secretsmanager_secret - Support adding JSON (#1333) (#1342)
[PR #1333/5097a76d backport][stable-4] secretsmanager_secret - Support adding JSON

This is a backport of PR #1333 as merged into main (5097a76).
SUMMARY
fixes: #656
Amazon supports passing JSON in as the secret as a mechanism for storing and retrieving more complex structures.
In theory it's possible to pass JSON in as a string to secretsmanager_secret. However, because Ansible often does funky things when templated strings are passed to a parameter (#656), it's non-trivial to pass JSON into secretsmanager_secret.
ISSUE TYPE

Feature Pull Request

COMPONENT NAME
secretsmanager_secret
ADDITIONAL INFORMATION
Backstory:
If Ansible sees {{ }} within a string it'll trigger the safe_eval handlers, automatically converting the JSON into a complex structure of lists/dicts, which is then converted to the Python string representation of the complex structures; the Python string representation is not valid JSON and breaks the AWS integration.

Reviewed-by: Mark Chappell <None>
patchback[bot] authored Jul 10, 2022
1 parent b02c322 commit e4c02c9
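The failure described in the commit message, as an added example that is not code from community.aws: Python's repr of a templated dict is not JSON, whereas the `json.dumps` conversion that the `json` argument type performs is. The sample secret, the simplified model of the argument type and the `repair_python_repr` helper are my own assumptions, not the collection's implementation.

```python
"""Added example, not part of community.aws: why a templated dict breaks
as a secret value, and what the `type: json` argument conversion does instead."""
import ast
import json

# Constructed sample of the structure a playbook author wants to store.
SAMPLE_SECRET = {"my_key": "s3cr3t", "enabled": True, "ttl": None}


def templated_repr(value):
    """What the reporter of #656 ended up with: Ansible's safe_eval turned the
    templated JSON into a dict, which was then stringified with Python's repr."""
    return str(value)


def is_valid_json(text):
    """True when Secrets Manager (or any JSON consumer) could parse the text."""
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


def as_json_secret(value):
    """Simplified model of Ansible's `json` argument type (assumption, not the
    real check_type_jsonarg): dicts and lists become a JSON string, strings
    pass through untouched."""
    if isinstance(value, (dict, list)):
        return json.dumps(value)
    if isinstance(value, str):
        return value.strip()
    raise TypeError("json_secret must be a JSON string, dict or list")


def repair_python_repr(text):
    """Hypothetical defensive helper: a value that already arrived as a Python
    repr string is parsed with ast.literal_eval (literals only, no code
    execution) and re-emitted as real JSON. Valid JSON is returned unchanged."""
    if is_valid_json(text):
        return text
    try:
        parsed = ast.literal_eval(text)
    except (ValueError, SyntaxError):
        raise ValueError("secret is neither JSON nor a Python literal")
    return json.dumps(parsed)


if __name__ == "__main__":
    broken = templated_repr(SAMPLE_SECRET)
    print(broken, "valid JSON:", is_valid_json(broken))  # valid JSON: False
    print(as_json_secret(SAMPLE_SECRET))  # {"my_key": "s3cr3t", "enabled": true, "ttl": null}
```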
Showing 3 changed files with 89 additions and 1 deletion.
2 changes: 2 additions & 0 deletions changelogs/fragments/656-secrets-json.yml
@@ -0,0 +1,2 @@
minor_changes:
- secretsmanager_secret - add support for storing JSON in secrets (https://github.com/ansible-collections/community.aws/issues/656).
12 changes: 11 additions & 1 deletion plugins/modules/aws_secret.py
@@ -52,8 +52,16 @@
secret:
description:
- Specifies string or binary data that you want to encrypt and store in the new version of the secret.
- Mutually exclusive with the I(json_secret) option.
default: ""
type: str
json_secret:
description:
- Specifies JSON-formatted data that you want to encrypt and store in the new version of the
secret.
- Mutually exclusive with the I(secret) option.
type: json
version_added: 4.1.0
resource_policy:
description:
- Specifies JSON-formatted resource policy to attach to the secret. Useful when granting cross-account access
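Review bot: the `json_secret` description does not tell the reader that a dict or list value is serialised to a JSON string by the `json` argument type, which is exactly what sidesteps the Python-repr problem from #656 described in the commit message, nor whether the option is meaningful with `secret_type: binary`. Suggest adding a line such as `- Dictionaries and lists are converted to a JSON string before being stored.` and stating that it is intended for `secret_type: string`, which is the only case the new integration tests cover.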
@@ -421,13 +429,15 @@ def main():
'kms_key_id': dict(),
'secret_type': dict(choices=['binary', 'string'], default="string"),
'secret': dict(default="", no_log=True),
'json_secret': dict(type='json', no_log=True),
'resource_policy': dict(type='json', default=None),
'tags': dict(type='dict', default=None, aliases=['resource_tags']),
'purge_tags': dict(type='bool', default=True),
'rotation_lambda': dict(),
'rotation_interval': dict(type='int', default=30),
'recovery_window': dict(type='int', default=30),
},
mutually_exclusive=[['secret', 'json_secret']],
supports_check_mode=True,
)

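Review bot: nothing in this argument spec prevents `json_secret` being combined with `secret_type: 'binary'`, and the tests added in this change only exercise `secret_type: 'string'`; consider rejecting that combination before the `Secret` object is built (a `module.fail_json` when `json_secret` is set and `secret_type` is `binary`), or document what happens in that case. The `mutually_exclusive` entry is correct as written since `secret`'s `""` default is not counted as a supplied value.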
@@ -438,7 +448,7 @@ def main():
secret = Secret(
module.params.get('name'),
module.params.get('secret_type'),
module.params.get('secret'),
module.params.get('secret') or module.params.get('json_secret'),
description=module.params.get('description'),
kms_key_id=module.params.get('kms_key_id'),
resource_policy=module.params.get('resource_policy'),
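Review bot: `module.params.get('secret') or module.params.get('json_secret')` changes what `Secret` receives when neither option is set: `secret` defaults to `""` and `json_secret` has no default, so the expression now evaluates to `None` where the old code passed `""`. Unless `Secret` treats `None` and `""` identically, prefer an explicit selection such as `json_secret if json_secret is not None else secret`, which keeps the previous behaviour and also honours a deliberately empty `secret`.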
76 changes: 76 additions & 0 deletions tests/integration/targets/aws_secret/tasks/basic.yml
@@ -19,6 +19,15 @@
# - object *NOT* updated
# - Tests idemoptency

- set_fact:
# As a lookup plugin we won't have access to module_defaults
connection_args:
region: "{{ aws_region }}"
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
aws_security_token: "{{ security_token | default(omit) }}"
no_log: True

- vars:
first_tags:
'Key with Spaces': Value with spaces
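Review bot: the `connection_args` fact added here is not referenced by any task in this change, and the comment says it exists for a lookup plugin, yet no lookup task is added; either drop it or use it to read the secret back after the JSON update tasks, which would give those tests a real assertion on the stored value.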
@@ -612,6 +621,73 @@
that:
- not result.changed

# ============================================================
# Update secret using JSON string
# ============================================================

- name: Update secret with JSON (CHECK_MODE)
aws_secret:
name: "{{ secret_name }}"
description: 'this is a change to this secret'
state: present
secret_type: 'string'
json_secret:
my_key: '{{ super_secret_string }}'
register: result
check_mode: True

- name: assert key would be changed
assert:
that:
- result.changed

- name: Update secret with JSON
aws_secret:
name: "{{ secret_name }}"
state: present
description: 'this is a change to this secret'
secret_type: 'string'
json_secret:
my_key: '{{ super_secret_string }}'
register: result

- name: assert key is changed
assert:
that:
- result.changed

- name: Update secret with JSON - idempotency (CHECK_MODE)
aws_secret:
name: "{{ secret_name }}"
description: 'this is a change to this secret'
state: present
secret_type: 'string'
json_secret:
my_key: '{{ super_secret_string }}'
register: result
check_mode: True

- name: assert key is not changed
assert:
that:
- result is not changed

- name: Update secret with JSON - idempotency
aws_secret:
name: "{{ secret_name }}"
description: 'this is a change to this secret'
state: present
secret_type: 'string'
json_secret:
my_key: '{{ super_secret_string }}'
register: result
check_mode: True

- name: assert key is not changed
assert:
that:
- result is not changed

# ============================================================
# Removal testing
# ============================================================
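Review bot: the final task, `Update secret with JSON - idempotency`, still sets `check_mode: True`, so it duplicates the preceding check-mode task and the real (non-check-mode) idempotency run is never exercised; drop `check_mode: True` from that task. The new tasks also assert only on `changed`: none reads the secret back to confirm the stored value is valid JSON, which is the failure mode in #656, so a regression to the Python repr would still pass. Minor: the assertions mix `result.changed` and `result is not changed`; the existing file's style is `not result.changed`.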
