From 003c26de04d9d602a1c1d646011ec3783be4b85d Mon Sep 17 00:00:00 2001
From: Jill R <4121322+jillr@users.noreply.github.com>
Date: Wed, 30 Oct 2019 06:37:33 -0700
Subject: [PATCH] iam_user Additional integration tests (#63768)
* Add tests that were originally part of pr59079 before being lost in a rebase
* missed a needed check_mode: yes and a test with a wrong group
* Clarify test name, fix resource, add user delete test
* Use AWSDenyAll for benign policy, chech policy with non-full ARN path works, fix wrong module copy-pasta
---
 .../targets/iam_user/tasks/main.yml | 256 +++++++++++++++++-
 1 file changed, 254 insertions(+), 2 deletions(-)
diff --git a/test/integration/targets/iam_user/tasks/main.yml b/test/integration/targets/iam_user/tasks/main.yml
index 87359b761f..e5b9a21e84 100644
--- a/test/integration/targets/iam_user/tasks/main.yml
+++ b/test/integration/targets/iam_user/tasks/main.yml
@@ -7,7 +7,6 @@
 security_token: "{{ security_token | default(omit) }}"
 region: "{{ aws_region }}"
 block:
-
 - name: ensure improper usage of parameters fails gracefully
 iam_user_info:
 path: '{{ test_path }}'
@@ -51,12 +50,40 @@
 - iam_user_info is failed
 - '"path" in iam_user_info.msg'
- - name: ensure ansible user exists
+ - name: create test user (check mode)
+ iam_user:
+ name: '{{ test_user }}'
+ state: present
+ check_mode: yes
+ register: iam_user
+
+ - name: assert that the user would be created
+ assert:
+ that:
+ - iam_user is changed
+
+ - name: create test user
 iam_user:
 name: '{{ test_user }}'
 state: present
 register: iam_user
+
+ - name: assert that the user is created
+ assert:
+ that:
+ - iam_user is changed
+
+ - name: ensure test user exists (no change)
+ iam_user:
+ name: '{{ test_user }}'
+ state: present
+ register: iam_user
+
+ - name: assert that the user wasn't changed
+ assert:
+ that:
+ - iam_user is not changed
+
 - name: ensure the info used to validate other tests is valid
 set_fact:
 test_iam_user: '{{ iam_user.iam_user.user }}'
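Review bot: The "create test user (check mode)" task only asserts `iam_user is changed`, so the fact that check mode did not really create the user is proven only indirectly, by the following "create test user" task also asserting `changed`; that dependency should be written down so a later reorder of the tasks does not silently weaken the test. A comment above the real create such as `# a real change here also proves the check-mode run above created nothing` would do. The enclosing `block:` starts outside the hunk.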
@@ -104,6 +131,170 @@
 - iam_user_info.iam_users[0].user_id == test_iam_user.user_id
 - iam_user_info.iam_users[0].user_name == test_iam_user.user_name
+ # ===========================================
+ # Test Managed Policy management
+ #
+ # Use a couple of benign policies for testing:
+ # - AWSDenyAll
+ # - ServiceQuotasReadOnlyAccess
+ #
+ - name: attach managed policy to user (check mode)
+ check_mode: yes
+ iam_user:
+ name: '{{ test_user }}'
+ state: present
+ managed_policy:
+ - arn:aws:iam::aws:policy/AWSDenyAll
+ register: iam_user
+
+ - name: assert that the user is changed
+ assert:
+ that:
+ - iam_user is changed
+
+ - name: attach managed policy to user
+ iam_user:
+ name: '{{ test_user }}'
+ state: present
+ managed_policy:
+ - arn:aws:iam::aws:policy/AWSDenyAll
+ register: iam_user
+
+ - name: assert that the user is changed
+ assert:
+ that:
+ - iam_user is changed
+
+ - name: ensure managed policy is attached to user (no change)
+ iam_user:
+ name: '{{ test_user }}'
+ state: present
+ managed_policy:
+ - arn:aws:iam::aws:policy/AWSDenyAll
+ register: iam_user
+
+ - name: assert that the user hasn't changed
+ assert:
+ that:
+ - iam_user is not changed
+
+ - name: attach different managed policy to user (check mode)
+ check_mode: yes
+ iam_user:
+ name: '{{ test_user }}'
+ state: present
+ managed_policy:
+ - arn:aws:iam::aws:policy/ServiceQuotasReadOnlyAccess
+ purge_policy: no
+ register: iam_user
+
+ - name: assert that the user changed
+ assert:
+ that:
+ - iam_user is changed
+
+ - name: attach different managed policy to user
+ iam_user:
+ name: '{{ test_user }}'
+ state: present
+ managed_policy:
+ - arn:aws:iam::aws:policy/ServiceQuotasReadOnlyAccess
+ purge_policy: no
+ register: iam_user
+
+ - name: assert that the user changed
+ assert:
+ that:
+ - iam_user is changed
+
+ - name: Check first policy wasn't purged
+ iam_user:
+ name: '{{ test_user }}'
+ state: present
+ managed_policy:
+ - arn:aws:iam::aws:policy/ServiceQuotasReadOnlyAccess
+ - arn:aws:iam::aws:policy/AWSDenyAll
+ purge_policy: no
+ register: iam_user
+
+ - name: assert that the user hasn't changed
+ assert:
+ that:
+ - iam_user is not changed
+
+ - name: Check that managed policy order doesn't matter
+ iam_user:
+ name: '{{ test_user }}'
+ state: present
+ managed_policy:
+ - arn:aws:iam::aws:policy/AWSDenyAll
+ - arn:aws:iam::aws:policy/ServiceQuotasReadOnlyAccess
+ purge_policy: no
+ register: iam_user
+
+ - name: assert that the user hasn't changed
+ assert:
+ that:
+ - iam_user is not changed
+
+ - name: Check that policy doesn't require full ARN path
+ iam_user:
+ name: '{{ test_user }}'
+ state: present
+ managed_policy:
+ - AWSDenyAll
+ - arn:aws:iam::aws:policy/ServiceQuotasReadOnlyAccess
+ purge_policy: no
+ register: iam_user
+
+ - name: assert that the user hasn't changed
+ assert:
+ that:
+ - iam_user is not changed
+
+ - name: Remove one of the managed policies - with purge (check mode)
+ check_mode: yes
+ iam_user:
+ name: '{{ test_user }}'
+ state: present
+ managed_policy:
+ - arn:aws:iam::aws:policy/ServiceQuotasReadOnlyAccess
+ purge_policy: yes
+ register: iam_user
+
+ - name: assert that the user changed
+ assert:
+ that:
+ - iam_user is changed
+
+ - name: Remove one of the managed policies - with purge
+ iam_user:
+ name: '{{ test_user }}'
+ state: present
+ managed_policy:
+ - arn:aws:iam::aws:policy/ServiceQuotasReadOnlyAccess
+ purge_policy: yes
+ register: iam_user
+
+ - name: assert that the user changed
+ assert:
+ that:
+ - iam_user is changed
+
+ - name: Check we only have the one policy attached
+ iam_user:
+ name: '{{ test_user }}'
+ state: present
+ managed_policy:
+ - arn:aws:iam::aws:policy/ServiceQuotasReadOnlyAccess
+ purge_policy: yes
+ register: iam_user
+
+ - name: assert that the user changed
+ assert:
+ that:
+ - iam_user is not changed
+
 - name: ensure group exists
 iam_group:
 name: '{{ test_group }}'
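Review bot: The last assert in the hunk, after "Check we only have the one policy attached", is named "assert that the user changed" but asserts `iam_user is not changed`, so a failure would read backwards; rename it `- name: assert that the user hasn't changed` (the earlier asserts also alternate between "hasn't changed" and "wasn't changed" for the same condition). More substantively, every policy test here verifies attachment, purge and the short-name lookup only through the module's own `changed` reporting, never by reading the attached policies back, so a change-detection bug in `iam_user` would pass both the "changed" and "not changed" assertions together. If the module's return value or `iam_user_info` exposes the attached policies (I can't confirm that from this hunk), one assertion on that list after the purge step would make the "only one policy attached" check real. The enclosing `block:` starts outside the hunk.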
@@ -112,11 +303,17 @@
 state: present
 register: iam_group
+ - assert:
+ that:
+ - iam_group.changed
+ - iam_group.iam_group.users
+
 - name: get info on IAM user(s) in group
 iam_user_info:
 group: '{{ test_group }}'
 name: '{{ test_user }}'
 register: iam_user_info
+
 - assert:
 that:
 - iam_user_info.iam_users | length == 1
@@ -215,14 +412,69 @@
 that:
 - iam_user_info.iam_users | length == 0
+ - name: remove group
+ iam_group:
+ name: '{{ test_group }}'
+ state: absent
+ register: iam_group
+
+ - name: assert that group was removed
+ assert:
+ that:
+ - iam_group.changed
+ - iam_group
+
+ - name: Test remove group again (idempotency)
+ iam_group:
+ name: "{{ test_group }}"
+ state: absent
+ register: iam_group
+
+ - name: assert that group remove is not changed
+ assert:
+ that:
+ - not iam_group.changed
+
+ - name: Remove user with attached policy
+ iam_user:
+ name: "{{ test_user }}"
+ state: absent
+ register: iam_user
+
+ - name: get info on IAM user(s) after deleting
+ iam_user_info:
+ group: '{{ test_user }}'
+ ignore_errors: yes
+ register: iam_user_info
+
+ - name: Assert user was removed
+ assert:
+ that:
+ - iam_user.changed
+ - "'cannot be found' in iam_user_info.msg"
+
+ - name: Remove user with attached policy (idempotent)
+ iam_user:
+ name: "{{ test_user }}"
+ state: absent
+ ignore_errors: yes
+ register: iam_user
+
+ - name: Assert user was removed
+ assert:
+ that:
+ - not iam_user.changed
+
 always:
 - name: remove group
 iam_group:
 name: '{{ test_group }}'
 state: absent
+ ignore_errors: yes
 - name: remove ansible users
 iam_user:
 name: '{{ item }}'
 state: absent
 with_items: '{{ test_users }}'
+ ignore_errors: yes
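Review bot: The new assert after "ensure group exists" has no `name:`, unlike every other assert added in this commit, so a failure is reported as an anonymous task; `- name: assert that the group was created with the user` would match the rest of the file. Asserting `iam_group.changed` there also makes the test depend on a clean account: if a previous run's cleanup failed (which the `always:` block now tolerates with `ignore_errors`), the group already exists, `changed` is false and this assert fails for a reason unrelated to the code under test — I'd either drop that line or note the assumption in a comment. The task being asserted on starts outside the hunk.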
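Review bot: "get info on IAM user(s) after deleting" passes the user name as the `group:` parameter of `iam_user_info`, so the `'cannot be found'` message presumably comes from looking up a group that never existed, not from the deleted user, and "Assert user was removed" would pass even if the deletion had silently failed. The lookup should be `name: "{{ test_user }}"` with the assertion on the result, e.g. `- iam_user_info.iam_users | length == 0`, as the context line at the top of this hunk already does for a name lookup (I can't confirm from here that the module returns an empty list rather than failing for a missing user, so keep `ignore_errors` only if it does fail). In the idempotent removal, `ignore_errors: yes` combined with `not iam_user.changed` means a module error on the second `state: absent` also satisfies the assert, masking a non-idempotent delete; add `- iam_user is not failed` or drop `ignore_errors` there. The `- iam_group` line in "assert that group was removed" is always true for a registered result and can be removed, and the second "Assert user was removed" task should get a distinct name such as "Assert user removal is idempotent".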