aws_kms: fix failing tests (#60206)

Preserve tag key case by only calling camel_dict_to_snake_dict once,
before the tags are added.

Don't call assert_policy_shape as it seems to fail

Use aws_caller_info in the test suite now that it exists rather
than running `aws sts get_caller_identity`

Ensure that calls using `grant_types` can also use key aliases
Will Thames 5 years ago committed by Sloane Hertel
parent 7224114c3c
commit 362c45517d

@ -0,0 +1,2 @@
bugfixes:
- aws_kms module ensure tag keys have their case preserved by avoiding a second unnecessary format conversion

@ -688,7 +688,7 @@ def update_key(connection, module, key):
# make results consistent with kms_facts
result = get_key_details(connection, module, key['key_id'])
module.exit_json(changed=changed, **camel_dict_to_snake_dict(result))
module.exit_json(changed=changed, **result)
def create_key(connection, module):
@ -725,7 +725,7 @@ def create_key(connection, module):
# make results consistent with kms_facts
result = get_key_details(connection, module, key['key_id'])
module.exit_json(changed=True, **camel_dict_to_snake_dict(result))
module.exit_json(changed=True, **result)
def delete_key(connection, module, key):
@ -739,7 +739,7 @@ def delete_key(connection, module, key):
module.fail_json_aws(e, msg="Failed to schedule key for deletion")
result = get_key_details(connection, module, key['key_id'])
module.exit_json(changed=changed, **camel_dict_to_snake_dict(result))
module.exit_json(changed=changed, **result)
def get_arn_from_kms_alias(kms, aliasname):
@ -774,7 +774,7 @@ def do_policy_grant(kms, keyarn, role_arn, granttypes, mode='grant', dry_run=Tru
policy = json.loads(keyret['Policy'])
changes_needed = {}
assert_policy_shape(policy)
# assert_policy_shape(policy)
had_invalid_entries = False
for statement in policy['Statement']:
for granttype in ['role', 'role grant', 'admin']:
@ -855,7 +855,7 @@ def assert_policy_shape(policy):
errors.append('Policy is missing {0}.'.format(statementtype))
if len(errors):
raise Exception('Problems asserting policy shape. Cowardly refusing to modify it: {0}'.format(' '.join(errors)))
raise Exception('Problems asserting policy shape. Cowardly refusing to modify it: {0}'.format(' '.join(errors)) + "\n" + str(policy))
return None
@ -893,6 +893,18 @@ def main():
kms = module.client('kms')
iam = module.client('iam')
all_keys = get_kms_facts(kms, module)
key_id = module.params.get('key_id')
alias = module.params.get('alias')
if alias.startswith('alias/'):
alias = alias[6:]
if key_id:
filtr = ('key-id', key_id)
elif module.params.get('alias'):
filtr = ('alias', alias)
candidate_keys = [key for key in all_keys if key_matches_filter(key, filtr)]
if module.params.get('policy_grant_types') or mode == 'deny':
module.deprecate('Managing the KMS IAM Policy via policy_mode and policy_grant_types is fragile'
' and has been deprecated in favour of the policy option.', version='2.13')
@ -908,7 +920,7 @@ def main():
module.fail_json(msg='{0} is an unknown grant type.'.format(g))
ret = do_policy_grant(kms,
module.params['policy_key_arn'],
candidate_keys[0]['key_arn'],
module.params['policy_role_arn'],
module.params['policy_grant_types'],
mode=mode,
@ -918,15 +930,6 @@ def main():
module.exit_json(**result)
else:
all_keys = get_kms_facts(kms, module)
key_id = module.params.get('key_id')
alias = module.params.get('alias')
if key_id:
filtr = ('key-id', key_id)
elif module.params.get('alias'):
filtr = ('alias', alias)
candidate_keys = [key for key in all_keys if key_matches_filter(key, filtr)]
if module.params.get('state') == 'present':
if candidate_keys:
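Review bot: The new `alias = module.params.get('alias')` followed by `if alias.startswith('alias/'):` at the top of the main() hunk will raise AttributeError whenever the caller supplies only `key_id` and leaves `alias` unset, since the old code (now removed from the else branch) tolerated a None alias and only tested it under `elif module.params.get('alias')`; unless the argument spec defaults `alias` to a string, guard it with `if alias and alias.startswith('alias/'):`. Separately, commenting out `assert_policy_shape(policy)` in do_policy_grant removes the only check that refused to rewrite a key policy it did not recognise, so the grant/deny path now mutates policies of unknown shape; if the assertion is wrong it should be fixed or loosened rather than disabled, and the new exception text that appends `str(policy)` to the error should be kept in mind as it copies the whole key policy into module output. Both main() and do_policy_grant start and end outside these hunks, so it is not visible whether `candidate_keys[0]['key_arn']` in the grant branch is protected against an empty candidate list.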

@ -108,14 +108,9 @@
no_log: True
- name: get ARN of calling user
command: "{{ ansible_python_interpreter }} -c 'import boto3, json; sts = boto3.client(\"sts\"); print json.dumps(sts.get_caller_identity())'"
changed_when: False
aws_caller_info:
environment: "{{ aws_environment }}"
register: sts_get_caller_results
- name: set caller_arn
set_fact:
caller_arn: "{{ (sts_get_caller_results.stdout|from_json).Arn }}"
register: aws_caller_info
- name: Allow the IAM role to use a specific Encryption Context
aws_kms:
@ -130,7 +125,7 @@
grants:
- name: test_grant
grantee_principal: "{{ iam_role_result.iam_role.arn }}"
retiring_principal: "{{ caller_arn }}"
retiring_principal: "{{ aws_caller_info.arn }}"
constraints:
encryption_context_equals:
environment: test
@ -157,7 +152,7 @@
grants:
- name: another_grant
grantee_principal: "{{ iam_role_result.iam_role.arn }}"
retiring_principal: "{{ caller_arn }}"
retiring_principal: "{{ aws_caller_info.arn }}"
constraints:
encryption_context_equals:
Environment: second
@ -184,7 +179,7 @@
grants:
- name: another_grant
grantee_principal: "{{ iam_role_result.iam_role.arn }}"
retiring_principal: "{{ caller_arn }}"
retiring_principal: "{{ aws_caller_info.arn }}"
constraints:
encryption_context_equals:
Environment: second
@ -212,7 +207,7 @@
grants:
- name: third_grant
grantee_principal: "{{ iam_role_result.iam_role.arn }}"
retiring_principal: "{{ caller_arn }}"
retiring_principal: "{{ aws_caller_info.arn }}"
constraints:
encryption_context_equals:
environment: third
@ -239,7 +234,7 @@
grants:
- name: third_grant
grantee_principal: "{{ iam_role_result.iam_role.arn }}"
retiring_principal: "{{ caller_arn }}"
retiring_principal: "{{ aws_caller_info.arn }}"
constraints:
encryption_context_subset:
environment: third
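Review bot: The result of the `aws_caller_info` task is registered under the module's own name (`register: aws_caller_info`), so later references such as `{{ aws_caller_info.arn }}` read like a module call rather than a fact; registering as `caller_info` and using `{{ caller_info.arn }}` keeps the variable distinct from the module. The task name `get ARN of calling user` still describes the old `sts get_caller_identity` command and could be updated to match the module now used.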
