ansible/test/integration/targets/ec2_group/tasks/egress_tests.yml
Ryan Brown 858a1b09bb EC2_group module refactor (formerly pr/37255) (#38678)
* Refactor ec2_group

Replace nested for loops with list comprehensions

Purge rules before adding new ones in case sg has maximum permitted rules

* Add check mode tests for ec2_group

* add tests

* Remove dead code

* Fix integration test assertions for old boto versions

* Add waiter for security group that is autocreated

* Add support for in-account group rules

* Add common util to get AWS account ID

Fixes #31383

* Fix protocol number and add separate tests for egress rule handling

* Return egress rule treatment to be backwards compatible

* Remove functions that were obsoleted by `Rule` namedtuple

* IP tests

* Move description updates to a function

* Fix string formatting missing index

* Add tests for auto-creation of the same group in quick succession

* Resolve use of brand-new group in a rule without a description

* Clean up duplicated get-security-group function

* Add reverse cleanup in case of dependency issues

* Add crossaccount ELB group support

* Deal with non-STS calls to account API

* Add filtering of owner IDs that match the current account
2018-05-24 11:53:21 -04:00

175 lines
5.3 KiB
YAML

---
- block:
- name: set up aws connection info
set_fact:
aws_connection_info: &aws_connection_info
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
security_token: "{{ security_token }}"
region: "{{ aws_region }}"
no_log: yes
- name: Create a group with only the default rule
ec2_group:
name: '{{ec2_group_name}}-egress-tests'
vpc_id: '{{ vpc_result.vpc.id }}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
state: present
register: result
- name: assert default rule is in place (expected changed=true)
assert:
that:
- result is changed
- result.ip_permissions|length == 0
- result.ip_permissions_egress|length == 1
- result.ip_permissions_egress[0].ip_ranges[0].cidr_ip == '0.0.0.0/0'
- name: Create a group with only the default rule
ec2_group:
name: '{{ec2_group_name}}-egress-tests'
vpc_id: '{{ vpc_result.vpc.id }}'
description: '{{ec2_group_description}}'
purge_rules_egress: false
<<: *aws_connection_info
state: present
register: result
- name: assert default rule is not purged (expected changed=false)
assert:
that:
- result is not changed
- result.ip_permissions|length == 0
- result.ip_permissions_egress|length == 1
- result.ip_permissions_egress[0].ip_ranges[0].cidr_ip == '0.0.0.0/0'
- name: Pass empty egress rules without purging, should leave default rule in place
ec2_group:
name: '{{ec2_group_name}}-egress-tests'
description: '{{ec2_group_description}}'
vpc_id: '{{ vpc_result.vpc.id }}'
purge_rules_egress: false
rules_egress: []
<<: *aws_connection_info
state: present
register: result
- name: assert default rule is not purged (expected changed=false)
assert:
that:
- result is not changed
- result.ip_permissions|length == 0
- result.ip_permissions_egress|length == 1
- result.ip_permissions_egress[0].ip_ranges[0].cidr_ip == '0.0.0.0/0'
- name: Purge rules, including the default
ec2_group:
name: '{{ec2_group_name}}-egress-tests'
description: '{{ec2_group_description}}'
vpc_id: '{{ vpc_result.vpc.id }}'
purge_rules_egress: true
rules_egress: []
<<: *aws_connection_info
state: present
register: result
- name: assert default rule is not purged (expected changed=false)
assert:
that:
- result is changed
- result.ip_permissions|length == 0
- result.ip_permissions_egress|length == 0
- name: Add a custom egress rule
ec2_group:
name: '{{ec2_group_name}}-egress-tests'
description: '{{ec2_group_description}}'
vpc_id: '{{ vpc_result.vpc.id }}'
rules_egress:
- proto: tcp
ports:
- 1212
cidr_ip: 1.2.1.2/32
<<: *aws_connection_info
state: present
register: result
- name: assert first rule is here
assert:
that:
- result.ip_permissions_egress|length == 1
- name: Add a second custom egress rule
ec2_group:
name: '{{ec2_group_name}}-egress-tests'
description: '{{ec2_group_description}}'
purge_rules_egress: false
vpc_id: '{{ vpc_result.vpc.id }}'
rules_egress:
- proto: tcp
ports:
- 2323
cidr_ip: 2.3.2.3/32
<<: *aws_connection_info
state: present
register: result
- name: assert the first rule is not purged
assert:
that:
- result.ip_permissions_egress|length == 2
- name: Purge the second rule
ec2_group:
name: '{{ec2_group_name}}-egress-tests'
description: '{{ec2_group_description}}'
vpc_id: '{{ vpc_result.vpc.id }}'
rules_egress:
- proto: tcp
ports:
- 1212
cidr_ip: 1.2.1.2/32
<<: *aws_connection_info
state: present
register: result
- name: assert first rule is here
assert:
that:
- result.ip_permissions_egress|length == 1
- result.ip_permissions_egress[0].ip_ranges[0].cidr_ip == '1.2.1.2/32'
- name: add a rule for all TCP ports
ec2_group:
name: '{{ec2_group_name}}-egress-tests'
description: '{{ec2_group_description}}'
rules_egress:
- proto: tcp
ports: 0-65535
cidr_ip: 0.0.0.0/0
<<: *aws_connection_info
state: present
vpc_id: '{{ vpc_result.vpc.id }}'
register: result
- name: Re-add the default rule
ec2_group:
name: '{{ec2_group_name}}-egress-tests'
description: '{{ec2_group_description}}'
rules_egress:
- proto: -1
cidr_ip: 0.0.0.0/0
<<: *aws_connection_info
state: present
vpc_id: '{{ vpc_result.vpc.id }}'
register: result
always:
- name: tidy up egress rule test security group
ec2_group:
name: '{{ec2_group_name}}-egress-tests'
state: absent
vpc_id: '{{ vpc_result.vpc.id }}'
<<: *aws_connection_info
ignore_errors: yes