--- - name: 'Run integration tests for IAM (inline) Policy management on {{ iam_type }}s' vars: iam_object_key: '{{ iam_type }}_name' block: # ============================================================ - name: 'Fetch policies from {{ iam_type }} before making changes' iam_policy_info: iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' register: iam_policy_info - name: 'Assert empty policy list' assert: that: - iam_policy_info is succeeded - iam_policy_info.policies | length == 0 - iam_policy_info.all_policy_names | length == 0 - iam_policy_info.policy_names | length == 0 - name: 'Fetch policies from non-existent {{ iam_type }}' iam_policy_info: iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}-junk' register: iam_policy_info - name: 'Assert not failed' assert: that: - iam_policy_info is succeeded # ============================================================ #- name: 'Create policy using document for {{ iam_type }} (check mode)' # check_mode: yes # iam_policy: # state: present # iam_type: '{{ iam_type }}' # iam_name: '{{ iam_name }}' # policy_name: '{{ iam_policy_name_a }}' # policy_document: '{{ tmpdir.path }}/no_access.json' # skip_duplicates: yes # register: result #- name: 'Assert policy would be added for {{ iam_type }}' # assert: # that: # - result is changed - name: 'Create policy using document for {{ iam_type }}' iam_policy: state: present iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_a }}' policy_document: '{{ tmpdir.path }}/no_access.json' skip_duplicates: yes register: result - iam_policy_info: iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' register: iam_policy_info - name: 'Assert policy was added for {{ iam_type }}' assert: that: - result is changed - result.policies | length == 1 - iam_policy_name_a in result.policies - result[iam_object_key] == iam_name - iam_policy_name_a in iam_policy_info.policy_names - iam_policy_info.policy_names | length == 1 - iam_policy_info.policies | length == 1 - iam_policy_name_a in iam_policy_info.all_policy_names - iam_policy_info.all_policy_names | length == 1 - iam_policy_info.policies[0].policy_name == iam_policy_name_a - '"Id" not in iam_policy_info.policies[0].policy_document' - name: 'Create policy using document for {{ iam_type }} (idempotency)' iam_policy: state: present iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_a }}' policy_document: '{{ tmpdir.path }}/no_access.json' skip_duplicates: yes register: result - iam_policy_info: iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' register: iam_policy_info - name: 'Assert no change' assert: that: - result is not changed - result.policies | length == 1 - iam_policy_name_a in result.policies - result[iam_object_key] == iam_name - iam_policy_info.policies | length == 1 - iam_policy_info.all_policy_names | length == 1 - iam_policy_name_a in iam_policy_info.all_policy_names - iam_policy_info.policies[0].policy_name == iam_policy_name_a - '"Id" not in iam_policy_info.policies[0].policy_document' # ============================================================ #- name: 'Create policy using document for {{ iam_type }} (check mode) (skip_duplicates)' # check_mode: yes # iam_policy: # state: present # iam_type: '{{ iam_type }}' # iam_name: '{{ iam_name }}' # policy_name: '{{ iam_policy_name_b }}' # policy_document: '{{ tmpdir.path }}/no_access.json' # skip_duplicates: yes # register: result #- iam_policy_info: # iam_type: '{{ iam_type }}' # iam_name: '{{ iam_name }}' # policy_name: '{{ iam_policy_name_b }}' # register: iam_policy_info #- name: 'Assert policy would be added for {{ iam_type }}' # assert: # that: # - result is not changed # - iam_policy_info.all_policy_names | length == 1 # - '"policies" not in iam_policy_info' # - iam_policy_name_b not in iam_policy_info.all_policy_names - name: 'Create policy using document for {{ iam_type }} (skip_duplicates)' iam_policy: state: present iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_b }}' policy_document: '{{ tmpdir.path }}/no_access.json' skip_duplicates: yes register: result - iam_policy_info: iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_b }}' register: iam_policy_info - name: 'Assert policy was not added for {{ iam_type }} (skip_duplicates)' assert: that: - result is not changed - result.policies | length == 1 - iam_policy_name_b not in result.policies - result[iam_object_key] == iam_name - '"policies" not in iam_policy_info' - '"policy_names" not in iam_policy_info' - iam_policy_info.all_policy_names | length == 1 - iam_policy_name_b not in iam_policy_info.all_policy_names #- name: 'Create policy using document for {{ iam_type }} (check mode) (skip_duplicates = no)' # check_mode: yes # iam_policy: # state: present # iam_type: '{{ iam_type }}' # iam_name: '{{ iam_name }}' # policy_name: '{{ iam_policy_name_b }}' # policy_document: '{{ tmpdir.path }}/no_access.json' # skip_duplicates: no # register: result #- iam_policy_info: # iam_type: '{{ iam_type }}' # iam_name: '{{ iam_name }}' # policy_name: '{{ iam_policy_name_b }}' # register: iam_policy_info #- name: 'Assert policy would be added for {{ iam_type }}' # assert: # that: # - result.changed == True # - '"policies" not in iam_policy_info' # - iam_policy_info.all_policy_names | length == 1 # - iam_policy_name_a in iam_policy_info.all_policy_names # - iam_policy_name_b not in iam_policy_info.all_policy_names - name: 'Create policy using document for {{ iam_type }} (skip_duplicates = no)' iam_policy: state: present skip_duplicates: no iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_b }}' policy_document: '{{ tmpdir.path }}/no_access.json' register: result - iam_policy_info: iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_b }}' register: iam_policy_info - name: 'Assert policy was added for {{ iam_type }}' assert: that: - result is changed - result.policies | length == 2 - iam_policy_name_b in result.policies - result[iam_object_key] == iam_name - iam_policy_info.policies | length == 1 - iam_policy_info.all_policy_names | length == 2 - iam_policy_name_a in iam_policy_info.all_policy_names - iam_policy_name_b in iam_policy_info.all_policy_names - iam_policy_info.policies[0].policy_name == iam_policy_name_b - '"Id" not in iam_policy_info.policies[0].policy_document' - name: 'Create policy using document for {{ iam_type }} (idempotency) (skip_duplicates = no)' iam_policy: state: present skip_duplicates: no iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_b }}' policy_document: '{{ tmpdir.path }}/no_access.json' register: result - iam_policy_info: iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_b }}' register: iam_policy_info - name: 'Assert no change' assert: that: - result is not changed - result.policies | length == 2 - iam_policy_name_b in result.policies - result[iam_object_key] == iam_name - iam_policy_info.policies | length == 1 - iam_policy_name_a in iam_policy_info.all_policy_names - iam_policy_name_b in iam_policy_info.all_policy_names - iam_policy_info.all_policy_names | length == 2 - iam_policy_info.policies[0].policy_name == iam_policy_name_b - '"Id" not in iam_policy_info.policies[0].policy_document' # ============================================================ #- name: 'Create policy using json for {{ iam_type }} (check mode)' # check_mode: yes # iam_policy: # state: present # iam_type: '{{ iam_type }}' # iam_name: '{{ iam_name }}' # policy_name: '{{ iam_policy_name_c }}' # policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access_with_id.json") }}' # skip_duplicates: yes # register: result #- iam_policy_info: # iam_type: '{{ iam_type }}' # iam_name: '{{ iam_name }}' # policy_name: '{{ iam_policy_name_c }}' # register: iam_policy_info #- name: 'Assert policy would be added for {{ iam_type }}' # assert: # that: # - result is changed # - '"policies" not in iam_policy_info' # - iam_policy_info.all_policy_names | length == 2 # - iam_policy_name_c not in iam_policy_info.all_policy_names # - iam_policy_name_a in iam_policy_info.all_policy_names # - iam_policy_name_b in iam_policy_info.all_policy_names - name: 'Create policy using json for {{ iam_type }}' iam_policy: state: present iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_c }}' policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access_with_id.json") }}' skip_duplicates: yes register: result - iam_policy_info: iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_c }}' register: iam_policy_info - name: 'Assert policy was added for {{ iam_type }}' assert: that: - result is changed - result.policies | length == 3 - iam_policy_name_c in result.policies - result[iam_object_key] == iam_name - iam_policy_info.policies | length == 1 - iam_policy_name_a in iam_policy_info.all_policy_names - iam_policy_name_b in iam_policy_info.all_policy_names - iam_policy_name_c in iam_policy_info.all_policy_names - iam_policy_info.all_policy_names | length == 3 - iam_policy_info.policies[0].policy_name == iam_policy_name_c - iam_policy_info.policies[0].policy_document.Id == 'MyId' - name: 'Create policy using json for {{ iam_type }} (idempotency)' iam_policy: state: present iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_c }}' policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access_with_id.json") }}' skip_duplicates: yes register: result - iam_policy_info: iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_c }}' register: iam_policy_info - name: 'Assert no change' assert: that: - result is not changed - result.policies | length == 3 - iam_policy_name_c in result.policies - result[iam_object_key] == iam_name - iam_policy_name_a in iam_policy_info.all_policy_names - iam_policy_name_b in iam_policy_info.all_policy_names - iam_policy_name_c in iam_policy_info.all_policy_names - iam_policy_info.all_policy_names | length == 3 - iam_policy_info.policies[0].policy_name == iam_policy_name_c - iam_policy_info.policies[0].policy_document.Id == 'MyId' # ============================================================ #- name: 'Create policy using json for {{ iam_type }} (check mode) (skip_duplicates)' # check_mode: yes # iam_policy: # state: present # iam_type: '{{ iam_type }}' # iam_name: '{{ iam_name }}' # policy_name: '{{ iam_policy_name_d }}' # policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access_with_id.json") }}' # skip_duplicates: yes # register: result #- iam_policy_info: # iam_type: '{{ iam_type }}' # iam_name: '{{ iam_name }}' # policy_name: '{{ iam_policy_name_d }}' # register: iam_policy_info #- name: 'Assert policy would be added for {{ iam_type }}' # assert: # that: # - result is not changed # - iam_policy_name_a in iam_policy_info.all_policy_names # - iam_policy_name_b in iam_policy_info.all_policy_names # - iam_policy_name_c in iam_policy_info.all_policy_names # - iam_policy_name_d not in iam_policy_info.all_policy_names # - iam_policy_info.all_policy_names | length == 3 # - '"policies" not in iam_policy_info' - name: 'Create policy using json for {{ iam_type }} (skip_duplicates)' iam_policy: state: present iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_d }}' policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access_with_id.json") }}' skip_duplicates: yes register: result - iam_policy_info: iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_d }}' register: iam_policy_info - name: 'Assert policy was not added for {{ iam_type }} (skip_duplicates)' assert: that: - result is not changed - result.policies | length == 3 - iam_policy_name_d not in result.policies - result[iam_object_key] == iam_name - iam_policy_name_a in iam_policy_info.all_policy_names - iam_policy_name_b in iam_policy_info.all_policy_names - iam_policy_name_c in iam_policy_info.all_policy_names - iam_policy_name_d not in iam_policy_info.all_policy_names - iam_policy_info.all_policy_names | length == 3 - '"policies" not in iam_policy_info' #- name: 'Create policy using json for {{ iam_type }} (check mode) (skip_duplicates = no)' # check_mode: yes # iam_policy: # state: present # iam_type: '{{ iam_type }}' # iam_name: '{{ iam_name }}' # policy_name: '{{ iam_policy_name_d }}' # policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access_with_id.json") }}' # skip_duplicates: no # register: result #- iam_policy_info: # iam_type: '{{ iam_type }}' # iam_name: '{{ iam_name }}' # policy_name: '{{ iam_policy_name_d }}' # register: iam_policy_info #- name: 'Assert policy would be added for {{ iam_type }}' # assert: # that: # - result.changed == True - name: 'Create policy using json for {{ iam_type }} (skip_duplicates = no)' iam_policy: state: present skip_duplicates: no iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_d }}' policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access_with_id.json") }}' register: result - iam_policy_info: iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_d }}' register: iam_policy_info - name: 'Assert policy was added for {{ iam_type }}' assert: that: - result is changed - result.policies | length == 4 - iam_policy_name_d in result.policies - result[iam_object_key] == iam_name - iam_policy_name_a in iam_policy_info.all_policy_names - iam_policy_name_b in iam_policy_info.all_policy_names - iam_policy_name_c in iam_policy_info.all_policy_names - iam_policy_name_d in iam_policy_info.all_policy_names - iam_policy_name_a not in iam_policy_info.policy_names - iam_policy_name_b not in iam_policy_info.policy_names - iam_policy_name_c not in iam_policy_info.policy_names - iam_policy_name_d in iam_policy_info.policy_names - iam_policy_info.policy_names | length == 1 - iam_policy_info.all_policy_names | length == 4 - iam_policy_info.policies[0].policy_name == iam_policy_name_d - iam_policy_info.policies[0].policy_document.Id == 'MyId' - name: 'Create policy using json for {{ iam_type }} (idempotency) (skip_duplicates = no)' iam_policy: state: present skip_duplicates: no iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_d }}' policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access_with_id.json") }}' register: result - iam_policy_info: iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_d }}' register: iam_policy_info - name: 'Assert no change' assert: that: - result is not changed - result.policies | length == 4 - iam_policy_name_d in result.policies - result[iam_object_key] == iam_name - iam_policy_name_a in iam_policy_info.all_policy_names - iam_policy_name_b in iam_policy_info.all_policy_names - iam_policy_name_c in iam_policy_info.all_policy_names - iam_policy_name_d in iam_policy_info.all_policy_names - iam_policy_info.all_policy_names | length == 4 - iam_policy_info.policies[0].policy_name == iam_policy_name_d - iam_policy_info.policies[0].policy_document.Id == 'MyId' # ============================================================ - name: 'Test fetching multiple policies from {{ iam_type }}' iam_policy_info: iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' register: iam_policy_info - name: 'Assert all policies returned' assert: that: - iam_policy_info is succeeded - iam_policy_info.policies | length == 4 - iam_policy_info.all_policy_names | length == 4 - iam_policy_name_a in iam_policy_info.all_policy_names - iam_policy_name_b in iam_policy_info.all_policy_names - iam_policy_name_c in iam_policy_info.all_policy_names - iam_policy_name_d in iam_policy_info.all_policy_names # Quick test that the policies are the ones we expect - iam_policy_info.policies | json_query('[*].policy_name') | length == 4 - iam_policy_info.policies | json_query('[?policy_document.Id == `MyId`].policy_name') | length == 2 - iam_policy_name_c in (iam_policy_info.policies | json_query('[?policy_document.Id == `MyId`].policy_name') | list) - iam_policy_name_d in (iam_policy_info.policies | json_query('[?policy_document.Id == `MyId`].policy_name') | list) # ============================================================ #- name: 'Update policy using document for {{ iam_type }} (check mode) (skip_duplicates)' # check_mode: yes # iam_policy: # state: present # iam_type: '{{ iam_type }}' # iam_name: '{{ iam_name }}' # policy_name: '{{ iam_policy_name_a }}' # policy_document: '{{ tmpdir.path }}/no_access_with_id.json' # skip_duplicates: yes # register: result #- iam_policy_info: # iam_type: '{{ iam_type }}' # iam_name: '{{ iam_name }}' # policy_name: '{{ iam_policy_name_a }}' # register: iam_policy_info #- name: 'Assert policy would be added for {{ iam_type }}' # assert: # that: # - result is not changed # - iam_policy_info.policies[0].policy_name == iam_policy_name_a # - '"Id" not in iam_policy_info.policies[0].policy_document' - name: 'Update policy using document for {{ iam_type }} (skip_duplicates)' iam_policy: state: present iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_a }}' policy_document: '{{ tmpdir.path }}/no_access_with_id.json' skip_duplicates: yes register: result - iam_policy_info: iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_a }}' register: iam_policy_info - name: 'Assert policy was not updated for {{ iam_type }} (skip_duplicates)' assert: that: - result is not changed - result.policies | length == 4 - iam_policy_name_a in result.policies - result[iam_object_key] == iam_name - iam_policy_info.all_policy_names | length == 4 - iam_policy_info.policies[0].policy_name == iam_policy_name_a - '"Id" not in iam_policy_info.policies[0].policy_document' #- name: 'Update policy using document for {{ iam_type }} (check mode) (skip_duplicates = no)' # check_mode: yes # iam_policy: # state: present # iam_type: '{{ iam_type }}' # iam_name: '{{ iam_name }}' # policy_name: '{{ iam_policy_name_a }}' # policy_document: '{{ tmpdir.path }}/no_access_with_id.json' # skip_duplicates: no # register: result #- iam_policy_info: # iam_type: '{{ iam_type }}' # iam_name: '{{ iam_name }}' # policy_name: '{{ iam_policy_name_a }}' # register: iam_policy_info #- name: 'Assert policy would be updated for {{ iam_type }}' # assert: # that: # - result.changed == True # - iam_policy_info.all_policy_names | length == 4 # - iam_policy_info.policies[0].policy_name == iam_policy_name_a # - '"Id" not in iam_policy_info.policies[0].policy_document' - name: 'Update policy using document for {{ iam_type }} (skip_duplicates = no)' iam_policy: state: present skip_duplicates: no iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_a }}' policy_document: '{{ tmpdir.path }}/no_access_with_id.json' register: result - iam_policy_info: iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_a }}' register: iam_policy_info - name: 'Assert policy was updated for {{ iam_type }}' assert: that: - result is changed - result.policies | length == 4 - iam_policy_name_a in result.policies - result[iam_object_key] == iam_name - iam_policy_info.policies[0].policy_document.Id == 'MyId' - name: 'Update policy using document for {{ iam_type }} (idempotency) (skip_duplicates = no)' iam_policy: state: present skip_duplicates: no iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_a }}' policy_document: '{{ tmpdir.path }}/no_access_with_id.json' register: result - iam_policy_info: iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_a }}' register: iam_policy_info - name: 'Assert no change' assert: that: - result is not changed - result.policies | length == 4 - iam_policy_name_a in result.policies - result[iam_object_key] == iam_name - iam_policy_info.policies[0].policy_document.Id == 'MyId' - name: 'Delete policy A' iam_policy: state: absent iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_a }}' register: result - iam_policy_info: iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_a }}' register: iam_policy_info - name: 'Assert deleted' assert: that: - result is changed - result.policies | length == 3 - iam_policy_name_a not in result.policies - result[iam_object_key] == iam_name - '"policies" not in iam_policy_info' - iam_policy_info.all_policy_names | length == 3 - iam_policy_name_a not in iam_policy_info.all_policy_names # ============================================================ # Update C with no_access.json # Delete C # #- name: 'Update policy using json for {{ iam_type }} (check mode) (skip_duplicates)' # check_mode: yes # iam_policy: # state: present # iam_type: '{{ iam_type }}' # iam_name: '{{ iam_name }}' # policy_name: '{{ iam_policy_name_c }}' # policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access.json") }}' # skip_duplicates: yes # register: result #- iam_policy_info: # iam_type: '{{ iam_type }}' # iam_name: '{{ iam_name }}' # policy_name: '{{ iam_policy_name_c }}' # register: iam_policy_info #- name: 'Assert policy would be added for {{ iam_type }}' # assert: # that: # - result is not changed # - iam_policy_info.policies[0].policy_document.Id == 'MyId' - name: 'Update policy using json for {{ iam_type }} (skip_duplicates)' iam_policy: state: present iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_c }}' policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access.json") }}' skip_duplicates: yes register: result - iam_policy_info: iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_c }}' register: iam_policy_info - name: 'Assert policy was not updated for {{ iam_type }} (skip_duplicates)' assert: that: - result is not changed - result.policies | length == 3 - iam_policy_name_c in result.policies - result[iam_object_key] == iam_name - iam_policy_info.policies[0].policy_document.Id == 'MyId' #- name: 'Update policy using json for {{ iam_type }} (check mode) (skip_duplicates = no)' # check_mode: yes # iam_policy: # state: present # iam_type: '{{ iam_type }}' # iam_name: '{{ iam_name }}' # policy_name: '{{ iam_policy_name_c }}' # policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access.json") }}' # skip_duplicates: no # register: result #- iam_policy_info: # iam_type: '{{ iam_type }}' # iam_name: '{{ iam_name }}' # policy_name: '{{ iam_policy_name_c }}' # register: iam_policy_info #- name: 'Assert policy would be updated for {{ iam_type }}' # assert: # that: # - result.changed == True # - iam_policy_info.policies[0].policy_document.Id == 'MyId' - name: 'Update policy using json for {{ iam_type }} (skip_duplicates = no)' iam_policy: state: present skip_duplicates: no iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_c }}' policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access.json") }}' register: result - iam_policy_info: iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_c }}' register: iam_policy_info - name: 'Assert policy was updated for {{ iam_type }}' assert: that: - result is changed - result.policies | length == 3 - iam_policy_name_c in result.policies - result[iam_object_key] == iam_name - '"Id" not in iam_policy_info.policies[0].policy_document' - name: 'Update policy using json for {{ iam_type }} (idempotency) (skip_duplicates = no)' iam_policy: state: present skip_duplicates: no iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_c }}' policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access.json") }}' register: result - iam_policy_info: iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_c }}' register: iam_policy_info - name: 'Assert no change' assert: that: - result is not changed - result.policies | length == 3 - iam_policy_name_c in result.policies - result[iam_object_key] == iam_name - '"Id" not in iam_policy_info.policies[0].policy_document' - name: 'Delete policy C' iam_policy: state: absent iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_c }}' register: result - iam_policy_info: iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_c }}' register: iam_policy_info - name: 'Assert deleted' assert: that: - result is changed - result.policies | length == 2 - iam_policy_name_c not in result.policies - result[iam_object_key] == iam_name - '"policies" not in iam_policy_info' - iam_policy_info.all_policy_names | length == 2 - iam_policy_name_c not in iam_policy_info.all_policy_names # ============================================================ #- name: 'Update policy using document for {{ iam_type }} (check mode)' # check_mode: yes # iam_policy: # state: present # iam_type: '{{ iam_type }}' # iam_name: '{{ iam_name }}' # policy_name: '{{ iam_policy_name_b }}' # policy_document: '{{ tmpdir.path }}/no_access_with_second_id.json' # register: result #- iam_policy_info: # iam_type: '{{ iam_type }}' # iam_name: '{{ iam_name }}' # policy_name: '{{ iam_policy_name_b }}' # register: iam_policy_info #- name: 'Assert policy would be updated for {{ iam_type }}' # assert: # that: # - result.changed == True # - '"Id" not in iam_policy_info.policies[0].policy_document' - name: 'Update policy using document for {{ iam_type }}' iam_policy: state: present iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_b }}' policy_document: '{{ tmpdir.path }}/no_access_with_second_id.json' register: result - iam_policy_info: iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_b }}' register: iam_policy_info - name: 'Assert policy was updated for {{ iam_type }}' assert: that: - result is changed - result.policies | length == 2 - iam_policy_name_b in result.policies - result[iam_object_key] == iam_name - iam_policy_info.policies[0].policy_document.Id == 'MyOtherId' - name: 'Update policy using document for {{ iam_type }} (idempotency)' iam_policy: state: present iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_b }}' policy_document: '{{ tmpdir.path }}/no_access_with_second_id.json' register: result - iam_policy_info: iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_b }}' register: iam_policy_info - name: 'Assert no change' assert: that: - result is not changed - result.policies | length == 2 - iam_policy_name_b in result.policies - result[iam_object_key] == iam_name - iam_policy_info.policies[0].policy_document.Id == 'MyOtherId' - name: 'Delete policy B' iam_policy: state: absent iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_b }}' register: result - iam_policy_info: iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_b }}' register: iam_policy_info - name: 'Assert deleted' assert: that: - result is changed - result.policies | length == 1 - iam_policy_name_b not in result.policies - result[iam_object_key] == iam_name - '"policies" not in iam_policy_info' - iam_policy_info.all_policy_names | length == 1 - iam_policy_name_b not in iam_policy_info.all_policy_names # ============================================================ #- name: 'Update policy using json for {{ iam_type }} (check mode)' # check_mode: yes # iam_policy: # state: present # iam_type: '{{ iam_type }}' # iam_name: '{{ iam_name }}' # policy_name: '{{ iam_policy_name_d }}' # policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access_with_second_id.json") }}' # register: result #- iam_policy_info: # iam_type: '{{ iam_type }}' # iam_name: '{{ iam_name }}' # policy_name: '{{ iam_policy_name_d }}' # register: iam_policy_info #- name: 'Assert policy would be updated for {{ iam_type }}' # assert: # that: # - result.changed == True # - iam_policy_info.policies[0].policy_document.Id == 'MyId' - name: 'Update policy using json for {{ iam_type }}' iam_policy: state: present iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_d }}' policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access_with_second_id.json") }}' register: result - iam_policy_info: iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_d }}' register: iam_policy_info - name: 'Assert policy was updated for {{ iam_type }}' assert: that: - result is changed - result.policies | length == 1 - iam_policy_name_d in result.policies - result[iam_object_key] == iam_name - iam_policy_info.policies[0].policy_document.Id == 'MyOtherId' - name: 'Update policy using json for {{ iam_type }} (idempotency)' iam_policy: state: present skip_duplicates: no iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_d }}' policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access_with_second_id.json") }}' register: result - iam_policy_info: iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_d }}' register: iam_policy_info - name: 'Assert no change' assert: that: - result is not changed - result.policies | length == 1 - iam_policy_name_d in result.policies - result[iam_object_key] == iam_name - iam_policy_info.policies[0].policy_document.Id == 'MyOtherId' # ============================================================ #- name: 'Delete policy D (check_mode)' # check_mode: yes # iam_policy: # state: absent # iam_type: '{{ iam_type }}' # iam_name: '{{ iam_name }}' # policy_name: '{{ iam_policy_name_d }}' # register: result #- iam_policy_info: # iam_type: '{{ iam_type }}' # iam_name: '{{ iam_name }}' # policy_name: '{{ iam_policy_name_d }}' # register: iam_policy_info #- name: 'Assert not deleted' # assert: # that: # - result is changed # - result.policies | length == 1 # - iam_policy_name_d in result.policies # - result[iam_object_key] == iam_name # - iam_policy_info.all_policy_names | length == 1 # - iam_policy_name_d in iam_policy_info.all_policy_names # - iam_policy_info.policies[0].policy_document.Id == 'MyOtherId' - name: 'Delete policy D' iam_policy: state: absent iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_d }}' register: result - iam_policy_info: iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_d }}' register: iam_policy_info - name: 'Assert deleted' assert: that: - result is changed - '"policies" not in iam_policy_info' - iam_policy_name_d not in result.policies - result[iam_object_key] == iam_name - '"policies" not in iam_policy_info' - iam_policy_info.all_policy_names | length == 0 - name: 'Delete policy D (test idempotency)' iam_policy: state: absent iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_d }}' register: result - iam_policy_info: iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_d }}' register: iam_policy_info - name: 'Assert deleted' assert: that: - result is not changed - '"policies" not in iam_policy_info' - iam_policy_info.all_policy_names | length == 0 always: # ============================================================ - name: 'Delete policy A for {{ iam_type }}' iam_policy: state: absent iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_a }}' ignore_errors: yes - name: 'Delete policy B for {{ iam_type }}' iam_policy: state: absent iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_b }}' ignore_errors: yes - name: 'Delete policy C for {{ iam_type }}' iam_policy: state: absent iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_c }}' ignore_errors: yes - name: 'Delete policy D for {{ iam_type }}' iam_policy: state: absent iam_type: '{{ iam_type }}' iam_name: '{{ iam_name }}' policy_name: '{{ iam_policy_name_d }}' ignore_errors: yes