helen Bailey <[email protected]>
Reviewed-by: Bikouo Aubin
Reviewed-by: GomathiselviS <[email protected]>
(cherry picked from commit 86b9182)