Commit: Make example AWS UUIDS follow a specific pattern (ansible-collections#1539)

SUMMARY
Various AWS IAM resources have UUIDs which follow a specific pattern. Similarly AWS accounts are all 12-digit numbers (text aliases in a couple of cases). To minimize the risk of accidental data leaks use a consistent Account ID in examples (123456789012), and a specific format for the UUIDs: (AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)12345EXAMPLE54321
While this does nothing about historic data, having consistency makes it easier to prevent future leaks.
Note: We should follow this up with an update to the developer docs, however I'd like to get this in prior to 5.0.0
ISSUE TYPE

Docs Pull Request

COMPONENT NAME
plugins/modules/acm_certificate_info.py
plugins/modules/application_autoscaling_policy.py
plugins/modules/autoscaling_launch_config.py
plugins/modules/autoscaling_launch_config_info.py
plugins/modules/codecommit_repository.py
plugins/modules/directconnect_link_aggregation_group.py
plugins/modules/dms_endpoint.py
plugins/modules/dynamodb_table.py
plugins/modules/ec2_transit_gateway_info.py
plugins/modules/ec2_transit_gateway_vpc_attachment.py
plugins/modules/ec2_transit_gateway_vpc_attachment_info.py
plugins/modules/ec2_vpc_peer.py
plugins/modules/ec2_vpc_peering_info.py
plugins/modules/ec2_vpc_vpn_info.py
plugins/modules/ecs_cluster.py
plugins/modules/ecs_ecr.py
plugins/modules/ecs_service.py
plugins/modules/ecs_service_info.py
plugins/modules/ecs_task.py
plugins/modules/efs.py
plugins/modules/efs_info.py
plugins/modules/eks_cluster.py
plugins/modules/elasticache_subnet_group.py
plugins/modules/elb_network_lb.py
plugins/modules/elb_target_group.py
plugins/modules/elb_target_group_info.py
plugins/modules/elb_target_info.py
plugins/modules/iam_group.py
plugins/modules/iam_managed_policy.py
plugins/modules/iam_mfa_device_info.py
plugins/modules/iam_server_certificate_info.py
plugins/modules/lightsail.py
plugins/modules/lightsail_static_ip.py
plugins/modules/msk_cluster.py
plugins/modules/s3_bucket_notification.py
plugins/modules/sns_topic.py
plugins/modules/sns_topic_info.py
plugins/modules/sqs_queue.py
plugins/modules/stepfunctions_state_machine.py
plugins/modules/stepfunctions_state_machine_execution.py
plugins/modules/storagegateway_info.py
plugins/modules/wafv2_web_acl.py
ADDITIONAL INFORMATION
While the 'secret' nature of these UUIDs is debatable (they're closer to user names than passwords), deliberately mangling them makes it easier for InfoSec teams to spot when their secret counterparts may have been leaked in combination with a real 'public' part.

This commit was initially merged in https://github.com/ansible-collections/community.aws
See: ansible-collections@9476422
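As an added example (the editor's, not code from this commit or from the community.aws collection), the following Python check applies the convention from the commit message to a docs fragment: it flags any 12-digit account ID other than 123456789012 and any IAM unique ID with one of the listed prefixes that does not end in 12345EXAMPLE54321. The sample text is constructed, and the assumption that real unique IDs are 20 or 21 characters long is the editor's.

```python
import re

# IAM unique-ID prefixes named in the commit message. Real IDs are assumed to be
# 20 or 21 characters (prefix plus 16 or 17 uppercase alphanumerics).
PREFIXES = ("AKIA", "AGPA", "AIDA", "AROA", "AIPA", "ANPA", "ANVA", "ASIA")
UNIQUE_ID_RE = re.compile(r"\b(?:%s)[A-Z0-9]{16,17}\b" % "|".join(PREFIXES))
# The placeholder form the commit message asks for.
EXAMPLE_ID_RE = re.compile(r"^(?:%s)12345EXAMPLE54321$" % "|".join(PREFIXES))
EXAMPLE_ACCOUNT = "123456789012"
# Exactly 12 digits not embedded in a longer token; in an ARN they sit between ':'.
ACCOUNT_ID_RE = re.compile(r"(?<![\w.-])\d{12}(?![\w.-])")


def find_nonconforming(text):
    """Return (line_no, kind, value) for each identifier in ``text`` that does
    not use the example convention; a clean docs fragment yields an empty list."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in UNIQUE_ID_RE.finditer(line):
            if not EXAMPLE_ID_RE.match(m.group(0)):
                findings.append((line_no, "unique-id", m.group(0)))
        for m in ACCOUNT_ID_RE.finditer(line):
            if m.group(0) != EXAMPLE_ACCOUNT:
                findings.append((line_no, "account-id", m.group(0)))
    return findings


# Constructed sample resembling a module RETURN block; the first ARN reuses the
# old value replaced in this commit, the unique IDs are made-up letter runs.
SAMPLE_DOC = """\
sample: "arn:aws:iam::911277865346:server-certificate/server-cert-name"
sample: "arn:aws:iam::123456789012:server-certificate/server-cert-name"
owner_id: AIDA12345EXAMPLE54321
role_id: AROAABCDEFGHIJKLMNOPQ
access_key_id: AKIAABCDEFGHIJKLMNOP
"""

if __name__ == "__main__":
    for line_no, kind, value in find_nonconforming(SAMPLE_DOC):
        print(f"line {line_no}: {kind} {value} does not follow the example pattern")
```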
tremble authored and alinabuzachis committed Oct 13, 2023
1 parent 983ddec commit 3dfbe9d
Showing 2 changed files with 19 additions and 19 deletions.
4 changes: 2 additions & 2 deletions plugins/modules/iam_server_certificate_info.py
@@ -58,7 +58,7 @@
description: The Amazon resource name of the server certificate
returned: success
type: str
sample: "arn:aws:iam::911277865346:server-certificate/server-cert-name"
sample: "arn:aws:iam::123456789012:server-certificate/server-cert-name"
path:
description: The path of the server certificate
returned: success
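Review bot: the `sample:` for `arn` now uses the 123456789012 placeholder, but the same ARN is repeated verbatim in the `get_server_certs` docstring further down this file, so the two copies can drift apart on the next edit; consider trimming one of them or, at minimum, keeping them adjacent in the RETURN block so a reviewer sees both together.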
@@ -106,7 +106,7 @@ def get_server_certs(iam, name=None):
"server_certificate_name": "server-cert-name",
"expiration": "2017-06-15T12:00:00+00:00",
"path": "/",
"arn": "arn:aws:iam::911277865346:server-certificate/server-cert-name"
"arn": "arn:aws:iam::123456789012:server-certificate/server-cert-name"
}
"""
results = dict()
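Review bot: nothing in this change enforces the convention it introduces, so the next contributor can reintroduce a real-looking account ID or AKIA/AROA-style ID by copy-paste; a sanity test that scans `plugins/modules` for 12-digit numbers other than 123456789012 and for the listed prefixes without the `12345EXAMPLE54321` suffix would make the rule from the commit message self-checking rather than review-dependent.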
34 changes: 17 additions & 17 deletions tests/integration/targets/iam_server_certificate/tasks/main.yml
@@ -245,7 +245,7 @@
cert: '{{ cert_a_data }}'
key: '{{ lookup("file", path_cert_key) }}'
cert_chain: '{{ chain_cert_data }}'
path: '/example/'
path: '/ansible-test-example/'
register: create_cert
check_mode: true
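Review bot: the rename of `path: '/example/'` to `'/ansible-test-example/'` is not explained by the commit summary, which only covers account IDs and UUIDs, and this test file is absent from the COMPONENT NAME list; state the reason for the path change in the commit message or split it into its own change so the two concerns can be reviewed separately.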

@@ -262,7 +262,7 @@
cert: '{{ cert_a_data }}'
key: '{{ lookup("file", path_cert_key) }}'
cert_chain: '{{ chain_cert_data }}'
path: '/example/'
path: '/ansible-test-example/'
register: create_cert

- name: check result - Create Certificate with Chain and path
@@ -279,7 +279,7 @@
- create_cert.arn.startswith('arn:aws')
- create_cert.arn.endswith(cert_name)
- create_cert.name == cert_name
- create_cert.cert_path == '/example/'
- create_cert.cert_path == '/ansible-test-example/'
- create_cert.cert_body == cert_a_data

- name: Create Certificate with Chain and path - idempotency - check_mode
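Review bot: the assertion `create_cert.cert_path == '/ansible-test-example/'` hardcodes the same literal as the task that created the certificate, and after this change the literal appears in every create task, update task and assertion in the file; defining it once as a variable (for instance a `cert_path` var in the target's defaults, which is a suggestion, not something in this diff) and referencing it from both tasks and assertions would stop a future rename from leaving the two out of step.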
@@ -289,7 +289,7 @@
cert: '{{ cert_a_data }}'
key: '{{ lookup("file", path_cert_key) }}'
cert_chain: '{{ chain_cert_data }}'
path: '/example/'
path: '/ansible-test-example/'
register: create_cert
check_mode: true

@@ -306,7 +306,7 @@
cert: '{{ cert_a_data }}'
key: '{{ lookup("file", path_cert_key) }}'
cert_chain: '{{ chain_cert_data }}'
path: '/example/'
path: '/ansible-test-example/'
register: create_cert

- name: check result - Create Certificate with Chain and path - idempotency
@@ -323,7 +323,7 @@
- create_cert.arn.startswith('arn:aws')
- create_cert.arn.endswith(cert_name)
- create_cert.name == cert_name
- create_cert.cert_path == '/example/'
- create_cert.cert_path == '/ansible-test-example/'
- create_cert.cert_body == cert_a_data

################################################
@@ -446,8 +446,8 @@
iam_server_certificate:
name: '{{ cert_name }}'
state: present
path: '/example/'
new_path: '/path/'
path: '/ansible-test-example/'
new_path: '/ansible-test-path/'
register: update_path
check_mode: true
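Review bot: `path: '/ansible-test-example/'` and `new_path: '/ansible-test-path/'` are repeated verbatim in this check_mode task, in the real run that follows, and in the assertions later in the file; pulling both into variables would keep the check_mode run, the real run and the `update_path.cert_path` assertions in agreement without relying on four identical edits.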

@@ -461,8 +461,8 @@
iam_server_certificate:
name: '{{ cert_name }}'
state: present
path: '/example/'
new_path: '/path/'
path: '/ansible-test-example/'
new_path: '/ansible-test-path/'
register: update_path

- name: check result - Update certificate path
@@ -479,15 +479,15 @@
- update_path.arn.startswith('arn:aws')
- update_path.arn.endswith(cert_name)
- update_path.name == cert_name
- update_path.cert_path == '/path/'
- update_path.cert_path == '/ansible-test-path/'
- update_path.cert_body == cert_a_data

- name: Update certificate path - idempotency - check_mode
iam_server_certificate:
name: '{{ cert_name }}'
state: present
path: '/example/'
new_path: '/path/'
path: '/ansible-test-example/'
new_path: '/ansible-test-path/'
register: update_path
check_mode: true

@@ -501,8 +501,8 @@
iam_server_certificate:
name: '{{ cert_name }}'
state: present
path: '/example/'
new_path: '/path/'
path: '/ansible-test-example/'
new_path: '/ansible-test-path/'
register: update_path

- name: check result - Update certificate path - idempotency
@@ -548,7 +548,7 @@
- update_name.arn.startswith('arn:aws')
- update_name.arn.endswith('-renamed')
- update_name.name.endswith('renamed')
- update_name.cert_path == '/path/'
- update_name.cert_path == '/ansible-test-path/'
- update_name.cert_body == cert_a_data

- name: Update certificate name - idempotency - check_mode
@@ -586,7 +586,7 @@
- update_name.arn.startswith('arn:aws')
- update_name.arn.endswith('-renamed')
- update_name.name.endswith('renamed')
- update_name.cert_path == '/path/'
- update_name.cert_path == '/ansible-test-path/'
- update_name.cert_body == cert_a_data

always:

0 comments on commit 3dfbe9d

Please sign in to comment.