Remove integration test reliance on the pre-existence of ansible_lamb…

…da_role (ansible-collections#63) * Migrate lambda tests to a unique IAM role (and clean up afterwards) * Migrate lambda_policy to a unique IAM role per-test (and clean up) * Use the Amazon provided AWSXrayWriteOnlyAccess policy rather than creating something custom * Migrate sns_topic to a unique IAM role per-test (and clean up) * Migrate s3_bucket_notifications to a unique IAM role per-test (and clean up) * CI relies on the very specific ansible-test-* pattern for role names * Minor lambda test cleanup - Reorder - Comments and spacing - Remove testing for standard AnsibleAWSModule boto behaviour, we have thorough tests for this now
alinabuzachis · Nov 23, 2020 · d82e219 · d82e219
1 parent 1371f21
commit d82e219
Show file tree

Hide file tree

Showing 12 changed files with 223 additions and 242 deletions.
diff --git a/tests/integration/targets/elb_target/playbooks/roles/elb_lambda_target/tasks/main.yml b/tests/integration/targets/elb_target/playbooks/roles/elb_lambda_target/tasks/main.yml
@@ -16,9 +16,9 @@
   - name: create or update service-role for lambda
     iam_role:
       name: '{{ lambda_role_name }}'
-      assume_role_policy_document: '{{ lookup(''file'', role_path + ''/files/assume-role.json'') }}'
+      assume_role_policy_document: '{{ lookup("file", role_path + "/files/assume-role.json") }}'
       managed_policy:
-      - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
+      - 'arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess'
     register: ROLE_ARN
   - name: when it is too fast, the role is not usable.
     pause:

diff --git a/tests/integration/targets/lambda/defaults/main.yml b/tests/integration/targets/lambda/defaults/main.yml
@@ -1,3 +1,10 @@
 ---
-# defaults file for aws_lambda test
-lambda_function_name: '{{resource_prefix}}'
+# defaults file for lambda integration test
+lambda_function_name: '{{ resource_prefix }}'
+# IAM role names have to be less than 64 characters
+# The 8 digit identifier at the end of resource_prefix helps determine during
+# which test something was created and allows tests to be run in parallel
+# Shippable resource_prefixes are in the format shippable-123456-123, so in those cases
+# we need both sets of digits to keep the resource name unique
+unique_id: "{{ resource_prefix | regex_search('(\\d+-?)(\\d+)$') }}"
+lambda_role_name: 'ansible-test-{{ unique_id }}-lambda'
diff --git a/tests/integration/targets/lambda/files/minimal_trust_policy.json b/tests/integration/targets/lambda/files/minimal_trust_policy.json
@@ -0,0 +1,12 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}