mirror of https://github.com/ansible/ansible.git
s3_bucket - cleanup and test stabilisation. (#66778)
* AnsibleAWSModule related cleanup - s3_bucket * Add extra information to s3_bucket timeout failures, it's possible the comparisons are doing something weird... * Move Bucket Encryption boto support logic into the pre-flight checks * Use the built in required_by logic * Rework s3_bucket integration tests * Add a retry around put_bucket_encryption s3_client.put_bucket_encryption is occasionally dropped on the floor by Amazon add some logic to retry s3_client.put_bucket_encryption call * Catch OperationAborted and retry, it is caused by a conflicting change still being in progress. (For example an Encryption setting applying) * Make sure we don't explode if the botocore version's too old * Review tweakspull/67763/head
parent
9463d28967
commit
d5c17118ed
@ -0,0 +1,12 @@
|
|||||||
|
[tests]
|
||||||
|
missing
|
||||||
|
simple
|
||||||
|
complex
|
||||||
|
dotted
|
||||||
|
tags
|
||||||
|
encryption_kms
|
||||||
|
encryption_sse
|
||||||
|
|
||||||
|
[all:vars]
|
||||||
|
ansible_connection=local
|
||||||
|
ansible_python_interpreter="{{ ansible_playbook_python }}"
|
@ -0,0 +1,12 @@
|
|||||||
|
---
|
||||||
|
# Beware: most of our tests here are run in parallel.
|
||||||
|
# To add new tests you'll need to add a new host to the inventory and a matching
|
||||||
|
# '{{ inventory_hostname }}'.yml file in roles/s3_bucket/tasks/
|
||||||
|
|
||||||
|
# VPC should get cleaned up once all hosts have run
|
||||||
|
- hosts: all
|
||||||
|
gather_facts: no
|
||||||
|
strategy: free
|
||||||
|
#serial: 10
|
||||||
|
roles:
|
||||||
|
- s3_bucket
|
@ -0,0 +1,4 @@
|
|||||||
|
dependencies:
|
||||||
|
- prepare_tests
|
||||||
|
- setup_ec2
|
||||||
|
- setup_remote_tmp_dir
|
@ -0,0 +1,2 @@
|
|||||||
|
---
|
||||||
|
bucket_name: '{{ resource_prefix }}-{{ inventory_hostname | regex_replace("_","-") }}'
|
@ -0,0 +1,4 @@
|
|||||||
|
dependencies:
|
||||||
|
- prepare_tests
|
||||||
|
- setup_ec2
|
||||||
|
- setup_remote_tmp_dir
|
@ -0,0 +1,146 @@
|
|||||||
|
---
|
||||||
|
- block:
|
||||||
|
- name: 'Create more complex s3_bucket'
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
policy: "{{ lookup('template','policy.json') }}"
|
||||||
|
requester_pays: yes
|
||||||
|
versioning: yes
|
||||||
|
tags:
|
||||||
|
example: tag1
|
||||||
|
another: tag2
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output is changed
|
||||||
|
- output.name == '{{ bucket_name }}'
|
||||||
|
- output.requester_pays
|
||||||
|
- output.versioning.MfaDelete == 'Disabled'
|
||||||
|
- output.versioning.Versioning == 'Enabled'
|
||||||
|
- output.tags.example == 'tag1'
|
||||||
|
- output.tags.another == 'tag2'
|
||||||
|
- output.policy.Statement[0].Action == 's3:GetObject'
|
||||||
|
- output.policy.Statement[0].Effect == 'Allow'
|
||||||
|
- output.policy.Statement[0].Principal == '*'
|
||||||
|
- output.policy.Statement[0].Resource == 'arn:aws:s3:::{{ bucket_name }}/*'
|
||||||
|
- output.policy.Statement[0].Sid == 'AddPerm'
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
|
||||||
|
- name: 'Pause to help with s3 bucket eventual consistency'
|
||||||
|
wait_for:
|
||||||
|
timeout: 10
|
||||||
|
delegate_to: localhost
|
||||||
|
|
||||||
|
- name: 'Try to update the same complex s3_bucket'
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
policy: "{{ lookup('template','policy.json') }}"
|
||||||
|
requester_pays: yes
|
||||||
|
versioning: yes
|
||||||
|
tags:
|
||||||
|
example: tag1
|
||||||
|
another: tag2
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output is not changed
|
||||||
|
- output.name == '{{ bucket_name }}'
|
||||||
|
- output.requester_pays
|
||||||
|
- output.versioning.MfaDelete == 'Disabled'
|
||||||
|
- output.versioning.Versioning == 'Enabled'
|
||||||
|
- output.tags.example == 'tag1'
|
||||||
|
- output.tags.another == 'tag2'
|
||||||
|
- output.policy.Statement[0].Action == 's3:GetObject'
|
||||||
|
- output.policy.Statement[0].Effect == 'Allow'
|
||||||
|
- output.policy.Statement[0].Principal == '*'
|
||||||
|
- output.policy.Statement[0].Resource == 'arn:aws:s3:::{{ bucket_name }}/*'
|
||||||
|
- output.policy.Statement[0].Sid == 'AddPerm'
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
- name: 'Update bucket policy on complex bucket'
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
policy: "{{ lookup('template','policy-updated.json') }}"
|
||||||
|
requester_pays: yes
|
||||||
|
versioning: yes
|
||||||
|
tags:
|
||||||
|
example: tag1
|
||||||
|
another: tag2
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output is changed
|
||||||
|
- output.policy.Statement[0].Action == 's3:GetObject'
|
||||||
|
- output.policy.Statement[0].Effect == 'Deny'
|
||||||
|
- output.policy.Statement[0].Principal == '*'
|
||||||
|
- output.policy.Statement[0].Resource == 'arn:aws:s3:::{{ bucket_name }}/*'
|
||||||
|
- output.policy.Statement[0].Sid == 'AddPerm'
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
|
||||||
|
- name: 'Pause to help with s3 bucket eventual consistency'
|
||||||
|
wait_for:
|
||||||
|
timeout: 10
|
||||||
|
delegate_to: localhost
|
||||||
|
|
||||||
|
- name: Update attributes for s3_bucket
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
policy: "{{ lookup('template','policy.json') }}"
|
||||||
|
requester_pays: no
|
||||||
|
versioning: no
|
||||||
|
tags:
|
||||||
|
example: tag1-udpated
|
||||||
|
another: tag2
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output is changed
|
||||||
|
- output.name == '{{ bucket_name }}'
|
||||||
|
- not output.requester_pays
|
||||||
|
- output.versioning.MfaDelete == 'Disabled'
|
||||||
|
- output.versioning.Versioning in ['Suspended', 'Disabled']
|
||||||
|
- output.tags.example == 'tag1-udpated'
|
||||||
|
- output.tags.another == 'tag2'
|
||||||
|
- output.policy.Statement[0].Action == 's3:GetObject'
|
||||||
|
- output.policy.Statement[0].Effect == 'Allow'
|
||||||
|
- output.policy.Statement[0].Principal == '*'
|
||||||
|
- output.policy.Statement[0].Resource == 'arn:aws:s3:::{{ bucket_name }}/*'
|
||||||
|
- output.policy.Statement[0].Sid == 'AddPerm'
|
||||||
|
|
||||||
|
- name: 'Delete complex test bucket'
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: absent
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output is changed
|
||||||
|
|
||||||
|
- name: 'Re-delete complex test bucket'
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: absent
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output is not changed
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
always:
|
||||||
|
- name: 'Ensure all buckets are deleted'
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: absent
|
||||||
|
ignore_errors: yes
|
@ -0,0 +1,54 @@
|
|||||||
|
---
|
||||||
|
- block:
|
||||||
|
- name: 'Ensure bucket_name contains a .'
|
||||||
|
set_fact:
|
||||||
|
bucket_name: '{{ bucket_name }}.something'
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
#
|
||||||
|
- name: 'Create bucket with dot in name'
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output is changed
|
||||||
|
- output.name == '{{ bucket_name }}'
|
||||||
|
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
|
||||||
|
- name: 'Pause to help with s3 bucket eventual consistency'
|
||||||
|
wait_for:
|
||||||
|
timeout: 10
|
||||||
|
delegate_to: localhost
|
||||||
|
|
||||||
|
- name: 'Delete s3_bucket with dot in name'
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: absent
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output is changed
|
||||||
|
|
||||||
|
- name: 'Re-delete s3_bucket with dot in name'
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: absent
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output is not changed
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
always:
|
||||||
|
- name: 'Ensure all buckets are deleted'
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: absent
|
||||||
|
ignore_errors: yes
|
@ -0,0 +1,88 @@
|
|||||||
|
---
|
||||||
|
- module_defaults:
|
||||||
|
group/aws:
|
||||||
|
aws_access_key: "{{ aws_access_key }}"
|
||||||
|
aws_secret_key: "{{ aws_secret_key }}"
|
||||||
|
security_token: "{{ security_token | default(omit) }}"
|
||||||
|
region: "{{ aws_region }}"
|
||||||
|
block:
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
|
||||||
|
- name: 'Create a simple bucket'
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- name: 'Enable aws:kms encryption with KMS master key'
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
encryption: "aws:kms"
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output.changed
|
||||||
|
- output.encryption
|
||||||
|
- output.encryption.SSEAlgorithm == 'aws:kms'
|
||||||
|
|
||||||
|
- name: 'Re-enable aws:kms encryption with KMS master key (idempotent)'
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
encryption: "aws:kms"
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- not output.changed
|
||||||
|
- output.encryption
|
||||||
|
- output.encryption.SSEAlgorithm == 'aws:kms'
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
|
||||||
|
- name: Disable encryption from bucket
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
encryption: "none"
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output.changed
|
||||||
|
- not output.encryption
|
||||||
|
|
||||||
|
- name: Disable encryption from bucket
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
encryption: "none"
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output is not changed
|
||||||
|
- not output.encryption
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
|
||||||
|
- name: Delete encryption test s3 bucket
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: absent
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output.changed
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
always:
|
||||||
|
- name: Ensure all buckets are deleted
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: absent
|
||||||
|
ignore_errors: yes
|
@ -0,0 +1,88 @@
|
|||||||
|
---
|
||||||
|
- module_defaults:
|
||||||
|
group/aws:
|
||||||
|
aws_access_key: "{{ aws_access_key }}"
|
||||||
|
aws_secret_key: "{{ aws_secret_key }}"
|
||||||
|
security_token: "{{ security_token | default(omit) }}"
|
||||||
|
region: "{{ aws_region }}"
|
||||||
|
block:
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
|
||||||
|
- name: 'Create a simple bucket'
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- name: 'Enable AES256 encryption'
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
encryption: 'AES256'
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output.changed
|
||||||
|
- output.encryption
|
||||||
|
- output.encryption.SSEAlgorithm == 'AES256'
|
||||||
|
|
||||||
|
- name: 'Re-enable AES256 encryption (idempotency)'
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
encryption: 'AES256'
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- not output.changed
|
||||||
|
- output.encryption
|
||||||
|
- output.encryption.SSEAlgorithm == 'AES256'
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
|
||||||
|
- name: Disable encryption from bucket
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
encryption: "none"
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output.changed
|
||||||
|
- not output.encryption
|
||||||
|
|
||||||
|
- name: Disable encryption from bucket
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
encryption: "none"
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output is not changed
|
||||||
|
- not output.encryption
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
|
||||||
|
- name: Delete encryption test s3 bucket
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: absent
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output.changed
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
always:
|
||||||
|
- name: Ensure all buckets are deleted
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: absent
|
||||||
|
ignore_errors: yes
|
@ -0,0 +1,20 @@
|
|||||||
|
---
|
||||||
|
# Beware: most of our tests here are run in parallel.
|
||||||
|
# To add new tests you'll need to add a new host to the inventory and a matching
|
||||||
|
# '{{ inventory_hostname }}'.yml file in roles/ec2_roles/tasks/
|
||||||
|
#
|
||||||
|
# ###############################################################################
|
||||||
|
|
||||||
|
- name: "Wrap up all tests and setup AWS credentials"
|
||||||
|
module_defaults:
|
||||||
|
group/aws:
|
||||||
|
aws_access_key: "{{ aws_access_key }}"
|
||||||
|
aws_secret_key: "{{ aws_secret_key }}"
|
||||||
|
security_token: "{{ security_token | default(omit) }}"
|
||||||
|
region: "{{ aws_region }}"
|
||||||
|
block:
|
||||||
|
- debug:
|
||||||
|
msg: "{{ inventory_hostname }} start: {{ lookup('pipe','date') }}"
|
||||||
|
- include_tasks: '{{ inventory_hostname }}.yml'
|
||||||
|
- debug:
|
||||||
|
msg: "{{ inventory_hostname }} finish: {{ lookup('pipe','date') }}"
|
@ -0,0 +1,26 @@
|
|||||||
|
---
|
||||||
|
- name: 'Attempt to delete non-existent buckets'
|
||||||
|
block:
|
||||||
|
# ============================================================
|
||||||
|
#
|
||||||
|
# While in theory the 'simple' test case covers this there are
|
||||||
|
# ways in which eventual-consistency could catch us out.
|
||||||
|
#
|
||||||
|
- name: 'Delete non-existstent s3_bucket (never created)'
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: absent
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output is success
|
||||||
|
- output is not changed
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
always:
|
||||||
|
- name: 'Ensure all buckets are deleted'
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: absent
|
||||||
|
ignore_errors: yes
|
@ -0,0 +1,64 @@
|
|||||||
|
---
|
||||||
|
- name: 'Run simple tests'
|
||||||
|
block:
|
||||||
|
# Note: s3_bucket doesn't support check_mode
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
- name: 'Create a simple s3_bucket'
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output is success
|
||||||
|
- output is changed
|
||||||
|
- output.name == '{{ bucket_name }}'
|
||||||
|
- not output.requester_pays
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
- name: 'Try to update the simple bucket with the same values'
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output is success
|
||||||
|
- output is not changed
|
||||||
|
- output.name == '{{ bucket_name }}'
|
||||||
|
- not output.requester_pays
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
- name: 'Delete the simple s3_bucket'
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: absent
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output is success
|
||||||
|
- output is changed
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
- name: 'Re-delete the simple s3_bucket (idemoptency)'
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: absent
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output is success
|
||||||
|
- output is not changed
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
always:
|
||||||
|
- name: 'Ensure all buckets are deleted'
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: absent
|
||||||
|
ignore_errors: yes
|
@ -0,0 +1,256 @@
|
|||||||
|
---
|
||||||
|
- name: 'Run tagging tests'
|
||||||
|
block:
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
- name: 'Create simple s3_bucket for testing tagging'
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output.changed
|
||||||
|
- output.name == '{{ bucket_name }}'
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
|
||||||
|
- name: 'Add tags to s3 bucket'
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
tags:
|
||||||
|
example: tag1
|
||||||
|
another: tag2
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output.changed
|
||||||
|
- output.name == '{{ bucket_name }}'
|
||||||
|
- output.tags.example == 'tag1'
|
||||||
|
- output.tags.another == 'tag2'
|
||||||
|
|
||||||
|
- name: 'Re-Add tags to s3 bucket'
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
tags:
|
||||||
|
example: tag1
|
||||||
|
another: tag2
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output is not changed
|
||||||
|
- output.name == '{{ bucket_name }}'
|
||||||
|
- output.tags.example == 'tag1'
|
||||||
|
- output.tags.another == 'tag2'
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
|
||||||
|
- name: Remove a tag from an s3_bucket
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
tags:
|
||||||
|
example: tag1
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output.changed
|
||||||
|
- output.name == '{{ bucket_name }}'
|
||||||
|
- output.tags.example == 'tag1'
|
||||||
|
- "'another' not in output.tags"
|
||||||
|
|
||||||
|
- name: Re-remove the tag from an s3_bucket
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
tags:
|
||||||
|
example: tag1
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output is not changed
|
||||||
|
- output.name == '{{ bucket_name }}'
|
||||||
|
- output.tags.example == 'tag1'
|
||||||
|
- "'another' not in output.tags"
|
||||||
|
|
||||||
|
## ============================================================
|
||||||
|
|
||||||
|
#- name: 'Pause to help with s3 bucket eventual consistency'
|
||||||
|
# wait_for:
|
||||||
|
# timeout: 10
|
||||||
|
# delegate_to: localhost
|
||||||
|
|
||||||
|
## ============================================================
|
||||||
|
|
||||||
|
- name: 'Add a tag for s3_bucket with purge_tags False'
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
purge_tags: no
|
||||||
|
tags:
|
||||||
|
anewtag: here
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output.changed
|
||||||
|
- output.name == '{{ bucket_name }}'
|
||||||
|
- output.tags.example == 'tag1'
|
||||||
|
- output.tags.anewtag == 'here'
|
||||||
|
|
||||||
|
- name: 'Re-add a tag for s3_bucket with purge_tags False'
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
purge_tags: no
|
||||||
|
tags:
|
||||||
|
anewtag: here
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output is not changed
|
||||||
|
- output.name == '{{ bucket_name }}'
|
||||||
|
- output.tags.example == 'tag1'
|
||||||
|
- output.tags.anewtag == 'here'
|
||||||
|
|
||||||
|
## ============================================================
|
||||||
|
|
||||||
|
#- name: 'Pause to help with s3 bucket eventual consistency'
|
||||||
|
# wait_for:
|
||||||
|
# timeout: 10
|
||||||
|
# delegate_to: localhost
|
||||||
|
|
||||||
|
## ============================================================
|
||||||
|
|
||||||
|
- name: Update a tag for s3_bucket with purge_tags False
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
purge_tags: no
|
||||||
|
tags:
|
||||||
|
anewtag: next
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output.changed
|
||||||
|
- output.name == '{{ bucket_name }}'
|
||||||
|
- output.tags.example == 'tag1'
|
||||||
|
- output.tags.anewtag == 'next'
|
||||||
|
|
||||||
|
- name: Re-update a tag for s3_bucket with purge_tags False
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
purge_tags: no
|
||||||
|
tags:
|
||||||
|
anewtag: next
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output is not changed
|
||||||
|
- output.name == '{{ bucket_name }}'
|
||||||
|
- output.tags.example == 'tag1'
|
||||||
|
- output.tags.anewtag == 'next'
|
||||||
|
|
||||||
|
## ============================================================
|
||||||
|
|
||||||
|
#- name: 'Pause to help with s3 bucket eventual consistency'
|
||||||
|
# wait_for:
|
||||||
|
# timeout: 10
|
||||||
|
# delegate_to: localhost
|
||||||
|
|
||||||
|
## ============================================================
|
||||||
|
|
||||||
|
- name: Pass empty tags dict for s3_bucket with purge_tags False
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
purge_tags: no
|
||||||
|
tags: {}
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output is not changed
|
||||||
|
- output.name == '{{ bucket_name }}'
|
||||||
|
- output.tags.example == 'tag1'
|
||||||
|
- output.tags.anewtag == 'next'
|
||||||
|
|
||||||
|
## ============================================================
|
||||||
|
|
||||||
|
#- name: 'Pause to help with s3 bucket eventual consistency'
|
||||||
|
# wait_for:
|
||||||
|
# timeout: 10
|
||||||
|
# delegate_to: localhost
|
||||||
|
|
||||||
|
## ============================================================
|
||||||
|
|
||||||
|
- name: Do not specify any tag to ensure previous tags are not removed
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- not output.changed
|
||||||
|
- output.name == '{{ bucket_name }}'
|
||||||
|
- output.tags.example == 'tag1'
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
|
||||||
|
- name: Remove all tags
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
tags: {}
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output.changed
|
||||||
|
- output.name == '{{ bucket_name }}'
|
||||||
|
- output.tags == {}
|
||||||
|
|
||||||
|
- name: Re-remove all tags
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: present
|
||||||
|
tags: {}
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output is not changed
|
||||||
|
- output.name == '{{ bucket_name }}'
|
||||||
|
- output.tags == {}
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
|
||||||
|
- name: Delete bucket
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: absent
|
||||||
|
register: output
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- output.changed
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
always:
|
||||||
|
- name: Ensure all buckets are deleted
|
||||||
|
s3_bucket:
|
||||||
|
name: '{{ bucket_name }}'
|
||||||
|
state: absent
|
||||||
|
ignore_errors: yes
|
@ -0,0 +1,12 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
#
|
||||||
|
# Beware: most of our tests here are run in parallel.
|
||||||
|
# To add new tests you'll need to add a new host to the inventory and a matching
|
||||||
|
# '{{ inventory_hostname }}'.yml file in roles/ec2_instance/tasks/
|
||||||
|
|
||||||
|
|
||||||
|
set -eux
|
||||||
|
|
||||||
|
export ANSIBLE_ROLES_PATH=../
|
||||||
|
|
||||||
|
ansible-playbook main.yml -i inventory "$@"
|
@ -1,452 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
- block:
|
|
||||||
|
|
||||||
# ============================================================
|
|
||||||
- name: set connection information for all tasks
|
|
||||||
set_fact:
|
|
||||||
aws_connection_info: &aws_connection_info
|
|
||||||
aws_access_key: "{{ aws_access_key | default('') }}"
|
|
||||||
aws_secret_key: "{{ aws_secret_key | default('') }}"
|
|
||||||
security_token: "{{ security_token | default('') }}"
|
|
||||||
region: "{{ aws_region | default('') }}"
|
|
||||||
no_log: true
|
|
||||||
|
|
||||||
# ============================================================
|
|
||||||
- name: Create simple s3_bucket
|
|
||||||
s3_bucket:
|
|
||||||
name: "{{ resource_prefix }}-testbucket-ansible"
|
|
||||||
state: present
|
|
||||||
<<: *aws_connection_info
|
|
||||||
register: output
|
|
||||||
|
|
||||||
- assert:
|
|
||||||
that:
|
|
||||||
- output.changed
|
|
||||||
- output.name == '{{ resource_prefix }}-testbucket-ansible'
|
|
||||||
- not output.requester_pays
|
|
||||||
|
|
||||||
# ============================================================
|
|
||||||
- name: Try to update the same bucket with the same values
|
|
||||||
s3_bucket:
|
|
||||||
name: "{{ resource_prefix }}-testbucket-ansible"
|
|
||||||
state: present
|
|
||||||
<<: *aws_connection_info
|
|
||||||
register: output
|
|
||||||
|
|
||||||
- assert:
|
|
||||||
that:
|
|
||||||
- not output.changed
|
|
||||||
- output.name == '{{ resource_prefix }}-testbucket-ansible'
|
|
||||||
- not output.requester_pays
|
|
||||||
|
|
||||||
# ============================================================
|
|
||||||
- name: Delete test s3_bucket
|
|
||||||
s3_bucket:
|
|
||||||
name: "{{ resource_prefix }}-testbucket-ansible"
|
|
||||||
state: absent
|
|
||||||
<<: *aws_connection_info
|
|
||||||
register: output
|
|
||||||
|
|
||||||
- assert:
|
|
||||||
that:
|
|
||||||
- output.changed
|
|
||||||
|
|
||||||
# ============================================================
|
|
||||||
- name: Set bucket_name variable to be able to use it in lookup('template')
|
|
||||||
set_fact:
|
|
||||||
bucket_name: "{{ resource_prefix }}-testbucket-ansible-complex"
|
|
||||||
|
|
||||||
- name: Create more complex s3_bucket
|
|
||||||
s3_bucket:
|
|
||||||
name: "{{ resource_prefix }}-testbucket-ansible-complex"
|
|
||||||
state: present
|
|
||||||
policy: "{{ lookup('template','policy.json') }}"
|
|
||||||
requester_pays: yes
|
|
||||||
versioning: yes
|
|
||||||
tags:
|
|
||||||
example: tag1
|
|
||||||
another: tag2
|
|
||||||
<<: *aws_connection_info
|
|
||||||
register: output
|
|
||||||
|
|
||||||
- assert:
|
|
||||||
that:
|
|
||||||
- output.changed
|
|
||||||
- output.name == '{{ resource_prefix }}-testbucket-ansible-complex'
|
|
||||||
- output.requester_pays
|
|
||||||
- output.versioning.MfaDelete == 'Disabled'
|
|
||||||
- output.versioning.Versioning == 'Enabled'
|
|
||||||
- output.tags.example == 'tag1'
|
|
||||||
- output.tags.another == 'tag2'
|
|
||||||
- output.policy.Statement[0].Action == 's3:GetObject'
|
|
||||||
- output.policy.Statement[0].Effect == 'Allow'
|
|
||||||
- output.policy.Statement[0].Principal == '*'
|
|
||||||
- output.policy.Statement[0].Resource == 'arn:aws:s3:::{{ resource_prefix }}-testbucket-ansible-complex/*'
|
|
||||||
- output.policy.Statement[0].Sid == 'AddPerm'
|
|
||||||
|
|
||||||
# ============================================================
|
|
||||||
- name: Pause to help with s3 bucket eventual consistency
|
|
||||||
pause:
|
|
||||||
seconds: 10
|
|
||||||
|
|
||||||
- name: Try to update the same complex s3_bucket
|
|
||||||
s3_bucket:
|
|
||||||
name: "{{ resource_prefix }}-testbucket-ansible-complex"
|
|
||||||
state: present
|
|
||||||
policy: "{{ lookup('template','policy.json') }}"
|
|
||||||
requester_pays: yes
|
|
||||||
versioning: yes
|
|
||||||
tags:
|
|
||||||
example: tag1
|
|
||||||
another: tag2
|
|
||||||
<<: *aws_connection_info
|
|
||||||
register: output
|
|
||||||
|
|
||||||
- assert:
|
|
||||||
that:
|
|
||||||
- not output.changed
|
|
||||||
|
|
||||||
# ============================================================
|
|
||||||
- name: Update bucket policy on complex bucket
|
|
||||||
s3_bucket:
|
|
||||||
name: "{{ resource_prefix }}-testbucket-ansible-complex"
|
|
||||||
state: present
|
|
||||||
policy: "{{ lookup('template','policy-updated.json') }}"
|
|
||||||
requester_pays: yes
|
|
||||||
versioning: yes
|
|
||||||
tags:
|
|
||||||
example: tag1
|
|
||||||
another: tag2
|
|
||||||
<<: *aws_connection_info
|
|
||||||
register: output
|
|
||||||
|
|
||||||
- assert:
|
|
||||||
that:
|
|
||||||
- output.changed
|
|
||||||
- output.policy.Statement[0].Action == 's3:GetObject'
|
|
||||||
- output.policy.Statement[0].Effect == 'Deny'
|
|
||||||
- output.policy.Statement[0].Principal == '*'
|
|
||||||
- output.policy.Statement[0].Resource == 'arn:aws:s3:::{{ resource_prefix }}-testbucket-ansible-complex/*'
|
|
||||||
- output.policy.Statement[0].Sid == 'AddPerm'
|
|
||||||
|
|
||||||
# ============================================================
|
|
||||||
- name: Pause to help with s3 bucket eventual consistency
|
|
||||||
pause:
|
|
||||||
seconds: 10
|
|
||||||
|
|
||||||
- name: Update attributes for s3_bucket
|
|
||||||
s3_bucket:
|
|
||||||
name: "{{ resource_prefix }}-testbucket-ansible-complex"
|
|
||||||
state: present
|
|
||||||
policy: "{{ lookup('template','policy.json') }}"
|
|
||||||
requester_pays: no
|
|
||||||
versioning: no
|
|
||||||
tags:
|
|
||||||
example: tag1-udpated
|
|
||||||
another: tag2
|
|
||||||
<<: *aws_connection_info
|
|
||||||
register: output
|
|
||||||
|
|
||||||
- assert:
|
|
||||||
that:
|
|
||||||
- output.changed
|
|
||||||
- output.name == '{{ resource_prefix }}-testbucket-ansible-complex'
|
|
||||||
- not output.requester_pays
|
|
||||||
- output.versioning.MfaDelete == 'Disabled'
|
|
||||||
- output.versioning.Versioning in ['Suspended', 'Disabled']
|
|
||||||
- output.tags.example == 'tag1-udpated'
|
|
||||||
- output.tags.another == 'tag2'
|
|
||||||
- output.policy.Statement[0].Action == 's3:GetObject'
|
|
||||||
- output.policy.Statement[0].Effect == 'Allow'
|
|
||||||
- output.policy.Statement[0].Principal == '*'
|
|
||||||
- output.policy.Statement[0].Resource == 'arn:aws:s3:::{{ resource_prefix }}-testbucket-ansible-complex/*'
|
|
||||||
- output.policy.Statement[0].Sid == 'AddPerm'
|
|
||||||
|
|
||||||
# ============================================================
|
|
||||||
- name: Pause to help with s3 bucket eventual consistency
|
|
||||||
pause:
|
|
||||||
seconds: 10
|
|
||||||
|
|
||||||
- name: Remove a tag for s3_bucket
|
|
||||||
s3_bucket:
|
|
||||||
name: "{{ resource_prefix }}-testbucket-ansible-complex"
|
|
||||||
state: present
|
|
||||||
policy: "{{ lookup('template','policy.json') }}"
|
|
||||||
requester_pays: no
|
|
||||||
versioning: no
|
|
||||||
tags:
|
|
||||||
example: tag1-udpated
|
|
||||||
<<: *aws_connection_info
|
|
||||||
register: output
|
|
||||||
|
|
||||||
- assert:
|
|
||||||
that:
|
|
||||||
- output.changed
|
|
||||||
- output.tags.example == 'tag1-udpated'
|
|
||||||
- "'another' not in output.tags"
|
|
||||||
|
|
||||||
# ============================================================
|
|
||||||
- name: Pause to help with s3 bucket eventual consistency
|
|
||||||
pause:
|
|
||||||
seconds: 10
|
|
||||||
|
|
||||||
- name: Add a tag for s3_bucket with purge_tags False
|
|
||||||
s3_bucket:
|
|
||||||
name: "{{ resource_prefix }}-testbucket-ansible-complex"
|
|
||||||
state: present
|
|
||||||
policy: "{{ lookup('template','policy.json') }}"
|
|
||||||
requester_pays: no
|
|
||||||
versioning: no
|
|
||||||
purge_tags: no
|
|
||||||
tags:
|
|
||||||
anewtag: here
|
|
||||||
<<: *aws_connection_info
|
|
||||||
register: output
|
|
||||||
|
|
||||||
- assert:
|
|
||||||
that:
|
|
||||||
- output.changed
|
|
||||||
- output.tags.example == 'tag1-udpated'
|
|
||||||
- output.tags.anewtag == 'here'
|
|
||||||
|
|
||||||
# ============================================================
|
|
||||||
- name: Pause to help with s3 bucket eventual consistency
|
|
||||||
pause:
|
|
||||||
seconds: 10
|
|
||||||
|
|
||||||
- name: Update a tag for s3_bucket with purge_tags False
|
|
||||||
s3_bucket:
|
|
||||||
name: "{{ resource_prefix }}-testbucket-ansible-complex"
|
|
||||||
state: present
|
|
||||||
policy: "{{ lookup('template','policy.json') }}"
|
|
||||||
requester_pays: no
|
|
||||||
versioning: no
|
|
||||||
purge_tags: no
|
|
||||||
tags:
|
|
||||||
anewtag: next
|
|
||||||
<<: *aws_connection_info
|
|
||||||
register: output
|
|
||||||
|
|
||||||
- assert:
|
|
||||||
that:
|
|
||||||
- output.changed
|
|
||||||
- output.tags.example == 'tag1-udpated'
|
|
||||||
- output.tags.anewtag == 'next'
|
|
||||||
|
|
||||||
# ============================================================
|
|
||||||
- name: Pause to help with s3 bucket eventual consistency
|
|
||||||
pause:
|
|
||||||
seconds: 10
|
|
||||||
|
|
||||||
- name: Pass empty tags dict for s3_bucket with purge_tags False
|
|
||||||
s3_bucket:
|
|
||||||
name: "{{ resource_prefix }}-testbucket-ansible-complex"
|
|
||||||
state: present
|
|
||||||
policy: "{{ lookup('template','policy.json') }}"
|
|
||||||
requester_pays: no
|
|
||||||
versioning: no
|
|
||||||
purge_tags: no
|
|
||||||
tags: {}
|
|
||||||
<<: *aws_connection_info
|
|
||||||
register: output
|
|
||||||
|
|
||||||
- assert:
|
|
||||||
that:
|
|
||||||
- not output.changed
|
|
||||||
- output.tags.example == 'tag1-udpated'
|
|
||||||
- output.tags.anewtag == 'next'
|
|
||||||
|
|
||||||
# ============================================================
|
|
||||||
- name: Pause to help with s3 bucket eventual consistency
|
|
||||||
pause:
|
|
||||||
seconds: 10
|
|
||||||
|
|
||||||
- name: Do not specify any tag to ensure previous tags are not removed
|
|
||||||
s3_bucket:
|
|
||||||
name: "{{ resource_prefix }}-testbucket-ansible-complex"
|
|
||||||
state: present
|
|
||||||
policy: "{{ lookup('template','policy.json') }}"
|
|
||||||
requester_pays: no
|
|
||||||
versioning: no
|
|
||||||
<<: *aws_connection_info
|
|
||||||
register: output
|
|
||||||
|
|
||||||
- assert:
|
|
||||||
that:
|
|
||||||
- not output.changed
|
|
||||||
- output.tags.example == 'tag1-udpated'
|
|
||||||
|
|
||||||
# ============================================================
|
|
||||||
- name: Remove all tags
|
|
||||||
s3_bucket:
|
|
||||||
name: "{{ resource_prefix }}-testbucket-ansible-complex"
|
|
||||||
state: present
|
|
||||||
policy: "{{ lookup('template','policy.json') }}"
|
|
||||||
requester_pays: no
|
|
||||||
versioning: no
|
|
||||||
tags: {}
|
|
||||||
<<: *aws_connection_info
|
|
||||||
register: output
|
|
||||||
|
|
||||||
- assert:
|
|
||||||
that:
|
|
||||||
- output.changed
|
|
||||||
- output.tags == {}
|
|
||||||
|
|
||||||
# ============================================================
|
|
||||||
- name: Pause to help with s3 bucket eventual consistency
|
|
||||||
pause:
|
|
||||||
seconds: 5
|
|
||||||
|
|
||||||
- name: Delete complex s3 bucket
|
|
||||||
s3_bucket:
|
|
||||||
name: "{{ resource_prefix }}-testbucket-ansible-complex"
|
|
||||||
state: absent
|
|
||||||
<<: *aws_connection_info
|
|
||||||
register: output
|
|
||||||
|
|
||||||
- assert:
|
|
||||||
that:
|
|
||||||
- output.changed
|
|
||||||
|
|
||||||
# ============================================================
|
|
||||||
- name: Create bucket with dot in name
|
|
||||||
s3_bucket:
|
|
||||||
name: "{{ resource_prefix }}.testbucket.ansible"
|
|
||||||
state: present
|
|
||||||
<<: *aws_connection_info
|
|
||||||
register: output
|
|
||||||
|
|
||||||
- assert:
|
|
||||||
that:
|
|
||||||
- output.changed
|
|
||||||
- output.name == '{{ resource_prefix }}.testbucket.ansible'
|
|
||||||
|
|
||||||
|
|
||||||
# ============================================================
|
|
||||||
- name: Pause to help with s3 bucket eventual consistency
|
|
||||||
pause:
|
|
||||||
seconds: 15
|
|
||||||
|
|
||||||
- name: Delete s3_bucket with dot in name
|
|
||||||
s3_bucket:
|
|
||||||
name: "{{ resource_prefix }}.testbucket.ansible"
|
|
||||||
state: absent
|
|
||||||
<<: *aws_connection_info
|
|
||||||
register: output
|
|
||||||
|
|
||||||
- assert:
|
|
||||||
that:
|
|
||||||
- output.changed
|
|
||||||
|
|
||||||
# ============================================================
|
|
||||||
- name: Try to delete a missing bucket (should not fail)
|
|
||||||
s3_bucket:
|
|
||||||
name: "{{ resource_prefix }}-testbucket-ansible-missing"
|
|
||||||
state: absent
|
|
||||||
<<: *aws_connection_info
|
|
||||||
register: output
|
|
||||||
|
|
||||||
- assert:
|
|
||||||
that:
|
|
||||||
- not output.changed
|
|
||||||
# ============================================================
|
|
||||||
- name: Create bucket with AES256 encryption enabled
|
|
||||||
s3_bucket:
|
|
||||||
name: "{{ resource_prefix }}-testbucket-encrypt-ansible"
|
|
||||||
state: present
|
|
||||||
encryption: "AES256"
|
|
||||||
<<: *aws_connection_info
|
|
||||||
register: output
|
|
||||||
|
|
||||||
- assert:
|
|
||||||
that:
|
|
||||||
- output.changed
|
|
||||||
- output.name == '{{ resource_prefix }}-testbucket-encrypt-ansible'
|
|
||||||
- output.encryption
|
|
||||||
- output.encryption.SSEAlgorithm == 'AES256'
|
|
||||||
|
|
||||||
- name: Update bucket with same encryption config
|
|
||||||
s3_bucket:
|
|
||||||
name: "{{ resource_prefix }}-testbucket-encrypt-ansible"
|
|
||||||
state: present
|
|
||||||
encryption: "AES256"
|
|
||||||
<<: *aws_connection_info
|
|
||||||
register: output
|
|
||||||
|
|
||||||
- assert:
|
|
||||||
that:
|
|
||||||
- not output.changed
|
|
||||||
- output.encryption
|
|
||||||
- output.encryption.SSEAlgorithm == 'AES256'
|
|
||||||
|
|
||||||
- name: Disable encryption from bucket
|
|
||||||
s3_bucket:
|
|
||||||
name: "{{ resource_prefix }}-testbucket-encrypt-ansible"
|
|
||||||
state: present
|
|
||||||
encryption: "none"
|
|
||||||
<<: *aws_connection_info
|
|
||||||
register: output
|
|
||||||
|
|
||||||
- assert:
|
|
||||||
that:
|
|
||||||
- output.changed
|
|
||||||
- not output.encryption
|
|
||||||
|
|
||||||
- name: Enable aws:kms encryption with KMS master key
|
|
||||||
s3_bucket:
|
|
||||||
name: "{{ resource_prefix }}-testbucket-encrypt-ansible"
|
|
||||||
state: present
|
|
||||||
encryption: "aws:kms"
|
|
||||||
<<: *aws_connection_info
|
|
||||||
register: output
|
|
||||||
|
|
||||||
- assert:
|
|
||||||
that:
|
|
||||||
- output.changed
|
|
||||||
- output.encryption
|
|
||||||
- output.encryption.SSEAlgorithm == 'aws:kms'
|
|
||||||
|
|
||||||
- name: Enable aws:kms encryption with KMS master key (idempotent)
|
|
||||||
s3_bucket:
|
|
||||||
name: "{{ resource_prefix }}-testbucket-encrypt-ansible"
|
|
||||||
state: present
|
|
||||||
encryption: "aws:kms"
|
|
||||||
<<: *aws_connection_info
|
|
||||||
register: output
|
|
||||||
|
|
||||||
- assert:
|
|
||||||
that:
|
|
||||||
- not output.changed
|
|
||||||
- output.encryption
|
|
||||||
- output.encryption.SSEAlgorithm == 'aws:kms'
|
|
||||||
|
|
||||||
# ============================================================
|
|
||||||
- name: Pause to help with s3 bucket eventual consistency
|
|
||||||
pause:
|
|
||||||
seconds: 10
|
|
||||||
|
|
||||||
- name: Delete encryption test s3 bucket
|
|
||||||
s3_bucket:
|
|
||||||
name: "{{ resource_prefix }}-testbucket-encrypt-ansible"
|
|
||||||
state: absent
|
|
||||||
<<: *aws_connection_info
|
|
||||||
register: output
|
|
||||||
|
|
||||||
- assert:
|
|
||||||
that:
|
|
||||||
- output.changed
|
|
||||||
# ============================================================
|
|
||||||
always:
|
|
||||||
- name: Ensure all buckets are deleted
|
|
||||||
s3_bucket:
|
|
||||||
name: "{{item}}"
|
|
||||||
state: absent
|
|
||||||
<<: *aws_connection_info
|
|
||||||
ignore_errors: yes
|
|
||||||
with_items:
|
|
||||||
- "{{ resource_prefix }}-testbucket-ansible"
|
|
||||||
- "{{ resource_prefix }}-testbucket-ansible-complex"
|
|
||||||
- "{{ resource_prefix }}.testbucket.ansible"
|
|
||||||
- "{{ resource_prefix }}-testbucket-encrypt-ansible"
|
|
Loading…
Reference in New Issue