mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
[AWS] ses rule set module for inbound email processing (#42781)
* Add module ses_rule_set for Amazon SES * Update behaviours and naming to be consistent with other aws_ses_ modules. * Add global lock around tests using active rule sets to prevent intermittent test failures. * Fix deletion of rule sets so that we don't inactivate the active rule set when force deleting an inactive rule set.
This commit is contained in:
parent
b759862daa
commit
b70d5d9aee
11 changed files with 1030 additions and 1 deletions
|
@ -234,7 +234,14 @@
|
|||
"ses:GetIdentityPolicies",
|
||||
"ses:PutIdentityPolicy",
|
||||
"ses:DeleteIdentityPolicy",
|
||||
"ses:ListIdentityPolicies"
|
||||
"ses:ListIdentityPolicies",
|
||||
"ses:SetIdentityFeedbackForwardingEnabled",
|
||||
"ses:ListReceiptRuleSets",
|
||||
"ses:DescribeReceiptRuleSet",
|
||||
"ses:DescribeActiveReceiptRuleSet",
|
||||
"ses:SetActiveReceiptRuleSet",
|
||||
"ses:CreateReceiptRuleSet",
|
||||
"ses:DeleteReceiptRuleSet"
|
||||
],
|
||||
"Resource": [
|
||||
"*"
|
||||
|
|
|
@ -31,6 +31,28 @@
|
|||
"Action": "waf:*",
|
||||
"Effect": "Allow",
|
||||
"Resource": "*"
|
||||
},
|
||||
{
|
||||
"Sid": "AllowListingCloudwatchLogs",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"logs:DescribeLogGroups"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:*"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Sid": "AllowModifyingCloudwatchLogs",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"logs:CreateLogGroup",
|
||||
"logs:PutRetentionPolicy",
|
||||
"logs:DeleteLogGroup"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:ansible-testing*"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
250
lib/ansible/modules/cloud/amazon/aws_ses_rule_set.py
Normal file
250
lib/ansible/modules/cloud/amazon/aws_ses_rule_set.py
Normal file
|
@ -0,0 +1,250 @@
|
|||
#!/usr/bin/python
|
||||
# Copyright (c) 2017, Ben Tomasik <ben@tomasik.io>
|
||||
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||
|
||||
|
||||
ANSIBLE_METADATA = {'metadata_version': '1.1',
|
||||
'status': ['preview'],
|
||||
'supported_by': 'community'}
|
||||
|
||||
|
||||
DOCUMENTATION = """
|
||||
---
|
||||
module: aws_ses_rule_set
|
||||
short_description: Manages SES inbound receipt rule sets
|
||||
description:
|
||||
- The M(aws_ses_rule_set) module allows you to create, delete, and manage SES receipt rule sets
|
||||
version_added: 2.8
|
||||
author:
|
||||
- "Ben Tomasik (@tomislacker)"
|
||||
- "Ed Costello (@orthanc)"
|
||||
requirements: [ boto3, botocore ]
|
||||
options:
|
||||
name:
|
||||
description:
|
||||
- The name of the receipt rule set.
|
||||
required: True
|
||||
state:
|
||||
description:
|
||||
- Whether to create (or update) or destroy the receipt rule set.
|
||||
required: False
|
||||
default: present
|
||||
choices: ["absent", "present"]
|
||||
active:
|
||||
description:
|
||||
- Whether or not this rule set should be the active rule set. Only has an impact if I(state) is C(present).
|
||||
- If omitted, the active rule set will not be changed.
|
||||
- If C(True) then this rule set will be made active and all others inactive.
|
||||
- if C(False) then this rule set will be deactivated. Be careful with this as you can end up with no active rule set.
|
||||
type: bool
|
||||
required: False
|
||||
force:
|
||||
description:
|
||||
- When deleting a rule set, deactivate it first (AWS prevents deletion of the active rule set).
|
||||
type: bool
|
||||
required: False
|
||||
default: False
|
||||
extends_documentation_fragment:
|
||||
- aws
|
||||
- ec2
|
||||
"""
|
||||
|
||||
EXAMPLES = """
|
||||
# Note: None of these examples set aws_access_key, aws_secret_key, or region.
|
||||
# It is assumed that their matching environment variables are set.
|
||||
---
|
||||
- name: Create default rule set and activate it if not already
|
||||
aws_ses_rule_set:
|
||||
name: default-rule-set
|
||||
state: present
|
||||
active: yes
|
||||
|
||||
- name: Create some arbitrary rule set but do not activate it
|
||||
aws_ses_rule_set:
|
||||
name: arbitrary-rule-set
|
||||
state: present
|
||||
|
||||
- name: Explicitly deactivate the default rule set leaving no active rule set
|
||||
aws_ses_rule_set:
|
||||
name: default-rule-set
|
||||
state: present
|
||||
active: no
|
||||
|
||||
- name: Remove an arbitary inactive rule set
|
||||
aws_ses_rule_set:
|
||||
name: arbitrary-rule-set
|
||||
state: absent
|
||||
|
||||
- name: Remove an ruleset even if we have to first deactivate it to remove it
|
||||
aws_ses_rule_set:
|
||||
name: default-rule-set
|
||||
state: absent
|
||||
force: yes
|
||||
"""
|
||||
|
||||
RETURN = """
|
||||
active:
|
||||
description: if the SES rule set is active
|
||||
returned: success if I(state) is C(present)
|
||||
type: bool
|
||||
sample: true
|
||||
rule_sets:
|
||||
description: The list of SES receipt rule sets that exist after any changes.
|
||||
returned: success
|
||||
type: list
|
||||
sample: [{
|
||||
"created_timestamp": "2018-02-25T01:20:32.690000+00:00",
|
||||
"name": "default-rule-set"
|
||||
}]
|
||||
"""
|
||||
|
||||
from ansible.module_utils.aws.core import AnsibleAWSModule
|
||||
from ansible.module_utils.ec2 import camel_dict_to_snake_dict, AWSRetry
|
||||
|
||||
try:
|
||||
from botocore.exceptions import BotoCoreError, ClientError
|
||||
except ImportError:
|
||||
pass # handled by AnsibleAWSModule
|
||||
|
||||
|
||||
def list_rule_sets(client, module):
|
||||
try:
|
||||
response = client.list_receipt_rule_sets(aws_retry=True)
|
||||
except (BotoCoreError, ClientError) as e:
|
||||
module.fail_json_aws(e, msg="Couldn't list rule sets.")
|
||||
return response['RuleSets']
|
||||
|
||||
|
||||
def rule_set_in(name, rule_sets):
|
||||
return any([s for s in rule_sets if s['Name'] == name])
|
||||
|
||||
|
||||
def ruleset_active(client, module, name):
|
||||
try:
|
||||
active_rule_set = client.describe_active_receipt_rule_set(aws_retry=True)
|
||||
except (BotoCoreError, ClientError) as e:
|
||||
module.fail_json_aws(e, msg="Couldn't get the active rule set.")
|
||||
if active_rule_set is not None and 'Metadata' in active_rule_set:
|
||||
return name == active_rule_set['Metadata']['Name']
|
||||
else:
|
||||
# Metadata was not set meaning there is no active rule set
|
||||
return False
|
||||
|
||||
|
||||
def deactivate_rule_set(client, module):
|
||||
try:
|
||||
# No ruleset name deactivates all rulesets
|
||||
client.set_active_receipt_rule_set(aws_retry=True)
|
||||
except (BotoCoreError, ClientError) as e:
|
||||
module.fail_json_aws(e, msg="Couldn't set active rule set to None.")
|
||||
|
||||
|
||||
def update_active_rule_set(client, module, name, desired_active):
|
||||
check_mode = module.check_mode
|
||||
|
||||
active = ruleset_active(client, module, name)
|
||||
|
||||
changed = False
|
||||
if desired_active is not None:
|
||||
if desired_active and not active:
|
||||
if not check_mode:
|
||||
try:
|
||||
client.set_active_receipt_rule_set(RuleSetName=name, aws_retry=True)
|
||||
except (BotoCoreError, ClientError) as e:
|
||||
module.fail_json_aws(e, msg="Couldn't set active rule set to {0}.".format(name))
|
||||
changed = True
|
||||
active = True
|
||||
elif not desired_active and active:
|
||||
if not check_mode:
|
||||
deactivate_rule_set(client, module)
|
||||
changed = True
|
||||
active = False
|
||||
return changed, active
|
||||
|
||||
|
||||
def create_or_update_rule_set(client, module):
|
||||
name = module.params.get('name')
|
||||
check_mode = module.check_mode
|
||||
changed = False
|
||||
|
||||
rule_sets = list_rule_sets(client, module)
|
||||
if not rule_set_in(name, rule_sets):
|
||||
if not check_mode:
|
||||
try:
|
||||
client.create_receipt_rule_set(RuleSetName=name, aws_retry=True)
|
||||
except (BotoCoreError, ClientError) as e:
|
||||
module.fail_json_aws(e, msg="Couldn't create rule set {0}.".format(name))
|
||||
changed = True
|
||||
rule_sets = list(rule_sets)
|
||||
rule_sets.append({
|
||||
'Name': name,
|
||||
})
|
||||
|
||||
(active_changed, active) = update_active_rule_set(client, module, name, module.params.get('active'))
|
||||
changed |= active_changed
|
||||
|
||||
module.exit_json(
|
||||
changed=changed,
|
||||
active=active,
|
||||
rule_sets=[camel_dict_to_snake_dict(x) for x in rule_sets],
|
||||
)
|
||||
|
||||
|
||||
def remove_rule_set(client, module):
|
||||
name = module.params.get('name')
|
||||
check_mode = module.check_mode
|
||||
changed = False
|
||||
|
||||
rule_sets = list_rule_sets(client, module)
|
||||
if rule_set_in(name, rule_sets):
|
||||
active = ruleset_active(client, module, name)
|
||||
if active and not module.params.get('force'):
|
||||
module.fail_json(
|
||||
msg="Couldn't delete rule set {0} because it is currently active. Set force=true to delete an active ruleset.".format(name),
|
||||
error={
|
||||
"code": "CannotDelete",
|
||||
"message": "Cannot delete active rule set: {0}".format(name),
|
||||
}
|
||||
)
|
||||
if not check_mode:
|
||||
if active and module.params.get('force'):
|
||||
deactivate_rule_set(client, module)
|
||||
try:
|
||||
client.delete_receipt_rule_set(RuleSetName=name, aws_retry=True)
|
||||
except (BotoCoreError, ClientError) as e:
|
||||
module.fail_json_aws(e, msg="Couldn't delete rule set {0}.".format(name))
|
||||
changed = True
|
||||
rule_sets = [x for x in rule_sets if x['Name'] != name]
|
||||
|
||||
module.exit_json(
|
||||
changed=changed,
|
||||
rule_sets=[camel_dict_to_snake_dict(x) for x in rule_sets],
|
||||
)
|
||||
|
||||
|
||||
def main():
|
||||
argument_spec = dict(
|
||||
name=dict(type='str', required=True),
|
||||
state=dict(type='str', default='present', choices=['present', 'absent']),
|
||||
active=dict(type='bool'),
|
||||
force=dict(type='bool', default=False),
|
||||
)
|
||||
|
||||
module = AnsibleAWSModule(argument_spec=argument_spec, supports_check_mode=True)
|
||||
|
||||
state = module.params.get('state')
|
||||
|
||||
# SES APIs seem to have a much lower throttling threshold than most of the rest of the AWS APIs.
|
||||
# Docs say 1 call per second. This shouldn't actually be a big problem for normal usage, but
|
||||
# the ansible build runs multiple instances of the test in parallel that's caused throttling
|
||||
# failures so apply a jittered backoff to call SES calls.
|
||||
client = module.client('ses', retry_decorator=AWSRetry.jittered_backoff())
|
||||
|
||||
if state == 'absent':
|
||||
remove_rule_set(client, module)
|
||||
else:
|
||||
create_or_update_rule_set(client, module)
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
2
test/integration/targets/aws_ses_rule_set/aliases
Normal file
2
test/integration/targets/aws_ses_rule_set/aliases
Normal file
|
@ -0,0 +1,2 @@
|
|||
cloud/aws
|
||||
shippable/aws/group1
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
default_rule_set: "{{ resource_prefix }}-default-rule-set"
|
||||
second_rule_set: "{{ resource_prefix }}-second-rule-set"
|
||||
|
||||
# See comment in obtain-lock.yaml for definitions of these variables
|
||||
max_obtain_lock_attempts: 10
|
||||
obtain_lock_delay_seconds: 30
|
||||
lock_timeout_seconds: 900
|
||||
lock_log_group_prefix: "ansible-testing-locks/aws_ses_rule_set"
|
|
@ -0,0 +1,349 @@
|
|||
---
|
||||
# ============================================================
|
||||
# These tests all rely on making rule sets active. There can only be
|
||||
# a single active rule set so multiple builds must not run these tests
|
||||
# in parallel or they will fail intermittently.
|
||||
# See the locking block in main.yaml for how this restriction is enforced
|
||||
# ============================================================
|
||||
|
||||
- name: set up aws connection info
|
||||
set_fact:
|
||||
aws_connection_info: &aws_connection_info
|
||||
aws_access_key: "{{ aws_access_key }}"
|
||||
aws_secret_key: "{{ aws_secret_key }}"
|
||||
security_token: "{{ security_token }}"
|
||||
region: "{{ aws_region }}"
|
||||
no_log: yes
|
||||
|
||||
# ============================================================
|
||||
- name: mark rule set active
|
||||
block:
|
||||
- name: create rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
<<: *aws_connection_info
|
||||
- name: mark rule set active
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
active: True
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
- name: assert changed to active
|
||||
assert:
|
||||
that:
|
||||
- result.changed == True
|
||||
- result.active == True
|
||||
- name: remark rule set active
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
active: True
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
- name: assert changed is False
|
||||
assert:
|
||||
that:
|
||||
- result.changed == False
|
||||
always:
|
||||
- name: cleanup rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
state: absent
|
||||
force: True
|
||||
<<: *aws_connection_info
|
||||
|
||||
# ============================================================
|
||||
- name: create rule set active
|
||||
block:
|
||||
- name: create rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
active: True
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
- name: assert changed to existing and active
|
||||
assert:
|
||||
that:
|
||||
- result.changed == True
|
||||
- result.active == True
|
||||
- "default_rule_set in result.rule_sets|map(attribute='name')"
|
||||
- name: remark rule set active
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
active: True
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
- name: assert changed is False
|
||||
assert:
|
||||
that:
|
||||
- result.changed == False
|
||||
always:
|
||||
- name: cleanup rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
state: absent
|
||||
force: True
|
||||
<<: *aws_connection_info
|
||||
|
||||
# ============================================================
|
||||
- name: mark rule set inactive
|
||||
block:
|
||||
- name: create active rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
active: True
|
||||
<<: *aws_connection_info
|
||||
- name: mark rule set inactive
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
active: False
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
- name: assert changed to inactive
|
||||
assert:
|
||||
that:
|
||||
- result.changed == True
|
||||
- result.active == False
|
||||
- name: remark rule set inactive
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
active: False
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
- name: assert changed is False
|
||||
assert:
|
||||
that:
|
||||
- result.changed == False
|
||||
always:
|
||||
- name: cleanup rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
state: absent
|
||||
force: True
|
||||
<<: *aws_connection_info
|
||||
|
||||
# ============================================================
|
||||
- name: Absent active flag does not change active status
|
||||
block:
|
||||
- name: create active rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
active: True
|
||||
<<: *aws_connection_info
|
||||
- name: recreate rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
- name: assert not changed and still active
|
||||
assert:
|
||||
that:
|
||||
- result.changed == False
|
||||
- result.active == True
|
||||
always:
|
||||
- name: cleanup rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
state: absent
|
||||
force: True
|
||||
<<: *aws_connection_info
|
||||
|
||||
# ============================================================
|
||||
- name: Cannot Remove Active Rule Set
|
||||
block:
|
||||
- name: create active rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
active: True
|
||||
<<: *aws_connection_info
|
||||
- name: remove rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
state: absent
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
failed_when: "result.error.code != 'CannotDelete'"
|
||||
- name: assert error code is CannotDelete
|
||||
assert:
|
||||
that:
|
||||
- "result.error.code == 'CannotDelete'"
|
||||
always:
|
||||
- name: cleanup rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
state: absent
|
||||
force: True
|
||||
<<: *aws_connection_info
|
||||
|
||||
# ============================================================
|
||||
- name: Remove Active Rule Set with Force
|
||||
block:
|
||||
- name: create active rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
active: True
|
||||
<<: *aws_connection_info
|
||||
- name: force remove rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
state: absent
|
||||
force: True
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
- name: assert changed and absent
|
||||
assert:
|
||||
that:
|
||||
- result.changed == True
|
||||
- "default_rule_set not in result.rule_sets|map(attribute='name')"
|
||||
always:
|
||||
- name: cleanup rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
state: absent
|
||||
force: True
|
||||
<<: *aws_connection_info
|
||||
|
||||
# ============================================================
|
||||
- name: Force Remove of Inactive Rule Set does Not Affect Active Rule Set
|
||||
block:
|
||||
- name: create active rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
active: True
|
||||
<<: *aws_connection_info
|
||||
- name: create inactive rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ second_rule_set }}"
|
||||
active: False
|
||||
<<: *aws_connection_info
|
||||
- name: force remove inactiave rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ second_rule_set }}"
|
||||
state: absent
|
||||
force: True
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
- name: assert changed and absent
|
||||
assert:
|
||||
that:
|
||||
- result.changed == True
|
||||
- "second_rule_set not in result.rule_sets|map(attribute='name')"
|
||||
- name: remark active rule set active
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
active: True
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
- name: assert no change
|
||||
assert:
|
||||
that:
|
||||
- result.changed == False
|
||||
always:
|
||||
- name: cleanup rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ item }}"
|
||||
state: absent
|
||||
force: True
|
||||
<<: *aws_connection_info
|
||||
loop:
|
||||
- "{{ default_rule_set }}"
|
||||
- "{{ second_rule_set }}"
|
||||
|
||||
# ============================================================
|
||||
- name: mark rule set inactive in check mode
|
||||
block:
|
||||
- name: create rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
active: True
|
||||
<<: *aws_connection_info
|
||||
- name: mark rule set inactive in check mode
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
active: False
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
check_mode: True
|
||||
- name: assert changed to inactive
|
||||
assert:
|
||||
that:
|
||||
- result.changed == True
|
||||
- result.active == False
|
||||
- name: remark rule set inactive
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
active: False
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
- name: assert changed is True since previous inactive was in check mode
|
||||
assert:
|
||||
that:
|
||||
- result.changed == True
|
||||
always:
|
||||
- name: cleanup rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
state: absent
|
||||
force: True
|
||||
<<: *aws_connection_info
|
||||
|
||||
# ============================================================
|
||||
- name: Cannot Remove Active Rule Set in check mode
|
||||
block:
|
||||
- name: create active rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
active: True
|
||||
<<: *aws_connection_info
|
||||
- name: remove rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
state: absent
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
failed_when: "result.error.code != 'CannotDelete'"
|
||||
check_mode: True
|
||||
- name: assert error code is CannotDelete
|
||||
assert:
|
||||
that:
|
||||
- "result.error.code == 'CannotDelete'"
|
||||
always:
|
||||
- name: cleanup rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
state: absent
|
||||
force: True
|
||||
<<: *aws_connection_info
|
||||
|
||||
# ============================================================
|
||||
- name: Remove Active Rule Set with Force in check mode
|
||||
block:
|
||||
- name: create active rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
active: True
|
||||
<<: *aws_connection_info
|
||||
- name: force remove rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
state: absent
|
||||
force: True
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
check_mode: True
|
||||
- name: assert changed and absent
|
||||
assert:
|
||||
that:
|
||||
- result.changed == True
|
||||
- "default_rule_set not in result.rule_sets|map(attribute='name')"
|
||||
always:
|
||||
- name: cleanup rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
state: absent
|
||||
force: True
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
- name: assert changed is True since previous removal was in check mode
|
||||
assert:
|
||||
that:
|
||||
- result.changed == True
|
|
@ -0,0 +1,15 @@
|
|||
---
|
||||
# ============================================================
|
||||
# Release a lock obtained using obtain-lock.yaml
|
||||
# This should be included in the always clause of a block to
|
||||
# ensure the lock is released. See obtain-lock.yaml for more
|
||||
# details of how the locking works.
|
||||
# ============================================================
|
||||
|
||||
- cloudwatchlogs_log_group:
|
||||
log_group_name: "{{ lock_attempt_log_group_name }}"
|
||||
state: absent
|
||||
aws_access_key: "{{ aws_access_key }}"
|
||||
aws_secret_key: "{{ aws_secret_key }}"
|
||||
security_token: "{{ security_token }}"
|
||||
region: "{{ aws_region }}"
|
|
@ -0,0 +1,187 @@
|
|||
---
|
||||
# ============================================================
|
||||
# These tests work on rule sets without making them active.
|
||||
# so multiple builds can safely run these tests as is normal.
|
||||
#
|
||||
# DO NOT ADD TESTS THAT RELY ON ACTIVE RULE SETS TO THIS FILE
|
||||
#
|
||||
# Any test that make rule sets active must be added in
|
||||
# active-rule-set-tests.yaml or you will have intermittent failures
|
||||
# from multiple builds interacting
|
||||
# ============================================================
|
||||
|
||||
- name: set up aws connection info
|
||||
set_fact:
|
||||
aws_connection_info: &aws_connection_info
|
||||
aws_access_key: "{{ aws_access_key }}"
|
||||
aws_secret_key: "{{ aws_secret_key }}"
|
||||
security_token: "{{ security_token }}"
|
||||
region: "{{ aws_region }}"
|
||||
no_log: yes
|
||||
|
||||
# ============================================================
|
||||
- name: test create rule sets
|
||||
block:
|
||||
- name: create rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
- name: assert changed to exists inactive
|
||||
assert:
|
||||
that:
|
||||
- result.changed == True
|
||||
- result.active == False
|
||||
- "default_rule_set in result.rule_sets|map(attribute='name')"
|
||||
- name: recreate rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
- name: assert changed is False
|
||||
assert:
|
||||
that:
|
||||
- result.changed == False
|
||||
always:
|
||||
- name: cleanup rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
state: absent
|
||||
force: True
|
||||
<<: *aws_connection_info
|
||||
# ============================================================
|
||||
- name: Remove No Such Rules Set
|
||||
block:
|
||||
- name: remove ruleset
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
state: absent
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
- name: assert not changed and absent
|
||||
assert:
|
||||
that:
|
||||
- result.changed == False
|
||||
- "default_rule_set not in result.rule_sets|map(attribute='name')"
|
||||
# ============================================================
|
||||
- name: Remove Inactive Rule Set
|
||||
block:
|
||||
- name: create rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
<<: *aws_connection_info
|
||||
- name: remove rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
state: absent
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
- name: assert changed and removed
|
||||
assert:
|
||||
that:
|
||||
- result.changed == True
|
||||
- "default_rule_set not in result.rule_sets|map(attribute='name')"
|
||||
always:
|
||||
- name: cleanup rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
state: absent
|
||||
force: True
|
||||
<<: *aws_connection_info
|
||||
# ============================================================
|
||||
- name: test create in check mode
|
||||
block:
|
||||
- name: create rule set in check mode
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
check_mode: True
|
||||
- name: assert changed inactive and present
|
||||
assert:
|
||||
that:
|
||||
- result.changed == True
|
||||
- result.active == False
|
||||
- "default_rule_set in result.rule_sets|map(attribute='name')"
|
||||
always:
|
||||
- name: cleanup rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
state: absent
|
||||
force: True
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
- name: assert nothing to clean up since create was in check mode
|
||||
assert:
|
||||
that:
|
||||
- result.changed == False
|
||||
# ============================================================
|
||||
- name: mark rule set active in check mode
|
||||
block:
|
||||
- name: create rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
<<: *aws_connection_info
|
||||
- name: mark rule set active in check mode
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
active: True
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
check_mode: True
|
||||
- name: assert changed and active
|
||||
assert:
|
||||
that:
|
||||
- result.changed == True
|
||||
- result.active == True
|
||||
# We check the rule set is still inactive rather than making
|
||||
# it active again as that way this test can be run in
|
||||
# parallel
|
||||
- name: Ensure rule set is inactive
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
active: False
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
- name: assert unchanged since activation was in check mode
|
||||
assert:
|
||||
that:
|
||||
- result.changed == False
|
||||
always:
|
||||
- name: cleanup rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
state: absent
|
||||
force: True
|
||||
<<: *aws_connection_info
|
||||
# ============================================================
|
||||
- name: Remove Inactive Rule Set in check mode
|
||||
block:
|
||||
- name: create rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
<<: *aws_connection_info
|
||||
- name: remove rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
state: absent
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
check_mode: True
|
||||
- name: assert changed and removed
|
||||
assert:
|
||||
that:
|
||||
- result.changed == True
|
||||
- "default_rule_set not in result.rule_sets|map(attribute='name')"
|
||||
always:
|
||||
- name: cleanup rule set
|
||||
aws_ses_rule_set:
|
||||
name: "{{ default_rule_set }}"
|
||||
state: absent
|
||||
force: True
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
- name: assert changed is True since previous removal was in check mode
|
||||
assert:
|
||||
that:
|
||||
- result.changed == True
|
36
test/integration/targets/aws_ses_rule_set/tasks/main.yaml
Normal file
36
test/integration/targets/aws_ses_rule_set/tasks/main.yaml
Normal file
|
@ -0,0 +1,36 @@
|
|||
---
|
||||
- include_tasks: inactive-rule-set-tests.yaml
|
||||
|
||||
# ============================================================
|
||||
# There can only be a single active rule set, tests that
|
||||
# relies on the active state of the rule cannot be run in
|
||||
# parallel.
|
||||
# To prevent failures due to parallel runs in the integration
|
||||
# builds, the below block creates a lock to ensure that only
|
||||
# one process will be running these tests in the same region
|
||||
# and same AWS account.
|
||||
# See obtain-lock.yaml for explanation of how the lock is
|
||||
# constructed.
|
||||
# ============================================================
|
||||
- name: Active Rule Set Tests
|
||||
block:
|
||||
- name: Obtain Lock
|
||||
include_tasks: obtain-lock-wrapper.yaml
|
||||
# Use of loop here is a workaround for lack of support for
|
||||
# do-until loops on includes. See:
|
||||
# https://github.com/ansible/ansible/issues/17098
|
||||
loop: "{{ range(0, max_obtain_lock_attempts, 1)|list }}"
|
||||
loop_control:
|
||||
loop_var: obtain_lock_attempt
|
||||
|
||||
# Because of the above workaround we have to explicitly check
|
||||
# that the lock was obtained
|
||||
- name: Check Obtained Lock
|
||||
assert:
|
||||
msg: "Could not obtain lock after {{ max_obtain_lock_attempts }} attempts."
|
||||
that: won_lock|bool
|
||||
|
||||
- include_tasks: active-rule-set-tests.yaml
|
||||
|
||||
always:
|
||||
- include_tasks: cleanup-lock.yaml
|
|
@ -0,0 +1,26 @@
|
|||
# ============================================================
|
||||
# Do While loops cannot be used on task includes.
|
||||
# See: https://github.com/ansible/ansible/issues/17098
|
||||
#
|
||||
# So as a workaround we use a regular loop to repeatedly attempt
|
||||
# obtaining a lock.
|
||||
#
|
||||
# For this to work we need to skip the subsequent iterations
|
||||
# once we get a lock, and delay between iterations if we
|
||||
# did not obtain the lock.
|
||||
#
|
||||
# This file encapsulates this logic to reduce the spam from
|
||||
# skipped tasks in the ansible log.
|
||||
# ============================================================
|
||||
|
||||
- include_tasks: obtain-lock.yaml
|
||||
# Skip obtaining a lock if we've already succeeded in getting it
|
||||
when: "not won_lock|default(False)|bool"
|
||||
|
||||
- name: Lock Retry Delay
|
||||
wait_for:
|
||||
# Add some random jitter to the delay to reduce lock contention
|
||||
timeout: "{{ obtain_lock_delay_seconds + 15|random }}"
|
||||
# Only delay if we're retrying, so skip the delay if we're
|
||||
# on the last attempt or have got the lock
|
||||
when: "obtain_lock_attempt < (max_obtain_lock_attempts - 1) and not won_lock|bool"
|
126
test/integration/targets/aws_ses_rule_set/tasks/obtain-lock.yaml
Normal file
126
test/integration/targets/aws_ses_rule_set/tasks/obtain-lock.yaml
Normal file
|
@ -0,0 +1,126 @@
|
|||
# ============================================================
|
||||
# This file attempts to obtain a global lock (for a given
|
||||
# region / account combination.
|
||||
#
|
||||
# This makes one attempt to get the lock and will set the
|
||||
# won_lock variable to True or False to indicate whether
|
||||
# or not we got the lock.
|
||||
#
|
||||
# It's expected that this will be executed in a retry loop
|
||||
# so that if we don't get the lock we delay then try again.
|
||||
#
|
||||
# This should only be used in a block with cleanup-lock.yaml
|
||||
# included in the always clause to ensure the lock is released.
|
||||
#
|
||||
# There are several variables that control the locking behaviour:
|
||||
# * lock_timeout_seconds
|
||||
# How old a lock must be before it's assumed to be an expired
|
||||
# lock that was not cleaned up by the owner. Any locks older
|
||||
# than this will not prevent a lock being obtained and will
|
||||
# be deleted when a new process obtains the lock.
|
||||
# * lock_log_group_prefix
|
||||
# The log_group prefix that represents the lock being obtained.
|
||||
# This must be the same across all processes trying to obtain
|
||||
# the lock.
|
||||
# * lock_process_id
|
||||
# A unique identifier of this process. Each process that might
|
||||
# attempt to lock the process must have a different identifier.
|
||||
# This defaults to the resource_prefix which is generally
|
||||
# appropriate.
|
||||
# * max_obtain_lock_attempts
|
||||
# How many attempts to make to get the lock before giving up
|
||||
# NB: This is actually done in main.yaml
|
||||
# * obtain_lock_delay_seconds:
|
||||
# How long to delay after failing to get the lock before
|
||||
# trying again.
|
||||
# NB: This is actually done in obtain-lock-wrapper.yaml
|
||||
#
|
||||
# The locking here is based around creating cloudwatch log groups.
|
||||
# This resource was chosen because:
|
||||
# A) it's free
|
||||
# B) we have a built in grouping concept because of the hierarchy
|
||||
# that allows us to easily group attempts for the same lock
|
||||
# C) the creation time is tracked and returned which gives us
|
||||
# a mechanism for deterministically picking a winner
|
||||
#
|
||||
# Each lock is represented by a log group prefix. Each attempt
|
||||
# to obtain the lock is a log group of the lock_process_id below
|
||||
# that prefix.
|
||||
#
|
||||
# The winning lock is the one with the earliest creation time.
|
||||
#
|
||||
# To prevent a hanging lock from permanently hanging the build
|
||||
# lock attempts older than the lock timeout are ignored and
|
||||
# cleaned up by the next process to win the lock.
|
||||
# ============================================================
|
||||
|
||||
- name: set up aws connection info
|
||||
set_fact:
|
||||
aws_connection_info: &aws_connection_info
|
||||
aws_access_key: "{{ aws_access_key }}"
|
||||
aws_secret_key: "{{ aws_secret_key }}"
|
||||
security_token: "{{ security_token }}"
|
||||
region: "{{ aws_region }}"
|
||||
no_log: yes
|
||||
|
||||
- name: Set lock_attempt_log_group_name
|
||||
set_fact:
|
||||
lock_attempt_log_group_name: "{{ lock_log_group_prefix }}/{{ lock_process_id|default(resource_prefix) }}"
|
||||
|
||||
# Note the overwrite below to ensure that the creation time
|
||||
# is upated. This is important as we calculate expiry relative
|
||||
# the attempt creation.
|
||||
#
|
||||
# Because of this it's imporatnt that we delete the attempt
|
||||
# if we don't get the lock. Otherwise we can get a deadlock
|
||||
# where the stale atttempt from one process wins, but then
|
||||
# because that process updates the creation date it doesn't
|
||||
# consider its self to havewone.
|
||||
- name: Create Lock Attempt Log Group
|
||||
cloudwatchlogs_log_group:
|
||||
log_group_name: "{{ lock_attempt_log_group_name }}"
|
||||
state: present
|
||||
overwrite: True
|
||||
<<: *aws_connection_info
|
||||
register: lock_attempt_log_group_result
|
||||
|
||||
- name: Get Lock Attempt Lock Groups
|
||||
cloudwatchlogs_log_group_facts:
|
||||
log_group_name: "{{ lock_log_group_prefix }}/"
|
||||
<<: *aws_connection_info
|
||||
register: lock_attempt_log_groups
|
||||
|
||||
- name: Calculate Expired Lock Attempt Timestamp
|
||||
set_fact:
|
||||
expired_lock_timestamp: "{{ lock_attempt_log_group_result.creation_time - (lock_timeout_seconds * 1000) }}"
|
||||
|
||||
- name: Get Expired and Active Lock Attempts
|
||||
set_fact:
|
||||
expired_lock_attempts: "{{ lock_attempt_log_groups.log_groups|selectattr('creation_time', 'lt', expired_lock_timestamp|int)|list }}"
|
||||
active_lock_attempts: "{{ lock_attempt_log_groups.log_groups|selectattr('creation_time', 'ge', expired_lock_timestamp|int)|list }}"
|
||||
|
||||
- name: Pick Winning Lock Attempt
|
||||
set_fact:
|
||||
winning_lock_attempt: "{{ active_lock_attempts|sort(attribute='creation_time')|first }}"
|
||||
|
||||
- name: Determine if Won Lock
|
||||
set_fact:
|
||||
won_lock: "{{ winning_lock_attempt.log_group_name == lock_attempt_log_group_name }}"
|
||||
|
||||
# Remove the lock attempt if we didn't get the lock. This prevents
|
||||
# our stale lock attempt blocking another process from getting the lock.
|
||||
# See more detailed comment above Create Lock Attempt Log Group
|
||||
- name: Remove Failed Lock Attempt Log Group
|
||||
cloudwatchlogs_log_group:
|
||||
log_group_name: "{{ lock_attempt_log_group_name }}"
|
||||
state: absent
|
||||
<<: *aws_connection_info
|
||||
when: "not won_lock|bool"
|
||||
|
||||
- name: Delete Expired Lock Attempts
|
||||
cloudwatchlogs_log_group:
|
||||
log_group_name: "{{ item.log_group_name }}"
|
||||
state: absent
|
||||
<<: *aws_connection_info
|
||||
when: "won_lock|bool"
|
||||
loop: "{{ expired_lock_attempts }}"
|
Loading…
Reference in a new issue