From 832e03d932da8e21f265abc4b4df27924d92fb47 Mon Sep 17 00:00:00 2001 From: Mark Chappell Date: Fri, 6 Sep 2019 01:25:36 +0200 Subject: [PATCH] Fixup iam_group integration tests and return value documentation (#61243) * iam_group: (integration tests) migrate tests to module_defaults * iam_group: (integration tests) migrate to using temporary user and group with {{ resource_prefix }} * iam_group: (integration tests) fix test, checking the return values * iam_group: (integration tests) Add some more tests around the behaviour of 'changed' * iam_group: (docs) Update documentation of iam_group return value * Update AWS testing policies to enable group/user management --- .../testing_policies/security-policy.json | 13 ++ lib/ansible/modules/cloud/amazon/iam_group.py | 99 +++++----- .../targets/iam_group/defaults/main.yml | 3 + .../targets/iam_group/meta/main.yml | 3 + .../targets/iam_group/tasks/main.yml | 187 +++++++++++------- 5 files changed, 192 insertions(+), 113 deletions(-) create mode 100644 test/integration/targets/iam_group/defaults/main.yml create mode 100644 test/integration/targets/iam_group/meta/main.yml
diff --git a/hacking/aws_config/testing_policies/security-policy.json b/hacking/aws_config/testing_policies/security-policy.json
index 8c3f2b914d5..d0fc61ab782 100644
--- a/hacking/aws_config/testing_policies/security-policy.json
+++ b/hacking/aws_config/testing_policies/security-policy.json
@@ -139,6 +139,19 @@
 "iam:UpdateAccountPasswordPolicy"
 ],
 "Resource": "*"
+ },
+ {
+ "Sid": "AllowAccessToManageUsersAndGroups",
+ "Effect": "Allow",
+ "Action": [
+ "iam:*Group",
+ "iam:*User",
+ "iam:ListAttachedGroupPolicies"
+ ],
+ "Resource": [
+ "arn:aws:iam::{{ aws_account }}:user/ansible-test*",
+ "arn:aws:iam::{{ aws_account }}:group/ansible-test*"
+ ]
 }
 ]
 }
diff --git a/lib/ansible/modules/cloud/amazon/iam_group.py b/lib/ansible/modules/cloud/amazon/iam_group.py
index ff62c27ef8e..968a2e924d9 100644
--- a/lib/ansible/modules/cloud/amazon/iam_group.py
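Review bot: `iam:*Group` and `iam:*User` in the new AllowAccessToManageUsersAndGroups statement are suffix wildcards, so they grant CreateGroup/DeleteGroup/AddUserToGroup/RemoveUserFromGroup and CreateUser/DeleteUser but not `iam:AttachGroupPolicy`/`iam:DetachGroupPolicy` (they end in Policy) or the plural `iam:ListGroups`/`iam:ListUsers`, which are not resource-scoped and would need a separate `"Resource": "*"` statement; the explicit `iam:ListAttachedGroupPolicies` looks like exactly such a gap being patched, so if these tests ever exercise `managed_policy` the statement will need extending. The scoping to `user/ansible-test*` and `group/ansible-test*` is a sound least-privilege choice, but it silently depends on `resource_prefix` beginning with `ansible-test` (the new defaults file builds `{{ resource_prefix }}-user`). Since JSON has no comment syntax, a line in the test defaults such as `# names must start with ansible-test to match hacking/aws_config/testing_policies/security-policy.json` would make a future prefix change fail loudly rather than as an opaque AccessDenied.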
+++ b/lib/ansible/modules/cloud/amazon/iam_group.py 
@@ -111,56 +111,61 @@ EXAMPLES = '''
 '''
 RETURN = '''
-group:
- description: dictionary containing all the group information
+iam_group:
+ description: dictionary containing all the group information including group membership
 returned: success
 type: complex
 contains:
- arn:
- description: the Amazon Resource Name (ARN) specifying the group
- type: str
- sample: "arn:aws:iam::1234567890:group/testgroup1"
- create_date:
- description: the date and time, in ISO 8601 date-time format, when the group was created
- type: str
- sample: "2017-02-08T04:36:28+00:00"
- group_id:
- description: the stable and unique string identifying the group
- type: str
- sample: AGPAIDBWE12NSFINE55TM
- group_name:
- description: the friendly name that identifies the group
- type: str
- sample: testgroup1
- path:
- description: the path to the group
- type: str
- sample: /
-users:
- description: list containing all the group members
- returned: success
- type: complex
- contains:
- arn:
- description: the Amazon Resource Name (ARN) specifying the user
- type: str
- sample: "arn:aws:iam::1234567890:user/test_user1"
- create_date:
- description: the date and time, in ISO 8601 date-time format, when the user was created
- type: str
- sample: "2017-02-08T04:36:28+00:00"
- user_id:
- description: the stable and unique string identifying the user
- type: str
- sample: AIDAIZTPY123YQRS22YU2
- user_name:
- description: the friendly name that identifies the user
- type: str
- sample: testgroup1
- path:
- description: the path to the user
- type: str
- sample: /
+ group:
+ description: dictionary containing all the group information
+ returned: success
+ type: complex
+ contains:
+ arn:
+ description: the Amazon Resource Name (ARN) specifying the group
+ type: str
+ sample: "arn:aws:iam::1234567890:group/testgroup1"
+ create_date:
+ description: the date and time, in ISO 8601 date-time format, when the group was created
+ type: str
+ sample: "2017-02-08T04:36:28+00:00"
+ group_id:
+ description: the stable and unique string identifying the group
+ type: str
+ sample: AGPAIDBWE12NSFINE55TM
+ group_name:
+ description: the friendly name that identifies the group
+ type: str
+ sample: testgroup1
+ path:
+ description: the path to the group
+ type: str
+ sample: /
+ users:
+ description: list containing all the group members
+ returned: success
+ type: complex
+ contains:
+ arn:
+ description: the Amazon Resource Name (ARN) specifying the user
+ type: str
+ sample: "arn:aws:iam::1234567890:user/test_user1"
+ create_date:
+ description: the date and time, in ISO 8601 date-time format, when the user was created
+ type: str
+ sample: "2017-02-08T04:36:28+00:00"
+ user_id:
+ description: the stable and unique string identifying the user
+ type: str
+ sample: AIDAIZTPY123YQRS22YU2
+ user_name:
+ description: the friendly name that identifies the user
+ type: str
+ sample: testgroup1
+ path:
+ description: the path to the user
+ type: str
+ sample: /
 '''
 from ansible.module_utils.aws.core import AnsibleAWSModule
diff --git a/test/integration/targets/iam_group/defaults/main.yml b/test/integration/targets/iam_group/defaults/main.yml
new file mode 100644
index 00000000000..f5112b1a423
--- /dev/null
+++ b/test/integration/targets/iam_group/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+test_user: '{{ resource_prefix }}-user'
+test_group: '{{ resource_prefix }}-group'
diff --git a/test/integration/targets/iam_group/meta/main.yml b/test/integration/targets/iam_group/meta/main.yml
new file mode 100644
index 00000000000..1f64f1169a9
--- /dev/null
+++ b/test/integration/targets/iam_group/meta/main.yml
@@ -0,0 +1,3 @@
+dependencies:
+ - prepare_tests
+ - setup_ec2
diff --git a/test/integration/targets/iam_group/tasks/main.yml b/test/integration/targets/iam_group/tasks/main.yml
index 1a5146fb8f7..328fd7dbd0e 100644
--- a/test/integration/targets/iam_group/tasks/main.yml
+++ b/test/integration/targets/iam_group/tasks/main.yml
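Review bot: The `user_name` entry under the new `users` block still carries `sample: testgroup1`, a group name, so the re-indented documentation preserves the copy-paste error from the removed block; `sample: test_user1` would match the `arn` sample `arn:aws:iam::1234567890:user/test_user1` in the same block. It would also help readers if the `iam_group` description said whether `users` is an empty list rather than absent when the group has no members, if that is what the module returns — the tests in this commit assert `not iam_group.iam_group.users`, which passes for either case.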
@@ -1,70 +1,125 @@ +--- - name: set up aws connection info - set_fact: - aws_connection_info: &aws_connection_info + module_defaults: + group/aws: aws_access_key: "{{ aws_access_key }}" aws_secret_key: "{{ aws_secret_key }}" - security_token: "{{ security_token }}" + security_token: "{{ security_token | default(omit) }}" region: "{{ aws_region }}" - no_log: yes - -- name: ensure ansible user exists - iam_user: - name: AnsibleTestUser - state: present - <<: *aws_connection_info - -- name: ensure group exists - iam_group: - name: ansible_test - users: - - AnsibleTestUser - state: present - <<: *aws_connection_info - register: iam_group - -- assert: - that: - - iam_group.users - -- name: add non existent user to group - iam_group: - name: ansible_test - users: - - AnsibleTestUser - - NonExistentUser - state: present - <<: *aws_connection_info - ignore_errors: yes - register: iam_group - -- name: assert that adding non existent user to group fails with helpful message - assert: - that: - - iam_group is failed - - iam_group.msg.startswith("Couldn't add user NonExistentUser to group ansible_test") - -- name: remove a user - iam_group: - name: ansible_test - purge_users: True - users: [] - state: present - <<: *aws_connection_info - register: iam_group - -- assert: - that: - - iam_group.changed - - not iam_group.users - -- name: remove group - iam_group: - name: ansible_test - state: absent - <<: *aws_connection_info - -- name: remove ansible user - iam_user: - name: AnsibleTestUser - state: absent - <<: *aws_connection_info + block: + - name: ensure ansible user exists + iam_user: + name: '{{ test_user }}' + state: present + + - name: ensure group exists + iam_group: + name: '{{ test_group }}' + users: + - '{{ test_user }}' + state: present + register: iam_group + + - assert: + that: + - iam_group.iam_group.users + - iam_group is changed + + - name: add non existent user to group + iam_group: + name: '{{ test_group }}' + users: + - '{{ test_user }}' + - NonExistentUser + 
state: present + ignore_errors: yes + register: iam_group + + - name: assert that adding non existent user to group fails with helpful message + assert: + that: + - iam_group is failed + - iam_group.msg.startswith("Couldn't add user NonExistentUser to group {{ test_group }}") + + - name: remove a user + iam_group: + name: '{{ test_group }}' + purge_users: True + users: [] + state: present + register: iam_group + + - assert: + that: + - iam_group is changed + - not iam_group.iam_group.users + + - name: re-remove a user (no change) + iam_group: + name: '{{ test_group }}' + purge_users: True + users: [] + state: present + register: iam_group + + - assert: + that: + - iam_group is not changed + - not iam_group.iam_group.users + + - name: Add the user again + iam_group: + name: '{{ test_group }}' + users: + - '{{ test_user }}' + state: present + register: iam_group + + - assert: + that: + - iam_group is changed + - iam_group.iam_group.users + + - name: Re-add the user + iam_group: + name: '{{ test_group }}' + users: + - '{{ test_user }}' + state: present + register: iam_group + + - assert: + that: + - iam_group is not changed + - iam_group.iam_group.users + + - name: remove group + iam_group: + name: '{{ test_group }}' + state: absent + register: iam_group + + - assert: + that: + - iam_group is changed + + - name: re-remove group + iam_group: + name: '{{ test_group }}' + state: absent + register: iam_group + + - assert: + that: + - iam_group is not changed + + always: + - name: remove group + iam_group: + name: '{{ test_group }}' + state: absent + + - name: remove ansible user + iam_user: + name: '{{ test_user }}' + state: absent
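Review bot: The assertion `iam_group.msg.startswith("Couldn't add user NonExistentUser to group {{ test_group }}")` puts Jinja delimiters inside a conditional, which Ansible flags with a templating-in-conditional warning because `that:` entries are already evaluated as Jinja expressions; build the expected prefix in the expression instead: `- iam_group.msg.startswith("Couldn't add user NonExistentUser to group " ~ test_group)`. In the `always:` block a failure of the first `remove group` task stops the block, so the temporary user would be left behind; giving each cleanup task `ignore_errors: yes` lets both be attempted.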