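---
# tasks file for sts_assume_role
#
# Flow: look up the caller's AWS account id with a throwaway boto3 script,
# create an IAM role whose trust policy comes from policy.json.j2 and which
# carries only the IAMReadOnlyAccess managed policy, drive the sts_assume_role
# module through its argument-validation and error paths, then assume the role
# for real and confirm the temporary credentials are limited to read-only IAM
# actions. The role is removed in `always`, so a failed assertion does not
# leave it behind.
#
# Several negative cases are asserted twice: once against `result.msg` and once
# against `result.module_stderr`, selected by `when`. The comments at the end
# of the file attribute that split to Python 2 vs Python 3 module execution;
# the other pairs appear to follow the same pattern.
- block:
    # ============================================================
    # TODO create simple ansible sts_get_caller_identity module
    # The helper script reads the test credentials from the environment set on
    # the task that runs it and prints only the account id.
    - blockinfile:
        path: "{{ output_dir }}/sts.py"
        create: true
        block: |
          #!/usr/bin/env python
          import boto3
          sts = boto3.client('sts')
          response = sts.get_caller_identity()
          print(response['Account'])
    - name: get the aws account id
      command: python "{{ output_dir }}/sts.py"
      environment:
        AWS_ACCESS_KEY_ID: "{{ aws_access_key }}"
        AWS_SECRET_ACCESS_KEY: "{{ aws_secret_key }}"
        AWS_SESSION_TOKEN: "{{ security_token }}"
      register: result
    - name: register account id
      set_fact:
        # strip the trailing newline from the script's stdout; presumably
        # consumed by policy.json.j2, which is not visible here
        aws_account: "{{ result.stdout | replace('\n', '') }}"
    # ============================================================
    - name: create test iam role
      iam_role:
        aws_access_key: "{{ aws_access_key }}"
        aws_secret_key: "{{ aws_secret_key }}"
        security_token: "{{ security_token }}"
        name: "ansible-test-sts-{{ resource_prefix }}"
        assume_role_policy_document: "{{ lookup('template','policy.json.j2') }}"
        create_instance_profile: false
        # read-only IAM is the only permission the assumed role should have;
        # the final tests depend on this being the complete permission set
        managed_policy:
          - "arn:aws:iam::aws:policy/IAMReadOnlyAccess"
        state: present
      register: test_role
    # ============================================================
    # give the newly created role time to become visible to STS
    - name: pause to ensure role exists before using
      pause:
        seconds: 30
    # ============================================================
    - name: test with no parameters
      sts_assume_role:
      register: result
      ignore_errors: true
    - name: assert with no parameters
      assert:
        that:
          - 'result.failed'
          - "'missing required arguments:' in result.msg"
    # ============================================================
    - name: test with empty parameters
      sts_assume_role:
        aws_access_key: "{{ aws_access_key }}"
        aws_secret_key: "{{ aws_secret_key }}"
        security_token: "{{ security_token }}"
        region: "{{ aws_region }}"
        # every module argument deliberately null
        role_arn: null
        role_session_name: null
        policy: null
        duration_seconds: null
        external_id: null
        mfa_token: null
        mfa_serial_number: null
      register: result
      ignore_errors: true
    - name: assert with empty parameters
      assert:
        that:
          - 'result.failed'
          - "'Missing required parameter in input:' in result.msg"
      when: result.module_stderr is not defined
    - name: assert with empty parameters
      assert:
        that:
          - 'result.failed'
          - "'Member must have length greater than or equal to 20' in result.module_stderr"
      when: result.module_stderr is defined
    # ============================================================
    - name: test with only 'role_arn' parameter
      sts_assume_role:
        aws_access_key: "{{ aws_access_key }}"
        aws_secret_key: "{{ aws_secret_key }}"
        security_token: "{{ security_token }}"
        role_arn: "{{ test_role.iam_role.arn }}"
      register: result
      ignore_errors: true
    - name: assert with only 'role_arn' parameter
      assert:
        that:
          - 'result.failed'
          - "'missing required arguments: role_session_name' in result.msg"
    # ============================================================
    - name: test with only 'role_session_name' parameter
      sts_assume_role:
        aws_access_key: "{{ aws_access_key }}"
        aws_secret_key: "{{ aws_secret_key }}"
        security_token: "{{ security_token }}"
        role_session_name: "AnsibleTest"
      register: result
      ignore_errors: true
    - name: assert with only 'role_session_name' parameter
      assert:
        that:
          - 'result.failed'
          - "'missing required arguments: role_arn' in result.msg"
    # ============================================================
    - name: test assume role with invalid policy
      sts_assume_role:
        aws_access_key: "{{ aws_access_key }}"
        aws_secret_key: "{{ aws_secret_key }}"
        security_token: "{{ security_token }}"
        region: "{{ aws_region }}"
        role_arn: "{{ test_role.iam_role.arn }}"
        role_session_name: "AnsibleTest"
        # a session policy must be a JSON document; this is rejected server-side
        policy: "invalid policy"
      register: result
      ignore_errors: true
    - name: assert assume role with invalid policy
      assert:
        that:
          - 'result.failed'
          - "'The policy is not in the valid JSON format.' in result.msg"
      when: result.module_stderr is not defined
    - name: assert assume role with invalid policy
      assert:
        that:
          - 'result.failed'
          - "'The policy is not in the valid JSON format.' in result.module_stderr"
      when: result.module_stderr is defined
    # ============================================================
    - name: test assume role with invalid duration seconds
      sts_assume_role:
        aws_access_key: "{{ aws_access_key }}"
        aws_secret_key: "{{ aws_secret_key }}"
        security_token: "{{ security_token }}"
        region: "{{ aws_region }}"
        role_arn: "{{ test_role.iam_role.arn }}"
        role_session_name: AnsibleTest
        # rejected by the module's int conversion before any API call
        duration_seconds: invalid duration
      register: result
      ignore_errors: true
    - name: assert assume role with invalid duration seconds
      assert:
        that:
          - 'result.failed'
          - "'unable to convert to int: invalid literal for int()' in result.msg"
    # ============================================================
    - name: test assume role with invalid external id
      sts_assume_role:
        aws_access_key: "{{ aws_access_key }}"
        aws_secret_key: "{{ aws_secret_key }}"
        security_token: "{{ security_token }}"
        region: "{{ aws_region }}"
        role_arn: "{{ test_role.iam_role.arn }}"
        role_session_name: AnsibleTest
        external_id: invalid external id
      register: result
      ignore_errors: true
    - name: assert assume role with invalid external id
      assert:
        that:
          - 'result.failed'
          - "'Member must satisfy regular expression pattern:' in result.msg"
      when: result.module_stderr is not defined
    - name: assert assume role with invalid external id
      assert:
        that:
          - 'result.failed'
          - "'Member must satisfy regular expression pattern:' in result.module_stderr"
      when: result.module_stderr is defined
    # ============================================================
    - name: test assume role with invalid mfa serial number
      sts_assume_role:
        aws_access_key: "{{ aws_access_key }}"
        aws_secret_key: "{{ aws_secret_key }}"
        security_token: "{{ security_token }}"
        region: "{{ aws_region }}"
        role_arn: "{{ test_role.iam_role.arn }}"
        role_session_name: AnsibleTest
        mfa_serial_number: invalid serial number
      register: result
      ignore_errors: true
    - name: assert assume role with invalid mfa serial number
      assert:
        that:
          - 'result.failed'
          - "'Member must satisfy regular expression pattern:' in result.msg"
      when: result.module_stderr is not defined
    - name: assert assume role with invalid mfa serial number
      assert:
        that:
          - 'result.failed'
          - "'Member must satisfy regular expression pattern:' in result.module_stderr"
      when: result.module_stderr is defined
    # ============================================================
    - name: test assume role with invalid mfa token code
      sts_assume_role:
        aws_access_key: "{{ aws_access_key }}"
        aws_secret_key: "{{ aws_secret_key }}"
        security_token: "{{ security_token }}"
        region: "{{ aws_region }}"
        role_arn: "{{ test_role.iam_role.arn }}"
        role_session_name: AnsibleTest
        mfa_token: invalid token code
      register: result
      ignore_errors: true
    - name: assert assume role with invalid mfa token code
      assert:
        that:
          - 'result.failed'
          - "'Member must satisfy regular expression pattern:' in result.msg"
      when: result.module_stderr is not defined
    - name: assert assume role with invalid mfa token code
      assert:
        that:
          - 'result.failed'
          - "'Member must satisfy regular expression pattern:' in result.module_stderr"
      when: result.module_stderr is defined
    # ============================================================
    - name: test assume role with invalid role_arn
      sts_assume_role:
        aws_access_key: "{{ aws_access_key }}"
        aws_secret_key: "{{ aws_secret_key }}"
        security_token: "{{ security_token }}"
        region: "{{ aws_region }}"
        role_arn: invalid role arn
        role_session_name: AnsibleTest
      register: result
      ignore_errors: true
    - name: assert assume role with invalid role_arn
      assert:
        that:
          - 'result.failed'
          - "'Invalid length for parameter RoleArn' in result.msg"
      when: result.module_stderr is not defined
    - name: assert assume role with invalid role_arn
      assert:
        that:
          - 'result.failed'
          - "'Member must have length greater than or equal to 20' in result.module_stderr"
      when: result.module_stderr is defined
    # ============================================================
    # a well-formed ARN for a role that does not exist: STS answers with an
    # access-denied error rather than a not-found error, which is what is
    # asserted below
    - name: test assume not existing sts role
      sts_assume_role:
        aws_access_key: "{{ aws_access_key }}"
        aws_secret_key: "{{ aws_secret_key }}"
        security_token: "{{ security_token }}"
        region: "{{ aws_region }}"
        role_arn: "arn:aws:iam::123456789:role/non-existing-role"
        role_session_name: "AnsibleTest"
      register: result
      ignore_errors: true
    - name: assert assume not existing sts role
      assert:
        that:
          - 'result.failed'
          - "'Access denied' in result.msg"
      when: result.module_stderr is not defined
    - name: assert assume not existing sts role
      assert:
        that:
          - 'result.failed'
          - "'Access denied' in result.module_stderr"
      when: result.module_stderr is defined
    # ============================================================
    # NOTE(review): `assumed_role.sts_creds` holds live temporary credentials
    # that the following tasks use; unless the module marks them no_log they
    # will appear in verbose task output — confirm, or add `no_log: true` here.
    - name: test assume role
      sts_assume_role:
        aws_access_key: "{{ aws_access_key }}"
        aws_secret_key: "{{ aws_secret_key }}"
        security_token: "{{ security_token }}"
        region: "{{ aws_region }}"
        role_arn: "{{ test_role.iam_role.arn }}"
        role_session_name: AnsibleTest
      register: assumed_role
    - name: assert assume role
      assert:
        that:
          - 'not assumed_role.failed'
          - "'sts_creds' in assumed_role"
          - "'access_key' in assumed_role.sts_creds"
          - "'secret_key' in assumed_role.sts_creds"
          - "'session_token' in assumed_role.sts_creds"
    # ============================================================
    # re-applying the existing role with the assumed credentials only needs
    # read access, so it must succeed without changing anything
    - name: test that assumed credentials have IAM read-only access
      iam_role:
        aws_access_key: "{{ assumed_role.sts_creds.access_key }}"
        aws_secret_key: "{{ assumed_role.sts_creds.secret_key }}"
        security_token: "{{ assumed_role.sts_creds.session_token }}"
        region: "{{ aws_region }}"
        name: "ansible-test-sts-{{ resource_prefix }}"
        assume_role_policy_document: "{{ lookup('template','policy.json.j2') }}"
        create_instance_profile: false
        state: present
      register: result
    - name: assert assumed role with privileged action (expect changed=false)
      assert:
        that:
          - 'not result.failed'
          - 'not result.changed'
          - "'iam_role' in result"
    # ============================================================
    # creating a new role needs iam:CreateRole, which IAMReadOnlyAccess does
    # not grant; this is the check that the assumed credentials are bounded
    - name: test assumed role with unprivileged action
      iam_role:
        aws_access_key: "{{ assumed_role.sts_creds.access_key }}"
        aws_secret_key: "{{ assumed_role.sts_creds.secret_key }}"
        security_token: "{{ assumed_role.sts_creds.session_token }}"
        region: "{{ aws_region }}"
        name: "ansible-test-sts-{{ resource_prefix }}-new"
        assume_role_policy_document: "{{ lookup('template','policy.json.j2') }}"
        state: present
      register: result
      ignore_errors: true
    - name: assert assumed role with unprivileged action (expect changed=false)
      assert:
        that:
          - 'result.failed'
          - "'is not authorized to perform: iam:CreateRole' in result.msg"
      # runs on Python2
      when: result.module_stderr is not defined
    - name: assert assumed role with unprivileged action (expect changed=false)
      assert:
        that:
          - 'result.failed'
          - "'is not authorized to perform: iam:CreateRole' in result.module_stderr"
      # runs on Python3
      when: result.module_stderr is defined
    # ============================================================
  always:
    # clean up with the original (non-assumed) test credentials, which are the
    # only ones allowed to delete the role
    - name: delete test iam role
      iam_role:
        aws_access_key: "{{ aws_access_key }}"
        aws_secret_key: "{{ aws_secret_key }}"
        security_token: "{{ security_token }}"
        name: "ansible-test-sts-{{ resource_prefix }}"
        assume_role_policy_document: "{{ lookup('template','policy.json.j2') }}"
        managed_policy:
          - "arn:aws:iam::aws:policy/IAMReadOnlyAccess"
        state: absent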