
touchdown's Introduction

Yaybu


Yaybu is a push-based configuration management tool written in Python with the goal of helping you tame your servers. You describe your infrastructure in a simple and flexible YAML-like language, and Yaybu works out what needs to happen to deploy your updates.

All the documentation is available on http://docs.yaybu.com.

Yaybu is very new software. Please subscribe to the yaybu-dev mailing list and let us know if you are using it; we'd love to hear from you. You can find the mailing list at http://lists.yaybu.com.

You can also find us in #yaybu on irc.oftc.net.

touchdown's People

Contributors

dibell, jc2k, mitchellrj, plumdog, requires, shtev, winjer


touchdown's Issues

TerminateInstanceInAutoScalingGroup: Swallow case where instance was already terminated

If TerminateInstanceInAutoScalingGroup is called and an instance was already deleted the error is:

ClientError: An error occurred (ValidationError) when calling the TerminatedInstanceInAutoScalingGroup operation: Instance Id not found - No managed instance found for instance ID .*

Capture it and ignore it (perhaps log it was already terminated) - it means we don't need to do anything.

If an IAM certificate is expired but still in use touchdown will try to delete it but it will fail

delete_server_certificate does not support dry run so we can't detect this ahead of time.

If the graph querying API was rich enough we could find all ELBs and CloudFront distributions in the current configuration and ensure they didn't use the cert (we depend on them, so we know their 'describe' service will have a plan.object['ServerCertificateId'] or similar already populated by the time we run).

The alternative is to query for elb and cloudfront distributions that use the cert. For cloudfront that is not so bad, but for elb we'd technically have to do it in every region!!!

Alternatively we can try to delete stale things, but make it a soft-fail as we know it's not a crucial part of the deployment.

Update docs

In particular ensure there is an add_foo example for each resource.

Alarms and autoscaling policies are only added (not modified or deleted)

CloudWatch alarms and associated autoscaling policies are added happily. Changes to their config, however, are not reflected in future updates. They need to be manually deleted before the new config is applied.

Is this by design? Is there an underlying reason why touchdown doesn't maintain consistency as it does with other components?

Handle `BucketNotEmpty` better

Traceback (most recent call last):
  File "/app/bin/tenops", line 9, in <module>
    load_entry_point('ten-self-service==2.16.4.dev0', 'console_scripts', 'tenops')()
  File "/app/src/ten_self_service/scripts/tenops.py", line 7, in main
    Console()()
  File "/app/src/ten_self_service/ops/console.py", line 231, in __call__
    return self.args.func(self.args)
  File "/app/local/lib/python2.7/site-packages/touchdown/core/main.py", line 55, in __call__
    return g.execute(*args, **kwargs)
  File "/app/local/lib/python2.7/site-packages/touchdown/goals/action.py", line 72, in execute
    self.apply_resources()
  File "/app/local/lib/python2.7/site-packages/touchdown/goals/action.py", line 57, in apply_resources
    for status in self.Map(self.ui, dep_map, self.apply_resource):
  File "/app/local/lib/python2.7/site-packages/touchdown/core/map.py", line 172, in __iter__
    raise caught_error
botocore.exceptions.ClientError: An error occurred (BucketNotEmpty) when calling the DeleteBucket operation: The bucket you tried to delete is not empty

This is typically an issue when dealing with e.g. cloudfront logs which continue to arrive even after a cloudfront distribution has been deleted.

Recover from interrupted destroy better

An error occurred (ValidationError) when calling the UpdateAutoScalingGroup operation: The AutoScaling group may not be modified while it is pending delete

SSHException: No existing session

Exception when connecting to server with SSH:

paramiko.ssh_exception.SSHException: No existing session

Turned out to be wrong key and low number of allowed attempts.

Cloud trail creation can fail

botocore.exceptions.ClientError: An error occurred (InvalidCloudWatchLogsLogGroupArnException) when calling the CreateTrail operation: Access denied. Check the permissions for your role.

This needs wrapping in a retry action that retries on InvalidCloudWatchLogsLogGroupArnException.

Bucket policy always updated even when policy not changed

self.get_bucket_policy()['Statement'][0]['Principal']['AWS'] in the S3 bucket code is in a random order, so we cannot reliably compare it to the local definition of the policy.

For now will need to massage policy comparison so principals are sets.

Long term, policies need to be fully fledged resources.

(Used to work - is this a change to the API? Check release notes etc.)
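One way to do the set-based comparison described in this issue, as an added example that is not touchdown's own code: the function names and the sample policies (account IDs, bucket name) are constructed for illustration. It goes slightly beyond the issue by also treating `Action` and `Resource` as sets, since IAM accepts a string or a list for those as well.

```python
import json

# Elements that IAM accepts as either one string or a list of strings.
SET_VALUED = ("Action", "NotAction", "Resource", "NotResource")


def _as_set(value):
    return frozenset([value]) if isinstance(value, str) else frozenset(value)


def normalize_statement(statement):
    """Return a copy of a statement with order-insensitive elements as sets."""
    out = {}
    for key, value in statement.items():
        if key in ("Principal", "NotPrincipal") and isinstance(value, dict):
            out[key] = {kind: _as_set(ids) for kind, ids in value.items()}
        elif key in SET_VALUED:
            out[key] = _as_set(value)
        else:
            out[key] = value  # Effect, Sid, Condition, or a "*" principal
    return out


def normalize_policy(policy):
    """Accept the JSON string returned by the API or a local dict."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return policy.get("Version"), [normalize_statement(s) for s in statements]


def policy_changed(remote, local):
    return normalize_policy(remote) != normalize_policy(local)


# Constructed sample: same policy, principals returned in a different order.
PRINCIPALS = ["arn:aws:iam::111111111111:root", "arn:aws:iam::222222222222:root"]
LOCAL = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": PRINCIPALS},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
REMOTE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": list(reversed(PRINCIPALS))},
    "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

Comparing normalized forms means a real change, such as an extra principal, still shows up as a difference, while reordering alone does not trigger an update.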

Support abstract resources

The idea here is that you can declare an interface. Something like singlevaluedispatch in python3.4.

An example might be Route53. The interface might be PublicNetworkInterface and a Route53 record might have:

class Record(Resource):
    name = argument.String()
    value = argument.Resource(PublicNetworkInterface)

A hypothetical Heroku backend might define an Application resource that implements this interface:

@PublicNetworkInterface.register
class Application(Resource):
    name = argument.String()
    ....

And then your HostedZone in a Touchdownfile can:

my_heroku_app = workspace.add_heroku_app(...)

aws.add_hosted_zone(
    name='example.com',
    records=[
        {"name": "www", "type": "CNAME", "value": my_heroku_app},
    ],
)

Initial use cases for this are:

  • A network interface type should expose the IP or domain name of a service (ec2 instance, database, cache, load balancer).
  • An AliasTarget type should provide a HostedCanonicalName and HostedZoneId.
  • A networked service type should expose the IP and port of a service

However this actually works under the hood:

  • Third party components should be able to provide the "interface"
  • Resource dependencies should be tracked
  • It should complement the type checking done by argument.Resource()

vpc.add_subnet is not idempotent

When re-running the same Touchdownfile that contains the following:

vpc = aws.add_vpc(name='test-vpc', cidr_block='192.168.0.0/22')
subnet1 = vpc.add_subnet(name='subnet1', cidr_block='192.168.0.1/24')

I receive the error:

ClientError: An error occurred (InvalidSubnet.Conflict) when calling the CreateSubnet operation: The CIDR '192.168.0.1/24' conflicts with another subnet

VPC APIs are prone to eventual consistency issues

For example:

botocore.exceptions.ClientError: An error occurred (InvalidRouteTableID.NotFound) when calling the CreateTags operation: The routeTable ID 'rtb-ddd98eb9' does not exist

And also 'Object creation failed'. Just needs more retrying.
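A sketch of the retry wrapper that this issue and the CloudTrail issue above both ask for, as an added example rather than touchdown's code. The `ClientError` class is a stand-in that mimics the `response` layout of `botocore.exceptions.ClientError` so the block runs without boto; `call_with_retry` and `flaky_create_tags` are hypothetical names.

```python
import time


class ClientError(Exception):
    """Stand-in for botocore.exceptions.ClientError (same .response layout)."""

    def __init__(self, code, message, operation):
        super().__init__("An error occurred (%s) when calling the %s operation: %s"
                         % (code, operation, message))
        self.response = {"Error": {"Code": code, "Message": message}}


# Only the codes named in the issues are retried; everything else propagates.
RETRYABLE = frozenset([
    "InvalidCloudWatchLogsLogGroupArnException",
    "InvalidRouteTableID.NotFound",
])


def call_with_retry(func, retry_codes=RETRYABLE, attempts=5,
                    base_delay=1.0, sleep=time.sleep):
    """Call func(), retrying listed error codes with exponential backoff."""
    for attempt in range(1, attempts + 1):
        try:
            return func()
        except ClientError as exc:
            code = exc.response.get("Error", {}).get("Code")
            if code not in retry_codes or attempt == attempts:
                raise  # not a consistency error, or retries exhausted
            sleep(base_delay * 2 ** (attempt - 1))


def flaky_create_tags(failures):
    """Constructed stand-in for CreateTags on a route table not yet visible."""
    state = {"left": failures}

    def call():
        if state["left"] > 0:
            state["left"] -= 1
            raise ClientError("InvalidRouteTableID.NotFound",
                              "The routeTable ID 'rtb-ddd98eb9' does not exist",
                              "CreateTags")
        return "tagged"

    return call
```

Because the CloudTrail error reads "Access denied", keeping the retry bounded and keyed on the exact error code lets a genuine permissions failure surface after the last attempt.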
