ACM module has no "check" mode

[dale-c-anderson]

SUMMARY

When running a playbook in check mode, changes are affected.

ISSUE TYPE

• Bug Report

COMPONENT NAME

aws_acm

ANSIBLE VERSION

$ aws --version
aws-cli/1.19.17 Python/3.6.9 Linux/4.15.0-136-generic botocore/1.20.16

CONFIGURATION

$ ansible-config dump --only-changed
ANSIBLE_PIPELINING(./myproject/ansible.cfg) = True
ANSIBLE_SSH_CONTROL_PATH(./myproject/ansible.cfg) = ~/.ssh/ansible-ssh-%%C
COLLECTIONS_PATHS(./myproject/ansible.cfg) = ['./myproject/collections']
DEFAULT_CALLBACK_PLUGIN_PATH(./myproject/ansible.cfg) = ['./myproject/callbacks']
DEFAULT_FORKS(./myproject/ansible.cfg) = 20
DEFAULT_ROLES_PATH(./myproject/ansible.cfg) = ['./myproject/roles']
INTERPRETER_PYTHON(./myproject/ansible.cfg) = /usr/bin/python3
INVENTORY_IGNORE_PATTERNS(./myproject/ansible.cfg) = ['ssh-config']
RETRY_FILES_ENABLED(./myproject/ansible.cfg) = False

OS / ENVIRONMENT

$ uname -a
Linux mybox 4.15.0-136-generic #140-Ubuntu SMP Thu Jan 28 05:20:47 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

STEPS TO REPRODUCE

Full playbook is at https://gist.github.com/dale-c-anderson/31c6212e8a9e86f4a829e2bdee40a6f8

The relevant portion is reproduced here:

- hosts: localhost
  run_once: true
  become: false
  connection: local
  vars_files:
    - "{{ playbook_dir }}/path_definitions.yml"
  tags:
    - install_certs
  tasks:
    - name: Import SSL cert to AWS Certificate Manager
      community.aws.aws_acm:
        state: present
        region: ca-central-1
        certificate: "{{ lookup('file', ssl_public_certs_dir + '/dummy.crt') }}"
        private_key: "{{ lookup('file', ssl_private_keys_dir + '/dummy.key') }}" # Key has already been encrypted.
        name_tag: dummy.example.com

Ran the above with

ansible-playbook --diff --check --tags install_certs

EXPECTED RESULTS

Certificate import should only be simulated.

ACTUAL RESULTS

Certificate was actually imported.

$ ansible-playbook playbooks/ssl-999-bug-report.yml --diff --check --tags install_certs

[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
[WARNING]: Skipping plugin (/home/danderson/repos/git.acromedia.com/teams/telus/project-lion/telus-lion-drupal-infrastructure/callbacks/human-log.py) as it seems to be invalid: name 'reload' is not
defined

PLAY [localhost] ********************************************************************************************************************************************************************************************

PLAY [localhost] ********************************************************************************************************************************************************************************************

TASK [Gathering Facts] **************************************************************************************************************************************************************************************
ok: [localhost]

TASK [Import SSL cert to AWS Certificate Manager] ***********************************************************************************************************************************************************
changed: [localhost]

PLAY RECAP **************************************************************************************************************************************************************************************************
localhost                  : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

[ansibullbot]

Files identified in the description:
None

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

click here for bot help

[ansibullbot]

Files identified in the description:

• [plugins/modules/aws_acm.py](https://github.com/['ansible-collections/amazon.aws', 'ansible-collections/community.aws', 'ansible-collections/community.vmware']/blob/main/plugins/modules/aws_acm.py)

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

click here for bot help

[ansibullbot]

cc @jillr @matt-telstra @s-hertel @tremble @wimnat
click here for bot help

[matt-telstra]

Ah, woops. I never use check mode myself, so I forgot to put this in.

What's check mode supposed to do? Just check the input parameters match the module spec? Or should it check that it can find IAM credentials?

Some boto calls allow you to do a "dry_run" to check that you've got sufficient IAM permissions, but I expect that this particular call does not.

[dale-c-anderson]

@matt-telstra See https://docs.ansible.com/ansible/latest/user_guide/playbooks_checkmode.html

Yes, check mode and dry run are the same thing. If the boto call doesn't support dry run directly, the module would probably need simulate it in some other way. Having a module that affects changes when it's not supposed to will result in a never-ending litany of bug reports.

[matt-telstra]

For testing in my own projects (outside of Ansible), I use moto. I suppose I could just turn on moto and do the checks that way?
Although that would start with a clean slate for every task. So deleting a cert would throw an error because the cert doesn't exist. So I'd have to handle that case.

I'm not sure whether other Ansible AWS modules use moto. That would add a dependency to the module. Is that worth it?

[matt-telstra]

It looks like some modules only check the input. Others say supports_check_mode=False (example), although I'm not sure what that does.

@jillr what do AWS modules normally do in check mode? Just validate the input? Or is there a helper function I can call to check IAM credentials? Would we expect an AWS task to fail in check mode if no IAM credentials can be found?

[matt-telstra]

Is this the kind of thing we need?

matt-telstra@0df3af8

(I haven't created a PR yet, because I haven't written the tests for this, or tested it manually, yet)

[tremble]

The idea of "check_mode" is generally to tell you if changes would be made. The most common way to do this is just to exit with changed=True or return True from a function (depending on the structure of the module) just before you'd apply a change. Generally read-only (get, list or describe) calls should still happen. Please note, the Boto/AWS check mode only tests permissions, not if a change would occur, and is especially useless on read-only operations.

[mdavis-xyz]

Can someone confirm that these integration tests cover the functionality that needs to be added?

mdavis-xyz@2c9e2c3

[tremble]

@mdavis-xyz Those tests look right at first glance.

Normally we write the tests using a separate assert statement rather than "failed_when", this makes the logic a little simpler to flow since you can write it in the positive rather than the negative

- name: check that cert was not really uploaded during check_mode
  assert:
    that:
    - upload_check is changed
    - list_after_check_mode_upload.certificates | length == 0