fix: don't create aws_kms keys when in check mode (#30)
* fix: don't create aws_kms keys when in check mode
ansible/ansible#68019

* fix: ftests for kms check mode

* style: avoid the big block

* lint: bad space

* fix: be sure to pass changed in result

* style: replace newlines

* fix: ftest ensure that check mode returned `changed`

* fix: bomb out early

Co-authored-by: Tyler Schwend <[email protected]>
Tyler Schwend and Tyler Schwend authored Jun 2, 2020
1 parent 1861e88 commit 3982590
Showing 2 changed files with 39 additions and 1 deletion.
6 changes: 5 additions & 1 deletion plugins/modules/aws_kms.py
Expand Up @@ -824,6 +824,10 @@ def create_key(connection, module):
Tags=ansible_dict_to_boto3_tag_list(module.params['tags'], tag_name_key_name='TagKey', tag_value_key_name='TagValue'),
KeyUsage='ENCRYPT_DECRYPT',
Origin='AWS_KMS')

if module.check_mode:
return {'changed': True}

if module.params.get('description'):
params['Description'] = module.params['description']
if module.params.get('policy'):
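Review bot: The check-mode return in `create_key` hands back only `{'changed': True}`, so a task that registers the result and then reads key fields (as the integration test does with `create_kms.tags['Hello']`) has nothing to read when run with check mode on. Either document that key details are absent in check mode or return the requested values taken from `params`. The guard also sits after `params` has been built although `params` is not used on this path; moving `if module.check_mode:` ahead of that construction would make the early exit easier to spot.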
Expand All @@ -833,8 +837,8 @@ def create_key(connection, module):
result = connection.create_key(**params)['KeyMetadata']
except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:
module.fail_json_aws(e, msg="Failed to create initial key")
key = get_key_details(connection, module, result['KeyId'])

key = get_key_details(connection, module, result['KeyId'])
update_alias(connection, module, key, module.params['alias'])
update_key_rotation(connection, module, key, module.params.get('enable_key_rotation'))
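Review bot: The only change around `key = get_key_details(connection, module, result['KeyId'])` is its position relative to a blank line, which is unrelated to the check-mode fix. Dropping this whitespace move, or putting it in a separate style commit, would keep the diff limited to the behavioural change in this function.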

34 changes: 34 additions & 0 deletions tests/integration/targets/aws_kms/tasks/main.yml
Expand Up @@ -32,6 +32,28 @@
filters:
alias: "{{ resource_prefix }}-kms"

- name: create a key in check mode
check_mode: yes
aws_kms:
alias: "{{ resource_prefix }}-kms-check"
tags:
Hello: World
state: present
enabled: yes
register: create_kms_check

- name: find facts about the check mode key
aws_kms_info:
filters:
alias: "{{ resource_prefix }}-kms-check"
register: check_key

- name: ensure that check mode worked as expected
assert:
that:
- check_key["keys"]|length == 0
- create_kms_check is changed

- name: create a key
aws_kms:
alias: "{{ resource_prefix }}-kms"
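Review bot: The assertion `check_key["keys"]|length == 0` looks the key up by alias only, so it proves that no alias `{{ resource_prefix }}-kms-check` was created, not that no key was created. A regression that calls `connection.create_key` but stops before `update_alias` would still pass this test and leave an unaliased key behind. Comparing the number of keys returned by an unfiltered `aws_kms_info` before and after the check-mode task would cover that case.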
Expand Down Expand Up @@ -65,6 +87,17 @@
- create_kms.tags['Hello'] == 'World'
- create_kms.enable_key_rotation == true

- name: delete the key in check mode
check_mode: yes
aws_kms:
alias: "{{ resource_prefix }}-kms"
state: absent
register: delete_kms_check

- assert:
that:
- delete_kms_check is changed

- name: find facts about the key
aws_kms_info:
filters:
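Review bot: The `- assert:` task after "delete the key in check mode" has no `name:`, unlike the other assert tasks in this file (for example "ensure that check mode worked as expected"), and it only checks `delete_kms_check is changed`. Give it a name, and consider keeping the proof that nothing was deleted next to it rather than relying on the later `key_state` assertion in a different task.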
Expand All @@ -76,6 +109,7 @@
that:
- new_key["keys"]|length == 1
- new_key["keys"][0]["enable_key_rotation"] == true
- new_key["keys"][0]["key_state"] != PendingDeletion

- name: Update Policy on key to match AWS Console generate policy
aws_kms:
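Review bot: In `new_key["keys"][0]["key_state"] != PendingDeletion` the right-hand side is unquoted, so the template treats `PendingDeletion` as a variable name rather than the state string, and the assertion does not test the key state as intended. Quote it: `new_key["keys"][0]["key_state"] != "PendingDeletion"`. Since this line is the only check that the check-mode delete left the key alone, it needs to compare against the literal.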