s3_bucket module: fix failed to get bucket tags (NoSuchTagSetError)

[pgerber]

SUMMARY

Correctly handle the absence of tag sets.

ISSUE TYPE

• Bugfix Pull Request

COMPONENT NAME

s3_bucket module

ADDITIONAL INFORMATION

According to Amazon's documentation 1 the error code returned
when no tag set can be found is NoSuchTagSetError rather than
NoSuchTagSet.

Associated error:

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: botocore.exceptions.ClientError: An error occurred (NoSuchTagSetError) when calling the GetBucketTagging operation: Unknown
fatal: [abc]: FAILED! => changed=false
  boto3_version: 1.14.49
  botocore_version: 1.17.49
  error:
    bucket_name: abc
    code: NoSuchTagSetError
  msg: 'Failed to get bucket tags: An error occurred (NoSuchTagSetError) when calling the GetBucketTagging operation: Unknown'
  response_metadata:
    host_id: ''
    http_headers:
      accept-ranges: bytes
      content-length: '229'
      content-type: application/xml
      date: Thu, 27 Aug 2020 07:11:11 GMT
      strict-transport-security: max-age=31536000; includeSubDomains
      x-amz-request-id: tx0000000000000003aaad6-005f475c8f-36fd35b6f-rma1
    http_status_code: 404
    request_id: tx0000000000000003aaad6-005f475c8f-36fd35b6f-rma1
    retry_attempts: 0

[tremble]

Hi @pgerber,

many thanks for taking the time to submit this Pull Request, it's very much appreciated.

As well as the use of is_boto3_error_code there are two other things it would be helpful if you could add to your PR:

1. Please add a changelog fragment https://docs.ansible.com/ansible/latest/community/development_process.html#changelogs-how-to
2. We have a set of integration tests for this module (tests/integration/targets/s3_bucket) while they're not perfect (we didn't catch this) it would be good if you could update them to include testing of the bug fixed by this PR. This would also help avoid a future regression of the issue.

[tremble]

Well, that's interesting: It would appear that a test case was in place for this,

This change resulted in the following errors from our integration tests:
https://app.shippable.com/github/ansible-collections/amazon.aws/runs/714/19/tests

Do you have the rest of the output from the error you triggered?
Additionally, which version of Ansible are you using?

Mark

[pgerber]

There is one thing I should probably have mentioned. I'm using an S3-compatible API provided by Ceph rather than Amazon's implementation. I guess there could be some minor differences but I assumed the fix to be correct as Amazon in fact states NoSuchTagSetError as the correct code. It's a bit odd that essentially all other error codes do not use an Error suffix though.

Verison:

$ ansible-playbook --version
ansible-playbook 2.9.6
  config file = /home/user/src/ansible/tocco/ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  executable location = /usr/bin/ansible-playbook
  python version = 3.7.3 (default, Jul 25 2020, 13:03:44) [GCC 8.3.0]

Verbose output:

TASK [tocco : create S3 buckets] ***********************************************************************
task path: /home/user/src/ansible/roles/tocco/tasks/s3_common.yml:56
Using module file /usr/lib/python3/dist-packages/ansible/modules/cloud/amazon/s3_bucket.py
Pipelining is enabled.
<toccotest> ESTABLISH LOCAL CONNECTION FOR USER: user
<toccotest> EXEC /bin/sh -c '/usr/bin/python3 && sleep 0'
The full traceback is:
Traceback (most recent call last):
  File "/tmp/ansible_s3_bucket_payload_2t8_hmmy/ansible_s3_bucket_payload.zip/ansible/modules/cloud/amazon/s3_bucket.py", line 276, in create_or_update_bucket
  File "/tmp/ansible_s3_bucket_payload_2t8_hmmy/ansible_s3_bucket_payload.zip/ansible/modules/cloud/amazon/s3_bucket.py", line 539, in get_current_bucket_tags_dict
  File "/tmp/ansible_s3_bucket_payload_2t8_hmmy/ansible_s3_bucket_payload.zip/ansible/modules/cloud/amazon/s3_bucket.py", line 535, in get_current_bucket_tags_dict
  File "/home/user/.local/lib/python3.7/site-packages/botocore/client.py", line 316, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/user/.local/lib/python3.7/site-packages/botocore/client.py", line 635, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (NoSuchTagSetError) when calling the GetBucketTagging operation: Unknown
fatal: [toccotest]: FAILED! => changed=false 
  boto3_version: 1.14.49
  botocore_version: 1.17.49
  error:
    bucket_name: tocco-nice-tocco
    code: NoSuchTagSetError
  invocation:
    module_args:
      aws_access_key: <removed>
      aws_secret_key: VALUE_SPECIFIED_IN_NO_LOG_PARAMETER
      ceph: true
      debug_botocore_endpoint_logs: false
      ec2_url: null
      encryption: null
      encryption_key_id: null
      force: false
      name: tocco-nice-tocco
      policy: '{"Version": "2012-10-17", "Statement": [{"Sid": "developers", "Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam:::user/ca5e10950d18231f6eddebd1b8c7d10c97cf167dc3f9044f1ddfddacedda13b1", "arn:aws:iam:::user/45477222531b48601a93fba270bdb36ca04b27bba72a1a8db3fef99972a39143", "arn:aws:iam:::user/a29b179570a1ec3180ac4ab38eca6a8686e88d21c013bf4172528e2efb3aed55", "arn:aws:iam:::user/5c32149b51da66c6e63f4676ea7eec6dbc83c6c3c8a8ef104946d7b9caaf74b8", "arn:aws:iam:::user/d5a451fafa42d751e4c1d1eac4db4cfcae6c3c7cb3f6673a54e8f4367c67abcb", "arn:aws:iam:::user/72b884dde3599d2425377ba482295282db50b4f4044266de68e40f1267878bbc", "arn:aws:iam:::user/45929f8aeb74ca11da54b953c6abead571022f0b9141bf975f60f016284f76d9", "arn:aws:iam:::user/31fe2fd8581dd70792a20294c042219e27356bffb4b55808679a4a1e8340d6bc", "arn:aws:iam:::user/40dd6492da1fc55f5e40354a40a2a051770165f52836dd9b366cf7c94181fa5f", "arn:aws:iam:::user/771688c9d35571033c2a350f3d02c9f318b31006a7ab6ce88ec9e78a3180b27e", "arn:aws:iam:::user/0edad7a707f149244d27a6f6c400d51426d1993539e2503d8ea29d85f798462e",
        "arn:aws:iam:::user/843020e48f048a12ffb312d740e737f6dba640aff08a6f3c755a2031abd47e55", "arn:aws:iam:::user/dcadf361516809e728f93fba5bb2937f11f49ab7a9f234c216df099a5e2bd98f", "arn:aws:iam:::user/680a6423b60c0b307dd70764368004bc3ce7c68d76310cf8afb52df967e6fd27", "arn:aws:iam:::user/cdcffdaad4f9b8ccefc3b559623f0b5e13c286c65806e6046ee59d3eeabfa273", "arn:aws:iam:::user/843326b2c318ae6f1c46163997bdfd73b5504062d9763d4b8c3b670d9868190e"]}, "Action": ["s3:AbortMultipartUpload", "s3:GetObject", "s3:GetBucketAcl", "s3:GetBucketCORS", "s3:GetBucketLocation", "s3:GetBucketPolicy", "s3:GetLifecycleConfiguration", "s3:ListBucket", "s3:PutObject"], "Resource": ["arn:aws:s3:::tocco-nice-tocco", "arn:aws:s3:::tocco-nice-tocco/*"]}, {"Sid": "installation", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam:::user/faa0237d9660ce059aff312b3fd991458ff63875e1576bf19a479a51d12736dd"}, "Action": "s3:*", "Resource": ["arn:aws:s3:::tocco-nice-tocco", "arn:aws:s3:::tocco-nice-tocco/*"]}, {"Sid": "tadm", "Effect":
        "Allow", "Principal": {"AWS": "arn:aws:iam:::user/28d336d919361fafe16314a3571f6b16b64cf9dcf26251045cefff69de6e4d19"}, "Action": "s3:*", "Resource": ["arn:aws:s3:::tocco-nice-tocco", "arn:aws:s3:::tocco-nice-tocco/*"]}, {"Sid": "backup", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam:::user/522d667981a941d802b0ef462b975122f65121d297cb846da9facf5de7ced977"}, "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": ["arn:aws:s3:::tocco-nice-tocco", "arn:aws:s3:::tocco-nice-tocco/*"]}, {"Sid": "migration", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam:::user/96b288adce6e7f872ca082789b6024be24ede964f9a8c138da113f8ac1e6394b"}, "Action": ["s3:AbortMultipartUpload", "s3:ListBucket", "s3:PutObject"], "Resource": ["arn:aws:s3:::tocco-nice-tocco", "arn:aws:s3:::tocco-nice-tocco/*"]}]}'
      profile: null
      purge_tags: true
      region: null
      requester_pays: false
      s3_url: https://objects.rma.cloudscale.ch
      security_token: null
      state: present
      tags: null
      validate_certs: true
      versioning: null
  msg: 'Failed to get bucket tags: An error occurred (NoSuchTagSetError) when calling the GetBucketTagging operation: Unknown'
  response_metadata:
    host_id: ''
    http_headers:
      accept-ranges: bytes
      content-length: '231'
      content-type: application/xml
      date: Thu, 27 Aug 2020 09:16:46 GMT
      strict-transport-security: max-age=31536000; includeSubDomains
      x-amz-request-id: tx000000000000000492c65-005f4779fe-36fffe529-rma1
    http_status_code: 404
    request_id: tx000000000000000492c65-005f4779fe-36fffe529-rma1
    retry_attempts: 0

[tremble]

That would make sense.

Amazon's error codes are unfortunately a little inconsistent. I suspect that this is actually a documentation bug which has then propagated into Ceph as behaviour that differs between Ceph and AWS.

Where practical we do try to ensure that the S3 modules cooperate with both the AWS implementations and non-AWS equivalents (for all the pain that generates with testing and bugs).

What I'd suggest then is

1. Please add a changelog entry and mention that this is a bugfix for using s3_bucket with the Ceph S3 API.
2. Update the try/except to be as follows:

def get_current_bucket_tags_dict(s3_client, bucket_name):
    try:
        current_tags = s3_client.get_bucket_tagging(Bucket=bucket_name).get('TagSet')
    except is_boto3_error_code('NoSuchTagSet') as e:
        return {}
    # The Ceph S3 API returns a different error code to AWS.
    except is_boto3_error_code('NoSuchTagSetError') as e:  # pylint: disable=duplicate-except
        return {}

Once that's in place we should be able to get this tested and merged.

[tremble]

Looks good. Thank you for your contribution.