Updating replica regions was not being tested

Add a test for changing a region
Fix a bug where the wrong region was being added to the remove list

plugins/modules/aws_secret.py

@@ -268,11 +268,9 @@ def remove_replication(self, name, regions):
             self.module.exit_json(changed=True)
         try:
             replica_regions = []
-            for replica in regions:
-                replica_regions.append(replica["region"])
             response = self.client.remove_regions_from_replication(
                 SecretId=name,
-                RemoveReplicaRegions=replica_regions)
+                RemoveReplicaRegions=regions)
         except (BotoCoreError, ClientError) as e:
             self.module.fail_json_aws(e, msg="Failed to replicate secret")
         return response
@@ -405,9 +403,9 @@ def compare_regions(desired_secret, current_secret):
                 if current_secret_region["Region"] == desired_secret_region["region"]:
                     regions_to_set_replication.remove(desired_secret_region)
                 else:
-                    regions_to_remove_replication.append(desired_secret_region)
+                    regions_to_remove_replication.append(current_secret_region["Region"])
         else:
-            regions_to_remove_replication.append({"region": current_secret_region["Region"]})
+            regions_to_remove_replication.append(current_secret_region["Region"])
 
     return regions_to_set_replication, regions_to_remove_replication
 

tests/integration/targets/aws_secret/tasks/replication.yml

@@ -76,3 +76,38 @@
         - result.replication_status[0]["region"] == 'us-east-2'
         - result.replication_status[1]["region"] == 'us-west-2'
         - result.replication_status[1]["kms_key_id"] == 'alias/aws/secretsmanager'
+
+  - name: change replica regions
+    aws_secret:
+      name: "{{ secret_name }}"
+      state: present
+      secret_type: 'string'
+      secret: "{{ super_secret_string }}"
+      replica:
+       - region: 'us-east-2'
+       - region: 'eu-central-1'
+         kms_key_id: 'alias/aws/secretsmanager'
+    register: result
+
+  - name: assert that replica regions changed
+    assert:
+      that:
+        - not result.failed
+        - result.replication_status[0]["region"] == 'us-east-2'
+        - result.replication_status[1]["region"] == 'eu-central-1'
+        - result.replication_status[1]["kms_key_id"] == 'alias/aws/secretsmanager'
+
+  always:
+  - name: remove region replica
+    aws_secret:
+      name: "{{ secret_name }}"
+      description: 'this is a change to remove replication'
+      state: present
+    register: result
+
+  - name: remove secret
+    aws_secret:
+      name: "{{ secret_name }}"
+      state: absent
+      recovery_window: 0
+    ignore_errors: yes