1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

Aws ssm multiple fixes (#35569)

* aws ssm parameter lookup test case - fails demonstrating no exception when parameter missing

* aws ssm parameter lookup - fail in case parameter doesn't exist

* aws ssm parameter lookup test case - failing case for nice return from path lookup

* aws ssm parameter lookup - convert incoming taglist to a key-value dictionary

* aws ssm parameter lookup - pep8 / style clean up

* aws_ssm lookup plugin rewrite for more standard interface

* aws_ssm module and lookup - introduce integration test and fix:

* aws_ssm module and lookup - error case integraton test and many PEP8 and other cleanups

* aws ssm parameter lookup - Various fixes in response to review + recursive fix & test

* aws ssm parameter lookup - more in response to review - shertel/abadger

* aws ssm parameter lookup unit test - move to mocker according to abadger

* aws ssm parameter lookup - integrate with new documentation fragment

* aws ssm parameter lookup - accept either aws_profile or boto_profile

* aws ssm parameter lookup - eliminate lookup document fragment until env vars are fixed later
This commit is contained in:
mikedlr 2018-02-06 22:41:46 +00:00 committed by Sloane Hertel
parent 49eb0c49ea
commit d31ded47fb
6 changed files with 451 additions and 154 deletions

View file

@ -60,7 +60,9 @@ options:
description: description:
- region. - region.
required: false required: false
author: Bill Wang (ozbillwang@gmail.com) author:
- Bill Wang (ozbillwang@gmail.com)
- Michael De La Rue (@mikedlr)
extends_documentation_fragment: aws extends_documentation_fragment: aws
requirements: [ botocore, boto3 ] requirements: [ botocore, boto3 ]
''' '''
@ -107,13 +109,11 @@ delete_parameter:
type: dictionary type: dictionary
''' '''
import traceback from ansible.module_utils.aws.core import AnsibleAWSModule
from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.ec2 import boto3_conn, get_aws_connection_info
from ansible.module_utils.ec2 import HAS_BOTO3, camel_dict_to_snake_dict
from ansible.module_utils.ec2 import boto3_conn, ec2_argument_spec, get_aws_connection_info
try: try:
from botocore.exceptions import ClientError, NoCredentialsError from botocore.exceptions import ClientError
except ImportError: except ImportError:
pass # will be captured by imported HAS_BOTO3 pass # will be captured by imported HAS_BOTO3
@ -139,64 +139,54 @@ def create_update_parameter(client, module):
response = client.put_parameter(**args) response = client.put_parameter(**args)
changed = True changed = True
except ClientError as e: except ClientError as e:
module.fail_json(msg=e.message, exception=traceback.format_exc(), module.fail_json_aws(e, msg="setting parameter")
**camel_dict_to_snake_dict(e.response))
return changed, response return changed, response
def delete_parameter(client, module): def delete_parameter(client, module):
changed = False
response = {} response = {}
try: try:
get_response = client.get_parameters( response = client.delete_parameter(
Names=[module.params.get('name')] Name=module.params.get('name')
) )
except ClientError as e: except ClientError as e:
module.fail_json(msg=e.message, exception=traceback.format_exc(), if e.response['Error']['Code'] == 'ParameterNotFound':
**camel_dict_to_snake_dict(e.response)) return False, {}
module.fail_json_aws(e, msg="deleting parameter")
if get_response['Parameters']: return True, response
try:
response = client.delete_parameter(
Name=module.params.get('name')
)
changed = True
except ClientError as e:
module.fail_json(msg=e.message, exception=traceback.format_exc(),
**camel_dict_to_snake_dict(e.response))
return changed, response
def setup_client(module):
region, ec2_url, aws_connect_params = get_aws_connection_info(module, boto3=True)
connection = boto3_conn(module, conn_type='client', resource='ssm', region=region, endpoint=ec2_url, **aws_connect_params)
return connection
def setup_module_object():
argument_spec = dict(
name=dict(required=True),
description=dict(),
value=dict(required=False),
state=dict(default='present', choices=['present', 'absent']),
string_type=dict(default='String', choices=['String', 'StringList', 'SecureString']),
decryption=dict(default=True, type='bool'),
key_id=dict(default="alias/aws/ssm"),
overwrite=dict(default=True, type='bool'),
region=dict(required=False),
)
return AnsibleAWSModule(
argument_spec=argument_spec,
)
def main(): def main():
module = setup_module_object()
argument_spec = ec2_argument_spec()
argument_spec.update(
dict(
name=dict(required=True),
description=dict(),
value=dict(required=False),
state=dict(default='present', choices=['present', 'absent']),
string_type=dict(default='String', choices=['String', 'StringList', 'SecureString']),
decryption=dict(default=True, type='bool'),
key_id=dict(default="alias/aws/ssm"),
overwrite=dict(default=True, type='bool'),
region=dict(required=False),
)
)
module = AnsibleModule(argument_spec=argument_spec)
if not HAS_BOTO3:
module.fail_json(msg='boto3 are required.')
state = module.params.get('state') state = module.params.get('state')
try: client = setup_client(module)
region, ec2_url, aws_connect_kwargs = get_aws_connection_info(module, boto3=True)
client = boto3_conn(module, conn_type='client', resource='ssm', region=region, endpoint=ec2_url, **aws_connect_kwargs)
except NoCredentialsError as e:
module.fail_json(msg="Can't authorize connection - %s" % str(e))
invocations = { invocations = {
"present": create_update_parameter, "present": create_update_parameter,
@ -205,5 +195,6 @@ def main():
(changed, response) = invocations[state](client, module) (changed, response) = invocations[state](client, module)
module.exit_json(changed=changed, response=response) module.exit_json(changed=changed, response=response)
if __name__ == '__main__': if __name__ == '__main__':
main() main()

View file

@ -1,5 +1,6 @@
# (c) 2016, Bill Wang <ozbillwang(at)gmail.com> # (c) 2016, Bill Wang <ozbillwang(at)gmail.com>
# (c) 2017, Marat Bakeev <hawara(at)gmail.com> # (c) 2017, Marat Bakeev <hawara(at)gmail.com>
# (c) 2018, Michael De La Rue <siblemitcom.mddlr(at)spamgourmet.com>
# (c) 2017 Ansible Project # (c) 2017 Ansible Project
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
@ -7,33 +8,42 @@ from __future__ import (absolute_import, division, print_function)
__metaclass__ = type __metaclass__ = type
DOCUMENTATION = ''' DOCUMENTATION = '''
lookup: aws_ssm lookup: aws_ssm
author: author:
- Bill Wang <ozbillwang(at)gmail.com> - Bill Wang <ozbillwang(at)gmail.com>
- Marat Bakeev <hawara(at)gmail.com> - Marat Bakeev <hawara(at)gmail.com>
version_added: 2.5 - Michael De La Rue <siblemitcom.mddlr@spamgourmet.com>
short_description: Get the value for a SSM parameter. version_added: 2.5
description: requirements:
- Get the value for an Amazon Simple Systems Manager parameter or a heirarchy of parameters. The first - boto3
argument you pass the lookup can either be a parameter name or a hierarchy of parameters. Hierarchies start - botocore
with a forward slash and end with the parameter name. Up to 5 layers may be specified. short_description: Get the value for a SSM parameter or all parameters under a path.
options: description:
aws_profile: - Get the value for an Amazon Simple Systems Manager parameter or a heirarchy of parameters.
description: The boto profile to use. You may use environment variables or the default profile as an alternative. The first argument you pass the lookup can either be a parameter name or a hierarchy of
region: parameters. Hierarchies start with a forward slash and end with the parameter name. Up to
description: The region to use. You may use environment variables ar the default profile's region as an alternative. 5 layers may be specified.
decrypt: - When explicitly looking up a parameter by name the parameter being missing will be an error.
description: A boolean to indicate whether to decrypt the parameter. - When looking up a path for parameters under it a dictionary will be returned for each path.
default: false If there is no parameter under that path then the return will be successful but the
bypath: dictionary will be empty.
description: A boolean to indicate whether the parameter is provided as a hierarchy. options:
default: false decrypt:
recursive: description: A boolean to indicate whether to decrypt the parameter.
description: A boolean to indicate whether to retrieve all parameters within a hierarchy. default: false
default: false type: boolean
shortnames: bypath:
description: Indicates whether to return the shortened name if using a parameter hierarchy. description: A boolean to indicate whether the parameter is provided as a hierarchy.
default: false default: false
type: boolean
recursive:
description: A boolean to indicate whether to retrieve all parameters within a hierarchy.
default: false
type: boolean
shortnames:
description: Indicates whether to return the name only without path if using a parameter hierarchy.
default: false
type: boolean
''' '''
EXAMPLES = ''' EXAMPLES = '''
@ -45,130 +55,148 @@ EXAMPLES = '''
debug: msg="{{ lookup('aws_ssm', 'NoKey') }}" debug: msg="{{ lookup('aws_ssm', 'NoKey') }}"
- name: lookup ssm parameter store in nominated region - name: lookup ssm parameter store in nominated region
debug: msg="{{ lookup('aws_ssm', 'Hello', 'region=us-east-2' ) }}" debug: msg="{{ lookup('aws_ssm', 'Hello', region=us-east-2 ) }}"
- name: lookup ssm parameter store without decrypted - name: lookup ssm parameter store without decrypted
debug: msg="{{ lookup('aws_ssm', 'Hello', 'decrypt=False' ) }}" debug: msg="{{ lookup('aws_ssm', 'Hello', decrypt=False ) }}"
- name: lookup ssm parameter store in nominated aws profile - name: lookup ssm parameter store in nominated aws profile
debug: msg="{{ lookup('aws_ssm', 'Hello', 'aws_profile=myprofile' ) }}" debug: msg="{{ lookup('aws_ssm', 'Hello', aws_profile=myprofile ) }}"
- name: lookup ssm parameter store with all options. - name: lookup ssm parameter store with all options.
debug: msg="{{ lookup('aws_ssm', 'Hello', 'decrypt=false', 'region=us-east-2', 'aws_profile=myprofile') }}" debug: msg="{{ lookup('aws_ssm', 'Hello', decrypt=false, region=us-east-2, aws_profile=myprofile') }}"
- name: return a dictionary of ssm parameters from a hierarchy path - name: return a dictionary of ssm parameters from a hierarchy path
debug: msg="{{ lookup('aws_ssm', '/PATH/to/params', 'region=ap-southeast-2', 'bypath', 'recursive=true' ) }}" debug: msg="{{ lookup('aws_ssm', '/PATH/to/params', region=ap-southeast-2, bypath=true, recursive=true' ) }}"
- name: return a dictionary of ssm parameters from a hierarchy path with shortened names (param instead of /PATH/to/param) - name: return a dictionary of ssm parameters from a hierarchy path with shortened names (param instead of /PATH/to/param)
debug: msg="{{ lookup('aws_ssm', '/PATH/to/params', 'region=ap-southeast-2', 'shortnames', 'bypath', 'recursive=true' ) }}" debug: msg="{{ lookup('aws_ssm', '/PATH/to/params', region=ap-southeast-2, shortnames=true, bypath=true, recursive=true ) }}"
- name: Iterate over a parameter hierarchy - name: Iterate over a parameter hierarchy
debug: msg='key contains {{item.Name }} with value {{item.Value}} ' debug: msg='key contains {{item.Name}} with value {{item.Value}} '
with_aws_ssm: loop: '{{ query("aws_ssm", "/TEST/test-list", region="ap-southeast-2", bypath=true) }}'
- '/TEST/test-list'
- 'region=ap-southeast-2'
- 'bypath'
''' '''
from ansible.module_utils.ec2 import HAS_BOTO3 from ansible.module_utils._text import to_native
from ansible.module_utils.ec2 import HAS_BOTO3, boto3_tag_list_to_ansible_dict
from ansible.errors import AnsibleError from ansible.errors import AnsibleError
from ansible.plugins.lookup import LookupBase from ansible.plugins.lookup import LookupBase
from ansible.module_utils.parsing.convert_bool import boolean
try:
from __main__ import display
except ImportError:
from ansible.utils.display import Display
display = Display()
try: try:
from botocore.exceptions import ClientError from botocore.exceptions import ClientError
import botocore
import boto3 import boto3
except ImportError: except ImportError:
pass # will be captured by imported HAS_BOTO3 pass # will be captured by imported HAS_BOTO3
class LookupModule(LookupBase): def _boto3_conn(region, credentials):
def run(self, terms, variables, **kwargs): if 'boto_profile' in credentials:
''' boto_profile = credentials.pop('boto_profile')
:param terms: a list of plugin options else:
e.g. ['parameter_name', 'region=us-east-1', 'aws_profile=profile', 'decrypt=false'] boto_profile = None
:param variables: config variables
:return The value of the SSM parameter or None
'''
ret = {} try:
response = {} connection = boto3.session.Session(profile_name=boto_profile).client('ssm', region, **credentials)
session = {} except (botocore.exceptions.ProfileNotFound, botocore.exceptions.PartialCredentialsError):
ssm_dict = {} if boto_profile:
lparams = {} try:
connection = boto3.session.Session(profile_name=boto_profile).client('ssm', region)
# FIXME: we should probably do better passing on of the error information
except (botocore.exceptions.ProfileNotFound, botocore.exceptions.PartialCredentialsError):
raise AnsibleError("Insufficient credentials found.")
else:
raise AnsibleError("Insufficient credentials found.")
return connection
class LookupModule(LookupBase):
def run(self, terms, variables=None, boto_profile=None, aws_profile=None,
aws_secret_key=None, aws_access_key=None, aws_security_token=None, region=None,
bypath=False, shortnames=False, recursive=False, decrypt=True):
'''
:arg terms: a list of lookups to run.
e.g. ['parameter_name', 'parameter_name_too' ]
:kwarg variables: ansible variables active at the time of the lookup
:kwarg aws_secret_key: identity of the AWS key to use
:kwarg aws_access_key: AWS seret key (matching identity)
:kwarg aws_security_token: AWS session key if using STS
:kwarg decrypt: Set to True to get decrypted parameters
:kwarg region: AWS region in which to do the lookup
:kwarg bypath: Set to True to do a lookup of variables under a path
:kwarg recursive: Set to True to recurse below the path (requires bypath=True)
:returns: A list of parameter values or a list of dictionaries if bypath=True.
'''
if not HAS_BOTO3: if not HAS_BOTO3:
raise AnsibleError('botocore and boto3 are required.') raise AnsibleError('botocore and boto3 are required for aws_ssm lookup.')
ssm_dict['WithDecryption'] = True ret = []
response = {}
ssm_dict = {}
# check if option 'bypath' is specified, while still allowing to have a parameter with the same name credentials = {}
if 'bypath' in terms[1:]: if aws_profile:
ssm_dict['Path'] = terms[0] credentials['boto_profile'] = aws_profile
del terms[terms[1:].index('bypath') + 1]
else: else:
ssm_dict['Names'] = [terms[0]] credentials['boto_profile'] = boto_profile
credentials['aws_secret_access_key'] = aws_secret_key
credentials['aws_access_key_id'] = aws_access_key
credentials['aws_session_token'] = aws_security_token
# Option to return short parameter names in by path lookups client = _boto3_conn(region, credentials)
if 'shortnames' in terms[1:]:
lparams['shortnames'] = True
del terms[terms[1:].index('shortnames') + 1]
if len(terms) > 1: ssm_dict['WithDecryption'] = decrypt
for param in terms[1:]:
if "=" in param:
key, value = param.split('=')
else:
raise AnsibleError("ssm parameter store plugin needs key=value pairs, but received %s" % param)
if key == "region" or key == "aws_profile": # Lookup by path
session[key] = value if bypath:
ssm_dict['Recursive'] = recursive
# recurse or not for term in terms:
if key == "recursive" and boolean(value): ssm_dict["Path"] = term
ssm_dict['Recursive'] = True display.vvv("AWS_ssm path lookup term: %s in region: %s" % (term, region))
try:
# decrypt the value or not response = client.get_parameters_by_path(**ssm_dict)
if key == "decrypt" and boolean(value): except ClientError as e:
ssm_dict['WithDecryption'] = False raise AnsibleError("SSM lookup exception: {0}".format(to_native(e)))
if "aws_profile" in session:
boto3.setup_default_session(profile_name=session['aws_profile'])
if "region" in session:
client = boto3.client('ssm', region_name=session['region'])
else:
client = boto3.client('ssm')
try:
# Lookup by path
if 'Path' in ssm_dict:
response = client.get_parameters_by_path(**ssm_dict)
paramlist = list() paramlist = list()
paramlist.extend(response['Parameters']) paramlist.extend(response['Parameters'])
# Manual pagination, since boto doesnt support it yet for get_parameters_by_path # Manual pagination, since boto doesn't support it yet for get_parameters_by_path
while 'NextToken' in response: while 'NextToken' in response:
response = client.get_parameters_by_path(NextToken=response['NextToken'], **ssm_dict) response = client.get_parameters_by_path(NextToken=response['NextToken'], **ssm_dict)
paramlist.extend(response['Parameters']) paramlist.extend(response['Parameters'])
# shorten parameter names. yes, this will return duplicate names with different values. # shorten parameter names. yes, this will return duplicate names with different values.
if 'shortnames' in lparams: if shortnames:
for x in paramlist: for x in paramlist:
x['Name'] = x['Name'][x['Name'].rfind('/') + 1:] x['Name'] = x['Name'][x['Name'].rfind('/') + 1:]
display.vvvv("AWS_ssm path lookup returned: %s" % str(paramlist))
if len(paramlist): if len(paramlist):
return paramlist ret.append(boto3_tag_list_to_ansible_dict(paramlist,
tag_name_key_name="Name",
tag_value_key_name="Value"))
else: else:
return None ret.append({})
# Lookup by parameter name # Lookup by parameter name - always returns a list with one or no entry.
else: else:
display.vvv("AWS_ssm name lookup term: %s" % terms)
ssm_dict["Names"] = terms
try:
response = client.get_parameters(**ssm_dict) response = client.get_parameters(**ssm_dict)
ret.update(response) except ClientError as e:
if ret['Parameters']: raise AnsibleError("SSM lookup exception: {0}".format(to_native(e)))
return [ret['Parameters'][0]['Value']] if len(response['Parameters']) == len(terms):
else: ret = [p['Value'] for p in response['Parameters']]
return None else:
raise AnsibleError('Undefined AWS SSM parameter: %s ' % str(response['InvalidParameters']))
except ClientError as e: display.vvvv("AWS_ssm path lookup returning: %s " % str(ret))
raise AnsibleError("SSM lookup exception: {0}".format(e)) return ret

View file

@ -0,0 +1,2 @@
cloud/aws
posix/ci/cloud/group4/aws

View file

@ -0,0 +1,3 @@
---
# defaults file for aws_lambda test
ssm_key_prefix: '{{resource_prefix}}'

View file

@ -0,0 +1,136 @@
---
#
# Author: Michael De La Rue
# based on aws_lambda test cases
- block:
# ============================================================
- name: set up aws connection info
set_fact:
aws_connection_info: &aws_connection_info
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
security_token: "{{ security_token }}"
region: "{{ aws_region }}"
no_log: yes
# ============================================================
- name: Create or update key/value pair in aws parameter store
aws_ssm_parameter_store:
name: "/{{ssm_key_prefix}}/Hello"
description: "This is your first key"
value: "World"
<<: *aws_connection_info
- name: Check that parameter was stored correctly
assert:
that:
- "'{{lookup('aws_ssm', '/' ~ ssm_key_prefix ~ '/Hello', region=ec2_region, aws_access_key=ec2_access_key, aws_secret_key=ec2_secret_key, aws_security_token=security_token )}}' == 'World'"
# ============================================================
- name: Create or update key/value pair in aws parameter store
aws_ssm_parameter_store:
name: "/{{ssm_key_prefix}}/path/wonvar"
description: "This is your first key"
value: "won value"
<<: *aws_connection_info
- name: Create or update key/value pair in aws parameter store
aws_ssm_parameter_store:
name: "/{{ssm_key_prefix}}/path/toovar"
description: "This is your first key"
value: "too value"
<<: *aws_connection_info
- name: Create or update key/value pair in aws parameter store
aws_ssm_parameter_store:
name: "/{{ssm_key_prefix}}/path/tree/treevar"
description: "This is your first key"
value: "tree value"
<<: *aws_connection_info
# ============================================================
- name: Create or update key/value pair in aws parameter store
aws_ssm_parameter_store:
name: "/{{ssm_key_prefix}}/deeppath/wondir/samevar"
description: "This is your first key"
value: "won value"
<<: *aws_connection_info
- name: Create or update key/value pair in aws parameter store
aws_ssm_parameter_store:
name: "/{{ssm_key_prefix}}/deeppath/toodir/samevar"
description: "This is your first key"
value: "too value"
<<: *aws_connection_info
# ============================================================
- name: debug the lookup
debug:
msg: "{{lookup('aws_ssm', '/' ~ ssm_key_prefix ~ '/path', region=ec2_region, aws_access_key=ec2_access_key, aws_secret_key=ec2_secret_key, aws_security_token=security_token, bypath=True )}}'"
- name: Check that parameter path is stored and retrieved
assert:
that:
- "'{{lookup('aws_ssm', '/' ~ ssm_key_prefix ~ '/path', region=ec2_region, aws_access_key=ec2_access_key, aws_secret_key=ec2_secret_key, aws_security_token=security_token, bypath=True, shortnames=true ) | to_json }}' == '{\"toovar\": \"too value\", \"wonvar\": \"won value\"}'"
# ============================================================
- name: Error in case we don't find a named parameter
debug:
msg: "'{{lookup('aws_ssm', '/' ~ ssm_key_prefix ~ '/Goodbye', region=ec2_region, aws_access_key=ec2_access_key, aws_secret_key=ec2_secret_key, aws_security_token=security_token )}}' == 'World'"
register: result
ignore_errors: true
- name: assert failure from failure to find parameter
assert:
that:
- 'result.failed'
- "'Undefined AWS SSM parameter' in result.msg"
# ============================================================
- name: Handle multiple paths with one that doesn't exist - default to full names.
assert:
that:
- "'{{lookup('aws_ssm', '/' ~ ssm_key_prefix ~ '/path', '/' ~ ssm_key_prefix ~ '/dont_create_this_path_you_will_break_the_ansible_tests', region=ec2_region, aws_access_key=ec2_access_key, aws_secret_key=ec2_secret_key, aws_security_token=security_token, bypath=True ) | to_json }}' in ( '[{\"/' ~ ssm_key_prefix ~ '/path/toovar\": \"too value\", \"/' ~ ssm_key_prefix ~ '/path/wonvar\": \"won value\"}, {}]', '[{\"/' ~ ssm_key_prefix ~ '/path/wonvar\": \"won value\", \"/' ~ ssm_key_prefix ~ '/path/toovar\": \"too value\"}, {}]' )"
# ============================================================
# this may be a bit of a nasty test case; we should perhaps accept _either_ value that was stored
# in the two variables named 'samevar'
- name: Handle multiple paths with one that doesn't exist - shortnames - including overlap.
assert:
that:
- "'{{lookup('aws_ssm', '/' ~ ssm_key_prefix ~ '/path', '/' ~ ssm_key_prefix ~ '/dont_create_this_path_you_will_break_the_ansible_tests', '/' ~ ssm_key_prefix ~ '/deeppath', region=ec2_region, aws_access_key=ec2_access_key, aws_secret_key=ec2_secret_key, aws_security_token=security_token, bypath=True, shortnames=true, recursive=true ) | to_json }}' == '[{\"toovar\": \"too value\", \"treevar\": \"tree value\", \"wonvar\": \"won value\"}, {}, {\"samevar\": \"won value\"}]'"
# ============================================================
- name: Delete key/value pair in aws parameter store
aws_ssm_parameter_store:
name: "/{{ssm_key_prefix}}/Hello"
state: absent
<<: *aws_connection_info
# ============================================================
- name: Attempt delete key/value pair in aws parameter store again
aws_ssm_parameter_store:
name: "/{{ssm_key_prefix}}/Hello"
state: absent
<<: *aws_connection_info
register: result
- name: assert that changed is False since parameter should be deleted
assert:
that:
- result.changed == False
always:
# ============================================================
- name: Delete remaining key/value pairs in aws parameter store
aws_ssm_parameter_store:
name: "{{item}}"
state: absent
<<: *aws_connection_info
with_items:
- "/{{ssm_key_prefix}}/Hello"
- "/{{ssm_key_prefix}}/path/wonvar"
- "/{{ssm_key_prefix}}/path/toovar"
- "/{{ssm_key_prefix}}/path/tree/treevar"

View file

@ -0,0 +1,137 @@
#
# (c) 2017 Michael De La Rue
#
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# Make coding more python3-ish
from __future__ import (absolute_import, division, print_function)
import pytest
from copy import copy
from ansible.errors import AnsibleError
import ansible.plugins.lookup.aws_ssm as aws_ssm
try:
import boto3
from botocore.exceptions import ClientError
except ImportError:
pytestmark = pytest.mark.skip("This test requires the boto3 and botocore Python libraries")
simple_variable_success_response = {
'Parameters': [
{
'Name': 'simple_variable',
'Type': 'String',
'Value': 'simplevalue',
'Version': 1
}
],
'InvalidParameters': [],
'ResponseMetadata': {
'RequestId': '12121212-3434-5656-7878-9a9a9a9a9a9a',
'HTTPStatusCode': 200,
'HTTPHeaders': {
'x-amzn-requestid': '12121212-3434-5656-7878-9a9a9a9a9a9a',
'content-type': 'application/x-amz-json-1.1',
'content-length': '116',
'date': 'Tue, 23 Jan 2018 11:04:27 GMT'
},
'RetryAttempts': 0
}
}
path_success_response = copy(simple_variable_success_response)
path_success_response['Parameters'] = [
{'Name': '/testpath/too', 'Type': 'String', 'Value': 'simple_value_too', 'Version': 1},
{'Name': '/testpath/won', 'Type': 'String', 'Value': 'simple_value_won', 'Version': 1}
]
missing_variable_fail_response = copy(simple_variable_success_response)
missing_variable_fail_response['Parameters'] = []
missing_variable_fail_response['InvalidParameters'] = ['missing_variable']
dummy_credentials = {}
dummy_credentials['boto_profile'] = None
dummy_credentials['aws_secret_key'] = "notasecret"
dummy_credentials['aws_access_key'] = "notakey"
dummy_credentials['aws_security_token'] = None
dummy_credentials['region'] = 'eu-west-1'
def test_lookup_variable(mocker):
lookup = aws_ssm.LookupModule()
lookup._load_name = "aws_ssm"
boto3_double = mocker.MagicMock()
boto3_double.Session.return_value.client.return_value.get_parameters.return_value = simple_variable_success_response
boto3_client_double = boto3_double.Session.return_value.client
with mocker.patch.object(boto3, 'session', boto3_double):
retval = lookup.run(["simple_variable"], {}, **dummy_credentials)
assert(retval[0] == "simplevalue")
boto3_client_double.assert_called_with('ssm', 'eu-west-1', aws_access_key_id='notakey',
aws_secret_access_key="notasecret", aws_session_token=None)
def test_path_lookup_variable(mocker):
lookup = aws_ssm.LookupModule()
lookup._load_name = "aws_ssm"
boto3_double = mocker.MagicMock()
get_path_fn = boto3_double.Session.return_value.client.return_value.get_parameters_by_path
get_path_fn.return_value = path_success_response
boto3_client_double = boto3_double.Session.return_value.client
with mocker.patch.object(boto3, 'session', boto3_double):
args = copy(dummy_credentials)
args["bypath"] = 'true'
retval = lookup.run(["/testpath"], {}, **args)
assert(retval[0]["/testpath/won"] == "simple_value_won")
assert(retval[0]["/testpath/too"] == "simple_value_too")
boto3_client_double.assert_called_with('ssm', 'eu-west-1', aws_access_key_id='notakey',
aws_secret_access_key="notasecret", aws_session_token=None)
get_path_fn.assert_called_with(Path="/testpath", Recursive=False, WithDecryption=True)
def test_warn_missing_variable(mocker):
lookup = aws_ssm.LookupModule()
lookup._load_name = "aws_ssm"
boto3_double = mocker.MagicMock()
boto3_double.Session.return_value.client.return_value.get_parameters.return_value = missing_variable_fail_response
with pytest.raises(AnsibleError):
with mocker.patch.object(boto3, 'session', boto3_double):
lookup.run(["missing_variable"], {}, **dummy_credentials)
error_response = {'Error': {'Code': 'ResourceNotFoundException', 'Message': 'Fake Testing Error'}}
operation_name = 'FakeOperation'
def test_warn_denied_variable(mocker):
lookup = aws_ssm.LookupModule()
lookup._load_name = "aws_ssm"
boto3_double = mocker.MagicMock()
boto3_double.Session.return_value.client.return_value.get_parameters.side_effect = ClientError(error_response, operation_name)
with pytest.raises(AnsibleError):
with mocker.patch.object(boto3, 'session', boto3_double):
lookup.run(["denied_variable"], {}, **dummy_credentials)