---
- name: set up aws connection info
  module_defaults:
    group/aws:
      aws_access_key: "{{ aws_access_key }}"
      aws_secret_key: "{{ aws_secret_key }}"
      security_token: "{{ security_token | default(omit) }}"
      region: "{{ aws_region }}"
  block:
  - name: ensure ansible user exists
    iam_user:
      name: '{{ test_user }}'
      state: present

  - name: ensure group exists
    iam_group:
      name: '{{ test_group }}'
      users:
        - '{{ test_user }}'
      state: present
    register: iam_group

  - assert:
      that:
        - iam_group.iam_group.users
        - iam_group is changed

  - name: add non existent user to group
    iam_group:
      name: '{{ test_group }}'
      users:
        - '{{ test_user }}'
        - NonExistentUser
      state: present
    ignore_errors: yes
    register: iam_group

  - name: assert that adding non existent user to group fails with helpful message
    assert:
      that:
        - iam_group is failed
        - iam_group.msg.startswith("Couldn't add user NonExistentUser to group {{ test_group }}")

  - name: remove a user
    iam_group:
      name: '{{ test_group }}'
      purge_users: True
      users: []
      state: present
    register: iam_group

  - assert:
      that:
        - iam_group is changed
        - not iam_group.iam_group.users

  - name: re-remove a user (no change)
    iam_group:
      name: '{{ test_group }}'
      purge_users: True
      users: []
      state: present
    register: iam_group

  - assert:
      that:
        - iam_group is not changed
        - not iam_group.iam_group.users

  - name: Add the user again
    iam_group:
      name: '{{ test_group }}'
      users:
        - '{{ test_user }}'
      state: present
    register: iam_group

  - assert:
      that:
        - iam_group is changed
        - iam_group.iam_group.users

  - name: Re-add the user
    iam_group:
      name: '{{ test_group }}'
      users:
        - '{{ test_user }}'
      state: present
    register: iam_group

  - assert:
      that:
        - iam_group is not changed
        - iam_group.iam_group.users

  - name: remove group
    iam_group:
      name: '{{ test_group }}'
      state: absent
    register: iam_group

  - assert:
      that:
        - iam_group is changed

  - name: re-remove group
    iam_group:
      name: '{{ test_group }}'
      state: absent
    register: iam_group

  - assert:
      that:
        - iam_group is not changed

  always:
  - name: remove group
    iam_group:
      name: '{{ test_group }}'
      state: absent

  - name: remove ansible user
    iam_user:
      name: '{{ test_user }}'
      state: absent