From 2a06103ff8de2030a9e4088b5d67d1fbd4e7e5d5 Mon Sep 17 00:00:00 2001
From: Brad Solomon <81818815+brsolomon-deloitte@users.noreply.github.com>
Date: Wed, 21 Dec 2022 14:29:22 -0500
Subject: [PATCH 1/3] secretsmanager_secret: add 'overwrite' parameter

Adds an 'overwrite' parameter

- If set to True, an existing secret with the same name will be overwritten.
- If set to False, a secret with the given name will only be created if none exists.

Closes #1626

Signed-off-by: Brad Solomon <81818815+brsolomon-deloitte@users.noreply.github.com>
---
 plugins/modules/secretsmanager_secret.py | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/plugins/modules/secretsmanager_secret.py b/plugins/modules/secretsmanager_secret.py
index 337b28669bc..d05f71521ac 100644
--- a/plugins/modules/secretsmanager_secret.py
+++ b/plugins/modules/secretsmanager_secret.py
@@ -29,6 +29,13 @@
 default: 'present'
 choices: ['present', 'absent']
 type: str
+ overwrite:
+ description:
+ - Whether to overwrite an existing secret with the same name.
+ - If set to True, an existing secret with the same I(name) will be overwritten.
+ - If set to False, a secret with the given I(name) will only be created if none exists.
+ type: bool
+ default: True
 recovery_window:
 description:
 - Only used if state is absent.
@@ -130,6 +137,14 @@
 state: absent
 secret_type: 'string'
 secret: "{{ super_secret_string }}"
+
+- name: Only create a new secret, but do not update if alredy exists by name
+ community.aws.secretsmanager_secret:
+ name: 'random_string'
+ state: present
+ secret_type: 'string'
+ secret: "{{ lookup('community.general.random_string', length=16, special=false) }}"
+ overwrite: false
 '''

 RETURN = r'''
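Review bot: The task name in the new EXAMPLES entry misspells "already": `- name: Only create a new secret, but do not update if alredy exists by name`. Suggest `- name: Only create a new secret, but do not update if it already exists by name`. This is the line users copy into their playbooks, so it is worth fixing before the docs are generated from it.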
@@ -524,6 +539,7 @@ def main():
 argument_spec={
 'name': dict(required=True),
 'state': dict(choices=['present', 'absent'], default='present'),
+ 'overwrite': dict(type='bool', default=True),
 'description': dict(default=""),
 'replica': dict(type='list', elements='dict', options=replica_args),
 'kms_key_id': dict(),
@@ -580,12 +596,15 @@ def main():
 result = secrets_mgr.put_resource_policy(secret)
 changed = True
 else:
+ # current_secret exists; decide what to do with it
 if current_secret.get("DeletedDate"):
 secrets_mgr.restore_secret(secret.name)
 changed = True
 if not secrets_mgr.secrets_match(secret, current_secret):
- result = secrets_mgr.update_secret(secret)
- changed = True
+ overwrite = module.params.get('overwrite')
+ if overwrite:
+ result = secrets_mgr.update_secret(secret)
+ changed = True
 if not rotation_match(secret, current_secret):
 result = secrets_mgr.update_rotation(secret)
 changed = True
From 569d371a6cd67aee9f20cb189914724cc45129e0 Mon Sep 17 00:00:00 2001
From: Mark Chappell
Date: Wed, 8 Feb 2023 12:31:16 +0100
Subject: [PATCH 2/3] docs nitpick and changelog

---
 .../fragments/1628-secretsmanager_secret-overwrite.yml | 2 ++
 plugins/modules/secretsmanager_secret.py | 5 +++--
 2 files changed, 5 insertions(+), 2 deletions(-)
 create mode 100644 changelogs/fragments/1628-secretsmanager_secret-overwrite.yml

diff --git a/changelogs/fragments/1628-secretsmanager_secret-overwrite.yml b/changelogs/fragments/1628-secretsmanager_secret-overwrite.yml
new file mode 100644
index 00000000000..1062a27ff6d
--- /dev/null
+++ b/changelogs/fragments/1628-secretsmanager_secret-overwrite.yml
@@ -0,0 +1,2 @@
+minor_changes:
+- secretsmanager_secret - added the ``overwrite`` parameter to support only setting the secret if it doesn't exist (https://github.com/ansible-collections/community.aws/pull/1628).
diff --git a/plugins/modules/secretsmanager_secret.py b/plugins/modules/secretsmanager_secret.py
index d05f71521ac..870ed89059e 100644
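Review bot: In the `else:` branch of the `@@ -580` hunk, `overwrite` gates only `update_secret`, while the other writes in the same branch still run when `overwrite=False`: a secret carrying a `DeletedDate` is restored and a rotation mismatch still calls `update_rotation`, each setting `changed = True`. That contradicts the option text added in the `@@ -29` hunk (and reworded in the second patch's `@@ -32` hunk), which promises the secret "will only be created if none exists"; either read `overwrite = module.params.get('overwrite')` once at the top of the branch and guard with `if overwrite and current_secret.get("DeletedDate"):` and `if overwrite and not rotation_match(secret, current_secret):`, or narrow the documentation to say that `overwrite` only protects the stored value and that rotation, restoration and other settings are still reconciled. Either way, when the stored value differs and is deliberately left alone the caller currently learns nothing; a `module.warn(...)` or a dedicated return key would make that divergence visible instead of a bare `changed: false`. The enclosing `main()` starts and ends outside this hunk, so any tag or policy reconciliation there has the same question.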
--- a/plugins/modules/secretsmanager_secret.py
+++ b/plugins/modules/secretsmanager_secret.py
@@ -32,10 +32,11 @@
 overwrite:
 description:
 - Whether to overwrite an existing secret with the same name.
- - If set to True, an existing secret with the same I(name) will be overwritten.
- - If set to False, a secret with the given I(name) will only be created if none exists.
+ - If set to C(True), an existing secret with the same I(name) will be overwritten.
+ - If set to C(False), a secret with the given I(name) will only be created if none exists.
 type: bool
 default: True
+ version_added: 5.3.0
 recovery_window:
 description:
 - Only used if state is absent.
From ca18c50fc5c902d821384d73cede272b411660b7 Mon Sep 17 00:00:00 2001
From: Mark Chappell
Date: Wed, 8 Feb 2023 12:46:46 +0100
Subject: [PATCH 3/3] Integration test

---
 .../secretsmanager_secret/tasks/basic.yml | 69 +++++++++++++++++++
 1 file changed, 69 insertions(+)

diff --git a/tests/integration/targets/secretsmanager_secret/tasks/basic.yml b/tests/integration/targets/secretsmanager_secret/tasks/basic.yml
index 82b420515ae..5d1fb071e04 100644
--- a/tests/integration/targets/secretsmanager_secret/tasks/basic.yml
+++ b/tests/integration/targets/secretsmanager_secret/tasks/basic.yml
@@ -688,6 +688,68 @@
 that:
 - result is not changed
 
+ # ============================================================
+ # Overwrite testing
+ # ============================================================
+
+ - name: Create secret with overwrite = False (Check mode)
+ aws_secret:
+ name: "{{ secret_name }}-2"
+ state: present
+ secret_type: 'string'
+ secret: "{{ super_secret_string }}"
+ overwrite: False
+ register: result
+ check_mode: True
+
+ - name: assert key is changed
+ assert:
+ that:
+ - result is changed
+
+ - name: Create secret with overwrite = False
+ aws_secret:
+ name: "{{ secret_name }}-2"
+ state: present
+ secret_type: 'string'
+ secret: "{{ super_secret_string }}"
+ overwrite: False
+ register: result
+
+ - name: assert key is changed
+ assert:
+ that:
+ - result is changed
+
+ - name: Update secret with overwrite = False (Check mode)
+ aws_secret:
+ name: "{{ secret_name }}-2"
+ state: present
+ secret_type: 'string'
+ secret: "{{ super_secret_string }}-2"
+ overwrite: False
+ register: result
+ check_mode: True
+
+ - name: assert key is not changed
+ assert:
+ that:
+ - result is not changed
+
+ - name: Create secret with overwrite = False
+ aws_secret:
+ name: "{{ secret_name }}-2"
+ state: present
+ secret_type: 'string'
+ secret: "{{ super_secret_string }}-2"
+ overwrite: False
+ register: result
+
+ - name: assert key is not changed
+ assert:
+ that:
+ - result is not changed
+
 # ============================================================
 # Removal testing
 # ============================================================
@@ -749,3 +811,10 @@
 state: absent
 recovery_window: 0
 ignore_errors: yes
+
+ - name: remove secret 2
+ aws_secret:
+ name: "{{ secret_name }}-2"
+ state: absent
+ recovery_window: 0
+ ignore_errors: yes
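Review bot: The fourth task in the `@@ -688` hunk is named `- name: Create secret with overwrite = False` but sends `secret: "{{ super_secret_string }}-2"` against an existing secret, i.e. it is the non-check-mode counterpart of the "Update secret with overwrite = False (Check mode)" task above it; rename it `- name: Update secret with overwrite = False` so a failure report points at the right case. The four assertions only look at `changed`; nothing reads the secret back afterwards, so a regression that wrote the new value while still reporting `changed: false` would pass this test — asserting on the module's returned value or version, or reading the secret back, would pin the actual guarantee. The scenarios the option leaves ambiguous (a secret pending deletion, or a rotation change, with `overwrite: False`) are not exercised here either.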