diff --git a/hacking/aws_config/testing_policies/ec2-policy.json b/hacking/aws_config/testing_policies/ec2-policy.json
index 2ccababf7f0..54c8c53fba1 100644
--- a/hacking/aws_config/testing_policies/ec2-policy.json
+++ b/hacking/aws_config/testing_policies/ec2-policy.json
@@ -17,6 +17,7 @@
 "ec2:CreateInternetGateway",
 "ec2:CreateKeyPair",
 "ec2:CreateNatGateway",
+ "ec2:CreateRoute",
 "ec2:CreateRouteTable",
 "ec2:CreateSecurityGroup",
 "ec2:CreateSnapshot",
@@ -24,14 +25,18 @@
 "ec2:CreateTags",
 "ec2:CreateVpc",
 "ec2:DeleteKeyPair",
+ "ec2:DeleteInternetGateway",
 "ec2:DeleteNatGateway",
 "ec2:DeleteSnapshot",
 "ec2:DeleteSubnet",
+ "ec2:DeleteRoute",
+ "ec2:DeleteRouteTable",
 "ec2:DeleteTags",
 "ec2:DeleteVpc",
 "ec2:DeleteTags",
 "ec2:DeregisterImage",
 "ec2:Describe*",
+ "ec2:DetachInternetGateway",
 "ec2:DisassociateAddress",
 "ec2:DisassociateRouteTable",
 "ec2:ImportKeyPair",
diff --git a/test/integration/targets/ec2_vpc_route_table/aliases b/test/integration/targets/ec2_vpc_route_table/aliases
new file mode 100644
index 00000000000..ebdf4aa5720
--- /dev/null
+++ b/test/integration/targets/ec2_vpc_route_table/aliases
@@ -0,0 +1,2 @@
+cloud/aws
+posix/ci/cloud/group1/aws
diff --git a/test/integration/targets/ec2_vpc_route_table/meta/main.yml b/test/integration/targets/ec2_vpc_route_table/meta/main.yml
new file mode 100644
index 00000000000..1f64f1169a9
--- /dev/null
+++ b/test/integration/targets/ec2_vpc_route_table/meta/main.yml
@@ -0,0 +1,3 @@
+dependencies:
+ - prepare_tests
+ - setup_ec2
diff --git a/test/integration/targets/ec2_vpc_route_table/tasks/main.yml b/test/integration/targets/ec2_vpc_route_table/tasks/main.yml
new file mode 100644
index 00000000000..6e5fa8ef6b4
--- /dev/null
+++ b/test/integration/targets/ec2_vpc_route_table/tasks/main.yml
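Review bot: In the second hunk the new entries break the alphabetical order the Action list otherwise keeps: `ec2:DeleteInternetGateway` is inserted after `ec2:DeleteKeyPair`, and `ec2:DeleteRoute` / `ec2:DeleteRouteTable` after `ec2:DeleteSubnet`, whereas `ec2:CreateRoute` in the first hunk and `ec2:DetachInternetGateway` land in the right place. A sorted allow-list is what makes a CI policy auditable for drift and duplicates, and the context lines already show the cost of not keeping it: `"ec2:DeleteTags",` appears twice in this hunk, once before and once after `"ec2:DeleteVpc",`. Moving the three entries to their sorted position (and dropping the second `DeleteTags` while the block is being touched) changes nothing about what the policy grants. The Statement that owns this Action array, including its Resource element, lies outside both hunks, so the scope of the new grants cannot be checked here.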
@@ -0,0 +1,372 @@
+- block:
+
+ - name: set connection information for all tasks
+ set_fact:
+ aws_connection_info: &aws_connection_info
+ aws_access_key: "{{ aws_access_key }}"
+ aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ security_token }}"
+ region: "{{ aws_region }}"
+ no_log: yes
+
+ - name: create VPC
+ ec2_vpc_net:
+ cidr_block: 10.228.228.0/22
+ name: "{{ resource_prefix }}_vpc"
+ state: present
+ <<: *aws_connection_info
+ register: vpc
+
+ - name: create public subnet
+ ec2_vpc_subnet:
+ cidr: "{{ item.cidr }}"
+ az: "{{ aws_region}}{{ item.az }}"
+ vpc_id: "{{ vpc.vpc.id }}"
+ state: present
+ tags:
+ Public: "{{ item.public|string }}"
+ Name: "{{ item.public|ternary('public', 'private') }}-{{ item.az }}"
+ <<: *aws_connection_info
+ with_items:
+ - cidr: 10.228.228.0/24
+ az: "a"
+ public: "True"
+ - cidr: 10.228.229.0/24
+ az: "b"
+ public: "True"
+ - cidr: 10.228.230.0/24
+ az: "a"
+ public: "False"
+ - cidr: 10.228.231.0/24
+ az: "b"
+ public: "False"
+ register: subnets
+
+ - ec2_vpc_subnet_facts:
+ filters:
+ vpc-id: "{{ vpc.vpc.id }}"
+ <<: *aws_connection_info
+ register: vpc_subnets
+
+ - name: create IGW
+ ec2_vpc_igw:
+ vpc_id: "{{ vpc.vpc.id }}"
+ <<: *aws_connection_info
+
+
+ - name: create NAT GW
+ ec2_vpc_nat_gateway:
+ if_exist_do_not_create: yes
+ wait: yes
+ subnet_id: "{{ subnets.results[0].subnet.id }}"
+ <<: *aws_connection_info
+ register: nat_gateway
+
+
+ - name: create public route table
+ ec2_vpc_route_table:
+ vpc_id: "{{ vpc.vpc.id }}"
+ tags:
+ Public: "true"
+ Name: "Public route table"
+ <<: *aws_connection_info
+ register: create_public_table
+
+ - name: assert that public route table has an id
+ assert:
+ that:
+ - create_public_table.changed
+ - "create_public_table.route_table.id.startswith('rtb-')"
+ - "'Public' in create_public_table.route_table.tags and create_public_table.route_table.tags['Public'] == 'true'"
+
+ - name: recreate public route table
+ ec2_vpc_route_table:
+ vpc_id: "{{ vpc.vpc.id }}"
+ tags:
+ Public: "true"
+ Name: "Public route table"
+ <<: *aws_connection_info
+ register: recreate_public_route_table
+
+ - name: assert that public route table did not change
+ assert:
+ that:
+ - not recreate_public_route_table.changed
+
+ - name: add a route to public route table
+ ec2_vpc_route_table:
+ vpc_id: "{{ vpc.vpc.id }}"
+ tags:
+ Public: "true"
+ Name: "Public route table"
+ routes:
+ - dest: 0.0.0.0/0
+ gateway_id: igw
+ <<: *aws_connection_info
+ register: add_routes
+
+ - name: add subnets to public route table
+ ec2_vpc_route_table:
+ vpc_id: "{{ vpc.vpc.id }}"
+ tags:
+ Public: "true"
+ Name: "Public route table"
+ routes:
+ - dest: 0.0.0.0/0
+ gateway_id: igw
+ subnets: "{{ vpc_subnets|json_query('subnets[?tags.Public == `True`].id') }}"
+ <<: *aws_connection_info
+ register: add_subnets
+
+
+ - name: add a route to public route table
+ ec2_vpc_route_table:
+ vpc_id: "{{ vpc.vpc.id }}"
+ tags:
+ Public: "true"
+ Name: "Public route table"
+ routes:
+ - dest: 0.0.0.0/0
+ gateway_id: igw
+ <<: *aws_connection_info
+ register: add_routes
+
+ - name: rerun with purge_routes set to false
+ ec2_vpc_route_table:
+ vpc_id: "{{ vpc.vpc.id }}"
+ tags:
+ Public: "true"
+ Name: "Public route table"
+ purge_routes: no
+ subnets: "{{ vpc_subnets|json_query('subnets[?tags.Public == `True`].id') }}"
+ <<: *aws_connection_info
+ register: no_purge_routes
+
+ - name: assert route table still has routes
+ assert:
+ that:
+ - not no_purge_routes.changed
+ - no_purge_routes.route_table.routes|length == 2
+ # FIXME: - no_purge_routes.route_table.associations|length == 2
+
+ - name: rerun with purge_subnets set to false
+ ec2_vpc_route_table:
+ vpc_id: "{{ vpc.vpc.id }}"
+ tags:
+ Public: "true"
+ Name: "Public route table"
+ purge_subnets: no
+ routes:
+ - dest: 0.0.0.0/0
+ <<: *aws_connection_info
+ register: no_purge_subnets
+
+ - name: assert route table still has subnets
+ assert:
+ that:
+ # FIXME: - not no_purge_subnets.changed
+ - no_purge_subnets.route_table.routes|length == 2
+ # FIXME: - no_purge_subnets.route_table.associations|length == 2
+
+# FIXME: purge_tags doesn't exist yet
+#
+# - name: rerun with purge_tags not set (implicitly false)
+# ec2_vpc_route_table:
+# vpc_id: "{{ vpc.vpc.id }}"
+# routes:
+# - dest: 0.0.0.0/0
+# subnets: "{{ vpc_subnets|json_query('subnets[?tags.Public == `True`].id') }}"
+# <<: *aws_connection_info
+# register: no_purge_tags
+#
+# - name: assert route table still has tags
+# assert:
+# that:
+# - not no_purge_tags.changed
+# - "'Public' in no_purge_tags.route_table.tags and no_purge_tags.route_table.tags['Public'] == 'true'"
+
+ - name: purge subnets
+ ec2_vpc_route_table:
+ vpc_id: "{{ vpc.vpc.id }}"
+ routes:
+ - dest: 0.0.0.0/0
+ tags:
+ Public: "true"
+ Name: "Public route table"
+ <<: *aws_connection_info
+ register: purge_subnets
+
+# FIXME: this doesn't currently work but with no associations present difficult to see why not
+# - name: assert purge subnets worked
+# assert:
+# that:
+# - purge_subnets.changed
+# # FIXME: - purge_subnets.route_table.associations|length == 0
+# - purge_subnets.route_table.id == create_public_table.route_table.id
+
+ - name: purge routes
+ ec2_vpc_route_table:
+ vpc_id: "{{ vpc.vpc.id }}"
+ tags:
+ Public: "true"
+ Name: "Public route table"
+ <<: *aws_connection_info
+ register: purge_routes
+
+ - name: assert purge routes worked
+ assert:
+ that:
+ - purge_routes.changed
+ # FIXME: purge_routes does work but the result is not up to date and returns
+ # the route - a wait period might help
+ # - purge_routes.route_table.routes|length == 1
+ - purge_routes.route_table.id == create_public_table.route_table.id
+
+ - name: update tags
+ ec2_vpc_route_table:
+ vpc_id: "{{ vpc.vpc.id }}"
+ route_table_id: "{{ create_public_table.route_table.id }}"
+ lookup: id
+ # FIXME: purge_tags: yes
+ tags:
+ Updated: new_tag
+ <<: *aws_connection_info
+ register: update_tags
+
+ - name: assert purge tags worked
+ assert:
+ that:
+ - update_tags.changed
+ - "'Updated' in update_tags.route_table.tags and update_tags.route_table.tags['Updated'] == 'new_tag'"
+ # FIXME: - "'Public' not in update_tags.route_table.tags"
+
+ - name: create private route table
+ ec2_vpc_route_table:
+ vpc_id: "{{ vpc.vpc.id }}"
+ tags:
+ Public: no
+ Name: private route table
+ routes:
+ - gateway_id: "{{ nat_gateway.nat_gateway_id }}"
+ dest: 0.0.0.0/0
+ subnets: "{{ vpc_subnets|json_query('subnets[?tags.Public == `False`].id') }}"
+ <<: *aws_connection_info
+ register: create_private_table
+
+ - name: assert creating private route table worked
+ assert:
+ that:
+ - create_private_table.changed
+ - create_private_table.route_table.id != create_public_table.route_table.id
+ - "'Public' in create_private_table.route_table.tags"
+
+ - name: destroy public route table
+ ec2_vpc_route_table:
+ route_table_id: "{{ create_public_table.route_table.id }}"
+ lookup: id
+ vpc_id: "{{ vpc.vpc.id }}" # FIXME: why is this required?
+ state: absent
+ <<: *aws_connection_info
+ register: destroy_table
+
+ - name: assert destroy table worked
+ assert:
+ that:
+ - destroy_table.changed
+
+# FIXME: this currently throws an exception
+# - name: redestroy public route table
+# ec2_vpc_route_table:
+# route_table_id: "{{ create_public_table.route_table.id }}"
+# lookup: id
+# state: absent
+# <<: *aws_connection_info
+# register: redestroy_table
+#
+# - name: assert redestroy table worked
+# assert:
+# that:
+# - not redestroy_table.changed
+
+# FIXME: After boto3 port, test updating NAT gateway
+#
+# - name: destroy NAT GW
+# ec2_vpc_nat_gateway:
+# vpc_id: "{{ vpc.vpc.id }}"
+# state: absent
+# wait: yes
+# release_eip: yes
+# <<: *aws_connection_info
+# register: nat_gateway
+#
+# - name: create NAT GW
+# ec2_vpc_nat_gateway:
+# vpc_id: "{{ vpc.vpc.id }}"
+# if_exist_do_not_create: yes
+# <<: *aws_connection_info
+# register: nat_gateway
+
+ always:
+ #############################################################################
+ # TEAR DOWN STARTS HERE
+ #############################################################################
+ - name: destroy route tables
+ ec2_vpc_route_table:
+ route_table_id: "{{ item.route_table.id }}"
+ vpc_id: "{{ vpc.vpc.id }}" # FIXME: why is this required?
+ lookup: id
+ state: absent
+ <<: *aws_connection_info
+ with_items:
+ - "{{ create_public_table|default() }}"
+ - "{{ create_private_table|default() }}"
+ when: item and not item.failed
+ ignore_errors: yes
+
+ - name: destroy NAT GW
+ ec2_vpc_nat_gateway:
+ state: absent
+ wait: yes
+ release_eip: yes
+ subnet_id: "{{ subnets.results[0].subnet.id }}"
+ nat_gateway_id: "{{ nat_gateway.nat_gateway_id }}"
+ <<: *aws_connection_info
+ ignore_errors: yes
+
+ - name: destroy IGW
+ ec2_vpc_igw:
+ vpc_id: "{{ vpc.vpc.id }}"
+ state: absent
+ <<: *aws_connection_info
+ ignore_errors: yes
+
+ - name: destroy subnets
+ ec2_vpc_subnet:
+ cidr: "{{ item.cidr }}"
+ vpc_id: "{{ vpc.vpc.id }}"
+ state: absent
+ <<: *aws_connection_info
+ with_items:
+ - cidr: 10.228.228.0/24
+ - cidr: 10.228.229.0/24
+ - cidr: 10.228.230.0/24
+ - cidr: 10.228.231.0/24
+ ignore_errors: yes
+
+ # FIXME: ec2_vpc_nat_gateway should take care of this, but clearly doesn't always
+ - name: ensure EIP is actually released
+ ec2_eip:
+ state: absent
+ device_id: "{{ item.network_interface_id }}"
+ in_vpc: yes
+ <<: *aws_connection_info
+ with_items: "{{ nat_gateway.nat_gateway_addresses }}"
+ ignore_errors: yes
+
+ - name: destroy VPC
+ ec2_vpc_net:
+ cidr_block: 10.228.228.0/22
+ name: "{{ resource_prefix }}_vpc"
+ state: absent
+ <<: *aws_connection_info
+ ignore_errors: yes
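Review bot: The task `- name: add a route to public route table` is present twice with an identical body and the same `register: add_routes`, the second copy immediately after `add subnets to public route table`. That second run passes `routes:` but no `subnets:`, so if `ec2_vpc_route_table` purges subnet associations by default — which its `purge_subnets` option suggests — it disassociates the two public subnets the previous task just attached, which would explain why every `associations|length == 2` check further down is commented out as FIXME instead of passing. Delete the duplicate, and give the subnet step an assertion of its own so the association is actually verified rather than only the routes, e.g. `- add_subnets.changed` followed by `- add_subnets.route_table.associations|length == 2` (the second line presumes the `associations` key the FIXME comments already rely on). The `block:`/`always:` pair is entirely inside the hunk, which covers the whole new file.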