Fixup aws_secret integration tests (#61241)

* aws_secret: (integration tests) Move tests to using module_defaults

* Update hacking aws security policy to enable management of secrets

* aws_secret: (integration tests) Fixup integration tests
- Update tests to use resource_prefix as a prefix rather than a suffix
- Pause after role creation to cope with AWS being slow (and returning before the role is ready)
Mark Chappell 5 years ago committed by Jill R
parent 50e09be14f
commit e0ebc8c9b4

@ -122,21 +122,24 @@
"Sid": "AllowAccessToServerCertificates", "Sid": "AllowAccessToServerCertificates",
"Effect": "Allow", "Effect": "Allow",
"Action": [ "Action": [
"iam:ListServerCertificates", "iam:*ServerCertificates",
"iam:UploadServerCertificate", "iam:*ServerCertificate"
"iam:UpdateServerCertificate",
"iam:DeleteServerCertificate",
"iam:GetServerCertificate"
], ],
"Resource": "*" "Resource": "*"
}, },
{
"Sid": "AllowAccessToSecrets",
"Effect": "Allow",
"Action": [
"secretsmanager:*"
],
"Resource": "arn:aws:secretsmanager:{{aws_region}}:{{aws_account}}:secret:ansible-test*"
},
{ {
"Sid": "AllowAccessToManagePasswordPolicy", "Sid": "AllowAccessToManagePasswordPolicy",
"Effect": "Allow", "Effect": "Allow",
"Action": [ "Action": [
"iam:GetAccountPasswordPolicy", "iam:*AccountPasswordPolicy"
"iam:DeleteAccountPasswordPolicy",
"iam:UpdateAccountPasswordPolicy"
], ],
"Resource": "*" "Resource": "*"
}, },
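Review bot: The new `AllowAccessToSecrets` statement is properly resource-scoped, but the same hunk replaces enumerated IAM actions with suffix wildcards — `iam:*ServerCertificates`, `iam:*ServerCertificate` and `iam:*AccountPasswordPolicy` — which match any present or future action ending that way, not just the five and three actions the policy listed before. Since this policy is attached to real CI credentials, I would keep the explicit action lists, or state in the commit message why the broader match is acceptable. The scope `secret:ansible-test*` also appears to assume that `resource_prefix` used by the tests starts with `ansible-test`; if it does not, the tests fail with AccessDenied rather than over-granting, which is the safe direction, but it deserves a comment such as `# secret names must keep the ansible-test prefix granted by the hacking IAM policy` next to `secret_name` in the vars file.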

@ -1,2 +1,5 @@
--- ---
super_secret_string: 'Test12345' super_secret_string: 'Test12345'
secret_manager_role: "{{ resource_prefix }}-secrets-manager"
secret_name: "{{ resource_prefix }}-test-secret-string"
lambda_name: "{{ resource_prefix }}-hello-world"

@ -1,37 +1,35 @@
--- ---
- block: - module_defaults:
- name: set connection information for all tasks group/aws:
set_fact:
aws_connection_info: &aws_connection_info
aws_access_key: "{{ aws_access_key }}" aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}" aws_secret_key: "{{ aws_secret_key }}"
security_token: "{{ security_token | default(omit) }}"
region: "{{ aws_region }}" region: "{{ aws_region }}"
security_token: "{{ security_token }}" block:
no_log: true
- name: retrieve caller facts - name: retrieve caller facts
aws_caller_info: aws_caller_info:
<<: *aws_connection_info
register: test_caller_facts register: test_caller_facts
- name: ensure IAM role exists - name: ensure IAM role exists
iam_role: iam_role:
<<: *aws_connection_info name: "{{ secret_manager_role }}"
name: "test-secrets-manager-role"
assume_role_policy_document: "{{ lookup('file','secretsmanager-trust-policy.json') }}" assume_role_policy_document: "{{ lookup('file','secretsmanager-trust-policy.json') }}"
state: present state: present
create_instance_profile: no create_instance_profile: no
managed_policy: managed_policy:
- 'arn:aws:iam::aws:policy/SecretsManagerReadWrite' - 'arn:aws:iam::aws:policy/SecretsManagerReadWrite'
register: iam_role_output register: iam_role
ignore_errors: yes ignore_errors: yes
- name: wait 10 seconds for role to become available
pause:
seconds: 10
when: iam_role.changed
# CI does not remove the role and comparing policies has a bug on Python3; fall back to use iam_role_info # CI does not remove the role and comparing policies has a bug on Python3; fall back to use iam_role_info
- name: get IAM role - name: get IAM role
iam_role_info: iam_role_info:
<<: *aws_connection_info name: "{{ secret_manager_role }}"
name: "test-secrets-manager-role"
when: iam_role_output is failed
register: iam_role_info register: iam_role_info
- name: set iam_role_output - name: set iam_role_output
@ -51,8 +49,7 @@
- name: dummy lambda for testing - name: dummy lambda for testing
lambda: lambda:
<<: *aws_connection_info name: "{{ lambda_name }}"
name: "hello-world-{{ resource_prefix }}"
state: present state: present
zip_file: "{{ tmp.path }}/hello_world.zip" zip_file: "{{ tmp.path }}/hello_world.zip"
runtime: 'python2.7' runtime: 'python2.7'
@ -86,8 +83,7 @@
# ============================================================ # ============================================================
- name: add secret to AWS Secrets Manager - name: add secret to AWS Secrets Manager
aws_secret: aws_secret:
<<: *aws_connection_info name: "{{ secret_name }}"
name: "test-secret-string-{{ resource_prefix }}"
state: present state: present
secret_type: 'string' secret_type: 'string'
secret: "{{ super_secret_string }}" secret: "{{ super_secret_string }}"
@ -104,8 +100,7 @@
- name: no changes to secret - name: no changes to secret
aws_secret: aws_secret:
<<: *aws_connection_info name: "{{ secret_name }}"
name: "test-secret-string-{{ resource_prefix }}"
state: present state: present
secret_type: 'string' secret_type: 'string'
secret: "{{ super_secret_string }}" secret: "{{ super_secret_string }}"
@ -119,8 +114,7 @@
- name: make change to secret - name: make change to secret
aws_secret: aws_secret:
<<: *aws_connection_info name: "{{ secret_name }}"
name: "test-secret-string-{{ resource_prefix }}"
description: 'this is a change to this secret' description: 'this is a change to this secret'
state: present state: present
secret_type: 'string' secret_type: 'string'
@ -141,8 +135,7 @@
- name: add tags to secret - name: add tags to secret
aws_secret: aws_secret:
<<: *aws_connection_info name: "{{ secret_name }}"
name: "test-secret-string-{{ resource_prefix }}"
description: 'this is a change to this secret' description: 'this is a change to this secret'
state: present state: present
secret_type: 'string' secret_type: 'string'
@ -159,8 +152,7 @@
- name: remove tags from secret - name: remove tags from secret
aws_secret: aws_secret:
<<: *aws_connection_info name: "{{ secret_name }}"
name: "test-secret-string-{{ resource_prefix }}"
description: 'this is a change to this secret' description: 'this is a change to this secret'
state: present state: present
secret_type: 'string' secret_type: 'string'
@ -174,22 +166,20 @@
- name: lambda policy for secrets manager - name: lambda policy for secrets manager
lambda_policy: lambda_policy:
<<: *aws_connection_info
state: present state: present
function_name: "hello-world-{{ resource_prefix }}" function_name: "{{ lambda_name }}"
statement_id: LambdaSecretsManagerTestPolicy statement_id: LambdaSecretsManagerTestPolicy
action: 'lambda:InvokeFunction' action: 'lambda:InvokeFunction'
principal: "secretsmanager.amazonaws.com" principal: "secretsmanager.amazonaws.com"
- name: add rotation lambda to secret - name: add rotation lambda to secret
aws_secret: aws_secret:
<<: *aws_connection_info name: "{{ secret_name }}"
name: "test-secret-string-{{ resource_prefix }}"
description: 'this is a change to this secret' description: 'this is a change to this secret'
state: present state: present
secret_type: 'string' secret_type: 'string'
secret: "{{ super_secret_string }}" secret: "{{ super_secret_string }}"
rotation_lambda: "arn:aws:lambda:{{ aws_region }}:{{ test_caller_facts.account }}:function:hello-world-{{ resource_prefix }}" rotation_lambda: "arn:aws:lambda:{{ aws_region }}:{{ test_caller_facts.account }}:function:{{ lambda_name }}"
register: result register: result
retries: 100 retries: 100
delay: 5 delay: 5
@ -202,8 +192,7 @@
- name: remove rotation lambda from secret - name: remove rotation lambda from secret
aws_secret: aws_secret:
<<: *aws_connection_info name: "{{ secret_name }}"
name: "test-secret-string-{{ resource_prefix }}"
description: 'this is a change to this secret' description: 'this is a change to this secret'
state: present state: present
secret_type: 'string' secret_type: 'string'
@ -218,8 +207,7 @@
always: always:
- name: remove secret - name: remove secret
aws_secret: aws_secret:
<<: *aws_connection_info name: "{{ secret_name }}"
name: "test-secret-string-{{ resource_prefix }}"
state: absent state: absent
secret_type: 'string' secret_type: 'string'
secret: "{{ super_secret_string }}" secret: "{{ super_secret_string }}"
@ -228,9 +216,8 @@
- name: remove lambda policy - name: remove lambda policy
lambda_policy: lambda_policy:
<<: *aws_connection_info
state: absent state: absent
function_name: "hello-world-{{ resource_prefix }}" function_name: "{{ lambda_name }}"
statement_id: lambda-secretsmanager-test-policy statement_id: lambda-secretsmanager-test-policy
action: lambda:InvokeFunction action: lambda:InvokeFunction
principal: secretsmanager.amazonaws.com principal: secretsmanager.amazonaws.com
@ -238,20 +225,18 @@
- name: remove dummy lambda - name: remove dummy lambda
lambda: lambda:
<<: *aws_connection_info name: "{{ lambda_name }}"
name: "hello-world-{{ resource_prefix }}"
state: absent state: absent
zip_file: "{{ tmp.path }}/hello_world.zip" zip_file: "{{ tmp.path }}/hello_world.zip"
runtime: 'python2.7' runtime: 'python2.7'
role: "test-secrets-manager-role" role: "{{ secret_manager_role }}"
handler: 'hello_world.lambda_handler' handler: 'hello_world.lambda_handler'
ignore_errors: yes ignore_errors: yes
# CI does not remove the IAM role # CI does not remove the IAM role
- name: remove IAM role - name: remove IAM role
iam_role: iam_role:
<<: *aws_connection_info name: "{{ secret_manager_role }}"
name: "test-secrets-manager-role"
assume_role_policy_document: "{{ lookup('file','secretsmanager-trust-policy.json') }}" assume_role_policy_document: "{{ lookup('file','secretsmanager-trust-policy.json') }}"
state: absent state: absent
create_instance_profile: no create_instance_profile: no
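Review bot: In the first hunk the `ensure IAM role exists` task now registers `iam_role` instead of `iam_role_output`, yet the fallback `get IAM role` task still shows `when: iam_role_output is failed`; the new side of that line is not visible here, so if the condition survives it must become `when: iam_role is failed` (the `set iam_role_output` task that defines the old name only runs afterwards), and if it was dropped the `iam_role_info` fallback now runs unconditionally, which is harmless. The added `pause: seconds: 10` is a fixed guess at AWS propagation delay; polling with `iam_role_info` under `until`/`retries`/`delay` would be more robust than a sleep, though the current form is acceptable for a test. Moving the credentials into `module_defaults` drops the old `no_log: true` `set_fact`; I believe the AWS modules mark `aws_secret_key` and `security_token` as no_log in their argspec so nothing leaks, but it is worth confirming in the CI output. The enclosing block starts before the first hunk and ends after the last one.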
