diff --git a/lib/ansible/modules/cloud/google/gcp_kms_crypto_key.py b/lib/ansible/modules/cloud/google/gcp_kms_crypto_key.py new file mode 100644 index 00000000000..1b1f11bdebb --- /dev/null +++ b/lib/ansible/modules/cloud/google/gcp_kms_crypto_key.py @@ -0,0 +1,381 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- +# +# Copyright (C) 2017 Google +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file at +# https://www.github.com/GoogleCloudPlatform/magic-modules +# +# ---------------------------------------------------------------------------- + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +################################################################################ +# Documentation +################################################################################ + +ANSIBLE_METADATA = {'metadata_version': '1.1', 'status': ["preview"], 'supported_by': 'community'} + +DOCUMENTATION = ''' +--- +module: gcp_kms_crypto_key +description: +- A `CryptoKey` represents a logical key that can be used for cryptographic operations. +short_description: Creates a GCP CryptoKey +version_added: 2.9 +author: Google Inc. (@googlecloudplatform) +requirements: +- python >= 2.6 +- requests >= 2.18.4 +- google-auth >= 1.3.0 +options: + state: + description: + - Whether the given object should exist in GCP + choices: + - present + - absent + default: present + type: str + name: + description: + - The resource name for the CryptoKey. + required: true + type: str + labels: + description: + - Labels with user-defined metadata to apply to this resource. + required: false + type: dict + purpose: + description: + - Immutable purpose of CryptoKey. See U(https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys#CryptoKeyPurpose) + for inputs. + - 'Some valid choices include: "ENCRYPT_DECRYPT", "ASYMMETRIC_SIGN", "ASYMMETRIC_DECRYPT"' + required: false + default: ENCRYPT_DECRYPT + type: str + rotation_period: + description: + - Every time this period passes, generate a new CryptoKeyVersion and set it as + the primary. + - The first rotation will take place after the specified period. The rotation + period has the format of a decimal number with up to 9 fractional digits, followed + by the letter `s` (seconds). It must be greater than a day (ie, 86400). + required: false + type: str + version_template: + description: + - A template describing settings for new crypto key versions. + required: false + type: dict + suboptions: + algorithm: + description: + - The algorithm to use when creating a version based on this template. + - See the [algorithm reference](U(https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm)) + for possible inputs. + required: true + type: str + protection_level: + description: + - The protection level to use when creating a version based on this template. + - 'Some valid choices include: "SOFTWARE", "HSM"' + required: false + type: str + key_ring: + description: + - The KeyRing that this key belongs to. + - 'Format: `''projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}''`.' + required: true + type: str +extends_documentation_fragment: gcp +notes: +- 'API Reference: U(https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys)' +- 'Creating a key: U(https://cloud.google.com/kms/docs/creating-keys#create_a_key)' +''' + +EXAMPLES = ''' +- name: create a key ring + gcp_kms_key_ring: + name: key-key-ring + location: us-central1 + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file }}" + state: present + register: keyring + +- name: create a crypto key + gcp_kms_crypto_key: + name: test_object + key_ring: projects/{{ gcp_project }}/locations/us-central1/keyRings/key-key-ring + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present +''' + +RETURN = ''' +name: + description: + - The resource name for the CryptoKey. + returned: success + type: str +creationTime: + description: + - The time that this resource was created on the server. + - This is in RFC3339 text format. + returned: success + type: str +labels: + description: + - Labels with user-defined metadata to apply to this resource. + returned: success + type: dict +purpose: + description: + - Immutable purpose of CryptoKey. See U(https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys#CryptoKeyPurpose) + for inputs. + returned: success + type: str +rotationPeriod: + description: + - Every time this period passes, generate a new CryptoKeyVersion and set it as the + primary. + - The first rotation will take place after the specified period. The rotation period + has the format of a decimal number with up to 9 fractional digits, followed by + the letter `s` (seconds). It must be greater than a day (ie, 86400). + returned: success + type: str +versionTemplate: + description: + - A template describing settings for new crypto key versions. + returned: success + type: complex + contains: + algorithm: + description: + - The algorithm to use when creating a version based on this template. + - See the [algorithm reference](U(https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm)) + for possible inputs. + returned: success + type: str + protectionLevel: + description: + - The protection level to use when creating a version based on this template. + returned: success + type: str +keyRing: + description: + - The KeyRing that this key belongs to. + - 'Format: `''projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}''`.' + returned: success + type: str +''' + +################################################################################ +# Imports +################################################################################ + +from ansible.module_utils.gcp_utils import navigate_hash, GcpSession, GcpModule, GcpRequest, remove_nones_from_dict, replace_resource_dict +import json + +################################################################################ +# Main +################################################################################ + + +def main(): + """Main function""" + + module = GcpModule( + argument_spec=dict( + state=dict(default='present', choices=['present', 'absent'], type='str'), + name=dict(required=True, type='str'), + labels=dict(type='dict'), + purpose=dict(default='ENCRYPT_DECRYPT', type='str'), + rotation_period=dict(type='str'), + version_template=dict(type='dict', options=dict(algorithm=dict(required=True, type='str'), protection_level=dict(type='str'))), + key_ring=dict(required=True, type='str'), + ) + ) + + if not module.params['scopes']: + module.params['scopes'] = ['https://www.googleapis.com/auth/cloudkms'] + + state = module.params['state'] + + fetch = fetch_resource(module, self_link(module)) + changed = False + + if fetch: + if state == 'present': + if is_different(module, fetch): + update(module, self_link(module), fetch) + fetch = fetch_resource(module, self_link(module)) + changed = True + else: + delete(module, self_link(module)) + fetch = {} + changed = True + else: + if state == 'present': + fetch = create(module, create_link(module)) + changed = True + else: + fetch = {} + + fetch.update({'changed': changed}) + + module.exit_json(**fetch) + + +def create(module, link): + auth = GcpSession(module, 'kms') + return return_if_object(module, auth.post(link, resource_to_request(module))) + + +def update(module, link, fetch): + auth = GcpSession(module, 'kms') + params = {'updateMask': updateMask(resource_to_request(module), response_to_hash(module, fetch))} + request = resource_to_request(module) + return return_if_object(module, auth.patch(link, request, params=params)) + + +def updateMask(request, response): + update_mask = [] + if request.get('labels') != response.get('labels'): + update_mask.append('labels') + if request.get('rotationPeriod') != response.get('rotationPeriod'): + update_mask.append('rotationPeriod') + if request.get('versionTemplate') != response.get('versionTemplate'): + update_mask.append('versionTemplate') + return ','.join(update_mask) + + +def delete(module, link): + module.fail_json(msg="KeyRings cannot be deleted") + + +def resource_to_request(module): + request = { + u'labels': module.params.get('labels'), + u'purpose': module.params.get('purpose'), + u'rotationPeriod': module.params.get('rotation_period'), + u'versionTemplate': CryptoKeyVersiontemplate(module.params.get('version_template', {}), module).to_request(), + } + return_vals = {} + for k, v in request.items(): + if v or v is False: + return_vals[k] = v + + return return_vals + + +def fetch_resource(module, link, allow_not_found=True): + auth = GcpSession(module, 'kms') + return return_if_object(module, auth.get(link), allow_not_found) + + +def self_link(module): + return "https://cloudkms.googleapis.com/v1/{key_ring}/cryptoKeys/{name}".format(**module.params) + + +def collection(module): + return "https://cloudkms.googleapis.com/v1/{key_ring}/cryptoKeys".format(**module.params) + + +def create_link(module): + return "https://cloudkms.googleapis.com/v1/{key_ring}/cryptoKeys?cryptoKeyId={name}".format(**module.params) + + +def return_if_object(module, response, allow_not_found=False): + # If not found, return nothing. + if allow_not_found and response.status_code == 404: + return None + + # If no content, return nothing. + if response.status_code == 204: + return None + + try: + module.raise_for_status(response) + result = response.json() + except getattr(json.decoder, 'JSONDecodeError', ValueError): + module.fail_json(msg="Invalid JSON response with error: %s" % response.text) + + result = decode_response(result, module) + + if navigate_hash(result, ['error', 'errors']): + module.fail_json(msg=navigate_hash(result, ['error', 'errors'])) + + return result + + +def is_different(module, response): + request = resource_to_request(module) + response = response_to_hash(module, response) + request = decode_response(request, module) + + # Remove all output-only from response. + response_vals = {} + for k, v in response.items(): + if k in request: + response_vals[k] = v + + request_vals = {} + for k, v in request.items(): + if k in response: + request_vals[k] = v + + return GcpRequest(request_vals) != GcpRequest(response_vals) + + +# Remove unnecessary properties from the response. +# This is for doing comparisons with Ansible's current parameters. +def response_to_hash(module, response): + return { + u'name': module.params.get('name'), + u'creationTime': response.get(u'creationTime'), + u'labels': response.get(u'labels'), + u'purpose': module.params.get('purpose'), + u'rotationPeriod': response.get(u'rotationPeriod'), + u'versionTemplate': CryptoKeyVersiontemplate(response.get(u'versionTemplate', {}), module).from_response(), + } + + +def decode_response(response, module): + if 'name' in response: + response['name'] = response['name'].split('/')[-1] + return response + + +class CryptoKeyVersiontemplate(object): + def __init__(self, request, module): + self.module = module + if request: + self.request = request + else: + self.request = {} + + def to_request(self): + return remove_nones_from_dict({u'algorithm': self.request.get('algorithm'), u'protectionLevel': self.request.get('protection_level')}) + + def from_response(self): + return remove_nones_from_dict({u'algorithm': self.request.get(u'algorithm'), u'protectionLevel': self.module.params.get('protection_level')}) + + +if __name__ == '__main__': + main() diff --git a/test/integration/targets/gcp_kms_crypto_key/aliases b/test/integration/targets/gcp_kms_crypto_key/aliases new file mode 100644 index 00000000000..9812f019ca4 --- /dev/null +++ b/test/integration/targets/gcp_kms_crypto_key/aliases @@ -0,0 +1,2 @@ +cloud/gcp +unsupported diff --git a/test/integration/targets/gcp_kms_crypto_key/defaults/main.yml b/test/integration/targets/gcp_kms_crypto_key/defaults/main.yml new file mode 100644 index 00000000000..ba66644fc1c --- /dev/null +++ b/test/integration/targets/gcp_kms_crypto_key/defaults/main.yml @@ -0,0 +1,2 @@ +--- +resource_name: "{{ resource_prefix }}" diff --git a/test/integration/targets/gcp_kms_crypto_key/meta/main.yml b/test/integration/targets/gcp_kms_crypto_key/meta/main.yml new file mode 100644 index 00000000000..e69de29bb2d diff --git a/test/integration/targets/gcp_kms_crypto_key/tasks/main.yml b/test/integration/targets/gcp_kms_crypto_key/tasks/main.yml new file mode 100644 index 00000000000..ef2252c863e --- /dev/null +++ b/test/integration/targets/gcp_kms_crypto_key/tasks/main.yml @@ -0,0 +1,73 @@ +# Copyright 2019 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +# Pre-test setup +- name: create a key ring + gcp_kms_key_ring: + name: key-key-ring + location: us-central1 + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file }}" + state: present + register: keyring +- name: delete a crypto key + gcp_kms_crypto_key: + name: "{{ resource_name }}" + key_ring: projects/{{ gcp_project }}/locations/us-central1/keyRings/key-key-ring + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file }}" + state: absent +#---------------------------------------------------------- +- name: create a crypto key + gcp_kms_crypto_key: + name: "{{ resource_name }}" + key_ring: projects/{{ gcp_project }}/locations/us-central1/keyRings/key-key-ring + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file }}" + state: present + register: result +- name: assert changed is true + assert: + that: + - result.changed == true +- name: verify that crypto_key was created + gcp_kms_crypto_key_info: + key_ring: "projects/{{ gcp_project }}/locations/us-central1/keyRings/key-key-ring" + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file }}" + scopes: + - https://www.googleapis.com/auth/cloudkms + register: results +- name: verify that command succeeded + assert: + that: + - results['resources'] | map(attribute='name') | select("match", ".*{{ resource_name }}.*") | list | length == 1 +# ---------------------------------------------------------------------------- +- name: create a crypto key that already exists + gcp_kms_crypto_key: + name: "{{ resource_name }}" + key_ring: projects/{{ gcp_project }}/locations/us-central1/keyRings/key-key-ring + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file }}" + state: present + register: result +- name: assert changed is false + assert: + that: + - result.changed == false