Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Select subnet based on az machine type availability #373

Merged
merged 7 commits into from
Apr 26, 2023
Merged

Select subnet based on az machine type availability #373

merged 7 commits into from
Apr 26, 2023

Conversation

lbajolet-hashicorp
Copy link
Contributor

@lbajolet-hashicorp lbajolet-hashicorp commented Apr 21, 2023
edited
Loading

This PR is an attempt to fix the problem where we pick a subnet that cannot spawn an instance of the type requested as the AZ linked to the subnet does not support it.

We also add some basic unit-tests for the step, which will be improved upon in upcoming PRs.

Related to #368
Related to #371

@lbajolet-hashicorp lbajolet-hashicorp requested a review from a team as a code owner April 21, 2023 17:28
@lbajolet-hashicorp lbajolet-hashicorp force-pushed the select_subnet_based_on_az_machine_type_availability branch 4 times, most recently from a6a1fb7 to 4f74fbc Compare April 21, 2023 19:11
@nywilken nywilken mentioned this pull request Apr 24, 2023
Merged
nywilken
nywilken reviewed Apr 24, 2023
View reviewed changes
Copy link
Contributor

@nywilken nywilken left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I left a few small change requests. This is looks good. The testing is a nice addition, which looks to cover the potential failures.

Does the call to describeInstnaceOfferings require a different set of permissions?

builder/common/step_network_info.go Show resolved Hide resolved
builder/common/step_network_info_test.go Outdated Show resolved Hide resolved
builder/common/step_network_info_test.go Outdated Show resolved Hide resolved
builder/common/step_network_info_test.go Outdated Show resolved Hide resolved
builder/common/step_network_info.go Outdated Show resolved Hide resolved
builder/common/step_network_info_test.go Outdated Show resolved Hide resolved
builder/common/step_network_info_test.go Outdated Show resolved Hide resolved
builder/common/step_network_info_test.go Outdated Show resolved Hide resolved
@lbajolet-hashicorp
Copy link
Contributor Author

Does the call to describeInstnaceOfferings require a different set of permissions?

I'm not completely sure, but it may require the ec2:DescribeInstanceTypeOfferings action to be allowed for the account indeed.
We could amend the code so that if the call fails because of a missing permission, we still attempt to pick a subnet, without checking for the capability to host the type of instance requested, along with a warning that we may pick a subnet that can't support it without having this capability.

@lbajolet-hashicorp lbajolet-hashicorp force-pushed the select_subnet_based_on_az_machine_type_availability branch from 4f74fbc to a43243e Compare April 24, 2023 19:37
@lbajolet-hashicorp
builder: consider machine type for picking subnet
7c33286 
When a configuration enables associate_public_ip_address, we pick a
subnet from the default VPC, should one not be specified in the configs.

However, based on the type on machine being created, we may not always
pick the most available subnet out of all the possible ones exposed.

This commit filters out the subnets based on the AZ they're linked to,
and whether or not the AZ supports the instance type requested in the
template.
@lbajolet-hashicorp
step_network_info: add tests for AZ/subnet select
2d79117 
The step_network_info step was only tested via acceptance tests, which
considering the complexity of the code, is not enough.

To remedy this, we add some unit tests on the functions added for
filtering the subnets based on their AZ and the machine type, and for
testing the step itself in this configuration.
@lbajolet-hashicorp
network: don't fail when getting default VPC fails
55cf4bc 
When the associate_public_ip_address attribute is set in a template,
without a VPC or a Subnet, we attempt to get the default VPC for the
account.

This may however fail if the `ec2:DescribeVpcs' permission is not set.
This is a regression compared to older versions of the plugin, where the
builds succeeded, and the associate_public_ip_address was silently
ignored.

To avoid breaking more clients, we decide to not treat errors when
attempting to infer a default subnet or VPC from the account, and
instead warn that the option will be ignored.
@lbajolet-hashicorp
builder: fix message in acceptance tests
43c7309
@lbajolet-hashicorp
network: don't fail if can't pick AZ by capability
e2b2c19 
When selecting a default subnet, we describe the instance type offering
of each AZ linked to the subnets available in the VPC we picked.

This may fail if we don't have the permissions to do so, and in this
case, rather than failing to pick one, and ignore the
associate_public_ip_address, we continue without filtering by AZ
capability, and end-up picking the most available subnet out of all the
available ones.

We also print a message so users know which permission may be missing
from their IAM configs, and they can decide to fix that.
@lbajolet-hashicorp
network: fix test verbosity, and add a few more
1a6fb30
@lbajolet-hashicorp
run_config: add documentation on extra permissions
8f64933 
Since the DescribeInstanceTypeOfferings API call may require an extra
action to be allowed in the IAM roles defined, we add an extra exerpt in
the documentation for the `associate_public_ip_address' configuration
flag, so that users understand the implication of not being able to
perform this call.
@lbajolet-hashicorp lbajolet-hashicorp force-pushed the select_subnet_based_on_az_machine_type_availability branch from a43243e to 8f64933 Compare April 24, 2023 19:54
JenGoldstrich
JenGoldstrich approved these changes Apr 25, 2023
View reviewed changes
Copy link
Contributor

@JenGoldstrich JenGoldstrich left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall LGTM, I left two small comments let me know what you think!

builder/ebs/builder_acc_test.go
@@ -1283,14 +1283,10 @@ func TestAccBuilder_AssociatePublicIPWithoutSubnet(t *testing.T) {
return fmt.Errorf("did not change the public IP setting for the instance")
}

if !strings.Contains(string(logs), "No VPC ID provided, Packer will choose one from the provided or default VPC") {
if !strings.Contains(string(logs), "No VPC ID provided, Packer will use the default VPC") {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: It might be worth adding the same acceptance test to the other builders

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed it can't hurt, that being said, since the step is common, all the builders that import it will have the same behaviour.
And in terms of acceptance testing right now, besides ebs, the only builder that has the infra to run them is ebssurrogate, which essentially works the same as ebs, so I think for now we can consider this good to go.
Independently from this PR, we should add acceptance tests for the other builders at some point.

builder/common/step_network_info.go Show resolved Hide resolved
@lbajolet-hashicorp
Copy link
Contributor Author

Had verbal confirmation that Wilken was OK with the current state of the PR, so I'm merging this as-is.

@lbajolet-hashicorp lbajolet-hashicorp merged commit 49bc8fe into main Apr 26, 2023
@lbajolet-hashicorp lbajolet-hashicorp deleted the select_subnet_based_on_az_machine_type_availability branch April 26, 2023 20:15
@nywilken nywilken mentioned this pull request May 30, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JenGoldstrich JenGoldstrich JenGoldstrich approved these changes

@nywilken nywilken nywilken left review comments

Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@lbajolet-hashicorp @nywilken @JenGoldstrich