diff --git a/tests/integration/targets/iam_server_certificate/defaults/main.yml b/tests/integration/targets/iam_server_certificate/defaults/main.yml
index ed97d539c09..1f136642a70 100644
--- a/tests/integration/targets/iam_server_certificate/defaults/main.yml
+++ b/tests/integration/targets/iam_server_certificate/defaults/main.yml
@@ -1 +1,2 @@
 ---
+cert_name: 'ansible-test-{{ tiny_prefix }}'
diff --git a/tests/integration/targets/iam_server_certificate/tasks/generate-certs.yml b/tests/integration/targets/iam_server_certificate/tasks/generate-certs.yml
new file mode 100644
index 00000000000..02d2dac7322
--- /dev/null
+++ b/tests/integration/targets/iam_server_certificate/tasks/generate-certs.yml
@@ -0,0 +1,65 @@ +################################################ +# Setup SSL certs to store in IAM +################################################ +- name: 'Generate SSL Keys' + community.crypto.openssl_privatekey: + path: '{{ remote_tmp_dir }}/{{ item }}-key.pem' + size: 2048 + loop: + - 'ca' + - 'cert1' + - 'cert2' + +- name: 'Generate CSRs' + community.crypto.openssl_csr: + path: '{{ remote_tmp_dir }}/{{ item }}.csr' + privatekey_path: '{{ remote_tmp_dir }}/{{ item }}-key.pem' + common_name: '{{ item }}.ansible.test' + subject_alt_name: 'DNS:{{ item }}.ansible.test' + basic_constraints: + - 'CA:TRUE' + loop: + - 'ca' + - 'cert1' + - 'cert2' + +- name: 'Self-sign the "root"' + community.crypto.x509_certificate: + provider: selfsigned + path: '{{ remote_tmp_dir }}/ca.pem' + privatekey_path: '{{ remote_tmp_dir }}/ca-key.pem' + csr_path: '{{ remote_tmp_dir }}/ca.csr' + +- name: 'Sign the intermediate cert' + community.crypto.x509_certificate: + provider: ownca + path: '{{ remote_tmp_dir }}/cert1.pem' + csr_path: '{{ remote_tmp_dir }}/cert1.csr' + ownca_path: '{{ remote_tmp_dir }}/ca.pem' + ownca_privatekey_path: '{{ remote_tmp_dir }}/ca-key.pem' + +- name: 'Sign the end-cert' + community.crypto.x509_certificate: + provider: ownca + path: '{{ remote_tmp_dir }}/cert2.pem' + csr_path: '{{ remote_tmp_dir }}/cert2.csr' + ownca_path: '{{ remote_tmp_dir }}/cert1.pem' + ownca_privatekey_path: '{{ remote_tmp_dir }}/cert1-key.pem' + +- name: 'Re-Sign the end-cert' + community.crypto.x509_certificate: + provider: ownca + path: '{{ remote_tmp_dir }}/cert2-new.pem' + csr_path: '{{ remote_tmp_dir }}/cert2.csr' + ownca_path: '{{ remote_tmp_dir }}/cert1.pem' + ownca_privatekey_path: '{{ remote_tmp_dir }}/cert1-key.pem' + +- set_fact: + path_ca_cert: '{{ remote_tmp_dir }}/ca.pem' + path_ca_key: '{{ remote_tmp_dir }}/ca-key.pem' + path_intermediate_cert: '{{ remote_tmp_dir }}/cert1.pem' + path_intermediate_key: '{{ remote_tmp_dir }}/cert1-key.pem' + # Same key, updated cert + 
path_cert_a: '{{ remote_tmp_dir }}/cert2.pem' + path_cert_b: '{{ remote_tmp_dir }}/cert2-new.pem' + path_cert_key: '{{ remote_tmp_dir }}/cert2-key.pem' diff --git a/tests/integration/targets/iam_server_certificate/tasks/main.yml b/tests/integration/targets/iam_server_certificate/tasks/main.yml index f0c6946728a..d715641c4c3 100644 --- a/tests/integration/targets/iam_server_certificate/tasks/main.yml +++ b/tests/integration/targets/iam_server_certificate/tasks/main.yml @@ -1,7 +1,13 @@ --- # iam_server_certificate integration tests # -# Current module limitations: +# Note: +# +# AWS APIs only support renaming and/or updating +# the *path*. +# +# It is not possible to update the cert/key/chain +# without deleting the ceritifate # - module_defaults: group/aws: @@ -10,12 +16,16 @@ security_token: '{{ security_token | default(omit) }}' region: '{{ aws_region }}' block: + ################################################ + # Check that the alias works - - iam_cert: {} + - name: Test deprecated alias + iam_cert: {} ignore_errors: true register: iam_cert_alias - - iam_server_certificate: {} + - name: Test with no args + iam_server_certificate: {} ignore_errors: true register: no_args 
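Review bot: The `Generate CSRs` task applies `basic_constraints: ['CA:TRUE']` to all three loop items, so `cert2` — the "end-cert" that main.yml uploads as the server certificate — is itself a CA certificate, and the constraint is not marked critical on the two real CAs either. That does not change what the IAM upload/idempotency tests can observe, but it means the fixture never contains a genuine leaf and the `cert_chain` case is exercised with a CA → CA → CA chain instead of CA → intermediate → leaf; a one-line fix is `- "CA:{{ 'FALSE' if item == 'cert2' else 'TRUE' }}"` in the constraint list, plus `basic_constraints_critical: true`. The `Re-Sign the end-cert` task presumably yields a different `cert2-new.pem` only because the ownca provider assigns a fresh serial and validity window for the same CSR; a comment on that task, `# same key and CSR, new serial/validity -> distinct bytes for the "updated cert" case`, would make the purpose of `path_cert_b` clear to the next reader.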
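Review bot: The new header note has a typo, `ceritifate` → `certificate`, and it understates the module's actual behaviour shown further down in this file: the `Update Certificate` task asserts that a request with a different `cert` fails with "already exists" rather than being applied. Suggest `# without deleting and re-creating the certificate; the module fails such a request rather than replacing it.`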
@@ -26,9 +36,240 @@ - no_args.msg == iam_cert_alias.msg - no_args.msg.startswith('missing required arguments') + ################################################ + + - include_tasks: 'generate-certs.yml' + + ################################################ + + - name: Create Certificate + iam_server_certificate: + name: '{{ cert_name }}' + state: present + cert: '{{ lookup("file", path_cert_a) }}' + key: '{{ lookup("file", path_cert_key) }}' + register: create_cert + + - name: check result - Create Certificate + assert: + that: + - create_cert is successful + - create_cert is changed + + - name: Create Certificate - idempotency + iam_server_certificate: + name: '{{ cert_name }}' + state: present + cert: '{{ lookup("file", path_cert_a) }}' + key: '{{ lookup("file", path_cert_key) }}' + register: create_cert + + - name: check result - Create Certificate - idempotency + assert: + that: + - create_cert is successful + - create_cert is not changed + + ################################################ + + # Module explicitly blocks updating certs + - name: Update Certificate + iam_server_certificate: + name: '{{ cert_name }}' + state: present + cert: '{{ lookup("file", path_cert_b) }}' + register: update_cert + ignore_errors: True + + - name: check result - Update Certificate + assert: + that: + - update_cert is failed + - '"already exists" in update_cert.msg' + + ## AWS APIs provide no mechanism for accessing + ## any information about the key, and as such + ## the module can't tell if a key was updated. 
+ # - name: Update Certificate + # iam_server_certificate: + # name: '{{ cert_name }}' + # state: present + # key: '{{ lookup("file", path_intermediate_key) }}' + # register: update_cert + # ignore_errors: True + + ################################################ + + - name: Delete certificate + iam_cert: + name: '{{ cert_name }}' + state: absent + register: delete_cert + + - name: Delete certificate - idempotency + iam_cert: + name: '{{ cert_name }}' + state: absent + register: delete_cert + + ################################################ + + - name: Create Certificate with Chain and path + iam_server_certificate: + name: '{{ cert_name }}' + state: present + cert: '{{ lookup("file", path_cert_a) }}' + key: '{{ lookup("file", path_cert_key) }}' + cert_chain: '{{ lookup("file", path_intermediate_cert) }}' + path: '/example/' + register: create_cert + + - name: check result - Create Certificate with Chain and path + assert: + that: + - create_cert is successful + - create_cert is changed + + - name: Create Certificate with Chain and path - idempotency + iam_server_certificate: + name: '{{ cert_name }}' + state: present + cert: '{{ lookup("file", path_cert_a) }}' + key: '{{ lookup("file", path_cert_key) }}' + cert_chain: '{{ lookup("file", path_intermediate_cert) }}' + path: '/example/' + register: create_cert + + - name: check result - Create Certificate with Chain and path - idempotency + assert: + that: + - create_cert is successful + - create_cert is not changed + + ################################################ + + - name: Create Certificate with identical cert + iam_server_certificate: + name: '{{ cert_name }}-duplicate' + state: present + cert: '{{ lookup("file", path_cert_a) }}' + key: '{{ lookup("file", path_cert_key) }}' + register: create_duplicate + ignore_errors: True + + - name: check result - Create Certificate with identical cert + assert: + that: + - create_duplicate is failed + + ################################################ + + - name: 
Create Certificate with forced identical cert + iam_server_certificate: + name: '{{ cert_name }}-duplicate' + state: present + cert: '{{ lookup("file", path_cert_a) }}' + key: '{{ lookup("file", path_cert_key) }}' + dup_ok: true + register: create_duplicate + ignore_errors: True + + - name: check result - Create Certificate with forced identical cert + assert: + that: + - create_duplicate is successful + - create_duplicate is changed + + - name: Create Certificate with forced identical cert - idempotency + iam_server_certificate: + name: '{{ cert_name }}-duplicate' + state: present + cert: '{{ lookup("file", path_cert_a) }}' + key: '{{ lookup("file", path_cert_key) }}' + dup_ok: true + register: create_duplicate + ignore_errors: True + + - name: check result - Create Certificate with forced identical cert - idempotency + assert: + that: + - create_duplicate is successful + - create_duplicate is not changed + + ################################################ + + - name: Update certificate path + iam_server_certificate: + name: '{{ cert_name }}' + state: present + path: '/example/' + new_path: '/path/' + register: update_path + ignore_errors: True + + - name: check result - Update certificate path + assert: + that: + - update_path is successful + - update_path is changed + + # - name: Update certificate path - idempotency + # iam_server_certificate: + # name: '{{ cert_name }}' + # state: present + # path: '/example/' + # new_path: '/path/' + # register: update_path + # ignore_errors: True + + # - name: check result - Update certificate path - idempotency + # assert: + # that: + # - update_path is successful + # - update_path is not changed + + ################################################ + + - name: Update certificate name + iam_server_certificate: + name: '{{ cert_name }}' + new_name: '{{ cert_name }}-renamed' + state: present + register: update_name + ignore_errors: True + + - name: check result - Update certificate name + assert: + that: + - update_name is 
successful + - update_name is changed + + # - name: Update certificate name - idempotency + # iam_server_certificate: + # name: '{{ cert_name }}' + # new_name: '{{ cert_name }}-renamed' + # state: present + # register: update_name + # ignore_errors: True + + # - name: check result - Update certificate name - idempotency + # assert: + # that: + # - update_name is successful + # - update_name is not changed + always: - - debug: msg=test ################################################ # TEARDOWN STARTS HERE ################################################ + + - name: Delete certificate + iam_cert: + name: '{{ item }}' + state: absent + ignore_errors: true + loop: + - '{{ cert_name }}' + - '{{ cert_name }}-renamed' + - '{{ cert_name }}-duplicate'
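Review bot: The two `Delete certificate` tasks (`state: absent` and its idempotency repeat) both register `delete_cert` but no assert follows either, so a delete that silently does nothing would only surface later as a misleading failure in `Create Certificate with Chain and path`; add `- assert: { that: delete_cert is changed }` after the first and `- assert: { that: delete_cert is not changed }` after the second. Because `key` is fed straight from `lookup("file", path_cert_key)`, the registered results are also the natural place to pin that the private key is not echoed back (e.g. `- "'PRIVATE KEY' not in (create_cert | to_json)"` in the check tasks); whether the module marks `key` as no_log is not visible here, so this assert would document and guard that expectation. Minor style: these delete tasks and the teardown loop use the `iam_cert` alias that the `Test deprecated alias` task above treats as deprecated, and `ignore_errors: True` should be lowercase `true` per the truthy rule. The `block:`/`always:` structure this hunk extends begins outside the hunk.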