Skip to content

Commit

Permalink
Allow to disable encryption on cloudtrail (ansible-collections#1384)
Browse files Browse the repository at this point in the history
Allow to disable encryption on cloudtrail

SUMMARY

Allow to disable encryption on cloudtrail.
Note: Tests are not run in CI because of missing policy.

ISSUE TYPE


Bugfix Pull Request
Docs Pull Request
Feature Pull Request
New Module Pull Request

COMPONENT NAME

ADDITIONAL INFORMATION

Reviewed-by: Mark Chappell
  • Loading branch information
alinabuzachis authored Feb 23, 2023
1 parent e9301e4 commit 200392e
Show file tree
Hide file tree
Showing 3 changed files with 38 additions and 38 deletions.
2 changes: 2 additions & 0 deletions changelogs/fragments/1384-cloudtrail-disable_encryption.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
bugfixes:
- cloudtrail - support to disabling encryption using ´´kms_key_id´´ (https://github.com/ansible-collections/amazon.aws/pull/1384).
7 changes: 4 additions & 3 deletions plugins/modules/cloudtrail.py
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,7 @@
description:
- Specifies the KMS key ID to use to encrypt the logs delivered by CloudTrail. This also has the effect of enabling log file encryption.
- The value can be an alias name prefixed by "alias/", a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.
- Encryption can be disabled by setting I(kms_key_id="").
- See U(https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html).
type: str
notes:
Expand Down Expand Up @@ -485,8 +486,8 @@ def main():
if module.params['enable_log_file_validation'] is not None:
ct_params['EnableLogFileValidation'] = module.params['enable_log_file_validation']

if module.params['kms_key_id']:
ct_params['KmsKeyId'] = module.params['kms_key_id']
if module.params["kms_key_id"] is not None:
ct_params["KmsKeyId"] = module.params["kms_key_id"]

client = module.client('cloudtrail')
region = module.region
Expand Down Expand Up @@ -590,7 +591,7 @@ def main():
results['exists'] = True
if not module.check_mode:
if tags:
ct_params['TagsList'] = ansible_dict_to_boto3_tag_list(tags)
ct_params["TagsList"] = ansible_dict_to_boto3_tag_list(tags)
# If we aren't in check_mode then actually create it
created_trail = create_trail(module, client, ct_params)
# Get the trail status
Expand Down
67 changes: 32 additions & 35 deletions tests/integration/targets/cloudtrail/tasks/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -179,7 +179,7 @@
- name: pause to ensure role exists before attaching policy
pause:
seconds: 15

- name: 'Add inline policy to CloudWatch Role'
iam_policy:
state: present
Expand Down Expand Up @@ -213,8 +213,6 @@
- output.exists == True
- output.trail.name == cloudtrail_name



- name: 'No-op update to trail'
cloudtrail:
state: present
Expand Down Expand Up @@ -248,13 +246,12 @@
trail_arn: '{{ item.resource_id }}'
when: item.name == cloudtrail_name
loop: "{{ info.trail_list }}"

- name: 'Assert that the trail name is present in the info'
assert:
that:
- trail_present is defined
- trail_present == True


# ============================================================

Expand Down Expand Up @@ -1361,38 +1358,38 @@
# when using check_mode, with no kms permissions, and not giving kms_key_id as a key arn
# output will always be marked as changed.

#- name: 'Disable logging encryption (CHECK MODE)'
# cloudtrail:
# state: present
# name: '{{ cloudtrail_name }}'
# kms_key_id: ''
# register: output
# check_mode: yes
#- assert:
# that:
# - output is changed
- name: 'Disable logging encryption (CHECK MODE)'
cloudtrail:
state: present
name: '{{ cloudtrail_name }}'
kms_key_id: ''
register: output
check_mode: yes
- assert:
that:
- output is changed

#- name: 'Disable logging encryption'
# cloudtrail:
# state: present
# name: '{{ cloudtrail_name }}'
# kms_key_id: ''
# register: output
#- assert:
# that:
# - output.trail.kms_key_id == None
# - output is changed
- name: 'Disable logging encryption'
cloudtrail:
state: present
name: '{{ cloudtrail_name }}'
kms_key_id: ''
register: output
- assert:
that:
- output.trail.kms_key_id == ""
- output is changed

#- name: 'Disable logging encryption (no change)'
# cloudtrail:
# state: present
# name: '{{ cloudtrail_name }}'
# kms_key_id: ''
# register: output
#- assert:
# that:
# - output.kms_key_id == None
# - output is not changed
- name: 'Disable logging encryption (no change)'
cloudtrail:
state: present
name: '{{ cloudtrail_name }}'
kms_key_id: ''
register: output
- assert:
that:
- output.kms_key_id == ""
- output is not changed

# ============================================================

Expand Down

0 comments on commit 200392e

Please sign in to comment.