rds_subnet_group : Sanity Check fixes (docs) and Integration tests

hacking/aws_config/testing_policies/database-policy.json

@@ -88,6 +88,17 @@
           "Effect": "Allow",
           "Resource": "*"
         },
+        {
+            "Sid": "AllowRDSSubnetGroups",
+            "Effect": "Allow",
+            "Action": [
+                "rds:CreateDBSubnetGroup",
+                "rds:DeleteDBSubnetGroup",
+                "rds:DescribeDBSubnetGroups",
+                "rds:ModifyDBSubnetGroup"
+            ],
+            "Resource": ["*"]
+        },
         {
           "Sid": "DMSEndpoints",
           "Effect": "Allow",

lib/ansible/modules/cloud/amazon/rds_subnet_group.py

@@ -23,18 +23,23 @@
     description:
       - Specifies whether the subnet should be present or absent.
     required: true
-    default: present
     choices: [ 'present' , 'absent' ]
+    type: str
   name:
     description:
       - Database subnet group identifier.
     required: true
+    type: str
   description:
     description:
-      - Database subnet group description. Only set when a new group is added.
+      - Database subnet group description.
+      - Required when I(state=present).
+    type: str
   subnets:
     description:
       - List of subnet IDs that make up the database subnet group.
+      - Required when I(state=present).
+    type: list
 author: "Scott Anderson (@tastychutney)"
 extends_documentation_fragment:
     - aws
@@ -138,7 +143,7 @@ def main():
     group_subnets = module.params.get('subnets') or {}
 
     if state == 'present':
-        for required in ['name', 'description', 'subnets']:
+        for required in ['description', 'subnets']:
             if not module.params.get(required):
                 module.fail_json(msg=str("Parameter %s required for state='present'" % required))
     else:

test/integration/targets/rds_subnet_group/aliases

@@ -0,0 +1,2 @@
+cloud/aws
+shippable/aws/group2

test/integration/targets/rds_subnet_group/defaults/main.yml

@@ -0,0 +1,8 @@
+vpc_cidr: '10.{{ 256 | random(seed=resource_prefix) }}.0.0/16'
+subnet_a: '10.{{ 256 | random(seed=resource_prefix) }}.10.0/24'
+subnet_b: '10.{{ 256 | random(seed=resource_prefix) }}.11.0/24'
+subnet_c: '10.{{ 256 | random(seed=resource_prefix) }}.12.0/24'
+subnet_d: '10.{{ 256 | random(seed=resource_prefix) }}.13.0/24'
+
+group_description: 'Created by integration test : {{ resource_prefix }}'
+group_description_changed: 'Created by integration test : {{ resource_prefix }} - changed'

test/integration/targets/rds_subnet_group/meta/main.yml

@@ -0,0 +1,3 @@
+dependencies:
+- prepare_tests
+- setup_ec2

test/integration/targets/rds_subnet_group/tasks/main.yml

@@ -0,0 +1,113 @@
+---
+# Tests for rds_subnet_group
+#
+# Note: (From Amazon's documentation)
+# https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/rds.html#RDS.Client.modify_db_subnet_group
+# DB subnet groups must contain at least one subnet in at least two AZs in the
+# AWS Region.
+
+- module_defaults:
+    group/aws:
+      aws_access_key: '{{ aws_access_key }}'
+      aws_secret_key: '{{ aws_secret_key }}'
+      security_token: '{{ security_token | default(omit) }}'
+      region: '{{ aws_region }}'
+  block:
+
+  # ============================================================
+
+  - name: 'Fetch AZ availability'
+    aws_az_info:
+    register: az_info
+
+  - name: 'Assert that we have multiple AZs available to us'
+    assert:
+      that: az_info.availability_zones | length >= 2
+
+  - name: 'Pick AZs'
+    set_fact:
+      az_one: '{{ az_info.availability_zones[0].zone_name }}'
+      az_two: '{{ az_info.availability_zones[1].zone_name }}'
+
+  # ============================================================
+
+  - name: 'Create a VPC'
+    ec2_vpc_net:
+      state: present
+      cidr_block: '{{ vpc_cidr }}'
+      name: '{{ resource_prefix }}'
+    register: vpc
+
+  - name: 'Create subnets'
+    ec2_vpc_subnet:
+      state: present
+      cidr: '{{ item.cidr }}'
+      az: '{{ item.az }}'
+      vpc_id: '{{ vpc.vpc.id }}'
+      tags:
+        Name: '{{ item.name }}'
+    with_items:
+    - cidr: '{{ subnet_a }}'
+      az: '{{ az_one }}'
+      name: '{{ resource_prefix }}-subnet-a'
+    - cidr: '{{ subnet_b }}'
+      az: '{{ az_two }}'
+      name: '{{ resource_prefix }}-subnet-b'
+    - cidr: '{{ subnet_c }}'
+      az: '{{ az_one }}'
+      name: '{{ resource_prefix }}-subnet-c'
+    - cidr: '{{ subnet_d }}'
+      az: '{{ az_two }}'
+      name: '{{ resource_prefix }}-subnet-d'
+    register: subnets
+
+  - set_fact:
+      subnet_ids: '{{ subnets | json_query("results[].subnet.id") | list }}'
+
+  # ============================================================
+
+  - include_tasks: 'params.yml'
+
+  - include_tasks: 'tests.yml'
+
+  # ============================================================
+
+  always:
+  - name: 'Remove subnet group'
+    rds_subnet_group:
+      state: absent
+      name: '{{ resource_prefix }}'
+    ignore_errors: yes
+
+  - name: 'Remove subnets'
+    ec2_vpc_subnet:
+      state: absent
+      cidr: '{{ item.cidr }}'
+      vpc_id: '{{ vpc.vpc.id }}'
+    with_items:
+    - cidr: '{{ subnet_a }}'
+      name: '{{ resource_prefix }}-subnet-a'
+    - cidr: '{{ subnet_b }}'
+      name: '{{ resource_prefix }}-subnet-b'
+    - cidr: '{{ subnet_c }}'
+      name: '{{ resource_prefix }}-subnet-c'
+    - cidr: '{{ subnet_d }}'
+      name: '{{ resource_prefix }}-subnet-d'
+    ignore_errors: yes
+    register: removed_subnets
+    until: removed_subnets is succeeded
+    retries: 5
+    delay: 5
+
+  - name: 'Remove the VPC'
+    ec2_vpc_net:
+      state: absent
+      cidr_block: '{{ vpc_cidr }}'
+      name: '{{ resource_prefix }}'
+    ignore_errors: yes
+    register: removed_vpc
+    until: removed_vpc is success
+    retries: 5
+    delay: 5
+
+  # ============================================================

test/integration/targets/rds_subnet_group/tasks/params.yml

@@ -0,0 +1,62 @@
+---
+# Try creating without a description
+- name: 'Create a subnet group (no description)'
+  rds_subnet_group:
+    state: present
+    name: '{{ resource_prefix }}'
+    subnets:
+    - '{{ subnet_ids[0] }}'
+    - '{{ subnet_ids[1] }}'
+  ignore_errors: yes
+  register: create_missing_param
+- assert:
+    that:
+    - create_missing_param is failed
+    - "'description' in create_missing_param.msg"
+    - "\"required for state='present'\" in create_missing_param.msg"
+
+# Try creating without subnets
+- name: 'Create a subnet group (no subnets)'
+  rds_subnet_group:
+    state: present
+    name: '{{ resource_prefix }}'
+    description: '{{ group_description }}'
+  ignore_errors: yes
+  register: create_missing_param
+- assert:
+    that:
+    - create_missing_param is failed
+    - "'subnets' in create_missing_param.msg"
+    - "\"required for state='present'\" in create_missing_param.msg"
+
+# XXX This feels like a bad pattern
+# Try deleting with subnets
+- name: 'Delete a subnet group (with subnets)'
+  rds_subnet_group:
+    state: absent
+    name: '{{ resource_prefix }}'
+    subnets:
+    - '{{ subnet_ids[0] }}'
+    - '{{ subnet_ids[1] }}'
+  ignore_errors: yes
+  register: delete_extra_param
+- assert:
+    that:
+    - delete_extra_param is failed
+    - "'subnets' in delete_extra_param.msg"
+    - "\"not allowed for state='absent'\" in delete_extra_param.msg"
+
+# XXX This feels like a bad pattern
+# Try deleting with a description
+- name: 'Create a subnet group (with description)'
+  rds_subnet_group:
+    state: absent
+    name: '{{ resource_prefix }}'
+    description: '{{ group_description }}'
+  ignore_errors: yes
+  register: delete_extra_param
+- assert:
+    that:
+    - delete_extra_param is failed
+    - "'description' in delete_extra_param.msg"
+    - "\"not allowed for state='absent'\" in delete_extra_param.msg"