Skip to content

Commit

Permalink
iam_role - delete inline policies, stabilize for migration to amazon.…
Browse files Browse the repository at this point in the history
…aws (ansible-collections#1054)

iam_role - delete inline policies, stabilize for migration to amazon.aws

SUMMARY
Stabilize for migration to amazon.aws

delete inline policies before deleting the role
removed global vars and refactored function definitions
added some extra integration tests for check mode

ISSUE TYPE

Feature Pull Request

COMPONENT NAME
iam_role

Reviewed-by: Markus Bergholz <git@osuv.de>
Reviewed-by: Joseph Torcasso <None>
Reviewed-by: Alina Buzachis <None>
Reviewed-by: Jill R <None>

This commit was initially merged in https://github.com/ansible-collections/community.aws
See: ansible-collections/community.aws@ce41867
  • Loading branch information
jatorcasso authored and alinabuzachis committed Oct 6, 2023
1 parent 63ac548 commit e5f5c2f
Show file tree
Hide file tree
Showing 11 changed files with 383 additions and 180 deletions.
297 changes: 155 additions & 142 deletions plugins/modules/iam_role.py

Large diffs are not rendered by default.

12 changes: 12 additions & 0 deletions tests/integration/targets/iam_role/tasks/boundary_policy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,18 @@
- iam_role is changed
- iam_role.iam_role.role_name == test_role

- name: "Configure Boundary Policy (no change) - check mode"
iam_role:
name: "{{ test_role }}"
create_instance_profile: no
boundary: "{{ boundary_policy }}"
register: iam_role
check_mode: yes

- assert:
that:
- iam_role is not changed

- name: "Configure Boundary Policy (no change)"
iam_role:
name: "{{ test_role }}"
Expand Down
21 changes: 21 additions & 0 deletions tests/integration/targets/iam_role/tasks/complex_role_creation.yml
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,27 @@
- '"create_date" in iam_role.iam_role'
- '"role_id" in iam_role.iam_role'

- name: "Complex IAM role (no change) - check mode"
iam_role:
name: "{{ test_role }}"
assume_role_policy_document: '{{ lookup("file", "deny-assume.json") }}'
boundary: "{{ boundary_policy }}"
create_instance_profile: no
description: "Ansible Test Role {{ resource_prefix }}"
managed_policy:
- "{{ safe_managed_policy }}"
- "{{ custom_policy_name }}"
max_session_duration: 43200
path: "{{ test_path }}"
tags:
TagA: "ValueA"
register: iam_role
check_mode: yes

- assert:
that:
- iam_role is not changed

- name: "Complex IAM role (no change)"
iam_role:
name: "{{ test_role }}"
Expand Down
52 changes: 50 additions & 2 deletions tests/integration/targets/iam_role/tasks/creation_deletion.yml
Original file line number Diff line number Diff line change
Expand Up @@ -77,8 +77,8 @@
iam_role:
name: "{{ test_role }}"
create_instance_profile: no
check_mode: yes
register: iam_role
check_mode: yes

- assert:
that:
Expand Down Expand Up @@ -114,6 +114,17 @@
- '"create_date" in iam_role.iam_role'
- '"role_id" in iam_role.iam_role'

- name: "Minimal IAM Role without instance profile (no change) - check mode"
iam_role:
name: "{{ test_role }}"
create_instance_profile: no
register: iam_role
check_mode: yes

- assert:
that:
- iam_role is not changed

- name: "Minimal IAM Role without instance profile (no change)"
iam_role:
name: "{{ test_role }}"
Expand Down Expand Up @@ -170,6 +181,8 @@
- role_info is succeeded
- role_info.iam_roles | length == 0

# ------------------------------------------------------------------------------------------

# (with path)
- name: "Minimal IAM Role with path (CHECK MODE)"
iam_role:
Expand Down Expand Up @@ -203,6 +216,17 @@
- '"create_date" in iam_role.iam_role'
- '"role_id" in iam_role.iam_role'

- name: "Minimal IAM Role with path (no change) - check mode"
iam_role:
name: "{{ test_role }}"
path: "{{ test_path }}"
register: iam_role
check_mode: yes

- assert:
that:
- iam_role is not changed

- name: "Minimal IAM Role with path (no change)"
iam_role:
name: "{{ test_role }}"
Expand Down Expand Up @@ -292,7 +316,20 @@
- role_info is succeeded
- role_info.iam_roles | length == 0

# ------------------------------------------------------------------------------------------

# (with Instance profile)
- name: "Minimal IAM Role with instance profile - check mode"
iam_role:
name: "{{ test_role }}"
create_instance_profile: yes
register: iam_role
check_mode: yes

- assert:
that:
- iam_role is changed

- name: "Minimal IAM Role with instance profile"
iam_role:
name: "{{ test_role }}"
Expand All @@ -314,6 +351,17 @@
- '"create_date" in iam_role.iam_role'
- '"role_id" in iam_role.iam_role'

- name: "Minimal IAM Role wth instance profile (no change) - check mode"
iam_role:
name: "{{ test_role }}"
create_instance_profile: yes
register: iam_role
check_mode: yes

- assert:
that:
- iam_role is not changed

- name: "Minimal IAM Role wth instance profile (no change)"
iam_role:
name: "{{ test_role }}"
Expand Down Expand Up @@ -350,4 +398,4 @@
- '"permissions_boundary" not in role_info.iam_roles[0]'
- role_info.iam_roles[0].role_id == iam_role.iam_role.role_id
- role_info.iam_roles[0].role_name == test_role
- role_info.iam_roles[0].tags | length == 0
- role_info.iam_roles[0].tags | length == 0
24 changes: 24 additions & 0 deletions tests/integration/targets/iam_role/tasks/description_update.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,17 @@
- iam_role.iam_role.role_name == test_role
- iam_role.iam_role.description == 'Ansible Test Role {{ resource_prefix }}'

- name: "Add Description (no change) - check mode"
iam_role:
name: "{{ test_role }}"
description: "Ansible Test Role {{ resource_prefix }}"
register: iam_role
check_mode: yes

- assert:
that:
- iam_role is not changed

- name: "Add Description (no change)"
iam_role:
name: "{{ test_role }}"
Expand Down Expand Up @@ -61,6 +72,8 @@
- role_info.iam_roles[0].role_name == test_role
- role_info.iam_roles[0].tags | length == 0

# ------------------------------------------------------------------------------------------

- name: "Update Description (CHECK MODE)"
iam_role:
name: "{{ test_role }}"
Expand All @@ -84,6 +97,17 @@
- iam_role.iam_role.role_name == test_role
- iam_role.iam_role.description == 'Ansible Test Role (updated) {{ resource_prefix }}'

- name: "Update Description (no change) - check mode"
iam_role:
name: "{{ test_role }}"
description: "Ansible Test Role (updated) {{ resource_prefix }}"
register: iam_role
check_mode: yes

- assert:
that:
- iam_role is not changed

- name: "Update Description (no change)"
iam_role:
name: "{{ test_role }}"
Expand Down
15 changes: 0 additions & 15 deletions tests/integration/targets/iam_role/tasks/inline_policy_update.yml
Original file line number Diff line number Diff line change
Expand Up @@ -46,18 +46,3 @@
- role_info.iam_roles[0].tags | length == 1
- '"TagB" in role_info.iam_roles[0].tags'
- role_info.iam_roles[0].tags.TagB == "ValueB"

# XXX iam_role fails to remove inline policies before deleting the role
- name: "Detach inline policy a"
iam_policy:
state: absent
iam_type: "role"
iam_name: "{{ test_role }}"
policy_name: "inline-policy-a"

- name: "Detach inline policy b"
iam_policy:
state: absent
iam_type: "role"
iam_name: "{{ test_role }}"
policy_name: "inline-policy-b"
21 changes: 1 addition & 20 deletions tests/integration/targets/iam_role/tasks/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,9 +18,7 @@
# - There are some known timing issues with boto3 returning before actions
# complete in the case of problems with "changed" status it's worth enabling
# the standard_pauses and paranoid_pauses options as a first step in debugging
#
# Possible Bugs:
# - Fails to delete role if inline policies not removed first


- name: "Setup AWS connection info"
module_defaults:
Expand Down Expand Up @@ -93,23 +91,6 @@
# ===================================================================
# Cleanup

# XXX iam_role fails to remove inline policies before deleting the role
- name: "Detach inline policy a"
iam_policy:
state: absent
iam_type: "role"
iam_name: "{{ test_role }}"
policy_name: "inline-policy-a"
ignore_errors: true

- name: "Detach inline policy b"
iam_policy:
state: absent
iam_type: "role"
iam_name: "{{ test_role }}"
policy_name: "inline-policy-b"
ignore_errors: true

- name: "Remove IAM Role"
iam_role:
state: absent
Expand Down
12 changes: 11 additions & 1 deletion tests/integration/targets/iam_role/tasks/max_session_update.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,17 @@
- assert:
that:
- iam_role is not changed
- iam_role.iam_role.role_name == test_role

- name: "Update Max Session Duration (no change) - check mode"
iam_role:
name: "{{ test_role }}"
max_session_duration: 43200
register: iam_role
check_mode: yes

- assert:
that:
- iam_role is not changed

- name: "iam_role_info after updating Max Session Duration"
iam_role_info:
Expand Down
42 changes: 42 additions & 0 deletions tests/integration/targets/iam_role/tasks/policy_update.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,19 @@
- iam_role is changed
- iam_role.iam_role.role_name == test_role

- name: "Add Managed Policy (no change) - check mode"
iam_role:
name: "{{ test_role }}"
purge_policies: no
managed_policy:
- "{{ safe_managed_policy }}"
register: iam_role
check_mode: yes

- assert:
that:
- iam_role is not changed

- name: "Add Managed Policy (no change)"
iam_role:
name: "{{ test_role }}"
Expand Down Expand Up @@ -69,6 +82,8 @@
- '"TagB" in role_info.iam_roles[0].tags'
- role_info.iam_roles[0].tags.TagB == "ValueB"

# ------------------------------------------------------------------------------------------

- name: "Update Managed Policy without purge (CHECK MODE)"
iam_role:
name: "{{ test_role }}"
Expand All @@ -95,6 +110,19 @@
- iam_role is changed
- iam_role.iam_role.role_name == test_role

- name: "Update Managed Policy without purge (no change) - check mode"
iam_role:
name: "{{ test_role }}"
purge_policies: no
managed_policy:
- "{{ custom_policy_name }}"
register: iam_role
check_mode: yes

- assert:
that:
- iam_role is not changed

- name: "Update Managed Policy without purge (no change)"
iam_role:
name: "{{ test_role }}"
Expand Down Expand Up @@ -139,6 +167,8 @@
- '"TagB" in role_info.iam_roles[0].tags'
- role_info.iam_roles[0].tags.TagB == "ValueB"

# ------------------------------------------------------------------------------------------

# Managed Policies are purged by default
- name: "Update Managed Policy with purge (CHECK MODE)"
iam_role:
Expand All @@ -164,6 +194,18 @@
- iam_role is changed
- iam_role.iam_role.role_name == test_role

- name: "Update Managed Policy with purge (no change) - check mode"
iam_role:
name: "{{ test_role }}"
managed_policy:
- "{{ custom_policy_name }}"
register: iam_role
check_mode: yes

- assert:
that:
- iam_role is not changed

- name: "Update Managed Policy with purge (no change)"
iam_role:
name: "{{ test_role }}"
Expand Down
12 changes: 12 additions & 0 deletions tests/integration/targets/iam_role/tasks/role_removal.yml
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,18 @@
- role_info is succeeded
- role_info.iam_roles | length == 0

- name: "Remove IAM Role (should be gone already) - check mode"
iam_role:
state: absent
name: "{{ test_role }}"
delete_instance_profile: yes
register: iam_role
check_mode: yes

- assert:
that:
- iam_role is not changed

- name: "Remove IAM Role (should be gone already)"
iam_role:
state: absent
Expand Down
Loading

0 comments on commit e5f5c2f

Please sign in to comment.