Make example AWS UUIDS follow a specific pattern (ansible-collections…

…#1070) Make example AWS UUIDS follow a specific pattern SUMMARY Various AWS IAM resources have UUID which follow a specific pattern. Similarly AWS accounts are all 12 digit numbers (text aliases in a couple of cases). To minimize the risk of accidental data leaks use a consistent Account ID in examples (123456789012), and a specific format for the UUIDS: (AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)12345EXAMPLE54321 While this does nothing about historic data, having consistency makes it easier to prevent future leaks. Note: We should follow this up with an update to the developer docs, however I'd like to get this in prior to 5.0.0 ISSUE TYPE Docs Pull Request COMPONENT NAME plugins/modules/autoscaling_group_info.py plugins/modules/cloudformation.py plugins/modules/ec2_ami.py plugins/modules/ec2_ami_info.py plugins/modules/ec2_eni_info.py plugins/modules/ec2_instance.py plugins/modules/ec2_instance_info.py plugins/modules/ec2_metadata_facts.py plugins/modules/ec2_security_group.py plugins/modules/ec2_security_group_info.py plugins/modules/ec2_snapshot_info.py plugins/modules/elb_application_lb.py plugins/modules/elb_application_lb_info.py plugins/modules/iam_user_info.py plugins/modules/kms_key.py plugins/modules/kms_key_info.py plugins/modules/lambda.py plugins/modules/rds_instance_info.py plugins/modules/rds_option_group.py plugins/modules/rds_option_group_info.py plugins/modules/rds_snapshot_info.py plugins/modules/rds_subnet_group.py ADDITIONAL INFORMATION While the 'secret' nature of these UUIDs is debatable (they're closer to user names than passwords), deliberately mangling them makes it easier for InfoSec teams to spot when their secret counterparts may have been leaked in combination with a real 'public' part. Reviewed-by: Alina Buzachis <None>
abikouo · Sep 29, 2022 · 156f977 · 156f977
1 parent e0aeafd
commit 156f977
Show file tree

Hide file tree

Showing 44 changed files with 116 additions and 91 deletions.
diff --git a/changelogs/fragments/1070-gitleaks-1.yml b/changelogs/fragments/1070-gitleaks-1.yml
@@ -0,0 +1,2 @@
+trivial:
+- various modules - Update example Account IDs and IAM UUIDs for consistency (https://github.com/ansible-collections/amazon.aws/pull/1070).
diff --git a/plugins/modules/autoscaling_group_info.py b/plugins/modules/autoscaling_group_info.py
@@ -81,7 +81,7 @@
     description: The Amazon Resource Name of the ASG
     returned: success
     type: str
-    sample: "arn:aws:autoscaling:us-west-2:1234567890:autoScalingGroup:10787c52-0bcb-427d-82ba-c8e4b008ed2e:autoScalingGroupName/public-webapp-production-1"
+    sample: "arn:aws:autoscaling:us-west-2:123456789012:autoScalingGroup:10787c52-0bcb-427d-82ba-c8e4b008ed2e:autoScalingGroupName/public-webapp-production-1"
 auto_scaling_group_name:
     description: Name of autoscaling group
     returned: success
@@ -279,7 +279,7 @@ def find_asgs(conn, module, name=None, tags=None):
         [
             {
                 "auto_scaling_group_arn": (
-                    "arn:aws:autoscaling:us-west-2:275977225706:autoScalingGroup:58abc686-9783-4528-b338-3ad6f1cbbbaf:"
+                    "arn:aws:autoscaling:us-west-2:123456789012:autoScalingGroup:58abc686-9783-4528-b338-3ad6f1cbbbaf:"
                     "autoScalingGroupName/public-webapp-production"
                 ),
                 "auto_scaling_group_name": "public-webapp-production",

diff --git a/plugins/modules/cloudformation.py b/plugins/modules/cloudformation.py
@@ -244,7 +244,7 @@
     template_parameters:
       DBSnapshotIdentifier:
         use_previous_value: True
-        value: arn:aws:rds:es-east-1:000000000000:snapshot:rds:my-db-snapshot
+        value: arn:aws:rds:es-east-1:123456789012:snapshot:rds:my-db-snapshot
       DBName:
         use_previous_value: True
     tags:
@@ -296,7 +296,7 @@
   description: The ID of the stack change set if one was created
   returned:  I(state=present) and I(create_changeset=true)
   type: str
-  sample: "arn:aws:cloudformation:us-east-1:012345678901:changeSet/Ansible-StackName-f4496805bd1b2be824d1e315c6884247ede41eb0"
+  sample: "arn:aws:cloudformation:us-east-1:123456789012:changeSet/Ansible-StackName-f4496805bd1b2be824d1e315c6884247ede41eb0"
 stack_resources:
   description: AWS stack resources and their status. List of dictionaries, one dict per resource.
   returned: state == present

diff --git a/plugins/modules/ec2_ami.py b/plugins/modules/ec2_ami.py
@@ -295,7 +295,7 @@
     description: Location of image.
     returned: when AMI is created or already exists
     type: str
-    sample: "315210894379/nat-server"
+    sample: "123456789012/nat-server"
 name:
     description: AMI name of image.
     returned: when AMI is created or already exists
@@ -305,7 +305,7 @@
     description: Owner of image.
     returned: when AMI is created or already exists
     type: str
-    sample: "435210894375"
+    sample: "123456789012"
 platform:
     description: Platform of image.
     returned: when AMI is created or already exists

diff --git a/plugins/modules/ec2_ami_info.py b/plugins/modules/ec2_ami_info.py
@@ -132,7 +132,7 @@
       description: The location of the AMI.
       returned: always
       type: str
-      sample: 408466080000/Webapp
+      sample: 123456789012/Webapp
     image_type:
       description: The type of image.
       returned: always
@@ -150,7 +150,7 @@
         user_id:
             description: An AWS account ID with permissions to launch the AMI.
             type: str
-      sample: [{"group": "all"}, {"user_id": "408466080000"}]
+      sample: [{"group": "all"}, {"user_id": "123456789012"}]
     name:
       description: The name of the AMI that was provided during image creation.
       returned: always
@@ -160,7 +160,7 @@
       description: The AWS account ID of the image owner.
       returned: always
       type: str
-      sample: '408466080000'
+      sample: '123456789012'
     public:
       description: Whether the image has public launch permissions.
       returned: always

diff --git a/plugins/modules/ec2_eni_info.py b/plugins/modules/ec2_eni_info.py
@@ -59,7 +59,7 @@
       sample: {
           allocation_id: "eipalloc-5sdf123",
           association_id: "eipassoc-8sdf123",
-          ip_owner_id: "4415120123456",
+          ip_owner_id: "123456789012",
           public_dns_name: "ec2-52-1-0-63.compute-1.amazonaws.com",
           public_ip: "52.1.0.63"
         }
@@ -73,7 +73,7 @@
         delete_on_termination: false,
         device_index: 1,
         instance_id: "i-15b8d3cadbafa1234",
-        instance_owner_id: "4415120123456",
+        instance_owner_id: "123456789012",
         status: "attached"
       }
     availability_zone:
@@ -130,7 +130,7 @@
       description: AWS account id of the owner of the ENI.
       returned: always
       type: str
-      sample: "4415120123456"
+      sample: "123456789012"
     private_dns_name:
       description: Private DNS name for the ENI.
       returned: always
@@ -150,7 +150,7 @@
       description: The ID of the entity that launched the ENI.
       returned: always
       type: str
-      sample: "AIDAIONYVJQNIAZFT3ABC"
+      sample: "AIDA12345EXAMPLE54321"
     requester_managed:
       description:  Indicates whether the network interface is being managed by an AWS service.
       returned: always

diff --git a/plugins/modules/ec2_instance.py b/plugins/modules/ec2_instance.py
@@ -588,7 +588,7 @@
                     description: The Amazon Resource Name (ARN) of the instance profile.
                     returned: always
                     type: str
-                    sample: "arn:aws:iam::000012345678:instance-profile/myprofile"
+                    sample: "arn:aws:iam::123456789012:instance-profile/myprofile"
                 id:
                     description: The ID of the instance profile
                     returned: always

diff --git a/plugins/modules/ec2_instance_info.py b/plugins/modules/ec2_instance_info.py
@@ -172,7 +172,7 @@
                     description: The Amazon Resource Name (ARN) of the instance profile.
                     returned: always
                     type: str
-                    sample: "arn:aws:iam::000012345678:instance-profile/myprofile"
+                    sample: "arn:aws:iam::123456789012:instance-profile/myprofile"
                 id:
                     description: The ID of the instance profile.
                     returned: always

diff --git a/plugins/modules/ec2_metadata_facts.py b/plugins/modules/ec2_metadata_facts.py
@@ -119,7 +119,7 @@
         ansible_ec2_iam_info_instanceprofilearn:
             description: The IAM instance profile ARN.
             type: str
-            sample: "arn:aws:iam::<account id>:instance-profile/role_name"
+            sample: "arn:aws:iam::123456789012:instance-profile/role_name"
         ansible_ec2_iam_info_instanceprofileid:
             description: IAM instance profile ID.
             type: str
@@ -181,7 +181,7 @@
         ansible_ec2_instance_identity_document_accountid:
             description: ""
             type: str
-            sample: "012345678901"
+            sample: "123456789012"
         ansible_ec2_instance_identity_document_architecture:
             description: Instance system architecture.
             type: str
@@ -315,7 +315,7 @@
                 - In multiple-interface environments, an interface can be attached by a third party, such as Elastic Load Balancing.
                 - Traffic on an interface is always billed to the interface owner.
             type: str
-            sample: "01234567890"
+            sample: "123456789012"
         ansible_ec2_network_interfaces_macs_mac_address_public_hostname:
             description:
                 - The interface's public DNS (IPv4). If the instance is in a VPC,

diff --git a/plugins/modules/ec2_security_group.py b/plugins/modules/ec2_security_group.py
@@ -301,7 +301,7 @@
       - proto: tcp
         from_port: 3306
         to_port: 3306
-        group_id: 123412341234/sg-87654321/exact-name-of-sg
+        group_id: 123456789012/sg-87654321/exact-name-of-sg
       - proto: udp
         from_port: 10050
         to_port: 10050

diff --git a/plugins/modules/ec2_security_group_info.py b/plugins/modules/ec2_security_group_info.py
@@ -242,7 +242,7 @@
                     "user_id_group_pairs": []
                 }
             ],
-            "owner_id": "721066863947",
+            "owner_id": "123456789012",
             "tags": {},
             "vpc_id": "vpc-0bc3bb03f97405435"
         }

diff --git a/plugins/modules/ec2_snapshot_info.py b/plugins/modules/ec2_snapshot_info.py
@@ -80,15 +80,15 @@
 # Gather information about all snapshots, including public ones
 - amazon.aws.ec2_snapshot_info:
 
-# Gather information about all snapshots owned by the account 0123456789
+# Gather information about all snapshots owned by the account 123456789012
 - amazon.aws.ec2_snapshot_info:
     filters:
-      owner-id: 0123456789
+      owner-id: 123456789012
 
 # Or alternatively...
 - amazon.aws.ec2_snapshot_info:
     owner_ids:
-      - 0123456789
+      - 123456789012
 
 # Gather information about a particular snapshot using ID
 - amazon.aws.ec2_snapshot_info:
@@ -156,7 +156,7 @@
             description: The AWS account ID of the EBS snapshot owner.
             type: str
             returned: always
-            sample: "099720109477"
+            sample: "123456789012"
         description:
             description: The description for the snapshot.
             type: str
@@ -171,7 +171,7 @@
             description: The AWS account alias (for example, amazon, self) or AWS account ID that owns the snapshot.
             type: str
             returned: always
-            sample: "033440102211"
+            sample: "123456789012"
         tags:
             description: Any tags assigned to the snapshot.
             type: dict
@@ -195,7 +195,7 @@
                 corresponds to the data encryption key that was used to encrypt the original volume or snapshot copy.
             type: str
             returned: always
-            sample: "arn:aws:kms:ap-southeast-2:012345678900:key/74c9742a-a1b2-45cb-b3fe-abcdef123456"
+            sample: "arn:aws:kms:ap-southeast-2:123456789012:key/74c9742a-a1b2-45cb-b3fe-abcdef123456"
 next_token_id:
     description:
     - Contains the value returned from a previous paginated request where C(max_results) was used and the results exceeded the value of that parameter.

diff --git a/plugins/modules/elb_application_lb.py b/plugins/modules/elb_application_lb.py
@@ -241,7 +241,7 @@
         # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy.
         SslPolicy: ELBSecurityPolicy-2015-05
         Certificates: # The ARN of the certificate (only one certficate ARN should be provided)
-          - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com
+          - CertificateArn: arn:aws:iam::123456789012:server-certificate/test.domain.com
         DefaultActions:
           - Type: forward # Required.
             TargetGroupName: # Required. The name of the target group
@@ -265,7 +265,7 @@
         # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy.
         SslPolicy: ELBSecurityPolicy-2015-05
         Certificates: # The ARN of the certificate (only one certficate ARN should be provided)
-          - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com
+          - CertificateArn: arn:aws:iam::123456789012:server-certificate/test.domain.com
         DefaultActions:
           - Type: forward # Required.
             TargetGroupName: # Required. The name of the target group
@@ -287,7 +287,7 @@
           - Type: forward
             TargetGroupName: test-target-group
         Certificates:
-          - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com
+          - CertificateArn: arn:aws:iam::123456789012:server-certificate/test.domain.com
         SslPolicy: ELBSecurityPolicy-2015-05
         Rules:
           - Conditions:
@@ -456,7 +456,7 @@
     description: The Amazon Resource Name (ARN) of the load balancer.
     returned: when state is present
     type: str
-    sample: "arn:aws:elasticloadbalancing:ap-southeast-2:0123456789:loadbalancer/app/my-alb/001122334455"
+    sample: "arn:aws:elasticloadbalancing:ap-southeast-2:123456789012:loadbalancer/app/my-alb/001122334455"
 load_balancer_name:
     description: The name of the load balancer.
     returned: when state is present

diff --git a/plugins/modules/elb_application_lb_info.py b/plugins/modules/elb_application_lb_info.py
@@ -43,7 +43,7 @@
 - name: Gather information about a particular ALB given its ARN
   amazon.aws.elb_application_lb_info:
     load_balancer_arns:
-      - "arn:aws:elasticloadbalancing:ap-southeast-2:001122334455:loadbalancer/app/my-alb/aabbccddeeff"
+      - "arn:aws:elasticloadbalancing:ap-southeast-2:123456789012:loadbalancer/app/my-alb/aabbccddeeff"
 
 - name: Gather information about ALBs named 'alb1' and 'alb2'
   amazon.aws.elb_application_lb_info:
@@ -153,7 +153,7 @@
         load_balancer_arn:
             description: The Amazon Resource Name (ARN) of the load balancer.
             type: str
-            sample: "arn:aws:elasticloadbalancing:ap-southeast-2:0123456789:loadbalancer/app/my-alb/001122334455"
+            sample: "arn:aws:elasticloadbalancing:ap-southeast-2:123456789012:loadbalancer/app/my-alb/001122334455"
         load_balancer_name:
             description: The name of the load balancer.
             type: str

diff --git a/plugins/modules/iam_user.py b/plugins/modules/iam_user.py
@@ -143,15 +143,15 @@
         arn:
             description: the Amazon Resource Name (ARN) specifying the user
             type: str
-            sample: "arn:aws:iam::1234567890:user/testuser1"
+            sample: "arn:aws:iam::123456789012:user/testuser1"
         create_date:
             description: the date and time, in ISO 8601 date-time format, when the user was created
             type: str
             sample: "2017-02-08T04:36:28+00:00"
         user_id:
             description: the stable and unique string identifying the user
             type: str
-            sample: "AGPAIDBWE12NSFINE55TM"
+            sample: "AGPA12345EXAMPLE54321"
         user_name:
             description: the friendly name that identifies the user
             type: str

diff --git a/plugins/modules/iam_user_info.py b/plugins/modules/iam_user_info.py
@@ -70,7 +70,7 @@
             description: the ARN of the user
             returned: if user exists
             type: str
-            sample: "arn:aws:iam::156360693172:user/dev/test_user"
+            sample: "arn:aws:iam::123456789012:user/dev/test_user"
         create_date:
             description: the datetime user was created
             returned: if user exists

diff --git a/plugins/modules/kms_key.py b/plugins/modules/kms_key.py
@@ -171,7 +171,7 @@
     key_id: abcd1234-abcd-1234-5678-ef1234567890
     grants:
       - name: billing_prod
-        grantee_principal: arn:aws:iam::1234567890123:role/billing_prod
+        grantee_principal: arn:aws:iam::123456789012:role/billing_prod
         constraints:
           encryption_context_equals:
             environment: production
@@ -285,12 +285,12 @@
       Resource: "*"
       Condition:
         StringEquals:
-          kms:CallerAccount: "111111111111"
+          kms:CallerAccount: "123456789012"
           kms:ViaService: "ec2.ap-southeast-2.amazonaws.com"
     - Sid: "Allow direct access to key metadata to the account"
       Effect: "Allow"
       Principal:
-        AWS: "arn:aws:iam::111111111111:root"
+        AWS: "arn:aws:iam::123456789012:root"
       Action:
       - "kms:Describe*"
       - "kms:Get*"
@@ -320,12 +320,12 @@
       Resource: "*"
       Condition:
         StringEquals:
-          kms:CallerAccount: "111111111111"
+          kms:CallerAccount: "123456789012"
           kms:ViaService: "ec2.ap-southeast-2.amazonaws.com"
     - Sid: "Allow direct access to key metadata to the account"
       Effect: "Allow"
       Principal:
-        AWS: "arn:aws:iam::111111111111:root"
+        AWS: "arn:aws:iam::123456789012:root"
       Action:
       - "kms:Describe*"
       - "kms:Get*"
@@ -353,7 +353,7 @@
       returned: always
       sample:
         encryption_context_equals:
-           "aws:lambda:_function_arn": "arn:aws:lambda:ap-southeast-2:012345678912:function:xyz"
+           "aws:lambda:_function_arn": "arn:aws:lambda:ap-southeast-2:123456789012:function:xyz"
     creation_date:
       description: Date of creation of the grant.
       type: str
@@ -368,12 +368,12 @@
       description: The principal that receives the grant's permissions.
       type: str
       returned: always
-      sample: arn:aws:sts::0123456789012:assumed-role/lambda_xyz/xyz
+      sample: arn:aws:sts::123456789012:assumed-role/lambda_xyz/xyz
     issuing_account:
       description: The AWS account under which the grant was issued.
       type: str
       returned: always
-      sample: arn:aws:iam::01234567890:root
+      sample: arn:aws:iam::123456789012:root
     key_id:
       description: The key ARN to which the grant applies.
       type: str
@@ -395,7 +395,7 @@
       description: The principal that can retire the grant.
       type: str
       returned: always
-      sample: arn:aws:sts::0123456789012:assumed-role/lambda_xyz/xyz
+      sample: arn:aws:sts::123456789012:assumed-role/lambda_xyz/xyz
 changes_needed:
   description: Grant types that would be changed/were changed.
   type: dict
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		trivial:
		- various modules - Update example Account IDs and IAM UUIDs for consistency (https://github.com/ansible-collections/amazon.aws/pull/1070).