aws_kms: Update policy on existing keys (when passed) #60059
Conversation
@tremble, just so you are aware we have a dedicated Working Group for aws.
@tremble this change looks reasonable to me but needs the test suite updated to match (so that it would have caught this problem).
@willthames the integration tests appear to be broken. This may be due to the older version of Boto3 I'm running (rhel 7), however, I'm seeing things like
Which looks like some refactoring around aliases hasn't done what's expected.
See also #60206 for initial test fixes.
This PR looks reasonable, but do we care if the policy matches? I wasted way too much time trying to debug my policy before checking the module source and finding the root cause. Just write the policy and be done with it. How do we handle the BypassPolicyLockoutSafetyCheck? It should default to False, only set to True by the user. This behavior can be dangerous, but allowed IMHO.
We do care if the policy matches, otherwise how do we know whether to report
@omonnig Am I understanding correctly that this PR falsely flagged your new policy as not changing anything? Or are you just worried about the additional complexity? As @willthames mentioned, it's there so that "changed" can be correctly reported. Personally I try to ensure that my playbooks are idempotent and "changed" only shows up when something's really changed. Re BypassPolicyLockoutSafetyCheck, that would likely want to be an additional option, and for the sake of keeping PRs simple I'd rather not pull it into this PR.
@willthames Should I rebase this change on top of #60206 and see if I can test the shape / policy pieces as a part of this PR built on top of #60206?
Sorry, @willthames, I was not thinking straight. The "changed" functionality is very important and should be included in this PR. I will put the BypassPolicyLockoutSafetyCheck in another PR.
@willthames @omonnig https://github.com/tremble/ansible/tree/aws_kms_keyid_only now uses compare_policies instead of json.dumps. I'll update this PR once @jillr or @willthames can give me an idea which order we're going to try and merge everything in.
c165a7f to f059fa5
And just for the curious, the reason a simple json dump doesn't work is that it would appear Amazon mangle the Principal lists. My basic testing seems to show that when you add a new principal to the list then, wherever in the list you add it, Amazon will add it to the end of the list.
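The ordering problem described in the comment above, as an added example that is neither the module's `compare_policies` helper nor any code from this PR: a naive `json.dumps` comparison reports a change whenever KMS hands back a Principal list in a different order (or a single-string value as a one-element list), so the module would never be idempotent. The normalisation below treats set-valued policy fields as unordered, decides whether `put_key_policy` needs to be called, and only sets `BypassPolicyLockoutSafetyCheck` when the caller explicitly opts in, which is the default-False behaviour discussed above. `plan_key_policy_update`, `normalize_policy`, `naive_json_equal` and the sample policies are all hypothetical names and constructed data; the keyword names in the returned dict are boto3's real `put_key_policy` parameters, but nothing here talks to AWS.

```python
import json

# Policy keys whose values are sets in IAM/KMS policy grammar: order is not
# significant, and a bare string is equivalent to a one-element list.
_SET_VALUED_KEYS = {
    "Action", "NotAction", "Resource", "NotResource",
    "Principal", "NotPrincipal", "AWS", "Service", "Federated",
}


def _normalize(node, parent_key):
    """Recursively canonicalise a parsed policy document."""
    if isinstance(node, dict):
        return {k: _normalize(v, k) for k, v in sorted(node.items())}
    if isinstance(node, list):
        # Children of a list are never themselves wrapped, so pass no parent key.
        items = [_normalize(v, None) for v in node]
        if parent_key in _SET_VALUED_KEYS or parent_key == "Statement":
            # Sort by canonical JSON so ordering differences (e.g. a principal
            # AWS moved to the end of the list) do not count as a change.
            items.sort(key=lambda v: json.dumps(v, sort_keys=True))
        return items
    if isinstance(node, str) and parent_key in _SET_VALUED_KEYS:
        return [node]  # "kms:*" and ["kms:*"] mean the same thing
    return node


def normalize_policy(policy):
    """Accept a policy as a JSON string or a dict; return its canonical form."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    return _normalize(policy, None)


def policies_equal(a, b):
    """Order-insensitive comparison of two policy documents."""
    return normalize_policy(a) == normalize_policy(b)


def naive_json_equal(a, b):
    """The comparison the thread calls a 'simple json dump': exact structure only."""
    a = json.loads(a) if isinstance(a, str) else a
    b = json.loads(b) if isinstance(b, str) else b
    return json.dumps(a, sort_keys=True) == json.dumps(b, sort_keys=True)


def plan_key_policy_update(key_id, current_policy, desired_policy,
                           bypass_lockout_check=False):
    """Decide whether put_key_policy must be called and with which arguments.

    Returns (changed, kwargs); kwargs is None when the stored policy already
    matches. BypassPolicyLockoutSafetyCheck is only included when the caller
    opted in: with the default (False) KMS refuses a policy that would lock
    the calling principal out of the key, which is the safe behaviour.
    """
    if desired_policy is None or policies_equal(current_policy, desired_policy):
        return False, None
    policy_text = (desired_policy if isinstance(desired_policy, str)
                   else json.dumps(desired_policy))
    kwargs = {"KeyId": key_id, "PolicyName": "default", "Policy": policy_text}
    if bypass_lockout_check:
        kwargs["BypassPolicyLockoutSafetyCheck"] = True
    return True, kwargs


# Constructed sample data (not real accounts): the policy a playbook author
# wrote, the same policy as KMS might return it (principals re-ordered, Action
# as a one-element list), and a genuinely different policy that adds a principal.
ACCOUNT = "111122223333"
DESIRED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAdmins",
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::%s:role/new-admin" % ACCOUNT,
                              "arn:aws:iam::%s:role/old-admin" % ACCOUNT]},
        "Action": "kms:*",
        "Resource": "*",
    }],
}
STORED_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAdmins",
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::%s:role/old-admin" % ACCOUNT,
                              "arn:aws:iam::%s:role/new-admin" % ACCOUNT]},
        "Action": ["kms:*"],
        "Resource": "*",
    }],
})
NEW_POLICY = json.loads(STORED_POLICY_JSON)
NEW_POLICY["Statement"][0]["Principal"]["AWS"].insert(
    0, "arn:aws:iam::%s:role/auditor" % ACCOUNT)

if __name__ == "__main__":
    print("naive comparison says changed:", not naive_json_equal(DESIRED_POLICY, STORED_POLICY_JSON))
    print("normalised comparison says changed:", not policies_equal(DESIRED_POLICY, STORED_POLICY_JSON))
    print(plan_key_policy_update("alias/example", STORED_POLICY_JSON, NEW_POLICY))
```

With the stored and desired policies above, the naive comparison reports a change on every run while the normalised one correctly reports none; adding a principal is still detected and produces the `put_key_policy` arguments, without the lockout bypass unless it was requested.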
Test suite passes for me, change looks good. Thanks @tremble.
Looks like security-policy.json is missing a permission:
…ook. iam_roles aren't fully created when iam_role completes, there's a delay on the Amazon side before they're fully recognised.
@willthames added
Tests pass for me locally now, thanks @tremble!
* aws_kms: (integration tests) Use module_defaults to reduce the copy and paste
* aws_kms: (integration tests) make sure policy option functions.
* aws_kms: (integration tests) Move iam_role creation to start of playbook. iam_roles aren't fully created when iam_role completes, there's a delay on the Amazon side before they're fully recognised.
* aws_kms: Update policy on existing keys (when passed)
SUMMARY
Update policy on existing keys when policy is passed as an option.
Fixes #59987
ISSUE TYPE
COMPONENT NAME
lib/ansible/modules/cloud/amazon/aws_kms.py
ADDITIONAL INFORMATION
@willthames PR as promised on Friday