ansible/test/integration/targets/aws_kms/tasks/main.yml

- module_defaults:
    group/aws:
        region: "{{ aws_region }}"
        aws_access_key: "{{ aws_access_key }}"
        aws_secret_key: "{{ aws_secret_key }}"
        security_token: "{{ security_token | default(omit) }}"
  block:
    # ============================================================
    #   PREPARATION
    #
    # Get some information about who we are before starting our tests
    # we'll need this as soon as we start working on the policies
    - name: get ARN of calling user
      aws_caller_info:
      register: aws_caller_info

    # IAM Roles completes before the Role is fully instantiated, create it here
    # to ensure it exists when we need it for updating the policies
    - name: create an IAM role that can do nothing
      iam_role:
        name: "{{ resource_prefix }}-kms-role"
        state: present
        assume_role_policy_document: '{"Version": "2012-10-17", "Statement": {"Action": "sts:AssumeRole", "Principal": {"Service": "ec2.amazonaws.com"}, "Effect": "Deny"} }'
      register: iam_role_result
    # ============================================================
    #   TESTS
    - name: See whether key exists and its current state
      aws_kms_info:
        filters:
          alias: "{{ resource_prefix }}-kms"

    - name: create a key
      aws_kms:
        alias: "{{ resource_prefix }}-kms"
        tags:
          Hello: World
        state: present
        enabled: yes
      register: create_kms

    - name: assert that state is enabled
      assert:
        that:
          - create_kms.key_state == "Enabled"
          - create_kms.tags['Hello'] == 'World'

    - name: find facts about the key
      aws_kms_info:
        filters:
          alias: "{{ resource_prefix }}-kms"
      register: new_key

    - name: check that a key was found
      assert:
        that:
          - new_key["keys"]|length == 1

    - name: Update Policy on key to match AWS Console generate policy
      aws_kms:
        key_id: '{{ new_key["keys"][0]["key_id"] }}'
        policy: "{{ lookup('template', 'console-policy.j2') | to_json }}"
      register: kms_policy_changed

    - name: Policy should have been changed
      assert:
        that:
          - kms_policy_changed is changed

    - name: Attempt to re-assert the same policy
      aws_kms:
        alias: "alias/{{ resource_prefix }}-kms"
        policy: "{{ lookup('template', 'console-policy.j2') | to_json }}"
      register: kms_policy_changed

    - name: Policy should not have changed since it was last set
      assert:
        that:
          - kms_policy_changed is succeeded

    - name: grant user-style access to production secrets
      aws_kms:
        mode: grant
        alias: "alias/{{ resource_prefix }}-kms"
        role_name: "{{ resource_prefix }}-kms-role"
        grant_types: "role,role grant"

    - name: find facts about the key
      aws_kms_info:
        filters:
          alias: "{{ resource_prefix }}-kms"
      register: new_key

    - name: remove access to production secrets from role
      aws_kms:
        mode: deny
        alias: "alias/{{ resource_prefix }}-kms"
        role_arn: "{{ iam_role_result.iam_role.arn }}"

    - name: find facts about the key
      aws_kms_info:
        filters:
          alias: "{{ resource_prefix }}-kms"
      register: new_key

    - name: Allow the IAM role to use a specific Encryption Context
      aws_kms:
        alias: "{{ resource_prefix }}-kms"
        state: present
        purge_grants: yes
        purge_tags: yes
        grants:
          - name: test_grant
            grantee_principal: "{{ iam_role_result.iam_role.arn }}"
            retiring_principal: "{{ aws_caller_info.arn }}"
            constraints:
              encryption_context_equals:
                environment: test
                application: testapp
            operations:
              - Decrypt
              - RetireGrant
      register: grant_one

    - name: assert grant added
      assert:
        that:
          - grant_one.changed
          - grant_one.grants|length == 1

    - name: Add a second grant
      aws_kms:
        alias: "{{ resource_prefix }}-kms"
        state: present
        grants:
          - name: another_grant
            grantee_principal: "{{ iam_role_result.iam_role.arn }}"
            retiring_principal: "{{ aws_caller_info.arn }}"
            constraints:
              encryption_context_equals:
                Environment: second
                Application: anotherapp
            operations:
              - Decrypt
              - RetireGrant
      register: grant_two

    - name: assert grant added
      assert:
        that:
          - grant_two.changed
          - grant_two.grants|length == 2

    - name: Add a second grant again
      aws_kms:
        alias: "{{ resource_prefix }}-kms"
        state: present
        grants:
          - name: another_grant
            grantee_principal: "{{ iam_role_result.iam_role.arn }}"
            retiring_principal: "{{ aws_caller_info.arn }}"
            constraints:
              encryption_context_equals:
                Environment: second
                Application: anotherapp
            operations:
              - Decrypt
              - RetireGrant
      register: grant_two_again

    - name: assert grant added
      assert:
        that:
          - not grant_two_again.changed
          - grant_two_again.grants|length == 2

    - name: Update the grants with purge_grants set
      aws_kms:
        alias: "{{ resource_prefix }}-kms"
        state: present
        purge_grants: yes
        grants:
          - name: third_grant
            grantee_principal: "{{ iam_role_result.iam_role.arn }}"
            retiring_principal: "{{ aws_caller_info.arn }}"
            constraints:
              encryption_context_equals:
                environment: third
                application: onemoreapp
            operations:
              - Decrypt
              - RetireGrant
      register: grant_three

    - name: assert grants replaced
      assert:
        that:
          - grant_three.changed
          - grant_three.grants|length == 1

    - name: update third grant to change encryption context equals to subset
      aws_kms:
        alias: "{{ resource_prefix }}-kms"
        state: present
        grants:
          - name: third_grant
            grantee_principal: "{{ iam_role_result.iam_role.arn }}"
            retiring_principal: "{{ aws_caller_info.arn }}"
            constraints:
              encryption_context_subset:
                environment: third
                application: onemoreapp
            operations:
              - Decrypt
              - RetireGrant
      register: grant_three_update

    - name: assert grants replaced
      assert:
        that:
          - "grant_three_update.changed"
          - "grant_three_update.grants|length == 1"
          - "'encryption_context_equals' not in grant_three_update.grants[0].constraints"
          - "'encryption_context_subset' in grant_three_update.grants[0].constraints"

    - name: tag encryption key
      aws_kms:
        alias: "{{ resource_prefix }}-kms"
        state: present
        tags:
          tag_one: tag_one
          tag_two: tag_two
      register: tag_kms

    - name: assert tags added and grants remain in place
      assert:
        that:
          - "tag_kms.changed"
          - "tag_kms.grants|length == 1"
          - "'tag_one' in tag_kms.tags"
          - "'tag_two' in tag_kms.tags"

    - name: add, replace, remove tags
      aws_kms:
        alias: "{{ resource_prefix }}-kms"
        state: present
        purge_tags: yes
        tags:
          tag_two: tag_two_updated
          tag_three: tag_three
      register: tag_kms_update

    - name: assert tags correctly changed
      assert:
        that:
          - "tag_kms_update.changed"
          - "'tag_one' not in tag_kms_update.tags"
          - "'tag_two' in tag_kms_update.tags"
          - "tag_kms_update.tags.tag_two == 'tag_two_updated'"
          - "'tag_three' in tag_kms_update.tags"

    - name: make no real tag change
      aws_kms:
        alias: "{{ resource_prefix }}-kms"
        state: present
      register: tag_kms_no_update

    - name: assert no change to tags
      assert:
        that:
          - "not tag_kms_no_update.changed"
          - "'tag_one' not in tag_kms_no_update.tags"
          - "'tag_two' in tag_kms_no_update.tags"
          - "tag_kms_no_update.tags.tag_two == 'tag_two_updated'"
          - "'tag_three' in tag_kms_no_update.tags"

    - name: update the key's description and disable it
      aws_kms:
        alias: "{{ resource_prefix }}-kms"
        state: present
        description: test key for testing
        enabled: no
      register: update_key

    - name: assert that state is enabled
      assert:
        that:
          - update_key.description == "test key for testing"
          - update_key.key_state == "Disabled"
          - update_key.changed

    - name: delete the key
      aws_kms:
        alias: "{{ resource_prefix }}-kms"
        state: absent
      register: delete_kms

    - name: assert that state is pending deletion
      assert:
        that:
          - delete_kms.key_state == "PendingDeletion"
          - delete_kms.changed

    - name: re-delete the key
      aws_kms:
        alias: "{{ resource_prefix }}-kms"
        state: absent
      register: delete_kms

    - name: assert that state is pending deletion
      assert:
        that:
          - delete_kms.key_state == "PendingDeletion"
          - delete_kms is not changed

    - name: undelete and enable the key
      aws_kms:
        alias: "{{ resource_prefix }}-kms"
        state: present
        enabled: yes
      register: undelete_kms

    - name: assert that state is enabled
      assert:
        that:
          - undelete_kms.key_state == "Enabled"
          - undelete_kms.changed

    - name: delete a non-existant key
      aws_kms:
        key_id: '00000000-0000-0000-0000-000000000000'
        state: absent
      register: delete_kms

    - name: assert that state is unchanged
      assert:
        that:
          - delete_kms is not changed

  always:
    # ============================================================
    #   CLEAN-UP
    - name: finish off by deleting key
      aws_kms:
        state: absent
        alias: "{{ resource_prefix }}-kms"
      register: destroy_result

    - name: remove the IAM role
      iam_role:
        name: "{{ resource_prefix }}-kms-role"
        state: absent
      register: iam_role_result