Add permissions and terminator for rds global cluster #287

Open
wants to merge 1 commit into
base: main

jillr
Collaborator

@jillr jillr commented Aug 1, 2023

I'm not convinced we'll be able to enable this due to the global nature of the policy, but I'm experimenting with it. This is not working as-is (policies are presently deployed to stage=dev).

Supports redhat-cop/cloud.aws_ops#79

@jillr
Collaborator Author

jillr commented Aug 17, 2023

I've tested this with redhat-cop/cloud.aws_ops#83 (supersedes 79) but only once since RDS is so slow. If reviewers have time it wouldn't hurt IMO to test again (or we can iterate based on 83's CI runs).

@jillr jillr changed the title [WIP] Add permissions and terminator for rds global cluster Add permissions and terminator for rds global cluster Aug 17, 2023
@alinabuzachis
Collaborator

> I've tested this with redhat-cop/cloud.aws_ops#83 (supersedes 79) but only once since RDS is so slow. If reviewers have time it wouldn't hurt IMO to test again (or we can iterate based on 83's CI runs).

I've tested this with redhat-cop/cloud.aws_ops#83 but I got:

TASK [cloud.aws_ops.create_rds_global_cluster : Create a read replica cluster for global database "ansible-test-global-df6407032580" in "us-west-2"] ***
task path: /root/ansible_collections/cloud/aws_ops/roles/create_rds_global_cluster/tasks/create.yml:34
Using module file /root/ansible_collections/amazon/aws/plugins/modules/rds_cluster.py
Pipelining is enabled.
<testhost> ESTABLISH LOCAL CONNECTION FOR USER: root
<testhost> EXEC /bin/sh -c 'ANSIBLE_DEBUG_BOTOCORE_LOGS=True /usr/bin/python3.11 && sleep 0'
The full traceback is:
Traceback (most recent call last):
  File "/tmp/ansible_amazon.aws.rds_cluster_payload__18if7ue/ansible_amazon.aws.rds_cluster_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/rds.py", line 254, in call_method
    result = AWSRetry.jittered_backoff(catch_extra_error_codes=retry_codes)(method)(**parameters)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/ansible_amazon.aws.rds_cluster_payload__18if7ue/ansible_amazon.aws.rds_cluster_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/cloud.py", line 119, in _retry_wrapper
    return _retry_func(
           ^^^^^^^^^^^^
  File "/tmp/ansible_amazon.aws.rds_cluster_payload__18if7ue/ansible_amazon.aws.rds_cluster_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/cloud.py", line 68, in _retry_func
    return func()
           ^^^^^^
  File "/tmp/ansible_amazon.aws.rds_cluster_payload__18if7ue/ansible_amazon.aws.rds_cluster_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/retries.py", line 107, in deciding_wrapper
    return unwrapped(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/botocore/client.py", line 415, in _api_call
    return self._make_api_call(operation_name, kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/botocore/client.py", line 745, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (InvalidParameterValue) when calling the CreateDBCluster operation: Replication from cluster in same region is not supported
fatal: [testhost]: FAILED! => {
    "boto3_version": "1.22.0",
    "botocore_version": "1.25.0",
    "changed": false,
    "error": {
        "code": "InvalidParameterValue",
        "message": "Replication from cluster in same region is not supported",
        "type": "Sender"
    },
    "invocation": {
        "module_args": {
            "access_key": "xxxxx",
            "allocated_storage": null,
            "apply_immediately": false,
            "availability_zones": null,
            "aws_access_key": "xxx",
            "aws_ca_bundle": null,
            "aws_config": null,
            "aws_region": "us-east-1",
            "aws_secret_key": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "aws_security_token": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "backtrack_to": null,
            "backtrack_window": null,
            "backup_retention_period": 1,
            "character_set_name": null,
            "copy_tags_to_snapshot": null,
            "creation_source": null,
            "database_name": null,
            "db_cluster_identifier": "ansible-test-replica-df6407032580",
            "db_cluster_instance_class": null,
            "db_cluster_parameter_group_name": null,
            "db_subnet_group_name": null,
            "debug_botocore_endpoint_logs": true,
            "deletion_protection": null,
            "domain": null,
            "domain_iam_role_name": null,
            "enable_cloudwatch_logs_exports": null,
            "enable_global_write_forwarding": null,
            "enable_http_endpoint": null,
            "enable_iam_database_authentication": null,
            "endpoint_url": null,
            "engine": "aurora-mysql",
            "engine_mode": null,
            "engine_version": "5.7",
            "final_snapshot_identifier": null,
            "force_backtrack": null,
            "force_update_password": false,
            "global_cluster_identifier": "ansible-test-global-df6407032580",
            "iops": null,
            "kms_key_id": null,
            "master_user_password": null,
            "master_username": null,
            "new_db_cluster_identifier": null,
            "option_group_name": null,
            "port": null,
            "preferred_backup_window": null,
            "preferred_maintenance_window": null,
            "profile": null,
            "promote": false,
            "purge_cloudwatch_logs_exports": true,
            "purge_security_groups": true,
            "purge_tags": true,
            "region": "us-east-1",
            "replication_source_identifier": null,
            "restore_to_time": null,
            "restore_type": null,
            "role_arn": null,
            "s3_bucket_name": null,
            "s3_ingestion_role_arn": null,
            "s3_prefix": null,
            "secret_key": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "session_token": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "skip_final_snapshot": false,
            "snapshot_identifier": null,
            "source_db_cluster_identifier": null,
            "source_engine": null,
            "source_engine_version": null,
            "source_region": null,
            "state": "present",
            "storage_encrypted": null,
            "storage_type": null,
            "tags": null,
            "use_earliest_time_on_point_in_time_unavailable": null,
            "use_latest_restorable_time": null,
            "validate_certs": true,
            "vpc_security_group_ids": null,
            "wait": true
        }
    },
    "msg": "Unable to create DB cluster: An error occurred (InvalidParameterValue) when calling the CreateDBCluster operation: Replication from cluster in same region is not supported",
    "resource_actions": [
        "rds:CreateDBCluster",
        "rds:DescribeDBClusters"
    ],

What did I miss?

@jillr
Collaborator Author

jillr commented Aug 22, 2023

I get the same error. I must have missed that. @mandar242 should we be able to run the tests from cloud.aws_ops.create_rds_global_cluster in CI? Is there a way to configure the tests to use a single region (like only having one node in the cluster maybe)?

@mandar242
Contributor

mandar242 commented Aug 24, 2023

@alinabuzachis @jillr the tests work fine locally using the team account.

However, as per the Jira description, we need to create the following:

  1. Global DB cluster
  2. Primary cluster (in region X)
  3. Replica cluster (in region Y)

The issue is that:

  1. CI doesn't allow using any other region than us-east-1
  2. AWS does not allow creating a replica cluster in the same region as the primary

I have added a note in the tests as well:
https://github.com/redhat-cop/cloud.aws_ops/pull/83/files#diff-1e8de620fd8c0b1515e8d34b1e9d0e7bf02e90eb79b30ad4e2e855811f1348fdR15-R17

Here's the OP of running the integration tests locally for redhat-cop/cloud.aws_ops#83 on the team AWS account:

image

@mandar242
Contributor

@jillr this (#287) will also support
ansible-collections/amazon.aws#1705
