|
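---
# Integration test for ec2_vpc_nacl with IPv6 entries.
# Creates a throw-away VPC/subnet, drives the NACL module through create,
# add-IPv6, purge-ingress and purge-egress, then removes everything in the
# `always:` teardown below (each teardown step retries and ignores errors so
# a failed test still cleans up).
- block:
    - name: create a VPC
      ec2_vpc_net:
        cidr_block: 10.230.231.0/24
        name: "{{ resource_prefix }}-ipv6"
        state: present
        ipv6_cidr: true
      register: vpc_result

    # The VPC's /56 is narrowed to a /64 for the subnet further down.
    - set_fact:
        vpc_ipv6_cidr: "{{ vpc_result.vpc.ipv6_cidr_block_association_set[0].ipv6_cidr_block }}"

    # ============================================================
    - name: create subnet with IPv6 (expected changed=true)
      ec2_vpc_subnet:
        cidr: 10.230.231.0/26
        vpc_id: "{{ vpc_result.vpc.id }}"
        ipv6_cidr: "{{ vpc_ipv6_cidr | regex_replace('::/56', '::/64') }}"
        state: present
        tags:
          Name: "{{ resource_prefix }}-ipv6-subnet-1"
      register: vpc_subnet_ipv6

    - name: assert creation with IPv6 happened (expected changed=true)
      assert:
        that:
          - "vpc_subnet_ipv6.subnet.ipv6_cidr_block == '{{ vpc_ipv6_cidr | regex_replace('::/56', '::/64') }}'"

    # ============================================================

    # The 0.0.0.0/0 and ::/0 rules below are fixtures for this ephemeral test
    # VPC: they exercise the module's rule-list format
    # [rule_no, proto, action, cidr, icmp_type, icmp_code, from_port, to_port],
    # not a production ACL layout.
    - name: create ingress and egress rules using subnet names
      ec2_vpc_nacl:
        vpc_id: "{{ vpc_result.vpc.id }}"
        name: "{{ resource_prefix }}-acl"
        subnets:
          - "{{ resource_prefix }}-ipv6-subnet-1"
        tags:
          Created_by: "Ansible test {{ resource_prefix }}"
        ingress:
          - [100, 'tcp', 'allow', '0.0.0.0/0', null, null, 22, 22]
          - [200, 'tcp', 'allow', '0.0.0.0/0', null, null, 80, 80]
          - [300, 'icmp', 'allow', '0.0.0.0/0', 0, 8]
        egress:
          - [100, 'all', 'allow', '0.0.0.0/0', null, null, null, null]
        state: present
      register: nacl

    - assert:
        that:
          - nacl.nacl_id

    # Saved separately because later tasks re-register `nacl`.
    - set_fact:
        nacl_id: "{{ nacl.nacl_id }}"

    - name: add ipv6 entries
      ec2_vpc_nacl:
        vpc_id: "{{ vpc_result.vpc.id }}"
        name: "{{ resource_prefix }}-acl"
        subnets:
          - "{{ resource_prefix }}-ipv6-subnet-1"
        tags:
          Created_by: "Ansible test {{ resource_prefix }}"
        ingress:
          - [100, 'tcp', 'allow', '0.0.0.0/0', null, null, 22, 22]
          - [200, 'tcp', 'allow', '0.0.0.0/0', null, null, 80, 80]
          - [205, 'ipv6-tcp', 'allow', '::/0', null, null, 80, 80]
          - [300, 'icmp', 'allow', '0.0.0.0/0', 0, 8]
          - [305, 'ipv6-icmp', 'allow', '::/0', 0, 8]
        egress:
          - [100, 'all', 'allow', '0.0.0.0/0', null, null, null, null]
          - [105, 'all', 'allow', '::/0', null, null, null, null]
        state: present
      register: nacl
      # FIXME: Currently IPv6 rules are not supported - uncomment assertion when
      # fixed (and add some nacl_info tests)
      ignore_errors: true

    - name: get network ACL facts (test that it works with ipv6 entries)
      ec2_vpc_nacl_info:
        nacl_ids:
          - "{{ nacl_id }}"
      register: nacl_facts

    #- assert:
    #    that:
    #      - nacl.changed
    #      - nacl.nacl_id == nacl_id

    - name: purge ingress entries
      ec2_vpc_nacl:
        vpc_id: "{{ vpc_result.vpc.id }}"
        name: "{{ resource_prefix }}-acl"
        subnets:
          - "{{ resource_prefix }}-ipv6-subnet-1"
        tags:
          Created_by: "Ansible test {{ resource_prefix }}"
        ingress: []
        egress:
          - [100, 'all', 'allow', '0.0.0.0/0', null, null, null, null]
          - [105, 'all', 'allow', '::/0', null, null, null, null]
        state: present
      register: nacl
      # FIXME: Currently IPv6 rules are not supported - uncomment assertion when
      # fixed (and add some nacl_info tests)
      ignore_errors: true

    #- assert:
    #    that:
    #      - nacl.changed
    #      - nacl.nacl_id == nacl_id

    - name: purge egress entries
      ec2_vpc_nacl:
        vpc_id: "{{ vpc_result.vpc.id }}"
        name: "{{ resource_prefix }}-acl"
        subnets:
          - "{{ resource_prefix }}-ipv6-subnet-1"
        tags:
          Created_by: "Ansible test {{ resource_prefix }}"
        ingress: []
        egress: []
        state: present
      register: nacl

    - assert:
        that:
          - nacl.changed

    # ============================================================
    - name: remove subnet ipv6 cidr (expected changed=true)
      ec2_vpc_subnet:
        cidr: 10.230.231.0/26
        vpc_id: "{{ vpc_result.vpc.id }}"
        state: absent
      register: vpc_remove_ipv6_cidr

    - name: assert subnet ipv6 cidr removed (expected changed=true)
      assert:
        that:
          - 'vpc_remove_ipv6_cidr.changed'

  always:

    ################################################
    # TEARDOWN STARTS HERE
    ################################################

    # Order matters: the ACL references the subnet, the subnet lives in the VPC.
    - name: remove network ACL
      ec2_vpc_nacl:
        vpc_id: "{{ vpc_result.vpc.id }}"
        name: "{{ resource_prefix }}-acl"
        state: absent
      register: removed_acl
      until: removed_acl is success
      retries: 5
      delay: 5
      ignore_errors: true

    - name: tidy up subnet
      ec2_vpc_subnet:
        cidr: 10.230.231.0/26
        vpc_id: "{{ vpc_result.vpc.id }}"
        state: absent
      register: removed_subnet
      until: removed_subnet is success
      retries: 5
      delay: 5
      ignore_errors: true

    - name: tidy up VPC
      ec2_vpc_net:
        name: "{{ resource_prefix }}-ipv6"
        state: absent
        cidr_block: 10.230.231.0/24
      register: removed_vpc
      until: removed_vpc is success
      retries: 5
      delay: 5
      ignore_errors: true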