From 8e20a36be2ab6af9b5e299febdf69a6dee638f32 Mon Sep 17 00:00:00 2001 From: tjarra Date: Thu, 31 Mar 2022 03:10:15 -0300 Subject: [PATCH] New module aws_eks_fargate_profile (#942) New module aws_eks_fargate_profile SUMMARY (this is a copy of #941 because i messed up my original branch) New Module - aws_eks_fargate_profile This create a new module to manage fargate profiles in EKS clusters. Requires: ansible-collections/amazon.aws#651 ISSUE TYPE New Module Pull Request COMPONENT NAME aws_eks_fargate_profile ADDITIONAL INFORMATION community.aws.aws_eks_fargate_profile - name: create Fargate Profile aws_eks_fargate_profile: name: 'my-profile' state: present cluster_name: 'my-eks-cluster' role_arn: 'arn:aws:iam::999999999999:role/eks-FargatePodExecutionRole' subnets: - subnet-aaaa1111 selectors: - namespace: 'test_nm' labels: label1: test wait: true tags: env: test foo: bar Reviewed-by: Markus Bergholz Reviewed-by: Mark Woolley Reviewed-by: None Reviewed-by: Alina Buzachis Reviewed-by: Jill R (cherry picked from commit 719483ff49b3e56eb90efc74304c1b2a81f1c4bd) --- meta/runtime.yml | 1 + plugins/modules/eks_fargate_profile.py | 353 ++++++++++++++ .../targets/eks_fargate_profile/aliases | 1 + .../eks_fargate_profile/defaults/main.yaml | 45 ++ .../eks-fargate-profile-trust-policy.json | 12 + .../files/eks-trust-policy.json | 12 + .../tasks/cleanup_eks_cluster.yml | 79 ++++ .../tasks/create_eks_cluster.yml | 97 ++++ .../eks_fargate_profile/tasks/full_test.yml | 429 ++++++++++++++++++ .../eks_fargate_profile/tasks/main.yaml | 15 + 10 files changed, 1044 insertions(+) create mode 100644 plugins/modules/eks_fargate_profile.py create mode 100644 tests/integration/targets/eks_fargate_profile/aliases create mode 100644 tests/integration/targets/eks_fargate_profile/defaults/main.yaml create mode 100644 tests/integration/targets/eks_fargate_profile/files/eks-fargate-profile-trust-policy.json create mode 100644 tests/integration/targets/eks_fargate_profile/files/eks-trust-policy.json create mode 100644 tests/integration/targets/eks_fargate_profile/tasks/cleanup_eks_cluster.yml create mode 100644 tests/integration/targets/eks_fargate_profile/tasks/create_eks_cluster.yml create mode 100644 tests/integration/targets/eks_fargate_profile/tasks/full_test.yml create mode 100644 tests/integration/targets/eks_fargate_profile/tasks/main.yaml diff --git a/meta/runtime.yml b/meta/runtime.yml index f1fd9c16b3b..b7f995fae12 100644 --- a/meta/runtime.yml +++ b/meta/runtime.yml @@ -110,6 +110,7 @@ action_groups: - efs - efs_info - efs_tag + - eks_fargate_profile - elasticache - elasticache_info - elasticache_parameter_group diff --git a/plugins/modules/eks_fargate_profile.py b/plugins/modules/eks_fargate_profile.py new file mode 100644 index 00000000000..973b9497c2e --- /dev/null +++ b/plugins/modules/eks_fargate_profile.py @@ -0,0 +1,353 @@ +#!/usr/bin/python +# Copyright (c) 2022 Ansible Project +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + + +DOCUMENTATION = r''' +--- +module: eks_fargate_profile +version_added: 3.2.0 +short_description: Manage EKS Fargate Profile +description: + - Manage EKS Fargate Profile. +author: Tiago Jarra (@tjarra) +options: + name: + description: Name of EKS Fargate Profile. + required: True + type: str + cluster_name: + description: Name of EKS Cluster. + required: True + type: str + role_arn: + description: + - ARN of IAM role used by the EKS cluster. + - Required when I(state=present). + type: str + subnets: + description: + - list of subnet IDs for the Kubernetes cluster. + - Required when I(state=present). + type: list + elements: str + selectors: + description: + - A list of selectors to use in fargate profile. + - Required when I(state=present). + type: list + elements: dict + suboptions: + namespace: + description: A namespace used in fargate profile. + type: str + labels: + description: A dictionary of labels used in fargate profile. + type: dict + state: + description: Create or delete the Fargate Profile. + choices: + - absent + - present + default: present + type: str + tags: + description: A dictionary of resource tags. + type: dict + purge_tags: + description: + - Purge existing tags that are not found in the cluster. + type: bool + default: true + wait: + description: >- + Specifies whether the module waits until the profile is created or deleted before moving on. + type: bool + default: false + wait_timeout: + description: >- + The duration in seconds to wait for the cluster to become active. Defaults + to 1200 seconds (20 minutes). + default: 1200 + type: int +extends_documentation_fragment: +- amazon.aws.aws +- amazon.aws.ec2 + +''' + +EXAMPLES = r''' +# Note: These examples do not set authentication details, see the AWS Guide for details. + +- name: Create an EKS Fargate Profile + community.aws.eks_fargate_profile: + name: test_fargate + cluster_name: test_cluster + role_arn: my_eks_role + subnets: + - subnet-aaaa1111 + selectors: + - namespace: nm-test + labels: + - label1: test + state: present + wait: yes + +- name: Remove an EKS Fargate Profile + community.aws.eks_fargate_profile: + name: test_fargate + cluster_name: test_cluster + wait: yes + state: absent +''' + +RETURN = r''' +fargate_profile_name: + description: Name of Fargate Profile. + returned: when state is present + type: str + sample: test_profile +fargate_profile_arn: + description: ARN of the Fargate Profile. + returned: when state is present + type: str + sample: arn:aws:eks:us-east-1:1231231123:safd +cluster_name: + description: Name of EKS Cluster. + returned: when state is present + type: str + sample: test-cluster +created_at: + description: Fargate Profile creation date and time. + returned: when state is present + type: str + sample: '2022-01-18T20:00:00.111000+00:00' +pod_execution_role_arn: + description: ARN of the IAM Role used by Fargate Profile. + returned: when state is present + type: str + sample: arn:aws:eks:us-east-1:1231231123:role/asdf +subnets: + description: List of subnets used in Fargate Profile. + returned: when state is present + type: list + sample: + - subnet-qwerty123 + - subnet-asdfg456 +selectors: + description: Selector configuration. + returned: when state is present + type: complex + contains: + namespace: + description: Name of the kubernetes namespace used in profile. + returned: when state is present + type: str + sample: nm-test + labels: + description: List of kubernetes labels used in profile. + returned: when state is present + type: list + sample: + - label1: test1 + - label2: test2 +tags: + description: A dictionary of resource tags. + returned: when state is present + type: dict + sample: + foo: bar + env: test +status: + description: status of the EKS Fargate Profile. + returned: when state is present + type: str + sample: + - CREATING + - ACTIVE +''' + +from ansible_collections.amazon.aws.plugins.module_utils.core import AnsibleAWSModule, is_boto3_error_code +from ansible_collections.amazon.aws.plugins.module_utils.ec2 import compare_aws_tags +from ansible_collections.amazon.aws.plugins.module_utils.ec2 import camel_dict_to_snake_dict +from ansible_collections.amazon.aws.plugins.module_utils.waiters import get_waiter + +try: + import botocore.exceptions +except ImportError: + pass + + +def validate_tags(client, module, fargate_profile): + changed = False + + try: + existing_tags = client.list_tags_for_resource(resourceArn=fargate_profile['fargateProfileArn'])['tags'] + tags_to_add, tags_to_remove = compare_aws_tags(existing_tags, module.params.get('tags'), module.params.get('purge_tags')) + except(botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e: + module.fail_json_aws(e, msg='Unable to list or compare tags for Fargate Profile %s' % module.params.get('name')) + + if tags_to_remove: + changed = True + if not module.check_mode: + try: + client.untag_resource(resourceArn=fargate_profile['fargateProfileArn'], tagKeys=tags_to_remove) + except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e: + module.fail_json_aws(e, msg='Unable to set tags for Fargate Profile %s' % module.params.get('name')) + + if tags_to_add: + changed = True + if not module.check_mode: + try: + client.tag_resource(resourceArn=fargate_profile['fargateProfileArn'], tags=tags_to_add) + except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e: + module.fail_json_aws(e, msg='Unable to set tags for Fargate Profile %s' % module.params.get('name')) + + return changed + + +def create_or_update_fargate_profile(client, module): + name = module.params.get('name') + subnets = module.params['subnets'] + role_arn = module.params['role_arn'] + cluster_name = module.params['cluster_name'] + selectors = module.params['selectors'] + tags = module.params['tags'] + wait = module.params.get('wait') + fargate_profile = get_fargate_profile(client, module, name, cluster_name) + + if fargate_profile: + changed = False + if set(fargate_profile['podExecutionRoleArn']) != set(role_arn): + module.fail_json(msg="Cannot modify Execution Role") + if set(fargate_profile['subnets']) != set(subnets): + module.fail_json(msg="Cannot modify Subnets") + if fargate_profile['selectors'] != selectors: + module.fail_json(msg="Cannot modify Selectors") + + changed = validate_tags(client, module, fargate_profile) + + if wait: + wait_until(client, module, 'fargate_profile_active', name, cluster_name) + fargate_profile = get_fargate_profile(client, module, name, cluster_name) + + module.exit_json(changed=changed, **camel_dict_to_snake_dict(fargate_profile)) + + if module.check_mode: + module.exit_json(changed=True) + + check_profiles_status(client, module, cluster_name) + + try: + params = dict(fargateProfileName=name, + podExecutionRoleArn=role_arn, + subnets=subnets, + clusterName=cluster_name, + selectors=selectors, + tags=tags + ) + fargate_profile = client.create_fargate_profile(**params) + except (botocore.exceptions.BotoCoreError, botocore.exceptions.ClientError) as e: + module.fail_json_aws(e, msg="Couldn't create fargate profile %s" % name) + + if wait: + wait_until(client, module, 'fargate_profile_active', name, cluster_name) + fargate_profile = get_fargate_profile(client, module, name, cluster_name) + + module.exit_json(changed=True, **camel_dict_to_snake_dict(fargate_profile)) + + +def delete_fargate_profile(client, module): + name = module.params.get('name') + cluster_name = module.params['cluster_name'] + existing = get_fargate_profile(client, module, name, cluster_name) + wait = module.params.get('wait') + if not existing or existing["status"] == "DELETING": + module.exit_json(changed=False) + + if not module.check_mode: + check_profiles_status(client, module, cluster_name) + try: + client.delete_fargate_profile(clusterName=cluster_name, fargateProfileName=name) + except (botocore.exceptions.BotoCoreError, botocore.exceptions.ClientError) as e: + module.fail_json_aws(e, msg="Couldn't delete fargate profile %s" % name) + + if wait: + wait_until(client, module, 'fargate_profile_deleted', name, cluster_name) + + module.exit_json(changed=True) + + +def get_fargate_profile(client, module, name, cluster_name): + try: + return client.describe_fargate_profile(clusterName=cluster_name, fargateProfileName=name)['fargateProfile'] + except is_boto3_error_code('ResourceNotFoundException'): + return None + except (botocore.exceptions.BotoCoreError, botocore.exceptions.ClientError) as e: # pylint: disable=duplicate-except + module.fail_json_aws(e, msg="Couldn't get fargate profile") + + +# Check if any fargate profiles is in changing states, if so, wait for the end +def check_profiles_status(client, module, cluster_name): + try: + list_profiles = client.list_fargate_profiles(clusterName=cluster_name) + + for name in list_profiles["fargateProfileNames"]: + fargate_profile = get_fargate_profile(client, module, name, cluster_name) + if fargate_profile["status"] == 'CREATING': + wait_until(client, module, 'fargate_profile_active', fargate_profile["fargateProfileName"], cluster_name) + elif fargate_profile["status"] == 'DELETING': + wait_until(client, module, 'fargate_profile_deleted', fargate_profile["fargateProfileName"], cluster_name) + except (botocore.exceptions.BotoCoreError, botocore.exceptions.ClientError) as e: + module.fail_json_aws(e, msg="Couldn't not find EKS cluster") + + +def wait_until(client, module, waiter_name, name, cluster_name): + wait_timeout = module.params.get('wait_timeout') + waiter = get_waiter(client, waiter_name) + attempts = 1 + int(wait_timeout / waiter.config.delay) + try: + waiter.wait(clusterName=cluster_name, fargateProfileName=name, WaiterConfig={'MaxAttempts': attempts}) + except botocore.exceptions.WaiterError as e: + module.fail_json_aws(e, msg="An error occurred waiting") + + +def main(): + argument_spec = dict( + name=dict(required=True), + cluster_name=dict(required=True), + role_arn=dict(), + subnets=dict(type='list', elements='str'), + selectors=dict(type='list', elements='dict', options=dict( + namespace=dict(type='str'), + labels=dict(type='dict', default={}) + )), + tags=dict(type='dict', default={}), + purge_tags=dict(type='bool', default=True), + state=dict(choices=['absent', 'present'], default='present'), + wait=dict(default=False, type='bool'), + wait_timeout=dict(default=1200, type='int') + ) + + module = AnsibleAWSModule( + argument_spec=argument_spec, + required_if=[['state', 'present', ['role_arn', 'subnets', 'selectors']]], + supports_check_mode=True, + ) + + try: + client = module.client('eks') + except (botocore.exceptions.BotoCoreError, botocore.exceptions.ClientError) as e: + module.fail_json_aws(e, msg="Couldn't connect to AWS") + + if module.params.get('state') == 'present': + create_or_update_fargate_profile(client, module) + else: + delete_fargate_profile(client, module) + + +if __name__ == '__main__': + main() diff --git a/tests/integration/targets/eks_fargate_profile/aliases b/tests/integration/targets/eks_fargate_profile/aliases new file mode 100644 index 00000000000..0b84301d76c --- /dev/null +++ b/tests/integration/targets/eks_fargate_profile/aliases @@ -0,0 +1 @@ +cloud/aws \ No newline at end of file diff --git a/tests/integration/targets/eks_fargate_profile/defaults/main.yaml b/tests/integration/targets/eks_fargate_profile/defaults/main.yaml new file mode 100644 index 00000000000..005db76ae04 --- /dev/null +++ b/tests/integration/targets/eks_fargate_profile/defaults/main.yaml @@ -0,0 +1,45 @@ +eks_cluster_name: "{{ resource_prefix }}" +eks_fargate_profile_name_a: fp-template-a +eks_fargate_profile_name_b: fp-template-b + +selectors: + - namespace: "fp-default" + +tags: + foo: bar + env: test + +eks_subnets: + - zone: a + cidr: 10.0.1.0/24 + type: private + tag: internal-elb + - zone: b + cidr: 10.0.2.0/24 + type: public + tag: elb + +eks_security_groups: + - name: "{{ eks_cluster_name }}-control-plane-sg" + description: "EKS Control Plane Security Group" + rules: + - group_name: "{{ eks_cluster_name }}-workers-sg" + group_desc: "EKS Worker Security Group" + ports: 443 + proto: tcp + rules_egress: + - group_name: "{{ eks_cluster_name }}-workers-sg" + group_desc: "EKS Worker Security Group" + from_port: 1025 + to_port: 65535 + proto: tcp + - name: "{{ eks_cluster_name }}-workers-sg" + description: "EKS Worker Security Group" + rules: + - group_name: "{{ eks_cluster_name }}-workers-sg" + proto: tcp + from_port: 1 + to_port: 65535 + - group_name: "{{ eks_cluster_name }}-control-plane-sg" + ports: 10250 + proto: tcp diff --git a/tests/integration/targets/eks_fargate_profile/files/eks-fargate-profile-trust-policy.json b/tests/integration/targets/eks_fargate_profile/files/eks-fargate-profile-trust-policy.json new file mode 100644 index 00000000000..eec12ce49d7 --- /dev/null +++ b/tests/integration/targets/eks_fargate_profile/files/eks-fargate-profile-trust-policy.json @@ -0,0 +1,12 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "eks-fargate-pods.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] +} \ No newline at end of file diff --git a/tests/integration/targets/eks_fargate_profile/files/eks-trust-policy.json b/tests/integration/targets/eks_fargate_profile/files/eks-trust-policy.json new file mode 100644 index 00000000000..85cfb59dd28 --- /dev/null +++ b/tests/integration/targets/eks_fargate_profile/files/eks-trust-policy.json @@ -0,0 +1,12 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "eks.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] +} diff --git a/tests/integration/targets/eks_fargate_profile/tasks/cleanup_eks_cluster.yml b/tests/integration/targets/eks_fargate_profile/tasks/cleanup_eks_cluster.yml new file mode 100644 index 00000000000..d30761fa3ce --- /dev/null +++ b/tests/integration/targets/eks_fargate_profile/tasks/cleanup_eks_cluster.yml @@ -0,0 +1,79 @@ +- name: Delete IAM role + iam_role: + name: "{{ iam_role_fargate.role_name }}" + state: absent + ignore_errors: true + +- name: remove EKS cluster + aws_eks_cluster: + name: '{{ eks_cluster_name }}' + state: absent + wait: 'yes' + register: eks_delete + ignore_errors: 'yes' +- name: create list of all additional EKS security groups + set_fact: + additional_eks_sg: + - name: '{{ eks_cluster_name }}-workers-sg' + +- name: set all security group rule lists to empty to remove circular dependency + ec2_group: + name: '{{ item.name }}' + description: '{{ item.description }}' + state: present + rules: [] + rules_egress: [] + purge_rules: 'yes' + purge_rules_egress: 'yes' + vpc_id: '{{ setup_vpc.vpc.id }}' + with_items: '{{ eks_security_groups }}' + ignore_errors: 'yes' + +- name: remove security groups + ec2_group: + name: '{{ item.name }}' + state: absent + vpc_id: '{{ setup_vpc.vpc.id }}' + with_items: '{{ eks_security_groups|reverse|list + additional_eks_sg }}' + ignore_errors: 'yes' + +- name: remove Route Tables + ec2_vpc_route_table: + state: absent + vpc_id: '{{ setup_vpc.vpc.id }}' + route_table_id: '{{ item }}' + lookup: id + ignore_errors: 'yes' + with_items: + - '{{ public_route_table.route_table.route_table_id }}' + - '{{ nat_route_table.route_table.route_table_id }}' + +- name: remove setup Nat Gateway + amazon.aws.ec2_vpc_nat_gateway: + state: absent + nat_gateway_id: '{{ setup_nat_gateway.nat_gateway_id}}' + release_eip: 'yes' + wait: 'yes' + ignore_errors: 'yes' + +- name: remove setup subnet + ec2_vpc_subnet: + az: '{{ aws_region }}{{ item.zone }}' + vpc_id: '{{ setup_vpc.vpc.id }}' + cidr: '{{ item.cidr}}' + state: absent + with_items: '{{ eks_subnets }}' + ignore_errors: 'yes' + +- name: remove Internet Gateway + amazon.aws.ec2_vpc_igw: + state: absent + vpc_id: '{{ setup_vpc.vpc.id}}' + ignore_errors: 'yes' + +- name: remove setup VPC + ec2_vpc_net: + cidr_block: 10.0.0.0/16 + state: absent + name: '{{ resource_prefix }}_aws_eks' + ignore_errors: 'yes' diff --git a/tests/integration/targets/eks_fargate_profile/tasks/create_eks_cluster.yml b/tests/integration/targets/eks_fargate_profile/tasks/create_eks_cluster.yml new file mode 100644 index 00000000000..d5affa5b58d --- /dev/null +++ b/tests/integration/targets/eks_fargate_profile/tasks/create_eks_cluster.yml @@ -0,0 +1,97 @@ +# Create a EKS Cluster to test Fargate Profile +# This space was a copy by aws_eks_cluster integration test +- name: ensure IAM instance role exists + iam_role: + name: ansible-test-aws_eks_cluster_role + assume_role_policy_document: '{{ lookup(''file'',''eks-trust-policy.json'') }}' + state: present + create_instance_profile: 'no' + managed_policies: + - AmazonEKSServicePolicy + - AmazonEKSClusterPolicy + register: iam_role + +- name: create a VPC to work in + ec2_vpc_net: + cidr_block: 10.0.0.0/16 + state: present + name: '{{ resource_prefix }}_aws_eks' + resource_tags: + Name: '{{ resource_prefix }}_aws_eks' + register: setup_vpc + +- name: create subnets + ec2_vpc_subnet: + az: '{{ aws_region }}{{ item.zone }}' + tags: '{ "Name": "{{ resource_prefix }}_aws_eks-subnet-{{ item.type }}-{{ item.zone }}", "kubernetes.io/role/{{ item.tag }}": "1" }' + vpc_id: '{{ setup_vpc.vpc.id }}' + cidr: '{{ item.cidr }}' + state: present + register: setup_subnets + with_items: + - '{{ eks_subnets }}' + +- name: create Internet Gateway + amazon.aws.ec2_vpc_igw: + vpc_id: '{{ setup_vpc.vpc.id }}' + state: present + tags: + Name: '{{ resource_prefix }}_IGW' + register: setup_igw + +- name: Set up public subnet route table + community.aws.ec2_vpc_route_table: + vpc_id: '{{ setup_vpc.vpc.id }}' + tags: + Name: Public + subnets: '{{ setup_subnets.results|selectattr(''subnet.tags.Name'', ''contains'', ''public'') | map(attribute=''subnet.id'') }}' + routes: + - dest: 0.0.0.0/0 + gateway_id: '{{ setup_igw.gateway_id }}' + register: public_route_table + +- name: create Natgateway + amazon.aws.ec2_vpc_nat_gateway: + if_exist_do_not_create: yes + state: present + subnet_id: '{{ (setup_subnets.results|selectattr(''subnet.tags.Name'', ''contains'', ''public'') | map(attribute=''subnet.id''))[0] }}' + wait: true + tags: + Name: '{{ resource_prefix }}_NAT' + register: setup_nat_gateway + +- name: Set up NAT-protected route table + community.aws.ec2_vpc_route_table: + vpc_id: '{{ setup_vpc.vpc.id }}' + tags: + Name: Internal + subnets: '{{setup_subnets.results|selectattr(''subnet.tags.Name'', ''contains'', ''private'') | map(attribute=''subnet.id'') }}' + routes: + - dest: 0.0.0.0/0 + nat_gateway_id: '{{ setup_nat_gateway.nat_gateway_id }}' + register: nat_route_table + +- name: create security groups to use for EKS + ec2_group: + name: '{{ item.name }}' + description: '{{ item.description }}' + state: present + rules: '{{ item.rules }}' + rules_egress: '{{ item.rules_egress|default(omit) }}' + vpc_id: '{{ setup_vpc.vpc.id }}' + with_items: '{{ eks_security_groups }}' + register: setup_security_groups + +- name: create EKS cluster + aws_eks_cluster: + name: '{{ eks_cluster_name }}' + security_groups: '{{ eks_security_groups | map(attribute=''name'') }}' + subnets: '{{ setup_subnets.results | map(attribute=''subnet.id'') }}' + role_arn: '{{ iam_role.arn }}' + wait: true + register: eks_create + +- name: check that EKS cluster was created + assert: + that: + - eks_create.name == eks_cluster_name \ No newline at end of file diff --git a/tests/integration/targets/eks_fargate_profile/tasks/full_test.yml b/tests/integration/targets/eks_fargate_profile/tasks/full_test.yml new file mode 100644 index 00000000000..b992125b334 --- /dev/null +++ b/tests/integration/targets/eks_fargate_profile/tasks/full_test.yml @@ -0,0 +1,429 @@ +# Creating dependencies +- name: create IAM instance role + iam_role: + name: 'ansible-test-aws_eks_fargate_profile' + assume_role_policy_document: '{{ lookup(''file'',''eks-fargate-profile-trust-policy.json'') }}' + state: present + create_instance_profile: no + managed_policies: + - AmazonEKSFargatePodExecutionRolePolicy + register: iam_role_fargate + +- name: Pause a few seconds to ensure IAM role is available to next task + pause: + seconds: 10 + +# Test - Try Create Fargate profile in non existent EKS +- name: attempt to create fargate profile in non existent eks + eks_fargate_profile: + name: '{{ eks_fargate_profile_name_a }}' + state: present + cluster_name: fake_cluster + role_arn: '{{ iam_role_fargate.arn }}' + subnets: >- + {{setup_subnets.results|selectattr('subnet.tags.Name', 'contains', + 'private') | map(attribute='subnet.id') }} + selectors: '{{ selectors }}' + register: aws_eks_non_existent_eks + ignore_errors: 'yes' + +- name: check that eks_fargate_profile did nothing + assert: + that: + - aws_eks_non_existent_eks is failed + +# Test - Try deleting a non-existent fargate profile +- name: delete an as yet non-existent fargate profile + eks_fargate_profile: + name: fake_profile + cluster_name: '{{ eks_cluster_name }}' + state: absent + role_arn: '{{ iam_role_fargate.arn }}' + subnets: >- + {{setup_subnets.results|selectattr('subnet.tags.Name', 'contains', + 'private') | map(attribute='subnet.id') }} + selectors: '{{ selectors }}' + register: eks_fargate_profile_delete_non_existent + ignore_errors: 'yes' + +- name: check that eks_fargate_profile did nothing + assert: + that: + - eks_fargate_profile_delete_non_existent is not changed + +# Test - Try Create Fargate Profile A with wait and public subnet +- name: Try create Fargate Profile with public subnets + eks_fargate_profile: + name: '{{ eks_fargate_profile_name_a }}' + state: present + cluster_name: '{{ eks_cluster_name }}' + role_arn: '{{ iam_role_fargate.arn }}' + subnets: >- + {{setup_subnets.results|selectattr('subnet.tags.Name', 'contains', + 'public') | map(attribute='subnet.id') }} + selectors: '{{ selectors }}' + wait: true + register: eks_fargate_profile_create + ignore_errors: 'yes' + +- name: check that eks_fargate_profile is not created + assert: + that: + - not eks_fargate_profile_create.changed + - eks_fargate_profile_create.msg.endswith("provided in Fargate Profile is not a private subnet") + +# Create Fargate_profile with wait +- name: create Fargate Profile with wait (check mode) + eks_fargate_profile: + name: '{{ eks_fargate_profile_name_a }}' + state: present + cluster_name: '{{ eks_cluster_name }}' + role_arn: '{{ iam_role_fargate.arn }}' + subnets: >- + {{setup_subnets.results|selectattr('subnet.tags.Name', 'contains', + 'private') | map(attribute='subnet.id') }} + selectors: '{{ selectors }}' + wait: true + tags: '{{ tags }}' + register: eks_fargate_profile_create + ignore_errors: 'yes' + check_mode: True + +- name: check that eks_fargate_profile_create is changed (check mode) + assert: + that: + - eks_fargate_profile_create.changed + +- name: create Fargate Profile with wait + eks_fargate_profile: + name: '{{ eks_fargate_profile_name_a }}' + state: present + cluster_name: '{{ eks_cluster_name }}' + role_arn: '{{ iam_role_fargate.arn }}' + subnets: >- + {{setup_subnets.results|selectattr('subnet.tags.Name', 'contains', + 'private') | map(attribute='subnet.id') }} + selectors: '{{ selectors }}' + wait: true + tags: '{{ tags }}' + register: eks_fargate_profile_create + ignore_errors: 'yes' + +- name: check that eks_fargate_profile is created + assert: + that: + - eks_fargate_profile_create.changed + - eks_fargate_profile_create.status == "ACTIVE" + +- name: Try create same Fargate Profile with wait (idempotency)(check mode) + eks_fargate_profile: + name: '{{ eks_fargate_profile_name_a }}' + state: present + cluster_name: '{{ eks_cluster_name }}' + role_arn: '{{ iam_role_fargate.arn }}' + subnets: >- + {{setup_subnets.results|selectattr('subnet.tags.Name', 'contains', + 'private') | map(attribute='subnet.id') }} + selectors: '{{ selectors }}' + wait: true + tags: '{{ tags }}' + register: eks_fargate_profile_create + ignore_errors: 'yes' + check_mode: True + +- name: check that eks_fargate_profile_create is not changed (idempotency)(check mode) + assert: + that: + - not eks_fargate_profile_create.changed + +- name: Try create same Fargate Profile with wait (idempotency) + eks_fargate_profile: + name: '{{ eks_fargate_profile_name_a }}' + state: present + cluster_name: '{{ eks_cluster_name }}' + role_arn: '{{ iam_role_fargate.arn }}' + subnets: >- + {{setup_subnets.results|selectattr('subnet.tags.Name', 'contains', + 'private') | map(attribute='subnet.id') }} + selectors: '{{ selectors }}' + wait: true + tags: '{{ tags }}' + register: eks_fargate_profile_create + ignore_errors: 'yes' + +- name: check that eks_fargate_profile_create is not changed (idempotency) + assert: + that: + - not eks_fargate_profile_create.changed + +# Update tags Fargate_profile +- name: update tags in Fargate Profile a with wait (check mode) + eks_fargate_profile: + name: '{{ eks_fargate_profile_name_a }}' + state: present + cluster_name: '{{ eks_cluster_name }}' + role_arn: '{{ iam_role_fargate.arn }}' + subnets: >- + {{setup_subnets.results|selectattr('subnet.tags.Name', 'contains', + 'private') | map(attribute='subnet.id') }} + selectors: '{{ selectors }}' + wait: true + tags: + env: test + test: foo + register: eks_fargate_profile_update + ignore_errors: 'yes' + check_mode: True + +- name: check that eks_fargate_profile_update is changed (check mode) + assert: + that: + - eks_fargate_profile_update.changed + +- name: update tags in Fargate Profile a with wait + eks_fargate_profile: + name: '{{ eks_fargate_profile_name_a }}' + state: present + cluster_name: '{{ eks_cluster_name }}' + role_arn: '{{ iam_role_fargate.arn }}' + subnets: >- + {{setup_subnets.results|selectattr('subnet.tags.Name', 'contains', + 'private') | map(attribute='subnet.id') }} + selectors: '{{ selectors }}' + wait: true + tags: + env: test + test: foo + register: eks_fargate_profile_update + ignore_errors: 'yes' + +- name: check that eks_fargate_profile_update is changed + assert: + that: + - eks_fargate_profile_update.changed + +- name: Try update tags again in Fargate Profile a with wait (idempotency)(check mode) + eks_fargate_profile: + name: '{{ eks_fargate_profile_name_a }}' + state: present + cluster_name: '{{ eks_cluster_name }}' + role_arn: '{{ iam_role_fargate.arn }}' + subnets: >- + {{setup_subnets.results|selectattr('subnet.tags.Name', 'contains', + 'private') | map(attribute='subnet.id') }} + selectors: '{{ selectors }}' + wait: true + tags: + env: test + test: foo + register: eks_fargate_profile_update + ignore_errors: 'yes' + check_mode: True + +- name: check that eks_fargate_profile_update is not changed (idempotency)(check mode) + assert: + that: + - not eks_fargate_profile_update.changed + +- name: Try update tags again in Fargate Profile a with wait (idempotency) + eks_fargate_profile: + name: '{{ eks_fargate_profile_name_a }}' + state: present + cluster_name: '{{ eks_cluster_name }}' + role_arn: '{{ iam_role_fargate.arn }}' + subnets: >- + {{setup_subnets.results|selectattr('subnet.tags.Name', 'contains', + 'private') | map(attribute='subnet.id') }} + selectors: '{{ selectors }}' + wait: true + tags: + env: test + test: foo + register: eks_fargate_profile_update + ignore_errors: 'yes' + +- name: check that eks_fargate_profile_update is not changed (idempotency) + assert: + that: + - not eks_fargate_profile_update.changed + +# Create Fargate Profile b without wait +- name: create Fargate Profile b without wait (check mode) + eks_fargate_profile: + name: '{{ eks_fargate_profile_name_b }}' + state: present + cluster_name: '{{ eks_cluster_name }}' + role_arn: '{{ iam_role_fargate.arn }}' + subnets: >- + {{setup_subnets.results|selectattr('subnet.tags.Name', 'contains', + 'private') | map(attribute='subnet.id') }} + selectors: '{{ selectors }}' + register: eks_fargate_profile_create_b + ignore_errors: 'yes' + check_mode: True + +- name: check that eks_fargate_profile is created (check mode) + assert: + that: + - eks_fargate_profile_create_b.changed + +- name: create Fargate Profile b without wait + eks_fargate_profile: + name: '{{ eks_fargate_profile_name_b }}' + state: present + cluster_name: '{{ eks_cluster_name }}' + role_arn: '{{ iam_role_fargate.arn }}' + subnets: >- + {{setup_subnets.results|selectattr('subnet.tags.Name', 'contains', + 'private') | map(attribute='subnet.id') }} + selectors: '{{ selectors }}' + register: eks_fargate_profile_create_b + ignore_errors: 'yes' + +- name: check that eks_fargate_profile is created + assert: + that: + - eks_fargate_profile_create_b.changed + - eks_fargate_profile_create_b.status == "CREATING" + +- name: create Fargate Profile b without wait (idempotency)(check mode) + eks_fargate_profile: + name: '{{ eks_fargate_profile_name_b }}' + state: present + cluster_name: '{{ eks_cluster_name }}' + role_arn: '{{ iam_role_fargate.arn }}' + subnets: >- + {{setup_subnets.results|selectattr('subnet.tags.Name', 'contains', + 'private') | map(attribute='subnet.id') }} + selectors: '{{ selectors }}' + register: eks_fargate_profile_create_b + ignore_errors: 'yes' + check_mode: True + +- name: check that eks_fargate_profile_b is not changed (idempotency)(check mode) + assert: + that: + - not eks_fargate_profile_create_b.changed + +- name: create Fargate Profile without wait (idempotency) + eks_fargate_profile: + name: '{{ eks_fargate_profile_name_b }}' + state: present + cluster_name: '{{ eks_cluster_name }}' + role_arn: '{{ iam_role_fargate.arn }}' + subnets: >- + {{setup_subnets.results|selectattr('subnet.tags.Name', 'contains', + 'private') | map(attribute='subnet.id') }} + selectors: '{{ selectors }}' + register: eks_fargate_profile_create_b + ignore_errors: 'yes' + +- name: check that eks_fargate_profile is not changed (idempotency) + assert: + that: + - not eks_fargate_profile_create_b.changed + +# Delete Fargate Profile A without wait (test check_profiles_status function) +- name: delete a fargate profile a (check mode) + eks_fargate_profile: + name: '{{ eks_fargate_profile_name_a }}' + cluster_name: '{{ eks_cluster_name }}' + state: absent + register: eks_fargate_profile_delete + check_mode: True + +- name: check that eks_fargate_profile a is changed (check mode) + assert: + that: + - eks_fargate_profile_delete.changed + +- name: delete a fargate profile + eks_fargate_profile: + name: '{{ eks_fargate_profile_name_a }}' + cluster_name: '{{ eks_cluster_name }}' + state: absent + register: eks_fargate_profile_delete + +- name: check that eks_fargate_profile is deleted + assert: + that: + - eks_fargate_profile_delete.changed + +- name: delete a fargate profile a (idempotency)(check mode) + eks_fargate_profile: + name: '{{ eks_fargate_profile_name_a }}' + cluster_name: '{{ eks_cluster_name }}' + state: absent + register: eks_fargate_profile_delete + check_mode: True + +- name: check that eks_fargate_profile did nothing (idempotency)(check mode) + assert: + that: + - not eks_fargate_profile_delete.changed + +- name: delete a fargate profile a (idempotency) + eks_fargate_profile: + name: '{{ eks_fargate_profile_name_a }}' + cluster_name: '{{ eks_cluster_name }}' + state: absent + register: eks_fargate_profile_delete + +- name: check that eks_fargate_profile did nothing (idempotency) + assert: + that: + - not eks_fargate_profile_delete.changed + +# Delete Fargate Profile b with wait +- name: delete a fargate profile b (check mode) + eks_fargate_profile: + name: '{{ eks_fargate_profile_name_b }}' + cluster_name: '{{ eks_cluster_name }}' + state: absent + wait: true + register: eks_fargate_profile_b_delete + check_mode: True + +- name: check that eks_fargate_profile is deleted (check mode) + assert: + that: + - eks_fargate_profile_b_delete.changed + +- name: delete a fargate profile b + eks_fargate_profile: + name: '{{ eks_fargate_profile_name_b }}' + cluster_name: '{{ eks_cluster_name }}' + state: absent + wait: true + register: eks_fargate_profile_b_delete + +- name: check that eks_fargate_profile is deleted + assert: + that: + - eks_fargate_profile_b_delete.changed + +- name: delete a fargate profile b (idempotency)(check mode) + eks_fargate_profile: + name: '{{ eks_fargate_profile_name_b }}' + cluster_name: '{{ eks_cluster_name }}' + state: absent + wait: true + register: eks_fargate_profile_b_delete + +- name: check that eks_fargate_profile did nothing (idempotency)(check mode) + assert: + that: + - not eks_fargate_profile_b_delete.changed + +- name: delete a fargate profile b (idempotency) + eks_fargate_profile: + name: '{{ eks_fargate_profile_name_b }}' + cluster_name: '{{ eks_cluster_name }}' + state: absent + wait: true + register: eks_fargate_profile_b_delete + +- name: check that eks_fargate_profile did nothing (idempotency) + assert: + that: + - not eks_fargate_profile_b_delete.changed \ No newline at end of file diff --git a/tests/integration/targets/eks_fargate_profile/tasks/main.yaml b/tests/integration/targets/eks_fargate_profile/tasks/main.yaml new file mode 100644 index 00000000000..77298dc81f1 --- /dev/null +++ b/tests/integration/targets/eks_fargate_profile/tasks/main.yaml @@ -0,0 +1,15 @@ +--- +- name: 'eks_cluster integration tests' + collections: + - amazon.aws + module_defaults: + group/aws: + aws_access_key: '{{ aws_access_key }}' + aws_secret_key: '{{ aws_secret_key }}' + security_token: '{{ security_token | default(omit) }}' + region: '{{ aws_region }}' + block: + - include_tasks: create_eks_cluster.yml + - include_tasks: full_test.yml + always: + - include_tasks: cleanup_eks_cluster.yml \ No newline at end of file