From b642edfc59d543a31e3b49cfa0366dce9cdfda38 Mon Sep 17 00:00:00 2001 
From: "patchback[bot]" <45432694+patchback[bot]@users.noreply.github.com> Date: Wed, 18 Jan 2023 09:10:59 +0000 Subject: [PATCH] SSM connection plugin - Add encryption tests (#1657) (#1658) [PR #1657/34e073d5 backport][stable-5] SSM connection plugin - Add encryption tests This is a backport of PR #1657 as merged into main (34e073d). Depends-On: ansible/ansible-zuul-jobs#1746 SUMMARY Expand on the aws_ssm connection integration tests Follow up on suggestion to use ssm_parameter to locate AMIs Add tests for connection using encrypted buckets ISSUE TYPE Feature Pull Request COMPONENT NAME aws_ssm ADDITIONAL INFORMATION Reviewed-by: Markus Bergholz --- changelogs/fragments/20230113-encryption.yml | 2 + .../targets/connection_aws_ssm_amazon/aliases | 2 +- .../connection_aws_ssm_encrypted_s3/aliases | 4 ++ .../aws_ssm_integration_test_setup.yml | 6 +++ .../aws_ssm_integration_test_teardown.yml | 5 +++ .../meta/main.yml | 3 ++ .../connection_aws_ssm_encrypted_s3/runme.sh | 31 ++++++++++++++ .../targets/connection_aws_ssm_fedora/aliases | 2 +- .../targets/connection_aws_ssm_ubuntu/aliases | 2 +- .../connection_aws_ssm_windows/aliases | 2 +- .../defaults/main.yml | 15 ++++--- .../tasks/encryption.yml | 40 ++++++++++++++++++ .../setup_connection_aws_ssm/tasks/main.yml | 42 ++++++++++++------- .../templates/inventory-combined.aws_ssm.j2 | 4 +- 14 files changed, 134 insertions(+), 26 deletions(-) create mode 100644 changelogs/fragments/20230113-encryption.yml create mode 100644 tests/integration/targets/connection_aws_ssm_encrypted_s3/aliases create mode 100644 tests/integration/targets/connection_aws_ssm_encrypted_s3/aws_ssm_integration_test_setup.yml create mode 100644 tests/integration/targets/connection_aws_ssm_encrypted_s3/aws_ssm_integration_test_teardown.yml create mode 100644 tests/integration/targets/connection_aws_ssm_encrypted_s3/meta/main.yml create mode 100755 tests/integration/targets/connection_aws_ssm_encrypted_s3/runme.sh create mode 100644 
tests/integration/targets/setup_connection_aws_ssm/tasks/encryption.yml
diff --git a/changelogs/fragments/20230113-encryption.yml b/changelogs/fragments/20230113-encryption.yml
new file mode 100644
index 00000000000..a267f272f57
--- /dev/null
+++ b/changelogs/fragments/20230113-encryption.yml
@@ -0,0 +1,2 @@
+trivial:
+- aws_ssm - add initial integration tests for encrypted aws_ssm connections
diff --git a/tests/integration/targets/connection_aws_ssm_amazon/aliases b/tests/integration/targets/connection_aws_ssm_amazon/aliases
index eb8e0b8914b..2f6a2beab2a 100644
--- a/tests/integration/targets/connection_aws_ssm_amazon/aliases
+++ b/tests/integration/targets/connection_aws_ssm_amazon/aliases
@@ -1,4 +1,4 @@
-time=10m +time=20m cloud/aws connection_aws_ssm
diff --git a/tests/integration/targets/connection_aws_ssm_encrypted_s3/aliases b/tests/integration/targets/connection_aws_ssm_encrypted_s3/aliases
new file mode 100644
index 00000000000..2f6a2beab2a
--- /dev/null
+++ b/tests/integration/targets/connection_aws_ssm_encrypted_s3/aliases
@@ -0,0 +1,4 @@
+time=20m
+
+cloud/aws
+connection_aws_ssm
diff --git a/tests/integration/targets/connection_aws_ssm_encrypted_s3/aws_ssm_integration_test_setup.yml b/tests/integration/targets/connection_aws_ssm_encrypted_s3/aws_ssm_integration_test_setup.yml
new file mode 100644
index 00000000000..6206976f1a7
--- /dev/null
+++ b/tests/integration/targets/connection_aws_ssm_encrypted_s3/aws_ssm_integration_test_setup.yml
@@ -0,0 +1,6 @@
+- hosts: localhost
+ roles:
+ - role: ../setup_connection_aws_ssm
+ vars:
+ target_os: fedora
+ encrypted_bucket: True
diff --git a/tests/integration/targets/connection_aws_ssm_encrypted_s3/aws_ssm_integration_test_teardown.yml b/tests/integration/targets/connection_aws_ssm_encrypted_s3/aws_ssm_integration_test_teardown.yml
new file mode 100644
index 00000000000..3ab6f74cf64
--- /dev/null
+++ b/tests/integration/targets/connection_aws_ssm_encrypted_s3/aws_ssm_integration_test_teardown.yml
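Review bot: `encrypted_bucket: True` on the last line of the new aws_ssm_integration_test_setup.yml uses a capitalised boolean; Ansible accepts it, but yamllint's truthy rule flags it and the canonical YAML spelling is lowercase, so write `encrypted_bucket: true`. The same spelling appears as `no_log: True` in the new "AMI Lookup (SSM Parameter)" block of tests/integration/targets/setup_connection_aws_ssm/tasks/main.yml and should be changed the same way.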
@@ -0,0 +1,5 @@
+- hosts: localhost
+ tasks:
+ - include_role:
+ name: ../setup_connection_aws_ssm
+ tasks_from: cleanup.yml
diff --git a/tests/integration/targets/connection_aws_ssm_encrypted_s3/meta/main.yml b/tests/integration/targets/connection_aws_ssm_encrypted_s3/meta/main.yml
new file mode 100644
index 00000000000..d055eb86e84
--- /dev/null
+++ b/tests/integration/targets/connection_aws_ssm_encrypted_s3/meta/main.yml
@@ -0,0 +1,3 @@
+dependencies:
+ - connection
+ - setup_connection_aws_ssm
diff --git a/tests/integration/targets/connection_aws_ssm_encrypted_s3/runme.sh b/tests/integration/targets/connection_aws_ssm_encrypted_s3/runme.sh
new file mode 100755
index 00000000000..c99b3b0663b
--- /dev/null
+++ b/tests/integration/targets/connection_aws_ssm_encrypted_s3/runme.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+PLAYBOOK_DIR=$(pwd)
+set -eux
+
+CMD_ARGS=("$@")
+
+# Destroy Environment
+cleanup() {
+
+ cd "${PLAYBOOK_DIR}"
+ ansible-playbook -c local aws_ssm_integration_test_teardown.yml "${CMD_ARGS[@]}"
+
+}
+
+trap "cleanup" EXIT
+
+# Setup Environment
+ansible-playbook -c local aws_ssm_integration_test_setup.yml "$@"
+
+# Export the AWS Keys
+set +x
+. ./aws-env-vars.sh
+set -x
+
+cd ../connection
+
+# Execute Integration tests
+INVENTORY="${PLAYBOOK_DIR}/ssm_inventory" ./test.sh \
+ -e target_hosts=aws_ssm
+ "$@"
diff --git a/tests/integration/targets/connection_aws_ssm_fedora/aliases b/tests/integration/targets/connection_aws_ssm_fedora/aliases
index eb8e0b8914b..2f6a2beab2a 100644
--- a/tests/integration/targets/connection_aws_ssm_fedora/aliases
+++ b/tests/integration/targets/connection_aws_ssm_fedora/aliases
@@ -1,4 +1,4 @@
-time=10m +time=20m cloud/aws connection_aws_ssm
diff --git a/tests/integration/targets/connection_aws_ssm_ubuntu/aliases b/tests/integration/targets/connection_aws_ssm_ubuntu/aliases
index eb8e0b8914b..2f6a2beab2a 100644
--- a/tests/integration/targets/connection_aws_ssm_ubuntu/aliases
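Review bot: As rendered here, the `-e target_hosts=aws_ssm` line at the end of the new runme.sh carries no trailing backslash, so the following `"$@"` would run as a separate command instead of being passed to `./test.sh`, and under `set -e` a first argument such as `-vvv` would then abort the run with "command not found"; if the backslash was lost in extraction this is moot, otherwise the line should read `-e target_hosts=aws_ssm \`. The reason for wrapping `. ./aws-env-vars.sh` in `set +x` / `set -x` is worth stating for the next reader, e.g. `# keep the exported credentials out of the xtrace output`. As a point of style, `trap cleanup EXIT` needs no quotes and the empty lines inside `cleanup()` can go.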
+++ b/tests/integration/targets/connection_aws_ssm_ubuntu/aliases
@@ -1,4 +1,4 @@
-time=10m +time=20m cloud/aws connection_aws_ssm
diff --git a/tests/integration/targets/connection_aws_ssm_windows/aliases b/tests/integration/targets/connection_aws_ssm_windows/aliases
index ad8f7302c86..a9f7ce49d36 100644
--- a/tests/integration/targets/connection_aws_ssm_windows/aliases
+++ b/tests/integration/targets/connection_aws_ssm_windows/aliases
@@ -1,4 +1,4 @@
-time=10m +time=20m unstable cloud/aws
diff --git a/tests/integration/targets/setup_connection_aws_ssm/defaults/main.yml b/tests/integration/targets/setup_connection_aws_ssm/defaults/main.yml
index e4886a0b2d4..fb54b2cbbc2 100644
--- a/tests/integration/targets/setup_connection_aws_ssm/defaults/main.yml
+++ b/tests/integration/targets/setup_connection_aws_ssm/defaults/main.yml
@@ -11,24 +11,27 @@ ami_details: sudo systemctl start amazon-ssm-agent os_type: linux amazon: - owner: amazon - name: amzn2-ami-kernel-5.10-hvm-*-x86_64-gp2 + ssm_parameter: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 + # owner: amazon + # name: amzn2-ami-kernel-5.10-hvm-*-x86_64-gp2 user_data: | #!/bin/sh # Pre-Installed just needs started sudo systemctl start amazon-ssm-agent os_type: linux ubuntu: - owner: amazon - name: ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server* + ssm_parameter: /aws/service/canonical/ubuntu/server-minimal/jammy/stable/current/amd64/hvm/ebs-gp2/ami-id + # owner: amazon + # name: ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server* user_data: | #!/bin/sh # Pre-Installed just needs started sudo systemctl start amazon-ssm-agent os_type: linux windows: - owner: amazon - name: Windows_Server-2022-English-Full-Base-* + ssm_parameter: /aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base + # owner: amazon + # name: Windows_Server-2022-English-Full-Base-* user_data: | Invoke-WebRequest -Uri "https://amazon-ssm-us-east-1.s3.amazonaws.com/latest/windows_amd64/AmazonSSMAgentSetup.exe" -OutFile "C:\AmazonSSMAgentSetup.exe"
diff --git a/tests/integration/targets/setup_connection_aws_ssm/tasks/encryption.yml b/tests/integration/targets/setup_connection_aws_ssm/tasks/encryption.yml
new file mode 100644
index 00000000000..100839beb9e
--- /dev/null
+++ b/tests/integration/targets/setup_connection_aws_ssm/tasks/encryption.yml
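Review bot: The `# owner:` / `# name:` pairs added under `amazon`, `ubuntu` and `windows` in defaults/main.yml are commented-out configuration that will drift from the code; since tasks/main.yml still honours `name`/`owner` through the `ec2_ami_info` path, either drop them or replace the first pair with a comment that states the contract, e.g. `# Either ssm_parameter (preferred) or name/owner for an ec2_ami_info lookup`. The ubuntu entry also moves from a `...jammy-22.04-amd64-server*` name filter to a parameter under `server-minimal/`, which selects a different image family; if that is intended, a one-line comment saying so would save the next reader a question. The `ami_details` mapping this hunk edits begins before the hunk.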
@@ -0,0 +1,40 @@
+---
+## Task file for setup/teardown AWS resources for aws_ssm integration testing
+- name: create a KMS key
+ aws_kms:
+ alias: '{{ kms_key_name }}'
+ grants:
+ - name: SSM-Agent-Access
+ grantee_principal: '{{ role_output.iam_role.arn }}'
+ retiring_principal: '{{ aws_caller_info.arn }}'
+ operations:
+ - Decrypt
+ - Encrypt
+ - GenerateDataKey
+ - GenerateDataKeyWithoutPlaintext
+ - DescribeKey
+ - Verify
+ - Sign
+ - RetireGrant
+ - name: Ansible-Test-Access
+ grantee_principal: '{{ aws_caller_info.arn }}'
+ retiring_principal: '{{ aws_caller_info.arn }}'
+ operations:
+ - Decrypt
+ - Encrypt
+ - GenerateDataKey
+ - GenerateDataKeyWithoutPlaintext
+ - DescribeKey
+ - Verify
+ - Sign
+ - RetireGrant
+ tags:
+ ansible-test: '{{ resource_prefix }}-connection-ssm'
+
+# Note: This bucket will **NOT** be deleted, there are some nasty gotchas with the time it takes
+# to properly enable encryption so we have a permanant bucket which is automatically emptied
+- name: Ensure encrypted bucket exists
+ s3_bucket:
+ name: "{{ encrypted_s3_bucket_name }}"
+ when:
+ - encrypted_bucket | default(False)
diff --git a/tests/integration/targets/setup_connection_aws_ssm/tasks/main.yml b/tests/integration/targets/setup_connection_aws_ssm/tasks/main.yml
index 291a2daa891..509e8eec5e2 100644
--- a/tests/integration/targets/setup_connection_aws_ssm/tasks/main.yml
+++ b/tests/integration/targets/setup_connection_aws_ssm/tasks/main.yml
@@ -11,6 +11,10 @@ region: '{{ aws_region }}' block: + - name: get ARN of calling user + aws_caller_info: + register: aws_caller_info + + - name: Ensure IAM instance role exists iam_role: name: "ansible-test-{{tiny_prefix}}-aws-ssm-role"
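Review bot: The `Ensure encrypted bucket exists` task in the new encryption.yml passes only `name:` to `s3_bucket`, so if `encrypted_s3_bucket_name` is ever absent the module creates it without the KMS encryption the test is meant to exercise, and the task name over-promises. Either pass `encryption: aws:kms` together with `encryption_key_id` for the key created above, or rename the task to `Ensure persistent pre-encrypted bucket exists` and extend the comment above it to say that encryption is configured out of band. The `SSM-Agent-Access` grant gives the instance role `Sign`, `Verify` and `RetireGrant` in addition to the data-key operations; `Sign`/`Verify` only apply to asymmetric keys, and SSE-KMS on S3 needs `Encrypt`, `Decrypt`, `GenerateDataKey` and `DescribeKey`, so the grant could be trimmed to what the plugin actually uses. The trailing `when: encrypted_bucket | default(False)` duplicates the condition already placed on the `include_tasks` in tasks/main.yml, which is harmless but worth a comment if it is meant to guard direct includes of this file.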
@@ -26,18 +30,35 @@ set_fact: ami_configuration: '{{ ami_details[(target_os | default("fedora"))] }}' - - name: AMI Lookup + - name: AMI Lookup (ami_info) ec2_ami_info: - owners: '{{ ami_configuration.owner }}' + owners: '{{ ami_configuration.owner | default("amazon") }}' filters: name: '{{ ami_configuration.name }}' register: ec2_amis + when: + - ami_configuration.name | default(False) + + - name: AMI Lookup (SSM Parameter) + when: + - ami_configuration.ssm_parameter | default(False) + block: + - set_fact: + # As a lookup plugin we don't have access to module_defaults + connection_args: + region: "{{ aws_region }}" + aws_access_key: "{{ aws_access_key }}" + aws_secret_key: "{{ aws_secret_key }}" + aws_security_token: "{{ security_token | default(omit) }}" + no_log: True + - set_fact: + ssm_amis: "{{ lookup('aws_ssm', ami_configuration.ssm_parameter, **connection_args) }}" - name: Set facts with latest AMIs vars: - latest_ami: '{{ ec2_amis.images | sort(attribute="creation_date") | last }}' + latest_ami: '{{ ec2_amis.images | default([]) | sort(attribute="creation_date") | last }}' set_fact: - latest_ami_id: '{{ latest_ami.image_id }}' + latest_ami_id: '{{ ssm_amis | default(latest_ami.image_id) }}' # (Local installation of the SSM **client** which is then used by the plugin) - name: Install Session Manager Client for Debian/Ubuntu
@@ -75,11 +96,8 @@ TestPrefix: '{{ resource_prefix }}' register: instance_output - - name: create a KMS key - aws_kms: - alias: '{{ kms_key_name }}' - tags: - ansible-test: '{{ resource_prefix }}' + - name: setup encryption + include_tasks: 'encryption.yml' when: - encrypted_bucket | default(False)
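Review bot: The `AMI Lookup (SSM Parameter)` block copies `aws_secret_key` and `security_token` into the `connection_args` fact; `no_log: True` hides that one `set_fact` task's output, but the fact then persists in hostvars for the rest of the play (and in any fact cache), and the second `set_fact` that consumes it carries no `no_log`, so a failing lookup may echo its arguments in the error. Building the kwargs inline in the `lookup('aws_ssm', ...)` call, or adding `no_log: true` to the consuming task as well, keeps the secret out of registered state. `latest_ami` now evaluates to an empty-sequence result on the SSM path and `latest_ami_id` only falls back to it when `ssm_amis` is undefined; a comment such as `# latest_ami is only meaningful on the ec2_ami_info path; ssm_amis wins when set` would make the two-path logic explicit. The enclosing `block:` that holds these tasks begins before the hunk.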
@@ -88,12 +106,6 @@ name: "{{ s3_bucket_name }}" register: s3_output - # Note: This bucket will **NOT** be deleted, there are some nasty gotchas with the time it takes - # to properly enable encryption so we have a permanant bucket which is automatically emptied - - name: Ensure encrypted bucket exists - s3_bucket: - name: "{{ encrypted_s3_bucket_name }}" - - name: Create Inventory file template: dest: "{{ playbook_dir }}/ssm_inventory"
diff --git a/tests/integration/targets/setup_connection_aws_ssm/templates/inventory-combined.aws_ssm.j2 b/tests/integration/targets/setup_connection_aws_ssm/templates/inventory-combined.aws_ssm.j2
index 80b08244caa..ea73a93752f 100644
--- a/tests/integration/targets/setup_connection_aws_ssm/templates/inventory-combined.aws_ssm.j2
+++ b/tests/integration/targets/setup_connection_aws_ssm/templates/inventory-combined.aws_ssm.j2
@@ -28,13 +28,15 @@ aws_ssm_windows [aws_ssm:vars] ansible_connection=community.aws.aws_ssm -ansible_aws_ssm_bucket_name={{ s3_bucket_name }} ansible_aws_ssm_plugin=/usr/local/sessionmanagerplugin/bin/session-manager-plugin ansible_python_interpreter=/usr/bin/env python3 local_tmp=/tmp/ansible-local-{{ tiny_prefix }} {% if encrypted_bucket | default(False) %} ansible_aws_ssm_bucket_sse_mode='aws:kms' ansible_aws_ssm_bucket_sse_kms_key_id=alias/{{ kms_key_name }} +ansible_aws_ssm_bucket_name={{ encrypted_s3_bucket_name }} +{% else %} +ansible_aws_ssm_bucket_name={{ s3_bucket_name }} {% endif %} # support tests that target testhost