From 056d54ebd344178db96c9d10b40394b593e3bdda Mon Sep 17 00:00:00 2001
From: James Cammarata
Date: Thu, 13 Feb 2014 12:12:08 -0600
Subject: [PATCH 1/2] Adding 'validate_certs' option to EC2 modules

When disabled, the boto connection will be instantiated without validating the SSL certificate from the target endpoint. This allows the modules to connect to Eucalyptus instances running with self-signed certs without errors.

Fixes #3978
---
 lib/ansible/module_utils/ec2.py | 18 ++++++++++++++++--
 library/cloud/cloudformation | 8 ++++++++
 library/cloud/ec2 | 9 ++++++++-
 library/cloud/ec2_ami | 8 ++++++++
 library/cloud/ec2_eip | 9 +++++++++
 library/cloud/ec2_elb | 8 ++++++++
 library/cloud/ec2_elb_lb | 8 ++++++++
 library/cloud/ec2_group | 8 ++++++++
 library/cloud/ec2_key | 8 ++++++++
 library/cloud/ec2_tag | 9 +++++++++
 library/cloud/ec2_vol | 9 +++++++++
 library/cloud/ec2_vpc | 9 +++++++++
 12 files changed, 108 insertions(+), 3 deletions(-)

diff --git a/lib/ansible/module_utils/ec2.py b/lib/ansible/module_utils/ec2.py
index bbcd30be213..2bdfe35afee 100644
--- a/lib/ansible/module_utils/ec2.py
+++ b/lib/ansible/module_utils/ec2.py
@@ -1,3 +1,9 @@
+try:
+    from distutils.version import LooseVersion
+    HAS_LOOSE_VERSION = True
+except:
+    HAS_LOOSE_VERSION = False
+
 AWS_REGIONS = ['ap-northeast-1',
                'ap-southeast-1',
                'ap-southeast-2',
@@ -14,6 +20,7 @@ def ec2_argument_spec():
         ec2_url=dict(),
         ec2_secret_key=dict(aliases=['aws_secret_key', 'secret_key'], no_log=True),
         ec2_access_key=dict(aliases=['aws_access_key', 'access_key']),
+        validate_certs=dict(default=True, type='bool'),
     )
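Review bot: The bare `except:` around the LooseVersion import catches everything, including KeyboardInterrupt and SystemExit, and hides any failure other than a missing module; it should be `except ImportError:`. This matters more than usual because HAS_LOOSE_VERSION is what decides, in ec2_connect, whether the user's validate_certs setting is forwarded to boto at all, so a false negative here silently discards a certificate-validation choice. Since `distutils.version` is standard library the fallback should essentially never fire, which is worth stating next to the flag, e.g. `# distutils is stdlib; HAS_LOOSE_VERSION only guards stripped-down interpreters`.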
@@ -62,17 +69,24 @@ def ec2_connect(module):
     """ Return an ec2 connection"""
     ec2_url, aws_access_key, aws_secret_key, region = get_ec2_creds(module)
+    validate_certs = module.get('validate_certs', True)
     # If we have a region specified, connect to its endpoint.
     if region:
         try:
-            ec2 = boto.ec2.connect_to_region(region, aws_access_key_id=aws_access_key, aws_secret_access_key=aws_secret_key)
+            if HAS_LOOSE_VERSION and LooseVersion(boto.Version) >= LooseVersion("2.6.0"):
+                ec2 = boto.ec2.connect_to_region(region, aws_access_key_id=aws_access_key, aws_secret_access_key=aws_secret_key, validate_certs=validate_certs)
+            else:
+                ec2 = boto.ec2.connect_to_region(region, aws_access_key_id=aws_access_key, aws_secret_access_key=aws_secret_key)
         except boto.exception.NoAuthHandlerFound, e:
             module.fail_json(msg = str(e))
     # Otherwise, no region so we fallback to the old connection method
     elif ec2_url:
         try:
-            ec2 = boto.connect_ec2_endpoint(ec2_url, aws_access_key, aws_secret_key)
+            if HAS_LOOSE_VERSION and LooseVersion(boto.Version) >= LooseVersion("2.6.0"):
+                ec2 = boto.connect_ec2_endpoint(ec2_url, aws_access_key, aws_secret_key, validate_certs=validate_certs)
+            else:
+                ec2 = boto.connect_ec2_endpoint(ec2_url, aws_access_key, aws_secret_key)
         except boto.exception.NoAuthHandlerFound, e:
             module.fail_json(msg = str(e))
     else:
diff --git a/library/cloud/cloudformation b/library/cloud/cloudformation
index e072f3923f8..606458b3f3c 100644
--- a/library/cloud/cloudformation
+++ b/library/cloud/cloudformation
@@ -88,6 +88,14 @@ options:
     required: false
     aliases: ['aws_region', 'ec2_region']
     version_added: "1.5"
+  validate_certs:
+    description:
+      - When set to "no", SSL certificates will not be validated for boto versions >= 2.6.0.
+    required: false
+    default: "yes"
+    choices: ["yes", "no"]
+    aliases: []
+    version_added: "1.5"
 requirements: [ "boto" ]
 author: James S. Martin
diff --git a/library/cloud/ec2 b/library/cloud/ec2
index 1b22496c8eb..e590b40fbdc 100644
--- a/library/cloud/ec2
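Review bot: `validate_certs = module.get('validate_certs', True)` reads the option from the module object itself, but the surrounding code (`get_ec2_creds(module)`, `module.fail_json`) treats `module` as an AnsibleModule, whose parsed options live in `module.params`; as written the line would raise AttributeError before either connect call and outside the NoAuthHandlerFound handler, so it should be `validate_certs = module.params.get('validate_certs', True)`. A second, security-relevant gap is the two fallback branches: when boto is older than 2.6.0 (or HAS_LOOSE_VERSION is false) the option is dropped silently, so a user who relies on the default of validating certificates gets whatever the old library does with no signal. At minimum each fallback deserves `# boto < 2.6.0 cannot take validate_certs; the user's setting is ignored here`, and a `module.fail_json` (or a warning) when a caller has explicitly set the option on an unsupported boto would be safer than continuing. The duplicated version check could also be hoisted into one boolean computed once per call. ec2_connect's final `else` branch continues outside the hunk.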
+++ b/library/cloud/ec2
@@ -212,7 +212,14 @@ options:
     required: false
     default: null
     aliases: []
-
+  validate_certs:
+    description:
+      - When set to "no", SSL certificates will not be validated for boto versions >= 2.6.0.
+    required: false
+    default: "yes"
+    choices: ["yes", "no"]
+    aliases: []
+    version_added: "1.5"
 requirements: [ "boto" ]
 author: Seth Vidal, Tim Gerla, Lester Wade
diff --git a/library/cloud/ec2_ami b/library/cloud/ec2_ami
index a6e449cbce9..ae2eca4fa4e 100644
--- a/library/cloud/ec2_ami
+++ b/library/cloud/ec2_ami
@@ -101,6 +101,14 @@ options:
     required: false
     default: null
     aliases: []
+  validate_certs:
+    description:
+      - When set to "no", SSL certificates will not be validated for boto versions >= 2.6.0.
+    required: false
+    default: "yes"
+    choices: ["yes", "no"]
+    aliases: []
+    version_added: "1.5"
 requirements: [ "boto" ]
 author: Evan Duffield
diff --git a/library/cloud/ec2_eip b/library/cloud/ec2_eip
index ab6056ae4ad..de041f42227 100644
--- a/library/cloud/ec2_eip
+++ b/library/cloud/ec2_eip
@@ -53,6 +53,15 @@ options:
     required: false
     default: false
     version_added: "1.4"
+  validate_certs:
+    description:
+      - When set to "no", SSL certificates will not be validated for boto versions >= 2.6.0.
+    required: false
+    default: "yes"
+    choices: ["yes", "no"]
+    aliases: []
+    version_added: "1.5"
+
 requirements: [ "boto" ]
 author: Lorin Hochstein
 notes:
diff --git a/library/cloud/ec2_elb b/library/cloud/ec2_elb
index 1927d6c3a7a..c6f4a72b0e1 100644
--- a/library/cloud/ec2_elb
+++ b/library/cloud/ec2_elb
@@ -74,6 +74,14 @@ options:
     required: false
     default: yes
     choices: [ "yes", "no" ]
+  validate_certs:
+    description:
+      - When set to "no", SSL certificates will not be validated for boto versions >= 2.6.0.
+    required: false
+    default: "yes"
+    choices: ["yes", "no"]
+    aliases: []
+    version_added: "1.5"
 """
diff --git a/library/cloud/ec2_elb_lb b/library/cloud/ec2_elb_lb
index 5e4db144c87..f7d23631bc0 100644
--- a/library/cloud/ec2_elb_lb
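Review bot: The validate_certs description added to the ec2 module's DOCUMENTATION says what the flag does mechanically but not what turning it off costs, and the same stanza is copied into every other module in this patch. Disabling certificate validation lets anyone on the network path to the endpoint impersonate it and read or alter the API traffic, and per ec2_connect the option is silently ignored on boto older than 2.6.0, so both facts belong in the user-facing text. Suggested description item: `- When set to "no", SSL certificates will not be validated for boto versions >= 2.6.0 (older boto ignores this option). Disabling validation exposes the connection to man-in-the-middle attack; use it only for trusted endpoints such as a Eucalyptus installation with self-signed certs.`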
+++ b/library/cloud/ec2_elb_lb
@@ -73,6 +73,14 @@ options:
       - The AWS region to use. If not specified then the value of the EC2_REGION environment variable, if any, is used.
     required: false
     aliases: ['aws_region', 'ec2_region']
+  validate_certs:
+    description:
+      - When set to "no", SSL certificates will not be validated for boto versions >= 2.6.0.
+    required: false
+    default: "yes"
+    choices: ["yes", "no"]
+    aliases: []
+    version_added: "1.5"
 """
diff --git a/library/cloud/ec2_group b/library/cloud/ec2_group
index 552f6a503e0..34d9b161244 100644
--- a/library/cloud/ec2_group
+++ b/library/cloud/ec2_group
@@ -57,6 +57,14 @@ options:
     required: false
     default: 'present'
     aliases: []
+  validate_certs:
+    description:
+      - When set to "no", SSL certificates will not be validated for boto versions >= 2.6.0.
+    required: false
+    default: "yes"
+    choices: ["yes", "no"]
+    aliases: []
+    version_added: "1.5"
 requirements: [ "boto" ]
 '''
diff --git a/library/cloud/ec2_key b/library/cloud/ec2_key
index e3bcbec50c7..5e6950d2c8b 100644
--- a/library/cloud/ec2_key
+++ b/library/cloud/ec2_key
@@ -48,6 +48,14 @@ options:
     required: false
     default: 'present'
     aliases: []
+  validate_certs:
+    description:
+      - When set to "no", SSL certificates will not be validated for boto versions >= 2.6.0.
+    required: false
+    default: "yes"
+    choices: ["yes", "no"]
+    aliases: []
+    version_added: "1.5"
 requirements: [ "boto" ]
 author: Vincent Viallet
diff --git a/library/cloud/ec2_tag b/library/cloud/ec2_tag
index 1bdcd404f57..ca5a337646f 100644
--- a/library/cloud/ec2_tag
+++ b/library/cloud/ec2_tag
@@ -59,6 +59,15 @@ options:
     required: false
     default: null
     aliases: []
+  validate_certs:
+    description:
+      - When set to "no", SSL certificates will not be validated for boto versions >= 2.6.0.
+    required: false
+    default: "yes"
+    choices: ["yes", "no"]
+    aliases: []
+    version_added: "1.5"
+
 requirements: [ "boto" ]
 author: Lester Wade
 '''
diff --git a/library/cloud/ec2_vol b/library/cloud/ec2_vol
index 815460f5e65..bdd2eae3822 100644
--- a/library/cloud/ec2_vol
+++ b/library/cloud/ec2_vol
@@ -82,6 +82,15 @@ options:
       - snapshot ID on which to base the volume
     required: false
     default: null
+  validate_certs:
+    description:
+      - When set to "no", SSL certificates will not be validated for boto versions >= 2.6.0.
+    required: false
+    default: "yes"
+    choices: ["yes", "no"]
+    aliases: []
+    version_added: "1.5"
+
 requirements: [ "boto" ]
 author: Lester Wade
 '''
diff --git a/library/cloud/ec2_vpc b/library/cloud/ec2_vpc
index d50bed4bcba..7671e6314fa 100644
--- a/library/cloud/ec2_vpc
+++ b/library/cloud/ec2_vpc
@@ -99,6 +99,15 @@ options:
     required: false
     default: None
     aliases: ['ec2_access_key', 'access_key' ]
+  validate_certs:
+    description:
+      - When set to "no", SSL certificates will not be validated for boto versions >= 2.6.0.
+    required: false
+    default: "yes"
+    choices: ["yes", "no"]
+    aliases: []
+    version_added: "1.5"
+
 requirements: [ "boto" ]
 author: Carson Gee
 '''

From fdb7c733c1c7c18ee2ee452e57f5bca64bb308db Mon Sep 17 00:00:00 2001
From: James Cammarata
Date: Thu, 13 Feb 2014 14:32:04 -0600
Subject: [PATCH 2/2] Updating CHANGELOG for the new validate_certs feature

Also removing validate_cert option from the cloudformation module docs, as it does not use the standard ec2 connection.
---
 CHANGELOG.md | 1 +
 library/cloud/cloudformation | 8 --------
 2 files changed, 1 insertion(+), 8 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 21eb57269f3..332224d7420 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,7 @@ Major features/changes:
 * acl module now handles 'default' and allows for either shorthand entry or specific fields per entry section
 * play_hosts is a new magic variable to provide a list of hosts in scope for the current play.
 * ec2 module now accepts 'exact_count' and 'count_tag' as a way to enforce a running number of nodes by tags.
+* all ec2 modules that work with Eucalyptus also now support a 'validate_certs' option, which can be set to 'off' for installations using self-signed certs.
 New modules:
diff --git a/library/cloud/cloudformation b/library/cloud/cloudformation
index 606458b3f3c..e072f3923f8 100644
--- a/library/cloud/cloudformation
+++ b/library/cloud/cloudformation
@@ -88,14 +88,6 @@ options:
     required: false
     aliases: ['aws_region', 'ec2_region']
     version_added: "1.5"
-  validate_certs:
-    description:
-      - When set to "no", SSL certificates will not be validated for boto versions >= 2.6.0.
-    required: false
-    default: "yes"
-    choices: ["yes", "no"]
-    aliases: []
-    version_added: "1.5"
 requirements: [ "boto" ]
 author: James S. Martin