From 362c45517d5a6cdbd39c263f3787232f0585e294 Mon Sep 17 00:00:00 2001
From: Will Thames
Date: Tue, 20 Aug 2019 21:15:40 +1000
Subject: [PATCH] aws_kms: fix failing tests (#60206)

Preserve tag key case by only calling camel_dict_to_snake_dict once, before the tags are added.
Don't call assert_policy_shape as it seems to fail
Use aws_caller_info in the test suite now that it exists rather than running `aws sts get_caller_identity`
Ensure that calls using `grant_types` can also use key aliases
---
 changelogs/fragments/kms_double_snake.yml | 2 ++
 lib/ansible/modules/cloud/amazon/aws_kms.py | 33 ++++++++++---------
 .../targets/aws_kms/tasks/main.yml | 19 ++++-------
 3 files changed, 27 insertions(+), 27 deletions(-)
 create mode 100644 changelogs/fragments/kms_double_snake.yml

diff --git a/changelogs/fragments/kms_double_snake.yml b/changelogs/fragments/kms_double_snake.yml
new file mode 100644
index 00000000000..c2be3232f0b
--- /dev/null
+++ b/changelogs/fragments/kms_double_snake.yml
@@ -0,0 +1,2 @@
+bugfixes:
+  - aws_kms module ensure tag keys have their case preserved by avoiding a second unnecessary format conversion
diff --git a/lib/ansible/modules/cloud/amazon/aws_kms.py b/lib/ansible/modules/cloud/amazon/aws_kms.py
index ece6cc0a6b5..5339c049839 100644
--- a/lib/ansible/modules/cloud/amazon/aws_kms.py
+++ b/lib/ansible/modules/cloud/amazon/aws_kms.py
@@ -688,7 +688,7 @@ def update_key(connection, module, key):
 
     # make results consistent with kms_facts
     result = get_key_details(connection, module, key['key_id'])
-    module.exit_json(changed=changed, **camel_dict_to_snake_dict(result))
+    module.exit_json(changed=changed, **result)
 
 
 def create_key(connection, module):
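Review bot: The new `**result` on the exit_json line relies on get_key_details already returning snake_case keys, which is not visible in this hunk, and nothing in update_key records that; the next person who sees a CamelCase field in the output will re-add the conversion and reintroduce the tag-key case bug this commit fixes. Add a why-comment above the call, `# get_key_details() already returns snake_case; converting again would lower-case user tag keys`, and the same comment at the create_key and delete_key call sites that make the identical change. update_key's body starts outside the hunk.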
@@ -725,7 +725,7 @@ def create_key(connection, module):
 
     # make results consistent with kms_facts
     result = get_key_details(connection, module, key['key_id'])
-    module.exit_json(changed=True, **camel_dict_to_snake_dict(result))
+    module.exit_json(changed=True, **result)
 
 
 def delete_key(connection, module, key):
@@ -739,7 +739,7 @@ def delete_key(connection, module, key):
         module.fail_json_aws(e, msg="Failed to schedule key for deletion")
 
     result = get_key_details(connection, module, key['key_id'])
-    module.exit_json(changed=changed, **camel_dict_to_snake_dict(result))
+    module.exit_json(changed=changed, **result)
 
 
 def get_arn_from_kms_alias(kms, aliasname):
@@ -774,7 +774,7 @@ def do_policy_grant(kms, keyarn, role_arn, granttypes, mode='grant', dry_run=Tru
     policy = json.loads(keyret['Policy'])
 
     changes_needed = {}
-    assert_policy_shape(policy)
+    # assert_policy_shape(policy)
     had_invalid_entries = False
     for statement in policy['Statement']:
         for granttype in ['role', 'role grant', 'admin']:
@@ -855,7 +855,7 @@ def assert_policy_shape(policy):
             errors.append('Policy is missing {0}.'.format(statementtype))
 
     if len(errors):
-        raise Exception('Problems asserting policy shape. Cowardly refusing to modify it: {0}'.format(' '.join(errors)))
+        raise Exception('Problems asserting policy shape. Cowardly refusing to modify it: {0}'.format(' '.join(errors)) + "\n" + str(policy))
 
     return None
 
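Review bot: Commenting out `assert_policy_shape(policy)` removes the only guard that refuses to modify a key policy whose statements are not in the shape this code understands; the loop over `policy['Statement']` that follows now edits whatever policy the key carries, and if that result is written back a mis-parsed policy can drop or add access to the key without any error being raised. The commit message only says the check "seems to fail"; the `str(policy)` appended to the exception in the next hunk is the diagnostic for exactly that, so land the diagnostic, keep the call, and fix the shape check rather than disabling it. If the guard genuinely has to go, delete the line and leave an explicit reason, `# NOTE: policy shape check skipped because ...`, instead of dead commented-out code. The rest of do_policy_grant, including any write-back of the policy, is outside the hunk.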
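Review bot: `str(policy)` appends the Python repr of the policy dict (single quotes, one line) to the error, which is hard to read for a non-trivial policy and cannot be pasted back into KMS; `json.dumps(policy, indent=2)` emits it in its native form and `json` is already in use in this file (`json.loads` in do_policy_grant above). Be aware that the only visible caller now has its call commented out, so this branch is currently unreachable from do_policy_grant. assert_policy_shape's loop starts outside the hunk.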
@@ -893,6 +893,18 @@ def main():
     kms = module.client('kms')
     iam = module.client('iam')
 
+    all_keys = get_kms_facts(kms, module)
+    key_id = module.params.get('key_id')
+    alias = module.params.get('alias')
+    if alias.startswith('alias/'):
+        alias = alias[6:]
+    if key_id:
+        filtr = ('key-id', key_id)
+    elif module.params.get('alias'):
+        filtr = ('alias', alias)
+
+    candidate_keys = [key for key in all_keys if key_matches_filter(key, filtr)]
+
     if module.params.get('policy_grant_types') or mode == 'deny':
         module.deprecate('Managing the KMS IAM Policy via policy_mode and policy_grant_types is fragile'
                          ' and has been deprecated in favour of the policy option.', version='2.13')
@@ -908,7 +920,7 @@ def main():
                 module.fail_json(msg='{0} is an unknown grant type.'.format(g))
 
         ret = do_policy_grant(kms,
-                              module.params['policy_key_arn'],
+                              candidate_keys[0]['key_arn'],
                               module.params['policy_role_arn'],
                               module.params['policy_grant_types'],
                               mode=mode,
@@ -918,15 +930,6 @@ def main():
         module.exit_json(**result)
 
     else:
-        all_keys = get_kms_facts(kms, module)
-        key_id = module.params.get('key_id')
-        alias = module.params.get('alias')
-        if key_id:
-            filtr = ('key-id', key_id)
-        elif module.params.get('alias'):
-            filtr = ('alias', alias)
-
-        candidate_keys = [key for key in all_keys if key_matches_filter(key, filtr)]
 
         if module.params.get('state') == 'present':
             if candidate_keys:
diff --git a/test/integration/targets/aws_kms/tasks/main.yml b/test/integration/targets/aws_kms/tasks/main.yml
index b7533141dad..784796bff24 100644
--- a/test/integration/targets/aws_kms/tasks/main.yml
+++ b/test/integration/targets/aws_kms/tasks/main.yml
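Review bot: `alias.startswith('alias/')` now runs unconditionally and raises AttributeError when `alias` is None, which is the normal case when the caller passes `key_id` instead — the removed code only touched `alias` inside the `elif` branch. `filtr` is also left unbound when neither `key_id` nor `alias` is given, so the comprehension dies with UnboundLocalError instead of a usable module error, and that path is now reached by every invocation, including the `policy_grant_types` path that previously needed only `policy_key_arn`. Unless the argument_spec (outside this hunk) already makes one of the two required, guard the None and fail explicitly; `alias[len('alias/'):]` also reads better than the magic `6`. main() continues outside the hunk.
```python
    all_keys = get_kms_facts(kms, module)
    key_id = module.params.get('key_id')
    alias = module.params.get('alias')
    if alias and alias.startswith('alias/'):
        alias = alias[len('alias/'):]
    if key_id:
        filtr = ('key-id', key_id)
    elif alias:
        filtr = ('alias', alias)
    else:
        module.fail_json(msg='Either key_id or alias must be specified')

    candidate_keys = [key for key in all_keys if key_matches_filter(key, filtr)]
    # … unchanged: policy_grant_types deprecation warning …
```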
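Review bot: `candidate_keys[0]['key_arn']` raises IndexError when nothing matched the `key_id`/`alias` filter, and `policy_key_arn` — still a module parameter, since the removed line read it — is now silently ignored, so a playbook that names one key in `policy_key_arn` and a different one in `key_id` gets the wrong key's policy rewritten with no warning, which for a KMS key policy is an access-control change. Before the do_policy_grant call require exactly one match and reject a conflicting arn: `if len(candidate_keys) != 1: module.fail_json(msg='Expected exactly one key matching key_id/alias, found {0}'.format(len(candidate_keys)))` followed by `if module.params.get('policy_key_arn') and module.params['policy_key_arn'] != candidate_keys[0]['key_arn']: module.fail_json(msg='policy_key_arn does not match the key selected by key_id/alias')`. Whether policy_key_arn remains accepted is inferred from the removed line, as argument_spec is not in this diff; the do_policy_grant call continues past the hunk.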
@@ -108,14 +108,9 @@
     no_log: True
 
 - name: get ARN of calling user
-  command: "{{ ansible_python_interpreter }} -c 'import boto3, json; sts = boto3.client(\"sts\"); print json.dumps(sts.get_caller_identity())'"
-  changed_when: False
+  aws_caller_info:
   environment: "{{ aws_environment }}"
-  register: sts_get_caller_results
-
-- name: set caller_arn
-  set_fact:
-    caller_arn: "{{ (sts_get_caller_results.stdout|from_json).Arn }}"
+  register: aws_caller_info
 
 - name: Allow the IAM role to use a specific Encryption Context
   aws_kms:
@@ -130,7 +125,7 @@
     grants:
       - name: test_grant
         grantee_principal: "{{ iam_role_result.iam_role.arn }}"
-        retiring_principal: "{{ caller_arn }}"
+        retiring_principal: "{{ aws_caller_info.arn }}"
         constraints:
           encryption_context_equals:
             environment: test
@@ -157,7 +152,7 @@
     grants:
       - name: another_grant
         grantee_principal: "{{ iam_role_result.iam_role.arn }}"
-        retiring_principal: "{{ caller_arn }}"
+        retiring_principal: "{{ aws_caller_info.arn }}"
         constraints:
           encryption_context_equals:
             Environment: second
@@ -184,7 +179,7 @@
     grants:
       - name: another_grant
         grantee_principal: "{{ iam_role_result.iam_role.arn }}"
-        retiring_principal: "{{ caller_arn }}"
+        retiring_principal: "{{ aws_caller_info.arn }}"
         constraints:
           encryption_context_equals:
             Environment: second
@@ -212,7 +207,7 @@
     grants:
       - name: third_grant
         grantee_principal: "{{ iam_role_result.iam_role.arn }}"
-        retiring_principal: "{{ caller_arn }}"
+        retiring_principal: "{{ aws_caller_info.arn }}"
         constraints:
           encryption_context_equals:
             environment: third
@@ -239,7 +234,7 @@
     grants:
       - name: third_grant
         grantee_principal: "{{ iam_role_result.iam_role.arn }}"
-        retiring_principal: "{{ caller_arn }}"
+        retiring_principal: "{{ aws_caller_info.arn }}"
         constraints:
           encryption_context_subset:
             environment: third
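Review bot: Registering the task result under `aws_caller_info`, the same name as the module, makes the later `aws_caller_info.arn` references read like module lookups rather than a registered variable; name it after its content, `register: caller_info`, and update the five `retiring_principal` references accordingly. The removed `set_fact` also drops the `caller_arn` fact, so any task in main.yml outside these hunks that still uses `caller_arn` is now undefined — the rest of the file is not in this diff, so that is worth a grep before merging.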