ansible-collections / amazon.aws

Ansible Collection for Amazon AWS
GNU General Public License v3.0

elb_application_lb: unable to use authenticate-oidc #1877

Closed markuman closed 9 months ago

markuman commented 1 year ago

Summary

In the past, you could set as a rule

            Actions:
              - Type: authenticate-oidc
                Order: 1
                AuthenticateOidcConfig:
                  ClientSecret: "{{ lookup('onepassword', 'abc123') }}"
                  UseExistingClientSecret: True
                  ....

and it worked. Because of this logic, it doesn't matter if the rule is a new one or an existing one.

Currently you get back the error from the past:

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: botocore.errorfactory.InvalidLoadBalancerActionException: An error occurred (InvalidLoadBalancerAction) when calling the ModifyRule operation: You cannot both specify a client secret and set UseExistingClientSecret to true
fatal: [localhost]: FAILED! => {"boto3_version": "1.28.73", "botocore_version": "1.31.85", "changed": false, "error": {"code": "InvalidLoadBalancerAction", "message": "You cannot both specify a client secret and set UseExistingClientSecret to true", "type": "Sender"}, "msg": "An error occurred (InvalidLoadBalancerAction) when calling the ModifyRule operation: You cannot both specify a client secret and set UseExistingClientSecret to true", "response_metadata": {"http_headers": {"connection": "close", "content-length": "352", "content-type": "text/xml", "date": "Thu, 23 Nov 2023 13:12:43 GMT", "x-amzn-requestid": "0b5b9a7b-e4f7-4c0e-9aae-cd3c4dfbe447"}, "http_status_code": 400, "request_id": "0b5b9a7b-e4f7-4c0e-9aae-cd3c4dfbe447", "retry_attempts": 0}}

You cannot both specify a client secret and set UseExistingClientSecret to true

once, fixed in https://github.com/ansible-collections/amazon.aws/pull/1270

When removing the ClientSecret key

            Actions:
              - Type: authenticate-oidc
                Order: 1
                AuthenticateOidcConfig:
                  #ClientSecret: "{{ lookup('onepassword', 'abc123') }}"
                  UseExistingClientSecret: True
                  ....

you get a new error

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: botocore.errorfactory.InvalidLoadBalancerActionException: An error occurred (InvalidLoadBalancerAction) when calling the ModifyRule operation: You can only set UseExistingClientSecret to true if the rule already has an authenticate-oidc action
fatal: [localhost]: FAILED! => {"boto3_version": "1.28.73", "botocore_version": "1.31.85", "changed": false, "error": {"code": "InvalidLoadBalancerAction", "message": "You can only set UseExistingClientSecret to true if the rule already has an authenticate-oidc action", "type": "Sender"}, "msg": "An error occurred (InvalidLoadBalancerAction) when calling the ModifyRule operation: You can only set UseExistingClientSecret to true if the rule already has an authenticate-oidc action", "response_metadata": {"http_headers": {"connection": "close", "content-length": "373", "content-type": "text/xml", "date": "Thu, 23 Nov 2023 13:14:45 GMT", "x-amzn-requestid": "f4532a2a-397b-4efb-a906-e6a42a5ba151"}, "http_status_code": 400, "request_id": "f4532a2a-397b-4efb-a906-e6a42a5ba151", "retry_attempts": 0}}

You can only set UseExistingClientSecret to true if the rule already has an authenticate-oidc action

So something new has changed/gets broken ....

Issue Type

Bug Report

Component Name

elb_application_lb

Ansible Version

ansible [core 2.15.5]
  config file = /home/m/git/lekker/iac/ansible.cfg
  configured module search path = ['/home/m/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/m/.local/lib/python3.10/site-packages/ansible
  ansible collection location = /home/m/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/m/.local/bin/ansible
  python version = 3.10.12 (main, Jun 11 2023, 05:26:28) [GCC 11.4.0] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True

Collection Versions

ansible-galaxy collection list

# /home/m/.ansible/collections/ansible_collections
Collection                     Version
------------------------------ -------
amazon.aws                     7.0.0  
ansible.netcommon              5.1.2  
ansible.posix                  1.5.4  
ansible.utils                  2.10.3 
ansible.windows                2.0.0  
community.aws                  7.0.0  
community.crypto               2.13.1 
community.general              7.4.0  
community.mysql                3.7.2  
community.postgresql           3.0.0  
community.zabbix               1.9.3  
devsec.hardening               8.7.0  
markuman.nessus                0.0.6  
markuman.nextcloud             26.0.0 
opitzconsulting.ansible_oracle 3.9.0  

# /home/m/.local/lib/python3.10/site-packages/ansible_collections
Collection                     Version
------------------------------ -------
amazon.aws                     6.5.0  
ansible.netcommon              5.2.0  
ansible.posix                  1.5.4  
ansible.utils                  2.11.0 
ansible.windows                1.14.0 
arista.eos                     6.1.2  
awx.awx                        22.7.0 
azure.azcollection             1.18.1 
check_point.mgmt               5.1.1  
chocolatey.chocolatey          1.5.1  
cisco.aci                      2.7.0  
cisco.asa                      4.0.2  
cisco.dnac                     6.7.5  
cisco.intersight               1.0.27 
cisco.ios                      4.6.1  
cisco.iosxr                    5.0.3  
cisco.ise                      2.5.16 
cisco.meraki                   2.16.5 
cisco.mso                      2.5.0  
cisco.nso                      1.0.3  
cisco.nxos                     4.4.0  
cisco.ucs                      1.10.0 
cloud.common                   2.1.4  
cloudscale_ch.cloud            2.3.1  
community.aws                  6.3.0  
community.azure                2.0.0  
community.ciscosmb             1.0.6  
community.crypto               2.15.1 
community.digitalocean         1.24.0 
community.dns                  2.6.2  
community.docker               3.4.9  
community.fortios              1.0.0  
community.general              7.5.0  
community.google               1.0.0  
community.grafana              1.5.4  
community.hashi_vault          5.0.0  
community.hrobot               1.8.1  
community.libvirt              1.3.0  
community.mongodb              1.6.3  
community.mysql                3.7.2  
community.network              5.0.0  
community.okd                  2.3.0  
community.postgresql           2.4.3  
community.proxysql             1.5.1  
community.rabbitmq             1.2.3  
community.routeros             2.10.0 
community.sap                  1.0.0  
community.sap_libs             1.4.1  
community.skydive              1.0.0  
community.sops                 1.6.6  
community.vmware               3.10.0 
community.windows              1.13.0 
community.zabbix               2.1.0  
containers.podman              1.10.3 
cyberark.conjur                1.2.2  
cyberark.pas                   1.0.23 
dellemc.enterprise_sonic       2.2.0  
dellemc.openmanage             7.6.1  
dellemc.powerflex              1.9.0  
dellemc.unity                  1.7.1  
f5networks.f5_modules          1.26.0 
fortinet.fortimanager          2.2.1  
fortinet.fortios               2.3.2  
frr.frr                        2.0.2  
gluster.gluster                1.0.2  
google.cloud                   1.2.0  
grafana.grafana                2.2.3  
hetzner.hcloud                 1.16.0 
hpe.nimble                     1.1.4  
ibm.qradar                     2.1.0  
ibm.spectrum_virtualize        1.12.0 
infinidat.infinibox            1.3.12 
infoblox.nios_modules          1.5.0  
inspur.ispim                   1.3.0  
inspur.sm                      2.3.0  
junipernetworks.junos          5.3.0  
kubernetes.core                2.4.0  
lowlydba.sqlserver             2.2.1  
microsoft.ad                   1.3.0  
netapp.aws                     21.7.0 
netapp.azure                   21.10.0
netapp.cloudmanager            21.22.0
netapp.elementsw               21.7.0 
netapp.ontap                   22.7.0 
netapp.storagegrid             21.11.1
netapp.um_info                 21.8.0 
netapp_eseries.santricity      1.4.0  
netbox.netbox                  3.14.0 
ngine_io.cloudstack            2.3.0  
ngine_io.exoscale              1.1.0  
ngine_io.vultr                 1.1.3  
openstack.cloud                2.1.0  
openvswitch.openvswitch        2.1.1  
ovirt.ovirt                    3.2.0  
purestorage.flasharray         1.21.0 
purestorage.flashblade         1.14.0 
purestorage.fusion             1.6.0  
sensu.sensu_go                 1.14.0 
servicenow.servicenow          1.0.6  
splunk.es                      2.1.0  
t_systems_mms.icinga_director  1.33.1 
telekom_mms.icinga_director    1.34.1 
theforeman.foreman             3.14.0 
vmware.vmware_rest             2.3.1  
vultr.cloud                    1.10.0 
vyos.vyos                      4.1.0  
wti.remote                     1.0.5  

AWS SDK versions

WARNING: Package(s) not found: boto
Name: boto3
Version: 1.28.73
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email: 
License: Apache License 2.0
Location: /home/m/.local/lib/python3.10/site-packages
Requires: botocore, jmespath, s3transfer
Required-by: awslogs
---
Name: botocore
Version: 1.31.85
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email: 
License: Apache License 2.0
Location: /home/m/.local/lib/python3.10/site-packages
Requires: jmespath, python-dateutil, urllib3
Required-by: awscli, boto3, s3transfer

Configuration

CONFIG_FILE() = /home/m/git/lekker/iac/ansible.cfg
DEFAULT_ROLES_PATH(/home/m/git/lekker/iac/ansible.cfg) = ['/home/m/.ansible/roles']
INTERPRETER_PYTHON(/home/m/git/lekker/iac/ansible.cfg) = /usr/bin/python3

OS / Environment

Ubuntu 22.04

Steps to Reproduce

see in summary

Expected Results

rules are set; it doesn't matter whether both keys UseExistingClientSecret: True and ClientSecret are set

Actual Results

see summary


abikouo commented 10 months ago

@markuman I can't reproduce the issue when modifying the existing load balancer rule. The only issue I can reproduce is when creating a new load balancer rule using both UseExistingClientSecret=true and ClientSecret

The error was: botocore.errorfactory.InvalidLoadBalancerActionException: An error occurred (InvalidLoadBalancerAction) when calling the CreateRule operation: You cannot both specify a client secret and set UseExistingClientSecret to true

However this has been fixed using #1956

Could you please provide a full sequence on how to reproduce the issue? Here is the playbook I used to reproduce it

- name: Create an ALB with different listener by adding rule
  amazon.aws.elb_application_lb:
    name: sample-lb
    subnets: 
      - subnet-xxxxxxxxxxxxxxxxx
      - subnet-xxxxxxxxxxxxxxxxx
    security_groups: sg-xxxxxxxxxxxxxx
    state: present
    listeners:
      - Protocol: HTTPS
        Port: 443
        Certificates:
          - CertificateArn: arn:aws:iam::0123456789:server-certificate/ansible-test-xxxxxxxxxxx
        SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
        DefaultActions:
          - Type: forward
            TargetGroupName: test-target-01
        Rules:
          - Priority: 1
            Conditions:
              - Field: path-pattern
                Values:
                  - /test
            Actions:
              - TargetGroupName: test-target-01
                Type: forward
                Order: 2
              - Type: authenticate-oidc
                Order: 1
                AuthenticateOidcConfig:
                  Issuer: https://xxxxxxxxxxx
                  AuthorizationEndpoint: https://xxxxxxxxxxxxxx
                  TokenEndpoint: https://xxxxxxxxxxxxxx/oauth/token
                  UserInfoEndpoint: https://xxxxxxxxxxxxx/userinfo
                  ClientId: myclientid123645
                  ClientSecret: abcdefghigjth1233
                  UseExistingClientSecret: True

markuman commented 10 months ago

The modified rule is correctly returned at line 1186: https://github.com/ansible-collections/amazon.aws/blob/main/plugins/module_utils/elbv2.py#L1186
The key ClientSecret is popped, because UseExistingClientSecret is set to True.

To make it visible, I added some q debugging lines.

diff --git a/plugins/module_utils/elbv2.py b/plugins/module_utils/elbv2.py
index 429d5f7c..e69615f1 100644
--- a/plugins/module_utils/elbv2.py
+++ b/plugins/module_utils/elbv2.py
@@ -95,8 +95,12 @@ def _prune_ForwardConfig(action):
 # remove the client secret if UseExistingClientSecret, because aws won't return it
 # add default values when they are not requested
 def _prune_secret(action):
+    import q
+
     if action["Type"] != "authenticate-oidc":
         return action
+    else:
+        q(action)

     if not action["AuthenticateOidcConfig"].get("Scope", False):
         action["AuthenticateOidcConfig"]["Scope"] = "openid"
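Review bot: `q(action)` in the new `else` branch dumps the unpruned action, `ClientSecret` included, into q's log file (the captured output further down indeed shows `'ClientSecret': 'xxx'`), so even for a throwaway debug session prefer logging the key names, e.g. `q(sorted(action["AuthenticateOidcConfig"]))`, or a copy with the secret masked. The function-local `import q` also makes the module fail to import wherever `q` is not installed, so this must stay a local patch.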
@@ -105,7 +109,9 @@ def _prune_secret(action):
         action["AuthenticateOidcConfig"]["SessionTimeout"] = 604800

     if action["AuthenticateOidcConfig"].get("UseExistingClientSecret", False):
+        q("must be popped")
         action["AuthenticateOidcConfig"].pop("ClientSecret", None)
+        q(action)

     return action
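Review bot: the pop guarded by `UseExistingClientSecret` covers only the existing-rule half of the AWS constraint; nothing in `_prune_secret` can tell a new rule from a modified one, and for a new rule the opposite is required (keep `ClientSecret`, clear `UseExistingClientSecret`), so the caller has to pass that context in or this needs splitting into two helpers. The second `q(action)` again logs the full config; restrict it to key names.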

@@ -1131,7 +1137,7 @@ class ELBListenerRules:

         :return:
         """
-
+        import q
         rules_to_modify = []
         rules_to_delete = []
         rules_to_add = deepcopy(self.rules)
@@ -1147,6 +1153,7 @@ class ELBListenerRules:
                     if modified_rule:
                         modified_rule["Priority"] = int(current_rule["Priority"])
                         modified_rule["RuleArn"] = current_rule["RuleArn"]
+                        q("prune secret will be reverted here")
                         modified_rule["Actions"] = new_rule["Actions"]
                         modified_rule["Conditions"] = new_rule["Conditions"]
                         rules_to_modify.append(modified_rule)
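Review bot: `modified_rule["Actions"] = new_rule["Actions"]` (the line right after the new `q(...)`) copies the requested actions verbatim, which is exactly where the pruned `ClientSecret` re-enters the request; either assign the pruned actions here, e.g. `[_prune_secret(a) for a in new_rule["Actions"]]`, or prune once in the code that builds the API call so that both `rules_to_add` and `rules_to_modify` pass through it. Even then, the match at this point is on priority alone (as the thread notes), so a rule inserted at an already-used priority number is still classified as a modification rather than a new rule.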
@@ -1155,7 +1162,7 @@ class ELBListenerRules:
             # If the current rule was not matched against passed rules, mark for removal
             if not current_rule_passed_to_module and not current_rule["IsDefault"]:
                 rules_to_delete.append(current_rule["RuleArn"])
-
+        q(rules_to_modify)
         return rules_to_add, rules_to_modify, rules_to_delete
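Review bot: `q(rules_to_modify)` logs every rule queued for ModifyRule, secrets included, as the captured `rules_to_modify=[...]` line below shows; limit it to `RuleArn` and `Priority`. The `-`/`+` pair here otherwise only swaps a blank line for the debug call, so it should be dropped together with the other `q` lines before anything is proposed as a real change.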

And after that, in line 1190, the modified rule, where the ClientSecret was popped (because that is necessary), is reverted by taking the requested rule again. So the popped ClientSecret is in place again, and both ClientSecret and UseExistingClientSecret: True are requested against boto3.

 4.2s _prune_secret: 
      action={'AuthenticateOidcConfig': {'AuthorizationEndpoint': 'https://login.microsoftonline.com/123/oauth2/v2.0/authorize', 'ClientId': 'ABClientID', 'ClientSecret': 'xxx', 'Issuer': 'https://login.microsoftonline.com/123/v2.0', 'OnUnauthenticatedRequest': 'authenticate', 'SessionCookieName': 'AWSELBAuthSessionCookie', 'TokenEndpoint': 'https://login.microsoftonline.com/123/oauth2/v2.0/token', 'UseExistingClientSecret': True, 'UserInfoEndpoint': 'https://graph.microsoft.com/oidc/userinfo'}, 'Order': 1, 'Type': 'authenticate-oidc'}
 4.2s _prune_secret: "must be popped"='must be popped'
 4.2s _prune_secret: 
      action={'AuthenticateOidcConfig': {'AuthorizationEndpoint': 'https://login.microsoftonline.com/123/oauth2/v2.0/authorize', 'ClientId': 'ABClientID', 'Issuer': 'https://login.microsoftonline.com/123/v2.0', 'OnUnauthenticatedRequest': 'authenticate', 'Scope': 'openid', 'SessionCookieName': 'AWSELBAuthSessionCookie', 'SessionTimeout': 604800, 'TokenEndpoint': 'https://login.microsoftonline.com/123/oauth2/v2.0/token', 'UseExistingClientSecret': True, 'UserInfoEndpoint': 'https://graph.microsoft.com/oidc/userinfo'}, 'Order': 1, 'Type': 'authenticate-oidc'}
 4.2s compare_rules: 
      "prune secret will be reverted here"='prune secret will be reverted here'
 4.2s compare_rules: 
      "prune secret will be reverted here"='prune secret will be reverted here'
 4.2s compare_rules: 
      rules_to_modify=[{'Actions': [{'AuthenticateOidcConfig': {'AuthorizationEndpoint': 'https://login.microsoftonline.com/123/oauth2/v2.0/authorize', 'ClientId': 'ABClientID', 'ClientSecret': 'xxx', 'Issuer': 'https://login.microsoftonline.com/123/v2.0', 'OnUnauthenticatedRequest': 'authenticate', 'SessionCookieName': 'AWSELBAuthSessionCookie', 'TokenEndpoint': 'https://login.microsoftonline.com/123/oauth2/v2.0/token', 'UseExistingClientSecret': True, 'UserInfoEndpoint': 'https://graph.microsoft.com/oidc/userinfo'}, 'Order': 1, 'Type': 'authenticate-oidc'}, {'Order': 2, 'TargetGroupArn': 'arn:aws:elasticloadbalancing:eu-central-1:111:targetgroup/extern/c68839a5495', 'Type': 'forward'}], 'Conditions': [{'Field': 'host-header', 'Values': ['something1.lekker.de', 'something.lekker.de']}, {'Field': 'path-pattern', 'Values': ['/be.php/*']}], 'Priority': 25, 'RuleArn': 'arn:aws:elasticloadbalancing:eu-central-1:111:listener-rule/app/lekker/fba205cf17b1/c2a8d42098/7922f23be698'}, {'Actions': [{'TargetGroupArn': 'arn:aws:elasticloadbalancing:eu-central-1:111:targetgroup/ecs-energieladen-extern/dd40d9226b35', 'Type': 'forward'}], 'Conditions': [{'Field': 'path-pattern', 'Values': ['/wp-*']}], 'Priority': 47, 'RuleArn': 'arn:aws:elasticloadbalancing:eu-central-1:111:listener-rule/app/lekker/fba205cf17b9a51/c2a8420d798/eee95bdede5f529b'}]

markuman commented 10 months ago

Okay, the issue is somewhat different.

The rule was detected as a modified rule, but it was a new one.
Why? Because it was added somewhere in the middle of the rules list, and ansible just used the priority key to decide whether a rule is a modified or a new rule https://github.com/ansible-collections/amazon.aws/blob/main/plugins/module_utils/elbv2.py#L1182

This case is not solvable!

But when the rule is added at the end of the rules list, it becomes a new rule (a priority that does not exist yet), and the module runs into a chicken-and-egg problem.
If you want to commit the rule with UseExistingClientSecret: True so that it stays immutable across multiple runs of your playbook, you'll run into the same error

"msg": "An error occurred (InvalidLoadBalancerAction) when calling the ModifyRule operation: You cannot both specify a client secret and set UseExistingClientSecret to true

When

  1. Rule is from action type authenticate-oidc AND
  2. Rule is a new one (rules_to_add)

then UseExistingClientSecret must be set to False, no matter what was requested.

markuman commented 10 months ago

So to reproduce it you need to first apply this

- name: Create an ALB with different listener by adding rule
  amazon.aws.elb_application_lb:
    name: sample-lb
    subnets: 
      - subnet-xxxxxxxxxxxxxxxxx
      - subnet-xxxxxxxxxxxxxxxxx
    security_groups: sg-xxxxxxxxxxxxxx
    state: present
    listeners:
      - Protocol: HTTPS
        Port: 443
        Certificates:
          - CertificateArn: arn:aws:iam::0123456789:server-certificate/ansible-test-xxxxxxxxxxx
        SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
        DefaultActions:
          - Type: forward
            TargetGroupName: test-target-01
        Rules:
          - Priority: 1
            Conditions:
              - Field: host-header
                Values:
                  - bla.tld
            Actions:
              - TargetGroupName: somewhere
                Type: forward
          - Priority: 2
            Conditions:
              - Field: host-header
                Values:
                  - yolo.rocks
            Actions:
              - TargetGroupName: yeah
                Type: forward

and then modify it like that

- name: Create an ALB with different listener by adding rule
  amazon.aws.elb_application_lb:
    name: sample-lb
    subnets: 
      - subnet-xxxxxxxxxxxxxxxxx
      - subnet-xxxxxxxxxxxxxxxxx
    security_groups: sg-xxxxxxxxxxxxxx
    state: present
    listeners:
      - Protocol: HTTPS
        Port: 443
        Certificates:
          - CertificateArn: arn:aws:iam::0123456789:server-certificate/ansible-test-xxxxxxxxxxx
        SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
        DefaultActions:
          - Type: forward
            TargetGroupName: test-target-01
        Rules:
          - Priority: 1
            Conditions:
              - Field: host-header
                Values:
                  - bla.tld
            Actions:
              - TargetGroupName: somewhere
                Type: forward
          - Priority: 2
            Conditions:
              - Field: path-pattern
                Values:
                  - /test
            Actions:
              - TargetGroupName: test-target-01
                Type: forward
                Order: 2
              - Type: authenticate-oidc
                Order: 1
                AuthenticateOidcConfig:
                  Issuer: https://xxxxxxxxxxx
                  AuthorizationEndpoint: https://xxxxxxxxxxxxxx
                  TokenEndpoint: https://xxxxxxxxxxxxxx/oauth/token
                  UserInfoEndpoint: https://xxxxxxxxxxxxx/userinfo
                  ClientId: myclientid123645
                  ClientSecret: abcdefghigjth1233
                  UseExistingClientSecret: True
          - Priority: 3
            Conditions:
              - Field: host-header
                Values:
                  - yolo.rocks
            Actions:
              - TargetGroupName: yeah
                Type: forward

abikouo commented 10 months ago

@markuman I have updated PR #1956 to fix this test case. Could you please validate if it is working as expected using #1956? Thanks

markuman commented 9 months ago

> @markuman I have updated PR #1956 to fix this test case. Could you please validate if it is working as expected using #1956? Thanks

No, it does not solve the issue.
When you add a new authenticate-oidc rule in the middle of your existing rules, .... the rule is still detected as a changed one (because the comparison is based on the priority number), but strictly speaking, it is a new one.

markuman commented 9 months ago

> When
>
> 1. Rule is from action type `authenticate-oidc` **AND**
>
> 2. Rule is a new one (`rules_to_add`)
>
> then UseExistingClientSecret must be set to False, no matter what was requested.

this still failed with your branch, when adding a new rule to an existing ALB at the end (priority number + 1).

abikouo commented 9 months ago

@markuman I just realized that there is an API to update the rule priority; this will be used when the rule has only changed its priority but all the other properties remain the same. This will fix the use case where an authenticate-oidc rule is inserted in the middle of existing rules.

> When
>
> 1. Rule is from action type `authenticate-oidc` **AND**
>
> 2. Rule is a new one (`rules_to_add`)
>
> then UseExistingClientSecret must be set to False, no matter what was requested.
>
> this still failed with your branch, when adding a new rule to an existing ALB at the end (priority number + 1).

This has also been fixed.
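As an added example, not code from the collection or from either commenter: a small planner in plain Python that applies the two points made above, matching rules by content so that a rule which only moved goes to SetRulePriorities, forcing UseExistingClientSecret to False on a rule that turns out to be new, and dropping ClientSecret on a modified rule that reuses the stored secret. The function and fixture names (plan_rule_changes, sanitize_oidc, host_rule, oidc_rule), the placeholder ARNs, endpoints and secret are all assumptions, and actions are assumed to be already normalized to AWS form (TargetGroupArn resolved, Order set).

```python
import json
from copy import deepcopy

OIDC_DEFAULTS = {"Scope": "openid", "SessionTimeout": 604800}  # filled in by AWS, as in _prune_secret

def _content_key(rule):
    """What a rule does, ignoring priority, RuleArn and the secret fields AWS never returns."""
    actions = []  # actions are assumed already in AWS form (TargetGroupArn resolved, Order set)
    for action in rule["Actions"]:
        action = deepcopy(action)
        if action.get("Type") == "authenticate-oidc":
            cfg = action["AuthenticateOidcConfig"]
            cfg.pop("ClientSecret", None)
            cfg.pop("UseExistingClientSecret", None)
            for key, value in OIDC_DEFAULTS.items():
                cfg.setdefault(key, value)
        actions.append(action)
    return json.dumps({"Conditions": rule["Conditions"], "Actions": actions}, sort_keys=True)

def sanitize_oidc(action, is_new):
    """New rule: no stored secret exists, so keep ClientSecret and force UseExistingClientSecret=False.
    Modified rule reusing the stored secret: drop ClientSecret, since AWS rejects the two together."""
    if action.get("Type") != "authenticate-oidc":
        return action
    cfg = action["AuthenticateOidcConfig"]
    if is_new:
        cfg["UseExistingClientSecret"] = False
    elif cfg.get("UseExistingClientSecret", False):
        cfg.pop("ClientSecret", None)
    return action

def plan_rule_changes(current_rules, requested_rules):
    """Return (to_add, to_modify, to_reprioritize, to_delete); apply as reprioritize, delete, modify, add."""
    unmatched = {r["RuleArn"]: r for r in current_rules if not r.get("IsDefault", False)}
    by_content = {_content_key(r): r for r in unmatched.values()}
    to_add, to_modify, to_reprioritize, pending = [], [], [], []
    # pass 1: identical content at any priority means the rule only moved (SetRulePriorities)
    for req in requested_rules:
        cur = by_content.get(_content_key(req))
        if cur is None or cur["RuleArn"] not in unmatched:
            pending.append(deepcopy(req))
            continue
        del unmatched[cur["RuleArn"]]
        if int(cur["Priority"]) != int(req["Priority"]):
            to_reprioritize.append({"RuleArn": cur["RuleArn"], "Priority": int(req["Priority"])})
    # pass 2: a leftover request at a still-unmatched priority modifies that rule; anything
    # else is a genuinely new rule, even when its priority number was in use until pass 1
    by_priority = {int(r["Priority"]): r for r in unmatched.values()}
    for req in pending:
        cur = by_priority.pop(int(req["Priority"]), None)
        if cur is not None:
            del unmatched[cur["RuleArn"]]
            req["RuleArn"] = cur["RuleArn"]
            req["Actions"] = [sanitize_oidc(a, is_new=False) for a in req["Actions"]]
            to_modify.append(req)
        else:
            req["Actions"] = [sanitize_oidc(a, is_new=True) for a in req["Actions"]]
            to_add.append(req)
    return to_add, to_modify, to_reprioritize, list(unmatched)

def fwd_action(target_group):  # constructed fixtures follow: placeholder ARNs, endpoints and secret
    return {"Type": "forward", "TargetGroupArn": "arn:aws:elasticloadbalancing:eu-central-1:111:targetgroup/%s/1" % target_group}

def oidc_action():
    return {"Type": "authenticate-oidc", "Order": 1, "AuthenticateOidcConfig": {
        "Issuer": "https://idp.example/v2.0", "AuthorizationEndpoint": "https://idp.example/authorize",
        "TokenEndpoint": "https://idp.example/token", "UserInfoEndpoint": "https://idp.example/userinfo",
        "ClientId": "myclientid123645", "ClientSecret": "placeholder-secret", "UseExistingClientSecret": True}}

def host_rule(priority, name, target_group, rule_arn=None):
    rule = {"Priority": priority, "Conditions": [{"Field": "host-header", "Values": [name]}],
            "Actions": [fwd_action(target_group)]}
    return dict(rule, RuleArn=rule_arn) if rule_arn else rule

def oidc_rule(priority, rule_arn=None):
    rule = {"Priority": priority, "Conditions": [{"Field": "path-pattern", "Values": ["/test"]}],
            "Actions": [dict(fwd_action("test-target-01"), Order=2), oidc_action()]}
    return dict(rule, RuleArn=rule_arn) if rule_arn else rule

def insert_oidc_in_the_middle():
    """The thread's reproduction: bla.tld (1) and yolo.rocks (2) exist; the OIDC rule takes 2, yolo moves to 3."""
    current = [host_rule("1", "bla.tld", "somewhere", "arn:rule/1"), host_rule("2", "yolo.rocks", "yeah", "arn:rule/2")]
    requested = [host_rule(1, "bla.tld", "somewhere"), oidc_rule(2), host_rule(3, "yolo.rocks", "yeah")]
    return plan_rule_changes(current, requested)
```

For the reproduction above the planner yields one SetRulePriorities entry (yolo.rocks to 3) and one new rule with ClientSecret kept and UseExistingClientSecret False; deleting the middle rule of a three-rule listener yields a single delete and no reprioritization.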

markuman commented 6 months ago

So to reproduce it you need to first apply this

- name: Create an ALB with different listener by adding rule
  amazon.aws.elb_application_lb:
    name: sample-lb
    subnets: 
      - subnet-xxxxxxxxxxxxxxxxx
      - subnet-xxxxxxxxxxxxxxxxx
    security_groups: sg-xxxxxxxxxxxxxx
    state: present
    listeners:
      - Protocol: HTTPS
        Port: 443
        Certificates:
          - CertificateArn: arn:aws:iam::0123456789:server-certificate/ansible-test-xxxxxxxxxxx
        SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
        DefaultActions:
          - Type: forward
            TargetGroupName: test-target-01
        Rules:
          - Priority: 1
            Conditions:
              - Field: host-header
                Values:
                  - bla.tld
            Actions:
              - TargetGroupName: somewhere
                Type: forward
          - Priority: 2
            Conditions:
              - Field: host-header
                Values:
                  - yolo.rocks
            Actions:
              - TargetGroupName: yeah
                Type: forward

and then modify it like that

- name: Create an ALB with different listener by adding rule
  amazon.aws.elb_application_lb:
    name: sample-lb
    subnets: 
      - subnet-xxxxxxxxxxxxxxxxx
      - subnet-xxxxxxxxxxxxxxxxx
    security_groups: sg-xxxxxxxxxxxxxx
    state: present
    listeners:
      - Protocol: HTTPS
        Port: 443
        Certificates:
          - CertificateArn: arn:aws:iam::0123456789:server-certificate/ansible-test-xxxxxxxxxxx
        SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
        DefaultActions:
          - Type: forward
            TargetGroupName: test-target-01
        Rules:
          - Priority: 1
            Conditions:
              - Field: host-header
                Values:
                  - bla.tld
            Actions:
              - TargetGroupName: somewhere
                Type: forward
          - Priority: 2
            Conditions:
              - Field: path-pattern
                Values:
                  - /test
            Actions:
              - TargetGroupName: test-target-01
                Type: forward
                Order: 2
              - Type: authenticate-oidc
                Order: 1
                AuthenticateOidcConfig:
                  Issuer: https://xxxxxxxxxxx
                  AuthorizationEndpoint: https://xxxxxxxxxxxxxx
                  TokenEndpoint: https://xxxxxxxxxxxxxx/oauth/token
                  UserInfoEndpoint: https://xxxxxxxxxxxxx/userinfo
                  ClientId: myclientid123645
                  ClientSecret: abcdefghigjth1233
                  UseExistingClientSecret: True
          - Priority: 3
            Conditions:
              - Field: host-header
                Values:
                  - yolo.rocks
            Actions:
              - TargetGroupName: yeah
                Type: forward

This issue needs to be reopened @abikouo, because it still fails with 7.5.0 the other way round.
Say you've got one ALB with 3 rules. When you delete the one in the middle (priority 2), the module fails

--- /tmp/before.yml     2024-05-03 08:29:41.697584862 +0200
+++ /tmp/after.yml      2024-05-03 08:29:57.211759937 +0200
@@ -24,25 +24,6 @@
             Actions:
               - TargetGroupName: somewhere
                 Type: forward
-          - Priority: 2
-            Conditions:
-              - Field: path-pattern
-                Values:
-                  - /test
-            Actions:
-              - TargetGroupName: test-target-01
-                Type: forward
-                Order: 2
-              - Type: authenticate-oidc
-                Order: 1
-                AuthenticateOidcConfig:
-                  Issuer: https://xxxxxxxxxxx
-                  AuthorizationEndpoint: https://xxxxxxxxxxxxxx
-                  TokenEndpoint: https://xxxxxxxxxxxxxx/oauth/token
-                  UserInfoEndpoint: https://xxxxxxxxxxxxx/userinfo
-                  ClientId: myclientid123645
-                  ClientSecret: abcdefghigjth1233
-                  UseExistingClientSecret: True
           - Priority: 3
             Conditions:
               - Field: host-header
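Review bot: the only change in this hunk is the removal of the priority-2 rule; priorities 1 and 3 are untouched, so the correct plan is a single DeleteRule and no SetRulePriorities call at all. The `PriorityInUse: One or more priorities not found` failure below therefore means the module still derives a priority update that references a rule priority no longer present; the delete set should be computed from current rules that match nothing in the request, and reprioritization limited to rules whose content matched at a different priority.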
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: botocore.errorfactory.PriorityInUseException: An error occurred (PriorityInUse) when calling the SetRulePriorities operation: One or more priorities not found
fatal: [localhost]: FAILED! => {"boto3_version": "1.34.34", "botocore_version": "1.34.34", "changed": false, "error": {"code": "PriorityInUse", "message": "One or more priorities not found", "type": "Sender"}, "msg": "An error occurred (PriorityInUse) when calling the SetRulePriorities operation: One or more priorities not found", "response_metadata": {"http_headers": {"connection": "close", "content-length": "293", "content-type": "text/xml", "date": "Fri, 03 May 2024 06:26:39 GMT", "x-amzn-requestid": "134a2c29-0060-4014-a048-6fcedd701876"}, "http_status_code": 400, "request_id": "134a2c29-0060-4014-a048-6fcedd701876", "retry_attempts": 0}}