CFn: implement DeletionPolicy and UpdateReplacePolicy#13535
Conversation
simonrw
added
semver: patch
simonrw
force-pushed
the
cfn/handle-policies
branch
from
2e205bc to
7c41c83
Compare
Test Results - Alternative Providers590 tests 323 ✅ 17m 54s ⏱️ Results for commit 988559e. ♻️ This comment has been updated with latest results. |
Test Results (amd64) - Integration, Bootstrap 5 files 5 suites 2h 39m 46s ⏱️ Results for commit 988559e. ♻️ This comment has been updated with latest results. |
simonrw
force-pushed
the
cfn/handle-policies
branch
from
7c41c83 to
f53ac96
Compare
pinzon
left a comment
pinzon
left a comment
There was a problem hiding this comment.
Great PR.
The only blocking issues are the lack of cleanup of the retained parameters and the commented out code, feel free to ignore my suggestion on the snapshot skip if you deem it unimportant.
| # TODO: provider parity issue with error message | ||
| # snapshot.match("error", exc_info.value) |
There was a problem hiding this comment.
Can't we add a snapshot skip so we can keep the snapshot?
|
|
||
| stack.destroy() | ||
|
|
||
| value = aws_client.ssm.get_parameter(Name=parameter_name)["Parameter"]["Value"] |
There was a problem hiding this comment.
We should add a cleanup for the parameter
There was a problem hiding this comment.
Great catch, thank you!
| with pytest.raises(ClientError): | ||
| aws_client.ssm.get_parameter(Name=parameter_name)["Parameter"]["Value"] |
There was a problem hiding this comment.
Let's also add the snapshot here
| ) | ||
|
|
||
| # check the previous parameter was not deleted | ||
| aws_client.ssm.get_parameter(Name=parameter_name)["Parameter"]["Value"] |
There was a problem hiding this comment.
Here we should also add a cleanup for the retained parameter
There was a problem hiding this comment.
We should consider splitting this file in two files: test_deletion_policy.py and test_update_replace_policy.py.
So in the future we can cleanly expand to test the other policy configurations.
simonrw
force-pushed
the
cfn/handle-policies
branch
from
f53ac96 to
e78199a
Compare
|
Thanks for the review @pinzon I've hopefully addressed your (very valid!) comments. Please take another look |
pinzon
left a comment
pinzon
left a comment
There was a problem hiding this comment.
Pretty good PR. The blocking issues are the comments in the tests and the templates.
|
|
||
| @markers.aws.validated | ||
| @markers.snapshot.skip_snapshot_verify( | ||
| paths=[ |
There was a problem hiding this comment.
Change: we should transform the PhysicalResourceId
There was a problem hiding this comment.
Except this is a parameter that's not output by LocalStack. It's not just that the value is different.
There was a problem hiding this comment.
Still the snapshot won't match even if we run the test against AWS again.
|
|
||
| @markers.snapshot.skip_snapshot_verify( | ||
| paths=[ | ||
| # our message is different. The AWS message does not seem to include the parameter |
There was a problem hiding this comment.
Nit: I don't think this comment is necessary. Adding 'message' to the skips already tells us there is something to fix.
There was a problem hiding this comment.
It's more about the reason why this is skipped, which is that we output a value extra to AWS.
|
|
||
| @markers.aws.validated | ||
| @markers.snapshot.skip_snapshot_verify( | ||
| paths=[ |
There was a problem hiding this comment.
Change: Same here. we should use a Regex transform even if the stack events are not in parity.
| Resources: | ||
| MyParameter: | ||
| Type: AWS::SSM::Parameter | ||
| DeletionPolicy: !If [IsPermanentEnvironment, Retain, Delete] |
There was a problem hiding this comment.
Change: It hides a bit what we're actually testing.
There was a problem hiding this comment.
What is the alternative? AWS::NoValue? I don't think that's much clearer. Or do you mean creating more templates?
There was a problem hiding this comment.
My idea here was to have a different test for deletion policy behavior and support for intrinsic functions. But @nik-localstack recently closed his pr about the later. So let's ignore my comment here.
| deletion_policy_before = Nothing | ||
| deletion_policy_after = Nothing | ||
| if not is_nothing(node_resource.deletion_policy): | ||
| deletion_policy_delta = self.visit(node_resource.deletion_policy) | ||
| deletion_policy_before = deletion_policy_delta.before | ||
| deletion_policy_after = deletion_policy_delta.after | ||
|
|
||
| update_replace_policy_before = Nothing | ||
| update_replace_policy_after = Nothing | ||
| if not is_nothing(node_resource.update_replace_policy): | ||
| update_replace_policy_delta = self.visit(node_resource.update_replace_policy) | ||
| update_replace_policy_before = update_replace_policy_delta.before | ||
| update_replace_policy_after = update_replace_policy_delta.after |
There was a problem hiding this comment.
Nit: IMO, extracting the delta values here is unnecessary, you could just get the deltas here, and use the .before and .after when needed.
There was a problem hiding this comment.
Unfortunately if the node_resource.*_policy is nothing then we get the 'NothingType' object has no attribute 'after' error.
localstack-core/localstack/services/cloudformation/engine/v2/change_set_model_executor.py
Show resolved
Hide resolved
simonrw
force-pushed
the
cfn/handle-policies
branch
from
e78199a to
fd6db3a
Compare
# Motivation A user has reported that setting policies is not only not implemented by our engigne, but actually incorrectly raises an error. # Changes * Don't raise error when modeling the policy fields * Skip deletion if `UpdateReplacePolicy=Retain` and a resource is updated * Skip deletion if `DeletionPolicy=Retain` and a resource is deleted # Related to Resolves ENG-200
simonrw
force-pushed
the
cfn/handle-policies
branch
from
fd6db3a to
988559e
Compare
2 participants
Motivation
A user has reported that setting policies is not only not implemented by our engigne, but actually incorrectly raises an error.
Changes
UpdateReplacePolicy=Retainand a resource is updatedDeletionPolicy=Retainand a resource is deletedRelated to
Resolves ENG-200