From 8f73866cbea102df8b5ec25dda01a41b1abc72b5 Mon Sep 17 00:00:00 2001 From: Mark Chappell Date: Thu, 20 Feb 2020 20:55:13 +0100 Subject: [PATCH] Rework s3_bucket integration tests ci_complete --- test/integration/targets/s3_bucket/aliases | 1 - test/integration/targets/s3_bucket/inventory | 12 + test/integration/targets/s3_bucket/main.yml | 12 + .../targets/s3_bucket/meta/main.yml | 4 + .../roles/s3_bucket/defaults/main.yml | 2 + .../s3_bucket/roles/s3_bucket/meta/main.yml | 4 + .../roles/s3_bucket/tasks/complex.yml | 135 ++++++ .../roles/s3_bucket/tasks/dotted.yml | 54 +++ .../roles/s3_bucket/tasks/encryption_kms.yml | 88 ++++ .../roles/s3_bucket/tasks/encryption_sse.yml | 88 ++++ .../s3_bucket/roles/s3_bucket/tasks/main.yml | 20 + .../roles/s3_bucket/tasks/missing.yml | 26 + .../roles/s3_bucket/tasks/simple.yml | 64 +++ .../s3_bucket/roles/s3_bucket/tasks/tags.yml | 256 ++++++++++ .../s3_bucket}/templates/policy-updated.json | 0 .../s3_bucket}/templates/policy.json | 0 test/integration/targets/s3_bucket/runme.sh | 12 + .../targets/s3_bucket/tasks/main.yml | 452 ------------------ 18 files changed, 777 insertions(+), 453 deletions(-) create mode 100644 test/integration/targets/s3_bucket/inventory create mode 100644 test/integration/targets/s3_bucket/main.yml create mode 100644 test/integration/targets/s3_bucket/meta/main.yml create mode 100644 test/integration/targets/s3_bucket/roles/s3_bucket/defaults/main.yml create mode 100644 test/integration/targets/s3_bucket/roles/s3_bucket/meta/main.yml create mode 100644 test/integration/targets/s3_bucket/roles/s3_bucket/tasks/complex.yml create mode 100644 test/integration/targets/s3_bucket/roles/s3_bucket/tasks/dotted.yml create mode 100644 test/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_kms.yml create mode 100644 test/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_sse.yml create mode 100644 test/integration/targets/s3_bucket/roles/s3_bucket/tasks/main.yml create mode 100644 test/integration/targets/s3_bucket/roles/s3_bucket/tasks/missing.yml create mode 100644 test/integration/targets/s3_bucket/roles/s3_bucket/tasks/simple.yml create mode 100644 test/integration/targets/s3_bucket/roles/s3_bucket/tasks/tags.yml rename test/integration/targets/s3_bucket/{ => roles/s3_bucket}/templates/policy-updated.json (100%) rename test/integration/targets/s3_bucket/{ => roles/s3_bucket}/templates/policy.json (100%) create mode 100755 test/integration/targets/s3_bucket/runme.sh delete mode 100644 test/integration/targets/s3_bucket/tasks/main.yml diff --git a/test/integration/targets/s3_bucket/aliases b/test/integration/targets/s3_bucket/aliases index dd849540d507c6..a112c3d1bb26f0 100644 --- a/test/integration/targets/s3_bucket/aliases +++ b/test/integration/targets/s3_bucket/aliases @@ -1,3 +1,2 @@ cloud/aws shippable/aws/group1 -unstable diff --git a/test/integration/targets/s3_bucket/inventory b/test/integration/targets/s3_bucket/inventory new file mode 100644 index 00000000000000..2968f764cfaddb --- /dev/null +++ b/test/integration/targets/s3_bucket/inventory @@ -0,0 +1,12 @@ +[tests] +missing +simple +complex +dotted +tags +encryption_kms +encryption_sse + +[all:vars] +ansible_connection=local +ansible_python_interpreter="{{ ansible_playbook_python }}" diff --git a/test/integration/targets/s3_bucket/main.yml b/test/integration/targets/s3_bucket/main.yml new file mode 100644 index 00000000000000..22fc0d64f73395 --- /dev/null +++ b/test/integration/targets/s3_bucket/main.yml @@ -0,0 +1,12 @@ +--- +# Beware: most of our tests here are run in parallel. +# To add new tests you'll need to add a new host to the inventory and a matching +# '{{ inventory_hostname }}'.yml file in roles/s3_bucket/tasks/ + +# VPC should get cleaned up once all hosts have run +- hosts: all + gather_facts: no + strategy: free + #serial: 10 + roles: + - s3_bucket diff --git a/test/integration/targets/s3_bucket/meta/main.yml b/test/integration/targets/s3_bucket/meta/main.yml new file mode 100644 index 00000000000000..38b31be0728b52 --- /dev/null +++ b/test/integration/targets/s3_bucket/meta/main.yml @@ -0,0 +1,4 @@ +dependencies: + - prepare_tests + - setup_ec2 + - setup_remote_tmp_dir diff --git a/test/integration/targets/s3_bucket/roles/s3_bucket/defaults/main.yml b/test/integration/targets/s3_bucket/roles/s3_bucket/defaults/main.yml new file mode 100644 index 00000000000000..b4fd58adfc9850 --- /dev/null +++ b/test/integration/targets/s3_bucket/roles/s3_bucket/defaults/main.yml @@ -0,0 +1,2 @@ +--- +bucket_name: '{{ resource_prefix }}-{{ inventory_hostname | regex_replace("_","-") }}' diff --git a/test/integration/targets/s3_bucket/roles/s3_bucket/meta/main.yml b/test/integration/targets/s3_bucket/roles/s3_bucket/meta/main.yml new file mode 100644 index 00000000000000..38b31be0728b52 --- /dev/null +++ b/test/integration/targets/s3_bucket/roles/s3_bucket/meta/main.yml @@ -0,0 +1,4 @@ +dependencies: + - prepare_tests + - setup_ec2 + - setup_remote_tmp_dir diff --git a/test/integration/targets/s3_bucket/roles/s3_bucket/tasks/complex.yml b/test/integration/targets/s3_bucket/roles/s3_bucket/tasks/complex.yml new file mode 100644 index 00000000000000..274c0ef41bfe55 --- /dev/null +++ b/test/integration/targets/s3_bucket/roles/s3_bucket/tasks/complex.yml @@ -0,0 +1,135 @@ +--- +- block: + - name: 'Create more complex s3_bucket' + s3_bucket: + name: '{{ bucket_name }}' + state: present + policy: "{{ lookup('template','policy.json') }}" + requester_pays: yes + versioning: yes + tags: + example: tag1 + another: tag2 + register: output + + - assert: + that: + - output is changed + - output.name == '{{ bucket_name }}' + - output.requester_pays + - output.versioning.MfaDelete == 'Disabled' + - output.versioning.Versioning == 'Enabled' + - output.tags.example == 'tag1' + - output.tags.another == 'tag2' + - output.policy.Statement[0].Action == 's3:GetObject' + - output.policy.Statement[0].Effect == 'Allow' + - output.policy.Statement[0].Principal == '*' + - output.policy.Statement[0].Resource == 'arn:aws:s3:::{{ bucket_name }}/*' + - output.policy.Statement[0].Sid == 'AddPerm' + + # ============================================================ + + - name: 'Pause to help with s3 bucket eventual consistency' + wait_for: + timeout: 10 + delegate_to: localhost + + - name: 'Try to update the same complex s3_bucket' + s3_bucket: + name: '{{ bucket_name }}' + state: present + policy: "{{ lookup('template','policy.json') }}" + requester_pays: yes + versioning: yes + tags: + example: tag1 + another: tag2 + register: output + + - assert: + that: + - output is not changed + + # ============================================================ + - name: 'Update bucket policy on complex bucket' + s3_bucket: + name: '{{ bucket_name }}' + state: present + policy: "{{ lookup('template','policy-updated.json') }}" + requester_pays: yes + versioning: yes + tags: + example: tag1 + another: tag2 + register: output + + - assert: + that: + - output is changed + - output.policy.Statement[0].Action == 's3:GetObject' + - output.policy.Statement[0].Effect == 'Deny' + - output.policy.Statement[0].Principal == '*' + - output.policy.Statement[0].Resource == 'arn:aws:s3:::{{ bucket_name }}/*' + - output.policy.Statement[0].Sid == 'AddPerm' + + # ============================================================ + + - name: 'Pause to help with s3 bucket eventual consistency' + wait_for: + timeout: 10 + delegate_to: localhost + + - name: Update attributes for s3_bucket + s3_bucket: + name: '{{ bucket_name }}' + state: present + policy: "{{ lookup('template','policy.json') }}" + requester_pays: no + versioning: no + tags: + example: tag1-udpated + another: tag2 + register: output + + - assert: + that: + - output is changed + - output.name == '{{ bucket_name }}' + - not output.requester_pays + - output.versioning.MfaDelete == 'Disabled' + - output.versioning.Versioning in ['Suspended', 'Disabled'] + - output.tags.example == 'tag1-udpated' + - output.tags.another == 'tag2' + - output.policy.Statement[0].Action == 's3:GetObject' + - output.policy.Statement[0].Effect == 'Allow' + - output.policy.Statement[0].Principal == '*' + - output.policy.Statement[0].Resource == 'arn:aws:s3:::{{ bucket_name }}/*' + - output.policy.Statement[0].Sid == 'AddPerm' + + - name: 'Delete complex test bucket' + s3_bucket: + name: '{{ bucket_name }}' + state: absent + register: output + + - assert: + that: + - output is changed + + - name: 'Re-delete complex test bucket' + s3_bucket: + name: '{{ bucket_name }}' + state: absent + register: output + + - assert: + that: + - output is not changed + + # ============================================================ + always: + - name: 'Ensure all buckets are deleted' + s3_bucket: + name: '{{ bucket_name }}' + state: absent + ignore_errors: yes diff --git a/test/integration/targets/s3_bucket/roles/s3_bucket/tasks/dotted.yml b/test/integration/targets/s3_bucket/roles/s3_bucket/tasks/dotted.yml new file mode 100644 index 00000000000000..7d4e0ae9eabd40 --- /dev/null +++ b/test/integration/targets/s3_bucket/roles/s3_bucket/tasks/dotted.yml @@ -0,0 +1,54 @@ +--- +- block: + - name: 'Ensure bucket_name contains a .' + set_fact: + bucket_name: '{{ bucket_name }}.something' + + # ============================================================ + # + - name: 'Create bucket with dot in name' + s3_bucket: + name: '{{ bucket_name }}' + state: present + register: output + + - assert: + that: + - output is changed + - output.name == '{{ bucket_name }}' + + + # ============================================================ + + - name: 'Pause to help with s3 bucket eventual consistency' + wait_for: + timeout: 10 + delegate_to: localhost + + - name: 'Delete s3_bucket with dot in name' + s3_bucket: + name: '{{ bucket_name }}' + state: absent + register: output + + - assert: + that: + - output is changed + + - name: 'Re-delete s3_bucket with dot in name' + s3_bucket: + name: '{{ bucket_name }}' + state: absent + register: output + + - assert: + that: + - output is not changed + + # ============================================================ + always: + - name: 'Ensure all buckets are deleted' + s3_bucket: + name: '{{ bucket_name }}' + state: absent + ignore_errors: yes diff --git a/test/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_kms.yml b/test/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_kms.yml new file mode 100644 index 00000000000000..869dd40236d6f2 --- /dev/null +++ b/test/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_kms.yml @@ -0,0 +1,88 @@ +--- +- module_defaults: + group/aws: + aws_access_key: "{{ aws_access_key }}" + aws_secret_key: "{{ aws_secret_key }}" + security_token: "{{ security_token | default(omit) }}" + region: "{{ aws_region }}" + block: + + # ============================================================ + + - name: 'Create a simple bucket' + s3_bucket: + name: '{{ bucket_name }}' + state: present + register: output + + - name: 'Enable aws:kms encryption with KMS master key' + s3_bucket: + name: '{{ bucket_name }}' + state: present + encryption: "aws:kms" + register: output + + - assert: + that: + - output.changed + - output.encryption + - output.encryption.SSEAlgorithm == 'aws:kms' + + - name: 'Re-enable aws:kms encryption with KMS master key (idempotent)' + s3_bucket: + name: '{{ bucket_name }}' + state: present + encryption: "aws:kms" + register: output + + - assert: + that: + - not output.changed + - output.encryption + - output.encryption.SSEAlgorithm == 'aws:kms' + + # ============================================================ + + - name: Disable encryption from bucket + s3_bucket: + name: '{{ bucket_name }}' + state: present + encryption: "none" + register: output + + - assert: + that: + - output.changed + - not output.encryption + + - name: Disable encryption from bucket + s3_bucket: + name: '{{ bucket_name }}' + state: present + encryption: "none" + register: output + + - assert: + that: + - output is not changed + - not output.encryption + + # ============================================================ + + - name: Delete encryption test s3 bucket + s3_bucket: + name: '{{ bucket_name }}' + state: absent + register: output + + - assert: + that: + - output.changed + + # ============================================================ + always: + - name: Ensure all buckets are deleted + s3_bucket: + name: '{{ bucket_name }}' + state: absent + ignore_errors: yes diff --git a/test/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_sse.yml b/test/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_sse.yml new file mode 100644 index 00000000000000..aa04d899064e40 --- /dev/null +++ b/test/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_sse.yml @@ -0,0 +1,88 @@ +--- +- module_defaults: + group/aws: + aws_access_key: "{{ aws_access_key }}" + aws_secret_key: "{{ aws_secret_key }}" + security_token: "{{ security_token | default(omit) }}" + region: "{{ aws_region }}" + block: + + # ============================================================ + + - name: 'Create a simple bucket' + s3_bucket: + name: '{{ bucket_name }}' + state: present + register: output + + - name: 'Enable aws:kms encryption with KMS master key' + s3_bucket: + name: '{{ bucket_name }}' + state: present + encryption: 'AES256' + register: output + + - assert: + that: + - output.changed + - output.encryption + - output.encryption.SSEAlgorithm == 'AES256' + + - name: 'Re-enable aws:kms encryption with KMS master key (idempotent)' + s3_bucket: + name: '{{ bucket_name }}' + state: present + encryption: 'AES256' + register: output + + - assert: + that: + - not output.changed + - output.encryption + - output.encryption.SSEAlgorithm == 'AES256' + + # ============================================================ + + - name: Disable encryption from bucket + s3_bucket: + name: '{{ bucket_name }}' + state: present + encryption: "none" + register: output + + - assert: + that: + - output.changed + - not output.encryption + + - name: Disable encryption from bucket + s3_bucket: + name: '{{ bucket_name }}' + state: present + encryption: "none" + register: output + + - assert: + that: + - output is not changed + - not output.encryption + + # ============================================================ + + - name: Delete encryption test s3 bucket + s3_bucket: + name: '{{ bucket_name }}' + state: absent + register: output + + - assert: + that: + - output.changed + + # ============================================================ + always: + - name: Ensure all buckets are deleted + s3_bucket: + name: '{{ bucket_name }}' + state: absent + ignore_errors: yes diff --git a/test/integration/targets/s3_bucket/roles/s3_bucket/tasks/main.yml b/test/integration/targets/s3_bucket/roles/s3_bucket/tasks/main.yml new file mode 100644 index 00000000000000..8eba03ba1a7738 --- /dev/null +++ b/test/integration/targets/s3_bucket/roles/s3_bucket/tasks/main.yml @@ -0,0 +1,20 @@ +--- +# Beware: most of our tests here are run in parallel. +# To add new tests you'll need to add a new host to the inventory and a matching +# '{{ inventory_hostname }}'.yml file in roles/ec2_roles/tasks/ +# +# ############################################################################### + +- name: "Wrap up all tests and setup AWS credentials" + module_defaults: + group/aws: + aws_access_key: "{{ aws_access_key }}" + aws_secret_key: "{{ aws_secret_key }}" + security_token: "{{ security_token | default(omit) }}" + region: "{{ aws_region }}" + block: + - debug: + msg: "{{ inventory_hostname }} start: {{ lookup('pipe','date') }}" + - include_tasks: '{{ inventory_hostname }}.yml' + - debug: + msg: "{{ inventory_hostname }} finish: {{ lookup('pipe','date') }}" diff --git a/test/integration/targets/s3_bucket/roles/s3_bucket/tasks/missing.yml b/test/integration/targets/s3_bucket/roles/s3_bucket/tasks/missing.yml new file mode 100644 index 00000000000000..4d827680eed3d6 --- /dev/null +++ b/test/integration/targets/s3_bucket/roles/s3_bucket/tasks/missing.yml @@ -0,0 +1,26 @@ +--- +- name: 'Attempt to delete non-existent buckets' + block: + # ============================================================ + # + # While in theory the 'simple' test case covers this there are + # ways in which eventual-consistency could catch us out. + # + - name: 'Delete non-existstent s3_bucket (never created)' + s3_bucket: + name: '{{ bucket_name }}' + state: absent + register: output + + - assert: + that: + - output is success + - output is not changed + + # ============================================================ + always: + - name: 'Ensure all buckets are deleted' + s3_bucket: + name: '{{ bucket_name }}' + state: absent + ignore_errors: yes diff --git a/test/integration/targets/s3_bucket/roles/s3_bucket/tasks/simple.yml b/test/integration/targets/s3_bucket/roles/s3_bucket/tasks/simple.yml new file mode 100644 index 00000000000000..3499804bb40dbf --- /dev/null +++ b/test/integration/targets/s3_bucket/roles/s3_bucket/tasks/simple.yml @@ -0,0 +1,64 @@ +--- +- name: 'Run simple tests' + block: + # Note: s3_bucket doesn't support check_mode + + # ============================================================ + - name: 'Create a simple s3_bucket' + s3_bucket: + name: '{{ bucket_name }}' + state: present + register: output + + - assert: + that: + - output is success + - output is changed + - output.name == '{{ bucket_name }}' + - not output.requester_pays + + # ============================================================ + - name: 'Try to update the simple bucket with the same values' + s3_bucket: + name: '{{ bucket_name }}' + state: present + register: output + + - assert: + that: + - output is success + - output is not changed + - output.name == '{{ bucket_name }}' + - not output.requester_pays + + # ============================================================ + - name: 'Delete the simple s3_bucket' + s3_bucket: + name: '{{ bucket_name }}' + state: absent + register: output + + - assert: + that: + - output is success + - output is changed + + # ============================================================ + - name: 'Re-delete the simple s3_bucket' + s3_bucket: + name: '{{ bucket_name }}' + state: absent + register: output + + - assert: + that: + - output is success + - output is not changed + + # ============================================================ + always: + - name: 'Ensure all buckets are deleted' + s3_bucket: + name: '{{ bucket_name }}' + state: absent + ignore_errors: yes diff --git a/test/integration/targets/s3_bucket/roles/s3_bucket/tasks/tags.yml b/test/integration/targets/s3_bucket/roles/s3_bucket/tasks/tags.yml new file mode 100644 index 00000000000000..437dd2ca5fd016 --- /dev/null +++ b/test/integration/targets/s3_bucket/roles/s3_bucket/tasks/tags.yml @@ -0,0 +1,256 @@ +--- +- name: 'Run tagging tests' + block: + + # ============================================================ + - name: 'Create simple s3_bucket for testing tagging' + s3_bucket: + name: '{{ bucket_name }}' + state: present + register: output + + - assert: + that: + - output.changed + - output.name == '{{ bucket_name }}' + + # ============================================================ + + - name: 'Add tags to s3 bucket' + s3_bucket: + name: '{{ bucket_name }}' + state: present + tags: + example: tag1 + another: tag2 + register: output + + - assert: + that: + - output.changed + - output.name == '{{ bucket_name }}' + - output.tags.example == 'tag1' + - output.tags.another == 'tag2' + + - name: 'Re-Add tags to s3 bucket' + s3_bucket: + name: '{{ bucket_name }}' + state: present + tags: + example: tag1 + another: tag2 + register: output + + - assert: + that: + - output is not changed + - output.name == '{{ bucket_name }}' + - output.tags.example == 'tag1' + - output.tags.another == 'tag2' + + # ============================================================ + + - name: Remove a tag from an s3_bucket + s3_bucket: + name: '{{ bucket_name }}' + state: present + tags: + example: tag1 + register: output + + - assert: + that: + - output.changed + - output.name == '{{ bucket_name }}' + - output.tags.example == 'tag1' + - "'another' not in output.tags" + + - name: Re-remove the tag from an s3_bucket + s3_bucket: + name: '{{ bucket_name }}' + state: present + tags: + example: tag1 + register: output + + - assert: + that: + - output is not changed + - output.name == '{{ bucket_name }}' + - output.tags.example == 'tag1' + - "'another' not in output.tags" + + ## ============================================================ + + #- name: 'Pause to help with s3 bucket eventual consistency' + # wait_for: + # timeout: 10 + # delegate_to: localhost + + ## ============================================================ + + - name: 'Add a tag for s3_bucket with purge_tags False' + s3_bucket: + name: '{{ bucket_name }}' + state: present + purge_tags: no + tags: + anewtag: here + register: output + + - assert: + that: + - output.changed + - output.name == '{{ bucket_name }}' + - output.tags.example == 'tag1' + - output.tags.anewtag == 'here' + + - name: 'Re-add a tag for s3_bucket with purge_tags False' + s3_bucket: + name: '{{ bucket_name }}' + state: present + purge_tags: no + tags: + anewtag: here + register: output + + - assert: + that: + - output is not changed + - output.name == '{{ bucket_name }}' + - output.tags.example == 'tag1' + - output.tags.anewtag == 'here' + + ## ============================================================ + + #- name: 'Pause to help with s3 bucket eventual consistency' + # wait_for: + # timeout: 10 + # delegate_to: localhost + + ## ============================================================ + + - name: Update a tag for s3_bucket with purge_tags False + s3_bucket: + name: '{{ bucket_name }}' + state: present + purge_tags: no + tags: + anewtag: next + register: output + + - assert: + that: + - output.changed + - output.name == '{{ bucket_name }}' + - output.tags.example == 'tag1' + - output.tags.anewtag == 'next' + + - name: Re-update a tag for s3_bucket with purge_tags False + s3_bucket: + name: '{{ bucket_name }}' + state: present + purge_tags: no + tags: + anewtag: next + register: output + + - assert: + that: + - output is not changed + - output.name == '{{ bucket_name }}' + - output.tags.example == 'tag1' + - output.tags.anewtag == 'next' + + ## ============================================================ + + #- name: 'Pause to help with s3 bucket eventual consistency' + # wait_for: + # timeout: 10 + # delegate_to: localhost + + ## ============================================================ + + - name: Pass empty tags dict for s3_bucket with purge_tags False + s3_bucket: + name: '{{ bucket_name }}' + state: present + purge_tags: no + tags: {} + register: output + + - assert: + that: + - output is not changed + - output.name == '{{ bucket_name }}' + - output.tags.example == 'tag1' + - output.tags.anewtag == 'next' + + ## ============================================================ + + #- name: 'Pause to help with s3 bucket eventual consistency' + # wait_for: + # timeout: 10 + # delegate_to: localhost + + ## ============================================================ + + - name: Do not specify any tag to ensure previous tags are not removed + s3_bucket: + name: '{{ bucket_name }}' + state: present + register: output + + - assert: + that: + - not output.changed + - output.name == '{{ bucket_name }}' + - output.tags.example == 'tag1' + + # ============================================================ + + - name: Remove all tags + s3_bucket: + name: '{{ bucket_name }}' + state: present + tags: {} + register: output + + - assert: + that: + - output.changed + - output.name == '{{ bucket_name }}' + - output.tags == {} + + - name: Re-remove all tags + s3_bucket: + name: '{{ bucket_name }}' + state: present + tags: {} + register: output + + - assert: + that: + - output is not changed + - output.name == '{{ bucket_name }}' + - output.tags == {} + + # ============================================================ + + - name: Delete bucket + s3_bucket: + name: '{{ bucket_name }}' + state: absent + register: output + + - assert: + that: + - output.changed + + # ============================================================ + always: + - name: Ensure all buckets are deleted + s3_bucket: + name: '{{ bucket_name }}' + state: absent + ignore_errors: yes diff --git a/test/integration/targets/s3_bucket/templates/policy-updated.json b/test/integration/targets/s3_bucket/roles/s3_bucket/templates/policy-updated.json similarity index 100% rename from test/integration/targets/s3_bucket/templates/policy-updated.json rename to test/integration/targets/s3_bucket/roles/s3_bucket/templates/policy-updated.json diff --git a/test/integration/targets/s3_bucket/templates/policy.json b/test/integration/targets/s3_bucket/roles/s3_bucket/templates/policy.json similarity index 100% rename from test/integration/targets/s3_bucket/templates/policy.json rename to test/integration/targets/s3_bucket/roles/s3_bucket/templates/policy.json diff --git a/test/integration/targets/s3_bucket/runme.sh b/test/integration/targets/s3_bucket/runme.sh new file mode 100755 index 00000000000000..aa324772bbef96 --- /dev/null +++ b/test/integration/targets/s3_bucket/runme.sh @@ -0,0 +1,12 @@ +#!/usr/bin/env bash +# +# Beware: most of our tests here are run in parallel. +# To add new tests you'll need to add a new host to the inventory and a matching +# '{{ inventory_hostname }}'.yml file in roles/ec2_instance/tasks/ + + +set -eux + +export ANSIBLE_ROLES_PATH=../ + +ansible-playbook main.yml -i inventory "$@" diff --git a/test/integration/targets/s3_bucket/tasks/main.yml b/test/integration/targets/s3_bucket/tasks/main.yml deleted file mode 100644 index 472859eca8e1b3..00000000000000 --- a/test/integration/targets/s3_bucket/tasks/main.yml +++ /dev/null @@ -1,452 +0,0 @@ ---- - -- block: - - # ============================================================ - - name: set connection information for all tasks - set_fact: - aws_connection_info: &aws_connection_info - aws_access_key: "{{ aws_access_key | default('') }}" - aws_secret_key: "{{ aws_secret_key | default('') }}" - security_token: "{{ security_token | default('') }}" - region: "{{ aws_region | default('') }}" - no_log: true - - # ============================================================ - - name: Create simple s3_bucket - s3_bucket: - name: "{{ resource_prefix }}-testbucket-ansible" - state: present - <<: *aws_connection_info - register: output - - - assert: - that: - - output.changed - - output.name == '{{ resource_prefix }}-testbucket-ansible' - - not output.requester_pays - - # ============================================================ - - name: Try to update the same bucket with the same values - s3_bucket: - name: "{{ resource_prefix }}-testbucket-ansible" - state: present - <<: *aws_connection_info - register: output - - - assert: - that: - - not output.changed - - output.name == '{{ resource_prefix }}-testbucket-ansible' - - not output.requester_pays - - # ============================================================ - - name: Delete test s3_bucket - s3_bucket: - name: "{{ resource_prefix }}-testbucket-ansible" - state: absent - <<: *aws_connection_info - register: output - - - assert: - that: - - output.changed - - # ============================================================ - - name: Set bucket_name variable to be able to use it in lookup('template') - set_fact: - bucket_name: "{{ resource_prefix }}-testbucket-ansible-complex" - - - name: Create more complex s3_bucket - s3_bucket: - name: "{{ resource_prefix }}-testbucket-ansible-complex" - state: present - policy: "{{ lookup('template','policy.json') }}" - requester_pays: yes - versioning: yes - tags: - example: tag1 - another: tag2 - <<: *aws_connection_info - register: output - - - assert: - that: - - output.changed - - output.name == '{{ resource_prefix }}-testbucket-ansible-complex' - - output.requester_pays - - output.versioning.MfaDelete == 'Disabled' - - output.versioning.Versioning == 'Enabled' - - output.tags.example == 'tag1' - - output.tags.another == 'tag2' - - output.policy.Statement[0].Action == 's3:GetObject' - - output.policy.Statement[0].Effect == 'Allow' - - output.policy.Statement[0].Principal == '*' - - output.policy.Statement[0].Resource == 'arn:aws:s3:::{{ resource_prefix }}-testbucket-ansible-complex/*' - - output.policy.Statement[0].Sid == 'AddPerm' - - # ============================================================ - - name: Pause to help with s3 bucket eventual consistency - pause: - seconds: 10 - - - name: Try to update the same complex s3_bucket - s3_bucket: - name: "{{ resource_prefix }}-testbucket-ansible-complex" - state: present - policy: "{{ lookup('template','policy.json') }}" - requester_pays: yes - versioning: yes - tags: - example: tag1 - another: tag2 - <<: *aws_connection_info - register: output - - - assert: - that: - - not output.changed - - # ============================================================ - - name: Update bucket policy on complex bucket - s3_bucket: - name: "{{ resource_prefix }}-testbucket-ansible-complex" - state: present - policy: "{{ lookup('template','policy-updated.json') }}" - requester_pays: yes - versioning: yes - tags: - example: tag1 - another: tag2 - <<: *aws_connection_info - register: output - - - assert: - that: - - output.changed - - output.policy.Statement[0].Action == 's3:GetObject' - - output.policy.Statement[0].Effect == 'Deny' - - output.policy.Statement[0].Principal == '*' - - output.policy.Statement[0].Resource == 'arn:aws:s3:::{{ resource_prefix }}-testbucket-ansible-complex/*' - - output.policy.Statement[0].Sid == 'AddPerm' - - # ============================================================ - - name: Pause to help with s3 bucket eventual consistency - pause: - seconds: 10 - - - name: Update attributes for s3_bucket - s3_bucket: - name: "{{ resource_prefix }}-testbucket-ansible-complex" - state: present - policy: "{{ lookup('template','policy.json') }}" - requester_pays: no - versioning: no - tags: - example: tag1-udpated - another: tag2 - <<: *aws_connection_info - register: output - - - assert: - that: - - output.changed - - output.name == '{{ resource_prefix }}-testbucket-ansible-complex' - - not output.requester_pays - - output.versioning.MfaDelete == 'Disabled' - - output.versioning.Versioning in ['Suspended', 'Disabled'] - - output.tags.example == 'tag1-udpated' - - output.tags.another == 'tag2' - - output.policy.Statement[0].Action == 's3:GetObject' - - output.policy.Statement[0].Effect == 'Allow' - - output.policy.Statement[0].Principal == '*' - - output.policy.Statement[0].Resource == 'arn:aws:s3:::{{ resource_prefix }}-testbucket-ansible-complex/*' - - output.policy.Statement[0].Sid == 'AddPerm' - - # ============================================================ - - name: Pause to help with s3 bucket eventual consistency - pause: - seconds: 10 - - - name: Remove a tag for s3_bucket - s3_bucket: - name: "{{ resource_prefix }}-testbucket-ansible-complex" - state: present - policy: "{{ lookup('template','policy.json') }}" - requester_pays: no - versioning: no - tags: - example: tag1-udpated - <<: *aws_connection_info - register: output - - - assert: - that: - - output.changed - - output.tags.example == 'tag1-udpated' - - "'another' not in output.tags" - - # ============================================================ - - name: Pause to help with s3 bucket eventual consistency - pause: - seconds: 10 - - - name: Add a tag for s3_bucket with purge_tags False - s3_bucket: - name: "{{ resource_prefix }}-testbucket-ansible-complex" - state: present - policy: "{{ lookup('template','policy.json') }}" - requester_pays: no - versioning: no - purge_tags: no - tags: - anewtag: here - <<: *aws_connection_info - register: output - - - assert: - that: - - output.changed - - output.tags.example == 'tag1-udpated' - - output.tags.anewtag == 'here' - - # ============================================================ - - name: Pause to help with s3 bucket eventual consistency - pause: - seconds: 10 - - - name: Update a tag for s3_bucket with purge_tags False - s3_bucket: - name: "{{ resource_prefix }}-testbucket-ansible-complex" - state: present - policy: "{{ lookup('template','policy.json') }}" - requester_pays: no - versioning: no - purge_tags: no - tags: - anewtag: next - <<: *aws_connection_info - register: output - - - assert: - that: - - output.changed - - output.tags.example == 'tag1-udpated' - - output.tags.anewtag == 'next' - - # ============================================================ - - name: Pause to help with s3 bucket eventual consistency - pause: - seconds: 10 - - - name: Pass empty tags dict for s3_bucket with purge_tags False - s3_bucket: - name: "{{ resource_prefix }}-testbucket-ansible-complex" - state: present - policy: "{{ lookup('template','policy.json') }}" - requester_pays: no - versioning: no - purge_tags: no - tags: {} - <<: *aws_connection_info - register: output - - - assert: - that: - - not output.changed - - output.tags.example == 'tag1-udpated' - - output.tags.anewtag == 'next' - - # ============================================================ - - name: Pause to help with s3 bucket eventual consistency - pause: - seconds: 10 - - - name: Do not specify any tag to ensure previous tags are not removed - s3_bucket: - name: "{{ resource_prefix }}-testbucket-ansible-complex" - state: present - policy: "{{ lookup('template','policy.json') }}" - requester_pays: no - versioning: no - <<: *aws_connection_info - register: output - - - assert: - that: - - not output.changed - - output.tags.example == 'tag1-udpated' - - # ============================================================ - - name: Remove all tags - s3_bucket: - name: "{{ resource_prefix }}-testbucket-ansible-complex" - state: present - policy: "{{ lookup('template','policy.json') }}" - requester_pays: no - versioning: no - tags: {} - <<: *aws_connection_info - register: output - - - assert: - that: - - output.changed - - output.tags == {} - - # ============================================================ - - name: Pause to help with s3 bucket eventual consistency - pause: - seconds: 5 - - - name: Delete complex s3 bucket - s3_bucket: - name: "{{ resource_prefix }}-testbucket-ansible-complex" - state: absent - <<: *aws_connection_info - register: output - - - assert: - that: - - output.changed - - # ============================================================ - - name: Create bucket with dot in name - s3_bucket: - name: "{{ resource_prefix }}.testbucket.ansible" - state: present - <<: *aws_connection_info - register: output - - - assert: - that: - - output.changed - - output.name == '{{ resource_prefix }}.testbucket.ansible' - - - # ============================================================ - - name: Pause to help with s3 bucket eventual consistency - pause: - seconds: 15 - - - name: Delete s3_bucket with dot in name - s3_bucket: - name: "{{ resource_prefix }}.testbucket.ansible" - state: absent - <<: *aws_connection_info - register: output - - - assert: - that: - - output.changed - - # ============================================================ - - name: Try to delete a missing bucket (should not fail) - s3_bucket: - name: "{{ resource_prefix }}-testbucket-ansible-missing" - state: absent - <<: *aws_connection_info - register: output - - - assert: - that: - - not output.changed - # ============================================================ - - name: Create bucket with AES256 encryption enabled - s3_bucket: - name: "{{ resource_prefix }}-testbucket-encrypt-ansible" - state: present - encryption: "AES256" - <<: *aws_connection_info - register: output - - - assert: - that: - - output.changed - - output.name == '{{ resource_prefix }}-testbucket-encrypt-ansible' - - output.encryption - - output.encryption.SSEAlgorithm == 'AES256' - - - name: Update bucket with same encryption config - s3_bucket: - name: "{{ resource_prefix }}-testbucket-encrypt-ansible" - state: present - encryption: "AES256" - <<: *aws_connection_info - register: output - - - assert: - that: - - not output.changed - - output.encryption - - output.encryption.SSEAlgorithm == 'AES256' - - - name: Disable encryption from bucket - s3_bucket: - name: "{{ resource_prefix }}-testbucket-encrypt-ansible" - state: present - encryption: "none" - <<: *aws_connection_info - register: output - - - assert: - that: - - output.changed - - not output.encryption - - - name: Enable aws:kms encryption with KMS master key - s3_bucket: - name: "{{ resource_prefix }}-testbucket-encrypt-ansible" - state: present - encryption: "aws:kms" - <<: *aws_connection_info - register: output - - - assert: - that: - - output.changed - - output.encryption - - output.encryption.SSEAlgorithm == 'aws:kms' - - - name: Enable aws:kms encryption with KMS master key (idempotent) - s3_bucket: - name: "{{ resource_prefix }}-testbucket-encrypt-ansible" - state: present - encryption: "aws:kms" - <<: *aws_connection_info - register: output - - - assert: - that: - - not output.changed - - output.encryption - - output.encryption.SSEAlgorithm == 'aws:kms' - - # ============================================================ - - name: Pause to help with s3 bucket eventual consistency - pause: - seconds: 10 - - - name: Delete encryption test s3 bucket - s3_bucket: - name: "{{ resource_prefix }}-testbucket-encrypt-ansible" - state: absent - <<: *aws_connection_info - register: output - - - assert: - that: - - output.changed - # ============================================================ - always: - - name: Ensure all buckets are deleted - s3_bucket: - name: "{{item}}" - state: absent - <<: *aws_connection_info - ignore_errors: yes - with_items: - - "{{ resource_prefix }}-testbucket-ansible" - - "{{ resource_prefix }}-testbucket-ansible-complex" - - "{{ resource_prefix }}.testbucket.ansible" - - "{{ resource_prefix }}-testbucket-encrypt-ansible"