You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
ansible/test/integration/targets/lambda_policy/tasks/main.yml

219 lines
7.2 KiB
YAML

---
#
# Author: Michael De La Rue
# based on ec2_key.yml + lambda.py
- block:
# ============================================================
- name: test with no parameters
lambda_policy:
register: result
ignore_errors: true
- name: assert failure when called with no parameters
assert:
that:
- 'result.failed'
- 'result.msg.startswith("missing required arguments: ")'
# ============================================================
- name: test with all required dummy parameters but no region
lambda_policy:
statement_id: dummy
principal: api_fakeway
action: fake:do_something_fake
function_name: dummy_fake_function
ignore_errors: true
register: result
- name: assert failure and appropriate message when called without region
assert:
that:
- 'result.failed'
- '"region must be specified" in result.msg'
# ============================================================
- name: test with all required dummy parameters but no region
lambda_policy:
statement_id: dummy
principal: api_fakeway
action: fake:do_something_fake
function_name: dummy_fake_function
region: null
ignore_errors: true
register: result
- name: assert failure and appropriate message when called false region region
assert:
that:
- 'result.failed'
- '"region must be specified" in result.msg'
# ============================================================
- name: test exceptions generated by forcing bad ec2 url
lambda_policy:
function_name: "{{ lambda_function_name }}"
region: "{{ec2_region}}"
state: present
statement_id: api-gateway-invoke-lambdas
action: lambda:InvokeFunction
principal: apigateway.amazonaws.com
source_arn: "arn:aws:execute-api:no-north-0:1234567:*/*"
ec2_url: https://noexist.example.com
ec2_region: 'no-north-0'
ec2_access_key: 'iamnotreallyanaccesskey'
ec2_secret_key: 'thisisabadsecretkey'
security_token: 'andthisisabadsecuritytoken'
register: result
ignore_errors: true
- name: assert lambda manages to respond as expected
assert:
that:
- 'result is failed'
- 'result.msg != "MODULE FAILURE"'
- 'result.changed == False'
# ============================================================
# direct zip file upload
- name: move lambda into place for archive module
copy:
src: "mini_http_lambda.py"
dest: "{{output_dir}}/mini_http_lambda.py"
- name: bundle lambda into a zip
archive:
format: zip
path: "{{output_dir}}/mini_http_lambda.py"
dest: "{{output_dir}}/mini_http_lambda.zip"
register: zip_res
- name: test state=present - upload the lambda
lambda:
name="{{lambda_function_name}}"
runtime="python2.7"
handler="mini_http_lambda.handler"
role="ansible_lambda_role"
ec2_region='{{ec2_region}}'
aws_access_key='{{aws_access_key}}'
aws_secret_key='{{aws_secret_key}}'
security_token='{{security_token}}'
zip_file="{{zip_res.dest}}"
register: lambda_result
- name: install aws cli - FIXME temporary this should go for a lighterweight solution
command: pip install awscli
register: result
- name: get the aws account ID for use in future commands
command: aws sts get-caller-identity --output text --query 'Account'
environment:
AWS_ACCESS_KEY_ID: '{{aws_access_key}}'
AWS_SECRET_ACCESS_KEY: '{{aws_secret_key}}'
AWS_SESSION_TOKEN: '{{security_token}}'
register: result
- name: register account id
set_fact:
aws_account_id: "{{ result.stdout | replace('\n', '') }}"
- name: register lambda uri for use in template
set_fact:
mini_lambda_uri: "arn:aws:apigateway:{{ec2_region}}:lambda:path/2015-03-31/functions/arn:aws:lambda:{{ec2_region}}:{{aws_account_id}}:function:{{ lambda_result.configuration.function_name }}/invocations"
- name: build API file
template:
src: endpoint-test-swagger-api.yml.j2
dest: "{{output_dir}}/endpoint-test-swagger-api.yml.j2"
- name: deploy new API
aws_api_gateway:
api_file: "{{output_dir}}/endpoint-test-swagger-api.yml.j2"
stage: "lambdabased"
region: '{{ec2_region}}'
aws_access_key: '{{aws_access_key}}'
aws_secret_key: '{{aws_secret_key}}'
security_token: '{{security_token}}'
register: create_result
- name: register api id for later
set_fact:
api_id: "{{ create_result.api_id }}"
- name: check API fails with permissions failure
uri: url="https://{{create_result.api_id}}.execute-api.{{ec2_region}}.amazonaws.com/lambdabased/mini/Mr_Ansible_Tester"
register: unauth_uri_result
ignore_errors: true
- name: assert internal server error due to permissions
assert:
that:
- unauth_uri_result is failed
- 'unauth_uri_result.status == 500'
- name: give api gateway execute permissions on lambda
lambda_policy:
function_name: "{{ lambda_function_name }}"
region: "{{ec2_region}}"
state: present
statement_id: api-gateway-invoke-lambdas
action: lambda:InvokeFunction
principal: apigateway.amazonaws.com
source_arn: "arn:aws:execute-api:{{ ec2_region }}:{{ aws_account_id }}:*/*"
aws_access_key: '{{aws_access_key}}'
aws_secret_key: '{{aws_secret_key}}'
security_token: '{{security_token}}'
- name: check API works with execute permissions
uri: url="https://{{create_result.api_id}}.execute-api.{{ec2_region}}.amazonaws.com/lambdabased/mini/Mr_Ansible_Tester"
register: uri_result
- name: assert API works success
assert:
that:
- 'uri_result'
- name: deploy new API
aws_api_gateway:
api_file: "{{output_dir}}/endpoint-test-swagger-api.yml.j2"
stage: "lambdabased"
region: '{{ec2_region}}'
aws_access_key: '{{aws_access_key}}'
aws_secret_key: '{{aws_secret_key}}'
security_token: '{{security_token}}'
register: create_result
ignore_errors: true
always:
# ============================================================
- name: destroy lambda for test cleanup if created
lambda:
name="{{lambda_function_name}}"
ec2_region='{{ec2_region}}'
ec2_access_key='{{ec2_access_key}}'
ec2_secret_key='{{ec2_secret_key}}'
security_token='{{security_token}}'
state=absent
register: result
- name: destroy API for test cleanup if created
aws_api_gateway:
state: absent
api_id: '{{api_id}}'
region: '{{ec2_region}}'
aws_access_key: '{{ec2_access_key}}'
aws_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
register: destroy_result
- name: assert destroy statements succeeded
assert:
that:
- 'destroy_result.changed == True'
- 'result is not failed'