b980a5c02a
* Use Boto3 for ec2_group Currently boto doesn't support ipv6. To support ipv6 in ec2_group, we need boto3. boto3 has significant API changes, which caused more re-factoring for ec2_group module. Added additional integration test to test_ec2_group role. * Follow the standard for boto3 ansible Fixed imports. Use boto3 ansible exception with camel_dict_to_snake_dict. Refactored the call to authorize/revoke ingress and egress. * Removed dependancy with module ipaddress Added new parameter called cidr_ipv6 for specifying ipv6 addresses inline with how boto3 handles ipv6 addresses. * Updated integration test * Added ipv6 integration test for ec2_group * Set purge_rules to false for integration test * Fixed import statements Added example for ipv6. Removed defining HAS_BOTO3 variable and import HAS_BOTO3 from ec2. Cleaned up import statements. * Fixed exception handling * Add IAM permissions for ec2_group tests Missing AuthorizeSecurityGroupEgress necessary for latest tests * Wrapped botocore import in try/except block Import just botocore to be more similar to other modules
364 lines
12 KiB
YAML
364 lines
12 KiB
YAML
---
|
|
# A Note about ec2 environment variable name preference:
|
|
# - EC2_URL -> AWS_URL
|
|
# - EC2_ACCESS_KEY -> AWS_ACCESS_KEY_ID -> AWS_ACCESS_KEY
|
|
# - EC2_SECRET_KEY -> AWS_SECRET_ACCESS_KEY -> AWX_SECRET_KEY
|
|
# - EC2_REGION -> AWS_REGION
|
|
#
|
|
|
|
# - include: ../../setup_ec2/tasks/common.yml module_name=ec2_group
|
|
|
|
- block:
|
|
|
|
# ============================================================
|
|
- name: test failure with no parameters
|
|
ec2_group:
|
|
register: result
|
|
ignore_errors: true
|
|
|
|
- name: assert failure with no parameters
|
|
assert:
|
|
that:
|
|
- 'result.failed'
|
|
- 'result.msg == "one of the following is required: name,group_id"'
|
|
|
|
# ============================================================
|
|
- name: test failure with only name
|
|
ec2_group:
|
|
name='{{ec2_group_name}}'
|
|
register: result
|
|
ignore_errors: true
|
|
|
|
- name: assert failure with only name
|
|
assert:
|
|
that:
|
|
- 'result.failed'
|
|
- 'result.msg == "Must provide description when state is present."'
|
|
|
|
# ============================================================
|
|
- name: test failure with only description
|
|
ec2_group:
|
|
description='{{ec2_group_description}}'
|
|
register: result
|
|
ignore_errors: true
|
|
|
|
- name: assert failure with only description
|
|
assert:
|
|
that:
|
|
- 'result.failed'
|
|
- 'result.msg == "one of the following is required: name,group_id"'
|
|
|
|
# ============================================================
|
|
- name: test failure with empty description (AWS API requires non-empty string desc)
|
|
ec2_group:
|
|
name='{{ec2_group_name}}'
|
|
description=''
|
|
region='{{ec2_region}}'
|
|
register: result
|
|
ignore_errors: true
|
|
|
|
- name: assert failure with empty description
|
|
assert:
|
|
that:
|
|
- 'result.failed'
|
|
- 'result.msg == "Must provide description when state is present."'
|
|
|
|
# ============================================================
|
|
- name: test valid region parameter
|
|
ec2_group:
|
|
name='{{ec2_group_name}}'
|
|
description='{{ec2_group_description}}'
|
|
region='{{ec2_region}}'
|
|
register: result
|
|
ignore_errors: true
|
|
|
|
- name: assert valid region parameter
|
|
assert:
|
|
that:
|
|
- 'result.failed'
|
|
- '"Unable to locate credentials" in result.msg'
|
|
|
|
# ============================================================
|
|
- name: test environment variable EC2_REGION
|
|
ec2_group:
|
|
name='{{ec2_group_name}}'
|
|
description='{{ec2_group_description}}'
|
|
environment:
|
|
EC2_REGION: '{{ec2_region}}'
|
|
register: result
|
|
ignore_errors: true
|
|
|
|
- name: assert environment variable EC2_REGION
|
|
assert:
|
|
that:
|
|
- 'result.failed'
|
|
- '"Unable to locate credentials" in result.msg'
|
|
|
|
# ============================================================
|
|
- name: test invalid ec2_url parameter
|
|
ec2_group:
|
|
name='{{ec2_group_name}}'
|
|
description='{{ec2_group_description}}'
|
|
environment:
|
|
EC2_URL: bogus.example.com
|
|
register: result
|
|
ignore_errors: true
|
|
|
|
- name: assert invalid ec2_url parameter
|
|
assert:
|
|
that:
|
|
- 'result.failed'
|
|
- 'result.msg.startswith("The AWS region must be specified as an environment variable or in the AWS credentials profile")'
|
|
|
|
# ============================================================
|
|
- name: test valid ec2_url parameter
|
|
ec2_group:
|
|
name='{{ec2_group_name}}'
|
|
description='{{ec2_group_description}}'
|
|
environment:
|
|
EC2_URL: '{{ec2_url}}'
|
|
register: result
|
|
ignore_errors: true
|
|
|
|
- name: assert valid ec2_url parameter
|
|
assert:
|
|
that:
|
|
- 'result.failed'
|
|
- 'result.msg.startswith("The AWS region must be specified as an environment variable or in the AWS credentials profile")'
|
|
|
|
# ============================================================
|
|
- name: test credentials from environment
|
|
ec2_group:
|
|
name='{{ec2_group_name}}'
|
|
description='{{ec2_group_description}}'
|
|
environment:
|
|
EC2_REGION: '{{ec2_region}}'
|
|
EC2_ACCESS_KEY: bogus_access_key
|
|
EC2_SECRET_KEY: bogus_secret_key
|
|
register: result
|
|
ignore_errors: true
|
|
|
|
- name: assert ec2_group with valid ec2_url
|
|
assert:
|
|
that:
|
|
- 'result.failed'
|
|
- '"validate the provided access credentials" in result.msg'
|
|
|
|
# ============================================================
|
|
- name: test credential parameters
|
|
ec2_group:
|
|
name='{{ec2_group_name}}'
|
|
description='{{ec2_group_description}}'
|
|
ec2_region='{{ec2_region}}'
|
|
ec2_access_key='bogus_access_key'
|
|
ec2_secret_key='bogus_secret_key'
|
|
register: result
|
|
ignore_errors: true
|
|
|
|
- name: assert credential parameters
|
|
assert:
|
|
that:
|
|
- 'result.failed'
|
|
- '"validate the provided access credentials" in result.msg'
|
|
|
|
# ============================================================
|
|
- name: test state=absent
|
|
ec2_group:
|
|
name='{{ec2_group_name}}'
|
|
description='{{ec2_group_description}}'
|
|
ec2_region='{{ec2_region}}'
|
|
ec2_access_key='{{ec2_access_key}}'
|
|
ec2_secret_key='{{ec2_secret_key}}'
|
|
security_token='{{security_token}}'
|
|
state=absent
|
|
register: result
|
|
|
|
# ============================================================
|
|
- name: test state=present (expected changed=true)
|
|
ec2_group:
|
|
name='{{ec2_group_name}}'
|
|
description='{{ec2_group_description}}'
|
|
ec2_region='{{ec2_region}}'
|
|
ec2_access_key='{{ec2_access_key}}'
|
|
ec2_secret_key='{{ec2_secret_key}}'
|
|
security_token='{{security_token}}'
|
|
state=present
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
- 'result.group_id.startswith("sg-")'
|
|
|
|
# ============================================================
|
|
- name: test state=present different description raises error
|
|
ec2_group:
|
|
name='{{ec2_group_name}}'
|
|
description='{{ec2_group_description}}CHANGED'
|
|
ec2_region='{{ec2_region}}'
|
|
ec2_access_key='{{ec2_access_key}}'
|
|
ec2_secret_key='{{ec2_secret_key}}'
|
|
security_token='{{security_token}}'
|
|
state=present
|
|
ignore_errors: true
|
|
register: result
|
|
|
|
- name: assert matching group with non-matching description raises error
|
|
assert:
|
|
that:
|
|
- 'result.failed'
|
|
- '"Group description does not match existing group. ec2_group does not support this case." in result.msg'
|
|
|
|
# ============================================================
|
|
- name: test state=present (expected changed=false)
|
|
ec2_group:
|
|
name='{{ec2_group_name}}'
|
|
description='{{ec2_group_description}}'
|
|
ec2_region='{{ec2_region}}'
|
|
ec2_access_key='{{ec2_access_key}}'
|
|
ec2_secret_key='{{ec2_secret_key}}'
|
|
security_token='{{security_token}}'
|
|
state=present
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=false)
|
|
assert:
|
|
that:
|
|
- 'not result.changed'
|
|
- 'result.group_id.startswith("sg-")'
|
|
|
|
# ============================================================
|
|
- name: test state=present for ipv6 (expected changed=true)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
ec2_region: '{{ec2_region}}'
|
|
ec2_access_key: '{{ec2_access_key}}'
|
|
ec2_secret_key: '{{ec2_secret_key}}'
|
|
security_token: '{{security_token}}'
|
|
state: present
|
|
rules:
|
|
- proto: "tcp"
|
|
from_port: 8182
|
|
to_port: 8182
|
|
cidr_ipv6: "64:ff9b::/96"
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
- 'result.group_id.startswith("sg-")'
|
|
|
|
# ============================================================
|
|
- name: test rules_egress state=present for ipv6 (expected changed=true)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
ec2_region: '{{ec2_region}}'
|
|
ec2_access_key: '{{ec2_access_key}}'
|
|
ec2_secret_key: '{{ec2_secret_key}}'
|
|
security_token: '{{security_token}}'
|
|
state: present
|
|
rules:
|
|
- proto: "tcp"
|
|
from_port: 8182
|
|
to_port: 8182
|
|
cidr_ipv6: "64:ff9b::/96"
|
|
rules_egress:
|
|
- proto: "tcp"
|
|
from_port: 8181
|
|
to_port: 8181
|
|
cidr_ipv6: "64:ff9b::/96"
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
- 'result.group_id.startswith("sg-")'
|
|
|
|
# ============================================================
|
|
- name: test state=present for ipv4 (expected changed=true)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
ec2_region: '{{ec2_region}}'
|
|
ec2_access_key: '{{ec2_access_key}}'
|
|
ec2_secret_key: '{{ec2_secret_key}}'
|
|
security_token: '{{security_token}}'
|
|
state: present
|
|
rules:
|
|
- proto: "tcp"
|
|
from_port: 8182
|
|
to_port: 8182
|
|
cidr_ip: "1.1.1.1/32"
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
- 'result.group_id.startswith("sg-")'
|
|
|
|
# ============================================================
|
|
- name: add same rule to the existing group (expected changed=false)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
ec2_region: '{{ec2_region}}'
|
|
ec2_access_key: '{{ec2_access_key}}'
|
|
ec2_secret_key: '{{ec2_secret_key}}'
|
|
security_token: '{{security_token}}'
|
|
state: present
|
|
rules:
|
|
- proto: "tcp"
|
|
from_port: 8182
|
|
to_port: 8182
|
|
cidr_ip: "1.1.1.1/32"
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=false)
|
|
assert:
|
|
that:
|
|
- 'not result.changed'
|
|
- 'result.group_id.startswith("sg-")'
|
|
|
|
# ============================================================
|
|
- name: test state=absent (expected changed=true)
|
|
ec2_group:
|
|
name='{{ec2_group_name}}'
|
|
state=absent
|
|
environment:
|
|
EC2_REGION: '{{ec2_region}}'
|
|
EC2_ACCESS_KEY: '{{ec2_access_key}}'
|
|
EC2_SECRET_KEY: '{{ec2_secret_key}}'
|
|
EC2_SECURITY_TOKEN: '{{security_token|default("")}}'
|
|
register: result
|
|
|
|
- name: assert state=absent (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
- 'not result.group_id'
|
|
|
|
always:
|
|
|
|
# ============================================================
|
|
- name: test state=absent (expected changed=false)
|
|
ec2_group:
|
|
name='{{ec2_group_name}}'
|
|
state=absent
|
|
environment:
|
|
EC2_REGION: '{{ec2_region}}'
|
|
EC2_ACCESS_KEY: '{{ec2_access_key}}'
|
|
EC2_SECRET_KEY: '{{ec2_secret_key}}'
|
|
EC2_SECURITY_TOKEN: '{{security_token|default("")}}'
|
|
register: result
|
|
|
|
- name: assert state=absent (expected changed=false)
|
|
assert:
|
|
that:
|
|
- 'not result.changed'
|
|
- 'not result.group_id'
|