mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
EC2_group module refactor (formerly pr/37255) (#38678)
* Refactor ec2_group Replace nested for loops with list comprehensions Purge rules before adding new ones in case sg has maximum permitted rules * Add check mode tests for ec2_group * add tests * Remove dead code * Fix integration test assertions for old boto versions * Add waiter for security group that is autocreated * Add support for in-account group rules * Add common util to get AWS account ID Fixes #31383 * Fix protocol number and add separate tests for egress rule handling * Return egress rule treatment to be backwards compatible * Remove functions that were obsoleted by `Rule` namedtuple * IP tests * Move description updates to a function * Fix string formatting missing index * Add tests for auto-creation of the same group in quick succession * Resolve use of brand-new group in a rule without a description * Clean up duplicated get-security-group function * Add reverse cleanup in case of dependency issues * Add crossaccount ELB group support * Deal with non-STS calls to account API * Add filtering of owner IDs that match the current account
This commit is contained in:
parent
49f569d915
commit
858a1b09bb
11 changed files with 1844 additions and 651 deletions
46
lib/ansible/module_utils/aws/iam.py
Normal file
46
lib/ansible/module_utils/aws/iam.py
Normal file
|
@ -0,0 +1,46 @@
|
|||
# Copyright (c) 2017 Ansible Project
|
||||
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||
|
||||
import traceback
|
||||
|
||||
try:
|
||||
from botocore.exceptions import ClientError, NoCredentialsError
|
||||
except ImportError:
|
||||
pass # caught by HAS_BOTO3
|
||||
|
||||
from ansible.module_utils._text import to_native
|
||||
|
||||
|
||||
def get_aws_account_id(module):
|
||||
""" Given AnsibleAWSModule instance, get the active AWS account ID
|
||||
|
||||
get_account_id tries too find out the account that we are working
|
||||
on. It's not guaranteed that this will be easy so we try in
|
||||
several different ways. Giving either IAM or STS privilages to
|
||||
the account should be enough to permit this.
|
||||
"""
|
||||
account_id = None
|
||||
try:
|
||||
sts_client = module.client('sts')
|
||||
account_id = sts_client.get_caller_identity().get('Account')
|
||||
# non-STS sessions may also get NoCredentialsError from this STS call, so
|
||||
# we must catch that too and try the IAM version
|
||||
except (ClientError, NoCredentialsError):
|
||||
try:
|
||||
iam_client = module.client('iam')
|
||||
account_id = iam_client.get_user()['User']['Arn'].split(':')[4]
|
||||
except ClientError as e:
|
||||
if (e.response['Error']['Code'] == 'AccessDenied'):
|
||||
except_msg = to_native(e)
|
||||
# don't match on `arn:aws` because of China region `arn:aws-cn` and similar
|
||||
account_id = except_msg.search(r"arn:\w+:iam::([0-9]{12,32}):\w+/").group(1)
|
||||
if account_id is None:
|
||||
module.fail_json_aws(e, msg="Could not get AWS account information")
|
||||
except Exception as e:
|
||||
module.fail_json(
|
||||
msg="Failed to get AWS account information, Try allowing sts:GetCallerIdentity or iam:GetUser permissions.",
|
||||
exception=traceback.format_exc()
|
||||
)
|
||||
if not account_id:
|
||||
module.fail_json(msg="Failed while determining AWS account ID. Try allowing sts:GetCallerIdentity or iam:GetUser permissions.")
|
||||
return to_native(account_id)
|
|
@ -27,6 +27,24 @@ ec2_data = {
|
|||
},
|
||||
]
|
||||
},
|
||||
"SecurityGroupExists": {
|
||||
"delay": 5,
|
||||
"maxAttempts": 40,
|
||||
"operation": "DescribeSecurityGroups",
|
||||
"acceptors": [
|
||||
{
|
||||
"matcher": "path",
|
||||
"expected": True,
|
||||
"argument": "length(SecurityGroups[]) > `0`",
|
||||
"state": "success"
|
||||
},
|
||||
{
|
||||
"matcher": "error",
|
||||
"expected": "InvalidGroup.NotFound",
|
||||
"state": "retry"
|
||||
},
|
||||
]
|
||||
},
|
||||
"SubnetExists": {
|
||||
"delay": 5,
|
||||
"maxAttempts": 40,
|
||||
|
@ -179,6 +197,12 @@ waiters_by_name = {
|
|||
core_waiter.NormalizedOperationMethod(
|
||||
ec2.describe_route_tables
|
||||
)),
|
||||
('EC2', 'security_group_exists'): lambda ec2: core_waiter.Waiter(
|
||||
'security_group_exists',
|
||||
ec2_model('SecurityGroupExists'),
|
||||
core_waiter.NormalizedOperationMethod(
|
||||
ec2.describe_security_groups
|
||||
)),
|
||||
('EC2', 'subnet_exists'): lambda ec2: core_waiter.Waiter(
|
||||
'subnet_exists',
|
||||
ec2_model('SubnetExists'),
|
||||
|
|
File diff suppressed because it is too large
Load diff
161
test/integration/targets/ec2_group/tasks/credential_tests.yml
Normal file
161
test/integration/targets/ec2_group/tasks/credential_tests.yml
Normal file
|
@ -0,0 +1,161 @@
|
|||
---
|
||||
# A Note about ec2 environment variable name preference:
|
||||
# - EC2_URL -> AWS_URL
|
||||
# - EC2_ACCESS_KEY -> AWS_ACCESS_KEY_ID -> AWS_ACCESS_KEY
|
||||
# - EC2_SECRET_KEY -> AWS_SECRET_ACCESS_KEY -> AWX_SECRET_KEY
|
||||
# - EC2_REGION -> AWS_REGION
|
||||
#
|
||||
|
||||
# - include: ../../setup_ec2/tasks/common.yml module_name: ec2_group
|
||||
|
||||
- block:
|
||||
# ============================================================
|
||||
- name: test failure with no parameters
|
||||
ec2_group:
|
||||
register: result
|
||||
ignore_errors: true
|
||||
|
||||
- name: assert failure with no parameters
|
||||
assert:
|
||||
that:
|
||||
- 'result.failed'
|
||||
- 'result.msg == "one of the following is required: name, group_id"'
|
||||
|
||||
# ============================================================
|
||||
- name: test failure with only name
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}'
|
||||
register: result
|
||||
ignore_errors: true
|
||||
|
||||
- name: assert failure with only name
|
||||
assert:
|
||||
that:
|
||||
- 'result.failed'
|
||||
- 'result.msg == "Must provide description when state is present."'
|
||||
|
||||
# ============================================================
|
||||
- name: test failure with only description
|
||||
ec2_group:
|
||||
description: '{{ec2_group_description}}'
|
||||
register: result
|
||||
ignore_errors: true
|
||||
|
||||
- name: assert failure with only description
|
||||
assert:
|
||||
that:
|
||||
- 'result.failed'
|
||||
- 'result.msg == "one of the following is required: name, group_id"'
|
||||
|
||||
# ============================================================
|
||||
- name: test failure with empty description (AWS API requires non-empty string desc)
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}'
|
||||
description: ''
|
||||
region: '{{ec2_region}}'
|
||||
register: result
|
||||
ignore_errors: true
|
||||
|
||||
- name: assert failure with empty description
|
||||
assert:
|
||||
that:
|
||||
- 'result.failed'
|
||||
- 'result.msg == "Must provide description when state is present."'
|
||||
|
||||
# ============================================================
|
||||
- name: test valid region parameter
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}'
|
||||
description: '{{ec2_group_description}}'
|
||||
region: '{{ec2_region}}'
|
||||
register: result
|
||||
ignore_errors: true
|
||||
|
||||
- name: assert valid region parameter
|
||||
assert:
|
||||
that:
|
||||
- 'result.failed'
|
||||
- '"Unable to locate credentials" in result.msg'
|
||||
|
||||
# ============================================================
|
||||
- name: test environment variable EC2_REGION
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}'
|
||||
description: '{{ec2_group_description}}'
|
||||
environment:
|
||||
EC2_REGION: '{{ec2_region}}'
|
||||
register: result
|
||||
ignore_errors: true
|
||||
|
||||
- name: assert environment variable EC2_REGION
|
||||
assert:
|
||||
that:
|
||||
- 'result.failed'
|
||||
- '"Unable to locate credentials" in result.msg'
|
||||
|
||||
# ============================================================
|
||||
- name: test invalid ec2_url parameter
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}'
|
||||
description: '{{ec2_group_description}}'
|
||||
environment:
|
||||
EC2_URL: bogus.example.com
|
||||
register: result
|
||||
ignore_errors: true
|
||||
|
||||
- name: assert invalid ec2_url parameter
|
||||
assert:
|
||||
that:
|
||||
- 'result.failed'
|
||||
- 'result.msg.startswith("The ec2_group module requires a region")'
|
||||
|
||||
# ============================================================
|
||||
- name: test valid ec2_url parameter
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}'
|
||||
description: '{{ec2_group_description}}'
|
||||
environment:
|
||||
EC2_URL: '{{ec2_url}}'
|
||||
register: result
|
||||
ignore_errors: true
|
||||
|
||||
- name: assert valid ec2_url parameter
|
||||
assert:
|
||||
that:
|
||||
- 'result.failed'
|
||||
- 'result.msg.startswith("The ec2_group module requires a region")'
|
||||
|
||||
# ============================================================
|
||||
- name: test credentials from environment
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}'
|
||||
description: '{{ec2_group_description}}'
|
||||
environment:
|
||||
EC2_REGION: '{{ec2_region}}'
|
||||
EC2_ACCESS_KEY: bogus_access_key
|
||||
EC2_SECRET_KEY: bogus_secret_key
|
||||
register: result
|
||||
ignore_errors: true
|
||||
|
||||
- name: assert ec2_group with valid ec2_url
|
||||
assert:
|
||||
that:
|
||||
- 'result.failed'
|
||||
- '"validate the provided access credentials" in result.msg'
|
||||
|
||||
# ============================================================
|
||||
- name: test credential parameters
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}'
|
||||
description: '{{ec2_group_description}}'
|
||||
ec2_region: '{{ec2_region}}'
|
||||
ec2_access_key: 'bogus_access_key'
|
||||
ec2_secret_key: 'bogus_secret_key'
|
||||
register: result
|
||||
ignore_errors: true
|
||||
|
||||
- name: assert credential parameters
|
||||
assert:
|
||||
that:
|
||||
- 'result.failed'
|
||||
- '"validate the provided access credentials" in result.msg'
|
44
test/integration/targets/ec2_group/tasks/data_validation.yml
Normal file
44
test/integration/targets/ec2_group/tasks/data_validation.yml
Normal file
|
@ -0,0 +1,44 @@
|
|||
---
|
||||
- block:
|
||||
- name: set up aws connection info
|
||||
set_fact:
|
||||
aws_connection_info: &aws_connection_info
|
||||
aws_access_key: "{{ aws_access_key }}"
|
||||
aws_secret_key: "{{ aws_secret_key }}"
|
||||
security_token: "{{ security_token }}"
|
||||
region: "{{ aws_region }}"
|
||||
no_log: yes
|
||||
- name: Create a group with only the default rule
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}-input-tests'
|
||||
vpc_id: '{{ vpc_result.vpc.id }}'
|
||||
description: '{{ec2_group_description}}'
|
||||
<<: *aws_connection_info
|
||||
|
||||
- name: Run through some common weird port specs
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}-input-tests'
|
||||
description: '{{ec2_group_description}}'
|
||||
<<: *aws_connection_info
|
||||
rules:
|
||||
- "{{ item }}"
|
||||
with_items:
|
||||
- proto: tcp
|
||||
from_port: "8182"
|
||||
to_port: 8182
|
||||
cidr_ipv6: "64:ff9b::/96"
|
||||
rule_desc: Mixed string and non-string ports
|
||||
- proto: tcp
|
||||
ports:
|
||||
- "9000"
|
||||
- 9001
|
||||
- 9002-9005
|
||||
cidr_ip: "1.2.3.0/24"
|
||||
always:
|
||||
- name: tidy up input testing group
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}-input-tests'
|
||||
vpc_id: '{{ vpc_result.vpc.id }}'
|
||||
state: absent
|
||||
<<: *aws_connection_info
|
||||
ignore_errors: yes
|
175
test/integration/targets/ec2_group/tasks/egress_tests.yml
Normal file
175
test/integration/targets/ec2_group/tasks/egress_tests.yml
Normal file
|
@ -0,0 +1,175 @@
|
|||
---
|
||||
- block:
|
||||
- name: set up aws connection info
|
||||
set_fact:
|
||||
aws_connection_info: &aws_connection_info
|
||||
aws_access_key: "{{ aws_access_key }}"
|
||||
aws_secret_key: "{{ aws_secret_key }}"
|
||||
security_token: "{{ security_token }}"
|
||||
region: "{{ aws_region }}"
|
||||
no_log: yes
|
||||
|
||||
|
||||
- name: Create a group with only the default rule
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}-egress-tests'
|
||||
vpc_id: '{{ vpc_result.vpc.id }}'
|
||||
description: '{{ec2_group_description}}'
|
||||
<<: *aws_connection_info
|
||||
state: present
|
||||
register: result
|
||||
|
||||
- name: assert default rule is in place (expected changed=true)
|
||||
assert:
|
||||
that:
|
||||
- result is changed
|
||||
- result.ip_permissions|length == 0
|
||||
- result.ip_permissions_egress|length == 1
|
||||
- result.ip_permissions_egress[0].ip_ranges[0].cidr_ip == '0.0.0.0/0'
|
||||
|
||||
- name: Create a group with only the default rule
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}-egress-tests'
|
||||
vpc_id: '{{ vpc_result.vpc.id }}'
|
||||
description: '{{ec2_group_description}}'
|
||||
purge_rules_egress: false
|
||||
<<: *aws_connection_info
|
||||
state: present
|
||||
register: result
|
||||
|
||||
- name: assert default rule is not purged (expected changed=false)
|
||||
assert:
|
||||
that:
|
||||
- result is not changed
|
||||
- result.ip_permissions|length == 0
|
||||
- result.ip_permissions_egress|length == 1
|
||||
- result.ip_permissions_egress[0].ip_ranges[0].cidr_ip == '0.0.0.0/0'
|
||||
|
||||
- name: Pass empty egress rules without purging, should leave default rule in place
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}-egress-tests'
|
||||
description: '{{ec2_group_description}}'
|
||||
vpc_id: '{{ vpc_result.vpc.id }}'
|
||||
purge_rules_egress: false
|
||||
rules_egress: []
|
||||
<<: *aws_connection_info
|
||||
state: present
|
||||
register: result
|
||||
|
||||
- name: assert default rule is not purged (expected changed=false)
|
||||
assert:
|
||||
that:
|
||||
- result is not changed
|
||||
- result.ip_permissions|length == 0
|
||||
- result.ip_permissions_egress|length == 1
|
||||
- result.ip_permissions_egress[0].ip_ranges[0].cidr_ip == '0.0.0.0/0'
|
||||
|
||||
- name: Purge rules, including the default
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}-egress-tests'
|
||||
description: '{{ec2_group_description}}'
|
||||
vpc_id: '{{ vpc_result.vpc.id }}'
|
||||
purge_rules_egress: true
|
||||
rules_egress: []
|
||||
<<: *aws_connection_info
|
||||
state: present
|
||||
register: result
|
||||
|
||||
- name: assert default rule is not purged (expected changed=false)
|
||||
assert:
|
||||
that:
|
||||
- result is changed
|
||||
- result.ip_permissions|length == 0
|
||||
- result.ip_permissions_egress|length == 0
|
||||
|
||||
- name: Add a custom egress rule
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}-egress-tests'
|
||||
description: '{{ec2_group_description}}'
|
||||
vpc_id: '{{ vpc_result.vpc.id }}'
|
||||
rules_egress:
|
||||
- proto: tcp
|
||||
ports:
|
||||
- 1212
|
||||
cidr_ip: 1.2.1.2/32
|
||||
<<: *aws_connection_info
|
||||
state: present
|
||||
register: result
|
||||
|
||||
- name: assert first rule is here
|
||||
assert:
|
||||
that:
|
||||
- result.ip_permissions_egress|length == 1
|
||||
|
||||
- name: Add a second custom egress rule
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}-egress-tests'
|
||||
description: '{{ec2_group_description}}'
|
||||
purge_rules_egress: false
|
||||
vpc_id: '{{ vpc_result.vpc.id }}'
|
||||
rules_egress:
|
||||
- proto: tcp
|
||||
ports:
|
||||
- 2323
|
||||
cidr_ip: 2.3.2.3/32
|
||||
<<: *aws_connection_info
|
||||
state: present
|
||||
register: result
|
||||
|
||||
- name: assert the first rule is not purged
|
||||
assert:
|
||||
that:
|
||||
- result.ip_permissions_egress|length == 2
|
||||
|
||||
- name: Purge the second rule
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}-egress-tests'
|
||||
description: '{{ec2_group_description}}'
|
||||
vpc_id: '{{ vpc_result.vpc.id }}'
|
||||
rules_egress:
|
||||
- proto: tcp
|
||||
ports:
|
||||
- 1212
|
||||
cidr_ip: 1.2.1.2/32
|
||||
<<: *aws_connection_info
|
||||
state: present
|
||||
register: result
|
||||
|
||||
- name: assert first rule is here
|
||||
assert:
|
||||
that:
|
||||
- result.ip_permissions_egress|length == 1
|
||||
- result.ip_permissions_egress[0].ip_ranges[0].cidr_ip == '1.2.1.2/32'
|
||||
|
||||
- name: add a rule for all TCP ports
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}-egress-tests'
|
||||
description: '{{ec2_group_description}}'
|
||||
rules_egress:
|
||||
- proto: tcp
|
||||
ports: 0-65535
|
||||
cidr_ip: 0.0.0.0/0
|
||||
<<: *aws_connection_info
|
||||
state: present
|
||||
vpc_id: '{{ vpc_result.vpc.id }}'
|
||||
register: result
|
||||
|
||||
- name: Re-add the default rule
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}-egress-tests'
|
||||
description: '{{ec2_group_description}}'
|
||||
rules_egress:
|
||||
- proto: -1
|
||||
cidr_ip: 0.0.0.0/0
|
||||
<<: *aws_connection_info
|
||||
state: present
|
||||
vpc_id: '{{ vpc_result.vpc.id }}'
|
||||
register: result
|
||||
always:
|
||||
- name: tidy up egress rule test security group
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}-egress-tests'
|
||||
state: absent
|
||||
vpc_id: '{{ vpc_result.vpc.id }}'
|
||||
<<: *aws_connection_info
|
||||
ignore_errors: yes
|
103
test/integration/targets/ec2_group/tasks/ipv6_default_tests.yml
Normal file
103
test/integration/targets/ec2_group/tasks/ipv6_default_tests.yml
Normal file
|
@ -0,0 +1,103 @@
|
|||
---
|
||||
- name: set up aws connection info
|
||||
set_fact:
|
||||
aws_connection_info: &aws_connection_info
|
||||
aws_access_key: "{{ aws_access_key }}"
|
||||
aws_secret_key: "{{ aws_secret_key }}"
|
||||
security_token: "{{ security_token }}"
|
||||
region: "{{ aws_region }}"
|
||||
no_log: yes
|
||||
# ============================================================
|
||||
- name: test state=present for ipv6 (expected changed=true) (CHECK MODE)
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}'
|
||||
description: '{{ec2_group_description}}'
|
||||
<<: *aws_connection_info
|
||||
state: present
|
||||
rules:
|
||||
- proto: "tcp"
|
||||
from_port: 8182
|
||||
to_port: 8182
|
||||
cidr_ipv6: "64:ff9b::/96"
|
||||
check_mode: true
|
||||
register: result
|
||||
|
||||
- name: assert state=present (expected changed=true)
|
||||
assert:
|
||||
that:
|
||||
- 'result.changed'
|
||||
|
||||
# ============================================================
|
||||
- name: test state=present for ipv6 (expected changed=true)
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}'
|
||||
description: '{{ec2_group_description}}'
|
||||
<<: *aws_connection_info
|
||||
state: present
|
||||
rules:
|
||||
- proto: "tcp"
|
||||
from_port: 8182
|
||||
to_port: 8182
|
||||
cidr_ipv6: "64:ff9b::/96"
|
||||
register: result
|
||||
|
||||
- name: assert state=present (expected changed=true)
|
||||
assert:
|
||||
that:
|
||||
- 'result.changed'
|
||||
- 'result.group_id.startswith("sg-")'
|
||||
|
||||
# ============================================================
|
||||
- name: test rules_egress state=present for ipv6 (expected changed=true) (CHECK MODE)
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}'
|
||||
description: '{{ec2_group_description}}'
|
||||
<<: *aws_connection_info
|
||||
state: present
|
||||
rules:
|
||||
- proto: "tcp"
|
||||
from_port: 8182
|
||||
to_port: 8182
|
||||
cidr_ipv6: "64:ff9b::/96"
|
||||
rules_egress:
|
||||
- proto: "tcp"
|
||||
from_port: 8181
|
||||
to_port: 8181
|
||||
cidr_ipv6: "64:ff9b::/96"
|
||||
check_mode: true
|
||||
register: result
|
||||
|
||||
- name: assert state=present (expected changed=true)
|
||||
assert:
|
||||
that:
|
||||
- 'result.changed'
|
||||
|
||||
# ============================================================
|
||||
- name: test rules_egress state=present for ipv6 (expected changed=true)
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}'
|
||||
description: '{{ec2_group_description}}'
|
||||
<<: *aws_connection_info
|
||||
state: present
|
||||
rules:
|
||||
- proto: "tcp"
|
||||
from_port: 8182
|
||||
to_port: 8182
|
||||
cidr_ipv6: "64:ff9b::/96"
|
||||
rules_egress:
|
||||
- proto: "tcp"
|
||||
from_port: 8181
|
||||
to_port: 8181
|
||||
cidr_ipv6: "64:ff9b::/96"
|
||||
register: result
|
||||
|
||||
- name: assert state=present (expected changed=true)
|
||||
assert:
|
||||
that:
|
||||
- 'result.changed'
|
||||
- 'result.group_id.startswith("sg-")'
|
||||
- name: delete it
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}'
|
||||
<<: *aws_connection_info
|
||||
state: absent
|
File diff suppressed because it is too large
Load diff
132
test/integration/targets/ec2_group/tasks/rule_group_create.yml
Normal file
132
test/integration/targets/ec2_group/tasks/rule_group_create.yml
Normal file
|
@ -0,0 +1,132 @@
|
|||
---
|
||||
- block:
|
||||
- name: set up aws connection info
|
||||
set_fact:
|
||||
aws_connection_info: &aws_connection_info
|
||||
aws_access_key: "{{ aws_access_key }}"
|
||||
aws_secret_key: "{{ aws_secret_key }}"
|
||||
security_token: "{{ security_token }}"
|
||||
region: "{{ aws_region }}"
|
||||
no_log: yes
|
||||
|
||||
- name: Create a group with self-referring rule
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}-auto-create-1'
|
||||
vpc_id: '{{ vpc_result.vpc.id }}'
|
||||
description: '{{ec2_group_description}}'
|
||||
rules:
|
||||
- proto: "tcp"
|
||||
from_port: 8000
|
||||
to_port: 8100
|
||||
group_name: '{{ec2_group_name}}-auto-create-1'
|
||||
<<: *aws_connection_info
|
||||
state: present
|
||||
register: result
|
||||
|
||||
- name: Create a second group rule
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}-auto-create-2'
|
||||
vpc_id: '{{ vpc_result.vpc.id }}'
|
||||
description: '{{ec2_group_description}}'
|
||||
<<: *aws_connection_info
|
||||
state: present
|
||||
|
||||
- name: Create a series of rules with a recently created group as target
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}-auto-create-1'
|
||||
vpc_id: '{{ vpc_result.vpc.id }}'
|
||||
description: '{{ec2_group_description}}'
|
||||
purge_rules: false
|
||||
rules:
|
||||
- proto: "tcp"
|
||||
from_port: "{{ item }}"
|
||||
to_port: "{{ item }}"
|
||||
group_name: '{{ec2_group_name}}-auto-create-2'
|
||||
<<: *aws_connection_info
|
||||
state: present
|
||||
register: result
|
||||
with_items:
|
||||
- 20
|
||||
- 40
|
||||
- 60
|
||||
- 80
|
||||
|
||||
- name: Create a group with only the default rule
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}-auto-create-1'
|
||||
vpc_id: '{{ vpc_result.vpc.id }}'
|
||||
description: '{{ec2_group_description}}'
|
||||
rules:
|
||||
- proto: "tcp"
|
||||
from_port: 8182
|
||||
to_port: 8182
|
||||
group_name: '{{ec2_group_name}}-auto-create-3'
|
||||
<<: *aws_connection_info
|
||||
state: present
|
||||
register: result
|
||||
ignore_errors: true
|
||||
|
||||
- name: assert you can't create a new group from a rule target with no description
|
||||
assert:
|
||||
that:
|
||||
- result is failed
|
||||
|
||||
- name: Create a group with a target of a separate group
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}-auto-create-1'
|
||||
vpc_id: '{{ vpc_result.vpc.id }}'
|
||||
description: '{{ec2_group_description}}'
|
||||
rules:
|
||||
- proto: tcp
|
||||
ports:
|
||||
- 22
|
||||
- 80
|
||||
group_name: '{{ec2_group_name}}-auto-create-3'
|
||||
group_desc: '{{ec2_group_description}}'
|
||||
<<: *aws_connection_info
|
||||
state: present
|
||||
register: result
|
||||
|
||||
- name: Create a 4th group
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}-auto-create-4'
|
||||
vpc_id: '{{ vpc_result.vpc.id }}'
|
||||
description: '{{ec2_group_description}}'
|
||||
<<: *aws_connection_info
|
||||
state: present
|
||||
rules:
|
||||
- proto: tcp
|
||||
ports:
|
||||
- 22
|
||||
cidr_ip: 0.0.0.0/0
|
||||
|
||||
- name: use recently created group in a rule
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}-auto-create-5'
|
||||
vpc_id: '{{ vpc_result.vpc.id }}'
|
||||
description: '{{ec2_group_description}}'
|
||||
rules:
|
||||
- proto: tcp
|
||||
ports:
|
||||
- 443
|
||||
group_name: '{{ec2_group_name}}-auto-create-4'
|
||||
<<: *aws_connection_info
|
||||
state: present
|
||||
|
||||
always:
|
||||
- name: tidy up egress rule test security group
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}-auto-create-{{ item }}'
|
||||
state: absent
|
||||
vpc_id: '{{ vpc_result.vpc.id }}'
|
||||
<<: *aws_connection_info
|
||||
ignore_errors: yes
|
||||
with_items: [5, 4, 3, 2, 1]
|
||||
- name: tidy up egress rule test security group
|
||||
ec2_group:
|
||||
name: '{{ec2_group_name}}-auto-create-{{ item }}'
|
||||
state: absent
|
||||
vpc_id: '{{ vpc_result.vpc.id }}'
|
||||
<<: *aws_connection_info
|
||||
ignore_errors: yes
|
||||
with_items: [1, 2, 3, 4, 5]
|
|
@ -2,7 +2,6 @@ lib/ansible/module_utils/network/iosxr/iosxr.py ansible-format-automatic-specifi
|
|||
lib/ansible/modules/cloud/amazon/aws_api_gateway.py ansible-format-automatic-specification
|
||||
lib/ansible/modules/cloud/amazon/aws_kms.py ansible-format-automatic-specification
|
||||
lib/ansible/modules/cloud/amazon/ec2_eip.py ansible-format-automatic-specification
|
||||
lib/ansible/modules/cloud/amazon/ec2_group.py ansible-format-automatic-specification
|
||||
lib/ansible/modules/cloud/amazon/ecs_ecr.py ansible-format-automatic-specification
|
||||
lib/ansible/modules/cloud/amazon/sns.py ansible-format-automatic-specification
|
||||
lib/ansible/modules/cloud/azure/azure_rm_acs.py ansible-format-automatic-specification
|
||||
|
|
80
test/units/modules/cloud/amazon/test_ec2_group.py
Normal file
80
test/units/modules/cloud/amazon/test_ec2_group.py
Normal file
|
@ -0,0 +1,80 @@
|
|||
import pytest
|
||||
|
||||
from ansible.modules.cloud.amazon import ec2_group as group_module
|
||||
|
||||
|
||||
def test_from_permission():
|
||||
internal_http = {
|
||||
u'FromPort': 80,
|
||||
u'IpProtocol': 'tcp',
|
||||
u'IpRanges': [
|
||||
{
|
||||
u'CidrIp': '10.0.0.0/8',
|
||||
u'Description': 'Foo Bar Baz'
|
||||
},
|
||||
],
|
||||
u'Ipv6Ranges': [
|
||||
{u'CidrIpv6': 'fe80::94cc:8aff:fef6:9cc/64'},
|
||||
],
|
||||
u'PrefixListIds': [],
|
||||
u'ToPort': 80,
|
||||
u'UserIdGroupPairs': [],
|
||||
}
|
||||
perms = list(group_module.rule_from_group_permission(internal_http))
|
||||
assert len(perms) == 2
|
||||
assert perms[0].target == '10.0.0.0/8'
|
||||
assert perms[0].target_type == 'ipv4'
|
||||
assert perms[0].description == 'Foo Bar Baz'
|
||||
assert perms[1].target == 'fe80::94cc:8aff:fef6:9cc/64'
|
||||
|
||||
global_egress = {
|
||||
'IpProtocol': '-1',
|
||||
'IpRanges': [{'CidrIp': '0.0.0.0/0'}],
|
||||
'Ipv6Ranges': [],
|
||||
'PrefixListIds': [],
|
||||
'UserIdGroupPairs': []
|
||||
}
|
||||
perms = list(group_module.rule_from_group_permission(global_egress))
|
||||
assert len(perms) == 1
|
||||
assert perms[0].target == '0.0.0.0/0'
|
||||
assert perms[0].port_range == (None, None)
|
||||
|
||||
internal_prefix_http = {
|
||||
u'FromPort': 80,
|
||||
u'IpProtocol': 'tcp',
|
||||
u'PrefixListIds': [
|
||||
{'PrefixListId': 'p-1234'}
|
||||
],
|
||||
u'ToPort': 80,
|
||||
u'UserIdGroupPairs': [],
|
||||
}
|
||||
perms = list(group_module.rule_from_group_permission(internal_prefix_http))
|
||||
assert len(perms) == 1
|
||||
assert perms[0].target == 'p-1234'
|
||||
|
||||
|
||||
def test_rule_to_permission():
|
||||
tests = [
|
||||
group_module.Rule((22, 22), 'udp', 'sg-1234567890', 'group', None),
|
||||
group_module.Rule((1, 65535), 'tcp', '0.0.0.0/0', 'ipv4', "All TCP from everywhere"),
|
||||
group_module.Rule((443, 443), 'tcp', 'ip-123456', 'ip_prefix', "Traffic to privatelink IPs"),
|
||||
group_module.Rule((443, 443), 'tcp', 'feed:dead:::beef/64', 'ipv6', None),
|
||||
]
|
||||
for test in tests:
|
||||
perm = group_module.to_permission(test)
|
||||
assert perm['FromPort'], perm['ToPort'] == test.port_range
|
||||
assert perm['IpProtocol'] == test.protocol
|
||||
|
||||
|
||||
def test_validate_ip():
|
||||
class Warner(object):
|
||||
def warn(self, msg):
|
||||
return
|
||||
ips = [
|
||||
('1.1.1.1/24', '1.1.1.0/24'),
|
||||
('192.168.56.101/16', '192.168.0.0/16'),
|
||||
('1203:8fe0:fe80:b897:8990:8a7c:99bf:323d/64', '1203:8fe0:fe80::/64'),
|
||||
]
|
||||
|
||||
for ip, net in ips:
|
||||
assert group_module.validate_ip(Warner(), ip) == net
|
Loading…
Reference in a new issue