aws_secret - fix deletion idempotency when not using instant deletion
tremble committed Aug 11, 2021
1 parent 90dea24 commit 371222f
Showing 6 changed files with 359 additions and 247 deletions.
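--- a/changelogs/fragments/681-aws_secret-deletion-idempotency.yml
+++ b/changelogs/fragments/681-aws_secret-deletion-idempotency.yml
@@ -0,0 +1,2 @@
+bugfixes:
+- aws_secret - fix deletion idempotency when not using instant deletion (https://github.com/ansible-collections/community.aws/pull/681).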
3 changes: 3 additions & 0 deletions plugins/modules/aws_secret.py
Expand Up @@ -367,6 +367,8 @@ def main():
elif current_secret.get("DeletedDate") and recovery_window == 0:
result = camel_dict_to_snake_dict(secrets_mgr.delete_secret(secret.name, recovery_window=recovery_window))
changed = True
else:
result = "secret already scheduled for deletion"
else:
result = "secret does not exist"
if state == 'present':
Expand All @@ -393,6 +395,7 @@ def main():
changed = True
result = camel_dict_to_snake_dict(secrets_mgr.get_secret(secret.name))
result.pop("response_metadata")

module.exit_json(changed=changed, secret=result)


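Review bot: The new `else:` branch reports the secret as already scheduled for deletion based only on `DeletedDate` being set, so a later call with a different non-zero `recovery_window` exits unchanged without re-scheduling. That is probably the only workable behaviour, since the integration test added in this commit notes that AWS does not expose when a pending deletion will happen, but it should be stated in a comment so nobody reads the branch as having compared the windows: `# DeletedDate set: deletion already scheduled; the pending window is not exposed by the API, so a differing recovery_window cannot be reconciled here`. On this path `secret` in `exit_json` is a plain string while the sibling delete branch returns a dict, matching the existing "secret does not exist" branch; callers keying on `secret.arn` have to handle both shapes. `main()` begins and ends outside the hunk.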
5 changes: 0 additions & 5 deletions tests/integration/targets/aws_secret/aliases
@@ -1,6 +1 @@
# reason: missing-policy
# reason: broken
# The tests for configuring secret rotation seem to be missing a permission
disabled

cloud/aws
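--- a/tests/integration/targets/aws_secret/tasks/basic.yml
+++ b/tests/integration/targets/aws_secret/tasks/basic.yml
@@ -0,0 +1,160 @@
+---
+- block:
+# ============================================================
+# Module parameter testing
+# ============================================================
+- name: test with no parameters
+aws_secret:
+register: result
+ignore_errors: true
+check_mode: true
+
+- name: assert failure when called with no parameters
+assert:
+that:
+- result.failed
+- 'result.msg.startswith("missing required arguments:")'
+
+# ============================================================
+# Creation/Deletion testing
+# ============================================================
+- name: add secret to AWS Secrets Manager
+aws_secret:
+name: "{{ secret_name }}"
+state: present
+secret_type: 'string'
+secret: "{{ super_secret_string }}"
+register: result
+
+- name: assert correct keys are returned
+assert:
+that:
+- result.changed
+- result.arn is not none
+- result.name is not none
+- result.tags is not none
+- result.version_ids_to_stages is not none
+
+- name: no changes to secret
+aws_secret:
+name: "{{ secret_name }}"
+state: present
+secret_type: 'string'
+secret: "{{ super_secret_string }}"
+register: result
+
+- name: assert correct keys are returned
+assert:
+that:
+- not result.changed
+- result.arn is not none
+
+- name: make change to secret
+aws_secret:
+name: "{{ secret_name }}"
+description: 'this is a change to this secret'
+state: present
+secret_type: 'string'
+secret: "{{ super_secret_string }}"
+register: result
+
+- debug:
+var: result
+
+- name: assert correct keys are returned
+assert:
+that:
+- result.changed
+- result.arn is not none
+- result.name is not none
+- result.tags is not none
+- result.version_ids_to_stages is not none
+
+- name: add tags to secret
+aws_secret:
+name: "{{ secret_name }}"
+description: 'this is a change to this secret'
+state: present
+secret_type: 'string'
+secret: "{{ super_secret_string }}"
+tags:
+Foo: 'Bar'
+Test: 'Tag'
+register: result
+
+- name: assert correct keys are returned
+assert:
+that:
+- result.changed
+
+- name: remove tags from secret
+aws_secret:
+name: "{{ secret_name }}"
+description: 'this is a change to this secret'
+state: present
+secret_type: 'string'
+secret: "{{ super_secret_string }}"
+register: result
+
+- name: assert correct keys are returned
+assert:
+that:
+- result.changed
+
+- name: remove secret
+aws_secret:
+name: "{{ secret_name }}"
+state: absent
+recovery_window: 7
+register: result
+
+- name: assert key is deleted
+assert:
+that:
+- result.changed
+
+- name: remove secret (idempotency)
+aws_secret:
+name: "{{ secret_name }}"
+state: absent
+recovery_window: 7
+register: result
+
+- name: assert no change happened
+assert:
+that:
+- not result.changed
+
+- name: immediate secret removal
+aws_secret:
+name: "{{ secret_name }}"
+state: absent
+recovery_window: 0
+register: result
+
+- name: assert key is deleted
+assert:
+that:
+- result.changed
+
+# AWS Doesn't expose when the secret will be removed, all we can do is
+# check that we didn't throw an error
+- name: immediate secret removal
+aws_secret:
+name: "{{ secret_name }}"
+state: absent
+recovery_window: 0
+register: result
+
+- name: assert no change happened
+assert:
+that:
+- not result.failed
+
+always:
+- name: remove secret
+aws_secret:
+name: "{{ secret_name }}"
+state: absent
+recovery_window: 0
+ignore_errors: yes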
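Review bot: The `- debug: var: result` after the 'make change to secret' task dumps the whole module return into the job log; the asserts show that return carries arn, name, tags and version_ids_to_stages, and whether it also carries the secret value cannot be told from this diff, so either drop the debug (the following assert already checks the keys) or guard it with `no_log: true`. The final cleanup task uses `ignore_errors: yes`; write booleans as `true`/`false` (`ignore_errors: true`, as the first task already does) to avoid YAML 1.1/1.2 differences and yamllint's truthy warning. Five assert tasks share the name 'assert correct keys are returned', so a failure in the play output does not say which step broke; giving each a distinct name such as 'assert keys after tag removal' makes the failing step obvious.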
