Add waiter to the iam_role module (ansible-collections#767)

Add waiter to the iam_role module SUMMARY This change adds the wait param used in other AWS modules, adding usage of a waiter for the iam_role creation / updates. Currently there is no waiting done to ensure the iam_role has actually created and is available before exiting. The tests have also been split up into separate files to make it a bit more manageable. Fixes: ansible-collections#710 ISSUE TYPE Feature Pull Request COMPONENT NAME iam_role ADDITIONAL INFORMATION Successful run completed of the iam_role integration test suite locally: ansible-test integration --docker centos8 -v iam_role --allow-unsupported PLAY RECAP ********************************************************************* testhost : ok=198 changed=46 unreachable=0 failed=0 skipped=0 rescued=0 ignored=7 AWS ACTIONS: ['iam:AddRoleToInstanceProfile', 'iam:AttachRolePolicy', 'iam:CreateInstanceProfile', 'iam:CreatePolicy', 'iam:CreateRole', 'iam:DeleteInstanceProfile', 'iam:DeletePolicy', 'iam:DeleteRole', 'iam:DeleteRolePermissionsBoundary', 'iam:DeleteRolePolicy', 'iam:DetachRolePolicy', 'iam:GetRole', 'iam:GetRolePolicy', 'iam:ListAttachedRolePolicies', 'iam:ListEntitiesForPolicy', 'iam:ListInstanceProfilesForRole', 'iam:ListPolicies', 'iam:ListPolicyVersions', 'iam:ListRolePolicies', 'iam:ListRoleTags', 'iam:ListRoles', 'iam:PutRolePermissionsBoundary', 'iam:PutRolePolicy', 'iam:RemoveRoleFromInstanceProfile', 'iam:TagRole', 'iam:UntagRole', 'iam:UpdateRole'] Run command: docker exec 56cb328c6d9af293d9e820e1f2a94fb8ca87e0769b2b9b6d46bad661f9edde65 tar czf /root/output.tgz --exclude .tmp -C /root/ansible/ansible_collections/community/aws/tests output Run command: docker exec -i 56cb328c6d9af293d9e820e1f2a94fb8ca87e0769b2b9b6d46bad661f9edde65 dd if=/root/output.tgz bs=65536 Run command: tar oxzf /tmp/ansible-result-k2lnga3v.tgz -C /mnt/c/Users/mark.woolley/Documents/GitHub/public/ansible_collections/community/aws/tests Run command: docker rm -f 56cb328c6d9af293d9e820e1f2a94fb8ca87e0769b2b9b6d46bad661f9edde65 Reviewed-by: Mark Chappell <None> Reviewed-by: None <None> This commit was initially merged in https://github.com/ansible-collections/community.aws See: ansible-collections/community.aws@81d9abd
abikouo · Sep 20, 2023 · b27cd33 · b27cd33
1 parent 1d02b8c
commit b27cd33
Show file tree

Hide file tree

Showing 13 changed files with 1,637 additions and 1,543 deletions.
diff --git a/plugins/modules/iam_role.py b/plugins/modules/iam_role.py
diff --git a/tests/integration/targets/iam_role/defaults/main.yml b/tests/integration/targets/iam_role/defaults/main.yml
@@ -4,5 +4,3 @@ test_path: '/{{ resource_prefix }}/'
 safe_managed_policy: 'AWSDenyAll'
 custom_policy_name: '{{ resource_prefix }}-denyall'
 boundary_policy: 'arn:aws:iam::aws:policy/AWSDenyAll'
-paranoid_pauses: no
-standard_pauses: no
diff --git a/tests/integration/targets/iam_role/tasks/boundary_policy.yml b/tests/integration/targets/iam_role/tasks/boundary_policy.yml
@@ -0,0 +1,82 @@
+---
+- name: "Create minimal role with no boundary policy"
+  iam_role:
+    name: "{{ test_role }}"
+    create_instance_profile: no
+  register: iam_role
+
+- assert:
+    that:
+      - iam_role is changed
+      - iam_role.iam_role.role_name == test_role
+
+- name: "Configure Boundary Policy (CHECK MODE)"
+  iam_role:
+    name: "{{ test_role }}"
+    create_instance_profile: no
+    boundary: "{{ boundary_policy }}"
+  check_mode: yes
+  register: iam_role
+
+- assert:
+    that:
+      - iam_role is changed
+
+- name: "Configure Boundary Policy"
+  iam_role:
+    name: "{{ test_role }}"
+    create_instance_profile: no
+    boundary: "{{ boundary_policy }}"
+  register: iam_role
+
+- assert:
+    that:
+      - iam_role is changed
+      - iam_role.iam_role.role_name == test_role
+
+- name: "Configure Boundary Policy (no change)"
+  iam_role:
+    name: "{{ test_role }}"
+    create_instance_profile: no
+    boundary: "{{ boundary_policy }}"
+  register: iam_role
+
+- assert:
+    that:
+      - iam_role is not changed
+      - iam_role.iam_role.role_name == test_role
+
+- name: "iam_role_info after adding boundary policy"
+  iam_role_info:
+    name: "{{ test_role }}"
+  register: role_info
+
+- assert:
+    that:
+      - role_info is succeeded
+      - role_info.iam_roles | length == 1
+      - 'role_info.iam_roles[0].arn.startswith("arn")'
+      - 'role_info.iam_roles[0].arn.endswith("role/" + test_role )'
+      - '"assume_role_policy_document" in role_info.iam_roles[0]'
+      - '"create_date" in role_info.iam_roles[0]'
+      - '"description" not in role_info.iam_roles[0]'
+      - role_info.iam_roles[0].inline_policies | length == 0
+      - role_info.iam_roles[0].instance_profiles | length == 0
+      - role_info.iam_roles[0].managed_policies | length == 0
+      - role_info.iam_roles[0].max_session_duration == 3600
+      - role_info.iam_roles[0].path == '/'
+      - role_info.iam_roles[0].permissions_boundary.permissions_boundary_arn == boundary_policy
+      - role_info.iam_roles[0].permissions_boundary.permissions_boundary_type == 'Policy'
+      - role_info.iam_roles[0].role_id == iam_role.iam_role.role_id
+      - role_info.iam_roles[0].role_name == test_role
+
+- name: "Remove IAM Role"
+  iam_role:
+    state: absent
+    name: "{{ test_role }}"
+    delete_instance_profile: yes
+  register: iam_role
+
+- assert:
+    that:
+      - iam_role is changed
diff --git a/tests/integration/targets/iam_role/tasks/complex_role_creation.yml b/tests/integration/targets/iam_role/tasks/complex_role_creation.yml
@@ -0,0 +1,110 @@
+---
+- name: "Complex IAM Role (CHECK MODE)"
+  iam_role:
+    name: "{{ test_role }}"
+    assume_role_policy_document: '{{ lookup("file", "deny-assume.json") }}'
+    boundary: "{{ boundary_policy }}"
+    create_instance_profile: no
+    description: "Ansible Test Role {{ resource_prefix }}"
+    managed_policy:
+      - "{{ safe_managed_policy }}"
+      - "{{ custom_policy_name }}"
+    max_session_duration: 43200
+    path: "{{ test_path }}"
+    tags:
+      TagA: "ValueA"
+  check_mode: yes
+  register: iam_role
+
+- assert:
+    that:
+      - iam_role is changed
+
+- name: "iam_role_info after Complex Role creation in check_mode"
+  iam_role_info:
+    name: "{{ test_role }}"
+  register: role_info
+- assert:
+    that:
+      - role_info is succeeded
+      - role_info.iam_roles | length == 0
+
+- name: "Complex IAM Role"
+  iam_role:
+    name: "{{ test_role }}"
+    assume_role_policy_document: '{{ lookup("file", "deny-assume.json") }}'
+    boundary: "{{ boundary_policy }}"
+    create_instance_profile: no
+    description: "Ansible Test Role {{ resource_prefix }}"
+    managed_policy:
+      - "{{ safe_managed_policy }}"
+      - "{{ custom_policy_name }}"
+    max_session_duration: 43200
+    path: "{{ test_path }}"
+    tags:
+      TagA: "ValueA"
+  register: iam_role
+
+- assert:
+    that:
+      - iam_role is changed
+      - iam_role.iam_role.role_name == test_role
+      - 'iam_role.iam_role.arn.startswith("arn")'
+      - 'iam_role.iam_role.arn.endswith("role" + test_path + test_role )'
+      # Would be nice to test the contents...
+      - '"assume_role_policy_document" in iam_role.iam_role'
+      - iam_role.iam_role.attached_policies | length == 2
+      - iam_role.iam_role.max_session_duration == 43200
+      - iam_role.iam_role.path == test_path
+      - iam_role.iam_role.role_name == test_role
+      - '"create_date" in iam_role.iam_role'
+      - '"role_id" in iam_role.iam_role'
+
+- name: "Complex IAM role (no change)"
+  iam_role:
+    name: "{{ test_role }}"
+    assume_role_policy_document: '{{ lookup("file", "deny-assume.json") }}'
+    boundary: "{{ boundary_policy }}"
+    create_instance_profile: no
+    description: "Ansible Test Role {{ resource_prefix }}"
+    managed_policy:
+      - "{{ safe_managed_policy }}"
+      - "{{ custom_policy_name }}"
+    max_session_duration: 43200
+    path: "{{ test_path }}"
+    tags:
+      TagA: "ValueA"
+  register: iam_role
+
+- assert:
+    that:
+      - iam_role is not changed
+      - iam_role.iam_role.role_name == test_role
+
+- name: "iam_role_info after Role creation"
+  iam_role_info:
+    name: "{{ test_role }}"
+  register: role_info
+
+- assert:
+    that:
+      - role_info is succeeded
+      - role_info.iam_roles | length == 1
+      - 'role_info.iam_roles[0].arn.startswith("arn")'
+      - 'role_info.iam_roles[0].arn.endswith("role" + test_path + test_role )'
+      - '"assume_role_policy_document" in role_info.iam_roles[0]'
+      - '"create_date" in role_info.iam_roles[0]'
+      - 'role_info.iam_roles[0].description == "Ansible Test Role {{ resource_prefix }}"'
+      - role_info.iam_roles[0].inline_policies | length == 0
+      - role_info.iam_roles[0].instance_profiles | length == 0
+      - role_info.iam_roles[0].managed_policies | length == 2
+      - safe_managed_policy in ( role_info | community.general.json_query("iam_roles[*].managed_policies[*].policy_name") | list | flatten )
+      - custom_policy_name in ( role_info | community.general.json_query("iam_roles[*].managed_policies[*].policy_name") | list | flatten )
+      - role_info.iam_roles[0].max_session_duration == 43200
+      - role_info.iam_roles[0].path == test_path
+      - role_info.iam_roles[0].permissions_boundary.permissions_boundary_arn == boundary_policy
+      - role_info.iam_roles[0].permissions_boundary.permissions_boundary_type == 'Policy'
+      - role_info.iam_roles[0].role_id == iam_role.iam_role.role_id
+      - role_info.iam_roles[0].role_name == test_role
+      - '"TagA" in role_info.iam_roles[0].tags'
+      - role_info.iam_roles[0].tags.TagA == "ValueA"