caa5abdfc9
* Fix TypeError in ec2_group.py for Python3 when sorting dictionary list * Using json.loads() and dumps() to replace sorting * Bug fixes for ec2_group.py * Dictionaries cannot be compared/sorted in Python3 * Diff will occur when the IpPermissions have the same IpRanges but have different ordering * 'before' will be sorted by 'Type' with high priority than 'IP', but 'boto3.describe_security_groups()' function cannot get 'Type' from Amazon * Add some basic diff mode testing to exercise the rule-sorting code
184 lines
4.6 KiB
YAML
184 lines
4.6 KiB
YAML
---
|
|
- name: set up aws connection info
|
|
set_fact:
|
|
aws_connection_info: &aws_connection_info
|
|
aws_access_key: "{{ aws_access_key }}"
|
|
aws_secret_key: "{{ aws_secret_key }}"
|
|
security_token: "{{ security_token }}"
|
|
region: "{{ aws_region }}"
|
|
no_log: yes
|
|
|
|
# ============================================================
|
|
|
|
- name: create a group with a rule (CHECK MODE + DIFF)
|
|
ec2_group:
|
|
name: '{{ ec2_group_name }}'
|
|
description: '{{ ec2_group_description }}'
|
|
state: present
|
|
rules:
|
|
- proto: tcp
|
|
from_port: 80
|
|
to_port: 80
|
|
cidr_ip: 0.0.0.0/0
|
|
rules_egress:
|
|
- proto: all
|
|
cidr_ip: 0.0.0.0/0
|
|
<<: *aws_connection_info
|
|
register: check_mode_result
|
|
check_mode: true
|
|
diff: true
|
|
|
|
- assert:
|
|
that:
|
|
- check_mode_result.changed
|
|
|
|
- name: create a group with a rule (DIFF)
|
|
ec2_group:
|
|
name: '{{ ec2_group_name }}'
|
|
description: '{{ ec2_group_description }}'
|
|
state: present
|
|
rules:
|
|
- proto: tcp
|
|
from_port: 80
|
|
to_port: 80
|
|
cidr_ip: 0.0.0.0/0
|
|
rules_egress:
|
|
- proto: all
|
|
cidr_ip: 0.0.0.0/0
|
|
<<: *aws_connection_info
|
|
register: result
|
|
diff: true
|
|
|
|
- assert:
|
|
that:
|
|
- result.changed
|
|
- result.diff.0.after.ip_permissions == check_mode_result.diff.0.after.ip_permissions
|
|
- result.diff.0.after.ip_permissions_egress == check_mode_result.diff.0.after.ip_permissions_egress
|
|
|
|
- name: add rules to make sorting occur (CHECK MODE + DIFF)
|
|
ec2_group:
|
|
name: '{{ ec2_group_name }}'
|
|
description: '{{ ec2_group_description }}'
|
|
state: present
|
|
rules:
|
|
- proto: tcp
|
|
from_port: 80
|
|
to_port: 80
|
|
cidr_ip: 0.0.0.0/0
|
|
- proto: tcp
|
|
from_port: 22
|
|
to_port: 22
|
|
cidr_ip: 20.0.0.0/8
|
|
- proto: tcp
|
|
from_port: 22
|
|
to_port: 22
|
|
cidr_ip: 10.0.0.0/8
|
|
rules_egress:
|
|
- proto: all
|
|
cidr_ip: 0.0.0.0/0
|
|
<<: *aws_connection_info
|
|
register: check_mode_result
|
|
check_mode: true
|
|
diff: true
|
|
|
|
- assert:
|
|
that:
|
|
- check_mode_result.changed
|
|
|
|
- name: add rules in a different order to test sorting consistency (DIFF)
|
|
ec2_group:
|
|
name: '{{ ec2_group_name }}'
|
|
description: '{{ ec2_group_description }}'
|
|
state: present
|
|
rules:
|
|
- proto: tcp
|
|
from_port: 22
|
|
to_port: 22
|
|
cidr_ip: 20.0.0.0/8
|
|
- proto: tcp
|
|
from_port: 80
|
|
to_port: 80
|
|
cidr_ip: 0.0.0.0/0
|
|
- proto: tcp
|
|
from_port: 22
|
|
to_port: 22
|
|
cidr_ip: 10.0.0.0/8
|
|
rules_egress:
|
|
- proto: all
|
|
cidr_ip: 0.0.0.0/0
|
|
<<: *aws_connection_info
|
|
register: result
|
|
diff: true
|
|
|
|
- assert:
|
|
that:
|
|
- result.changed
|
|
- result.diff.0.after.ip_permissions == check_mode_result.diff.0.after.ip_permissions
|
|
- result.diff.0.after.ip_permissions_egress == check_mode_result.diff.0.after.ip_permissions_egress
|
|
|
|
- name: purge rules (CHECK MODE + DIFF)
|
|
ec2_group:
|
|
name: '{{ ec2_group_name }}'
|
|
description: '{{ ec2_group_description }}'
|
|
state: present
|
|
rules:
|
|
- proto: tcp
|
|
from_port: 80
|
|
to_port: 80
|
|
cidr_ip: 0.0.0.0/0
|
|
rules_egress: []
|
|
<<: *aws_connection_info
|
|
register: check_mode_result
|
|
check_mode: true
|
|
diff: true
|
|
|
|
- assert:
|
|
that:
|
|
- check_mode_result.changed
|
|
|
|
- name: purge rules (DIFF)
|
|
ec2_group:
|
|
name: '{{ ec2_group_name }}'
|
|
description: '{{ ec2_group_description }}'
|
|
state: present
|
|
rules:
|
|
- proto: tcp
|
|
from_port: 80
|
|
to_port: 80
|
|
cidr_ip: 0.0.0.0/0
|
|
rules_egress: []
|
|
<<: *aws_connection_info
|
|
register: result
|
|
diff: true
|
|
|
|
- assert:
|
|
that:
|
|
- result.changed
|
|
- result.diff.0.after.ip_permissions == check_mode_result.diff.0.after.ip_permissions
|
|
- result.diff.0.after.ip_permissions_egress == check_mode_result.diff.0.after.ip_permissions_egress
|
|
|
|
- name: delete the security group (CHECK MODE + DIFF)
|
|
ec2_group:
|
|
name: '{{ ec2_group_name }}'
|
|
state: absent
|
|
<<: *aws_connection_info
|
|
register: check_mode_result
|
|
diff: true
|
|
check_mode: true
|
|
|
|
- assert:
|
|
that:
|
|
- check_mode_result.changed
|
|
|
|
- name: delete the security group (DIFF)
|
|
ec2_group:
|
|
name: '{{ ec2_group_name }}'
|
|
state: absent
|
|
<<: *aws_connection_info
|
|
register: result
|
|
diff: true
|
|
|
|
- assert:
|
|
that:
|
|
- result.changed
|
|
- not result.diff.0.after and not check_mode_result.diff.0.after
|