allow AWS-managed ssh key pairs to be disabled

[cheeseplus]

Fixes #391. When adding the new auto-generation feature of keys/security groups, the option to not pass any SSH key id at all was lost. This means that aws_ssh_key_id now has three states:

• if nil we auto-create a key-pair
• if "/path/to/key.pem" or ENV["AWS_SSH_KEY_ID"] is set, we use specified key
• if "_disable", don't provide any key-pair at all - this requires the remote image/instance to have this configured out of band (baking, user_data)

TODO

• Update the docs once the triple-option is settled upon.

[robbkidd]

Maybe include a negative expectation for setting aws_ssh_key_id to false?

expect(driver).to_not receive(:create_key)

Looking at the spec, I found myself wondering what was different.

[cheeseplus]

The key won't get created if you provide a path either so not sure checking this is any more meaningful but I do see what you are saying. Initially I'd added this to the instance_generator but that felt like more code that wasn't really doing much.

[ghost]

Just throwing this out there .... should ENV["AWS_SSH_KEY_ID"] also be allowed to be set to false.

[cheeseplus]

No, env vars have no concept of boolean - they are always strings and we're going to respect whatever a person sets there and fail if it's bad data.

[cheeseplus]

@pantocrator27 so we've figured out the fix (mostly) but bike shedding on the option, would you prefer:

aws_ssh_key_id: false

OR

aws_ssh_key_id: disable #perhaps a symbol even, :disable

We definitely want to keep auto-generation as the default when Nil and given this is a relatively niche use case you kinda get to pick what sounds best!

[robbkidd]

@pantocrator27 Updated this PR with what :disable might look like.

[ghost]

@cheeseplus @robbkidd Thanks for all of your work on this guys! It honestly feels to me that "disable" may sound better than "false". It semantically feels better to me if this makes sense because we are essentially disabling this feature ....

Thoughts?

[cheeseplus]

That was pretty much our thinking too but just wanted to shop it out since, as of now, you are the primary use case.

[robbkidd]

🤔 This should probably be config[:aws_ssh_key_id] = nil to accurately reflect the default config where the key is present and its value is nil. config.delete(:aws_ssh_key_id) as setup is technically testing when the key is not present.

[coderanger]

Hmm, I am :-/ on using disable since we shouldn't do stuff that requires symbols (as opposed to strings) and magic string values are usually a thing that will bite people later.

[robbkidd]

@coderanger Do you have a suggestion for a better way to disable the current SET KEY NAME || GENERATE KEY behavior? @cheeseplus and I talked about Yet Another Config Option and didn't like the taste of that either.

we shouldn't do stuff that requires symbols (as opposed to strings)

The current code handles either with a config[:aws_ssh_key_id].to_sym == :disable tucked in there after the nil check.

relevant specs

Run options: include {:focus=>true, :locations=>{"./spec/kitchen/driver/ec2_spec.rb"=>[686]}}

Randomized with seed 62956

Kitchen::Driver::Ec2
  #create
    and AWS SSH keys
      with AWS-managed ssh key pair disabled, does not create a key pair or pass a key id
        (disable as a string)
          successfully creates and tags the instance
        (disable as a symbol)
          successfully creates and tags the instance
      with no AWS-managed ssh key pair configured, creates a key pair to use
        successfully creates and tags the instance
      with AWS ssh key pair set, uses set key and does not create a key pair
        successfully creates and tags the instance

Finished in 0.0321 seconds (files took 2.81 seconds to load)
4 examples, 0 failures

[cheeseplus]

I'm not super opposed to false as it fits in with everything else in the ecosystem even if semantically it's not great.

[ghost]

At this point ... I am not going to look a gift horse in the mouth :) or ask you guys to do something contrary to the set of current coding standards

[ghost]

As the customer, I will be equally pleased with either approach so long as it is documented. Please and thanks!

[robbkidd]

Alternate proposal: config[:aws_ssh_key_id] = ⛔️

[ghost]

@robbkidd can that be done :)

[ghost]

also I hate to ask this, could this make its way into the next release of ChefDK ... I don't know how that process would work?

[cheeseplus]

The deps in ChefDK just need to get bumped - the catch being that the ChefDK release is on it's own monthly schedule so if you wanted it sooner you'd have to consume a build from the current channel once the Gemfile.lock has been bumped.

[ghost]

thanks for the info @cheeseplus!

[coderanger]

I think I've convinced myself that a magic string is fine but what if we do _disabled instead just to make it clear it's a special value? And re: to_sym, better to do .to_s == 'whatever' since to_sym involves permanent allocs ;-)

[robbkidd]

Updated for "_disabled".

[coderanger]

Just needs some text in the readme to document it :) I can do that post merge if you're low on cycles since you already put in a 💯 effort <3

[robbkidd]

Regarding ...

should ENV["AWS_SSH_KEY_ID"] also be allowed to be set to [_disabled]?

As things currently stand in this PR, if the environment variable is set to "_disabled", that value will carry in and apply in the same way as if you had set aws_ssh_key_id: _disabled in kitchen.yml.

[robbkidd]

@coderanger I'm working on the README update right now! Thanks for the offer, though.

[coderanger]

[robbkidd]

Did a quick rearrangement within the doc section. Does that make things better or worse?

[ghost]

I personally feel it makes sense

[cheeseplus]

We've got two thumbs and since I started the PR I can't approve -