mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
ec2_instace: fix instance_role argument (#37465)
This commit is contained in:
parent
ddf937d642
commit
b000339a31
4 changed files with 79 additions and 4 deletions
|
@ -994,7 +994,7 @@ def build_run_instance_spec(params, ec2=None):
|
|||
|
||||
# IAM profile
|
||||
if params.get('instance_role'):
|
||||
spec['IamInstanceProfile'] = dict(Arn=determine_iam_role(params.get('iam_profile')))
|
||||
spec['IamInstanceProfile'] = dict(Arn=determine_iam_role(params.get('instance_role')))
|
||||
|
||||
spec['InstanceType'] = params['instance_type']
|
||||
return spec
|
||||
|
@ -1267,10 +1267,9 @@ def pretty_instance(i):
|
|||
return instance
|
||||
|
||||
|
||||
def determine_iam_role(name_or_arn, iam):
|
||||
def determine_iam_role(name_or_arn):
|
||||
if re.match(r'^arn:aws:iam::\d+:instance-profile/[\w+=/,.@-]+$', name_or_arn):
|
||||
return name_or_arn
|
||||
if iam is None:
|
||||
iam = module.client('iam')
|
||||
try:
|
||||
role = iam.get_instance_profile(InstanceProfileName=name_or_arn)
|
||||
|
|
|
@ -0,0 +1,13 @@
|
|||
{
|
||||
"Version": "2008-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Sid": "",
|
||||
"Effect": "Allow",
|
||||
"Principal": {
|
||||
"Service": "ec2.amazonaws.com"
|
||||
},
|
||||
"Action": "sts:AssumeRole"
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,62 @@
|
|||
- name: set connection information for all tasks
|
||||
set_fact:
|
||||
aws_connection_info: &aws_connection_info
|
||||
aws_access_key: "{{ aws_access_key }}"
|
||||
aws_secret_key: "{{ aws_secret_key }}"
|
||||
security_token: "{{ security_token }}"
|
||||
region: "{{ aws_region }}"
|
||||
no_log: true
|
||||
|
||||
- block:
|
||||
- name: Create IAM role for test
|
||||
iam_role:
|
||||
name: "{{ resource_prefix }}-test-policy"
|
||||
assume_role_policy_document: "{{ lookup('file','assume-role-policy.json') }}"
|
||||
state: present
|
||||
create_instance_profile: yes
|
||||
managed_policy:
|
||||
- AmazonEC2ContainerServiceRole
|
||||
<<: *aws_connection_info
|
||||
register: iam_role
|
||||
|
||||
- name: Wait for IAM role to be available, otherwise the next step will fail (Invalid IAM Instance Profile name)
|
||||
command: sleep 10
|
||||
|
||||
- name: Make instance with an instance_role
|
||||
ec2_instance:
|
||||
name: "{{ resource_prefix }}-test-default-vpc"
|
||||
image_id: "{{ ec2_ami_image[aws_region] }}"
|
||||
security_groups: "{{ sg.group_id }}"
|
||||
instance_type: t2.micro
|
||||
instance_role: "{{ resource_prefix }}-test-policy"
|
||||
<<: *aws_connection_info
|
||||
register: instance_with_role
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- 'instance_with_role.instances[0].iam_instance_profile.arn == iam_role.arn.replace(":role/", ":instance-profile/")'
|
||||
|
||||
always:
|
||||
- name: Terminate instance
|
||||
ec2:
|
||||
instance_ids: "{{ instance_with_role.instance_ids }}"
|
||||
state: absent
|
||||
<<: *aws_connection_info
|
||||
register: removed
|
||||
until: removed is not failed
|
||||
ignore_errors: yes
|
||||
retries: 10
|
||||
|
||||
- name: Delete IAM role for test
|
||||
iam_role:
|
||||
name: "{{ resource_prefix }}-test-policy"
|
||||
assume_role_policy_document: "{{ lookup('file','assume-role-policy.json') }}"
|
||||
state: absent
|
||||
create_instance_profile: yes
|
||||
managed_policy:
|
||||
- AmazonEC2ContainerServiceRole
|
||||
<<: *aws_connection_info
|
||||
register: removed
|
||||
until: removed is not failed
|
||||
ignore_errors: yes
|
||||
retries: 10
|
|
@ -94,6 +94,7 @@
|
|||
- include_tasks: tasks/external_resource_attach.yml
|
||||
- include_tasks: tasks/block_devices.yml
|
||||
- include_tasks: tasks/default_vpc_tests.yml
|
||||
- include_tasks: tasks/iam_instance_role.yml
|
||||
|
||||
|
||||
# ============================================================
|
||||
|
|
Loading…
Reference in a new issue