From e822450a79e8a7aded7233a5d8f0e7f3bd353188 Mon Sep 17 00:00:00 2001 From: Kyle Knapp Date: Wed, 14 Nov 2018 17:14:19 -0800 Subject: [PATCH] Add integration tests for iam_policy (#40115) * Add integration tests for iam_policy * Fix indentation and ignore errors during clean up * Mark iam_policy integration tests as unsupported by CI * Add policies to a temporary folder that is cleaned up * Add tasks to verify that iam_policy can remove policies from users, roles, and groups --- test/integration/targets/iam_policy/aliases | 2 + .../targets/iam_policy/defaults/main.yml | 5 + .../targets/iam_policy/files/no_access.json | 10 + .../iam_policy/files/no_access_with_id.json | 11 + .../targets/iam_policy/files/no_trust.json | 10 + .../targets/iam_policy/tasks/main.yml | 325 ++++++++++++++++++ 6 files changed, 363 insertions(+) create mode 100644 test/integration/targets/iam_policy/aliases create mode 100644 test/integration/targets/iam_policy/defaults/main.yml create mode 100644 test/integration/targets/iam_policy/files/no_access.json create mode 100644 test/integration/targets/iam_policy/files/no_access_with_id.json create mode 100644 test/integration/targets/iam_policy/files/no_trust.json create mode 100644 test/integration/targets/iam_policy/tasks/main.yml diff --git a/test/integration/targets/iam_policy/aliases b/test/integration/targets/iam_policy/aliases new file mode 100644 index 0000000000..5692719518 --- /dev/null +++ b/test/integration/targets/iam_policy/aliases @@ -0,0 +1,2 @@ +cloud/aws +unsupported diff --git a/test/integration/targets/iam_policy/defaults/main.yml b/test/integration/targets/iam_policy/defaults/main.yml new file mode 100644 index 0000000000..1d65af04d2 --- /dev/null +++ b/test/integration/targets/iam_policy/defaults/main.yml @@ -0,0 +1,5 @@ +--- +iam_user_name: '{{resource_prefix}}' +iam_role_name: '{{resource_prefix}}' +iam_group_name: '{{resource_prefix}}' +iam_policy_name: '{{resource_prefix}}' 
diff --git a/test/integration/targets/iam_policy/files/no_access.json b/test/integration/targets/iam_policy/files/no_access.json new file mode 100644 index 0000000000..a2f2997575 --- /dev/null +++ b/test/integration/targets/iam_policy/files/no_access.json @@ -0,0 +1,10 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Deny", + "Action": "*", + "Resource": "*" + } + ] +} diff --git a/test/integration/targets/iam_policy/files/no_access_with_id.json b/test/integration/targets/iam_policy/files/no_access_with_id.json new file mode 100644 index 0000000000..9d40dd54a8 --- /dev/null +++ b/test/integration/targets/iam_policy/files/no_access_with_id.json @@ -0,0 +1,11 @@ +{ + "Id": "MyId", + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Deny", + "Action": "*", + "Resource": "*" + } + ] +} diff --git a/test/integration/targets/iam_policy/files/no_trust.json b/test/integration/targets/iam_policy/files/no_trust.json new file mode 100644 index 0000000000..c36616187a --- /dev/null +++ b/test/integration/targets/iam_policy/files/no_trust.json @@ -0,0 +1,10 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Deny", + "Principal": {"AWS": "*"}, + "Action": "sts:AssumeRole" + } + ] +} diff --git a/test/integration/targets/iam_policy/tasks/main.yml b/test/integration/targets/iam_policy/tasks/main.yml new file mode 100644 index 0000000000..891d0607aa --- /dev/null +++ b/test/integration/targets/iam_policy/tasks/main.yml 
@@ -0,0 +1,325 @@ +--- +- block: + # ============================================================ + - name: set up aws connection info + set_fact: + aws_connection_info: &aws_connection_info + aws_access_key: "{{ aws_access_key }}" + aws_secret_key: "{{ aws_secret_key }}" + security_token: "{{ security_token }}" + region: "{{ aws_region }}" + no_log: yes + # ============================================================ + - name: Create a temporary folder for the policies + tempfile: + state: directory + register: tmpdir + # ============================================================ + - name: Copy over policy + copy: + src: no_access.json + dest: "{{ tmpdir.path }}" + # ============================================================ + - name: Copy over other policy + copy: + src: no_access_with_id.json + dest: "{{ tmpdir.path }}" + # ============================================================ + - name: Create user for tests + iam_user: + name: "{{ iam_user_name }}" + state: present + <<: *aws_connection_info + # ============================================================ + - name: Create role for tests + iam_role: + name: "{{ iam_role_name }}" + assume_role_policy_document: "{{ lookup('file','no_trust.json') }}" + state: present + <<: *aws_connection_info + # ============================================================ + - name: Create group for tests + iam_group: + name: "{{ iam_group_name }}" + state: present + <<: *aws_connection_info + # ============================================================ + - name: Create policy for user + iam_policy: + iam_type: user + iam_name: "{{ iam_user_name }}" + policy_name: "{{ iam_policy_name }}" + state: present + policy_document: "{{ tmpdir.path }}/no_access.json" + <<: *aws_connection_info + register: result + # ============================================================ + - name: Assert policy was added for user + assert: + that: + - result.changed == True + - result.policies == ["{{ iam_policy_name }}"] + - 
result.user_name == "{{ iam_user_name }}" + # ============================================================ + - name: Update policy for user + iam_policy: + iam_type: user + iam_name: "{{ iam_user_name }}" + policy_name: "{{ iam_policy_name }}" + state: present + policy_document: "{{ tmpdir.path }}/no_access_with_id.json" + <<: *aws_connection_info + register: result + # ============================================================ + - name: Assert policy was updated for user + assert: + that: + - result.changed == True + # ============================================================ + - name: Update policy for user with same policy + iam_policy: + iam_type: user + iam_name: "{{ iam_user_name }}" + policy_name: "{{ iam_policy_name }}" + state: present + policy_document: "{{ tmpdir.path }}/no_access_with_id.json" + <<: *aws_connection_info + register: result + # ============================================================ + - name: Assert policy did not change for user + assert: + that: + - result.changed == False + # ============================================================ + - name: Create policy for user using policy_json + iam_policy: + iam_type: user + iam_name: "{{ iam_user_name }}" + policy_name: "{{ iam_policy_name }}" + state: present + policy_json: "{{ lookup('file', '{{ tmpdir.path }}/no_access.json') }}" + <<: *aws_connection_info + register: result + # ============================================================ + - name: Assert policy was added for user + assert: + that: + - result.changed == True + - result.policies == ["{{ iam_policy_name }}"] + - result.user_name == "{{ iam_user_name }}" + # ============================================================ + - name: Create policy for role + iam_policy: + iam_type: role + iam_name: "{{ iam_role_name }}" + policy_name: "{{ iam_policy_name }}" + state: present + policy_document: "{{ tmpdir.path }}/no_access.json" + <<: *aws_connection_info + register: result + # 
============================================================ + - name: Assert policy was added for role + assert: + that: + - result.changed == True + - result.policies == ["{{ iam_policy_name }}"] + - result.role_name == "{{ iam_role_name }}" + # ============================================================ + - name: Update policy for role + iam_policy: + iam_type: role + iam_name: "{{ iam_role_name }}" + policy_name: "{{ iam_policy_name }}" + state: present + policy_document: "{{ tmpdir.path }}/no_access_with_id.json" + <<: *aws_connection_info + register: result + # ============================================================ + - name: Assert policy was updated for role + assert: + that: + - result.changed == True + # ============================================================ + - name: Update policy for role with same policy + iam_policy: + iam_type: role + iam_name: "{{ iam_role_name }}" + policy_name: "{{ iam_policy_name }}" + state: present + policy_document: "{{ tmpdir.path }}/no_access_with_id.json" + <<: *aws_connection_info + register: result + # ============================================================ + - name: Assert policy did not change for role + assert: + that: + - result.changed == False + # ============================================================ + - name: Create policy for role using policy_json + iam_policy: + iam_type: role + iam_name: "{{ iam_role_name }}" + policy_name: "{{ iam_policy_name }}" + state: present + policy_json: "{{ lookup('file', '{{ tmpdir.path }}/no_access.json') }}" + <<: *aws_connection_info + register: result + # ============================================================ + - name: Assert policy was added for role + assert: + that: + - result.changed == True + - result.policies == ["{{ iam_policy_name }}"] + - result.role_name == "{{ iam_role_name }}" + # ============================================================ + - name: Create policy for group + iam_policy: + iam_type: group + iam_name: "{{ iam_group_name }}" 
+ policy_name: "{{ iam_policy_name }}" + state: present + policy_document: "{{ tmpdir.path }}/no_access.json" + <<: *aws_connection_info + register: result + # ============================================================ + - name: Assert policy was added for group + assert: + that: + - result.changed == True + - result.policies == ["{{ iam_policy_name }}"] + - result.group_name == "{{ iam_group_name }}" + # ============================================================ + - name: Update policy for group + iam_policy: + iam_type: group + iam_name: "{{ iam_group_name }}" + policy_name: "{{ iam_policy_name }}" + state: present + policy_document: "{{ tmpdir.path }}/no_access_with_id.json" + <<: *aws_connection_info + register: result + # ============================================================ + - name: Assert policy was updated for group + assert: + that: + - result.changed == True + # ============================================================ + - name: Update policy for group with same policy + iam_policy: + iam_type: group + iam_name: "{{ iam_group_name }}" + policy_name: "{{ iam_policy_name }}" + state: present + policy_document: "{{ tmpdir.path }}/no_access_with_id.json" + <<: *aws_connection_info + register: result + # ============================================================ + - name: Assert policy did not change for group + assert: + that: + - result.changed == False + # ============================================================ + - name: Create policy for group using policy_json + iam_policy: + iam_type: group + iam_name: "{{ iam_group_name }}" + policy_name: "{{ iam_policy_name }}" + state: present + policy_json: "{{ lookup('file', '{{ tmpdir.path }}/no_access.json') }}" + <<: *aws_connection_info + register: result + # ============================================================ + - name: Assert policy was added for group + assert: + that: + - result.changed == True + - result.policies == ["{{ iam_policy_name }}"] + - result.group_name == "{{ 
iam_group_name }}" + # ============================================================ + - name: Delete policy for user + iam_policy: + iam_type: user + iam_name: "{{ iam_user_name }}" + policy_name: "{{ iam_policy_name }}" + state: absent + <<: *aws_connection_info + - assert: + that: + - result.changed == True + # ============================================================ + - name: Delete policy for role + iam_policy: + iam_type: role + iam_name: "{{ iam_role_name }}" + policy_name: "{{ iam_policy_name }}" + state: absent + <<: *aws_connection_info + - assert: + that: + - result.changed == True + # ============================================================ + - name: Delete policy for group + iam_policy: + iam_type: group + iam_name: "{{ iam_group_name }}" + policy_name: "{{ iam_policy_name }}" + state: absent + <<: *aws_connection_info + - assert: + that: + - result.changed == True + # ============================================================ + always: + # ============================================================ + - name: Delete policy for user + iam_policy: + iam_type: user + iam_name: "{{ iam_user_name }}" + policy_name: "{{ iam_policy_name }}" + state: absent + <<: *aws_connection_info + ignore_errors: yes + # ============================================================ + - name: Delete user for tests + iam_user: + name: "{{ iam_user_name }}" + state: absent + <<: *aws_connection_info + ignore_errors: yes + # ============================================================ + - name: Delete policy for role + iam_policy: + iam_type: role + iam_name: "{{ iam_role_name }}" + policy_name: "{{ iam_policy_name }}" + state: absent + <<: *aws_connection_info + ignore_errors: yes + # ============================================================ + - name: Delete role for tests + iam_role: + name: "{{ iam_role_name }}" + state: absent + <<: *aws_connection_info + ignore_errors: yes + # ============================================================ + - name: Delete policy 
for group + iam_policy: + iam_type: group + iam_name: "{{ iam_group_name }}" + policy_name: "{{ iam_policy_name }}" + state: absent + <<: *aws_connection_info + ignore_errors: yes + # ============================================================ + - name: Delete group for tests + iam_group: + name: "{{ iam_group_name }}" + state: absent + <<: *aws_connection_info + ignore_errors: yes + # ============================================================ + - name: Delete temporary folder containing the policies + file: + state: absent + path: "{{ tmpdir.path }}/"
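Review bot: The three "Delete policy for user/role/group" tasks inside the block do not `register: result`, so each anonymous `- assert: that: result.changed == True` that follows them still evaluates the result of the last "Create policy for group using policy_json" task and passes without ever checking that the removal happened; add `register: result` to each of those three `iam_policy` tasks and give the three bare asserts a `name` so a failure points at the right step. The `policy_json` tasks nest moustaches, `lookup('file', '{{ tmpdir.path }}/no_access.json')`, which relies on double templating; `lookup('file', tmpdir.path ~ '/no_access.json')` expresses the same path directly. As a point of style, `result.changed == True` / `== False` read better as `result is changed` / `result is not changed`, and `no_log: yes` / `ignore_errors: yes` as `true`, which keeps the file to plain YAML booleans. The final "Delete temporary folder" task in `always` is the only cleanup step without `ignore_errors`, so if the `tempfile` task never ran, `tmpdir.path` is undefined there and the play ends with an error after cleanup has otherwise completed.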