
aws_kms enhancements #31960

Open: willthames wants to merge 5 commits into base: devel from willthames:aws_kms_grants

@willthames
Contributor

willthames commented Oct 20, 2017

SUMMARY

Updates aws_kms module to create keys and grant access including encryption context

ISSUE TYPE
  • Feature Pull Request
COMPONENT NAME

aws_kms

ANSIBLE VERSION
ansible 2.5.0 (devel 269672faf1) last updated 2017/10/18 17:05:01 (GMT +1000)
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/will/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /home/will/src/ansible/lib/ansible
  executable location = /home/will/src/ansible/bin/ansible
  python version = 2.7.13 (default, Sep  5 2017, 08:53:59) [GCC 7.1.1 20170622 (Red Hat 7.1.1-3)]
@willthames


Contributor

willthames commented Oct 20, 2017

This is partly based on #26733 which I should fix up to pass tests etc.

@willthames


Contributor

willthames commented Oct 20, 2017

cc @tedder

@ansibot


Contributor

ansibot commented Oct 20, 2017

@willthames this PR contains more than one new module.

Please submit only one new module per pull request. For further explanation, please read grouped module documentation


alias:
  description: An alias for a key. For safety, even though KMS does not require keys
    to have an alias, this module expects all new keys to be given an alias
    to make them easier to manage. Existing keys without an alias may be


@tedder

tedder Oct 20, 2017

Contributor

This isn't true, is it? The "For safety" sentence, because it's basically "alias is required... unless not, which is okay".

@ansibot


Contributor

ansibot commented Oct 20, 2017

The test ansible-test sanity --test pep8 [?] failed with the following errors:

lib/ansible/modules/cloud/amazon/aws_kms.py:229:161: E501 line too long (958 > 160 characters)
lib/ansible/modules/cloud/amazon/aws_kms_facts.py:134:161: E501 line too long (962 > 160 characters)

The test ansible-test sanity --test pylint [?] failed with the following error:

lib/ansible/modules/cloud/amazon/aws_kms_facts.py:322:0: dangerous-default-value Dangerous default value [] as argument

The test ansible-test sanity --test validate-modules [?] failed with the following errors:

lib/ansible/modules/cloud/amazon/aws_kms.py:0:0: E309 version_added for new option (description) should be 2.5. Currently 2.4
lib/ansible/modules/cloud/amazon/aws_kms.py:0:0: E309 version_added for new option (enabled) should be 2.5. Currently 2.4
lib/ansible/modules/cloud/amazon/aws_kms.py:0:0: E309 version_added for new option (grants) should be 2.5. Currently 2.4
lib/ansible/modules/cloud/amazon/aws_kms.py:0:0: E309 version_added for new option (purge_grants) should be 2.5. Currently 2.4
lib/ansible/modules/cloud/amazon/aws_kms.py:0:0: E309 version_added for new option (purge_tags) should be 2.5. Currently 2.4
lib/ansible/modules/cloud/amazon/aws_kms.py:0:0: E309 version_added for new option (state) should be 2.5. Currently 2.4
lib/ansible/modules/cloud/amazon/aws_kms.py:0:0: E309 version_added for new option (tags) should be 2.5. Currently 2.4
lib/ansible/modules/cloud/amazon/aws_kms.py:230:4: E313 RETURN is not valid YAML
lib/ansible/modules/cloud/amazon/aws_kms_facts.py:0:0: E307 version_added should be 2.5. Currently 2.4
lib/ansible/modules/cloud/amazon/aws_kms_facts.py:0:0: E316 ANSIBLE_METADATA.metadata_version: not a valid value for dictionary value @ data['metadata_version']. Got '1.0'
lib/ansible/modules/cloud/amazon/aws_kms_facts.py:135:4: E313 RETURN is not valid YAML
lib/ansible/modules/cloud/amazon/aws_kms_facts.py:193:0: E107 Imports should be directly below DOCUMENTATION/EXAMPLES/RETURN/ANSIBLE_METADATA.
lib/ansible/modules/cloud/amazon/aws_kms_facts.py:194:0: E107 Imports should be directly below DOCUMENTATION/EXAMPLES/RETURN/ANSIBLE_METADATA.
lib/ansible/modules/cloud/amazon/aws_kms_facts.py:195:0: E107 Imports should be directly below DOCUMENTATION/EXAMPLES/RETURN/ANSIBLE_METADATA.
lib/ansible/modules/cloud/amazon/aws_kms_facts.py:196:0: E107 Imports should be directly below DOCUMENTATION/EXAMPLES/RETURN/ANSIBLE_METADATA.
lib/ansible/modules/cloud/amazon/aws_kms_facts.py:198:0: E107 Imports should be directly below DOCUMENTATION/EXAMPLES/RETURN/ANSIBLE_METADATA.
lib/ansible/modules/cloud/amazon/aws_kms_facts.py:201:0: E107 Imports should be directly below DOCUMENTATION/EXAMPLES/RETURN/ANSIBLE_METADATA.
lib/ansible/modules/cloud/amazon/kms.py:0:0: E307 version_added should be 2.5. Currently 2.4
lib/ansible/modules/cloud/amazon/kms.py:0:0: E316 ANSIBLE_METADATA.metadata_version: not a valid value for dictionary value @ data['metadata_version']. Got '1.0'
lib/ansible/modules/cloud/amazon/kms.py:0:0: E319 RETURN.creation_date.sample: not a valid value for dictionary value @ data['sample']. Got datetime.datetime(2017, 4, 18, 5, 12, 8, 551000)


@ansibot ansibot added the ci_verified label Oct 20, 2017

@tedder


Contributor

tedder commented Oct 20, 2017

Aside from my discussion-y comments it looks good. I'll run it in my jobs that do KMS stuff to make sure it hasn't broken anything.

@willthames willthames force-pushed the willthames:aws_kms_grants branch Oct 20, 2017

@ansibot ansibot removed the ci_verified label Oct 20, 2017

@ansibot


Contributor

ansibot commented Oct 20, 2017

The test ansible-test sanity --test pep8 [?] failed with the following error:

lib/ansible/modules/cloud/amazon/aws_kms.py:229:161: E501 line too long (958 > 160 characters)

The test ansible-test sanity --test pylint [?] failed with the following error:

lib/ansible/modules/cloud/amazon/aws_kms_facts.py:350:0: dangerous-default-value Dangerous default value [] as argument

The test ansible-test sanity --test validate-modules [?] failed with the following error:

lib/ansible/modules/cloud/amazon/aws_kms.py:230:4: E313 RETURN is not valid YAML


@ansibot ansibot added the ci_verified label Oct 20, 2017

@willthames willthames force-pushed the willthames:aws_kms_grants branch Oct 20, 2017

@ansibot ansibot removed the ci_verified label Oct 20, 2017

@ansibot


Contributor

ansibot commented Oct 20, 2017

The test ansible-test sanity --test pep8 [?] failed with the following error:

test/sanity/pep8/legacy-files.txt:13:1: A201 Remove "lib/ansible/modules/cloud/amazon/aws_kms.py" since it passes the current rule set

The test ansible-test sanity --test validate-modules [?] failed with the following error:

lib/ansible/modules/cloud/amazon/aws_kms.py:0:0: E319 RETURN.creation_date.sample: not a valid value for dictionary value @ data['sample']. Got datetime.datetime(2017, 4, 18, 5, 12, 8, 551000)


@ansibot ansibot added the ci_verified label Oct 20, 2017

@willthames willthames force-pushed the willthames:aws_kms_grants branch to 79c1945 Oct 20, 2017

@ansibot ansibot removed the ci_verified label Oct 20, 2017

@mkrizek mkrizek removed the needs_triage label Oct 20, 2017

@ansibot


Contributor

ansibot commented Oct 20, 2017


As a maintainer of a module in the same namespace this new module has been submitted to, your vote counts for shipits. Please review this module and add shipit if you would like to see it merged.


@ansibot ansibot removed the needs_revision label Oct 20, 2017

@ansibot


Contributor

ansibot commented Jun 27, 2018

The test ansible-test sanity --test pylint [explain] failed with 3 errors:

lib/ansible/modules/cloud/amazon/aws_kms.py:425:16: duplicate-except Catching previously caught exception type ClientError
lib/ansible/modules/cloud/amazon/aws_kms.py:441:12: duplicate-except Catching previously caught exception type ClientError
lib/ansible/modules/cloud/amazon/kms_facts.py:278:0: dangerous-default-value Dangerous default value [] as argument

The test ansible-test sanity --test validate-modules [explain] failed with 20 errors:

lib/ansible/modules/cloud/amazon/aws_kms.py:0:0: E324 Value for "default" from the argument_spec ('present') for "state" does not match the documentation (None)
lib/ansible/modules/cloud/amazon/aws_kms.py:0:0: E325 argument_spec for "enabled" defines type="bool" but documentation does not
lib/ansible/modules/cloud/amazon/aws_kms.py:0:0: E325 argument_spec for "purge_grants" defines type="bool" but documentation does not
lib/ansible/modules/cloud/amazon/aws_kms.py:0:0: E325 argument_spec for "purge_tags" defines type="bool" but documentation does not
lib/ansible/modules/cloud/amazon/kms_facts.py:0:0: E307 version_added should be 2.7. Currently 2.4
lib/ansible/modules/cloud/amazon/kms_facts.py:0:0: E316 ANSIBLE_METADATA.metadata_version: not a valid value for dictionary value @ data['metadata_version']. Got '1.0'
lib/ansible/modules/cloud/amazon/kms_facts.py:0:0: E319 RETURN.keys.aliases: extra keys not allowed @ data['aliases']. Got {'description': 'list of aliases associated with the key', 'type': 'list', 'returned': 'always', 'sample': ['aws/acm', 'aws/ebs']}
lib/ansible/modules/cloud/amazon/kms_facts.py:0:0: E319 RETURN.keys.aws_account_id: extra keys not allowed @ data['aws_account_id']. Got {'description': 'The AWS Account ID that the key belongs to', 'type': 'str', 'returned': 'always', 'sample': 1234567890123}
lib/ansible/modules/cloud/amazon/kms_facts.py:0:0: E319 RETURN.keys.creation_date: extra keys not allowed @ data['creation_date']. Got {'description': 'Date of creation of the key', 'type': 'str', 'returned': 'always', 'sample': datetime.datetime(2017, 4, 18, 5, 12, 8, 551000)}
lib/ansible/modules/cloud/amazon/kms_facts.py:0:0: E319 RETURN.keys.description: expected a list for dictionary value @ data['description']. Got {'description': 'Description of the key', 'type': 'str', 'returned': 'always', 'sample': 'My Key for Protecting important stuff'}
lib/ansible/modules/cloud/amazon/kms_facts.py:0:0: E319 RETURN.keys.enabled: extra keys not allowed @ data['enabled']. Got {'description': 'Whether the key is enabled. True if C(KeyState) is true.', 'type': 'str', 'returned': 'always', 'sample': False}
lib/ansible/modules/cloud/amazon/kms_facts.py:0:0: E319 RETURN.keys.grants: extra keys not allowed @ data['grants']. Got {'description': 'list of grants associated with a key', 'type': 'complex', 'returned': 'always', 'contains': {'constraints': {'description': 'Constraints on the encryption context that the grant allows. See U(https://docs.aws.amazon.com/kms/latest/APIReference/API_GrantConstraints.html) for further details', 'type': 'dict', 'returned': 'always', 'sample': {'encryption_context_equals': {'aws:lambda:_function_arn': 'arn:aws:lambda:ap-southeast-2:012345678912:function:xyz'}}}, 'creation_date': {...
lib/ansible/modules/cloud/amazon/kms_facts.py:0:0: E319 RETURN.keys.key_arn: extra keys not allowed @ data['key_arn']. Got {'description': 'ARN of key', 'type': 'str', 'returned': 'always', 'sample': 'arn:aws:kms:ap-southeast-2:123456789012:key/abcd1234-abcd-1234-5678-ef1234567890'}
lib/ansible/modules/cloud/amazon/kms_facts.py:0:0: E319 RETURN.keys.key_id: extra keys not allowed @ data['key_id']. Got {'description': 'ID of key', 'type': 'str', 'returned': 'always', 'sample': 'abcd1234-abcd-1234-5678-ef1234567890'}
lib/ansible/modules/cloud/amazon/kms_facts.py:0:0: E319 RETURN.keys.key_state: extra keys not allowed @ data['key_state']. Got {'description': 'The state of the key', 'type': 'str', 'returned': 'always', 'sample': 'PendingDeletion'}
lib/ansible/modules/cloud/amazon/kms_facts.py:0:0: E319 RETURN.keys.key_usage: extra keys not allowed @ data['key_usage']. Got {'description': 'The cryptographic operations for which you can use the key.', 'type': 'str', 'returned': 'always', 'sample': 'ENCRYPT_DECRYPT'}
lib/ansible/modules/cloud/amazon/kms_facts.py:0:0: E319 RETURN.keys.origin: extra keys not allowed @ data['origin']. Got {'description': "The source of the key's key material. When this value is C(AWS_KMS), AWS KMS created the key material. When this value is C(EXTERNAL), the key material was imported or the CMK lacks key material.", 'type': 'str', 'returned': 'always', 'sample': 'AWS_KMS'}
lib/ansible/modules/cloud/amazon/kms_facts.py:0:0: E319 RETURN.keys.returned: required key not provided @ data['returned']. Got None
lib/ansible/modules/cloud/amazon/kms_facts.py:0:0: E319 RETURN.keys.tags: extra keys not allowed @ data['tags']. Got {'description': 'dictionary of tags applied to the key', 'type': 'dict', 'returned': 'always', 'sample': {'Name': 'myKey', 'Purpose': 'protecting_stuff'}}
lib/ansible/modules/cloud/amazon/kms_facts.py:0:0: E319 RETURN.keys.type: required key not provided @ data['type']. Got None


@ansibot ansibot added the ci_verified label Jun 27, 2018

willthames added some commits Jul 13, 2017

Major aws_kms restructure
* Allow creation and deletion of keys (deletion just schedules for
  deletion, recreating an old key is just cancelling its deletion)
* Allow grants to be set, thus enabling encryption contexts to be
  used with keys
* Allow tags to be added and modified
* Add tests
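As an added example (not code from this PR or from the aws_kms module), this sketches the idempotency logic the grants and purge_grants options imply: each grant's encryption-context constraints are normalised so that key order does not matter, and the desired grants are diffed against the grants already on the key. The field names grantee_principal, operations, constraints and grant_id, and the sample ARNs, are assumptions constructed for the example.

```python
# Added example (not aws_kms module code): plan KMS grant changes idempotently.
# A grant is matched on grantee, operations and encryption-context constraints,
# so re-running with the same playbook produces no create/revoke calls.


def _norm_constraints(constraints):
    """Hashable, order-independent form of a grant's constraints.

    Constraints look like
    {'encryption_context_equals': {'aws:lambda:_function_arn': '...'}}
    (or encryption_context_subset). Missing constraints compare as empty.
    """
    constraints = constraints or {}
    return tuple(sorted(
        (kind, tuple(sorted((ctx or {}).items())))
        for kind, ctx in constraints.items()
    ))


def grant_key(grant):
    """Identity of a grant for comparison (field names are assumed)."""
    return (
        grant['grantee_principal'],
        tuple(sorted(grant.get('operations', []))),
        _norm_constraints(grant.get('constraints')),
    )


def plan_grants(desired, existing, purge_grants=False):
    """Return (to_create, to_revoke).

    desired: grants the playbook asks for. existing: grants on the key,
    each carrying a 'grant_id' usable for revocation. Grants present on
    the key but absent from desired are revoked only when purge_grants.
    """
    have = {grant_key(g): g for g in existing}
    want = {grant_key(g): g for g in desired}
    to_create = [g for k, g in want.items() if k not in have]
    to_revoke = [g for k, g in have.items() if k not in want] if purge_grants else []
    return to_create, to_revoke


# Constructed sample data: one existing grant scoped to a Lambda function ARN.
LAMBDA_ARN = 'arn:aws:lambda:ap-southeast-2:123456789012:function:xyz'
EXISTING = [{
    'grant_id': 'grant-0001',
    'grantee_principal': 'arn:aws:iam::123456789012:role/xyz-lambda',
    'operations': ['Encrypt', 'Decrypt'],
    'constraints': {'encryption_context_equals': {'aws:lambda:_function_arn': LAMBDA_ARN}},
}]
```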

@willthames willthames force-pushed the willthames:aws_kms_grants branch Jun 27, 2018

@ansibot


Contributor

ansibot commented Jun 27, 2018

The test ansible-test sanity --test pylint [explain] failed with 2 errors:

lib/ansible/modules/cloud/amazon/aws_kms.py:429:16: duplicate-except Catching previously caught exception type ClientError
lib/ansible/modules/cloud/amazon/aws_kms.py:445:12: duplicate-except Catching previously caught exception type ClientError


@willthames willthames force-pushed the willthames:aws_kms_grants branch Jun 27, 2018

@ansibot ansibot removed the ci_verified label Jun 27, 2018

@ansibot


Contributor

ansibot commented Jun 27, 2018

The test ansible-test sanity --test pylint [explain] failed with 2 errors:

lib/ansible/modules/cloud/amazon/aws_kms.py:429:16: duplicate-except Catching previously caught exception type ClientError
lib/ansible/modules/cloud/amazon/aws_kms.py:445:12: duplicate-except Catching previously caught exception type ClientError


@ansibot ansibot added the ci_verified label Jun 27, 2018

    if module.params.get('description'):
        params['Description'] = module.params['description']
    if module.params.get('policy'):
        params['Policy'] = module.params['policy']


@deiwin

deiwin Dec 7, 2018

Contributor

policy should be added to argument_spec to be usable.
