1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00
community.general/test/integration/targets/ec2_group/tasks/main.yml
Ryan Brown 079299db4d
[aws] ec2_group multi-account and peered VPC bugfix (#45296)
* Add tests to replicate bug #44788 

* Handle when userId is same account due to in-account peering

* Module defaults for main.yml

* Turn off VPC peering tests in CI
2018-09-06 15:06:03 -04:00

1484 lines
48 KiB
YAML

---
# A Note about ec2 environment variable name preference:
# - EC2_URL -> AWS_URL
# - EC2_ACCESS_KEY -> AWS_ACCESS_KEY_ID -> AWS_ACCESS_KEY
# - EC2_SECRET_KEY -> AWS_SECRET_ACCESS_KEY -> AWX_SECRET_KEY
# - EC2_REGION -> AWS_REGION
#
# - include: ../../setup_ec2/tasks/common.yml module_name: ec2_group
- include: ./credential_tests.yml
- module_defaults:
group/aws:
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
security_token: "{{ security_token }}"
region: "{{ aws_region }}"
block:
# ============================================================
- name: set up aws connection info
set_fact:
aws_connection_info: &aws_connection_info
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
security_token: "{{ security_token }}"
region: "{{ aws_region }}"
no_log: yes
# ============================================================
- name: determine if there is a default VPC
set_fact:
defaultvpc: "{{ lookup('aws_account_attribute',
attribute='default-vpc',
region=aws_region,
aws_access_key=aws_access_key,
aws_secret_key=aws_secret_key,
aws_security_token=security_token) }}"
register: default_vpc
# ============================================================
- name: create a VPC
ec2_vpc_net:
name: "{{ resource_prefix }}-vpc"
state: present
cidr_block: "10.232.232.128/26"
<<: *aws_connection_info
tags:
Name: "{{ resource_prefix }}-vpc"
Description: "Created by ansible-test"
register: vpc_result
#TODO(ryansb): Update CI for VPC peering permissions
#- include: ./multi_account.yml
- include: ./numeric_protos.yml
- include: ./rule_group_create.yml
- include: ./egress_tests.yml
- include: ./data_validation.yml
# ============================================================
- name: test state=absent (CHECK MODE)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
state: absent
check_mode: true
register: result
- name: assert no changes would be made
assert:
that:
- not result.changed
# ===========================================================
- name: test state=absent
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
state: absent
register: result
# ============================================================
- name: test state=present (expected changed=true) (CHECK MODE)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
state: present
check_mode: true
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
# ============================================================
- name: test state=present (expected changed=true)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
state: present
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
- 'result.group_id.startswith("sg-")'
# ============================================================
- name: test state=present different description (expected changed=false) (CHECK MODE)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}CHANGED'
<<: *aws_connection_info
state: present
check_mode: true
register: result
- name: assert state=present (expected changed=false)
assert:
that:
- 'not result.changed'
# ============================================================
- name: test state=present different description (expected changed=false)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}CHANGED'
<<: *aws_connection_info
state: present
ignore_errors: true
register: result
- name: assert state=present (expected changed=false)
assert:
that:
- 'not result.changed'
- 'result.group_id.startswith("sg-")'
# ============================================================
- name: test state=present (expected changed=false)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
state: present
register: result
- name: assert state=present (expected changed=false)
assert:
that:
- 'not result.changed'
- 'result.group_id.startswith("sg-")'
# ============================================================
- name: tests IPv6 with the default VPC
include: ./ipv6_default_tests.yml
when: default_vpc
- name: test IPv6 with a specified VPC
block:
# ============================================================
- name: test state=present (expected changed=true) (CHECK MODE)
ec2_group:
name: '{{ ec2_group_name }}-2'
description: '{{ ec2_group_description }}-2'
state: present
vpc_id: '{{ vpc_result.vpc.id }}'
<<: *aws_connection_info
check_mode: true
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
# ============================================================
- name: test state=present (expected changed=true)
ec2_group:
name: '{{ ec2_group_name }}-2'
description: '{{ ec2_group_description }}-2'
state: present
vpc_id: '{{ vpc_result.vpc.id }}'
<<: *aws_connection_info
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
- 'result.group_id.startswith("sg-")'
# ============================================================
- name: test state=present for ipv6 (expected changed=true) (CHECK MODE)
ec2_group:
name: '{{ ec2_group_name }}-2'
description: '{{ ec2_group_description }}-2'
state: present
vpc_id: '{{ vpc_result.vpc.id }}'
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ipv6: "64:ff9b::/96"
<<: *aws_connection_info
check_mode: true
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
# ============================================================
- name: test state=present for ipv6 (expected changed=true)
ec2_group:
name: '{{ ec2_group_name }}-2'
description: '{{ ec2_group_description }}-2'
state: present
vpc_id: '{{ vpc_result.vpc.id }}'
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ipv6: "64:ff9b::/96"
<<: *aws_connection_info
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
- 'result.group_id.startswith("sg-")'
# ============================================================
- name: test state=present for ipv6 (expected changed=false) (CHECK MODE)
ec2_group:
name: '{{ ec2_group_name }}-2'
description: '{{ ec2_group_description }}-2'
state: present
vpc_id: '{{ vpc_result.vpc.id }}'
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ipv6: "64:ff9b::/96"
<<: *aws_connection_info
check_mode: true
register: result
- name: assert nothing changed
assert:
that:
- 'not result.changed'
# ============================================================
- name: test state=present for ipv6 (expected changed=false)
ec2_group:
name: '{{ ec2_group_name }}-2'
description: '{{ ec2_group_description }}-2'
state: present
vpc_id: '{{ vpc_result.vpc.id }}'
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ipv6: "64:ff9b::/96"
<<: *aws_connection_info
register: result
- name: assert nothing changed
assert:
that:
- 'not result.changed'
# ============================================================
- name: test rules_egress state=present for ipv6 (expected changed=true) (CHECK MODE)
ec2_group:
name: '{{ ec2_group_name }}-2'
description: '{{ ec2_group_description }}-2'
state: present
vpc_id: '{{ vpc_result.vpc.id }}'
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ipv6: "64:ff9b::/96"
rules_egress:
- proto: "tcp"
from_port: 8181
to_port: 8181
cidr_ipv6: "64:ff9b::/96"
<<: *aws_connection_info
check_mode: true
diff: true
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
- 'result.diff.0.before.ip_permissions == result.diff.0.after.ip_permissions'
- 'result.diff.0.before.ip_permissions_egress != result.diff.0.after.ip_permissions_egress'
# ============================================================
- name: test rules_egress state=present for ipv6 (expected changed=true)
ec2_group:
name: '{{ ec2_group_name }}-2'
description: '{{ ec2_group_description }}-2'
state: present
vpc_id: '{{ vpc_result.vpc.id }}'
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ipv6: "64:ff9b::/96"
rules_egress:
- proto: "tcp"
from_port: 8181
to_port: 8181
cidr_ipv6: "64:ff9b::/96"
<<: *aws_connection_info
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
- 'result.group_id.startswith("sg-")'
# ============================================================
- name: test state=absent (expected changed=true) (CHECK MODE)
ec2_group:
name: '{{ ec2_group_name }}-2'
description: '{{ ec2_group_description }}-2'
state: absent
vpc_id: '{{ vpc_result.vpc.id }}'
<<: *aws_connection_info
check_mode: true
diff: true
register: result
- name: assert group was removed
assert:
that:
- 'result.changed'
- 'not result.diff.0.after'
# ============================================================
- name: test state=absent (expected changed=true)
ec2_group:
name: '{{ ec2_group_name }}-2'
description: '{{ ec2_group_description }}-2'
state: absent
vpc_id: '{{ vpc_result.vpc.id }}'
<<: *aws_connection_info
register: result
- name: assert group was removed
assert:
that:
- 'result.changed'
# ============================================================
- name: test state=present for ipv4 (expected changed=true) (CHECK MODE)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ip: "1.1.1.1/32"
check_mode: true
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
# ============================================================
- name: test state=present for ipv4 (expected changed=true)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ip: "1.1.1.1/32"
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
- 'result.group_id.startswith("sg-")'
- 'result.ip_permissions|length == 1'
- 'result.ip_permissions_egress|length == 1'
# ============================================================
- name: add same rule to the existing group (expected changed=false) (CHECK MODE)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
state: present
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ip: "1.1.1.1/32"
check_mode: true
diff: true
register: check_result
- assert:
that:
- not check_result.changed
- check_result.diff.0.before.ip_permissions.0 == check_result.diff.0.after.ip_permissions.0
# ============================================================
- name: add same rule to the existing group (expected changed=false)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
state: present
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ip: "1.1.1.1/32"
register: result
- name: assert state=present (expected changed=false)
assert:
that:
- 'not result.changed'
- 'result.group_id.startswith("sg-")'
- name: assert state=present (expected changed=false)
assert:
that:
- 'not check_result.changed'
# ============================================================
- name: add a rule that auto creates another security group (CHECK MODE)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
state: present
purge_rules: no
rules:
- proto: "tcp"
group_name: "{{ resource_prefix }} - Another security group"
group_desc: Another security group
ports: 7171
check_mode: true
register: result
- name: check that there are now two rules
assert:
that:
- result.changed
# ============================================================
- name: add a rule that auto creates another security group
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
state: present
purge_rules: no
rules:
- proto: "tcp"
group_name: "{{ resource_prefix }} - Another security group"
group_desc: Another security group
ports: 7171
register: result
- name: check that there are now two rules
assert:
that:
- result.changed
- result.ip_permissions|length == 2
- result.ip_permissions[0].user_id_group_pairs or
result.ip_permissions[1].user_id_group_pairs
- 'result.ip_permissions_egress[0].ip_protocol == "-1"'
# ============================================================
- name: test ip rules convert port numbers from string to int (expected changed=true) (CHECK MODE)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
state: present
rules:
- proto: "tcp"
from_port: "8183"
to_port: "8183"
cidr_ip: "1.1.1.1/32"
rules_egress:
- proto: "tcp"
from_port: "8184"
to_port: "8184"
cidr_ip: "1.1.1.1/32"
check_mode: true
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
# ============================================================
- name: test ip rules convert port numbers from string to int (expected changed=true)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
state: present
rules:
- proto: "tcp"
from_port: "8183"
to_port: "8183"
cidr_ip: "1.1.1.1/32"
rules_egress:
- proto: "tcp"
from_port: "8184"
to_port: "8184"
cidr_ip: "1.1.1.1/32"
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
- 'result.group_id.startswith("sg-")'
- 'result.ip_permissions|length == 1'
- 'result.ip_permissions_egress[0].ip_protocol == "tcp"'
# ============================================================
- name: test group rules convert port numbers from string to int (expected changed=true) (CHECK MODE)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
state: present
rules:
- proto: "tcp"
from_port: "8185"
to_port: "8185"
group_id: "{{result.group_id}}"
rules_egress:
- proto: "tcp"
from_port: "8186"
to_port: "8186"
group_id: "{{result.group_id}}"
check_mode: true
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
# ============================================================
- name: test group rules convert port numbers from string to int (expected changed=true)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
state: present
rules:
- proto: "tcp"
from_port: "8185"
to_port: "8185"
group_id: "{{result.group_id}}"
rules_egress:
- proto: "tcp"
from_port: "8186"
to_port: "8186"
group_id: "{{result.group_id}}"
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
- 'result.group_id.startswith("sg-")'
# ============================================================
- name: test adding a range of ports and ports given as strings (expected changed=true) (CHECK MODE)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
state: present
# set purge_rules to false so we don't get a false positive from previously added rules
purge_rules: false
rules:
- proto: "tcp"
ports:
- 8183-8190
- '8192'
cidr_ip: 1.1.1.1/32
check_mode: true
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
# ============================================================
- name: test adding a range of ports and ports given as strings (expected changed=true)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
state: present
# set purge_rules to false so we don't get a false positive from previously added rules
purge_rules: false
rules:
- proto: "tcp"
ports:
- 8183-8190
- '8192'
cidr_ip: 1.1.1.1/32
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
- 'result.group_id.startswith("sg-")'
# ============================================================
- name: test adding a rule with a IPv4 CIDR with host bits set (expected changed=true) (CHECK MODE)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
state: present
# set purge_rules to false so we don't get a false positive from previously added rules
purge_rules: false
rules:
- proto: "tcp"
ports:
- 8195
cidr_ip: 10.0.0.1/8
check_mode: true
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
# ============================================================
- name: test adding a rule with a IPv4 CIDR with host bits set (expected changed=true)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
state: present
# set purge_rules to false so we don't get a false positive from previously added rules
purge_rules: false
rules:
- proto: "tcp"
ports:
- 8195
cidr_ip: 10.0.0.1/8
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
- 'result.group_id.startswith("sg-")'
# ============================================================
- name: test adding the same rule with a IPv4 CIDR with host bits set (expected changed=false) (CHECK MODE)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
state: present
# set purge_rules to false so we don't get a false positive from previously added rules
purge_rules: false
rules:
- proto: "tcp"
ports:
- 8195
cidr_ip: 10.0.0.1/8
check_mode: true
register: check_result
# ============================================================
- name: test adding the same rule with a IPv4 CIDR with host bits set (expected changed=false and a warning)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
state: present
# set purge_rules to false so we don't get a false positive from previously added rules
purge_rules: false
rules:
- proto: "tcp"
ports:
- 8195
cidr_ip: 10.0.0.1/8
register: result
- name: assert state=present (expected changed=false and a warning)
assert:
that:
- 'not check_result.changed'
- name: assert state=present (expected changed=false and a warning)
assert:
that:
# No way to assert for warnings?
- 'not result.changed'
- 'result.group_id.startswith("sg-")'
# ============================================================
- name: test using the default VPC
block:
- name: test adding a rule with a IPv6 CIDR with host bits set (expected changed=true) (CHECK MODE)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
state: present
# set purge_rules to false so we don't get a false positive from previously added rules
purge_rules: false
rules:
- proto: "tcp"
ports:
- 8196
cidr_ipv6: '2001:db00::1/24'
check_mode: true
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
# ============================================================
- name: test adding a rule with a IPv6 CIDR with host bits set (expected changed=true)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
state: present
# set purge_rules to false so we don't get a false positive from previously added rules
purge_rules: false
rules:
- proto: "tcp"
ports:
- 8196
cidr_ipv6: '2001:db00::1/24'
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
- 'result.group_id.startswith("sg-")'
# ============================================================
- name: test adding a rule again with a IPv6 CIDR with host bits set (expected changed=false and a warning)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
state: present
# set purge_rules to false so we don't get a false positive from previously added rules
purge_rules: false
rules:
- proto: "tcp"
ports:
- 8196
cidr_ipv6: '2001:db00::1/24'
register: result
- name: assert state=present (expected changed=false and a warning)
assert:
that:
# No way to assert for warnings?
- 'not result.changed'
- 'result.group_id.startswith("sg-")'
when: default_vpc
# ============================================================
- name: test state=absent (expected changed=true) (CHECK MODE)
ec2_group:
name: '{{ec2_group_name}}'
state: absent
<<: *aws_connection_info
check_mode: true
register: result
- name: assert state=absent (expected changed=true)
assert:
that:
- 'result.changed'
# ============================================================
- name: test state=absent (expected changed=true)
ec2_group:
name: '{{ec2_group_name}}'
state: absent
<<: *aws_connection_info
register: result
- name: assert state=absent (expected changed=true)
assert:
that:
- 'result.changed'
- 'not result.group_id'
# ============================================================
- name: create security group in the VPC (CHECK MODE)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
vpc_id: '{{ vpc_result.vpc.id }}'
state: present
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ip: "1.1.1.1/32"
check_mode: true
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
# ============================================================
- name: create security group in the VPC
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
vpc_id: '{{ vpc_result.vpc.id }}'
state: present
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ip: "1.1.1.1/32"
register: result
- name: assert state=present (expected changed=true)
assert:
that:
- 'result.changed'
- 'result.vpc_id == vpc_result.vpc.id'
- 'result.group_id.startswith("sg-")'
# ============================================================
- name: test adding tags (expected changed=true) (CHECK MODE)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
vpc_id: '{{ vpc_result.vpc.id }}'
state: present
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ip: "1.1.1.1/32"
tags:
tag1: test1
tag2: test2
check_mode: true
diff: true
register: result
- name: assert that tags were added (expected changed=true)
assert:
that:
- 'result.changed'
- 'not result.diff.0.before.tags'
- 'result.diff.0.after.tags.tag1 == "test1"'
- 'result.diff.0.after.tags.tag2 == "test2"'
# ============================================================
- name: test adding tags (expected changed=true)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
vpc_id: '{{ vpc_result.vpc.id }}'
state: present
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ip: "1.1.1.1/32"
tags:
tag1: test1
tag2: test2
register: result
- name: assert that tags were added (expected changed=true)
assert:
that:
- 'result.changed'
- 'result.tags == {"tag1": "test1", "tag2": "test2"}'
# ============================================================
- name: test that tags are present (expected changed=False) (CHECK MODE)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
vpc_id: '{{ vpc_result.vpc.id }}'
state: present
purge_rules_egress: false
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ip: "1.1.1.1/32"
tags:
tag1: test1
tag2: test2
check_mode: true
register: result
- name: assert that tags were not changed (expected changed=False)
assert:
that:
- 'not result.changed'
# ============================================================
- name: test that tags are present (expected changed=False)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
vpc_id: '{{ vpc_result.vpc.id }}'
state: present
purge_rules_egress: false
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ip: "1.1.1.1/32"
tags:
tag1: test1
tag2: test2
register: result
- name: assert that tags were not changed (expected changed=False)
assert:
that:
- 'not result.changed'
- 'result.tags == {"tag1": "test1", "tag2": "test2"}'
# ============================================================
- name: test purging tags (expected changed=True) (CHECK MODE)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
vpc_id: '{{ vpc_result.vpc.id }}'
state: present
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ip: "1.1.1.1/32"
tags:
tag1: test1
check_mode: true
register: result
- name: assert that tag2 was removed (expected changed=true)
assert:
that:
- 'result.changed'
# ============================================================
- name: test purging tags (expected changed=True)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
vpc_id: '{{ vpc_result.vpc.id }}'
state: present
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ip: "1.1.1.1/32"
tags:
tag1: test1
register: result
- name: assert that tag2 was removed (expected changed=true)
assert:
that:
- 'result.changed'
- 'result.tags == {"tag1": "test1"}'
# ============================================================
- name: assert that tags are left as-is if not specified (expected changed=False)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
vpc_id: '{{ vpc_result.vpc.id }}'
state: present
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ip: "1.1.1.1/32"
register: result
- name: assert that the tags stayed the same (expected changed=false)
assert:
that:
- 'not result.changed'
- 'result.tags == {"tag1": "test1"}'
# ============================================================
- name: test purging all tags (expected changed=True)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
vpc_id: '{{ vpc_result.vpc.id }}'
state: present
rules:
- proto: "tcp"
from_port: 8182
to_port: 8182
cidr_ip: "1.1.1.1/32"
tags: {}
register: result
- name: assert that tag1 was removed (expected changed=true)
assert:
that:
- 'result.changed'
- 'not result.tags'
# ============================================================
- name: test adding a rule and egress rule descriptions (expected changed=true) (CHECK MODE)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
vpc_id: '{{ vpc_result.vpc.id }}'
# purge the other rules so assertions work for the subsequent tests for rule descriptions
purge_rules_egress: true
purge_rules: true
state: present
rules:
- proto: "tcp"
ports:
- 8281
cidr_ipv6: 1001:d00::/24
rule_desc: ipv6 rule desc 1
rules_egress:
- proto: "tcp"
ports:
- 8282
cidr_ip: 2.2.2.2/32
rule_desc: egress rule desc 1
check_mode: true
register: result
- name: assert that rule descriptions are created (expected changed=true)
# Only assert this if rule description is defined as the botocore version may < 1.7.2.
# It's still helpful to have these tests run on older versions since it verifies backwards
# compatibility with this feature.
assert:
that:
- 'result.changed'
when: result.ip_permissions_egress[0].ip_ranges[0].description is defined
- name: if an older version of botocore is installed changes should still have changed due to purged rules (expected changed=true)
assert:
that:
- 'result.changed'
when: result.ip_permissions_egress[0].ip_ranges[0].description is undefined
# ============================================================
- name: test adding a rule and egress rule descriptions (expected changed=true)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
vpc_id: '{{ vpc_result.vpc.id }}'
# purge the other rules so assertions work for the subsequent tests for rule descriptions
purge_rules_egress: true
purge_rules: true
state: present
rules:
- proto: "tcp"
ports:
- 8281
cidr_ipv6: 1001:d00::/24
rule_desc: ipv6 rule desc 1
rules_egress:
- proto: "tcp"
ports:
- 8282
cidr_ip: 2.2.2.2/32
rule_desc: egress rule desc 1
register: result
- name: assert that rule descriptions are created (expected changed=true)
# Only assert this if rule description is defined as the botocore version may < 1.7.2.
# It's still helpful to have these tests run on older versions since it verifies backwards
# compatibility with this feature.
assert:
that:
- 'result.changed'
- 'result.ip_permissions[0].ipv6_ranges[0].description == "ipv6 rule desc 1"'
- 'result.ip_permissions_egress[0].ip_ranges[0].description == "egress rule desc 1"'
when: result.ip_permissions_egress[0].ip_ranges[0].description is defined
- name: if an older version of botocore is installed changes should still have changed due to purged rules (expected changed=true)
assert:
that:
- 'result.changed'
when: result.ip_permissions_egress[0].ip_ranges[0].description is undefined
# ============================================================
- name: test modifying rule and egress rule descriptions (expected changed=true) (CHECK MODE)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
vpc_id: '{{ vpc_result.vpc.id }}'
purge_rules_egress: false
purge_rules: false
state: present
rules:
- proto: "tcp"
ports:
- 8281
cidr_ipv6: 1001:d00::/24
rule_desc: ipv6 rule desc 2
rules_egress:
- proto: "tcp"
ports:
- 8282
cidr_ip: 2.2.2.2/32
rule_desc: egress rule desc 2
check_mode: true
register: result
- name: assert that rule descriptions were modified (expected changed=true)
# Only assert this if rule description is defined as the botocore version may < 1.7.2.
# It's still helpful to have these tests run on older versions since it verifies backwards
# compatibility with this feature.
assert:
that:
- 'result.changed'
when: result.ip_permissions_egress[0].ip_ranges[0].description is defined
- name: if an older version of botocore is installed everything should stay the same (expected changed=false)
assert:
that:
- 'not result.changed'
when: result.ip_permissions_egress[0].ip_ranges[0].description is undefined and result.ip_permissions_egress[1].ip_ranges[0].description is undefined
# ============================================================
- name: test modifying rule and egress rule descriptions (expected changed=true)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
vpc_id: '{{ vpc_result.vpc.id }}'
purge_rules_egress: false
purge_rules: false
state: present
rules:
- proto: "tcp"
ports:
- 8281
cidr_ipv6: 1001:d00::/24
rule_desc: ipv6 rule desc 2
rules_egress:
- proto: "tcp"
ports:
- 8282
cidr_ip: 2.2.2.2/32
rule_desc: egress rule desc 2
register: result
- name: assert that rule descriptions were modified (expected changed=true)
# Only assert this if rule description is defined as the botocore version may < 1.7.2.
# It's still helpful to have these tests run on older versions since it verifies backwards
# compatibility with this feature.
assert:
that:
- 'result.changed'
- 'result.ip_permissions[0].ipv6_ranges[0].description == "ipv6 rule desc 2"'
- 'result.ip_permissions_egress[0].ip_ranges[0].description == "egress rule desc 2"'
when: result.ip_permissions_egress[0].ip_ranges[0].description is defined
- name: if an older version of botocore is installed everything should stay the same (expected changed=false)
assert:
that:
- 'not result.changed'
when: result.ip_permissions_egress[0].ip_ranges[0].description is undefined
# ============================================================
- name: test creating rule in default vpc with egress rule (expected changed=true)
ec2_group:
name: '{{ec2_group_name}}-default-vpc'
description: '{{ec2_group_description}} default VPC'
<<: *aws_connection_info
purge_rules_egress: true
state: present
rules:
- proto: "tcp"
ports:
- 8281
cidr_ip: 1.1.1.1/24
rule_desc: ipv4 rule desc
rules_egress:
- proto: "tcp"
ports:
- 8282
cidr_ip: 2.2.2.2/32
rule_desc: egress rule desc 2
register: result
- name: assert that rule descriptions were modified (expected changed=true)
# Only assert this if rule description is defined as the botocore version may < 1.7.2.
# It's still helpful to have these tests run on older versions since it verifies backwards
# compatibility with this feature.
assert:
that:
- 'result.changed'
- 'result.ip_permissions_egress|length == 1'
# ============================================================
- name: test that keeping the same rule descriptions (expected changed=false) (CHECK MODE)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
vpc_id: '{{ vpc_result.vpc.id }}'
purge_rules_egress: false
purge_rules: false
state: present
rules:
- proto: "tcp"
ports:
- 8281
cidr_ipv6: 1001:d00::/24
rule_desc: ipv6 rule desc 2
rules_egress:
- proto: "tcp"
ports:
- 8282
cidr_ip: 2.2.2.2/32
rule_desc: egress rule desc 2
check_mode: true
register: result
- name: assert that rule descriptions stayed the same (expected changed=false)
# Only assert this if rule description is defined as the botocore version may < 1.7.2.
# It's still helpful to have these tests run on older versions since it verifies backwards
# compatibility with this feature.
assert:
that:
- 'not result.changed'
when: result.ip_permissions_egress[0].ip_ranges[0].description is defined
- name: if an older version of botocore is installed everything should stay the same (expected changed=false)
assert:
that:
- 'not result.changed'
when: result.ip_permissions_egress[0].ip_ranges[0].description is undefined
# ============================================================
- name: test that keeping the same rule descriptions (expected changed=false)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
vpc_id: '{{ vpc_result.vpc.id }}'
purge_rules_egress: false
purge_rules: false
state: present
rules:
- proto: "tcp"
ports:
- 8281
cidr_ipv6: 1001:d00::/24
rule_desc: ipv6 rule desc 2
rules_egress:
- proto: "tcp"
ports:
- 8282
cidr_ip: 2.2.2.2/32
rule_desc: egress rule desc 2
register: result
- name: assert that rule descriptions stayed the same (expected changed=false)
# Only assert this if rule description is defined as the botocore version may < 1.7.2.
# It's still helpful to have these tests run on older versions since it verifies backwards
# compatibility with this feature.
assert:
that:
- 'not result.changed'
- 'result.ip_permissions[0].ipv6_ranges[0].description == "ipv6 rule desc 2"'
- 'result.ip_permissions_egress[0].ip_ranges[0].description == "egress rule desc 2"'
when: result.ip_permissions_egress[0].ip_ranges[0].description is defined
- name: if an older version of botocore is installed everything should stay the same (expected changed=false)
assert:
that:
- 'not result.changed'
when: result.ip_permissions_egress[0].ip_ranges[0].description is undefined
# ============================================================
- name: test removing rule descriptions (expected changed=true) (CHECK MODE)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
vpc_id: '{{ vpc_result.vpc.id }}'
purge_rules_egress: false
purge_rules: false
state: present
rules:
- proto: "tcp"
ports:
- 8281
cidr_ipv6: 1001:d00::/24
rule_desc:
rules_egress:
- proto: "tcp"
ports:
- 8282
cidr_ip: 2.2.2.2/32
rule_desc:
check_mode: true
register: result
- name: assert that rule descriptions were removed (expected changed=true)
# Only assert this if rule description is defined as the botocore version may < 1.7.2.
# It's still helpful to have these tests run on older versions since it verifies backwards
# compatibility with this feature.
assert:
that:
- 'result.changed'
when: result.ip_permissions_egress[0].ip_ranges[0].description is defined
- name: if an older version of botocore is installed everything should stay the same (expected changed=false)
assert:
that:
- 'not result.changed'
when: result.ip_permissions_egress[0].ip_ranges[0].description is undefined
# ============================================================
- name: test removing rule descriptions (expected changed=true)
ec2_group:
name: '{{ec2_group_name}}'
description: '{{ec2_group_description}}'
<<: *aws_connection_info
vpc_id: '{{ vpc_result.vpc.id }}'
purge_rules_egress: false
purge_rules: false
state: present
rules:
- proto: "tcp"
ports:
- 8281
cidr_ipv6: 1001:d00::/24
rule_desc:
rules_egress:
- proto: "tcp"
ports:
- 8282
cidr_ip: 2.2.2.2/32
rule_desc:
register: result
ignore_errors: true
- name: assert that rule descriptions were removed (expected changed=true with newer botocore)
# Only assert this if rule description is defined as the botocore version may < 1.7.2.
# It's still helpful to have these tests run on older versions since it verifies backwards
# compatibility with this feature.
assert:
that:
- 'result.ip_permissions[0].ipv6_ranges[0].description is undefined'
- 'result.ip_permissions_egress[0].ip_ranges[0].description is undefined'
when: result is changed
- name: if an older version of botocore is installed everything should stay the same (expected changed=false)
assert:
that:
- 'not result.changed'
when: result.failed
# ============================================================
- name: test state=absent (expected changed=true)
ec2_group:
name: '{{ec2_group_name}}'
state: absent
<<: *aws_connection_info
register: result
- name: assert state=absent (expected changed=true)
assert:
that:
- 'result.changed'
- 'not result.group_id'
always:
# ============================================================
- name: tidy up security group
ec2_group:
name: '{{ec2_group_name}}'
state: absent
<<: *aws_connection_info
ignore_errors: yes
- name: tidy up security group for IPv6 EC2-Classic tests
ec2_group:
name: '{{ ec2_group_name }}-2'
state: absent
<<: *aws_connection_info
ignore_errors: yes
- name: tidy up default VPC security group
ec2_group:
name: '{{ec2_group_name}}-default-vpc'
state: absent
<<: *aws_connection_info
ignore_errors: yes
- name: tidy up automatically created SG
ec2_group:
name: "{{ resource_prefix }} - Another security group"
state: absent
<<: *aws_connection_info
ignore_errors: yes
- name: tidy up VPC
ec2_vpc_net:
name: "{{ resource_prefix }}-vpc"
state: absent
cidr_block: "10.232.232.128/26"
<<: *aws_connection_info
ignore_errors: yes