diff --git a/hacking/aws_config/testing_policies/storage-policy.json b/hacking/aws_config/testing_policies/storage-policy.json index 0c8fcaca6b..961c80ca7c 100644 --- a/hacking/aws_config/testing_policies/storage-policy.json +++ b/hacking/aws_config/testing_policies/storage-policy.json @@ -2,16 +2,24 @@ "Version": "2012-10-17", "Statement": [ { - "Sid": "AlowS3AnsibleTestBuckets", + "Sid": "AllowS3AnsibleTestBuckets", "Action": [ + "s3:CreateBucket", + "s3:DeleteBucket", + "s3:DeleteObject", + "s3:GetBucketPolicy", + "s3:GetBucketRequestPayment", + "s3:GetBucketTagging", + "s3:GetBucketVersioning", "s3:GetObject", "s3:ListBucket", "s3:PutBucketAcl", - "s3:CreateBucket", + "s3:PutBucketPolicy", + "s3:PutBucketRequestPayment", + "s3:PutBucketTagging", + "s3:PutBucketVersioning", "s3:PutObject", - "s3:PutObjectAcl", - "s3:DeleteBucket", - "s3:DeleteObject" + "s3:PutObjectAcl" ], "Effect": "Allow", "Resource": [ diff --git a/test/integration/targets/s3_bucket/aliases b/test/integration/targets/s3_bucket/aliases new file mode 100644 index 0000000000..d6ae2f116b --- /dev/null +++ b/test/integration/targets/s3_bucket/aliases @@ -0,0 +1,2 @@ +cloud/aws +posix/ci/cloud/group4/aws diff --git a/test/integration/targets/s3_bucket/tasks/main.yml b/test/integration/targets/s3_bucket/tasks/main.yml new file mode 100644 index 0000000000..0b29be3141 --- /dev/null +++ b/test/integration/targets/s3_bucket/tasks/main.yml @@ -0,0 +1,205 @@ +--- + +- block: + + # ============================================================ + - name: set connection information for all tasks + set_fact: + aws_connection_info: &aws_connection_info + aws_access_key: "{{ aws_access_key }}" + aws_secret_key: "{{ aws_secret_key }}" + security_token: "{{ security_token }}" + region: "{{ aws_region }}" + no_log: true + + # ============================================================ + - name: Create simple s3_bucket + s3_bucket: + name: "{{ resource_prefix }}-testbucket-ansible" + state: present + <<: *aws_connection_info + register: output + + - assert: + that: + - output.changed + - output.name == '{{ resource_prefix }}-testbucket-ansible' + - not output.requester_pays + + # ============================================================ + - name: Try to update the same bucket with the same values + s3_bucket: + name: "{{ resource_prefix }}-testbucket-ansible" + state: present + <<: *aws_connection_info + register: output + + - assert: + that: + - not output.changed + - output.name == '{{ resource_prefix }}-testbucket-ansible' + - not output.requester_pays + + # ============================================================ + - name: Delete s3_bucket + s3_bucket: + name: "{{ resource_prefix }}-testbucket-ansible" + state: absent + <<: *aws_connection_info + register: output + + - assert: + that: + - output.changed + + # ============================================================ + - name: Set bucket_name variable to be able to use it in lookup('template') + set_fact: + bucket_name: "{{ resource_prefix }}-testbucket-ansible-complex" + + - name: Create more complex s3_bucket + s3_bucket: + name: "{{ resource_prefix }}-testbucket-ansible-complex" + state: present + policy: "{{ lookup('template','policy.json') }}" + requester_pays: yes + versioning: yes + tags: + example: tag1 + another: tag2 + <<: *aws_connection_info + register: output + + - assert: + that: + - output.changed + - output.name == '{{ resource_prefix }}-testbucket-ansible-complex' + - output.requester_pays + - output.versioning.MfaDelete == 'Disabled' + - output.versioning.Versioning == 'Enabled' + - output.tags.example == 'tag1' + - output.tags.another == 'tag2' + - output.policy.Statement[0].Action == 's3:GetObject' + - output.policy.Statement[0].Effect == 'Allow' + - output.policy.Statement[0].Principal == '*' + - output.policy.Statement[0].Resource == 'arn:aws:s3:::{{ resource_prefix }}-testbucket-ansible-complex/*' + - output.policy.Statement[0].Sid == 'AddPerm' + + # ============================================================ + - name: Try to update the same complex s3_bucket + s3_bucket: + name: "{{ resource_prefix }}-testbucket-ansible-complex" + state: present + policy: "{{ lookup('template','policy.json') }}" + requester_pays: yes + versioning: yes + tags: + example: tag1 + another: tag2 + <<: *aws_connection_info + register: output + + - assert: + that: + - not output.changed + + # ============================================================ + - name: Update bucket policy + s3_bucket: + name: "{{ resource_prefix }}-testbucket-ansible-complex" + state: present + policy: "{{ lookup('template','policy-updated.json') }}" + requester_pays: yes + versioning: yes + tags: + example: tag1 + another: tag2 + <<: *aws_connection_info + register: output + + - assert: + that: + - output.changed + - output.policy.Statement[0].Action == 's3:GetObject' + - output.policy.Statement[0].Effect == 'Deny' + - output.policy.Statement[0].Principal == '*' + - output.policy.Statement[0].Resource == 'arn:aws:s3:::{{ resource_prefix }}-testbucket-ansible-complex/*' + - output.policy.Statement[0].Sid == 'AddPerm' + + # ============================================================ + - name: Update attributes for s3_bucket + s3_bucket: + name: "{{ resource_prefix }}-testbucket-ansible-complex" + state: present + policy: "{{ lookup('template','policy.json') }}" + requester_pays: no + versioning: no + tags: + example: tag1-udpated + another: tag2 + <<: *aws_connection_info + register: output + + - assert: + that: + - output.changed + - output.name == '{{ resource_prefix }}-testbucket-ansible-complex' + - not output.requester_pays + - output.versioning.MfaDelete == 'Disabled' + - output.versioning.Versioning == 'Suspended' + - output.tags.example == 'tag1-udpated' + - output.tags.another == 'tag2' + - output.policy.Statement[0].Action == 's3:GetObject' + - output.policy.Statement[0].Effect == 'Allow' + - output.policy.Statement[0].Principal == '*' + - output.policy.Statement[0].Resource == 'arn:aws:s3:::{{ resource_prefix }}-testbucket-ansible-complex/*' + - output.policy.Statement[0].Sid == 'AddPerm' + + + # ============================================================ + - name: Delete s3_bucket + s3_bucket: + name: "{{ resource_prefix }}-testbucket-ansible-complex" + state: absent + <<: *aws_connection_info + register: output + + - assert: + that: + - output.changed + + # ============================================================ + - name: Create bucket with dot in name + s3_bucket: + name: "{{ resource_prefix }}.testbucket.ansible" + state: present + <<: *aws_connection_info + register: output + + - assert: + that: + - output.changed + - output.name == '{{ resource_prefix }}.testbucket.ansible' + + - name: Delete s3_bucket + s3_bucket: + name: "{{ resource_prefix }}.testbucket.ansible" + state: absent + <<: *aws_connection_info + register: output + + - assert: + that: + - output.changed + + # ============================================================ + always: + - name: Ensure all buckets are deleted + s3_bucket: + name: "{{item}}" + state: absent + <<: *aws_connection_info + with_items: + - "{{ resource_prefix }}-testbucket-ansible" + - "{{ resource_prefix }}-testbucket-ansible-complex" + - "{{ resource_prefix }}.testbucket.ansible" diff --git a/test/integration/targets/s3_bucket/templates/policy-updated.json b/test/integration/targets/s3_bucket/templates/policy-updated.json new file mode 100644 index 0000000000..5775c5eb2c --- /dev/null +++ b/test/integration/targets/s3_bucket/templates/policy-updated.json @@ -0,0 +1,12 @@ +{ + "Version":"2012-10-17", + "Statement":[ + { + "Sid":"AddPerm", + "Effect":"Deny", + "Principal": "*", + "Action":["s3:GetObject"], + "Resource":["arn:aws:s3:::{{bucket_name}}/*"] + } + ] +} diff --git a/test/integration/targets/s3_bucket/templates/policy.json b/test/integration/targets/s3_bucket/templates/policy.json new file mode 100644 index 0000000000..a2720aed60 --- /dev/null +++ b/test/integration/targets/s3_bucket/templates/policy.json @@ -0,0 +1,12 @@ +{ + "Version":"2012-10-17", + "Statement":[ + { + "Sid":"AddPerm", + "Effect":"Allow", + "Principal": "*", + "Action":["s3:GetObject"], + "Resource":["arn:aws:s3:::{{bucket_name}}/*"] + } + ] +}