iam_server_certificates - initial integration tests

ansible-collections · Sep 27, 2021 · 053e5f5 · 053e5f5
1 parent 0769e8e
commit 053e5f5
Show file tree

Hide file tree

Showing 3 changed files with 311 additions and 4 deletions.
diff --git a/tests/integration/targets/iam_server_certificate/defaults/main.yml b/tests/integration/targets/iam_server_certificate/defaults/main.yml
@@ -1 +1,2 @@
 ---
+cert_name: 'ansible-test-{{ tiny_prefix }}'
diff --git a/tests/integration/targets/iam_server_certificate/tasks/generate-certs.yml b/tests/integration/targets/iam_server_certificate/tasks/generate-certs.yml
@@ -0,0 +1,65 @@
+################################################
+# Setup SSL certs to store in IAM
+################################################
+- name: 'Generate SSL Keys'
+  community.crypto.openssl_privatekey:
+    path: '{{ remote_tmp_dir }}/{{ item }}-key.pem'
+    size: 2048
+  loop:
+  - 'ca'
+  - 'cert1'
+  - 'cert2'
+
+- name: 'Generate CSRs'
+  community.crypto.openssl_csr:
+    path: '{{ remote_tmp_dir }}/{{ item }}.csr'
+    privatekey_path:  '{{ remote_tmp_dir }}/{{ item }}-key.pem'
+    common_name: '{{ item }}.ansible.test'
+    subject_alt_name: 'DNS:{{ item }}.ansible.test'
+    basic_constraints:
+    - 'CA:TRUE'
+  loop:
+  - 'ca'
+  - 'cert1'
+  - 'cert2'
+
+- name: 'Self-sign the "root"'
+  community.crypto.x509_certificate:
+    provider: selfsigned
+    path: '{{ remote_tmp_dir }}/ca.pem'
+    privatekey_path: '{{ remote_tmp_dir }}/ca-key.pem'
+    csr_path: '{{ remote_tmp_dir }}/ca.csr'
+
+- name: 'Sign the intermediate cert'
+  community.crypto.x509_certificate:
+    provider: ownca
+    path: '{{ remote_tmp_dir }}/cert1.pem'
+    csr_path: '{{ remote_tmp_dir }}/cert1.csr'
+    ownca_path: '{{ remote_tmp_dir }}/ca.pem'
+    ownca_privatekey_path: '{{ remote_tmp_dir }}/ca-key.pem'
+
+- name: 'Sign the end-cert'
+  community.crypto.x509_certificate:
+    provider: ownca
+    path: '{{ remote_tmp_dir }}/cert2.pem'
+    csr_path: '{{ remote_tmp_dir }}/cert2.csr'
+    ownca_path: '{{ remote_tmp_dir }}/cert1.pem'
+    ownca_privatekey_path: '{{ remote_tmp_dir }}/cert1-key.pem'
+
+- name: 'Re-Sign the end-cert'
+  community.crypto.x509_certificate:
+    provider: ownca
+    path: '{{ remote_tmp_dir }}/cert2-new.pem'
+    csr_path: '{{ remote_tmp_dir }}/cert2.csr'
+    ownca_path: '{{ remote_tmp_dir }}/cert1.pem'
+    ownca_privatekey_path: '{{ remote_tmp_dir }}/cert1-key.pem'
+
+- set_fact:
+    path_ca_cert: '{{ remote_tmp_dir }}/ca.pem'
+    path_ca_key: '{{ remote_tmp_dir }}/ca-key.pem'
+    path_intermediate_cert: '{{ remote_tmp_dir }}/cert1.pem'
+    path_intermediate_key: '{{ remote_tmp_dir }}/cert1-key.pem'
+    # Same key, updated cert
+    path_cert_a: '{{ remote_tmp_dir }}/cert2.pem'
+    path_cert_b: '{{ remote_tmp_dir }}/cert2-new.pem'
+    path_cert_key: '{{ remote_tmp_dir }}/cert2-key.pem'
diff --git a/tests/integration/targets/iam_server_certificate/tasks/main.yml b/tests/integration/targets/iam_server_certificate/tasks/main.yml
@@ -1,7 +1,13 @@
 ---
 # iam_server_certificate integration tests
 #
-# Current module limitations:
+# Note:
+#
+# AWS APIs only support renaming and/or updating
+# the *path*.
+#
+# It is not possible to update the cert/key/chain
+# without deleting the ceritifate
 #
 - module_defaults:
     group/aws:
@@ -10,12 +16,16 @@
       security_token: '{{ security_token | default(omit) }}'
       region: '{{ aws_region }}'
   block:
+  ################################################
+
   # Check that the alias works
-  - iam_cert: {}
+  - name: Test deprecated alias
+    iam_cert: {}
     ignore_errors: true
     register: iam_cert_alias
 
-  - iam_server_certificate: {}
+  - name: Test with no args
+    iam_server_certificate: {}
     ignore_errors: true
     register: no_args
 
@@ -26,9 +36,240 @@
       - no_args.msg == iam_cert_alias.msg
       - no_args.msg.startswith('missing required arguments')
 
+  ################################################
+
+  - include_tasks: 'generate-certs.yml'
+
+  ################################################
+
+  - name: Create Certificate
+    iam_server_certificate:
+      name: '{{ cert_name }}'
+      state: present
+      cert: '{{ lookup("file", path_cert_a) }}'
+      key: '{{ lookup("file", path_cert_key) }}'
+    register: create_cert
+
+  - name: check result - Create Certificate
+    assert:
+      that:
+      - create_cert is successful
+      - create_cert is changed
+
+  - name: Create Certificate - idempotency
+    iam_server_certificate:
+      name: '{{ cert_name }}'
+      state: present
+      cert: '{{ lookup("file", path_cert_a) }}'
+      key: '{{ lookup("file", path_cert_key) }}'
+    register: create_cert
+
+  - name: check result - Create Certificate - idempotency
+    assert:
+      that:
+      - create_cert is successful
+      - create_cert is not changed
+
+  ################################################
+
+  # Module explicitly blocks updating certs
+  - name: Update Certificate
+    iam_server_certificate:
+      name: '{{ cert_name }}'
+      state: present
+      cert: '{{ lookup("file", path_cert_b) }}'
+    register: update_cert
+    ignore_errors: True
+
+  - name: check result - Update Certificate
+    assert:
+      that:
+      - update_cert is failed
+      - '"already exists" in update_cert.msg'
+
+  ## AWS APIs provide no mechanism for accessing
+  ## any information about the key, and as such
+  ## the module can't tell if a key was updated.
+  # - name: Update Certificate
+  #   iam_server_certificate:
+  #     name: '{{ cert_name }}'
+  #     state: present
+  #     key: '{{ lookup("file", path_intermediate_key) }}'
+  #   register: update_cert
+  #   ignore_errors: True
+
+  ################################################
+
+  - name: Delete certificate
+    iam_cert:
+      name: '{{ cert_name }}'
+      state: absent
+    register: delete_cert
+
+  - name: Delete certificate - idempotency
+    iam_cert:
+      name: '{{ cert_name }}'
+      state: absent
+    register: delete_cert
+
+  ################################################
+
+  - name: Create Certificate with Chain and path
+    iam_server_certificate:
+      name: '{{ cert_name }}'
+      state: present
+      cert: '{{ lookup("file", path_cert_a) }}'
+      key: '{{ lookup("file", path_cert_key) }}'
+      cert_chain: '{{ lookup("file", path_intermediate_cert) }}'
+      path: '/example/'
+    register: create_cert
+
+  - name: check result - Create Certificate with Chain and path
+    assert:
+      that:
+      - create_cert is successful
+      - create_cert is changed
+
+  - name: Create Certificate with Chain and path - idempotency
+    iam_server_certificate:
+      name: '{{ cert_name }}'
+      state: present
+      cert: '{{ lookup("file", path_cert_a) }}'
+      key: '{{ lookup("file", path_cert_key) }}'
+      cert_chain: '{{ lookup("file", path_intermediate_cert) }}'
+      path: '/example/'
+    register: create_cert
+
+  - name: check result - Create Certificate with Chain and path - idempotency
+    assert:
+      that:
+      - create_cert is successful
+      - create_cert is not changed
+
+  ################################################
+
+  - name: Create Certificate with identical cert
+    iam_server_certificate:
+      name: '{{ cert_name }}-duplicate'
+      state: present
+      cert: '{{ lookup("file", path_cert_a) }}'
+      key: '{{ lookup("file", path_cert_key) }}'
+    register: create_duplicate
+    ignore_errors: True
+
+  - name: check result - Create Certificate with identical cert
+    assert:
+      that:
+      - create_duplicate is failed
+
+  ################################################
+
+  - name: Create Certificate with forced identical cert
+    iam_server_certificate:
+      name: '{{ cert_name }}-duplicate'
+      state: present
+      cert: '{{ lookup("file", path_cert_a) }}'
+      key: '{{ lookup("file", path_cert_key) }}'
+      dup_ok: true
+    register: create_duplicate
+    ignore_errors: True
+
+  - name: check result - Create Certificate with forced identical cert
+    assert:
+      that:
+      - create_duplicate is successful
+      - create_duplicate is changed
+
+  - name: Create Certificate with forced identical cert - idempotency
+    iam_server_certificate:
+      name: '{{ cert_name }}-duplicate'
+      state: present
+      cert: '{{ lookup("file", path_cert_a) }}'
+      key: '{{ lookup("file", path_cert_key) }}'
+      dup_ok: true
+    register: create_duplicate
+    ignore_errors: True
+
+  - name: check result - Create Certificate with forced identical cert - idempotency
+    assert:
+      that:
+      - create_duplicate is successful
+      - create_duplicate is not changed
+
+  ################################################
+
+  - name: Update certificate path
+    iam_server_certificate:
+      name: '{{ cert_name }}'
+      state: present
+      path: '/example/'
+      new_path: '/path/'
+    register: update_path
+    ignore_errors: True
+
+  - name: check result - Update certificate path
+    assert:
+      that:
+      - update_path is successful
+      - update_path is changed
+
+  # - name: Update certificate path - idempotency
+  #   iam_server_certificate:
+  #     name: '{{ cert_name }}'
+  #     state: present
+  #     path: '/example/'
+  #     new_path: '/path/'
+  #   register: update_path
+  #   ignore_errors: True
+
+  # - name: check result - Update certificate path - idempotency
+  #   assert:
+  #     that:
+  #     - update_path is successful
+  #     - update_path is not changed
+
+  ################################################
+
+  - name: Update certificate name
+    iam_server_certificate:
+      name: '{{ cert_name }}'
+      new_name: '{{ cert_name }}-renamed'
+      state: present
+    register: update_name
+    ignore_errors: True
+
+  - name: check result - Update certificate name
+    assert:
+      that:
+      - update_name is successful
+      - update_name is changed
+
+  # - name: Update certificate name - idempotency
+  #   iam_server_certificate:
+  #     name: '{{ cert_name }}'
+  #     new_name: '{{ cert_name }}-renamed'
+  #     state: present
+  #   register: update_name
+  #   ignore_errors: True
+
+  # - name: check result - Update certificate name - idempotency
+  #   assert:
+  #     that:
+  #     - update_name is successful
+  #     - update_name is not changed
+
   always:
-  - debug: msg=test
 
     ################################################
     # TEARDOWN STARTS HERE
     ################################################
+
+  - name: Delete certificate
+    iam_cert:
+      name: '{{ item }}'
+      state: absent
+    ignore_errors: true
+    loop:
+    - '{{ cert_name }}'
+    - '{{ cert_name }}-renamed'
+    - '{{ cert_name }}-duplicate'