D6286: automation: wait for instance profiles and roles
indygreg (Gregory Szorc)
phabricator at mercurial-scm.org
Fri Apr 19 14:41:37 UTC 2019
indygreg created this revision.
Herald added a subscriber: mercurial-devel.
Herald added a reviewer: hg-reviewers.
REVISION SUMMARY
Otherwise there is a race condition between creating the resources
and us attempting to use them / them becoming available.
The role waiter API was recently introduced, so we had to upgrade
the boto3 package to get it. Other packages were also updated
to latest versions just because.
Even with this change, I still run into issues with the IAM instance
profile not being available when we attempt to create an EC2 instance
using a just-created profile. I'm not sure what's going on. Possibly
a bug on Amazon's end. But the new behavior is "more correct."
REPOSITORY
rHG Mercurial
REVISION DETAIL
https://phab.mercurial-scm.org/D6286
AFFECTED FILES
contrib/automation/hgautomation/aws.py
contrib/automation/requirements.txt
CHANGE DETAILS
diff --git a/contrib/automation/requirements.txt b/contrib/automation/requirements.txt
--- a/contrib/automation/requirements.txt
+++ b/contrib/automation/requirements.txt
@@ -8,12 +8,12 @@
--hash=sha256:2f1adbb7546ed199e3c90ef23ec95c5cf3585bac7d11fb7eb562a3fe89c64e87 \
--hash=sha256:9d5c20441baf0cb60a4ac34cc447c6c189024b6b4c6cd7877034f4965c464e49 \
# via cryptography
-boto3==1.9.111 \
- --hash=sha256:06414c75d1f62af7d04fd652b38d1e4fd3cfd6b35bad978466af88e2aaecd00d \
- --hash=sha256:f3b77dff382374773d02411fa47ee408f4f503aeebd837fd9dc9ed8635bc5e8e
-botocore==1.12.111 \
- --hash=sha256:6af473c52d5e3e7ff82de5334e9fee96b2d5ec2df5d78bc00cd9937e2573a7a8 \
- --hash=sha256:9f5123c7be704b17aeacae99b5842ab17bda1f799dd29134de8c70e0a50a45d7 \
+boto3==1.9.133 \
+ --hash=sha256:9fedb9ca5f5c32672f633db18d82b33bb8792506d6298602d356c16889ce504e \
+ --hash=sha256:e63831daad499191811851e6c6016b1fc710fc2d92ddc221288b26f6bdea8f74
+botocore==1.12.133 \
+ --hash=sha256:3b5968fc897b590c2b57fd6105b52ba8bdf5eb2100b7e181d4c17c7c05a2f83a \
+ --hash=sha256:cc270cc2c282b2679f44bd1de011a270c4d8b5364afc2f705152ca187821d4eb \
# via boto3, s3transfer
certifi==2019.3.9 \
--hash=sha256:59b7658e26ca9c7339e00f8f4636cdfe59d34fa37b9b04f6f9e9926b3cece1a5 \
@@ -87,9 +87,9 @@
--hash=sha256:3720a4b1bd659dd2eecad0666459b9788813e032b83e7ba58578e48254e0a0e6 \
--hash=sha256:bde2aef6f44302dfb30320115b17d030798de8c4110e28d5cf6cf91a7a31074c \
# via boto3, botocore
-ntlm-auth==1.2.0 \
- --hash=sha256:7bc02a3fbdfee7275d3dc20fce8028ed8eb6d32364637f28be9e9ae9160c6d5c \
- --hash=sha256:9b13eaf88f16a831637d75236a93d60c0049536715aafbf8190ba58a590b023e \
+ntlm-auth==1.3.0 \
+ --hash=sha256:bb2fd03c665f0f62c5f65695b62dcdb07fb7a45df6ebc86c770be2054d6902dd \
+ --hash=sha256:ce5b4483ed761f341a538a426a71a52e5a9cf5fd834ebef1d2090f9eef14b3f8 \
# via pypsrp
pycparser==2.19 \
--hash=sha256:a988718abfad80b6b157acce7bf130a30876d27603738ac39f140993246b25b3 \
@@ -113,7 +113,7 @@
--hash=sha256:3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c \
--hash=sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73 \
# via cryptography, pypsrp, python-dateutil
-urllib3==1.24.1 \
- --hash=sha256:61bf29cada3fc2fbefad4fdf059ea4bd1b4a86d2b6d15e1c7c0b582b9752fe39 \
- --hash=sha256:de9529817c93f27c8ccbfead6985011db27bd0ddfcdb2d86f3f663385c6a9c22 \
+urllib3==1.24.2 \
+ --hash=sha256:4c291ca23bbb55c76518905869ef34bdd5f0e46af7afe6861e8375643ffee1a0 \
+ --hash=sha256:9a247273df709c4fedb38c711e44292304f73f39ab01beda9f6b9fc375669ac3 \
# via botocore, requests
diff --git a/contrib/automation/hgautomation/aws.py b/contrib/automation/hgautomation/aws.py
--- a/contrib/automation/hgautomation/aws.py
+++ b/contrib/automation/hgautomation/aws.py
@@ -196,7 +196,7 @@
if ensure_ec2_state:
ensure_key_pairs(automation.state_path, self.ec2resource)
self.security_groups = ensure_security_groups(self.ec2resource)
- ensure_iam_state(self.iamresource)
+ ensure_iam_state(self.iamclient, self.iamresource)
def key_pair_path_private(self, name):
"""Path to a key pair private key file."""
@@ -325,7 +325,7 @@
profile.delete()
-def ensure_iam_state(iamresource, prefix='hg-'):
+def ensure_iam_state(iamclient, iamresource, prefix='hg-'):
"""Ensure IAM state is in sync with our canonical definition."""
remote_profiles = {}
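Review bot: The new required `iamclient` parameter is inserted ahead of `iamresource`, so any caller not updated in this diff that passes the resource positionally would bind it to `iamclient` and fail only when a profile or role is actually created. A boto3 resource already exposes its low-level client, so the waiters could use `iamresource.meta.client.get_waiter(...)` and leave the signature as it was. If the parameter stays, the docstring should say that `iamclient` is the low-level IAM client used only for waiters. The function body continues outside this hunk.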
@@ -361,6 +361,10 @@
InstanceProfileName=actual)
remote_profiles[name] = profile
+ waiter = iamclient.get_waiter('instance_profile_exists')
+ waiter.wait(InstanceProfileName=actual)
+ print('IAM instance profile %s is available' % actual)
+
for name in sorted(set(IAM_ROLES) - set(remote_roles)):
entry = IAM_ROLES[name]
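Review bot: The `instance_profile_exists` waiter only confirms that IAM's own read of the profile succeeds, so this wait does not cover propagation to EC2. That matches the failure the revision summary still reports when launching with a just-created profile, and the same limit applies to the `role_exists` wait in the next hunk. A bounded retry where the instance is launched (outside this diff) would be the place to handle it. In this hunk a comment such as `# Confirms IAM visibility only; EC2 may still reject a new profile briefly.` would keep the next reader from over-trusting the wait. The waiters presumably also require the automation credentials to hold `iam:GetInstanceProfile` and `iam:GetRole`, which is worth stating wherever the required policy is documented.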
@@ -373,6 +377,10 @@
AssumeRolePolicyDocument=ASSUME_ROLE_POLICY_DOCUMENT,
)
+ waiter = iamclient.get_waiter('role_exists')
+ waiter.wait(RoleName=actual)
+ print('IAM role %s is available' % actual)
+
remote_roles[name] = role
for arn in entry['policy_arns']:
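Review bot: `waiter.wait(RoleName=actual)` sits between role creation and the `for arn in entry['policy_arns']` loop, so a waiter timeout raises after the role exists but before any policy is attached. Because the creation loop iterates `set(IAM_ROLES) - set(remote_roles)`, a re-run would presumably find the role already present and skip attachment, leaving a role with no policies. Either reconcile policies for existing roles as well, or catch the waiter failure and delete the half-created role before re-raising. The attachment loop's body is outside this hunk, so this is inferred from the visible lines.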
To: indygreg, #hg-reviewers
Cc: mercurial-devel