Closed jdelaporte closed 2 years ago
I can confirm this.
In your scenario only 5 characters are missing:
```yaml
---
- hosts: localhost
  connection: local
  tasks:
    - name: Create EKS cluster
      community.aws.aws_eks_cluster:
        name: jdelaportek8112345
        version: 1.21
        role_arn: myEKSClusterRole
        wait: true
        region: eu-central-1
        subnets:
          - subnet-d8309db2
          - subnet-943ad4d8
        security_groups:
          - sg-f32f0196
      register: create_eks
```
This is the bug: https://github.com/ansible-collections/community.aws/blob/main/plugins/modules/aws_eks_cluster.py#L207
> clientRequestToken (string) -- Unique, case-sensitive identifier you provide to ensure the idempotency of the request. This field is autopopulated if not provided. This token must be between 33 and 126 characters ...
We can remove it to see if our integration tests still pass
I also experienced the same behavior. Could we do something like this?
```python
clientRequestToken='ansible-create-something-very-long-just-because-%s' % name)
```
I bet one day someone will come with a name that is longer than 126 characters :)
I guess the `clientRequestToken` is not necessary. Integration tests pass without it. I will append it with a short name.
That's true.
I don't have much context of where this token comes from or what it's for, but if it's not required and it's safe to remove it, then I guess it's ok.
Keeping the Token with a longer prefix would be a less 'disruptive' change and we can manage/fail locally in the code and report it with a useful message to the user if the length exceeds 126 characters. I'm ok either way.
Thanks
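The "longer prefix plus a local length check with a useful message" option discussed above, as an added example that is not the community.aws module's own code. The two prefix strings and the function names are assumptions for illustration; the 33..126 limits are the ones quoted from the AWS API reference in this thread.

```python
# Added example, not the community.aws module's own code: derive the EKS
# clientRequestToken from the cluster name with a long fixed prefix (as
# proposed in the thread) and fail locally with a useful message when the
# AWS length rule (33..126 characters, quoted in the thread) is violated.
TOKEN_MIN_LEN = 33
TOKEN_MAX_LEN = 126
# Assumed prefixes for illustration: a short one standing in for the
# module's original, and the longer one suggested in the thread.
SHORT_PREFIX = "ansible-create-"
LONG_PREFIX = "ansible-create-something-very-long-just-because-"


def max_cluster_name_len(prefix):
    """Longest name that keeps prefix + name within TOKEN_MAX_LEN."""
    return TOKEN_MAX_LEN - len(prefix)


def min_cluster_name_len(prefix):
    """Shortest name that brings prefix + name up to TOKEN_MIN_LEN."""
    return max(0, TOKEN_MIN_LEN - len(prefix))


def build_client_request_token(name, prefix=LONG_PREFIX):
    """Return prefix + name, or raise ValueError naming the limit that is hit.
    The token is deterministic per name, so a retried CreateCluster for the
    same cluster carries the same idempotency token."""
    token = prefix + name
    if len(token) < TOKEN_MIN_LEN:
        raise ValueError(
            "clientRequestToken %r is %d characters, AWS requires at least %d; "
            "the cluster name needs at least %d characters with prefix %r"
            % (token, len(token), TOKEN_MIN_LEN, min_cluster_name_len(prefix), prefix)
        )
    if len(token) > TOKEN_MAX_LEN:
        raise ValueError(
            "clientRequestToken for cluster %r would be %d characters, AWS allows "
            "at most %d; shorten the cluster name to %d characters or fewer"
            % (name, len(token), TOKEN_MAX_LEN, max_cluster_name_len(prefix))
        )
    return token


def token_is_valid(name, prefix=LONG_PREFIX):
    """True when build_client_request_token would accept this name."""
    try:
        build_client_request_token(name, prefix)
    except ValueError:
        return False
    return True
```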
From the AWS EKS documentation, the clientRequestToken is not required: https://docs.aws.amazon.com/eks/latest/APIReference/API_CreateCluster.html#AmazonEKS-CreateCluster-request-clientRequestToken
It is not clear if it is auto-generated if not provided, but that could be determined by examining the response (cluster) object that is created without a token. It is meant for idempotency, according to the AWS doc. So, it is good to set it when the name is short enough.
I wonder what this means in the context of Ansible. The `create_cluster` function is requested only once (when the cluster does not exist), and in a general context: even if the token is changing, you can run the `create_cluster` statement only once.
```python
import boto3

eks = boto3.client('eks')

# First call: creates the cluster.
response = eks.create_cluster(
    name='b',
    version='1.21',
    roleArn='arn:aws:iam::123:role/myEKSClusterRole',
    resourcesVpcConfig={
        'subnetIds': [
            'subnet-d8309db2', 'subnet-943ad4d8'
        ],
        'securityGroupIds': [
            'sg-f32f0196',
        ]
    },
    clientRequestToken='stringstringstringstringstringstring'
)
print(response)

# Second call with the same name but a different token.
response = eks.create_cluster(
    name='b',
    version='1.21',
    roleArn='arn:aws:iam::123:role/myEKSClusterRole',
    resourcesVpcConfig={
        'subnetIds': [
            'subnet-d8309db2', 'subnet-943ad4d8'
        ],
        'securityGroupIds': [
            'sg-f32f0196',
        ]
    },
    clientRequestToken='stringstringstringstringstringstring1'
)
print(response)
```
results in
```text
{'ResponseMetadata': {'RequestId': '05bfc8b2-ee3c-4f25-ab24-bd231e5224b8', 'HTTPStatusCode': 200, 'HTTPHeaders': {'date': 'Thu, 02 Dec 2021 19:43:59 GMT', 'content-type': 'application/json', 'content-length': '820', 'connection': 'keep-alive', 'x-amzn-requestid': '05bfc8b2-ee3c-4f25-ab24-bd231e5224b8', 'access-control-allow-origin': '*', 'access-control-allow-headers': '*,Authorization,Date,X-Amz-Date,X-Amz-Security-Token,X-Amz-Target,content-type,x-amz-content-sha256,x-amz-user-agent,x-amzn-platform-id,x-amzn-trace-id', 'x-amz-apigw-id': 'JvI_zGeAliAFZrA=', 'access-control-allow-methods': 'GET,HEAD,PUT,POST,DELETE,OPTIONS', 'access-control-expose-headers': 'x-amzn-errortype,x-amzn-errormessage,x-amzn-trace-id,x-amzn-requestid,x-amz-apigw-id,date', 'x-amzn-trace-id': 'Root=1-61a921fe-3529fabd0c39a93b6e9340f6'}, 'RetryAttempts': 0}, 'cluster': {'name': 'b', 'arn': 'arn:aws:eks:eu-central-1:123:cluster/b', 'createdAt': datetime.datetime(2021, 12, 2, 20, 43, 59, 671000, tzinfo=tzlocal()), 'version': '1.21', 'roleArn': 'arn:aws:iam::123:role/myEKSClusterRole', 'resourcesVpcConfig': {'subnetIds': ['subnet-d8309db2', 'subnet-943ad4d8'], 'securityGroupIds': ['sg-f32f0196'], 'vpcId': 'vpc-6731f40d', 'endpointPublicAccess': True, 'endpointPrivateAccess': False, 'publicAccessCidrs': ['0.0.0.0/0']}, 'kubernetesNetworkConfig': {'serviceIpv4Cidr': '10.100.0.0/16'}, 'logging': {'clusterLogging': [{'types': ['api', 'audit', 'authenticator', 'controllerManager', 'scheduler'], 'enabled': False}]}, 'status': 'CREATING', 'certificateAuthority': {}, 'platformVersion': 'eks.3', 'tags': {}}}
Traceback (most recent call last):
  File "/tmp/test_eks.py", line 6, in <module>
    response = eks.create_cluster(
  File "/home/m/.local/lib/python3.9/site-packages/botocore/client.py", line 388, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/m/.local/lib/python3.9/site-packages/botocore/client.py", line 708, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.ResourceInUseException: An error occurred (ResourceInUseException) when calling the CreateCluster operation: Cluster already exists with name: b
```
> So, it is good to set it when the name is short enough.
But yes, we can implement this logic for safety
Summary
When leveraging a role that uses the aws_eks_cluster module, I encountered a repeated error about security token length. The issue was 'resolved' when I passed in a very long "name" parameter.
Issue Type
Bug Report
Component Name
aws_eks_cluster
OS / Environment
EKS
Steps to Reproduce
Running the playbook from https://github.com/nleiva/ansible-kubernetes, it fails at this task if I use a short cluster name:
It fails when I use this command to run the playbook:
It succeeds when I run the playbook with this command:
Expected Results
I expected a cluster to be created based on any nominally normal cluster name length. There is no length restriction mentioned in the aws_eks_cluster module. The examples show a 10-char name length, which would be too short to succeed.
Actual Results
Using the aws eks role located here: https://github.com/nleiva/ansible-kubernetes