ansible/test/integration/targets/aws_secret/tasks/main.yaml

251 lines
6.6 KiB
YAML
Raw Normal View History

---
- module_defaults:
group/aws:
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
security_token: "{{ security_token | default(omit) }}"
region: "{{ aws_region }}"
block:
- name: retrieve caller facts
aws_caller_info:
register: test_caller_facts
- name: ensure IAM role exists
iam_role:
name: "{{ secret_manager_role }}"
assume_role_policy_document: "{{ lookup('file','secretsmanager-trust-policy.json') }}"
state: present
create_instance_profile: no
managed_policy:
- 'arn:aws:iam::aws:policy/SecretsManagerReadWrite'
register: iam_role
ignore_errors: yes
- name: wait 10 seconds for role to become available
pause:
seconds: 10
when: iam_role.changed
# CI does not remove the role and comparing policies has a bug on Python3; fall back to use iam_role_info
- name: get IAM role
iam_role_info:
name: "{{ secret_manager_role }}"
register: iam_role_info
- name: set iam_role_output
set_fact:
iam_role_output: "{{ iam_role_info.iam_roles[0] }}"
when: iam_role_info is defined
- name: create a temporary directory
tempfile:
state: directory
register: tmp
- name: move lambda into place for upload
copy:
src: "files/hello_world.zip"
dest: "{{ tmp.path }}/hello_world.zip"
- name: dummy lambda for testing
lambda:
name: "{{ lambda_name }}"
state: present
zip_file: "{{ tmp.path }}/hello_world.zip"
runtime: 'python2.7'
role: "{{ iam_role_output.arn }}"
handler: 'hello_world.lambda_handler'
register: lambda_output
until: not lambda_output.failed
retries: 10
delay: 5
- debug:
var: lambda_output
# ============================================================
# Module parameter testing
# ============================================================
- name: test with no parameters
aws_secret:
register: result
ignore_errors: true
check_mode: true
- name: assert failure when called with no parameters
assert:
that:
- result.failed
- 'result.msg.startswith("missing required arguments:")'
# ============================================================
# Creation/Deletion testing
# ============================================================
- name: add secret to AWS Secrets Manager
aws_secret:
name: "{{ secret_name }}"
state: present
secret_type: 'string'
secret: "{{ super_secret_string }}"
register: result
- name: assert correct keys are returned
assert:
that:
- result.changed
- result.arn is not none
- result.name is not none
- result.tags is not none
- result.version_ids_to_stages is not none
- name: no changes to secret
aws_secret:
name: "{{ secret_name }}"
state: present
secret_type: 'string'
secret: "{{ super_secret_string }}"
register: result
- name: assert correct keys are returned
assert:
that:
- not result.changed
- result.arn is not none
- name: make change to secret
aws_secret:
name: "{{ secret_name }}"
description: 'this is a change to this secret'
state: present
secret_type: 'string'
secret: "{{ super_secret_string }}"
register: result
- debug:
var: result
- name: assert correct keys are returned
assert:
that:
- result.changed
- result.arn is not none
- result.name is not none
- result.tags is not none
- result.version_ids_to_stages is not none
- name: add tags to secret
aws_secret:
name: "{{ secret_name }}"
description: 'this is a change to this secret'
state: present
secret_type: 'string'
secret: "{{ super_secret_string }}"
tags:
Foo: 'Bar'
Test: 'Tag'
register: result
- name: assert correct keys are returned
assert:
that:
- result.changed
- name: remove tags from secret
aws_secret:
name: "{{ secret_name }}"
description: 'this is a change to this secret'
state: present
secret_type: 'string'
secret: "{{ super_secret_string }}"
register: result
- name: assert correct keys are returned
assert:
that:
- result.changed
- name: lambda policy for secrets manager
lambda_policy:
state: present
function_name: "{{ lambda_name }}"
statement_id: LambdaSecretsManagerTestPolicy
action: 'lambda:InvokeFunction'
principal: "secretsmanager.amazonaws.com"
- name: add rotation lambda to secret
aws_secret:
name: "{{ secret_name }}"
description: 'this is a change to this secret'
state: present
secret_type: 'string'
secret: "{{ super_secret_string }}"
rotation_lambda: "arn:aws:lambda:{{ aws_region }}:{{ test_caller_facts.account }}:function:{{ lambda_name }}"
register: result
retries: 100
delay: 5
until: not result.failed
- name: assert correct keys are returned
assert:
that:
- result.changed
- name: remove rotation lambda from secret
aws_secret:
name: "{{ secret_name }}"
description: 'this is a change to this secret'
state: present
secret_type: 'string'
secret: "{{ super_secret_string }}"
register: result
- name: assert correct keys are returned
assert:
that:
- result.changed
always:
- name: remove secret
aws_secret:
name: "{{ secret_name }}"
state: absent
secret_type: 'string'
secret: "{{ super_secret_string }}"
recovery_window: 0
ignore_errors: yes
- name: remove lambda policy
lambda_policy:
state: absent
function_name: "{{ lambda_name }}"
statement_id: lambda-secretsmanager-test-policy
action: lambda:InvokeFunction
principal: secretsmanager.amazonaws.com
ignore_errors: yes
- name: remove dummy lambda
lambda:
name: "{{ lambda_name }}"
state: absent
zip_file: "{{ tmp.path }}/hello_world.zip"
runtime: 'python2.7'
role: "{{ secret_manager_role }}"
handler: 'hello_world.lambda_handler'
ignore_errors: yes
# CI does not remove the IAM role
- name: remove IAM role
iam_role:
name: "{{ secret_manager_role }}"
assume_role_policy_document: "{{ lookup('file','secretsmanager-trust-policy.json') }}"
state: absent
create_instance_profile: no
managed_policy:
- 'arn:aws:iam::aws:policy/SecretsManagerReadWrite'
ignore_errors: yes
- name: remove temporary dir
file:
path: "{{ tmp.path }}"
state: absent