Resolve queues by exact name; accept all credential providers (fixes #43, #61, #62) #68
Open
1waterrj wants to merge 1 commit into
Fixes three related issues with queue discovery and credential handling.

Queue discovery (jegesh#61, jegesh#43): queues were located via `list_queues(QueueNamePrefix=...)` using the main queue's name as the prefix. An error queue whose name does not share that prefix (or a CloudFormation-generated name) was never matched, so the listener tried to create it and hit `QueueNameExists` when it already existed with different attributes. Both SqsListener and SqsLauncher now resolve each queue by its exact name with `get_queue_url`, creating it only when it genuinely does not exist. The resolved error-queue URL is now stored and reused when forwarding failed messages.

Credentials (jegesh#62): the AWS_ACCOUNT_ID gate only accepted a hard-coded set of role-based credential methods, rejecting valid providers such as a shared credentials file, env vars, or a config-file profile (and raising AttributeError instead of EnvironmentError when no credentials resolved). The gate now accepts credentials from any provider boto3 can resolve and only falls back to requiring AWS_ACCOUNT_ID when none are found.

Adds a moto-based test suite covering all three cases.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Summary
Closes #43. Closes #61. Closes #62.
Fixes three related issues. All changes are covered by a new moto-based test suite.
Queue discovery — fixes #61 and #43
Both `SqsListener` and `SqsLauncher` located queues with `list_queues(QueueNamePrefix=<main queue name>)`. This breaks down whenever a queue's name doesn't fall under the main queue's prefix:
- `process-queue` + `error-queue`) is never matched, so the listener tries to create it and gets `QueueNameExists` when it already exists with different attributes (botocore.errorfactory.QueueNameExists when error_queue_name does not share a "prefix" with queue_name #43).
- `Stack-MailQueue-UPCWLG…` / `Stack-MailDeadLetterQueue-1TD3W…`) share no common prefix and hit the same problem (botocore.errorfactory.QueueNameExists when error_queue_name does not share a "prefix" with queue_name #43).
- `orders` vs `orders-archive`) is ambiguous under prefix matching (Error queue excluded from list queues prefix in ListQueues check #61).
Each queue is now resolved by its exact name via `get_queue_url`, and created only when it genuinely doesn't exist (caught via `QueueDoesNotExist`). The resolved error-queue URL is stored and reused when forwarding failed messages, instead of re-discovering it on every failure.
Credentials — fixes #62
The `AWS_ACCOUNT_ID` gate only accepted a hard-coded set of role-based credential methods (`iam-role`, `assume-role`, …), so valid providers like a shared credentials file, environment variables, or a config-file profile were rejected with `EnvironmentError` — and when no credentials resolved at all the code raised `AttributeError` (`None.method`) rather than a clear error.
The gate now accepts credentials from any provider boto3 can resolve and only falls back to requiring `AWS_ACCOUNT_ID` when no credentials are found. `AWS_ACCOUNT_ID`, when set, is still passed through as `QueueOwnerAWSAccountId`.
Tests
Added `tests/` (moto + pytest):
Covers: exact-name discovery of pre-existing non-prefix-sharing error queues, prefix-collision resolution, queue creation when absent, the error-queue push path, and the credential gate (accept resolvable providers, still error when nothing resolves).
Notes
The remaining open issues (#39 service-resource refactor, #51 heartbeat) are larger changes and intentionally left out of this PR to keep it focused and low-risk.
🤖 Generated with Claude Code
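
The queue-discovery failure and fix described in this PR, as an added example that is not code from the pull request or the project. `FakeSqs`, `resolve_by_prefix`, `resolve_exact`, the placeholder URL and the attribute values are assumptions made for illustration; the fake client only mimics the `list_queues`, `get_queue_url` and `create_queue` calls so the sketch runs offline, and `resolve_by_prefix` is a simplified reconstruction of the behaviour the description reports.

```python
class QueueDoesNotExist(Exception): pass
class QueueNameExists(Exception): pass

class FakeSqs:
    """Constructed in-memory stand-in for the three SQS client calls used here."""
    def __init__(self):
        self.queues = {}  # queue name -> attributes
    def _url(self, name):
        return "https://sqs.example.invalid/000000000000/" + name  # placeholder URL
    def list_queues(self, QueueNamePrefix=""):
        urls = [self._url(n) for n in sorted(self.queues) if n.startswith(QueueNamePrefix)]
        return {"QueueUrls": urls} if urls else {}
    def get_queue_url(self, QueueName):
        if QueueName not in self.queues:
            raise QueueDoesNotExist(QueueName)
        return {"QueueUrl": self._url(QueueName)}
    def create_queue(self, QueueName, Attributes=None):
        attrs = Attributes or {}
        if self.queues.get(QueueName, attrs) != attrs:  # same name, different attributes
            raise QueueNameExists(QueueName)
        self.queues[QueueName] = attrs
        return {"QueueUrl": self._url(QueueName)}

def resolve_by_prefix(client, main_name, wanted, attrs):
    """Simplified reconstruction of the reported behaviour: look only under main_name."""
    for url in client.list_queues(QueueNamePrefix=main_name).get("QueueUrls", []):
        if url.rsplit("/", 1)[-1] == wanted:
            return url
    return client.create_queue(QueueName=wanted, Attributes=attrs)["QueueUrl"]

def resolve_exact(client, wanted, attrs):
    """Exact-name lookup; create only when the queue does not exist."""
    try:
        return client.get_queue_url(QueueName=wanted)["QueueUrl"]
    except QueueDoesNotExist:
        return client.create_queue(QueueName=wanted, Attributes=attrs)["QueueUrl"]

def demo():
    sqs = FakeSqs()
    sqs.create_queue(QueueName="process-queue")
    sqs.create_queue(QueueName="error-queue", Attributes={"VisibilityTimeout": "120"})
    wanted_attrs = {"VisibilityTimeout": "600"}  # constructed: differs from the live queue
    try:
        old = resolve_by_prefix(sqs, "process-queue", "error-queue", wanted_attrs)
    except QueueNameExists:
        old = "QueueNameExists"
    return old, resolve_exact(sqs, "error-queue", wanted_attrs)
```

With boto3 the same pattern catches `client.exceptions.QueueDoesNotExist` around `client.get_queue_url(QueueName=...)`.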