pubsys: added ami validation

[mjsterckx]

Description of changes:

Added a validate-ami subcommand to the pubsys tool. This command has the following signature:

pubsys-validate-ami 0.1.0
Validates EC2 images

USAGE:
    pubsys --infra-config-path <infra-config-path> validate-ami [FLAGS] [OPTIONS] --expected-amis-path <expected-amis-path>

FLAGS:
        --json       If this argument is given, print the validation results summary as a JSON object instead of a
                     plaintext table
    -h, --help       Prints help information
    -V, --version    Prints version information

OPTIONS:
        --expected-amis-path <expected-amis-path>           File holding the expected amis
        --write-results-path <write-results-path>           Optional path where the validation results should be written
        --write-results-filter <write-results-filter>...
            Optional filter to only write validation results with these statuses to the above path The available
            statuses are: `Correct`, `Incorrect`, `Missing`
        --log-level <log-level>
            How much detail to log; from least to most: ERROR, WARN, INFO, DEBUG, TRACE [default: INFO]

The function takes a path to a file containing an image object per region. An example file looks like this:

{
  "us-west-2": {
    "id": "ami-012345678",
    "name": "bottlerocket-aws-k8s-1.24-x86_64-v1.14.0-abcdef-dirty",
    "public": true,
    "launch_permissions": [
      {
        "group": "all"
      }
    ]
  }
}

The function will call the describe-images function on each image in the file to ensure that the retrieved id, name, and publicity match the expected values. If public is false, then the specific launch_permissions are retrieved using describe-image-attribute and included in the comparison. Aside from publicity and launch_permissions, the function will check that sriov_net_support is simple and ena_support is true.

The result of the function looks like this:

+-----------+---------+-----------+---------+------------+
| String    | correct | incorrect | missing | unreachable |
+-----------+---------+-----------+---------+------------+
| us-west-2 | 0       | 0         | 1       | 0          |
+-----------+---------+-----------+---------+------------+

• correct indicates that all retrieved values match the expected values
• incorrect indicates that at least one value does not match the expected value
• missing indicates that the specific image failed to be retrieved
• unreachable indicates that the images in this region could not be retrieved because the region could not be reached

--write-results-path and --write-results-filter allow the user to write the results of the ami validation to a JSON file. The filter determines which statuses will be written to this file. The file looks like this:

[
  {
    "id": "ami-012345678",
    "expected_image_def": {
      "id": "ami-012345678",
      "name": "bottlerocket-aws-k8s-1.24-x86_64-v1.14.0-abcdef-dirty",
      "public": true,
      "launch_permissions": null,
      "ena_support": true,
      "sriov_net_support": "simple"
    },
    "actual_image_def": null,
    "region": "us-west-2",
    "status": "Missing"
  }
]

Modified the SSM validation results to represent the new Unreachable status as well.

Testing done:

• Unit tests
• Ran the program on an unregistered ami (results seen above) and on registered public ones, which showed as correct.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

[cbgbt]

Nice work! Most of these are just nitpicks or tips. The thing that I care the most to see changed is to add a test for the AMI file parsing code. The function is a pure function and the logic inside is complex enough to warrant it.

[cbgbt]

nit, but the help text looks funky without this.

Suggested change

	/// Optional filter to only write validation results with these statuses to the above path
	/// Optional filter to only write validation results with these statuses to the above path.

[cbgbt]

Could use a docstring here to explain why we need this.

[cbgbt]

I'd document what the purpose of this parameter is in the docstring, since it's not obvious from the function signature.

[cbgbt]

I don't have strong feelings about rewriting this, but I'm realizing that because accessible removes meaning from the other values here, I think a more maintainable way to write this would be to:

• Change AmiValidationRegionSummary to an enum of something like

enum AmiValiationRegionSummary {
    Results {
        correct: u64, // etc
    },
    Unreachable,

• Modify display() to render this by copying it to a private implementation which uses the marker values, or n/a or something similar in the table.

[mjsterckx]

It's currently implemented the same way in the ssm-validation so I will address those together in a different PR.

[cbgbt]

Bit of a gnarly turbofish that probably isn't needed, since there's a type specifier on the variable binding.

Suggested change

	.collect::<HashMap<Region, ami::Result<HashSet<AmiValidationResult>>>>();
	.collect();

[cbgbt]

nit, but usually new isn't appropriate when you're initializing something that's computation heavy like that. A better name would be from_result_map or evaluate_results() or something.

Suggested change

	let validation_results = AmiValidationResults::new(results);
	let validation_results = AmiValidationResults::new(results);

[cbgbt]

Can we write a test for this behavior? As an alternative tip, you can get Serde to parse this for you "for free" via #[serde(untagged)] on an enum.

enum ImageDef {
    Image(Image),
    ImageList(Vec<Image>),
}

impl ImageDef {
    fn images(&self) -> Vec<Image> {
        match self {
            // etc
        }
    }
}

[ecpullen]

Still need to check validate_ami/results.rs

[ecpullen]

Suggested change

	let ec2_client: &Ec2Client = &clients[region];
	let ec2_client: &Ec2Client = &clients.get(region).context()...;

Indexing with [] can panic.

[ecpullen]

Using an iterator for this function could simplify some of the logic below.

[ecpullen]

Can this go above 141 and then make ImageDef::from() take in the bool so image_def doesn't need to be mut?

[ecpullen]

Does this need .clone()

[ecpullen]

Suggested change

	let base_region = &Region::new(aws.regions[0].clone());
	let base_region = &Region::new(aws.regions.get(0).context()...);

[] can panic

[ecpullen]

Super nit

Suggested change

	/// Validates EC2 images in a single region, based on a Vec (ImageDef) of expected images
	/// and a HashMap (AmiId, ImageDef) of actual retrieved images. Returns a HashSet of
	/// Validates EC2 images in a single region, based on a `Vec<ImageDef>` of expected images
	/// and a `HashMap<AmiId, ImageDef>` of actual retrieved images. Returns a `HashSet<AmiValidationResult>` containing ...

[ecpullen]

Is there a reason 1 is a reference and the other is taking ownership?

[ecpullen]

Why isn't image.launch_permissions set to None when the ImageDef is created? If that's not possible can launch_permissions be a function?

[ecpullen]

Do we need to duplicate the image.id?

[ecpullen]

What would cause the value to be an object instead of an array? This is a file that another pubsys command is writing right?

[mjsterckx]

Correct, this takes a file that is written by pubsys ami where each region has a single AMI object. However, I wanted to add functionality where the command can take a file containing an array of AMI objects per region as well.

[ecpullen]

+1 to the suggested AmiValidationRegionSummary refactor. Otherwise just a few small things.

[ecpullen]

Suggested change

	impl Display for AmiValidationResultStatus {
	fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
	match self {
	AmiValidationResultStatus::Correct => write!(f, "Correct"),
	AmiValidationResultStatus::Incorrect => write!(f, "Incorrect"),
	AmiValidationResultStatus::Missing => write!(f, "Missing"),
	}
	}
	}
	derive_display_from_serialize!(AmiValidationResultStatus);

That will have the same effect. And expand if new variants of the enum are added.

[ecpullen]

Suggested change

	impl FromStr for AmiValidationResultStatus {
	type Err = super::Error;
	fn from_str(s: &str) -> std::result::Result<Self, Self::Err> {
	match s {
	"Correct" => Ok(Self::Correct),
	"Incorrect" => Ok(Self::Incorrect),
	"Missing" => Ok(Self::Missing),
	filter => Err(Self::Err::InvalidStatusFilter {
	filter: filter.to_string(),
	}),
	}
	}
	}
	derive_fromstr_from_deserialize!(AmiValidationResultStatus)

[ecpullen]

This should just be a function since it is described by other fields of this enum.

[cbgbt]

I think I suggested this be added as a field in a prior revision, since it's otherwise not really a Result being computed, but rather a validation computation being created which is later used to compute the result.

I guess if we renamed this AmiValidation with a method AmiValidation::get_result() or something, I'd be ok with that.

But aren't these serialized? Do we want to keep the status so that the computation result is specifically kept?

[etungsten]

nit:

Suggested change

	.unwrap_or(vec![]),
	.unwrap_or_default();,

[etungsten]

Please check the error enum variants and ensure they're being used. I see a few that aren't being used anywhere. e.g. ReadValidationConfig, ParseValidationConfig, MissingField etc.

[webern]

Please check the error enum variants and ensure they're being used. I see a few that aren't being used anywhere. e.g. ReadValidationConfig, ParseValidationConfig, MissingField etc.

As an aside, the reason you have to check is because the code that Snafu generates "uses" each enum variant so the compiler can't warn you about unused variants.

[etungsten]

nit: proper capitalization

Suggested change

	/// The id of the image
	/// The ID of the image

and where ever else this may apply

[etungsten]

nit:

Suggested change

	/// ImageDef containing expected values for the image
	/// `ImageDef` containing expected values for the image

and where ever else this may apply.

[webern]

I love the testing.

[webern]

Describe this in more detail. What's the input, what's the output, etc.

[webern]

Writing nit

Suggested change

	// If a path was given to write the results to, write the results
	// If a path was given, write the results

[webern]

Please check the error enum variants and ensure they're being used. I see a few that aren't being used anywhere. e.g. ReadValidationConfig, ParseValidationConfig, MissingField etc.

As an aside, the reason you have to check is because the code that Snafu generates "uses" each enum variant so the compiler can't warn you about unused variants.

[etungsten]

Where-ever we're using a SdkError as source we need to do this to get the full error message:

Suggested change

	#[snafu(display("Failed to describe images in {}: {}", region, source))]
	DescribeImages {
	region: String,
	source: SdkError<DescribeImagesError>,
	},
	use aws_smithy_types::error::display::DisplayErrorContext;
	#[snafu(display("Failed to describe images in {}: {}", region, DisplayErrorContext(source)))]
	DescribeImages {
	region: String,
	source: SdkError<DescribeImagesError>,
	},

See https://docs.rs/aws-smithy-client/latest/aws_smithy_client/enum.SdkError.html

When logging an error from the SDK, it is recommended that you either wrap the error in DisplayErrorContext, use another error reporter library that visits the error’s cause/source chain, or call Error::source for more details about the underlying cause.

Note: This needs to be a tree wide change, but might as well start here.

Please create an issue for the other places if you're willing.

[cbgbt]

Looks good!

Sorry to pile on more feedback -- this is a substantial change! Just some tidying up.

[cbgbt]

It looks like the docstrings for this and describe_images_in_region may not have been updated for some subsequent changes to the code. I would fix this before merging.

[cbgbt]

nit/tip (don't feel compelled to change this): I think this is the same as

result.map_err(|_| error::Error::UnreachableRegion { region: region.to_string() })

match on Result and Option when the operation to be carried out is already expressed as a method on those structs tends to result in deep nesting.

[cbgbt]

nit: these should probably be unsigned.

[cbgbt]

Does it make sense for this to hold onto the original error?

I think we just want to make sure the reason for the unavailability can be surfaced. Ensuring that it is logged somewhere at ERROR level probably suffices, since it's not like the deeper result information is stored in our serialized format.