270 lines
6.3 KiB
YAML
270 lines
6.3 KiB
YAML
- name: Prepare random number
|
|
set_fact:
|
|
rpfx: "{{ resource_group | hash('md5') | truncate(7, True, '') }}{{ 1000 | random }}"
|
|
tenant_id: "{{ azure_tenant }}"
|
|
run_once: yes
|
|
|
|
- name: lookup service principal object id
|
|
set_fact:
|
|
object_id: "{{ lookup('azure_service_principal_attribute',
|
|
azure_client_id=azure_client_id,
|
|
azure_secret=azure_secret,
|
|
azure_tenant=tenant_id) }}"
|
|
register: object_id
|
|
|
|
- name: Create instance of Key Vault -- check mode
|
|
azure_rm_keyvault:
|
|
resource_group: "{{ resource_group }}"
|
|
vault_name: "vault{{ rpfx }}"
|
|
enabled_for_deployment: yes
|
|
vault_tenant: "{{ tenant_id }}"
|
|
sku:
|
|
name: standard
|
|
family: A
|
|
access_policies:
|
|
- tenant_id: "{{ tenant_id }}"
|
|
object_id: "{{ object_id }}"
|
|
keys:
|
|
- get
|
|
- list
|
|
- update
|
|
- create
|
|
- import
|
|
- delete
|
|
- recover
|
|
- backup
|
|
- restore
|
|
secrets:
|
|
- get
|
|
- list
|
|
- set
|
|
- delete
|
|
- recover
|
|
- backup
|
|
- restore
|
|
check_mode: yes
|
|
register: output
|
|
- name: Assert the resource instance is well created
|
|
assert:
|
|
that:
|
|
- output.changed
|
|
|
|
- name: Create instance of Key Vault
|
|
azure_rm_keyvault:
|
|
resource_group: "{{ resource_group }}"
|
|
vault_name: "vault{{ rpfx }}"
|
|
enabled_for_deployment: yes
|
|
vault_tenant: "{{ tenant_id }}"
|
|
sku:
|
|
name: standard
|
|
family: A
|
|
access_policies:
|
|
- tenant_id: "{{ tenant_id }}"
|
|
object_id: "{{ object_id }}"
|
|
secrets:
|
|
- get
|
|
- list
|
|
- set
|
|
- delete
|
|
- recover
|
|
- backup
|
|
- restore
|
|
register: output
|
|
- name: Assert the resource instance is well created
|
|
assert:
|
|
that:
|
|
- output.changed
|
|
|
|
- name: Create instance of Key Vault again
|
|
azure_rm_keyvault:
|
|
resource_group: "{{ resource_group }}"
|
|
vault_name: "vault{{ rpfx }}"
|
|
enabled_for_deployment: yes
|
|
vault_tenant: "{{ tenant_id }}"
|
|
sku:
|
|
name: standard
|
|
family: A
|
|
access_policies:
|
|
- tenant_id: "{{ tenant_id }}"
|
|
object_id: "{{ object_id }}"
|
|
secrets:
|
|
- get
|
|
- list
|
|
- set
|
|
- delete
|
|
- recover
|
|
- backup
|
|
- restore
|
|
register: output
|
|
- name: Assert the state has not changed
|
|
assert:
|
|
that:
|
|
- output.changed == false
|
|
|
|
- name: Update existing Key Vault (add a rule and tags)
|
|
azure_rm_keyvault:
|
|
resource_group: "{{ resource_group }}"
|
|
vault_name: "vault{{ rpfx }}"
|
|
enabled_for_deployment: yes
|
|
vault_tenant: "{{ tenant_id }}"
|
|
sku:
|
|
name: standard
|
|
family: A
|
|
access_policies:
|
|
- tenant_id: "{{ tenant_id }}"
|
|
object_id: "{{ object_id }}"
|
|
keys:
|
|
- get
|
|
- list
|
|
- update
|
|
- create
|
|
- import
|
|
- delete
|
|
- recover
|
|
- backup
|
|
- restore
|
|
secrets:
|
|
- get
|
|
- list
|
|
- set
|
|
- delete
|
|
- recover
|
|
- backup
|
|
- restore
|
|
tags:
|
|
aaa: bbb
|
|
register: output
|
|
- name: Assert the state has changed
|
|
assert:
|
|
that:
|
|
- output.changed == true
|
|
|
|
- name: Get key vault facts
|
|
azure_rm_keyvault_info:
|
|
resource_group: "{{ resource_group }}"
|
|
name: "vault{{ rpfx }}"
|
|
register: facts
|
|
|
|
- name: Assert the facts are properly set
|
|
assert:
|
|
that:
|
|
- facts['keyvaults'] | length == 1
|
|
- facts['keyvaults'][0]['vault_uri'] != None
|
|
- facts['keyvaults'][0]['name'] != None
|
|
- facts['keyvaults'][0]['access_policies'] != None
|
|
- facts['keyvaults'][0]['sku'] != None
|
|
- facts['keyvaults'][0]['id'] != None
|
|
#
|
|
# azure_rm_keyvaultkey tests
|
|
#
|
|
|
|
- name: create a keyvault key
|
|
block:
|
|
- azure_rm_keyvaultkey:
|
|
keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
|
|
key_name: testkey
|
|
tags:
|
|
testing: test
|
|
delete: on-exit
|
|
register: output
|
|
- assert:
|
|
that: output.changed
|
|
rescue:
|
|
- azure_rm_keyvaultkey:
|
|
keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
|
|
state: absent
|
|
key_name: testkey
|
|
|
|
- name: Get key current version
|
|
azure_rm_keyvaultkey_info:
|
|
vault_uri: https://vault{{ rpfx }}.vault.azure.net
|
|
name: testkey
|
|
register: facts
|
|
|
|
- name: Assert key facts
|
|
assert:
|
|
that:
|
|
- facts['keys'] | length == 1
|
|
- facts['keys'][0]['kid']
|
|
- facts['keys'][0]['permitted_operations'] | length > 0
|
|
- facts['keys'][0]['type']
|
|
- facts['keys'][0]['version']
|
|
|
|
- name: delete a kevyault key
|
|
azure_rm_keyvaultkey:
|
|
keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
|
|
state: absent
|
|
key_name: testkey
|
|
register: output
|
|
|
|
- assert:
|
|
that: output.changed
|
|
|
|
#
|
|
# azure_rm_keyvaultsecret tests
|
|
#
|
|
- name: create a keyvault secret
|
|
block:
|
|
- azure_rm_keyvaultsecret:
|
|
keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
|
|
secret_name: testsecret
|
|
secret_value: 'mysecret'
|
|
tags:
|
|
testing: test
|
|
delete: on-exit
|
|
register: output
|
|
- assert:
|
|
that: output.changed
|
|
rescue:
|
|
- azure_rm_keyvaultsecret:
|
|
keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
|
|
state: absent
|
|
secret_name: testsecret
|
|
|
|
- name: delete a keyvault secret
|
|
azure_rm_keyvaultsecret:
|
|
keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
|
|
state: absent
|
|
secret_name: testsecret
|
|
register: output
|
|
|
|
- assert:
|
|
that: output.changed
|
|
|
|
#
|
|
# azure_rm_keyvault finalize & clean up
|
|
#
|
|
|
|
- name: Delete instance of Key Vault -- check mode
|
|
azure_rm_keyvault:
|
|
resource_group: "{{ resource_group }}"
|
|
vault_name: "vault{{ rpfx }}"
|
|
state: absent
|
|
check_mode: yes
|
|
register: output
|
|
- name: Assert the state has changed
|
|
assert:
|
|
that:
|
|
- output.changed
|
|
|
|
- name: Delete instance of Key Vault
|
|
azure_rm_keyvault:
|
|
resource_group: "{{ resource_group }}"
|
|
vault_name: "vault{{ rpfx }}"
|
|
state: absent
|
|
register: output
|
|
- name: Assert the state has changed
|
|
assert:
|
|
that:
|
|
- output.changed
|
|
|
|
- name: Delete unexisting instance of Key Vault
|
|
azure_rm_keyvault:
|
|
resource_group: "{{ resource_group }}"
|
|
vault_name: "vault{{ rpfx }}"
|
|
state: absent
|
|
register: output
|
|
- name: Assert the state has changed
|
|
assert:
|
|
that:
|
|
- output.changed == false
|