s3_bucket: add integration tests (#36941)

Also update testing-policies/storage
6 years ago · 7c07877b1b
parent 51d491f8f0
commit 7c07877b1b
5 changed files with 244 additions and 5 deletions
--- a/hacking/aws_config/testing_policies/storage-policy.json
+++ b/hacking/aws_config/testing_policies/storage-policy.json
@ -2,16 +2,24 @@
    "Version": "2012-10-17",
    "Statement": [
        {
-            "Sid": "AlowS3AnsibleTestBuckets",
+            "Sid": "AllowS3AnsibleTestBuckets",
            "Action": [
+                "s3:CreateBucket",
+                "s3:DeleteBucket",
+                "s3:DeleteObject",
+                "s3:GetBucketPolicy",
+                "s3:GetBucketRequestPayment",
+                "s3:GetBucketTagging",
+                "s3:GetBucketVersioning",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutBucketAcl",
-                "s3:CreateBucket",
+                "s3:PutBucketPolicy",
+                "s3:PutBucketRequestPayment",
+                "s3:PutBucketTagging",
+                "s3:PutBucketVersioning",
                "s3:PutObject",
-                "s3:PutObjectAcl",
-                "s3:DeleteBucket",
-                "s3:DeleteObject"
+                "s3:PutObjectAcl"
            ],
            "Effect": "Allow",
            "Resource": [
--- a/test/integration/targets/s3_bucket/aliases
+++ b/test/integration/targets/s3_bucket/aliases
@ -0,0 +1,2 @@
+cloud/aws
+posix/ci/cloud/group4/aws
--- a/test/integration/targets/s3_bucket/tasks/main.yml
+++ b/test/integration/targets/s3_bucket/tasks/main.yml
@ -0,0 +1,205 @@
+---
+
+- block:
+
+    # ============================================================
+    - name: set connection information for all tasks
+      set_fact:
+        aws_connection_info: &aws_connection_info
+          aws_access_key: "{{ aws_access_key }}"
+          aws_secret_key: "{{ aws_secret_key }}"
+          security_token: "{{ security_token }}"
+          region: "{{ aws_region }}"
+      no_log: true
+
+    # ============================================================
+    - name: Create simple s3_bucket
+      s3_bucket:
+        name: "{{ resource_prefix }}-testbucket-ansible"
+        state: present
+        <<: *aws_connection_info
+      register: output
+
+    - assert:
+        that:
+          - output.changed
+          - output.name == '{{ resource_prefix }}-testbucket-ansible'
+          - not output.requester_pays
+
+    # ============================================================
+    - name: Try to update the same bucket with the same values
+      s3_bucket:
+        name: "{{ resource_prefix }}-testbucket-ansible"
+        state: present
+        <<: *aws_connection_info
+      register: output
+
+    - assert:
+        that:
+          - not output.changed
+          - output.name == '{{ resource_prefix }}-testbucket-ansible'
+          - not output.requester_pays
+
+    # ============================================================
+    - name: Delete s3_bucket
+      s3_bucket:
+        name: "{{ resource_prefix }}-testbucket-ansible"
+        state: absent
+        <<: *aws_connection_info
+      register: output
+
+    - assert:
+        that:
+          - output.changed
+
+    # ============================================================
+    - name: Set bucket_name variable to be able to use it in lookup('template')
+      set_fact:
+        bucket_name: "{{ resource_prefix }}-testbucket-ansible-complex"
+
+    - name: Create more complex s3_bucket
+      s3_bucket:
+        name: "{{ resource_prefix }}-testbucket-ansible-complex"
+        state: present
+        policy: "{{ lookup('template','policy.json') }}"
+        requester_pays: yes
+        versioning: yes
+        tags:
+          example: tag1
+          another: tag2
+        <<: *aws_connection_info
+      register: output
+
+    - assert:
+        that:
+          - output.changed
+          - output.name == '{{ resource_prefix }}-testbucket-ansible-complex'
+          - output.requester_pays
+          - output.versioning.MfaDelete == 'Disabled'
+          - output.versioning.Versioning == 'Enabled'
+          - output.tags.example == 'tag1'
+          - output.tags.another == 'tag2'
+          - output.policy.Statement[0].Action == 's3:GetObject'
+          - output.policy.Statement[0].Effect == 'Allow'
+          - output.policy.Statement[0].Principal == '*'
+          - output.policy.Statement[0].Resource == 'arn:aws:s3:::{{ resource_prefix }}-testbucket-ansible-complex/*'
+          - output.policy.Statement[0].Sid == 'AddPerm'
+
+    # ============================================================
+    - name: Try to update the same complex s3_bucket
+      s3_bucket:
+        name: "{{ resource_prefix }}-testbucket-ansible-complex"
+        state: present
+        policy: "{{ lookup('template','policy.json') }}"
+        requester_pays: yes
+        versioning: yes
+        tags:
+          example: tag1
+          another: tag2
+        <<: *aws_connection_info
+      register: output
+
+    - assert:
+        that:
+          - not output.changed
+
+    # ============================================================
+    - name: Update bucket policy
+      s3_bucket:
+        name: "{{ resource_prefix }}-testbucket-ansible-complex"
+        state: present
+        policy: "{{ lookup('template','policy-updated.json') }}"
+        requester_pays: yes
+        versioning: yes
+        tags:
+          example: tag1
+          another: tag2
+        <<: *aws_connection_info
+      register: output
+
+    - assert:
+        that:
+          - output.changed
+          - output.policy.Statement[0].Action == 's3:GetObject'
+          - output.policy.Statement[0].Effect == 'Deny'
+          - output.policy.Statement[0].Principal == '*'
+          - output.policy.Statement[0].Resource == 'arn:aws:s3:::{{ resource_prefix }}-testbucket-ansible-complex/*'
+          - output.policy.Statement[0].Sid == 'AddPerm'
+
+    # ============================================================
+    - name: Update attributes for s3_bucket
+      s3_bucket:
+        name: "{{ resource_prefix }}-testbucket-ansible-complex"
+        state: present
+        policy: "{{ lookup('template','policy.json') }}"
+        requester_pays: no
+        versioning: no
+        tags:
+          example: tag1-udpated
+          another: tag2
+        <<: *aws_connection_info
+      register: output
+
+    - assert:
+        that:
+          - output.changed
+          - output.name == '{{ resource_prefix }}-testbucket-ansible-complex'
+          - not output.requester_pays
+          - output.versioning.MfaDelete == 'Disabled'
+          - output.versioning.Versioning == 'Suspended'
+          - output.tags.example == 'tag1-udpated'
+          - output.tags.another == 'tag2'
+          - output.policy.Statement[0].Action == 's3:GetObject'
+          - output.policy.Statement[0].Effect == 'Allow'
+          - output.policy.Statement[0].Principal == '*'
+          - output.policy.Statement[0].Resource == 'arn:aws:s3:::{{ resource_prefix }}-testbucket-ansible-complex/*'
+          - output.policy.Statement[0].Sid == 'AddPerm'
+
+
+    # ============================================================
+    - name: Delete s3_bucket
+      s3_bucket:
+        name: "{{ resource_prefix }}-testbucket-ansible-complex"
+        state: absent
+        <<: *aws_connection_info
+      register: output
+
+    - assert:
+        that:
+          - output.changed
+
+    # ============================================================
+    - name: Create bucket with dot in name
+      s3_bucket:
+        name: "{{ resource_prefix }}.testbucket.ansible"
+        state: present
+        <<: *aws_connection_info
+      register: output
+
+    - assert:
+        that:
+          - output.changed
+          - output.name == '{{ resource_prefix }}.testbucket.ansible'
+
+    - name: Delete s3_bucket
+      s3_bucket:
+        name: "{{ resource_prefix }}.testbucket.ansible"
+        state: absent
+        <<: *aws_connection_info
+      register: output
+
+    - assert:
+        that:
+          - output.changed
+
+  # ============================================================
+  always:
+    - name: Ensure all buckets are deleted
+      s3_bucket:
+        name: "{{item}}"
+        state: absent
+        <<: *aws_connection_info
+      with_items:
+        - "{{ resource_prefix }}-testbucket-ansible"
+        - "{{ resource_prefix }}-testbucket-ansible-complex"
+        - "{{ resource_prefix }}.testbucket.ansible"
--- a/test/integration/targets/s3_bucket/templates/policy-updated.json
+++ b/test/integration/targets/s3_bucket/templates/policy-updated.json
@ -0,0 +1,12 @@
+{
+  "Version":"2012-10-17",
+  "Statement":[
+    {
+      "Sid":"AddPerm",
+      "Effect":"Deny",
+      "Principal": "*",
+      "Action":["s3:GetObject"],
+      "Resource":["arn:aws:s3:::{{bucket_name}}/*"]
+    }
+  ]
+}
--- a/test/integration/targets/s3_bucket/templates/policy.json
+++ b/test/integration/targets/s3_bucket/templates/policy.json
@ -0,0 +1,12 @@
+{
+  "Version":"2012-10-17",
+  "Statement":[
+    {
+      "Sid":"AddPerm",
+      "Effect":"Allow",
+      "Principal": "*",
+      "Action":["s3:GetObject"],
+      "Resource":["arn:aws:s3:::{{bucket_name}}/*"]
+    }
+  ]
+}