From 39825901337484701cd3e52b63cfa653c9df2818 Mon Sep 17 00:00:00 2001 From: Tyler Schwend Date: Tue, 2 Jun 2020 14:59:29 -0400 Subject: [PATCH] fix: don't create aws_kms keys when in check mode (#30) * fix: don't create aws_kms keys when in check mode https://github.com/ansible/ansible/issues/68019 * fix: ftests for kms check mode * style: avoid the big block * lint: bad space * fix: be sure to pass changed in result * style: replace newlines * fix: ftest ensure that check mode returned `changed` * fix: bomb out early Co-authored-by: Tyler Schwend --- plugins/modules/aws_kms.py | 6 +++- .../targets/aws_kms/tasks/main.yml | 34 +++++++++++++++++++ 2 files changed, 39 insertions(+), 1 deletion(-) diff --git a/plugins/modules/aws_kms.py b/plugins/modules/aws_kms.py index 577ec365d5c..6da965d4b99 100644 --- a/plugins/modules/aws_kms.py +++ b/plugins/modules/aws_kms.py @@ -824,6 +824,10 @@ def create_key(connection, module): Tags=ansible_dict_to_boto3_tag_list(module.params['tags'], tag_name_key_name='TagKey', tag_value_key_name='TagValue'), KeyUsage='ENCRYPT_DECRYPT', Origin='AWS_KMS') + + if module.check_mode: + return {'changed': True} + if module.params.get('description'): params['Description'] = module.params['description'] if module.params.get('policy'): @@ -833,8 +837,8 @@ def create_key(connection, module): result = connection.create_key(**params)['KeyMetadata'] except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e: module.fail_json_aws(e, msg="Failed to create initial key") - key = get_key_details(connection, module, result['KeyId']) + key = get_key_details(connection, module, result['KeyId']) update_alias(connection, module, key, module.params['alias']) update_key_rotation(connection, module, key, module.params.get('enable_key_rotation')) diff --git a/tests/integration/targets/aws_kms/tasks/main.yml b/tests/integration/targets/aws_kms/tasks/main.yml index d8408b95e9b..14ecde0a954 100644 
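Review bot: The check-mode return added to create_key yields only `{'changed': True}`, so a play that registers the result and then reads key fields from it (the normal path presumably returns the details fetched via `result['KeyId']`) will fail under `--check`, and nothing in the hunk documents that difference. I would add a comment above the guard, `# Check mode: report the pending creation without calling KMS; no key metadata is available to return.`, and mention the reduced return in the module's RETURN documentation. The guard sits before `connection.create_key`, `update_alias` and `update_key_rotation`, which is what keeps a dry run free of mutating calls on this path. Whether the update path for an already existing key is guarded the same way cannot be confirmed here, because create_key's body starts and ends outside the hunk and the other callers are not shown.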
--- a/tests/integration/targets/aws_kms/tasks/main.yml +++ b/tests/integration/targets/aws_kms/tasks/main.yml @@ -32,6 +32,28 @@ filters: alias: "{{ resource_prefix }}-kms" + - name: create a key in check mode + check_mode: yes + aws_kms: + alias: "{{ resource_prefix }}-kms-check" + tags: + Hello: World + state: present + enabled: yes + register: create_kms_check + + - name: find facts about the check mode key + aws_kms_info: + filters: + alias: "{{ resource_prefix }}-kms-check" + register: check_key + + - name: ensure that check mode worked as expected + assert: + that: + - check_key["keys"]|length == 0 + - create_kms_check is changed + - name: create a key aws_kms: alias: "{{ resource_prefix }}-kms" @@ -65,6 +87,17 @@ - create_kms.tags['Hello'] == 'World' - create_kms.enable_key_rotation == true + - name: delete the key in check mode + check_mode: yes + aws_kms: + alias: "{{ resource_prefix }}-kms" + state: absent + register: delete_kms_check + + - assert: + that: + - delete_kms_check is changed + - name: find facts about the key aws_kms_info: filters: @@ -76,6 +109,7 @@ that: - new_key["keys"]|length == 1 - new_key["keys"][0]["enable_key_rotation"] == true + - new_key["keys"][0]["key_state"] != PendingDeletion - name: Update Policy on key to match AWS Console generate policy aws_kms:
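Review bot: A key created by a check-mode regression would carry the `{{ resource_prefix }}-kms-check` alias, and nothing in the first hunk (`create a key in check mode`) removes it when the `check_key["keys"]|length == 0` assertion fails. KMS keys can only be scheduled for deletion, not removed at once, so a leaked key stays in the test account until someone notices it. The cleanup tasks are outside the hunk; if they only cover the `-kms` alias, I would add a matching `aws_kms` task with `state: absent` for the `-kms-check` alias there, so a failed run still tidies up.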
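Review bot: `PendingDeletion` in the added assertion `new_key["keys"][0]["key_state"] != PendingDeletion` (last hunk) is unquoted, so Jinja2 reads it as a variable name rather than as the key-state string. Depending on how the undefined name is handled, the condition either errors or compares against an undefined value. In neither case does it test that the check-mode delete left the key out of the pending-deletion state. Quote the literal: `- new_key["keys"][0]["key_state"] != "PendingDeletion"`. This is the only assertion showing that the check-mode delete did not actually schedule the key for deletion, since `delete_kms_check is changed` in the earlier hunk covers only the reported status, so it needs to be exact.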