
elb_application_lb - support alb attributes (#963)
elb_application_lb - support alb attributes

SUMMARY

Support modifying different ALB-specific attributes
Fixes #571
Depends-On ansible-collections/amazon.aws#696

ISSUE TYPE

Feature Pull Request

COMPONENT NAME
elb_application_lb

Reviewed-by: Jill R <None>
Reviewed-by: Markus Bergholz <git@osuv.de>
Reviewed-by: Alina Buzachis <None>
Reviewed-by: Joseph Torcasso <None>
jatorcasso committed Mar 26, 2022
1 parent be4a4a2 commit 85bfce4
Showing 3 changed files with 215 additions and 6 deletions.
@@ -0,0 +1,2 @@
minor_changes:
- elb_application_lb - Add support for alb specific attributes and check_mode support for modifying them (https://github.com/ansible-collections/community.aws/pull/963).
51 changes: 45 additions & 6 deletions plugins/modules/elb_application_lb.py
Expand Up @@ -49,13 +49,38 @@
deletion_protection:
description:
- Indicates whether deletion protection for the ALB is enabled.
- Defaults to C(false).
- Defaults to C(False).
type: bool
http2:
description:
- Indicates whether to enable HTTP2 routing.
- Defaults to C(false).
- Defaults to C(True).
type: bool
http_desync_mitigation_mode:
description:
- Determines how the load balancer handles requests that might pose a security risk to an application.
- Defaults to C('defensive')
type: str
choices: ['monitor', 'defensive', 'strictest']
version_added: 3.2.0
http_drop_invalid_header_fields:
description:
- Indicates whether HTTP headers with invalid header fields are removed by the load balancer C(True) or routed to targets C(False).
- Defaults to C(False).
type: bool
version_added: 3.2.0
http_x_amzn_tls_version_and_cipher_suite:
description:
- Indicates whether the two headers are added to the client request before sending it to the target.
- Defaults to C(False).
type: bool
version_added: 3.2.0
http_xff_client_port:
description:
- Indicates whether the X-Forwarded-For header should preserve the source port that the client used to connect to the load balancer.
- Defaults to C(False).
type: bool
version_added: 3.2.0
idle_timeout:
description:
- The number of seconds to wait before an idle connection is closed.
Expand Down Expand Up @@ -183,6 +208,12 @@
- Sets the type of IP addresses used by the subnets of the specified Application Load Balancer.
choices: [ 'ipv4', 'dualstack' ]
type: str
waf_fail_open:
description:
- Indicates whether to allow a AWS WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF.
- Defaults to C(False).
type: bool
version_added: 3.2.0
extends_documentation_fragment:
- amazon.aws.aws
- amazon.aws.ec2
Expand Down Expand Up @@ -554,6 +585,13 @@ def create_or_update_alb(alb_obj):
alb_obj.module.exit_json(changed=True, msg='Would have updated ALB if not in check mode.')
alb_obj.modify_security_groups()

# ALB attributes
if not alb_obj.compare_elb_attributes():
if alb_obj.module.check_mode:
alb_obj.module.exit_json(changed=True, msg='Would have updated ALB if not in check mode.')
alb_obj.update_elb_attributes()
alb_obj.modify_elb_attributes()

# Tags - only need to play with tags if tags parameter has been set to something
if alb_obj.tags is not None:

Expand All @@ -578,10 +616,6 @@ def create_or_update_alb(alb_obj):
alb_obj.module.exit_json(changed=True, msg='Would have created ALB if not in check mode.')
alb_obj.create_elb()

# ALB attributes
alb_obj.update_elb_attributes()
alb_obj.modify_elb_attributes()

# Listeners
listeners_obj = ELBListeners(alb_obj.connection, alb_obj.module, alb_obj.elb['LoadBalancerArn'])
listeners_to_add, listeners_to_modify, listeners_to_delete = listeners_obj.compare_listeners()
Expand Down Expand Up @@ -712,6 +746,10 @@ def main():
access_logs_s3_prefix=dict(type='str'),
deletion_protection=dict(type='bool'),
http2=dict(type='bool'),
http_desync_mitigation_mode=dict(type='str', choices=['monitor', 'defensive', 'strictest']),
http_drop_invalid_header_fields=dict(type='bool'),
http_x_amzn_tls_version_and_cipher_suite=dict(type='bool'),
http_xff_client_port=dict(type='bool'),
idle_timeout=dict(type='int'),
listeners=dict(type='list',
elements='dict',
Expand All @@ -732,6 +770,7 @@ def main():
scheme=dict(default='internet-facing', choices=['internet-facing', 'internal']),
state=dict(choices=['present', 'absent'], default='present'),
tags=dict(type='dict'),
waf_fail_open=dict(type='bool'),
wait_timeout=dict(type='int'),
wait=dict(default=False, type='bool'),
purge_rules=dict(default=True, type='bool'),
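Review bot: The attribute update now lives only in the existing-ALB branch (the `-554,6 +585,13` hunk), while the block removed in the `-578,10 +616,6` hunk sat directly before `# Listeners`, which from the surrounding context reads as the common path after `alb_obj.create_elb()`; if that block was not inside the `else:` branch, a freshly created ALB no longer receives the requested attributes (http2, http_desync_mitigation_mode, http_drop_invalid_header_fields, waf_fail_open, …) until a second run. Indentation is not recoverable from the rendered page, so please confirm; if the removed lines were at function level, keep `alb_obj.update_elb_attributes()` and `alb_obj.modify_elb_attributes()` after `alb_obj.create_elb()` in the create branch. The new integration assertions on the create path only check AWS defaults (http2 enabled, desync mitigation 'defensive', the rest false), so they would not catch attributes silently not being applied at creation. create_or_update_alb starts and ends outside these hunks.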
168 changes: 168 additions & 0 deletions tests/integration/targets/elb_application_lb/tasks/main.yml
Expand Up @@ -330,6 +330,12 @@
- alb is changed
- alb.ip_address_type == 'dualstack'
- alb.listeners[0].rules | length == 1
- alb.routing_http2_enabled | bool
- alb.routing_http_desync_mitigation_mode == 'defensive'
- not alb.routing_http_drop_invalid_header_fields_enabled | bool
- not alb.routing_http_x_amzn_tls_version_and_cipher_suite_enabled | bool
- not alb.routing_http_xff_client_port_enabled | bool
- not alb.waf_fail_open_enabled | bool

- name: Create an ALB with ip address type (idempotence) - check_mode
elb_application_lb:
Expand Down Expand Up @@ -371,6 +377,132 @@
that:
- alb is not changed
- alb.ip_address_type == 'dualstack'
- alb.routing_http2_enabled | bool
- alb.routing_http_desync_mitigation_mode == 'defensive'
- not alb.routing_http_drop_invalid_header_fields_enabled | bool
- not alb.routing_http_x_amzn_tls_version_and_cipher_suite_enabled | bool
- not alb.routing_http_xff_client_port_enabled | bool
- not alb.waf_fail_open_enabled | bool

# ------------------------------------------------------------------------------------------

- name: Update an ALB with different attributes - check_mode
elb_application_lb:
name: "{{ alb_name }}"
subnets: "{{ public_subnets }}"
security_groups: "{{ sec_group.group_id }}"
state: present
listeners:
- Protocol: HTTP
Port: 80
DefaultActions:
- Type: forward
TargetGroupName: "{{ tg_name }}"
ip_address_type: 'dualstack'
http2: no
http_desync_mitigation_mode: monitor
http_drop_invalid_header_fields: yes
http_x_amzn_tls_version_and_cipher_suite: yes
http_xff_client_port: yes
waf_fail_open: yes
register: alb
check_mode: yes

- assert:
that:
- alb is changed
- alb.msg is match('Would have updated ALB if not in check mode.')

- name: Update an ALB with different attributes
elb_application_lb:
name: "{{ alb_name }}"
subnets: "{{ public_subnets }}"
security_groups: "{{ sec_group.group_id }}"
state: present
listeners:
- Protocol: HTTP
Port: 80
DefaultActions:
- Type: forward
TargetGroupName: "{{ tg_name }}"
ip_address_type: 'dualstack'
http2: no
http_desync_mitigation_mode: monitor
http_drop_invalid_header_fields: yes
http_x_amzn_tls_version_and_cipher_suite: yes
http_xff_client_port: yes
waf_fail_open: yes
register: alb

- assert:
that:
- alb is changed
- alb.ip_address_type == 'dualstack'
- not alb.routing_http2_enabled | bool
- alb.routing_http_desync_mitigation_mode == 'monitor'
- alb.routing_http_drop_invalid_header_fields_enabled | bool
- alb.routing_http_x_amzn_tls_version_and_cipher_suite_enabled | bool
- alb.routing_http_xff_client_port_enabled | bool
- alb.waf_fail_open_enabled | bool

- name: Update an ALB with different attributes (idempotence) - check_mode
elb_application_lb:
name: "{{ alb_name }}"
subnets: "{{ public_subnets }}"
security_groups: "{{ sec_group.group_id }}"
state: present
listeners:
- Protocol: HTTP
Port: 80
DefaultActions:
- Type: forward
TargetGroupName: "{{ tg_name }}"
ip_address_type: 'dualstack'
http2: no
http_desync_mitigation_mode: monitor
http_drop_invalid_header_fields: yes
http_x_amzn_tls_version_and_cipher_suite: yes
http_xff_client_port: yes
waf_fail_open: yes
register: alb
check_mode: yes

- assert:
that:
- alb is not changed
- alb.msg is match('IN CHECK MODE - no changes to make to ALB specified.')

- name: Update an ALB with different attributes (idempotence)
elb_application_lb:
name: "{{ alb_name }}"
subnets: "{{ public_subnets }}"
security_groups: "{{ sec_group.group_id }}"
state: present
listeners:
- Protocol: HTTP
Port: 80
DefaultActions:
- Type: forward
TargetGroupName: "{{ tg_name }}"
ip_address_type: 'dualstack'
http2: no
http_desync_mitigation_mode: monitor
http_drop_invalid_header_fields: yes
http_x_amzn_tls_version_and_cipher_suite: yes
http_xff_client_port: yes
waf_fail_open: yes
register: alb

- assert:
that:
- alb is not changed
- alb.ip_address_type == 'dualstack'
- not alb.routing_http2_enabled | bool
- alb.routing_http_desync_mitigation_mode == 'monitor'
- alb.routing_http_drop_invalid_header_fields_enabled | bool
- alb.routing_http_x_amzn_tls_version_and_cipher_suite_enabled | bool
- alb.routing_http_xff_client_port_enabled | bool
- alb.waf_fail_open_enabled | bool

# ------------------------------------------------------------------------------------------

Expand All @@ -387,6 +519,12 @@
- Type: forward
TargetGroupName: "{{ tg_name }}"
ip_address_type: 'ipv4'
http2: no
http_desync_mitigation_mode: monitor
http_drop_invalid_header_fields: yes
http_x_amzn_tls_version_and_cipher_suite: yes
http_xff_client_port: yes
waf_fail_open: yes
register: alb
check_mode: yes

Expand All @@ -408,12 +546,24 @@
- Type: forward
TargetGroupName: "{{ tg_name }}"
ip_address_type: 'ipv4'
http2: no
http_desync_mitigation_mode: monitor
http_drop_invalid_header_fields: yes
http_x_amzn_tls_version_and_cipher_suite: yes
http_xff_client_port: yes
waf_fail_open: yes
register: alb

- assert:
that:
- alb is changed
- alb.ip_address_type == 'ipv4'
- not alb.routing_http2_enabled | bool
- alb.routing_http_desync_mitigation_mode == 'monitor'
- alb.routing_http_drop_invalid_header_fields_enabled | bool
- alb.routing_http_x_amzn_tls_version_and_cipher_suite_enabled | bool
- alb.routing_http_xff_client_port_enabled | bool
- alb.waf_fail_open_enabled | bool

- name: Update an ALB with different ip address type (idempotence) - check_mode
elb_application_lb:
Expand All @@ -428,6 +578,12 @@
- Type: forward
TargetGroupName: "{{ tg_name }}"
ip_address_type: 'ipv4'
http2: no
http_desync_mitigation_mode: monitor
http_drop_invalid_header_fields: yes
http_x_amzn_tls_version_and_cipher_suite: yes
http_xff_client_port: yes
waf_fail_open: yes
register: alb
check_mode: yes

Expand All @@ -449,12 +605,24 @@
- Type: forward
TargetGroupName: "{{ tg_name }}"
ip_address_type: 'ipv4'
http2: no
http_desync_mitigation_mode: monitor
http_drop_invalid_header_fields: yes
http_x_amzn_tls_version_and_cipher_suite: yes
http_xff_client_port: yes
waf_fail_open: yes
register: alb

- assert:
that:
- alb is not changed
- alb.ip_address_type == 'ipv4'
- not alb.routing_http2_enabled | bool
- alb.routing_http_desync_mitigation_mode == 'monitor'
- alb.routing_http_drop_invalid_header_fields_enabled | bool
- alb.routing_http_x_amzn_tls_version_and_cipher_suite_enabled | bool
- alb.routing_http_xff_client_port_enabled | bool
- alb.waf_fail_open_enabled | bool

# ------------------------------------------------------------------------------------------

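Review bot: None of the new tasks exercise creation with non-default attributes: every task that sets `http2: no`, `http_desync_mitigation_mode: monitor`, `waf_fail_open: yes` and the other flags runs against the ALB created earlier, and the create-path assertions in the `-330,6 +330,12` hunk only confirm the AWS defaults. Adding at least one non-default attribute to the initial create task, with a matching assertion on `alb.routing_*` / `alb.waf_fail_open_enabled`, would pin that attributes are applied when the load balancer is first created rather than only on a later update. The `strictest` choice of http_desync_mitigation_mode is also never set, so a round-trip through that value remains untested.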
