Rework example module to use EC2 rather than STS.

STS doesn't use regions...
ansible-collections · Jul 20, 2020 · 9ff52e6 · 9ff52e6
1 parent c9236f5
commit 9ff52e6
Show file tree

Hide file tree

Showing 8 changed files with 168 additions and 18 deletions.
diff --git a/tests/integration/targets/ansible_aws_module/main.yml b/tests/integration/targets/ansible_aws_module/main.yml
@@ -1,4 +1,7 @@
 - hosts: all
   gather_facts: no
+  collections:
+  - community.aws
+  - amazon.aws
   roles:
   - 'ansible_aws_module'
diff --git a/.../integration/targets/ansible_aws_module/roles/ansible_aws_module/library/boto3_example.py b/.../integration/targets/ansible_aws_module/roles/ansible_aws_module/library/boto3_example.py
@@ -15,6 +15,7 @@
     pass  # Handled by AnsibleAWSModule
 
 from ansible_collections.amazon.aws.plugins.module_utils.core import AnsibleAWSModule
+from ansible_collections.amazon.aws.plugins.module_utils.ec2 import ansible_dict_to_boto3_filter_list
 from ansible_collections.amazon.aws.plugins.module_utils.ec2 import camel_dict_to_snake_dict
 
 
@@ -24,18 +25,19 @@ def main():
         supports_check_mode=True,
     )
 
-    client = module.client('sts')
+    client = module.client('ec2')
+
+    filters = ansible_dict_to_boto3_filter_list({'name': 'amzn2-ami-hvm-2.0.202006*-x86_64-gp2'})
 
     try:
-        caller_info = client.get_caller_identity()
-        caller_info.pop('ResponseMetadata', None)
+        images = client.describe_images(ImageIds=[], Filters=filters, Owners=['amazon'], ExecutableUsers=[])
     except (BotoCoreError, ClientError) as e:
-        module.fail_json_aws(e, msg='Failed to retrieve caller identity')
+        module.fail_json_aws(e, msg='Failed to retrieve list of amis')
 
     # Return something, just because we can.
     module.exit_json(
         changed=False,
-        **camel_dict_to_snake_dict(caller_info))
+        **camel_dict_to_snake_dict(images))
 
 
 if __name__ == '__main__':

diff --git a/tests/integration/targets/ansible_aws_module/roles/ansible_aws_module/tasks/main.yml b/tests/integration/targets/ansible_aws_module/roles/ansible_aws_module/tasks/main.yml
@@ -1,8 +1,3 @@
 ---
-- name: 'run test module'
-  boto3_example:
-    #region: '{{ aws_region }}'
-    #aws_access_key: "{{ aws_access_key }}"
-    #aws_secret_key: "{{ aws_secret_key }}"
-    #security_token: "{{ security_token | default(omit) }}"
-    profile: 'test_profile'
+- name: 'Test that the varients we expect to succeed, do'
+  include_tasks: 'success.yml'
diff --git a/tests/integration/targets/ansible_aws_module/roles/ansible_aws_module/tasks/success.yml b/tests/integration/targets/ansible_aws_module/roles/ansible_aws_module/tasks/success.yml
@@ -0,0 +1,118 @@
+---
+##################################################################################
+# Tests using standard credential parameters
+
+- name: 'Test basic operation using simple credentials (simple-parameters)'
+  boto3_example:
+    region: '{{ aws_region }}'
+    access_key: '{{ aws_access_key }}'
+    secret_key: '{{ aws_secret_key }}'
+    security_token: '{{ security_token }}'
+  register: credential_result
+
+- name: 'Test basic operation using simple credentials (aws-parameters)'
+  boto3_example:
+    aws_region: '{{ aws_region }}'
+    aws_access_key: '{{ aws_access_key }}'
+    aws_secret_key: '{{ aws_secret_key }}'
+    aws_security_token: '{{ security_token }}'
+  register: credential_result
+
+- name: 'Test basic operation using simple credentials (ec2-parameters)'
+  boto3_example:
+    ec2_region: '{{ aws_region }}'
+    ec2_access_key: '{{ aws_access_key }}'
+    ec2_secret_key: '{{ aws_secret_key }}'
+    access_token: '{{ security_token }}'
+  register: credential_result
+
+##################################################################################
+# Tests using standard credentials from environment variables
+
+- name: 'Test basic operation using simple credentials (aws-environment)'
+  boto3_example:
+  environment:
+    AWS_REGION: '{{ aws_region }}'
+    AWS_ACCESS_KEY_ID: '{{ aws_access_key }}'
+    AWS_SECRET_ACCESS_KEY: '{{ aws_secret_key }}'
+    AWS_SECURITY_TOKEN: '{{ security_token }}'
+  register: credential_result
+
+- name: 'Test basic operation using simple credentials (aws2-environment)'
+  boto3_example:
+  environment:
+    AWS_DEFAULT_REGION: '{{ aws_region }}'
+    AWS_ACCESS_KEY: '{{ aws_access_key }}'
+    AWS_SECRET_KEY: '{{ aws_secret_key }}'
+    AWS_SESSION_TOKEN: '{{ security_token }}'
+  register: credential_result
+
+- name: 'Test basic operation using simple credentials (ec2-environment)'
+  boto3_example:
+  environment:
+    EC2_REGION: '{{ aws_region }}'
+    EC2_ACCESS_KEY: '{{ aws_access_key }}'
+    EC2_SECRET_KEY: '{{ aws_secret_key }}'
+    EC2_SECURITY_TOKEN: '{{ security_token }}'
+  register: credential_result
+
+##################################################################################
+# Tests using profiles instead of directly consuming credentials
+
+- name: 'Test basic operation using profile (simple-parameters)'
+  boto3_example:
+    profile: 'test_profile'
+  register: profile_result
+
+- name: 'Test basic operation using profile (aws-parameters)'
+  boto3_example:
+    profile: 'test_profile'
+  register: profile_result
+
+- name: 'Test basic operation using profile (aws-environment)'
+  boto3_example:
+  environment:
+    AWS_PROFILE: 'test_profile'
+  register: profile_result
+
+- name: 'Test basic operation using profile (aws2-environment)'
+  boto3_example:
+  environment:
+    AWS_DEFAULT_PROFILE: 'test_profile'
+  register: profile_result
+
+##################################################################################
+# Tests using profiles instead of directly consuming credentials
+
+- name: 'Test basic operation using standard endpoint (aws-parameters)'
+  boto3_example:
+    region: '{{ aws_region }}'
+    aws_endpoint_url: 'https://ec2.{{ aws_region }}.amazonaws.com'
+    aws_access_key: '{{ aws_access_key }}'
+    aws_secret_key: '{{ aws_secret_key }}'
+    aws_security_token: '{{ security_token }}'
+  register: standard_endpoint_result
+
+- name: 'Check that we connected to the standard endpoint'
+  assert:
+    that:
+    - standard_endpoint_result is successful
+    - '"ec2:DescribeImages" in standard_endpoint_result.resource_actions'
+
+# The FIPS endpoints aren't available in every region, this will trigger errors
+# outside of: [ us-east-1, us-east-2, us-west-1, us-west-2 ]
+
+- name: 'Test basic operation using FIPS endpoint (aws-parameters)'
+  boto3_example:
+    region: '{{ aws_region }}'
+    aws_endpoint_url: 'https://ec2-fips.{{ aws_region }}.amazonaws.com'
+    aws_access_key: '{{ aws_access_key }}'
+    aws_secret_key: '{{ aws_secret_key }}'
+    aws_security_token: '{{ security_token }}'
+  register: fips_endpoint_result
+
+- name: 'Check that we connected to the FIPS endpoint'
+  assert:
+    that:
+    - fips_endpoint_result is successful
+    - '"ec2-fips:DescribeImages" in fips_endpoint_result.resource_actions'
diff --git a/tests/integration/targets/ansible_aws_module/runme.sh b/tests/integration/targets/ansible_aws_module/runme.sh
@@ -8,4 +8,4 @@ export ANSIBLE_ROLES_PATH
 export AWS_CONFIG_FILE
 
 ansible-playbook setup.yml -i localhost "$@"
-ansible-playbook main.yml -i inventory "$@"
+ansible-playbook main.yml -i inventory "$@" -e "@session_credentials.yml"
diff --git a/tests/integration/targets/ansible_aws_module/setup.yml b/tests/integration/targets/ansible_aws_module/setup.yml
@@ -3,6 +3,37 @@
   connection: local
   gather_facts: no
   tasks:
+  # ===========================================================
+  # While CI uses a dedicated session, the easiest way to run
+  # tests outside of CI is with a simple access/secret key pair.
+  #
+  # For consistency, use sts_session_token to grab session
+  # credentials if we're not already using a session
+  # Note: this can't be done within a session, hence the slightly
+  # strange dance
+  - name: 'Get a session token if we are using a basic key'
+    when:
+    - security_token is not defined
+    block:
+    - name: 'Get a session token'
+      sts_session_token:
+        region: '{{ aws_region }}'
+        aws_access_key: '{{ aws_access_key }}'
+        aws_secret_key: '{{ aws_secret_key }}'
+      register: session_token
+      no_log: true
+    - name: 'Override initial tokens'
+      set_fact:
+        session_access_key: '{{ session_token.sts_creds.access_key }}'
+        session_secret_key: '{{ session_token.sts_creds.secret_key }}'
+        session_security_token: '{{ session_token.sts_creds.session_token }}'
+      no_log: true
+
+  - name: 'Write out credentials'
+    template:
+      dest: './session_credentials.yml'
+      src: 'session_credentials.yml.j2'
+
   - name: 'Write out boto config file'
     template:
       dest: './boto3_config'

diff --git a/tests/integration/targets/ansible_aws_module/templates/boto_config.j2 b/tests/integration/targets/ansible_aws_module/templates/boto_config.j2
@@ -1,7 +1,5 @@
 [profile test_profile]
 region = {{ aws_region }}
-aws_access_key_id = {{ aws_access_key }}
-aws_secret_access_key = {{ aws_secret_key }}
-{% if security_token is defined %}
-aws_security_token = {{ security_token }}
-{% endif %}
+aws_access_key_id = {{ session_access_key | default(aws_access_key) }}
+aws_secret_access_key = {{ session_secret_key | default(aws_secret_key) }}
+aws_security_token = {{ session_security_token | default(security_token) }}
diff --git a/tests/integration/targets/ansible_aws_module/templates/session_credentials.yml.j2 b/tests/integration/targets/ansible_aws_module/templates/session_credentials.yml.j2
@@ -0,0 +1,3 @@
+aws_access_key: {{ session_access_key | default(aws_access_key) }}
+aws_secret_key: {{ session_secret_key | default(aws_secret_key) }}
+security_token: {{ session_security_token | default(security_token) }}