|
|
|
---
|
|
|
|
- block:
|
|
|
|
- name: set up aws connection info
|
|
|
|
set_fact:
|
|
|
|
aws_connection_info: &aws_connection_info
|
|
|
|
aws_access_key: "{{ aws_access_key }}"
|
|
|
|
aws_secret_key: "{{ aws_secret_key }}"
|
|
|
|
security_token: "{{ security_token }}"
|
|
|
|
region: "{{ aws_region }}"
|
|
|
|
no_log: yes
|
|
|
|
|
|
|
|
|
|
|
|
- name: Create a group with only the default rule
|
|
|
|
ec2_group:
|
|
|
|
name: '{{ec2_group_name}}-egress-tests'
|
|
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
|
|
description: '{{ec2_group_description}}'
|
|
|
|
<<: *aws_connection_info
|
|
|
|
state: present
|
|
|
|
register: result
|
|
|
|
|
|
|
|
- name: assert default rule is in place (expected changed=true)
|
|
|
|
assert:
|
|
|
|
that:
|
|
|
|
- result is changed
|
|
|
|
- result.ip_permissions|length == 0
|
|
|
|
- result.ip_permissions_egress|length == 1
|
|
|
|
- result.ip_permissions_egress[0].ip_ranges[0].cidr_ip == '0.0.0.0/0'
|
|
|
|
|
|
|
|
- name: Create a group with only the default rule
|
|
|
|
ec2_group:
|
|
|
|
name: '{{ec2_group_name}}-egress-tests'
|
|
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
|
|
description: '{{ec2_group_description}}'
|
|
|
|
purge_rules_egress: false
|
|
|
|
<<: *aws_connection_info
|
|
|
|
state: present
|
|
|
|
register: result
|
|
|
|
|
|
|
|
- name: assert default rule is not purged (expected changed=false)
|
|
|
|
assert:
|
|
|
|
that:
|
|
|
|
- result is not changed
|
|
|
|
- result.ip_permissions|length == 0
|
|
|
|
- result.ip_permissions_egress|length == 1
|
|
|
|
- result.ip_permissions_egress[0].ip_ranges[0].cidr_ip == '0.0.0.0/0'
|
|
|
|
|
|
|
|
- name: Pass empty egress rules without purging, should leave default rule in place
|
|
|
|
ec2_group:
|
|
|
|
name: '{{ec2_group_name}}-egress-tests'
|
|
|
|
description: '{{ec2_group_description}}'
|
|
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
|
|
purge_rules_egress: false
|
|
|
|
rules_egress: []
|
|
|
|
<<: *aws_connection_info
|
|
|
|
state: present
|
|
|
|
register: result
|
|
|
|
|
|
|
|
- name: assert default rule is not purged (expected changed=false)
|
|
|
|
assert:
|
|
|
|
that:
|
|
|
|
- result is not changed
|
|
|
|
- result.ip_permissions|length == 0
|
|
|
|
- result.ip_permissions_egress|length == 1
|
|
|
|
- result.ip_permissions_egress[0].ip_ranges[0].cidr_ip == '0.0.0.0/0'
|
|
|
|
|
|
|
|
- name: Purge rules, including the default
|
|
|
|
ec2_group:
|
|
|
|
name: '{{ec2_group_name}}-egress-tests'
|
|
|
|
description: '{{ec2_group_description}}'
|
|
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
|
|
purge_rules_egress: true
|
|
|
|
rules_egress: []
|
|
|
|
<<: *aws_connection_info
|
|
|
|
state: present
|
|
|
|
register: result
|
|
|
|
|
|
|
|
- name: assert default rule is not purged (expected changed=false)
|
|
|
|
assert:
|
|
|
|
that:
|
|
|
|
- result is changed
|
|
|
|
- result.ip_permissions|length == 0
|
|
|
|
- result.ip_permissions_egress|length == 0
|
|
|
|
|
|
|
|
- name: Add a custom egress rule
|
|
|
|
ec2_group:
|
|
|
|
name: '{{ec2_group_name}}-egress-tests'
|
|
|
|
description: '{{ec2_group_description}}'
|
|
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
|
|
rules_egress:
|
|
|
|
- proto: tcp
|
|
|
|
ports:
|
|
|
|
- 1212
|
|
|
|
cidr_ip: 1.2.1.2/32
|
|
|
|
<<: *aws_connection_info
|
|
|
|
state: present
|
|
|
|
register: result
|
|
|
|
|
|
|
|
- name: assert first rule is here
|
|
|
|
assert:
|
|
|
|
that:
|
|
|
|
- result.ip_permissions_egress|length == 1
|
|
|
|
|
|
|
|
- name: Add a second custom egress rule
|
|
|
|
ec2_group:
|
|
|
|
name: '{{ec2_group_name}}-egress-tests'
|
|
|
|
description: '{{ec2_group_description}}'
|
|
|
|
purge_rules_egress: false
|
|
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
|
|
rules_egress:
|
|
|
|
- proto: tcp
|
|
|
|
ports:
|
|
|
|
- 2323
|
|
|
|
cidr_ip: 2.3.2.3/32
|
|
|
|
<<: *aws_connection_info
|
|
|
|
state: present
|
|
|
|
register: result
|
|
|
|
|
|
|
|
- name: assert the first rule is not purged
|
|
|
|
assert:
|
|
|
|
that:
|
|
|
|
- result.ip_permissions_egress|length == 2
|
|
|
|
|
|
|
|
- name: Purge the second rule (CHECK MODE) (DIFF MODE)
|
|
|
|
ec2_group:
|
|
|
|
name: '{{ec2_group_name}}-egress-tests'
|
|
|
|
description: '{{ec2_group_description}}'
|
|
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
|
|
rules_egress:
|
|
|
|
- proto: tcp
|
|
|
|
ports:
|
|
|
|
- 1212
|
|
|
|
cidr_ip: 1.2.1.2/32
|
|
|
|
<<: *aws_connection_info
|
|
|
|
state: present
|
|
|
|
register: result
|
|
|
|
check_mode: True
|
|
|
|
diff: True
|
|
|
|
|
|
|
|
- name: assert first rule will be left
|
|
|
|
assert:
|
|
|
|
that:
|
|
|
|
- result.changed
|
|
|
|
- result.diff.0.after.ip_permissions_egress|length == 1
|
|
|
|
- result.diff.0.after.ip_permissions_egress[0].ip_ranges[0].cidr_ip == '1.2.1.2/32'
|
|
|
|
|
|
|
|
- name: Purge the second rule
|
|
|
|
ec2_group:
|
|
|
|
name: '{{ec2_group_name}}-egress-tests'
|
|
|
|
description: '{{ec2_group_description}}'
|
|
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
|
|
rules_egress:
|
|
|
|
- proto: tcp
|
|
|
|
ports:
|
|
|
|
- 1212
|
|
|
|
cidr_ip: 1.2.1.2/32
|
|
|
|
<<: *aws_connection_info
|
|
|
|
state: present
|
|
|
|
register: result
|
|
|
|
|
|
|
|
- name: assert first rule is here
|
|
|
|
assert:
|
|
|
|
that:
|
|
|
|
- result.ip_permissions_egress|length == 1
|
|
|
|
- result.ip_permissions_egress[0].ip_ranges[0].cidr_ip == '1.2.1.2/32'
|
|
|
|
|
|
|
|
- name: add a rule for all TCP ports
|
|
|
|
ec2_group:
|
|
|
|
name: '{{ec2_group_name}}-egress-tests'
|
|
|
|
description: '{{ec2_group_description}}'
|
|
|
|
rules_egress:
|
|
|
|
- proto: tcp
|
|
|
|
ports: 0-65535
|
|
|
|
cidr_ip: 0.0.0.0/0
|
|
|
|
<<: *aws_connection_info
|
|
|
|
state: present
|
|
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
|
|
register: result
|
|
|
|
|
|
|
|
- name: Re-add the default rule
|
|
|
|
ec2_group:
|
|
|
|
name: '{{ec2_group_name}}-egress-tests'
|
|
|
|
description: '{{ec2_group_description}}'
|
|
|
|
rules_egress:
|
|
|
|
- proto: -1
|
|
|
|
cidr_ip: 0.0.0.0/0
|
|
|
|
<<: *aws_connection_info
|
|
|
|
state: present
|
|
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
|
|
register: result
|
|
|
|
always:
|
|
|
|
- name: tidy up egress rule test security group
|
|
|
|
ec2_group:
|
|
|
|
name: '{{ec2_group_name}}-egress-tests'
|
|
|
|
state: absent
|
|
|
|
vpc_id: '{{ vpc_result.vpc.id }}'
|
|
|
|
<<: *aws_connection_info
|
|
|
|
ignore_errors: yes
|