iam_group - add support for setting the path

ansible-collections · Dec 1, 2023 · 720a585 · 720a585
1 parent 3333b65
commit 720a585
Show file tree

Hide file tree

Showing 9 changed files with 607 additions and 222 deletions.
diff --git a/changelogs/fragments/20231130-iam_group.yml b/changelogs/fragments/20231130-iam_group.yml
@@ -0,0 +1,4 @@
+minor_changes:
+- iam_group - add support for setting group path (https://github.com/ansible-collections/amazon.aws/pull/1892).
+- iam_group - adds attached_policies return value (https://github.com/ansible-collections/amazon.aws/pull/1892).
+- iam_group - code refactored to avoid single long function (https://github.com/ansible-collections/amazon.aws/pull/1892).
diff --git a/plugins/modules/iam_group.py b/plugins/modules/iam_group.py
diff --git a/tests/integration/targets/iam_group/defaults/main.yml b/tests/integration/targets/iam_group/defaults/main.yml
@@ -1,3 +1,7 @@
 ---
 test_user:  '{{ resource_prefix }}-user'
 test_group: '{{ resource_prefix }}-group'
+test_path: '/{{ resource_prefix }}-prefix/'
+
+safe_managed_policy: AWSDenyAll
+custom_policy_name: '{{ resource_prefix }}-denyall'
diff --git a/tests/integration/targets/iam_group/files/deny-all.json b/tests/integration/targets/iam_group/files/deny-all.json
@@ -0,0 +1,12 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": [
+                "*"
+            ],
+            "Effect": "Deny",
+            "Resource": "*"
+        }
+    ]
+}
diff --git a/tests/integration/targets/iam_group/tasks/deletion.yml b/tests/integration/targets/iam_group/tasks/deletion.yml
@@ -0,0 +1,42 @@
+---
+- name: remove group (check_mode)
+  iam_group:
+    name: '{{ test_group }}'
+    state: absent
+  register: iam_group
+  check_mode: true
+
+- assert:
+    that:
+      - iam_group is changed
+
+- name: remove group
+  iam_group:
+    name: '{{ test_group }}'
+    state: absent
+  register: iam_group
+
+- assert:
+    that:
+      - iam_group is changed
+
+- name: re-remove group (check_mode)
+  iam_group:
+    name: '{{ test_group }}'
+    state: absent
+  register: iam_group
+  check_mode: true
+
+- assert:
+    that:
+      - iam_group is not changed
+
+- name: re-remove group
+  iam_group:
+    name: '{{ test_group }}'
+    state: absent
+  register: iam_group
+
+- assert:
+    that:
+      - iam_group is not changed
diff --git a/tests/integration/targets/iam_group/tasks/main.yml b/tests/integration/targets/iam_group/tasks/main.yml
@@ -14,62 +14,19 @@
       name: '{{ test_user }}'
       state: present
 
-  - name: ensure group exists
-    iam_group:
-      name: '{{ test_group }}'
-      users:
-        - '{{ test_user }}'
+  - name: Create Safe IAM Managed Policy
+    iam_managed_policy:
       state: present
-    register: iam_group
+      policy_name: '{{ custom_policy_name }}'
+      policy_description: A safe (deny-all) managed policy
+      policy: "{{ lookup('file', 'deny-all.json') }}"
+    register: create_managed_policy
 
   - assert:
       that:
-        - iam_group.iam_group.users
-        - iam_group is changed
-
-  - name: add non existent user to group
-    iam_group:
-      name: '{{ test_group }}'
-      users:
-        - '{{ test_user }}'
-        - NonExistentUser
-      state: present
-    ignore_errors: yes
-    register: iam_group
-
-  - name: assert that adding non existent user to group fails with helpful message
-    assert:
-      that:
-        - iam_group is failed
-        - iam_group.msg.startswith("Couldn't add user NonExistentUser to group {{ test_group }}")
+      - create_managed_policy is succeeded
 
-  - name: remove a user
-    iam_group:
-      name: '{{ test_group }}'
-      purge_users: True
-      users: []
-      state: present
-    register: iam_group
-
-  - assert:
-      that:
-        - iam_group is changed
-        - not iam_group.iam_group.users
-
-  - name: re-remove a user (no change)
-    iam_group:
-      name: '{{ test_group }}'
-      purge_users: True
-      users: []
-      state: present
-    register: iam_group
-
-  - assert:
-      that:
-        - iam_group is not changed
-        - not iam_group.iam_group.users
-
-  - name: Add the user again
+  - name: ensure group exists
     iam_group:
       name: '{{ test_group }}'
       users:
@@ -79,47 +36,28 @@
 
   - assert:
       that:
+        - "'users' in iam_group.iam_group"
+        - "'group' in iam_group.iam_group"
+        - "'attached_policies' in iam_group.iam_group"
         - iam_group is changed
-        - iam_group.iam_group.users
+        - iam_group.iam_group.group.group_name == test_group
+        - iam_group.iam_group.group.path == "/"
 
-  - name: Re-add the user
-    iam_group:
-      name: '{{ test_group }}'
-      users:
-        - '{{ test_user }}'
-      state: present
-    register: iam_group
-
-  - assert:
-      that:
-        - iam_group is not changed
-        - iam_group.iam_group.users
+  - include_tasks: users.yml
+  - include_tasks: path.yml
+  - include_tasks: policy_update.yml
+  - include_tasks: deletion.yml
 
+  always:
   - name: remove group
     iam_group:
       name: '{{ test_group }}'
       state: absent
-    register: iam_group
-
-  - assert:
-      that:
-        - iam_group is changed
-
-  - name: re-remove group
-    iam_group:
-      name: '{{ test_group }}'
-      state: absent
-    register: iam_group
 
-  - assert:
-      that:
-        - iam_group is not changed
-
-  always:
-  - name: remove group
-    iam_group:
-      name: '{{ test_group }}'
+  - name: Remove Safe IAM Managed Policy
+    iam_managed_policy:
       state: absent
+      policy_name: '{{ custom_policy_name }}'
 
   - name: remove ansible user
     iam_user:

diff --git a/tests/integration/targets/iam_group/tasks/path.yml b/tests/integration/targets/iam_group/tasks/path.yml
@@ -0,0 +1,58 @@
+---
+# Path management
+
+- name: Set path (check_mode)
+  iam_group:
+    name: '{{ test_group }}'
+    path: '{{ test_path }}'
+    state: present
+  register: iam_group
+  check_mode: true
+
+- assert:
+    that:
+      - iam_group is changed
+
+- name: Set path
+  iam_group:
+    name: '{{ test_group }}'
+    path: '{{ test_path }}'
+    state: present
+  register: iam_group
+
+- assert:
+    that:
+      - iam_group is changed
+      - "'users' in iam_group.iam_group"
+      - "'group' in iam_group.iam_group"
+      - iam_group.iam_group.group.group_name == test_group
+      - iam_group.iam_group.group.path == test_path
+
+- name: Retry set path (check_mode)
+  iam_group:
+    name: '{{ test_group }}'
+    path: '{{ test_path }}'
+    state: present
+  register: iam_group
+  check_mode: true
+
+- assert:
+    that:
+      - iam_group is not changed
+
+- name: Retry set path
+  iam_group:
+    name: '{{ test_group }}'
+    path: '{{ test_path }}'
+    state: present
+  register: iam_group
+
+- assert:
+    that:
+      - iam_group is not changed
+      - "'users' in iam_group.iam_group"
+      - "'group' in iam_group.iam_group"
+      - iam_group.iam_group.group.group_name == test_group
+      - iam_group.iam_group.group.path == test_path
+
+# /end Path management