143 lines
3.9 KiB
YAML
143 lines
3.9 KiB
YAML
|
# ============================================================
|
||
|
|
||
|
- name: create ingress and egress rules using subnet IDs
|
||
|
ec2_vpc_nacl:
|
||
|
vpc_id: "{{ vpc_id }}"
|
||
|
name: "{{ resource_prefix }}-acl"
|
||
|
subnets: "{{ subnet_ids }}"
|
||
|
tags:
|
||
|
Created_by: "Ansible test {{ resource_prefix }}"
|
||
|
ingress:
|
||
|
- [100, 'tcp', 'allow', '0.0.0.0/0', null, null, 22, 22]
|
||
|
- [200, 'tcp', 'allow', '0.0.0.0/0', null, null, 80, 80]
|
||
|
- [300, 'icmp', 'allow', '0.0.0.0/0', 0, 8]
|
||
|
egress:
|
||
|
- [100, 'all', 'allow', '0.0.0.0/0', null, null, null, null]
|
||
|
state: 'present'
|
||
|
register: nacl
|
||
|
|
||
|
- set_fact:
|
||
|
nacl_id: "{{ nacl.nacl_id }}"
|
||
|
|
||
|
- name: assert the network acl was created
|
||
|
assert:
|
||
|
that:
|
||
|
- nacl.changed
|
||
|
- nacl.nacl_id.startswith('acl-')
|
||
|
|
||
|
- name: get network ACL facts
|
||
|
ec2_vpc_nacl_info:
|
||
|
nacl_ids:
|
||
|
- "{{ nacl_id }}"
|
||
|
register: nacl_facts
|
||
|
|
||
|
- name: assert the nacl has the correct attributes
|
||
|
assert:
|
||
|
that:
|
||
|
- nacl_facts.nacls | length == 1
|
||
|
- nacl_facts.nacls[0].nacl_id == nacl_id
|
||
|
- nacl_facts.nacls[0].subnets | length == 4
|
||
|
- nacl_facts.nacls[0].subnets | sort == subnet_ids | sort
|
||
|
- nacl_facts.nacls[0].ingress | length == 3
|
||
|
- nacl_facts.nacls[0].egress | length == 1
|
||
|
- "'{{ nacl_facts.nacls[0].tags.Name }}' == '{{ resource_prefix }}-acl'"
|
||
|
|
||
|
# ============================================================
|
||
|
|
||
|
- name: test idempotence
|
||
|
ec2_vpc_nacl:
|
||
|
vpc_id: "{{ vpc_id }}"
|
||
|
name: "{{ resource_prefix }}-acl"
|
||
|
subnets: "{{ subnet_ids }}"
|
||
|
tags:
|
||
|
Created_by: "Ansible test {{ resource_prefix }}"
|
||
|
ingress:
|
||
|
- [100, 'tcp', 'allow', '0.0.0.0/0', null, null, 22, 22]
|
||
|
- [200, 'tcp', 'allow', '0.0.0.0/0', null, null, 80, 80]
|
||
|
- [300, 'icmp', 'allow', '0.0.0.0/0', 0, 8]
|
||
|
egress:
|
||
|
- [100, 'all', 'allow', '0.0.0.0/0', null, null, null, null]
|
||
|
state: 'present'
|
||
|
register: nacl
|
||
|
|
||
|
- name: assert the network acl already existed
|
||
|
assert:
|
||
|
that:
|
||
|
- not nacl.changed
|
||
|
- nacl.nacl_id == nacl_id
|
||
|
- nacl.nacl_id.startswith('acl-')
|
||
|
|
||
|
- name: get network ACL facts
|
||
|
ec2_vpc_nacl_info:
|
||
|
nacl_ids:
|
||
|
- "{{ nacl.nacl_id }}"
|
||
|
register: nacl_facts_idem
|
||
|
|
||
|
- name: assert the facts are the same as before
|
||
|
assert:
|
||
|
that:
|
||
|
- nacl_facts_idem == nacl_facts
|
||
|
|
||
|
# ============================================================
|
||
|
|
||
|
- name: remove a subnet from the network ACL
|
||
|
ec2_vpc_nacl:
|
||
|
vpc_id: "{{ vpc_id }}"
|
||
|
name: "{{ resource_prefix }}-acl"
|
||
|
subnets:
|
||
|
- "{{ subnet_ids[0] }}"
|
||
|
- "{{ subnet_ids[1] }}"
|
||
|
- "{{ subnet_ids[2] }}"
|
||
|
tags:
|
||
|
Created_by: "Ansible test {{ resource_prefix }}"
|
||
|
ingress:
|
||
|
- [100, 'tcp', 'allow', '0.0.0.0/0', null, null, 22, 22]
|
||
|
- [200, 'tcp', 'allow', '0.0.0.0/0', null, null, 80, 80]
|
||
|
- [300, 'icmp', 'allow', '0.0.0.0/0', 0, 8]
|
||
|
egress:
|
||
|
- [100, 'all', 'allow', '0.0.0.0/0', null, null, null, null]
|
||
|
state: 'present'
|
||
|
register: nacl
|
||
|
|
||
|
- name: assert the network ACL changed
|
||
|
assert:
|
||
|
that:
|
||
|
- nacl.changed
|
||
|
- nacl.nacl_id.startswith('acl-')
|
||
|
- nacl.nacl_id == nacl_id
|
||
|
|
||
|
- name: get network ACL facts
|
||
|
ec2_vpc_nacl_info:
|
||
|
nacl_id:
|
||
|
- "{{ nacl.nacl_id }}"
|
||
|
register: nacl_facts
|
||
|
|
||
|
- name: assert the nacl has the correct attributes
|
||
|
assert:
|
||
|
that:
|
||
|
- nacl_facts.nacls | length == 1
|
||
|
- nacl_facts.nacls[0].nacl_id == nacl_id
|
||
|
- nacl_facts.nacls[0].subnets | length == 3
|
||
|
- subnet_ids[3] not in nacl_facts.nacls[0].subnets
|
||
|
- nacl_facts.nacls[0].ingress | length == 3
|
||
|
- nacl_facts.nacls[0].egress | length == 1
|
||
|
- "'{{ nacl_facts.nacls[0].tags.Name }}' == '{{ resource_prefix }}-acl'"
|
||
|
|
||
|
# ============================================================
|
||
|
|
||
|
- name: remove the network ACL
|
||
|
ec2_vpc_nacl:
|
||
|
vpc_id: "{{ vpc_id }}"
|
||
|
name: "{{ resource_prefix }}-acl"
|
||
|
state: absent
|
||
|
register: nacl
|
||
|
until: nacl is success
|
||
|
ignore_errors: yes
|
||
|
retries: 5
|
||
|
delay: 5
|
||
|
|
||
|
- name: assert nacl was removed
|
||
|
assert:
|
||
|
that:
|
||
|
- nacl.changed
|