summaryrefslogtreecommitdiffstats
path: root/test/integration/targets/aws_kms
diff options
context:
space:
mode:
Diffstat (limited to 'test/integration/targets/aws_kms')
-rw-r--r--test/integration/targets/aws_kms/tasks/main.yml153
-rw-r--r--test/integration/targets/aws_kms/templates/console-policy.j272
2 files changed, 118 insertions, 107 deletions
diff --git a/test/integration/targets/aws_kms/tasks/main.yml b/test/integration/targets/aws_kms/tasks/main.yml
index 784796bff2..2e8643a50e 100644
--- a/test/integration/targets/aws_kms/tasks/main.yml
+++ b/test/integration/targets/aws_kms/tasks/main.yml
@@ -1,21 +1,36 @@
-- block:
+- module_defaults:
+ group/aws:
+ region: "{{ aws_region }}"
+ aws_access_key: "{{ aws_access_key }}"
+ aws_secret_key: "{{ aws_secret_key }}"
+ security_token: "{{ security_token | default(omit) }}"
+ block:
+ # ============================================================
+ # PREPARATION
+ #
+ # Get some information about who we are before starting our tests
+ # we'll need this as soon as we start working on the policies
+ - name: get ARN of calling user
+ aws_caller_info:
+ register: aws_caller_info
+ # IAM Roles completes before the Role is fully instantiated, create it here
+ # to ensure it exists when we need it for updating the policies
+ - name: create an IAM role that can do nothing
+ iam_role:
+ name: "{{ resource_prefix }}-kms-role"
+ state: present
+ assume_role_policy_document: '{"Version": "2012-10-17", "Statement": {"Action": "sts:AssumeRole", "Principal": {"Service": "ec2.amazonaws.com"}, "Effect": "Deny"} }'
+ register: iam_role_result
# ============================================================
+ # TESTS
- name: See whether key exists and its current state
aws_kms_info:
- region: "{{ aws_region }}"
- aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
- security_token: "{{ security_token }}"
filters:
alias: "{{ resource_prefix }}-kms"
- name: create a key
aws_kms:
- region: "{{ aws_region }}"
- aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
- security_token: "{{ security_token }}"
alias: "{{ resource_prefix }}-kms"
tags:
Hello: World
@@ -31,10 +46,6 @@
- name: find facts about the key
aws_kms_info:
- region: "{{ aws_region }}"
- aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
- security_token: "{{ security_token }}"
filters:
alias: "{{ resource_prefix }}-kms"
register: new_key
@@ -44,15 +55,27 @@
that:
- new_key["keys"]|length == 1
- - name: create an IAM role that can do nothing
- iam_role:
- name: "{{ resource_prefix }}-kms-role"
- state: present
- assume_role_policy_document: '{"Version": "2012-10-17", "Statement": {"Action": "sts:AssumeRole", "Principal": {"Service": "ec2.amazonaws.com"}, "Effect": "Deny"} }'
- aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
- security_token: "{{ security_token }}"
- register: iam_role_result
+ - name: Update Policy on key to match AWS Console generate policy
+ aws_kms:
+ key_alias: "alias/{{ resource_prefix }}-kms"
+ policy: "{{ lookup('template', 'console-policy.j2') | to_json }}"
+ register: kms_policy_changed
+
+ - name: Policy should have been changed
+ assert:
+ that:
+ - kms_policy_changed is changed
+
+ - name: Attempt to re-assert the same policy
+ aws_kms:
+ key_alias: "alias/{{ resource_prefix }}-kms"
+ policy: "{{ lookup('template', 'console-policy.j2') | to_json }}"
+ register: kms_policy_changed
+
+ - name: Policy should not have changed since it was last set
+ assert:
+ that:
+ - kms_policy_changed is succeeded
- name: grant user-style access to production secrets
aws_kms:
@@ -60,17 +83,9 @@
key_alias: "alias/{{ resource_prefix }}-kms"
role_name: "{{ resource_prefix }}-kms-role"
grant_types: "role,role grant"
- aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
- security_token: "{{ security_token }}"
- region: "{{ aws_region }}"
- name: find facts about the key
aws_kms_info:
- region: "{{ aws_region }}"
- aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
- security_token: "{{ security_token }}"
filters:
alias: "{{ resource_prefix }}-kms"
register: new_key
@@ -80,44 +95,15 @@
mode: deny
key_alias: "alias/{{ resource_prefix }}-kms"
role_arn: "{{ iam_role_result.iam_role.arn }}"
- aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
- security_token: "{{ security_token }}"
- region: "{{ aws_region }}"
- name: find facts about the key
aws_kms_info:
- region: "{{ aws_region }}"
- aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
- security_token: "{{ security_token }}"
filters:
alias: "{{ resource_prefix }}-kms"
register: new_key
- - name: set aws environment base fact
- set_fact:
- aws_environment_base:
- AWS_ACCESS_KEY_ID: "{{ aws_access_key }}"
- AWS_SECRET_ACCESS_KEY: "{{ aws_secret_key }}"
- no_log: True
-
- - name: set aws environment fact
- set_fact:
- aws_environment: "{{ aws_environment_base|combine(security_token|ternary({'AWS_SECURITY_TOKEN': security_token}, {})) }}"
- no_log: True
-
- - name: get ARN of calling user
- aws_caller_info:
- environment: "{{ aws_environment }}"
- register: aws_caller_info
-
- name: Allow the IAM role to use a specific Encryption Context
aws_kms:
- region: "{{ aws_region }}"
- aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
- security_token: "{{ security_token }}"
alias: "{{ resource_prefix }}-kms"
state: present
purge_grants: yes
@@ -143,10 +129,6 @@
- name: Add a second grant
aws_kms:
- region: "{{ aws_region }}"
- aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
- security_token: "{{ security_token }}"
alias: "{{ resource_prefix }}-kms"
state: present
grants:
@@ -170,10 +152,6 @@
- name: Add a second grant again
aws_kms:
- region: "{{ aws_region }}"
- aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
- security_token: "{{ security_token }}"
alias: "{{ resource_prefix }}-kms"
state: present
grants:
@@ -197,10 +175,6 @@
- name: Update the grants with purge_grants set
aws_kms:
- region: "{{ aws_region }}"
- aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
- security_token: "{{ security_token }}"
alias: "{{ resource_prefix }}-kms"
state: present
purge_grants: yes
@@ -225,10 +199,6 @@
- name: update third grant to change encryption context equals to subset
aws_kms:
- region: "{{ aws_region }}"
- aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
- security_token: "{{ security_token }}"
alias: "{{ resource_prefix }}-kms"
state: present
grants:
@@ -254,10 +224,6 @@
- name: tag encryption key
aws_kms:
- region: "{{ aws_region }}"
- aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
- security_token: "{{ security_token }}"
alias: "{{ resource_prefix }}-kms"
state: present
tags:
@@ -275,10 +241,6 @@
- name: add, replace, remove tags
aws_kms:
- region: "{{ aws_region }}"
- aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
- security_token: "{{ security_token }}"
alias: "{{ resource_prefix }}-kms"
state: present
purge_tags: yes
@@ -298,10 +260,6 @@
- name: make no real tag change
aws_kms:
- region: "{{ aws_region }}"
- aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
- security_token: "{{ security_token }}"
alias: "{{ resource_prefix }}-kms"
state: present
register: tag_kms_no_update
@@ -317,10 +275,6 @@
- name: update the key's description and disable it
aws_kms:
- region: "{{ aws_region }}"
- aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
- security_token: "{{ security_token }}"
alias: "{{ resource_prefix }}-kms"
state: present
description: test key for testing
@@ -336,10 +290,6 @@
- name: delete the key
aws_kms:
- region: "{{ aws_region }}"
- aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
- security_token: "{{ security_token }}"
alias: "{{ resource_prefix }}-kms"
state: absent
register: delete_kms
@@ -352,10 +302,6 @@
- name: undelete and enable the key
aws_kms:
- region: "{{ aws_region }}"
- aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
- security_token: "{{ security_token }}"
alias: "{{ resource_prefix }}-kms"
state: present
enabled: yes
@@ -368,15 +314,11 @@
- undelete_kms.changed
always:
-
# ============================================================
+ # CLEAN-UP
- name: finish off by deleting key
aws_kms:
state: absent
- region: "{{ aws_region }}"
- aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
- security_token: "{{ security_token }}"
alias: "{{ resource_prefix }}-kms"
register: destroy_result
@@ -384,7 +326,4 @@
iam_role:
name: "{{ resource_prefix }}-kms-role"
state: absent
- aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
- security_token: "{{ security_token }}"
register: iam_role_result
diff --git a/test/integration/targets/aws_kms/templates/console-policy.j2 b/test/integration/targets/aws_kms/templates/console-policy.j2
new file mode 100644
index 0000000000..4b60ba5889
--- /dev/null
+++ b/test/integration/targets/aws_kms/templates/console-policy.j2
@@ -0,0 +1,72 @@
+{
+ "Id": "key-consolepolicy-3",
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "Enable IAM User Permissions",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::{{ aws_caller_info.account }}:root"
+ },
+ "Action": "kms:*",
+ "Resource": "*"
+ },
+ {
+ "Sid": "Allow access for Key Administrators",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "{{ aws_caller_info.arn }}"
+ },
+ "Action": [
+ "kms:Create*",
+ "kms:Describe*",
+ "kms:Enable*",
+ "kms:List*",
+ "kms:Put*",
+ "kms:Update*",
+ "kms:Revoke*",
+ "kms:Disable*",
+ "kms:Get*",
+ "kms:Delete*",
+ "kms:TagResource",
+ "kms:UntagResource",
+ "kms:ScheduleKeyDeletion",
+ "kms:CancelKeyDeletion"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "Allow use of the key",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "{{ aws_caller_info.arn }}"
+ },
+ "Action": [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "Allow attachment of persistent resources",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "{{ aws_caller_info.arn }}"
+ },
+ "Action": [
+ "kms:CreateGrant",
+ "kms:ListGrants",
+ "kms:RevokeGrant"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "Bool": {
+ "kms:GrantIsForAWSResource": "true"
+ }
+ }
+ }
+ ]
+}