kms_spec and kms_usage parameter for aws_kms module (#774)

kms_spec and kms_usage parameter for aws_kms module SUMMARY Add missing parameters kms_spec and kms_usage for aws_kms module, ISSUE TYPE Feature Pull Request COMPONENT NAME aws_kms Reviewed-by: Alina Buzachis <None> Reviewed-by: Mark Chappell <None> Reviewed-by: None <None>
ansible-collections · Oct 21, 2021 · a7164ae · a7164ae
1 parent 3bd5964
commit a7164ae
Show file tree

Hide file tree

Showing 3 changed files with 60 additions and 2 deletions.
diff --git a/changelogs/fragments/774-add-aws_kms_parameters.yml b/changelogs/fragments/774-add-aws_kms_parameters.yml
@@ -0,0 +1,2 @@
+minor_changes:
+- aws_kms - add support for ``kms_spec`` and ``kms_usage`` parameter (https://github.com/ansible-collections/community.aws/pull/774).
diff --git a/plugins/modules/aws_kms.py b/plugins/modules/aws_kms.py
@@ -173,6 +173,24 @@
       - policy to apply to the KMS key.
       - See U(https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html)
     type: json
+  key_spec:
+    aliases:
+      - customer_master_key_spec
+    description:
+      - Specifies the type of KMS key to create.
+      - The specification is not changeable once the key is created.
+    type: str
+    default: SYMMETRIC_DEFAULT
+    choices: ['SYMMETRIC_DEFAULT', 'RSA_2048', 'RSA_3072', 'RSA_4096', 'ECC_NIST_P256', 'ECC_NIST_P384', 'ECC_NIST_P521', 'ECC_SECG_P256K1']
+    version_added: 2.1.0
+  key_usage:
+    description:
+      - Determines the cryptographic operations for which you can use the KMS key.
+      - The usage is not changeable once the key is created.
+    type: str
+    default: ENCRYPT_DECRYPT
+    choices: ['ENCRYPT_DECRYPT', 'SIGN_VERIFY']
+    version_added: 2.1.0
 author:
   - Ted Timmons (@tedder)
   - Will Thames (@willthames)
@@ -852,9 +870,12 @@ def update_key(connection, module, key):
 
 
 def create_key(connection, module):
+    key_usage = module.params.get('key_usage')
+    key_spec = module.params.get('key_spec')
     params = dict(BypassPolicyLockoutSafetyCheck=False,
                   Tags=ansible_dict_to_boto3_tag_list(module.params['tags'], tag_name_key_name='TagKey', tag_value_key_name='TagValue'),
-                  KeyUsage='ENCRYPT_DECRYPT',
+                  KeyUsage=key_usage,
+                  CustomerMasterKeySpec=key_spec,
                   Origin='AWS_KMS')
 
     if module.check_mode:
@@ -1067,7 +1088,10 @@ def main():
         policy=dict(type='json'),
         purge_grants=dict(type='bool', default=False),
         state=dict(default='present', choices=['present', 'absent']),
-        enable_key_rotation=(dict(type='bool'))
+        enable_key_rotation=(dict(type='bool')),
+        key_spec=dict(type='str', default='SYMMETRIC_DEFAULT', aliases=['customer_master_key_spec'],
+                      choices=['SYMMETRIC_DEFAULT', 'RSA_2048', 'RSA_3072', 'RSA_4096', 'ECC_NIST_P256', 'ECC_NIST_P384', 'ECC_NIST_P521', 'ECC_SECG_P256K1']),
+        key_usage=dict(type='str', default='ENCRYPT_DECRYPT', choices=['ENCRYPT_DECRYPT', 'SIGN_VERIFY']),
     )
 
     module = AnsibleAWSModule(

diff --git a/tests/integration/targets/aws_kms/tasks/main.yml b/tests/integration/targets/aws_kms/tasks/main.yml
@@ -74,6 +74,8 @@
           - create_kms.key_state == "Enabled"
           - create_kms.tags['Hello'] == 'World'
           - create_kms.enable_key_rotation == false
+          - create_kms.key_usage == 'ENCRYPT_DECRYPT'
+          - create_kms.customer_master_key_spec == 'SYMMETRIC_DEFAULT'
 
     - name: Save IDs for later
       set_fact:
@@ -492,6 +494,28 @@
           - (( deletion_time | to_datetime ) - ( now_time | to_datetime )).days <= 7
           - (( deletion_time | to_datetime ) - ( now_time | to_datetime )).days >= 6
 
+    # ============================================================
+    # test different key usage and specs
+    - name: create kms key with different specs
+      aws_kms:
+        alias: '{{ kms_role_name }}-diff-spec-usage'
+        purge_grants: yes
+        key_spec: ECC_NIST_P256
+        key_usage: SIGN_VERIFY
+      register: create_diff_kms
+
+    - name: verify different specs on kms key
+      assert:
+        that:
+          - '"key_id" in create_diff_kms'
+          - create_diff_kms.key_id | length >= 36
+          - not create_diff_kms.key_id.startswith("arn:aws")
+          - '"key_arn" in create_diff_kms'
+          - create_diff_kms.key_arn.endswith(create_diff_kms.key_id)
+          - create_diff_kms.key_arn.startswith("arn:aws")
+          - create_diff_kms.key_usage == 'SIGN_VERIFY'
+          - create_diff_kms.customer_master_key_spec == 'ECC_NIST_P256'
+
   always:
     # ============================================================
     #   CLEAN-UP
@@ -503,6 +527,14 @@
       register: destroy_result
       ignore_errors: True
 
+    - name: delete kms key with different specs
+      aws_kms:
+        state: absent
+        alias: '{{ kms_role_name }}-diff-spec-usage'
+        pending_window: 7
+      register: destroy_result
+      ignore_errors: True
+
     # Should never exist, but just in case
     - name: finish off by deleting key
       aws_kms:
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		minor_changes:
		- aws_kms - add support for ``kms_spec`` and ``kms_usage`` parameter (https://github.com/ansible-collections/community.aws/pull/774).