From 5c2d330eb478272506a9612c4de1ab412a18d7cd Mon Sep 17 00:00:00 2001 From: Helen Bailey Date: Wed, 4 Dec 2024 14:40:39 -0500 Subject: [PATCH 1/4] Updates to networking role --- roles/ec2_networking_resources/README.md | 47 ++++- .../defaults/main.yml | 12 ++ .../meta/argument_specs.yml | 66 ++++++- .../ec2_networking_resources/tasks/create.yml | 80 ++++++++ .../ec2_networking_resources/tasks/delete.yml | 61 +++++++ roles/ec2_networking_resources/tasks/main.yml | 29 +-- .../defaults/main.yml | 3 +- .../tasks/main.yml | 100 +--------- .../tasks/teardown.yml | 57 ++++++ .../tasks/test_all_options.yml | 172 ++++++++++++++++++ .../tasks/test_required_options.yml | 94 ++++++++++ 11 files changed, 586 insertions(+), 135 deletions(-) create mode 100644 roles/ec2_networking_resources/tasks/create.yml create mode 100644 roles/ec2_networking_resources/tasks/delete.yml create mode 100644 tests/integration/targets/test_ec2_networking_resources/tasks/teardown.yml create mode 100644 tests/integration/targets/test_ec2_networking_resources/tasks/test_all_options.yml create mode 100644 tests/integration/targets/test_ec2_networking_resources/tasks/test_required_options.yml diff --git a/roles/ec2_networking_resources/README.md b/roles/ec2_networking_resources/README.md index ff3754b9..56d91c97 100644 --- a/roles/ec2_networking_resources/README.md +++ b/roles/ec2_networking_resources/README.md 
@@ -26,24 +26,34 @@ An AWS account with the following permissions: Role Variables -------------- -* **ec2_networking_resources_vpc_name**: (Required) The name of the VPC to create. -* **ec2_networking_resources_vpc_cidr_block**: (Required) The CIDR block to use for the VPC being created. -* **ec2_networking_resources_subnet_cidr_block**: (Required) The CIDR block to use for subnet being created. -* **ec2_networking_resources_sg_internal_name**: (Required) The name of the security group to create. -* **ec2_networking_resources_sg_internal_description**: (Required) The description of the security group being created. -* **ec2_networking_resources_sg_internal_rules**: (Optional) List of rules to apply to the security group being created. By default, a rule allowing SSH access from within the VPC will be added. A rule should contain the following keys: +* **ec2_networking_resources_operation**: (Optional) Target operation for the networking resources role. Choices are ["create", "delete"]. Defaults to "create". +* **ec2_networking_resources_vpc_name**: (Required) The name of the VPC to create or delete. +* **ec2_networking_resources_vpc_cidr_block**: (Optional) The CIDR block to use for the VPC being created. Required if `ec2_networking_resources_operation` is "create". +* **ec2_networking_resources_subnet_cidr_block**: (Optional) The CIDR block to use for subnet being created. Required if `ec2_networking_resources_operation` is "create". +* **ec2_networking_resources_sg_internal_name**: (Optional) The name of the internal security group to create. Required if `ec2_networking_resources_operation` is "create". +* **ec2_networking_resources_sg_internal_description**: (Optional) The description of the internal security group being created. Defaults to "Security group for internal access". +* **ec2_networking_resources_sg_internal_rules**: (Optional) List of rules to apply to the internal security group being created. 
By default, a rule allowing SSH access from within the VPC will be added. A rule should contain the following keys: * **proto** (str): The IP protocol name. * **ports** (str): A list of ports traffic is going to. Can be a single port, or a range of ports, for example, 8000-8010. * **cidr_ip** (str): The CIDR block traffic is coming from. +* **ec2_networking_resources_sg_external_name**: (Optional) The name of the external security group to create. +* **ec2_networking_resources_sg_external_description**: (Optional) The description of the external security group being created. Defaults to "Security group for external access". Ignored if ec2_networking_resources_sg_external_name is not provided. +* **ec2_networking_resources_sg_external_rules**: (Optional) List of rules to apply to the external security group being created. By default, allows all inbound http and https traffic. Ignored if ec2_networking_resources_sg_external_name is not provided. A rule should contain the following keys: + * **proto** (str): The IP protocol name. + * **ports** (str): A list of ports traffic is going to. Can be a single port, or a range of ports, for example, 8000-8010. + * **cidr_ip** (str): The CIDR block traffic is coming from. +* **ec2_networking_resources_create_igw**: (Optional) Whether to create an internet gateway and route traffic to it. Defaults to `false`. Dependencies ------------ - role: [aws_setup_credentials](../aws_setup_credentials/README.md) -Example Playbook +Examples ---------------- +Create networking resources: + ```yaml - hosts: localhost roles: 
@@ -52,7 +62,7 @@ Example Playbook ec2_networking_resources_vpc_name: my-vpn ec2_networking_resources_vpc_cidr_block: 10.0.1.0/16 ec2_networking_resources_subnet_cidr_block: 10.0.1.0/26 - ec2_networking_resources_sg_internal_name: my-sg + ec2_networking_resources_sg_internal_name: my-internal-sg ec2_networking_resources_sg_internal_description: My internal security group ec2_networking_resources_sg_internal_rules: - proto: tcp @@ -61,6 +71,27 @@ Example Playbook - ports: tcp ports: 8000-8010 cidr_ip: 10.0.1.0/16 + ec2_networking_resources_sg_external_name: my-external-sg + ec2_networking_resources_sg_external_description: My external security group + ec2_networking_resources_sg_external_rules: + - proto: tcp + ports: 80 + cidr_ip: 0.0.0.0/0 + - proto: tcp + ports: 443 + cidr_ip: 0.0.0.0/0 + ec2_networking_resources_create_igw: true +``` + +Delete networking resources: + +```yaml +- hosts: localhost + roles: + - role: cloud.aws_ops.ec2_networking_resources + vars: + ec2_networking_resources_operation: delete + ec2_networking_resources_vpc_name: my-vpn ``` License diff --git a/roles/ec2_networking_resources/defaults/main.yml b/roles/ec2_networking_resources/defaults/main.yml index 817e2c2d..faf8bfc4 100644 --- a/roles/ec2_networking_resources/defaults/main.yml +++ b/roles/ec2_networking_resources/defaults/main.yml @@ -1,5 +1,17 @@ --- +ec2_networking_resources_operation: create +ec2_networking_resources_vpc_cidr_block: "{{ ec2_networking_resources_operation == 'delete' | ternary('', omit) }}" +ec2_networking_resources_sg_internal_description: Security group for internal access ec2_networking_resources_sg_internal_rules: - proto: tcp ports: 22 cidr_ip: "{{ ec2_networking_resources_vpc_cidr_block }}" +ec2_networking_resources_sg_external_description: Security group for external access +ec2_networking_resources_sg_external_rules: + - proto: tcp + ports: 80 + cidr_ip: 0.0.0.0/0 + - proto: tcp + ports: 443 + cidr_ip: 0.0.0.0/0 +ec2_networking_resources_create_igw: false 
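Review bot: The new default `ec2_networking_resources_vpc_cidr_block: "{{ ec2_networking_resources_operation == 'delete' | ternary('', omit) }}"` does not evaluate as it reads, because Jinja binds the filter before the comparison: it becomes `ec2_networking_resources_operation == ('delete' | ternary('', omit))`, i.e. `operation == ''`, so the variable defaults to boolean `false` for both operations. The create path only survives this because the `| default("", true)` guard in create.yml treats `false` as empty; with the intended parenthesised form `(ec2_networking_resources_operation == 'delete') | ternary('', omit)` the create case would instead yield the `omit` placeholder string, which that guard does not see as empty and which then reaches `ec2_vpc_net` as a missing `cidr_block`. Since the same variable is dereferenced by the `ec2_networking_resources_sg_internal_rules` default, the cleanest fix is to declare no default for it at all and let the create.yml validation report the missing value. PATCH 4 in this series touches defaults/main.yml again, but that hunk is not visible here.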
diff --git a/roles/ec2_networking_resources/meta/argument_specs.yml b/roles/ec2_networking_resources/meta/argument_specs.yml index 66ff6f77..1347e866 100644 --- a/roles/ec2_networking_resources/meta/argument_specs.yml +++ b/roles/ec2_networking_resources/meta/argument_specs.yml 
@@ -4,28 +4,36 @@ argument_specs: short_description: A role to create a basic networking environment for an EC2 instance. description: - A role to create a basic networking environment for an EC2 instance. - - Creates a VPC, subnet, route table and security groups. + - Creates a VPC, subnet, route table, security groups. + - Can optionally create an external security group and/or internet gateway to allow external access. + - Can also delete networking resources created by this role using the "delete" operation. options: + ec2_networking_resources_operation: + description: + - Whether to create or delete the resources. + choices: [create, delete] + default: create ec2_networking_resources_vpc_name: description: - - The name of the VPC to create. + - The name of the VPC to create or delete. required: true ec2_networking_resources_vpc_cidr_block: description: - - The CIDR block for the VPC being created. - required: true + - The CIDR block for the VPC being created. Required when creating resources. + required: false ec2_networking_resources_subnet_cidr_block: description: - - The CIDR block for the subnet being created. - required: true + - The CIDR block for the subnet being created. Required when creating resources. + required: false ec2_networking_resources_sg_internal_name: description: - - The name of the security group to create for internal access to the EC2 instance. - required: true + - The name of the security group to create for internal access to the EC2 instance. Required when creating resources. + required: false ec2_networking_resources_sg_internal_description: description: - The description of the security group for internal access to the EC2 instance. - required: true + required: false + default: Security group for internal access ec2_networking_resources_sg_internal_rules: description: - A list of security group rules to apply to the security group for internal access. 
@@ -49,3 +57,43 @@ argument_specs: elements: str cidr_ip: description: The CIDR range traffic is coming from. + ec2_networking_resources_sg_external_name: + description: + - The name of the security group to create for external access to the EC2 instance. + required: false + ec2_networking_resources_sg_external_description: + description: + - The description of the security group for external access to the EC2 instance. + required: false + default: Security group for external access + ec2_networking_resources_sg_external_rules: + description: + - A list of security group rules to apply to the security group for external access. + - By default, will add rules to allow all HTTP and HTTPS traffic. + required: false + type: list + elements: dict + default: + - proto: tcp + ports: 80 + cidr_ip: 0.0.0.0/0 + - proto: tcp + ports: 443 + cidr_ip: 0.0.0.0/0 + options: + proto: + description: The IP protocol name. + ports: + description: + - A list of ports the traffic is going to. + - Elements can be a single port, or a range of ports (for example, 8000-8100). + type: list + elements: str + cidr_ip: + description: The CIDR range traffic is coming from. + ec2_networking_resources_create_igw: + description: + - Whether to create an internet gateway and route traffic to internet. + required: false + type: bool + default: false diff --git a/roles/ec2_networking_resources/tasks/create.yml b/roles/ec2_networking_resources/tasks/create.yml new file mode 100644 index 00000000..28ea0b84 --- /dev/null +++ b/roles/ec2_networking_resources/tasks/create.yml 
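Review bot: In the new `ec2_networking_resources_sg_external_rules` entry the `ports` sub-option is declared `type: list` / `elements: str`, yet the entry's own `default:` gives `ports: 80` and `ports: 443` as bare integers, and the README describes `ports` as `(str)`. The argument-spec validator will presumably coerce a scalar into a one-element string list, so this is a documentation/consistency issue rather than a runtime one; either write the defaults as `ports: ["80"]` or say in the description that a single scalar port is accepted. The `ec2_networking_resources_sg_internal_rules` entry whose trailing `elements: str` / `cidr_ip:` lines form this hunk's context appears to have the same mismatch, though its header is outside the hunk.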
@@ -0,0 +1,80 @@ +--- +- name: Validate options + ansible.builtin.fail: + msg: "When creating resources, all of the following options must be provided: ec2_networking_resources_vpc_cidr_block, ec2_networking_resources_subnet_cidr_block, ec2_networking_resources_sg_internal_name" + when: ec2_networking_resources_vpc_cidr_block | default("", true) == "" or + ec2_networking_resources_subnet_cidr_block | default("", true) == "" or + ec2_networking_resources_sg_internal_name | default("", true) == "" + +- name: Create VPC + amazon.aws.ec2_vpc_net: + name: "{{ ec2_networking_resources_vpc_name }}" + cidr_block: "{{ ec2_networking_resources_vpc_cidr_block }}" + register: ec2_networking_resources_vpc_result + +- name: Set VPC ID + ansible.builtin.set_fact: + vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}" + +- name: Create VPC subnet + amazon.aws.ec2_vpc_subnet: + vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}" + cidr: "{{ ec2_networking_resources_subnet_cidr_block }}" + register: ec2_networking_resources_subnet_result + +- name: Set subnet ID + ansible.builtin.set_fact: + subnet_id: "{{ ec2_networking_resources_subnet_result.subnet.id }}" + +- name: Create custom route table for subnet + amazon.aws.ec2_vpc_route_table: + vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}" + subnets: + - "{{ ec2_networking_resources_subnet_result.subnet.id }}" + register: ec2_networking_resources_route_table_result + +- name: Create security group for internal access + amazon.aws.ec2_security_group: + vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}" + name: "{{ ec2_networking_resources_sg_internal_name }}" + description: "{{ ec2_networking_resources_sg_internal_description }}" + rules: "{{ ec2_networking_resources_sg_internal_rules }}" + register: ec2_networking_resources_internal_sg_result + +- name: Set internal security group ID + ansible.builtin.set_fact: + internal_sg_id: "{{ ec2_networking_resources_internal_sg_result.group_id }}" + +- name: 
Create security group for external access if provided + when: ec2_networking_resources_sg_external_name | default("", true) != "" + block: + - name: Create security group for external access + amazon.aws.ec2_security_group: + vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}" + name: "{{ ec2_networking_resources_sg_external_name }}" + description: "{{ ec2_networking_resources_sg_external_description }}" + rules: "{{ ec2_networking_resources_sg_external_rules }}" + register: ec2_networking_resources_external_sg_result + + - name: Set external security group ID + ansible.builtin.set_fact: + external_sg_id: "{{ ec2_networking_resources_external_sg_result.group_id }}" + +- name: Create internet gateway and route traffic to it + when: ec2_networking_resources_create_igw is true + block: + - name: Create internet gateway + amazon.aws.ec2_vpc_igw: + state: present + vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}" + register: ec2_networking_resources_internet_gateway_result + + - name: Update route table + amazon.aws.ec2_vpc_route_table: + state: present + lookup: id + route_table_id: "{{ ec2_networking_resources_route_table_result.route_table.id }}" + vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}" + routes: + - dest: "0.0.0.0/0" + gateway_id: "{{ ec2_networking_resources_internet_gateway_result.gateway_id }}" diff --git a/roles/ec2_networking_resources/tasks/delete.yml b/roles/ec2_networking_resources/tasks/delete.yml new file mode 100644 index 00000000..d2a26704 --- /dev/null +++ b/roles/ec2_networking_resources/tasks/delete.yml 
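Review bot: The four `ansible.builtin.set_fact` tasks publish `vpc_id`, `subnet_id`, `internal_sg_id` and `external_sg_id` as unprefixed host facts, while every other name this role registers carries the `ec2_networking_resources_` prefix; unprefixed facts persist for the rest of the play and will silently overwrite (or be overwritten by) any other role or playbook using the same generic names, and delete.yml sets its own `vpc_id` too. Renaming them `ec2_networking_resources_vpc_id`, `ec2_networking_resources_subnet_id`, `ec2_networking_resources_internal_sg_id` and `ec2_networking_resources_external_sg_id`, and documenting them as the role's outputs in the README, would make the interface explicit. Separately, `when: ec2_networking_resources_create_igw is true` is a strict identity test that only works because the argument spec declares the option `type: bool`; `when: ec2_networking_resources_create_igw | bool` would hold up if that coercion is ever bypassed.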
@@ -0,0 +1,61 @@ +--- +- name: Get VPC info + amazon.aws.ec2_vpc_net_info: + filters: + "tag:Name": "{{ ec2_networking_resources_vpc_name }}" + register: vpc_info + +- name: Set VPC ID + ansible.builtin.set_fact: + vpc_id: "{{ vpc_info.vpcs[0].vpc_id }}" + +- name: Get VPC security groups + amazon.aws.ec2_security_group_info: + filters: + vpc-id: "{{ vpc_id }}" + register: vpc_security_groups + +- name: Delete VPC security groups + amazon.aws.ec2_security_group: + state: absent + group_id: "{{ item.group_id }}" + loop: "{{ vpc_security_groups.security_groups }}" + when: item.group_name != "default" + +- name: Get VPC subnets + amazon.aws.ec2_vpc_subnet_info: + filters: + vpc-id: "{{ vpc_id }}" + register: vpc_subnets + +- name: Delete VPC subnets + amazon.aws.ec2_vpc_subnet: + state: absent + vpc_id: "{{ vpc_id }}" + cidr: "{{ item.cidr_block }}" + loop: "{{ vpc_subnets.subnets }}" + +- name: Delete VPC internet gateways + amazon.aws.ec2_vpc_igw: + state: absent + vpc_id: "{{ vpc_id }}" + +- name: Get VPC route tables + amazon.aws.ec2_vpc_route_table_info: + filters: + vpc-id: "{{ vpc_id }}" + register: vpc_route_tables + +- name: Delete VPC route tables + amazon.aws.ec2_vpc_route_table: + state: absent + vpc_id: "{{ vpc_id }}" + lookup: id + route_table_id: "{{ item.id }}" + loop: "{{ vpc_route_tables.route_tables }}" + when: item.associations | length == 0 or true not in item.associations | map(attribute='main') + +- name: Delete VPC + amazon.aws.ec2_vpc_net: + vpc_id: "{{ vpc_id }}" + state: absent diff --git a/roles/ec2_networking_resources/tasks/main.yml b/roles/ec2_networking_resources/tasks/main.yml index 9564020f..c4d824fb 100644 --- a/roles/ec2_networking_resources/tasks/main.yml +++ b/roles/ec2_networking_resources/tasks/main.yml 
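Review bot: `vpc_id: "{{ vpc_info.vpcs[0].vpc_id }}"` in "Set VPC ID" assumes exactly one VPC carries the Name tag: with none the task fails on an index error rather than a clear message, and with several (Name tags are not unique) the role tears down whichever VPC AWS lists first. Everything after it — every non-default security group, every subnet, the internet gateway, every non-main route table and the VPC itself — is deleted for that ID whether or not this role created it, so a guard before "Set VPC ID" is warranted, e.g. an `ansible.builtin.fail` task with `when: vpc_info.vpcs | length != 1` and a message naming `ec2_networking_resources_vpc_name` and the number of matches. The README and argument spec should also state that the delete operation removes all security groups, subnets and route tables in the named VPC, not only the ones the create operation made.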
@@ -3,27 +3,10 @@ module_defaults: group/aws: "{{ aws_setup_credentials__output }}" block: - - name: Create VPC - amazon.aws.ec2_vpc_net: - name: "{{ ec2_networking_resources_vpc_name }}" - cidr_block: "{{ ec2_networking_resources_vpc_cidr_block }}" - register: ec2_networking_resources_vpc_result + - name: Include create operations + ansible.builtin.include_tasks: create.yml + when: ec2_networking_resources_operation == 'create' - - name: Create VPC subnet - amazon.aws.ec2_vpc_subnet: - vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}" - cidr: "{{ ec2_networking_resources_subnet_cidr_block }}" - register: ec2_networking_resources_subnet_result - - - name: Create route table - amazon.aws.ec2_vpc_route_table: - vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}" - subnets: - - "{{ ec2_networking_resources_subnet_result.subnet.id }}" - - - name: Create security group for internal access - amazon.aws.ec2_security_group: - vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}" - name: "{{ ec2_networking_resources_sg_internal_name }}" - description: "{{ ec2_networking_resources_sg_internal_description }}" - rules: "{{ ec2_networking_resources_sg_internal_rules }}" + - name: Include delete operations + ansible.builtin.include_tasks: delete.yml + when: ec2_networking_resources_operation == 'delete' diff --git a/tests/integration/targets/test_ec2_networking_resources/defaults/main.yml b/tests/integration/targets/test_ec2_networking_resources/defaults/main.yml index 6703ade8..fe23be18 100644 --- a/tests/integration/targets/test_ec2_networking_resources/defaults/main.yml +++ b/tests/integration/targets/test_ec2_networking_resources/defaults/main.yml 
@@ -4,4 +4,5 @@ aws_security_token: "{{ security_token | default(omit) }}" vpc_name: "{{ resource_prefix }}-vpc" vpc_cidr_block: "10.0.1.0/24" subnet_cidr_block: "10.0.1.0/26" -sg_name: "{{ resource_prefix }}-sg" +internal_sg_name: "{{ resource_prefix }}-internal-sg" +external_sg_name: "{{ resource_prefix }}-external-sg" diff --git a/tests/integration/targets/test_ec2_networking_resources/tasks/main.yml b/tests/integration/targets/test_ec2_networking_resources/tasks/main.yml index f96d0250..c18a41bc 100644 --- a/tests/integration/targets/test_ec2_networking_resources/tasks/main.yml +++ b/tests/integration/targets/test_ec2_networking_resources/tasks/main.yml 
@@ -6,101 +6,13 @@ aws_secret_key: "{{ aws_secret_key }}" security_token: "{{ security_token | default(omit) }}" region: "{{ aws_region }}" - block: - - name: Create networking infrastructure - ansible.builtin.include_role: - name: cloud.aws_ops.ec2_networking_resources - vars: - ec2_networking_resources_vpc_name: "{{ vpc_name }}" - ec2_networking_resources_vpc_cidr_block: "{{ vpc_cidr_block }}" - ec2_networking_resources_subnet_cidr_block: "{{ subnet_cidr_block }}" - ec2_networking_resources_sg_internal_name: "{{ sg_name }}" - ec2_networking_resources_sg_internal_description: Test security group - - - name: Get the created VPC - amazon.aws.ec2_vpc_net_info: - filters: - "tag:Name": "{{ vpc_name }}" - cidr: "{{ vpc_cidr_block }}" - register: _vpc - - - name: Assert the VPC exists - ansible.builtin.assert: - that: - - _vpc.vpcs | length == 1 - - _vpc.vpcs[0].cidr_block == vpc_cidr_block - - - name: Get the created subnet - amazon.aws.ec2_vpc_subnet_info: - filters: - vpc-id: "{{ _vpc.vpcs[0].id }}" - cidr-block: "{{ subnet_cidr_block }}" - register: _subnet - - - name: Assert subnet has been created - ansible.builtin.assert: - that: - - _subnet.subnets | length == 1 - - _subnet.subnets[0].cidr_block == subnet_cidr_block - - - name: Get security group - amazon.aws.ec2_security_group_info: - filters: - group-name: "{{ sg_name }}" - register: _security_group + - name: Run tests for case 1 - Create networking resources with required options only + ansible.builtin.include_tasks: tasks/test_required_options.yml - - name: Assert default security group has been created - ansible.builtin.assert: - that: - - _security_group.security_groups | length == 1 - - _sg_rule.from_port == 22 - - _sg_rule.to_port == 22 - - _sg_rule.ip_protocol == "tcp" - - _sg_rule.ip_ranges[0].cidr_ip == vpc_cidr_block - vars: - _sg_rule: "{{ _security_group.security_groups[0].ip_permissions[0] }}" + - name: Run tests for case 2 - Create networking resources with all options + 
ansible.builtin.include_tasks: tasks/test_all_options.yml always: - - name: Delete the security group - amazon.aws.ec2_security_group: - state: absent - name: "{{ sg_name }}" - ignore_errors: true - - - name: Get the VPC - amazon.aws.ec2_vpc_net_info: - filters: - "tag:Name": "{{ vpc_name }}" - cidr: "{{ vpc_cidr_block }}" - register: vpc - ignore_errors: true - - - name: Delete the VPC subnet - amazon.aws.ec2_vpc_subnet: - state: absent - vpc_id: "{{ vpc.vpcs[0].id }}" - cidr: "{{ subnet_cidr_block }}" - ignore_errors: true - - - name: Get the route tables - amazon.aws.ec2_vpc_route_table_info: - filters: - vpc-id: "{{ vpc.vpcs[0].id }}" - register: routes - ignore_errors: true - - - name: Delete the route tables - amazon.aws.ec2_vpc_route_table: - state: absent - route_table_id: "{{ item.route_table_id }}" - lookup: id - loop: "{{ routes.route_tables }}" - ignore_errors: true - - - name: Delete the VPC - amazon.aws.ec2_vpc_net: - state: absent - name: "{{ vpc_name }}" - cidr_block: "{{ vpc_cidr_block }}" - ignore_errors: true + - name: Delete any leftover resources used in tests + ansible.builtin.include_tasks: teardown.yml diff --git a/tests/integration/targets/test_ec2_networking_resources/tasks/teardown.yml b/tests/integration/targets/test_ec2_networking_resources/tasks/teardown.yml new file mode 100644 index 00000000..66477821 --- /dev/null +++ b/tests/integration/targets/test_ec2_networking_resources/tasks/teardown.yml 
@@ -0,0 +1,57 @@ +--- +- name: Teardown + block: + - name: Delete the internal security group + amazon.aws.ec2_security_group: + state: absent + name: "{{ internal_sg_name }}" + ignore_errors: true + + - name: Delete the external security group + amazon.aws.ec2_security_group: + state: absent + name: "{{ external_sg_name }}" + ignore_errors: true + + - name: Get the VPC + amazon.aws.ec2_vpc_net_info: + filters: + "tag:Name": "{{ vpc_name }}" + cidr: "{{ vpc_cidr_block }}" + register: vpc + ignore_errors: true + + - name: Delete the VPC subnet + amazon.aws.ec2_vpc_subnet: + state: absent + vpc_id: "{{ vpc.vpcs[0].id }}" + cidr: "{{ subnet_cidr_block }}" + ignore_errors: true + + - name: Delete the internet gateway attached to the VPC + amazon.aws.ec2_vpc_igw: + state: absent + vpc_id: "{{ vpc.vpcs[0].id }}" + ignore_errors: true + + - name: Get the route tables + amazon.aws.ec2_vpc_route_table_info: + filters: + vpc-id: "{{ vpc.vpcs[0].id }}" + register: routes + ignore_errors: true + + - name: Delete the route tables + amazon.aws.ec2_vpc_route_table: + state: absent + route_table_id: "{{ item.route_table_id }}" + lookup: id + loop: "{{ routes.route_tables }}" + ignore_errors: true + + - name: Delete the VPC + amazon.aws.ec2_vpc_net: + state: absent + name: "{{ vpc_name }}" + cidr_block: "{{ vpc_cidr_block }}" + ignore_errors: true diff --git a/tests/integration/targets/test_ec2_networking_resources/tasks/test_all_options.yml b/tests/integration/targets/test_ec2_networking_resources/tasks/test_all_options.yml new file mode 100644 index 00000000..7b92599f --- /dev/null +++ b/tests/integration/targets/test_ec2_networking_resources/tasks/test_all_options.yml 
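Review bot: Once the role's delete operation has run (both new test files exercise it), "Get the VPC" returns an empty list and each later task that references `vpc.vpcs[0].id` fails on the undefined index; `ignore_errors: true` keeps the play going but every one of those failures is still printed as an error, which makes a clean run look broken. Adding `when: vpc.vpcs | default([]) | length > 0` to the subnet, internet-gateway and route-table tasks keeps the teardown quiet in the normal case while still cleaning up after a mid-test failure. The enclosing `block:` has no `rescue` or `always`, so it currently adds nothing over the per-task `ignore_errors`.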
@@ -0,0 +1,172 @@ +--- +- name: Create networking infrastructure with ansible.builtin.set_fact: options + ansible.builtin.include_role: + name: cloud.aws_ops.ec2_networking_resources + vars: + ec2_networking_resources_operation: create + ec2_networking_resources_vpc_name: "{{ vpc_name }}" + ec2_networking_resources_vpc_cidr_block: "{{ vpc_cidr_block }}" + ec2_networking_resources_subnet_cidr_block: "{{ subnet_cidr_block }}" + ec2_networking_resources_sg_internal_name: "{{ internal_sg_name }}" + ec2_networking_resources_sg_internal_description: "Test internal sg" + ec2_networking_resources_sg_internal_rules: + - proto: tcp + ports: 22 + cidr_ip: "{{ vpc_cidr_block }}" + ec2_networking_resources_sg_external_name: "{{ external_sg_name }}" + ec2_networking_resources_sg_external_description: "Test external sg" + ec2_networking_resources_sg_external_rules: + - proto: tcp + ports: 443 + cidr_ip: 0.0.0.0/0 + ec2_networking_resources_create_igw: true + +- name: Get the created VPC + amazon.aws.ec2_vpc_net_info: + filters: + "tag:Name": "{{ vpc_name }}" + cidr: "{{ vpc_cidr_block }}" + register: _vpc + +- name: Assert the VPC exists + ansible.builtin.assert: + that: + - _vpc.vpcs | length == 1 + - _vpc.vpcs[0].cidr_block == vpc_cidr_block + +- name: Get the created subnet + amazon.aws.ec2_vpc_subnet_info: + filters: + vpc-id: "{{ _vpc.vpcs[0].id }}" + cidr-block: "{{ subnet_cidr_block }}" + register: _subnet + +- name: Assert subnet has been created + ansible.builtin.assert: + that: + - _subnet.subnets | length == 1 + - _subnet.subnets[0].cidr_block == subnet_cidr_block + +- name: Get internal security group + amazon.aws.ec2_security_group_info: + filters: + group-name: "{{ internal_sg_name }}" + register: _internal_security_group + +- name: Assert internal security group has been created + ansible.builtin.assert: + that: + - _internal_security_group.security_groups | length == 1 + - _sg_rule.from_port == 22 + - _sg_rule.to_port == 22 + - _sg_rule.ip_protocol == "tcp" + - 
_sg_rule.ip_ranges[0].cidr_ip == vpc_cidr_block + vars: + _sg_rule: "{{ _internal_security_group.security_groups[0].ip_permissions[0] }}" + +- name: Get external security group + amazon.aws.ec2_security_group_info: + filters: + group-name: "{{ external_sg_name }}" + register: _external_security_group + +- name: Assert external security group has been created + ansible.builtin.assert: + that: + - _external_security_group.security_groups | length == 1 + - _sg_rule.from_port == 443 + - _sg_rule.to_port == 443 + - _sg_rule.ip_protocol == "tcp" + - _sg_rule.ip_ranges[0].cidr_ip == "0.0.0.0/0" + vars: + _sg_rule: "{{ _external_security_group.security_groups[0].ip_permissions[0] }}" + +- name: Get internet gateway + amazon.aws.ec2_vpc_igw_info: + filters: + "attachment.vpc-id": "{{ _vpc.vpcs[0].id }}" + register: _internet_gateway + +- name: Assert internet gateway has been created + ansible.builtin.assert: + that: + - _internet_gateway.internet_gateways | length == 1 + +- name: Get route tables for VPC + amazon.aws.ec2_vpc_route_table_info: + filters: + vpc-id: "{{ _vpc.vpcs[0].id }}" + register: _route_tables + +- name: Assert route table has been created + ansible.builtin.assert: + that: + - item.associations[0].subnet_id == _subnet.subnets[0].id + - _internet_gateway.internet_gateways[0].internet_gateway_id in item.routes | map(attribute="gateway_id") + - '"0.0.0.0/0" in item.routes | map(attribute="destination_cidr_block")' + loop: "{{ _route_tables.route_tables }}" + when: true not in item.associations | map(attribute="main") + +- name: Delete created networking infrastructure + ansible.builtin.include_role: + name: cloud.aws_ops.ec2_networking_resources + vars: + ec2_networking_resources_operation: delete + ec2_networking_resources_vpc_name: "{{ vpc_name }}" + +- name: Get the deleted VPC + amazon.aws.ec2_vpc_net_info: + filters: + "tag:Name": "{{ vpc_name }}" + cidr: "{{ vpc_cidr_block }}" + register: _deleted_vpc + +- name: Assert the VPC does not exist + 
ansible.builtin.assert: + that: + - _deleted_vpc.vpcs | length == 0 + +- name: Get the deleted subnet + amazon.aws.ec2_vpc_subnet_info: + filters: + vpc-id: "{{ _vpc.vpcs[0].id }}" + cidr-block: "{{ subnet_cidr_block }}" + register: _deleted_subnet + +- name: Assert subnet does not exists + ansible.builtin.assert: + that: + - _deleted_subnet.subnets | length == 0 + +- name: Get the deleted internal security group + amazon.aws.ec2_security_group_info: + filters: + group-name: "{{ internal_sg_name }}" + register: _deleted_internal_security_group + +- name: Assert internal security group has been deleted + ansible.builtin.assert: + that: + - _deleted_internal_security_group.security_groups | length == 0 + +- name: Get the deleted external security group + amazon.aws.ec2_security_group_info: + filters: + group-name: "{{ external_sg_name }}" + register: _deleted_external_security_group + +- name: Assert external security group has been deleted + ansible.builtin.assert: + that: + - _deleted_external_security_group.security_groups | length == 0 + +- name: Get the deleted internet gateway + amazon.aws.ec2_vpc_igw_info: + filters: + "attachment.vpc-id": "{{ _vpc.vpcs[0].id }}" + register: _deleted_internet_gateway + +- name: Assert internet gateway has been deleted + ansible.builtin.assert: + that: + - _deleted_internet_gateway.internet_gateways | length == 0 diff --git a/tests/integration/targets/test_ec2_networking_resources/tasks/test_required_options.yml b/tests/integration/targets/test_ec2_networking_resources/tasks/test_required_options.yml new file mode 100644 index 00000000..ec78ad50 --- /dev/null +++ b/tests/integration/targets/test_ec2_networking_resources/tasks/test_required_options.yml 
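Review bot: Neither this file nor test_required_options.yml covers the failure paths the role now has: the "Validate options" `fail` in create.yml (a create without `ec2_networking_resources_vpc_cidr_block`, `ec2_networking_resources_subnet_cidr_block` or `ec2_networking_resources_sg_internal_name`) and a delete against a VPC name that does not exist. Because `include_role` cannot be registered, a short case that wraps the include in a `block`/`rescue`, sets a fact in `rescue`, and then asserts that fact (and, for the create case, the expected message) would pin both behaviours. The delete-side assertions here also skip the route tables; an `ec2_vpc_route_table_info` lookup on `_vpc.vpcs[0].id` asserting `_deleted_route_tables.route_tables | length == 0` would mirror the create-side check above.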
@@ -0,0 +1,94 @@ +--- +- name: Create networking infrastructure with only required options + ansible.builtin.include_role: + name: cloud.aws_ops.ec2_networking_resources + vars: + ec2_networking_resources_vpc_name: "{{ vpc_name }}" + ec2_networking_resources_vpc_cidr_block: "{{ vpc_cidr_block }}" + ec2_networking_resources_subnet_cidr_block: "{{ subnet_cidr_block }}" + ec2_networking_resources_sg_internal_name: "{{ internal_sg_name }}" + +- name: Get the created VPC + amazon.aws.ec2_vpc_net_info: + filters: + "tag:Name": "{{ vpc_name }}" + cidr: "{{ vpc_cidr_block }}" + register: _vpc + +- name: Assert the VPC exists + ansible.builtin.assert: + that: + - _vpc.vpcs | length == 1 + - _vpc.vpcs[0].cidr_block == vpc_cidr_block + +- name: Get the created subnet + amazon.aws.ec2_vpc_subnet_info: + filters: + vpc-id: "{{ _vpc.vpcs[0].id }}" + cidr-block: "{{ subnet_cidr_block }}" + register: _subnet + +- name: Assert subnet has been created + ansible.builtin.assert: + that: + - _subnet.subnets | length == 1 + - _subnet.subnets[0].cidr_block == subnet_cidr_block + +- name: Get internal security group + amazon.aws.ec2_security_group_info: + filters: + group-name: "{{ internal_sg_name }}" + register: _internal_security_group + +- name: Assert internal security group has been created + ansible.builtin.assert: + that: + - _internal_security_group.security_groups | length == 1 + - _sg_rule.from_port == 22 + - _sg_rule.to_port == 22 + - _sg_rule.ip_protocol == "tcp" + - _sg_rule.ip_ranges[0].cidr_ip == vpc_cidr_block + vars: + _sg_rule: "{{ _internal_security_group.security_groups[0].ip_permissions[0] }}" + +- name: Delete created networking infrastructure + ansible.builtin.include_role: + name: cloud.aws_ops.ec2_networking_resources + vars: + ec2_networking_resources_operation: delete + ec2_networking_resources_vpc_name: "{{ vpc_name }}" + +- name: Get the deleted VPC + amazon.aws.ec2_vpc_net_info: + filters: + "tag:Name": "{{ vpc_name }}" + cidr: "{{ vpc_cidr_block }}" + 
register: _deleted_vpc + +- name: Assert the VPC does not exist + ansible.builtin.assert: + that: + - _deleted_vpc.vpcs | length == 0 + +- name: Get the deleted subnet + amazon.aws.ec2_vpc_subnet_info: + filters: + vpc-id: "{{ _vpc.vpcs[0].id }}" + cidr-block: "{{ subnet_cidr_block }}" + register: _deleted_subnet + +- name: Assert subnet does not exists + ansible.builtin.assert: + that: + - _deleted_subnet.subnets | length == 0 + +- name: Get the deleted internal security group + amazon.aws.ec2_security_group_info: + filters: + group-name: "{{ internal_sg_name }}" + register: _deleted_internal_security_group + +- name: Assert internal security group has been deleted + ansible.builtin.assert: + that: + - _deleted_internal_security_group.security_groups | length == 0 From 8b8e275a7c486504714df908e8d34484501acaa5 Mon Sep 17 00:00:00 2001 From: Helen Bailey Date: Wed, 4 Dec 2024 14:58:20 -0500 Subject: [PATCH 2/4] Add changelog fragment --- .../fragments/2024-12-04_ec2_networking_role_add_options.yml | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 changelogs/fragments/2024-12-04_ec2_networking_role_add_options.yml diff --git a/changelogs/fragments/2024-12-04_ec2_networking_role_add_options.yml b/changelogs/fragments/2024-12-04_ec2_networking_role_add_options.yml new file mode 100644 index 00000000..932057bd --- /dev/null +++ b/changelogs/fragments/2024-12-04_ec2_networking_role_add_options.yml @@ -0,0 +1,2 @@ +minor_changes: +- ec2_networking_resources - Add optional networking resources and ability to delete resources created by role. (https://github.com/redhat-cop/cloud.aws_ops/pull/126) From d65d180302f9493e80e0db1e87137b488dbc7863 Mon Sep 17 00:00:00 2001 From: Helen Bailey Date: Wed, 4 Dec 2024 15:05:42 -0500 Subject: [PATCH 3/4] Fix typo --- .../test_ec2_networking_resources/tasks/test_all_options.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/tests/integration/targets/test_ec2_networking_resources/tasks/test_all_options.yml b/tests/integration/targets/test_ec2_networking_resources/tasks/test_all_options.yml index 7b92599f..b08e7614 100644 --- a/tests/integration/targets/test_ec2_networking_resources/tasks/test_all_options.yml +++ b/tests/integration/targets/test_ec2_networking_resources/tasks/test_all_options.yml @@ -1,5 +1,5 @@ --- -- name: Create networking infrastructure with ansible.builtin.set_fact: options +- name: Create networking infrastructure with all options ansible.builtin.include_role: name: cloud.aws_ops.ec2_networking_resources vars: From 7fece3beabf1193f778e06e442df30d18a66760e Mon Sep 17 00:00:00 2001 From: Helen Bailey Date: Thu, 5 Dec 2024 11:50:29 -0500 Subject: [PATCH 4/4] Updates based on PR feedback --- roles/ec2_networking_resources/README.md | 32 +++------- .../defaults/main.yml | 12 +--- .../meta/argument_specs.yml | 54 +++------------- .../ec2_networking_resources/tasks/create.yml | 55 ++++------------ .../defaults/main.yml | 3 +- .../tasks/teardown.yml | 10 +-- .../tasks/test_all_options.yml | 62 +++++-------------- .../tasks/test_required_options.yml | 24 +++---- 8 files changed, 62 insertions(+), 190 deletions(-) diff --git a/roles/ec2_networking_resources/README.md b/roles/ec2_networking_resources/README.md index 56d91c97..6f1f75c2 100644 --- a/roles/ec2_networking_resources/README.md +++ b/roles/ec2_networking_resources/README.md 
@@ -30,18 +30,12 @@ Role Variables * **ec2_networking_resources_vpc_name**: (Required) The name of the VPC to create or delete. * **ec2_networking_resources_vpc_cidr_block**: (Optional) The CIDR block to use for the VPC being created. Required if `ec2_networking_resources_operation` is "create". * **ec2_networking_resources_subnet_cidr_block**: (Optional) The CIDR block to use for subnet being created. Required if `ec2_networking_resources_operation` is "create". -* **ec2_networking_resources_sg_internal_name**: (Optional) The name of the internal security group to create. Required if `ec2_networking_resources_operation` is "create". -* **ec2_networking_resources_sg_internal_description**: (Optional) The description of the internal security group being created. Defaults to "Security group for internal access". -* **ec2_networking_resources_sg_internal_rules**: (Optional) List of rules to apply to the internal security group being created. By default, a rule allowing SSH access from within the VPC will be added. A rule should contain the following keys: - * **proto** (str): The IP protocol name. - * **ports** (str): A list of ports traffic is going to. Can be a single port, or a range of ports, for example, 8000-8010. - * **cidr_ip** (str): The CIDR block traffic is coming from. -* **ec2_networking_resources_sg_external_name**: (Optional) The name of the external security group to create. -* **ec2_networking_resources_sg_external_description**: (Optional) The description of the external security group being created. Defaults to "Security group for external access". Ignored if ec2_networking_resources_sg_external_name is not provided. -* **ec2_networking_resources_sg_external_rules**: (Optional) List of rules to apply to the external security group being created. By default, allows all inbound http and https traffic. Ignored if ec2_networking_resources_sg_external_name is not provided. 
A rule should contain the following keys: - * **proto** (str): The IP protocol name. - * **ports** (str): A list of ports traffic is going to. Can be a single port, or a range of ports, for example, 8000-8010. - * **cidr_ip** (str): The CIDR block traffic is coming from. +* **ec2_networking_resources_sg_name**: (Optional) The name of the security group to create. Required if `ec2_networking_resources_operation` is "create". +* **ec2_networking_resources_sg_description**: (Optional) The description of the security group being created. Defaults to "Security group for EC2 instance". +* **ec2_networking_resources_sg_rules**: (Optional) List of rules to apply to the security group being created. By default, a rule allowing SSH access from within the VPC will be added. A rule should contain the following keys: + * **proto** (str): The IP protocol name. + * **ports** (list): A list of ports traffic is going to. Can be a single port or a range of ports, for example 8000-8010. + * **cidr_ip** (str): The CIDR block traffic is coming from. * **ec2_networking_resources_create_igw**: (Optional) Whether to create an internet gateway and route traffic to it. Defaults to `false`. Dependencies @@ -52,7 +46,7 @@ Dependencies Examples ---------------- -Create networking resources: +Create networking resources with an internet gateway and allow HTTP/HTTPS traffic: ```yaml - hosts: localhost 
@@ -62,19 +56,13 @@ Create networking resources: ec2_networking_resources_vpc_name: my-vpn ec2_networking_resources_vpc_cidr_block: 10.0.1.0/16 ec2_networking_resources_subnet_cidr_block: 10.0.1.0/26 - ec2_networking_resources_sg_internal_name: my-internal-sg - ec2_networking_resources_sg_internal_description: My internal security group - ec2_networking_resources_sg_internal_rules: + ec2_networking_resources_sg_name: my-sg + ec2_networking_resources_sg_description: My security group + ec2_networking_resources_sg_rules: - proto: tcp ports: 22 cidr_ip: 10.0.1.0/16 - ports: tcp - ports: 8000-8010 - cidr_ip: 10.0.1.0/16 - ec2_networking_resources_sg_external_name: my-external-sg - ec2_networking_resources_sg_external_description: My external security group - ec2_networking_resources_sg_external_rules: - - proto: tcp ports: 80 cidr_ip: 0.0.0.0/0 - proto: tcp diff --git a/roles/ec2_networking_resources/defaults/main.yml b/roles/ec2_networking_resources/defaults/main.yml index faf8bfc4..5fb78af7 100644 --- a/roles/ec2_networking_resources/defaults/main.yml +++ b/roles/ec2_networking_resources/defaults/main.yml @@ -1,17 +1,9 @@ --- ec2_networking_resources_operation: create ec2_networking_resources_vpc_cidr_block: "{{ ec2_networking_resources_operation == 'delete' | ternary('', omit) }}" -ec2_networking_resources_sg_internal_description: Security group for internal access -ec2_networking_resources_sg_internal_rules: +ec2_networking_resources_sg_description: Security group for EC2 instance +ec2_networking_resources_sg_rules: - proto: tcp ports: 22 cidr_ip: "{{ ec2_networking_resources_vpc_cidr_block }}" -ec2_networking_resources_sg_external_description: Security group for external access -ec2_networking_resources_sg_external_rules: - - proto: tcp - ports: 80 - cidr_ip: 0.0.0.0/0 - - proto: tcp - ports: 443 - cidr_ip: 0.0.0.0/0 ec2_networking_resources_create_igw: false 
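Review bot: The unchanged context line `ec2_networking_resources_vpc_cidr_block: "{{ ec2_networking_resources_operation == 'delete' | ternary('', omit) }}"` does not evaluate the way it reads, because Jinja binds a filter before a comparison: `'delete' | ternary('', omit)` is applied first and the whole expression collapses to `ec2_networking_resources_operation == ''`, which is `false` for both operations, so the intended `omit` never happens. The fix is a pair of parentheses, `ec2_networking_resources_vpc_cidr_block: "{{ (ec2_networking_resources_operation == 'delete') | ternary('', omit) }}"`. This matters a little more after this commit because the single remaining default rule, `cidr_ip: "{{ ec2_networking_resources_vpc_cidr_block }}"`, is now the only rule the role ships, and its source CIDR is rendered from this value whenever a caller relies on the default; as far as I can tell the create-path `fail` guard catches the empty/false case, but that is worth confirming rather than relying on.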
diff --git a/roles/ec2_networking_resources/meta/argument_specs.yml b/roles/ec2_networking_resources/meta/argument_specs.yml index 1347e866..e80b3211 100644 --- a/roles/ec2_networking_resources/meta/argument_specs.yml +++ b/roles/ec2_networking_resources/meta/argument_specs.yml @@ -4,8 +4,8 @@ argument_specs: short_description: A role to create a basic networking environment for an EC2 instance. description: - A role to create a basic networking environment for an EC2 instance. - - Creates a VPC, subnet, route table, security groups. - - Can optionally create an external security group and/or internet gateway to allow external access. + - Creates a VPC, subnet, route table, and security group. + - Can optionally create an internet gateway. - Can also delete networking resources created by this role using the "delete" operation. options: ec2_networking_resources_operation: 
@@ -25,18 +25,18 @@ argument_specs: description: - The CIDR block for the subnet being created. Required when creating resources. required: false - ec2_networking_resources_sg_internal_name: + ec2_networking_resources_sg_name: description: - - The name of the security group to create for internal access to the EC2 instance. Required when creating resources. + - The name of the security group to create. Required when creating resources. required: false - ec2_networking_resources_sg_internal_description: + ec2_networking_resources_sg_description: description: - - The description of the security group for internal access to the EC2 instance. + - The description of the security group. required: false - default: Security group for internal access - ec2_networking_resources_sg_internal_rules: + default: Security group for EC2 instance + ec2_networking_resources_sg_rules: description: - - A list of security group rules to apply to the security group for internal access. + - A list of security group rules to apply to the security group. - By default, will add a rule to allow SSH access from within the VPC created by the role. required: false type: list 
@@ -57,43 +57,9 @@ argument_specs: elements: str cidr_ip: description: The CIDR range traffic is coming from. - ec2_networking_resources_sg_external_name: - description: - - The name of the security group to create for external access to the EC2 instance. - required: false - ec2_networking_resources_sg_external_description: - description: - - The description of the security group for external access to the EC2 instance. - required: false - default: Security group for external access - ec2_networking_resources_sg_external_rules: - description: - - A list of security group rules to apply to the security group for external access. - - By default, will add rules to allow all HTTP and HTTPS traffic. - required: false - type: list - elements: dict - default: - - proto: tcp - ports: 80 - cidr_ip: 0.0.0.0/0 - - proto: tcp - ports: 443 - cidr_ip: 0.0.0.0/0 - options: - proto: - description: The IP protocol name. - ports: - description: - - A list of ports the traffic is going to. - - Elements can be a single port, or a range of ports (for example, 8000-8100). - type: list - elements: str - cidr_ip: - description: The CIDR range traffic is coming from. ec2_networking_resources_create_igw: description: - - Whether to create an internet gateway and route traffic to internet. + - Whether to create an internet gateway and route traffic to it. required: false type: bool default: false diff --git a/roles/ec2_networking_resources/tasks/create.yml b/roles/ec2_networking_resources/tasks/create.yml index 28ea0b84..93d4f847 100644 --- a/roles/ec2_networking_resources/tasks/create.yml +++ b/roles/ec2_networking_resources/tasks/create.yml 
@@ -1,10 +1,10 @@ --- - name: Validate options ansible.builtin.fail: - msg: "When creating resources, all of the following options must be provided: ec2_networking_resources_vpc_cidr_block, ec2_networking_resources_subnet_cidr_block, ec2_networking_resources_sg_internal_name" + msg: "When creating resources, all of the following options must be provided: ec2_networking_resources_vpc_cidr_block, ec2_networking_resources_subnet_cidr_block, ec2_networking_resources_sg_name" when: ec2_networking_resources_vpc_cidr_block | default("", true) == "" or ec2_networking_resources_subnet_cidr_block | default("", true) == "" or - ec2_networking_resources_sg_internal_name | default("", true) == "" + ec2_networking_resources_sg_name | default("", true) == "" - name: Create VPC amazon.aws.ec2_vpc_net: 
@@ -12,53 +12,19 @@ cidr_block: "{{ ec2_networking_resources_vpc_cidr_block }}" register: ec2_networking_resources_vpc_result -- name: Set VPC ID - ansible.builtin.set_fact: - vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}" - - name: Create VPC subnet amazon.aws.ec2_vpc_subnet: vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}" cidr: "{{ ec2_networking_resources_subnet_cidr_block }}" register: ec2_networking_resources_subnet_result -- name: Set subnet ID - ansible.builtin.set_fact: - subnet_id: "{{ ec2_networking_resources_subnet_result.subnet.id }}" - -- name: Create custom route table for subnet - amazon.aws.ec2_vpc_route_table: - vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}" - subnets: - - "{{ ec2_networking_resources_subnet_result.subnet.id }}" - register: ec2_networking_resources_route_table_result - -- name: Create security group for internal access +- name: Create security group amazon.aws.ec2_security_group: vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}" - name: "{{ ec2_networking_resources_sg_internal_name }}" - description: "{{ ec2_networking_resources_sg_internal_description }}" - rules: "{{ ec2_networking_resources_sg_internal_rules }}" - register: ec2_networking_resources_internal_sg_result - -- name: Set internal security group ID - ansible.builtin.set_fact: - internal_sg_id: "{{ ec2_networking_resources_internal_sg_result.group_id }}" - -- name: Create security group for external access if provided - when: ec2_networking_resources_sg_external_name | default("", true) != "" - block: - - name: Create security group for external access - amazon.aws.ec2_security_group: - vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}" - name: "{{ ec2_networking_resources_sg_external_name }}" - description: "{{ ec2_networking_resources_sg_external_description }}" - rules: "{{ ec2_networking_resources_sg_external_rules }}" - register: ec2_networking_resources_external_sg_result - - - name: Set external security group 
ID - ansible.builtin.set_fact: - external_sg_id: "{{ ec2_networking_resources_external_sg_result.group_id }}" + name: "{{ ec2_networking_resources_sg_name }}" + description: "{{ ec2_networking_resources_sg_description }}" + rules: "{{ ec2_networking_resources_sg_rules }}" + register: ec2_networking_resources_sg_result - name: Create internet gateway and route traffic to it when: ec2_networking_resources_create_igw is true @@ -69,12 +35,13 @@ vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}" register: ec2_networking_resources_internet_gateway_result - - name: Update route table + - name: Create route table amazon.aws.ec2_vpc_route_table: state: present - lookup: id - route_table_id: "{{ ec2_networking_resources_route_table_result.route_table.id }}" vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}" + subnets: + - "{{ ec2_networking_resources_subnet_result.subnet.id }}" routes: - dest: "0.0.0.0/0" gateway_id: "{{ ec2_networking_resources_internet_gateway_result.gateway_id }}" + register: ec2_networking_resources_route_table_result diff --git a/tests/integration/targets/test_ec2_networking_resources/defaults/main.yml b/tests/integration/targets/test_ec2_networking_resources/defaults/main.yml index fe23be18..6703ade8 100644 --- a/tests/integration/targets/test_ec2_networking_resources/defaults/main.yml +++ b/tests/integration/targets/test_ec2_networking_resources/defaults/main.yml @@ -4,5 +4,4 @@ aws_security_token: "{{ security_token | default(omit) }}" vpc_name: "{{ resource_prefix }}-vpc" vpc_cidr_block: "10.0.1.0/24" subnet_cidr_block: "10.0.1.0/26" -internal_sg_name: "{{ resource_prefix }}-internal-sg" -external_sg_name: "{{ resource_prefix }}-external-sg" +sg_name: "{{ resource_prefix }}-sg" diff --git a/tests/integration/targets/test_ec2_networking_resources/tasks/teardown.yml b/tests/integration/targets/test_ec2_networking_resources/tasks/teardown.yml index 66477821..5d7507ca 100644 
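Review bot: With the route table now created only inside the internet-gateway block, a VPC created without `ec2_networking_resources_create_igw` leaves the subnet on the VPC's implicit main route table, and `ec2_networking_resources_route_table_result` is registered only in that branch; neither the README nor argument_specs hunks in this series state either consequence. I would put a comment above `- name: Create route table`, e.g. `# Subnet-associated table with a 0.0.0.0/0 route to the IGW; without create_igw the subnet stays on the VPC main route table`, and extend the `ec2_networking_resources_create_igw` description to say that enabling it gives the subnet a default route to the gateway, i.e. makes it a public subnet. The block this hunk belongs to (`when: ec2_networking_resources_create_igw is true`) starts in the previous hunk; note that the `is true` test matches only a real boolean, so a string `"true"` from `--extra-vars` would, I believe, skip the block silently — `| bool` would be more forgiving if that matters to callers.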
--- a/tests/integration/targets/test_ec2_networking_resources/tasks/teardown.yml +++ b/tests/integration/targets/test_ec2_networking_resources/tasks/teardown.yml @@ -1,16 +1,10 @@ --- - name: Teardown block: - - name: Delete the internal security group + - name: Delete the security group amazon.aws.ec2_security_group: state: absent - name: "{{ internal_sg_name }}" - ignore_errors: true - - - name: Delete the external security group - amazon.aws.ec2_security_group: - state: absent - name: "{{ external_sg_name }}" + name: "{{ sg_name }}" ignore_errors: true - name: Get the VPC diff --git a/tests/integration/targets/test_ec2_networking_resources/tasks/test_all_options.yml b/tests/integration/targets/test_ec2_networking_resources/tasks/test_all_options.yml index b08e7614..68592872 100644 --- a/tests/integration/targets/test_ec2_networking_resources/tasks/test_all_options.yml +++ b/tests/integration/targets/test_ec2_networking_resources/tasks/test_all_options.yml @@ -7,18 +7,12 @@ ec2_networking_resources_vpc_name: "{{ vpc_name }}" ec2_networking_resources_vpc_cidr_block: "{{ vpc_cidr_block }}" ec2_networking_resources_subnet_cidr_block: "{{ subnet_cidr_block }}" - ec2_networking_resources_sg_internal_name: "{{ internal_sg_name }}" - ec2_networking_resources_sg_internal_description: "Test internal sg" - ec2_networking_resources_sg_internal_rules: + ec2_networking_resources_sg_name: "{{ sg_name }}" + ec2_networking_resources_sg_description: "Test sg" + ec2_networking_resources_sg_irules: - proto: tcp ports: 22 cidr_ip: "{{ vpc_cidr_block }}" - ec2_networking_resources_sg_external_name: "{{ external_sg_name }}" - ec2_networking_resources_sg_external_description: "Test external sg" - ec2_networking_resources_sg_external_rules: - - proto: tcp - ports: 443 - cidr_ip: 0.0.0.0/0 ec2_networking_resources_create_igw: true - name: Get the created VPC 
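Review bot: `ec2_networking_resources_sg_irules:` on the new side is misspelled, so the rules list the test intends to supply never reaches the role and the security group is built from the role default instead; because that default is also the port-22-from-VPC rule, the later assertions still pass and this test does not actually exercise caller-supplied rules. Change the key to `ec2_networking_resources_sg_rules:`. It would also be worth using a rule that differs from the default here (a different port or source CIDR) so that a regression in rule handling becomes visible to the assertions.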
@@ -47,39 +41,22 @@ - _subnet.subnets | length == 1 - _subnet.subnets[0].cidr_block == subnet_cidr_block -- name: Get internal security group +- name: Get security group amazon.aws.ec2_security_group_info: filters: - group-name: "{{ internal_sg_name }}" - register: _internal_security_group + group-name: "{{ sg_name }}" + register: _security_group -- name: Assert internal security group has been created +- name: Assert security group has been created ansible.builtin.assert: that: - - _internal_security_group.security_groups | length == 1 + - _security_group.security_groups | length == 1 - _sg_rule.from_port == 22 - _sg_rule.to_port == 22 - _sg_rule.ip_protocol == "tcp" - _sg_rule.ip_ranges[0].cidr_ip == vpc_cidr_block vars: - _sg_rule: "{{ _internal_security_group.security_groups[0].ip_permissions[0] }}" - -- name: Get external security group - amazon.aws.ec2_security_group_info: - filters: - group-name: "{{ external_sg_name }}" - register: _external_security_group - -- name: Assert external security group has been created - ansible.builtin.assert: - that: - - _external_security_group.security_groups | length == 1 - - _sg_rule.from_port == 443 - - _sg_rule.to_port == 443 - - _sg_rule.ip_protocol == "tcp" - - _sg_rule.ip_ranges[0].cidr_ip == "0.0.0.0/0" - vars: - _sg_rule: "{{ _external_security_group.security_groups[0].ip_permissions[0] }}" + _sg_rule: "{{ _security_group.security_groups[0].ip_permissions[0] }}" - name: Get internet gateway amazon.aws.ec2_vpc_igw_info: 
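Review bot: The assertion inspects only `ip_permissions[0]` plus the group count, so an extra or unexpected ingress rule on the group would go unnoticed; now that the role manages a single security group this is the check that guards against an over-permissive rule set. Add `- _security_group.security_groups[0].ip_permissions | length == 1` to the `that:` list. The same strengthening applies to the matching assertion in test_required_options.yml, whose hunk appears later in this patch. Since the module purges unmanaged rules at its default setting, as far as I recall, the exact count should be stable.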
@@ -138,27 +115,16 @@ that: - _deleted_subnet.subnets | length == 0 -- name: Get the deleted internal security group - amazon.aws.ec2_security_group_info: - filters: - group-name: "{{ internal_sg_name }}" - register: _deleted_internal_security_group - -- name: Assert internal security group has been deleted - ansible.builtin.assert: - that: - - _deleted_internal_security_group.security_groups | length == 0 - -- name: Get the deleted external security group +- name: Get the deleted security group amazon.aws.ec2_security_group_info: filters: - group-name: "{{ external_sg_name }}" - register: _deleted_external_security_group + group-name: "{{ sg_name }}" + register: _deleted_security_group -- name: Assert external security group has been deleted +- name: Assert security group has been deleted ansible.builtin.assert: that: - - _deleted_external_security_group.security_groups | length == 0 + - _deleted_security_group.security_groups | length == 0 - name: Get the deleted internet gateway amazon.aws.ec2_vpc_igw_info: diff --git a/tests/integration/targets/test_ec2_networking_resources/tasks/test_required_options.yml b/tests/integration/targets/test_ec2_networking_resources/tasks/test_required_options.yml index ec78ad50..4af51cdb 100644 --- a/tests/integration/targets/test_ec2_networking_resources/tasks/test_required_options.yml +++ b/tests/integration/targets/test_ec2_networking_resources/tasks/test_required_options.yml @@ -6,7 +6,7 @@ ec2_networking_resources_vpc_name: "{{ vpc_name }}" ec2_networking_resources_vpc_cidr_block: "{{ vpc_cidr_block }}" ec2_networking_resources_subnet_cidr_block: "{{ subnet_cidr_block }}" - ec2_networking_resources_sg_internal_name: "{{ internal_sg_name }}" + ec2_networking_resources_sg_name: "{{ sg_name }}" - name: Get the created VPC amazon.aws.ec2_vpc_net_info: 
@@ -34,22 +34,22 @@ - _subnet.subnets | length == 1 - _subnet.subnets[0].cidr_block == subnet_cidr_block -- name: Get internal security group +- name: Get security group amazon.aws.ec2_security_group_info: filters: - group-name: "{{ internal_sg_name }}" - register: _internal_security_group + group-name: "{{ sg_name }}" + register: _security_group -- name: Assert internal security group has been created +- name: Assert security group has been created ansible.builtin.assert: that: - - _internal_security_group.security_groups | length == 1 + - _security_group.security_groups | length == 1 - _sg_rule.from_port == 22 - _sg_rule.to_port == 22 - _sg_rule.ip_protocol == "tcp" - _sg_rule.ip_ranges[0].cidr_ip == vpc_cidr_block vars: - _sg_rule: "{{ _internal_security_group.security_groups[0].ip_permissions[0] }}" + _sg_rule: "{{ _security_group.security_groups[0].ip_permissions[0] }}" - name: Delete created networking infrastructure ansible.builtin.include_role: @@ -82,13 +82,13 @@ that: - _deleted_subnet.subnets | length == 0 -- name: Get the deleted internal security group +- name: Get the deleted security group amazon.aws.ec2_security_group_info: filters: - group-name: "{{ internal_sg_name }}" - register: _deleted_internal_security_group + group-name: "{{ sg_name }}" + register: _deleted_security_group -- name: Assert internal security group has been deleted +- name: Assert security group has been deleted ansible.builtin.assert: that: - - _deleted_internal_security_group.security_groups | length == 0 + - _deleted_security_group.security_groups | length == 0