--- - name: setup vpc cs_vpc: name: "{{ cs_resource_prefix }}_vpc" display_text: "{{ cs_resource_prefix }}_display_text" cidr: 10.10.0.0/16 zone: "{{ cs_common_zone_adv }}" register: vpc - name: verify setup vpc assert: that: - vpc is successful - name: setup network acl cs_network_acl: name: "{{ cs_resource_prefix }}_acl" vpc: "{{ cs_resource_prefix }}_vpc" zone: "{{ cs_common_zone_adv }}" register: acl - name: verify setup network acl assert: that: - acl is successful - name: setup network acl rule cs_network_acl_rule: network_acl: "{{ cs_resource_prefix }}_acl" rule_position: 1 vpc: "{{ cs_resource_prefix }}_vpc" zone: "{{ cs_common_zone_adv }}" state: absent register: acl_rule - name: verify setup network acl rule assert: that: - acl_rule is successful - name: test fail missing params cs_network_acl_rule: ignore_errors: true register: acl_rule - name: verify test fail missing param assert: that: - acl_rule is failed - "acl_rule.msg.startswith('missing required arguments: ')" - name: test fail missing params for tcp cs_network_acl_rule: network_acl: "{{ cs_resource_prefix }}_acl" rule_position: 1 vpc: "{{ cs_resource_prefix }}_vpc" traffic_type: ingress action_policy: allow cidr: 0.0.0.0/0 zone: "{{ cs_common_zone_adv }}" ignore_errors: true register: acl_rule - name: verify test fail missing param for tcp assert: that: - acl_rule is failed - "acl_rule.msg == 'protocol is tcp but the following are missing: start_port, end_port'" - name: test fail missing params for icmp cs_network_acl_rule: network_acl: "{{ cs_resource_prefix }}_acl" rule_position: 1 vpc: "{{ cs_resource_prefix }}_vpc" traffic_type: ingress action_policy: allow cidr: 0.0.0.0/0 protocol: icmp zone: "{{ cs_common_zone_adv }}" ignore_errors: true register: acl_rule - name: verify test fail missing param for icmp assert: that: - acl_rule is failed - "acl_rule.msg == 'protocol is icmp but the following are missing: icmp_type, icmp_code'" - name: test fail missing params for by number cs_network_acl_rule: network_acl: "{{ cs_resource_prefix }}_acl" rule_position: 1 vpc: "{{ cs_resource_prefix }}_vpc" traffic_type: ingress action_policy: allow cidr: 0.0.0.0/0 protocol: by_number zone: "{{ cs_common_zone_adv }}" ignore_errors: true register: acl_rule - name: verify test fail missing param for by number assert: that: - acl_rule is failed - "acl_rule.msg == 'protocol is by_number but the following are missing: protocol_number'" - name: test create network acl rule in check mode cs_network_acl_rule: network_acl: "{{ cs_resource_prefix }}_acl" rule_position: 1 vpc: "{{ cs_resource_prefix }}_vpc" traffic_type: ingress action_policy: allow port: 80 cidr: 0.0.0.0/0 zone: "{{ cs_common_zone_adv }}" register: acl_rule check_mode: true - name: verify test create network acl rule in check mode assert: that: - acl_rule is successful - acl_rule is changed - name: test create network acl rule cs_network_acl_rule: network_acl: "{{ cs_resource_prefix }}_acl" rule_position: 1 vpc: "{{ cs_resource_prefix }}_vpc" traffic_type: ingress action_policy: allow port: 80 cidr: 0.0.0.0/0 zone: "{{ cs_common_zone_adv }}" register: acl_rule - name: verify test create network acl rule assert: that: - acl_rule is successful - acl_rule is changed - acl_rule.vpc == "{{ cs_resource_prefix }}_vpc" - acl_rule.network_acl == "{{ cs_resource_prefix }}_acl" - acl_rule.start_port == 80 - acl_rule.end_port == 80 - acl_rule.action_policy == "allow" - acl_rule.cidr == "0.0.0.0/0" - acl_rule.traffic_type == "ingress" - acl_rule.rule_position == 1 - name: test create network acl rule idempotence cs_network_acl_rule: network_acl: "{{ cs_resource_prefix }}_acl" rule_position: 1 vpc: "{{ cs_resource_prefix }}_vpc" traffic_type: ingress action_policy: allow port: 80 cidr: 0.0.0.0/0 zone: "{{ cs_common_zone_adv }}" register: acl_rule - name: verify test create network acl idempotence assert: that: - acl_rule is successful - acl_rule is not changed - acl_rule.vpc == "{{ cs_resource_prefix }}_vpc" - acl_rule.network_acl == "{{ cs_resource_prefix }}_acl" - acl_rule.start_port == 80 - acl_rule.end_port == 80 - acl_rule.action_policy == "allow" - acl_rule.cidr == "0.0.0.0/0" - acl_rule.traffic_type == "ingress" - acl_rule.rule_position == 1 - name: test change network acl rule in check mode cs_network_acl_rule: network_acl: "{{ cs_resource_prefix }}_acl" rule_position: 1 vpc: "{{ cs_resource_prefix }}_vpc" traffic_type: egress action_policy: deny port: 81 cidr: 0.0.0.0/0 zone: "{{ cs_common_zone_adv }}" register: acl_rule check_mode: true - name: verify test change network acl rule in check mode assert: that: - acl_rule is successful - acl_rule is changed - acl_rule.vpc == "{{ cs_resource_prefix }}_vpc" - acl_rule.network_acl == "{{ cs_resource_prefix }}_acl" - acl_rule.start_port == 80 - acl_rule.end_port == 80 - acl_rule.action_policy == "allow" - acl_rule.cidr == "0.0.0.0/0" - acl_rule.traffic_type == "ingress" - acl_rule.rule_position == 1 - name: test change network acl rule cs_network_acl_rule: network_acl: "{{ cs_resource_prefix }}_acl" rule_position: 1 vpc: "{{ cs_resource_prefix }}_vpc" traffic_type: egress action_policy: deny port: 81 protocol: udp cidr: 0.0.0.0/0 zone: "{{ cs_common_zone_adv }}" register: acl_rule - name: verify test change network acl rule assert: that: - acl_rule is successful - acl_rule is changed - acl_rule.vpc == "{{ cs_resource_prefix }}_vpc" - acl_rule.network_acl == "{{ cs_resource_prefix }}_acl" - acl_rule.start_port == 81 - acl_rule.end_port == 81 - acl_rule.action_policy == "deny" - acl_rule.cidr == "0.0.0.0/0" - acl_rule.traffic_type == "egress" - acl_rule.protocol == "udp" - acl_rule.rule_position == 1 - name: test change network acl rule idempotence cs_network_acl_rule: network_acl: "{{ cs_resource_prefix }}_acl" rule_position: 1 vpc: "{{ cs_resource_prefix }}_vpc" traffic_type: egress action_policy: deny port: 81 protocol: udp cidr: 0.0.0.0/0 zone: "{{ cs_common_zone_adv }}" register: acl_rule - name: verify test change network acl idempotence assert: that: - acl_rule is successful - acl_rule is not changed - acl_rule.vpc == "{{ cs_resource_prefix }}_vpc" - acl_rule.network_acl == "{{ cs_resource_prefix }}_acl" - acl_rule.start_port == 81 - acl_rule.end_port == 81 - acl_rule.action_policy == "deny" - acl_rule.cidr == "0.0.0.0/0" - acl_rule.traffic_type == "egress" - acl_rule.protocol == "udp" - acl_rule.rule_position == 1 - name: test change network acl by protocol number in check mode cs_network_acl_rule: network_acl: "{{ cs_resource_prefix }}_acl" rule_position: 1 vpc: "{{ cs_resource_prefix }}_vpc" traffic_type: egress action_policy: deny protocol: by_number protocol_number: 8 port: 81 cidr: 0.0.0.0/0 zone: "{{ cs_common_zone_adv }}" register: acl_rule check_mode: true - name: verify test change network acl by protocol number in check mode assert: that: - acl_rule is successful - acl_rule is changed - acl_rule.vpc == "{{ cs_resource_prefix }}_vpc" - acl_rule.network_acl == "{{ cs_resource_prefix }}_acl" - acl_rule.start_port == 81 - acl_rule.end_port == 81 - acl_rule.action_policy == "deny" - acl_rule.cidr == "0.0.0.0/0" - acl_rule.traffic_type == "egress" - acl_rule.protocol == "udp" - acl_rule.rule_position == 1 - name: test change network acl by protocol number cs_network_acl_rule: network_acl: "{{ cs_resource_prefix }}_acl" rule_position: 1 vpc: "{{ cs_resource_prefix }}_vpc" traffic_type: egress action_policy: deny protocol: by_number protocol_number: 8 port: 81 cidr: 0.0.0.0/0 zone: "{{ cs_common_zone_adv }}" register: acl_rule - name: verify test change network acl by protocol number assert: that: - acl_rule is successful - acl_rule is changed - acl_rule.vpc == "{{ cs_resource_prefix }}_vpc" - acl_rule.network_acl == "{{ cs_resource_prefix }}_acl" - acl_rule.start_port == 81 - acl_rule.end_port == 81 - acl_rule.action_policy == "deny" - acl_rule.cidr == "0.0.0.0/0" - acl_rule.traffic_type == "egress" - acl_rule.protocol == "by_number" - acl_rule.protocol_number == 8 - acl_rule.rule_position == 1 - name: test change network acl by protocol number idempotence cs_network_acl_rule: network_acl: "{{ cs_resource_prefix }}_acl" rule_position: 1 vpc: "{{ cs_resource_prefix }}_vpc" traffic_type: egress action_policy: deny protocol: by_number protocol_number: 8 port: 81 cidr: 0.0.0.0/0 zone: "{{ cs_common_zone_adv }}" register: acl_rule - name: verify test change network acl by protocol number idempotence assert: that: - acl_rule is successful - acl_rule is not changed - acl_rule.vpc == "{{ cs_resource_prefix }}_vpc" - acl_rule.network_acl == "{{ cs_resource_prefix }}_acl" - acl_rule.start_port == 81 - acl_rule.end_port == 81 - acl_rule.action_policy == "deny" - acl_rule.cidr == "0.0.0.0/0" - acl_rule.traffic_type == "egress" - acl_rule.protocol == "by_number" - acl_rule.protocol_number == 8 - acl_rule.rule_position == 1 - name: test create 2nd network acl rule in check mode cs_network_acl_rule: network_acl: "{{ cs_resource_prefix }}_acl" rule_position: 2 vpc: "{{ cs_resource_prefix }}_vpc" traffic_type: egress action_policy: allow cidr: 10.23.12.0/24 zone: "{{ cs_common_zone_adv }}" protocol: all register: acl_rule check_mode: true - name: verify test create 2nd network acl rule in check mode assert: that: - acl_rule is successful - acl_rule is changed - name: test create 2nd network acl rule cs_network_acl_rule: network_acl: "{{ cs_resource_prefix }}_acl" rule_position: 2 vpc: "{{ cs_resource_prefix }}_vpc" traffic_type: egress action_policy: allow cidr: 10.23.12.0/24 zone: "{{ cs_common_zone_adv }}" protocol: all register: acl_rule - name: verify test create 2nd network acl rule assert: that: - acl_rule is successful - acl_rule is changed - acl_rule.vpc == "{{ cs_resource_prefix }}_vpc" - acl_rule.network_acl == "{{ cs_resource_prefix }}_acl" - acl_rule.action_policy == "allow" - acl_rule.cidr == "10.23.12.0/24" - acl_rule.traffic_type == "egress" - acl_rule.protocol == "all" - acl_rule.rule_position == 2 - name: test create 2nd network acl rule idempotence cs_network_acl_rule: network_acl: "{{ cs_resource_prefix }}_acl" rule_position: 2 vpc: "{{ cs_resource_prefix }}_vpc" traffic_type: egress action_policy: allow cidr: 10.23.12.0/24 zone: "{{ cs_common_zone_adv }}" protocol: all register: acl_rule - name: verify test create 2nd network acl rule idempotence assert: that: - acl_rule is successful - acl_rule is not changed - acl_rule.vpc == "{{ cs_resource_prefix }}_vpc" - acl_rule.network_acl == "{{ cs_resource_prefix }}_acl" - acl_rule.action_policy == "allow" - acl_rule.cidr == "10.23.12.0/24" - acl_rule.traffic_type == "egress" - acl_rule.protocol == "all" - acl_rule.rule_position == 2 - name: test update 2nd network acl rule to icmp cs_network_acl_rule: network_acl: "{{ cs_resource_prefix }}_acl" rule_position: 2 vpc: "{{ cs_resource_prefix }}_vpc" traffic_type: egress action_policy: allow cidr: 10.23.12.0/24 zone: "{{ cs_common_zone_adv }}" protocol: icmp icmp_type: 0 icmp_code: 8 register: acl_rule - name: verify test create 2nd network acl rule assert: that: - acl_rule is successful - acl_rule is changed - acl_rule.vpc == "{{ cs_resource_prefix }}_vpc" - acl_rule.network_acl == "{{ cs_resource_prefix }}_acl" - acl_rule.action_policy == "allow" - acl_rule.cidr == "10.23.12.0/24" - acl_rule.traffic_type == "egress" - acl_rule.protocol == "icmp" - acl_rule.icmp_type == 0 - acl_rule.icmp_code == 8 - acl_rule.rule_position == 2 - name: test update 2nd network acl rule to icmp idempotence cs_network_acl_rule: network_acl: "{{ cs_resource_prefix }}_acl" rule_position: 2 vpc: "{{ cs_resource_prefix }}_vpc" traffic_type: egress action_policy: allow cidr: 10.23.12.0/24 zone: "{{ cs_common_zone_adv }}" protocol: icmp icmp_type: 0 icmp_code: 8 register: acl_rule - name: verify test create 2nd network acl rule idempotence assert: that: - acl_rule is successful - acl_rule is not changed - acl_rule.vpc == "{{ cs_resource_prefix }}_vpc" - acl_rule.network_acl == "{{ cs_resource_prefix }}_acl" - acl_rule.action_policy == "allow" - acl_rule.cidr == "10.23.12.0/24" - acl_rule.traffic_type == "egress" - acl_rule.protocol == "icmp" - acl_rule.icmp_type == 0 - acl_rule.icmp_code == 8 - acl_rule.rule_position == 2 - name: test absent network acl rule in check mode cs_network_acl_rule: network_acl: "{{ cs_resource_prefix }}_acl" rule_position: 1 vpc: "{{ cs_resource_prefix }}_vpc" zone: "{{ cs_common_zone_adv }}" state: absent register: acl_rule check_mode: true - name: verify test absent network acl rule in check mode assert: that: - acl_rule is successful - acl_rule is changed - acl_rule.vpc == "{{ cs_resource_prefix }}_vpc" - acl_rule.network_acl == "{{ cs_resource_prefix }}_acl" - acl_rule.start_port == 81 - acl_rule.end_port == 81 - acl_rule.action_policy == "deny" - acl_rule.cidr == "0.0.0.0/0" - acl_rule.traffic_type == "egress" - acl_rule.rule_position == 1 - name: test absent network acl rule cs_network_acl_rule: network_acl: "{{ cs_resource_prefix }}_acl" rule_position: 1 vpc: "{{ cs_resource_prefix }}_vpc" zone: "{{ cs_common_zone_adv }}" state: absent register: acl_rule - name: verify test absent network acl rule assert: that: - acl_rule is successful - acl_rule is changed - acl_rule.vpc == "{{ cs_resource_prefix }}_vpc" - acl_rule.network_acl == "{{ cs_resource_prefix }}_acl" - acl_rule.start_port == 81 - acl_rule.end_port == 81 - acl_rule.action_policy == "deny" - acl_rule.cidr == "0.0.0.0/0" - acl_rule.traffic_type == "egress" - acl_rule.rule_position == 1 - name: test absent network acl rule idempotence cs_network_acl_rule: network_acl: "{{ cs_resource_prefix }}_acl" rule_position: 1 vpc: "{{ cs_resource_prefix }}_vpc" zone: "{{ cs_common_zone_adv }}" state: absent register: acl_rule - name: verify test absent network acl rule idempotence assert: that: - acl_rule is successful - acl_rule is not changed - name: test absent 2nd network acl rule cs_network_acl_rule: network_acl: "{{ cs_resource_prefix }}_acl" rule_position: 2 vpc: "{{ cs_resource_prefix }}_vpc" zone: "{{ cs_common_zone_adv }}" state: absent register: acl_rule - name: verify test absent 2nd network acl rule assert: that: - acl_rule is successful - acl_rule is changed - acl_rule.vpc == "{{ cs_resource_prefix }}_vpc" - acl_rule.network_acl == "{{ cs_resource_prefix }}_acl" - acl_rule.action_policy == "allow" - acl_rule.cidr == "10.23.12.0/24" - acl_rule.traffic_type == "egress" - acl_rule.protocol == "icmp" - acl_rule.icmp_type == 0 - acl_rule.icmp_code == 8 - acl_rule.rule_position == 2