aa68f728fd
* s3_bucket: Allow empty encryption_key_id with aws:kms to use KMS master key * Add idempotency check and cleanup example, dont require encryption_key_id
452 lines
14 KiB
YAML
452 lines
14 KiB
YAML
---
|
|
|
|
- block:
|
|
|
|
# ============================================================
|
|
- name: set connection information for all tasks
|
|
set_fact:
|
|
aws_connection_info: &aws_connection_info
|
|
aws_access_key: "{{ aws_access_key | default('') }}"
|
|
aws_secret_key: "{{ aws_secret_key | default('') }}"
|
|
security_token: "{{ security_token | default('') }}"
|
|
region: "{{ aws_region | default('') }}"
|
|
no_log: true
|
|
|
|
# ============================================================
|
|
- name: Create simple s3_bucket
|
|
s3_bucket:
|
|
name: "{{ resource_prefix }}-testbucket-ansible"
|
|
state: present
|
|
<<: *aws_connection_info
|
|
register: output
|
|
|
|
- assert:
|
|
that:
|
|
- output.changed
|
|
- output.name == '{{ resource_prefix }}-testbucket-ansible'
|
|
- not output.requester_pays
|
|
|
|
# ============================================================
|
|
- name: Try to update the same bucket with the same values
|
|
s3_bucket:
|
|
name: "{{ resource_prefix }}-testbucket-ansible"
|
|
state: present
|
|
<<: *aws_connection_info
|
|
register: output
|
|
|
|
- assert:
|
|
that:
|
|
- not output.changed
|
|
- output.name == '{{ resource_prefix }}-testbucket-ansible'
|
|
- not output.requester_pays
|
|
|
|
# ============================================================
|
|
- name: Delete test s3_bucket
|
|
s3_bucket:
|
|
name: "{{ resource_prefix }}-testbucket-ansible"
|
|
state: absent
|
|
<<: *aws_connection_info
|
|
register: output
|
|
|
|
- assert:
|
|
that:
|
|
- output.changed
|
|
|
|
# ============================================================
|
|
- name: Set bucket_name variable to be able to use it in lookup('template')
|
|
set_fact:
|
|
bucket_name: "{{ resource_prefix }}-testbucket-ansible-complex"
|
|
|
|
- name: Create more complex s3_bucket
|
|
s3_bucket:
|
|
name: "{{ resource_prefix }}-testbucket-ansible-complex"
|
|
state: present
|
|
policy: "{{ lookup('template','policy.json') }}"
|
|
requester_pays: yes
|
|
versioning: yes
|
|
tags:
|
|
example: tag1
|
|
another: tag2
|
|
<<: *aws_connection_info
|
|
register: output
|
|
|
|
- assert:
|
|
that:
|
|
- output.changed
|
|
- output.name == '{{ resource_prefix }}-testbucket-ansible-complex'
|
|
- output.requester_pays
|
|
- output.versioning.MfaDelete == 'Disabled'
|
|
- output.versioning.Versioning == 'Enabled'
|
|
- output.tags.example == 'tag1'
|
|
- output.tags.another == 'tag2'
|
|
- output.policy.Statement[0].Action == 's3:GetObject'
|
|
- output.policy.Statement[0].Effect == 'Allow'
|
|
- output.policy.Statement[0].Principal == '*'
|
|
- output.policy.Statement[0].Resource == 'arn:aws:s3:::{{ resource_prefix }}-testbucket-ansible-complex/*'
|
|
- output.policy.Statement[0].Sid == 'AddPerm'
|
|
|
|
# ============================================================
|
|
- name: Pause to help with s3 bucket eventual consistency
|
|
pause:
|
|
seconds: 10
|
|
|
|
- name: Try to update the same complex s3_bucket
|
|
s3_bucket:
|
|
name: "{{ resource_prefix }}-testbucket-ansible-complex"
|
|
state: present
|
|
policy: "{{ lookup('template','policy.json') }}"
|
|
requester_pays: yes
|
|
versioning: yes
|
|
tags:
|
|
example: tag1
|
|
another: tag2
|
|
<<: *aws_connection_info
|
|
register: output
|
|
|
|
- assert:
|
|
that:
|
|
- not output.changed
|
|
|
|
# ============================================================
|
|
- name: Update bucket policy on complex bucket
|
|
s3_bucket:
|
|
name: "{{ resource_prefix }}-testbucket-ansible-complex"
|
|
state: present
|
|
policy: "{{ lookup('template','policy-updated.json') }}"
|
|
requester_pays: yes
|
|
versioning: yes
|
|
tags:
|
|
example: tag1
|
|
another: tag2
|
|
<<: *aws_connection_info
|
|
register: output
|
|
|
|
- assert:
|
|
that:
|
|
- output.changed
|
|
- output.policy.Statement[0].Action == 's3:GetObject'
|
|
- output.policy.Statement[0].Effect == 'Deny'
|
|
- output.policy.Statement[0].Principal == '*'
|
|
- output.policy.Statement[0].Resource == 'arn:aws:s3:::{{ resource_prefix }}-testbucket-ansible-complex/*'
|
|
- output.policy.Statement[0].Sid == 'AddPerm'
|
|
|
|
# ============================================================
|
|
- name: Pause to help with s3 bucket eventual consistency
|
|
pause:
|
|
seconds: 10
|
|
|
|
- name: Update attributes for s3_bucket
|
|
s3_bucket:
|
|
name: "{{ resource_prefix }}-testbucket-ansible-complex"
|
|
state: present
|
|
policy: "{{ lookup('template','policy.json') }}"
|
|
requester_pays: no
|
|
versioning: no
|
|
tags:
|
|
example: tag1-udpated
|
|
another: tag2
|
|
<<: *aws_connection_info
|
|
register: output
|
|
|
|
- assert:
|
|
that:
|
|
- output.changed
|
|
- output.name == '{{ resource_prefix }}-testbucket-ansible-complex'
|
|
- not output.requester_pays
|
|
- output.versioning.MfaDelete == 'Disabled'
|
|
- output.versioning.Versioning in ['Suspended', 'Disabled']
|
|
- output.tags.example == 'tag1-udpated'
|
|
- output.tags.another == 'tag2'
|
|
- output.policy.Statement[0].Action == 's3:GetObject'
|
|
- output.policy.Statement[0].Effect == 'Allow'
|
|
- output.policy.Statement[0].Principal == '*'
|
|
- output.policy.Statement[0].Resource == 'arn:aws:s3:::{{ resource_prefix }}-testbucket-ansible-complex/*'
|
|
- output.policy.Statement[0].Sid == 'AddPerm'
|
|
|
|
# ============================================================
|
|
- name: Pause to help with s3 bucket eventual consistency
|
|
pause:
|
|
seconds: 10
|
|
|
|
- name: Remove a tag for s3_bucket
|
|
s3_bucket:
|
|
name: "{{ resource_prefix }}-testbucket-ansible-complex"
|
|
state: present
|
|
policy: "{{ lookup('template','policy.json') }}"
|
|
requester_pays: no
|
|
versioning: no
|
|
tags:
|
|
example: tag1-udpated
|
|
<<: *aws_connection_info
|
|
register: output
|
|
|
|
- assert:
|
|
that:
|
|
- output.changed
|
|
- output.tags.example == 'tag1-udpated'
|
|
- "'another' not in output.tags"
|
|
|
|
# ============================================================
|
|
- name: Pause to help with s3 bucket eventual consistency
|
|
pause:
|
|
seconds: 10
|
|
|
|
- name: Add a tag for s3_bucket with purge_tags False
|
|
s3_bucket:
|
|
name: "{{ resource_prefix }}-testbucket-ansible-complex"
|
|
state: present
|
|
policy: "{{ lookup('template','policy.json') }}"
|
|
requester_pays: no
|
|
versioning: no
|
|
purge_tags: no
|
|
tags:
|
|
anewtag: here
|
|
<<: *aws_connection_info
|
|
register: output
|
|
|
|
- assert:
|
|
that:
|
|
- output.changed
|
|
- output.tags.example == 'tag1-udpated'
|
|
- output.tags.anewtag == 'here'
|
|
|
|
# ============================================================
|
|
- name: Pause to help with s3 bucket eventual consistency
|
|
pause:
|
|
seconds: 10
|
|
|
|
- name: Update a tag for s3_bucket with purge_tags False
|
|
s3_bucket:
|
|
name: "{{ resource_prefix }}-testbucket-ansible-complex"
|
|
state: present
|
|
policy: "{{ lookup('template','policy.json') }}"
|
|
requester_pays: no
|
|
versioning: no
|
|
purge_tags: no
|
|
tags:
|
|
anewtag: next
|
|
<<: *aws_connection_info
|
|
register: output
|
|
|
|
- assert:
|
|
that:
|
|
- output.changed
|
|
- output.tags.example == 'tag1-udpated'
|
|
- output.tags.anewtag == 'next'
|
|
|
|
# ============================================================
|
|
- name: Pause to help with s3 bucket eventual consistency
|
|
pause:
|
|
seconds: 10
|
|
|
|
- name: Pass empty tags dict for s3_bucket with purge_tags False
|
|
s3_bucket:
|
|
name: "{{ resource_prefix }}-testbucket-ansible-complex"
|
|
state: present
|
|
policy: "{{ lookup('template','policy.json') }}"
|
|
requester_pays: no
|
|
versioning: no
|
|
purge_tags: no
|
|
tags: {}
|
|
<<: *aws_connection_info
|
|
register: output
|
|
|
|
- assert:
|
|
that:
|
|
- not output.changed
|
|
- output.tags.example == 'tag1-udpated'
|
|
- output.tags.anewtag == 'next'
|
|
|
|
# ============================================================
|
|
- name: Pause to help with s3 bucket eventual consistency
|
|
pause:
|
|
seconds: 10
|
|
|
|
- name: Do not specify any tag to ensure previous tags are not removed
|
|
s3_bucket:
|
|
name: "{{ resource_prefix }}-testbucket-ansible-complex"
|
|
state: present
|
|
policy: "{{ lookup('template','policy.json') }}"
|
|
requester_pays: no
|
|
versioning: no
|
|
<<: *aws_connection_info
|
|
register: output
|
|
|
|
- assert:
|
|
that:
|
|
- not output.changed
|
|
- output.tags.example == 'tag1-udpated'
|
|
|
|
# ============================================================
|
|
- name: Remove all tags
|
|
s3_bucket:
|
|
name: "{{ resource_prefix }}-testbucket-ansible-complex"
|
|
state: present
|
|
policy: "{{ lookup('template','policy.json') }}"
|
|
requester_pays: no
|
|
versioning: no
|
|
tags: {}
|
|
<<: *aws_connection_info
|
|
register: output
|
|
|
|
- assert:
|
|
that:
|
|
- output.changed
|
|
- output.tags == {}
|
|
|
|
# ============================================================
|
|
- name: Pause to help with s3 bucket eventual consistency
|
|
pause:
|
|
seconds: 5
|
|
|
|
- name: Delete complex s3 bucket
|
|
s3_bucket:
|
|
name: "{{ resource_prefix }}-testbucket-ansible-complex"
|
|
state: absent
|
|
<<: *aws_connection_info
|
|
register: output
|
|
|
|
- assert:
|
|
that:
|
|
- output.changed
|
|
|
|
# ============================================================
|
|
- name: Create bucket with dot in name
|
|
s3_bucket:
|
|
name: "{{ resource_prefix }}.testbucket.ansible"
|
|
state: present
|
|
<<: *aws_connection_info
|
|
register: output
|
|
|
|
- assert:
|
|
that:
|
|
- output.changed
|
|
- output.name == '{{ resource_prefix }}.testbucket.ansible'
|
|
|
|
|
|
# ============================================================
|
|
- name: Pause to help with s3 bucket eventual consistency
|
|
pause:
|
|
seconds: 15
|
|
|
|
- name: Delete s3_bucket with dot in name
|
|
s3_bucket:
|
|
name: "{{ resource_prefix }}.testbucket.ansible"
|
|
state: absent
|
|
<<: *aws_connection_info
|
|
register: output
|
|
|
|
- assert:
|
|
that:
|
|
- output.changed
|
|
|
|
# ============================================================
|
|
- name: Try to delete a missing bucket (should not fail)
|
|
s3_bucket:
|
|
name: "{{ resource_prefix }}-testbucket-ansible-missing"
|
|
state: absent
|
|
<<: *aws_connection_info
|
|
register: output
|
|
|
|
- assert:
|
|
that:
|
|
- not output.changed
|
|
# ============================================================
|
|
- name: Create bucket with AES256 encryption enabled
|
|
s3_bucket:
|
|
name: "{{ resource_prefix }}-testbucket-encrypt-ansible"
|
|
state: present
|
|
encryption: "AES256"
|
|
<<: *aws_connection_info
|
|
register: output
|
|
|
|
- assert:
|
|
that:
|
|
- output.changed
|
|
- output.name == '{{ resource_prefix }}-testbucket-encrypt-ansible'
|
|
- output.encryption
|
|
- output.encryption.SSEAlgorithm == 'AES256'
|
|
|
|
- name: Update bucket with same encryption config
|
|
s3_bucket:
|
|
name: "{{ resource_prefix }}-testbucket-encrypt-ansible"
|
|
state: present
|
|
encryption: "AES256"
|
|
<<: *aws_connection_info
|
|
register: output
|
|
|
|
- assert:
|
|
that:
|
|
- not output.changed
|
|
- output.encryption
|
|
- output.encryption.SSEAlgorithm == 'AES256'
|
|
|
|
- name: Disable encryption from bucket
|
|
s3_bucket:
|
|
name: "{{ resource_prefix }}-testbucket-encrypt-ansible"
|
|
state: present
|
|
encryption: "none"
|
|
<<: *aws_connection_info
|
|
register: output
|
|
|
|
- assert:
|
|
that:
|
|
- output.changed
|
|
- not output.encryption
|
|
|
|
- name: Enable aws:kms encryption with KMS master key
|
|
s3_bucket:
|
|
name: "{{ resource_prefix }}-testbucket-encrypt-ansible"
|
|
state: present
|
|
encryption: "aws:kms"
|
|
<<: *aws_connection_info
|
|
register: output
|
|
|
|
- assert:
|
|
that:
|
|
- output.changed
|
|
- output.encryption
|
|
- output.encryption.SSEAlgorithm == 'aws:kms'
|
|
|
|
- name: Enable aws:kms encryption with KMS master key (idempotent)
|
|
s3_bucket:
|
|
name: "{{ resource_prefix }}-testbucket-encrypt-ansible"
|
|
state: present
|
|
encryption: "aws:kms"
|
|
<<: *aws_connection_info
|
|
register: output
|
|
|
|
- assert:
|
|
that:
|
|
- not output.changed
|
|
- output.encryption
|
|
- output.encryption.SSEAlgorithm == 'aws:kms'
|
|
|
|
# ============================================================
|
|
- name: Pause to help with s3 bucket eventual consistency
|
|
pause:
|
|
seconds: 10
|
|
|
|
- name: Delete encryption test s3 bucket
|
|
s3_bucket:
|
|
name: "{{ resource_prefix }}-testbucket-encrypt-ansible"
|
|
state: absent
|
|
<<: *aws_connection_info
|
|
register: output
|
|
|
|
- assert:
|
|
that:
|
|
- output.changed
|
|
# ============================================================
|
|
always:
|
|
- name: Ensure all buckets are deleted
|
|
s3_bucket:
|
|
name: "{{item}}"
|
|
state: absent
|
|
<<: *aws_connection_info
|
|
ignore_errors: yes
|
|
with_items:
|
|
- "{{ resource_prefix }}-testbucket-ansible"
|
|
- "{{ resource_prefix }}-testbucket-ansible-complex"
|
|
- "{{ resource_prefix }}.testbucket.ansible"
|
|
- "{{ resource_prefix }}-testbucket-encrypt-ansible"
|