ansible/test/integration/targets/cloudformation_stack_set/tasks/main.yml

187 lines
5.6 KiB
YAML
Raw Normal View History

---
# tasks file for cloudformation_stack_set module tests
# These tests require access to two separate AWS accounts
- name: set up aws connection info
set_fact:
aws_connection_info: &aws_connection_info
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
security_token: "{{ security_token }}"
region: "{{ aws_region }}"
aws_secondary_connection_info: &aws_secondary_connection_info
aws_access_key: "{{ secondary_aws_access_key }}"
aws_secret_key: "{{ secondary_aws_secret_key }}"
security_token: "{{ secondary_security_token }}"
region: "{{ aws_region }}"
no_log: yes
- block:
- name: Get current account ID
aws_caller_facts:
<<: *aws_connection_info
register: whoami
- name: Get current account ID
aws_caller_facts:
<<: *aws_secondary_connection_info
register: target_acct
- name: Policy to allow assuming stackset execution role
iam_managed_policy:
policy_name: AssumeCfnStackSetExecRole
state: present
<<: *aws_connection_info
policy:
Version: '2012-10-17'
Statement:
- Action: 'sts:AssumeRole'
Effect: Allow
Resource: arn:aws:iam::*:role/CfnStackSetExecRole
policy_description: Assume CfnStackSetExecRole
- name: Create an execution role for us to use
iam_role:
name: CfnStackSetExecRole
<<: *aws_secondary_connection_info
assume_role_policy_document:
Version: '2012-10-17'
Statement:
- Action: 'sts:AssumeRole'
Effect: Allow
Principal:
AWS: '{{ whoami.account }}'
managed_policy:
- arn:aws:iam::aws:policy/PowerUserAccess
- name: Create an administration role for us to use
iam_role:
name: CfnStackSetAdminRole
<<: *aws_connection_info
assume_role_policy_document:
Version: '2012-10-17'
Statement:
- Action: 'sts:AssumeRole'
Effect: Allow
Principal:
Service: 'cloudformation.amazonaws.com'
managed_policy:
- arn:aws:iam::{{ whoami.account }}:policy/AssumeCfnStackSetExecRole
#- arn:aws:iam::aws:policy/PowerUserAccess
- name: Should fail without account/regions
cloudformation_stack_set:
<<: *aws_connection_info
name: TestSetOne
description: TestStack Prime
tags:
Some: Thing
Type: Test
wait: true
template: test_bucket_stack.yml
register: result
ignore_errors: true
- name: assert that running with no account fails
assert:
that:
- result is failed
- >
"Can't create a stack set without choosing at least one account" in result.msg
- name: Should fail without roles
cloudformation_stack_set:
<<: *aws_connection_info
name: TestSetOne
description: TestStack Prime
tags:
Some: Thing
Type: Test
wait: true
regions:
- '{{ aws_region }}'
accounts:
- '{{ whoami.account }}'
template_body: '{{ lookup("file", "test_bucket_stack.yml") }}'
register: result
ignore_errors: true
- name: assert that running with no account fails
assert:
that:
- result is failed
- name: Create an execution role for us to use
iam_role:
name: CfnStackSetExecRole
state: absent
<<: *aws_connection_info
assume_role_policy_document:
Version: '2012-10-17'
Statement:
- Action: 'sts:AssumeRole'
Effect: Allow
Principal:
AWS: arn:aws:iam::{{ whoami.account }}:root
managed_policy:
- arn:aws:iam::aws:policy/PowerUserAccess
- name: Create stack with roles
cloudformation_stack_set:
<<: *aws_connection_info
name: TestSetTwo
description: TestStack Dos
tags:
Some: Thing
Type: Test
wait: true
regions:
- '{{ aws_region }}'
accounts:
- '{{ target_acct.account }}'
exec_role_name: CfnStackSetExecRole
admin_role_arn: arn:aws:iam::{{ whoami.account }}:role/CfnStackSetAdminRole
template_body: '{{ lookup("file", "test_bucket_stack.yml") }}'
register: result
- name: Update stack with roles
cloudformation_stack_set:
<<: *aws_connection_info
name: TestSetTwo
description: TestStack Dos
tags:
Some: Thing
Type: Test
wait: true
regions:
- '{{ aws_region }}'
accounts:
- '{{ target_acct.account }}'
exec_role_name: CfnStackSetExecRole
admin_role_arn: arn:aws:iam::{{ whoami.account }}:role/CfnStackSetAdminRole
template_body: '{{ lookup("file", "test_modded_bucket_stack.yml") }}'
always:
- name: Clean up stack one
cloudformation_stack_set:
<<: *aws_connection_info
name: TestSetOne
wait: true
regions:
- '{{ aws_region }}'
accounts:
- '{{ whoami.account }}'
purge_stacks: true
state: absent
- name: Clean up stack two
cloudformation_stack_set:
<<: *aws_connection_info
name: TestSetTwo
description: TestStack Dos
purge_stacks: true
tags:
Some: Thing
Type: Test
wait: true
regions:
- '{{ aws_region }}'
accounts:
- '{{ target_acct.account }}'
template_body: '{{ lookup("file", "test_bucket_stack.yml") }}'
state: absent