[cloud] Retry WAF actions on WAFStaleDataException (#36405)

Add a util to run functions with AWSRetry to retry on WAFStaleDataExceptions and update ChangeToken for each attempt
2025-07-02 14:40:19 -07:00 · 2018-02-21 08:14:17 -05:00 · 2018-02-21 08:14:17 -05:00 · f7d79d4789
commit f7d79d4789
parent 9598978e12
5 changed files with 65 additions and 39 deletions
--- a/lib/ansible/modules/cloud/amazon/aws_waf_web_acl.py
+++ b/lib/ansible/modules/cloud/amazon/aws_waf_web_acl.py
@ -136,7 +136,7 @@ import re

 from ansible.module_utils.aws.core import AnsibleAWSModule
 from ansible.module_utils.ec2 import boto3_conn, get_aws_connection_info, ec2_argument_spec, camel_dict_to_snake_dict
-from ansible.module_utils.aws.waf import list_rules_with_backoff, list_web_acls_with_backoff, get_change_token
+from ansible.module_utils.aws.waf import list_rules_with_backoff, list_web_acls_with_backoff, run_func_with_change_token_backoff


 def get_web_acl_by_name(client, module, name):
@ -186,16 +186,26 @@ def find_and_update_web_acl(client, module, web_acl_id):
    insertions = [format_for_update(rule, 'INSERT') for rule in missing]
    deletions = [format_for_update(rule, 'DELETE') for rule in extras]
    changed = bool(insertions + deletions)
-    if changed:
+
+    # Purge rules before adding new ones in case a deletion shares the same
+    # priority as an insertion.
+    params = {
+        'WebACLId': acl['WebACLId'],
+        'DefaultAction': acl['DefaultAction']
+    }
+    if deletions:
        try:
-            client.update_web_acl(
-                WebACLId=acl['WebACLId'],
-                ChangeToken=get_change_token(client, module),
-                Updates=insertions + deletions,
-                DefaultAction=acl['DefaultAction']
-            )
+            params['Updates'] = deletions
+            run_func_with_change_token_backoff(client, module, params, client.update_web_acl)
        except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:
            module.fail_json_aws(e, msg='Could not update Web ACL')
+    if insertions:
+        try:
+            params['Updates'] = insertions
+            run_func_with_change_token_backoff(client, module, params, client.update_web_acl)
+        except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:
+            module.fail_json_aws(e, msg='Could not update Web ACL')
+    if changed:
        acl = get_web_acl(client, module, web_acl_id)
    return changed, acl

@ -217,8 +227,8 @@ def remove_rules_from_web_acl(client, module, web_acl_id):
    acl = get_web_acl(client, module, web_acl_id)
    deletions = [format_for_update(rule, 'DELETE') for rule in acl['Rules']]
    try:
-        client.update_web_acl(WebACLId=acl['WebACLId'], ChangeToken=get_change_token(client, module),
-                              Updates=deletions, DefaultAction=acl['DefaultAction'])
+        params = {'WebACLId': acl['WebACLId'], 'DefaultAction': acl['DefaultAction'], 'Updates': deletions}
+        run_func_with_change_token_backoff(client, module, params, client.update_web_acl)
    except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:
        module.fail_json_aws(e, msg='Could not remove rule')

@ -236,9 +246,8 @@ def ensure_web_acl_present(client, module):
            metric_name = re.sub(r'[^A-Za-z0-9]', '', module.params['name'])
        default_action = module.params['default_action'].upper()
        try:
-            new_web_acl = client.create_web_acl(Name=name, MetricName=metric_name,
-                                                DefaultAction={'Type': default_action},
-                                                ChangeToken=get_change_token(client, module))
+            params = {'Name': name, 'MetricName': metric_name, 'DefaultAction': {'Type': default_action}}
+            new_web_acl = run_func_with_change_token_backoff(client, module, params, client.create_web_acl)
        except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:
            module.fail_json_aws(e, msg='Could not create Web ACL')
        (changed, result) = find_and_update_web_acl(client, module, new_web_acl['WebACL']['WebACLId'])
@ -252,7 +261,7 @@ def ensure_web_acl_absent(client, module):
        if web_acl['Rules']:
            remove_rules_from_web_acl(client, module, web_acl_id)
        try:
-            client.delete_web_acl(WebACLId=web_acl_id, ChangeToken=get_change_token(client, module))
+            run_func_with_change_token_backoff(client, module, {'WebACLId': web_acl_id}, client.delete_web_acl)
            return True, {}
        except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:
            module.fail_json_aws(e, msg='Could not delete Web ACL')