858a1b09bb
* Refactor ec2_group Replace nested for loops with list comprehensions Purge rules before adding new ones in case sg has maximum permitted rules
* Add check mode tests for ec2_group
* add tests
* Remove dead code
* Fix integration test assertions for old boto versions
* Add waiter for security group that is autocreated
* Add support for in-account group rules
* Add common util to get AWS account ID Fixes #31383
* Fix protocol number and add separate tests for egress rule handling
* Return egress rule treatment to be backwards compatible
* Remove functions that were obsoleted by `Rule` namedtuple
* IP tests
* Move description updates to a function
* Fix string formatting missing index
* Add tests for auto-creation of the same group in quick succession
* Resolve use of brand-new group in a rule without a description
* Clean up duplicated get-security-group function
* Add reverse cleanup in case of dependency issues
* Add cross-account ELB group support
* Deal with non-STS calls to account API
* Add filtering of owner IDs that match the current account
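---
# Integration tests for ec2_group egress-rule handling: the implicit
# default "allow all" egress rule, purge_rules_egress semantics, and
# custom egress rules. Every task works on one group,
# '{{ec2_group_name}}-egress-tests', in vpc_result.vpc.id (assumed to be
# registered by an earlier task file -- confirm in the role's main.yml).
- block:
    # Credentials are cached once as an anchored fact and merged into every
    # module call with `<<: *aws_connection_info`. no_log keeps the secret
    # key and session token out of playbook output and callback logs.
    - name: set up aws connection info
      set_fact:
        aws_connection_info: &aws_connection_info
          aws_access_key: "{{ aws_access_key }}"
          aws_secret_key: "{{ aws_secret_key }}"
          security_token: "{{ security_token }}"
          region: "{{ aws_region }}"
      no_log: true

    # A freshly created VPC security group carries exactly one egress rule
    # (all traffic to 0.0.0.0/0) and no ingress rules.
    - name: Create a group with only the default rule
      ec2_group:
        name: '{{ec2_group_name}}-egress-tests'
        vpc_id: '{{ vpc_result.vpc.id }}'
        description: '{{ec2_group_description}}'
        <<: *aws_connection_info
        state: present
      register: result

    - name: assert default rule is in place (expected changed=true)
      assert:
        that:
          - result is changed
          - result.ip_permissions|length == 0
          - result.ip_permissions_egress|length == 1
          - result.ip_permissions_egress[0].ip_ranges[0].cidr_ip == '0.0.0.0/0'

    # Idempotency: re-running with purge disabled and no rules_egress must
    # leave the default rule untouched and report no change.
    - name: Create a group with only the default rule (expected changed=false)
      ec2_group:
        name: '{{ec2_group_name}}-egress-tests'
        vpc_id: '{{ vpc_result.vpc.id }}'
        description: '{{ec2_group_description}}'
        purge_rules_egress: false
        <<: *aws_connection_info
        state: present
      register: result

    - name: assert default rule is not purged (expected changed=false)
      assert:
        that:
          - result is not changed
          - result.ip_permissions|length == 0
          - result.ip_permissions_egress|length == 1
          - result.ip_permissions_egress[0].ip_ranges[0].cidr_ip == '0.0.0.0/0'

    # An explicit empty list must not be treated as "remove everything"
    # while purging is disabled.
    - name: Pass empty egress rules without purging, should leave default rule in place
      ec2_group:
        name: '{{ec2_group_name}}-egress-tests'
        description: '{{ec2_group_description}}'
        vpc_id: '{{ vpc_result.vpc.id }}'
        purge_rules_egress: false
        rules_egress: []
        <<: *aws_connection_info
        state: present
      register: result

    - name: assert default rule is not purged (expected changed=false)
      assert:
        that:
          - result is not changed
          - result.ip_permissions|length == 0
          - result.ip_permissions_egress|length == 1
          - result.ip_permissions_egress[0].ip_ranges[0].cidr_ip == '0.0.0.0/0'

    # With purging enabled, an empty rules_egress list removes the default
    # rule too, leaving the group with no egress at all.
    - name: Purge rules, including the default
      ec2_group:
        name: '{{ec2_group_name}}-egress-tests'
        description: '{{ec2_group_description}}'
        vpc_id: '{{ vpc_result.vpc.id }}'
        purge_rules_egress: true
        rules_egress: []
        <<: *aws_connection_info
        state: present
      register: result

    # The task name previously claimed "not purged / changed=false" while
    # the assertions check the opposite; the name now matches the checks.
    - name: assert default rule is purged (expected changed=true)
      assert:
        that:
          - result is changed
          - result.ip_permissions|length == 0
          - result.ip_permissions_egress|length == 0

    # Custom egress rules use non-routable test addresses on a single
    # port each; they only need to be distinguishable from each other.
    - name: Add a custom egress rule
      ec2_group:
        name: '{{ec2_group_name}}-egress-tests'
        description: '{{ec2_group_description}}'
        vpc_id: '{{ vpc_result.vpc.id }}'
        rules_egress:
          - proto: tcp
            ports:
              - 1212
            cidr_ip: 1.2.1.2/32
        <<: *aws_connection_info
        state: present
      register: result

    - name: assert first rule is here
      assert:
        that:
          - result.ip_permissions_egress|length == 1

    # purge_rules_egress: false keeps the 1212 rule while 2323 is added.
    - name: Add a second custom egress rule
      ec2_group:
        name: '{{ec2_group_name}}-egress-tests'
        description: '{{ec2_group_description}}'
        purge_rules_egress: false
        vpc_id: '{{ vpc_result.vpc.id }}'
        rules_egress:
          - proto: tcp
            ports:
              - 2323
            cidr_ip: 2.3.2.3/32
        <<: *aws_connection_info
        state: present
      register: result

    - name: assert the first rule is not purged
      assert:
        that:
          - result.ip_permissions_egress|length == 2

    # Default purge behaviour: declaring only the 1212 rule drops the 2323
    # rule that is no longer listed.
    - name: Purge the second rule
      ec2_group:
        name: '{{ec2_group_name}}-egress-tests'
        description: '{{ec2_group_description}}'
        vpc_id: '{{ vpc_result.vpc.id }}'
        rules_egress:
          - proto: tcp
            ports:
              - 1212
            cidr_ip: 1.2.1.2/32
        <<: *aws_connection_info
        state: present
      register: result

    - name: assert first rule is here
      assert:
        that:
          - result.ip_permissions_egress|length == 1
          - result.ip_permissions_egress[0].ip_ranges[0].cidr_ip == '1.2.1.2/32'

    # A port range covering all TCP ports; with the default purge this
    # replaces the 1212 rule rather than joining it.
    - name: add a rule for all TCP ports
      ec2_group:
        name: '{{ec2_group_name}}-egress-tests'
        description: '{{ec2_group_description}}'
        rules_egress:
          - proto: tcp
            ports: 0-65535
            cidr_ip: 0.0.0.0/0
        <<: *aws_connection_info
        state: present
        vpc_id: '{{ vpc_result.vpc.id }}'
      register: result

    # Previously this step had no assertion at all, so a regression in
    # port-range handling would have passed silently.
    - name: assert only the all-TCP-ports rule remains (expected changed=true)
      assert:
        that:
          - result is changed
          - result.ip_permissions_egress|length == 1
          - result.ip_permissions_egress[0].ip_ranges[0].cidr_ip == '0.0.0.0/0'

    # proto -1 is the AWS "all protocols" value; this restores the group
    # to its default allow-all egress state.
    - name: Re-add the default rule
      ec2_group:
        name: '{{ec2_group_name}}-egress-tests'
        description: '{{ec2_group_description}}'
        rules_egress:
          - proto: -1
            cidr_ip: 0.0.0.0/0
        <<: *aws_connection_info
        state: present
        vpc_id: '{{ vpc_result.vpc.id }}'
      register: result

    # Previously unasserted as well; the all-TCP rule must have been
    # replaced by the single all-protocols rule.
    - name: assert default rule is back (expected changed=true)
      assert:
        that:
          - result is changed
          - result.ip_permissions_egress|length == 1
          - result.ip_permissions_egress[0].ip_ranges[0].cidr_ip == '0.0.0.0/0'

  # Cleanup runs even when an assertion above fails, so the test account
  # is not left with a stray permissive security group.
  always:
    - name: tidy up egress rule test security group
      ec2_group:
        name: '{{ec2_group_name}}-egress-tests'
        state: absent
        vpc_id: '{{ vpc_result.vpc.id }}'
        <<: *aws_connection_info
      ignore_errors: true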