Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JENKINS-72643: Fixed listing regions when using ec2 ARN role with instance profile #957

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

JENKINS-72643: Fixed listing regions when using ec2 ARN role with instance profile #957

wants to merge 1 commit into from

Conversation

craigcomstock
Copy link

@craigcomstock craigcomstock commented Mar 26, 2024
edited

In the case where a user specified an ARN Role in the advanced section of cloud config we need to use that information when pulling the list of regions.

In my case without this ARN Role being used with credentials I would get an empty drop-down list with no errors.

I added a log message with the exception to expose a bit of information in case of failures.

Testing done

I did test with an ARN Role in the advanced section of cloud config.

I did not (yet) test without this but will do this next. I suppose I could check if roleArn is empty/null and use a different createCredentialsProvider() signature.

I did not see an existing test involving ec2 instance profile or listing regions so did not add one.

Submitter checklist

Edit tasklist title
Beta Give feedback Tasklist Submitter checklist, more options

Delete tasklist

Delete tasklist block?
Are you sure? All relationships in this tasklist will be removed.
  1. Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
    Options
  2. Ensure that the pull request title represents the desired changelog entry
    Options
  3. Please describe what you did
    Options
  4. Link to relevant issues in GitHub or Jira
    Options
  5. (n/a) Link to relevant pull requests, esp. upstream and downstream changes
    Options
  6. (skipped, see above comment) Ensure you have provided tests - that demonstrates feature works or fixes the issue
    Options

@craigcomstock
JENKINS-72643: Fixed listing regions when using ec2 instance profile …
16a8ba9 
…credentials

In the case where a user specified an ARN Role in the advanced section of cloud config we need to use that information when pulling the list of regions.

In my case without this ARN Role being used with credentials I would get an empty drop-down list with no errors.

I added a log message with the exception to expose a bit of information in case of failures.
craigcomstock
craigcomstock commented Mar 26, 2024
View reviewed changes
src/main/java/hudson/plugins/ec2/AmazonEC2Cloud.java
@@ -185,14 +185,20 @@ public FormValidation doCheckAltEC2Endpoint(@QueryParameter String value) {
public ListBoxModel doFillRegionItems(
@QueryParameter String altEC2Endpoint,
@QueryParameter boolean useInstanceProfileForCredentials,
@QueryParameter String roleArn,
@QueryParameter String roleSessionName,
@QueryParameter String region,
@QueryParameter String credentialsId)

throws IOException, ServletException {
ListBoxModel model = new ListBoxModel();
if (Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
try {
AWSCredentialsProvider credentialsProvider = createCredentialsProvider(useInstanceProfileForCredentials,
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

as far as I can tell from EC2Cloud.java my use here should be OK because there is a guard for empty roleArn and roleSessionName

https://github.com/jenkinsci/ec2-plugin/blob/master/src/main/java/hudson/plugins/ec2/EC2Cloud.java#L956

        if (StringUtils.isNotEmpty(roleArn) && StringUtils.isNotEmpty(roleSessionName)) {
            return new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, roleSessionName)
...

craigcomstock
craigcomstock commented Mar 27, 2024
View reviewed changes
src/main/java/hudson/plugins/ec2/AmazonEC2Cloud.java
@@ -201,6 +207,7 @@ public ListBoxModel doFillRegionItems(
model.add(name, name);
}
} catch (SdkClientException ex) {
LOGGER.log(Level.INFO, "AmazonEC2Cloud.doFillRegionItems() got exception: " + ex);
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was thinking I would change this message to incorporate the comment about this may happen before credentials are specified so maybe "OK".

Can we write unit tests which check for logging? The logging would have been VERY helpful to me initially when I encountered this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
1 participant
@craigcomstock