search

Sceptre / sceptre

Build better AWS infrastructure
https://docs.sceptre-project.org
Other
1.48k stars 313 forks source link

Stack protection feature documentation discrepancy #605

Open zaro0508 opened 5 years ago

zaro0508 commented 5 years ago

The sceptre docs refers to stack protection feature with key protected[1] however it only seems to work when using the protect keyword (i.e. protect: true). a quick grep shows that many tests use protected keyword. Not sure which is the correct keyword to use.

[1] https://sceptre.cloudreach.com/latest/docs/stack_config.html#protected

(py36-sceptredev) ~/w/sceptre ❯❯❯ git grep protected docs/docs/stackconfig.md:* protected (optional)_ docs/docs/stack_config.md:### protected docs/docs/stack_config.md:If a user tries to run one of these commands on a protected Stack, Sceptre will sceptre/config/reader.py: protected=config.get("protect", False), sceptre/plan/actions.py: if self.stack.protected: sceptre/stack.py: :param protected: Stack protection against execution. sceptre/stack.py: :type protected: bool sceptre/stack.py: dependencies=None, role_arn=None, protected=False, tags=None, sceptre/stack.py: self.protected = protected sceptre/stack.py: "protected={protected}, " sceptre/stack.py: protected=self.protected, sceptre/stack.py: self.protected == stack.protected and tests/test_actions.py: role_arn=sentinel.role_arn, protected=False, tests/test_actions.py: self.actions.stack.protected = True tests/test_config_reader.py: protected=False, tests/test_plan.py: role_arn=sentinel.role_arn, protected=False, tests/test_stack.py: role_arn=sentinel.role_arn, protected=False, tests/test_stack.py: assert stack.protected is False tests/test_stack.py: "protected=False, "\

jmourelos commented 5 years ago

@ngfgrant after rereading my last comment in the PR I realize I did not explain myself properly.

Yes, you are right, "protected" is used in the Python API (not "protect"). The problematic is that here we have 3 aspects to be ideally in line with each other:

Additionally, I believe we need to be backwards-compatible.

Assuming all this I see 2 solutions:

  1. The solution implemented in this PR:
    • Pros:
    • Simple
    • Makes "Config API" and "Config API documentation" be in line
    • Cons:
    • "Python API" and "Config API" will continue not to be in line
  2. Keep "Config API documentation" as it is, make both "protect" and "protected" synonym keywords in the Config API and remove "protect" in a hypothetical Sceptre 3.0:
    • Pros:
    • "Python API", "Config API" and "Config API documentation" are all in line with each other
    • Cons:
    • We have to decide how to handle the case of "protect" and "protected" being used simultaneously and implement a proper solution for it (e.g. not allowing both keywords to be used in the same Stack Config file)
adamcousins commented 5 years ago

Any updates on this issue? Im still seeing this discrepency on the latest version when I define the below in my stack config .yaml file.

protect: true ##This works successfully protected: true ##This is ignored

On a side note I'd see it more useful if we could define it like this: protected:

where I can define the different types of execution which are 'protected' Is this possible?

dragarthPl commented 4 months ago

Hello, I request that either the code or the documentation be corrected so that the actual state is consistent. This should have been fixed after 4 years.