elb_application_lb: unable to use authenticate-oidc #1877

markuman opened this issue Nov 23, 2023 · 9 comments · Fixed by #1956

@markuman
Member

Summary

In the past, you could set this as a rule

            Actions:
              - Type: authenticate-oidc
                Order: 1
                AuthenticateOidcConfig:
                  ClientSecret: "{{ lookup('onepassword', 'abc123') }}"
                  UseExistingClientSecret: True
                  ....

and it worked. Because of this logic, it doesn't matter if the rule is a new one or an existing one.

Currently you get back the error from the past:

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: botocore.errorfactory.InvalidLoadBalancerActionException: An error occurred (InvalidLoadBalancerAction) when calling the ModifyRule operation: You cannot both specify a client secret and set UseExistingClientSecret to true
fatal: [localhost]: FAILED! => {"boto3_version": "1.28.73", "botocore_version": "1.31.85", "changed": false, "error": {"code": "InvalidLoadBalancerAction", "message": "You cannot both specify a client secret and set UseExistingClientSecret to true", "type": "Sender"}, "msg": "An error occurred (InvalidLoadBalancerAction) when calling the ModifyRule operation: You cannot both specify a client secret and set UseExistingClientSecret to true", "response_metadata": {"http_headers": {"connection": "close", "content-length": "352", "content-type": "text/xml", "date": "Thu, 23 Nov 2023 13:12:43 GMT", "x-amzn-requestid": "0b5b9a7b-e4f7-4c0e-9aae-cd3c4dfbe447"}, "http_status_code": 400, "request_id": "0b5b9a7b-e4f7-4c0e-9aae-cd3c4dfbe447", "retry_attempts": 0}}

You cannot both specify a client secret and set UseExistingClientSecret to true

once, fixed in #1270

When removing the ClientSecret key

            Actions:
              - Type: authenticate-oidc
                Order: 1
                AuthenticateOidcConfig:
                  #ClientSecret: "{{ lookup('onepassword', 'abc123') }}"
                  UseExistingClientSecret: True
                  ....

it leads to a new error

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: botocore.errorfactory.InvalidLoadBalancerActionException: An error occurred (InvalidLoadBalancerAction) when calling the ModifyRule operation: You can only set UseExistingClientSecret to true if the rule already has an authenticate-oidc action
fatal: [localhost]: FAILED! => {"boto3_version": "1.28.73", "botocore_version": "1.31.85", "changed": false, "error": {"code": "InvalidLoadBalancerAction", "message": "You can only set UseExistingClientSecret to true if the rule already has an authenticate-oidc action", "type": "Sender"}, "msg": "An error occurred (InvalidLoadBalancerAction) when calling the ModifyRule operation: You can only set UseExistingClientSecret to true if the rule already has an authenticate-oidc action", "response_metadata": {"http_headers": {"connection": "close", "content-length": "373", "content-type": "text/xml", "date": "Thu, 23 Nov 2023 13:14:45 GMT", "x-amzn-requestid": "f4532a2a-397b-4efb-a906-e6a42a5ba151"}, "http_status_code": 400, "request_id": "f4532a2a-397b-4efb-a906-e6a42a5ba151", "retry_attempts": 0}}

You can only set UseExistingClientSecret to true if the rule already has an authenticate-oidc action

So something new has changed/gets broken ....

Issue Type

Bug Report

Component Name

elb_application_lb

Ansible Version

ansible [core 2.15.5]
  config file = /home/m/git/lekker/iac/ansible.cfg
  configured module search path = ['/home/m/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/m/.local/lib/python3.10/site-packages/ansible
  ansible collection location = /home/m/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/m/.local/bin/ansible
  python version = 3.10.12 (main, Jun 11 2023, 05:26:28) [GCC 11.4.0] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True

Collection Versions

ansible-galaxy collection list

# /home/m/.ansible/collections/ansible_collections
Collection                     Version
------------------------------ -------
amazon.aws                     7.0.0  
ansible.netcommon              5.1.2  
ansible.posix                  1.5.4  
ansible.utils                  2.10.3 
ansible.windows                2.0.0  
community.aws                  7.0.0  
community.crypto               2.13.1 
community.general              7.4.0  
community.mysql                3.7.2  
community.postgresql           3.0.0  
community.zabbix               1.9.3  
devsec.hardening               8.7.0  
markuman.nessus                0.0.6  
markuman.nextcloud             26.0.0 
opitzconsulting.ansible_oracle 3.9.0  

# /home/m/.local/lib/python3.10/site-packages/ansible_collections
Collection                     Version
------------------------------ -------
amazon.aws                     6.5.0  
ansible.netcommon              5.2.0  
ansible.posix                  1.5.4  
ansible.utils                  2.11.0 
ansible.windows                1.14.0 
arista.eos                     6.1.2  
awx.awx                        22.7.0 
azure.azcollection             1.18.1 
check_point.mgmt               5.1.1  
chocolatey.chocolatey          1.5.1  
cisco.aci                      2.7.0  
cisco.asa                      4.0.2  
cisco.dnac                     6.7.5  
cisco.intersight               1.0.27 
cisco.ios                      4.6.1  
cisco.iosxr                    5.0.3  
cisco.ise                      2.5.16 
cisco.meraki                   2.16.5 
cisco.mso                      2.5.0  
cisco.nso                      1.0.3  
cisco.nxos                     4.4.0  
cisco.ucs                      1.10.0 
cloud.common                   2.1.4  
cloudscale_ch.cloud            2.3.1  
community.aws                  6.3.0  
community.azure                2.0.0  
community.ciscosmb             1.0.6  
community.crypto               2.15.1 
community.digitalocean         1.24.0 
community.dns                  2.6.2  
community.docker               3.4.9  
community.fortios              1.0.0  
community.general              7.5.0  
community.google               1.0.0  
community.grafana              1.5.4  
community.hashi_vault          5.0.0  
community.hrobot               1.8.1  
community.libvirt              1.3.0  
community.mongodb              1.6.3  
community.mysql                3.7.2  
community.network              5.0.0  
community.okd                  2.3.0  
community.postgresql           2.4.3  
community.proxysql             1.5.1  
community.rabbitmq             1.2.3  
community.routeros             2.10.0 
community.sap                  1.0.0  
community.sap_libs             1.4.1  
community.skydive              1.0.0  
community.sops                 1.6.6  
community.vmware               3.10.0 
community.windows              1.13.0 
community.zabbix               2.1.0  
containers.podman              1.10.3 
cyberark.conjur                1.2.2  
cyberark.pas                   1.0.23 
dellemc.enterprise_sonic       2.2.0  
dellemc.openmanage             7.6.1  
dellemc.powerflex              1.9.0  
dellemc.unity                  1.7.1  
f5networks.f5_modules          1.26.0 
fortinet.fortimanager          2.2.1  
fortinet.fortios               2.3.2  
frr.frr                        2.0.2  
gluster.gluster                1.0.2  
google.cloud                   1.2.0  
grafana.grafana                2.2.3  
hetzner.hcloud                 1.16.0 
hpe.nimble                     1.1.4  
ibm.qradar                     2.1.0  
ibm.spectrum_virtualize        1.12.0 
infinidat.infinibox            1.3.12 
infoblox.nios_modules          1.5.0  
inspur.ispim                   1.3.0  
inspur.sm                      2.3.0  
junipernetworks.junos          5.3.0  
kubernetes.core                2.4.0  
lowlydba.sqlserver             2.2.1  
microsoft.ad                   1.3.0  
netapp.aws                     21.7.0 
netapp.azure                   21.10.0
netapp.cloudmanager            21.22.0
netapp.elementsw               21.7.0 
netapp.ontap                   22.7.0 
netapp.storagegrid             21.11.1
netapp.um_info                 21.8.0 
netapp_eseries.santricity      1.4.0  
netbox.netbox                  3.14.0 
ngine_io.cloudstack            2.3.0  
ngine_io.exoscale              1.1.0  
ngine_io.vultr                 1.1.3  
openstack.cloud                2.1.0  
openvswitch.openvswitch        2.1.1  
ovirt.ovirt                    3.2.0  
purestorage.flasharray         1.21.0 
purestorage.flashblade         1.14.0 
purestorage.fusion             1.6.0  
sensu.sensu_go                 1.14.0 
servicenow.servicenow          1.0.6  
splunk.es                      2.1.0  
t_systems_mms.icinga_director  1.33.1 
telekom_mms.icinga_director    1.34.1 
theforeman.foreman             3.14.0 
vmware.vmware_rest             2.3.1  
vultr.cloud                    1.10.0 
vyos.vyos                      4.1.0  
wti.remote                     1.0.5  

AWS SDK versions

WARNING: Package(s) not found: boto
Name: boto3
Version: 1.28.73
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email: 
License: Apache License 2.0
Location: /home/m/.local/lib/python3.10/site-packages
Requires: botocore, jmespath, s3transfer
Required-by: awslogs
---
Name: botocore
Version: 1.31.85
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email: 
License: Apache License 2.0
Location: /home/m/.local/lib/python3.10/site-packages
Requires: jmespath, python-dateutil, urllib3
Required-by: awscli, boto3, s3transfer

Configuration

CONFIG_FILE() = /home/m/git/lekker/iac/ansible.cfg
DEFAULT_ROLES_PATH(/home/m/git/lekker/iac/ansible.cfg) = ['/home/m/.ansible/roles']
INTERPRETER_PYTHON(/home/m/git/lekker/iac/ansible.cfg) = /usr/bin/python3

OS / Environment

Ubuntu 22.04

Steps to Reproduce

see in summary

Expected Results

rules are set, doesn't matter if both keys UseExistingClientSecret: True and ClientSecret are set

Actual Results

see summary

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
@hakbailey hakbailey added needs_verified Some one might want to take a look at this and reproduce it to confirm jira and removed needs_triage labels Nov 28, 2023
@abikouo abikouo self-assigned this Jan 22, 2024
@abikouo abikouo added the WIP Work in progress label Jan 22, 2024
abikouo added a commit to abikouo/amazon.aws that referenced this issue Jan 24, 2024
@abikouo
Contributor

abikouo commented Jan 24, 2024

@markuman I can't reproduce the issue when modifying the existing load balancer rule.
The only issue I can reproduce is when creating a new load balancer rule using both UseExistingClientSecret=true and ClientSecret

The error was: botocore.errorfactory.InvalidLoadBalancerActionException: An error occurred (InvalidLoadBalancerAction) when calling the CreateRule operation: You cannot both specify a client secret and set UseExistingClientSecret to true

However this has been fixed using #1956

Could you please provide a full sequence on how to reproduce the issue?
Here is the playbook I used to reproduce

- name: Create an ALB with different listener by adding rule
  amazon.aws.elb_application_lb:
    name: sample-lb
    subnets: 
      - subnet-xxxxxxxxxxxxxxxxx
      - subnet-xxxxxxxxxxxxxxxxx
    security_groups: sg-xxxxxxxxxxxxxx
    state: present
    listeners:
      - Protocol: HTTPS
        Port: 443
        Certificates:
          - CertificateArn: arn:aws:iam::0123456789:server-certificate/ansible-test-xxxxxxxxxxx
        SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
        DefaultActions:
          - Type: forward
            TargetGroupName: test-target-01
        Rules:
          - Priority: 1
            Conditions:
              - Field: path-pattern
                Values:
                  - /test
            Actions:
              - TargetGroupName: test-target-01
                Type: forward
                Order: 2
              - Type: authenticate-oidc
                Order: 1
                AuthenticateOidcConfig:
                  Issuer: https://xxxxxxxxxxx
                  AuthorizationEndpoint: https://xxxxxxxxxxxxxx
                  TokenEndpoint: https://xxxxxxxxxxxxxx/oauth/token
                  UserInfoEndpoint: https://xxxxxxxxxxxxx/userinfo
                  ClientId: myclientid123645
                  ClientSecret: abcdefghigjth1233
                  UseExistingClientSecret: True

@abikouo abikouo added needs_info This issue requires further information. Please answer any outstanding questions and removed needs_verified Some one might want to take a look at this and reproduce it to confirm labels Jan 24, 2024

@markuman
Member Author

Okay, the issue is kind of different.

The rule was detected as a modified rule, but it was a new one.
Why? Because it was added somewhere in the middle of the rules list and ansible just used the priority key to say if a rule is a modified or a new rule https://github.com/ansible-collections/amazon.aws/blob/main/plugins/module_utils/elbv2.py#L1182

This case is not solvable!

But when the rule is added at the end of the rules list, it becomes a new rule (priority that does not exist yet), the module runs into a hen-egg problem.
You want to commit the rule with UseExistingClientSecret: True to become immutable for multiple runs of your playbook, you'll run into the same error

"msg": "An error occurred (InvalidLoadBalancerAction) when calling the ModifyRule operation: You cannot both specify a client secret and set UseExistingClientSecret to true

When

  1. Rule is from action type authenticate-oidc AND
  2. Rule is a new one (rules_to_add)

then UseExistingClientSecret must be set to False, no matter what was requested.

@markuman
Member Author

So to reproduce it you need to first apply this

- name: Create an ALB with different listener by adding rule
  amazon.aws.elb_application_lb:
    name: sample-lb
    subnets: 
      - subnet-xxxxxxxxxxxxxxxxx
      - subnet-xxxxxxxxxxxxxxxxx
    security_groups: sg-xxxxxxxxxxxxxx
    state: present
    listeners:
      - Protocol: HTTPS
        Port: 443
        Certificates:
          - CertificateArn: arn:aws:iam::0123456789:server-certificate/ansible-test-xxxxxxxxxxx
        SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
        DefaultActions:
          - Type: forward
            TargetGroupName: test-target-01
        Rules:
          - Priority: 1
            Conditions:
              - Field: host-header
                Values:
                  - bla.tld
            Actions:
              - TargetGroupName: somewhere
                Type: forward
          - Priority: 2
            Conditions:
              - Field: host-header
                Values:
                  - yolo.rocks
            Actions:
              - TargetGroupName: yeah
                Type: forward

and then modify it like that

- name: Create an ALB with different listener by adding rule
  amazon.aws.elb_application_lb:
    name: sample-lb
    subnets: 
      - subnet-xxxxxxxxxxxxxxxxx
      - subnet-xxxxxxxxxxxxxxxxx
    security_groups: sg-xxxxxxxxxxxxxx
    state: present
    listeners:
      - Protocol: HTTPS
        Port: 443
        Certificates:
          - CertificateArn: arn:aws:iam::0123456789:server-certificate/ansible-test-xxxxxxxxxxx
        SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
        DefaultActions:
          - Type: forward
            TargetGroupName: test-target-01
        Rules:
          - Priority: 1
            Conditions:
              - Field: host-header
                Values:
                  - bla.tld
            Actions:
              - TargetGroupName: somewhere
                Type: forward
          - Priority: 2
            Conditions:
              - Field: path-pattern
                Values:
                  - /test
            Actions:
              - TargetGroupName: test-target-01
                Type: forward
                Order: 2
              - Type: authenticate-oidc
                Order: 1
                AuthenticateOidcConfig:
                  Issuer: https://xxxxxxxxxxx
                  AuthorizationEndpoint: https://xxxxxxxxxxxxxx
                  TokenEndpoint: https://xxxxxxxxxxxxxx/oauth/token
                  UserInfoEndpoint: https://xxxxxxxxxxxxx/userinfo
                  ClientId: myclientid123645
                  ClientSecret: abcdefghigjth1233
                  UseExistingClientSecret: True
          - Priority: 3
            Conditions:
              - Field: host-header
                Values:
                  - yolo.rocks
            Actions:
              - TargetGroupName: yeah
                Type: forward

abikouo added a commit to abikouo/amazon.aws that referenced this issue Jan 30, 2024
@abikouo
Contributor

abikouo commented Jan 30, 2024

@markuman I have updated PR #1956 to fix this test case.
Could you please validate if it is working as expected using #1956? Thanks

abikouo added a commit to abikouo/amazon.aws that referenced this issue Jan 30, 2024
abikouo added a commit to abikouo/amazon.aws that referenced this issue Feb 9, 2024
abikouo added a commit to abikouo/amazon.aws that referenced this issue Feb 12, 2024
@markuman
Member Author

> @markuman I have updated PR #1956 to fix this test case. Could you please validate if it is working as expected using #1956? Thanks

No, it does not solve the issue.
When you add a new authenticate-oidc rule in the middle of your existing rules, .... the rule is still detected as a changed one (because comparison is based on priority number), but strictly speaking, it is a new one.

@markuman
Member Author

> When
>
> 1. Rule is from action type `authenticate-oidc` **AND**
> 2. Rule is a new one (`rules_to_add`)
>
> then UseExistingClientSecret must be set to False, no matter what was requested.

this still failed with your branch, when adding a new rule to existing ALB at the end (priority number + 1).

abikouo added a commit to abikouo/amazon.aws that referenced this issue Feb 15, 2024
@abikouo
Contributor

abikouo commented Feb 15, 2024

@markuman I just realized that there is an API to update the Rule priority, this will be used when the rule has just changed the priority but all the other properties remain the same. This will fix the use case where an authenticate-oidc rule is inserted in the middle of existing rules.

> When
>
> 1. Rule is from action type `authenticate-oidc` **AND**
> 2. Rule is a new one (`rules_to_add`)
>
> then UseExistingClientSecret must be set to False, no matter what was requested.
>
> this still failed with your branch, when adding a new rule to existing ALB at the end (priority number + 1).

This has also been fixed.

abikouo added a commit to abikouo/amazon.aws that referenced this issue Feb 28, 2024
softwarefactory-project-zuul bot pushed a commit that referenced this issue Mar 1, 2024
…1956)

module_utils/elbv2 - fix issue with authenticate-oidc listener rule

SUMMARY

fixes #1877
The module now detects rules which are changing priority; they are no longer considered new rules, but we are using the set_rule_priorities API instead to update the priority.
For authenticated-oidc rules, we always set UseExistingSecret to False for a new rule to create and when the rule needs to be modified and the user has provided a ClientSecret.

ISSUE TYPE


Bugfix Pull Request

Reviewed-by: Helen Bailey <[email protected]>
Reviewed-by: Bikouo Aubin
Reviewed-by: Alina Buzachis
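
The rule classification discussed in this thread, as an added sketch that is not the module's own code: rules are matched on their conditions and actions before priority is considered, and `UseExistingClientSecret` is rewritten for created and modified authenticate-oidc rules. The helper names, the `arn:constructed:...` ARNs, the issuer URL and the secret value are assumptions, and both sides are assumed to be already normalised to the same dict shape.

```python
import copy
import json


def _fingerprint(rule):
    """Identity of a rule: conditions and actions, without priority or secret fields.

    The secret fields are left out because the live rule never carries ClientSecret.
    """
    actions = copy.deepcopy(rule.get("Actions", []))
    for action in actions:
        for key in ("ClientSecret", "UseExistingClientSecret"):
            action.get("AuthenticateOidcConfig", {}).pop(key, None)
    actions.sort(key=lambda a: a.get("Order", 1))
    return json.dumps([rule.get("Conditions", []), actions], sort_keys=True)


def _has_oidc(rule):
    return any(a.get("Type") == "authenticate-oidc" for a in rule.get("Actions", []))


def _fix_oidc_flag(rule, live=None):
    """Return a copy of `rule` with a UseExistingClientSecret value the API accepts.

    live=None means the rule is being created; otherwise `live` is the rule to modify.
    """
    rule = copy.deepcopy(rule)
    for action in rule.get("Actions", []):
        if action.get("Type") != "authenticate-oidc":
            continue
        oidc = action["AuthenticateOidcConfig"]
        if "ClientSecret" in oidc:
            # A secret is supplied: send it and never combine it with the flag.
            oidc["UseExistingClientSecret"] = False
        elif live is not None and _has_oidc(live):
            oidc["UseExistingClientSecret"] = True
        else:
            raise ValueError("no stored client secret to reuse: ClientSecret is required")
    return rule


def plan_rule_changes(current, desired):
    """Classify desired rules against live ones: add, modify, set_priority, delete."""
    plan = {"add": [], "modify": [], "set_priority": [], "delete": []}
    live_by_fp = {}
    for rule in current:
        live_by_fp.setdefault(_fingerprint(rule), []).append(rule)
    unmatched = []
    for rule in desired:
        candidates = live_by_fp.get(_fingerprint(rule))
        if not candidates:
            unmatched.append(rule)
            continue
        live = candidates.pop(0)
        if str(live["Priority"]) != str(rule["Priority"]):
            # Same rule, new position: move it instead of re-creating it.
            plan["set_priority"].append(
                {"RuleArn": live["RuleArn"], "Priority": int(rule["Priority"])})
    leftover = {str(r["Priority"]): r for rules in live_by_fp.values() for r in rules}
    for rule in unmatched:
        live = leftover.pop(str(rule["Priority"]), None)
        if live is None:
            plan["add"].append(_fix_oidc_flag(rule))
        else:
            plan["modify"].append(dict(_fix_oidc_flag(rule, live), RuleArn=live["RuleArn"]))
    plan["delete"] = [r["RuleArn"] for r in leftover.values()]
    return plan


def _rule(priority, field, value, actions, arn=None):
    rule = {"Priority": priority, "Actions": actions,
            "Conditions": [{"Field": field, "Values": [value]}]}
    if arn:
        rule["RuleArn"] = arn
    return rule


# Constructed sample data mirroring the two reproduction playbooks in this thread.
OIDC = {"Type": "authenticate-oidc", "Order": 1, "AuthenticateOidcConfig": {
    "Issuer": "https://idp.example", "ClientId": "myclientid123645",
    "ClientSecret": "placeholder-secret", "UseExistingClientSecret": True}}
FWD_TEST = {"Type": "forward", "Order": 2, "TargetGroupName": "test-target-01"}
FWD_A = {"Type": "forward", "TargetGroupName": "somewhere"}
FWD_B = {"Type": "forward", "TargetGroupName": "yeah"}
LIVE = [_rule("1", "host-header", "bla.tld", [FWD_A], "arn:constructed:rule-a"),
        _rule("2", "host-header", "yolo.rocks", [FWD_B], "arn:constructed:rule-b")]
DESIRED = [_rule(1, "host-header", "bla.tld", [FWD_A]),
           _rule(2, "path-pattern", "/test", [FWD_TEST, OIDC]),
           _rule(3, "host-header", "yolo.rocks", [FWD_B])]

if __name__ == "__main__":
    print(json.dumps(plan_rule_changes(LIVE, DESIRED), indent=2))
```

When such a plan is applied, the priority moves have to be sent before the creates so that the slot for the inserted rule is free.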
patchback bot pushed a commit that referenced this issue Mar 1, 2024
…1956)

module_utils/elbv2 - fix issue with authenticate-oidc listener rule

SUMMARY

fixes #1877
The module now detects rules which are changing priority; they are no longer considered new rules, but we are using the set_rule_priorities API instead to update the priority.
For authenticated-oidc rules, we always set UseExistingSecret to False for a new rule to create and when the rule needs to be modified and the user has provided a ClientSecret.

ISSUE TYPE

Bugfix Pull Request

Reviewed-by: Helen Bailey <[email protected]>
Reviewed-by: Bikouo Aubin
Reviewed-by: Alina Buzachis
(cherry picked from commit 470ca0a)
softwarefactory-project-zuul bot pushed a commit that referenced this issue Mar 1, 2024
…1956) (#2008)

[PR #1956/470ca0a0 backport][stable-7] module_utils/elbv2 - fix issue with authenticate-oidc listener rule

This is a backport of PR #1956 as merged into main (470ca0a).
SUMMARY

fixes #1877
The module now detects rules which are changing priority; they are no longer considered new rules, but we are using the set_rule_priorities API instead to update the priority.
For authenticated-oidc rules, we always set UseExistingSecret to False for a new rule to create and when the rule needs to be modified and the user has provided a ClientSecret.

ISSUE TYPE


Bugfix Pull Request

Reviewed-by: Alina Buzachis
Reviewed-by: Bikouo Aubin
@markuman
Member Author

markuman commented May 3, 2024

So to reproduce it you need to first apply this

- name: Create an ALB with different listener by adding rule
  amazon.aws.elb_application_lb:
    name: sample-lb
    subnets: 
      - subnet-xxxxxxxxxxxxxxxxx
      - subnet-xxxxxxxxxxxxxxxxx
    security_groups: sg-xxxxxxxxxxxxxx
    state: present
    listeners:
      - Protocol: HTTPS
        Port: 443
        Certificates:
          - CertificateArn: arn:aws:iam::0123456789:server-certificate/ansible-test-xxxxxxxxxxx
        SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
        DefaultActions:
          - Type: forward
            TargetGroupName: test-target-01
        Rules:
          - Priority: 1
            Conditions:
              - Field: host-header
                Values:
                  - bla.tld
            Actions:
              - TargetGroupName: somewhere
                Type: forward
          - Priority: 2
            Conditions:
              - Field: host-header
                Values:
                  - yolo.rocks
            Actions:
              - TargetGroupName: yeah
                Type: forward

and then modify it like that

- name: Create an ALB with different listener by adding rule
  amazon.aws.elb_application_lb:
    name: sample-lb
    subnets: 
      - subnet-xxxxxxxxxxxxxxxxx
      - subnet-xxxxxxxxxxxxxxxxx
    security_groups: sg-xxxxxxxxxxxxxx
    state: present
    listeners:
      - Protocol: HTTPS
        Port: 443
        Certificates:
          - CertificateArn: arn:aws:iam::0123456789:server-certificate/ansible-test-xxxxxxxxxxx
        SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
        DefaultActions:
          - Type: forward
            TargetGroupName: test-target-01
        Rules:
          - Priority: 1
            Conditions:
              - Field: host-header
                Values:
                  - bla.tld
            Actions:
              - TargetGroupName: somewhere
                Type: forward
          - Priority: 2
            Conditions:
              - Field: path-pattern
                Values:
                  - /test
            Actions:
              - TargetGroupName: test-target-01
                Type: forward
                Order: 2
              - Type: authenticate-oidc
                Order: 1
                AuthenticateOidcConfig:
                  Issuer: https://xxxxxxxxxxx
                  AuthorizationEndpoint: https://xxxxxxxxxxxxxx
                  TokenEndpoint: https://xxxxxxxxxxxxxx/oauth/token
                  UserInfoEndpoint: https://xxxxxxxxxxxxx/userinfo
                  ClientId: myclientid123645
                  ClientSecret: abcdefghigjth1233
                  UseExistingClientSecret: True
          - Priority: 3
            Conditions:
              - Field: host-header
                Values:
                  - yolo.rocks
            Actions:
              - TargetGroupName: yeah
                Type: forward

This issue needs to be reopened @abikouo, because it still failed with 7.5.0 the other way round.
Say you've got one ALB with 3 rules. When you delete the one in the middle (priority 2), the module failed

--- /tmp/before.yml     2024-05-03 08:29:41.697584862 +0200
+++ /tmp/after.yml      2024-05-03 08:29:57.211759937 +0200
@@ -24,25 +24,6 @@
             Actions:
               - TargetGroupName: somewhere
                 Type: forward
-          - Priority: 2
-            Conditions:
-              - Field: path-pattern
-                Values:
-                  - /test
-            Actions:
-              - TargetGroupName: test-target-01
-                Type: forward
-                Order: 2
-              - Type: authenticate-oidc
-                Order: 1
-                AuthenticateOidcConfig:
-                  Issuer: https://xxxxxxxxxxx
-                  AuthorizationEndpoint: https://xxxxxxxxxxxxxx
-                  TokenEndpoint: https://xxxxxxxxxxxxxx/oauth/token
-                  UserInfoEndpoint: https://xxxxxxxxxxxxx/userinfo
-                  ClientId: myclientid123645
-                  ClientSecret: abcdefghigjth1233
-                  UseExistingClientSecret: True
           - Priority: 3
             Conditions:
               - Field: host-header
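Review bot: with the `- Priority: 2` block removed and `- Priority: 3` kept as unchanged context, the desired rule set has a gap at priority 2 and the surviving rules keep the priorities they already have, so the only change to derive from this diff is deleting the priority-2 rule. It would help to state that expectation next to the diff and to keep this before/after pair as a regression case asserting that no priority update is issued for the rules that stay. Separately, the removed block carries `ClientSecret: abcdefghigjth1233` as an inline literal; a shared reproduction is better off with the lookup form used in the first snippet of this issue, `lookup('onepassword', 'abc123')`.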
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: botocore.errorfactory.PriorityInUseException: An error occurred (PriorityInUse) when calling the SetRulePriorities operation: One or more priorities not found
fatal: [localhost]: FAILED! => {"boto3_version": "1.34.34", "botocore_version": "1.34.34", "changed": false, "error": {"code": "PriorityInUse", "message": "One or more priorities not found", "type": "Sender"}, "msg": "An error occurred (PriorityInUse) when calling the SetRulePriorities operation: One or more priorities not found", "response_metadata": {"http_headers": {"connection": "close", "content-length": "293", "content-type": "text/xml", "date": "Fri, 03 May 2024 06:26:39 GMT", "x-amzn-requestid": "134a2c29-0060-4014-a048-6fcedd701876"}, "http_status_code": 400, "request_id": "134a2c29-0060-4014-a048-6fcedd701876", "retry_attempts": 0}}

abikouo pushed a commit to abikouo/amazon.aws that referenced this issue Sep 19, 2024
…ctions#1877)

Add transit-gateway-id parameter to ec2_vpc_vpn module

SUMMARY

This PR adds transit_gateway_id parameter to ec2_vpc_vpn module. It is needed for the validated content role that manages the creation of transit gateway and attaches VPN to the created transit gateway.
ISSUE TYPE

Feature Pull Request

COMPONENT NAME

ADDITIONAL INFORMATION

Reviewed-by: Bikouo Aubin
Reviewed-by: Alina Buzachis
Reviewed-by: GomathiselviS
Reviewed-by: Mark Chappell

This commit was initially merged in https://github.com/ansible-collections/community.aws
See: ansible-collections/community.aws@d74c698