SSM connection plugin - Add encryption tests (#1657) (#1658)
[PR #1657/34e073d5 backport][stable-5] SSM connection plugin - Add encryption tests

This is a backport of PR #1657 as merged into main (34e073d).
Depends-On: ansible/ansible-zuul-jobs#1746
SUMMARY
Expand on the aws_ssm connection integration tests

Follow up on suggestion to use ssm_parameter to locate AMIs
Add tests for connection using encrypted buckets

ISSUE TYPE

Feature Pull Request

COMPONENT NAME
aws_ssm
ADDITIONAL INFORMATION

Reviewed-by: Markus Bergholz <[email protected]>
patchback[bot] authored Jan 18, 2023
1 parent 7dc4f32 commit b642edf
Showing 14 changed files with 134 additions and 26 deletions.
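--- a/changelogs/fragments/20230113-encryption.yml
+++ b/changelogs/fragments/20230113-encryption.yml
@@ -0,0 +1,2 @@
+trivial:
+- aws_ssm - add initial integration tests for encrypted aws_ssm connections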
@@ -1,4 +1,4 @@
time=10m
time=20m

cloud/aws
connection_aws_ssm
@@ -0,0 +1,4 @@
time=20m

cloud/aws
connection_aws_ssm
@@ -0,0 +1,6 @@
- hosts: localhost
roles:
- role: ../setup_connection_aws_ssm
vars:
target_os: fedora
encrypted_bucket: True
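Review bot: `encrypted_bucket: True` uses the Python-style capitalised boolean, which yamllint's truthy rule flags and which reads inconsistently next to the lowercase `true`/`false` YAML 1.2 defines; change it to `encrypted_bucket: true`. The same applies to `no_log: True` in the new `AMI Lookup (SSM Parameter)` block of tests/integration/targets/setup_connection_aws_ssm/tasks/main.yml in this commit.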
@@ -0,0 +1,5 @@
- hosts: localhost
tasks:
- include_role:
name: ../setup_connection_aws_ssm
tasks_from: cleanup.yml
@@ -0,0 +1,3 @@
dependencies:
- connection
- setup_connection_aws_ssm
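--- a/tests/integration/targets/connection_aws_ssm_encrypted_s3/runme.sh
+++ b/tests/integration/targets/connection_aws_ssm_encrypted_s3/runme.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+PLAYBOOK_DIR=$(pwd)
+set -eux
+
+CMD_ARGS=("$@")
+
+# Destroy Environment
+cleanup() {
+
+cd "${PLAYBOOK_DIR}"
+ansible-playbook -c local aws_ssm_integration_test_teardown.yml "${CMD_ARGS[@]}"
+
+}
+
+trap "cleanup" EXIT
+
+# Setup Environment
+ansible-playbook -c local aws_ssm_integration_test_setup.yml "$@"
+
+# Export the AWS Keys
+set +x
+. ./aws-env-vars.sh
+set -x
+
+cd ../connection
+
+# Execute Integration tests
+INVENTORY="${PLAYBOOK_DIR}/ssm_inventory" ./test.sh \
+-e target_hosts=aws_ssm \
+"$@"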
@@ -1,4 +1,4 @@
time=10m
time=20m

cloud/aws
connection_aws_ssm
@@ -1,4 +1,4 @@
time=10m
time=20m

cloud/aws
connection_aws_ssm
@@ -1,4 +1,4 @@
time=10m
time=20m

unstable
cloud/aws
Expand Up @@ -11,24 +11,27 @@ ami_details:
sudo systemctl start amazon-ssm-agent
os_type: linux
amazon:
owner: amazon
name: amzn2-ami-kernel-5.10-hvm-*-x86_64-gp2
ssm_parameter: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2
# owner: amazon
# name: amzn2-ami-kernel-5.10-hvm-*-x86_64-gp2
user_data: |
#!/bin/sh
# Pre-Installed just needs started
sudo systemctl start amazon-ssm-agent
os_type: linux
ubuntu:
owner: amazon
name: ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server*
ssm_parameter: /aws/service/canonical/ubuntu/server-minimal/jammy/stable/current/amd64/hvm/ebs-gp2/ami-id
# owner: amazon
# name: ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server*
user_data: |
#!/bin/sh
# Pre-Installed just needs started
sudo systemctl start amazon-ssm-agent
os_type: linux
windows:
owner: amazon
name: Windows_Server-2022-English-Full-Base-*
ssm_parameter: /aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base
# owner: amazon
# name: Windows_Server-2022-English-Full-Base-*
user_data: |
<powershell>
Invoke-WebRequest -Uri "https://amazon-ssm-us-east-1.s3.amazonaws.com/latest/windows_amd64/AmazonSSMAgentSetup.exe" -OutFile "C:\AmazonSSMAgentSetup.exe"
Expand Down
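Review bot: The `owner:`/`name:` pairs under `amazon`, `ubuntu` and `windows` are left as commented-out configuration with no explanation, while tasks/main.yml in this same commit still honours them as the `ec2_ami_info` fallback whenever `ssm_parameter` is absent. Either delete them, or replace the bare `# owner:` line of each entry with `# Fallback for the ec2_ami_info lookup; only used when ssm_parameter is unset` so a reader knows they are intentional rather than dead text. The `ami_details` mapping starts before this hunk and the `windows` entry continues past it.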
@@ -0,0 +1,40 @@
---
## Task file for setup/teardown AWS resources for aws_ssm integration testing
- name: create a KMS key
aws_kms:
alias: '{{ kms_key_name }}'
grants:
- name: SSM-Agent-Access
grantee_principal: '{{ role_output.iam_role.arn }}'
retiring_principal: '{{ aws_caller_info.arn }}'
operations:
- Decrypt
- Encrypt
- GenerateDataKey
- GenerateDataKeyWithoutPlaintext
- DescribeKey
- Verify
- Sign
- RetireGrant
- name: Ansible-Test-Access
grantee_principal: '{{ aws_caller_info.arn }}'
retiring_principal: '{{ aws_caller_info.arn }}'
operations:
- Decrypt
- Encrypt
- GenerateDataKey
- GenerateDataKeyWithoutPlaintext
- DescribeKey
- Verify
- Sign
- RetireGrant
tags:
ansible-test: '{{ resource_prefix }}-connection-ssm'

# Note: This bucket will **NOT** be deleted, there are some nasty gotchas with the time it takes
# to properly enable encryption so we have a permanant bucket which is automatically emptied
- name: Ensure encrypted bucket exists
s3_bucket:
name: "{{ encrypted_s3_bucket_name }}"
when:
- encrypted_bucket | default(False)
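Review bot: Both grants on the new KMS key hand their principal `Sign`, `Verify`, `GenerateDataKeyWithoutPlaintext` and `RetireGrant` in addition to `Encrypt`/`Decrypt`/`GenerateDataKey`/`DescribeKey`, and the `SSM-Agent-Access` grant goes to the instance role the SSM agent runs as; unless the SSE-KMS upload path exercised by this test needs the wider set (nothing in the hunk shows that it does), trimming the agent grant to the operations the plugin performs keeps the test's privilege surface minimal, or a comment above `grants:` should state why the full list is required. The `when: encrypted_bucket | default(False)` on `Ensure encrypted bucket exists` is redundant inside this file, which tasks/main.yml only includes under the same condition; dropping it, or applying it to the KMS task too, avoids the two tasks looking like they have different conditions. The bucket task sets no `encryption:` option, so as far as this hunk shows at-rest protection for the test objects comes only from the per-object `aws:kms` headers configured in the inventory template; worth saying so in the existing `# Note:` comment so nobody later assumes default bucket encryption is being tested.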
42 changes: 27 additions & 15 deletions tests/integration/targets/setup_connection_aws_ssm/tasks/main.yml
Expand Up @@ -11,6 +11,10 @@
region: '{{ aws_region }}'
block:

- name: get ARN of calling user
aws_caller_info:
register: aws_caller_info

- name: Ensure IAM instance role exists
iam_role:
name: "ansible-test-{{tiny_prefix}}-aws-ssm-role"
Expand All @@ -26,18 +30,35 @@
set_fact:
ami_configuration: '{{ ami_details[(target_os | default("fedora"))] }}'

- name: AMI Lookup
- name: AMI Lookup (ami_info)
ec2_ami_info:
owners: '{{ ami_configuration.owner }}'
owners: '{{ ami_configuration.owner | default("amazon") }}'
filters:
name: '{{ ami_configuration.name }}'
register: ec2_amis
when:
- ami_configuration.name | default(False)

- name: AMI Lookup (SSM Parameter)
when:
- ami_configuration.ssm_parameter | default(False)
block:
- set_fact:
# As a lookup plugin we don't have access to module_defaults
connection_args:
region: "{{ aws_region }}"
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
aws_security_token: "{{ security_token | default(omit) }}"
no_log: True
- set_fact:
ssm_amis: "{{ lookup('aws_ssm', ami_configuration.ssm_parameter, **connection_args) }}"

- name: Set facts with latest AMIs
vars:
latest_ami: '{{ ec2_amis.images | sort(attribute="creation_date") | last }}'
latest_ami: '{{ ec2_amis.images | default([]) | sort(attribute="creation_date") | last }}'
set_fact:
latest_ami_id: '{{ latest_ami.image_id }}'
latest_ami_id: '{{ ssm_amis | default(latest_ami.image_id) }}'

# (Local installation of the SSM **client** which is then used by the plugin)
- name: Install Session Manager Client for Debian/Ubuntu
Expand Down Expand Up @@ -75,11 +96,8 @@
TestPrefix: '{{ resource_prefix }}'
register: instance_output

- name: create a KMS key
aws_kms:
alias: '{{ kms_key_name }}'
tags:
ansible-test: '{{ resource_prefix }}'
- name: setup encryption
include_tasks: 'encryption.yml'
when:
- encrypted_bucket | default(False)

Expand All @@ -88,12 +106,6 @@
name: "{{ s3_bucket_name }}"
register: s3_output

# Note: This bucket will **NOT** be deleted, there are some nasty gotchas with the time it takes
# to properly enable encryption so we have a permanant bucket which is automatically emptied
- name: Ensure encrypted bucket exists
s3_bucket:
name: "{{ encrypted_s3_bucket_name }}"

- name: Create Inventory file
template:
dest: "{{ playbook_dir }}/ssm_inventory"
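Review bot: The `connection_args` fact set in the new `AMI Lookup (SSM Parameter)` block persists `aws_access_key`, `aws_secret_key` and `aws_security_token` as a host fact for the rest of the play; `no_log` hides that task's output, but the values remain readable through `hostvars` and would be written to disk if fact caching is enabled. The mapping only exists to feed the lookup, so scoping it as task `vars:` on the `ssm_amis` task keeps the credentials out of the fact store while leaving the `lookup('aws_ssm', ...)` call unchanged. The `ec2_ami_info` task above and the `Set facts with latest AMIs` task are unaffected; the enclosing `block:` of the role starts before this hunk.
```yaml
- name: AMI Lookup (SSM Parameter)
  when:
    - ami_configuration.ssm_parameter | default(False)
  vars:
    # As a lookup plugin we don't have access to module_defaults; task-scoped
    # vars keep the credentials out of the persisted fact store
    connection_args:
      region: "{{ aws_region }}"
      aws_access_key: "{{ aws_access_key }}"
      aws_secret_key: "{{ aws_secret_key }}"
      aws_security_token: "{{ security_token | default(omit) }}"
  set_fact:
    ssm_amis: "{{ lookup('aws_ssm', ami_configuration.ssm_parameter, **connection_args) }}"
# … unchanged: Set facts with latest AMIs …
```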
Expand Up @@ -28,13 +28,15 @@ aws_ssm_windows

[aws_ssm:vars]
ansible_connection=community.aws.aws_ssm
ansible_aws_ssm_bucket_name={{ s3_bucket_name }}
ansible_aws_ssm_plugin=/usr/local/sessionmanagerplugin/bin/session-manager-plugin
ansible_python_interpreter=/usr/bin/env python3
local_tmp=/tmp/ansible-local-{{ tiny_prefix }}
{% if encrypted_bucket | default(False) %}
ansible_aws_ssm_bucket_sse_mode='aws:kms'
ansible_aws_ssm_bucket_sse_kms_key_id=alias/{{ kms_key_name }}
ansible_aws_ssm_bucket_name={{ encrypted_s3_bucket_name }}
{% else %}
ansible_aws_ssm_bucket_name={{ s3_bucket_name }}
{% endif %}

# support tests that target testhost