mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
Add integration tests for iam_policy (#40115)
* Add integration tests for iam_policy * Fix indentation and ignore errors during clean up * Mark iam_policy integration tests as unsupported by CI * Add policies to a temporary folder that is cleaned up * Add tasks to verify that iam_policy can remove policies from users, roles, and groups
This commit is contained in:
parent
54c54fc960
commit
e822450a79
6 changed files with 363 additions and 0 deletions
2
test/integration/targets/iam_policy/aliases
Normal file
2
test/integration/targets/iam_policy/aliases
Normal file
|
@ -0,0 +1,2 @@
|
|||
cloud/aws
|
||||
unsupported
|
5
test/integration/targets/iam_policy/defaults/main.yml
Normal file
5
test/integration/targets/iam_policy/defaults/main.yml
Normal file
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
iam_user_name: '{{resource_prefix}}'
|
||||
iam_role_name: '{{resource_prefix}}'
|
||||
iam_group_name: '{{resource_prefix}}'
|
||||
iam_policy_name: '{{resource_prefix}}'
|
10
test/integration/targets/iam_policy/files/no_access.json
Normal file
10
test/integration/targets/iam_policy/files/no_access.json
Normal file
|
@ -0,0 +1,10 @@
|
|||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Deny",
|
||||
"Action": "*",
|
||||
"Resource": "*"
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,11 @@
|
|||
{
|
||||
"Id": "MyId",
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Deny",
|
||||
"Action": "*",
|
||||
"Resource": "*"
|
||||
}
|
||||
]
|
||||
}
|
10
test/integration/targets/iam_policy/files/no_trust.json
Normal file
10
test/integration/targets/iam_policy/files/no_trust.json
Normal file
|
@ -0,0 +1,10 @@
|
|||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Deny",
|
||||
"Principal": {"AWS": "*"},
|
||||
"Action": "sts:AssumeRole"
|
||||
}
|
||||
]
|
||||
}
|
325
test/integration/targets/iam_policy/tasks/main.yml
Normal file
325
test/integration/targets/iam_policy/tasks/main.yml
Normal file
|
@ -0,0 +1,325 @@
|
|||
---
|
||||
- block:
|
||||
# ============================================================
|
||||
- name: set up aws connection info
|
||||
set_fact:
|
||||
aws_connection_info: &aws_connection_info
|
||||
aws_access_key: "{{ aws_access_key }}"
|
||||
aws_secret_key: "{{ aws_secret_key }}"
|
||||
security_token: "{{ security_token }}"
|
||||
region: "{{ aws_region }}"
|
||||
no_log: yes
|
||||
# ============================================================
|
||||
- name: Create a temporary folder for the policies
|
||||
tempfile:
|
||||
state: directory
|
||||
register: tmpdir
|
||||
# ============================================================
|
||||
- name: Copy over policy
|
||||
copy:
|
||||
src: no_access.json
|
||||
dest: "{{ tmpdir.path }}"
|
||||
# ============================================================
|
||||
- name: Copy over other policy
|
||||
copy:
|
||||
src: no_access_with_id.json
|
||||
dest: "{{ tmpdir.path }}"
|
||||
# ============================================================
|
||||
- name: Create user for tests
|
||||
iam_user:
|
||||
name: "{{ iam_user_name }}"
|
||||
state: present
|
||||
<<: *aws_connection_info
|
||||
# ============================================================
|
||||
- name: Create role for tests
|
||||
iam_role:
|
||||
name: "{{ iam_role_name }}"
|
||||
assume_role_policy_document: "{{ lookup('file','no_trust.json') }}"
|
||||
state: present
|
||||
<<: *aws_connection_info
|
||||
# ============================================================
|
||||
- name: Create group for tests
|
||||
iam_group:
|
||||
name: "{{ iam_group_name }}"
|
||||
state: present
|
||||
<<: *aws_connection_info
|
||||
# ============================================================
|
||||
- name: Create policy for user
|
||||
iam_policy:
|
||||
iam_type: user
|
||||
iam_name: "{{ iam_user_name }}"
|
||||
policy_name: "{{ iam_policy_name }}"
|
||||
state: present
|
||||
policy_document: "{{ tmpdir.path }}/no_access.json"
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
# ============================================================
|
||||
- name: Assert policy was added for user
|
||||
assert:
|
||||
that:
|
||||
- result.changed == True
|
||||
- result.policies == ["{{ iam_policy_name }}"]
|
||||
- result.user_name == "{{ iam_user_name }}"
|
||||
# ============================================================
|
||||
- name: Update policy for user
|
||||
iam_policy:
|
||||
iam_type: user
|
||||
iam_name: "{{ iam_user_name }}"
|
||||
policy_name: "{{ iam_policy_name }}"
|
||||
state: present
|
||||
policy_document: "{{ tmpdir.path }}/no_access_with_id.json"
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
# ============================================================
|
||||
- name: Assert policy was updated for user
|
||||
assert:
|
||||
that:
|
||||
- result.changed == True
|
||||
# ============================================================
|
||||
- name: Update policy for user with same policy
|
||||
iam_policy:
|
||||
iam_type: user
|
||||
iam_name: "{{ iam_user_name }}"
|
||||
policy_name: "{{ iam_policy_name }}"
|
||||
state: present
|
||||
policy_document: "{{ tmpdir.path }}/no_access_with_id.json"
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
# ============================================================
|
||||
- name: Assert policy did not change for user
|
||||
assert:
|
||||
that:
|
||||
- result.changed == False
|
||||
# ============================================================
|
||||
- name: Create policy for user using policy_json
|
||||
iam_policy:
|
||||
iam_type: user
|
||||
iam_name: "{{ iam_user_name }}"
|
||||
policy_name: "{{ iam_policy_name }}"
|
||||
state: present
|
||||
policy_json: "{{ lookup('file', '{{ tmpdir.path }}/no_access.json') }}"
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
# ============================================================
|
||||
- name: Assert policy was added for user
|
||||
assert:
|
||||
that:
|
||||
- result.changed == True
|
||||
- result.policies == ["{{ iam_policy_name }}"]
|
||||
- result.user_name == "{{ iam_user_name }}"
|
||||
# ============================================================
|
||||
- name: Create policy for role
|
||||
iam_policy:
|
||||
iam_type: role
|
||||
iam_name: "{{ iam_role_name }}"
|
||||
policy_name: "{{ iam_policy_name }}"
|
||||
state: present
|
||||
policy_document: "{{ tmpdir.path }}/no_access.json"
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
# ============================================================
|
||||
- name: Assert policy was added for role
|
||||
assert:
|
||||
that:
|
||||
- result.changed == True
|
||||
- result.policies == ["{{ iam_policy_name }}"]
|
||||
- result.role_name == "{{ iam_role_name }}"
|
||||
# ============================================================
|
||||
- name: Update policy for role
|
||||
iam_policy:
|
||||
iam_type: role
|
||||
iam_name: "{{ iam_role_name }}"
|
||||
policy_name: "{{ iam_policy_name }}"
|
||||
state: present
|
||||
policy_document: "{{ tmpdir.path }}/no_access_with_id.json"
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
# ============================================================
|
||||
- name: Assert policy was updated for role
|
||||
assert:
|
||||
that:
|
||||
- result.changed == True
|
||||
# ============================================================
|
||||
- name: Update policy for role with same policy
|
||||
iam_policy:
|
||||
iam_type: role
|
||||
iam_name: "{{ iam_role_name }}"
|
||||
policy_name: "{{ iam_policy_name }}"
|
||||
state: present
|
||||
policy_document: "{{ tmpdir.path }}/no_access_with_id.json"
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
# ============================================================
|
||||
- name: Assert policy did not change for role
|
||||
assert:
|
||||
that:
|
||||
- result.changed == False
|
||||
# ============================================================
|
||||
- name: Create policy for role using policy_json
|
||||
iam_policy:
|
||||
iam_type: role
|
||||
iam_name: "{{ iam_role_name }}"
|
||||
policy_name: "{{ iam_policy_name }}"
|
||||
state: present
|
||||
policy_json: "{{ lookup('file', '{{ tmpdir.path }}/no_access.json') }}"
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
# ============================================================
|
||||
- name: Assert policy was added for role
|
||||
assert:
|
||||
that:
|
||||
- result.changed == True
|
||||
- result.policies == ["{{ iam_policy_name }}"]
|
||||
- result.role_name == "{{ iam_role_name }}"
|
||||
# ============================================================
|
||||
- name: Create policy for group
|
||||
iam_policy:
|
||||
iam_type: group
|
||||
iam_name: "{{ iam_group_name }}"
|
||||
policy_name: "{{ iam_policy_name }}"
|
||||
state: present
|
||||
policy_document: "{{ tmpdir.path }}/no_access.json"
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
# ============================================================
|
||||
- name: Assert policy was added for group
|
||||
assert:
|
||||
that:
|
||||
- result.changed == True
|
||||
- result.policies == ["{{ iam_policy_name }}"]
|
||||
- result.group_name == "{{ iam_group_name }}"
|
||||
# ============================================================
|
||||
- name: Update policy for group
|
||||
iam_policy:
|
||||
iam_type: group
|
||||
iam_name: "{{ iam_group_name }}"
|
||||
policy_name: "{{ iam_policy_name }}"
|
||||
state: present
|
||||
policy_document: "{{ tmpdir.path }}/no_access_with_id.json"
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
# ============================================================
|
||||
- name: Assert policy was updated for group
|
||||
assert:
|
||||
that:
|
||||
- result.changed == True
|
||||
# ============================================================
|
||||
- name: Update policy for group with same policy
|
||||
iam_policy:
|
||||
iam_type: group
|
||||
iam_name: "{{ iam_group_name }}"
|
||||
policy_name: "{{ iam_policy_name }}"
|
||||
state: present
|
||||
policy_document: "{{ tmpdir.path }}/no_access_with_id.json"
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
# ============================================================
|
||||
- name: Assert policy did not change for group
|
||||
assert:
|
||||
that:
|
||||
- result.changed == False
|
||||
# ============================================================
|
||||
- name: Create policy for group using policy_json
|
||||
iam_policy:
|
||||
iam_type: group
|
||||
iam_name: "{{ iam_group_name }}"
|
||||
policy_name: "{{ iam_policy_name }}"
|
||||
state: present
|
||||
policy_json: "{{ lookup('file', '{{ tmpdir.path }}/no_access.json') }}"
|
||||
<<: *aws_connection_info
|
||||
register: result
|
||||
# ============================================================
|
||||
- name: Assert policy was added for group
|
||||
assert:
|
||||
that:
|
||||
- result.changed == True
|
||||
- result.policies == ["{{ iam_policy_name }}"]
|
||||
- result.group_name == "{{ iam_group_name }}"
|
||||
# ============================================================
|
||||
- name: Delete policy for user
|
||||
iam_policy:
|
||||
iam_type: user
|
||||
iam_name: "{{ iam_user_name }}"
|
||||
policy_name: "{{ iam_policy_name }}"
|
||||
state: absent
|
||||
<<: *aws_connection_info
|
||||
- assert:
|
||||
that:
|
||||
- result.changed == True
|
||||
# ============================================================
|
||||
- name: Delete policy for role
|
||||
iam_policy:
|
||||
iam_type: role
|
||||
iam_name: "{{ iam_role_name }}"
|
||||
policy_name: "{{ iam_policy_name }}"
|
||||
state: absent
|
||||
<<: *aws_connection_info
|
||||
- assert:
|
||||
that:
|
||||
- result.changed == True
|
||||
# ============================================================
|
||||
- name: Delete policy for group
|
||||
iam_policy:
|
||||
iam_type: group
|
||||
iam_name: "{{ iam_group_name }}"
|
||||
policy_name: "{{ iam_policy_name }}"
|
||||
state: absent
|
||||
<<: *aws_connection_info
|
||||
- assert:
|
||||
that:
|
||||
- result.changed == True
|
||||
# ============================================================
|
||||
always:
|
||||
# ============================================================
|
||||
- name: Delete policy for user
|
||||
iam_policy:
|
||||
iam_type: user
|
||||
iam_name: "{{ iam_user_name }}"
|
||||
policy_name: "{{ iam_policy_name }}"
|
||||
state: absent
|
||||
<<: *aws_connection_info
|
||||
ignore_errors: yes
|
||||
# ============================================================
|
||||
- name: Delete user for tests
|
||||
iam_user:
|
||||
name: "{{ iam_user_name }}"
|
||||
state: absent
|
||||
<<: *aws_connection_info
|
||||
ignore_errors: yes
|
||||
# ============================================================
|
||||
- name: Delete policy for role
|
||||
iam_policy:
|
||||
iam_type: role
|
||||
iam_name: "{{ iam_role_name }}"
|
||||
policy_name: "{{ iam_policy_name }}"
|
||||
state: absent
|
||||
<<: *aws_connection_info
|
||||
ignore_errors: yes
|
||||
# ============================================================
|
||||
- name: Delete role for tests
|
||||
iam_role:
|
||||
name: "{{ iam_role_name }}"
|
||||
state: absent
|
||||
<<: *aws_connection_info
|
||||
ignore_errors: yes
|
||||
# ============================================================
|
||||
- name: Delete policy for group
|
||||
iam_policy:
|
||||
iam_type: group
|
||||
iam_name: "{{ iam_group_name }}"
|
||||
policy_name: "{{ iam_policy_name }}"
|
||||
state: absent
|
||||
<<: *aws_connection_info
|
||||
ignore_errors: yes
|
||||
# ============================================================
|
||||
- name: Delete group for tests
|
||||
iam_group:
|
||||
name: "{{ iam_group_name }}"
|
||||
state: absent
|
||||
<<: *aws_connection_info
|
||||
ignore_errors: yes
|
||||
# ============================================================
|
||||
- name: Delete temporary folder containing the policies
|
||||
file:
|
||||
state: absent
|
||||
path: "{{ tmpdir.path }}/"
|
Loading…
Reference in a new issue