ansible-collections / community.aws

Ansible Collection for Community AWS
GNU General Public License v3.0

aws_waf_web_acl failing when configuring rules of type rate_based #1510

Open MrBones757 opened 2 years ago

MrBones757 commented 2 years ago

Summary

When running the aws_waf_web_acl module with a list of rules that contain a mix of regular and rate_based rules, an error is returned when looking up the name of a rate_based rule.

Issue Type

Bug Report

Component Name

aws_waf_web_acl

Ansible Version

2.9.x, 2.12.x

Collection Versions

amazon.aws - 4.2.0
community.aws - 4.2.0

amazon.aws - 2.2.0
community.aws - 2.2.0

AWS SDK versions

botocore-1.27.77
boto3-1.24.77

Configuration

OS / Environment

N/A

Steps to Reproduce

# anonymised
- name: "Change Web ACL"
  community.aws.aws_waf_web_acl:
    aws_access_key: "some-key"
    aws_secret_key: "some-secret-key"
    security_token: "some-session-token"
    region: "some-region"
    name: "some-waf-classic-name"
    default_action: block
    purge_rules: true
    rules:
      - name: "rule-1"
        priority: 1
        action: allow
        type: "regular"
      - name: "rule-2"
        priority: 2
        action: block
        type: "regular"
      - name: "rule-3"
        priority: 3
        action: block
        type: "regular"
      - name: "rule-4"
        priority: 4
        action: allow
        type: "regular"
      - name: "rule-5"
        priority: 5
        action: block
        type: "regular"
      - name: "rule-6"
        priority: 6
        action: block
        type: "regular"
      - name: "rule-7"
        priority: 7
        action: block
        type: "regular"
      - name: "rule-8"
        priority: 8
        action: allow
        type: "regular"
      - name: "rule-9"
        priority: 9
        action: count
        type: "rate_based"
      - name: "rule-10"
        priority: 10
        action: block
        type: "regular"

Expected Results

Rules are updated as per config

Actual Results

A stack trace is returned, stating that the key is not found.

I believe the root cause of the stack trace below is that this module consumes https://github.com/ansible-collections/community.aws/blob/main/plugins/modules/waf_web_acl.py#L176

which, in the amazon.aws collection, calls list_web_acls: https://github.com/ansible-collections/amazon.aws/blob/main/plugins/module_utils/waf.py#L182

I believe something needs to be changed here to call list_rate_based_rules in addition:

# Same retry decorator and paginate/build_full_result pattern as the
# existing *_with_backoff helpers; ListRateBasedRules is a separate WAF
# Classic API, so its rules never appear in the ListRules result.
@AWSRetry.backoff(tries=5, delay=5, backoff=2.0)
def list_rate_based_rules_with_backoff(client):
    paginator = client.get_paginator('list_rate_based_rules')
    # Walk every page and return the flattened list of rate-based rules
    return paginator.paginate().build_full_result()['Rules']

In this module, this would be consumed here: https://github.com/ansible-collections/community.aws/blob/main/plugins/modules/waf_web_acl.py#L193 where the two dictionaries would need to be merged before being returned.

# anonymised
Traceback (most recent call last):
  File "/root/.ansible/tmp/ansible-tmp-1663744496.6413488-455-280617290021228/AnsiballZ_aws_waf_web_acl.py", line 107, in <module>
    _ansiballz_main()
  File "/root/.ansible/tmp/ansible-tmp-1663744496.6413488-455-280617290021228/AnsiballZ_aws_waf_web_acl.py", line 99, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/root/.ansible/tmp/ansible-tmp-1663744496.6413488-455-280617290021228/AnsiballZ_aws_waf_web_acl.py", line 47, in invoke_module
    runpy.run_module(mod_name='ansible_collections.community.aws.plugins.modules.aws_waf_web_acl', init_globals=dict(_module_fqn='ansible_collections.community.aws.plugins.modules.aws_waf_web_acl', _modlib_path=modlib_path),
  File "/usr/lib64/python3.8/runpy.py", line 207, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib64/python3.8/runpy.py", line 97, in _run_module_code
    _run_code(code, mod_globals, init_globals,
  File "/usr/lib64/python3.8/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_community.aws.aws_waf_web_acl_payload_57rh61yt/ansible_community.aws.aws_waf_web_acl_payload.zip/ansible_collections/community/aws/plugins/modules/aws_waf_web_acl.py", line 361, in <module>
  File "/tmp/ansible_community.aws.aws_waf_web_acl_payload_57rh61yt/ansible_community.aws.aws_waf_web_acl_payload.zip/ansible_collections/community/aws/plugins/modules/aws_waf_web_acl.py", line 353, in main
  File "/tmp/ansible_community.aws.aws_waf_web_acl_payload_57rh61yt/ansible_community.aws.aws_waf_web_acl_payload.zip/ansible_collections/community/aws/plugins/modules/aws_waf_web_acl.py", line 307, in ensure_web_acl_present
  File "/tmp/ansible_community.aws.aws_waf_web_acl_payload_57rh61yt/ansible_community.aws.aws_waf_web_acl_payload.zip/ansible_collections/community/aws/plugins/modules/aws_waf_web_acl.py", line 226, in find_and_update_web_acl
  File "/tmp/ansible_community.aws.aws_waf_web_acl_payload_57rh61yt/ansible_community.aws.aws_waf_web_acl_payload.zip/ansible_collections/community/aws/plugins/modules/aws_waf_web_acl.py", line 226, in <listcomp>
KeyError: 'rule-9'

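The failure mode described in the issue, and the merge of the two rule lists it proposes, as an added worked example. This is illustration code, not the collection's module code and not the reporter's snippet: the stub WAF client, its NextMarker pagination, the sample rule names, RuleIds, page size and the playbook rule list are all constructed, and the AWSRetry decorator is left out so it runs offline. It goes one step past the issue by checking that the rule type declared in the playbook matches the type the API reported, and by refusing a rule name that appears in both lists instead of silently overwriting one RuleId with the other.

```python
"""Worked example (added illustration, not the collection's code).

aws_waf_web_acl resolves playbook rule names to RuleIds through a dict built
from ListRules only.  WAF Classic returns rate-based rules from a separate
API, ListRateBasedRules, so a rate_based rule name is absent from that dict
and the name lookup raises KeyError.  Everything below is constructed data.
"""

# Constructed sample data: what WAF Classic would return from the two APIs.
REGULAR_RULES = [{"RuleId": "reg-%02d" % i, "Name": "rule-%d" % i}
                 for i in (1, 2, 3, 4, 5, 6, 7, 8, 10)]
RATE_BASED_RULES = [{"RuleId": "rb-09", "Name": "rule-9"}]


class StubWafClient:
    """Mimics the two WAF Classic list calls with NextMarker pagination.
    Pages are two items long so the pagination path is exercised."""

    PAGE = 2

    def _page(self, items, kwargs):
        start = int(kwargs.get("NextMarker") or 0)
        page = items[start:start + self.PAGE]
        out = {"Rules": page}
        if start + self.PAGE < len(items):
            out["NextMarker"] = str(start + self.PAGE)
        return out

    def list_rules(self, **kwargs):
        return self._page(REGULAR_RULES, kwargs)

    def list_rate_based_rules(self, **kwargs):
        return self._page(RATE_BASED_RULES, kwargs)


def _paginate(call):
    """Follow NextMarker until the API stops returning one; this is what
    paginator.paginate().build_full_result() does in botocore."""
    rules, marker = [], None
    while True:
        resp = call(NextMarker=marker) if marker else call()
        rules.extend(resp["Rules"])
        marker = resp.get("NextMarker")
        if not marker:
            return rules


def list_rules_with_backoff(client):
    # Current behaviour: only ListRules is consulted.
    return _paginate(client.list_rules)


def list_rate_based_rules_with_backoff(client):
    # The addition proposed in the issue: ListRateBasedRules as well.
    return _paginate(client.list_rate_based_rules)


def build_rule_lookup(client, include_rate_based=True):
    """name -> {'RuleId', 'Type'} across both rule kinds.  A name present in
    both lists is an error rather than a silent overwrite, so a mis-resolved
    RuleId cannot end up activated in the Web ACL (assumption: this check is
    the example's own, not the module's)."""
    lookup = {}
    sources = (("REGULAR", list_rules_with_backoff),
               ("RATE_BASED", list_rate_based_rules_with_backoff))
    for rule_type, fetch in sources:
        if rule_type == "RATE_BASED" and not include_rate_based:
            continue
        for rule in fetch(client):
            if rule["Name"] in lookup:
                raise ValueError("ambiguous rule name %r" % rule["Name"])
            lookup[rule["Name"]] = {"RuleId": rule["RuleId"], "Type": rule_type}
    return lookup


def resolve_rule_ids(rules_cfg, lookup):
    """Resolve the playbook's rule list to RuleIds, as the module's list
    comprehension does, and additionally check that the type declared in the
    playbook matches the type the API reported."""
    resolved = []
    for rule in rules_cfg:
        found = lookup[rule["name"]]  # KeyError here with the ListRules-only lookup
        want = "RATE_BASED" if rule["type"] == "rate_based" else "REGULAR"
        if found["Type"] != want:
            raise ValueError("%s: playbook says %s, API says %s"
                             % (rule["name"], rule["type"], found["Type"]))
        resolved.append(found["RuleId"])
    return resolved


# Constructed playbook rules, trimmed from the reproducer above.
PLAYBOOK_RULES = [
    {"name": "rule-1", "priority": 1, "action": "allow", "type": "regular"},
    {"name": "rule-9", "priority": 9, "action": "count", "type": "rate_based"},
    {"name": "rule-10", "priority": 10, "action": "block", "type": "regular"},
]


def missing_name_with_old_lookup(client=None):
    """Return the rule name the ListRules-only lookup cannot resolve, or None."""
    client = client or StubWafClient()
    try:
        resolve_rule_ids(PLAYBOOK_RULES,
                         build_rule_lookup(client, include_rate_based=False))
    except KeyError as exc:
        return exc.args[0]
    return None


if __name__ == "__main__":
    c = StubWafClient()
    print("old lookup fails on:", missing_name_with_old_lookup(c))
    print("merged lookup resolves:",
          resolve_rule_ids(PLAYBOOK_RULES, build_rule_lookup(c)))
```

Run as a script it first reproduces the KeyError on rule-9 with the ListRules-only lookup, then resolves all three rules once the ListRateBasedRules result is merged in. The type check matters because the module sends the playbook's type to AWS as the ActivatedRule Type; resolving a name to a RuleId of the other kind would otherwise produce a Web ACL that does not match the playbook.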

MrBones757 commented 2 years ago

I can submit a PR for this if the above fix / method is desired, though I'm not sure whether the new list_rate_based_rules_with_backoff belongs here or in amazon.aws.