cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
ansible/test/integration/targets/iam_policy/tasks/object.yml
Mark Chappell f1311d3e98 Rewrite iam_policy using boto3 (#63924) 
* reworked iam_policy

* Deprecate policy_document option

* deprecate defaulting skip_duplicates to true

* No longer explicitly catch ParamValidationError.

ParamValidationErrror is already caught by ClientError

* Work with complex policy objects rather than json documents

comparisons can better cope with the special cases (eg True vs "True" )

* Enable check_mode tests and fix related 'changed' bug

* changelog

* doc cleanup based on review
2019-11-20 16:59:02 -07:00

1065 lines
36 KiB
YAML
Raw Blame History

---
- name: 'Run integration tests for IAM (inline) Policy management on {{ iam_type }}s'
vars:
iam_object_key: '{{ iam_type }}_name'
block:
# ============================================================
- name: 'Fetch policies from {{ iam_type }} before making changes'
iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
register: iam_policy_info
- name: 'Assert empty policy list'
assert:
that:
- iam_policy_info is succeeded
- iam_policy_info.policies | length == 0
- iam_policy_info.all_policy_names | length == 0
- iam_policy_info.policy_names | length == 0
- name: 'Fetch policies from non-existent {{ iam_type }}'
iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}-junk'
register: iam_policy_info
- name: 'Assert not failed'
assert:
that:
- iam_policy_info is succeeded
# ============================================================
- name: 'Create policy using document for {{ iam_type }} (check mode)'
check_mode: yes
iam_policy:
state: present
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_a }}'
policy_document: '{{ tmpdir.path }}/no_access.json'
skip_duplicates: yes
register: result
- name: 'Assert policy would be added for {{ iam_type }}'
assert:
that:
- result is changed
- name: 'Create policy using document for {{ iam_type }}'
iam_policy:
state: present
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_a }}'
policy_document: '{{ tmpdir.path }}/no_access.json'
skip_duplicates: yes
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
register: iam_policy_info
- name: 'Assert policy was added for {{ iam_type }}'
assert:
that:
- result is changed
- result.policies | length == 1
- iam_policy_name_a in result.policies
- result[iam_object_key] == iam_name
- iam_policy_name_a in iam_policy_info.policy_names
- iam_policy_info.policy_names | length == 1
- iam_policy_info.policies | length == 1
- iam_policy_name_a in iam_policy_info.all_policy_names
- iam_policy_info.all_policy_names | length == 1
- iam_policy_info.policies[0].policy_name == iam_policy_name_a
- '"Id" not in iam_policy_info.policies[0].policy_document'
- name: 'Create policy using document for {{ iam_type }} (idempotency)'
iam_policy:
state: present
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_a }}'
policy_document: '{{ tmpdir.path }}/no_access.json'
skip_duplicates: yes
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
register: iam_policy_info
- name: 'Assert no change'
assert:
that:
- result is not changed
- result.policies | length == 1
- iam_policy_name_a in result.policies
- result[iam_object_key] == iam_name
- iam_policy_info.policies | length == 1
- iam_policy_info.all_policy_names | length == 1
- iam_policy_name_a in iam_policy_info.all_policy_names
- iam_policy_info.policies[0].policy_name == iam_policy_name_a
- '"Id" not in iam_policy_info.policies[0].policy_document'
# ============================================================
- name: 'Create policy using document for {{ iam_type }} (check mode) (skip_duplicates)'
check_mode: yes
iam_policy:
state: present
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_b }}'
policy_document: '{{ tmpdir.path }}/no_access.json'
skip_duplicates: yes
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_b }}'
register: iam_policy_info
- name: 'Assert policy would be added for {{ iam_type }}'
assert:
that:
- result is not changed
- iam_policy_info.all_policy_names | length == 1
- '"policies" not in iam_policy_info'
- iam_policy_name_b not in iam_policy_info.all_policy_names
- name: 'Create policy using document for {{ iam_type }} (skip_duplicates)'
iam_policy:
state: present
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_b }}'
policy_document: '{{ tmpdir.path }}/no_access.json'
skip_duplicates: yes
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_b }}'
register: iam_policy_info
- name: 'Assert policy was not added for {{ iam_type }} (skip_duplicates)'
assert:
that:
- result is not changed
- result.policies | length == 1
- iam_policy_name_b not in result.policies
- result[iam_object_key] == iam_name
- '"policies" not in iam_policy_info'
- '"policy_names" not in iam_policy_info'
- iam_policy_info.all_policy_names | length == 1
- iam_policy_name_b not in iam_policy_info.all_policy_names
- name: 'Create policy using document for {{ iam_type }} (check mode) (skip_duplicates = no)'
check_mode: yes
iam_policy:
state: present
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_b }}'
policy_document: '{{ tmpdir.path }}/no_access.json'
skip_duplicates: no
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_b }}'
register: iam_policy_info
- name: 'Assert policy would be added for {{ iam_type }}'
assert:
that:
- result.changed == True
- '"policies" not in iam_policy_info'
- iam_policy_info.all_policy_names | length == 1
- iam_policy_name_a in iam_policy_info.all_policy_names
- iam_policy_name_b not in iam_policy_info.all_policy_names
- name: 'Create policy using document for {{ iam_type }} (skip_duplicates = no)'
iam_policy:
state: present
skip_duplicates: no
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_b }}'
policy_document: '{{ tmpdir.path }}/no_access.json'
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_b }}'
register: iam_policy_info
- name: 'Assert policy was added for {{ iam_type }}'
assert:
that:
- result is changed
- result.policies | length == 2
- iam_policy_name_b in result.policies
- result[iam_object_key] == iam_name
- iam_policy_info.policies | length == 1
- iam_policy_info.all_policy_names | length == 2
- iam_policy_name_a in iam_policy_info.all_policy_names
- iam_policy_name_b in iam_policy_info.all_policy_names
- iam_policy_info.policies[0].policy_name == iam_policy_name_b
- '"Id" not in iam_policy_info.policies[0].policy_document'
- name: 'Create policy using document for {{ iam_type }} (idempotency) (skip_duplicates = no)'
iam_policy:
state: present
skip_duplicates: no
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_b }}'
policy_document: '{{ tmpdir.path }}/no_access.json'
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_b }}'
register: iam_policy_info
- name: 'Assert no change'
assert:
that:
- result is not changed
- result.policies | length == 2
- iam_policy_name_b in result.policies
- result[iam_object_key] == iam_name
- iam_policy_info.policies | length == 1
- iam_policy_name_a in iam_policy_info.all_policy_names
- iam_policy_name_b in iam_policy_info.all_policy_names
- iam_policy_info.all_policy_names | length == 2
- iam_policy_info.policies[0].policy_name == iam_policy_name_b
- '"Id" not in iam_policy_info.policies[0].policy_document'
# ============================================================
- name: 'Create policy using json for {{ iam_type }} (check mode)'
check_mode: yes
iam_policy:
state: present
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_c }}'
policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access_with_id.json") }}'
skip_duplicates: yes
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_c }}'
register: iam_policy_info
- name: 'Assert policy would be added for {{ iam_type }}'
assert:
that:
- result is changed
- '"policies" not in iam_policy_info'
- iam_policy_info.all_policy_names | length == 2
- iam_policy_name_c not in iam_policy_info.all_policy_names
- iam_policy_name_a in iam_policy_info.all_policy_names
- iam_policy_name_b in iam_policy_info.all_policy_names
- name: 'Create policy using json for {{ iam_type }}'
iam_policy:
state: present
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_c }}'
policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access_with_id.json") }}'
skip_duplicates: yes
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_c }}'
register: iam_policy_info
- name: 'Assert policy was added for {{ iam_type }}'
assert:
that:
- result is changed
- result.policies | length == 3
- iam_policy_name_c in result.policies
- result[iam_object_key] == iam_name
- iam_policy_info.policies | length == 1
- iam_policy_name_a in iam_policy_info.all_policy_names
- iam_policy_name_b in iam_policy_info.all_policy_names
- iam_policy_name_c in iam_policy_info.all_policy_names
- iam_policy_info.all_policy_names | length == 3
- iam_policy_info.policies[0].policy_name == iam_policy_name_c
- iam_policy_info.policies[0].policy_document.Id == 'MyId'
- name: 'Create policy using json for {{ iam_type }} (idempotency)'
iam_policy:
state: present
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_c }}'
policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access_with_id.json") }}'
skip_duplicates: yes
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_c }}'
register: iam_policy_info
- name: 'Assert no change'
assert:
that:
- result is not changed
- result.policies | length == 3
- iam_policy_name_c in result.policies
- result[iam_object_key] == iam_name
- iam_policy_name_a in iam_policy_info.all_policy_names
- iam_policy_name_b in iam_policy_info.all_policy_names
- iam_policy_name_c in iam_policy_info.all_policy_names
- iam_policy_info.all_policy_names | length == 3
- iam_policy_info.policies[0].policy_name == iam_policy_name_c
- iam_policy_info.policies[0].policy_document.Id == 'MyId'
# ============================================================
- name: 'Create policy using json for {{ iam_type }} (check mode) (skip_duplicates)'
check_mode: yes
iam_policy:
state: present
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_d }}'
policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access_with_id.json") }}'
skip_duplicates: yes
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_d }}'
register: iam_policy_info
- name: 'Assert policy would be added for {{ iam_type }}'
assert:
that:
- result is not changed
- iam_policy_name_a in iam_policy_info.all_policy_names
- iam_policy_name_b in iam_policy_info.all_policy_names
- iam_policy_name_c in iam_policy_info.all_policy_names
- iam_policy_name_d not in iam_policy_info.all_policy_names
- iam_policy_info.all_policy_names | length == 3
- '"policies" not in iam_policy_info'
- name: 'Create policy using json for {{ iam_type }} (skip_duplicates)'
iam_policy:
state: present
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_d }}'
policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access_with_id.json") }}'
skip_duplicates: yes
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_d }}'
register: iam_policy_info
- name: 'Assert policy was not added for {{ iam_type }} (skip_duplicates)'
assert:
that:
- result is not changed
- result.policies | length == 3
- iam_policy_name_d not in result.policies
- result[iam_object_key] == iam_name
- iam_policy_name_a in iam_policy_info.all_policy_names
- iam_policy_name_b in iam_policy_info.all_policy_names
- iam_policy_name_c in iam_policy_info.all_policy_names
- iam_policy_name_d not in iam_policy_info.all_policy_names
- iam_policy_info.all_policy_names | length == 3
- '"policies" not in iam_policy_info'
- name: 'Create policy using json for {{ iam_type }} (check mode) (skip_duplicates = no)'
check_mode: yes
iam_policy:
state: present
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_d }}'
policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access_with_id.json") }}'
skip_duplicates: no
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_d }}'
register: iam_policy_info
- name: 'Assert policy would be added for {{ iam_type }}'
assert:
that:
- result.changed == True
- name: 'Create policy using json for {{ iam_type }} (skip_duplicates = no)'
iam_policy:
state: present
skip_duplicates: no
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_d }}'
policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access_with_id.json") }}'
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_d }}'
register: iam_policy_info
- name: 'Assert policy was added for {{ iam_type }}'
assert:
that:
- result is changed
- result.policies | length == 4
- iam_policy_name_d in result.policies
- result[iam_object_key] == iam_name
- iam_policy_name_a in iam_policy_info.all_policy_names
- iam_policy_name_b in iam_policy_info.all_policy_names
- iam_policy_name_c in iam_policy_info.all_policy_names
- iam_policy_name_d in iam_policy_info.all_policy_names
- iam_policy_name_a not in iam_policy_info.policy_names
- iam_policy_name_b not in iam_policy_info.policy_names
- iam_policy_name_c not in iam_policy_info.policy_names
- iam_policy_name_d in iam_policy_info.policy_names
- iam_policy_info.policy_names | length == 1
- iam_policy_info.all_policy_names | length == 4
- iam_policy_info.policies[0].policy_name == iam_policy_name_d
- iam_policy_info.policies[0].policy_document.Id == 'MyId'
- name: 'Create policy using json for {{ iam_type }} (idempotency) (skip_duplicates = no)'
iam_policy:
state: present
skip_duplicates: no
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_d }}'
policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access_with_id.json") }}'
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_d }}'
register: iam_policy_info
- name: 'Assert no change'
assert:
that:
- result is not changed
- result.policies | length == 4
- iam_policy_name_d in result.policies
- result[iam_object_key] == iam_name
- iam_policy_name_a in iam_policy_info.all_policy_names
- iam_policy_name_b in iam_policy_info.all_policy_names
- iam_policy_name_c in iam_policy_info.all_policy_names
- iam_policy_name_d in iam_policy_info.all_policy_names
- iam_policy_info.all_policy_names | length == 4
- iam_policy_info.policies[0].policy_name == iam_policy_name_d
- iam_policy_info.policies[0].policy_document.Id == 'MyId'
# ============================================================
- name: 'Test fetching multiple policies from {{ iam_type }}'
iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
register: iam_policy_info
- name: 'Assert all policies returned'
assert:
that:
- iam_policy_info is succeeded
- iam_policy_info.policies | length == 4
- iam_policy_info.all_policy_names | length == 4
- iam_policy_name_a in iam_policy_info.all_policy_names
- iam_policy_name_b in iam_policy_info.all_policy_names
- iam_policy_name_c in iam_policy_info.all_policy_names
- iam_policy_name_d in iam_policy_info.all_policy_names
# Quick test that the policies are the ones we expect
- iam_policy_info.policies | json_query('[*].policy_name') | length == 4
- iam_policy_info.policies | json_query('[?policy_document.Id == `MyId`].policy_name') | length == 2
- iam_policy_name_c in (iam_policy_info.policies | json_query('[?policy_document.Id == `MyId`].policy_name') | list)
- iam_policy_name_d in (iam_policy_info.policies | json_query('[?policy_document.Id == `MyId`].policy_name') | list)
# ============================================================
- name: 'Update policy using document for {{ iam_type }} (check mode) (skip_duplicates)'
check_mode: yes
iam_policy:
state: present
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_a }}'
policy_document: '{{ tmpdir.path }}/no_access_with_id.json'
skip_duplicates: yes
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_a }}'
register: iam_policy_info
- name: 'Assert policy would be added for {{ iam_type }}'
assert:
that:
- result is not changed
- iam_policy_info.policies[0].policy_name == iam_policy_name_a
- '"Id" not in iam_policy_info.policies[0].policy_document'
- name: 'Update policy using document for {{ iam_type }} (skip_duplicates)'
iam_policy:
state: present
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_a }}'
policy_document: '{{ tmpdir.path }}/no_access_with_id.json'
skip_duplicates: yes
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_a }}'
register: iam_policy_info
- name: 'Assert policy was not updated for {{ iam_type }} (skip_duplicates)'
assert:
that:
- result is not changed
- result.policies | length == 4
- iam_policy_name_a in result.policies
- result[iam_object_key] == iam_name
- iam_policy_info.all_policy_names | length == 4
- iam_policy_info.policies[0].policy_name == iam_policy_name_a
- '"Id" not in iam_policy_info.policies[0].policy_document'
- name: 'Update policy using document for {{ iam_type }} (check mode) (skip_duplicates = no)'
check_mode: yes
iam_policy:
state: present
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_a }}'
policy_document: '{{ tmpdir.path }}/no_access_with_id.json'
skip_duplicates: no
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_a }}'
register: iam_policy_info
- name: 'Assert policy would be updated for {{ iam_type }}'
assert:
that:
- result.changed == True
- iam_policy_info.all_policy_names | length == 4
- iam_policy_info.policies[0].policy_name == iam_policy_name_a
- '"Id" not in iam_policy_info.policies[0].policy_document'
- name: 'Update policy using document for {{ iam_type }} (skip_duplicates = no)'
iam_policy:
state: present
skip_duplicates: no
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_a }}'
policy_document: '{{ tmpdir.path }}/no_access_with_id.json'
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_a }}'
register: iam_policy_info
- name: 'Assert policy was updated for {{ iam_type }}'
assert:
that:
- result is changed
- result.policies | length == 4
- iam_policy_name_a in result.policies
- result[iam_object_key] == iam_name
- iam_policy_info.policies[0].policy_document.Id == 'MyId'
- name: 'Update policy using document for {{ iam_type }} (idempotency) (skip_duplicates = no)'
iam_policy:
state: present
skip_duplicates: no
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_a }}'
policy_document: '{{ tmpdir.path }}/no_access_with_id.json'
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_a }}'
register: iam_policy_info
- name: 'Assert no change'
assert:
that:
- result is not changed
- result.policies | length == 4
- iam_policy_name_a in result.policies
- result[iam_object_key] == iam_name
- iam_policy_info.policies[0].policy_document.Id == 'MyId'
- name: 'Delete policy A'
iam_policy:
state: absent
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_a }}'
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_a }}'
register: iam_policy_info
- name: 'Assert deleted'
assert:
that:
- result is changed
- result.policies | length == 3
- iam_policy_name_a not in result.policies
- result[iam_object_key] == iam_name
- '"policies" not in iam_policy_info'
- iam_policy_info.all_policy_names | length == 3
- iam_policy_name_a not in iam_policy_info.all_policy_names
# ============================================================
# Update C with no_access.json
# Delete C
- name: 'Update policy using json for {{ iam_type }} (check mode) (skip_duplicates)'
check_mode: yes
iam_policy:
state: present
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_c }}'
policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access.json") }}'
skip_duplicates: yes
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_c }}'
register: iam_policy_info
- name: 'Assert policy would be added for {{ iam_type }}'
assert:
that:
- result is not changed
- iam_policy_info.policies[0].policy_document.Id == 'MyId'
- name: 'Update policy using json for {{ iam_type }} (skip_duplicates)'
iam_policy:
state: present
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_c }}'
policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access.json") }}'
skip_duplicates: yes
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_c }}'
register: iam_policy_info
- name: 'Assert policy was not updated for {{ iam_type }} (skip_duplicates)'
assert:
that:
- result is not changed
- result.policies | length == 3
- iam_policy_name_c in result.policies
- result[iam_object_key] == iam_name
- iam_policy_info.policies[0].policy_document.Id == 'MyId'
- name: 'Update policy using json for {{ iam_type }} (check mode) (skip_duplicates = no)'
check_mode: yes
iam_policy:
state: present
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_c }}'
policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access.json") }}'
skip_duplicates: no
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_c }}'
register: iam_policy_info
- name: 'Assert policy would be updated for {{ iam_type }}'
assert:
that:
- result.changed == True
- iam_policy_info.policies[0].policy_document.Id == 'MyId'
- name: 'Update policy using json for {{ iam_type }} (skip_duplicates = no)'
iam_policy:
state: present
skip_duplicates: no
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_c }}'
policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access.json") }}'
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_c }}'
register: iam_policy_info
- name: 'Assert policy was updated for {{ iam_type }}'
assert:
that:
- result is changed
- result.policies | length == 3
- iam_policy_name_c in result.policies
- result[iam_object_key] == iam_name
- '"Id" not in iam_policy_info.policies[0].policy_document'
- name: 'Update policy using json for {{ iam_type }} (idempotency) (skip_duplicates = no)'
iam_policy:
state: present
skip_duplicates: no
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_c }}'
policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access.json") }}'
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_c }}'
register: iam_policy_info
- name: 'Assert no change'
assert:
that:
- result is not changed
- result.policies | length == 3
- iam_policy_name_c in result.policies
- result[iam_object_key] == iam_name
- '"Id" not in iam_policy_info.policies[0].policy_document'
- name: 'Delete policy C'
iam_policy:
state: absent
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_c }}'
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_c }}'
register: iam_policy_info
- name: 'Assert deleted'
assert:
that:
- result is changed
- result.policies | length == 2
- iam_policy_name_c not in result.policies
- result[iam_object_key] == iam_name
- '"policies" not in iam_policy_info'
- iam_policy_info.all_policy_names | length == 2
- iam_policy_name_c not in iam_policy_info.all_policy_names
# ============================================================
- name: 'Update policy using document for {{ iam_type }} (check mode)'
check_mode: yes
iam_policy:
state: present
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_b }}'
policy_document: '{{ tmpdir.path }}/no_access_with_second_id.json'
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_b }}'
register: iam_policy_info
- name: 'Assert policy would be updated for {{ iam_type }}'
assert:
that:
- result.changed == True
- '"Id" not in iam_policy_info.policies[0].policy_document'
- name: 'Update policy using document for {{ iam_type }}'
iam_policy:
state: present
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_b }}'
policy_document: '{{ tmpdir.path }}/no_access_with_second_id.json'
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_b }}'
register: iam_policy_info
- name: 'Assert policy was updated for {{ iam_type }}'
assert:
that:
- result is changed
- result.policies | length == 2
- iam_policy_name_b in result.policies
- result[iam_object_key] == iam_name
- iam_policy_info.policies[0].policy_document.Id == 'MyOtherId'
- name: 'Update policy using document for {{ iam_type }} (idempotency)'
iam_policy:
state: present
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_b }}'
policy_document: '{{ tmpdir.path }}/no_access_with_second_id.json'
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_b }}'
register: iam_policy_info
- name: 'Assert no change'
assert:
that:
- result is not changed
- result.policies | length == 2
- iam_policy_name_b in result.policies
- result[iam_object_key] == iam_name
- iam_policy_info.policies[0].policy_document.Id == 'MyOtherId'
- name: 'Delete policy B'
iam_policy:
state: absent
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_b }}'
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_b }}'
register: iam_policy_info
- name: 'Assert deleted'
assert:
that:
- result is changed
- result.policies | length == 1
- iam_policy_name_b not in result.policies
- result[iam_object_key] == iam_name
- '"policies" not in iam_policy_info'
- iam_policy_info.all_policy_names | length == 1
- iam_policy_name_b not in iam_policy_info.all_policy_names
# ============================================================
- name: 'Update policy using json for {{ iam_type }} (check mode)'
check_mode: yes
iam_policy:
state: present
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_d }}'
policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access_with_second_id.json") }}'
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_d }}'
register: iam_policy_info
- name: 'Assert policy would be updated for {{ iam_type }}'
assert:
that:
- result.changed == True
- iam_policy_info.policies[0].policy_document.Id == 'MyId'
- name: 'Update policy using json for {{ iam_type }}'
iam_policy:
state: present
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_d }}'
policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access_with_second_id.json") }}'
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_d }}'
register: iam_policy_info
- name: 'Assert policy was updated for {{ iam_type }}'
assert:
that:
- result is changed
- result.policies | length == 1
- iam_policy_name_d in result.policies
- result[iam_object_key] == iam_name
- iam_policy_info.policies[0].policy_document.Id == 'MyOtherId'
- name: 'Update policy using json for {{ iam_type }} (idempotency)'
iam_policy:
state: present
skip_duplicates: no
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_d }}'
policy_json: '{{ lookup("file", "{{ tmpdir.path }}/no_access_with_second_id.json") }}'
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_d }}'
register: iam_policy_info
- name: 'Assert no change'
assert:
that:
- result is not changed
- result.policies | length == 1
- iam_policy_name_d in result.policies
- result[iam_object_key] == iam_name
- iam_policy_info.policies[0].policy_document.Id == 'MyOtherId'
# ============================================================
- name: 'Delete policy D (check_mode)'
check_mode: yes
iam_policy:
state: absent
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_d }}'
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_d }}'
register: iam_policy_info
- name: 'Assert not deleted'
assert:
that:
- result is changed
- result.policies | length == 1
- iam_policy_name_d in result.policies
- result[iam_object_key] == iam_name
- iam_policy_info.all_policy_names | length == 1
- iam_policy_name_d in iam_policy_info.all_policy_names
- iam_policy_info.policies[0].policy_document.Id == 'MyOtherId'
- name: 'Delete policy D'
iam_policy:
state: absent
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_d }}'
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_d }}'
register: iam_policy_info
- name: 'Assert deleted'
assert:
that:
- result is changed
- '"policies" not in iam_policy_info'
- iam_policy_name_d not in result.policies
- result[iam_object_key] == iam_name
- '"policies" not in iam_policy_info'
- iam_policy_info.all_policy_names | length == 0
- name: 'Delete policy D (test idempotency)'
iam_policy:
state: absent
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_d }}'
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_d }}'
register: iam_policy_info
- name: 'Assert deleted'
assert:
that:
- result is not changed
- '"policies" not in iam_policy_info'
- iam_policy_info.all_policy_names | length == 0
- name: 'Delete policy D (check_mode) (test idempotency)'
check_mode: yes
iam_policy:
state: absent
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_d }}'
register: result
- iam_policy_info:
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_d }}'
register: iam_policy_info
- name: 'Assert deleted'
assert:
that:
- result is not changed
- '"policies" not in iam_policy_info'
- iam_policy_info.all_policy_names | length == 0
always:
# ============================================================
- name: 'Delete policy A for {{ iam_type }}'
iam_policy:
state: absent
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_a }}'
ignore_errors: yes
- name: 'Delete policy B for {{ iam_type }}'
iam_policy:
state: absent
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_b }}'
ignore_errors: yes
- name: 'Delete policy C for {{ iam_type }}'
iam_policy:
state: absent
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_c }}'
ignore_errors: yes
- name: 'Delete policy D for {{ iam_type }}'
iam_policy:
state: absent
iam_type: '{{ iam_type }}'
iam_name: '{{ iam_name }}'
policy_name: '{{ iam_policy_name_d }}'
ignore_errors: yes
Reference in a new issue View git blame Copy permalink