mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
079299db4d
* Add tests to replicate bug #44788 * Handle when userId is same account due to in-account peering * Module defaults for main.yml * Turn off VPC peering tests in CI
1484 lines
48 KiB
YAML
1484 lines
48 KiB
YAML
---
|
|
# A Note about ec2 environment variable name preference:
|
|
# - EC2_URL -> AWS_URL
|
|
# - EC2_ACCESS_KEY -> AWS_ACCESS_KEY_ID -> AWS_ACCESS_KEY
|
|
# - EC2_SECRET_KEY -> AWS_SECRET_ACCESS_KEY -> AWX_SECRET_KEY
|
|
# - EC2_REGION -> AWS_REGION
|
|
#
|
|
|
|
# - include: ../../setup_ec2/tasks/common.yml module_name: ec2_group
|
|
|
|
- include: ./credential_tests.yml
|
|
- module_defaults:
|
|
group/aws:
|
|
aws_access_key: "{{ aws_access_key }}"
|
|
aws_secret_key: "{{ aws_secret_key }}"
|
|
security_token: "{{ security_token }}"
|
|
region: "{{ aws_region }}"
|
|
block:
|
|
# ============================================================
|
|
- name: set up aws connection info
|
|
set_fact:
|
|
aws_connection_info: &aws_connection_info
|
|
aws_access_key: "{{ aws_access_key }}"
|
|
aws_secret_key: "{{ aws_secret_key }}"
|
|
security_token: "{{ security_token }}"
|
|
region: "{{ aws_region }}"
|
|
no_log: yes
|
|
|
|
# ============================================================
|
|
- name: determine if there is a default VPC
|
|
set_fact:
|
|
defaultvpc: "{{ lookup('aws_account_attribute',
|
|
attribute='default-vpc',
|
|
region=aws_region,
|
|
aws_access_key=aws_access_key,
|
|
aws_secret_key=aws_secret_key,
|
|
aws_security_token=security_token) }}"
|
|
register: default_vpc
|
|
|
|
# ============================================================
|
|
- name: create a VPC
|
|
ec2_vpc_net:
|
|
name: "{{ resource_prefix }}-vpc"
|
|
state: present
|
|
cidr_block: "10.232.232.128/26"
|
|
<<: *aws_connection_info
|
|
tags:
|
|
Name: "{{ resource_prefix }}-vpc"
|
|
Description: "Created by ansible-test"
|
|
register: vpc_result
|
|
#TODO(ryansb): Update CI for VPC peering permissions
|
|
#- include: ./multi_account.yml
|
|
- include: ./numeric_protos.yml
|
|
- include: ./rule_group_create.yml
|
|
- include: ./egress_tests.yml
|
|
- include: ./data_validation.yml
|
|
|
|
# ============================================================
|
|
- name: test state=absent (CHECK MODE)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
state: absent
|
|
check_mode: true
|
|
register: result
|
|
|
|
- name: assert no changes would be made
|
|
assert:
|
|
that:
|
|
- not result.changed
|
|
|
|
# ===========================================================
|
|
- name: test state=absent
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
state: absent
|
|
register: result
|
|
|
|
# ============================================================
|
|
- name: test state=present (expected changed=true) (CHECK MODE)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
state: present
|
|
check_mode: true
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
|
|
# ============================================================
|
|
- name: test state=present (expected changed=true)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
state: present
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
- 'result.group_id.startswith("sg-")'
|
|
|
|
# ============================================================
|
|
- name: test state=present different description (expected changed=false) (CHECK MODE)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}CHANGED'
|
|
<<: *aws_connection_info
|
|
state: present
|
|
check_mode: true
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=false)
|
|
assert:
|
|
that:
|
|
- 'not result.changed'
|
|
|
|
# ============================================================
|
|
- name: test state=present different description (expected changed=false)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}CHANGED'
|
|
<<: *aws_connection_info
|
|
state: present
|
|
ignore_errors: true
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=false)
|
|
assert:
|
|
that:
|
|
- 'not result.changed'
|
|
- 'result.group_id.startswith("sg-")'
|
|
|
|
# ============================================================
|
|
- name: test state=present (expected changed=false)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
state: present
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=false)
|
|
assert:
|
|
that:
|
|
- 'not result.changed'
|
|
- 'result.group_id.startswith("sg-")'
|
|
|
|
# ============================================================
|
|
- name: tests IPv6 with the default VPC
|
|
include: ./ipv6_default_tests.yml
|
|
when: default_vpc
|
|
|
|
- name: test IPv6 with a specified VPC
|
|
block:
|
|
|
|
# ============================================================
|
|
- name: test state=present (expected changed=true) (CHECK MODE)
|
|
ec2_group:
|
|
name: '{{ ec2_group_name }}-2'
|
|
description: '{{ ec2_group_description }}-2'
|
|
state: present
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
<<: *aws_connection_info
|
|
check_mode: true
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
|
|
# ============================================================
|
|
- name: test state=present (expected changed=true)
|
|
ec2_group:
|
|
name: '{{ ec2_group_name }}-2'
|
|
description: '{{ ec2_group_description }}-2'
|
|
state: present
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
<<: *aws_connection_info
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
- 'result.group_id.startswith("sg-")'
|
|
|
|
# ============================================================
|
|
- name: test state=present for ipv6 (expected changed=true) (CHECK MODE)
|
|
ec2_group:
|
|
name: '{{ ec2_group_name }}-2'
|
|
description: '{{ ec2_group_description }}-2'
|
|
state: present
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
rules:
|
|
- proto: "tcp"
|
|
from_port: 8182
|
|
to_port: 8182
|
|
cidr_ipv6: "64:ff9b::/96"
|
|
<<: *aws_connection_info
|
|
check_mode: true
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
|
|
# ============================================================
|
|
- name: test state=present for ipv6 (expected changed=true)
|
|
ec2_group:
|
|
name: '{{ ec2_group_name }}-2'
|
|
description: '{{ ec2_group_description }}-2'
|
|
state: present
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
rules:
|
|
- proto: "tcp"
|
|
from_port: 8182
|
|
to_port: 8182
|
|
cidr_ipv6: "64:ff9b::/96"
|
|
<<: *aws_connection_info
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
- 'result.group_id.startswith("sg-")'
|
|
|
|
# ============================================================
|
|
- name: test state=present for ipv6 (expected changed=false) (CHECK MODE)
|
|
ec2_group:
|
|
name: '{{ ec2_group_name }}-2'
|
|
description: '{{ ec2_group_description }}-2'
|
|
state: present
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
rules:
|
|
- proto: "tcp"
|
|
from_port: 8182
|
|
to_port: 8182
|
|
cidr_ipv6: "64:ff9b::/96"
|
|
<<: *aws_connection_info
|
|
check_mode: true
|
|
register: result
|
|
|
|
- name: assert nothing changed
|
|
assert:
|
|
that:
|
|
- 'not result.changed'
|
|
|
|
# ============================================================
|
|
- name: test state=present for ipv6 (expected changed=false)
|
|
ec2_group:
|
|
name: '{{ ec2_group_name }}-2'
|
|
description: '{{ ec2_group_description }}-2'
|
|
state: present
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
rules:
|
|
- proto: "tcp"
|
|
from_port: 8182
|
|
to_port: 8182
|
|
cidr_ipv6: "64:ff9b::/96"
|
|
<<: *aws_connection_info
|
|
register: result
|
|
|
|
- name: assert nothing changed
|
|
assert:
|
|
that:
|
|
- 'not result.changed'
|
|
|
|
# ============================================================
|
|
- name: test rules_egress state=present for ipv6 (expected changed=true) (CHECK MODE)
|
|
ec2_group:
|
|
name: '{{ ec2_group_name }}-2'
|
|
description: '{{ ec2_group_description }}-2'
|
|
state: present
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
rules:
|
|
- proto: "tcp"
|
|
from_port: 8182
|
|
to_port: 8182
|
|
cidr_ipv6: "64:ff9b::/96"
|
|
rules_egress:
|
|
- proto: "tcp"
|
|
from_port: 8181
|
|
to_port: 8181
|
|
cidr_ipv6: "64:ff9b::/96"
|
|
<<: *aws_connection_info
|
|
check_mode: true
|
|
diff: true
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
- 'result.diff.0.before.ip_permissions == result.diff.0.after.ip_permissions'
|
|
- 'result.diff.0.before.ip_permissions_egress != result.diff.0.after.ip_permissions_egress'
|
|
|
|
# ============================================================
|
|
- name: test rules_egress state=present for ipv6 (expected changed=true)
|
|
ec2_group:
|
|
name: '{{ ec2_group_name }}-2'
|
|
description: '{{ ec2_group_description }}-2'
|
|
state: present
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
rules:
|
|
- proto: "tcp"
|
|
from_port: 8182
|
|
to_port: 8182
|
|
cidr_ipv6: "64:ff9b::/96"
|
|
rules_egress:
|
|
- proto: "tcp"
|
|
from_port: 8181
|
|
to_port: 8181
|
|
cidr_ipv6: "64:ff9b::/96"
|
|
<<: *aws_connection_info
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
- 'result.group_id.startswith("sg-")'
|
|
|
|
# ============================================================
|
|
- name: test state=absent (expected changed=true) (CHECK MODE)
|
|
ec2_group:
|
|
name: '{{ ec2_group_name }}-2'
|
|
description: '{{ ec2_group_description }}-2'
|
|
state: absent
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
<<: *aws_connection_info
|
|
check_mode: true
|
|
diff: true
|
|
register: result
|
|
|
|
- name: assert group was removed
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
- 'not result.diff.0.after'
|
|
|
|
# ============================================================
|
|
- name: test state=absent (expected changed=true)
|
|
ec2_group:
|
|
name: '{{ ec2_group_name }}-2'
|
|
description: '{{ ec2_group_description }}-2'
|
|
state: absent
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
<<: *aws_connection_info
|
|
register: result
|
|
|
|
- name: assert group was removed
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
|
|
# ============================================================
|
|
- name: test state=present for ipv4 (expected changed=true) (CHECK MODE)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
rules:
|
|
- proto: "tcp"
|
|
from_port: 8182
|
|
to_port: 8182
|
|
cidr_ip: "1.1.1.1/32"
|
|
check_mode: true
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
|
|
# ============================================================
|
|
- name: test state=present for ipv4 (expected changed=true)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
rules:
|
|
- proto: "tcp"
|
|
from_port: 8182
|
|
to_port: 8182
|
|
cidr_ip: "1.1.1.1/32"
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
- 'result.group_id.startswith("sg-")'
|
|
- 'result.ip_permissions|length == 1'
|
|
- 'result.ip_permissions_egress|length == 1'
|
|
|
|
# ============================================================
|
|
- name: add same rule to the existing group (expected changed=false) (CHECK MODE)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
state: present
|
|
rules:
|
|
- proto: "tcp"
|
|
from_port: 8182
|
|
to_port: 8182
|
|
cidr_ip: "1.1.1.1/32"
|
|
check_mode: true
|
|
diff: true
|
|
register: check_result
|
|
|
|
- assert:
|
|
that:
|
|
- not check_result.changed
|
|
- check_result.diff.0.before.ip_permissions.0 == check_result.diff.0.after.ip_permissions.0
|
|
|
|
# ============================================================
|
|
- name: add same rule to the existing group (expected changed=false)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
state: present
|
|
rules:
|
|
- proto: "tcp"
|
|
from_port: 8182
|
|
to_port: 8182
|
|
cidr_ip: "1.1.1.1/32"
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=false)
|
|
assert:
|
|
that:
|
|
- 'not result.changed'
|
|
- 'result.group_id.startswith("sg-")'
|
|
|
|
- name: assert state=present (expected changed=false)
|
|
assert:
|
|
that:
|
|
- 'not check_result.changed'
|
|
|
|
# ============================================================
|
|
- name: add a rule that auto creates another security group (CHECK MODE)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
state: present
|
|
purge_rules: no
|
|
rules:
|
|
- proto: "tcp"
|
|
group_name: "{{ resource_prefix }} - Another security group"
|
|
group_desc: Another security group
|
|
ports: 7171
|
|
check_mode: true
|
|
register: result
|
|
|
|
- name: check that there are now two rules
|
|
assert:
|
|
that:
|
|
- result.changed
|
|
|
|
# ============================================================
|
|
- name: add a rule that auto creates another security group
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
state: present
|
|
purge_rules: no
|
|
rules:
|
|
- proto: "tcp"
|
|
group_name: "{{ resource_prefix }} - Another security group"
|
|
group_desc: Another security group
|
|
ports: 7171
|
|
register: result
|
|
|
|
- name: check that there are now two rules
|
|
assert:
|
|
that:
|
|
- result.changed
|
|
- result.ip_permissions|length == 2
|
|
- result.ip_permissions[0].user_id_group_pairs or
|
|
result.ip_permissions[1].user_id_group_pairs
|
|
- 'result.ip_permissions_egress[0].ip_protocol == "-1"'
|
|
|
|
# ============================================================
|
|
- name: test ip rules convert port numbers from string to int (expected changed=true) (CHECK MODE)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
state: present
|
|
rules:
|
|
- proto: "tcp"
|
|
from_port: "8183"
|
|
to_port: "8183"
|
|
cidr_ip: "1.1.1.1/32"
|
|
rules_egress:
|
|
- proto: "tcp"
|
|
from_port: "8184"
|
|
to_port: "8184"
|
|
cidr_ip: "1.1.1.1/32"
|
|
check_mode: true
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
|
|
# ============================================================
|
|
- name: test ip rules convert port numbers from string to int (expected changed=true)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
state: present
|
|
rules:
|
|
- proto: "tcp"
|
|
from_port: "8183"
|
|
to_port: "8183"
|
|
cidr_ip: "1.1.1.1/32"
|
|
rules_egress:
|
|
- proto: "tcp"
|
|
from_port: "8184"
|
|
to_port: "8184"
|
|
cidr_ip: "1.1.1.1/32"
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
- 'result.group_id.startswith("sg-")'
|
|
- 'result.ip_permissions|length == 1'
|
|
- 'result.ip_permissions_egress[0].ip_protocol == "tcp"'
|
|
|
|
|
|
# ============================================================
|
|
- name: test group rules convert port numbers from string to int (expected changed=true) (CHECK MODE)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
state: present
|
|
rules:
|
|
- proto: "tcp"
|
|
from_port: "8185"
|
|
to_port: "8185"
|
|
group_id: "{{result.group_id}}"
|
|
rules_egress:
|
|
- proto: "tcp"
|
|
from_port: "8186"
|
|
to_port: "8186"
|
|
group_id: "{{result.group_id}}"
|
|
check_mode: true
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
|
|
# ============================================================
|
|
- name: test group rules convert port numbers from string to int (expected changed=true)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
state: present
|
|
rules:
|
|
- proto: "tcp"
|
|
from_port: "8185"
|
|
to_port: "8185"
|
|
group_id: "{{result.group_id}}"
|
|
rules_egress:
|
|
- proto: "tcp"
|
|
from_port: "8186"
|
|
to_port: "8186"
|
|
group_id: "{{result.group_id}}"
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
- 'result.group_id.startswith("sg-")'
|
|
|
|
# ============================================================
|
|
- name: test adding a range of ports and ports given as strings (expected changed=true) (CHECK MODE)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
state: present
|
|
# set purge_rules to false so we don't get a false positive from previously added rules
|
|
purge_rules: false
|
|
rules:
|
|
- proto: "tcp"
|
|
ports:
|
|
- 8183-8190
|
|
- '8192'
|
|
cidr_ip: 1.1.1.1/32
|
|
check_mode: true
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
|
|
# ============================================================
|
|
- name: test adding a range of ports and ports given as strings (expected changed=true)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
state: present
|
|
# set purge_rules to false so we don't get a false positive from previously added rules
|
|
purge_rules: false
|
|
rules:
|
|
- proto: "tcp"
|
|
ports:
|
|
- 8183-8190
|
|
- '8192'
|
|
cidr_ip: 1.1.1.1/32
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
- 'result.group_id.startswith("sg-")'
|
|
|
|
# ============================================================
|
|
- name: test adding a rule with a IPv4 CIDR with host bits set (expected changed=true) (CHECK MODE)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
state: present
|
|
# set purge_rules to false so we don't get a false positive from previously added rules
|
|
purge_rules: false
|
|
rules:
|
|
- proto: "tcp"
|
|
ports:
|
|
- 8195
|
|
cidr_ip: 10.0.0.1/8
|
|
check_mode: true
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
|
|
# ============================================================
|
|
- name: test adding a rule with a IPv4 CIDR with host bits set (expected changed=true)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
state: present
|
|
# set purge_rules to false so we don't get a false positive from previously added rules
|
|
purge_rules: false
|
|
rules:
|
|
- proto: "tcp"
|
|
ports:
|
|
- 8195
|
|
cidr_ip: 10.0.0.1/8
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
- 'result.group_id.startswith("sg-")'
|
|
|
|
# ============================================================
|
|
- name: test adding the same rule with a IPv4 CIDR with host bits set (expected changed=false) (CHECK MODE)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
state: present
|
|
# set purge_rules to false so we don't get a false positive from previously added rules
|
|
purge_rules: false
|
|
rules:
|
|
- proto: "tcp"
|
|
ports:
|
|
- 8195
|
|
cidr_ip: 10.0.0.1/8
|
|
check_mode: true
|
|
register: check_result
|
|
|
|
# ============================================================
|
|
- name: test adding the same rule with a IPv4 CIDR with host bits set (expected changed=false and a warning)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
state: present
|
|
# set purge_rules to false so we don't get a false positive from previously added rules
|
|
purge_rules: false
|
|
rules:
|
|
- proto: "tcp"
|
|
ports:
|
|
- 8195
|
|
cidr_ip: 10.0.0.1/8
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=false and a warning)
|
|
assert:
|
|
that:
|
|
- 'not check_result.changed'
|
|
|
|
- name: assert state=present (expected changed=false and a warning)
|
|
assert:
|
|
that:
|
|
# No way to assert for warnings?
|
|
- 'not result.changed'
|
|
- 'result.group_id.startswith("sg-")'
|
|
|
|
# ============================================================
|
|
- name: test using the default VPC
|
|
block:
|
|
|
|
- name: test adding a rule with a IPv6 CIDR with host bits set (expected changed=true) (CHECK MODE)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
state: present
|
|
# set purge_rules to false so we don't get a false positive from previously added rules
|
|
purge_rules: false
|
|
rules:
|
|
- proto: "tcp"
|
|
ports:
|
|
- 8196
|
|
cidr_ipv6: '2001:db00::1/24'
|
|
check_mode: true
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
|
|
# ============================================================
|
|
- name: test adding a rule with a IPv6 CIDR with host bits set (expected changed=true)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
state: present
|
|
# set purge_rules to false so we don't get a false positive from previously added rules
|
|
purge_rules: false
|
|
rules:
|
|
- proto: "tcp"
|
|
ports:
|
|
- 8196
|
|
cidr_ipv6: '2001:db00::1/24'
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
- 'result.group_id.startswith("sg-")'
|
|
|
|
# ============================================================
|
|
|
|
- name: test adding a rule again with a IPv6 CIDR with host bits set (expected changed=false and a warning)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
state: present
|
|
# set purge_rules to false so we don't get a false positive from previously added rules
|
|
purge_rules: false
|
|
rules:
|
|
- proto: "tcp"
|
|
ports:
|
|
- 8196
|
|
cidr_ipv6: '2001:db00::1/24'
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=false and a warning)
|
|
assert:
|
|
that:
|
|
# No way to assert for warnings?
|
|
- 'not result.changed'
|
|
- 'result.group_id.startswith("sg-")'
|
|
|
|
when: default_vpc
|
|
|
|
# ============================================================
|
|
- name: test state=absent (expected changed=true) (CHECK MODE)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
state: absent
|
|
<<: *aws_connection_info
|
|
check_mode: true
|
|
register: result
|
|
|
|
- name: assert state=absent (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
|
|
# ============================================================
|
|
- name: test state=absent (expected changed=true)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
state: absent
|
|
<<: *aws_connection_info
|
|
register: result
|
|
|
|
- name: assert state=absent (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
- 'not result.group_id'
|
|
|
|
# ============================================================
|
|
- name: create security group in the VPC (CHECK MODE)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
state: present
|
|
rules:
|
|
- proto: "tcp"
|
|
from_port: 8182
|
|
to_port: 8182
|
|
cidr_ip: "1.1.1.1/32"
|
|
check_mode: true
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
|
|
# ============================================================
|
|
- name: create security group in the VPC
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
state: present
|
|
rules:
|
|
- proto: "tcp"
|
|
from_port: 8182
|
|
to_port: 8182
|
|
cidr_ip: "1.1.1.1/32"
|
|
register: result
|
|
|
|
- name: assert state=present (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
- 'result.vpc_id == vpc_result.vpc.id'
|
|
- 'result.group_id.startswith("sg-")'
|
|
|
|
# ============================================================
|
|
- name: test adding tags (expected changed=true) (CHECK MODE)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
state: present
|
|
rules:
|
|
- proto: "tcp"
|
|
from_port: 8182
|
|
to_port: 8182
|
|
cidr_ip: "1.1.1.1/32"
|
|
tags:
|
|
tag1: test1
|
|
tag2: test2
|
|
check_mode: true
|
|
diff: true
|
|
register: result
|
|
|
|
- name: assert that tags were added (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
- 'not result.diff.0.before.tags'
|
|
- 'result.diff.0.after.tags.tag1 == "test1"'
|
|
- 'result.diff.0.after.tags.tag2 == "test2"'
|
|
|
|
# ============================================================
|
|
- name: test adding tags (expected changed=true)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
state: present
|
|
rules:
|
|
- proto: "tcp"
|
|
from_port: 8182
|
|
to_port: 8182
|
|
cidr_ip: "1.1.1.1/32"
|
|
tags:
|
|
tag1: test1
|
|
tag2: test2
|
|
register: result
|
|
|
|
- name: assert that tags were added (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
- 'result.tags == {"tag1": "test1", "tag2": "test2"}'
|
|
|
|
# ============================================================
|
|
- name: test that tags are present (expected changed=False) (CHECK MODE)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
state: present
|
|
purge_rules_egress: false
|
|
rules:
|
|
- proto: "tcp"
|
|
from_port: 8182
|
|
to_port: 8182
|
|
cidr_ip: "1.1.1.1/32"
|
|
tags:
|
|
tag1: test1
|
|
tag2: test2
|
|
check_mode: true
|
|
register: result
|
|
|
|
- name: assert that tags were not changed (expected changed=False)
|
|
assert:
|
|
that:
|
|
- 'not result.changed'
|
|
|
|
# ============================================================
|
|
- name: test that tags are present (expected changed=False)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
state: present
|
|
purge_rules_egress: false
|
|
rules:
|
|
- proto: "tcp"
|
|
from_port: 8182
|
|
to_port: 8182
|
|
cidr_ip: "1.1.1.1/32"
|
|
tags:
|
|
tag1: test1
|
|
tag2: test2
|
|
register: result
|
|
|
|
- name: assert that tags were not changed (expected changed=False)
|
|
assert:
|
|
that:
|
|
- 'not result.changed'
|
|
- 'result.tags == {"tag1": "test1", "tag2": "test2"}'
|
|
|
|
# ============================================================
|
|
- name: test purging tags (expected changed=True) (CHECK MODE)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
state: present
|
|
rules:
|
|
- proto: "tcp"
|
|
from_port: 8182
|
|
to_port: 8182
|
|
cidr_ip: "1.1.1.1/32"
|
|
tags:
|
|
tag1: test1
|
|
check_mode: true
|
|
register: result
|
|
|
|
- name: assert that tag2 was removed (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
|
|
# ============================================================
|
|
- name: test purging tags (expected changed=True)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
state: present
|
|
rules:
|
|
- proto: "tcp"
|
|
from_port: 8182
|
|
to_port: 8182
|
|
cidr_ip: "1.1.1.1/32"
|
|
tags:
|
|
tag1: test1
|
|
register: result
|
|
|
|
- name: assert that tag2 was removed (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
- 'result.tags == {"tag1": "test1"}'
|
|
|
|
# ============================================================
|
|
|
|
- name: assert that tags are left as-is if not specified (expected changed=False)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
state: present
|
|
rules:
|
|
- proto: "tcp"
|
|
from_port: 8182
|
|
to_port: 8182
|
|
cidr_ip: "1.1.1.1/32"
|
|
register: result
|
|
|
|
- name: assert that the tags stayed the same (expected changed=false)
|
|
assert:
|
|
that:
|
|
- 'not result.changed'
|
|
- 'result.tags == {"tag1": "test1"}'
|
|
|
|
# ============================================================
|
|
|
|
- name: test purging all tags (expected changed=True)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
state: present
|
|
rules:
|
|
- proto: "tcp"
|
|
from_port: 8182
|
|
to_port: 8182
|
|
cidr_ip: "1.1.1.1/32"
|
|
tags: {}
|
|
register: result
|
|
|
|
- name: assert that tag1 was removed (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
- 'not result.tags'
|
|
|
|
# ============================================================
|
|
- name: test adding a rule and egress rule descriptions (expected changed=true) (CHECK MODE)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
# purge the other rules so assertions work for the subsequent tests for rule descriptions
|
|
purge_rules_egress: true
|
|
purge_rules: true
|
|
state: present
|
|
rules:
|
|
- proto: "tcp"
|
|
ports:
|
|
- 8281
|
|
cidr_ipv6: 1001:d00::/24
|
|
rule_desc: ipv6 rule desc 1
|
|
rules_egress:
|
|
- proto: "tcp"
|
|
ports:
|
|
- 8282
|
|
cidr_ip: 2.2.2.2/32
|
|
rule_desc: egress rule desc 1
|
|
check_mode: true
|
|
register: result
|
|
|
|
- name: assert that rule descriptions are created (expected changed=true)
|
|
# Only assert this if rule description is defined as the botocore version may < 1.7.2.
|
|
# It's still helpful to have these tests run on older versions since it verifies backwards
|
|
# compatibility with this feature.
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
when: result.ip_permissions_egress[0].ip_ranges[0].description is defined
|
|
|
|
- name: if an older version of botocore is installed changes should still have changed due to purged rules (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
when: result.ip_permissions_egress[0].ip_ranges[0].description is undefined
|
|
|
|
# ============================================================
|
|
- name: test adding a rule and egress rule descriptions (expected changed=true)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
# purge the other rules so assertions work for the subsequent tests for rule descriptions
|
|
purge_rules_egress: true
|
|
purge_rules: true
|
|
state: present
|
|
rules:
|
|
- proto: "tcp"
|
|
ports:
|
|
- 8281
|
|
cidr_ipv6: 1001:d00::/24
|
|
rule_desc: ipv6 rule desc 1
|
|
rules_egress:
|
|
- proto: "tcp"
|
|
ports:
|
|
- 8282
|
|
cidr_ip: 2.2.2.2/32
|
|
rule_desc: egress rule desc 1
|
|
register: result
|
|
|
|
- name: assert that rule descriptions are created (expected changed=true)
|
|
# Only assert this if rule description is defined as the botocore version may < 1.7.2.
|
|
# It's still helpful to have these tests run on older versions since it verifies backwards
|
|
# compatibility with this feature.
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
- 'result.ip_permissions[0].ipv6_ranges[0].description == "ipv6 rule desc 1"'
|
|
- 'result.ip_permissions_egress[0].ip_ranges[0].description == "egress rule desc 1"'
|
|
when: result.ip_permissions_egress[0].ip_ranges[0].description is defined
|
|
|
|
- name: if an older version of botocore is installed changes should still have changed due to purged rules (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
when: result.ip_permissions_egress[0].ip_ranges[0].description is undefined
|
|
|
|
# ============================================================
|
|
- name: test modifying rule and egress rule descriptions (expected changed=true) (CHECK MODE)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
purge_rules_egress: false
|
|
purge_rules: false
|
|
state: present
|
|
rules:
|
|
- proto: "tcp"
|
|
ports:
|
|
- 8281
|
|
cidr_ipv6: 1001:d00::/24
|
|
rule_desc: ipv6 rule desc 2
|
|
rules_egress:
|
|
- proto: "tcp"
|
|
ports:
|
|
- 8282
|
|
cidr_ip: 2.2.2.2/32
|
|
rule_desc: egress rule desc 2
|
|
check_mode: true
|
|
register: result
|
|
|
|
- name: assert that rule descriptions were modified (expected changed=true)
|
|
# Only assert this if rule description is defined as the botocore version may < 1.7.2.
|
|
# It's still helpful to have these tests run on older versions since it verifies backwards
|
|
# compatibility with this feature.
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
when: result.ip_permissions_egress[0].ip_ranges[0].description is defined
|
|
|
|
- name: if an older version of botocore is installed everything should stay the same (expected changed=false)
|
|
assert:
|
|
that:
|
|
- 'not result.changed'
|
|
when: result.ip_permissions_egress[0].ip_ranges[0].description is undefined and result.ip_permissions_egress[1].ip_ranges[0].description is undefined
|
|
|
|
# ============================================================
|
|
- name: test modifying rule and egress rule descriptions (expected changed=true)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
purge_rules_egress: false
|
|
purge_rules: false
|
|
state: present
|
|
rules:
|
|
- proto: "tcp"
|
|
ports:
|
|
- 8281
|
|
cidr_ipv6: 1001:d00::/24
|
|
rule_desc: ipv6 rule desc 2
|
|
rules_egress:
|
|
- proto: "tcp"
|
|
ports:
|
|
- 8282
|
|
cidr_ip: 2.2.2.2/32
|
|
rule_desc: egress rule desc 2
|
|
register: result
|
|
|
|
- name: assert that rule descriptions were modified (expected changed=true)
|
|
# Only assert this if rule description is defined as the botocore version may < 1.7.2.
|
|
# It's still helpful to have these tests run on older versions since it verifies backwards
|
|
# compatibility with this feature.
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
- 'result.ip_permissions[0].ipv6_ranges[0].description == "ipv6 rule desc 2"'
|
|
- 'result.ip_permissions_egress[0].ip_ranges[0].description == "egress rule desc 2"'
|
|
when: result.ip_permissions_egress[0].ip_ranges[0].description is defined
|
|
|
|
- name: if an older version of botocore is installed everything should stay the same (expected changed=false)
|
|
assert:
|
|
that:
|
|
- 'not result.changed'
|
|
when: result.ip_permissions_egress[0].ip_ranges[0].description is undefined
|
|
|
|
# ============================================================
|
|
|
|
- name: test creating rule in default vpc with egress rule (expected changed=true)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}-default-vpc'
|
|
description: '{{ec2_group_description}} default VPC'
|
|
<<: *aws_connection_info
|
|
purge_rules_egress: true
|
|
state: present
|
|
rules:
|
|
- proto: "tcp"
|
|
ports:
|
|
- 8281
|
|
cidr_ip: 1.1.1.1/24
|
|
rule_desc: ipv4 rule desc
|
|
rules_egress:
|
|
- proto: "tcp"
|
|
ports:
|
|
- 8282
|
|
cidr_ip: 2.2.2.2/32
|
|
rule_desc: egress rule desc 2
|
|
register: result
|
|
|
|
- name: assert that rule descriptions were modified (expected changed=true)
|
|
# Only assert this if rule description is defined as the botocore version may < 1.7.2.
|
|
# It's still helpful to have these tests run on older versions since it verifies backwards
|
|
# compatibility with this feature.
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
- 'result.ip_permissions_egress|length == 1'
|
|
|
|
# ============================================================
|
|
- name: test that keeping the same rule descriptions (expected changed=false) (CHECK MODE)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
purge_rules_egress: false
|
|
purge_rules: false
|
|
state: present
|
|
rules:
|
|
- proto: "tcp"
|
|
ports:
|
|
- 8281
|
|
cidr_ipv6: 1001:d00::/24
|
|
rule_desc: ipv6 rule desc 2
|
|
rules_egress:
|
|
- proto: "tcp"
|
|
ports:
|
|
- 8282
|
|
cidr_ip: 2.2.2.2/32
|
|
rule_desc: egress rule desc 2
|
|
check_mode: true
|
|
register: result
|
|
|
|
- name: assert that rule descriptions stayed the same (expected changed=false)
|
|
# Only assert this if rule description is defined as the botocore version may < 1.7.2.
|
|
# It's still helpful to have these tests run on older versions since it verifies backwards
|
|
# compatibility with this feature.
|
|
assert:
|
|
that:
|
|
- 'not result.changed'
|
|
when: result.ip_permissions_egress[0].ip_ranges[0].description is defined
|
|
|
|
- name: if an older version of botocore is installed everything should stay the same (expected changed=false)
|
|
assert:
|
|
that:
|
|
- 'not result.changed'
|
|
when: result.ip_permissions_egress[0].ip_ranges[0].description is undefined
|
|
|
|
# ============================================================
|
|
- name: test that keeping the same rule descriptions (expected changed=false)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
purge_rules_egress: false
|
|
purge_rules: false
|
|
state: present
|
|
rules:
|
|
- proto: "tcp"
|
|
ports:
|
|
- 8281
|
|
cidr_ipv6: 1001:d00::/24
|
|
rule_desc: ipv6 rule desc 2
|
|
rules_egress:
|
|
- proto: "tcp"
|
|
ports:
|
|
- 8282
|
|
cidr_ip: 2.2.2.2/32
|
|
rule_desc: egress rule desc 2
|
|
register: result
|
|
|
|
- name: assert that rule descriptions stayed the same (expected changed=false)
|
|
# Only assert this if rule description is defined as the botocore version may < 1.7.2.
|
|
# It's still helpful to have these tests run on older versions since it verifies backwards
|
|
# compatibility with this feature.
|
|
assert:
|
|
that:
|
|
- 'not result.changed'
|
|
- 'result.ip_permissions[0].ipv6_ranges[0].description == "ipv6 rule desc 2"'
|
|
- 'result.ip_permissions_egress[0].ip_ranges[0].description == "egress rule desc 2"'
|
|
when: result.ip_permissions_egress[0].ip_ranges[0].description is defined
|
|
|
|
- name: if an older version of botocore is installed everything should stay the same (expected changed=false)
|
|
assert:
|
|
that:
|
|
- 'not result.changed'
|
|
when: result.ip_permissions_egress[0].ip_ranges[0].description is undefined
|
|
|
|
# ============================================================
|
|
- name: test removing rule descriptions (expected changed=true) (CHECK MODE)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
purge_rules_egress: false
|
|
purge_rules: false
|
|
state: present
|
|
rules:
|
|
- proto: "tcp"
|
|
ports:
|
|
- 8281
|
|
cidr_ipv6: 1001:d00::/24
|
|
rule_desc:
|
|
rules_egress:
|
|
- proto: "tcp"
|
|
ports:
|
|
- 8282
|
|
cidr_ip: 2.2.2.2/32
|
|
rule_desc:
|
|
check_mode: true
|
|
register: result
|
|
|
|
- name: assert that rule descriptions were removed (expected changed=true)
|
|
# Only assert this if rule description is defined as the botocore version may < 1.7.2.
|
|
# It's still helpful to have these tests run on older versions since it verifies backwards
|
|
# compatibility with this feature.
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
when: result.ip_permissions_egress[0].ip_ranges[0].description is defined
|
|
|
|
- name: if an older version of botocore is installed everything should stay the same (expected changed=false)
|
|
assert:
|
|
that:
|
|
- 'not result.changed'
|
|
when: result.ip_permissions_egress[0].ip_ranges[0].description is undefined
|
|
|
|
# ============================================================
|
|
- name: test removing rule descriptions (expected changed=true)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
description: '{{ec2_group_description}}'
|
|
<<: *aws_connection_info
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
purge_rules_egress: false
|
|
purge_rules: false
|
|
state: present
|
|
rules:
|
|
- proto: "tcp"
|
|
ports:
|
|
- 8281
|
|
cidr_ipv6: 1001:d00::/24
|
|
rule_desc:
|
|
rules_egress:
|
|
- proto: "tcp"
|
|
ports:
|
|
- 8282
|
|
cidr_ip: 2.2.2.2/32
|
|
rule_desc:
|
|
register: result
|
|
ignore_errors: true
|
|
|
|
- name: assert that rule descriptions were removed (expected changed=true with newer botocore)
|
|
# Only assert this if rule description is defined as the botocore version may < 1.7.2.
|
|
# It's still helpful to have these tests run on older versions since it verifies backwards
|
|
# compatibility with this feature.
|
|
assert:
|
|
that:
|
|
- 'result.ip_permissions[0].ipv6_ranges[0].description is undefined'
|
|
- 'result.ip_permissions_egress[0].ip_ranges[0].description is undefined'
|
|
when: result is changed
|
|
|
|
- name: if an older version of botocore is installed everything should stay the same (expected changed=false)
|
|
assert:
|
|
that:
|
|
- 'not result.changed'
|
|
when: result.failed
|
|
|
|
# ============================================================
|
|
|
|
- name: test state=absent (expected changed=true)
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
state: absent
|
|
<<: *aws_connection_info
|
|
register: result
|
|
|
|
- name: assert state=absent (expected changed=true)
|
|
assert:
|
|
that:
|
|
- 'result.changed'
|
|
- 'not result.group_id'
|
|
|
|
always:
|
|
# ============================================================
|
|
- name: tidy up security group
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}'
|
|
state: absent
|
|
<<: *aws_connection_info
|
|
ignore_errors: yes
|
|
|
|
- name: tidy up security group for IPv6 EC2-Classic tests
|
|
ec2_group:
|
|
name: '{{ ec2_group_name }}-2'
|
|
state: absent
|
|
<<: *aws_connection_info
|
|
ignore_errors: yes
|
|
|
|
- name: tidy up default VPC security group
|
|
ec2_group:
|
|
name: '{{ec2_group_name}}-default-vpc'
|
|
state: absent
|
|
<<: *aws_connection_info
|
|
ignore_errors: yes
|
|
|
|
- name: tidy up automatically created SG
|
|
ec2_group:
|
|
name: "{{ resource_prefix }} - Another security group"
|
|
state: absent
|
|
<<: *aws_connection_info
|
|
ignore_errors: yes
|
|
|
|
- name: tidy up VPC
|
|
ec2_vpc_net:
|
|
name: "{{ resource_prefix }}-vpc"
|
|
state: absent
|
|
cidr_block: "10.232.232.128/26"
|
|
<<: *aws_connection_info
|
|
ignore_errors: yes
|