e822450a79
* Add integration tests for iam_policy * Fix indentation and ignore errors during clean up * Mark iam_policy integration tests as unsupported by CI * Add policies to a temporary folder that is cleaned up * Add tasks to verify that iam_policy can remove policies from users, roles, and groups
325 lines
12 KiB
YAML
325 lines
12 KiB
YAML
---
|
|
- block:
|
|
# ============================================================
|
|
- name: set up aws connection info
|
|
set_fact:
|
|
aws_connection_info: &aws_connection_info
|
|
aws_access_key: "{{ aws_access_key }}"
|
|
aws_secret_key: "{{ aws_secret_key }}"
|
|
security_token: "{{ security_token }}"
|
|
region: "{{ aws_region }}"
|
|
no_log: yes
|
|
# ============================================================
|
|
- name: Create a temporary folder for the policies
|
|
tempfile:
|
|
state: directory
|
|
register: tmpdir
|
|
# ============================================================
|
|
- name: Copy over policy
|
|
copy:
|
|
src: no_access.json
|
|
dest: "{{ tmpdir.path }}"
|
|
# ============================================================
|
|
- name: Copy over other policy
|
|
copy:
|
|
src: no_access_with_id.json
|
|
dest: "{{ tmpdir.path }}"
|
|
# ============================================================
|
|
- name: Create user for tests
|
|
iam_user:
|
|
name: "{{ iam_user_name }}"
|
|
state: present
|
|
<<: *aws_connection_info
|
|
# ============================================================
|
|
- name: Create role for tests
|
|
iam_role:
|
|
name: "{{ iam_role_name }}"
|
|
assume_role_policy_document: "{{ lookup('file','no_trust.json') }}"
|
|
state: present
|
|
<<: *aws_connection_info
|
|
# ============================================================
|
|
- name: Create group for tests
|
|
iam_group:
|
|
name: "{{ iam_group_name }}"
|
|
state: present
|
|
<<: *aws_connection_info
|
|
# ============================================================
|
|
- name: Create policy for user
|
|
iam_policy:
|
|
iam_type: user
|
|
iam_name: "{{ iam_user_name }}"
|
|
policy_name: "{{ iam_policy_name }}"
|
|
state: present
|
|
policy_document: "{{ tmpdir.path }}/no_access.json"
|
|
<<: *aws_connection_info
|
|
register: result
|
|
# ============================================================
|
|
- name: Assert policy was added for user
|
|
assert:
|
|
that:
|
|
- result.changed == True
|
|
- result.policies == ["{{ iam_policy_name }}"]
|
|
- result.user_name == "{{ iam_user_name }}"
|
|
# ============================================================
|
|
- name: Update policy for user
|
|
iam_policy:
|
|
iam_type: user
|
|
iam_name: "{{ iam_user_name }}"
|
|
policy_name: "{{ iam_policy_name }}"
|
|
state: present
|
|
policy_document: "{{ tmpdir.path }}/no_access_with_id.json"
|
|
<<: *aws_connection_info
|
|
register: result
|
|
# ============================================================
|
|
- name: Assert policy was updated for user
|
|
assert:
|
|
that:
|
|
- result.changed == True
|
|
# ============================================================
|
|
- name: Update policy for user with same policy
|
|
iam_policy:
|
|
iam_type: user
|
|
iam_name: "{{ iam_user_name }}"
|
|
policy_name: "{{ iam_policy_name }}"
|
|
state: present
|
|
policy_document: "{{ tmpdir.path }}/no_access_with_id.json"
|
|
<<: *aws_connection_info
|
|
register: result
|
|
# ============================================================
|
|
- name: Assert policy did not change for user
|
|
assert:
|
|
that:
|
|
- result.changed == False
|
|
# ============================================================
|
|
- name: Create policy for user using policy_json
|
|
iam_policy:
|
|
iam_type: user
|
|
iam_name: "{{ iam_user_name }}"
|
|
policy_name: "{{ iam_policy_name }}"
|
|
state: present
|
|
policy_json: "{{ lookup('file', '{{ tmpdir.path }}/no_access.json') }}"
|
|
<<: *aws_connection_info
|
|
register: result
|
|
# ============================================================
|
|
- name: Assert policy was added for user
|
|
assert:
|
|
that:
|
|
- result.changed == True
|
|
- result.policies == ["{{ iam_policy_name }}"]
|
|
- result.user_name == "{{ iam_user_name }}"
|
|
# ============================================================
|
|
- name: Create policy for role
|
|
iam_policy:
|
|
iam_type: role
|
|
iam_name: "{{ iam_role_name }}"
|
|
policy_name: "{{ iam_policy_name }}"
|
|
state: present
|
|
policy_document: "{{ tmpdir.path }}/no_access.json"
|
|
<<: *aws_connection_info
|
|
register: result
|
|
# ============================================================
|
|
- name: Assert policy was added for role
|
|
assert:
|
|
that:
|
|
- result.changed == True
|
|
- result.policies == ["{{ iam_policy_name }}"]
|
|
- result.role_name == "{{ iam_role_name }}"
|
|
# ============================================================
|
|
- name: Update policy for role
|
|
iam_policy:
|
|
iam_type: role
|
|
iam_name: "{{ iam_role_name }}"
|
|
policy_name: "{{ iam_policy_name }}"
|
|
state: present
|
|
policy_document: "{{ tmpdir.path }}/no_access_with_id.json"
|
|
<<: *aws_connection_info
|
|
register: result
|
|
# ============================================================
|
|
- name: Assert policy was updated for role
|
|
assert:
|
|
that:
|
|
- result.changed == True
|
|
# ============================================================
|
|
- name: Update policy for role with same policy
|
|
iam_policy:
|
|
iam_type: role
|
|
iam_name: "{{ iam_role_name }}"
|
|
policy_name: "{{ iam_policy_name }}"
|
|
state: present
|
|
policy_document: "{{ tmpdir.path }}/no_access_with_id.json"
|
|
<<: *aws_connection_info
|
|
register: result
|
|
# ============================================================
|
|
- name: Assert policy did not change for role
|
|
assert:
|
|
that:
|
|
- result.changed == False
|
|
# ============================================================
|
|
- name: Create policy for role using policy_json
|
|
iam_policy:
|
|
iam_type: role
|
|
iam_name: "{{ iam_role_name }}"
|
|
policy_name: "{{ iam_policy_name }}"
|
|
state: present
|
|
policy_json: "{{ lookup('file', '{{ tmpdir.path }}/no_access.json') }}"
|
|
<<: *aws_connection_info
|
|
register: result
|
|
# ============================================================
|
|
- name: Assert policy was added for role
|
|
assert:
|
|
that:
|
|
- result.changed == True
|
|
- result.policies == ["{{ iam_policy_name }}"]
|
|
- result.role_name == "{{ iam_role_name }}"
|
|
# ============================================================
|
|
- name: Create policy for group
|
|
iam_policy:
|
|
iam_type: group
|
|
iam_name: "{{ iam_group_name }}"
|
|
policy_name: "{{ iam_policy_name }}"
|
|
state: present
|
|
policy_document: "{{ tmpdir.path }}/no_access.json"
|
|
<<: *aws_connection_info
|
|
register: result
|
|
# ============================================================
|
|
- name: Assert policy was added for group
|
|
assert:
|
|
that:
|
|
- result.changed == True
|
|
- result.policies == ["{{ iam_policy_name }}"]
|
|
- result.group_name == "{{ iam_group_name }}"
|
|
# ============================================================
|
|
- name: Update policy for group
|
|
iam_policy:
|
|
iam_type: group
|
|
iam_name: "{{ iam_group_name }}"
|
|
policy_name: "{{ iam_policy_name }}"
|
|
state: present
|
|
policy_document: "{{ tmpdir.path }}/no_access_with_id.json"
|
|
<<: *aws_connection_info
|
|
register: result
|
|
# ============================================================
|
|
- name: Assert policy was updated for group
|
|
assert:
|
|
that:
|
|
- result.changed == True
|
|
# ============================================================
|
|
- name: Update policy for group with same policy
|
|
iam_policy:
|
|
iam_type: group
|
|
iam_name: "{{ iam_group_name }}"
|
|
policy_name: "{{ iam_policy_name }}"
|
|
state: present
|
|
policy_document: "{{ tmpdir.path }}/no_access_with_id.json"
|
|
<<: *aws_connection_info
|
|
register: result
|
|
# ============================================================
|
|
- name: Assert policy did not change for group
|
|
assert:
|
|
that:
|
|
- result.changed == False
|
|
# ============================================================
|
|
- name: Create policy for group using policy_json
|
|
iam_policy:
|
|
iam_type: group
|
|
iam_name: "{{ iam_group_name }}"
|
|
policy_name: "{{ iam_policy_name }}"
|
|
state: present
|
|
policy_json: "{{ lookup('file', '{{ tmpdir.path }}/no_access.json') }}"
|
|
<<: *aws_connection_info
|
|
register: result
|
|
# ============================================================
|
|
- name: Assert policy was added for group
|
|
assert:
|
|
that:
|
|
- result.changed == True
|
|
- result.policies == ["{{ iam_policy_name }}"]
|
|
- result.group_name == "{{ iam_group_name }}"
|
|
# ============================================================
|
|
- name: Delete policy for user
|
|
iam_policy:
|
|
iam_type: user
|
|
iam_name: "{{ iam_user_name }}"
|
|
policy_name: "{{ iam_policy_name }}"
|
|
state: absent
|
|
<<: *aws_connection_info
|
|
- assert:
|
|
that:
|
|
- result.changed == True
|
|
# ============================================================
|
|
- name: Delete policy for role
|
|
iam_policy:
|
|
iam_type: role
|
|
iam_name: "{{ iam_role_name }}"
|
|
policy_name: "{{ iam_policy_name }}"
|
|
state: absent
|
|
<<: *aws_connection_info
|
|
- assert:
|
|
that:
|
|
- result.changed == True
|
|
# ============================================================
|
|
- name: Delete policy for group
|
|
iam_policy:
|
|
iam_type: group
|
|
iam_name: "{{ iam_group_name }}"
|
|
policy_name: "{{ iam_policy_name }}"
|
|
state: absent
|
|
<<: *aws_connection_info
|
|
- assert:
|
|
that:
|
|
- result.changed == True
|
|
# ============================================================
|
|
always:
|
|
# ============================================================
|
|
- name: Delete policy for user
|
|
iam_policy:
|
|
iam_type: user
|
|
iam_name: "{{ iam_user_name }}"
|
|
policy_name: "{{ iam_policy_name }}"
|
|
state: absent
|
|
<<: *aws_connection_info
|
|
ignore_errors: yes
|
|
# ============================================================
|
|
- name: Delete user for tests
|
|
iam_user:
|
|
name: "{{ iam_user_name }}"
|
|
state: absent
|
|
<<: *aws_connection_info
|
|
ignore_errors: yes
|
|
# ============================================================
|
|
- name: Delete policy for role
|
|
iam_policy:
|
|
iam_type: role
|
|
iam_name: "{{ iam_role_name }}"
|
|
policy_name: "{{ iam_policy_name }}"
|
|
state: absent
|
|
<<: *aws_connection_info
|
|
ignore_errors: yes
|
|
# ============================================================
|
|
- name: Delete role for tests
|
|
iam_role:
|
|
name: "{{ iam_role_name }}"
|
|
state: absent
|
|
<<: *aws_connection_info
|
|
ignore_errors: yes
|
|
# ============================================================
|
|
- name: Delete policy for group
|
|
iam_policy:
|
|
iam_type: group
|
|
iam_name: "{{ iam_group_name }}"
|
|
policy_name: "{{ iam_policy_name }}"
|
|
state: absent
|
|
<<: *aws_connection_info
|
|
ignore_errors: yes
|
|
# ============================================================
|
|
- name: Delete group for tests
|
|
iam_group:
|
|
name: "{{ iam_group_name }}"
|
|
state: absent
|
|
<<: *aws_connection_info
|
|
ignore_errors: yes
|
|
# ============================================================
|
|
- name: Delete temporary folder containing the policies
|
|
file:
|
|
state: absent
|
|
path: "{{ tmpdir.path }}/"
|