ansible/test/integration/targets/iam_policy/tasks/main.yml

---
- block:
    # ============================================================
    - name: set up aws connection info
      set_fact:
        aws_connection_info: &aws_connection_info
           aws_access_key: "{{ aws_access_key }}"
           aws_secret_key: "{{ aws_secret_key }}"
           security_token: "{{ security_token }}"
           region: "{{ aws_region }}"
      no_log: yes
    # ============================================================
    - name: Create a temporary folder for the policies
      tempfile:
        state: directory
      register: tmpdir
    # ============================================================
    - name: Copy over policy
      copy:
        src: no_access.json
        dest: "{{ tmpdir.path }}"
    # ============================================================
    - name: Copy over other policy
      copy:
        src: no_access_with_id.json
        dest: "{{ tmpdir.path }}"
    # ============================================================
    - name: Create user for tests
      iam_user:
        name: "{{ iam_user_name }}"
        state: present
        <<: *aws_connection_info
    # ============================================================
    - name: Create role for tests
      iam_role:
        name: "{{ iam_role_name }}"
        assume_role_policy_document: "{{ lookup('file','no_trust.json') }}"
        state: present
        <<: *aws_connection_info
    # ============================================================
    - name: Create group for tests
      iam_group:
        name: "{{ iam_group_name }}"
        state: present
        <<: *aws_connection_info
    # ============================================================
    - name: Create policy for user
      iam_policy:
        iam_type: user
        iam_name: "{{ iam_user_name }}"
        policy_name: "{{ iam_policy_name }}"
        state: present
        policy_document: "{{ tmpdir.path }}/no_access.json"
        <<: *aws_connection_info
      register: result 
    # ============================================================
    - name: Assert policy was added for user
      assert:
        that:
          - result.changed == True
          - result.policies == ["{{ iam_policy_name }}"]
          - result.user_name == "{{ iam_user_name }}" 
    # ============================================================
    - name: Update policy for user
      iam_policy:
        iam_type: user
        iam_name: "{{ iam_user_name }}"
        policy_name: "{{ iam_policy_name }}"
        state: present
        policy_document: "{{ tmpdir.path }}/no_access_with_id.json"
        <<: *aws_connection_info
      register: result 
    # ============================================================
    - name: Assert policy was updated for user
      assert:
        that:
          - result.changed == True
    # ============================================================
    - name: Update policy for user with same policy
      iam_policy:
        iam_type: user
        iam_name: "{{ iam_user_name }}"
        policy_name: "{{ iam_policy_name }}"
        state: present
        policy_document: "{{ tmpdir.path }}/no_access_with_id.json"
        <<: *aws_connection_info
      register: result 
    # ============================================================
    - name: Assert policy did not change for user
      assert:
        that:
          - result.changed == False
    # ============================================================
    - name: Create policy for user using policy_json
      iam_policy:
        iam_type: user
        iam_name: "{{ iam_user_name }}"
        policy_name: "{{ iam_policy_name }}"
        state: present
        policy_json: "{{ lookup('file', '{{ tmpdir.path }}/no_access.json') }}"
        <<: *aws_connection_info
      register: result 
    # ============================================================
    - name: Assert policy was added for user
      assert:
        that:
          - result.changed == True
          - result.policies == ["{{ iam_policy_name }}"]
          - result.user_name == "{{ iam_user_name }}" 
    # ============================================================
    - name: Create policy for role
      iam_policy:
        iam_type: role
        iam_name: "{{ iam_role_name }}"
        policy_name: "{{ iam_policy_name }}"
        state: present
        policy_document: "{{ tmpdir.path }}/no_access.json"
        <<: *aws_connection_info
      register: result 
    # ============================================================
    - name: Assert policy was added for role
      assert:
        that:
          - result.changed == True
          - result.policies == ["{{ iam_policy_name }}"]
          - result.role_name == "{{ iam_role_name }}" 
    # ============================================================
    - name: Update policy for role
      iam_policy:
        iam_type: role
        iam_name: "{{ iam_role_name }}"
        policy_name: "{{ iam_policy_name }}"
        state: present
        policy_document: "{{ tmpdir.path }}/no_access_with_id.json"
        <<: *aws_connection_info
      register: result 
    # ============================================================
    - name: Assert policy was updated for role
      assert:
        that:
          - result.changed == True
    # ============================================================
    - name: Update policy for role with same policy
      iam_policy:
        iam_type: role
        iam_name: "{{ iam_role_name }}"
        policy_name: "{{ iam_policy_name }}"
        state: present
        policy_document: "{{ tmpdir.path }}/no_access_with_id.json"
        <<: *aws_connection_info
      register: result 
    # ============================================================
    - name: Assert policy did not change for role
      assert:
        that:
          - result.changed == False
    # ============================================================
    - name: Create policy for role using policy_json
      iam_policy:
        iam_type: role
        iam_name: "{{ iam_role_name }}"
        policy_name: "{{ iam_policy_name }}"
        state: present
        policy_json: "{{ lookup('file', '{{ tmpdir.path }}/no_access.json') }}"
        <<: *aws_connection_info
      register: result 
    # ============================================================
    - name: Assert policy was added for role
      assert:
        that:
          - result.changed == True
          - result.policies == ["{{ iam_policy_name }}"]
          - result.role_name == "{{ iam_role_name }}" 
    # ============================================================
    - name: Create policy for group
      iam_policy:
        iam_type: group
        iam_name: "{{ iam_group_name }}"
        policy_name: "{{ iam_policy_name }}"
        state: present
        policy_document: "{{ tmpdir.path }}/no_access.json"
        <<: *aws_connection_info
      register: result 
    # ============================================================
    - name: Assert policy was added for group
      assert:
        that:
          - result.changed == True
          - result.policies == ["{{ iam_policy_name }}"]
          - result.group_name == "{{ iam_group_name }}" 
    # ============================================================
    - name: Update policy for group
      iam_policy:
        iam_type: group
        iam_name: "{{ iam_group_name }}"
        policy_name: "{{ iam_policy_name }}"
        state: present
        policy_document: "{{ tmpdir.path }}/no_access_with_id.json"
        <<: *aws_connection_info
      register: result 
    # ============================================================
    - name: Assert policy was updated for group
      assert:
        that:
          - result.changed == True
    # ============================================================
    - name: Update policy for group with same policy
      iam_policy:
        iam_type: group
        iam_name: "{{ iam_group_name }}"
        policy_name: "{{ iam_policy_name }}"
        state: present
        policy_document: "{{ tmpdir.path }}/no_access_with_id.json"
        <<: *aws_connection_info
      register: result 
    # ============================================================
    - name: Assert policy did not change for group
      assert:
        that:
          - result.changed == False
    # ============================================================
    - name: Create policy for group using policy_json
      iam_policy:
        iam_type: group
        iam_name: "{{ iam_group_name }}"
        policy_name: "{{ iam_policy_name }}"
        state: present
        policy_json: "{{ lookup('file', '{{ tmpdir.path }}/no_access.json') }}"
        <<: *aws_connection_info
      register: result 
    # ============================================================
    - name: Assert policy was added for group
      assert:
        that:
          - result.changed == True
          - result.policies == ["{{ iam_policy_name }}"]
          - result.group_name == "{{ iam_group_name }}"
    # ============================================================
    - name: Delete policy for user
      iam_policy:
        iam_type: user
        iam_name: "{{ iam_user_name }}"
        policy_name: "{{ iam_policy_name }}"
        state: absent
        <<: *aws_connection_info
    - assert:
        that:
          - result.changed == True
    # ============================================================
    - name: Delete policy for role
      iam_policy:
        iam_type: role
        iam_name: "{{ iam_role_name }}"
        policy_name: "{{ iam_policy_name }}"
        state: absent
        <<: *aws_connection_info
    - assert:
        that:
          - result.changed == True
    # ============================================================
    - name: Delete policy for group
      iam_policy:
        iam_type: group
        iam_name: "{{ iam_group_name }}"
        policy_name: "{{ iam_policy_name }}"
        state: absent
        <<: *aws_connection_info
    - assert:
        that:
          - result.changed == True
    # ============================================================
  always:
    # ============================================================
    - name: Delete policy for user
      iam_policy:
        iam_type: user
        iam_name: "{{ iam_user_name }}"
        policy_name: "{{ iam_policy_name }}"
        state: absent
        <<: *aws_connection_info
      ignore_errors: yes
    # ============================================================
    - name: Delete user for tests
      iam_user:
        name: "{{ iam_user_name }}"
        state: absent
        <<: *aws_connection_info
      ignore_errors: yes
    # ============================================================
    - name: Delete policy for role
      iam_policy:
        iam_type: role
        iam_name: "{{ iam_role_name }}"
        policy_name: "{{ iam_policy_name }}"
        state: absent
        <<: *aws_connection_info
      ignore_errors: yes
    # ============================================================
    - name: Delete role for tests
      iam_role:
        name: "{{ iam_role_name }}"
        state: absent
        <<: *aws_connection_info
      ignore_errors: yes
    # ============================================================
    - name: Delete policy for group
      iam_policy:
        iam_type: group
        iam_name: "{{ iam_group_name }}"
        policy_name: "{{ iam_policy_name }}"
        state: absent
        <<: *aws_connection_info
      ignore_errors: yes
    # ============================================================
    - name: Delete group for tests
      iam_group:
        name: "{{ iam_group_name }}"
        state: absent
        <<: *aws_connection_info
      ignore_errors: yes
    # ============================================================
    - name: Delete temporary folder containing the policies
      file:
        state: absent
        path: "{{ tmpdir.path }}/"