Rework s3_bucket integration tests

ci_complete

test/integration/targets/s3_bucket/aliases

@@ -1,3 +1,2 @@
 cloud/aws
 shippable/aws/group1
-unstable

test/integration/targets/s3_bucket/inventory

@@ -0,0 +1,12 @@
+[tests]
+missing
+simple
+complex
+dotted
+tags
+encryption_kms
+encryption_sse
+
+[all:vars]
+ansible_connection=local
+ansible_python_interpreter="{{ ansible_playbook_python }}"

test/integration/targets/s3_bucket/main.yml

@@ -0,0 +1,12 @@
+---
+# Beware: most of our tests here are run in parallel.
+# To add new tests you'll need to add a new host to the inventory and a matching
+# '{{ inventory_hostname }}'.yml file in roles/s3_bucket/tasks/
+
+# VPC should get cleaned up once all hosts have run
+- hosts: all
+  gather_facts: no
+  strategy: free
+  #serial: 10
+  roles:
+    - s3_bucket

test/integration/targets/s3_bucket/meta/main.yml

@@ -0,0 +1,4 @@
+dependencies:
+  - prepare_tests
+  - setup_ec2
+  - setup_remote_tmp_dir

test/integration/targets/s3_bucket/roles/s3_bucket/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+bucket_name: '{{ resource_prefix }}-{{ inventory_hostname | regex_replace("_","-") }}'

test/integration/targets/s3_bucket/roles/s3_bucket/meta/main.yml

@@ -0,0 +1,4 @@
+dependencies:
+  - prepare_tests
+  - setup_ec2
+  - setup_remote_tmp_dir

test/integration/targets/s3_bucket/roles/s3_bucket/tasks/complex.yml

@@ -0,0 +1,135 @@
+---
+- block:
+    - name: 'Create more complex s3_bucket'
+      s3_bucket:
+        name: '{{ bucket_name }}'
+        state: present
+        policy: "{{ lookup('template','policy.json') }}"
+        requester_pays: yes
+        versioning: yes
+        tags:
+          example: tag1
+          another: tag2
+      register: output
+
+    - assert:
+        that:
+          - output is changed
+          - output.name == '{{ bucket_name }}'
+          - output.requester_pays
+          - output.versioning.MfaDelete == 'Disabled'
+          - output.versioning.Versioning == 'Enabled'
+          - output.tags.example == 'tag1'
+          - output.tags.another == 'tag2'
+          - output.policy.Statement[0].Action == 's3:GetObject'
+          - output.policy.Statement[0].Effect == 'Allow'
+          - output.policy.Statement[0].Principal == '*'
+          - output.policy.Statement[0].Resource == 'arn:aws:s3:::{{ bucket_name }}/*'
+          - output.policy.Statement[0].Sid == 'AddPerm'
+
+    # ============================================================
+
+    - name: 'Pause to help with s3 bucket eventual consistency'
+      wait_for:
+        timeout: 10
+      delegate_to: localhost
+
+    - name: 'Try to update the same complex s3_bucket'
+      s3_bucket:
+        name: '{{ bucket_name }}'
+        state: present
+        policy: "{{ lookup('template','policy.json') }}"
+        requester_pays: yes
+        versioning: yes
+        tags:
+          example: tag1
+          another: tag2
+      register: output
+
+    - assert:
+        that:
+          - output is not changed
+
+    # ============================================================
+    - name: 'Update bucket policy on complex bucket'
+      s3_bucket:
+        name: '{{ bucket_name }}'
+        state: present
+        policy: "{{ lookup('template','policy-updated.json') }}"
+        requester_pays: yes
+        versioning: yes
+        tags:
+          example: tag1
+          another: tag2
+      register: output
+
+    - assert:
+        that:
+          - output is changed
+          - output.policy.Statement[0].Action == 's3:GetObject'
+          - output.policy.Statement[0].Effect == 'Deny'
+          - output.policy.Statement[0].Principal == '*'
+          - output.policy.Statement[0].Resource == 'arn:aws:s3:::{{ bucket_name }}/*'
+          - output.policy.Statement[0].Sid == 'AddPerm'
+
+    # ============================================================
+
+    - name: 'Pause to help with s3 bucket eventual consistency'
+      wait_for:
+        timeout: 10
+      delegate_to: localhost
+
+    - name: Update attributes for s3_bucket
+      s3_bucket:
+        name: '{{ bucket_name }}'
+        state: present
+        policy: "{{ lookup('template','policy.json') }}"
+        requester_pays: no
+        versioning: no
+        tags:
+          example: tag1-udpated
+          another: tag2
+      register: output
+
+    - assert:
+        that:
+          - output is changed
+          - output.name == '{{ bucket_name }}'
+          - not output.requester_pays
+          - output.versioning.MfaDelete == 'Disabled'
+          - output.versioning.Versioning in ['Suspended', 'Disabled']
+          - output.tags.example == 'tag1-udpated'
+          - output.tags.another == 'tag2'
+          - output.policy.Statement[0].Action == 's3:GetObject'
+          - output.policy.Statement[0].Effect == 'Allow'
+          - output.policy.Statement[0].Principal == '*'
+          - output.policy.Statement[0].Resource == 'arn:aws:s3:::{{ bucket_name }}/*'
+          - output.policy.Statement[0].Sid == 'AddPerm'
+
+    - name: 'Delete complex test bucket'
+      s3_bucket:
+        name: '{{ bucket_name }}'
+        state: absent
+      register: output
+
+    - assert:
+        that:
+          - output is changed
+
+    - name: 'Re-delete complex test bucket'
+      s3_bucket:
+        name: '{{ bucket_name }}'
+        state: absent
+      register: output
+
+    - assert:
+        that:
+          - output is not changed
+
+  # ============================================================
+  always:
+    - name: 'Ensure all buckets are deleted'
+      s3_bucket:
+        name: '{{ bucket_name }}'
+        state: absent
+      ignore_errors: yes

test/integration/targets/s3_bucket/roles/s3_bucket/tasks/dotted.yml

@@ -0,0 +1,54 @@
+---
+- block:
+    - name: 'Ensure bucket_name contains a .'
+      set_fact:
+        bucket_name: '{{ bucket_name }}.something'
+
+    # ============================================================
+    #
+    - name: 'Create bucket with dot in name'
+      s3_bucket:
+        name: '{{ bucket_name }}'
+        state: present
+      register: output
+
+    - assert:
+        that:
+          - output is changed
+          - output.name == '{{ bucket_name }}'
+
+
+    # ============================================================
+
+    - name: 'Pause to help with s3 bucket eventual consistency'
+      wait_for:
+        timeout: 10
+      delegate_to: localhost
+
+    - name: 'Delete s3_bucket with dot in name'
+      s3_bucket:
+        name: '{{ bucket_name }}'
+        state: absent
+      register: output
+
+    - assert:
+        that:
+          - output is changed
+
+    - name: 'Re-delete s3_bucket with dot in name'
+      s3_bucket:
+        name: '{{ bucket_name }}'
+        state: absent
+      register: output
+
+    - assert:
+        that:
+          - output is not changed
+
+  # ============================================================
+  always:
+    - name: 'Ensure all buckets are deleted'
+      s3_bucket:
+        name: '{{ bucket_name }}'
+        state: absent
+      ignore_errors: yes

test/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_kms.yml

@@ -0,0 +1,88 @@
+---
+- module_defaults:
+    group/aws:
+      aws_access_key: "{{ aws_access_key }}"
+      aws_secret_key: "{{ aws_secret_key }}"
+      security_token: "{{ security_token | default(omit) }}"
+      region: "{{ aws_region }}"
+  block:
+
+    # ============================================================
+
+    - name: 'Create a simple bucket'
+      s3_bucket:
+        name: '{{ bucket_name }}'
+        state: present
+      register: output
+
+    - name: 'Enable aws:kms encryption with KMS master key'
+      s3_bucket:
+        name: '{{ bucket_name }}'
+        state: present
+        encryption: "aws:kms"
+      register: output
+
+    - assert:
+        that:
+          - output.changed
+          - output.encryption
+          - output.encryption.SSEAlgorithm == 'aws:kms'
+
+    - name: 'Re-enable aws:kms encryption with KMS master key (idempotent)'
+      s3_bucket:
+        name: '{{ bucket_name }}'
+        state: present
+        encryption: "aws:kms"
+      register: output
+
+    - assert:
+        that:
+          - not output.changed
+          - output.encryption
+          - output.encryption.SSEAlgorithm == 'aws:kms'
+
+    # ============================================================
+
+    - name: Disable encryption from bucket
+      s3_bucket:
+        name: '{{ bucket_name }}'
+        state: present
+        encryption: "none"
+      register: output
+
+    - assert:
+        that:
+          - output.changed
+          - not output.encryption
+
+    - name: Disable encryption from bucket
+      s3_bucket:
+        name: '{{ bucket_name }}'
+        state: present
+        encryption: "none"
+      register: output
+
+    - assert:
+        that:
+          - output is not changed
+          - not output.encryption
+
+    # ============================================================
+
+    - name: Delete encryption test s3 bucket
+      s3_bucket:
+        name: '{{ bucket_name }}'
+        state: absent
+      register: output
+
+    - assert:
+        that:
+          - output.changed
+
+  # ============================================================
+  always:
+    - name: Ensure all buckets are deleted
+      s3_bucket:
+        name: '{{ bucket_name }}'
+        state: absent
+      ignore_errors: yes