ansible-collections / community.aws

Ansible Collection for Community AWS
GNU General Public License v3.0

aws cloudformation_stack_set module ignores check_mode under specific circumstances #1599

Open fschroder-slyp opened 1 year ago

fschroder-slyp commented 1 year ago

Summary

The specific case is triggered when state = 'present' and no stack set or stack instances are about to be created or deleted, but rather when resources inside the stack instances are affected. For example, adding or removing a CloudFormation resource in the template.

Looking at the code, in main/plugins/modules/cloudformation_stack_set.py, I believe there's a missing else: for elif unspecified_stacks and module.params.get('purge_stack_instances'): so that the module never proceeds with the change when check_mode is set.

Issue Type

Bug Report

Component Name

cloudformation_stack_set

Ansible Version

$ ansible --version

ansible [core 2.13.1]
  config file = None
  configured module search path = ['/Users/.../.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/Cellar/ansible/6.0.0/libexec/lib/python3.10/site-packages/ansible
  ansible collection location = /Users/.../.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.10.5 (main, Jun 23 2022, 17:15:25) [Clang 13.1.6 (clang-1316.0.21.2.5)]
  jinja version = 3.1.2
  libyaml = True

Collection Versions

$ ansible-galaxy collection list

# /usr/local/Cellar/ansible/6.0.0/libexec/lib/python3.10/site-packages/ansible_collections
Collection                    Version
----------------------------- -------
amazon.aws                    3.2.0  
ansible.netcommon             3.0.1  
ansible.posix                 1.4.0  
ansible.utils                 2.6.1  
ansible.windows               1.10.0 
arista.eos                    5.0.1  
awx.awx                       21.0.0 
azure.azcollection            1.12.0 
check_point.mgmt              2.3.0  
chocolatey.chocolatey         1.2.0  
cisco.aci                     2.2.0  
cisco.asa                     3.0.0  
cisco.dnac                    6.4.0  
cisco.intersight              1.0.19 
cisco.ios                     3.0.0  
cisco.iosxr                   3.0.0  
cisco.ise                     2.4.1  
cisco.meraki                  2.6.2  
cisco.mso                     2.0.0  
cisco.nso                     1.0.3  
cisco.nxos                    3.0.0  
cisco.ucs                     1.8.0  
cloud.common                  2.1.1  
cloudscale_ch.cloud           2.2.2  
community.aws                 3.2.1  
community.azure               1.1.0  
community.ciscosmb            1.0.5  
community.crypto              2.3.2  
community.digitalocean        1.19.0 
community.dns                 2.1.1  
community.docker              2.6.0  
community.fortios             1.0.0  
community.general             5.0.2  
community.google              1.0.0  
community.grafana             1.4.0  
community.hashi_vault         3.0.0  
community.hrobot              1.3.1  
community.libvirt             1.1.0  
community.mongodb             1.4.0  
community.mysql               3.2.1  
community.network             4.0.1  
community.okd                 2.2.0  
community.postgresql          2.1.5  
community.proxysql            1.4.0  
community.rabbitmq            1.2.1  
community.routeros            2.1.0  
community.sap                 1.0.0  
community.sap_libs            1.1.0  
community.skydive             1.0.0  
community.sops                1.2.2  
community.vmware              2.5.0  
community.windows             1.10.0 
community.zabbix              1.7.0  
containers.podman             1.9.3  
cyberark.conjur               1.1.0  
cyberark.pas                  1.0.14 
dellemc.enterprise_sonic      1.1.1  
dellemc.openmanage            5.4.0  
dellemc.os10                  1.1.1  
dellemc.os6                   1.0.7  
dellemc.os9                   1.0.4  
f5networks.f5_modules         1.17.0 
fortinet.fortimanager         2.1.5  
fortinet.fortios              2.1.6  
frr.frr                       2.0.0  
gluster.gluster               1.0.2  
google.cloud                  1.0.2  
hetzner.hcloud                1.6.0  
hpe.nimble                    1.1.4  
ibm.qradar                    2.0.0  
infinidat.infinibox           1.3.3  
infoblox.nios_modules         1.2.2  
inspur.sm                     2.0.0  
junipernetworks.junos         3.0.1  
kubernetes.core               2.3.1  
mellanox.onyx                 1.0.0  
netapp.aws                    21.7.0 
netapp.azure                  21.10.0
netapp.cloudmanager           21.17.0
netapp.elementsw              21.7.0 
netapp.ontap                  21.19.1
netapp.storagegrid            21.10.0
netapp.um_info                21.8.0 
netapp_eseries.santricity     1.3.0  
netbox.netbox                 3.7.1  
ngine_io.cloudstack           2.2.4  
ngine_io.exoscale             1.0.0  
ngine_io.vultr                1.1.1  
openstack.cloud               1.8.0  
openvswitch.openvswitch       2.1.0  
ovirt.ovirt                   2.0.4  
purestorage.flasharray        1.13.0 
purestorage.flashblade        1.9.0  
sensu.sensu_go                1.13.1 
servicenow.servicenow         1.0.6  
splunk.es                     2.0.0  
t_systems_mms.icinga_director 1.29.0 
theforeman.foreman            3.4.0  
vmware.vmware_rest            2.1.5  
vyos.vyos                     3.0.1  
wti.remote                    1.0.3  

# /Users/.../.ansible/collections/ansible_collections
Collection           Version
-------------------- -------
amazon.aws           2.1.0  
ansible.netcommon    1.0.0  
ansible.posix        1.1.1  
community.aws        1.0.0  
community.general    1.2.0  
community.kubernetes 1.1.1  
google.cloud         1.0.1  

Note: I originally ran this role using a very old version of the library. Since then I've updated to 5.0.0 and behaviour remains the same. Also, my original analysis of the source code was of the latest version.

AWS SDK versions

$ pip show boto boto3 botocore

WARNING: Package(s) not found: boto
Name: boto3
Version: 1.19.0
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email: 
License: Apache License 2.0
Location: /usr/local/lib/python3.9/site-packages
Requires: botocore, jmespath, s3transfer
Required-by: 
---
Name: botocore
Version: 1.22.0
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email: 
License: Apache License 2.0
Location: /usr/local/lib/python3.9/site-packages
Requires: jmespath, python-dateutil, urllib3
Required-by: boto3, s3transfer

Configuration

$ ansible-config dump --only-changed

OS / Environment

macOS 12.6.1 (Monterey)

Steps to Reproduce

Expected Results

Ideally, the Ansible module would list what is about to be changed in the stack instance(s) and not deploy the changes. I believe this functionality is currently not provided by AWS, so it would need a custom implementation.

At a minimum, the module should output a message like "Resources in stack instance(s) are potentially going to be modified" and exit the module.

Actual Results

Resources in the stack instances were changed.

Code of Conduct
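A simplified model of the control flow the report above describes, added here as an illustration; it is not the module's code. All function names, the fake client and the first two messages are hypothetical; the fallback message is the one suggested under "Expected Results".

```python
from dataclasses import dataclass, field

# Message text taken from the report's "Expected Results" section.
FALLBACK_MSG = "Resources in stack instance(s) are potentially going to be modified"


@dataclass
class FakeStackSetApi:
    """Constructed stand-in for the AWS client; records every mutating call."""
    calls: list = field(default_factory=list)

    def update_stack_set(self, template):
        self.calls.append(("update_stack_set", template))


def gate_without_else(new_stacks, unspecified_stacks, purge):
    """Dry-run decision with no final else: returns None when nothing matches."""
    if new_stacks:
        return "New stack instance(s) would be created"
    elif unspecified_stacks and purge:
        return "Old stack instance(s) would be deleted"
    return None  # template-only change: no branch matched


def gate_with_else(new_stacks, unspecified_stacks, purge):
    """Same decision, but every path through check mode yields an exit message."""
    return gate_without_else(new_stacks, unspecified_stacks, purge) or FALLBACK_MSG


def run_present(api, template, check_mode, gate, new_stacks=(), unspecified_stacks=(), purge=False):
    """state=present on an existing stack set (hypothetical simplified flow)."""
    if check_mode:
        msg = gate(new_stacks, unspecified_stacks, purge)
        if msg is not None:
            return {"changed": True, "msg": msg}  # exits before any AWS call
    api.update_stack_set(template)  # reached in check mode when gate returned None
    return {"changed": True, "msg": "Stack set updated"}


def demo():
    """Template-only change in check mode, through each gate; returns mutating-call counts."""
    buggy, fixed = FakeStackSetApi(), FakeStackSetApi()
    run_present(buggy, "template-v2", True, gate_without_else)
    run_present(fixed, "template-v2", True, gate_with_else)
    return len(buggy.calls), len(fixed.calls)


if __name__ == "__main__":
    print(demo())
```

A regression test for a real module can take the same shape: run with check mode on against a stubbed client and assert that no mutating call was recorded.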

ansibullbot commented 1 year ago

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.


ansibullbot commented 1 year ago

cc @jillr @markuman @s-hertel @tremble

alinabuzachis commented 1 year ago

@fschroder-slyp Thank you for reporting this. Would you be willing to open a pull request with a patch and some integration tests?

fschroder-slyp commented 1 year ago

@alinabuzachis tbh it's going to be hard to do that in the near future, but I take from your comment that you agree that the current behaviour is a bug?