wbrawner/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ansible/test/integration/targets/sts_assume_role/tasks/main.yml
Matt Clay ca13e678ae Backport test infra fixes and updates to stable-2.5. (#46992) 
* Fix unit test parametrize order on Python 3.5.

(cherry picked from commit 53b230ca74)

* Fix ansible-test unit test execution. (#45772)

* Fix ansible-test units requirements install.
* Run unit tests as unprivileged user under Docker.

(cherry picked from commit 379a7f4f5a)

* Run unit tests in parallel. (#45812)

(cherry picked from commit abe8e4c9e8)

* Minor fixes for unit test delegation.

(cherry picked from commit be199cfe90)

* add support for opening shell on remote Windows host (#43919)

* add support for opening shell on remote Windows host

* added arg completion and fix sanity check

* remove uneeded arg

(cherry picked from commit 6ca4ea0c1f)

* Block network access for unit tests in docker.

(cherry picked from commit 99cac99cbc)

* Make ansible-test available in the bin directory. (#45876)

(cherry picked from commit f3d1f9544b)

* Support comments in ansible-test flat files.

(cherry picked from commit 5a3000af19)

* Fix incorrect use of subprocess.CalledProcessError (#45890)

(cherry picked from commit 24dd87bd0a)

* Improve ansible-test match error handling.

(cherry picked from commit 2056c981ae)

* Improve error handling for docs-build test.

(cherry picked from commit 2148999048)

* Bug fixes and cleanup for ansible-test. (#45991)

* Remove unused imports.
* Clean up ConfigParser usage in ansible-test.
* Fix bare except statements in ansible-test.
* Miscellaneous cleanup from PyCharm inspections.
* Enable pylint no-self-use for ansible-test.
* Remove obsolete pylint ignores for Python 3.7.
* Fix shellcheck issuers under newer shellcheck.
* Use newer path for ansible-test.
* Fix issues in code-smell tests.

(cherry picked from commit ac492476e5)

* Fix integration test library search path.

This prevents tests from loading modules outside the source tree,
which could result in testing the wrong module if a system-wide
install is present, or custom modules exist.

(cherry picked from commit d603cd41fe)

* Update default container to version 1.2.0.

(cherry picked from commit d478a4c3f6)
(cherry picked from commit 21c4eb8db5)

* Fix ansible-test docker python version handling.

This removes the old name based version detection behavior and
uses versions defined in the docker completion file instead, as
the new containers do not follow the old naming scheme.

(cherry picked from commit 54937ba784)

* Reduce noise in docs-build test failures.

(cherry picked from commit 4085d01617)

* Fix ansible-test encoding issues for exceptions.

(cherry picked from commit 0d7a156319)

* Fix ansible-test multi-group smoke test handling. (#46363)

* Fix ansible-test smoke tests across groups.
* Fix ansible-test list arg defaults.
* Fix ansible-test require and exclude delegation.
* Fix detection of Windows specific changes.
* Add minimal Windows testing for Python 3.7.

(cherry picked from commit e53390b3b1)

* Use default-test-container version 1.3.0.

(cherry picked from commit 6d9be66418)

* Add file exists check in integration-aliases test.

(cherry picked from commit 33a8be9109)

* Improve ansible-test environment checking between tests. (#46459)

* Add unified diff output to environment validation.

This makes it easier to see where the environment changed.

* Compare Python interpreters by version to pip shebangs.

This helps expose cases where pip executables use a different
Python interpreter than is expected.

* Query `pip.__version__` instead of using `pip --version`.

This is a much faster way to query the pip version. It also more
closely matches how we invoke pip within ansible-test.

* Remove redundant environment scan between tests.

This reuses the environment scan from the end of the previous test
as the basis for comparison during the next test.

(cherry picked from commit 0dc7f38787)

* Add symlinks sanity test. (#46467)

* Add symlinks sanity test.
* Replace legacy test symlinks with actual content.
* Remove dir symlink from template_jinja2_latest.
* Update import test to use generated library dir.
* Fix copy test symlink setup.

(cherry picked from commit e2b6047514)

* Fix parametrize warning in unit tests.

(cherry picked from commit 1a28898a00)

* Update MANIFEST.in (#46502)

* Update MANIFEST.in:

- Remove unnecessary prune.
- Include files needed by tests.
- Exclude botmeta sanity test.

These changes permit sanity tests to pass on sdist output.
(cherry picked from commit cbb49f66ec)

* Fix unit tests which modify the source tree. (#45763)

* Fix CNOS unit test log usage.
* Use temp dir for Galaxy unit tests.
* Write to temp files in interfaces_file unit test.
* Fix log placement in netapp_e_ldap unit test.

(cherry picked from commit 0686450cae)

* Fix ansible-test custom docker image traceback.

(cherry picked from commit 712ad9ed64)

* ansible-test: Create public key creating Windows targets (#43760)

* ansible-test: Create public key creating Windows targets

* Changed to always set SSH Key for Windows hosts

(cherry picked from commit adc0efe10c)

* Fix and re-enable sts_assume_role integration tests (#46026)

* Fix the STS assume role error message assertion when the role to assume does not exist.

(cherry picked from commit 18dc928e28)

* Fix ACI unit test on Python 3.7.0.

The previous logic was only needed for pre-release versions of 3.7.

(cherry picked from commit c0bf9815c9)

* Remove placeboify from unit tests that are not calling AWS (i.e. creating a recording) (#45754)

(cherry picked from commit 2167ce6cb6)

* Update sanity test ignore entries.
2018-10-13 10:44:11 -07:00

384 lines
13 KiB
YAML
Raw Blame History

---
# tasks file for sts_assume_role
- block:
# ============================================================
# TODO create simple ansible sts_get_caller_identity module
- blockinfile:
path: "{{ output_dir }}/sts.py"
create: yes
block: |
#!/usr/bin/env python
import boto3
sts = boto3.client('sts')
response = sts.get_caller_identity()
print(response['Account'])
- name: get the aws account id
command: python "{{ output_dir }}/sts.py"
environment:
AWS_ACCESS_KEY_ID: "{{ aws_access_key }}"
AWS_SECRET_ACCESS_KEY: "{{ aws_secret_key }}"
AWS_SESSION_TOKEN: "{{ security_token }}"
register: result
- name: register account id
set_fact:
aws_account: "{{ result.stdout | replace('\n', '') }}"
# ============================================================
- name: create test iam role
iam_role:
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
security_token: "{{ security_token }}"
name: "ansible-test-sts-{{ resource_prefix }}"
assume_role_policy_document: "{{ lookup('template','policy.json.j2') }}"
create_instance_profile: False
managed_policy:
- arn:aws:iam::aws:policy/IAMReadOnlyAccess
state: present
register: test_role
# ============================================================
- name: pause to ensure role exists before using
pause:
seconds: 30
# ============================================================
- name: test with no parameters
sts_assume_role:
register: result
ignore_errors: true
- name: assert with no parameters
assert:
that:
- 'result.failed'
- "'missing required arguments:' in result.msg"
# ============================================================
- name: test with empty parameters
sts_assume_role:
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
security_token: "{{ security_token }}"
region: "{{ aws_region}}"
role_arn:
role_session_name:
policy:
duration_seconds:
external_id:
mfa_token:
mfa_serial_number:
register: result
ignore_errors: true
- name: assert with empty parameters
assert:
that:
- 'result.failed'
- "'Missing required parameter in input:' in result.msg"
when: result.module_stderr is not defined
- name: assert with empty parameters
assert:
that:
- 'result.failed'
- "'Member must have length greater than or equal to 20' in result.module_stderr"
when: result.module_stderr is defined
# ============================================================
- name: test with only 'role_arn' parameter
sts_assume_role:
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
security_token: "{{ security_token }}"
role_arn: "{{ test_role.iam_role.arn }}"
register: result
ignore_errors: true
- name: assert with only 'role_arn' parameter
assert:
that:
- 'result.failed'
- "'missing required arguments: role_session_name' in result.msg"
# ============================================================
- name: test with only 'role_session_name' parameter
sts_assume_role:
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
security_token: "{{ security_token }}"
role_session_name: "AnsibleTest"
register: result
ignore_errors: true
- name: assert with only 'role_session_name' parameter
assert:
that:
- 'result.failed'
- "'missing required arguments: role_arn' in result.msg"
# ============================================================
- name: test assume role with invalid policy
sts_assume_role:
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
security_token: "{{ security_token }}"
region: "{{ aws_region }}"
role_arn: "{{ test_role.iam_role.arn }}"
role_session_name: "AnsibleTest"
policy: "invalid policy"
register: result
ignore_errors: true
- name: assert assume role with invalid policy
assert:
that:
- 'result.failed'
- "'The policy is not in the valid JSON format.' in result.msg"
when: result.module_stderr is not defined
- name: assert assume role with invalid policy
assert:
that:
- 'result.failed'
- "'The policy is not in the valid JSON format.' in result.module_stderr"
when: result.module_stderr is defined
# ============================================================
- name: test assume role with invalid duration seconds
sts_assume_role:
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
security_token: "{{ security_token }}"
region: "{{ aws_region}}"
role_arn: "{{ test_role.iam_role.arn }}"
role_session_name: AnsibleTest
duration_seconds: invalid duration
register: result
ignore_errors: true
- name: assert assume role with invalid duration seconds
assert:
that:
- 'result.failed'
- "'unable to convert to int: invalid literal for int()' in result.msg"
# ============================================================
- name: test assume role with invalid external id
sts_assume_role:
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
security_token: "{{ security_token }}"
region: "{{ aws_region}}"
role_arn: "{{ test_role.iam_role.arn }}"
role_session_name: AnsibleTest
external_id: invalid external id
register: result
ignore_errors: true
- name: assert assume role with invalid external id
assert:
that:
- 'result.failed'
- "'Member must satisfy regular expression pattern:' in result.msg"
when: result.module_stderr is not defined
- name: assert assume role with invalid external id
assert:
that:
- 'result.failed'
- "'Member must satisfy regular expression pattern:' in result.module_stderr"
when: result.module_stderr is defined
# ============================================================
- name: test assume role with invalid mfa serial number
sts_assume_role:
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
security_token: "{{ security_token }}"
region: "{{ aws_region}}"
role_arn: "{{ test_role.iam_role.arn }}"
role_session_name: AnsibleTest
mfa_serial_number: invalid serial number
register: result
ignore_errors: true
- name: assert assume role with invalid mfa serial number
assert:
that:
- 'result.failed'
- "'Member must satisfy regular expression pattern:' in result.msg"
when: result.module_stderr is not defined
- name: assert assume role with invalid mfa serial number
assert:
that:
- 'result.failed'
- "'Member must satisfy regular expression pattern:' in result.module_stderr"
when: result.module_stderr is defined
# ============================================================
- name: test assume role with invalid mfa token code
sts_assume_role:
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
security_token: "{{ security_token }}"
region: "{{ aws_region}}"
role_arn: "{{ test_role.iam_role.arn }}"
role_session_name: AnsibleTest
mfa_token: invalid token code
register: result
ignore_errors: true
- name: assert assume role with invalid mfa token code
assert:
that:
- 'result.failed'
- "'Member must satisfy regular expression pattern:' in result.msg"
when: result.module_stderr is not defined
- name: assert assume role with invalid mfa token code
assert:
that:
- 'result.failed'
- "'Member must satisfy regular expression pattern:' in result.module_stderr"
when: result.module_stderr is defined
# ============================================================
- name: test assume role with invalid role_arn
sts_assume_role:
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
security_token: "{{ security_token }}"
region: "{{ aws_region}}"
role_arn: invalid role arn
role_session_name: AnsibleTest
register: result
ignore_errors: true
- name: assert assume role with invalid role_arn
assert:
that:
- result.failed
- "'Invalid length for parameter RoleArn' in result.msg"
when: result.module_stderr is not defined
- name: assert assume role with invalid role_arn
assert:
that:
- 'result.failed'
- "'Member must have length greater than or equal to 20' in result.module_stderr"
when: result.module_stderr is defined
# ============================================================
- name: test assume not existing sts role
sts_assume_role:
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
security_token: "{{ security_token }}"
region: "{{ aws_region}}"
role_arn: "arn:aws:iam::123456789:role/non-existing-role"
role_session_name: "AnsibleTest"
register: result
ignore_errors: true
- name: assert assume not existing sts role
assert:
that:
- 'result.failed'
- "'Access denied' in result.msg"
when: result.module_stderr is not defined
- name: assert assume not existing sts role
assert:
that:
- 'result.failed'
- "'Access denied' in result.module_stderr"
when: result.module_stderr is defined
# ============================================================
- name: test assume role
sts_assume_role:
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
security_token: "{{ security_token }}"
region: "{{ aws_region }}"
role_arn: "{{ test_role.iam_role.arn }}"
role_session_name: AnsibleTest
register: assumed_role
- name: assert assume role
assert:
that:
- 'not assumed_role.failed'
- "'sts_creds' in assumed_role"
- "'access_key' in assumed_role.sts_creds"
- "'secret_key' in assumed_role.sts_creds"
- "'session_token' in assumed_role.sts_creds"
# ============================================================
- name: test that assumed credentials have IAM read-only access
iam_role:
aws_access_key: "{{ assumed_role.sts_creds.access_key }}"
aws_secret_key: "{{ assumed_role.sts_creds.secret_key }}"
security_token: "{{ assumed_role.sts_creds.session_token }}"
region: "{{ aws_region}}"
name: "ansible-test-sts-{{ resource_prefix }}"
assume_role_policy_document: "{{ lookup('template','policy.json.j2') }}"
create_instance_profile: False
state: present
register: result
- name: assert assumed role with privileged action (expect changed=false)
assert:
that:
- 'not result.failed'
- 'not result.changed'
- "'iam_role' in result"
# ============================================================
- name: test assumed role with unprivileged action
iam_role:
aws_access_key: "{{ assumed_role.sts_creds.access_key }}"
aws_secret_key: "{{ assumed_role.sts_creds.secret_key }}"
security_token: "{{ assumed_role.sts_creds.session_token }}"
region: "{{ aws_region}}"
name: "ansible-test-sts-{{ resource_prefix }}-new"
assume_role_policy_document: "{{ lookup('template','policy.json.j2') }}"
state: present
register: result
ignore_errors: true
- name: assert assumed role with unprivileged action (expect changed=false)
assert:
that:
- 'result.failed'
- "'is not authorized to perform: iam:CreateRole' in result.msg"
# runs on Python2
when: result.module_stderr is not defined
- name: assert assumed role with unprivileged action (expect changed=false)
assert:
that:
- 'result.failed'
- "'is not authorized to perform: iam:CreateRole' in result.module_stderr"
# runs on Python3
when: result.module_stderr is defined
# ============================================================
always:
- name: delete test iam role
iam_role:
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
security_token: "{{ security_token }}"
name: "ansible-test-sts-{{ resource_prefix }}"
assume_role_policy_document: "{{ lookup('template','policy.json.j2') }}"
managed_policy:
- arn:aws:iam::aws:policy/IAMReadOnlyAccess
state: absent
Reference in a new issue View git blame Copy permalink