wbrawner/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Consolidate keyvault tests (#45196)

Browse source
This commit is contained in:
Zim Kalinowski 2018-09-05 17:48:27 +08:00 committed by Yunge Zhu
parent a5e2b60870
commit 0ad262e3ec
10 changed files with 137 additions and 288 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
test/integration/targets/azure_rm_keyvault/aliases
View file

@ -1,3 +1,5 @@
cloud/azure
destructive
shippable/azure/group1
azure_rm_keyvaultkey
azure_rm_keyvaultsecret

0
test/integration/targets/azure_rm_keyvaultkey/lookup_plugins/azure_service_principal_attribute.py → test/integration/targets/azure_rm_keyvault/lookup_plugins/azure_service_principal_attribute.py
View file

150
test/integration/targets/azure_rm_keyvault/tasks/main.yml
View file

@ -1,22 +1,53 @@
- name: Prepare random number
set_fact:
rpfx: "{{ resource_group | hash('md5') | truncate(7, True, '') }}{{ 1000 | random }}"
tenant_id: "{{ lookup('env','AZURE_TENANT') }}"
run_once: yes
- name: set service principal info
set_fact:
azure_client_id: "{{ lookup('env','AZURE_CLIENT_ID') }}"
azure_secret: "{{ lookup('env','AZURE_SECRET') }}"
no_log: yes
- name: lookup service principal object id
set_fact:
object_id: "{{ lookup('azure_service_principal_attribute',
azure_client_id=azure_client_id,
azure_secret=azure_secret,
azure_tenant=tenant_id) }}"
register: object_id
- name: Create instance of Key Vault -- check mode
azure_rm_keyvault:
resource_group: "{{ resource_group }}"
vault_name: "vault{{ rpfx }}"
vault_tenant: 11111111-1111-1111-1111-111122223333
enabled_for_deployment: yes
vault_tenant: "{{ tenant_id }}"
sku:
name: standard
family: A
access_policies:
- object_id: 99998888-8666-4144-9199-2d7cd0111111
- tenant_id: "{{ tenant_id }}"
object_id: "{{ object_id }}"
keys:
- get
- list
- update
- create
- import
- delete
- recover
- backup
- restore
secrets:
- get
- list
- set
- delete
- recover
- backup
- restore
check_mode: yes
register: output
- name: Assert the resource instance is well created
@ -28,36 +59,48 @@
azure_rm_keyvault:
resource_group: "{{ resource_group }}"
vault_name: "vault{{ rpfx }}"
vault_tenant: 11111111-1111-1111-1111-111122223333
enabled_for_deployment: yes
vault_tenant: "{{ tenant_id }}"
sku:
name: standard
family: A
access_policies:
- object_id: 99998888-8666-4144-9199-2d7cd0111111
keys:
- tenant_id: "{{ tenant_id }}"
object_id: "{{ object_id }}"
secrets:
- get
- list
- set
- delete
- recover
- backup
- restore
register: output
- name: Assert the resource instance is well created
assert:
that:
- output.changed
- name: Create again instance of Key Vault
- name: Create instance of Key Vault again
azure_rm_keyvault:
resource_group: "{{ resource_group }}"
vault_name: "vault{{ rpfx }}"
vault_tenant: 11111111-1111-1111-1111-111122223333
enabled_for_deployment: yes
vault_tenant: "{{ tenant_id }}"
sku:
name: standard
family: A
access_policies:
- object_id: 99998888-8666-4144-9199-2d7cd0111111
keys:
- tenant_id: "{{ tenant_id }}"
object_id: "{{ object_id }}"
secrets:
- get
- list
- set
- delete
- recover
- backup
- restore
register: output
- name: Assert the state has not changed
assert:
@ -68,20 +111,32 @@
azure_rm_keyvault:
resource_group: "{{ resource_group }}"
vault_name: "vault{{ rpfx }}"
vault_tenant: 11111111-1111-1111-1111-111122223333
enabled_for_deployment: yes
vault_tenant: "{{ tenant_id }}"
sku:
name: standard
family: A
access_policies:
- object_id: 99998888-8666-4144-9199-2d7cd0111111
certificates:
- get
- list
- object_id: 11112222-8666-4144-9199-2d7cd0111111
- tenant_id: "{{ tenant_id }}"
object_id: "{{ object_id }}"
keys:
- get
- list
- update
- create
- import
- delete
- recover
- backup
- restore
secrets:
- get
- list
- set
- delete
- recover
- backup
- restore
tags:
aaa: bbb
register: output
@ -102,6 +157,71 @@
assert:
that:
- output.response[0].tags.aaa == "bbb"
#
# azure_rm_keyvaultkey tests
#
- name: create a kevyault key
block:
- azure_rm_keyvaultkey:
keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
key_name: testkey
tags:
testing: test
delete: on-exit
register: output
- assert:
that: output.changed
rescue:
- azure_rm_keyvaultkey:
keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
state: absent
key_name: testkey
- name: delete a kevyault key
azure_rm_keyvaultkey:
keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
state: absent
key_name: testkey
register: output
- assert:
that: output.changed
#
# azure_rm_keyvaultsecret tests
#
- name: create a kevyault secret
block:
- azure_rm_keyvaultsecret:
keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
secret_name: testsecret
secret_value: 'mysecret'
tags:
testing: test
delete: on-exit
register: output
- assert:
that: output.changed
rescue:
- azure_rm_keyvaultsecret:
keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
state: absent
secret_name: testsecret
- name: delete a kevyault secret
azure_rm_keyvaultsecret:
keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
state: absent
secret_name: testsecret
register: output
- assert:
that: output.changed
#
# azure_rm_keyvault finalize & clean up
#
- name: Delete instance of Key Vault -- check mode
azure_rm_keyvault:

3
test/integration/targets/azure_rm_keyvaultkey/aliases
View file

@ -1,3 +0,0 @@
cloud/azure
shippable/azure/group1
destructive

2
test/integration/targets/azure_rm_keyvaultkey/meta/main.yml
View file

@ -1,2 +0,0 @@
dependencies:
- setup_azure

90
test/integration/targets/azure_rm_keyvaultkey/tasks/main.yml
View file

@ -1,90 +0,0 @@
- name: Prepare random number
set_fact:
rpfx: "{{ resource_group | hash('md5') | truncate(7, True, '') }}{{ 1000 | random }}"
tenant_id: "{{ lookup('env','AZURE_TENANT') }}"
run_once: yes
- name: set service principal info
set_fact:
azure_client_id: "{{ lookup('env','AZURE_CLIENT_ID') }}"
azure_secret: "{{ lookup('env','AZURE_SECRET') }}"
no_log: yes
- name: lookup service principal object id
set_fact:
object_id: "{{ lookup('azure_service_principal_attribute',
azure_client_id=azure_client_id,
azure_secret=azure_secret,
azure_tenant=tenant_id) }}"
register: object_id
- name: Create instance of Key Vault
azure_rm_keyvault:
resource_group: "{{ resource_group }}"
vault_name: "vault{{ rpfx }}"
enabled_for_deployment: yes
vault_tenant: "{{ tenant_id }}"
sku:
name: standard
family: A
access_policies:
- tenant_id: "{{ tenant_id }}"
object_id: '{{ object_id }}'
keys:
- get
- list
- update
- create
- import
- delete
- recover
- backup
- restore
- encrypt
- decrypt
- wrapkey
- unwrapkey
- sign
- verify
secrets:
- get
- list
- set
- delete
- recover
- backup
- restore
register: output
- name: create a kevyault key
block:
- azure_rm_keyvaultkey:
keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
key_name: testkey
tags:
testing: test
delete: on-exit
register: output
- assert:
that: output.changed
rescue:
- azure_rm_keyvaultkey:
keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
state: absent
key_name: testkey
- name: delete a kevyault key
azure_rm_keyvaultkey:
keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
state: absent
key_name: testkey
register: output
- assert:
that: output.changed
- name: Delete instance of Key Vault
azure_rm_keyvault:
resource_group: "{{ resource_group }}"
vault_name: "vault{{ rpfx }}"
state: absent

3
test/integration/targets/azure_rm_keyvaultsecret/aliases
View file

@ -1,3 +0,0 @@
cloud/azure
shippable/azure/group1
destructive

94
test/integration/targets/azure_rm_keyvaultsecret/lookup_plugins/azure_service_principal_attribute.py
View file

@ -1,94 +0,0 @@
# (c) 2018 Yunge Zhu, <yungez@microsoft.com>
# (c) 2017 Ansible Project
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
DOCUMENTATION = """
lookup: azure_service_principal_attribute
requirements:
- azure-graphrbac
author:
- Yunge Zhu <yungez@microsoft.com>
version_added: "2.7"
short_description: Look up Azure service principal attributes.
description:
- Describes object id of your Azure service principal account.
options:
azure_client_id:
description: azure service principal client id.
azure_secret:
description: azure service principal secret
azure_tenant:
description: azure tenant
azure_cloud_environment:
description: azure cloud environment
"""
EXAMPLES = """
set_fact:
object_id: "{{ lookup('azure_service_principal_attribute',
azure_client_id=azure_client_id,
azure_secret=azure_secret,
azure_tenant=azure_secret) }}"
"""
RETURN = """
_raw:
description:
Returns object id of service principal.
"""
from ansible.errors import AnsibleError
from ansible.plugins import AnsiblePlugin
from ansible.plugins.lookup import LookupBase
from ansible.module_utils._text import to_native
try:
from azure.common.credentials import ServicePrincipalCredentials
from azure.graphrbac import GraphRbacManagementClient
from msrestazure import azure_cloud
from msrestazure.azure_exceptions import CloudError
except ImportError:
raise AnsibleError(
"The lookup azure_service_principal_attribute requires azure.graphrbac, msrest")
class LookupModule(LookupBase):
def run(self, terms, variables, **kwargs):
self.set_options(direct=kwargs)
credentials = {}
credentials['azure_client_id'] = self.get_option('azure_client_id', None)
credentials['azure_secret'] = self.get_option('azure_secret', None)
credentials['azure_tenant'] = self.get_option('azure_tenant', 'common')
if credentials['azure_client_id'] is None or credentials['azure_secret'] is None:
raise AnsibleError("Must specify azure_client_id and azure_secret")
_cloud_environment = azure_cloud.AZURE_PUBLIC_CLOUD
if self.get_option('azure_cloud_environment', None) is not None:
cloud_environment = azure_cloud.get_cloud_from_metadata_endpoint(credentials['azure_cloud_environment'])
try:
azure_credentials = ServicePrincipalCredentials(client_id=credentials['azure_client_id'],
secret=credentials['azure_secret'],
tenant=credentials['azure_tenant'],
resource=_cloud_environment.endpoints.active_directory_graph_resource_id)
client = GraphRbacManagementClient(azure_credentials, credentials['azure_tenant'],
base_url=_cloud_environment.endpoints.active_directory_graph_resource_id)
response = list(client.service_principals.list(filter="appId eq '{0}'".format(credentials['azure_client_id'])))
sp = response[0]
return sp.object_id.split(',')
except CloudError as ex:
raise AnsibleError("Failed to get service principal object id: %s" % to_native(ex))
return False

2
test/integration/targets/azure_rm_keyvaultsecret/meta/main.yml
View file

@ -1,2 +0,0 @@
dependencies:
- setup_azure

79
test/integration/targets/azure_rm_keyvaultsecret/tasks/main.yml
View file

@ -1,79 +0,0 @@
- name: Prepare random number
set_fact:
rpfx: "{{ resource_group | hash('md5') | truncate(7, True, '') }}{{ 1000 | random }}"
tenant_id: "{{ lookup('env','AZURE_TENANT') }}"
run_once: yes
- name: set service principal info
set_fact:
azure_client_id: "{{ lookup('env','AZURE_CLIENT_ID') }}"
azure_secret: "{{ lookup('env','AZURE_SECRET') }}"
no_log: yes
- name: lookup service principal object id
set_fact:
object_id: "{{ lookup('azure_service_principal_attribute',
azure_client_id=azure_client_id,
azure_secret=azure_secret,
azure_tenant=tenant_id) }}"
register: object_id
- name: Create instance of Key Vault
azure_rm_keyvault:
resource_group: "{{ resource_group }}"
vault_name: "vault{{ rpfx }}"
enabled_for_deployment: yes
vault_tenant: "{{ tenant_id }}"
sku:
name: standard
family: A
access_policies:
- tenant_id: "{{ tenant_id }}"
object_id: "{{ object_id }}"
keys:
- get
- list
- update
- create
- import
- delete
- recover
- backup
- restore
secrets:
- get
- list
- set
- delete
- recover
- backup
- restore
register: output
- name: create a kevyault secret
block:
- azure_rm_keyvaultsecret:
keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
secret_name: testsecret
secret_value: 'mysecret'
tags:
testing: test
delete: on-exit
register: output
- assert:
that: output.changed
rescue:
- azure_rm_keyvaultsecret:
keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
state: absent
secret_name: testsecret
- name: delete a kevyault secret
azure_rm_keyvaultsecret:
keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
state: absent
secret_name: testsecret
register: output
- assert:
that: output.changed