Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix issue with configservice subscribe command #1223

Merged
merged 3 commits into from
Mar 18, 2015
Merged

Fix issue with configservice subscribe command #1223

merged 3 commits into from
Mar 18, 2015

Conversation

kyleknap
Copy link
Contributor

When checking to see if a bucket exists, we assumed that an exception meant that the bucket did not exist when using HeadBucket. In reality, the error could be a 403, and the user wanted to use that bucket but did not have the proper permissions to run a HEAD object on it. Also expanded the output to inform users if a new bucket/topic is being used or an existing one. This helps notify users of what resources they created and/or are using when subscribing to AWS Config.

cc @jamesls @danielgtaylor

@coveralls
Copy link

Coverage Status

Coverage increased (+0.01%) to 93.36% when pulling 9215980 on kyleknap:subscribe-fix into 9baddc8 on aws:develop.

danielgtaylor
danielgtaylor reviewed Mar 17, 2015
View reviewed changes
awscli/customizations/configservice/subscribe.py
# If it was a 404 error, than the bucket does not exist.
error_code = int(e.response['Error']['Code'])
if error_code == 404:
bucket_exists = False
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have very similar code in our CloudTrail customization. Maybe it's worth making a utility function that can be used across customizations?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we sure this works? In the cloudtrail customization I had to remove the error handler to get the client exceptions to propogate. I would expect we'd need something here as well right?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jamesls
I tested it and I have had confirmation it works. I had to disable the error handler as well:
https://github.com/aws/aws-cli/pull/1223/files#diff-9acfa1e377b87026a3322468d0755a93R150

@danielgtaylor
As to consolidating the logic, I could but it is not completely the same logic. I actually think it may be a potential bug in the cloudtrail commands as you handle 404 and 403 errors the same when they are not really the same relative to determining if a bucket exists. Is my concern correct?

Let me know.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh wow, I completely missed L150-152 sorry about that.

@danielgtaylor
Copy link
Contributor

I think this is a good change, just wanted to mention the similarities between this and CloudTrail.

I'm also curious what the errors look like if I select a bucket I don't own and have zero rights to. The bucket won't be created again, but some other command will likely fail, right? The fix in this PR is really only for the case where I can write to the bucket but cannot run a HEAD operation against it. Is a rights check performed server-side?

In the CloudTrail customization we put the burden on the user by having them provide one of two mutually exclusive parameters that specify whether to create a new bucket or use an existing one. Now I'm not saying that's the best approach, but it makes the HEAD check defensive rather than part of the core logic of the command.

@jamesls
Copy link
Member

jamesls commented Mar 17, 2015

:shipit: Looks good to me. However I'll let you and Daniel hash out the details about the cloudtrail commonality. I'm neutral on it.

@kyleknap
Copy link
Contributor Author

@danielgtaylor

Actually tested what happens if you select a bucket with zero rights. The command actually works cleanly through. It looks like AWS Config does not validate whether if you have rights to the bucket when you create the delivery channel. I have yet to figure out where errors propagate when you do not have permissions to a bucket, but I believe it happens when you deliver snapshots of your AWS resources. The status of the delivery will show a fail.

That is why I decided to add the print statement on whether a previous bucket is being used or a new one is being created. So users can catch themselves (the resources created/being used is as expected) before errors show up when you check to see if the snapshots were delivered successfully. Given that it may be better, if we used the same style of the cloudtrail commands, but it may be too late to change the API for the commands so that may be the next best option.

I will update the PR with what I find. Let me know if you have any other questions.

@kyleknap
Copy link
Contributor Author

UPDATE:

Actually I just tested it out again, and actually AWS Config does validate if you have permissions to the bucket upon creating a delivery channel. You will get the following error:

A client error (InsufficientDeliveryPolicyException) occurred when calling the PutDeliveryChannel operation: Insufficient delivery policy to s3 bucket: mybucket, unable to write to bucket, provided s3 key prefix is 'null'.

So I think everything is fine there.

kyleknap added 2 commits March 18, 2015 12:15
@kyleknap
Fix issue with configservice subscribe command
bd1936f 
When checking to see if a bucket exists, we assumed that an exception
meant that the bucket did not exist when using HeadBucket. In reality,
the error could be a 403. Also expanded the output to inform users
if a new bucket/topic is being used or an existing one.
@kyleknap
Consolidate bucket_exists logic into utils file
853513d 
Added a helper function that can be used to determine if a s3 bucket
exists or not.
@kyleknap kyleknap force-pushed the subscribe-fix branch 2 times, most recently from e23110b to 0b408ed Compare March 18, 2015 19:26
@kyleknap
Copy link
Contributor Author

@danielgtaylor

I updated the code to consolidate into the helper method s3_bucket_exists() in utils.py. Should be good to look at again.

@danielgtaylor
Copy link
Contributor

LGTM 🚢-it!

@coveralls
Copy link

Coverage Status

Coverage increased (+0.01%) to 93.41% when pulling b7ac21d on kyleknap:subscribe-fix into 02c5918 on aws:develop.

1 similar comment
@coveralls
Copy link

Coverage Status

Coverage increased (+0.01%) to 93.41% when pulling b7ac21d on kyleknap:subscribe-fix into 02c5918 on aws:develop.

@coveralls
Copy link

Coverage Status

Coverage increased (+0.01%) to 93.41% when pulling b7ac21d on kyleknap:subscribe-fix into 02c5918 on aws:develop.

1 similar comment
@coveralls
Copy link

Coverage Status

Coverage increased (+0.01%) to 93.41% when pulling b7ac21d on kyleknap:subscribe-fix into 02c5918 on aws:develop.

@coveralls
Copy link

Coverage Status

Coverage decreased (-0.22%) to 93.18% when pulling b7ac21d on kyleknap:subscribe-fix into 02c5918 on aws:develop.

kyleknap added a commit that referenced this pull request Mar 18, 2015
@kyleknap
Merge pull request #1223 from kyleknap/subscribe-fix
b1d0303 
Fix issue with configservice subscribe command
@kyleknap kyleknap merged commit b1d0303 into aws:develop Mar 18, 2015
@kyleknap kyleknap deleted the subscribe-fix branch March 18, 2015 19:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@kyleknap @coveralls @danielgtaylor @jamesls