From 540ab3e3a3ab19b7058153208c02e06e538cee2b Mon Sep 17 00:00:00 2001 From: Mark Chappell Date: Sat, 26 Feb 2022 10:23:57 +0100 Subject: [PATCH] initial integration tests --- .../networkfirewall_rule_group/aliases | 3 + .../defaults/main.yml | 2 + .../networkfirewall_rule_group/meta/main.yml | 4 + .../tasks/5-tuple.yml | 579 ++++++ .../tasks/cleanup.yml | 19 + .../tasks/domain_list.yml | 1662 +++++++++++++++++ .../networkfirewall_rule_group/tasks/main.yml | 44 + .../tasks/managed.yml | 10 + .../tasks/minimal.yml | 771 ++++++++ .../tasks/rule_strings.yml | 480 +++++ .../tasks/stateful.yml | 1362 ++++++++++++++ 11 files changed, 4936 insertions(+) create mode 100644 tests/integration/targets/networkfirewall_rule_group/aliases create mode 100644 tests/integration/targets/networkfirewall_rule_group/defaults/main.yml create mode 100644 tests/integration/targets/networkfirewall_rule_group/meta/main.yml create mode 100644 tests/integration/targets/networkfirewall_rule_group/tasks/5-tuple.yml create mode 100644 tests/integration/targets/networkfirewall_rule_group/tasks/cleanup.yml create mode 100644 tests/integration/targets/networkfirewall_rule_group/tasks/domain_list.yml create mode 100644 tests/integration/targets/networkfirewall_rule_group/tasks/main.yml create mode 100644 tests/integration/targets/networkfirewall_rule_group/tasks/managed.yml create mode 100644 tests/integration/targets/networkfirewall_rule_group/tasks/minimal.yml create mode 100644 tests/integration/targets/networkfirewall_rule_group/tasks/rule_strings.yml create mode 100644 tests/integration/targets/networkfirewall_rule_group/tasks/stateful.yml diff --git a/tests/integration/targets/networkfirewall_rule_group/aliases b/tests/integration/targets/networkfirewall_rule_group/aliases new file mode 100644 index 00000000000..dd36cb2db92 --- /dev/null +++ b/tests/integration/targets/networkfirewall_rule_group/aliases @@ -0,0 +1,3 @@ +cloud/aws + +networkfirewall_rule_group_info 
diff --git a/tests/integration/targets/networkfirewall_rule_group/defaults/main.yml b/tests/integration/targets/networkfirewall_rule_group/defaults/main.yml new file mode 100644 index 00000000000..fa49aa20c20 --- /dev/null +++ b/tests/integration/targets/networkfirewall_rule_group/defaults/main.yml @@ -0,0 +1,2 @@ +--- +group_name_prefix: 'AnsibleTest-{{ tiny_prefix }}' diff --git a/tests/integration/targets/networkfirewall_rule_group/meta/main.yml b/tests/integration/targets/networkfirewall_rule_group/meta/main.yml new file mode 100644 index 00000000000..f09ab4af198 --- /dev/null +++ b/tests/integration/targets/networkfirewall_rule_group/meta/main.yml @@ -0,0 +1,4 @@ +dependencies: + - role: setup_botocore_pip + vars: + botocore_version: "1.23.23" diff --git a/tests/integration/targets/networkfirewall_rule_group/tasks/5-tuple.yml b/tests/integration/targets/networkfirewall_rule_group/tasks/5-tuple.yml new file mode 100644 index 00000000000..a74c8886f24 --- /dev/null +++ b/tests/integration/targets/networkfirewall_rule_group/tasks/5-tuple.yml 
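Review bot: meta/main.yml is the only new YAML file in this set that does not open with a `---` document-start marker, while defaults/main.yml and the task files do; add `---` as its first line so the target follows one Ansible convention throughout. The pinned `botocore_version: "1.23.23"` is correctly quoted, so it is read as a string rather than a float.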
@@ -0,0 +1,579 @@ +--- +# +# Basic manipulation of 5-Tuple based rule groups +# - Creation +# - Deletion +# - Updating Rules +- vars: + tuple_group_name: '{{ group_name_prefix }}-5TupleGroup' + rule_one: + source: '192.0.2.74' + destination: '198.51.100.0/24' + source_port: 'any' + destination_port: 22 + action: 'pass' + protocol: 'TCP' + sid: '10001' + rule_two: + action: 'pass' + direction: 'any' + source: 'any' + destination: 'any' + source_port: 'any' + destination_port: 'any' + protocol: 'icmp' + sid: '10002' + rule_options: + itype: [3] + rule_three: + action: 'drop' + direction: 'forward' + source: '$EXAMPLE_SOURCE' + destination: '$EXAMPLE_DEST' + source_port: 'any' + destination_port: '$HTTPS_PORT' + protocol: 'http' + sid: '10003' + rule_options: + # Raw strings need the extra quotes + content: '"index.php"' + # Empty == no 'setting' (is valid) + http_uri: + ip_variables: + EXAMPLE_SOURCE: '203.0.113.0/24' + EXAMPLE_DEST: '192.0.2.117' + port_variables: + HTTPS_PORT: '8443' + # Formatted version of the options + rule_one_options: + - keyword: 'sid:10001' + rule_two_options: + - keyword: 'sid:10002' + - keyword: 'itype' + settings: ['3'] + rule_three_options: + - keyword: 'sid:10003' + - keyword: 'content' + # Ẽxtra quotes are deliberate + settings: ['"index.php"'] + - keyword: 'http_uri' + block: + ################################################################### + # Creation + + # Bare minimum rule, wouldn't actually check anything since neither HTTP not + # HTTPS traffic is being inspected + - name: '(CHECK) Create a 5-Tuple Rule Group' + networkfirewall_rule_group: + name: '{{ tuple_group_name }}' + type: 'stateful' + capacity: 50 + rule_list: + - '{{ rule_one }}' + register: tuple_group + check_mode: true + + - assert: + that: + - tuple_group is changed + - '"rule_group" in tuple_group' + - '"rule_group" in tuple_group.rule_group' + - '"rule_group_metadata" in tuple_group.rule_group' + - '"capacity" in tuple_group.rule_group.rule_group_metadata' + - 
'"rule_group_name" in tuple_group.rule_group.rule_group_metadata' + - '"type" in tuple_group.rule_group.rule_group_metadata' + - tuple_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - tuple_group.rule_group.rule_group_metadata.capacity == 50 + - tuple_group.rule_group.rule_group_metadata.rule_group_name == tuple_group_name + - '"rules_source" in tuple_group.rule_group.rule_group' + - '"stateful_rules" in tuple_group.rule_group.rule_group.rules_source' + - tuple_group.rule_group.rule_group.rules_source.stateful_rules | length == 1 + - '"action" in first_rule' + - '"header" in first_rule' + - '"rule_options" in first_rule' + - first_rule.action == 'PASS' + - '"destination" in first_rule.header' + - '"destination_port" in first_rule.header' + - '"direction" in first_rule.header' + - '"protocol" in first_rule.header' + - '"source" in first_rule.header' + - '"source_port" in first_rule.header' + - first_rule.header.destination == '198.51.100.0/24' + - first_rule.header.destination_port == '22' + - first_rule.header.source == '192.0.2.74' + - first_rule.header.source_port == 'any' + - first_rule.header.protocol == 'TCP' + - first_rule.header.direction == 'FORWARD' + - first_rule.rule_options == rule_one_options + vars: + first_rule: '{{ tuple_group.rule_group.rule_group.rules_source.stateful_rules[0] }}' + + - name: 'Create a 5-Tuple Rule Group' + networkfirewall_rule_group: + name: '{{ tuple_group_name }}' + type: 'stateful' + capacity: 50 + rule_list: + - '{{ rule_one }}' + register: tuple_group + + - assert: + that: + - tuple_group is changed + - '"rule_group" in tuple_group' + - '"rule_group" in tuple_group.rule_group' + - '"rule_group_metadata" in tuple_group.rule_group' + - '"capacity" in tuple_group.rule_group.rule_group_metadata' + - '"rule_group_arn" in tuple_group.rule_group.rule_group_metadata' + - '"rule_group_id" in tuple_group.rule_group.rule_group_metadata' + - '"rule_group_name" in tuple_group.rule_group.rule_group_metadata' + - '"type" in 
tuple_group.rule_group.rule_group_metadata' + - tuple_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - tuple_group.rule_group.rule_group_metadata.capacity == 50 + - tuple_group.rule_group.rule_group_metadata.rule_group_name == tuple_group_name + - tuple_group.rule_group.rule_group_metadata.rule_group_arn.startswith(account_arn) + - tuple_group.rule_group.rule_group_metadata.rule_group_arn.endswith(tuple_group_name) + - '"rules_source" in tuple_group.rule_group.rule_group' + + - name: Save RuleGroup ID/ARN for later + set_fact: + minimal_rule_group_id: '{{ tuple_group.rule_group.rule_group_metadata.rule_group_id }}' + minimal_rule_group_arn: '{{ tuple_group.rule_group.rule_group_metadata.rule_group_arn }}' + + - name: '(CHECK) Create a 5-Tuple Rule Group (idempotency)' + networkfirewall_rule_group: + name: '{{ tuple_group_name }}' + type: 'stateful' + capacity: 50 + rule_list: + - '{{ rule_one }}' + register: tuple_group + check_mode: true + + - assert: + that: + - tuple_group is not changed + - '"rule_group" in tuple_group' + - '"rule_group" in tuple_group.rule_group' + - '"rule_group_metadata" in tuple_group.rule_group' + - '"capacity" in tuple_group.rule_group.rule_group_metadata' + - '"rule_group_name" in tuple_group.rule_group.rule_group_metadata' + - '"type" in tuple_group.rule_group.rule_group_metadata' + - tuple_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - tuple_group.rule_group.rule_group_metadata.capacity == 50 + - tuple_group.rule_group.rule_group_metadata.rule_group_name == tuple_group_name + - tuple_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - tuple_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in tuple_group.rule_group.rule_group' + + - name: 'Create a 5-Tuple Rule Group (idempotency)' + networkfirewall_rule_group: + name: '{{ tuple_group_name }}' + type: 'stateful' + capacity: 50 + rule_list: + - '{{ rule_one }}' + register: tuple_group + + 
- assert: + that: + - tuple_group is not changed + - '"rule_group" in tuple_group' + - '"rule_group" in tuple_group.rule_group' + - '"rule_group_metadata" in tuple_group.rule_group' + - '"capacity" in tuple_group.rule_group.rule_group_metadata' + - '"rule_group_name" in tuple_group.rule_group.rule_group_metadata' + - '"type" in tuple_group.rule_group.rule_group_metadata' + - tuple_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - tuple_group.rule_group.rule_group_metadata.capacity == 50 + - tuple_group.rule_group.rule_group_metadata.rule_group_name == tuple_group_name + - tuple_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - tuple_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in tuple_group.rule_group.rule_group' + + ################################################################### + # Add some extra variables, properly tested in stateful.yml + + - name: 'Set IP and Port variables' + networkfirewall_rule_group: + name: '{{ tuple_group_name }}' + type: 'stateful' + ip_variables: '{{ ip_variables }}' + port_variables: '{{ port_variables }}' + register: port_variables + + - assert: + that: + - port_variables is changed + + ################################################################### + # Update + + - name: '(CHECK) Update a 5-Tuple Rule Group with new rules' + networkfirewall_rule_group: + name: '{{ tuple_group_name }}' + type: 'stateful' + rule_list: + - '{{ rule_one }}' + - '{{ rule_two }}' + - '{{ rule_three }}' + register: tuple_group + check_mode: true + + - assert: + that: + - tuple_group is changed + - '"rule_group" in tuple_group' + - '"rule_group" in tuple_group.rule_group' + - '"rule_group_metadata" in tuple_group.rule_group' + - '"capacity" in tuple_group.rule_group.rule_group_metadata' + - '"rule_group_name" in tuple_group.rule_group.rule_group_metadata' + - '"type" in tuple_group.rule_group.rule_group_metadata' + - 
tuple_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - tuple_group.rule_group.rule_group_metadata.capacity == 50 + - tuple_group.rule_group.rule_group_metadata.rule_group_name == tuple_group_name + - tuple_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - tuple_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in tuple_group.rule_group.rule_group' + - '"stateful_rules" in tuple_group.rule_group.rule_group.rules_source' + - tuple_group.rule_group.rule_group.rules_source.stateful_rules | length == 3 + - '"action" in first_rule' + - '"header" in first_rule' + - '"rule_options" in first_rule' + - first_rule.action == 'PASS' + - '"destination" in first_rule.header' + - '"destination_port" in first_rule.header' + - '"direction" in first_rule.header' + - '"protocol" in first_rule.header' + - '"source" in first_rule.header' + - '"source_port" in first_rule.header' + - first_rule.header.destination == '198.51.100.0/24' + - first_rule.header.destination_port == '22' + - first_rule.header.source == '192.0.2.74' + - first_rule.header.source_port == 'any' + - first_rule.header.protocol == 'TCP' + - first_rule.header.direction == 'FORWARD' + - first_rule.rule_options == rule_one_options + - '"action" in second_rule' + - '"header" in second_rule' + - '"rule_options" in second_rule' + - second_rule.action == 'PASS' + - '"destination" in second_rule.header' + - '"destination_port" in second_rule.header' + - '"direction" in second_rule.header' + - '"protocol" in second_rule.header' + - '"source" in second_rule.header' + - '"source_port" in second_rule.header' + - second_rule.header.destination == 'any' + - second_rule.header.destination_port == 'any' + - second_rule.header.source == 'any' + - second_rule.header.source_port == 'any' + - second_rule.header.protocol == 'ICMP' + - second_rule.header.direction == 'ANY' + - second_rule.rule_options == rule_two_options + - '"action" in third_rule' + - 
'"header" in third_rule' + - '"rule_options" in third_rule' + - third_rule.action == 'DROP' + - '"destination" in third_rule.header' + - '"destination_port" in third_rule.header' + - '"direction" in third_rule.header' + - '"protocol" in third_rule.header' + - '"source" in third_rule.header' + - '"source_port" in third_rule.header' + - third_rule.header.destination == '$EXAMPLE_DEST' + - third_rule.header.destination_port == '$HTTPS_PORT' + - third_rule.header.source == '$EXAMPLE_SOURCE' + - third_rule.header.source_port == 'any' + - third_rule.header.protocol == 'HTTP' + - third_rule.header.direction == 'FORWARD' + - third_rule.rule_options == rule_three_options + vars: + first_rule: '{{ tuple_group.rule_group.rule_group.rules_source.stateful_rules[0] }}' + second_rule: '{{ tuple_group.rule_group.rule_group.rules_source.stateful_rules[1] }}' + third_rule: '{{ tuple_group.rule_group.rule_group.rules_source.stateful_rules[2] }}' + + - name: 'Update a 5-Tuple Rule Group with new rules' + networkfirewall_rule_group: + name: '{{ tuple_group_name }}' + type: 'stateful' + rule_list: + - '{{ rule_one }}' + - '{{ rule_two }}' + - '{{ rule_three }}' + register: tuple_group + + - assert: + that: + - tuple_group is changed + - '"rule_group" in tuple_group' + - '"rule_group" in tuple_group.rule_group' + - '"rule_group_metadata" in tuple_group.rule_group' + - '"capacity" in tuple_group.rule_group.rule_group_metadata' + - '"rule_group_arn" in tuple_group.rule_group.rule_group_metadata' + - '"rule_group_id" in tuple_group.rule_group.rule_group_metadata' + - '"rule_group_name" in tuple_group.rule_group.rule_group_metadata' + - '"type" in tuple_group.rule_group.rule_group_metadata' + - tuple_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - tuple_group.rule_group.rule_group_metadata.capacity == 50 + - tuple_group.rule_group.rule_group_metadata.rule_group_name == tuple_group_name + - tuple_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - 
tuple_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in tuple_group.rule_group.rule_group' + + - name: '(CHECK) Update a 5-Tuple Rule Group with new rules (idempotency)' + networkfirewall_rule_group: + name: '{{ tuple_group_name }}' + type: 'stateful' + rule_list: + - '{{ rule_one }}' + - '{{ rule_two }}' + - '{{ rule_three }}' + register: tuple_group + check_mode: true + + - assert: + that: + - tuple_group is not changed + - '"rule_group" in tuple_group' + - '"rule_group" in tuple_group.rule_group' + - '"rule_group_metadata" in tuple_group.rule_group' + - '"capacity" in tuple_group.rule_group.rule_group_metadata' + - '"rule_group_name" in tuple_group.rule_group.rule_group_metadata' + - '"type" in tuple_group.rule_group.rule_group_metadata' + - tuple_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - tuple_group.rule_group.rule_group_metadata.capacity == 50 + - tuple_group.rule_group.rule_group_metadata.rule_group_name == tuple_group_name + - tuple_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - tuple_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in tuple_group.rule_group.rule_group' + + - name: 'Update a 5-Tuple Rule Group with new rules (idempotency)' + networkfirewall_rule_group: + name: '{{ tuple_group_name }}' + type: 'stateful' + rule_list: + - '{{ rule_one }}' + - '{{ rule_two }}' + - '{{ rule_three }}' + register: tuple_group + + - assert: + that: + - tuple_group is not changed + - '"rule_group" in tuple_group' + - '"rule_group" in tuple_group.rule_group' + - '"rule_group_metadata" in tuple_group.rule_group' + - '"capacity" in tuple_group.rule_group.rule_group_metadata' + - '"rule_group_name" in tuple_group.rule_group.rule_group_metadata' + - '"type" in tuple_group.rule_group.rule_group_metadata' + - tuple_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - tuple_group.rule_group.rule_group_metadata.capacity 
== 50 + - tuple_group.rule_group.rule_group_metadata.rule_group_name == tuple_group_name + - tuple_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - tuple_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in tuple_group.rule_group.rule_group' + + ##### + + - name: '(CHECK) Update a 5-Tuple Rule Group by removing first rule' + networkfirewall_rule_group: + name: '{{ tuple_group_name }}' + type: 'stateful' + rule_list: + - '{{ rule_two }}' + - '{{ rule_three }}' + register: tuple_group + check_mode: true + + - assert: + that: + - tuple_group is changed + - '"rule_group" in tuple_group' + - '"rule_group" in tuple_group.rule_group' + - '"rule_group_metadata" in tuple_group.rule_group' + - '"capacity" in tuple_group.rule_group.rule_group_metadata' + - '"rule_group_name" in tuple_group.rule_group.rule_group_metadata' + - '"type" in tuple_group.rule_group.rule_group_metadata' + - tuple_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - tuple_group.rule_group.rule_group_metadata.capacity == 50 + - tuple_group.rule_group.rule_group_metadata.rule_group_name == tuple_group_name + - tuple_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - tuple_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in tuple_group.rule_group.rule_group' + - '"stateful_rules" in tuple_group.rule_group.rule_group.rules_source' + - tuple_group.rule_group.rule_group.rules_source.stateful_rules | length == 2 + - '"action" in first_rule' + - '"header" in first_rule' + - '"rule_options" in first_rule' + - first_rule.action == 'PASS' + - '"destination" in first_rule.header' + - '"destination_port" in first_rule.header' + - '"direction" in first_rule.header' + - '"protocol" in first_rule.header' + - '"source" in first_rule.header' + - '"source_port" in first_rule.header' + - first_rule.header.destination == 'any' + - 
first_rule.header.destination_port == 'any' + - first_rule.header.source == 'any' + - first_rule.header.source_port == 'any' + - first_rule.header.protocol == 'ICMP' + - first_rule.header.direction == 'ANY' + - first_rule.rule_options == rule_two_options + - '"action" in second_rule' + - '"header" in second_rule' + - '"rule_options" in second_rule' + - second_rule.action == 'DROP' + - '"destination" in second_rule.header' + - '"destination_port" in second_rule.header' + - '"direction" in second_rule.header' + - '"protocol" in second_rule.header' + - '"source" in second_rule.header' + - '"source_port" in second_rule.header' + - second_rule.header.destination == '$EXAMPLE_DEST' + - second_rule.header.destination_port == '$HTTPS_PORT' + - second_rule.header.source == '$EXAMPLE_SOURCE' + - second_rule.header.source_port == 'any' + - second_rule.header.protocol == 'HTTP' + - second_rule.header.direction == 'FORWARD' + - second_rule.rule_options == rule_three_options + vars: + first_rule: '{{ tuple_group.rule_group.rule_group.rules_source.stateful_rules[0] }}' + second_rule: '{{ tuple_group.rule_group.rule_group.rules_source.stateful_rules[1] }}' + + - name: 'Update a 5-Tuple Rule Group by removing first rule' + networkfirewall_rule_group: + name: '{{ tuple_group_name }}' + type: 'stateful' + rule_list: + - '{{ rule_two }}' + - '{{ rule_three }}' + register: tuple_group + + - assert: + that: + - tuple_group is changed + - '"rule_group" in tuple_group' + - '"rule_group" in tuple_group.rule_group' + - '"rule_group_metadata" in tuple_group.rule_group' + - '"capacity" in tuple_group.rule_group.rule_group_metadata' + - '"rule_group_arn" in tuple_group.rule_group.rule_group_metadata' + - '"rule_group_id" in tuple_group.rule_group.rule_group_metadata' + - '"rule_group_name" in tuple_group.rule_group.rule_group_metadata' + - '"type" in tuple_group.rule_group.rule_group_metadata' + - tuple_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - 
tuple_group.rule_group.rule_group_metadata.capacity == 50 + - tuple_group.rule_group.rule_group_metadata.rule_group_name == tuple_group_name + - tuple_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - tuple_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in tuple_group.rule_group.rule_group' + + - name: '(CHECK) Update a 5-Tuple Rule Group by removing first rule (idempotency)' + networkfirewall_rule_group: + name: '{{ tuple_group_name }}' + type: 'stateful' + rule_list: + - '{{ rule_two }}' + - '{{ rule_three }}' + register: tuple_group + check_mode: true + + - assert: + that: + - tuple_group is not changed + - '"rule_group" in tuple_group' + - '"rule_group" in tuple_group.rule_group' + - '"rule_group_metadata" in tuple_group.rule_group' + - '"capacity" in tuple_group.rule_group.rule_group_metadata' + - '"rule_group_name" in tuple_group.rule_group.rule_group_metadata' + - '"type" in tuple_group.rule_group.rule_group_metadata' + - tuple_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - tuple_group.rule_group.rule_group_metadata.capacity == 50 + - tuple_group.rule_group.rule_group_metadata.rule_group_name == tuple_group_name + - tuple_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - tuple_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in tuple_group.rule_group.rule_group' + + - name: 'Update a 5-Tuple Rule Group by removing first rule (idempotency)' + networkfirewall_rule_group: + name: '{{ tuple_group_name }}' + type: 'stateful' + rule_list: + - '{{ rule_two }}' + - '{{ rule_three }}' + register: tuple_group + + - assert: + that: + - tuple_group is not changed + - '"rule_group" in tuple_group' + - '"rule_group" in tuple_group.rule_group' + - '"rule_group_metadata" in tuple_group.rule_group' + - '"capacity" in tuple_group.rule_group.rule_group_metadata' + - '"rule_group_name" in 
tuple_group.rule_group.rule_group_metadata' + - '"type" in tuple_group.rule_group.rule_group_metadata' + - tuple_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - tuple_group.rule_group.rule_group_metadata.capacity == 50 + - tuple_group.rule_group.rule_group_metadata.rule_group_name == tuple_group_name + - tuple_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - tuple_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in tuple_group.rule_group.rule_group' + + ################################################################### + # Deletion + + - name: '(CHECK) Delete Domain List rule group' + networkfirewall_rule_group: + name: '{{ tuple_group_name }}' + type: 'stateful' + state: absent + register: tuple_group + check_mode: true + + - assert: + that: + - tuple_group is changed + + - name: 'Delete Domain List rule group' + networkfirewall_rule_group: + name: '{{ tuple_group_name }}' + type: 'stateful' + state: absent + register: tuple_group + + - assert: + that: + - tuple_group is changed + + # The Rule Group may still exist in a "DELETING" state, we should still + # return not changed + - name: 'Delete Domain List rule group (idempotency)' + networkfirewall_rule_group: + name: '{{ tuple_group_name }}' + type: 'stateful' + state: absent + register: tuple_group + check_mode: true + + - assert: + that: + - tuple_group is not changed + + - name: '(CHECK) Delete Domain List rule group (idempotency)' + networkfirewall_rule_group: + name: '{{ tuple_group_name }}' + type: 'stateful' + state: absent + register: tuple_group + + - assert: + that: + - tuple_group is not changed + + always: + - name: '(always) Delete Domain List rule group' + networkfirewall_rule_group: + name: '{{ tuple_group_name }}' + type: 'stateful' + state: absent + ignore_errors: true 
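Review bot: The four deletion tasks and the `always` handler at the end of this hunk are named 'Delete Domain List rule group' although the file exercises the 5-Tuple group (`tuple_group_name`); the labels look copied from domain_list.yml and will make a failure report point at the wrong test. In the same section the idempotency pair is inverted: 'Delete Domain List rule group (idempotency)' carries `check_mode: true` while '(CHECK) Delete Domain List rule group (idempotency)' runs for real, so the (CHECK) prefix belongs on the task that actually sets `check_mode: true`, and all five names should read along the lines of `'(CHECK) Delete 5-Tuple rule group (idempotency)'`. Separately, the 'Set IP and Port variables' task does `register: port_variables`, which appears to shadow the `port_variables` mapping declared in the block's `vars` for every later task in the block; registering into a distinct name such as `register: variables_result` avoids the ambiguity. The comment above the first create task also reads 'neither HTTP not HTTPS' (typo for 'nor').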
diff --git a/tests/integration/targets/networkfirewall_rule_group/tasks/cleanup.yml b/tests/integration/targets/networkfirewall_rule_group/tasks/cleanup.yml new file mode 100644 index 00000000000..7bcd3fab081 --- /dev/null +++ b/tests/integration/targets/networkfirewall_rule_group/tasks/cleanup.yml @@ -0,0 +1,19 @@ +--- +- name: 'Fetch all account rule groups' + networkfirewall_rule_group_info: {} + register: account_rules_info + ignore_errors: true + +- name: 'Get a list of all rules matching {{ group_name_prefix }}' + set_fact: + matching_rules: '{{ account_rules_info.rule_list | select("search", group_name_prefix) | list }}' + ignore_errors: true + +# These should just be "no-ops" caused by the deletion being in-progress. +# Waiters are not supported at this time. +- name: 'Delete matching rule groups' + networkfirewall_rule_group: + arn: '{{ item }}' + state: absent + ignore_errors: true + loop: '{{ matching_rules }}' diff --git a/tests/integration/targets/networkfirewall_rule_group/tasks/domain_list.yml b/tests/integration/targets/networkfirewall_rule_group/tasks/domain_list.yml new file mode 100644 index 00000000000..e4f797f6618 --- /dev/null +++ b/tests/integration/targets/networkfirewall_rule_group/tasks/domain_list.yml 
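Review bot: The 'Get a list of all rules matching …' task dereferences `account_rules_info.rule_list` directly, so when the preceding info lookup fails (its error is ignored) the set_fact task fails too, `matching_rules` is never defined, and the delete loop then fails on an undefined variable instead of performing the intended no-op; the chain of `ignore_errors` hides this and leaves stale test groups behind with no signal. Apply a default so the cleanup degrades to an empty loop: `matching_rules: '{{ account_rules_info.rule_list | default([]) | select("search", group_name_prefix) | list }}'`. Note also that `select("search", ...)` is an unanchored regex match against what appears to be the full ARN string (the loop passes `item` as `arn`), which is fine for the `AnsibleTest-` prefix but deserves a one-line comment stating that the match is deliberately on the ARN rather than the bare name.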
@@ -0,0 +1,1662 @@ +--- +# +# Basic manipulation of Domain List based rule groups +# - Creation +# - Deletion +# - Updating Rules +# -- Domain list +# -- Inspected Protocols +# -- Action +# -- Source IPs +- vars: + domains_group_name: '{{ group_name_prefix }}-DomainListGroup' + block: + ################################################################### + # Creation + + # Bare minimum rule, wouldn't actually check anything since neither HTTP not + # HTTPS traffic is being inspected + - name: '(CHECK) Create a Domain List Rule Group' + networkfirewall_rule_group: + name: '{{ domains_group_name }}' + type: 'stateful' + capacity: 50 + domain_list: + domain_names: 'example.com' + action: allow + register: domain_group + check_mode: true + + - assert: + that: + - domain_group is changed + - '"rule_group" in domain_group' + - '"rule_group" in domain_group.rule_group' + - '"rule_group_metadata" in domain_group.rule_group' + - '"capacity" in domain_group.rule_group.rule_group_metadata' + - '"rule_group_name" in domain_group.rule_group.rule_group_metadata' + - '"type" in domain_group.rule_group.rule_group_metadata' + - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - domain_group.rule_group.rule_group_metadata.capacity == 50 + - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name + - '"rules_source" in domain_group.rule_group.rule_group' + - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source' + - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'ALLOWLIST' + - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == [] + - 
domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com'] + + - name: 'Create a Domain List Rule Group' + networkfirewall_rule_group: + name: '{{ domains_group_name }}' + type: 'stateful' + capacity: 50 + domain_list: + domain_names: 'example.com' + action: allow + register: domain_group + + - assert: + that: + - domain_group is changed + - '"rule_group" in domain_group' + - '"rule_group" in domain_group.rule_group' + - '"rule_group_metadata" in domain_group.rule_group' + - '"capacity" in domain_group.rule_group.rule_group_metadata' + - '"rule_group_arn" in domain_group.rule_group.rule_group_metadata' + - '"rule_group_id" in domain_group.rule_group.rule_group_metadata' + - '"rule_group_name" in domain_group.rule_group.rule_group_metadata' + - '"type" in domain_group.rule_group.rule_group_metadata' + - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - domain_group.rule_group.rule_group_metadata.capacity == 50 + - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name + - domain_group.rule_group.rule_group_metadata.rule_group_arn.startswith(account_arn) + - domain_group.rule_group.rule_group_metadata.rule_group_arn.endswith(domains_group_name) + - '"rules_source" in domain_group.rule_group.rule_group' + - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source' + - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'ALLOWLIST' + - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == [] + - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com'] + + - name: Save RuleGroup ID/ARN for later + set_fact: + 
minimal_rule_group_id: '{{ domain_group.rule_group.rule_group_metadata.rule_group_id }}'
+ minimal_rule_group_arn: '{{ domain_group.rule_group.rule_group_metadata.rule_group_arn }}'
+
+ - name: '(CHECK) Create a Domain List Rule Group (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ capacity: 50
+ domain_list:
+ domain_names: 'example.com'
+ action: allow
+ register: domain_group
+ check_mode: true
+
+ - assert:
+ that:
+ - domain_group is not changed
+ - '"rule_group" in domain_group'
+ - '"rule_group" in domain_group.rule_group'
+ - '"rule_group_metadata" in domain_group.rule_group'
+ - '"capacity" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in domain_group.rule_group.rule_group_metadata'
+ - '"type" in domain_group.rule_group.rule_group_metadata'
+ - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - domain_group.rule_group.rule_group_metadata.capacity == 50
+ - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name
+ - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - '"rules_source" in domain_group.rule_group.rule_group'
+ - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source'
+ - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'ALLOWLIST'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == []
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com']
+
+ - name: 'Create a Domain List Rule Group (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ capacity: 50
+ domain_list:
+ domain_names: 'example.com'
+ action: allow
+ register: domain_group
+
+ - assert:
+ that:
+ - domain_group is not changed
+ - '"rule_group" in domain_group'
+ - '"rule_group" in domain_group.rule_group'
+ - '"rule_group_metadata" in domain_group.rule_group'
+ - '"capacity" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in domain_group.rule_group.rule_group_metadata'
+ - '"type" in domain_group.rule_group.rule_group_metadata'
+ - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - domain_group.rule_group.rule_group_metadata.capacity == 50
+ - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name
+ - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - '"rules_source" in domain_group.rule_group.rule_group'
+ - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source'
+ - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'ALLOWLIST'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == []
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com']
+
+ #####
+
+ - name: '(CHECK) Create a Domain List Rule Group - List instead of string (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ capacity: 50
+ domain_list:
+ domain_names:
+ - 'example.com'
+ action: allow
+ register: domain_group
+ check_mode: true
+
+ - assert:
+ that:
+ - domain_group is not changed
+ - '"rule_group" in domain_group'
+ - '"rule_group" in domain_group.rule_group'
+ - '"rule_group_metadata" in domain_group.rule_group'
+ - '"capacity" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in domain_group.rule_group.rule_group_metadata'
+ - '"type" in domain_group.rule_group.rule_group_metadata'
+ - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - domain_group.rule_group.rule_group_metadata.capacity == 50
+ - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name
+ - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - '"rules_source" in domain_group.rule_group.rule_group'
+ - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source'
+ - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'ALLOWLIST'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == []
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com']
+
+ - name: 'Create a Domain List Rule Group List - instead of string (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ capacity: 50
+ domain_list:
+ domain_names:
+ - 'example.com'
+ action: allow
+ register: domain_group
+
+ - assert:
+ that:
+ - domain_group is not changed
+ - '"rule_group" in domain_group'
+ - '"rule_group" in domain_group.rule_group'
+ - '"rule_group_metadata" in domain_group.rule_group'
+ - '"capacity" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in domain_group.rule_group.rule_group_metadata'
+ - '"type" in domain_group.rule_group.rule_group_metadata'
+ - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - domain_group.rule_group.rule_group_metadata.capacity == 50
+ - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name
+ - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - '"rules_source" in domain_group.rule_group.rule_group'
+ - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source'
+ - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'ALLOWLIST'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == []
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com']
+
+
+ ###################################################################
+ # Update
+
+ - name: '(CHECK) Update a Domain List Rule Group with new domains'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ domain_list:
+ domain_names:
+ - 'example.com'
+ - '.example.net'
+ action: allow
+ register: domain_group
+ check_mode: true
+
+ - assert:
+ that:
+ - domain_group is changed
+ - '"rule_group" in domain_group'
+ - '"rule_group" in domain_group.rule_group'
+ - '"rule_group_metadata" in domain_group.rule_group'
+ - '"capacity" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in domain_group.rule_group.rule_group_metadata'
+ - '"type" in domain_group.rule_group.rule_group_metadata'
+ - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - domain_group.rule_group.rule_group_metadata.capacity == 50
+ - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name
+ - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - '"rules_source" in domain_group.rule_group.rule_group'
+ - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source'
+ - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'ALLOWLIST'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == []
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net']
+
+ - name: 'Update a Domain List Rule Group with new domains'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ domain_list:
+ domain_names:
+ - 'example.com'
+ - '.example.net'
+ action: allow
+ register: domain_group
+
+ - assert:
+ that:
+ - domain_group is changed
+ - '"rule_group" in domain_group'
+ - '"rule_group" in domain_group.rule_group'
+ - '"rule_group_metadata" in domain_group.rule_group'
+ - '"capacity" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_arn" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_id" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in domain_group.rule_group.rule_group_metadata'
+ - '"type" in domain_group.rule_group.rule_group_metadata'
+ - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - domain_group.rule_group.rule_group_metadata.capacity == 50
+ - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name
+ - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - '"rules_source" in domain_group.rule_group.rule_group'
+ - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source'
+ - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'ALLOWLIST'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == []
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net']
+
+ - name: '(CHECK) Update a Domain List Rule Group with new domains (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ domain_list:
+ domain_names:
+ - 'example.com'
+ - '.example.net'
+ action: allow
+ register: domain_group
+ check_mode: true
+
+ - assert:
+ that:
+ - domain_group is not changed
+ - '"rule_group" in domain_group'
+ - '"rule_group" in domain_group.rule_group'
+ - '"rule_group_metadata" in domain_group.rule_group'
+ - '"capacity" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in domain_group.rule_group.rule_group_metadata'
+ - '"type" in domain_group.rule_group.rule_group_metadata'
+ - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - domain_group.rule_group.rule_group_metadata.capacity == 50
+ - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name
+ - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - '"rules_source" in domain_group.rule_group.rule_group'
+ - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source'
+ - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'ALLOWLIST'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == []
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net']
+
+ - name: 'Update a Domain List Rule Group with new domains (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ domain_list:
+ domain_names:
+ - 'example.com'
+ - '.example.net'
+ action: allow
+ register: domain_group
+
+ - assert:
+ that:
+ - domain_group is not changed
+ - '"rule_group" in domain_group'
+ - '"rule_group" in domain_group.rule_group'
+ - '"rule_group_metadata" in domain_group.rule_group'
+ - '"capacity" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in domain_group.rule_group.rule_group_metadata'
+ - '"type" in domain_group.rule_group.rule_group_metadata'
+ - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - domain_group.rule_group.rule_group_metadata.capacity == 50
+ - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name
+ - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - '"rules_source" in domain_group.rule_group.rule_group'
+ - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source'
+ - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'ALLOWLIST'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == []
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net']
+
+ #####
+
+ - name: '(CHECK) Update a Domain List Rule Group with new action'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ domain_list:
+ domain_names:
+ - 'example.com'
+ - '.example.net'
+ action: deny
+ register: domain_group
+ check_mode: true
+
+ - assert:
+ that:
+ - domain_group is changed
+ - '"rule_group" in domain_group'
+ - '"rule_group" in domain_group.rule_group'
+ - '"rule_group_metadata" in domain_group.rule_group'
+ - '"capacity" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in domain_group.rule_group.rule_group_metadata'
+ - '"type" in domain_group.rule_group.rule_group_metadata'
+ - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - domain_group.rule_group.rule_group_metadata.capacity == 50
+ - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name
+ - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - '"rules_source" in domain_group.rule_group.rule_group'
+ - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source'
+ - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == []
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net']
+
+ - name: 'Update a Domain List Rule Group with new action'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ domain_list:
+ domain_names:
+ - 'example.com'
+ - '.example.net'
+ action: deny
+ register: domain_group
+
+ - assert:
+ that:
+ - domain_group is changed
+ - '"rule_group" in domain_group'
+ - '"rule_group" in domain_group.rule_group'
+ - '"rule_group_metadata" in domain_group.rule_group'
+ - '"capacity" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_arn" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_id" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in domain_group.rule_group.rule_group_metadata'
+ - '"type" in domain_group.rule_group.rule_group_metadata'
+ - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - domain_group.rule_group.rule_group_metadata.capacity == 50
+ - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name
+ - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - '"rules_source" in domain_group.rule_group.rule_group'
+ - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source'
+ - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == []
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net']
+
+ - name: '(CHECK) Update a Domain List Rule Group with new action (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ domain_list:
+ domain_names:
+ - 'example.com'
+ - '.example.net'
+ action: deny
+ register: domain_group
+ check_mode: true
+
+ - assert:
+ that:
+ - domain_group is not changed
+ - '"rule_group" in domain_group'
+ - '"rule_group" in domain_group.rule_group'
+ - '"rule_group_metadata" in domain_group.rule_group'
+ - '"capacity" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in domain_group.rule_group.rule_group_metadata'
+ - '"type" in domain_group.rule_group.rule_group_metadata'
+ - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - domain_group.rule_group.rule_group_metadata.capacity == 50
+ - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name
+ - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - '"rules_source" in domain_group.rule_group.rule_group'
+ - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source'
+ - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == []
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net']
+
+ - name: 'Update a Domain List Rule Group with new action (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ domain_list:
+ domain_names:
+ - 'example.com'
+ - '.example.net'
+ action: deny
+ register: domain_group
+
+ - assert:
+ that:
+ - domain_group is not changed
+ - '"rule_group" in domain_group'
+ - '"rule_group" in domain_group.rule_group'
+ - '"rule_group_metadata" in domain_group.rule_group'
+ - '"capacity" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in domain_group.rule_group.rule_group_metadata'
+ - '"type" in domain_group.rule_group.rule_group_metadata'
+ - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - domain_group.rule_group.rule_group_metadata.capacity == 50
+ - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name
+ - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - '"rules_source" in domain_group.rule_group.rule_group'
+ - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source'
+ - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == []
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net']
+
+ #####
+
+ - name: '(CHECK) Update a Domain List Rule Group with HTTP only'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ domain_list:
+ domain_names:
+ - 'example.com'
+ - '.example.net'
+ action: deny
+ filter_http: true
+ register: domain_group
+ check_mode: true
+
+ - assert:
+ that:
+ - domain_group is changed
+ - '"rule_group" in domain_group'
+ - '"rule_group" in domain_group.rule_group'
+ - '"rule_group_metadata" in domain_group.rule_group'
+ - '"capacity" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in domain_group.rule_group.rule_group_metadata'
+ - '"type" in domain_group.rule_group.rule_group_metadata'
+ - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - domain_group.rule_group.rule_group_metadata.capacity == 50
+ - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name
+ - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - '"rules_source" in domain_group.rule_group.rule_group'
+ - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source'
+ - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == ['HTTP_HOST']
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net']
+
+ - name: 'Update a Domain List Rule Group with HTTP only'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ domain_list:
+ domain_names:
+ - 'example.com'
+ - '.example.net'
+ action: deny
+ filter_http: true
+ register: domain_group
+
+ - assert:
+ that:
+ - domain_group is changed
+ - '"rule_group" in domain_group'
+ - '"rule_group" in domain_group.rule_group'
+ - '"rule_group_metadata" in domain_group.rule_group'
+ - '"capacity" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_arn" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_id" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in domain_group.rule_group.rule_group_metadata'
+ - '"type" in domain_group.rule_group.rule_group_metadata'
+ - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - domain_group.rule_group.rule_group_metadata.capacity == 50
+ - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name
+ - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - '"rules_source" in domain_group.rule_group.rule_group'
+ - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source'
+ - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == ['HTTP_HOST']
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net']
+
+ - name: '(CHECK) Update a Domain List Rule Group with HTTP only (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ domain_list:
+ domain_names:
+ - 'example.com'
+ - '.example.net'
+ action: deny
+ filter_http: true
+ register: domain_group
+ check_mode: true
+
+ - assert:
+ that:
+ - domain_group is not changed
+ - '"rule_group" in domain_group'
+ - '"rule_group" in domain_group.rule_group'
+ - '"rule_group_metadata" in domain_group.rule_group'
+ - '"capacity" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in domain_group.rule_group.rule_group_metadata'
+ - '"type" in domain_group.rule_group.rule_group_metadata'
+ - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - domain_group.rule_group.rule_group_metadata.capacity == 50
+ - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name
+ - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - '"rules_source" in domain_group.rule_group.rule_group'
+ - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source'
+ - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == ['HTTP_HOST']
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net']
+
+ - name: 'Update a Domain List Rule Group with HTTP only (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ domain_list:
+ domain_names:
+ - 'example.com'
+ - '.example.net'
+ action: deny
+ filter_http: true
+ register: domain_group
+
+ - assert:
+ that:
+ - domain_group is not changed
+ - '"rule_group" in domain_group'
+ - '"rule_group" in domain_group.rule_group'
+ - '"rule_group_metadata" in domain_group.rule_group'
+ - '"capacity" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in domain_group.rule_group.rule_group_metadata'
+ - '"type" in domain_group.rule_group.rule_group_metadata'
+ - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - domain_group.rule_group.rule_group_metadata.capacity == 50
+ - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name
+ - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - '"rules_source" in domain_group.rule_group.rule_group'
+ - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source'
+ - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == ['HTTP_HOST']
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net']
+
+ #####
+
+ - name: '(CHECK) Update a Domain List Rule Group with HTTPS only'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ domain_list:
+ domain_names:
+ - 'example.com'
+ - '.example.net'
+ action: deny
+ filter_https: true
+ register: domain_group
+ check_mode: true
+
+ - assert:
+ that:
+ - domain_group is changed
+ - '"rule_group" in domain_group'
+ - '"rule_group" in domain_group.rule_group'
+ - '"rule_group_metadata" in domain_group.rule_group'
+ - '"capacity" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in domain_group.rule_group.rule_group_metadata'
+ - '"type" in domain_group.rule_group.rule_group_metadata'
+ - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - domain_group.rule_group.rule_group_metadata.capacity == 50
+ - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name
+ - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - '"rules_source" in domain_group.rule_group.rule_group'
+ - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source'
+ - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == ['TLS_SNI']
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net']
+
+ - name: 'Update a Domain List Rule Group with HTTPS only'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ domain_list:
+ domain_names:
+ - 'example.com'
+ - '.example.net'
+ action: deny
+ filter_https: true
+ register: domain_group
+
+ - assert:
+ that:
+ - domain_group is changed
+ - '"rule_group" in domain_group'
+ - '"rule_group" in domain_group.rule_group'
+ - '"rule_group_metadata" in domain_group.rule_group'
+ - '"capacity" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_arn" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_id" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in domain_group.rule_group.rule_group_metadata'
+ - '"type" in domain_group.rule_group.rule_group_metadata'
+ - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - domain_group.rule_group.rule_group_metadata.capacity == 50
+ - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name
+ - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - '"rules_source" in domain_group.rule_group.rule_group'
+ - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source'
+ - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == ['TLS_SNI']
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net']
+
+ - name: '(CHECK) Update a Domain List Rule Group with HTTPS only (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ domain_list:
+ domain_names:
+ - 'example.com'
+ - '.example.net'
+ action: deny
+ filter_https: true
+ register: domain_group
+ check_mode: true
+
+ - assert:
+ that:
+ - domain_group is not changed
+ - '"rule_group" in domain_group'
+ - '"rule_group" in domain_group.rule_group'
+ - '"rule_group_metadata" in domain_group.rule_group'
+ - '"capacity" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in domain_group.rule_group.rule_group_metadata'
+ - '"type" in domain_group.rule_group.rule_group_metadata'
+ - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - domain_group.rule_group.rule_group_metadata.capacity == 50
+ - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name
+ - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - '"rules_source" in domain_group.rule_group.rule_group'
+ - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source'
+ - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == ['TLS_SNI']
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net']
+
+ - name: 'Update a Domain List Rule Group with HTTPS only (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ domain_list:
+ domain_names:
+ - 'example.com'
+ - '.example.net'
+ action: deny
+ filter_https: true
+ register: domain_group
+
+ - assert:
+ that:
+ - domain_group is not changed
+ - '"rule_group" in domain_group'
+ - '"rule_group" in domain_group.rule_group'
+ - '"rule_group_metadata" in domain_group.rule_group'
+ - '"capacity" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in domain_group.rule_group.rule_group_metadata'
+ - '"type" in domain_group.rule_group.rule_group_metadata'
+ - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - domain_group.rule_group.rule_group_metadata.capacity == 50
+ - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name
+ - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - '"rules_source" in domain_group.rule_group.rule_group'
+ - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source'
+ - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == ['TLS_SNI']
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net']
+
+ #####
+
+ - name: '(CHECK) Update a Domain List Rule Group with HTTP and HTTPS'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ domain_list:
+ domain_names:
+ - 'example.com'
+ - '.example.net'
+ action: deny
+ filter_http: true
+ filter_https: true
+ register: domain_group
+ check_mode: true
+
+ - assert:
+ that:
+ - domain_group is changed
+ - '"rule_group" in domain_group'
+ - '"rule_group" in domain_group.rule_group'
+ - '"rule_group_metadata" in domain_group.rule_group'
+ - '"capacity" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in domain_group.rule_group.rule_group_metadata'
+ - '"type" in domain_group.rule_group.rule_group_metadata'
+ - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - domain_group.rule_group.rule_group_metadata.capacity == 50
+ - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name
+ - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - '"rules_source" in domain_group.rule_group.rule_group'
+ - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source'
+ - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == ['HTTP_HOST', 'TLS_SNI']
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net']
+
+ - name: 'Update a Domain List Rule Group with HTTP and HTTPS'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ domain_list:
+ domain_names:
+ - 'example.com'
+ - '.example.net'
+ action: deny
+ filter_http: true
+ filter_https: true
+ register: domain_group
+
+ - assert:
+ that:
+ - domain_group is changed
+ - '"rule_group" in domain_group'
+ - '"rule_group" in domain_group.rule_group'
+ - '"rule_group_metadata" in domain_group.rule_group'
+ - '"capacity" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_arn" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_id" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in domain_group.rule_group.rule_group_metadata'
+ - '"type" in domain_group.rule_group.rule_group_metadata'
+ - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - domain_group.rule_group.rule_group_metadata.capacity == 50
+ - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name
+ - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - '"rules_source" in domain_group.rule_group.rule_group'
+ - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source'
+ - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == ['HTTP_HOST', 'TLS_SNI']
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net']
+
+ - name: '(CHECK) Update a Domain List Rule Group with HTTP and HTTPS (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ domain_list:
+ domain_names:
+ - 'example.com'
+ - '.example.net'
+ action: deny
+ filter_http: true
+ filter_https: true
+ register: domain_group
+ check_mode: true
+
+ - assert:
+ that:
+ - domain_group is not changed
+ - '"rule_group" in domain_group'
+ - '"rule_group" in domain_group.rule_group'
+ - '"rule_group_metadata" in domain_group.rule_group'
+ - '"capacity" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in domain_group.rule_group.rule_group_metadata'
+ - '"type" in domain_group.rule_group.rule_group_metadata'
+ - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - domain_group.rule_group.rule_group_metadata.capacity == 50
+ - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name
+ - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - '"rules_source" in domain_group.rule_group.rule_group'
+ - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source'
+ - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"target_types" in
domain_group.rule_group.rule_group.rules_source.rules_source_list' + - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST' + - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == ['HTTP_HOST', 'TLS_SNI'] + - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net'] + + - name: 'Update a Domain List Rule Group with HTTP and HTTPS (idempotency)' + networkfirewall_rule_group: + name: '{{ domains_group_name }}' + type: 'stateful' + domain_list: + domain_names: + - 'example.com' + - '.example.net' + action: deny + filter_http: true + filter_https: true + register: domain_group + + - assert: + that: + - domain_group is not changed + - '"rule_group" in domain_group' + - '"rule_group" in domain_group.rule_group' + - '"rule_group_metadata" in domain_group.rule_group' + - '"capacity" in domain_group.rule_group.rule_group_metadata' + - '"rule_group_name" in domain_group.rule_group.rule_group_metadata' + - '"type" in domain_group.rule_group.rule_group_metadata' + - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - domain_group.rule_group.rule_group_metadata.capacity == 50 + - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name + - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in domain_group.rule_group.rule_group' + - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source' + - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - 
domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST' + - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == ['HTTP_HOST', 'TLS_SNI'] + - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net'] + + ##### + + - name: '(CHECK) Update a Domain List Rule Group with Source IP list' + networkfirewall_rule_group: + name: '{{ domains_group_name }}' + type: 'stateful' + domain_list: + domain_names: + - 'example.com' + - '.example.net' + action: deny + filter_http: true + filter_https: true + source_ips: '203.0.113.0/24' + register: domain_group + check_mode: true + + - assert: + that: + - domain_group is changed + - '"rule_group" in domain_group' + - '"rule_group" in domain_group.rule_group' + - '"rule_group_metadata" in domain_group.rule_group' + - '"capacity" in domain_group.rule_group.rule_group_metadata' + - '"rule_group_name" in domain_group.rule_group.rule_group_metadata' + - '"type" in domain_group.rule_group.rule_group_metadata' + - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - domain_group.rule_group.rule_group_metadata.capacity == 50 + - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name + - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in domain_group.rule_group.rule_group' + - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source' + - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST' + - 
domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == ['HTTP_HOST', 'TLS_SNI'] + - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net'] + - '"rule_variables" in domain_group.rule_group.rule_group' + - '"ip_sets" in domain_group.rule_group.rule_group.rule_variables' + - '"HOME_NET" in domain_group.rule_group.rule_group.rule_variables.ip_sets' + - domain_group.rule_group.rule_group.rule_variables.ip_sets['HOME_NET'] == ['203.0.113.0/24'] + + - name: 'Update a Domain List Rule Group with Source IP list' + networkfirewall_rule_group: + name: '{{ domains_group_name }}' + type: 'stateful' + domain_list: + domain_names: + - 'example.com' + - '.example.net' + action: deny + filter_http: true + filter_https: true + source_ips: '203.0.113.0/24' + register: domain_group + + - assert: + that: + - domain_group is changed + - '"rule_group" in domain_group' + - '"rule_group" in domain_group.rule_group' + - '"rule_group_metadata" in domain_group.rule_group' + - '"capacity" in domain_group.rule_group.rule_group_metadata' + - '"rule_group_arn" in domain_group.rule_group.rule_group_metadata' + - '"rule_group_id" in domain_group.rule_group.rule_group_metadata' + - '"rule_group_name" in domain_group.rule_group.rule_group_metadata' + - '"type" in domain_group.rule_group.rule_group_metadata' + - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - domain_group.rule_group.rule_group_metadata.capacity == 50 + - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name + - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in domain_group.rule_group.rule_group' + - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source' + - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list' 
+ - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST' + - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == ['HTTP_HOST', 'TLS_SNI'] + - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net'] + - '"rule_variables" in domain_group.rule_group.rule_group' + - '"ip_sets" in domain_group.rule_group.rule_group.rule_variables' + - '"HOME_NET" in domain_group.rule_group.rule_group.rule_variables.ip_sets' + - domain_group.rule_group.rule_group.rule_variables.ip_sets['HOME_NET'] == ['203.0.113.0/24'] + + - name: '(CHECK) Update a Domain List Rule Group with Source IP list (idempotency)' + networkfirewall_rule_group: + name: '{{ domains_group_name }}' + type: 'stateful' + domain_list: + domain_names: + - 'example.com' + - '.example.net' + action: deny + filter_http: true + filter_https: true + source_ips: '203.0.113.0/24' + register: domain_group + check_mode: true + + - assert: + that: + - domain_group is not changed + - '"rule_group" in domain_group' + - '"rule_group" in domain_group.rule_group' + - '"rule_group_metadata" in domain_group.rule_group' + - '"capacity" in domain_group.rule_group.rule_group_metadata' + - '"rule_group_name" in domain_group.rule_group.rule_group_metadata' + - '"type" in domain_group.rule_group.rule_group_metadata' + - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - domain_group.rule_group.rule_group_metadata.capacity == 50 + - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name + - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in 
domain_group.rule_group.rule_group' + - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source' + - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST' + - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == ['HTTP_HOST', 'TLS_SNI'] + - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net'] + - '"rule_variables" in domain_group.rule_group.rule_group' + - '"ip_sets" in domain_group.rule_group.rule_group.rule_variables' + - '"HOME_NET" in domain_group.rule_group.rule_group.rule_variables.ip_sets' + - domain_group.rule_group.rule_group.rule_variables.ip_sets['HOME_NET'] == ['203.0.113.0/24'] + + - name: 'Update a Domain List Rule Group with Source IP list (idempotency)' + networkfirewall_rule_group: + name: '{{ domains_group_name }}' + type: 'stateful' + domain_list: + domain_names: + - 'example.com' + - '.example.net' + action: deny + filter_http: true + filter_https: true + source_ips: '203.0.113.0/24' + register: domain_group + + - assert: + that: + - domain_group is not changed + - '"rule_group" in domain_group' + - '"rule_group" in domain_group.rule_group' + - '"rule_group_metadata" in domain_group.rule_group' + - '"capacity" in domain_group.rule_group.rule_group_metadata' + - '"rule_group_name" in domain_group.rule_group.rule_group_metadata' + - '"type" in domain_group.rule_group.rule_group_metadata' + - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - domain_group.rule_group.rule_group_metadata.capacity == 50 + - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name + - 
domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in domain_group.rule_group.rule_group' + - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source' + - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST' + - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == ['HTTP_HOST', 'TLS_SNI'] + - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net'] + - '"rule_variables" in domain_group.rule_group.rule_group' + - '"ip_sets" in domain_group.rule_group.rule_group.rule_variables' + - '"HOME_NET" in domain_group.rule_group.rule_group.rule_variables.ip_sets' + - domain_group.rule_group.rule_group.rule_variables.ip_sets['HOME_NET'] == ['203.0.113.0/24'] + + ##### + + - name: '(CHECK) Update a Domain List Rule Group with updated Source IP list' + networkfirewall_rule_group: + name: '{{ domains_group_name }}' + type: 'stateful' + domain_list: + domain_names: + - 'example.com' + - '.example.net' + action: deny + filter_http: true + filter_https: true + source_ips: + - '203.0.113.0/24' + - '198.51.100.248' + register: domain_group + check_mode: true + + - assert: + that: + - domain_group is changed + - '"rule_group" in domain_group' + - '"rule_group" in domain_group.rule_group' + - '"rule_group_metadata" in domain_group.rule_group' + - '"capacity" in domain_group.rule_group.rule_group_metadata' + - '"rule_group_name" in domain_group.rule_group.rule_group_metadata' + - '"type" in domain_group.rule_group.rule_group_metadata' + - 
domain_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - domain_group.rule_group.rule_group_metadata.capacity == 50 + - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name + - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in domain_group.rule_group.rule_group' + - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source' + - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST' + - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == ['HTTP_HOST', 'TLS_SNI'] + - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net'] + - '"rule_variables" in domain_group.rule_group.rule_group' + - '"ip_sets" in domain_group.rule_group.rule_group.rule_variables' + - '"HOME_NET" in domain_group.rule_group.rule_group.rule_variables.ip_sets' + - domain_group.rule_group.rule_group.rule_variables.ip_sets['HOME_NET'] == ['203.0.113.0/24', '198.51.100.248'] + + - name: 'Update a Domain List Rule Group with updated Source IP list' + networkfirewall_rule_group: + name: '{{ domains_group_name }}' + type: 'stateful' + domain_list: + domain_names: + - 'example.com' + - '.example.net' + action: deny + filter_http: true + filter_https: true + source_ips: + - '203.0.113.0/24' + - '198.51.100.248' + register: domain_group + + - assert: + that: + - domain_group is changed + - '"rule_group" in domain_group' + - '"rule_group" in domain_group.rule_group' + - '"rule_group_metadata" in domain_group.rule_group' + 
- '"capacity" in domain_group.rule_group.rule_group_metadata' + - '"rule_group_arn" in domain_group.rule_group.rule_group_metadata' + - '"rule_group_id" in domain_group.rule_group.rule_group_metadata' + - '"rule_group_name" in domain_group.rule_group.rule_group_metadata' + - '"type" in domain_group.rule_group.rule_group_metadata' + - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - domain_group.rule_group.rule_group_metadata.capacity == 50 + - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name + - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in domain_group.rule_group.rule_group' + - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source' + - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST' + - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == ['HTTP_HOST', 'TLS_SNI'] + - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net'] + - '"rule_variables" in domain_group.rule_group.rule_group' + - '"ip_sets" in domain_group.rule_group.rule_group.rule_variables' + - '"HOME_NET" in domain_group.rule_group.rule_group.rule_variables.ip_sets' + - domain_group.rule_group.rule_group.rule_variables.ip_sets['HOME_NET'] == ['203.0.113.0/24', '198.51.100.248'] + + - name: '(CHECK) Update a Domain List Rule Group with updated Source IP list (idempotency)' + networkfirewall_rule_group: + name: '{{ domains_group_name }}' + type: 'stateful' + domain_list: + domain_names: + - 
'example.com' + - '.example.net' + action: deny + filter_http: true + filter_https: true + source_ips: + - '203.0.113.0/24' + - '198.51.100.248' + register: domain_group + check_mode: true + + - assert: + that: + - domain_group is not changed + - '"rule_group" in domain_group' + - '"rule_group" in domain_group.rule_group' + - '"rule_group_metadata" in domain_group.rule_group' + - '"capacity" in domain_group.rule_group.rule_group_metadata' + - '"rule_group_name" in domain_group.rule_group.rule_group_metadata' + - '"type" in domain_group.rule_group.rule_group_metadata' + - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - domain_group.rule_group.rule_group_metadata.capacity == 50 + - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name + - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in domain_group.rule_group.rule_group' + - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source' + - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST' + - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == ['HTTP_HOST', 'TLS_SNI'] + - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net'] + - '"rule_variables" in domain_group.rule_group.rule_group' + - '"ip_sets" in domain_group.rule_group.rule_group.rule_variables' + - '"HOME_NET" in domain_group.rule_group.rule_group.rule_variables.ip_sets' + - domain_group.rule_group.rule_group.rule_variables.ip_sets['HOME_NET'] == 
['203.0.113.0/24', '198.51.100.248'] + + - name: 'Update a Domain List Rule Group with updated Source IP list (idempotency)' + networkfirewall_rule_group: + name: '{{ domains_group_name }}' + type: 'stateful' + domain_list: + domain_names: + - 'example.com' + - '.example.net' + action: deny + filter_http: true + filter_https: true + source_ips: + - '203.0.113.0/24' + - '198.51.100.248' + register: domain_group + + - assert: + that: + - domain_group is not changed + - '"rule_group" in domain_group' + - '"rule_group" in domain_group.rule_group' + - '"rule_group_metadata" in domain_group.rule_group' + - '"capacity" in domain_group.rule_group.rule_group_metadata' + - '"rule_group_name" in domain_group.rule_group.rule_group_metadata' + - '"type" in domain_group.rule_group.rule_group_metadata' + - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - domain_group.rule_group.rule_group_metadata.capacity == 50 + - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name + - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in domain_group.rule_group.rule_group' + - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source' + - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST' + - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == ['HTTP_HOST', 'TLS_SNI'] + - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net'] + - '"rule_variables" in domain_group.rule_group.rule_group' + - 
'"ip_sets" in domain_group.rule_group.rule_group.rule_variables' + - '"HOME_NET" in domain_group.rule_group.rule_group.rule_variables.ip_sets' + - domain_group.rule_group.rule_group.rule_variables.ip_sets['HOME_NET'] == ['203.0.113.0/24', '198.51.100.248'] + + ##### + + - name: '(CHECK) Update a Domain List Rule Group with removed Source IP list' + networkfirewall_rule_group: + name: '{{ domains_group_name }}' + type: 'stateful' + domain_list: + domain_names: + - 'example.com' + - '.example.net' + action: deny + filter_http: true + filter_https: true + register: domain_group + check_mode: true + + - assert: + that: + - domain_group is changed + - '"rule_group" in domain_group' + - '"rule_group" in domain_group.rule_group' + - '"rule_group_metadata" in domain_group.rule_group' + - '"capacity" in domain_group.rule_group.rule_group_metadata' + - '"rule_group_name" in domain_group.rule_group.rule_group_metadata' + - '"type" in domain_group.rule_group.rule_group_metadata' + - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - domain_group.rule_group.rule_group_metadata.capacity == 50 + - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name + - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in domain_group.rule_group.rule_group' + - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source' + - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST' + - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == ['HTTP_HOST', 'TLS_SNI'] 
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net'] + - '"rule_variables" in domain_group.rule_group.rule_group' + - domain_group.rule_group.rule_group.rule_variables == {} + + - name: 'Update a Domain List Rule Group with removed Source IP list' + networkfirewall_rule_group: + name: '{{ domains_group_name }}' + type: 'stateful' + domain_list: + domain_names: + - 'example.com' + - '.example.net' + action: deny + filter_http: true + filter_https: true + register: domain_group + + - assert: + that: + - domain_group is changed + - '"rule_group" in domain_group' + - '"rule_group" in domain_group.rule_group' + - '"rule_group_metadata" in domain_group.rule_group' + - '"capacity" in domain_group.rule_group.rule_group_metadata' + - '"rule_group_arn" in domain_group.rule_group.rule_group_metadata' + - '"rule_group_id" in domain_group.rule_group.rule_group_metadata' + - '"rule_group_name" in domain_group.rule_group.rule_group_metadata' + - '"type" in domain_group.rule_group.rule_group_metadata' + - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - domain_group.rule_group.rule_group_metadata.capacity == 50 + - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name + - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in domain_group.rule_group.rule_group' + - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source' + - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST' + - 
domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == ['HTTP_HOST', 'TLS_SNI'] + - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net'] + - '"rule_variables" in domain_group.rule_group.rule_group' + - domain_group.rule_group.rule_group.rule_variables == {} + + - name: '(CHECK) Update a Domain List Rule Group with removed Source IP list (idempotency)' + networkfirewall_rule_group: + name: '{{ domains_group_name }}' + type: 'stateful' + domain_list: + domain_names: + - 'example.com' + - '.example.net' + action: deny + filter_http: true + filter_https: true + register: domain_group + check_mode: true + + - assert: + that: + - domain_group is not changed + - '"rule_group" in domain_group' + - '"rule_group" in domain_group.rule_group' + - '"rule_group_metadata" in domain_group.rule_group' + - '"capacity" in domain_group.rule_group.rule_group_metadata' + - '"rule_group_name" in domain_group.rule_group.rule_group_metadata' + - '"type" in domain_group.rule_group.rule_group_metadata' + - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - domain_group.rule_group.rule_group_metadata.capacity == 50 + - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name + - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in domain_group.rule_group.rule_group' + - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source' + - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list' + - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST' + - 
domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == ['HTTP_HOST', 'TLS_SNI']
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net']
+ - '"rule_variables" in domain_group.rule_group.rule_group'
+ - domain_group.rule_group.rule_group.rule_variables == {}
+
+ - name: 'Update a Domain List Rule Group with removed Source IP list (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ domain_list:
+ domain_names:
+ - 'example.com'
+ - '.example.net'
+ action: deny
+ filter_http: true
+ filter_https: true
+ register: domain_group
+
+ - assert:
+ that:
+ - domain_group is not changed
+ - '"rule_group" in domain_group'
+ - '"rule_group" in domain_group.rule_group'
+ - '"rule_group_metadata" in domain_group.rule_group'
+ - '"capacity" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in domain_group.rule_group.rule_group_metadata'
+ - '"type" in domain_group.rule_group.rule_group_metadata'
+ - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - domain_group.rule_group.rule_group_metadata.capacity == 50
+ - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name
+ - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - '"rules_source" in domain_group.rule_group.rule_group'
+ - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source'
+ - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == ['HTTP_HOST', 'TLS_SNI']
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net']
+ - '"rule_variables" in domain_group.rule_group.rule_group'
+ - domain_group.rule_group.rule_group.rule_variables == {}
+
+ #####
+
+ - name: '(CHECK) Update a Domain List Rule Group with no protocols'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ domain_list:
+ domain_names:
+ - 'example.com'
+ - '.example.net'
+ action: deny
+ register: domain_group
+ check_mode: true
+
+ - assert:
+ that:
+ - domain_group is changed
+ - '"rule_group" in domain_group'
+ - '"rule_group" in domain_group.rule_group'
+ - '"rule_group_metadata" in domain_group.rule_group'
+ - '"capacity" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in domain_group.rule_group.rule_group_metadata'
+ - '"type" in domain_group.rule_group.rule_group_metadata'
+ - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - domain_group.rule_group.rule_group_metadata.capacity == 50
+ - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name
+ - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - '"rules_source" in domain_group.rule_group.rule_group'
+ - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source'
+ - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == []
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net']
+
+ - name: 'Update a Domain List Rule Group with no protocols'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ domain_list:
+ domain_names:
+ - 'example.com'
+ - '.example.net'
+ action: deny
+ register: domain_group
+
+ - assert:
+ that:
+ - domain_group is changed
+ - '"rule_group" in domain_group'
+ - '"rule_group" in domain_group.rule_group'
+ - '"rule_group_metadata" in domain_group.rule_group'
+ - '"capacity" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_arn" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_id" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in domain_group.rule_group.rule_group_metadata'
+ - '"type" in domain_group.rule_group.rule_group_metadata'
+ - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - domain_group.rule_group.rule_group_metadata.capacity == 50
+ - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name
+ - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - '"rules_source" in domain_group.rule_group.rule_group'
+ - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source'
+ - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == []
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net']
+
+ - name: '(CHECK) Update a Domain List Rule Group with no protocols (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ domain_list:
+ domain_names:
+ - 'example.com'
+ - '.example.net'
+ action: deny
+ register: domain_group
+ check_mode: true
+
+ - assert:
+ that:
+ - domain_group is not changed
+ - '"rule_group" in domain_group'
+ - '"rule_group" in domain_group.rule_group'
+ - '"rule_group_metadata" in domain_group.rule_group'
+ - '"capacity" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in domain_group.rule_group.rule_group_metadata'
+ - '"type" in domain_group.rule_group.rule_group_metadata'
+ - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - domain_group.rule_group.rule_group_metadata.capacity == 50
+ - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name
+ - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - '"rules_source" in domain_group.rule_group.rule_group'
+ - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source'
+ - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == []
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net']
+
+ - name: 'Update a Domain List Rule Group with no protocols (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ domain_list:
+ domain_names:
+ - 'example.com'
+ - '.example.net'
+ action: deny
+ register: domain_group
+
+ - assert:
+ that:
+ - domain_group is not changed
+ - '"rule_group" in domain_group'
+ - '"rule_group" in domain_group.rule_group'
+ - '"rule_group_metadata" in domain_group.rule_group'
+ - '"capacity" in domain_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in domain_group.rule_group.rule_group_metadata'
+ - '"type" in domain_group.rule_group.rule_group_metadata'
+ - domain_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - domain_group.rule_group.rule_group_metadata.capacity == 50
+ - domain_group.rule_group.rule_group_metadata.rule_group_name == domains_group_name
+ - domain_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - domain_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - '"rules_source" in domain_group.rule_group.rule_group'
+ - '"rules_source_list" in domain_group.rule_group.rule_group.rules_source'
+ - '"generated_rules_type" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"target_types" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - '"targets" in domain_group.rule_group.rule_group.rules_source.rules_source_list'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.generated_rules_type == 'DENYLIST'
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.target_types == []
+ - domain_group.rule_group.rule_group.rules_source.rules_source_list.targets == ['example.com', '.example.net']
+
+ ###################################################################
+ # Deletion
+
+ - name: '(CHECK) Delete Domain List rule group'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ state: absent
+ register: domain_group
+ check_mode: true
+
+ - assert:
+ that:
+ - domain_group is changed
+
+ - name: 'Delete Domain List rule group'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ state: absent
+ register: domain_group
+
+ - assert:
+ that:
+ - domain_group is changed
+
+ # The Rule Group may still exist in a "DELETING" state, we should still
+ # return not changed
+ - name: 'Delete Domain List rule group (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ state: absent
+ register: domain_group
+ check_mode: true
+
+ - assert:
+ that:
+ - domain_group is not changed
+
+ - name: '(CHECK) Delete Domain List rule group (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ state: absent
+ register: domain_group
+
+ - assert:
+ that:
+ - domain_group is not changed
+
+ always:
+ - name: '(always) Delete Domain List rule group'
+ networkfirewall_rule_group:
+ name: '{{ domains_group_name }}'
+ type: 'stateful'
+ state: absent
+ ignore_errors: true
diff --git a/tests/integration/targets/networkfirewall_rule_group/tasks/main.yml b/tests/integration/targets/networkfirewall_rule_group/tasks/main.yml
new file mode 100644
index 00000000000..6180ece914d
--- /dev/null
+++ b/tests/integration/targets/networkfirewall_rule_group/tasks/main.yml
@@ -0,0 +1,44 @@
+---
+- module_defaults:
+ group/aws:
+ aws_access_key: '{{ aws_access_key | default(omit) }}'
+ aws_secret_key: '{{ aws_secret_key | default(omit) }}'
+ security_token: '{{ security_token | default(omit) }}'
+ region: '{{ aws_region | default(omit) }}'
+ collections:
+ - amazon.aws
+ - community.aws
+ block:
+ # Fetch some info about the account so we can build ARNs
+ - aws_caller_info: {}
+ register: caller_info
+ - name: 'Generate the ARN pattern to search for'
+ vars:
+ _caller_info: '{{ caller_info.arn.split(":") }}'
+ _base_arn: 'arn:{{_caller_info[1]}}:network-firewall:{{aws_region}}'
+ set_fact:
+ account_arn: '{{_base_arn}}:{{_caller_info[4]}}:stateful-rulegroup/'
+ managed_arn: '{{_base_arn}}:aws-managed:stateful-rulegroup/'
+
+ # List the Managed Rule Groups (there's no access to the rules themselves)
+ - include_tasks: 'managed.yml'
+ vars:
+ ansible_python_interpreter: "{{ botocore_virtualenv_interpreter }}"
+
+ # Minimal tests and manipulation of common metadata
+ - include_tasks: 'minimal.yml'
+
+ # Tests Manipulation of common Stateful settings
+ - include_tasks: 'stateful.yml'
+
+ # Tests Manipulation of Suricata formatted rule strings
+ - include_tasks: 'rule_strings.yml'
+
+ # Tests Manipulation of DomainList rule groups
+ - include_tasks: 'domain_list.yml'
+
+ # Tests Manipulation of 5-Tuple rule groups
+ - include_tasks: '5-tuple.yml'
+
+ always:
+ - include_tasks: 'cleanup.yml'
diff --git a/tests/integration/targets/networkfirewall_rule_group/tasks/managed.yml b/tests/integration/targets/networkfirewall_rule_group/tasks/managed.yml
new file mode 100644
index 00000000000..a79a5d9bac6
--- /dev/null
+++ b/tests/integration/targets/networkfirewall_rule_group/tasks/managed.yml
@@ -0,0 +1,10 @@
+---
+# Tests related to the Managed Firewall rules
+- networkfirewall_rule_group_info:
+ scope: managed
+ register: managed_rules_info
+
+- assert:
+ that:
+ - '"rule_list" in managed_rules_info'
+ - managed_rules_info.rule_list | length > 0
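Review bot: `_base_arn` interpolates `{{aws_region}}` with no default, while the `module_defaults` block a few lines above treats `aws_region` as optional via `default(omit)`; when the region is supplied only through the environment or a config file, the `set_fact` task fails on an undefined variable before any rule-group test runs. Either make the variable mandatory everywhere or resolve it once, e.g. `_base_arn: 'arn:{{ _caller_info[1] }}:network-firewall:{{ aws_region }}'` after adding a guarded `region` lookup, and add spaces inside the braces to match the `_caller_info` expression on the previous line. It also looks like only the `managed.yml` include runs under `botocore_virtualenv_interpreter`; if the `networkfirewall_rule_group` module needs the same botocore version (the target pins one, which suggests it does), the other five includes presumably need the same `vars:` block, otherwise they silently exercise whichever botocore the controller happens to ship.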
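Review bot: The final assertion in managed.yml only checks that `rule_list` is non-empty, so the `scope: managed` filter is never actually verified and the `managed_arn` fact that main.yml derives for exactly this purpose is left unused. If `rule_list` holds ARNs (the name of that fact suggests so; confirm against the info module's return shape), a check such as `- managed_rules_info.rule_list | select('match', managed_arn) | list | length == managed_rules_info.rule_list | length` would pin that every returned entry belongs to the `aws-managed` partition rather than to the account, which is the property a managed-scope listing is meant to guarantee. A short comment above the assert naming that property would also help the next reader understand why `managed_arn` exists.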
diff --git a/tests/integration/targets/networkfirewall_rule_group/tasks/minimal.yml b/tests/integration/targets/networkfirewall_rule_group/tasks/minimal.yml
new file mode 100644
index 00000000000..63de71dbba3
--- /dev/null
+++ b/tests/integration/targets/networkfirewall_rule_group/tasks/minimal.yml
@@ -0,0 +1,771 @@
+---
+#
+# Basic manipulation of a Firewall Group
+# - Minimal Creation
+# - Deletion
+# - Updating Metadata
+# -- description
+# -- tags
+#
+# Uses an 'allow all' string based rule, but doesn't attempt to manipulate the
+# rule itself
+#
+- vars:
+ minimal_group_name: '{{ group_name_prefix }}-MinimalGroup'
+ missing_group_name: '{{ group_name_prefix }}-MissingGroup'
+ first_tags:
+ 'Key with Spaces': Value with spaces
+ CamelCaseKey: CamelCaseValue
+ pascalCaseKey: pascalCaseValue
+ snake_case_key: snake_case_value
+ second_tags:
+ 'New Key with Spaces': Value with spaces
+ NewCamelCaseKey: CamelCaseValue
+ newPascalCaseKey: pascalCaseValue
+ new_snake_case_key: snake_case_value
+ third_tags:
+ 'Key with Spaces': Value with spaces
+ CamelCaseKey: CamelCaseValue
+ pascalCaseKey: pascalCaseValue
+ snake_case_key: snake_case_value
+ 'New Key with Spaces': Updated Value with spaces
+ final_tags:
+ 'Key with Spaces': Value with spaces
+ CamelCaseKey: CamelCaseValue
+ pascalCaseKey: pascalCaseValue
+ snake_case_key: snake_case_value
+ 'New Key with Spaces': Updated Value with spaces
+ NewCamelCaseKey: CamelCaseValue
+ newPascalCaseKey: pascalCaseValue
+ new_snake_case_key: snake_case_value
+ block:
+ # Test basic functionality of the modules
+ - name: 'Fetch all account rule groups'
+ networkfirewall_rule_group_info: {}
+ register: account_rules_info
+
+ - assert:
+ that:
+ - '"rule_list" in account_rules_info'
+ - '"rule_groups" in account_rules_info'
+ # We've not created anything yet, so there's no guarantee anything will be here
+
+ ###################################################################
+ # Creation
+
+ # The simplest form of rule group
+ - name: '(CHECK) Create a Rule Group with minimal settings'
+ networkfirewall_rule_group:
+ name: '{{ minimal_group_name }}'
+ type: 'stateful'
+ # Needed for creation
+ capacity: 100
+ # Needed for creation - We'll test manipulating them later
+ rule_strings:
+ - 'pass tcp any any -> any any (sid:1000001;)'
+ register: minimal_group
+ check_mode: true
+
+ - assert:
+ that:
+ - minimal_group is changed
+ - '"rule_group" in minimal_group'
+ - '"rule_group" in minimal_group.rule_group'
+ - '"rule_group_metadata" in minimal_group.rule_group'
+ - '"capacity" in minimal_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in minimal_group.rule_group.rule_group_metadata'
+ - '"type" in minimal_group.rule_group.rule_group_metadata'
+ - minimal_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - minimal_group.rule_group.rule_group_metadata.capacity == 100
+ - minimal_group.rule_group.rule_group_metadata.rule_group_name == minimal_group_name
+
+ # The simplest form of rule group
+ - name: 'Create a Rule Group with minimal settings'
+ networkfirewall_rule_group:
+ name: '{{ minimal_group_name }}'
+ type: 'stateful'
+ # Needed for creation
+ capacity: 100
+ # Needed for creation - We'll test manipulating them later
+ rule_strings:
+ - 'pass tcp any any -> any any (sid:1000001;)'
+ register: minimal_group
+
+ - assert:
+ that:
+ - minimal_group is changed
+ - '"rule_group" in minimal_group'
+ - '"rule_group" in minimal_group.rule_group'
+ - '"rule_group_metadata" in minimal_group.rule_group'
+ - '"capacity" in minimal_group.rule_group.rule_group_metadata'
+ - '"rule_group_arn" in minimal_group.rule_group.rule_group_metadata'
+ - '"rule_group_id" in minimal_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in minimal_group.rule_group.rule_group_metadata'
+ - '"type" in minimal_group.rule_group.rule_group_metadata'
+ - minimal_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - minimal_group.rule_group.rule_group_metadata.capacity == 100
+ - minimal_group.rule_group.rule_group_metadata.rule_group_name == minimal_group_name
+ - minimal_group.rule_group.rule_group_metadata.rule_group_arn.startswith(account_arn)
+ - minimal_group.rule_group.rule_group_metadata.rule_group_arn.endswith(minimal_group_name)
+
+ - name: Save RuleGroup ID/ARN for later
+ set_fact:
+ minimal_rule_group_id: '{{ minimal_group.rule_group.rule_group_metadata.rule_group_id }}'
+ minimal_rule_group_arn: '{{ minimal_group.rule_group.rule_group_metadata.rule_group_arn }}'
+
+ - name: '(CHECK) Create a Rule Group with minimal settings (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ minimal_group_name }}'
+ type: 'stateful'
+ capacity: 100
+ register: minimal_group
+ check_mode: true
+
+ - assert:
+ that:
+ - minimal_group is not changed
+ - '"rule_group" in minimal_group'
+ - '"rule_group" in minimal_group.rule_group'
+ - '"rule_group_metadata" in minimal_group.rule_group'
+ - '"capacity" in minimal_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in minimal_group.rule_group.rule_group_metadata'
+ - '"type" in minimal_group.rule_group.rule_group_metadata'
+ - minimal_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - minimal_group.rule_group.rule_group_metadata.capacity == 100
+ - minimal_group.rule_group.rule_group_metadata.rule_group_name == minimal_group_name
+ - minimal_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - minimal_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+
+ - name: 'Create a Rule Group with minimal settings (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ minimal_group_name }}'
+ type: 'stateful'
+ capacity: 100
+ register: minimal_group
+
+ - assert:
+ that:
+ - minimal_group is not changed
+ - '"rule_group" in minimal_group'
+ - '"rule_group" in minimal_group.rule_group'
+ - '"rule_group_metadata" in minimal_group.rule_group'
+ - '"capacity" in minimal_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in minimal_group.rule_group.rule_group_metadata'
+ - '"type" in minimal_group.rule_group.rule_group_metadata'
+ - minimal_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - minimal_group.rule_group.rule_group_metadata.capacity == 100
+ - minimal_group.rule_group.rule_group_metadata.rule_group_name == minimal_group_name
+ - minimal_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - minimal_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+
+ ###################################################################
+ # Capacity
+
+ # Capacity can't be changed after creation
+ - name: '(CHECK) Attempt to change capacity'
+ networkfirewall_rule_group:
+ name: '{{ minimal_group_name }}'
+ type: 'stateful'
+ capacity: 200
+ register: minimal_group
+ ignore_errors: true
+ check_mode: true
+
+ - assert:
+ that:
+ - minimal_group is failed
+
+ - name: 'Attempt to change capacity'
+ networkfirewall_rule_group:
+ name: '{{ minimal_group_name }}'
+ type: 'stateful'
+ capacity: 200
+ register: minimal_group
+ ignore_errors: true
+
+ - assert:
+ that:
+ - minimal_group is failed
+
+ ###################################################################
+ # Description
+
+ - name: '(CHECK) Add a description'
+ networkfirewall_rule_group:
+ name: '{{ minimal_group_name }}'
+ type: 'stateful'
+ description: 'Example Description'
+ register: minimal_group
+ check_mode: true
+
+ - assert:
+ that:
+ - minimal_group is changed
+ - '"rule_group" in minimal_group'
+ - '"rule_group" in minimal_group.rule_group'
+ - '"rule_group_metadata" in minimal_group.rule_group'
+ - '"capacity" in minimal_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in minimal_group.rule_group.rule_group_metadata'
+ - '"type" in minimal_group.rule_group.rule_group_metadata'
+ - minimal_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - minimal_group.rule_group.rule_group_metadata.capacity == 100
+ - minimal_group.rule_group.rule_group_metadata.rule_group_name == minimal_group_name
+ - minimal_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - minimal_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - minimal_group.rule_group.rule_group_metadata.description == 'Example Description'
+
+ - name: 'Add a description'
+ networkfirewall_rule_group:
+ name: '{{ minimal_group_name }}'
+ type: 'stateful'
+ description: 'Example Description'
+ register: minimal_group
+
+ - assert:
+ that:
+ - minimal_group is changed
+ - '"rule_group" in minimal_group'
+ - '"rule_group" in minimal_group.rule_group'
+ - '"rule_group_metadata" in minimal_group.rule_group'
+ - '"capacity" in minimal_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in minimal_group.rule_group.rule_group_metadata'
+ - '"type" in minimal_group.rule_group.rule_group_metadata'
+ - minimal_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - minimal_group.rule_group.rule_group_metadata.capacity == 100
+ - minimal_group.rule_group.rule_group_metadata.rule_group_name == minimal_group_name
+ - minimal_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - minimal_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - minimal_group.rule_group.rule_group_metadata.description == 'Example Description'
+
+ - name: '(CHECK) Add a description (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ minimal_group_name }}'
+ type: 'stateful'
+ description: 'Example Description'
+ register: minimal_group
+ check_mode: true
+
+ - assert:
+ that:
+ - minimal_group is not changed
+ - '"rule_group" in minimal_group'
+ - '"rule_group" in minimal_group.rule_group'
+ - '"rule_group_metadata" in minimal_group.rule_group'
+ - '"capacity" in minimal_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in minimal_group.rule_group.rule_group_metadata'
+ - '"type" in minimal_group.rule_group.rule_group_metadata'
+ - minimal_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - minimal_group.rule_group.rule_group_metadata.capacity == 100
+ - minimal_group.rule_group.rule_group_metadata.rule_group_name == minimal_group_name
+ - minimal_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - minimal_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - minimal_group.rule_group.rule_group_metadata.description == 'Example Description'
+
+ - name: 'Add a description (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ minimal_group_name }}'
+ type: 'stateful'
+ description: 'Example Description'
+ register: minimal_group
+
+ - assert:
+ that:
+ - minimal_group is not changed
+ - '"rule_group" in minimal_group'
+ - '"rule_group" in minimal_group.rule_group'
+ - '"rule_group_metadata" in minimal_group.rule_group'
+ - '"capacity" in minimal_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in minimal_group.rule_group.rule_group_metadata'
+ - '"type" in minimal_group.rule_group.rule_group_metadata'
+ - minimal_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - minimal_group.rule_group.rule_group_metadata.capacity == 100
+ - minimal_group.rule_group.rule_group_metadata.rule_group_name == minimal_group_name
+ - minimal_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - minimal_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - minimal_group.rule_group.rule_group_metadata.description == 'Example Description'
+
+ #####
+
+ - name: '(CHECK) Update a description'
+ networkfirewall_rule_group:
+ name: '{{ minimal_group_name }}'
+ type: 'stateful'
+ description: 'Updated description'
+ register: minimal_group
+ check_mode: true
+
+ - assert:
+ that:
+ - minimal_group is changed
+ - '"rule_group" in minimal_group'
+ - '"rule_group" in minimal_group.rule_group'
+ - '"rule_group_metadata" in minimal_group.rule_group'
+ - '"capacity" in minimal_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in minimal_group.rule_group.rule_group_metadata'
+ - '"type" in minimal_group.rule_group.rule_group_metadata'
+ - minimal_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - minimal_group.rule_group.rule_group_metadata.capacity == 100
+ - minimal_group.rule_group.rule_group_metadata.rule_group_name == minimal_group_name
+ - minimal_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - minimal_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - minimal_group.rule_group.rule_group_metadata.description == 'Updated description'
+
+ - name: 'Update a description'
+ networkfirewall_rule_group:
+ name: '{{ minimal_group_name }}'
+ type: 'stateful'
+ description: 'Updated description'
+ register: minimal_group
+
+ - assert:
+ that:
+ - minimal_group is changed
+ - '"rule_group" in minimal_group'
+ - '"rule_group" in minimal_group.rule_group'
+ - '"rule_group_metadata" in minimal_group.rule_group'
+ - '"capacity" in minimal_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in minimal_group.rule_group.rule_group_metadata'
+ - '"type" in minimal_group.rule_group.rule_group_metadata'
+ - minimal_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - minimal_group.rule_group.rule_group_metadata.capacity == 100
+ - minimal_group.rule_group.rule_group_metadata.rule_group_name == minimal_group_name
+ - minimal_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - minimal_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - minimal_group.rule_group.rule_group_metadata.description == 'Updated description'
+
+ - name: '(CHECK) Update a description (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ minimal_group_name }}'
+ type: 'stateful'
+ description: 'Updated description'
+ register: minimal_group
+ check_mode: true
+
+ - assert:
+ that:
+ - minimal_group is not changed
+ - '"rule_group" in minimal_group'
+ - '"rule_group" in minimal_group.rule_group'
+ - '"rule_group_metadata" in minimal_group.rule_group'
+ - '"capacity" in minimal_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in minimal_group.rule_group.rule_group_metadata'
+ - '"type" in minimal_group.rule_group.rule_group_metadata'
+ - minimal_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - minimal_group.rule_group.rule_group_metadata.capacity == 100
+ - minimal_group.rule_group.rule_group_metadata.rule_group_name == minimal_group_name
+ - minimal_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - minimal_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - minimal_group.rule_group.rule_group_metadata.description == 'Updated description'
+
+ - name: 'Update a description (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ minimal_group_name }}'
+ type: 'stateful'
+ description: 'Updated description'
+ register: minimal_group
+
+ - assert:
+ that:
+ - minimal_group is not changed
+ - '"rule_group" in minimal_group'
+ - '"rule_group" in minimal_group.rule_group'
+ - '"rule_group_metadata" in minimal_group.rule_group'
+ - '"capacity" in minimal_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in minimal_group.rule_group.rule_group_metadata'
+ - '"type" in minimal_group.rule_group.rule_group_metadata'
+ - minimal_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - minimal_group.rule_group.rule_group_metadata.capacity == 100
+ - minimal_group.rule_group.rule_group_metadata.rule_group_name == minimal_group_name
+ - minimal_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - minimal_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - minimal_group.rule_group.rule_group_metadata.description == 'Updated description'
+
+ ###################################################################
+ # Tags
+
+ - name: '(CHECK) Tag Rule Group'
+ networkfirewall_rule_group:
+ name: '{{ minimal_group_name }}'
+ type: 'stateful'
+ tags: '{{ first_tags }}'
+ register: minimal_group
+ check_mode: true
+
+ - assert:
+ that:
+ - minimal_group is changed
+ - '"rule_group" in minimal_group'
+ - '"rule_group" in minimal_group.rule_group'
+ - '"rule_group_metadata" in minimal_group.rule_group'
+ - '"capacity" in minimal_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in minimal_group.rule_group.rule_group_metadata'
+ - '"type" in minimal_group.rule_group.rule_group_metadata'
+ - '"tags" in minimal_group.rule_group.rule_group_metadata'
+ - minimal_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - minimal_group.rule_group.rule_group_metadata.capacity == 100
+ - minimal_group.rule_group.rule_group_metadata.rule_group_name == minimal_group_name
+ - minimal_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - minimal_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - minimal_group.rule_group.rule_group_metadata.description == 'Updated description'
+ - minimal_group.rule_group.rule_group_metadata.tags == first_tags
+
+ - name: 'Tag Rule Group'
+ networkfirewall_rule_group:
+ name: '{{ minimal_group_name }}'
+ type: 'stateful'
+ tags: '{{ first_tags }}'
+ register: minimal_group
+
+ - assert:
+ that:
+ - minimal_group is changed
+ - '"rule_group" in minimal_group'
+ - '"rule_group" in minimal_group.rule_group'
+ - '"rule_group_metadata" in minimal_group.rule_group'
+ - '"capacity" in minimal_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in minimal_group.rule_group.rule_group_metadata'
+ - '"type" in minimal_group.rule_group.rule_group_metadata'
+ - minimal_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - minimal_group.rule_group.rule_group_metadata.capacity == 100
+ - minimal_group.rule_group.rule_group_metadata.rule_group_name == minimal_group_name
+ - minimal_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - minimal_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - minimal_group.rule_group.rule_group_metadata.description == 'Updated description'
+ - minimal_group.rule_group.rule_group_metadata.tags == first_tags
+
+ - name: '(CHECK) Tag Rule Group (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ minimal_group_name }}'
+ type: 'stateful'
+ tags: '{{ first_tags }}'
+ register: minimal_group
+ check_mode: true
+
+ - assert:
+ that:
+ - minimal_group is not changed
+ - '"rule_group" in minimal_group'
+ - '"rule_group" in minimal_group.rule_group'
+ - '"rule_group_metadata" in minimal_group.rule_group'
+ - '"capacity" in minimal_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in minimal_group.rule_group.rule_group_metadata'
+ - '"type" in minimal_group.rule_group.rule_group_metadata'
+ - minimal_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - minimal_group.rule_group.rule_group_metadata.capacity == 100
+ - minimal_group.rule_group.rule_group_metadata.rule_group_name == minimal_group_name
+ - minimal_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - minimal_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - minimal_group.rule_group.rule_group_metadata.description == 'Updated description'
+ - minimal_group.rule_group.rule_group_metadata.tags == first_tags
+
+ - name: 'Tag Rule Group (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ minimal_group_name }}'
+ type: 'stateful'
+ tags: '{{ first_tags }}'
+ register: minimal_group
+
+ - assert:
+ that:
+ - minimal_group is not changed
+ - '"rule_group" in minimal_group'
+ - '"rule_group" in minimal_group.rule_group'
+ - '"rule_group_metadata" in minimal_group.rule_group'
+ - '"capacity" in minimal_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in minimal_group.rule_group.rule_group_metadata'
+ - '"type" in minimal_group.rule_group.rule_group_metadata'
+ - minimal_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - minimal_group.rule_group.rule_group_metadata.capacity == 100
+ - minimal_group.rule_group.rule_group_metadata.rule_group_name == minimal_group_name
+ - minimal_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - minimal_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - minimal_group.rule_group.rule_group_metadata.description == 'Updated description'
+ - minimal_group.rule_group.rule_group_metadata.tags == first_tags
+
+ #####
+
+ - name: '(CHECK) Update tags with purge'
+ networkfirewall_rule_group:
+ name: '{{ minimal_group_name }}'
+ type: 'stateful'
+ tags: '{{ second_tags }}'
+ register: minimal_group
+ check_mode: true
+
+ - assert:
+ that:
+ - minimal_group is changed
+ - '"rule_group" in minimal_group'
+ - '"rule_group" in minimal_group.rule_group'
+ - '"rule_group_metadata" in minimal_group.rule_group'
+ - '"capacity" in minimal_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in minimal_group.rule_group.rule_group_metadata'
+ - '"type" in minimal_group.rule_group.rule_group_metadata'
+ - '"tags" in minimal_group.rule_group.rule_group_metadata'
+ - minimal_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - minimal_group.rule_group.rule_group_metadata.capacity == 100
+ - minimal_group.rule_group.rule_group_metadata.rule_group_name == minimal_group_name
+ - minimal_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - minimal_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - minimal_group.rule_group.rule_group_metadata.description == 'Updated description'
+ - minimal_group.rule_group.rule_group_metadata.tags == second_tags
+
+ - name: 'Update tags with purge'
+ networkfirewall_rule_group:
+ name: '{{ minimal_group_name }}'
+ type: 'stateful'
+ tags: '{{ second_tags }}'
+ register: minimal_group
+
+ - assert:
+ that:
+ - minimal_group is changed
+ - '"rule_group" in minimal_group'
+ - '"rule_group" in minimal_group.rule_group'
+ - '"rule_group_metadata" in minimal_group.rule_group'
+ - '"capacity" in minimal_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in minimal_group.rule_group.rule_group_metadata'
+ - '"type" in minimal_group.rule_group.rule_group_metadata'
+ - minimal_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - minimal_group.rule_group.rule_group_metadata.capacity == 100
+ - minimal_group.rule_group.rule_group_metadata.rule_group_name == minimal_group_name
+ - minimal_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - minimal_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - minimal_group.rule_group.rule_group_metadata.description == 'Updated description'
+ - minimal_group.rule_group.rule_group_metadata.tags == second_tags
+
+ - name: '(CHECK) Update tags with purge (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ minimal_group_name }}'
+ type: 'stateful'
+ tags: '{{ second_tags }}'
+ register: minimal_group
+ check_mode: true
+
+ - assert:
+ that:
+ - minimal_group is not changed
+ - '"rule_group" in minimal_group'
+ - '"rule_group" in minimal_group.rule_group'
+ - '"rule_group_metadata" in minimal_group.rule_group'
+ - '"capacity" in minimal_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in minimal_group.rule_group.rule_group_metadata'
+ - '"type" in minimal_group.rule_group.rule_group_metadata'
+ - minimal_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - minimal_group.rule_group.rule_group_metadata.capacity == 100
+ - minimal_group.rule_group.rule_group_metadata.rule_group_name == minimal_group_name
+ - minimal_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - minimal_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - minimal_group.rule_group.rule_group_metadata.description == 'Updated description'
+ - minimal_group.rule_group.rule_group_metadata.tags == second_tags
+
+ - name: 'Update tags with purge (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ minimal_group_name }}'
+ type: 'stateful'
+ tags: '{{ second_tags }}'
+ register: minimal_group
+
+ - assert:
+ that:
+ - minimal_group is not changed
+ - '"rule_group" in minimal_group'
+ - '"rule_group" in minimal_group.rule_group'
+ - '"rule_group_metadata" in minimal_group.rule_group'
+ - '"capacity" in minimal_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in minimal_group.rule_group.rule_group_metadata'
+ - '"type" in minimal_group.rule_group.rule_group_metadata'
+ - minimal_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - minimal_group.rule_group.rule_group_metadata.capacity == 100
+ - minimal_group.rule_group.rule_group_metadata.rule_group_name == minimal_group_name
+ - minimal_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - minimal_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - minimal_group.rule_group.rule_group_metadata.description == 'Updated description'
+ - minimal_group.rule_group.rule_group_metadata.tags == second_tags
+
+ #####
+
+ - name: '(CHECK) Update tags with no purge'
+ networkfirewall_rule_group:
+ name: '{{ minimal_group_name }}'
+ type: 'stateful'
+ tags: '{{ third_tags }}'
+ purge_tags: false
+ register: minimal_group
+ check_mode: true
+
+ - assert:
+ that:
+ - minimal_group is changed
+ - '"rule_group" in minimal_group'
+ - '"rule_group" in minimal_group.rule_group'
+ - '"rule_group_metadata" in minimal_group.rule_group'
+ - '"capacity" in minimal_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in minimal_group.rule_group.rule_group_metadata'
+ - '"type" in minimal_group.rule_group.rule_group_metadata'
+ - '"tags" in minimal_group.rule_group.rule_group_metadata'
+ - minimal_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - minimal_group.rule_group.rule_group_metadata.capacity == 100
+ - minimal_group.rule_group.rule_group_metadata.rule_group_name == minimal_group_name
+ - minimal_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - minimal_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - minimal_group.rule_group.rule_group_metadata.description == 'Updated description'
+ - minimal_group.rule_group.rule_group_metadata.tags == final_tags
+
+ - name: 'Update tags with no purge'
+ networkfirewall_rule_group:
+ name: '{{ minimal_group_name }}'
+ type: 'stateful'
+ tags: '{{ third_tags }}'
+ purge_tags: false
+ register: minimal_group
+
+ - assert:
+ that:
+ - minimal_group is changed
+ - '"rule_group" in minimal_group'
+ - '"rule_group" in minimal_group.rule_group'
+ - '"rule_group_metadata" in minimal_group.rule_group'
+ - '"capacity" in minimal_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in minimal_group.rule_group.rule_group_metadata'
+ - '"type" in minimal_group.rule_group.rule_group_metadata'
+ - minimal_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - minimal_group.rule_group.rule_group_metadata.capacity == 100
+ - minimal_group.rule_group.rule_group_metadata.rule_group_name == minimal_group_name
+ - minimal_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn
+ - minimal_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id
+ - minimal_group.rule_group.rule_group_metadata.description == 'Updated description'
+ - minimal_group.rule_group.rule_group_metadata.tags == final_tags
+
+ - name: '(CHECK) Update tags with no purge (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ minimal_group_name }}'
+ type: 'stateful'
+ tags: '{{ third_tags }}'
+ purge_tags: false
+ register: minimal_group
+ check_mode: true
+
+ - assert:
+ that:
+ - minimal_group is not changed
+ - '"rule_group" in minimal_group'
+ - '"rule_group" in minimal_group.rule_group'
+ - '"rule_group_metadata" in minimal_group.rule_group'
+ - '"capacity" in minimal_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in minimal_group.rule_group.rule_group_metadata'
+ - '"type" in 
minimal_group.rule_group.rule_group_metadata' + - minimal_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - minimal_group.rule_group.rule_group_metadata.capacity == 100 + - minimal_group.rule_group.rule_group_metadata.rule_group_name == minimal_group_name + - minimal_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - minimal_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - minimal_group.rule_group.rule_group_metadata.description == 'Updated description' + - minimal_group.rule_group.rule_group_metadata.tags == final_tags + + - name: 'Update tags with no purge (idempotency)' + networkfirewall_rule_group: + name: '{{ minimal_group_name }}' + type: 'stateful' + tags: '{{ third_tags }}' + purge_tags: false + register: minimal_group + + - assert: + that: + - minimal_group is not changed + - '"rule_group" in minimal_group' + - '"rule_group" in minimal_group.rule_group' + - '"rule_group_metadata" in minimal_group.rule_group' + - '"capacity" in minimal_group.rule_group.rule_group_metadata' + - '"rule_group_name" in minimal_group.rule_group.rule_group_metadata' + - '"type" in minimal_group.rule_group.rule_group_metadata' + - minimal_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - minimal_group.rule_group.rule_group_metadata.capacity == 100 + - minimal_group.rule_group.rule_group_metadata.rule_group_name == minimal_group_name + - minimal_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - minimal_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - minimal_group.rule_group.rule_group_metadata.description == 'Updated description' + - minimal_group.rule_group.rule_group_metadata.tags == final_tags + + ################################################################### + # Deletion + + - name: '(CHECK) Delete minimal rule group' + networkfirewall_rule_group: + name: '{{ minimal_group_name }}' + type: 'stateful' + state: absent + register: 
minimal_group + check_mode: true + + - assert: + that: + - minimal_group is changed + + - name: 'Delete minimal rule group' + networkfirewall_rule_group: + name: '{{ minimal_group_name }}' + type: 'stateful' + state: absent + register: minimal_group + + - assert: + that: + - minimal_group is changed + + # The Rule Group may still exist in a "DELETING" state, we should still + # return not changed + - name: 'Delete minimal rule group (idempotency)' + networkfirewall_rule_group: + name: '{{ minimal_group_name }}' + type: 'stateful' + state: absent + register: minimal_group + check_mode: true + + - assert: + that: + - minimal_group is not changed + + - name: '(CHECK) Delete minimal rule group (idempotency)' + networkfirewall_rule_group: + name: '{{ minimal_group_name }}' + type: 'stateful' + state: absent + register: minimal_group + + - assert: + that: + - minimal_group is not changed + + ##### + - name: '(CHECK) Delete missing rule group' + networkfirewall_rule_group: + name: '{{ missing_group_name }}' + type: 'stateful' + state: absent + register: missing_group + check_mode: true + + - assert: + that: + - missing_group is not changed + + - name: 'Delete missing rule group' + networkfirewall_rule_group: + name: '{{ missing_group_name }}' + type: 'stateful' + state: absent + + - assert: + that: + - missing_group is not changed + + always: + - name: '(always) Delete minimal rule group' + networkfirewall_rule_group: + name: '{{ minimal_group_name }}' + type: 'stateful' + state: absent + ignore_errors: true diff --git a/tests/integration/targets/networkfirewall_rule_group/tasks/rule_strings.yml b/tests/integration/targets/networkfirewall_rule_group/tasks/rule_strings.yml new file mode 100644 index 00000000000..b536d039bc1 --- /dev/null +++ b/tests/integration/targets/networkfirewall_rule_group/tasks/rule_strings.yml 
@@ -0,0 +1,480 @@ +--- +# +# Basic manipulation of Suricata String based rule groups +# - Minimal Creation +# - Deletion +# - Updating Rules +# +- vars: + strings_group_name: '{{ group_name_prefix }}-SuricataGroup' + rule_one: 'pass tcp any any -> any any (sid:1000001;)' + rule_two: 'drop tcp any any -> any any (sid:1000002;)' + rule_three: 'alert tcp any any -> any any (sid:1000003;)' + all_rules: |- + {{ rule_one }} + {{ rule_two }} + {{ rule_three }} + last_rules: |- + {{ rule_two }} + {{ rule_three }} + block: + ################################################################### + # Creation + + - name: '(CHECK) Create a rule_strings Rule Group' + networkfirewall_rule_group: + name: '{{ strings_group_name }}' + type: 'stateful' + capacity: 100 + rule_strings: '{{ rule_one }}' + register: strings_group + check_mode: true + + - assert: + that: + - strings_group is changed + - '"rule_group" in strings_group' + - '"rule_group" in strings_group.rule_group' + - '"rule_group_metadata" in strings_group.rule_group' + - '"capacity" in strings_group.rule_group.rule_group_metadata' + - '"rule_group_name" in strings_group.rule_group.rule_group_metadata' + - '"type" in strings_group.rule_group.rule_group_metadata' + - strings_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - strings_group.rule_group.rule_group_metadata.capacity == 100 + - strings_group.rule_group.rule_group_metadata.rule_group_name == strings_group_name + - '"rules_source" in strings_group.rule_group.rule_group' + - '"rules_string" in strings_group.rule_group.rule_group.rules_source' + - strings_group.rule_group.rule_group.rules_source.rules_string == rule_one + + - name: 'Create a rule_strings Rule Group' + networkfirewall_rule_group: + name: '{{ strings_group_name }}' + type: 'stateful' + capacity: 100 + rule_strings: '{{ rule_one }}' + register: strings_group + + - assert: + that: + - strings_group is changed + - '"rule_group" in strings_group' + - '"rule_group" in strings_group.rule_group' + - 
'"rule_group_metadata" in strings_group.rule_group' + - '"capacity" in strings_group.rule_group.rule_group_metadata' + - '"rule_group_arn" in strings_group.rule_group.rule_group_metadata' + - '"rule_group_id" in strings_group.rule_group.rule_group_metadata' + - '"rule_group_name" in strings_group.rule_group.rule_group_metadata' + - '"type" in strings_group.rule_group.rule_group_metadata' + - strings_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - strings_group.rule_group.rule_group_metadata.capacity == 100 + - strings_group.rule_group.rule_group_metadata.rule_group_name == strings_group_name + - strings_group.rule_group.rule_group_metadata.rule_group_arn.startswith(account_arn) + - strings_group.rule_group.rule_group_metadata.rule_group_arn.endswith(strings_group_name) + - '"rules_source" in strings_group.rule_group.rule_group' + - '"rules_string" in strings_group.rule_group.rule_group.rules_source' + - strings_group.rule_group.rule_group.rules_source.rules_string == rule_one + + - name: Save RuleGroup ID/ARN for later + set_fact: + minimal_rule_group_id: '{{ strings_group.rule_group.rule_group_metadata.rule_group_id }}' + minimal_rule_group_arn: '{{ strings_group.rule_group.rule_group_metadata.rule_group_arn }}' + + - name: '(CHECK) Create a rule_strings Rule Group (idempotency)' + networkfirewall_rule_group: + name: '{{ strings_group_name }}' + type: 'stateful' + capacity: 100 + rule_strings: '{{ rule_one }}' + register: strings_group + check_mode: true + + - assert: + that: + - strings_group is not changed + - '"rule_group" in strings_group' + - '"rule_group" in strings_group.rule_group' + - '"rule_group_metadata" in strings_group.rule_group' + - '"capacity" in strings_group.rule_group.rule_group_metadata' + - '"rule_group_name" in strings_group.rule_group.rule_group_metadata' + - '"type" in strings_group.rule_group.rule_group_metadata' + - strings_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - 
strings_group.rule_group.rule_group_metadata.capacity == 100 + - strings_group.rule_group.rule_group_metadata.rule_group_name == strings_group_name + - strings_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - strings_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in strings_group.rule_group.rule_group' + - '"rules_string" in strings_group.rule_group.rule_group.rules_source' + - strings_group.rule_group.rule_group.rules_source.rules_string == rule_one + + - name: 'Create a rule_strings Rule Group (idempotency)' + networkfirewall_rule_group: + name: '{{ strings_group_name }}' + type: 'stateful' + capacity: 100 + rule_strings: '{{ rule_one }}' + register: strings_group + + - assert: + that: + - strings_group is not changed + - '"rule_group" in strings_group' + - '"rule_group" in strings_group.rule_group' + - '"rule_group_metadata" in strings_group.rule_group' + - '"capacity" in strings_group.rule_group.rule_group_metadata' + - '"rule_group_name" in strings_group.rule_group.rule_group_metadata' + - '"type" in strings_group.rule_group.rule_group_metadata' + - strings_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - strings_group.rule_group.rule_group_metadata.capacity == 100 + - strings_group.rule_group.rule_group_metadata.rule_group_name == strings_group_name + - strings_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - strings_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in strings_group.rule_group.rule_group' + - '"rules_string" in strings_group.rule_group.rule_group.rules_source' + - strings_group.rule_group.rule_group.rules_source.rules_string == rule_one + + ##### + + - name: '(CHECK) Test that rule_strings as a list with one element behaves the same as a single string' + networkfirewall_rule_group: + name: '{{ strings_group_name }}' + type: 'stateful' + rule_strings: + - '{{ rule_one }}' + 
register: strings_group + check_mode: true + + - assert: + that: + - strings_group is not changed + - '"rule_group" in strings_group' + - '"rule_group" in strings_group.rule_group' + - '"rule_group_metadata" in strings_group.rule_group' + - '"capacity" in strings_group.rule_group.rule_group_metadata' + - '"rule_group_name" in strings_group.rule_group.rule_group_metadata' + - '"type" in strings_group.rule_group.rule_group_metadata' + - strings_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - strings_group.rule_group.rule_group_metadata.capacity == 100 + - strings_group.rule_group.rule_group_metadata.rule_group_name == strings_group_name + - strings_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - strings_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in strings_group.rule_group.rule_group' + - '"rules_string" in strings_group.rule_group.rule_group.rules_source' + - strings_group.rule_group.rule_group.rules_source.rules_string == rule_one + + - name: 'Test that rule_strings as a list with one element behaves the same as a single string' + networkfirewall_rule_group: + name: '{{ strings_group_name }}' + type: 'stateful' + rule_strings: + - '{{ rule_one }}' + register: strings_group + + - assert: + that: + - strings_group is not changed + - '"rule_group" in strings_group' + - '"rule_group" in strings_group.rule_group' + - '"rule_group_metadata" in strings_group.rule_group' + - '"capacity" in strings_group.rule_group.rule_group_metadata' + - '"rule_group_name" in strings_group.rule_group.rule_group_metadata' + - '"type" in strings_group.rule_group.rule_group_metadata' + - strings_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - strings_group.rule_group.rule_group_metadata.capacity == 100 + - strings_group.rule_group.rule_group_metadata.rule_group_name == strings_group_name + - strings_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - 
strings_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in strings_group.rule_group.rule_group' + - '"rules_string" in strings_group.rule_group.rule_group.rules_source' + - strings_group.rule_group.rule_group.rules_source.rules_string == rule_one + + ################################################################### + # Update + + - name: '(CHECK) Update a rule_strings Rule Group' + networkfirewall_rule_group: + name: '{{ strings_group_name }}' + type: 'stateful' + rule_strings: + - '{{ rule_one }}' + - '{{ rule_two }}' + - '{{ rule_three }}' + register: strings_group + check_mode: true + + - assert: + that: + - strings_group is changed + - '"rule_group" in strings_group' + - '"rule_group" in strings_group.rule_group' + - '"rule_group_metadata" in strings_group.rule_group' + - '"capacity" in strings_group.rule_group.rule_group_metadata' + - '"rule_group_name" in strings_group.rule_group.rule_group_metadata' + - '"type" in strings_group.rule_group.rule_group_metadata' + - strings_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - strings_group.rule_group.rule_group_metadata.capacity == 100 + - strings_group.rule_group.rule_group_metadata.rule_group_name == strings_group_name + - strings_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - strings_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in strings_group.rule_group.rule_group' + - '"rules_string" in strings_group.rule_group.rule_group.rules_source' + - strings_group.rule_group.rule_group.rules_source.rules_string == all_rules + + - name: 'Update a rule_strings Rule Group' + networkfirewall_rule_group: + name: '{{ strings_group_name }}' + type: 'stateful' + rule_strings: + - '{{ rule_one }}' + - '{{ rule_two }}' + - '{{ rule_three }}' + register: strings_group + + - assert: + that: + - strings_group is changed + - '"rule_group" in strings_group' + - '"rule_group" in 
strings_group.rule_group' + - '"rule_group_metadata" in strings_group.rule_group' + - '"capacity" in strings_group.rule_group.rule_group_metadata' + - '"rule_group_arn" in strings_group.rule_group.rule_group_metadata' + - '"rule_group_id" in strings_group.rule_group.rule_group_metadata' + - '"rule_group_name" in strings_group.rule_group.rule_group_metadata' + - '"type" in strings_group.rule_group.rule_group_metadata' + - strings_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - strings_group.rule_group.rule_group_metadata.capacity == 100 + - strings_group.rule_group.rule_group_metadata.rule_group_name == strings_group_name + - strings_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - strings_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in strings_group.rule_group.rule_group' + - '"rules_string" in strings_group.rule_group.rule_group.rules_source' + - strings_group.rule_group.rule_group.rules_source.rules_string == all_rules + + - name: '(CHECK) Update a rule_strings Rule Group (idempotency)' + networkfirewall_rule_group: + name: '{{ strings_group_name }}' + type: 'stateful' + rule_strings: + - '{{ rule_one }}' + - '{{ rule_two }}' + - '{{ rule_three }}' + register: strings_group + check_mode: true + + - assert: + that: + - strings_group is not changed + - '"rule_group" in strings_group' + - '"rule_group" in strings_group.rule_group' + - '"rule_group_metadata" in strings_group.rule_group' + - '"capacity" in strings_group.rule_group.rule_group_metadata' + - '"rule_group_name" in strings_group.rule_group.rule_group_metadata' + - '"type" in strings_group.rule_group.rule_group_metadata' + - strings_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - strings_group.rule_group.rule_group_metadata.capacity == 100 + - strings_group.rule_group.rule_group_metadata.rule_group_name == strings_group_name + - strings_group.rule_group.rule_group_metadata.rule_group_arn == 
minimal_rule_group_arn + - strings_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in strings_group.rule_group.rule_group' + - '"rules_string" in strings_group.rule_group.rule_group.rules_source' + - strings_group.rule_group.rule_group.rules_source.rules_string == all_rules + + - name: 'Update a rule_strings Rule Group (idempotency)' + networkfirewall_rule_group: + name: '{{ strings_group_name }}' + type: 'stateful' + rule_strings: + - '{{ rule_one }}' + - '{{ rule_two }}' + - '{{ rule_three }}' + register: strings_group + + - assert: + that: + - strings_group is not changed + - '"rule_group" in strings_group' + - '"rule_group" in strings_group.rule_group' + - '"rule_group_metadata" in strings_group.rule_group' + - '"capacity" in strings_group.rule_group.rule_group_metadata' + - '"rule_group_name" in strings_group.rule_group.rule_group_metadata' + - '"type" in strings_group.rule_group.rule_group_metadata' + - strings_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - strings_group.rule_group.rule_group_metadata.capacity == 100 + - strings_group.rule_group.rule_group_metadata.rule_group_name == strings_group_name + - strings_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - strings_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in strings_group.rule_group.rule_group' + - '"rules_string" in strings_group.rule_group.rule_group.rules_source' + - strings_group.rule_group.rule_group.rules_source.rules_string == all_rules + + ##### + + - name: '(CHECK) Update(2) a rule_strings Rule Group' + networkfirewall_rule_group: + name: '{{ strings_group_name }}' + type: 'stateful' + rule_strings: + - '{{ rule_two }}' + - '{{ rule_three }}' + register: strings_group + check_mode: true + + - assert: + that: + - strings_group is changed + - '"rule_group" in strings_group' + - '"rule_group" in strings_group.rule_group' + - '"rule_group_metadata" in 
strings_group.rule_group' + - '"capacity" in strings_group.rule_group.rule_group_metadata' + - '"rule_group_name" in strings_group.rule_group.rule_group_metadata' + - '"type" in strings_group.rule_group.rule_group_metadata' + - strings_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - strings_group.rule_group.rule_group_metadata.capacity == 100 + - strings_group.rule_group.rule_group_metadata.rule_group_name == strings_group_name + - strings_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - strings_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in strings_group.rule_group.rule_group' + - '"rules_string" in strings_group.rule_group.rule_group.rules_source' + - strings_group.rule_group.rule_group.rules_source.rules_string == last_rules + + - name: 'Update(2) a rule_strings Rule Group' + networkfirewall_rule_group: + name: '{{ strings_group_name }}' + type: 'stateful' + rule_strings: + - '{{ rule_two }}' + - '{{ rule_three }}' + register: strings_group + + - assert: + that: + - strings_group is changed + - '"rule_group" in strings_group' + - '"rule_group" in strings_group.rule_group' + - '"rule_group_metadata" in strings_group.rule_group' + - '"capacity" in strings_group.rule_group.rule_group_metadata' + - '"rule_group_arn" in strings_group.rule_group.rule_group_metadata' + - '"rule_group_id" in strings_group.rule_group.rule_group_metadata' + - '"rule_group_name" in strings_group.rule_group.rule_group_metadata' + - '"type" in strings_group.rule_group.rule_group_metadata' + - strings_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - strings_group.rule_group.rule_group_metadata.capacity == 100 + - strings_group.rule_group.rule_group_metadata.rule_group_name == strings_group_name + - strings_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - strings_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - 
'"rules_source" in strings_group.rule_group.rule_group' + - '"rules_string" in strings_group.rule_group.rule_group.rules_source' + - strings_group.rule_group.rule_group.rules_source.rules_string == last_rules + + - name: '(CHECK) Update(2) a rule_strings Rule Group (idempotency)' + networkfirewall_rule_group: + name: '{{ strings_group_name }}' + type: 'stateful' + rule_strings: + - '{{ rule_two }}' + - '{{ rule_three }}' + register: strings_group + check_mode: true + + - assert: + that: + - strings_group is not changed + - '"rule_group" in strings_group' + - '"rule_group" in strings_group.rule_group' + - '"rule_group_metadata" in strings_group.rule_group' + - '"capacity" in strings_group.rule_group.rule_group_metadata' + - '"rule_group_name" in strings_group.rule_group.rule_group_metadata' + - '"type" in strings_group.rule_group.rule_group_metadata' + - strings_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - strings_group.rule_group.rule_group_metadata.capacity == 100 + - strings_group.rule_group.rule_group_metadata.rule_group_name == strings_group_name + - strings_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - strings_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in strings_group.rule_group.rule_group' + - '"rules_string" in strings_group.rule_group.rule_group.rules_source' + - strings_group.rule_group.rule_group.rules_source.rules_string == last_rules + + - name: 'Update(2) a rule_strings Rule Group (idempotency)' + networkfirewall_rule_group: + name: '{{ strings_group_name }}' + type: 'stateful' + rule_strings: + - '{{ rule_two }}' + - '{{ rule_three }}' + register: strings_group + + - assert: + that: + - strings_group is not changed + - '"rule_group" in strings_group' + - '"rule_group" in strings_group.rule_group' + - '"rule_group_metadata" in strings_group.rule_group' + - '"capacity" in strings_group.rule_group.rule_group_metadata' + - '"rule_group_name" in 
strings_group.rule_group.rule_group_metadata' + - '"type" in strings_group.rule_group.rule_group_metadata' + - strings_group.rule_group.rule_group_metadata.type == 'STATEFUL' + - strings_group.rule_group.rule_group_metadata.capacity == 100 + - strings_group.rule_group.rule_group_metadata.rule_group_name == strings_group_name + - strings_group.rule_group.rule_group_metadata.rule_group_arn == minimal_rule_group_arn + - strings_group.rule_group.rule_group_metadata.rule_group_id == minimal_rule_group_id + - '"rules_source" in strings_group.rule_group.rule_group' + - '"rules_string" in strings_group.rule_group.rule_group.rules_source' + - strings_group.rule_group.rule_group.rules_source.rules_string == last_rules + + ################################################################### + # Deletion + + - name: '(CHECK) Delete rule_strings rule group' + networkfirewall_rule_group: + name: '{{ strings_group_name }}' + type: 'stateful' + state: absent + register: strings_group + check_mode: true + + - assert: + that: + - strings_group is changed + + - name: 'Delete rule_strings rule group' + networkfirewall_rule_group: + name: '{{ strings_group_name }}' + type: 'stateful' + state: absent + register: strings_group + + - assert: + that: + - strings_group is changed + + # The Rule Group may still exist in a "DELETING" state, we should still + # return not changed + - name: 'Delete rule_strings rule group (idempotency)' + networkfirewall_rule_group: + name: '{{ strings_group_name }}' + type: 'stateful' + state: absent + register: strings_group + check_mode: true + + - assert: + that: + - strings_group is not changed + + - name: '(CHECK) Delete rule_strings rule group (idempotency)' + networkfirewall_rule_group: + name: '{{ strings_group_name }}' + type: 'stateful' + state: absent + register: strings_group + + - assert: + that: + - strings_group is not changed + + always: + - name: '(always) Delete rule_strings rule group' + networkfirewall_rule_group: + name: '{{ 
strings_group_name }}'
+ type: 'stateful'
+ state: absent
+ ignore_errors: true
diff --git a/tests/integration/targets/networkfirewall_rule_group/tasks/stateful.yml b/tests/integration/targets/networkfirewall_rule_group/tasks/stateful.yml
new file mode 100644
index 00000000000..cd2ea4a3081
--- /dev/null
+++ b/tests/integration/targets/networkfirewall_rule_group/tasks/stateful.yml
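Review bot: The two deletion idempotency tasks at the end of the rule_strings.yml hunk have their labels swapped: the task named `Delete rule_strings rule group (idempotency)` carries `check_mode: true`, while the one named `(CHECK) Delete rule_strings rule group (idempotency)` performs the real API call, so a failure on the live re-run against a group still in the DELETING state would be reported under the check-mode name; swapping the two `name:` values fixes it (the same inversion is visible in the minimal.yml deletion block above). The `set_fact` after creation stores the ARN/ID into `minimal_rule_group_id` / `minimal_rule_group_arn`, names evidently carried over from the minimal tests; if main.yml includes both task files in one play these facts overwrite each other, so `strings_rule_group_id` / `strings_rule_group_arn` would be both safer and clearer. `account_arn` is asserted against with `startswith(account_arn)` but is not defined anywhere in this file, presumably set by main.yml or a setup role; a short comment in the `vars:` block naming that dependency would save the next reader a search. The fixture rules `pass tcp any any -> any any` and `drop tcp any any -> any any` are deliberately permissive catch-alls that only ever live in a standalone rule group this test never attaches to a firewall policy, which is fine here, but a one-line comment such as `# test-only catch-all rules, never attach this group to a policy` would keep them from being copied into real fixtures.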
@@ -0,0 +1,1362 @@
+---
+#
+# Manipulation of options common to stateful rules
+# - Minimal Creation
+# - Updating IP Variables
+# - Updating Port Variables
+# - Setting RuleOrder
+#
+- vars:
+ strict_ro_group_name: '{{ group_name_prefix }}-StrictROGroup'
+ default_ro_group_name: '{{ group_name_prefix }}-DefaultROGroup'
+ stateful_group_name: '{{ group_name_prefix }}-StatefulGroup'
+ rule_one: 'pass tcp any any -> any any (sid:1000001;)'
+ ip_variable_one:
+ EXAMPLE_IP: '192.0.2.5'
+ ip_variable_one_list:
+ EXAMPLE_IP: ['192.0.2.5']
+ ip_variable_two:
+ ANOTHER_EXAMPLE: ['198.51.100.13', '198.51.100.235', '203.0.113.0/24']
+ ip_variable_both:
+ EXAMPLE_IP: ['192.0.2.5']
+ ANOTHER_EXAMPLE: ['198.51.100.13', '198.51.100.235', '203.0.113.0/24']
+ port_variable_one:
+ EXAMPLE_PORT: '22'
+ port_variable_one_list:
+ EXAMPLE_PORT: ['22']
+ port_variable_two:
+ ANOTHER_PORT: ['443', '8443']
+ port_variable_both:
+ EXAMPLE_PORT: ['22']
+ ANOTHER_PORT: ['443', '8443']
+ block:
+ ###################################################################
+ # Creation
+
+ - name: 'Create a Stateful Rule Group'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ capacity: 100
+ rule_strings: '{{ rule_one }}'
+ register: stateful_group
+
+ - assert:
+ that:
+ - stateful_group is changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_arn" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_id" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ -
stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn.startswith(account_arn)
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn.endswith(stateful_group_name)
+ # Check that we've defaulted to the DEFAULT rule order
+
+ - name: Save RuleGroup ID/ARN for later
+ set_fact:
+ stateful_rule_group_id: '{{ stateful_group.rule_group.rule_group_metadata.rule_group_id }}'
+ stateful_rule_group_arn: '{{ stateful_group.rule_group.rule_group_metadata.rule_group_arn }}'
+
+ ###################################################################
+ # Update IP Variables
+
+ - name: '(CHECK) Add IP Variable'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ ip_variables: '{{ ip_variable_one }}'
+ register: stateful_group
+ check_mode: true
+
+ - assert:
+ that:
+ - stateful_group is changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_one_list
+
+ - name: 'Add IP Variable'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+
type: 'stateful'
+ ip_variables: '{{ ip_variable_one }}'
+ register: stateful_group
+
+ - assert:
+ that:
+ - stateful_group is changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_arn" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_id" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_one_list
+
+ - name: '(CHECK) Add IP Variable (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ ip_variables: '{{ ip_variable_one }}'
+ register: stateful_group
+ check_mode: true
+
+ - assert:
+ that:
+ - stateful_group is not changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity
== 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_one_list
+
+ - name: 'Add IP Variable (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ ip_variables: '{{ ip_variable_one }}'
+ register: stateful_group
+
+ - assert:
+ that:
+ - stateful_group is not changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_one_list
+
+ #####
+
+ - name: '(CHECK) Ensure IP Variable string/list equivalence (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ ip_variables: '{{ ip_variable_one_list }}'
+ register: stateful_group
+ check_mode: true
+
+ -
assert:
+ that:
+ - stateful_group is not changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_one_list
+
+ - name: 'Ensure IP Variable string/list equivalence (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ ip_variables: '{{ ip_variable_one_list }}'
+ register: stateful_group
+
+ - assert:
+ that:
+ - stateful_group is not changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ -
stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_one_list
+
+ #####
+
+ - name: '(CHECK) Replace IP Variable'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ ip_variables: '{{ ip_variable_two }}'
+ purge_ip_variables: true
+ register: stateful_group
+ check_mode: true
+
+ - assert:
+ that:
+ - stateful_group is changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_two
+
+ - name: 'Replace IP Variable'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ ip_variables: '{{ ip_variable_two }}'
+ purge_ip_variables: true
+ register: stateful_group
+
+ - assert:
+ that:
+ - stateful_group is changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity"
in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_arn" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_id" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_two
+
+ - name: '(CHECK) Replace IP Variable (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ ip_variables: '{{ ip_variable_two }}'
+ purge_ip_variables: true
+ register: stateful_group
+ check_mode: true
+
+ - assert:
+ that:
+ - stateful_group is not changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id ==
stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_two
+
+ - name: 'Replace IP Variable (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ ip_variables: '{{ ip_variable_two }}'
+ purge_ip_variables: true
+ register: stateful_group
+
+ - assert:
+ that:
+ - stateful_group is not changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_two
+
+ #####
+
+ - name: '(CHECK) Add extra IP Variable'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ ip_variables: '{{ ip_variable_one_list }}'
+ purge_ip_variables: false
+ register: stateful_group
+ check_mode: true
+
+ - assert:
+ that:
+ - stateful_group is changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in
stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_both
+
+ - name: 'Add extra IP Variable'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ ip_variables: '{{ ip_variable_one_list }}'
+ purge_ip_variables: false
+ register: stateful_group
+
+ - assert:
+ that:
+ - stateful_group is changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_arn" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_id" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in
stateful_group.rule_group.rule_group'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_both
+
+ - name: '(CHECK) Add extra IP Variable (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ ip_variables: '{{ ip_variable_one_list }}'
+ purge_ip_variables: false
+ register: stateful_group
+ check_mode: true
+
+ - assert:
+ that:
+ - stateful_group is not changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_both
+
+ - name: 'Add extra IP Variable (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ ip_variables: '{{ ip_variable_one_list }}'
+ purge_ip_variables: false
+ register: stateful_group
+
+ - assert:
+ that:
+ - stateful_group is not changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name"
in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_both
+
+ ###################################################################
+ # Update Port Variables
+
+ - name: '(CHECK) Add IP Variable'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ port_variables: '{{ port_variable_one }}'
+ register: stateful_group
+ check_mode: true
+
+ - assert:
+ that:
+ - stateful_group is changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"port_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - '"ip_sets"
in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_both
+ - stateful_group.rule_group.rule_group.rule_variables.port_sets == port_variable_one_list
+
+ - name: 'Add IP Variable'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ port_variables: '{{ port_variable_one }}'
+ register: stateful_group
+
+ - assert:
+ that:
+ - stateful_group is changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_arn" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_id" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"port_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_both
+ - stateful_group.rule_group.rule_group.rule_variables.port_sets == port_variable_one_list
+
+ - name: '(CHECK) Add IP Variable (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ port_variables: '{{ port_variable_one }}'
+ register: stateful_group
+ check_mode: true
+
+ - assert:
+ that:
+ -
stateful_group is not changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"port_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_both
+ - stateful_group.rule_group.rule_group.rule_variables.port_sets == port_variable_one_list
+
+ - name: 'Add IP Variable (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ port_variables: '{{ port_variable_one }}'
+ register: stateful_group
+
+ - assert:
+ that:
+ - stateful_group is not changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ -
stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"port_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_both
+ - stateful_group.rule_group.rule_group.rule_variables.port_sets == port_variable_one_list
+
+ #####
+
+ - name: '(CHECK) Ensure IP Variable string/list equivalence (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ port_variables: '{{ port_variable_one_list }}'
+ register: stateful_group
+ check_mode: true
+
+ - assert:
+ that:
+ - stateful_group is not changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"port_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_both
+ - stateful_group.rule_group.rule_group.rule_variables.port_sets ==
port_variable_one_list
+
+ - name: 'Ensure IP Variable string/list equivalence (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ port_variables: '{{ port_variable_one_list }}'
+ register: stateful_group
+
+ - assert:
+ that:
+ - stateful_group is not changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"port_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_both
+ - stateful_group.rule_group.rule_group.rule_variables.port_sets == port_variable_one_list
+
+ #####
+
+ - name: '(CHECK) Replace IP Variable'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ port_variables: '{{ port_variable_two }}'
+ purge_port_variables: true
+ register: stateful_group
+ check_mode: true
+
+ - assert:
+ that:
+ - stateful_group is changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in
stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"port_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_both
+ - stateful_group.rule_group.rule_group.rule_variables.port_sets == port_variable_two
+
+ - name: 'Replace IP Variable'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ port_variables: '{{ port_variable_two }}'
+ purge_port_variables: true
+ register: stateful_group
+
+ - assert:
+ that:
+ - stateful_group is changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_arn" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_id" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ -
stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"port_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_both
+ - stateful_group.rule_group.rule_group.rule_variables.port_sets == port_variable_two
+
+ - name: '(CHECK) Replace IP Variable (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ port_variables: '{{ port_variable_two }}'
+ purge_port_variables: true
+ register: stateful_group
+ check_mode: true
+
+ - assert:
+ that:
+ - stateful_group is not changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"port_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_both
+ - stateful_group.rule_group.rule_group.rule_variables.port_sets == port_variable_two
+
+ - name: 'Replace IP Variable (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{
stateful_group_name }}'
+ type: 'stateful'
+ port_variables: '{{ port_variable_two }}'
+ purge_port_variables: true
+ register: stateful_group
+
+ - assert:
+ that:
+ - stateful_group is not changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"port_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_both
+ - stateful_group.rule_group.rule_group.rule_variables.port_sets == port_variable_two
+
+ #####
+
+ - name: '(CHECK) Add extra IP Variable'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ port_variables: '{{ port_variable_one_list }}'
+ purge_port_variables: false
+ register: stateful_group
+ check_mode: true
+
+ - assert:
+ that:
+ - stateful_group is changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ -
stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"port_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_both
+ - stateful_group.rule_group.rule_group.rule_variables.port_sets == port_variable_both
+
+ - name: 'Add extra IP Variable'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ port_variables: '{{ port_variable_one_list }}'
+ purge_port_variables: false
+ register: stateful_group
+
+ - assert:
+ that:
+ - stateful_group is changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_arn" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_id" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in
stateful_group.rule_group.rule_group'
+ - '"port_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_both
+ - stateful_group.rule_group.rule_group.rule_variables.port_sets == port_variable_both
+
+ - name: '(CHECK) Add extra IP Variable (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ port_variables: '{{ port_variable_one_list }}'
+ purge_port_variables: false
+ register: stateful_group
+ check_mode: true
+
+ - assert:
+ that:
+ - stateful_group is not changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"port_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_both
+ - stateful_group.rule_group.rule_group.rule_variables.port_sets == port_variable_both
+
+ - name: 'Add extra IP Variable (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ port_variables: '{{ port_variable_one_list }}'
+
purge_port_variables: false
+ register: stateful_group
+
+ - assert:
+ that:
+ - stateful_group is not changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"port_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_both
+ - stateful_group.rule_group.rule_group.rule_variables.port_sets == port_variable_both
+
+ #####
+
+ - name: '(CHECK) Remove Port Variable'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ port_variables: {}
+ register: stateful_group
+ check_mode: true
+
+ - assert:
+ that:
+ - stateful_group is changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ -
stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"port_sets" not in stateful_group.rule_group.rule_group.rule_variables'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_both
+
+ - name: 'Remove Port Variable'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ port_variables: {}
+ register: stateful_group
+
+ - assert:
+ that:
+ - stateful_group is changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_arn" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_id" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"port_sets" not in stateful_group.rule_group.rule_group.rule_variables'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_both
+
+ - name: '(CHECK) Remove
Port Variable (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ port_variables: {}
+ register: stateful_group
+ check_mode: true
+
+ - assert:
+ that:
+ - stateful_group is not changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"port_sets" not in stateful_group.rule_group.rule_group.rule_variables'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_both
+
+ - name: 'Remove Port Variable (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ port_variables: {}
+ register: stateful_group
+
+ - assert:
+ that:
+ - stateful_group is not changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+
- stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"port_sets" not in stateful_group.rule_group.rule_group.rule_variables'
+ - '"ip_sets" in stateful_group.rule_group.rule_group.rule_variables'
+ - stateful_group.rule_group.rule_group.rule_variables.ip_sets == ip_variable_both
+
+ #####
+
+ - name: '(CHECK) Remove IP Variable'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ ip_variables: {}
+ register: stateful_group
+ check_mode: true
+
+ - assert:
+ that:
+ - stateful_group is changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"port_sets" not in stateful_group.rule_group.rule_group.rule_variables'
+ - '"ip_sets" not in stateful_group.rule_group.rule_group.rule_variables'
+
+ - name: 'Remove IP Variable'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ ip_variables: {}
+ register: stateful_group
+
+ - assert:
+ that:
+ - stateful_group is changed
+
- '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_arn" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_id" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"port_sets" not in stateful_group.rule_group.rule_group.rule_variables'
+ - '"ip_sets" not in stateful_group.rule_group.rule_group.rule_variables'
+
+ - name: '(CHECK) Remove IP Variable (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ ip_variables: {}
+ register: stateful_group
+ check_mode: true
+
+ - assert:
+ that:
+ - stateful_group is not changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn
== stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"port_sets" not in stateful_group.rule_group.rule_group.rule_variables'
+ - '"ip_sets" not in stateful_group.rule_group.rule_group.rule_variables'
+
+ - name: 'Remove IP Variable (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ ip_variables: {}
+ register: stateful_group
+
+ - assert:
+ that:
+ - stateful_group is not changed
+ - '"rule_group" in stateful_group'
+ - '"rule_group" in stateful_group.rule_group'
+ - '"rule_group_metadata" in stateful_group.rule_group'
+ - '"capacity" in stateful_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in stateful_group.rule_group.rule_group_metadata'
+ - '"type" in stateful_group.rule_group.rule_group_metadata'
+ - stateful_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - stateful_group.rule_group.rule_group_metadata.capacity == 100
+ - stateful_group.rule_group.rule_group_metadata.rule_group_name == stateful_group_name
+ - stateful_group.rule_group.rule_group_metadata.rule_group_arn == stateful_rule_group_arn
+ - stateful_group.rule_group.rule_group_metadata.rule_group_id == stateful_rule_group_id
+ - '"rule_variables" in stateful_group.rule_group.rule_group'
+ - '"port_sets" not in stateful_group.rule_group.rule_group.rule_variables'
+ - '"ip_sets" not in stateful_group.rule_group.rule_group.rule_variables'
+
+ ###################################################################
+ # Rule Order
+
+ - name: '(CHECK) Attempt to update the Default Rule Order'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ rule_order: 'strict'
+ register: stateful_group
+ ignore_errors: True
+ vars:
+ ansible_python_interpreter: "{{ botocore_virtualenv_interpreter }}"
+
+ - assert:
+ that:
+ - stateful_group is failed
+
+ - name: 'Attempt to update
the Default Rule Order'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ rule_order: 'strict'
+ register: stateful_group
+ ignore_errors: True
+ vars:
+ ansible_python_interpreter: "{{ botocore_virtualenv_interpreter }}"
+
+ - assert:
+ that:
+ - stateful_group is failed
+
+ #####
+
+ - name: '(CHECK) Attempt to update the Default Rule Order (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ rule_order: 'default'
+ register: stateful_group
+ ignore_errors: True
+
+ # Because the default rule order doesn't necessitate the setting of
+ # RuleOptions, for 'default' the existence of statefule_rule_options (and specifically rule_order)
+ # isn't guaranteed, so we don't explicitly test for it here, instead we rely
+ # on 'changed' doing the right thing.
+ - assert:
+ that:
+ - stateful_group is not changed
+
+ - name: 'Attempt to update the Default Rule Order (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ rule_order: 'default'
+ register: stateful_group
+ ignore_errors: True
+
+ - assert:
+ that:
+ - stateful_group is not changed
+
+ ###################################################################
+ # Creation with 'strict' rule ordering
+
+ - name: '(CHECK) Create a Rule Group with strict order'
+ networkfirewall_rule_group:
+ name: '{{ strict_ro_group_name }}'
+ type: 'stateful'
+ capacity: 100
+ rule_strings:
+ - 'pass tcp any any -> any any (sid:1000001;)'
+ rule_order: strict
+ register: strict_group
+ check_mode: true
+ vars:
+ ansible_python_interpreter: "{{ botocore_virtualenv_interpreter }}"
+
+ - assert:
+ that:
+ - strict_group is changed
+ - '"rule_group" in strict_group'
+ - '"rule_group" in strict_group.rule_group'
+ - '"rule_group_metadata" in strict_group.rule_group'
+ - '"capacity" in strict_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in strict_group.rule_group.rule_group_metadata'
+ - '"type"
in strict_group.rule_group.rule_group_metadata'
+ - strict_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - strict_group.rule_group.rule_group_metadata.capacity == 100
+ - strict_group.rule_group.rule_group_metadata.rule_group_name == strict_ro_group_name
+ - '"stateful_rule_options" in strict_group.rule_group.rule_group'
+ - '"rule_order" in strict_group.rule_group.rule_group.stateful_rule_options'
+ - strict_group.rule_group.rule_group.stateful_rule_options.rule_order == 'STRICT_ORDER'
+
+ - name: 'Create a Rule Group with strict order'
+ networkfirewall_rule_group:
+ name: '{{ strict_ro_group_name }}'
+ type: 'stateful'
+ capacity: 100
+ rule_strings:
+ - 'pass tcp any any -> any any (sid:1000001;)'
+ rule_order: strict
+ register: strict_group
+ vars:
+ ansible_python_interpreter: "{{ botocore_virtualenv_interpreter }}"
+
+ - assert:
+ that:
+ - strict_group is changed
+ - '"rule_group" in strict_group'
+ - '"rule_group" in strict_group.rule_group'
+ - '"rule_group_metadata" in strict_group.rule_group'
+ - '"capacity" in strict_group.rule_group.rule_group_metadata'
+ - '"rule_group_arn" in strict_group.rule_group.rule_group_metadata'
+ - '"rule_group_id" in strict_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in strict_group.rule_group.rule_group_metadata'
+ - '"type" in strict_group.rule_group.rule_group_metadata'
+ - strict_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - strict_group.rule_group.rule_group_metadata.capacity == 100
+ - strict_group.rule_group.rule_group_metadata.rule_group_name == strict_ro_group_name
+ - strict_group.rule_group.rule_group_metadata.rule_group_arn.startswith(account_arn)
+ - strict_group.rule_group.rule_group_metadata.rule_group_arn.endswith(strict_ro_group_name)
+ - '"stateful_rule_options" in strict_group.rule_group.rule_group'
+ - '"rule_order" in strict_group.rule_group.rule_group.stateful_rule_options'
+ - strict_group.rule_group.rule_group.stateful_rule_options.rule_order ==
'STRICT_ORDER'
+
+ - name: Save RuleGroup ID/ARN for later
+ set_fact:
+ strict_rule_group_id: '{{ strict_group.rule_group.rule_group_metadata.rule_group_id }}'
+ strict_rule_group_arn: '{{ strict_group.rule_group.rule_group_metadata.rule_group_arn }}'
+
+ - name: '(CHECK) Create a Rule Group with strict order (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ strict_ro_group_name }}'
+ type: 'stateful'
+ capacity: 100
+ rule_strings:
+ - 'pass tcp any any -> any any (sid:1000001;)'
+ rule_order: strict
+ register: strict_group
+ check_mode: true
+ vars:
+ ansible_python_interpreter: "{{ botocore_virtualenv_interpreter }}"
+
+ - assert:
+ that:
+ - strict_group is not changed
+ - '"rule_group" in strict_group'
+ - '"rule_group" in strict_group.rule_group'
+ - '"rule_group_metadata" in strict_group.rule_group'
+ - '"capacity" in strict_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in strict_group.rule_group.rule_group_metadata'
+ - '"type" in strict_group.rule_group.rule_group_metadata'
+ - strict_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - strict_group.rule_group.rule_group_metadata.capacity == 100
+ - strict_group.rule_group.rule_group_metadata.rule_group_name == strict_ro_group_name
+ - strict_group.rule_group.rule_group_metadata.rule_group_arn == strict_rule_group_arn
+ - strict_group.rule_group.rule_group_metadata.rule_group_id == strict_rule_group_id
+ - '"stateful_rule_options" in strict_group.rule_group.rule_group'
+ - '"rule_order" in strict_group.rule_group.rule_group.stateful_rule_options'
+ - strict_group.rule_group.rule_group.stateful_rule_options.rule_order == 'STRICT_ORDER'
+
+ - name: 'Create a Rule Group with strict order (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ strict_ro_group_name }}'
+ type: 'stateful'
+ capacity: 100
+ rule_strings:
+ - 'pass tcp any any -> any any (sid:1000001;)'
+ rule_order: strict
+ register: strict_group
+ vars:
+ ansible_python_interpreter: "{{
botocore_virtualenv_interpreter }}"
+
+ - assert:
+ that:
+ - strict_group is not changed
+ - '"rule_group" in strict_group'
+ - '"rule_group" in strict_group.rule_group'
+ - '"rule_group_metadata" in strict_group.rule_group'
+ - '"capacity" in strict_group.rule_group.rule_group_metadata'
+ - '"rule_group_name" in strict_group.rule_group.rule_group_metadata'
+ - '"type" in strict_group.rule_group.rule_group_metadata'
+ - strict_group.rule_group.rule_group_metadata.type == 'STATEFUL'
+ - strict_group.rule_group.rule_group_metadata.capacity == 100
+ - strict_group.rule_group.rule_group_metadata.rule_group_name == strict_ro_group_name
+ - strict_group.rule_group.rule_group_metadata.rule_group_arn == strict_rule_group_arn
+ - strict_group.rule_group.rule_group_metadata.rule_group_id == strict_rule_group_id
+ - '"stateful_rule_options" in strict_group.rule_group.rule_group'
+ - '"rule_order" in strict_group.rule_group.rule_group.stateful_rule_options'
+ - strict_group.rule_group.rule_group.stateful_rule_options.rule_order == 'STRICT_ORDER'
+
+ ###################################################################
+ # Rule Order
+
+ - name: '(CHECK) Attempt to update the Default Rule Order from strict'
+ networkfirewall_rule_group:
+ name: '{{ strict_ro_group_name }}'
+ type: 'stateful'
+ rule_order: 'default'
+ register: strict_group
+ ignore_errors: True
+ vars:
+ ansible_python_interpreter: "{{ botocore_virtualenv_interpreter }}"
+
+ - assert:
+ that:
+ - strict_group is failed
+
+ - name: 'Attempt to update the Default Rule Order from strict'
+ networkfirewall_rule_group:
+ name: '{{ strict_ro_group_name }}'
+ type: 'stateful'
+ rule_order: 'default'
+ register: strict_group
+ ignore_errors: True
+ vars:
+ ansible_python_interpreter: "{{ botocore_virtualenv_interpreter }}"
+
+ - assert:
+ that:
+ - strict_group is failed
+
+ #####
+
+ - name: '(CHECK) Attempt to update the Default Rule Order from strict (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{
strict_ro_group_name }}'
+ type: 'stateful'
+ rule_order: 'strict'
+ register: strict_group
+ ignore_errors: True
+ vars:
+ ansible_python_interpreter: "{{ botocore_virtualenv_interpreter }}"
+
+ - assert:
+ that:
+ - strict_group is not changed
+
+ - name: 'Attempt to update the Default Rule Order from strict (idempotency)'
+ networkfirewall_rule_group:
+ name: '{{ strict_ro_group_name }}'
+ type: 'stateful'
+ rule_order: 'strict'
+ register: strict_group
+ ignore_errors: True
+ vars:
+ ansible_python_interpreter: "{{ botocore_virtualenv_interpreter }}"
+
+ - assert:
+ that:
+ - strict_group is not changed
+
+
+ ###################################################################
+ # Deletion
+
+ - name: 'Delete Stateful rule group'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ state: absent
+ register: stateful_group
+
+ - assert:
+ that:
+ - stateful_group is changed
+
+ - name: 'Delete Strict rule group'
+ networkfirewall_rule_group:
+ name: '{{ strict_ro_group_name }}'
+ type: 'stateful'
+ state: absent
+ register: strict_group
+
+ - assert:
+ that:
+ - strict_group is changed
+
+ always:
+ - name: '(always) Delete Stateful rule group'
+ networkfirewall_rule_group:
+ name: '{{ stateful_group_name }}'
+ type: 'stateful'
+ state: absent
+ ignore_errors: true
+
+ - name: '(always) Delete Strict rule group'
+ networkfirewall_rule_group:
+ name: '{{ strict_ro_group_name }}'
+ type: 'stateful'
+ state: absent
+ ignore_errors: true