diff --git a/changelogs/fragments/774-add-aws_kms_parameters.yml b/changelogs/fragments/774-add-aws_kms_parameters.yml
new file mode 100644
index 00000000000..ae58afa509c
--- /dev/null
+++ b/changelogs/fragments/774-add-aws_kms_parameters.yml
@@ -0,0 +1,2 @@
+minor_changes:
+- aws_kms - add support for ``kms_spec`` and ``kms_usage`` parameter (https://github.com/ansible-collections/community.aws/pull/774).
diff --git a/plugins/modules/aws_kms.py b/plugins/modules/aws_kms.py
index 13bbd7f4619..41a5ee63c69 100644
--- a/plugins/modules/aws_kms.py
+++ b/plugins/modules/aws_kms.py
@@ -173,6 +173,24 @@
 - policy to apply to the KMS key.
 - See U(https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html)
 type: json
+ key_spec:
+ aliases:
+ - customer_master_key_spec
+ description:
+ - Specifies the type of KMS key to create.
+ - The specification is not changeable once the key is created.
+ type: str
+ default: SYMMETRIC_DEFAULT
+ choices: ['SYMMETRIC_DEFAULT', 'RSA_2048', 'RSA_3072', 'RSA_4096', 'ECC_NIST_P256', 'ECC_NIST_P384', 'ECC_NIST_P521', 'ECC_SECG_P256K1']
+ version_added: 2.1.0
+ key_usage:
+ description:
+ - Determines the cryptographic operations for which you can use the KMS key.
+ - The usage is not changeable once the key is created.
+ type: str
+ default: ENCRYPT_DECRYPT
+ choices: ['ENCRYPT_DECRYPT', 'SIGN_VERIFY']
+ version_added: 2.1.0
 author:
 - Ted Timmons (@tedder)
 - Will Thames (@willthames)
@@ -852,9 +870,12 @@ def update_key(connection, module, key):
 def create_key(connection, module):
+ key_usage = module.params.get('key_usage')
+ key_spec = module.params.get('key_spec')
 params = dict(BypassPolicyLockoutSafetyCheck=False,
 Tags=ansible_dict_to_boto3_tag_list(module.params['tags'], tag_name_key_name='TagKey', tag_value_key_name='TagValue'),
- KeyUsage='ENCRYPT_DECRYPT',
+ KeyUsage=key_usage,
+ CustomerMasterKeySpec=key_spec,
 Origin='AWS_KMS')
 if module.check_mode:
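Review bot: The descriptions of `key_spec` and `key_usage` state that the values cannot be changed once the key exists, but they do not say what the module does when a key with the requested alias already exists with a different spec or usage; the existing-key path (`update_key`, outside this hunk) is not touched by the commit, so the requested values are presumably ignored without any message. I would add to both descriptions a line such as `- Ignored if the key already exists; the module does not recreate keys.` (or, if the module is made to fail on a mismatch, document that instead). The descriptions should also mention that KMS accepts only certain pairs — `SYMMETRIC_DEFAULT` requires `ENCRYPT_DECRYPT` and the `ECC_*` specs require `SIGN_VERIFY` — since the `choices` lists alone suggest any combination is valid. Separately, the changelog fragment in this commit names the options ``kms_spec`` and ``kms_usage``, which does not match the `key_spec`/`key_usage` declared here.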
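Review bot: `key_spec` and `key_usage` are handed to CreateKey without checking that the pair is one KMS accepts; with the new defaults, a playbook that sets only `key_usage: SIGN_VERIFY` sends `SYMMETRIC_DEFAULT` together with `SIGN_VERIFY`, which the service rejects at call time with a generic validation error rather than a message naming the offending option. A guard before `params` is built makes the failure explicit, e.g. `if key_spec == 'SYMMETRIC_DEFAULT' and key_usage != 'ENCRYPT_DECRYPT':` followed by `module.fail_json(msg="key_usage must be ENCRYPT_DECRYPT when key_spec is SYMMETRIC_DEFAULT")`; a matching guard for the `ECC_*` specs, which only support `SIGN_VERIFY`, would cover the other invalid pairs. Also note that `create_key` is presumably reached only when no key exists, so the new parameters never influence an existing key, and nothing in this commit reports a mismatch. The remainder of `create_key` and its caller are outside this hunk.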
@@ -1067,7 +1088,10 @@ def main():
 policy=dict(type='json'),
 purge_grants=dict(type='bool', default=False),
 state=dict(default='present', choices=['present', 'absent']),
- enable_key_rotation=(dict(type='bool'))
+ enable_key_rotation=(dict(type='bool')),
+ key_spec=dict(type='str', default='SYMMETRIC_DEFAULT', aliases=['customer_master_key_spec'],
+ choices=['SYMMETRIC_DEFAULT', 'RSA_2048', 'RSA_3072', 'RSA_4096', 'ECC_NIST_P256', 'ECC_NIST_P384', 'ECC_NIST_P521', 'ECC_SECG_P256K1']),
+ key_usage=dict(type='str', default='ENCRYPT_DECRYPT', choices=['ENCRYPT_DECRYPT', 'SIGN_VERIFY']),
 )
 module = AnsibleAWSModule(
diff --git a/tests/integration/targets/aws_kms/tasks/main.yml b/tests/integration/targets/aws_kms/tasks/main.yml
index 2f98979eb91..214f0ddc955 100644
--- a/tests/integration/targets/aws_kms/tasks/main.yml
+++ b/tests/integration/targets/aws_kms/tasks/main.yml
@@ -74,6 +74,8 @@
 - create_kms.key_state == "Enabled"
 - create_kms.tags['Hello'] == 'World'
 - create_kms.enable_key_rotation == false
+ - create_kms.key_usage == 'ENCRYPT_DECRYPT'
+ - create_kms.customer_master_key_spec == 'SYMMETRIC_DEFAULT'
 - name: Save IDs for later
 set_fact:
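Review bot: The argument_spec cannot express that `key_usage` depends on `key_spec`, and nothing visible after `AnsibleAWSModule(` (the constructor call continues outside the hunk) validates the pair, so a combination such as `key_spec: ECC_NIST_P256` with the default `key_usage` is caught only when the API call fails. Defaulting `key_spec` to `SYMMETRIC_DEFAULT` and `key_usage` to `ENCRYPT_DECRYPT` keeps existing playbooks creating the same symmetric keys as before, which is the right backward-compatible choice. As a point of style, the redundant parentheses in `enable_key_rotation=(dict(type='bool')),` are carried over from the old line and could become `enable_key_rotation=dict(type='bool'),`, and the long `choices` list for `key_spec` would read better as a module-level constant referenced here.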
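Review bot: The new assertions read `create_kms.key_usage` and `create_kms.customer_master_key_spec` from the module result, yet no hunk in this commit adds those keys to the returned dict or to the module's RETURN block, so they presumably arrive through the existing describe-key passthrough. If that is the case, the RETURN documentation should list `key_usage` and `customer_master_key_spec` with `version_added: 2.1.0` so that callers know the keys are supported rather than incidental. The task that registers `create_kms` is outside this hunk.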
@@ -492,6 +494,28 @@
 - (( deletion_time | to_datetime ) - ( now_time | to_datetime )).days <= 7
 - (( deletion_time | to_datetime ) - ( now_time | to_datetime )).days >= 6
+ # ============================================================
+ # test different key usage and specs
+ - name: create kms key with different specs
+ aws_kms:
+ alias: '{{ kms_role_name }}-diff-spec-usage'
+ purge_grants: yes
+ key_spec: ECC_NIST_P256
+ key_usage: SIGN_VERIFY
+ register: create_diff_kms
+
+ - name: verify different specs on kms key
+ assert:
+ that:
+ - '"key_id" in create_diff_kms'
+ - create_diff_kms.key_id | length >= 36
+ - not create_diff_kms.key_id.startswith("arn:aws")
+ - '"key_arn" in create_diff_kms'
+ - create_diff_kms.key_arn.endswith(create_diff_kms.key_id)
+ - create_diff_kms.key_arn.startswith("arn:aws")
+ - create_diff_kms.key_usage == 'SIGN_VERIFY'
+ - create_diff_kms.customer_master_key_spec == 'ECC_NIST_P256'
+
 always:
 # ============================================================
 # CLEAN-UP
@@ -503,6 +527,14 @@
 register: destroy_result
 ignore_errors: True
+ - name: delete kms key with different specs
+ aws_kms:
+ state: absent
+ alias: '{{ kms_role_name }}-diff-spec-usage'
+ pending_window: 7
+ register: destroy_result
+ ignore_errors: True
+
 # Should never exist, but just in case
 - name: finish off by deleting key
 aws_kms:
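Review bot: The `create kms key with different specs` task runs only once, so the idempotent path is not covered: a second run with the same alias should report `changed == false` and must not attempt to alter the spec or usage, and that is exactly the behaviour the new parameters make interesting. I would repeat the task with `register: create_diff_kms_again` and assert `- not create_diff_kms_again.changed` together with the same `key_usage` and `customer_master_key_spec` values, and add `- create_diff_kms.key_state == "Enabled"` to the first assert as the symmetric-key test already does. A further run against the same alias with a different `key_spec` would pin whether the module fails or silently keeps the existing key. The `always` block continues outside this hunk.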
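Review bot: The new cleanup task registers its result as `destroy_result`, the same name the preceding delete task uses, so any later check of `destroy_result` in the `always` block would see this task's outcome instead of the original one; a distinct name such as `register: destroy_diff_result` avoids the shadowing. With `ignore_errors: True` the task stays harmless when the key was never created, which is appropriate for cleanup. The rest of the `always` block is outside this hunk.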