Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

elb_application_lb - support alb attributes #963

Merged
merged 5 commits into from
Mar 26, 2022
Merged

elb_application_lb - support alb attributes #963

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
d9a7b75
support alb attributes and add integration tests
jatorcasso Mar 4, 2022
846d781
changelog
jatorcasso Mar 4, 2022
5b8f1c3
add check_mode support for modifying alb attributes
jatorcasso Mar 9, 2022
eec7d8f
update version_added to 3.2.0
jatorcasso Mar 23, 2022
8b37fe7
grammar fixes in documentation
jatorcasso Mar 23, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions changelogs/fragments/963-elb_application_lb-support-alb-attributes.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
minor_changes:
- elb_application_lb - Add support for alb specific attributes and check_mode support for modifying them (https://github.com/ansible-collections/community.aws/pull/963).
51 changes: 45 additions & 6 deletions plugins/modules/elb_application_lb.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,13 +49,38 @@
deletion_protection:
description:
- Indicates whether deletion protection for the ALB is enabled.
- Defaults to C(false).
- Defaults to C(False).
type: bool
http2:
description:
- Indicates whether to enable HTTP2 routing.
- Defaults to C(false).
- Defaults to C(True).
type: bool
http_desync_mitigation_mode:
description:
- Determines how the load balancer handles requests that might pose a security risk to an application.
- Defaults to C('defensive')
type: str
choices: ['monitor', 'defensive', 'strictest']
version_added: 3.2.0
http_drop_invalid_header_fields:
description:
- Indicates whether HTTP headers with invalid header fields are removed by the load balancer C(True) or routed to targets C(False).
- Defaults to C(False).
type: bool
version_added: 3.2.0
http_x_amzn_tls_version_and_cipher_suite:
description:
- Indicates whether the two headers are added to the client request before sending it to the target.
- Defaults to C(False).
type: bool
version_added: 3.2.0
http_xff_client_port:
description:
- Indicates whether the X-Forwarded-For header should preserve the source port that the client used to connect to the load balancer.
- Defaults to C(False).
type: bool
version_added: 3.2.0
idle_timeout:
description:
- The number of seconds to wait before an idle connection is closed.
Expand Down Expand Up @@ -183,6 +208,12 @@
- Sets the type of IP addresses used by the subnets of the specified Application Load Balancer.
choices: [ 'ipv4', 'dualstack' ]
type: str
waf_fail_open:
description:
- Indicates whether to allow a AWS WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF.
- Defaults to C(False).
type: bool
version_added: 3.2.0
extends_documentation_fragment:
- amazon.aws.aws
- amazon.aws.ec2
Expand Down Expand Up @@ -525,6 +556,13 @@ def create_or_update_alb(alb_obj):
alb_obj.module.exit_json(changed=True, msg='Would have updated ALB if not in check mode.')
alb_obj.modify_security_groups()

# ALB attributes
if not alb_obj.compare_elb_attributes():
if alb_obj.module.check_mode:
alb_obj.module.exit_json(changed=True, msg='Would have updated ALB if not in check mode.')
alb_obj.update_elb_attributes()
alb_obj.modify_elb_attributes()

# Tags - only need to play with tags if tags parameter has been set to something
if alb_obj.tags is not None:

Expand All @@ -549,10 +587,6 @@ def create_or_update_alb(alb_obj):
alb_obj.module.exit_json(changed=True, msg='Would have created ALB if not in check mode.')
alb_obj.create_elb()

# ALB attributes
alb_obj.update_elb_attributes()
alb_obj.modify_elb_attributes()

# Listeners
listeners_obj = ELBListeners(alb_obj.connection, alb_obj.module, alb_obj.elb['LoadBalancerArn'])
listeners_to_add, listeners_to_modify, listeners_to_delete = listeners_obj.compare_listeners()
Expand Down Expand Up @@ -683,6 +717,10 @@ def main():
access_logs_s3_prefix=dict(type='str'),
deletion_protection=dict(type='bool'),
http2=dict(type='bool'),
http_desync_mitigation_mode=dict(type='str', choices=['monitor', 'defensive', 'strictest']),
http_drop_invalid_header_fields=dict(type='bool'),
http_x_amzn_tls_version_and_cipher_suite=dict(type='bool'),
http_xff_client_port=dict(type='bool'),
idle_timeout=dict(type='int'),
listeners=dict(type='list',
elements='dict',
Expand All @@ -703,6 +741,7 @@ def main():
scheme=dict(default='internet-facing', choices=['internet-facing', 'internal']),
state=dict(choices=['present', 'absent'], default='present'),
tags=dict(type='dict'),
waf_fail_open=dict(type='bool'),
wait_timeout=dict(type='int'),
wait=dict(default=False, type='bool'),
purge_rules=dict(default=True, type='bool'),
Expand Down
168 changes: 168 additions & 0 deletions tests/integration/targets/elb_application_lb/tasks/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -241,6 +241,12 @@
- alb is changed
- alb.ip_address_type == 'dualstack'
- alb.listeners[0].rules | length == 1
- alb.routing_http2_enabled | bool
- alb.routing_http_desync_mitigation_mode == 'defensive'
- not alb.routing_http_drop_invalid_header_fields_enabled | bool
- not alb.routing_http_x_amzn_tls_version_and_cipher_suite_enabled | bool
- not alb.routing_http_xff_client_port_enabled | bool
- not alb.waf_fail_open_enabled | bool

- name: Create an ALB with ip address type (idempotence) - check_mode
elb_application_lb:
Expand Down Expand Up @@ -282,6 +288,132 @@
that:
- alb is not changed
- alb.ip_address_type == 'dualstack'
- alb.routing_http2_enabled | bool
- alb.routing_http_desync_mitigation_mode == 'defensive'
- not alb.routing_http_drop_invalid_header_fields_enabled | bool
- not alb.routing_http_x_amzn_tls_version_and_cipher_suite_enabled | bool
- not alb.routing_http_xff_client_port_enabled | bool
- not alb.waf_fail_open_enabled | bool

# ------------------------------------------------------------------------------------------

- name: Update an ALB with different attributes - check_mode
elb_application_lb:
name: "{{ alb_name }}"
subnets: "{{ public_subnets }}"
security_groups: "{{ sec_group.group_id }}"
state: present
listeners:
- Protocol: HTTP
Port: 80
DefaultActions:
- Type: forward
TargetGroupName: "{{ tg_name }}"
ip_address_type: 'dualstack'
http2: no
http_desync_mitigation_mode: monitor
http_drop_invalid_header_fields: yes
http_x_amzn_tls_version_and_cipher_suite: yes
http_xff_client_port: yes
waf_fail_open: yes
register: alb
check_mode: yes

- assert:
that:
- alb is changed
- alb.msg is match('Would have updated ALB if not in check mode.')

- name: Update an ALB with different attributes
elb_application_lb:
name: "{{ alb_name }}"
subnets: "{{ public_subnets }}"
security_groups: "{{ sec_group.group_id }}"
state: present
listeners:
- Protocol: HTTP
Port: 80
DefaultActions:
- Type: forward
TargetGroupName: "{{ tg_name }}"
ip_address_type: 'dualstack'
http2: no
http_desync_mitigation_mode: monitor
http_drop_invalid_header_fields: yes
http_x_amzn_tls_version_and_cipher_suite: yes
http_xff_client_port: yes
waf_fail_open: yes
register: alb

- assert:
that:
- alb is changed
- alb.ip_address_type == 'dualstack'
- not alb.routing_http2_enabled | bool
- alb.routing_http_desync_mitigation_mode == 'monitor'
- alb.routing_http_drop_invalid_header_fields_enabled | bool
- alb.routing_http_x_amzn_tls_version_and_cipher_suite_enabled | bool
- alb.routing_http_xff_client_port_enabled | bool
- alb.waf_fail_open_enabled | bool

- name: Update an ALB with different attributes (idempotence) - check_mode
elb_application_lb:
name: "{{ alb_name }}"
subnets: "{{ public_subnets }}"
security_groups: "{{ sec_group.group_id }}"
state: present
listeners:
- Protocol: HTTP
Port: 80
DefaultActions:
- Type: forward
TargetGroupName: "{{ tg_name }}"
ip_address_type: 'dualstack'
http2: no
http_desync_mitigation_mode: monitor
http_drop_invalid_header_fields: yes
http_x_amzn_tls_version_and_cipher_suite: yes
http_xff_client_port: yes
waf_fail_open: yes
register: alb
check_mode: yes

- assert:
that:
- alb is not changed
- alb.msg is match('IN CHECK MODE - no changes to make to ALB specified.')

- name: Update an ALB with different attributes (idempotence)
elb_application_lb:
name: "{{ alb_name }}"
subnets: "{{ public_subnets }}"
security_groups: "{{ sec_group.group_id }}"
state: present
listeners:
- Protocol: HTTP
Port: 80
DefaultActions:
- Type: forward
TargetGroupName: "{{ tg_name }}"
ip_address_type: 'dualstack'
http2: no
http_desync_mitigation_mode: monitor
http_drop_invalid_header_fields: yes
http_x_amzn_tls_version_and_cipher_suite: yes
http_xff_client_port: yes
waf_fail_open: yes
register: alb

- assert:
that:
- alb is not changed
- alb.ip_address_type == 'dualstack'
- not alb.routing_http2_enabled | bool
- alb.routing_http_desync_mitigation_mode == 'monitor'
- alb.routing_http_drop_invalid_header_fields_enabled | bool
- alb.routing_http_x_amzn_tls_version_and_cipher_suite_enabled | bool
- alb.routing_http_xff_client_port_enabled | bool
- alb.waf_fail_open_enabled | bool

# ------------------------------------------------------------------------------------------

Expand All @@ -298,6 +430,12 @@
- Type: forward
TargetGroupName: "{{ tg_name }}"
ip_address_type: 'ipv4'
http2: no
http_desync_mitigation_mode: monitor
http_drop_invalid_header_fields: yes
http_x_amzn_tls_version_and_cipher_suite: yes
http_xff_client_port: yes
waf_fail_open: yes
register: alb
check_mode: yes

Expand All @@ -319,12 +457,24 @@
- Type: forward
TargetGroupName: "{{ tg_name }}"
ip_address_type: 'ipv4'
http2: no
http_desync_mitigation_mode: monitor
http_drop_invalid_header_fields: yes
http_x_amzn_tls_version_and_cipher_suite: yes
http_xff_client_port: yes
waf_fail_open: yes
register: alb

- assert:
that:
- alb is changed
- alb.ip_address_type == 'ipv4'
- not alb.routing_http2_enabled | bool
- alb.routing_http_desync_mitigation_mode == 'monitor'
- alb.routing_http_drop_invalid_header_fields_enabled | bool
- alb.routing_http_x_amzn_tls_version_and_cipher_suite_enabled | bool
- alb.routing_http_xff_client_port_enabled | bool
- alb.waf_fail_open_enabled | bool

- name: Update an ALB with different ip address type (idempotence) - check_mode
elb_application_lb:
Expand All @@ -339,6 +489,12 @@
- Type: forward
TargetGroupName: "{{ tg_name }}"
ip_address_type: 'ipv4'
http2: no
http_desync_mitigation_mode: monitor
http_drop_invalid_header_fields: yes
http_x_amzn_tls_version_and_cipher_suite: yes
http_xff_client_port: yes
waf_fail_open: yes
register: alb
check_mode: yes

Expand All @@ -360,12 +516,24 @@
- Type: forward
TargetGroupName: "{{ tg_name }}"
ip_address_type: 'ipv4'
http2: no
http_desync_mitigation_mode: monitor
http_drop_invalid_header_fields: yes
http_x_amzn_tls_version_and_cipher_suite: yes
http_xff_client_port: yes
waf_fail_open: yes
register: alb

- assert:
that:
- alb is not changed
- alb.ip_address_type == 'ipv4'
- not alb.routing_http2_enabled | bool
- alb.routing_http_desync_mitigation_mode == 'monitor'
- alb.routing_http_drop_invalid_header_fields_enabled | bool
- alb.routing_http_x_amzn_tls_version_and_cipher_suite_enabled | bool
- alb.routing_http_xff_client_port_enabled | bool
- alb.waf_fail_open_enabled | bool

# ------------------------------------------------------------------------------------------

Expand Down