	Lambda policy arn (#38863)
* Fix the function_name handling logic for lambda_policy: switch the logic handling function_names that are ARNs so that ARNs are correctly detected and handled. * Add tests for lambda_policy function_arn: ensure that function_arn works. Needs a reasonable ansible_lambda_role.
This commit is contained in:
		
					parent
					
						
							
								4e56dcd01a
							
						
					
				
			
			
				commit
				
					
						0b4f92d852
					
				
			
		
					 3 changed files with 81 additions and 64 deletions
				
			
		|  | @ -0,0 +1,12 @@ | |||
| { | ||||
|   "Version": "2012-10-17", | ||||
|   "Statement": [ | ||||
|     { | ||||
|       "Effect": "Allow", | ||||
|       "Principal": { | ||||
|         "Service": "lambda.amazonaws.com" | ||||
|       }, | ||||
|       "Action": "sts:AssumeRole" | ||||
|     } | ||||
|   ] | ||||
| } | ||||
|  | @ -5,6 +5,15 @@ | |||
| 
 | ||||
| - block: | ||||
| 
 | ||||
|     - name: set up AWS credentials | ||||
|       set_fact: | ||||
|         aws_connection_info: &aws_connection_info | ||||
|           aws_region: '{{ aws_region }}' | ||||
|           aws_access_key: '{{ aws_access_key }}' | ||||
|           aws_secret_key: '{{ aws_secret_key }}' | ||||
|           security_token: '{{ security_token }}' | ||||
|       no_log: yes | ||||
| 
 | ||||
|     # ============================================================ | ||||
|     - name: test with no parameters | ||||
|       lambda_policy: | ||||
|  | @ -54,7 +63,6 @@ | |||
|     - name: test exceptions generated by forcing bad ec2 url | ||||
|       lambda_policy: | ||||
|         function_name: "{{ lambda_function_name }}" | ||||
|         region: "{{ec2_region}}" | ||||
|         state: present | ||||
|         statement_id: api-gateway-invoke-lambdas | ||||
|         action: lambda:InvokeFunction | ||||
|  | @ -89,38 +97,43 @@ | |||
|         dest: "{{output_dir}}/mini_http_lambda.zip" | ||||
|       register: zip_res | ||||
| 
 | ||||
|     # This should exist, but there's no expectation that the test user should be able to | ||||
|     # create/update this role, merely validate that it's there. | ||||
|     # Use ansible -m iam_role -a 'name=ansible_lambda_role | ||||
|     # assume_role_policy_document={{ lookup("file", "test/integration/targets/lambda_policy/files/minimal_trust_policy.json", convert_data=False) }} | ||||
|     # ' -vvv localhost | ||||
|     # to create this through more privileged credentials before running this test suite. | ||||
|     - name: create minimal lambda role | ||||
|       iam_role: | ||||
|         name: ansible_lambda_role | ||||
|         assume_role_policy_document: "{{ lookup('file', 'minimal_trust_policy.json', convert_data=False) }}" | ||||
|         create_instance_profile: no | ||||
|         <<: *aws_connection_info | ||||
|       register: iam_role | ||||
| 
 | ||||
|     - name: wait 10 seconds for role to become available | ||||
|       pause: | ||||
|         seconds: 10 | ||||
|       when: iam_role.changed | ||||
| 
 | ||||
|     - name: test state=present - upload the lambda | ||||
|       lambda: | ||||
|         name="{{lambda_function_name}}" | ||||
|         runtime="python2.7" | ||||
|         handler="mini_http_lambda.handler" | ||||
|         role="ansible_lambda_role" | ||||
|         ec2_region='{{ec2_region}}' | ||||
|         aws_access_key='{{aws_access_key}}' | ||||
|         aws_secret_key='{{aws_secret_key}}' | ||||
|         security_token='{{security_token}}' | ||||
|         zip_file="{{zip_res.dest}}" | ||||
|         name: "{{lambda_function_name}}" | ||||
|         runtime: "python2.7" | ||||
|         handler: "mini_http_lambda.handler" | ||||
|         role: "ansible_lambda_role" | ||||
|         zip_file: "{{zip_res.dest}}" | ||||
|         <<: *aws_connection_info | ||||
|       register: lambda_result | ||||
| 
 | ||||
|     - name: install aws cli - FIXME temporary this should go for a lighterweight solution | ||||
|       command: pip install awscli | ||||
|       register: result | ||||
| 
 | ||||
|     - name: get the aws account ID for use in future commands | ||||
|       command: aws sts get-caller-identity --output text --query 'Account' | ||||
|       environment: | ||||
|           AWS_ACCESS_KEY_ID: '{{aws_access_key}}' | ||||
|           AWS_SECRET_ACCESS_KEY: '{{aws_secret_key}}' | ||||
|           AWS_SESSION_TOKEN: '{{security_token}}' | ||||
|       register: result | ||||
| 
 | ||||
|     - name: register account id | ||||
|       set_fact: | ||||
|         aws_account_id: "{{ result.stdout | replace('\n', '') }}" | ||||
|       aws_caller_facts: | ||||
|         <<: *aws_connection_info | ||||
|       register: aws_caller_facts | ||||
| 
 | ||||
|     - name: register lambda uri for use in template | ||||
|       set_fact: | ||||
|         mini_lambda_uri: "arn:aws:apigateway:{{ec2_region}}:lambda:path/2015-03-31/functions/arn:aws:lambda:{{ec2_region}}:{{aws_account_id}}:function:{{ lambda_result.configuration.function_name }}/invocations" | ||||
|         mini_lambda_uri: "arn:aws:apigateway:{{ aws_region }}:lambda:path/2015-03-31/functions/arn:aws:lambda:{{ aws_region }}:{{ aws_caller_facts.account }}:function:{{ lambda_result.configuration.function_name }}/invocations" | ||||
| 
 | ||||
|     - name: build API file | ||||
|       template: | ||||
|  | @ -131,19 +144,16 @@ | |||
|       aws_api_gateway: | ||||
|         api_file: "{{output_dir}}/endpoint-test-swagger-api.yml.j2" | ||||
|         stage: "lambdabased" | ||||
|         region: '{{ec2_region}}' | ||||
|         aws_access_key: '{{aws_access_key}}' | ||||
|         aws_secret_key: '{{aws_secret_key}}' | ||||
|         security_token: '{{security_token}}' | ||||
|         <<: *aws_connection_info | ||||
|       register: create_result | ||||
| 
 | ||||
| 
 | ||||
|     - name: register api id for later | ||||
|       set_fact: | ||||
|         api_id: "{{ create_result.api_id }}" | ||||
| 
 | ||||
|     - name: check API fails with permissions failure | ||||
|       uri: url="https://{{create_result.api_id}}.execute-api.{{ec2_region}}.amazonaws.com/lambdabased/mini/Mr_Ansible_Tester" | ||||
|       uri: | ||||
|         url: "https://{{create_result.api_id}}.execute-api.{{aws_region}}.amazonaws.com/lambdabased/mini/Mr_Ansible_Tester" | ||||
|       register: unauth_uri_result | ||||
|       ignore_errors: true | ||||
| 
 | ||||
|  | @ -156,18 +166,26 @@ | |||
|     - name: give api gateway execute permissions on lambda | ||||
|       lambda_policy: | ||||
|         function_name: "{{ lambda_function_name }}" | ||||
|         region: "{{ec2_region}}" | ||||
|         state: present | ||||
|         statement_id: api-gateway-invoke-lambdas | ||||
|         action: lambda:InvokeFunction | ||||
|         principal: apigateway.amazonaws.com | ||||
|         source_arn: "arn:aws:execute-api:{{ ec2_region }}:{{ aws_account_id }}:*/*" | ||||
|         aws_access_key: '{{aws_access_key}}' | ||||
|         aws_secret_key: '{{aws_secret_key}}' | ||||
|         security_token: '{{security_token}}' | ||||
|         source_arn: "arn:aws:execute-api:{{ aws_region }}:{{ aws_caller_facts.account }}:*/*" | ||||
|         <<: *aws_connection_info | ||||
| 
 | ||||
|     - name: try again but with ARN | ||||
|       lambda_policy: | ||||
|         function_name: "{{ lambda_result.configuration.function_arn }}" | ||||
|         state: present | ||||
|         statement_id: api-gateway-invoke-lambdas | ||||
|         action: lambda:InvokeFunction | ||||
|         principal: apigateway.amazonaws.com | ||||
|         source_arn: "arn:aws:execute-api:{{ aws_region }}:{{ aws_caller_facts.account }}:*/*" | ||||
|         <<: *aws_connection_info | ||||
| 
 | ||||
|     - name: check API works with execute permissions | ||||
|       uri: url="https://{{create_result.api_id}}.execute-api.{{ec2_region}}.amazonaws.com/lambdabased/mini/Mr_Ansible_Tester" | ||||
|       uri: | ||||
|         url: "https://{{create_result.api_id}}.execute-api.{{aws_region}}.amazonaws.com/lambdabased/mini/Mr_Ansible_Tester" | ||||
|       register: uri_result | ||||
| 
 | ||||
|     - name: assert API works success | ||||
|  | @ -180,10 +198,7 @@ | |||
|       aws_api_gateway: | ||||
|         api_file: "{{output_dir}}/endpoint-test-swagger-api.yml.j2" | ||||
|         stage: "lambdabased" | ||||
|         region: '{{ec2_region}}' | ||||
|         aws_access_key: '{{aws_access_key}}' | ||||
|         aws_secret_key: '{{aws_secret_key}}' | ||||
|         security_token: '{{security_token}}' | ||||
|         <<: *aws_connection_info | ||||
|       register: create_result | ||||
|       ignore_errors: true | ||||
| 
 | ||||
|  | @ -193,26 +208,16 @@ | |||
|     # ============================================================ | ||||
|     - name: destroy lambda for test cleanup if created | ||||
|       lambda: | ||||
|         name="{{lambda_function_name}}" | ||||
|         ec2_region='{{ec2_region}}' | ||||
|         ec2_access_key='{{ec2_access_key}}' | ||||
|         ec2_secret_key='{{ec2_secret_key}}' | ||||
|         security_token='{{security_token}}' | ||||
|         state=absent | ||||
|         name: "{{lambda_function_name}}" | ||||
|         <<: *aws_connection_info | ||||
|         state: absent | ||||
|       register: result | ||||
|       ignore_errors: yes | ||||
| 
 | ||||
|     - name: destroy API for test cleanup if created | ||||
|       aws_api_gateway: | ||||
|         state: absent | ||||
|         api_id: '{{api_id}}' | ||||
|         region: '{{ec2_region}}' | ||||
|         aws_access_key: '{{ec2_access_key}}' | ||||
|         aws_secret_key: '{{ec2_secret_key}}' | ||||
|         security_token: '{{security_token}}' | ||||
|         <<: *aws_connection_info | ||||
|       register: destroy_result | ||||
| 
 | ||||
|     - name: assert destroy statements succeeded | ||||
|       assert: | ||||
|         that: | ||||
|            - 'destroy_result.changed == True' | ||||
|            - 'result is not failed' | ||||
|       ignore_errors: yes | ||||
|  |  | |||
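Review bot: The `try again but with ARN` task at the end of the `@@ -156,18 +166,26 @@` hunk reuses `statement_id: api-gateway-invoke-lambdas` from the task directly above it but neither registers nor asserts its result, so the only failure signal for the new ARN code path is a module exception; if lambda_policy is meant to be idempotent when the statement already matches, add `register: arn_policy_result` to that task and follow it with an `assert` whose `that:` list contains `- arn_policy_result is not changed`, matching the `result is not failed` style used in the cleanup asserts. The two `source_arn` values in the same hunk grant invoke permission to every API in the account via `:*/*`; since `api_id` is already set from `create_result.api_id` in the preceding hunk, scoping them to `source_arn: "arn:aws:execute-api:{{ aws_region }}:{{ aws_caller_facts.account }}:{{ api_id }}/*"` keeps the test fixture's grant to least privilege. Style: the new `set_fact` task in the first hunk uses `no_log: yes` and the new `iam_role` task uses `create_instance_profile: no`; write these as `no_log: true` and `create_instance_profile: false`, the canonical lowercase spelling the file already uses in `ignore_errors: true`. The `- block:` opened in the first hunk closes outside the visible hunks.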