Closed pgrenaud closed 1 year ago
Files identified in the description:
plugins/modules/ec2_key.py
If these files are inaccurate, please update the component name section of the description or use the `!component` bot command.
cc @jillr @prasadkatti @s-hertel @tremble @zbal
@pgrenaud, the check_mode is working as expected for this module.
Please note that in your first run, the key pair is created, therefore the 2nd run in check_mode reports the key as updated since it already exists. Note that if you run the playbook only once in check_mode, Ansible will report the key pair as created but you won't see the key pair in Amazon.
Could you please clean your environment, run the playbook in check_mode, and validate that the key pair is not created even if Ansible reports it is? Thanks
@abikouo I was able to reproduce the issue many times, cleaning everything in between tries.
If the key pair does not exist, ec2_key won't actually do anything when the playbook is run in check mode even if changes are reported. This is expected behaviour.
If the key pair already exists, ec2_key will actually create a new key pair each time the playbook is run in check mode even if no changes are reported. This is unexpected behaviour, as no changes should be performed in check mode. See the attached screenshot above for the result in the AWS console.
@pgrenaud It seems that each time you are running using the `--check` parameter the ssh_key_name is randomly generated. Could you please run once again using the `-v` option (`ansible-playbook play.yaml --check -v`) multiple times and share the traces?
I'm able to reproduce this. The simplest reproducer is just a single task:

```yaml
- amazon.aws.ec2_key:
    name: test-key
    key_material: "{{ lookup('file', '/path/to/key') }}"
```

The key does need to exist first. Running this in check mode before test-key exists won't create a new key, but running it in check mode when test-key exists will.
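One way to do the validation abikouo asked for, as an added example that is not code from this issue or from the amazon.aws collection: snapshot the region's key pairs before and after `ansible-playbook play.yml --check` and diff the two listings by KeyPairId, so a key pair that was re-created behind the same name (new id) shows up even when the play reports `changed=0`. The `snapshot` helper, the constructed sample listings and their key pair ids are assumptions.

```python
"""Detect key pairs an ansible-playbook --check run created, deleted or replaced."""
from __future__ import annotations

from typing import Iterable

try:
    import boto3  # only needed for live snapshots; the diff itself is pure Python
except ImportError:
    boto3 = None


def snapshot(region: str) -> list[dict]:
    """Live listing of key pairs in one region (needs boto3 and AWS credentials)."""
    ec2 = boto3.client("ec2", region_name=region)
    return ec2.describe_key_pairs()["KeyPairs"]


def diff_key_pairs(before: Iterable[dict], after: Iterable[dict]) -> dict:
    """Compare two DescribeKeyPairs listings keyed by KeyPairId.

    A clean check-mode run yields empty created/deleted/replaced lists and
    mutated=False. "replaced" means the same KeyName came back with a new
    KeyPairId, i.e. the key pair was deleted and re-created.
    """
    b = {k["KeyPairId"]: k for k in before}
    a = {k["KeyPairId"]: k for k in after}
    created = [a[i]["KeyName"] for i in a.keys() - b.keys()]
    deleted = [b[i]["KeyName"] for i in b.keys() - a.keys()]
    replaced = sorted(set(created) & set(deleted))
    return {
        "created": sorted(n for n in created if n not in replaced),
        "deleted": sorted(n for n in deleted if n not in replaced),
        "replaced": replaced,
        "mutated": bool(created or deleted),
    }


# Constructed sample (hypothetical ids): listing before a check-mode run, and
# after the behaviour reported in this issue (test-key re-created under a new id).
BEFORE = [
    {"KeyPairId": "key-0aaaaaaaaaaaaaaa1", "KeyName": "test-key"},
    {"KeyPairId": "key-0bbbbbbbbbbbbbbb2", "KeyName": "other-key"},
]
AFTER = [
    {"KeyPairId": "key-0ccccccccccccccc3", "KeyName": "test-key"},
    BEFORE[1],
]

if __name__ == "__main__":
    # Live use: before = snapshot("ca-central-1"); run the play with --check; after = snapshot(...)
    print(diff_key_pairs(BEFORE, AFTER))
```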
@abikouo We don't learn much from running in verbose. Even running with `ansible-playbook play.yml --check -vvv` doesn't tell much. I ran it 3 times and I got the exact same output (compared with diff to make sure). Here it is:

```
ansible-playbook [core 2.14.2]
config file = /Users/pgrenaud/REDACTED/ansible.cfg
configured module search path = ['/Users/pgrenaud/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/lib/python3.11/site-packages/ansible
ansible collection location = /Users/pgrenaud/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/local/bin/ansible-playbook
python version = 3.11.2 (main, Feb 13 2023, 03:46:18) [Clang 14.0.0 (clang-1400.0.29.202)] (/usr/local/opt/python@3.11/bin/python3.11)
jinja version = 3.1.2
libyaml = True
Using /Users/pgrenaud/REDACTED/ansible.cfg as config file
host_list declined parsing /Users/pgrenaud/REDACTED/inventory.ini as it did not pass its verify_file() method
script declined parsing /Users/pgrenaud/REDACTED/inventory.ini as it did not pass its verify_file() method
auto declined parsing /Users/pgrenaud/REDACTED/inventory.ini as it did not pass its verify_file() method
yaml declined parsing /Users/pgrenaud/REDACTED/inventory.ini as it did not pass its verify_file() method
Parsed /Users/pgrenaud/REDACTED/inventory.ini inventory source with ini plugin
host_list declined parsing /Users/pgrenaud/REDACTED/inventory-local.ini as it did not pass its verify_file() method
script declined parsing /Users/pgrenaud/REDACTED/inventory-local.ini as it did not pass its verify_file() method
auto declined parsing /Users/pgrenaud/REDACTED/inventory-local.ini as it did not pass its verify_file() method
yaml declined parsing /Users/pgrenaud/REDACTED/inventory-local.ini as it did not pass its verify_file() method
Parsed /Users/pgrenaud/REDACTED/inventory-local.ini inventory source with ini plugin
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.
PLAYBOOK: play.yml *************************************************************
1 plays in play.yml
PLAY [ec2] *********************************************************************
TASK [set ssh key pub] *********************************************************
task path: /Users/pgrenaud/REDACTED/play.yml:7
ok: [localhost -> localhost] => {
    "ansible_facts": {
        "ssh_key_pub": "ssh-rsa REDACTED pgrenaud@pgrenaud-2021"
    },
    "changed": false
}
TASK [set ssh key name] ********************************************************
task path: /Users/pgrenaud/REDACTED/play.yml:13
ok: [localhost -> localhost] => {
    "ansible_facts": {
        "ssh_key_name": "pgrenaud@pgrenaud-2021"
    },
    "changed": false
}
TASK [create key pair] *********************************************************
task path: /Users/pgrenaud/REDACTED/play.yml:19
Using module file /usr/local/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/modules/ec2_key.py
Pipelining is enabled.
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: pgrenaud
<localhost> EXEC /bin/sh -c '/usr/local/bin/python3 && sleep 0'
ok: [localhost -> localhost] => {
    "changed": false,
    "invocation": {
        "module_args": {
            "access_key": "REDACTED",
            "aws_ca_bundle": null,
            "aws_config": null,
            "debug_botocore_endpoint_logs": false,
            "endpoint_url": null,
            "force": true,
            "key_material": "ssh-rsa REDACTED pgrenaud@pgrenaud-2021",
            "key_type": null,
            "name": "pgrenaud@pgrenaud-2021",
            "profile": null,
            "purge_tags": true,
            "region": "ca-central-1",
            "secret_key": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "session_token": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "state": "present",
            "tags": null,
            "validate_certs": true
        }
    },
    "key": {
        "fingerprint": "ee:12:9c:69:81:0a:8e:0d:91:b2:92:95:e8:e3:01:15",
        "id": "key-082de2518417d1795",
        "name": "pgrenaud@pgrenaud-2021",
        "tags": {},
        "type": "rsa"
    },
    "msg": "key pair already exists"
}
PLAY RECAP *********************************************************************
localhost : ok=3 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
```
It does say at the end that the key pair already exists and refers to key `key-082de2518417d1795`, which is the key that was created first when running in normal mode (not check mode).
@gravesm Yes, exactly!
@gravesm @pgrenaud thanks for the feedback, I will try to reproduce it on my side and fix the issue. I will notify you when the pull request is ready
@abikouo FYI, looking at the code I suspect this was fixed by #1288 but I don't think the code's been backported.
@pgrenaud I can confirm that the issue has been fixed by #1288 (thanks @tremble). I will backport it to this branch; in the meantime you can use the main branch to have the latest features and fixes.
Relevant fixes have been landed in main/stable-5 and will be available with the next release
Summary
When running an ec2_key task in check mode, I've noticed that it creates new key pairs in AWS when it definitely should not.
Issue Type
Bug Report
Component Name
ec2_key
Steps to Reproduce
Run the following play once to create the key pair (`ansible-playbook play.yml`), then a second time in check mode (`ansible-playbook play.yml --check`):
Expected Results
I expect Ansible to report whether the key pair would be created or not when running in check mode, without actually doing anything.
Actual Results
Even though Ansible does not report any changes, a new key pair is created every time the play is run in check mode if the key pair already exists (nothing actually happens if the key pair does not exist). After running the play 5 times, I get the following result in the AWS console: