[cloud] Create ECS integration test suite (ansible#33757)

Tests for: * ecs_cluster * ecs_service * ecs_service_facts * ecs_taskdefinition * ecs_taskdefinition_facts * Add idempotency testing Test ecs_cluster, ecs_service and ecs_taskdefinition for trivial idempotency. Add FIXMEs to the tests because the latter two fail. Remove unused dependencies
mgu · Dec 15, 2017 · 866d7fd · 866d7fd
1 parent b5318e2
commit 866d7fd
Show file tree

Hide file tree

Showing 9 changed files with 558 additions and 2 deletions.
diff --git a/hacking/aws_config/testing_policies/compute-policy.json b/hacking/aws_config/testing_policies/compute-policy.json
@@ -131,10 +131,14 @@
             "Effect": "Allow",
             "Action": [
                 "elasticloadbalancing:ConfigureHealthCheck",
+                "elasticloadbalancing:CreateListener",
                 "elasticloadbalancing:CreateLoadBalancer",
                 "elasticloadbalancing:CreateLoadBalancerListeners",
+                "elasticloadbalancing:CreateTargetGroup",
+                "elasticloadbalancing:DeleteListener",
                 "elasticloadbalancing:DeleteLoadBalancer",
                 "elasticloadbalancing:DeleteLoadBalancerListeners",
+                "elasticloadbalancing:DeleteTargetGroup",
                 "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
                 "elasticloadbalancing:DescribeInstanceHealth",
                 "elasticloadbalancing:DescribeLoadBalancerAttributes",
@@ -212,14 +216,39 @@
             "Resource": "arn:aws:lambda:{{aws_region}}:{{aws_account}}:function:*"
         },
         {
-            "Sid": "AllowLambdaRoleManagement",
+            "Sid": "AllowRoleManagement",
             "Effect": "Allow",
             "Action": [
                 "iam:PassRole"
             ],
             "Resource": [
-                "arn:aws:iam::{{aws_account}}:role/ansible_lambda_role"
+                "arn:aws:iam::{{aws_account}}:role/ansible_lambda_role",
+                "arn:aws:iam::{{aws_account}}:role/ecsInstanceRole",
+                "arn:aws:iam::{{aws_account}}:role/ecsServiceRole"
             ]
+        },
+        {
+          "Sid": "AllowECSManagement",
+          "Effect": "Allow",
+          "Action": [
+            "application-autoscaling:Describe*",
+            "application-autoscaling:PutScalingPolicy",
+            "application-autoscaling:RegisterScalableTarget",
+            "cloudwatch:DescribeAlarms",
+            "cloudwatch:PutMetricAlarm",
+            "ecs:CreateCluster",
+            "ecs:CreateService",
+            "ecs:DeleteCluster",
+            "ecs:DeleteService",
+            "ecs:Describe*",
+            "ecs:DeregisterTaskDefinition",
+            "ecs:List*",
+            "ecs:RegisterTaskDefinition",
+            "ecs:UpdateService"
+          ],
+          "Resource": [
+            "*"
+          ]
         }
     ]
 }
diff --git a/hacking/aws_config/testing_policies/ecs-policy.json b/hacking/aws_config/testing_policies/ecs-policy.json
@@ -0,0 +1,57 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "UnspecifiedCodeRepositories",
+            "Effect": "Allow",
+            "Action": [
+                "ecr:DescribeRepositories",
+                "ecr:CreateRepository"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "SpecifiedCodeRepositories",
+            "Effect": "Allow",
+            "Action": [
+                "ecr:GetRepositoryPolicy",
+                "ecr:SetRepositoryPolicy",
+                "ecr:DeleteRepository",
+                "ecr:DeleteRepositoryPolicy",
+                "ecr:DeleteRepositoryPolicy"
+            ],
+            "Resource": [
+                "arn:aws:ecr:{{aws_region}}:{{aws_account}}:repository/ansible-*"
+            ]
+        },
+        {
+          "Effect": "Allow",
+          "Action": [
+            "application-autoscaling:Describe*",
+            "application-autoscaling:PutScalingPolicy",
+            "application-autoscaling:RegisterScalableTarget",
+            "cloudwatch:DescribeAlarms",
+            "cloudwatch:PutMetricAlarm",
+            "ecs:List*",
+            "ecs:Describe*",
+            "ecs:CreateCluster",
+            "ecs:DeleteCluster",
+            "ecs:CreateService",
+            "ecs:UpdateService",
+            "elasticloadbalancing:Describe*",
+            "iam:AttachRolePolicy",
+            "iam:CreateRole",
+            "iam:GetPolicy",
+            "iam:GetPolicyVersion",
+            "iam:GetRole",
+            "iam:ListAttachedRolePolicies",
+            "iam:ListRoles",
+            "iam:ListGroups",
+            "iam:ListUsers"
+          ],
+          "Resource": [
+            "*"
+          ]
+        }
+    ]
+}
diff --git a/hacking/aws_config/testing_policies/security-policy.json b/hacking/aws_config/testing_policies/security-policy.json
@@ -0,0 +1,22 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": [
+                "iam:GetPolicy",
+                "iam:GetPolicyVersion",
+                "iam:GetRole",
+                "iam:ListAttachedRolePolicies",
+                "iam:ListGroups",
+                "iam:ListInstanceProfilesForRole",
+                "iam:ListPolicies",
+                "iam:ListRoles",
+                "iam:ListRolePolicies",
+                "iam:ListUsers"
+            ],
+            "Resource": "*",
+            "Effect": "Allow",
+            "Sid": "AllowReadOnlyIAMUse"
+        }
+    ]
+}
diff --git a/test/integration/targets/ecs_cluster/aliases b/test/integration/targets/ecs_cluster/aliases
@@ -0,0 +1,5 @@
+cloud/aws
+ecs_service_facts
+ecs_task
+ecs_taskdefinition
+ecs_taskdefinition_facts
diff --git a/test/integration/targets/ecs_cluster/defaults/main.yml b/test/integration/targets/ecs_cluster/defaults/main.yml
@@ -0,0 +1,35 @@
+# http://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html
+# amzn-ami-2017.09.b-amazon-ecs-optimized
+ecs_agent_images:
+  us-east-1: ami-71ef560b
+  us-east-2: ami-1b8ca37e
+
+ecs_cluster_name: "{{ resource_prefix }}"
+user_data: |
+  #!/bin/bash
+  echo ECS_CLUSTER={{ ecs_cluster_name }} >> /etc/ecs/ecs.config
+
+ecs_service_name: "{{ resource_prefix }}-service"
+ecs_task_image_path: nginx
+ecs_task_name: "{{ resource_prefix }}-task"
+ecs_task_memory: 128
+ecs_task_containers:
+- name: "{{ ecs_task_name }}"
+  image: "{{ ecs_task_image_path }}"
+  essential: true
+  memory: "{{ ecs_task_memory }}"
+  portMappings:
+  - containerPort: "{{ ecs_task_container_port }}"
+    hostPort: "{{ ecs_task_host_port|default(0) }}"
+  mountPoints: "{{ ecs_task_mount_points|default([]) }}"
+ecs_service_deployment_configuration:
+  minimum_healthy_percent: 0
+  maximum_percent: 100
+ecs_service_placement_strategy:
+  - type: binpack
+    field: memory
+  - type: spread
+    field: attribute:ecs.availability-zone
+ecs_task_container_port: 8080
+ecs_target_group_name: "{{ resource_prefix[:29] }}-tg"
+ecs_load_balancer_name: "{{ resource_prefix[:29] }}-lb"
diff --git a/test/integration/targets/ecs_cluster/files/ec2-trust-policy.json b/test/integration/targets/ecs_cluster/files/ec2-trust-policy.json
@@ -0,0 +1,13 @@
+{
+  "Version": "2008-10-17",
+  "Statement": [
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
diff --git a/test/integration/targets/ecs_cluster/files/ecs-trust-policy.json b/test/integration/targets/ecs_cluster/files/ecs-trust-policy.json
@@ -0,0 +1,13 @@
+{
+  "Version": "2008-10-17",
+  "Statement": [
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "ecs.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
diff --git a/test/integration/targets/ecs_cluster/meta/main.yml b/test/integration/targets/ecs_cluster/meta/main.yml
@@ -0,0 +1 @@
+dependencies: []