Fix EC2 test suite to work with testing policies (#44387)
* Update testing policies to ensure all required permissions are present * Tidy up security policies to reduce duplicate permissions * Make roles static so that they can be present before CI is run, meaning that role creation permission is not required by the CI itself, only by someone setting up the roles prior to testing * Move contents of cloudfront policy to network policy to ensure policy count (maximum of 10) stays low * Maintain compute policy below 6144 bytes
parent
6cf722fed6
commit
60fb9fc208
14 changed files with 125 additions and 157 deletions
|
@ -52,3 +52,4 @@
|
|||
state: present
|
||||
managed_policy: "{{ iam_managed_policies | json_query('results[].policy.policy_name') }}"
|
||||
profile: "{{ profile|default(omit) }}"
|
||||
purge_policy: yes
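Review bot: `purge_policy: yes` is a YAML 1.1 boolean spelling; Ansible accepts it, but yamllint's truthy rule and YAML 1.2 parsers do not read it as a boolean, so `purge_policy: true` is the safer form (the same applies to `no_log: True`/`ignore_errors: yes` in the new version_fail.yml and `virtualenv_site_packages: no` in tasks/main.yml). Because this role is now meant to be long-lived and created by hand before CI runs, a comment above the task would help the person setting it up: `# purge_policy detaches any managed policy attached to the role outside this playbook`. The task this hunk belongs to starts outside the hunk, so I cannot see which module it calls.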
|
||||
|
|
|
@ -1,29 +0,0 @@
|
|||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Sid": "AllowCloudfrontUsage",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"cloudfront:CreateDistribution",
|
||||
"cloudfront:CreateDistributionWithTags",
|
||||
"cloudfront:CreateCloudFrontOriginAccessIdentity",
|
||||
"cloudfront:DeleteDistribution",
|
||||
"cloudfront:GetDistribution",
|
||||
"cloudfront:GetStreamingDistribution",
|
||||
"cloudfront:GetDistributionConfig",
|
||||
"cloudfront:GetStreamingDistributionConfig",
|
||||
"cloudfront:GetInvalidation",
|
||||
"cloudfront:ListDistributions",
|
||||
"cloudfront:ListDistributionsByWebACLId",
|
||||
"cloudfront:ListInvalidations",
|
||||
"cloudfront:ListStreamingDistributions",
|
||||
"cloudfront:ListTagsForResource",
|
||||
"cloudfront:TagResource",
|
||||
"cloudfront:UntagResource",
|
||||
"cloudfront:UpdateDistribution"
|
||||
],
|
||||
"Resource": "*"
|
||||
}
|
||||
]
|
||||
}
|
|
@ -43,6 +43,7 @@
|
|||
"ec2:AssociateSubnetCidrBlock",
|
||||
"ec2:AttachInternetGateway",
|
||||
"ec2:AttachNetworkInterface",
|
||||
"ec2:AttachVolume",
|
||||
"ec2:AttachVpnGateway",
|
||||
"ec2:CreateCustomerGateway",
|
||||
"ec2:CreateDhcpOptions",
|
||||
|
@ -50,6 +51,7 @@
|
|||
"ec2:CreateInternetGateway",
|
||||
"ec2:CreateKeyPair",
|
||||
"ec2:CreateNatGateway",
|
||||
"ec2:CreateNetworkInterface",
|
||||
"ec2:CreateRoute",
|
||||
"ec2:CreateRouteTable",
|
||||
"ec2:CreateSecurityGroup",
|
||||
|
@ -64,6 +66,7 @@
|
|||
"ec2:DeleteInternetGateway",
|
||||
"ec2:DeleteKeyPair",
|
||||
"ec2:DeleteNatGateway",
|
||||
"ec2:DeleteNetworkInterface",
|
||||
"ec2:DeleteRoute",
|
||||
"ec2:DeleteRouteTable",
|
||||
"ec2:DeleteSnapshot",
|
||||
|
@ -87,6 +90,7 @@
|
|||
"ec2:RegisterImage",
|
||||
"ec2:ReleaseAddress",
|
||||
"ec2:ReplaceRouteTableAssociation",
|
||||
"ec2:ReplaceIamInstanceProfileAssociation",
|
||||
"ec2:ReportInstanceStatus"
|
||||
],
|
||||
"Resource": "*"
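Review bot: If `ec2:ReplaceIamInstanceProfileAssociation` is the line this hunk adds (the rendered page has dropped the +/- markers, so I am inferring from the four one-line hunks at @ -43, @ -50, @ -64 and @ -87), note that it sits under `"Resource": "*"`, so the test principal may swap the instance profile on any instance in the account, not only `ansible-test-*` instances; the effective limit is then only the role list that `iam:PassRole` is scoped to elsewhere in this policy set. If the 6144-byte budget allows, a separate statement scoping that one action with an `ec2:ResourceTag/<tag-key>` condition (placeholder key) would keep it to tagged test instances. The statement's opening lines are outside these hunks.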
|
||||
|
@ -135,10 +139,7 @@
|
|||
"elasticloadbalancing:DeleteTargetGroup",
|
||||
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
|
||||
"elasticloadbalancing:DescribeInstanceHealth",
|
||||
"elasticloadbalancing:DescribeLoadBalancerAttributes",
|
||||
"elasticloadbalancing:DescribeLoadBalancerPolicies",
|
||||
"elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
|
||||
"elasticloadbalancing:DescribeLoadBalancers",
|
||||
"elasticloadbalancing:DescribeLoadBalancer*",
|
||||
"elasticloadbalancing:DescribeTags",
|
||||
"elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer",
|
||||
"elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
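Review bot: `elasticloadbalancing:DescribeLoadBalancer*` replaces four explicit Describe actions and will also match any action AWS later adds under that prefix; the same consolidation is done with `lambda:List*` in the hunk at @ -177 and the matching removals of `lambda:ListAliases`/`lambda:ListVersionsByFunction` at @ -199. Every action these wildcards currently match is read-only, so this is an acceptable way to stay under the size limit the description mentions, but it is the kind of line a future reader will question, and IAM JSON has no comment syntax. A short README note next to the policy files stating that wildcards are used only for read-only Describe/List/Get families would record the intent.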
|
||||
|
@ -177,9 +178,7 @@
|
|||
"lambda:CreateEventSourceMapping",
|
||||
"lambda:GetAccountSettings",
|
||||
"lambda:GetEventSourceMapping",
|
||||
"lambda:ListEventSourceMappings",
|
||||
"lambda:ListFunctions",
|
||||
"lambda:ListTags",
|
||||
"lambda:List*",
|
||||
"lambda:TagResource",
|
||||
"lambda:UntagResource"
|
||||
],
|
||||
|
@ -199,8 +198,6 @@
|
|||
"lambda:GetFunctionConfiguration",
|
||||
"lambda:GetPolicy",
|
||||
"lambda:InvokeFunction",
|
||||
"lambda:ListAliases",
|
||||
"lambda:ListVersionsByFunction",
|
||||
"lambda:PublishVersion",
|
||||
"lambda:RemovePermission",
|
||||
"lambda:UpdateAlias",
|
||||
|
@ -219,6 +216,7 @@
|
|||
"Resource": [
|
||||
"arn:aws:iam::{{aws_account}}:role/ansible_lambda_role",
|
||||
"arn:aws:iam::{{aws_account}}:role/ecsInstanceRole",
|
||||
"arn:aws:iam::{{aws_account}}:role/ec2InstanceRole",
|
||||
"arn:aws:iam::{{aws_account}}:role/ecsServiceRole",
|
||||
"arn:aws:iam::{{aws_account}}:role/aws_eks_cluster_role",
|
||||
"arn:aws:iam::{{aws_account}}:role/ecsTaskExecutionRole"
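Review bot: One of these role ARNs is new and the marker is lost, but none of `ecsInstanceRole`, `ec2InstanceRole`, `ecsServiceRole` or `aws_eks_cluster_role` carries the `ansible-test-` prefix, so they cannot be created by the CI principal itself (the security policy scopes `iam:CreateRole` to `role/ansible-test-*`); that matches the description's intent that they pre-exist. Since a missing role surfaces only as an opaque PassRole/NoSuchEntity failure mid-test, the roles that must be created beforehand, with their expected trust policies, should be listed in the test documentation. The Action list this Resource block belongs to is outside the hunk.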
|
||||
|
|
|
@ -46,6 +46,7 @@
|
|||
"ecs:StopTask",
|
||||
"ecs:UpdateService",
|
||||
"elasticloadbalancing:Describe*",
|
||||
"iam:GetInstanceProfile",
|
||||
"iam:GetPolicy",
|
||||
"iam:GetPolicyVersion",
|
||||
"iam:GetRole",
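Review bot: Exactly one line between `ecs:UpdateService` and `iam:GetRole` is new here and the page has lost which; either way `elasticloadbalancing:Describe*` in this policy overlaps the explicit `elasticloadbalancing:Describe…` entries kept in the compute policy (hunk @ -135), which is the duplication the description says it wants to reduce. This statement's Resource is outside the hunk, so I cannot tell whether the two are scoped differently; if both are `*`, dropping the explicit ELB Describe list from the compute policy would also help with its 6144-byte limit.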
|
||||
|
|
|
@ -86,6 +86,17 @@
|
|||
],
|
||||
"Effect": "Allow",
|
||||
"Resource": "*"
|
||||
},
|
||||
{
|
||||
"Sid": "DMSEndpoints",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"dms:CreateEndpoint",
|
||||
"dms:DeleteEndpoint",
|
||||
"dms:DescribeEndpoints",
|
||||
"dms:ModifyEndpoint"
|
||||
],
|
||||
"Resource": ["*"]
|
||||
}
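Review bot: The new `DMSEndpoints` statement writes `"Resource": ["*"]` while the statement directly above it (and the rest of this file) uses the scalar form `"Resource": "*"`; both are valid IAM, but the list form reads as if more entries were intended. Use `"Resource": "*"` for consistency. Scoping by ARN is impractical for DMS endpoints because the ARN contains a generated identifier, so `*` is understandable here, though `dms:CreateEndpoint` with `*` does let the test principal create endpoints holding arbitrary database credentials; a tag-based condition is the usual way to narrow it if the tests tag what they create.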
|
||||
]
|
||||
}
|
||||
|
|
|
@ -1,17 +0,0 @@
|
|||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Sid": "AllowAccessToServerCertificates",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"iam:ListServerCertificates",
|
||||
"iam:UploadServerCertificate",
|
||||
"iam:UpdateServerCertificate",
|
||||
"iam:DeleteServerCertificate",
|
||||
"iam:GetServerCertificate"
|
||||
],
|
||||
"Resource": "*"
|
||||
}
|
||||
]
|
||||
}
|
|
@ -22,6 +22,30 @@
|
|||
"ec2:DescribeTransitGateways"
|
||||
],
|
||||
"Resource": "*"
|
||||
},
|
||||
{
|
||||
"Sid": "AllowCloudfrontUsage",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"cloudfront:CreateDistribution",
|
||||
"cloudfront:CreateDistributionWithTags",
|
||||
"cloudfront:CreateCloudFrontOriginAccessIdentity",
|
||||
"cloudfront:DeleteDistribution",
|
||||
"cloudfront:GetDistribution",
|
||||
"cloudfront:GetStreamingDistribution",
|
||||
"cloudfront:GetDistributionConfig",
|
||||
"cloudfront:GetStreamingDistributionConfig",
|
||||
"cloudfront:GetInvalidation",
|
||||
"cloudfront:ListDistributions",
|
||||
"cloudfront:ListDistributionsByWebACLId",
|
||||
"cloudfront:ListInvalidations",
|
||||
"cloudfront:ListStreamingDistributions",
|
||||
"cloudfront:ListTagsForResource",
|
||||
"cloudfront:TagResource",
|
||||
"cloudfront:UntagResource",
|
||||
"cloudfront:UpdateDistribution"
|
||||
],
|
||||
"Resource": "*"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
@ -33,7 +33,9 @@
|
|||
"iam:CreateRole",
|
||||
"iam:DeleteRole",
|
||||
"iam:DetachRolePolicy",
|
||||
"iam:PassRole"
|
||||
"iam:PassRole",
|
||||
"iam:UpdateAssumeRolePolicy",
|
||||
"sts:AssumeRole"
|
||||
],
|
||||
"Resource": "arn:aws:iam::{{ aws_account }}:role/ansible-test-*",
|
||||
"Effect": "Allow",
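Review bot: With `iam:UpdateAssumeRolePolicy` and `sts:AssumeRole` now granted on `role/ansible-test-*` next to the existing `iam:CreateRole`/`iam:DeleteRole`, any role whose name starts with `ansible-test-` is fully under the CI principal's control (it can rewrite the trust policy and then assume the role); that is the intended test namespace, but it means the prefix must be reserved for throwaway test roles in that account. The description says role creation should no longer be needed by CI, yet `iam:CreateRole` is kept in this statement — if it is still required for the iam_role tests themselves, that is fine, but it deserves a mention. The Resource line uses `{{ aws_account }}` while the rest of this file writes `{{aws_account}}`; both render identically, so pick one. The statement's Sid is outside the hunk.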
|
||||
|
@ -91,22 +93,6 @@
|
|||
"arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:ansible-testing*"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Sid": "AllowSTSAnsibleTests",
|
||||
"Action": [
|
||||
"iam:CreateRole",
|
||||
"iam:DeleteRole",
|
||||
"iam:DetachRolePolicy",
|
||||
"sts:AssumeRole",
|
||||
"iam:AttachRolePolicy",
|
||||
"iam:CreateInstanceProfile"
|
||||
],
|
||||
"Effect": "Allow",
|
||||
"Resource": [
|
||||
"arn:aws:iam::{{aws_account}}:role/ansible-test-sts-*",
|
||||
"arn:aws:iam::{{aws_account}}:instance-profile/ansible-test-sts-*"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Sid": "AllowAccessToUnspecifiedKMSResources",
|
||||
"Effect": "Allow",
|
||||
|
@ -132,26 +118,13 @@
|
|||
"Resource": "*"
|
||||
},
|
||||
{
|
||||
"Sid": "AllowAccessToSpecifiedIAMResources",
|
||||
"Sid": "AllowAccessToServerCertificates",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"iam:CreateRole",
|
||||
"iam:DeleteRole",
|
||||
"iam:GetRole",
|
||||
"iam:PassRole",
|
||||
"iam:UpdateAssumeRolePolicy"
|
||||
"iam:ListServerCertificates",
|
||||
"iam:UploadServerCertificate"
|
||||
],
|
||||
"Resource": "arn:aws:iam::{{aws_account}}:role/ansible-test-*"
|
||||
},
|
||||
{
|
||||
"Sid": "AllowInstanceProfileCreation",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"iam:AddRoleToInstanceProfile",
|
||||
"iam:CreateInstanceProfile",
|
||||
"iam:RemoveRoleFromInstanceProfile"
|
||||
],
|
||||
"Resource": "arn:aws:iam::{{aws_account}}:instance-profile/ansible-test-*"
|
||||
"Resource": "*"
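Review bot: The relocated `AllowAccessToServerCertificates` statement grants only `iam:ListServerCertificates` and `iam:UploadServerCertificate`, whereas the policy file deleted in this commit (hunk @ -1,17 +0,0) also granted `iam:GetServerCertificate`, `iam:UpdateServerCertificate` and `iam:DeleteServerCertificate`; unless those moved somewhere not shown here, a test that uploads a certificate can no longer delete it, so test certificates will accumulate in the account. If the drop is deliberate the cleanup tasks need to tolerate the AccessDenied; otherwise add `"iam:DeleteServerCertificate"` (and `"iam:GetServerCertificate"` if the tests read the certificate back). IAM server-certificate actions other than List accept a resource ARN, so `"Resource": "*"` could become `"arn:aws:iam::{{aws_account}}:server-certificate/ansible-test-*"` if the tests name their certificates with that prefix — I cannot confirm the naming from this page.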
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
dependencies:
|
||||
- prepare_tests
|
||||
- setup_ec2
|
||||
- setup_remote_tmp_dir
|
||||
|
|
|
@ -1,6 +0,0 @@
|
|||
- hosts: localhost
|
||||
connection: local
|
||||
environment: "{{ ansible_test.environment }}"
|
||||
|
||||
roles:
|
||||
- ec2_instance
|
|
@ -1,47 +0,0 @@
|
|||
- hosts: localhost
|
||||
connection: local
|
||||
environment: "{{ ansible_test.environment }}"
|
||||
vars:
|
||||
resource_prefix: 'ansible-testing'
|
||||
|
||||
tasks:
|
||||
- block:
|
||||
- name: set up aws connection info
|
||||
set_fact:
|
||||
aws_connection_info: &aws_connection_info
|
||||
aws_access_key: "{{ aws_access_key }}"
|
||||
aws_secret_key: "{{ aws_secret_key }}"
|
||||
security_token: "{{ security_token }}"
|
||||
region: "{{ aws_region }}"
|
||||
no_log: True
|
||||
|
||||
- name: Include vars file in {{ playbook_dir }}../defaults/main.yml
|
||||
include_vars:
|
||||
file: '{{ playbook_dir }}/../defaults/main.yml'
|
||||
|
||||
- name: create t3.nano with cpu options (fails gracefully)
|
||||
ec2_instance:
|
||||
state: present
|
||||
name: "ansible-test-{{ resource_prefix | regex_search('([0-9]+)$') }}-ec2"
|
||||
image_id: "{{ ec2_ami_image[aws_region] }}"
|
||||
instance_type: t3.nano
|
||||
cpu_options:
|
||||
core_count: 1
|
||||
threads_per_core: 1
|
||||
<<: *aws_connection_info
|
||||
register: ec2_instance_cpu_options_creation
|
||||
ignore_errors: yes
|
||||
|
||||
- name: check that graceful error message is returned when creation with cpu_options and old botocore
|
||||
assert:
|
||||
that:
|
||||
- ec2_instance_cpu_options_creation.failed
|
||||
- 'ec2_instance_cpu_options_creation.msg == "cpu_options is only supported with botocore >= 1.10.16"'
|
||||
|
||||
always:
|
||||
- name: cleanup c4.large in case graceful failure was in fact a graceful success
|
||||
ec2_instance:
|
||||
state: absent
|
||||
name: "ansible-test-{{ resource_prefix | regex_search('([0-9]+)$') }}-ec2"
|
||||
<<: *aws_connection_info
|
||||
ignore_errors: yes
|
|
@ -1,15 +0,0 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
set -eux
|
||||
|
||||
export ANSIBLE_ROLES_PATH=../../targets/
|
||||
|
||||
# Test graceful failure for older versions of botocore
|
||||
source virtualenv.sh
|
||||
pip install 'botocore<1.10.16' 'boto3<1.7.16'
|
||||
ansible-playbook -v playbooks/version_fail.yml "$@"
|
||||
|
||||
# Run full test suite
|
||||
source virtualenv.sh
|
||||
pip install 'botocore>=1.10.16' boto3
|
||||
ansible-playbook -v playbooks/full_test.yml "$@"
|
|
@ -8,6 +8,43 @@
|
|||
|
||||
- block:
|
||||
|
||||
- set_fact:
|
||||
virtualenv: "{{ remote_tmp_dir }}/virtualenv"
|
||||
virtualenv_command: "{{ ansible_python_interpreter }} -m virtualenv"
|
||||
|
||||
- set_fact:
|
||||
virtualenv_interpreter: "{{ virtualenv }}/bin/python"
|
||||
|
||||
- pip:
|
||||
name: virtualenv
|
||||
|
||||
- pip:
|
||||
name:
|
||||
- 'botocore<1.10.16'
|
||||
- boto3
|
||||
- coverage
|
||||
virtualenv: "{{ virtualenv }}"
|
||||
virtualenv_command: "{{ virtualenv_command }}"
|
||||
virtualenv_site_packages: no
|
||||
|
||||
- include_tasks: version_fail.yml
|
||||
vars:
|
||||
ansible_python_interpreter: "{{ virtualenv_interpreter }}"
|
||||
|
||||
- file:
|
||||
path: "{{ virtualenv }}"
|
||||
state: absent
|
||||
|
||||
- pip:
|
||||
name:
|
||||
- 'botocore>=1.10.16'
|
||||
- boto3
|
||||
- coverage
|
||||
virtualenv: "{{ virtualenv }}"
|
||||
virtualenv_command: "{{ virtualenv_command }}"
|
||||
virtualenv_site_packages: no
|
||||
|
||||
|
||||
- include_tasks: env_setup.yml
|
||||
- include_tasks: cpu_options.yml
|
||||
- include_tasks: termination_protection.yml
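Review bot: The old-botocore virtualenv pins only `'botocore<1.10.16'` and leaves `boto3` unpinned; the deleted runme.sh pinned both (`'boto3<1.7.16'`), and a current boto3 declares a newer botocore requirement, so depending on the pip resolver the install either fails or ends up with a botocore that satisfies boto3 rather than the pin, in which case version_fail.yml no longer exercises the old-botocore path and its message assert fails. Add `- 'boto3<1.7.16'` next to the botocore pin. The `file: state: absent` removal of the virtualenv sits in the block's normal flow, so a failure inside version_fail.yml leaves the venv behind (the block's `always:` section, if it has one, is outside this hunk). `virtualenv_site_packages: no` is a YAML 1.1 boolean; `false` is the unambiguous spelling.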
|
||||
|
|
36
test/integration/targets/ec2_instance/tasks/version_fail.yml
Normal file
36
test/integration/targets/ec2_instance/tasks/version_fail.yml
Normal file
|
@ -0,0 +1,36 @@
|
|||
- block:
|
||||
- name: set up aws connection info
|
||||
set_fact:
|
||||
aws_connection_info: &aws_connection_info
|
||||
aws_access_key: "{{ aws_access_key }}"
|
||||
aws_secret_key: "{{ aws_secret_key }}"
|
||||
security_token: "{{ security_token }}"
|
||||
region: "{{ aws_region }}"
|
||||
no_log: True
|
||||
|
||||
- name: create t3.nano with cpu options (fails gracefully)
|
||||
ec2_instance:
|
||||
state: present
|
||||
name: "ansible-test-{{ resource_prefix | regex_search('([0-9]+)$') }}-ec2"
|
||||
image_id: "{{ ec2_ami_image[aws_region] }}"
|
||||
instance_type: t3.nano
|
||||
cpu_options:
|
||||
core_count: 1
|
||||
threads_per_core: 1
|
||||
<<: *aws_connection_info
|
||||
register: ec2_instance_cpu_options_creation
|
||||
ignore_errors: yes
|
||||
|
||||
- name: check that graceful error message is returned when creation with cpu_options and old botocore
|
||||
assert:
|
||||
that:
|
||||
- ec2_instance_cpu_options_creation.failed
|
||||
- 'ec2_instance_cpu_options_creation.msg == "cpu_options is only supported with botocore >= 1.10.16"'
|
||||
|
||||
always:
|
||||
- name: cleanup t3.nano in case graceful failure was in fact a graceful success
|
||||
ec2_instance:
|
||||
state: absent
|
||||
name: "ansible-test-{{ resource_prefix | regex_search('([0-9]+)$') }}-ec2"
|
||||
<<: *aws_connection_info
|
||||
ignore_errors: yes
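Review bot: The new file has no header explaining what it verifies or how it is meant to be run; a comment such as `# Verifies ec2_instance fails gracefully when cpu_options is used with botocore < 1.10.16; included by main.yml inside a virtualenv pinned to the old botocore` plus a `---` document-start line would follow the usual Ansible convention. `no_log: True` on the set_fact task is correct since `aws_secret_key` and `security_token` pass through it, but `True` and the `ignore_errors: yes` lines are YAML 1.1 spellings — `true` is clearer. The assert compares the module's `msg` against an exact string, so any rewording of that message in ec2_instance breaks this test; `ec2_instance_cpu_options_creation.msg is search('cpu_options is only supported')` would be less brittle.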
|