dbc9444572
* Move EC2 networking objects into network-policy.json * ec2_vpc_nacl: Add integration tests * ec2_vpc_nacl: Migrate tests to use module_defaults * ec2_vpc_nacl: (integration tests) Add missing AWS permissions * ec2_vpc_nacl: (integration tests) Update tests for ipv6 support * ec2_vpc_nacl: Migrate to AnsibleAWSModule * Fix sanity tests for ec2_vpc_nacl and ec2_vpc_nacl_info * ec2_vpc_nacl_info: Migrate to AnsibleAWSModule * ec2_vpc_nacl_info: (integration tests) Rename from ec2_vpc_nacl_facts to ec2_vpc_nacl_info and add a test using a filter (by tag) * Pick availability zones dynamically Rather than assuming that AZa and AZb always exist (they don't), query to find out which AZs we have available first * Test that the NACLs we get back are actually the *saml* NACL rather than duplicates/delete remove * Cleanup IPv6 tests a little. Note: IPv6 support for ec2_vpc_nacl not complete yet. This provides the initial framework, and should ensure things don't start exploding when support is added. * Removing subnets by name from a NACL *is* now supported * Fix ec2_vpc_nacl return documentation
170 lines
4.6 KiB
YAML
170 lines
4.6 KiB
YAML
---
|
|
- module_defaults:
|
|
group/aws:
|
|
aws_access_key: "{{ aws_access_key }}"
|
|
aws_secret_key: "{{ aws_secret_key }}"
|
|
security_token: "{{ security_token | default(omit) }}"
|
|
region: "{{ aws_region }}"
|
|
block:
|
|
|
|
# ============================================================
|
|
|
|
- name: test without any parameters
|
|
ec2_vpc_nacl:
|
|
register: result
|
|
ignore_errors: yes
|
|
|
|
- name: assert required parameters
|
|
assert:
|
|
that:
|
|
- result.failed
|
|
- "result.msg == 'one of the following is required: name, nacl_id'"
|
|
|
|
- name: get network ACL info without any parameters
|
|
ec2_vpc_nacl_info:
|
|
register: nacl_facts
|
|
|
|
- name: assert we don't error
|
|
assert:
|
|
that:
|
|
- nacl_facts is succeeded
|
|
|
|
- name: get network ACL info with invalid ID
|
|
ec2_vpc_nacl_info:
|
|
nacl_ids:
|
|
- 'acl-000000000000'
|
|
register: nacl_facts
|
|
ignore_errors: yes
|
|
|
|
- name: assert message mentions missing ACLs
|
|
assert:
|
|
that:
|
|
- nacl_facts is failed
|
|
- '"does not exist" in nacl_facts.msg'
|
|
|
|
# ============================================================
|
|
|
|
- name: fetch AZ availability
|
|
aws_az_info:
|
|
register: az_info
|
|
|
|
- name: Assert that we have multiple AZs available to us
|
|
assert:
|
|
that: az_info.availability_zones | length >= 2
|
|
|
|
- name: pick AZs
|
|
set_fact:
|
|
az_one: '{{ az_info.availability_zones[0].zone_name }}'
|
|
az_two: '{{ az_info.availability_zones[1].zone_name }}'
|
|
|
|
# ============================================================
|
|
|
|
- name: create a VPC
|
|
ec2_vpc_net:
|
|
cidr_block: 10.230.230.0/24
|
|
name: "{{ resource_prefix }}"
|
|
state: present
|
|
register: vpc
|
|
|
|
- name: create subnets
|
|
ec2_vpc_subnet:
|
|
cidr: "{{ item.cidr }}"
|
|
az: "{{ item.az }}"
|
|
vpc_id: "{{ vpc.vpc.id }}"
|
|
state: present
|
|
tags:
|
|
Name: "{{ item.name }}"
|
|
with_items:
|
|
- cidr: 10.230.230.0/26
|
|
az: "{{ az_one }}"
|
|
name: "{{ resource_prefix }}-subnet-1"
|
|
- cidr: 10.230.230.64/26
|
|
az: "{{ az_two }}"
|
|
name: "{{ resource_prefix }}-subnet-2"
|
|
- cidr: 10.230.230.128/26
|
|
az: "{{ az_one }}"
|
|
name: "{{ resource_prefix }}-subnet-3"
|
|
- cidr: 10.230.230.192/26
|
|
az: "{{ az_two }}"
|
|
name: "{{ resource_prefix }}-subnet-4"
|
|
register: subnets
|
|
|
|
# ============================================================
|
|
|
|
- include_tasks: tasks/subnet_ids.yml
|
|
vars:
|
|
vpc_id: "{{ vpc.vpc.id }}"
|
|
subnet_ids: "{{ subnets | json_query('results[*].subnet.id') }}"
|
|
|
|
- include_tasks: tasks/subnet_names.yml
|
|
vars:
|
|
vpc_id: "{{ vpc.vpc.id }}"
|
|
subnet_names: "{{ subnets | json_query('results[*].subnet.tags.Name') }}"
|
|
|
|
- include_tasks: tasks/tags.yml
|
|
vars:
|
|
vpc_id: "{{ vpc.vpc.id }}"
|
|
subnet_ids: "{{ subnets | json_query('results[*].subnet.id') }}"
|
|
|
|
- include_tasks: tasks/ingress_and_egress.yml
|
|
vars:
|
|
vpc_id: "{{ vpc.vpc.id }}"
|
|
subnet_ids: "{{ subnets | json_query('results[*].subnet.id') }}"
|
|
|
|
- include_tasks: tasks/ipv6.yml
|
|
|
|
# ============================================================
|
|
|
|
always:
|
|
|
|
- name: remove network ACL
|
|
ec2_vpc_nacl:
|
|
vpc_id: "{{ vpc.vpc.id }}"
|
|
name: "{{ resource_prefix }}-acl"
|
|
state: absent
|
|
register: removed_acl
|
|
until: removed_acl is success
|
|
retries: 5
|
|
delay: 5
|
|
ignore_errors: yes
|
|
|
|
- name: remove subnets
|
|
ec2_vpc_subnet:
|
|
cidr: "{{ item.cidr }}"
|
|
az: "{{ aws_region}}{{ item.az }}"
|
|
vpc_id: "{{ vpc.vpc.id }}"
|
|
state: absent
|
|
tags:
|
|
Public: "{{ item.public | string }}"
|
|
Name: "{{ item.public | ternary('public', 'private') }}-{{ item.az }}"
|
|
with_items:
|
|
- cidr: 10.230.230.0/26
|
|
az: "a"
|
|
public: "True"
|
|
- cidr: 10.230.230.64/26
|
|
az: "b"
|
|
public: "True"
|
|
- cidr: 10.230.230.128/26
|
|
az: "a"
|
|
public: "False"
|
|
- cidr: 10.230.230.192/26
|
|
az: "b"
|
|
public: "False"
|
|
ignore_errors: yes
|
|
register: removed_subnets
|
|
until: removed_subnets is success
|
|
retries: 5
|
|
delay: 5
|
|
|
|
- name: remove the VPC
|
|
ec2_vpc_net:
|
|
cidr_block: 10.230.230.0/24
|
|
name: "{{ resource_prefix }}"
|
|
state: absent
|
|
ignore_errors: yes
|
|
register: removed_vpc
|
|
until: removed_vpc is success
|
|
retries: 5
|
|
delay: 5
|
|
|
|
# ============================================================
|