From e0ebc8c9b4ca1d4f6d7bb88a26e264eaeaee1c2b Mon Sep 17 00:00:00 2001
From: Mark Chappell
Date: Mon, 9 Sep 2019 23:23:19 +0100
Subject: [PATCH] Fixup aws_secret integration tests (#61241)
* aws_secret: (integration tests) Move tests to using module_defaults
* Update hacking aws security policy to enable management of secrets
* aws_secret: (integration tests) Fixup integration tests
- Update tests to use resource_prefix as a prefix rather than a suffix
- Pause after role creation to cope with AWS being slow (and returning before the role it ready)
---
 .../testing_policies/security-policy.json | 19 +++--
 .../targets/aws_secret/defaults/main.yaml | 3 +
 .../targets/aws_secret/tasks/main.yaml | 75 ++++++++-----------
 3 files changed, 44 insertions(+), 53 deletions(-)
diff --git a/hacking/aws_config/testing_policies/security-policy.json b/hacking/aws_config/testing_policies/security-policy.json
index d0fc61ab782..9aee5ab7d4f 100644
--- a/hacking/aws_config/testing_policies/security-policy.json
+++ b/hacking/aws_config/testing_policies/security-policy.json
@@ -122,21 +122,24 @@
 "Sid": "AllowAccessToServerCertificates",
 "Effect": "Allow",
 "Action": [
- "iam:ListServerCertificates",
- "iam:UploadServerCertificate",
- "iam:UpdateServerCertificate",
- "iam:DeleteServerCertificate",
- "iam:GetServerCertificate"
+ "iam:*ServerCertificates",
+ "iam:*ServerCertificate"
 ],
 "Resource": "*"
 },
+ {
+ "Sid": "AllowAccessToSecrets",
+ "Effect": "Allow",
+ "Action": [
+ "secretsmanager:*"
+ ],
+ "Resource": "arn:aws:secretsmanager:{{aws_region}}:{{aws_account}}:secret:ansible-test*"
+ },
 {
 "Sid": "AllowAccessToManagePasswordPolicy",
 "Effect": "Allow",
 "Action": [
- "iam:GetAccountPasswordPolicy",
- "iam:DeleteAccountPasswordPolicy",
- "iam:UpdateAccountPasswordPolicy"
+ "iam:*AccountPasswordPolicy"
 ],
 "Resource": "*"
 },
diff --git a/test/integration/targets/aws_secret/defaults/main.yaml b/test/integration/targets/aws_secret/defaults/main.yaml
index f85fd58b593..cfdab552493 100644
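Review bot: The new `AllowAccessToSecrets` statement scopes `secretsmanager:*` to `secret:ansible-test*` ARNs, which is the right least-privilege shape, but Secrets Manager actions that have no resource-level scope (`secretsmanager:ListSecrets`, `secretsmanager:GetRandomPassword`) only match `"Resource": "*"`, so any test that calls them will be denied by this statement alone; if they are needed, add a separate statement that lists just those two actions with `"Resource": "*"` rather than widening this one. Replacing the explicit IAM action lists with `iam:*ServerCertificate` and `iam:*AccountPasswordPolicy` on `"Resource": "*"` also grants any action AWS later introduces under those suffixes without a policy review, which is a trade-off the commit message does not mention; the explicit lists were safer if the goal was not maintenance cost. The `ansible-test*` resource pattern only works if every test secret name begins with `ansible-test`, which presumably holds because the integration defaults now use `resource_prefix` as a prefix — worth stating in the commit message so the coupling is not lost.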
--- a/test/integration/targets/aws_secret/defaults/main.yaml
+++ b/test/integration/targets/aws_secret/defaults/main.yaml
@@ -1,2 +1,5 @@
 ---
 super_secret_string: 'Test12345'
+secret_manager_role: "{{ resource_prefix }}-secrets-manager"
+secret_name: "{{ resource_prefix }}-test-secret-string"
+lambda_name: "{{ resource_prefix }}-hello-world"
diff --git a/test/integration/targets/aws_secret/tasks/main.yaml b/test/integration/targets/aws_secret/tasks/main.yaml
index 4f45dfed67c..a7d02b0b60e 100644
--- a/test/integration/targets/aws_secret/tasks/main.yaml
+++ b/test/integration/targets/aws_secret/tasks/main.yaml
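Review bot: `secret_name` is placed under `resource_prefix` so that it matches the `secret:ansible-test*` resource ARN in `hacking/aws_config/testing_policies/security-policy.json` (assuming `resource_prefix` itself starts with `ansible-test`), but nothing in the defaults file records that constraint, so a later change back to a `-{{ resource_prefix }}` suffix would fail with AccessDenied rather than a readable error. A comment above the new line, such as `# must start with resource_prefix: the hacking/aws_config security policy only grants secretsmanager:* on secret:ansible-test*`, would preserve the reason. `secret_manager_role` and `lambda_name` carry no such constraint from the visible policy, so the prefix there is consistency only.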
@@ -1,37 +1,35 @@ --- -- block: - - name: set connection information for all tasks - set_fact: - aws_connection_info: &aws_connection_info - aws_access_key: "{{ aws_access_key }}" - aws_secret_key: "{{ aws_secret_key }}" - region: "{{ aws_region }}" - security_token: "{{ security_token }}" - no_log: true - +- module_defaults: + group/aws: + aws_access_key: "{{ aws_access_key }}" + aws_secret_key: "{{ aws_secret_key }}" + security_token: "{{ security_token | default(omit) }}" + region: "{{ aws_region }}" + block: - name: retrieve caller facts aws_caller_info: - <<: *aws_connection_info register: test_caller_facts - name: ensure IAM role exists iam_role: - <<: *aws_connection_info - name: "test-secrets-manager-role" + name: "{{ secret_manager_role }}" assume_role_policy_document: "{{ lookup('file','secretsmanager-trust-policy.json') }}" state: present create_instance_profile: no managed_policy: - 'arn:aws:iam::aws:policy/SecretsManagerReadWrite' - register: iam_role_output + register: iam_role ignore_errors: yes + - name: wait 10 seconds for role to become available + pause: + seconds: 10 + when: iam_role.changed + # CI does not remove the role and comparing policies has a bug on Python3; fall back to use iam_role_info - name: get IAM role iam_role_info: - <<: *aws_connection_info - name: "test-secrets-manager-role" - when: iam_role_output is failed + name: "{{ secret_manager_role }}" register: iam_role_info - name: set iam_role_output @@ -51,8 +49,7 @@ - name: dummy lambda for testing lambda: - <<: *aws_connection_info - name: "hello-world-{{ resource_prefix }}" + name: "{{ lambda_name }}" state: present zip_file: "{{ tmp.path }}/hello_world.zip" runtime: 'python2.7' 
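Review bot: The new `pause: seconds: 10` after the `iam_role` task is a fixed sleep gated on `iam_role.changed`, which still races whenever IAM propagation takes longer than ten seconds, and it delays every fresh run even when the role is already usable; the `add rotation lambda` task later in this file already uses `retries`/`delay` to wait on AWS, and the same pattern on the first task that consumes the role (the `dummy lambda` creation, which presumably passes `role: "{{ secret_manager_role }}"` like the removal task does) would be more reliable than a timed wait. Separately, the removed `set_fact` was marked `no_log: true`, while `module_defaults` now passes `aws_secret_key` and `security_token` as plain module arguments to every `group/aws` task; this only stays out of the task output if each module's argument spec marks those parameters `no_log`, which is expected for the shared AWS argument spec but worth confirming once in verbose output. The `when: iam_role_output is failed` guard on `iam_role_info` was dropped, so the lookup now always runs; the comment above it should be updated to say so.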
@@ -86,8 +83,7 @@ # ============================================================ - name: add secret to AWS Secrets Manager aws_secret: - <<: *aws_connection_info - name: "test-secret-string-{{ resource_prefix }}" + name: "{{ secret_name }}" state: present secret_type: 'string' secret: "{{ super_secret_string }}" @@ -104,8 +100,7 @@ - name: no changes to secret aws_secret: - <<: *aws_connection_info - name: "test-secret-string-{{ resource_prefix }}" + name: "{{ secret_name }}" state: present secret_type: 'string' secret: "{{ super_secret_string }}" @@ -119,8 +114,7 @@ - name: make change to secret aws_secret: - <<: *aws_connection_info - name: "test-secret-string-{{ resource_prefix }}" + name: "{{ secret_name }}" description: 'this is a change to this secret' state: present secret_type: 'string' @@ -141,8 +135,7 @@ - name: add tags to secret aws_secret: - <<: *aws_connection_info - name: "test-secret-string-{{ resource_prefix }}" + name: "{{ secret_name }}" description: 'this is a change to this secret' state: present secret_type: 'string' @@ -159,8 +152,7 @@ - name: remove tags from secret aws_secret: - <<: *aws_connection_info - name: "test-secret-string-{{ resource_prefix }}" + name: "{{ secret_name }}" description: 'this is a change to this secret' state: present secret_type: 'string' 
@@ -174,22 +166,20 @@ - name: lambda policy for secrets manager lambda_policy: - <<: *aws_connection_info state: present - function_name: "hello-world-{{ resource_prefix }}" + function_name: "{{ lambda_name }}" statement_id: LambdaSecretsManagerTestPolicy action: 'lambda:InvokeFunction' principal: "secretsmanager.amazonaws.com" - name: add rotation lambda to secret aws_secret: - <<: *aws_connection_info - name: "test-secret-string-{{ resource_prefix }}" + name: "{{ secret_name }}" description: 'this is a change to this secret' state: present secret_type: 'string' secret: "{{ super_secret_string }}" - rotation_lambda: "arn:aws:lambda:{{ aws_region }}:{{ test_caller_facts.account }}:function:hello-world-{{ resource_prefix }}" + rotation_lambda: "arn:aws:lambda:{{ aws_region }}:{{ test_caller_facts.account }}:function:{{ lambda_name }}" register: result retries: 100 delay: 5 @@ -202,8 +192,7 @@ - name: remove rotation lambda from secret aws_secret: - <<: *aws_connection_info - name: "test-secret-string-{{ resource_prefix }}" + name: "{{ secret_name }}" description: 'this is a change to this secret' state: present secret_type: 'string' @@ -218,8 +207,7 @@ always: - name: remove secret aws_secret: - <<: *aws_connection_info - name: "test-secret-string-{{ resource_prefix }}" + name: "{{ secret_name }}" state: absent secret_type: 'string' secret: "{{ super_secret_string }}" @@ -228,9 +216,8 @@ - name: remove lambda policy lambda_policy: - <<: *aws_connection_info state: absent - function_name: "hello-world-{{ resource_prefix }}" + function_name: "{{ lambda_name }}" statement_id: lambda-secretsmanager-test-policy action: lambda:InvokeFunction principal: secretsmanager.amazonaws.com 
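Review bot: The cleanup in `remove lambda policy` (hunk `@@ -228`) uses `statement_id: lambda-secretsmanager-test-policy`, while the grant added in hunk `@@ -174` uses `statement_id: LambdaSecretsManagerTestPolicy`; these are different ids, so the `state: absent` call removes nothing and the invoke permission for `secretsmanager.amazonaws.com` is left on the function. In practice the function is deleted right afterwards, which takes its resource policy with it, but that delete runs with `ignore_errors: yes`, so a failed removal leaves the grant behind. Both ids are context lines rather than new in this commit, but the commit already touches both tasks; use one value in both, e.g. `statement_id: LambdaSecretsManagerTestPolicy` in the removal task, or define it once in the defaults next to `lambda_name`.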
@@ -238,20 +225,18 @@ - name: remove dummy lambda lambda: - <<: *aws_connection_info - name: "hello-world-{{ resource_prefix }}" + name: "{{ lambda_name }}" state: absent zip_file: "{{ tmp.path }}/hello_world.zip" runtime: 'python2.7' - role: "test-secrets-manager-role" + role: "{{ secret_manager_role }}" handler: 'hello_world.lambda_handler' ignore_errors: yes # CI does not remove the IAM role - name: remove IAM role iam_role: - <<: *aws_connection_info - name: "test-secrets-manager-role" + name: "{{ secret_manager_role }}" assume_role_policy_document: "{{ lookup('file','secretsmanager-trust-policy.json') }}" state: absent create_instance_profile: no