ec2_instance - update tests related to termination protection (#65035)

* ec2_instance - update tests related to termination protection

* add more test cases for termination protection

test/integration/targets/ec2_instance/roles/ec2_instance/tasks/termination_protection.yml

@@ -1,101 +1,184 @@
 - block:
-  - name: "Make termination-protected instance in the testing subnet created in the test VPC"
+
+    - name: Create instance with termination protection (check mode)
       ec2_instance:
-      state: running
+        name: "{{ resource_prefix }}-termination-protection"
-      name: "{{ resource_prefix }}-test-protected-instance-in-vpc"
         image_id: "{{ ec2_ami_image }}"
         tags:
-        TestId: "{{ ec2_instance_tag_TestId }}"
+          TestId: "{{ resource_prefix }}"
         security_groups: "{{ sg.group_id }}"
         vpc_subnet_id: "{{ testing_subnet_b.subnet.id }}"
         termination_protection: true
         instance_type: "{{ ec2_instance_type }}"
+        state: running
         wait: yes
-    register: in_test_vpc
+      check_mode: yes
+      register: create_instance_check_mode_results
 
-  - name: "Make termination-protected instance in the testing subnet created in the test VPC(check mode)"
+    - name: Check the returned value for the earlier task
+      assert:
+        that:
+          - "{{ create_instance_check_mode_results.changed }}"
+          - "{{ create_instance_check_mode_results.spec.DisableApiTermination }}"
+
+    - name: Create instance with termination protection
       ec2_instance:
-      state: running
+        name: "{{ resource_prefix }}-termination-protection"
-      name: "{{ resource_prefix }}-test-protected-instance-in-vpc-checkmode"
         image_id: "{{ ec2_ami_image }}"
         tags:
-        TestId: "{{ ec2_instance_tag_TestId }}"
+          TestId: "{{ resource_prefix }}"
         security_groups: "{{ sg.group_id }}"
         vpc_subnet_id: "{{ testing_subnet_b.subnet.id }}"
         termination_protection: true
         instance_type: "{{ ec2_instance_type }}"
-    check_mode: yes
+        state: running
+        wait: yes
+      register: create_instance_results
 
-  - name: "fact presented ec2 instance"
+    - name: Check return values of the create instance task
-    ec2_instance_info:
+      assert:
-      filters:
+        that:
-        "tag:Name": "{{ resource_prefix }}-test-protected-instance-in-vpc"
+          - "{{ create_instance_results.instances | length }} > 0"
-        "instance-state-name": "running"
+          - "'{{ create_instance_results.instances.0.state.name }}' == 'running'"
-    register: presented_instance_fact
+          - "'{{ create_instance_results.spec.DisableApiTermination }}'"
 
-  - name: "fact checkmode ec2 instance"
+    - name: Create instance with termination protection (check mode) (idempotent)
-    ec2_instance_info:
+      ec2_instance:
-      filters:
+        name: "{{ resource_prefix }}-termination-protection"
-        "tag:Name": "{{ resource_prefix }}-test-protected-instance-in-vpc-checkmode"
+        image_id: "{{ ec2_ami_image }}"
-    register: checkmode_instance_fact
+        tags:
+          TestId: "{{ resource_prefix }}"
+        security_groups: "{{ sg.group_id }}"
+        vpc_subnet_id: "{{ testing_subnet_b.subnet.id }}"
+        termination_protection: true
+        instance_type: "{{ ec2_instance_type }}"
+        state: running
+        wait: yes
+      check_mode: yes
+      register: create_instance_check_mode_results
 
-  - name: "Confirm whether the check mode is working normally."
+    - name: Check the returned value for the earlier task
       assert:
         that:
-        - "{{ presented_instance_fact.instances | length }} > 0"
+          - "{{ not create_instance_check_mode_results.changed }}"
-        - "'{{ presented_instance_fact.instances.0.state.name }}' in ['running', 'pending']"
-        - "{{ checkmode_instance_fact.instances | length }} == 0"
 
-  - name: "Try to terminate the instance"
+    - name: Create instance with termination protection (idempotent)
       ec2_instance:
-      state: absent
+        name: "{{ resource_prefix }}-termination-protection"
-      name: "{{ resource_prefix }}-test-protected-instance-in-vpc"
         image_id: "{{ ec2_ami_image }}"
         tags:
-        TestId: "{{ ec2_instance_tag_TestId }}"
+          TestId: "{{ resource_prefix }}"
         security_groups: "{{ sg.group_id }}"
         vpc_subnet_id: "{{ testing_subnet_b.subnet.id }}"
         termination_protection: true
         instance_type: "{{ ec2_instance_type }}"
-    register: bad_terminate
+        state: running
-    ignore_errors: yes
+        wait: yes
+      register: create_instance_results
 
-  - name: "Cannot terminate protected instance"
+    - name: Check return values of the create instance task
       assert:
         that:
-        - bad_terminate is failed
+          - "{{ not create_instance_results.changed }}"
+          - "{{ create_instance_results.instances | length }} > 0"
+
+    - name: Try to terminate the instance (expected to fail)
+      ec2_instance:
+        filters:
+          tag:Name: "{{ resource_prefix }}-termination-protection"
+        state: absent
+      failed_when: "'Unable to terminate instances' not in terminate_instance_results.msg"
+      register: terminate_instance_results
+
+    # https://github.com/ansible/ansible/issues/67716
+    # Updates to termination protection in check mode has a bug (listed above)
 
-  - name: "Alter termination protection setting"
+    - name: Set termination protection to false
       ec2_instance:
-      state: present
+        name: "{{ resource_prefix }}-termination-protection"
-      name: "{{ resource_prefix }}-test-protected-instance-in-vpc"
         image_id: "{{ ec2_ami_image }}"
+        termination_protection: false
+        instance_type: "{{ ec2_instance_type }}"
         vpc_subnet_id: "{{ testing_subnet_b.subnet.id }}"
+      register: set_termination_protection_results
+
+    - name: Check return value
+      assert:
+        that:
+          - "{{ set_termination_protection_results.changed }}"
+          - "{{ not set_termination_protection_results.changes[0].DisableApiTermination.Value }}"
+
+    - name: Set termination protection to false (idempotent)
+      ec2_instance:
+        name: "{{ resource_prefix }}-termination-protection"
+        image_id: "{{ ec2_ami_image }}"
         termination_protection: false
         instance_type: "{{ ec2_instance_type }}"
-      tags:
+        vpc_subnet_id: "{{ testing_subnet_b.subnet.id }}"
-        TestId: "{{ ec2_instance_tag_TestId }}"
+      register: set_termination_protection_results
+
+    - name: Check return value
+      assert:
+        that:
+          - "{{ not set_termination_protection_results.changed }}"
 
-  - name: "Try to terminate the instance again (should work)"
+    - name: Set termination protection to true
       ec2_instance:
-      state: absent
+        name: "{{ resource_prefix }}-termination-protection"
-      name: "{{ resource_prefix }}-test-protected-instance-in-vpc"
         image_id: "{{ ec2_ami_image }}"
+        termination_protection: true
+        instance_type: "{{ ec2_instance_type }}"
         vpc_subnet_id: "{{ testing_subnet_b.subnet.id }}"
+      register: set_termination_protection_results
+
+    - name: Check return value
+      assert:
+        that:
+          - "{{ set_termination_protection_results.changed }}"
+          - "{{ set_termination_protection_results.changes[0].DisableApiTermination.Value }}"
+
+    - name: Set termination protection to true (idempotent)
+      ec2_instance:
+        name: "{{ resource_prefix }}-termination-protection"
+        image_id: "{{ ec2_ami_image }}"
+        termination_protection: true
         instance_type: "{{ ec2_instance_type }}"
-      wait: false
+        vpc_subnet_id: "{{ testing_subnet_b.subnet.id }}"
-      tags:
+      register: set_termination_protection_results
-        TestId: "{{ ec2_instance_tag_TestId }}"
-    register: terminate_results
 
-  - assert:
+    - name: Check return value
-      that: terminate_results is not failed
+      assert:
+        that:
+          - "{{ not set_termination_protection_results.changed }}"
 
-  always:
+    - name: Set termination protection to false (so we can terminate instance)
-  - name: "Terminate termination_protection instances"
+      ec2_instance:
+        name: "{{ resource_prefix }}-termination-protection"
+        image_id: "{{ ec2_ami_image }}"
+        termination_protection: false
+        instance_type: "{{ ec2_instance_type }}"
+        vpc_subnet_id: "{{ testing_subnet_b.subnet.id }}"
+      register: set_termination_protection_results
+
+    - name: Terminate the instance
       ec2_instance:
+        filters:
+          tag:TestId: "{{ resource_prefix }}"
         state: absent
+
+  always:
+
+    - name: Set termination protection to false (so we can terminate instance) (cleanup)
+      ec2_instance:
         filters:
-        "tag:TestId": "{{ ec2_instance_tag_TestId }}"
+          tag:TestId: "{{ resource_prefix }}"
-      wait: yes
+        termination_protection: false
+      ignore_errors: yes
+
+    - name: Terminate instance
+      ec2_instance:
+        filters:
+          tag:TestId: "{{ resource_prefix }}"
+        state: absent
+        wait: false
       ignore_errors: yes