cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
ansible/test/integration/targets/ec2_group/tasks/main.yml
Toshio Kuratomi 638de22b35 Update tests for required_if changes 
These tests are doing string matches on the error condition.  Update
them to match the new strings.  This is probably okay to push out to old
releases even though it's technically backwards incompatible because
production playbooks won't be checking that a parameter was missing.
Param missing is something detected and fixed while writing the playbook.
2017-10-26 17:37:11 -07:00

860 lines
28 KiB
YAML
Raw Blame History

---
# A Note about ec2 environment variable name preference:
# - EC2_URL -> AWS_URL
# - EC2_ACCESS_KEY -> AWS_ACCESS_KEY_ID -> AWS_ACCESS_KEY
# - EC2_SECRET_KEY -> AWS_SECRET_ACCESS_KEY -> AWX_SECRET_KEY
# - EC2_REGION -> AWS_REGION
#
# - include: ../../setup_ec2/tasks/common.yml module_name: ec2_group
- block:
# ============================================================
- name: test failure with no parameters
ec2_group:
register: result
ignore_errors: true
- name: assert failure with no parameters
assert:
that:
- 'result.failed'
- 'result.msg == "one of the following is required: name, group_id"'
# ============================================================
- name: test failure with only name
ec2_group:
name: '{{ec2_group_name}}'
register: result
ignore_errors: true
- name: assert failure with only name
assert:
that:
- 'result.failed'
- 'result.msg == "Must provide description when state is present."'
# ============================================================
- name: test failure with only description
ec2_group:
description: '{{ec2_group_description}}'
register: result
ignore_errors: true
- name: assert failure with only description
assert:
that:
- 'result.failed'
- 'result.msg == "one of the following is required: name, group_id"'
# ============================================================
- name: test failure with empty description (AWS API requires non-empty string desc)
ec2_group:
name: '{{ec2_group_name}}'
description: ''
region: '{{ec2_region}}'
register: result
ignore_errors: true
- name: assert failure with empty description
assert:
that:
- 'result.failed'
- 'result.msg == "Must provide description when state is present."'
# ============================================================
- name: test valid region parameter
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
region: '{{ec2_region}}'
register: result
ignore_errors: true
- name: assert valid region parameter
assert:
that:
- 'result.failed'
- '"Unable to locate credentials" in result.msg'
# ============================================================
- name: test environment variable EC2_REGION
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
environment:
EC2_REGION: '{{ec2_region}}'
register: result
ignore_errors: true
- name: assert environment variable EC2_REGION
assert:
that:
- 'result.failed'
- '"Unable to locate credentials" in result.msg'
# ============================================================
- name: test invalid ec2_url parameter
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
environment:
EC2_URL: bogus.example.com
register: result
ignore_errors: true
- name: assert invalid ec2_url parameter
assert:
that:
- 'result.failed'
- 'result.msg.startswith("The AWS region must be specified as an environment variable or in the AWS credentials profile")'
# ============================================================
- name: test valid ec2_url parameter
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
environment:
EC2_URL: '{{ec2_url}}'
register: result
ignore_errors: true
- name: assert valid ec2_url parameter
assert:
that:
- 'result.failed'
- 'result.msg.startswith("The AWS region must be specified as an environment variable or in the AWS credentials profile")'
# ============================================================
- name: test credentials from environment
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
environment:
EC2_REGION: '{{ec2_region}}'
EC2_ACCESS_KEY: bogus_access_key
EC2_SECRET_KEY: bogus_secret_key
register: result
ignore_errors: true
- name: assert ec2_group with valid ec2_url
assert:
that:
- 'result.failed'
- '"validate the provided access credentials" in result.msg'
# ============================================================
- name: test credential parameters
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
ec2_region: '{{ec2_region}}'
ec2_access_key: 'bogus_access_key'
ec2_secret_key: 'bogus_secret_key'
register: result
ignore_errors: true
- name: assert credential parameters
assert:
that:
- 'result.failed'
- '"validate the provided access credentials" in result.msg'
# ============================================================
- name: test state=absent
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
ec2_region: '{{ec2_region}}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
state: absent
register: result
# ============================================================
- name: test state=present (expected changed=true)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
ec2_region: '{{ec2_region}}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
state: present
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
- 'result.group_id.startswith("sg-")'
# ============================================================
- name: test state=present different description (expected changed=false)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}CHANGED'
ec2_region: '{{ec2_region}}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
state: present
ignore_errors: true
register: result
- name: assert state=present (expected changed=false)
assert:
that:
- 'not result.changed'
- 'result.group_id.startswith("sg-")'
# ============================================================
- name: test state=present (expected changed=false)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
ec2_region: '{{ec2_region}}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
state: present
register: result
- name: assert state=present (expected changed=false)
assert:
that:
- 'not result.changed'
- 'result.group_id.startswith("sg-")'
# ============================================================
- name: test state=present for ipv6 (expected changed=true)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
ec2_region: '{{ec2_region}}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
state: present
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ipv6: "64:ff9b::/96"
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
- 'result.group_id.startswith("sg-")'
# ============================================================
- name: test rules_egress state=present for ipv6 (expected changed=true)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
ec2_region: '{{ec2_region}}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
state: present
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ipv6: "64:ff9b::/96"
rules_egress:
- proto: "tcp"
from_port: 8181
to_port: 8181
cidr_ipv6: "64:ff9b::/96"
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
- 'result.group_id.startswith("sg-")'
# ============================================================
- name: test state=present for ipv4 (expected changed=true)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
ec2_region: '{{ec2_region}}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
state: present
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ip: "1.1.1.1/32"
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
- 'result.group_id.startswith("sg-")'
# ============================================================
- name: add same rule to the existing group (expected changed=false)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
ec2_region: '{{ec2_region}}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
state: present
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ip: "1.1.1.1/32"
register: result
- name: assert state=present (expected changed=false)
assert:
that:
- 'not result.changed'
- 'result.group_id.startswith("sg-")'
- name: add a rule that auto creates another security group
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
ec2_region: '{{ec2_region}}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
state: present
purge_rules: no
rules:
- proto: "tcp"
group_name: "{{ resource_prefix }} - Another security group"
group_desc: Another security group
ports: 7171
register: result
- name: check that there are now two rules
assert:
that:
- result.changed
- result.ip_permissions|length == 2
- result.ip_permissions[0].user_id_group_pairs or
result.ip_permissions[1].user_id_group_pairs
# ============================================================
- name: test ip rules convert port numbers from string to int (expected changed=true)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
ec2_region: '{{ec2_region}}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
state: present
rules:
- proto: "tcp"
from_port: "8183"
to_port: "8183"
cidr_ipv6: "64:ff9b::/96"
rules_egress:
- proto: "tcp"
from_port: "8184"
to_port: "8184"
cidr_ipv6: "64:ff9b::/96"
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
- 'result.group_id.startswith("sg-")'
# ============================================================
- name: test group rules convert port numbers from string to int (expected changed=true)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
ec2_region: '{{ec2_region}}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
state: present
rules:
- proto: "tcp"
from_port: "8185"
to_port: "8185"
group_id: "{{result.group_id}}"
rules_egress:
- proto: "tcp"
from_port: "8186"
to_port: "8186"
cidr_ipv6: "64:ff9b::/96"
group_id: "{{result.group_id}}"
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
- 'result.group_id.startswith("sg-")'
# ============================================================
- name: test adding a range of ports and ports given as strings (expected changed=true)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
ec2_region: '{{ec2_region}}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
state: present
# set purge_rules to false so we don't get a false positive from previously added rules
purge_rules: false
rules:
- proto: "tcp"
ports:
- 8183-8190
- '8192'
cidr_ip: 1.1.1.1/32
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
- 'result.group_id.startswith("sg-")'
# ============================================================
- name: test state=absent (expected changed=true)
ec2_group:
name: '{{ec2_group_name}}'
state: absent
environment:
EC2_REGION: '{{ec2_region}}'
EC2_ACCESS_KEY: '{{ec2_access_key}}'
EC2_SECRET_KEY: '{{ec2_secret_key}}'
EC2_SECURITY_TOKEN: '{{security_token|default("")}}'
register: result
- name: assert state=absent (expected changed=true)
assert:
that:
- 'result.changed'
- 'not result.group_id'
- name: create a VPC
ec2_vpc_net:
name: "{{ resource_prefix }}-vpc"
state: present
cidr_block: "10.232.232.128/26"
ec2_region: '{{ec2_region}}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
tags:
Name: "{{ resource_prefix }}-vpc"
Description: "Created by ansible-test"
register: vpc_result
- name: create security group in the VPC
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
ec2_region: '{{ec2_region}}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
vpc_id: '{{ vpc_result.vpc.id }}'
state: present
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ip: "1.1.1.1/32"
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
- 'result.vpc_id == vpc_result.vpc.id'
- 'result.group_id.startswith("sg-")'
# ============================================================
- name: test adding tags (expected changed=true)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
ec2_region: '{{ec2_region}}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
vpc_id: '{{ vpc_result.vpc.id }}'
state: present
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ip: "1.1.1.1/32"
tags:
tag1: test1
tag2: test2
register: result
- name: assert that tags were added (expected changed=true)
assert:
that:
- 'result.changed'
- 'result.tags == {"tag1": "test1", "tag2": "test2"}'
# ============================================================
- name: test that tags are present (expected changed=False)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
ec2_region: '{{ec2_region}}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
vpc_id: '{{ vpc_result.vpc.id }}'
state: present
purge_rules_egress: false
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ip: "1.1.1.1/32"
tags:
tag1: test1
tag2: test2
register: result
- name: assert that tags were not changed (expected changed=False)
assert:
that:
- 'not result.changed'
- 'result.tags == {"tag1": "test1", "tag2": "test2"}'
# ============================================================
- name: test purging tags (expected changed=True)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
ec2_region: '{{ec2_region}}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
vpc_id: '{{ vpc_result.vpc.id }}'
state: present
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ip: "1.1.1.1/32"
tags:
tag1: test1
register: result
- name: assert that tag2 was removed (expected changed=true)
assert:
that:
- 'result.changed'
- 'result.tags == {"tag1": "test1"}'
# ============================================================
- name: assert that tags are left as-is if not specified (expected changed=False)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
ec2_region: '{{ec2_region}}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
vpc_id: '{{ vpc_result.vpc.id }}'
state: present
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ip: "1.1.1.1/32"
register: result
- name: assert that the tags stayed the same (expected changed=false)
assert:
that:
- 'not result.changed'
- 'result.tags == {"tag1": "test1"}'
# ============================================================
- name: test purging all tags (expected changed=True)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
ec2_region: '{{ec2_region}}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
vpc_id: '{{ vpc_result.vpc.id }}'
state: present
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ip: "1.1.1.1/32"
tags: {}
register: result
- name: assert that tag1 was removed (expected changed=true)
assert:
that:
- 'result.changed'
- 'not result.tags'
# ============================================================
- name: test adding a rule and egress rule descriptions (expected changed=true)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
ec2_region: '{{ec2_region}}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
vpc_id: '{{ vpc_result.vpc.id }}'
# purge the other rules so assertions work for the subsequent tests for rule descriptions
purge_rules_egress: true
purge_rules: true
state: present
rules:
- proto: "tcp"
ports:
- 8281
cidr_ipv6: 1001:d00::/24
rule_desc: ipv6 rule desc 1
rules_egress:
- proto: "tcp"
ports:
- 8282
cidr_ip: 2.2.2.2/32
rule_desc: egress rule desc 1
register: result
- name: assert that rule descriptions are created (expected changed=true)
# Only assert this if rule description is defined as the botocore version may < 1.7.2.
# It's still helpful to have these tests run on older versions since it verifies backwards
# compatibility with this feature.
assert:
that:
- 'result.changed'
- 'result.ip_permissions[0].ipv6_ranges[0].description == "ipv6 rule desc 1"'
- 'result.ip_permissions_egress[0].ip_ranges[0].description == "egress rule desc 1"'
when: result.ip_permissions_egress[0].ip_ranges[0].description is defined
- name: if an older version of botocore is installed changes should still have changed due to purged rules (expected changed=true)
assert:
that:
- 'result.changed'
when: result.ip_permissions_egress[0].ip_ranges[0].description is undefined
# ============================================================
- name: test modifying rule and egress rule descriptions (expected changed=true)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
ec2_region: '{{ec2_region}}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
vpc_id: '{{ vpc_result.vpc.id }}'
purge_rules_egress: false
purge_rules: false
state: present
rules:
- proto: "tcp"
ports:
- 8281
cidr_ipv6: 1001:d00::/24
rule_desc: ipv6 rule desc 2
rules_egress:
- proto: "tcp"
ports:
- 8282
cidr_ip: 2.2.2.2/32
rule_desc: egress rule desc 2
register: result
- name: assert that rule descriptions were modified (expected changed=true)
# Only assert this if rule description is defined as the botocore version may < 1.7.2.
# It's still helpful to have these tests run on older versions since it verifies backwards
# compatibility with this feature.
assert:
that:
- 'result.changed'
- 'result.ip_permissions[0].ipv6_ranges[0].description == "ipv6 rule desc 2"'
- 'result.ip_permissions_egress[0].ip_ranges[0].description == "egress rule desc 2"'
when: result.ip_permissions_egress[0].ip_ranges[0].description is defined
- name: if an older version of botocore is installed everything should stay the same (expected changed=false)
assert:
that:
- 'not result.changed'
when: result.ip_permissions_egress[0].ip_ranges[0].description is undefined
# ============================================================
- name: test that keeping the same rule descriptions (expected changed=false)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
ec2_region: '{{ec2_region}}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
vpc_id: '{{ vpc_result.vpc.id }}'
purge_rules_egress: false
purge_rules: false
state: present
rules:
- proto: "tcp"
ports:
- 8281
cidr_ipv6: 1001:d00::/24
rule_desc: ipv6 rule desc 2
rules_egress:
- proto: "tcp"
ports:
- 8282
cidr_ip: 2.2.2.2/32
rule_desc: egress rule desc 2
register: result
- name: assert that rule descriptions stayed the same (expected changed=false)
# Only assert this if rule description is defined as the botocore version may < 1.7.2.
# It's still helpful to have these tests run on older versions since it verifies backwards
# compatibility with this feature.
assert:
that:
- 'not result.changed'
- 'result.ip_permissions[0].ipv6_ranges[0].description == "ipv6 rule desc 2"'
- 'result.ip_permissions_egress[0].ip_ranges[0].description == "egress rule desc 2"'
when: result.ip_permissions_egress[0].ip_ranges[0].description is defined
- name: if an older version of botocore is installed everything should stay the same (expected changed=false)
assert:
that:
- 'not result.changed'
when: result.ip_permissions_egress[0].ip_ranges[0].description is undefined
# ============================================================
- name: test removing rule descriptions (expected changed=true)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
ec2_region: '{{ec2_region}}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
vpc_id: '{{ vpc_result.vpc.id }}'
purge_rules_egress: false
purge_rules: false
state: present
rules:
- proto: "tcp"
ports:
- 8281
cidr_ipv6: 1001:d00::/24
rule_desc:
rules_egress:
- proto: "tcp"
ports:
- 8282
cidr_ip: 2.2.2.2/32
rule_desc:
register: result
- name: assert that rule descriptions were removed (expected changed=true)
# Only assert this if rule description is defined as the botocore version may < 1.7.2.
# It's still helpful to have these tests run on older versions since it verifies backwards
# compatibility with this feature.
assert:
that:
- 'result.changed'
- 'not result.ip_permissions[0].ipv6_ranges[0].description'
- 'not result.ip_permissions_egress[0].ip_ranges[0].description'
when: result.ip_permissions_egress[0].ip_ranges[0].description is defined
- name: if an older version of botocore is installed everything should stay the same (expected changed=false)
assert:
that:
- 'not result.changed'
when: result.ip_permissions_egress[0].ip_ranges[0].description is undefined
# ============================================================
- name: test state=absent (expected changed=true)
ec2_group:
name: '{{ec2_group_name}}'
state: absent
environment:
EC2_REGION: '{{ec2_region}}'
EC2_ACCESS_KEY: '{{ec2_access_key}}'
EC2_SECRET_KEY: '{{ec2_secret_key}}'
EC2_SECURITY_TOKEN: '{{security_token|default("")}}'
register: result
- name: assert state=absent (expected changed=true)
assert:
that:
- 'result.changed'
- 'not result.group_id'
always:
# ============================================================
- name: tidy up security group
ec2_group:
name: '{{ec2_group_name}}'
state: absent
environment:
EC2_REGION: '{{ec2_region}}'
EC2_ACCESS_KEY: '{{ec2_access_key}}'
EC2_SECRET_KEY: '{{ec2_secret_key}}'
EC2_SECURITY_TOKEN: '{{security_token|default("")}}'
- name: tidy up automatically created SG
ec2_group:
name: "{{ resource_prefix }} - Another security group"
state: absent
ec2_region: '{{ec2_region}}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
- name: tidy up VPC
ec2_vpc_net:
name: "{{ resource_prefix }}-vpc"
state: absent
cidr_block: "10.232.232.128/26"
ec2_region: '{{ec2_region}}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
Reference in a new issue View git blame Copy permalink