Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use reverse ordering for post-command hooks #1646

Open
jessebye opened this issue May 20, 2022 · 3 comments
Open

Use reverse ordering for post-command hooks #1646

jessebye opened this issue May 20, 2022 · 3 comments
Labels
breaking Changes to existing behaviour users might rely on experiment thinking🤔 v4 Breaking changes that will be included in Agent v4

Comments

@jessebye
Copy link

Is your feature request related to a problem? Please describe.

We use a plugin that assumes an AWS role during the pre-command hook. We also use a plugin (https://github.com/gencer/cache-buildkite-plugin) for caching, which reads from an s3 bucket using the agent's instance role credentials.

The pre-command hooks work fine, since we can rely on ordering and have the cache plugin go first. Then the assume role plugin runs and injects AWS_ACCESS_KEY type environment variables, which we use in the command.

The post-command hooks fail though, because the cache plugin goes first, but tries to write to s3 using the assumed role.

Describe the solution you'd like

Use reverse ordering for post-command hooks. This ensures that they can clean up in the proper order and avoid this type of problem.

Describe alternatives you've considered

We've just stopped using the cache plugin for now, but that isn't ideal.

Additional context

n/a

@pda pda added experiment thinking🤔 breaking Changes to existing behaviour users might rely on labels Jul 5, 2022
@pda
Copy link
Member

pda commented Jul 5, 2022

Are you describing this as the current behaviour?

  • plugin 1 (cache) pre-command hook
  • plugin 2 (assume-role) pre-command hook
  • plugin 3 (whatever) pre-command hook
  • command
  • plugin 1 (cache) post-command hook
  • plugin 2 (assume-role) post-command hook
  • plugin 3 (whatever) post-command hook

And you're suggesting:

  • plugin 1 (cache) pre-command hook
  • plugin 2 (assume-role) pre-command hook
  • plugin 3 (whatever) pre-command hook
  • command
  • plugin 3 (whatever) pre-command hook
  • plugin 2 (assume-role) post-command hook
  • plugin 1 (cache) post-command hook

… because tear-down should happen in the opposite order to setup?

 - plugin 1 (cache) pre-command hook
 - plugin 2 (assume-role) pre-command hook
 - plugin 3 (whatever) pre-command hook
 - command
-- plugin 1 (cache) post-command hook
-- plugin 2 (assume-role) post-command hook
-- plugin 3 (whatever) post-command hook
+- plugin 3 (whatever) post-command hook
+- plugin 2 (assume-role) post-command hook
+- plugin 1 (cache) post-command hook

That does sound sensible.
It's probably also a breaking change for many pipelines 😬
I wonder if there's a way we can introduce it… perhaps as an agent 4.x thing, or as an experiment in the mean time, or some other type of opt-in flag 🤔

@moskyb moskyb added the v4 Breaking changes that will be included in Agent v4 label Nov 30, 2022
@franklin-ross
Copy link

Hitting this exact issue right now. The only workaround I can think of is that every plugin that wants to run in a specific scope needs to somehow snapshot that scope during the pre-command hook and do a context shuffle inside its own post-command hook, which feels 😞

@franklin-ross
Copy link

franklin-ross commented Dec 15, 2023

Here it is. Works OK for my needs: https://github.com/franklin-ross/aws-restore-role-buildkite-plugin

An alternative to a breaking change would be to add a new hook, like post-command-teardown, that runs in reverse order and is specifically designed for this kind of thing. That wouldn't need any major version bump. Then the aws-assume-role plugin could restore the role during teardown and other plugins using the teardown wouldn't get any weird, interleaved roles. I guess that would be a breaking change for the assume role plugin itself, but that seems much easier for everyone to manage, and a much faster solve than waiting for the next agent major version bump.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
breaking Changes to existing behaviour users might rely on experiment thinking🤔 v4 Breaking changes that will be included in Agent v4
Projects
None yet
Development

No branches or pull requests

4 participants