Make Terminate force=True work with Stop Protection #7598

Contributor

@ijrsvt ijrsvt commented Aug 1, 2022

Closes #7597

@ijrsvt ijrsvt requested a review from kapilt as a code owner August 1, 2022 21:47
@linux-foundation-easycla

linux-foundation-easycla bot commented Aug 1, 2022

CLA Signed

The committers listed above are authorized under a signed CLA.

@ajkerrigan
Member

@ijrsvt - could you please complete the EasyCLA when you get a chance? There's a link in the comment from the cla bot.

@ajkerrigan
Member

FYI - those lint failures aren't due to anything you added. Looks like they're subtly wrong bits of code that pycodestyle started flagging in its latest version. Opened #7600 to track that.

@ijrsvt
Contributor Author

ijrsvt commented Aug 2, 2022

@ajkerrigan CLA signed!

@ijrsvt ijrsvt requested a review from ajkerrigan August 2, 2022 18:02
Member

@ajkerrigan ajkerrigan left a comment


This looks good to me, thanks for the thorough investigation with new & old botocore versions too 👍 .

@ajkerrigan
Member

One lingering question before merging this (@thisisshi @kapilt @darrendao may have thoughts): this effectively doubles the modify attribute calls for any policy that uses force: True, even if only a small portion of the target instance pool has stop or termination protection enabled. I'm wondering if it would make more sense to try terminating first and only trigger attribute mods if we hit an OperationNotPermitted error 🤔

@kapilt
Collaborator

kapilt commented Aug 4, 2022

ideally we parse the failure to identify the instance and remove from the set, as it does feel like it would only be a fraction of the set in common case.

@ijrsvt
Contributor Author

ijrsvt commented Aug 4, 2022

> ideally we parse the failure

@kapilt Is there any existing logic for that in cloud-custodian? I'm unsure of the stability of AWS error message strings.

@ijrsvt
Contributor Author

ijrsvt commented Aug 4, 2022

@kapilt I also noticed that the call to terminate instances[1] does not actually batch. I could add a function like[2] to only call disable termination protection on the instances in the batch that fails with OperationNotPermitted?

[1]

self.manager.retry(

[2]

from botocore.exceptions import ClientError

def process_terminate_instances(self, client, instances):
    instance_ids = [i['InstanceId'] for i in instances]
    try:
        return self.manager.retry(client.terminate_instances, InstanceIds=instance_ids)
    except ClientError as e:
        # botocore surfaces EC2 API errors as ClientError; match on the error code
        if e.response['Error']['Code'] != 'OperationNotPermitted':
            raise
        if self.data.get("force"):
            self.log.info("Disabling termination protection on instances")
            # Spot instances are skipped when disabling protection
            self.disable_deletion_protection(
                client,
                [i for i in instances if i.get('InstanceLifecycle') != 'spot'])
            return self.manager.retry(client.terminate_instances, InstanceIds=instance_ids)
        else:
            raise

@kapilt
Collaborator

kapilt commented Aug 9, 2022

> @kapilt I also noticed that the call to terminate instances[1] does not actually batch.

fwiw, the terminate batch behavior was addressed in a separate pr #7607

@kapilt
Collaborator

kapilt commented Aug 9, 2022

I'm okay with the merge as is, since it matches extant behavior of the implementation, but it would be nice as a separate pr to convert this to doing the disable on exception to minimize api calls.

Collaborator

@kapilt kapilt left a comment


lgtm, thanks
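
The terminate-first approach raised in this thread (try the terminate, and on OperationNotPermitted clear protection only on the instances the failure names), as an added sketch that is not cloud-custodian's code. `FakeEC2`, `FakeClientError`, `force_terminate`, the instance IDs and the error message text are constructed assumptions; because the message format is not a stable contract, the sketch falls back to every pending instance when no ID can be parsed.

```python
import re

INSTANCE_ID = re.compile(r"\bi-[0-9a-f]{8,17}\b")
PROTECTIONS = ("DisableApiTermination", "DisableApiStop")

class FakeClientError(Exception):
    """Stand-in for botocore.exceptions.ClientError (same .response layout)."""
    def __init__(self, code, message):
        super().__init__(message)
        self.response = {"Error": {"Code": code, "Message": message}}

class FakeEC2:
    """Constructed test double; the error text is an assumed format, not a contract."""
    def __init__(self, protected):
        self.protected = {i: set(PROTECTIONS) for i in protected}
        self.calls = []

    def terminate_instances(self, InstanceIds):
        self.calls.append("terminate")
        for iid in InstanceIds:
            if self.protected.get(iid):
                raise FakeClientError(
                    "OperationNotPermitted",
                    f"The instance '{iid}' may not be terminated.")

    def modify_instance_attribute(self, InstanceId, **attribute):
        self.calls.append("modify")
        self.protected.get(InstanceId, set()).difference_update(attribute)

def force_terminate(client, instance_ids, force=True):
    """Terminate first; clear protection only on instances a failure names."""
    unlocked = set()
    while True:
        try:
            client.terminate_instances(InstanceIds=instance_ids)
            return sorted(unlocked)
        except FakeClientError as e:
            err = e.response["Error"]
            if err["Code"] != "OperationNotPermitted" or not force:
                raise
            named = set(INSTANCE_ID.findall(err["Message"])) & set(instance_ids)
            # Unparseable message: fall back to every instance not yet unlocked.
            targets = (named or set(instance_ids)) - unlocked
            if not targets:
                raise  # nothing left to change, so the refusal has another cause
            for iid in sorted(targets):
                for name in PROTECTIONS:  # one attribute per modify call
                    client.modify_instance_attribute(
                        InstanceId=iid, **{name: {"Value": False}})
            unlocked |= targets
```

With one protected instance in a batch of four, this issues two attribute modifications instead of eight.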

Successfully merging this pull request may close these issues.

[EC2] Force Terminate does not work when disableApiStop is set