pubsys: added SSM parameter validation #2969
Conversation
mjsterckx
force-pushed
the
canary-ssm-validation
branch
from
00addcc
to
06b90a8
Compare
|
^ clippy fixes |
| #[structopt(long, parse(from_os_str))] | ||
| validation_config_path: PathBuf, | ||
|
|
||
| // Optional path where the validation results should be written |
There was a problem hiding this comment.
Actually important so that structopt will add this information to the help messages.
| // Optional path where the validation results should be written | |
| /// Optional path where the validation results should be written |
| validation_regions: Vec<String>, | ||
| } | ||
|
|
||
| /// Structure of an SSM parameter value |
There was a problem hiding this comment.
When we have to do something strange, it's a good idea to explain in detail.
| /// Structure of an SSM parameter value | |
| /// A structure that allows us to store a parameter value along with the AMI ID it refers to. In | |
| /// some cases, then AMI ID *is* the parameter value and both fields will hold the AMI ID. In other | |
| /// cases the parameter value is not the AMI ID, but we need to remember which AMI ID it refers to. |
| /// Structure of the validation configuration file | ||
| #[derive(Debug, Deserialize)] | ||
| pub(crate) struct ValidationConfig { | ||
| // Vec of paths to JSON files containing expected parameters |
There was a problem hiding this comment.
It's not as important as the structopt comments @webern pointed out, but it's good form to use docstring comments on attributes as well, since they would be added to any generated rustdocs.
tools/pubsys/src/aws/ssm/ssm.rs
Outdated
| for parameter in page | ||
| .context(error::GetParametersByPathSnafu { | ||
| path: ssm_prefix, | ||
| region: region.to_string(), | ||
| })? | ||
| .parameters() | ||
| .unwrap_or_default() |
There was a problem hiding this comment.
NIT: I think this can be easier to read.
| for parameter in page | |
| .context(error::GetParametersByPathSnafu { | |
| path: ssm_prefix, | |
| region: region.to_string(), | |
| })? | |
| .parameters() | |
| .unwrap_or_default() | |
| let retrieved_parameters = page.context(error::GetParametersByPathSnafu { | |
| path: ssm_prefix,region: region.to_string(), | |
| })? | |
| .parameters() | |
| .unwrap_or_default(); | |
| for parameter in retrieved_parameters {} |
| validation_regions: &[String], | ||
| ) -> Result<HashMap<Region, HashMap<SsmKey, SsmValue>>> { | ||
| let mut parameter_map: HashMap<Region, HashMap<SsmKey, SsmValue>> = HashMap::new(); | ||
| for list in parameter_lists { |
There was a problem hiding this comment.
NIT: I would prefer to give it to a more expressive variable name.
| for list in parameter_lists { | |
| for parameter_list in parameter_lists { |
tools/pubsys/src/aws/ssm/ssm.rs
Outdated
| ); | ||
| } | ||
| } | ||
| info!("SSM parameters in {} retrieved", region.to_string()); |
There was a problem hiding this comment.
| info!("SSM parameters in {} retrieved", region.to_string()); | |
| info!("SSM parameters in {} have been retrieved", region.to_string()); |
| @@ -41,6 +41,7 @@ serde_json = "1" | |||
| simplelog = "0.12" | |||
There was a problem hiding this comment.
The code and tests look good to me! awesome!!
I think it might be better to change the commit message to
pubsys: added SSM parameter validation
"a short paragraph to describe what changes you have and those
changes will help to build canary something like that"
06b90a8
to
d95f41d
Compare
mjsterckx
changed the title
|
^ Addressed all comments and suggested changes |
| #[snafu(display("Error reading config: {}", source))] | ||
| Config { source: pubsys_config::Error }, | ||
|
|
||
| #[snafu(display("Error reading validation config at path {:?}: {}", path, source))] |
There was a problem hiding this comment.
Paths are weird because they aren't guaranteed to be UTF-8 encoded, here's how you do it:
| #[snafu(display("Error reading validation config at path {:?}: {}", path, source))] | |
| #[snafu(display("Error reading validation config at path {}: {}", path.display(), source))] |
| #[snafu(display("Infra.toml is missing {}", missing))] | ||
| MissingConfig { missing: String }, | ||
|
|
||
| #[snafu(display("Failed to validate SSM parameters: {}", missing))] |
There was a problem hiding this comment.
The SDK will retry retryable failures twice by default. I don't think any additional retry policies are necessary on pubsys' end.
Ok, I wonder if we want to increase that number of retries. Any guesses @cbgbt or @etungsten as to how many times we should retry on SSM calls?
I usually set up retries using random jitter and exponential backoff (to avoid a thundering herd) for some reasonable amount of time based on the use-case, rather than some static retry count. Maybe 30 seconds is within reason here? We don't have great discipline with this in pubsys today. I think the functions to set parameters do their own retries, but most |
It seems like that logic should be added to all |
Added a validate-ssm command to validate SSM parameters, given a JSON config file with regions and paths to files containing the expected parameters.
mjsterckx
force-pushed
the
canary-ssm-validation
branch
from
d95f41d
to
907898f
Compare
Inspired by #2617
Related to #2621
Description of changes:
Added a
validate_ssmmod to thepubsyscrate. This mod adds a subcommandvalidate-ssmwith the following signature:validation-config-pathis the path to the file containing the validation configuration. This file should look like this:Each expected_parameter_list should have the following structure:
write-results-pathis the path to the file where the validation results will be written. The file will look like this:write-results-filteris a vec of potential statuses, which limits the validation results written to the above file. If the vec containsCorrectandIncorrect, then only the validation results with those statuses will be written to the file andMissingandUnexpectedvalidation results will not.The command outputs a tabled summary of the validation results. This table will look like this:
The meaning of the different columns is this:
correct: the expected value of the parameter is equal to the retrieved valueincorrect: the expected value of the parameter is different from the retrieved valuemissing: the parameter was expected in that region but not retrievedunexpected: the retrieved parameter was not expected in that regionaccessible: SSM parameters were successfully retrieved from that region. If an invalid region was given, this would sayfalseand all other columns in that row would show-1Testing done:
correct. After the 1.13.0 and 1.13.1 releases, each monitored region has 40 incorrect parameters (which islatest, because I didn't update my local copies of the parameters) and 200unexpectedparameters (which are the 1.13.0 and 1.13.1 parameters).Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.