From 9c6ad391812b0c01daee539b2095f4b3b09f22b4 Mon Sep 17 00:00:00 2001
From: Alina Buzachis
Date: Tue, 21 Feb 2023 18:11:38 +0100
Subject: [PATCH 1/3] Allow to disable encryption on cloudtrail

Signed-off-by: Alina Buzachis
---
 plugins/modules/cloudtrail.py                 |  3 +-
 .../targets/cloudtrail/tasks/main.yml         | 67 +++++++++----------
 2 files changed, 34 insertions(+), 36 deletions(-)

diff --git a/plugins/modules/cloudtrail.py b/plugins/modules/cloudtrail.py
index fc4c47dbee0..da9dbef31b4 100644
--- a/plugins/modules/cloudtrail.py
+++ b/plugins/modules/cloudtrail.py
@@ -83,6 +83,7 @@
     description:
       - Specifies the KMS key ID to use to encrypt the logs delivered by CloudTrail. This also has the effect of enabling log file encryption.
       - The value can be an alias name prefixed by "alias/", a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.
+      - Encryption can be disabled by setting I(kms_key_id="").
       - See U(https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html).
     type: str
 notes:
@@ -485,7 +486,7 @@ def main():
     if module.params['enable_log_file_validation'] is not None:
         ct_params['EnableLogFileValidation'] = module.params['enable_log_file_validation']
 
-    if module.params['kms_key_id']:
+    if module.params['kms_key_id'] is not None:
         ct_params['KmsKeyId'] = module.params['kms_key_id']
 
     client = module.client('cloudtrail')
diff --git a/tests/integration/targets/cloudtrail/tasks/main.yml b/tests/integration/targets/cloudtrail/tasks/main.yml
index 7ceaf8711cf..ec9b22879de 100644
--- a/tests/integration/targets/cloudtrail/tasks/main.yml
+++ b/tests/integration/targets/cloudtrail/tasks/main.yml
@@ -179,7 +179,7 @@
   - name: pause to ensure role exists before attaching policy
     pause:
       seconds: 15
-    
+
   - name: 'Add inline policy to CloudWatch Role'
     iam_policy:
       state: present
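Review bot: The new description line in the @@ -83 hunk says encryption "can be disabled" but not what the trail's log files fall back to once the KMS key is removed, so an operator may read it as "logs become plaintext" or, conversely, miss that it is a deliberate security downgrade. I would extend it to `- Setting I(kms_key_id="") removes the customer-managed KMS key from the trail; delivered log files then use CloudTrail's default server-side encryption (SSE-S3, as far as AWS documents it) rather than a key you control.` The same block is also the place to state that the empty string is an explicit request while omitting the option leaves an existing key untouched, since that is the distinction the `is not None` change further down now relies on.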
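Review bot: With the guard relaxed to `is not None`, `kms_key_id: ''` now lands in `ct_params['KmsKeyId']` as an empty string, and `ct_params` is the same dict later handed to `create_trail(module, client, ct_params)` (visible in the second patch's @@ -591 hunk), so a brand-new trail declared with `kms_key_id: ''` sends `KmsKeyId=''` to CreateTrail instead of omitting the parameter. If the API rejects an empty key on create — I have not verified its constraints — the create path needs `if ct_params.get('KmsKeyId') == '': ct_params.pop('KmsKeyId')` before that call, with a comment that the empty string only has meaning as an update. The update/compare path, which is where `''` must be treated as "remove the key" and where the later "no change" integration assertion depends on absent-vs-empty being normalised, is outside this hunk; main()'s body starts and ends outside the hunk.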
@@ -213,8 +213,6 @@ - output.exists == True - output.trail.name == cloudtrail_name - - - name: 'No-op update to trail' cloudtrail: state: present @@ -248,13 +246,12 @@ trail_arn: '{{ item.resource_id }}' when: item.name == cloudtrail_name loop: "{{ info.trail_list }}" - + - name: 'Assert that the trail name is present in the info' assert: that: - trail_present is defined - trail_present == True - # ============================================================ 
@@ -1361,38 +1358,38 @@ # when using check_mode, with no kms permissions, and not giving kms_key_id as a key arn # output will always be marked as changed. - #- name: 'Disable logging encryption (CHECK MODE)' - # cloudtrail: - # state: present - # name: '{{ cloudtrail_name }}' - # kms_key_id: '' - # register: output - # check_mode: yes - #- assert: - # that: - # - output is changed + - name: 'Disable logging encryption (CHECK MODE)' + cloudtrail: + state: present + name: '{{ cloudtrail_name }}' + kms_key_id: '' + register: output + check_mode: yes + - assert: + that: + - output is changed - #- name: 'Disable logging encryption' - # cloudtrail: - # state: present - # name: '{{ cloudtrail_name }}' - # kms_key_id: '' - # register: output - #- assert: - # that: - # - output.trail.kms_key_id == None - # - output is changed + - name: 'Disable logging encryption' + cloudtrail: + state: present + name: '{{ cloudtrail_name }}' + kms_key_id: '' + register: output + - assert: + that: + - output.trail.kms_key_id == "" + - output is changed - #- name: 'Disable logging encryption (no change)' - # cloudtrail: - # state: present - # name: '{{ cloudtrail_name }}' - # kms_key_id: '' - # register: output - #- assert: - # that: - # - output.kms_key_id == None - # - output is not changed + - name: 'Disable logging encryption (no change)' + cloudtrail: + state: present + name: '{{ cloudtrail_name }}' + kms_key_id: '' + register: output + - assert: + that: + - output.kms_key_id == "" + - output is not changed # ============================================================ From 0090ffee1f1413f558ac5612f51136b85b3f3fae Mon Sep 17 00:00:00 2001 From: Alina Buzachis Date: Tue, 21 Feb 2023 18:17:21 +0100 Subject: [PATCH 2/3] Add changelog fragment 
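Review bot: The third re-enabled block asserts `output.kms_key_id == ""` while the block directly above it asserts `output.trail.kms_key_id == ""` on the same module's return value; one of the two paths is wrong, and if `kms_key_id` is only returned under `trail` the final assert fails on an undefined attribute instead of proving idempotence. Change the line to `- output.trail.kms_key_id == ""`. Note also that the retained comment at the top of the hunk says the check-mode run is always reported changed when the caller lacks KMS permissions or passes a non-ARN key, so the first block's `output is changed` can pass for the wrong reason in that environment; if that is the CI situation, say so on the assert with `# reported changed regardless of the real diff in check_mode -- see comment above`. These tasks are items of a list whose enclosing block begins outside the hunk.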
Signed-off-by: Alina Buzachis
---
 changelogs/fragments/1384-cloudtrail-disable_encryption.yml | 2 ++
 plugins/modules/cloudtrail.py                               | 6 +++---
 2 files changed, 5 insertions(+), 3 deletions(-)
 create mode 100644 changelogs/fragments/1384-cloudtrail-disable_encryption.yml

diff --git a/changelogs/fragments/1384-cloudtrail-disable_encryption.yml b/changelogs/fragments/1384-cloudtrail-disable_encryption.yml
new file mode 100644
index 00000000000..3e491aeb807
--- /dev/null
+++ b/changelogs/fragments/1384-cloudtrail-disable_encryption.yml
@@ -0,0 +1,2 @@
+bugfixes:
+- cloudtrail - Allow to disable encryption by ´´kms_key_id=´´ (https://github.com/ansible-collections/amazon.aws/pull/1384).
diff --git a/plugins/modules/cloudtrail.py b/plugins/modules/cloudtrail.py
index da9dbef31b4..0d794391bbd 100644
--- a/plugins/modules/cloudtrail.py
+++ b/plugins/modules/cloudtrail.py
@@ -486,8 +486,8 @@ def main():
     if module.params['enable_log_file_validation'] is not None:
         ct_params['EnableLogFileValidation'] = module.params['enable_log_file_validation']
 
-    if module.params['kms_key_id'] is not None:
-        ct_params['KmsKeyId'] = module.params['kms_key_id']
+    if module.params["kms_key_id"] is not None:
+        ct_params["KmsKeyId"] = module.params["kms_key_id"]
 
     client = module.client('cloudtrail')
     region = module.region
@@ -591,7 +591,7 @@ def main():
         results['exists'] = True
         if not module.check_mode:
             if tags:
-                ct_params['TagsList'] = ansible_dict_to_boto3_tag_list(tags)
+                ct_params["TagsList"] = ansible_dict_to_boto3_tag_list(tags)
             # If we aren't in check_mode then actually create it
             created_trail = create_trail(module, client, ct_params)
             # Get the trail status
From 7b89b7083b3f9c33a8bc604be2f561f7506078ae Mon Sep 17 00:00:00 2001
From: Mark Chappell
Date: Thu, 23 Feb 2023 08:58:02 +0100
Subject: [PATCH 3/3] minor tweak to changelog wording

---
 changelogs/fragments/1384-cloudtrail-disable_encryption.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
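Review bot: Converting only the two `kms_key_id` lines to double quotes in the @@ -486 hunk leaves the adjacent `module.params['enable_log_file_validation']` and `module.client('cloudtrail')` lines single-quoted, so main() now mixes both styles within a few lines and the quote change is noise layered on the functional fix from patch 1; either drop it from this PR or reformat the whole function in a separate commit. The `"TagsList"` change in the @@ -591 hunk has the same problem. Separately, the changelog fragment added in this patch wraps the option in acute accents (`´´kms_key_id=´´`) rather than the double backticks an RST changelog expects, so it will not render as a literal; patch 3 reworded the entry but kept the accents.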
diff --git a/changelogs/fragments/1384-cloudtrail-disable_encryption.yml b/changelogs/fragments/1384-cloudtrail-disable_encryption.yml
index 3e491aeb807..f493df8feda 100644
--- a/changelogs/fragments/1384-cloudtrail-disable_encryption.yml
+++ b/changelogs/fragments/1384-cloudtrail-disable_encryption.yml
@@ -1,2 +1,2 @@
 bugfixes:
-- cloudtrail - Allow to disable encryption by ´´kms_key_id=´´ (https://github.com/ansible-collections/amazon.aws/pull/1384).
+- cloudtrail - support to disabling encryption using ´´kms_key_id´´ (https://github.com/ansible-collections/amazon.aws/pull/1384).