[PR #1657/34e073d5 backport][stable-5] SSM connection plugin - Add encryption tests #1658

Merged
2 changes: 2 additions & 0 deletions changelogs/fragments/20230113-encryption.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
trivial:
- aws_ssm - add initial integration tests for encrypted aws_ssm connections
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
time=10m
time=20m

cloud/aws
connection_aws_ssm
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
time=20m

cloud/aws
connection_aws_ssm
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
- hosts: localhost
roles:
- role: ../setup_connection_aws_ssm
vars:
target_os: fedora
encrypted_bucket: True
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
- hosts: localhost
tasks:
- include_role:
name: ../setup_connection_aws_ssm
tasks_from: cleanup.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
dependencies:
- connection
- setup_connection_aws_ssm
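--- a/tests/integration/targets/connection_aws_ssm_encrypted_s3/runme.sh
+++ b/tests/integration/targets/connection_aws_ssm_encrypted_s3/runme.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+PLAYBOOK_DIR=$(pwd)
+set -eux
+
+CMD_ARGS=("$@")
+
+# Destroy Environment
+cleanup() {
+
+cd "${PLAYBOOK_DIR}"
+ansible-playbook -c local aws_ssm_integration_test_teardown.yml "${CMD_ARGS[@]}"
+
+}
+
+trap "cleanup" EXIT
+
+# Setup Environment
+ansible-playbook -c local aws_ssm_integration_test_setup.yml "$@"
+
+# Export the AWS Keys
+set +x
+. ./aws-env-vars.sh
+set -x
+
+cd ../connection
+
+# Execute Integration tests
+INVENTORY="${PLAYBOOK_DIR}/ssm_inventory" ./test.sh \
+-e target_hosts=aws_ssm \
+"$@"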
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
time=10m
time=20m

cloud/aws
connection_aws_ssm
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
time=10m
time=20m

cloud/aws
connection_aws_ssm
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
time=10m
time=20m

unstable
cloud/aws
Original file line number Diff line number Diff line change
Expand Up @@ -11,24 +11,27 @@ ami_details:
sudo systemctl start amazon-ssm-agent
os_type: linux
amazon:
owner: amazon
name: amzn2-ami-kernel-5.10-hvm-*-x86_64-gp2
ssm_parameter: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2
# owner: amazon
# name: amzn2-ami-kernel-5.10-hvm-*-x86_64-gp2
user_data: |
#!/bin/sh
# Pre-Installed just needs started
sudo systemctl start amazon-ssm-agent
os_type: linux
ubuntu:
owner: amazon
name: ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server*
ssm_parameter: /aws/service/canonical/ubuntu/server-minimal/jammy/stable/current/amd64/hvm/ebs-gp2/ami-id
# owner: amazon
# name: ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server*
user_data: |
#!/bin/sh
# Pre-Installed just needs started
sudo systemctl start amazon-ssm-agent
os_type: linux
windows:
owner: amazon
name: Windows_Server-2022-English-Full-Base-*
ssm_parameter: /aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base
# owner: amazon
# name: Windows_Server-2022-English-Full-Base-*
user_data: |
<powershell>
Invoke-WebRequest -Uri "https://amazon-ssm-us-east-1.s3.amazonaws.com/latest/windows_amd64/AmazonSSMAgentSetup.exe" -OutFile "C:\AmazonSSMAgentSetup.exe"
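Review bot: The ubuntu entry now resolves its AMI from `/aws/service/canonical/ubuntu/server-minimal/jammy/...`, whereas the removed name filter matched the full `ubuntu-jammy-22.04-amd64-server*` image; the `user_data` still assumes the SSM agent is pre-installed and only needs `systemctl start`, and I am not certain the minimal flavour ships it (on Ubuntu AMIs the agent is a snap), so please confirm, or switch to the `/aws/service/canonical/ubuntu/server/jammy/stable/current/amd64/hvm/ebs-gp2/ami-id` parameter if the full image was intended. The commented-out `owner`/`name` pairs under amazon, ubuntu and windows read as dead configuration; the tasks file runs the `ec2_ami_info` lookup only when `name` is set and prefers the SSM result, so either drop them or replace each pair with `# ssm_parameter is preferred; set owner/name to fall back to an ec2_ami_info lookup`. The `ami_details` mapping opens above this hunk.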
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
---
## Task file for setup/teardown AWS resources for aws_ssm integration testing
- name: create a KMS key
aws_kms:
alias: '{{ kms_key_name }}'
grants:
- name: SSM-Agent-Access
grantee_principal: '{{ role_output.iam_role.arn }}'
retiring_principal: '{{ aws_caller_info.arn }}'
operations:
- Decrypt
- Encrypt
- GenerateDataKey
- GenerateDataKeyWithoutPlaintext
- DescribeKey
- Verify
- Sign
- RetireGrant
- name: Ansible-Test-Access
grantee_principal: '{{ aws_caller_info.arn }}'
retiring_principal: '{{ aws_caller_info.arn }}'
operations:
- Decrypt
- Encrypt
- GenerateDataKey
- GenerateDataKeyWithoutPlaintext
- DescribeKey
- Verify
- Sign
- RetireGrant
tags:
ansible-test: '{{ resource_prefix }}-connection-ssm'

# Note: This bucket will **NOT** be deleted, there are some nasty gotchas with the time it takes
# to properly enable encryption so we have a permanant bucket which is automatically emptied
- name: Ensure encrypted bucket exists
s3_bucket:
name: "{{ encrypted_s3_bucket_name }}"
when:
- encrypted_bucket | default(False)
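Review bot: The `SSM-Agent-Access` grant to the instance role is wider than S3 SSE-KMS needs: `Sign`, `Verify` and `RetireGrant` play no part in encrypting or decrypting objects, and the KMS CreateGrant API documents `Sign`/`Verify` as unsupported in grants on a symmetric encryption key, which is what `aws_kms` creates here unless a key spec is passed, so if this ran cleanly in CI they are at best dead permissions. Trim both grants to `Decrypt`, `Encrypt`, `GenerateDataKey`, `GenerateDataKeyWithoutPlaintext` and `DescribeKey`; `RetireGrant` is only needed by the retiring principal, which is already the caller. Separately, `Ensure encrypted bucket exists` creates a bucket that the comment says is permanent with nothing but a name; since it outlives every test run, consider passing the module's public-access block settings, and add a comment that objects rely on the plugin's per-request `aws:kms` SSE rather than bucket default encryption, which the comment above says is slow to take effect.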
42 changes: 27 additions & 15 deletions tests/integration/targets/setup_connection_aws_ssm/tasks/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,10 @@
region: '{{ aws_region }}'
block:

- name: get ARN of calling user
aws_caller_info:
register: aws_caller_info

- name: Ensure IAM instance role exists
iam_role:
name: "ansible-test-{{tiny_prefix}}-aws-ssm-role"
Expand All @@ -26,18 +30,35 @@
set_fact:
ami_configuration: '{{ ami_details[(target_os | default("fedora"))] }}'

- name: AMI Lookup
- name: AMI Lookup (ami_info)
ec2_ami_info:
owners: '{{ ami_configuration.owner }}'
owners: '{{ ami_configuration.owner | default("amazon") }}'
filters:
name: '{{ ami_configuration.name }}'
register: ec2_amis
when:
- ami_configuration.name | default(False)

- name: AMI Lookup (SSM Parameter)
when:
- ami_configuration.ssm_parameter | default(False)
block:
- set_fact:
# As a lookup plugin we don't have access to module_defaults
connection_args:
region: "{{ aws_region }}"
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
aws_security_token: "{{ security_token | default(omit) }}"
no_log: True
- set_fact:
ssm_amis: "{{ lookup('aws_ssm', ami_configuration.ssm_parameter, **connection_args) }}"

- name: Set facts with latest AMIs
vars:
latest_ami: '{{ ec2_amis.images | sort(attribute="creation_date") | last }}'
latest_ami: '{{ ec2_amis.images | default([]) | sort(attribute="creation_date") | last }}'
set_fact:
latest_ami_id: '{{ latest_ami.image_id }}'
latest_ami_id: '{{ ssm_amis | default(latest_ami.image_id) }}'

# (Local installation of the SSM **client** which is then used by the plugin)
- name: Install Session Manager Client for Debian/Ubuntu
Expand Down Expand Up @@ -75,11 +96,8 @@
TestPrefix: '{{ resource_prefix }}'
register: instance_output

- name: create a KMS key
aws_kms:
alias: '{{ kms_key_name }}'
tags:
ansible-test: '{{ resource_prefix }}'
- name: setup encryption
include_tasks: 'encryption.yml'
when:
- encrypted_bucket | default(False)

Expand All @@ -88,12 +106,6 @@
name: "{{ s3_bucket_name }}"
register: s3_output

# Note: This bucket will **NOT** be deleted, there are some nasty gotchas with the time it takes
# to properly enable encryption so we have a permanant bucket which is automatically emptied
- name: Ensure encrypted bucket exists
s3_bucket:
name: "{{ encrypted_s3_bucket_name }}"

- name: Create Inventory file
template:
dest: "{{ playbook_dir }}/ssm_inventory"
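Review bot: `default(omit)` on the `aws_security_token` entry of `connection_args` in the `AMI Lookup (SSM Parameter)` block does not drop the key — `omit` is only honoured for module arguments, so inside `set_fact` the stored fact holds the omit placeholder string and the `aws_ssm` lookup would receive it as a session token whenever `security_token` is undefined, which would break the lookup for non-STS credentials. Add the key conditionally instead, e.g. a second guarded task with `when: security_token is defined`, or use `default(None)` if the lookup tolerates a null token (not verifiable from here). The following `set_fact` that expands `**connection_args` into the lookup has no `no_log` although its arguments resolve to the access key, secret key and token; a templating failure there may echo them, so mark it `no_log: True` as well. These tasks sit inside the `block:` opened in the first hunk of this file.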
Original file line number Diff line number Diff line change
Expand Up @@ -28,13 +28,15 @@ aws_ssm_windows

[aws_ssm:vars]
ansible_connection=community.aws.aws_ssm
ansible_aws_ssm_bucket_name={{ s3_bucket_name }}
ansible_aws_ssm_plugin=/usr/local/sessionmanagerplugin/bin/session-manager-plugin
ansible_python_interpreter=/usr/bin/env python3
local_tmp=/tmp/ansible-local-{{ tiny_prefix }}
{% if encrypted_bucket | default(False) %}
ansible_aws_ssm_bucket_sse_mode='aws:kms'
ansible_aws_ssm_bucket_sse_kms_key_id=alias/{{ kms_key_name }}
ansible_aws_ssm_bucket_name={{ encrypted_s3_bucket_name }}
{% else %}
ansible_aws_ssm_bucket_name={{ s3_bucket_name }}
{% endif %}

# support tests that target testhost