Skip to content

Multiaccount action capability #89

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
blag merged 7 commits into from
Apr 16, 2020
Merged

Multiaccount action capability #89

blag merged 7 commits into from
Apr 16, 2020

Conversation

@stefangusa
Copy link
Contributor

@stefangusa stefangusa commented Nov 20, 2019

Fixes #70

It offers support not only for multi-region but also for multi-account actions.

blag
blag reviewed Nov 21, 2019
View reviewed changes
blag
blag suggested changes Nov 22, 2019
View reviewed changes
m4dcoder
m4dcoder reviewed Nov 22, 2019
View reviewed changes
Copy link
Contributor

@m4dcoder m4dcoder left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not familiar with multi-account access in AWS and so need some more explanation. The change here allows user to pass in an account_id and region when executing an AWS action. User will only need a single pair of access key and secret to be able to assume different role?

@blag
Copy link
Contributor

blag commented Nov 22, 2019

@m4dcoder brings up an excellent point and it really got me thinking. You generally want to do the minimum amount of work in a try block, and I think this mixes two separate operations that could both throw. If possible, I would break these up into two try/except blocks:

        try:
            assumed_role = self.session.client('sts').assume_role(
                RoleArn=self.cross_roles_arns[account_id],
                RoleSessionName='StackStormEvents'
            )
        except ClientError:
            self.logger.error('Could not assume role on account with id: %s', account_id)
            raise

        try:
            self.credentials.update({
                'aws_access_key_id': assumed_role["Credentials"]["AccessKeyId"],
                'aws_secret_access_key': assumed_role["Credentials"]["SecretAccessKey"],
                'security_token': assumed_role["Credentials"]["SessionToken"]
            })
        except KeyError:
            self.logger.error('Could not find cross region role ARN in the config file.')
            raise

But that also brings up the except blocks themselves. Is it really useful to add those small tidbits to the logs? Generally logging should add more context to the logs. Exactly what went wrong is already captured by exception tracebacks, which are logged anyway, so these log statements really don't contribute anything more that is actionable to a StackStorm administrator.

I would either remove the except blocks entirely, let the exceptions with their tracebacks bubble up (where they will be logged anyway), and let ST2 administrators infer the cause from the logs, or I would go the opposite direction and include as much information as I could in the logs before reraising the exception.

Useful log messages should:

  1. Clearly explain what was attempted and didn't work.
    Example: "Failed to assume role as account %d." (it's going to be obvious from the format of the account_id that it's an account ID, so you don't need to explicitly state that)
  2. Elucidate a high-level reason of what it was doing when it failed.
    Example: "when using the AWS session client"
  3. And give one or more possible breadcrumbs to the solution.
    Example: "You may want to check the roles configured for the AWS pack and ensure that the %d is still valid."

If you can save a StackStorm administrator from having to Google for a solution, or digging through Stack Overflow posts, or querying our Slack community, they will love you (and StackStorm).

@stefangusa
Copy link
Contributor Author

stefangusa commented Nov 23, 2019
edited
Loading

@blag I understood the issue regarding the format of the try/catch block but I have to highlight that its new structure could only be:

       try:
            assumed_role = self.session.client('sts').assume_role(
                RoleArn=self.cross_roles_arns[account_id],
                RoleSessionName='StackStormEvents'
            )
        except ClientError:
            self.logger.error('Could not assume role on account with id: %s', account_id)
            raise
        except KeyError:
            self.logger.error('Could not find cross region role ARN in the config file.')
            raise

        self.credentials.update({
                'aws_access_key_id': assumed_role["Credentials"]["AccessKeyId"],
                'aws_secret_access_key': assumed_role["Credentials"]["SecretAccessKey"],
                'security_token': assumed_role["Credentials"]["SessionToken"]
        })

This happens because the KeyError could only be encountered if the cross_role_arn is missing and not in the other case as the boto3 documentation [1] says that if the assume role operation succeeds (so does not return a ClientError) it must contain a dictionary containing all those keys.

Regarding the logging errors, I agree they could be more accurate.

I will make the changes these days and hope they will meet the expectations.

Until then, could you also take a look on the #87 PR which implements a similar capability for the sensor part?

Thank you!

@stefangusa stefangusa requested review from blag and m4dcoder November 26, 2019 09:10
blag
blag suggested changes Dec 5, 2019
View reviewed changes
Copy link
Contributor

@blag blag left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good, just a few small tweaks.

@stefangusa stefangusa requested a review from blag December 5, 2019 09:25
@stefangusa
Copy link
Contributor Author

stefangusa commented Dec 5, 2019

@blag I have squashed the new commit in the older one but I have changed the quoting style.

blag
blag approved these changes Dec 5, 2019
View reviewed changes
Copy link
Contributor

@blag blag left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

@stefangusa stefangusa force-pushed the multiaccount_action branch from 2f96c86 to 00e8c6f Compare April 9, 2020 17:07
@stefangusa stefangusa force-pushed the multiaccount_action branch from 00e8c6f to 6efad7d Compare April 9, 2020 18:34
This was referenced Apr 15, 2020
Merged
Closed
@blag blag mentioned this pull request Apr 16, 2020
Closed
@blag
Copy link
Contributor

blag commented Apr 16, 2020

Closes #101.

@blag blag merged commit 6077203 into StackStorm-Exchange:master Apr 16, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@m4dcoder m4dcoder Awaiting requested review from m4dcoder

1 more reviewer

@blag blag blag approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

enhancement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Multi-Region action support

3 participants

@stefangusa @blag @m4dcoder