community.general/test/integration/targets/lambda_policy/tasks/main.yml

---
#
#  Author: Michael De La Rue
#  based on ec2_key.yml + lambda.py

- block:

    # ============================================================
    - name: test with no parameters
      lambda_policy:
      register: result
      ignore_errors: true

    - name: assert failure when called with no parameters
      assert:
        that:
           - 'result.failed'
           - 'result.msg.startswith("missing required arguments: ")'

    # ============================================================
    - name: test with all required dummy parameters but no region
      lambda_policy:
        statement_id: dummy
        principal: api_fakeway
        action: fake:do_something_fake
        function_name: dummy_fake_function
      ignore_errors: true
      register: result

    - name: assert failure and appropriate message when called without region
      assert:
        that:
           - 'result.failed'
           - '"region must be specified" in result.msg'

    # ============================================================
    - name: test with all required dummy parameters but no region
      lambda_policy:
        statement_id: dummy
        principal: api_fakeway
        action: fake:do_something_fake
        function_name: dummy_fake_function
        region: null
      ignore_errors: true
      register: result

    - name: assert failure and appropriate message when called false region region
      assert:
        that:
           - 'result.failed'
           - '"region must be specified" in result.msg'

    # ============================================================
    - name: test exceptions generated by forcing bad ec2 url
      lambda_policy:
        function_name: "{{ lambda_function_name }}"
        region: "{{ec2_region}}"
        state: present
        statement_id: api-gateway-invoke-lambdas
        action: lambda:InvokeFunction
        principal: apigateway.amazonaws.com
        source_arn: "arn:aws:execute-api:no-north-0:1234567:*/*"
        ec2_url: https://noexist.example.com
        ec2_region: 'no-north-0'
        ec2_access_key: 'iamnotreallyanaccesskey'
        ec2_secret_key: 'thisisabadsecretkey'
        security_token: 'andthisisabadsecuritytoken'
      register: result
      ignore_errors: true

    - name: assert lambda manages to respond as expected
      assert:
        that:
           - 'result is failed'
           - 'result.msg != "MODULE FAILURE"'
           - 'result.changed == False'

    # ============================================================
    # direct zip file upload
    - name: move lambda into place for archive module
      copy:
        src: "mini_http_lambda.py"
        dest: "{{output_dir}}/mini_http_lambda.py"

    - name: bundle lambda into a zip
      archive:
        format: zip
        path: "{{output_dir}}/mini_http_lambda.py"
        dest: "{{output_dir}}/mini_http_lambda.zip"
      register: zip_res

    - name: test state=present - upload the lambda
      lambda:
        name="{{lambda_function_name}}"
        runtime="python2.7"
        handler="mini_http_lambda.handler"
        role="ansible_lambda_role"
        ec2_region='{{ec2_region}}'
        aws_access_key='{{aws_access_key}}'
        aws_secret_key='{{aws_secret_key}}'
        security_token='{{security_token}}'
        zip_file="{{zip_res.dest}}"
      register: lambda_result

    - name: install aws cli - FIXME temporary this should go for a lighterweight solution
      command: pip install awscli
      register: result

    - name: get the aws account ID for use in future commands
      command: aws sts get-caller-identity --output text --query 'Account'
      environment:
          AWS_ACCESS_KEY_ID: '{{aws_access_key}}'
          AWS_SECRET_ACCESS_KEY: '{{aws_secret_key}}'
          AWS_SESSION_TOKEN: '{{security_token}}'
      register: result

    - name: register account id
      set_fact:
        aws_account_id: "{{ result.stdout | replace('\n', '') }}"

    - name: register lambda uri for use in template
      set_fact:
        mini_lambda_uri: "arn:aws:apigateway:{{ec2_region}}:lambda:path/2015-03-31/functions/arn:aws:lambda:{{ec2_region}}:{{aws_account_id}}:function:{{ lambda_result.configuration.function_name }}/invocations"

    - name: build API file
      template:
        src: endpoint-test-swagger-api.yml.j2
        dest: "{{output_dir}}/endpoint-test-swagger-api.yml.j2"

    - name: deploy new API
      aws_api_gateway:
        api_file: "{{output_dir}}/endpoint-test-swagger-api.yml.j2"
        stage: "lambdabased"
        region: '{{ec2_region}}'
        aws_access_key: '{{aws_access_key}}'
        aws_secret_key: '{{aws_secret_key}}'
        security_token: '{{security_token}}'
      register: create_result


    - name: register api id for later
      set_fact:
        api_id: "{{ create_result.api_id }}"

    - name: check API fails with permissions failure
      uri: url="https://{{create_result.api_id}}.execute-api.{{ec2_region}}.amazonaws.com/lambdabased/mini/Mr_Ansible_Tester"
      register: unauth_uri_result
      ignore_errors: true

    - name: assert internal server error due to permissions
      assert:
        that:
          - unauth_uri_result is failed
          - 'unauth_uri_result.status == 500'

    - name: give api gateway execute permissions on lambda
      lambda_policy:
        function_name: "{{ lambda_function_name }}"
        region: "{{ec2_region}}"
        state: present
        statement_id: api-gateway-invoke-lambdas
        action: lambda:InvokeFunction
        principal: apigateway.amazonaws.com
        source_arn: "arn:aws:execute-api:{{ ec2_region }}:{{ aws_account_id }}:*/*"
        aws_access_key: '{{aws_access_key}}'
        aws_secret_key: '{{aws_secret_key}}'
        security_token: '{{security_token}}'

    - name: check API works with execute permissions
      uri: url="https://{{create_result.api_id}}.execute-api.{{ec2_region}}.amazonaws.com/lambdabased/mini/Mr_Ansible_Tester"
      register: uri_result

    - name: assert API works success
      assert:
        that:
           - 'uri_result'


    - name: deploy new API
      aws_api_gateway:
        api_file: "{{output_dir}}/endpoint-test-swagger-api.yml.j2"
        stage: "lambdabased"
        region: '{{ec2_region}}'
        aws_access_key: '{{aws_access_key}}'
        aws_secret_key: '{{aws_secret_key}}'
        security_token: '{{security_token}}'
      register: create_result
      ignore_errors: true


  always:

    # ============================================================
    - name: destroy lambda for test cleanup if created
      lambda:
        name="{{lambda_function_name}}"
        ec2_region='{{ec2_region}}'
        ec2_access_key='{{ec2_access_key}}'
        ec2_secret_key='{{ec2_secret_key}}'
        security_token='{{security_token}}'
        state=absent
      register: result

    - name: destroy API for test cleanup if created
      aws_api_gateway:
        state: absent
        api_id: '{{api_id}}'
        region: '{{ec2_region}}'
        aws_access_key: '{{ec2_access_key}}'
        aws_secret_key: '{{ec2_secret_key}}'
        security_token: '{{security_token}}'
      register: destroy_result

    - name: assert destroy statements succeeded
      assert:
        that:
           - 'destroy_result.changed == True'
           - 'result is not failed'