[aws] ec2_group multi-account and peered VPC bugfix (#45296)
* Add tests to replicate bug #44788 * Handle when userId is same account due to in-account peering * Module defaults for main.yml * Turn off VPC peering tests in CI
This commit is contained in:
parent
12e2d6d01f
commit
079299db4d
3 changed files with 145 additions and 12 deletions
|
@ -9,7 +9,13 @@
|
|||
# - include: ../../setup_ec2/tasks/common.yml module_name: ec2_group
|
||||
|
||||
- include: ./credential_tests.yml
|
||||
- block:
|
||||
- module_defaults:
|
||||
group/aws:
|
||||
aws_access_key: "{{ aws_access_key }}"
|
||||
aws_secret_key: "{{ aws_secret_key }}"
|
||||
security_token: "{{ security_token }}"
|
||||
region: "{{ aws_region }}"
|
||||
block:
|
||||
# ============================================================
|
||||
- name: set up aws connection info
|
||||
set_fact:
|
||||
|
@ -42,6 +48,8 @@
|
|||
Name: "{{ resource_prefix }}-vpc"
|
||||
Description: "Created by ansible-test"
|
||||
register: vpc_result
|
||||
#TODO(ryansb): Update CI for VPC peering permissions
|
||||
#- include: ./multi_account.yml
|
||||
- include: ./numeric_protos.yml
|
||||
- include: ./rule_group_create.yml
|
||||
- include: ./egress_tests.yml
|
||||
|
|
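--- /dev/null
+++ b/test/integration/targets/ec2_group/tasks/multi_account.yml
@@ -0,0 +1,124 @@
+- block:
+- aws_caller_facts:
+register: caller_facts
+- name: create a VPC
+ec2_vpc_net:
+name: "{{ resource_prefix }}-vpc-2"
+state: present
+cidr_block: "10.232.233.128/26"
+tags:
+Description: "Created by ansible-test"
+register: vpc_result_2
+- name: Peer the secondary-VPC to the main VPC
+ec2_vpc_peer:
+vpc_id: '{{ vpc_result_2.vpc.id }}'
+peer_vpc_id: '{{ vpc_result.vpc.id }}'
+peer_owner_id: '{{ caller_facts.account }}'
+peer_region: '{{ aws_region }}'
+register: peer_origin
+- name: Accept the secondary-VPC peering connection in the main VPC
+ec2_vpc_peer:
+peer_vpc_id: '{{ vpc_result_2.vpc.id }}'
+vpc_id: '{{ vpc_result.vpc.id }}'
+state: accept
+peering_id: '{{ peer_origin.peering_id }}'
+peer_owner_id: '{{ caller_facts.account }}'
+peer_region: '{{ aws_region }}'
+- name: Create group in second VPC
+ec2_group:
+name: '{{ ec2_group_name }}-external'
+description: '{{ ec2_group_description }}'
+vpc_id: '{{ vpc_result_2.vpc.id }}'
+state: present
+rules:
+- proto: "tcp"
+cidr_ip: 0.0.0.0/0
+ports:
+- 80
+rule_desc: 'http whoo'
+register: external
+- name: Create group in internal VPC
+ec2_group:
+name: '{{ ec2_group_name }}-internal'
+description: '{{ ec2_group_description }}'
+vpc_id: '{{ vpc_result.vpc.id }}'
+state: present
+rules:
+- proto: "tcp"
+group_id: '{{ caller_facts.account }}/{{ external.group_id }}/{{ ec2_group_name }}-external'
+ports:
+- 80
+- name: Re-make same rule, expecting changed=false in internal VPC
+ec2_group:
+name: '{{ ec2_group_name }}-internal'
+description: '{{ ec2_group_description }}'
+vpc_id: '{{ vpc_result.vpc.id }}'
+state: present
+rules:
+- proto: "tcp"
+group_id: '{{ caller_facts.account }}/{{ external.group_id }}/{{ ec2_group_name }}-external'
+ports:
+- 80
+register: out
+- assert:
+that:
+- out is not changed
+- name: Try again with a bad group_id group in internal VPC
+ec2_group:
+name: '{{ ec2_group_name }}-internal'
+description: '{{ ec2_group_description }}'
+vpc_id: '{{ vpc_result.vpc.id }}'
+state: present
+rules:
+- proto: "tcp"
+group_id: '{{ external.group_id }}/{{ caller_facts.account }}/{{ ec2_group_name }}-external'
+ports:
+- 80
+register: out
+ignore_errors: true
+- assert:
+that:
+- out is failed
+always:
+- pause: seconds=5
+- name: Delete secondary-VPC side of peer
+ec2_vpc_peer:
+vpc_id: '{{ vpc_result_2.vpc.id }}'
+peer_vpc_id: '{{ vpc_result.vpc.id }}'
+peering_id: '{{ peer_origin.peering_id }}'
+state: absent
+peer_owner_id: '{{ caller_facts.account }}'
+peer_region: '{{ aws_region }}'
+ignore_errors: yes
+- name: Delete main-VPC side of peer
+ec2_vpc_peer:
+peer_vpc_id: '{{ vpc_result_2.vpc.id }}'
+vpc_id: '{{ vpc_result.vpc.id }}'
+state: absent
+peering_id: '{{ peer_origin.peering_id }}'
+peer_owner_id: '{{ caller_facts.account }}'
+peer_region: '{{ aws_region }}'
+ignore_errors: yes
+- name: Clean up group in second VPC
+ec2_group:
+name: '{{ ec2_group_name }}-external'
+description: '{{ ec2_group_description }}'
+state: absent
+vpc_id: '{{ vpc_result_2.vpc.id }}'
+ignore_errors: yes
+- name: Clean up group in second VPC
+ec2_group:
+name: '{{ ec2_group_name }}-internal'
+description: '{{ ec2_group_description }}'
+state: absent
+vpc_id: '{{ vpc_result.vpc.id }}'
+ignore_errors: yes
+- name: tidy up VPC
+ec2_vpc_net:
+name: "{{ resource_prefix }}-vpc-2"
+state: absent
+cidr_block: "10.232.233.128/26"
+ignore_errors: yes
+register: removed
+retries: 10
+until: removed is not failed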
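Review bot: The second cleanup task in the `always:` block is mislabelled — it removes the `-internal` group in the main VPC (`vpc_id: '{{ vpc_result.vpc.id }}'`) but reuses the name `Clean up group in second VPC` from the task before it, so a failure there is reported under the wrong task; rename it `- name: Clean up group in internal VPC`. The cleanup also deletes the `-external` group before the `-internal` group whose rule still references it by `group_id`, which I would expect EC2 to reject as a dependency violation; because both tasks carry `ignore_errors`, that failure is silent and the external group would leak until the final VPC tidy-up, so consider swapping those two tasks. The five `ignore_errors: yes` values should be `ignore_errors: true`, matching the `ignore_errors: true` already used on the bad-group_id task and avoiding YAML 1.1 truthy spellings, and `- pause: seconds=5` should be written in block form rather than as a `key=value` string. Note that `vpc_result`, `ec2_group_name` and `ec2_group_description` are set outside this file, so the block depends on being included from main.yml after the VPC task has run.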