aws_acm - check mode

[mdavis-xyz]

SUMMARY

Fixes #451

ISSUE TYPE

• Bugfix Pull Request

COMPONENT NAME

aws_acm

ADDITIONAL INFORMATION

I've hard-coded the domain and ARN to return for some check_mode tasks.
I don't know if I need to bother dynamically extracting the domain from the local cert file.
I also don't know if ARNs are predictable for ACM certs.

I have not tried running these integration tests locally because the tests won't run. ansible-test tells me I need to configure stuff. I did, but ansible-test still won't run.

╭╴matthew:~/Documents/Projects/software/ansible/collections/ansible_collections/community/aws
╰╴ $ ansible-test integration --docker centos8 -v aws_acm
Falling back to tests in "tests/integration/targets/" because "roles/test/" was not found.
WARNING: Excluding tests marked "unstable" which require --allow-unstable or prefixing with "unstable/": aws_acm
WARNING: Excluding tests marked "cloud/aws" which require config (see "/home/matthew/.local/lib/python3.8/site-packages/ansible_test/config/cloud-config-aws.ini.template"): aws_acm
WARNING: All targets skipped.

So I'm just hoping that the CI bots can run the tests for me.

[ansibullbot]

cc @jillr @matt-telstra @s-hertel @tremble @wimnat
click here for bot help

[tremble]

"msg": "The conditional check '(list_tag.certificates | length) == 0' failed. The error was: error while evaluating conditional ((list_tag.certificates | length) == 0): 'dict object' has no attribute 'certificates'"

Looks like the tests need a tweak

[mdavis-xyz]

I cannot figure out how to fix the failing tests, because I cannot figure out how to run integration tests locally.

The only documentation I found was for community.general. When I ran the tests like that it told me I needed to specify my AWS credentials in a config file. I did that, but this error won't go away.

How do I resolve this?

╭╴matthew:~/Documents/Projects/software/ansible/collections/ansible_collections/community/aws
╰╴ $ ansible-test integration --docker centos8 -v aws_acm
Falling back to tests in "tests/integration/targets/" because "roles/test/" was not found.
WARNING: Excluding tests marked "unstable" which require --allow-unstable or prefixing with "unstable/": aws_acm
WARNING: Excluding tests marked "cloud/aws" which require config (see "/home/matthew/.local/lib/python3.8/site-packages/ansible_test/config/cloud-config-aws.ini.template"): aws_acm
WARNING: All targets skipped.

[tremble]

Two changes needed:

1. add the --allow-unstable flag to the command
2. add a cloud config file (telling ansible-test what credentials to use to connect to AWS) needs to be at tests/integration/cloud-config-aws.ini

I use the following (credentials redacted):

$ cat ansible_collections/community/aws/tests/integration/cloud-config-aws.ini 
[default]
aws_access_key: AKIAXXXX-REDACTED-XXXXX
aws_secret_key: XXXXXX-REDACTED-XXXXXXXX
#security_token: @SECURITY_TOKEN
aws_region: us-east-1

ec2_access_key: {{ aws_access_key }}
ec2_secret_key: {{ aws_secret_key }}
ec2_region: {{ aws_region }}

[tremble]

The README.md for this collection also includes some resources around getting the environment setup:
https://github.com/ansible-collections/community.aws#more-information-about-contributing

@jillr's blog post: https://www.ansible.com/blog/getting-started-with-aws-ansible-module-development includes a walk through.

[mdavis-xyz]

Ah I see. There's a bug in ansible-test. It told me to save that config file in the wrong location.

[mdavis-xyz]

My integration tests are failing locally with a different error to CI. It seems the community.crypto.openssl_privatekey module is not installed.

Why do I get a different error locally vs in CI? If I'm running tests in docker, shouldn't the dependencies be the same?

ansible-test integration --docker centos8 -v aws_acm

TASK [aws_acm : include_tasks] *************************************************                                                       
fatal: [testhost]: FAILED! => {"reason": "couldn't resolve module/action 'community.crypto.openssl_privatekey'. This often indicates a m
isspelling, missing collection, or incorrect module path.\n\nThe error appears to be in '/root/ansible/ansible_collections/community/aws/tests/output/.tmp/integration/aws_acm-2zn07z0p-ÅÑŚÌβŁÈ/tests/integration/targets/aws_acm/tasks/full_acm_test.yml': line 59, column 5, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n      - remote_tmp_dir is defined\n  - name: Generate private key for local certs\n    ^ here\n"}                                                               
[WARNING]: Failure using method (v2_runner_on_failed) in callback plugin                          
(<ansible.plugins.callback.junit.CallbackModule object at 0x7f52772d4518>): /ro
ot/ansible/ansible_collections/community/aws/tests/output/.tmp/integration/aws_                                                         
acm-2zn07z0p-ÅÑŚÌβŁÈ/tests/integration/targets/aws_acm/tasks/main.yml:32:
testhost: aws_acm : include_tasks _raw_params=full_acm_test.yml: duplicate host
callback: testhost

[tremble]

Some of the tests need additional modules (including the acm tests) the quickest way is to clone the community.crypto repo next to the community.aws repo. There are some extra wrappers in the main CI account which ensure the dependencies are pulled in from galaxy: https://github.com/ansible-collections/community.aws/blob/main/tests/requirements.yml these haven't been built into ansible-test yet.

[mdavis-xyz]

Ok, now I'm getting this error:

TASK [aws_acm : list certs] ****************************************************
fatal: [testhost]: FAILED! => {"msg": "Could not find imported module support code for aws_acm_info.  Looked for either AnsibleAWSModule.py or core.py"}

When running from software/ansible/collections/ansible_collections/community/aws with COLLECTIONS_PATHS set to software/ansible/collections

Note that @jillr 's blog post contains instructions which don't work for me.

The instructions say:

ansible-test integration ec2_group

So I tried with:

ansible-test integration aws_acm

which gives:

ERROR: Rename "/home/matthew/.aws" or use the --docker or --remote option to isolate tests.

[tremble]

That looks like it failed to find the amazon.aws collection. (community.aws depends on amazon.aws)

[mdavis-xyz]

Isn't aws_acm_info in the community.aws collection, not amazon.aws?

https://github.com/ansible-collections/community.aws/blob/main/plugins/modules/aws_acm_info.py

[tremble]

It is, however the "module_utils" code that it relies on (the core.py and AnsibleAwsModule it referred to) lives in amazon.aws

[tremble]

@mdavis-xyz Thanks for working on this, I'm sorry it's been a bit of a battle to get the test-suite up and running.

The test failures look like they were flakes, re-running them they pass, and the tests are still flagged as 'unstable'. We've seen some APIs return inconsistent results and I suspect that's what we saw here.

[mdavis-xyz]

I actually had a few bug fixes I hadn't pushed yet. I think the module itself is fine, but there were bugs in the test. (e.g. I actually ended up testing check mode in aws_acm_info, which doesn't seem to work as expected.) And the rest can be fixed with retry backoff logic.

Should I open another pull request once I've got them working?

[tremble]

More bug fixes would always be appreciated. Since this PR has been merged, yes a new PR would be the best bet. Thanks for your contribution, Mark