Add integration tests for iam_policy (#40115)

* Add integration tests for iam_policy

* Fix indentation and ignore errors during clean up

* Mark iam_policy integration tests as unsupported by CI

* Add policies to a temporary folder that is cleaned up

* Add tasks to verify that iam_policy can remove policies from users, roles, and groups
Kyle Knapp 2018-11-14 17:14:19 -08:00 committed by Sloane Hertel
parent 54c54fc960
commit e822450a79
6 changed files with 363 additions and 0 deletions


@ -0,0 +1,2 @@
cloud/aws
unsupported


@ -0,0 +1,5 @@
---
iam_user_name: '{{resource_prefix}}'
iam_role_name: '{{resource_prefix}}'
iam_group_name: '{{resource_prefix}}'
iam_policy_name: '{{resource_prefix}}'
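Review bot: The four Jinja expressions in this vars file are written without inner spaces, `'{{resource_prefix}}'`, whereas the tasks file in the same commit uses the conventional `"{{ iam_user_name }}"` form; the two spellings are functionally identical but the file is the odd one out. Changing the four values to `'{{ resource_prefix }}'` keeps the role consistent with both its own tasks and the ansible-lint default. Using the same `resource_prefix` for the user, role, group and inline policy name is fine since IAM namespaces those separately, but a short comment saying so would save the next reader from wondering whether the collision is intentional.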


@ -0,0 +1,10 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "*",
"Resource": "*"
}
]
}


@ -0,0 +1,11 @@
{
"Id": "MyId",
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "*",
"Resource": "*"
}
]
}


@ -0,0 +1,10 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": {"AWS": "*"},
"Action": "sts:AssumeRole"
}
]
}


@ -0,0 +1,325 @@
---
- block:
# ============================================================
- name: set up aws connection info
set_fact:
aws_connection_info: &aws_connection_info
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
security_token: "{{ security_token }}"
region: "{{ aws_region }}"
no_log: yes
# ============================================================
- name: Create a temporary folder for the policies
tempfile:
state: directory
register: tmpdir
# ============================================================
- name: Copy over policy
copy:
src: no_access.json
dest: "{{ tmpdir.path }}"
# ============================================================
- name: Copy over other policy
copy:
src: no_access_with_id.json
dest: "{{ tmpdir.path }}"
# ============================================================
- name: Create user for tests
iam_user:
name: "{{ iam_user_name }}"
state: present
<<: *aws_connection_info
# ============================================================
- name: Create role for tests
iam_role:
name: "{{ iam_role_name }}"
assume_role_policy_document: "{{ lookup('file','no_trust.json') }}"
state: present
<<: *aws_connection_info
# ============================================================
- name: Create group for tests
iam_group:
name: "{{ iam_group_name }}"
state: present
<<: *aws_connection_info
# ============================================================
- name: Create policy for user
iam_policy:
iam_type: user
iam_name: "{{ iam_user_name }}"
policy_name: "{{ iam_policy_name }}"
state: present
policy_document: "{{ tmpdir.path }}/no_access.json"
<<: *aws_connection_info
register: result
# ============================================================
- name: Assert policy was added for user
assert:
that:
- result.changed == True
- result.policies == ["{{ iam_policy_name }}"]
- result.user_name == "{{ iam_user_name }}"
# ============================================================
- name: Update policy for user
iam_policy:
iam_type: user
iam_name: "{{ iam_user_name }}"
policy_name: "{{ iam_policy_name }}"
state: present
policy_document: "{{ tmpdir.path }}/no_access_with_id.json"
<<: *aws_connection_info
register: result
# ============================================================
- name: Assert policy was updated for user
assert:
that:
- result.changed == True
# ============================================================
- name: Update policy for user with same policy
iam_policy:
iam_type: user
iam_name: "{{ iam_user_name }}"
policy_name: "{{ iam_policy_name }}"
state: present
policy_document: "{{ tmpdir.path }}/no_access_with_id.json"
<<: *aws_connection_info
register: result
# ============================================================
- name: Assert policy did not change for user
assert:
that:
- result.changed == False
# ============================================================
- name: Create policy for user using policy_json
iam_policy:
iam_type: user
iam_name: "{{ iam_user_name }}"
policy_name: "{{ iam_policy_name }}"
state: present
policy_json: "{{ lookup('file', '{{ tmpdir.path }}/no_access.json') }}"
<<: *aws_connection_info
register: result
# ============================================================
- name: Assert policy was added for user
assert:
that:
- result.changed == True
- result.policies == ["{{ iam_policy_name }}"]
- result.user_name == "{{ iam_user_name }}"
# ============================================================
- name: Create policy for role
iam_policy:
iam_type: role
iam_name: "{{ iam_role_name }}"
policy_name: "{{ iam_policy_name }}"
state: present
policy_document: "{{ tmpdir.path }}/no_access.json"
<<: *aws_connection_info
register: result
# ============================================================
- name: Assert policy was added for role
assert:
that:
- result.changed == True
- result.policies == ["{{ iam_policy_name }}"]
- result.role_name == "{{ iam_role_name }}"
# ============================================================
- name: Update policy for role
iam_policy:
iam_type: role
iam_name: "{{ iam_role_name }}"
policy_name: "{{ iam_policy_name }}"
state: present
policy_document: "{{ tmpdir.path }}/no_access_with_id.json"
<<: *aws_connection_info
register: result
# ============================================================
- name: Assert policy was updated for role
assert:
that:
- result.changed == True
# ============================================================
- name: Update policy for role with same policy
iam_policy:
iam_type: role
iam_name: "{{ iam_role_name }}"
policy_name: "{{ iam_policy_name }}"
state: present
policy_document: "{{ tmpdir.path }}/no_access_with_id.json"
<<: *aws_connection_info
register: result
# ============================================================
- name: Assert policy did not change for role
assert:
that:
- result.changed == False
# ============================================================
- name: Create policy for role using policy_json
iam_policy:
iam_type: role
iam_name: "{{ iam_role_name }}"
policy_name: "{{ iam_policy_name }}"
state: present
policy_json: "{{ lookup('file', '{{ tmpdir.path }}/no_access.json') }}"
<<: *aws_connection_info
register: result
# ============================================================
- name: Assert policy was added for role
assert:
that:
- result.changed == True
- result.policies == ["{{ iam_policy_name }}"]
- result.role_name == "{{ iam_role_name }}"
# ============================================================
- name: Create policy for group
iam_policy:
iam_type: group
iam_name: "{{ iam_group_name }}"
policy_name: "{{ iam_policy_name }}"
state: present
policy_document: "{{ tmpdir.path }}/no_access.json"
<<: *aws_connection_info
register: result
# ============================================================
- name: Assert policy was added for group
assert:
that:
- result.changed == True
- result.policies == ["{{ iam_policy_name }}"]
- result.group_name == "{{ iam_group_name }}"
# ============================================================
- name: Update policy for group
iam_policy:
iam_type: group
iam_name: "{{ iam_group_name }}"
policy_name: "{{ iam_policy_name }}"
state: present
policy_document: "{{ tmpdir.path }}/no_access_with_id.json"
<<: *aws_connection_info
register: result
# ============================================================
- name: Assert policy was updated for group
assert:
that:
- result.changed == True
# ============================================================
- name: Update policy for group with same policy
iam_policy:
iam_type: group
iam_name: "{{ iam_group_name }}"
policy_name: "{{ iam_policy_name }}"
state: present
policy_document: "{{ tmpdir.path }}/no_access_with_id.json"
<<: *aws_connection_info
register: result
# ============================================================
- name: Assert policy did not change for group
assert:
that:
- result.changed == False
# ============================================================
- name: Create policy for group using policy_json
iam_policy:
iam_type: group
iam_name: "{{ iam_group_name }}"
policy_name: "{{ iam_policy_name }}"
state: present
policy_json: "{{ lookup('file', '{{ tmpdir.path }}/no_access.json') }}"
<<: *aws_connection_info
register: result
# ============================================================
- name: Assert policy was added for group
assert:
that:
- result.changed == True
- result.policies == ["{{ iam_policy_name }}"]
- result.group_name == "{{ iam_group_name }}"
# ============================================================
- name: Delete policy for user
iam_policy:
iam_type: user
iam_name: "{{ iam_user_name }}"
policy_name: "{{ iam_policy_name }}"
state: absent
<<: *aws_connection_info
- assert:
that:
- result.changed == True
# ============================================================
- name: Delete policy for role
iam_policy:
iam_type: role
iam_name: "{{ iam_role_name }}"
policy_name: "{{ iam_policy_name }}"
state: absent
<<: *aws_connection_info
- assert:
that:
- result.changed == True
# ============================================================
- name: Delete policy for group
iam_policy:
iam_type: group
iam_name: "{{ iam_group_name }}"
policy_name: "{{ iam_policy_name }}"
state: absent
<<: *aws_connection_info
- assert:
that:
- result.changed == True
# ============================================================
always:
# ============================================================
- name: Delete policy for user
iam_policy:
iam_type: user
iam_name: "{{ iam_user_name }}"
policy_name: "{{ iam_policy_name }}"
state: absent
<<: *aws_connection_info
ignore_errors: yes
# ============================================================
- name: Delete user for tests
iam_user:
name: "{{ iam_user_name }}"
state: absent
<<: *aws_connection_info
ignore_errors: yes
# ============================================================
- name: Delete policy for role
iam_policy:
iam_type: role
iam_name: "{{ iam_role_name }}"
policy_name: "{{ iam_policy_name }}"
state: absent
<<: *aws_connection_info
ignore_errors: yes
# ============================================================
- name: Delete role for tests
iam_role:
name: "{{ iam_role_name }}"
state: absent
<<: *aws_connection_info
ignore_errors: yes
# ============================================================
- name: Delete policy for group
iam_policy:
iam_type: group
iam_name: "{{ iam_group_name }}"
policy_name: "{{ iam_policy_name }}"
state: absent
<<: *aws_connection_info
ignore_errors: yes
# ============================================================
- name: Delete group for tests
iam_group:
name: "{{ iam_group_name }}"
state: absent
<<: *aws_connection_info
ignore_errors: yes
# ============================================================
- name: Delete temporary folder containing the policies
file:
state: absent
path: "{{ tmpdir.path }}/"
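Review bot: The three bare `- assert:` tasks that follow "Delete policy for user", "Delete policy for role" and "Delete policy for group" do not verify the deletions at all, because none of those three `state: absent` `iam_policy` tasks carries `register: result`; `result` still holds the output of "Create policy for group using policy_json", which was already `changed`, so a no-op or failed-silent removal would still pass and the commit's stated goal of verifying removal is not met. Add `register: result` to each of the three delete tasks, and consider a second `state: absent` run per type asserting `result is not changed` so idempotent deletion is pinned as well. Separately, the `policy_json` tasks nest Jinja inside a lookup string, `policy_json: "{{ lookup('file', '{{ tmpdir.path }}/no_access.json') }}"`; Ansible warns about nested moustaches, and the expression form `policy_json: "{{ lookup('file', tmpdir.path ~ '/no_access.json') }}"` is the conventional spelling. In the `always` section, the final `file: state: absent` cleanup is the only task without `ignore_errors` and will abort on an undefined `tmpdir` if the `tempfile` task itself failed; guarding it with `when: tmpdir is defined` (or `when: tmpdir.path is defined`) keeps cleanup best-effort like its siblings. Indentation is flattened in the rendered page, so the block/always nesting above is inferred from task order.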