s3_bucket: Allow empty encryption_key_id with aws:kms (#62031)

* s3_bucket: Allow empty encryption_key_id with aws:kms to use KMS master key * Add idempotency check and cleanup example, dont require encryption_key_id
6 years ago · aa68f728fd
parent 2e81b813dd
commit aa68f728fd
2 changed files with 47 additions and 2 deletions
--- a/lib/ansible/modules/cloud/amazon/s3_bucket.py
+++ b/lib/ansible/modules/cloud/amazon/s3_bucket.py
@ -133,6 +133,24 @@ EXAMPLES = '''
    name: mydobucket
    s3_url: 'https://nyc3.digitaloceanspaces.com'

+# Create a bucket with AES256 encryption
+- s3_bucket:
+    name: mys3bucket
+    state: present
+    encryption: "AES256"
+
+# Create a bucket with aws:kms encryption, KMS key
+- s3_bucket:
+    name: mys3bucket
+    state: present
+    encryption: "aws:kms"
+    encryption_key_id: "arn:aws:kms:us-east-1:1234/5678example"
+
+# Create a bucket with aws:kms encryption, default key
+- s3_bucket:
+    name: mys3bucket
+    state: present
+    encryption: "aws:kms"
 '''

 import json
@ -326,7 +344,7 @@ def create_or_update_bucket(s3_client, module, location):
            changed = True
        elif encryption != 'none' and (encryption != current_encryption_algorithm) or (encryption == 'aws:kms' and current_encryption_key != encryption_key_id):
            expected_encryption = {'SSEAlgorithm': encryption}
-            if encryption == 'aws:kms':
+            if encryption == 'aws:kms' and encryption_key_id is not None:
                expected_encryption.update({'KMSMasterKeyID': encryption_key_id})
            try:
                put_bucket_encryption(s3_client, name, expected_encryption)
@ -660,7 +678,6 @@ def main():

    module = AnsibleAWSModule(
        argument_spec=argument_spec,
-        required_if=[['encryption', 'aws:kms', ['encryption_key_id']]]
    )

    region, ec2_url, aws_connect_kwargs = get_aws_connection_info(module, boto3=True)
--- a/test/integration/targets/s3_bucket/tasks/main.yml
+++ b/test/integration/targets/s3_bucket/tasks/main.yml
@ -394,6 +394,34 @@
          - output.changed
          - not output.encryption

+    - name: Enable aws:kms encryption with KMS master key
+      s3_bucket:
+        name: "{{ resource_prefix }}-testbucket-encrypt-ansible"
+        state: present
+        encryption: "aws:kms"
+        <<: *aws_connection_info
+      register: output
+
+    - assert:
+        that:
+          - output.changed
+          - output.encryption
+          - output.encryption.SSEAlgorithm == 'aws:kms'
+
+    - name: Enable aws:kms encryption with KMS master key (idempotent)
+      s3_bucket:
+        name: "{{ resource_prefix }}-testbucket-encrypt-ansible"
+        state: present
+        encryption: "aws:kms"
+        <<: *aws_connection_info
+      register: output
+
+    - assert:
+        that:
+          - not output.changed
+          - output.encryption
+          - output.encryption.SSEAlgorithm == 'aws:kms'
+
    # ============================================================
    - name: Pause to help with s3 bucket eventual consistency
      pause: