diff --git a/docs/docsite/rst/dev_guide/testing_integration.rst b/docs/docsite/rst/dev_guide/testing_integration.rst index bb10cd2e4b..9539378b44 100644 --- a/docs/docsite/rst/dev_guide/testing_integration.rst +++ b/docs/docsite/rst/dev_guide/testing_integration.rst @@ -29,7 +29,9 @@ more information about supported credentials, refer to ``credentials.template``. Prerequisites ============= -The tests will assume things like hg, svn, and git are installed and in path. +The tests will assume things like hg, svn, and git are installed and in path. Some tests +(such as those for Amazon Web Services) need separate definitions, which will be covered +later in this document. (Complete list pending) 
@@ -139,10 +141,38 @@ To test with Python 3 use the following images: - ubuntu1604py3 -Cloud Tests -=========== +Legacy Cloud Tests +================== -See the :doc:`testing_integration_legacy` page for more information. +Some of the cloud tests run as normal integration tests, and others run as legacy tests; see the +:doc:`testing_integration_legacy` page for more information. + + +Other configuration for Cloud Tests +=================================== + +In order to run some tests, you must provide access credentials in a file named +``cloud-config-aws.yml`` or ``cloud-config-cs.ini`` in the test/integration +directory. Corresponding .template files are available for for syntax help. The newer AWS +tests now use the file test/integration/cloud-config-aws.yml + +IAM policies for AWS +==================== + +Ansible needs fairly wide ranging powers to run the tests in an AWS account. This rights can be provided to a dedicated user. These need to be configured before running the test. + +testing-iam-policy.json.j2 +-------------------------- + +The testing-iam-policy.json.j2 file contains a policy which can be given to the user +running the tests to minimize the rights of that user. Please note that while this policy does limit the user to one region, this does not fully restrict the user (primarily due to the limitations of the Amazon ARN notation). The user will still have wide privileges for viewing account definitions, and will also able to manage some resources that are not related to testing (for example, AWS lambdas with different names). Tests should not be run in a primary production account in any case. + +Other Definitions required +-------------------------- + +Apart from installing the policy and giving it to the user identity running the tests, a +lambda role `ansible_integration_tests` has to be created which has lambda basic execution +privileges. Network Tests 
@@ -159,7 +189,6 @@ This page details the specifics around testing Ansible Networking modules. How to do this is explained in the rest of this document. - Network integration tests can be ran by doing:: cd test/integration diff --git a/docs/docsite/rst/dev_guide/testing_integration_legacy.rst b/docs/docsite/rst/dev_guide/testing_integration_legacy.rst index 0c7358b394..116943ea69 100644 --- a/docs/docsite/rst/dev_guide/testing_integration_legacy.rst +++ b/docs/docsite/rst/dev_guide/testing_integration_legacy.rst @@ -8,7 +8,7 @@ This page details how to run the integration tests that haven't been ported to t The following areas are still tested using the legacy ``make tests`` command: -* amazon +* amazon (some) * azure * cloudflare * cloudscale @@ -37,7 +37,6 @@ In order to run cloud tests, you must provide access credentials in a file named ``credentials.yml``. A sample credentials file named ``credentials.template`` is available for syntax help. - Provide cloud credentials:: cp credentials.template credentials.yml 
@@ -47,9 +46,35 @@ Provide cloud credentials:: Other configuration =================== -In order to run some tests, you must provide access credentials in a file -named ``credentials.yml``. A sample credentials file named -``credentials.template`` is available for syntax help. +In order to run some tests, you must provide access credentials in a file named +``credentials.yml``. A sample credentials file named ``credentials.template`` is available +for syntax help. + +IAM policies for AWS +==================== + +In order to run the tests in an AWS account ansible needs fairly wide ranging powers which +can be provided to a dedicated user or temporary credentials using a specific policy +configured in the AWS account. + +testing-iam-policy.json.j2 +-------------------------- + +The testing-iam-policy.json.j2 file contains a policy which can be given to the user +running the tests to give close to minimum rights required to run the tests. Please note +that this does not fully restrict the user; The user has wide privileges for viewing +account definitions and is also able to manage some resources that are not related to +testing (e.g. AWS lambdas with different names) primarily due to the limitations of the +Amazon ARN notation. At the very least the policy limits the user to one region, however +tests should not be run in a primary production account in any case. + +Other Definitions required +-------------------------- + +Apart from installing the policy and giving it to the user identity running +the tests, a lambda role `ansible_integration_tests` has to be created which +has lambda basic execution privileges. + Running Tests ============= diff --git a/hacking/aws_config/testing-iam-policy.json.j2 b/hacking/aws_config/testing-iam-policy.json.j2 new file mode 100644 index 0000000000..d5534a41e8 --- /dev/null +++ b/hacking/aws_config/testing-iam-policy.json.j2 
@@ -0,0 +1,246 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowDescribeAllEC2",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:Describe*"
+ ],
+ "Resource": [
+ "arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
+ ]
+ },
+ {
+ "Sid": "MiscPrivilegesNeededByEC2Tests",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateKeyPair",
+ "ec2:CreateNatGateway",
+ "ec2:DeleteKeyPair",
+ "ec2:ImportKeyPair",
+ "ec2:RunInstances",
+ "ec2:CreateTags",
+ "ec2:TerminateInstances",
+ "ec2:AllocateAddress",
+ "ec2:AssociateAddress",
+ "ec2:DisassociateAddress",
+ "ec2:ReleaseAddress",
+ "ec2:CreateSubnet",
+ "ec2:CreateVpc",
+ "ec2:CreateRouteTable",
+ "ec2:ModifyRouteTable",
+ "ec2:DescribeRouteTable",
+ "ec2:AssociateRouteTable",
+ "ec2:DisassociateRouteTable",
+ "ec2:ModifyVpcAttribute",
+ "ec2:CreateInternetGateway",
+ "ec2:AttachInternetGateway",
+ "ec2:DeleteNatGateway"
+ ],
+ "Resource": [
+ "arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
+ ]
+ },
+ {
+ "Sid": "AllowManageSecurityGroupsForSetup",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeSecurityGroups",
+ "ec2:CreateSecurityGroup",
+ "ec2:RevokeSecurityGroupEgress",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:DeleteSecurityGroup",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Resource": [
+ "arn:aws:ec2:{{aws_region}}:{{aws_account}}:security-group/*"
+ ]
+ },
+ {
+ "Sid": "AllowAutoscaling",
+ "Effect": "Allow",
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeLaunchConfigurations",
+ "autoscaling:CreateLaunchConfiguration",
+ "autoscaling:CreateAutoScalingGroup",
+ "autoscaling:UpdateAutoScalingGroup",
+ "autoscaling:DeleteAutoScalingGroup",
+ "autoscaling:DeleteLaunchConfiguration"
+ ],
+ "Resource": [
+ "arn:aws:autoscaling:{{aws_region}}:{{aws_account}}:*"
+ ]
+ },
+ {
+ "Sid": "AllowReadAllLoadBalancers",
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DescribeLoadBalancerAttributes",
+ "elasticloadbalancing:DescribeInstanceHealth"
+ ],
+ "Resource": [
+ "arn:aws:elasticloadbalancing:{{aws_region}}:{{aws_account}}:loadbalancer/*"
+ ]
+ },
+ {
+ "Sid": "AllowManagementofOwnLoadBalancers",
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DescribeLoadBalancerAttributes",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
+ "elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
+ "elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:DescribeInstanceHealth"
+ ],
+ "Resource": [
+ "arn:aws:elasticloadbalancing:{{aws_region}}:{{aws_account}}:loadbalancer/ansible-testing-*"
+ ]
+ },
+ {
+ "Sid": "AllowCodeRepositories",
+ "Effect": "Allow",
+ "Action": [
+ "ecr:DescribeRepositories",
+ "ecr:CreateRepository",
+ "ecr:DescribeRepositories",
+ "ecr:GetRepositoryPolicy",
+ "ecr:DescribeRepositories",
+ "ecr:SetRepositoryPolicy",
+ "ecr:DeleteRepository",
+ "ecr:DeleteRepositoryPolicy",
+ "ecr:DeleteRepositoryPolicy"
+ ],
+ "Resource": [
+ "arn:aws:ecr:{{aws_region}}:{{aws_account}}:repository/ansible-*"
+ ]
+ },
+ {
+ "Sid": "AllowOldRDSModule",
+ "Effect": "Allow",
+ "Action": [
+ "rds:DescribeDBInstances",
+ "rds:CreateDBInstance",
+ "rds:ModifyDBInstance",
+ "rds:DeleteDBInstance"
+ ],
+ "Resource": [
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-testing*"
+ ]
+ },
+ {
+ "Sid": "AllowRDSModuleCompatibilityTests",
+ "Effect": "Allow",
+ "Action": [
+ "rds:DescribeDBInstances",
+ "rds:CreateDBInstance",
+ "rds:ModifyDBInstance",
+ "rds:ListTagsForResource",
+ "rds:DeleteDBInstance"
+ ],
+ "Resource": [
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-testing*"
+ ]
+ },
+ {
+ "Sid": "AllowRDSInstanceManageOwnInstance",
+ "Effect": "Allow",
+ "Action": [
+ "rds:CreateDBInstance",
+ "rds:ModifyDBInstance",
+ "rds:ListTagsForResource",
+ "rds:DescribeDBInstances"
+ ],
+ "Resource": [
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:rds-*"
+ ]
+ },
+ {
+ "Sid": "AllowRDSSnapshotManageSnapshots",
+ "Effect": "Allow",
+ "Action": [
+ "rds:DescribeDBSnapshots",
+ "rds:DescribeDBInstances",
+ "rds:DescribeDBSnapshots",
+ "rds:DeleteDBInstance",
+ "rds:CreateDBSnapshot",
+ "rds:DeleteDBSnapshot",
+ "rds:RestoreDBInstanceFromDBSnapshot",
+ "rds:CreateDBInstanceReadReplica"
+ ],
+ "Resource": [
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:snapshot-*",
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:rds-*",
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:rds-*"
+ ]
+ },
+ {
+ "Sid": "AlowS3AnsibleTestBuckets",
+ "Action": [
+ "s3:GetObject",
+ "s3:ListBucket",
+ "s3:PutBucketAcl",
+ "s3:CreateBucket",
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ "s3:DeleteBucket",
+ "s3:DeleteObject"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws:s3:::ansible_test_*",
+ "arn:aws:s3:::ansible_test_*/*"
+ ]
+ },
+ {
+ "Sid": "AllowApiGateway",
+ "Effect": "Allow",
+ "Action": [
+ "apigateway:*"
+ ],
+ "Resource": [
+ "arn:aws:apigateway:us-east-1::*"
+ ]
+ },
+ {
+ "Sid": "AllowGetUserForLambdaCreation",
+ "Effect": "Allow",
+ "Action": [
+ "iam:GetUser"
+ ],
+ "Resource": [
+ "arn:aws:iam::459030870916:user/ansible_integration_tests"
+ ]
+ },
+ {
+ "Sid": "AllowLambdaManagementxxxWildcardDoesntWorkRight",
+ "Effect": "Allow",
+ "Action": [
+ "lambda:*"
+ ],
+ "Resource": [
+ "arn:aws:lambda:{{aws_region}}:{{aws_account}}:function:*"
+ ]
+ },
+ {
+ "Sid": "AllowLambdaRoleManagement",
+ "Effect": "Allow",
+ "Action": [
+ "iam:PassRole"
+ ],
+ "Resource": [
+ "arn:aws:iam::459030870916:role/ansible_lambda_role"
+ ]
+ }
+ ]
+}
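Review bot: The `AllowGetUserForLambdaCreation` and `AllowLambdaRoleManagement` statements hard-code account `459030870916` while every other statement in the template uses `{{aws_account}}`, so a policy rendered for any other account grants nothing useful there (the test user cannot `iam:PassRole` a role in its own account) and the template publishes a specific account id; `AllowApiGateway` likewise pins `us-east-1` instead of `{{aws_region}}`, contradicting the "limits the user to one region" claim in the docs. The PassRole target `role/ansible_lambda_role` also does not match the `ansible_integration_tests` lambda role the same commit tells readers to create in testing_integration.rst, so one side must change; I would use `"arn:aws:iam::{{aws_account}}:user/ansible_integration_tests"`, `"arn:aws:iam::{{aws_account}}:role/ansible_integration_tests"` and `"arn:aws:apigateway:{{aws_region}}::*"` and keep the docs as written. Separately, `ec2:Describe*` and the autoscaling/ELB Describe actions are, as far as I recall, not resource-level actions, so scoping them to a region/account ARN will most likely be denied and needs `"Resource": "*"` — worth checking against the service authorization reference before users widen `lambda:*`-style grants to work around it. Minor: `ecr:DescribeRepositories` appears three times, `ecr:DeleteRepositoryPolicy` and `rds:DescribeDBSnapshots` twice, `ec2:DescribeRouteTable` looks like a typo for `ec2:DescribeRouteTables`, and the Sid `AlowS3AnsibleTestBuckets` is misspelled.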