From 5bb54ede4241a9904dc101bfde654f9b800562fd Mon Sep 17 00:00:00 2001 From: GomathiselviS Date: Wed, 21 Sep 2022 15:19:30 -0400 Subject: [PATCH] Remove collection reference inside the tests --- tests/integration/targets/kms_key/main.yml | 3 +- .../kms_key/roles/aws_kms/defaults/main.yml | 4 +- .../kms_key/roles/aws_kms/tasks/main.yml | 8 +- .../roles/aws_kms/tasks/test_grants.yml | 680 ++++++----- .../roles/aws_kms/tasks/test_modify.yml | 543 +++++---- .../roles/aws_kms/tasks/test_states.yml | 1015 ++++++++--------- .../roles/aws_kms/tasks/test_tagging.yml | 364 +++--- 7 files changed, 1258 insertions(+), 1359 deletions(-) diff --git a/tests/integration/targets/kms_key/main.yml b/tests/integration/targets/kms_key/main.yml index 3cbf14f7bf7..0f248fc013a 100644 --- a/tests/integration/targets/kms_key/main.yml +++ b/tests/integration/targets/kms_key/main.yml @@ -1,4 +1,3 @@ ---- # Beware: most of our tests here are run in parallel. # To add new tests you'll need to add a new host to the inventory and a matching # '{{ inventory_hostname }}'.yml file in roles/aws_kms/tasks/ @@ -7,4 +6,4 @@ gather_facts: no strategy: free roles: - - aws_kms + - aws_kms diff --git a/tests/integration/targets/kms_key/roles/aws_kms/defaults/main.yml b/tests/integration/targets/kms_key/roles/aws_kms/defaults/main.yml index 3e5e6c895ee..af2b9609ae0 100644 --- a/tests/integration/targets/kms_key/roles/aws_kms/defaults/main.yml +++ b/tests/integration/targets/kms_key/roles/aws_kms/defaults/main.yml @@ -1,2 +1,2 @@ ---- -kms_key_alias: "ansible-test-{{ inventory_hostname | replace('_','-') }}{{ tiny_prefix }}" +kms_key_alias: ansible-test-{{ inventory_hostname | replace('_','-') }}{{ tiny_prefix + }} diff --git a/tests/integration/targets/kms_key/roles/aws_kms/tasks/main.yml b/tests/integration/targets/kms_key/roles/aws_kms/tasks/main.yml index 81f3e009899..2dcdcc7578a 100644 --- a/tests/integration/targets/kms_key/roles/aws_kms/tasks/main.yml 
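Review bot: In the defaults/main.yml hunk the dropped quotes leave `kms_key_alias` as a plain scalar that is wrapped onto a second line (`{{ tiny_prefix` / `}}`), so the value now relies on YAML line folding to reassemble the Jinja expression; folding yields a single space, so it still evaluates, but the wrap is easy to break on the next edit and a reflow tool may not preserve it. Keep the alias on one quoted line as before: `kms_key_alias: "ansible-test-{{ inventory_hostname | replace('_','-') }}{{ tiny_prefix }}"`. The two main.yml hunks only drop the document marker and requote a list item, nothing to raise there.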
+++ b/tests/integration/targets/kms_key/roles/aws_kms/tasks/main.yml @@ -1,8 +1,6 @@ ---- -- name: 'aws_kms integration tests' +- name: aws_kms integration tests collections: - - amazon.aws - - community.aws + - community.aws module_defaults: group/aws: aws_access_key: '{{ aws_access_key }}' @@ -10,4 +8,4 @@ security_token: '{{ security_token | default(omit) }}' region: '{{ aws_region }}' block: - - include: './test_{{ inventory_hostname }}.yml' + - include: ./test_{{ inventory_hostname }}.yml diff --git a/tests/integration/targets/kms_key/roles/aws_kms/tasks/test_grants.yml b/tests/integration/targets/kms_key/roles/aws_kms/tasks/test_grants.yml index cb6fd22d040..071b36417fd 100644 --- a/tests/integration/targets/kms_key/roles/aws_kms/tasks/test_grants.yml +++ b/tests/integration/targets/kms_key/roles/aws_kms/tasks/test_grants.yml 
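Review bot: The rewritten include line in the second hunk of tasks/main.yml still uses the `include` action (`- include: ./test_{{ inventory_hostname }}.yml`), which is deprecated in favour of `include_tasks`; since the line is touched anyway, switching it avoids the deprecation warning on every run: `- include_tasks: ./test_{{ inventory_hostname }}.yml`. The `collections:` list in the first hunk now names only `community.aws`, so the unqualified `aws_kms`, `aws_caller_info` and `iam_role` calls in the task files presumably resolve through the collection under test; worth confirming once in CI rather than assuming.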
@@ -4,369 +4,347 @@ # # Get some information about who we are before starting our tests # we'll need this as soon as we start working on the policies - - name: get ARN of calling user - aws_caller_info: - register: aws_caller_info - - # IAM Roles completes before the Role is fully instantiated, create it here - # to ensure it exists when we need it for updating the policies - - name: create an IAM role that can do nothing - iam_role: - name: '{{ kms_key_alias }}' - state: present - assume_role_policy_document: '{"Version": "2012-10-17", "Statement": {"Action": "sts:AssumeRole", "Principal": {"Service": "ec2.amazonaws.com"}, "Effect": "Deny"} }' - register: iam_role_result - - # ============================================================ - # TESTS - # Note - there are waits placed after each action to account for inconsistencies in what - # is being returned when fetching key metadata. - # Combinations of manual waiters, checking expecting key values to actual key value, and static sleeps - # have all been tried, but none of those available options have solved the problem. 
- - - name: create a key - aws_kms: - alias: '{{ kms_key_alias }}' - tags: - Hello: World - state: present - enabled: yes - enable_key_rotation: no - register: key - - - name: assert that state is enabled - assert: - that: - - key is changed - - '"key_id" in key' - - key.key_id | length >= 36 - - not key.key_id.startswith("arn:aws") - - '"key_arn" in key' - - key.key_arn.endswith(key.key_id) - - key.key_arn.startswith("arn:aws") - - key.key_state == "Enabled" - - key.enabled == True - - key.tags | length == 1 - - key.tags['Hello'] == 'World' - - key.enable_key_rotation == false - - key.key_usage == 'ENCRYPT_DECRYPT' - - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' - - key.grants | length == 0 - - key.key_policies | length == 1 - - key.key_policies[0].Id == 'key-default-1' - - key.description == '' + - name: get ARN of calling user + aws_caller_info: + register: aws_caller_info + - name: create an IAM role that can do nothing + iam_role: + name: '{{ kms_key_alias }}' + state: present + assume_role_policy_document: '{"Version": "2012-10-17", "Statement": {"Action": + "sts:AssumeRole", "Principal": {"Service": "ec2.amazonaws.com"}, "Effect": + "Deny"} }' + register: iam_role_result + - name: create a key + aws_kms: + alias: '{{ kms_key_alias }}' + tags: + Hello: World + state: present + enabled: yes + enable_key_rotation: no + register: key + - name: assert that state is enabled + assert: + that: + - key is changed + - '"key_id" in key' + - key.key_id | length >= 36 + - not key.key_id.startswith("arn:aws") + - '"key_arn" in key' + - key.key_arn.endswith(key.key_id) + - key.key_arn.startswith("arn:aws") + - key.key_state == "Enabled" + - key.enabled == True + - key.tags | length == 1 + - key.tags['Hello'] == 'World' + - key.enable_key_rotation == false + - key.key_usage == 'ENCRYPT_DECRYPT' + - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' + - key.grants | length == 0 + - key.key_policies | length == 1 + - key.key_policies[0].Id == 'key-default-1' + - 
key.description == '' # ------------------------------------------------------------------------------------------ - - name: Add grant - check mode - aws_kms: - alias: '{{ kms_key_alias }}' - state: present - purge_grants: yes - grants: - - name: test_grant - grantee_principal: "{{ iam_role_result.iam_role.arn }}" - retiring_principal: "{{ aws_caller_info.arn }}" - constraints: - encryption_context_equals: - environment: test - application: testapp - operations: - - Decrypt - - RetireGrant - register: key - check_mode: yes - - - name: assert grant would have been added - assert: - that: - - key.changed + - name: Add grant - check mode + aws_kms: + alias: '{{ kms_key_alias }}' + state: present + purge_grants: yes + grants: + - name: test_grant + grantee_principal: '{{ iam_role_result.iam_role.arn }}' + retiring_principal: '{{ aws_caller_info.arn }}' + constraints: + encryption_context_equals: + environment: test + application: testapp + operations: + - Decrypt + - RetireGrant + register: key + check_mode: yes + - name: assert grant would have been added + assert: + that: + - key.changed # Roles can take a little while to get ready, pause briefly to give it chance - - wait_for: - timeout: 20 - - - name: Add grant - aws_kms: - alias: '{{ kms_key_alias }}' - state: present - purge_grants: yes - grants: - - name: test_grant - grantee_principal: "{{ iam_role_result.iam_role.arn }}" - retiring_principal: "{{ aws_caller_info.arn }}" - constraints: - encryption_context_equals: - environment: test - application: testapp - operations: - - Decrypt - - RetireGrant - register: key - - - name: assert grant added - assert: - that: - - key.changed - - '"key_id" in key' - - key.key_id | length >= 36 - - not key.key_id.startswith("arn:aws") - - '"key_arn" in key' - - key.key_arn.endswith(key.key_id) - - key.key_arn.startswith("arn:aws") - - key.key_state == "Enabled" - - key.enabled == True - - key.tags | length == 1 - - key.tags['Hello'] == 'World' - - key.enable_key_rotation == 
false - - key.key_usage == 'ENCRYPT_DECRYPT' - - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' - - key.grants | length == 1 - - key.key_policies | length == 1 - - key.key_policies[0].Id == 'key-default-1' - - key.description == '' - - - name: Sleep to wait for updates to propagate - wait_for: - timeout: 45 + - wait_for: + timeout: 20 + - name: Add grant + aws_kms: + alias: '{{ kms_key_alias }}' + state: present + purge_grants: yes + grants: + - name: test_grant + grantee_principal: '{{ iam_role_result.iam_role.arn }}' + retiring_principal: '{{ aws_caller_info.arn }}' + constraints: + encryption_context_equals: + environment: test + application: testapp + operations: + - Decrypt + - RetireGrant + register: key + - name: assert grant added + assert: + that: + - key.changed + - '"key_id" in key' + - key.key_id | length >= 36 + - not key.key_id.startswith("arn:aws") + - '"key_arn" in key' + - key.key_arn.endswith(key.key_id) + - key.key_arn.startswith("arn:aws") + - key.key_state == "Enabled" + - key.enabled == True + - key.tags | length == 1 + - key.tags['Hello'] == 'World' + - key.enable_key_rotation == false + - key.key_usage == 'ENCRYPT_DECRYPT' + - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' + - key.grants | length == 1 + - key.key_policies | length == 1 + - key.key_policies[0].Id == 'key-default-1' + - key.description == '' - - name: Add grant (idempotence) - check mode - aws_kms: - alias: '{{ kms_key_alias }}' - state: present - purge_grants: yes - grants: - - name: test_grant - grantee_principal: "{{ iam_role_result.iam_role.arn }}" - retiring_principal: "{{ aws_caller_info.arn }}" - constraints: - encryption_context_equals: - environment: test - application: testapp - operations: - - Decrypt - - RetireGrant - register: key - check_mode: yes + - name: Sleep to wait for updates to propagate + wait_for: + timeout: 45 + - name: Add grant (idempotence) - check mode + aws_kms: + alias: '{{ kms_key_alias }}' + state: present + purge_grants: yes + 
grants: + - name: test_grant + grantee_principal: '{{ iam_role_result.iam_role.arn }}' + retiring_principal: '{{ aws_caller_info.arn }}' + constraints: + encryption_context_equals: + environment: test + application: testapp + operations: + - Decrypt + - RetireGrant + register: key + check_mode: yes + - assert: + that: + - not key.changed - - assert: - that: - - not key.changed + - name: Add grant (idempotence) + aws_kms: + alias: '{{ kms_key_alias }}' + state: present + purge_grants: yes + grants: + - name: test_grant + grantee_principal: '{{ iam_role_result.iam_role.arn }}' + retiring_principal: '{{ aws_caller_info.arn }}' + constraints: + encryption_context_equals: + environment: test + application: testapp + operations: + - Decrypt + - RetireGrant + register: key + - assert: + that: + - not key.changed + - '"key_id" in key' + - key.key_id | length >= 36 + - not key.key_id.startswith("arn:aws") + - '"key_arn" in key' + - key.key_arn.endswith(key.key_id) + - key.key_arn.startswith("arn:aws") + - key.key_state == "Enabled" + - key.enabled == True + - key.tags | length == 1 + - key.tags['Hello'] == 'World' + - key.enable_key_rotation == false + - key.key_usage == 'ENCRYPT_DECRYPT' + - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' + - key.grants | length == 1 + - key.key_policies | length == 1 + - key.key_policies[0].Id == 'key-default-1' + - key.description == '' - - name: Add grant (idempotence) - aws_kms: - alias: '{{ kms_key_alias }}' - state: present - purge_grants: yes - grants: - - name: test_grant - grantee_principal: "{{ iam_role_result.iam_role.arn }}" - retiring_principal: "{{ aws_caller_info.arn }}" - constraints: - encryption_context_equals: - environment: test - application: testapp - operations: - - Decrypt - - RetireGrant - register: key + - name: Add a second grant + aws_kms: + alias: '{{ kms_key_alias }}' + state: present + grants: + - name: another_grant + grantee_principal: '{{ iam_role_result.iam_role.arn }}' + retiring_principal: '{{ 
aws_caller_info.arn }}' + constraints: + encryption_context_equals: + Environment: second + Application: anotherapp + operations: + - Decrypt + - RetireGrant + register: key + - name: Assert grant added + assert: + that: + - key.changed + - '"key_id" in key' + - key.key_id | length >= 36 + - not key.key_id.startswith("arn:aws") + - '"key_arn" in key' + - key.key_arn.endswith(key.key_id) + - key.key_arn.startswith("arn:aws") + - key.key_state == "Enabled" + - key.enabled == True + - key.tags | length == 1 + - key.tags['Hello'] == 'World' + - key.enable_key_rotation == false + - key.key_usage == 'ENCRYPT_DECRYPT' + - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' + - key.grants | length == 2 + - key.key_policies | length == 1 + - key.key_policies[0].Id == 'key-default-1' + - key.description == '' - - assert: - that: - - not key.changed - - '"key_id" in key' - - key.key_id | length >= 36 - - not key.key_id.startswith("arn:aws") - - '"key_arn" in key' - - key.key_arn.endswith(key.key_id) - - key.key_arn.startswith("arn:aws") - - key.key_state == "Enabled" - - key.enabled == True - - key.tags | length == 1 - - key.tags['Hello'] == 'World' - - key.enable_key_rotation == false - - key.key_usage == 'ENCRYPT_DECRYPT' - - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' - - key.grants | length == 1 - - key.key_policies | length == 1 - - key.key_policies[0].Id == 'key-default-1' - - key.description == '' + - name: Sleep to wait for updates to propagate + wait_for: + timeout: 45 + - name: Add a second grant again + aws_kms: + alias: '{{ kms_key_alias }}' + state: present + grants: + - name: another_grant + grantee_principal: '{{ iam_role_result.iam_role.arn }}' + retiring_principal: '{{ aws_caller_info.arn }}' + constraints: + encryption_context_equals: + Environment: second + Application: anotherapp + operations: + - Decrypt + - RetireGrant + register: key + - name: Assert grant added + assert: + that: + - not key.changed + - '"key_id" in key' + - key.key_id | length 
>= 36 + - not key.key_id.startswith("arn:aws") + - '"key_arn" in key' + - key.key_arn.endswith(key.key_id) + - key.key_arn.startswith("arn:aws") + - key.key_state == "Enabled" + - key.enabled == True + - key.tags | length == 1 + - key.tags['Hello'] == 'World' + - key.enable_key_rotation == false + - key.key_usage == 'ENCRYPT_DECRYPT' + - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' + - key.grants | length == 2 + - key.key_policies | length == 1 + - key.key_policies[0].Id == 'key-default-1' + - key.description == '' - - name: Add a second grant - aws_kms: - alias: '{{ kms_key_alias }}' - state: present - grants: - - name: another_grant - grantee_principal: "{{ iam_role_result.iam_role.arn }}" - retiring_principal: "{{ aws_caller_info.arn }}" - constraints: - encryption_context_equals: - Environment: second - Application: anotherapp - operations: - - Decrypt - - RetireGrant - register: key + - name: Update the grants with purge_grants set + aws_kms: + alias: '{{ kms_key_alias }}' + state: present + purge_grants: yes + grants: + - name: third_grant + grantee_principal: '{{ iam_role_result.iam_role.arn }}' + retiring_principal: '{{ aws_caller_info.arn }}' + constraints: + encryption_context_equals: + environment: third + application: onemoreapp + operations: + - Decrypt + - RetireGrant + register: key + - name: Assert grants replaced + assert: + that: + - key.changed + - '"key_id" in key' + - key.key_id | length >= 36 + - not key.key_id.startswith("arn:aws") + - '"key_arn" in key' + - key.key_arn.endswith(key.key_id) + - key.key_arn.startswith("arn:aws") + - key.key_state == "Enabled" + - key.enabled == True + - key.tags | length == 1 + - key.tags['Hello'] == 'World' + - key.enable_key_rotation == false + - key.key_usage == 'ENCRYPT_DECRYPT' + - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' + - key.grants | length == 1 + - key.key_policies | length == 1 + - key.key_policies[0].Id == 'key-default-1' + - key.description == '' - - name: Assert grant added - 
assert: - that: - - key.changed - - '"key_id" in key' - - key.key_id | length >= 36 - - not key.key_id.startswith("arn:aws") - - '"key_arn" in key' - - key.key_arn.endswith(key.key_id) - - key.key_arn.startswith("arn:aws") - - key.key_state == "Enabled" - - key.enabled == True - - key.tags | length == 1 - - key.tags['Hello'] == 'World' - - key.enable_key_rotation == false - - key.key_usage == 'ENCRYPT_DECRYPT' - - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' - - key.grants | length == 2 - - key.key_policies | length == 1 - - key.key_policies[0].Id == 'key-default-1' - - key.description == '' - - - name: Sleep to wait for updates to propagate - wait_for: - timeout: 45 - - - name: Add a second grant again - aws_kms: - alias: '{{ kms_key_alias }}' - state: present - grants: - - name: another_grant - grantee_principal: "{{ iam_role_result.iam_role.arn }}" - retiring_principal: "{{ aws_caller_info.arn }}" - constraints: - encryption_context_equals: - Environment: second - Application: anotherapp - operations: - - Decrypt - - RetireGrant - register: key - - - name: Assert grant added - assert: - that: - - not key.changed - - '"key_id" in key' - - key.key_id | length >= 36 - - not key.key_id.startswith("arn:aws") - - '"key_arn" in key' - - key.key_arn.endswith(key.key_id) - - key.key_arn.startswith("arn:aws") - - key.key_state == "Enabled" - - key.enabled == True - - key.tags | length == 1 - - key.tags['Hello'] == 'World' - - key.enable_key_rotation == false - - key.key_usage == 'ENCRYPT_DECRYPT' - - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' - - key.grants | length == 2 - - key.key_policies | length == 1 - - key.key_policies[0].Id == 'key-default-1' - - key.description == '' - - - name: Update the grants with purge_grants set - aws_kms: - alias: '{{ kms_key_alias }}' - state: present - purge_grants: yes - grants: - - name: third_grant - grantee_principal: "{{ iam_role_result.iam_role.arn }}" - retiring_principal: "{{ aws_caller_info.arn }}" - constraints: 
- encryption_context_equals: - environment: third - application: onemoreapp - operations: - - Decrypt - - RetireGrant - register: key - - - name: Assert grants replaced - assert: - that: - - key.changed - - '"key_id" in key' - - key.key_id | length >= 36 - - not key.key_id.startswith("arn:aws") - - '"key_arn" in key' - - key.key_arn.endswith(key.key_id) - - key.key_arn.startswith("arn:aws") - - key.key_state == "Enabled" - - key.enabled == True - - key.tags | length == 1 - - key.tags['Hello'] == 'World' - - key.enable_key_rotation == false - - key.key_usage == 'ENCRYPT_DECRYPT' - - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' - - key.grants | length == 1 - - key.key_policies | length == 1 - - key.key_policies[0].Id == 'key-default-1' - - key.description == '' - - - name: Update third grant to change encryption context equals to subset - aws_kms: - alias: '{{ kms_key_alias }}' - state: present - grants: - - name: third_grant - grantee_principal: "{{ iam_role_result.iam_role.arn }}" - retiring_principal: "{{ aws_caller_info.arn }}" - constraints: - encryption_context_subset: - environment: third - application: onemoreapp - operations: - - Decrypt - - RetireGrant - register: key - - - name: Assert grants replaced - assert: - that: - - key.changed - - '"key_id" in key' - - key.key_id | length >= 36 - - not key.key_id.startswith("arn:aws") - - '"key_arn" in key' - - key.key_arn.endswith(key.key_id) - - key.key_arn.startswith("arn:aws") - - key.key_state == "Enabled" - - key.enabled == True - - key.tags | length == 1 - - key.tags['Hello'] == 'World' - - key.enable_key_rotation == false - - key.key_usage == 'ENCRYPT_DECRYPT' - - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' - - key.grants | length == 1 - - key.key_policies | length == 1 - - key.key_policies[0].Id == 'key-default-1' - - key.description == '' - - "'encryption_context_equals' not in key.grants[0].constraints" - - "'encryption_context_subset' in key.grants[0].constraints" + - name: Update third 
grant to change encryption context equals to subset + aws_kms: + alias: '{{ kms_key_alias }}' + state: present + grants: + - name: third_grant + grantee_principal: '{{ iam_role_result.iam_role.arn }}' + retiring_principal: '{{ aws_caller_info.arn }}' + constraints: + encryption_context_subset: + environment: third + application: onemoreapp + operations: + - Decrypt + - RetireGrant + register: key + - name: Assert grants replaced + assert: + that: + - key.changed + - '"key_id" in key' + - key.key_id | length >= 36 + - not key.key_id.startswith("arn:aws") + - '"key_arn" in key' + - key.key_arn.endswith(key.key_id) + - key.key_arn.startswith("arn:aws") + - key.key_state == "Enabled" + - key.enabled == True + - key.tags | length == 1 + - key.tags['Hello'] == 'World' + - key.enable_key_rotation == false + - key.key_usage == 'ENCRYPT_DECRYPT' + - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' + - key.grants | length == 1 + - key.key_policies | length == 1 + - key.key_policies[0].Id == 'key-default-1' + - key.description == '' + - "'encryption_context_equals' not in key.grants[0].constraints" + - "'encryption_context_subset' in key.grants[0].constraints" always: # ============================================================ # CLEAN-UP - - name: finish off by deleting keys - aws_kms: - state: absent - alias: "{{ kms_key_alias }}" - pending_window: 7 - ignore_errors: True - - - name: remove the IAM role - iam_role: - name: '{{ kms_key_alias }}' - state: absent - ignore_errors: True + - name: finish off by deleting keys + aws_kms: + state: absent + alias: '{{ kms_key_alias }}' + pending_window: 7 + ignore_errors: true + - name: remove the IAM role + iam_role: + name: '{{ kms_key_alias }}' + state: absent + ignore_errors: true diff --git a/tests/integration/targets/kms_key/roles/aws_kms/tasks/test_modify.yml b/tests/integration/targets/kms_key/roles/aws_kms/tasks/test_modify.yml index c144de0bb72..223074a3e49 100644 
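Review bot: The new side of this hunk drops the explanatory comment block that preceded the IAM role creation and the tests (the `# IAM Roles completes before the Role is fully instantiated ...` note and the `# TESTS` / `# Note - there are waits placed after each action ...` paragraph), while the `wait_for` sleeps of 20 and 45 seconds those comments justified are kept; without them the next maintainer has no indication why the sleeps exist and may remove them. Reinstate the removed comment lines verbatim above `- name: create an IAM role that can do nothing` and above `- name: create a key`. The same comment block is removed in the test_modify.yml hunk that follows and should get the same treatment. The three-line wrap of `assume_role_policy_document` into a multi-line single-quoted scalar folds to spaces inside the JSON, so it still parses, but a `>-` folded block or a single line would read more plainly.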
--- a/tests/integration/targets/kms_key/roles/aws_kms/tasks/test_modify.yml +++ b/tests/integration/targets/kms_key/roles/aws_kms/tasks/test_modify.yml 
@@ -4,299 +4,276 @@ # # Get some information about who we are before starting our tests # we'll need this as soon as we start working on the policies - - name: get ARN of calling user - aws_caller_info: - register: aws_caller_info - - # IAM Roles completes before the Role is fully instantiated, create it here - # to ensure it exists when we need it for updating the policies - - name: create an IAM role that can do nothing - iam_role: - name: '{{ kms_key_alias }}' - state: present - assume_role_policy_document: '{"Version": "2012-10-17", "Statement": {"Action": "sts:AssumeRole", "Principal": {"Service": "ec2.amazonaws.com"}, "Effect": "Deny"} }' - register: iam_role_result - - # ============================================================ - # TESTS - # Note - there are waits placed after each action to account for inconsistencies in what - # is being returned when fetching key metadata. - # Combinations of manual waiters, checking expecting key values to actual key value, and static sleeps - # have all been tried, but none of those available options have solved the problem. 
- - - name: create a key - aws_kms: - alias: '{{ kms_key_alias }}' - tags: - Hello: World - state: present - enabled: yes - enable_key_rotation: no - register: key - - - name: assert that state is enabled - assert: - that: - - key is changed - - '"key_id" in key' - - key.key_id | length >= 36 - - not key.key_id.startswith("arn:aws") - - '"key_arn" in key' - - key.key_arn.endswith(key.key_id) - - key.key_arn.startswith("arn:aws") - - key.key_state == "Enabled" - - key.enabled == True - - key.tags | length == 1 - - key.tags['Hello'] == 'World' - - key.enable_key_rotation == false - - key.key_usage == 'ENCRYPT_DECRYPT' - - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' - - key.grants | length == 0 - - key.key_policies | length == 1 - - key.key_policies[0].Id == 'key-default-1' - - key.description == '' + - name: get ARN of calling user + aws_caller_info: + register: aws_caller_info + - name: create an IAM role that can do nothing + iam_role: + name: '{{ kms_key_alias }}' + state: present + assume_role_policy_document: '{"Version": "2012-10-17", "Statement": {"Action": + "sts:AssumeRole", "Principal": {"Service": "ec2.amazonaws.com"}, "Effect": + "Deny"} }' + register: iam_role_result + - name: create a key + aws_kms: + alias: '{{ kms_key_alias }}' + tags: + Hello: World + state: present + enabled: yes + enable_key_rotation: no + register: key + - name: assert that state is enabled + assert: + that: + - key is changed + - '"key_id" in key' + - key.key_id | length >= 36 + - not key.key_id.startswith("arn:aws") + - '"key_arn" in key' + - key.key_arn.endswith(key.key_id) + - key.key_arn.startswith("arn:aws") + - key.key_state == "Enabled" + - key.enabled == True + - key.tags | length == 1 + - key.tags['Hello'] == 'World' + - key.enable_key_rotation == false + - key.key_usage == 'ENCRYPT_DECRYPT' + - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' + - key.grants | length == 0 + - key.key_policies | length == 1 + - key.key_policies[0].Id == 'key-default-1' + - 
key.description == '' # ------------------------------------------------------------------------------------------ - - name: Save IDs for later - set_fact: - kms_key_id: '{{ key.key_id }}' - kms_key_arn: '{{ key.key_arn }}' - - - name: find facts about the key (by ID) - aws_kms_info: - key_id: '{{ kms_key_id }}' - register: new_key - - - name: check that a key was found - assert: - that: - - '"key_id" in new_key.kms_keys[0]' - - new_key.kms_keys[0].key_id | length >= 36 - - not new_key.kms_keys[0].key_id.startswith("arn:aws") - - '"key_arn" in new_key.kms_keys[0]' - - new_key.kms_keys[0].key_arn.endswith(new_key.kms_keys[0].key_id) - - new_key.kms_keys[0].key_arn.startswith("arn:aws") - - new_key.kms_keys[0].key_state == "Enabled" - - new_key.kms_keys[0].enabled == True - - new_key.kms_keys[0].tags | length == 1 - - new_key.kms_keys[0].tags['Hello'] == 'World' - - new_key.kms_keys[0].enable_key_rotation == False - - new_key.kms_keys[0].key_usage == 'ENCRYPT_DECRYPT' - - new_key.kms_keys[0].customer_master_key_spec == 'SYMMETRIC_DEFAULT' - - new_key.kms_keys[0].grants | length == 0 - - new_key.kms_keys[0].key_policies | length == 1 - - new_key.kms_keys[0].key_policies[0].Id == 'key-default-1' - - new_key.kms_keys[0].description == '' - - - name: Update policy - check mode - aws_kms: - key_id: '{{ kms_key_id }}' - policy: "{{ lookup('template', 'console-policy.j2') }}" - register: key - check_mode: yes - - - assert: - that: - - key is changed - - - name: Update policy - aws_kms: - key_id: '{{ kms_key_id }}' - policy: "{{ lookup('template', 'console-policy.j2') }}" - register: key - - - name: Policy should have been changed - assert: - that: - - key is changed - - '"key_id" in key' - - key.key_id | length >= 36 - - not key.key_id.startswith("arn:aws") - - '"key_arn" in key' - - key.key_arn.endswith(key.key_id) - - key.key_arn.startswith("arn:aws") - - key.key_state == "Enabled" - - key.enabled == True - - key.tags | length == 1 - - key.tags['Hello'] == 'World' - - 
key.enable_key_rotation == false - - key.key_usage == 'ENCRYPT_DECRYPT' - - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' - - key.grants | length == 0 - - key.key_policies | length == 1 - - key.key_policies[0].Id == 'key-consolepolicy-3' - - key.description == '' - - - name: Sleep to wait for updates to propagate - wait_for: - timeout: 45 - - - name: Update policy (idempotence) - check mode - aws_kms: - alias: "alias/{{ kms_key_alias }}" - policy: "{{ lookup('template', 'console-policy.j2') }}" - register: key - check_mode: yes - - - assert: - that: - - not key.changed - - - name: Update policy (idempotence) - aws_kms: - alias: "alias/{{ kms_key_alias }}" - policy: "{{ lookup('template', 'console-policy.j2') }}" - register: key - - - assert: - that: - - not key.changed - - '"key_id" in key' - - key.key_id | length >= 36 - - not key.key_id.startswith("arn:aws") - - '"key_arn" in key' - - key.key_arn.endswith(key.key_id) - - key.key_arn.startswith("arn:aws") - - key.key_state == "Enabled" - - key.enabled == True - - key.tags | length == 1 - - key.tags['Hello'] == 'World' - - key.enable_key_rotation == false - - key.key_usage == 'ENCRYPT_DECRYPT' - - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' - - key.grants | length == 0 - - key.key_policies | length == 1 - - key.key_policies[0].Id == 'key-consolepolicy-3' - - key.description == '' + - name: Save IDs for later + set_fact: + kms_key_id: '{{ key.key_id }}' + kms_key_arn: '{{ key.key_arn }}' + - name: find facts about the key (by ID) + aws_kms_info: + key_id: '{{ kms_key_id }}' + register: new_key + - name: check that a key was found + assert: + that: + - '"key_id" in new_key.kms_keys[0]' + - new_key.kms_keys[0].key_id | length >= 36 + - not new_key.kms_keys[0].key_id.startswith("arn:aws") + - '"key_arn" in new_key.kms_keys[0]' + - new_key.kms_keys[0].key_arn.endswith(new_key.kms_keys[0].key_id) + - new_key.kms_keys[0].key_arn.startswith("arn:aws") + - new_key.kms_keys[0].key_state == "Enabled" + - 
new_key.kms_keys[0].enabled == True + - new_key.kms_keys[0].tags | length == 1 + - new_key.kms_keys[0].tags['Hello'] == 'World' + - new_key.kms_keys[0].enable_key_rotation == False + - new_key.kms_keys[0].key_usage == 'ENCRYPT_DECRYPT' + - new_key.kms_keys[0].customer_master_key_spec == 'SYMMETRIC_DEFAULT' + - new_key.kms_keys[0].grants | length == 0 + - new_key.kms_keys[0].key_policies | length == 1 + - new_key.kms_keys[0].key_policies[0].Id == 'key-default-1' + - new_key.kms_keys[0].description == '' + + - name: Update policy - check mode + aws_kms: + key_id: '{{ kms_key_id }}' + policy: "{{ lookup('template', 'console-policy.j2') }}" + register: key + check_mode: yes + - assert: + that: + - key is changed + + - name: Update policy + aws_kms: + key_id: '{{ kms_key_id }}' + policy: "{{ lookup('template', 'console-policy.j2') }}" + register: key + - name: Policy should have been changed + assert: + that: + - key is changed + - '"key_id" in key' + - key.key_id | length >= 36 + - not key.key_id.startswith("arn:aws") + - '"key_arn" in key' + - key.key_arn.endswith(key.key_id) + - key.key_arn.startswith("arn:aws") + - key.key_state == "Enabled" + - key.enabled == True + - key.tags | length == 1 + - key.tags['Hello'] == 'World' + - key.enable_key_rotation == false + - key.key_usage == 'ENCRYPT_DECRYPT' + - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' + - key.grants | length == 0 + - key.key_policies | length == 1 + - key.key_policies[0].Id == 'key-consolepolicy-3' + - key.description == '' + + - name: Sleep to wait for updates to propagate + wait_for: + timeout: 45 + - name: Update policy (idempotence) - check mode + aws_kms: + alias: alias/{{ kms_key_alias }} + policy: "{{ lookup('template', 'console-policy.j2') }}" + register: key + check_mode: yes + - assert: + that: + - not key.changed + + - name: Update policy (idempotence) + aws_kms: + alias: alias/{{ kms_key_alias }} + policy: "{{ lookup('template', 'console-policy.j2') }}" + register: key + - assert: + 
that: + - not key.changed + - '"key_id" in key' + - key.key_id | length >= 36 + - not key.key_id.startswith("arn:aws") + - '"key_arn" in key' + - key.key_arn.endswith(key.key_id) + - key.key_arn.startswith("arn:aws") + - key.key_state == "Enabled" + - key.enabled == True + - key.tags | length == 1 + - key.tags['Hello'] == 'World' + - key.enable_key_rotation == false + - key.key_usage == 'ENCRYPT_DECRYPT' + - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' + - key.grants | length == 0 + - key.key_policies | length == 1 + - key.key_policies[0].Id == 'key-consolepolicy-3' + - key.description == '' # ------------------------------------------------------------------------------------------ - - name: Update description - check mode - aws_kms: - alias: '{{ kms_key_alias }}' - state: present - description: test key for testing - register: key - check_mode: yes - - - assert: - that: - - key.changed - - - name: Update description - aws_kms: - alias: '{{ kms_key_alias }}' - state: present - description: test key for testing - register: key - - - assert: - that: - - key.changed - - '"key_id" in key' - - key.key_id | length >= 36 - - not key.key_id.startswith("arn:aws") - - '"key_arn" in key' - - key.key_arn.endswith(key.key_id) - - key.key_arn.startswith("arn:aws") - - key.key_state == "Enabled" - - key.enabled == True - - key.tags | length == 1 - - key.tags['Hello'] == 'World' - - key.enable_key_rotation == false - - key.key_usage == 'ENCRYPT_DECRYPT' - - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' - - key.grants | length == 0 - - key.key_policies | length == 1 - - key.key_policies[0].Id == 'key-consolepolicy-3' - - key.description == 'test key for testing' - - - name: Sleep to wait for updates to propagate - wait_for: - timeout: 45 - - - name: Update description (idempotence) - check mode - aws_kms: - alias: '{{ kms_key_alias }}' - state: present - description: test key for testing - register: key - check_mode: yes - - - assert: - that: - - not key.changed - - - 
name: Update description (idempotence) - aws_kms: - alias: '{{ kms_key_alias }}' - state: present - description: test key for testing - register: key - - - assert: - that: - - not key.changed - - '"key_id" in key' - - key.key_id | length >= 36 - - not key.key_id.startswith("arn:aws") - - '"key_arn" in key' - - key.key_arn.endswith(key.key_id) - - key.key_arn.startswith("arn:aws") - - key.key_state == "Enabled" - - key.enabled == True - - key.tags | length == 1 - - key.tags['Hello'] == 'World' - - key.enable_key_rotation == false - - key.key_usage == 'ENCRYPT_DECRYPT' - - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' - - key.grants | length == 0 - - key.key_policies | length == 1 - - key.key_policies[0].Id == 'key-consolepolicy-3' - - key.description == 'test key for testing' + - name: Update description - check mode + aws_kms: + alias: '{{ kms_key_alias }}' + state: present + description: test key for testing + register: key + check_mode: yes + - assert: + that: + - key.changed + + - name: Update description + aws_kms: + alias: '{{ kms_key_alias }}' + state: present + description: test key for testing + register: key + - assert: + that: + - key.changed + - '"key_id" in key' + - key.key_id | length >= 36 + - not key.key_id.startswith("arn:aws") + - '"key_arn" in key' + - key.key_arn.endswith(key.key_id) + - key.key_arn.startswith("arn:aws") + - key.key_state == "Enabled" + - key.enabled == True + - key.tags | length == 1 + - key.tags['Hello'] == 'World' + - key.enable_key_rotation == false + - key.key_usage == 'ENCRYPT_DECRYPT' + - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' + - key.grants | length == 0 + - key.key_policies | length == 1 + - key.key_policies[0].Id == 'key-consolepolicy-3' + - key.description == 'test key for testing' + + - name: Sleep to wait for updates to propagate + wait_for: + timeout: 45 + - name: Update description (idempotence) - check mode + aws_kms: + alias: '{{ kms_key_alias }}' + state: present + description: test key for 
testing + register: key + check_mode: yes + - assert: + that: + - not key.changed + + - name: Update description (idempotence) + aws_kms: + alias: '{{ kms_key_alias }}' + state: present + description: test key for testing + register: key + - assert: + that: + - not key.changed + - '"key_id" in key' + - key.key_id | length >= 36 + - not key.key_id.startswith("arn:aws") + - '"key_arn" in key' + - key.key_arn.endswith(key.key_id) + - key.key_arn.startswith("arn:aws") + - key.key_state == "Enabled" + - key.enabled == True + - key.tags | length == 1 + - key.tags['Hello'] == 'World' + - key.enable_key_rotation == false + - key.key_usage == 'ENCRYPT_DECRYPT' + - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' + - key.grants | length == 0 + - key.key_policies | length == 1 + - key.key_policies[0].Id == 'key-consolepolicy-3' + - key.description == 'test key for testing' # ------------------------------------------------------------------------------------------ - - name: update policy to remove access to key rotation status - aws_kms: - alias: 'alias/{{ kms_key_alias }}' - policy: "{{ lookup('template', 'console-policy-no-key-rotation.j2') }}" - register: key - - - assert: - that: - - '"key_id" in key' - - key.key_id | length >= 36 - - not key.key_id.startswith("arn:aws") - - '"key_arn" in key' - - key.key_arn.endswith(key.key_id) - - key.key_arn.startswith("arn:aws") - - key.key_state == "Enabled" - - key.enabled == True - - key.tags | length == 1 - - key.tags['Hello'] == 'World' - - key.enable_key_rotation is none - - key.key_usage == 'ENCRYPT_DECRYPT' - - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' - - key.grants | length == 0 - - key.key_policies | length == 1 - - key.key_policies[0].Id == 'key-consolepolicy-3' - - key.description == 'test key for testing' - - "'Disable access to key rotation status' in {{ key.key_policies[0].Statement | map(attribute='Sid') }}" + - name: update policy to remove access to key rotation status + aws_kms: + alias: alias/{{ 
kms_key_alias }} + policy: "{{ lookup('template', 'console-policy-no-key-rotation.j2') }}" + register: key + - assert: + that: + - '"key_id" in key' + - key.key_id | length >= 36 + - not key.key_id.startswith("arn:aws") + - '"key_arn" in key' + - key.key_arn.endswith(key.key_id) + - key.key_arn.startswith("arn:aws") + - key.key_state == "Enabled" + - key.enabled == True + - key.tags | length == 1 + - key.tags['Hello'] == 'World' + - key.enable_key_rotation is none + - key.key_usage == 'ENCRYPT_DECRYPT' + - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' + - key.grants | length == 0 + - key.key_policies | length == 1 + - key.key_policies[0].Id == 'key-consolepolicy-3' + - key.description == 'test key for testing' + - "'Disable access to key rotation status' in {{ key.key_policies[0].Statement\ + \ | map(attribute='Sid') }}" always: # ============================================================ # CLEAN-UP - - name: finish off by deleting keys - aws_kms: - state: absent - alias: "{{ kms_key_alias }}" - pending_window: 7 - ignore_errors: True - - - name: remove the IAM role - iam_role: - name: '{{ kms_key_alias }}' - state: absent - ignore_errors: True + - name: finish off by deleting keys + aws_kms: + state: absent + alias: '{{ kms_key_alias }}' + pending_window: 7 + ignore_errors: true + - name: remove the IAM role + iam_role: + name: '{{ kms_key_alias }}' + state: absent + ignore_errors: true diff --git a/tests/integration/targets/kms_key/roles/aws_kms/tasks/test_states.yml b/tests/integration/targets/kms_key/roles/aws_kms/tasks/test_states.yml index 31e91d5921d..ea11b233d61 100644 --- a/tests/integration/targets/kms_key/roles/aws_kms/tasks/test_states.yml +++ b/tests/integration/targets/kms_key/roles/aws_kms/tasks/test_states.yml 
@@ -4,554 +4,517 @@ # # Get some information about who we are before starting our tests # we'll need this as soon as we start working on the policies - - name: get ARN of calling user - aws_caller_info: - register: aws_caller_info - - # ============================================================ - # TESTS - # Note - there are waits placed after each action to account for inconsistencies in what - # is being returned when fetching key metadata. - # Combinations of manual waiters, checking expecting key values to actual key value, and static sleeps - # have all been tried, but none of those available options have solved the problem. - - - name: See whether key exists and its current state - aws_kms_info: - alias: '{{ kms_key_alias }}' - - - name: create a key - check mode - aws_kms: - alias: '{{ kms_key_alias }}-check' - tags: - Hello: World - state: present - enabled: yes - register: key_check - check_mode: yes - - - name: find facts about the check mode key - aws_kms_info: - alias: '{{ kms_key_alias }}-check' - register: check_key - - - name: ensure that check mode worked as expected - assert: - that: - - check_key.kms_keys | length == 0 - - key_check is changed - - - name: create a key - aws_kms: - alias: '{{ kms_key_alias }}' - tags: - Hello: World - state: present - enabled: yes - enable_key_rotation: no - register: key - - - name: assert that state is enabled - assert: - that: - - key is changed - - '"key_id" in key' - - key.key_id | length >= 36 - - not key.key_id.startswith("arn:aws") - - '"key_arn" in key' - - key.key_arn.endswith(key.key_id) - - key.key_arn.startswith("arn:aws") - - key.key_state == "Enabled" - - key.enabled == True - - key.tags | length == 1 - - key.tags['Hello'] == 'World' - - key.enable_key_rotation == false - - key.key_usage == 'ENCRYPT_DECRYPT' - - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' - - key.grants | length == 0 - - key.key_policies | length == 1 - - key.key_policies[0].Id == 'key-default-1' - - key.description == '' - 
- - name: Sleep to wait for updates to propagate - wait_for: - timeout: 45 - - - name: create a key (idempotence) - check mode - aws_kms: - alias: '{{ kms_key_alias }}' - tags: - Hello: World - state: present - enabled: yes - register: key - check_mode: yes - - - assert: - that: - - key is not changed - - - name: create a key (idempotence) - aws_kms: - alias: '{{ kms_key_alias }}' - tags: - Hello: World - state: present - enabled: yes - register: key - check_mode: yes - - - assert: - that: - - key is not changed - - '"key_id" in key' - - key.key_id | length >= 36 - - not key.key_id.startswith("arn:aws") - - '"key_arn" in key' - - key.key_arn.endswith(key.key_id) - - key.key_arn.startswith("arn:aws") - - key.key_state == "Enabled" - - key.enabled == True - - key.tags | length == 1 - - key.tags['Hello'] == 'World' - - key.enable_key_rotation == false - - key.key_usage == 'ENCRYPT_DECRYPT' - - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' - - key.grants | length == 0 - - key.key_policies | length == 1 - - key.key_policies[0].Id == 'key-default-1' - - key.description == '' + - name: get ARN of calling user + aws_caller_info: + register: aws_caller_info + - name: See whether key exists and its current state + aws_kms_info: + alias: '{{ kms_key_alias }}' + - name: create a key - check mode + aws_kms: + alias: '{{ kms_key_alias }}-check' + tags: + Hello: World + state: present + enabled: yes + register: key_check + check_mode: yes + - name: find facts about the check mode key + aws_kms_info: + alias: '{{ kms_key_alias }}-check' + register: check_key + - name: ensure that check mode worked as expected + assert: + that: + - check_key.kms_keys | length == 0 + - key_check is changed + + - name: create a key + aws_kms: + alias: '{{ kms_key_alias }}' + tags: + Hello: World + state: present + enabled: yes + enable_key_rotation: no + register: key + - name: assert that state is enabled + assert: + that: + - key is changed + - '"key_id" in key' + - key.key_id | length >= 36 
+ - not key.key_id.startswith("arn:aws") + - '"key_arn" in key' + - key.key_arn.endswith(key.key_id) + - key.key_arn.startswith("arn:aws") + - key.key_state == "Enabled" + - key.enabled == True + - key.tags | length == 1 + - key.tags['Hello'] == 'World' + - key.enable_key_rotation == false + - key.key_usage == 'ENCRYPT_DECRYPT' + - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' + - key.grants | length == 0 + - key.key_policies | length == 1 + - key.key_policies[0].Id == 'key-default-1' + - key.description == '' + + - name: Sleep to wait for updates to propagate + wait_for: + timeout: 45 + - name: create a key (idempotence) - check mode + aws_kms: + alias: '{{ kms_key_alias }}' + tags: + Hello: World + state: present + enabled: yes + register: key + check_mode: yes + - assert: + that: + - key is not changed + + - name: create a key (idempotence) + aws_kms: + alias: '{{ kms_key_alias }}' + tags: + Hello: World + state: present + enabled: yes + register: key + check_mode: yes + - assert: + that: + - key is not changed + - '"key_id" in key' + - key.key_id | length >= 36 + - not key.key_id.startswith("arn:aws") + - '"key_arn" in key' + - key.key_arn.endswith(key.key_id) + - key.key_arn.startswith("arn:aws") + - key.key_state == "Enabled" + - key.enabled == True + - key.tags | length == 1 + - key.tags['Hello'] == 'World' + - key.enable_key_rotation == false + - key.key_usage == 'ENCRYPT_DECRYPT' + - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' + - key.grants | length == 0 + - key.key_policies | length == 1 + - key.key_policies[0].Id == 'key-default-1' + - key.description == '' # ------------------------------------------------------------------------------------------ - - name: Save IDs for later - set_fact: - kms_key_id: '{{ key.key_id }}' - kms_key_arn: '{{ key.key_arn }}' - - - name: Enable key rotation - check mode - aws_kms: - alias: '{{ kms_key_alias }}' - tags: - Hello: World - state: present - enabled: yes - enable_key_rotation: yes - register: key - 
check_mode: yes - - - assert: - that: - - key.changed - - - name: Enable key rotation - aws_kms: - alias: '{{ kms_key_alias }}' - tags: - Hello: World - state: present - enabled: yes - enable_key_rotation: yes - register: key - - - name: assert that key rotation is enabled - assert: - that: - - key is changed - - '"key_id" in key' - - key.key_id | length >= 36 - - not key.key_id.startswith("arn:aws") - - '"key_arn" in key' - - key.key_arn.endswith(key.key_id) - - key.key_arn.startswith("arn:aws") - - key.key_state == "Enabled" - - key.enabled == True - - key.tags | length == 1 - - key.tags['Hello'] == 'World' - - key.enable_key_rotation == True - - key.key_usage == 'ENCRYPT_DECRYPT' - - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' - - key.grants | length == 0 - - key.key_policies | length == 1 - - key.key_policies[0].Id == 'key-default-1' - - key.description == '' - - - name: Sleep to wait for updates to propagate - wait_for: - timeout: 45 - - - name: Enable key rotation (idempotence) - check mode - aws_kms: - alias: '{{ kms_key_alias }}' - tags: - Hello: World - state: present - enabled: yes - enable_key_rotation: yes - register: key - check_mode: yes - - - assert: - that: - - not key.changed - - - name: Enable key rotation (idempotence) - aws_kms: - alias: '{{ kms_key_alias }}' - tags: - Hello: World - state: present - enabled: yes - enable_key_rotation: yes - register: key - - - assert: - that: - - not key is changed - - '"key_id" in key' - - key.key_id | length >= 36 - - not key.key_id.startswith("arn:aws") - - '"key_arn" in key' - - key.key_arn.endswith(key.key_id) - - key.key_arn.startswith("arn:aws") - - key.key_state == "Enabled" - - key.enabled == True - - key.tags | length == 1 - - key.tags['Hello'] == 'World' - - key.enable_key_rotation == True - - key.key_usage == 'ENCRYPT_DECRYPT' - - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' - - key.grants | length == 0 - - key.key_policies | length == 1 - - key.key_policies[0].Id == 'key-default-1' - 
- key.description == '' + - name: Save IDs for later + set_fact: + kms_key_id: '{{ key.key_id }}' + kms_key_arn: '{{ key.key_arn }}' + - name: Enable key rotation - check mode + aws_kms: + alias: '{{ kms_key_alias }}' + tags: + Hello: World + state: present + enabled: yes + enable_key_rotation: yes + register: key + check_mode: yes + - assert: + that: + - key.changed + + - name: Enable key rotation + aws_kms: + alias: '{{ kms_key_alias }}' + tags: + Hello: World + state: present + enabled: yes + enable_key_rotation: yes + register: key + - name: assert that key rotation is enabled + assert: + that: + - key is changed + - '"key_id" in key' + - key.key_id | length >= 36 + - not key.key_id.startswith("arn:aws") + - '"key_arn" in key' + - key.key_arn.endswith(key.key_id) + - key.key_arn.startswith("arn:aws") + - key.key_state == "Enabled" + - key.enabled == True + - key.tags | length == 1 + - key.tags['Hello'] == 'World' + - key.enable_key_rotation == True + - key.key_usage == 'ENCRYPT_DECRYPT' + - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' + - key.grants | length == 0 + - key.key_policies | length == 1 + - key.key_policies[0].Id == 'key-default-1' + - key.description == '' + + - name: Sleep to wait for updates to propagate + wait_for: + timeout: 45 + - name: Enable key rotation (idempotence) - check mode + aws_kms: + alias: '{{ kms_key_alias }}' + tags: + Hello: World + state: present + enabled: yes + enable_key_rotation: yes + register: key + check_mode: yes + - assert: + that: + - not key.changed + + - name: Enable key rotation (idempotence) + aws_kms: + alias: '{{ kms_key_alias }}' + tags: + Hello: World + state: present + enabled: yes + enable_key_rotation: yes + register: key + - assert: + that: + - not key is changed + - '"key_id" in key' + - key.key_id | length >= 36 + - not key.key_id.startswith("arn:aws") + - '"key_arn" in key' + - key.key_arn.endswith(key.key_id) + - key.key_arn.startswith("arn:aws") + - key.key_state == "Enabled" + - key.enabled == 
True + - key.tags | length == 1 + - key.tags['Hello'] == 'World' + - key.enable_key_rotation == True + - key.key_usage == 'ENCRYPT_DECRYPT' + - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' + - key.grants | length == 0 + - key.key_policies | length == 1 + - key.key_policies[0].Id == 'key-default-1' + - key.description == '' # ------------------------------------------------------------------------------------------ - - name: Disable key - check mode - aws_kms: - alias: '{{ kms_key_alias }}' - state: present - enabled: no - register: key - check_mode: yes - - - assert: - that: - - key.changed - - - name: Disable key - aws_kms: - alias: '{{ kms_key_alias }}' - state: present - enabled: no - register: key - - - name: assert that state is disabled - assert: - that: - - key is changed - - '"key_id" in key' - - key.key_id | length >= 36 - - not key.key_id.startswith("arn:aws") - - '"key_arn" in key' - - key.key_arn.endswith(key.key_id) - - key.key_arn.startswith("arn:aws") - - key.key_state == "Disabled" - - key.enabled == False - - key.tags | length == 1 - - key.tags['Hello'] == 'World' - - key.enable_key_rotation == True - - key.key_usage == 'ENCRYPT_DECRYPT' - - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' - - key.grants | length == 0 - - key.key_policies | length == 1 - - key.key_policies[0].Id == 'key-default-1' - - key.description == '' - - - name: Sleep to wait for updates to propagate - wait_for: - timeout: 45 - - - name: Disable key (idempotence) - check mode - aws_kms: - alias: '{{ kms_key_alias }}' - state: present - enabled: no - register: key - check_mode: yes - - - assert: - that: - - not key.changed - - - name: Disable key (idempotence) - aws_kms: - alias: '{{ kms_key_alias }}' - state: present - enabled: no - register: key - - - assert: - that: - - not key.changed - - '"key_id" in key' - - key.key_id | length >= 36 - - not key.key_id.startswith("arn:aws") - - '"key_arn" in key' - - key.key_arn.endswith(key.key_id) - - 
key.key_arn.startswith("arn:aws") - - key.key_state == "Disabled" - - key.enabled == False - - key.tags | length == 1 - - key.tags['Hello'] == 'World' - - key.enable_key_rotation == True - - key.key_usage == 'ENCRYPT_DECRYPT' - - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' - - key.grants | length == 0 - - key.key_policies | length == 1 - - key.key_policies[0].Id == 'key-default-1' - - key.description == '' + - name: Disable key - check mode + aws_kms: + alias: '{{ kms_key_alias }}' + state: present + enabled: no + register: key + check_mode: yes + - assert: + that: + - key.changed + + - name: Disable key + aws_kms: + alias: '{{ kms_key_alias }}' + state: present + enabled: no + register: key + - name: assert that state is disabled + assert: + that: + - key is changed + - '"key_id" in key' + - key.key_id | length >= 36 + - not key.key_id.startswith("arn:aws") + - '"key_arn" in key' + - key.key_arn.endswith(key.key_id) + - key.key_arn.startswith("arn:aws") + - key.key_state == "Disabled" + - key.enabled == False + - key.tags | length == 1 + - key.tags['Hello'] == 'World' + - key.enable_key_rotation == True + - key.key_usage == 'ENCRYPT_DECRYPT' + - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' + - key.grants | length == 0 + - key.key_policies | length == 1 + - key.key_policies[0].Id == 'key-default-1' + - key.description == '' + + - name: Sleep to wait for updates to propagate + wait_for: + timeout: 45 + - name: Disable key (idempotence) - check mode + aws_kms: + alias: '{{ kms_key_alias }}' + state: present + enabled: no + register: key + check_mode: yes + - assert: + that: + - not key.changed + + - name: Disable key (idempotence) + aws_kms: + alias: '{{ kms_key_alias }}' + state: present + enabled: no + register: key + - assert: + that: + - not key.changed + - '"key_id" in key' + - key.key_id | length >= 36 + - not key.key_id.startswith("arn:aws") + - '"key_arn" in key' + - key.key_arn.endswith(key.key_id) + - key.key_arn.startswith("arn:aws") + - 
key.key_state == "Disabled" + - key.enabled == False + - key.tags | length == 1 + - key.tags['Hello'] == 'World' + - key.enable_key_rotation == True + - key.key_usage == 'ENCRYPT_DECRYPT' + - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' + - key.grants | length == 0 + - key.key_policies | length == 1 + - key.key_policies[0].Id == 'key-default-1' + - key.description == '' # ------------------------------------------------------------------------------------------ - - name: Delete key - check mode - aws_kms: - alias: '{{ kms_key_alias }}' - state: absent - register: key - check_mode: yes - - - assert: - that: - - key is changed - - - name: Delete key - aws_kms: - alias: '{{ kms_key_alias }}' - state: absent - register: key - - - name: Sleep to wait for updates to propagate - wait_for: - timeout: 45 - - - name: Assert that state is pending deletion - vars: - now_time: '{{ lookup("pipe", "date -u +%Y-%m-%d\ %H:%M:%S") }}' - deletion_time: '{{ key.deletion_date[:19] | to_datetime("%Y-%m-%dT%H:%M:%S") }}' - assert: - that: - - key.changed - - '"key_id" in key' - - key.key_id | length >= 36 - - not key.key_id.startswith("arn:aws") - - '"key_arn" in key' - - key.key_arn.endswith(key.key_id) - - key.key_arn.startswith("arn:aws") - - key.key_state == "PendingDeletion" - - key.enabled == False - - key.tags | length == 1 - - key.tags['Hello'] == 'World' - - key.enable_key_rotation == False - - key.key_usage == 'ENCRYPT_DECRYPT' - - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' - - key.grants | length == 0 - - key.key_policies | length == 1 - - key.key_policies[0].Id == 'key-default-1' - - key.description == '' + - name: Delete key - check mode + aws_kms: + alias: '{{ kms_key_alias }}' + state: absent + register: key + check_mode: yes + - assert: + that: + - key is changed + + - name: Delete key + aws_kms: + alias: '{{ kms_key_alias }}' + state: absent + register: key + - name: Sleep to wait for updates to propagate + wait_for: + timeout: 45 + - name: Assert that 
state is pending deletion + vars: + now_time: '{{ lookup("pipe", "date -u +%Y-%m-%d\ %H:%M:%S") }}' + deletion_time: '{{ key.deletion_date[:19] | to_datetime("%Y-%m-%dT%H:%M:%S") + }}' + assert: + that: + - key.changed + - '"key_id" in key' + - key.key_id | length >= 36 + - not key.key_id.startswith("arn:aws") + - '"key_arn" in key' + - key.key_arn.endswith(key.key_id) + - key.key_arn.startswith("arn:aws") + - key.key_state == "PendingDeletion" + - key.enabled == False + - key.tags | length == 1 + - key.tags['Hello'] == 'World' + - key.enable_key_rotation == False + - key.key_usage == 'ENCRYPT_DECRYPT' + - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' + - key.grants | length == 0 + - key.key_policies | length == 1 + - key.key_policies[0].Id == 'key-default-1' + - key.description == '' # Times won't be perfect, allow a 24 hour window - - (( deletion_time | to_datetime ) - ( now_time | to_datetime )).days <= 30 - - (( deletion_time | to_datetime ) - ( now_time | to_datetime )).days >= 29 - - - name: Delete key (idempotence) - check mode - aws_kms: - alias: '{{ kms_key_alias }}' - state: absent - register: key - check_mode: yes - - - assert: - that: - - not key.changed - - - name: Delete key (idempotence) - aws_kms: - alias: '{{ kms_key_alias }}' - state: absent - register: key - - - vars: - now_time: '{{ lookup("pipe", "date -u +%Y-%m-%d\ %H:%M:%S") }}' - deletion_time: '{{ key.deletion_date[:19] | to_datetime("%Y-%m-%dT%H:%M:%S") }}' - assert: - that: - - not key.changed - - '"key_id" in key' - - key.key_id | length >= 36 - - not key.key_id.startswith("arn:aws") - - '"key_arn" in key' - - key.key_arn.endswith(key.key_id) - - key.key_arn.startswith("arn:aws") - - key.key_state == "PendingDeletion" - - key.enabled == False - - key.tags | length == 1 - - key.tags['Hello'] == 'World' - - key.enable_key_rotation == False - - key.key_usage == 'ENCRYPT_DECRYPT' - - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' - - key.grants | length == 0 - - key.key_policies | 
length == 1 - - key.key_policies[0].Id == 'key-default-1' - - key.description == '' + - (( deletion_time | to_datetime ) - ( now_time | to_datetime )).days <= 30 + - (( deletion_time | to_datetime ) - ( now_time | to_datetime )).days >= 29 + + - name: Delete key (idempotence) - check mode + aws_kms: + alias: '{{ kms_key_alias }}' + state: absent + register: key + check_mode: yes + - assert: + that: + - not key.changed + + - name: Delete key (idempotence) + aws_kms: + alias: '{{ kms_key_alias }}' + state: absent + register: key + - vars: + now_time: '{{ lookup("pipe", "date -u +%Y-%m-%d\ %H:%M:%S") }}' + deletion_time: '{{ key.deletion_date[:19] | to_datetime("%Y-%m-%dT%H:%M:%S") + }}' + assert: + that: + - not key.changed + - '"key_id" in key' + - key.key_id | length >= 36 + - not key.key_id.startswith("arn:aws") + - '"key_arn" in key' + - key.key_arn.endswith(key.key_id) + - key.key_arn.startswith("arn:aws") + - key.key_state == "PendingDeletion" + - key.enabled == False + - key.tags | length == 1 + - key.tags['Hello'] == 'World' + - key.enable_key_rotation == False + - key.key_usage == 'ENCRYPT_DECRYPT' + - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' + - key.grants | length == 0 + - key.key_policies | length == 1 + - key.key_policies[0].Id == 'key-default-1' + - key.description == '' # Times won't be perfect, allow a 24 hour window - - (( deletion_time | to_datetime ) - ( now_time | to_datetime )).days <= 30 - - (( deletion_time | to_datetime ) - ( now_time | to_datetime )).days >= 29 + - (( deletion_time | to_datetime ) - ( now_time | to_datetime )).days <= 30 + - (( deletion_time | to_datetime ) - ( now_time | to_datetime )).days >= 29 # ------------------------------------------------------------------------------------------ - - name: Cancel key deletion - check mode - aws_kms: - alias: '{{ kms_key_alias }}' - state: present - register: key - check_mode: yes - - - assert: - that: - - key.changed - - - name: Cancel key deletion - aws_kms: - alias: '{{ 
kms_key_alias }}' - state: present - register: key - - - assert: - that: - - key.changed - - '"key_id" in key' - - key.key_id | length >= 36 - - not key.key_id.startswith("arn:aws") - - '"key_arn" in key' - - key.key_arn.endswith(key.key_id) - - key.key_arn.startswith("arn:aws") - - key.key_state == "Enabled" - - key.enabled == True - - key.tags | length == 1 - - key.tags['Hello'] == 'World' - - key.enable_key_rotation == True - - key.key_usage == 'ENCRYPT_DECRYPT' - - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' - - key.grants | length == 0 - - key.key_policies | length == 1 - - key.key_policies[0].Id == 'key-default-1' - - key.description == '' - - "'deletion_date' not in key" - - - name: Sleep to wait for updates to propagate - wait_for: - timeout: 45 - - - name: Cancel key deletion (idempotence) - check mode - aws_kms: - alias: '{{ kms_key_alias }}' - state: present - register: key - check_mode: yes - - - assert: - that: - - not key.changed - - - name: Cancel key deletion (idempotence) - aws_kms: - alias: '{{ kms_key_alias }}' - state: present - register: key - - - assert: - that: - - not key.changed - - '"key_id" in key' - - key.key_id | length >= 36 - - not key.key_id.startswith("arn:aws") - - '"key_arn" in key' - - key.key_arn.endswith(key.key_id) - - key.key_arn.startswith("arn:aws") - - key.key_state == "Enabled" - - key.enabled == True - - key.tags | length == 1 - - key.tags['Hello'] == 'World' - - key.enable_key_rotation == True - - key.key_usage == 'ENCRYPT_DECRYPT' - - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' - - key.grants | length == 0 - - key.key_policies | length == 1 - - key.key_policies[0].Id == 'key-default-1' - - key.description == '' - - "'deletion_date' not in key" + - name: Cancel key deletion - check mode + aws_kms: + alias: '{{ kms_key_alias }}' + state: present + register: key + check_mode: yes + - assert: + that: + - key.changed + + - name: Cancel key deletion + aws_kms: + alias: '{{ kms_key_alias }}' + state: present + 
register: key + - assert: + that: + - key.changed + - '"key_id" in key' + - key.key_id | length >= 36 + - not key.key_id.startswith("arn:aws") + - '"key_arn" in key' + - key.key_arn.endswith(key.key_id) + - key.key_arn.startswith("arn:aws") + - key.key_state == "Enabled" + - key.enabled == True + - key.tags | length == 1 + - key.tags['Hello'] == 'World' + - key.enable_key_rotation == True + - key.key_usage == 'ENCRYPT_DECRYPT' + - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' + - key.grants | length == 0 + - key.key_policies | length == 1 + - key.key_policies[0].Id == 'key-default-1' + - key.description == '' + - "'deletion_date' not in key" + + - name: Sleep to wait for updates to propagate + wait_for: + timeout: 45 + - name: Cancel key deletion (idempotence) - check mode + aws_kms: + alias: '{{ kms_key_alias }}' + state: present + register: key + check_mode: yes + - assert: + that: + - not key.changed + + - name: Cancel key deletion (idempotence) + aws_kms: + alias: '{{ kms_key_alias }}' + state: present + register: key + - assert: + that: + - not key.changed + - '"key_id" in key' + - key.key_id | length >= 36 + - not key.key_id.startswith("arn:aws") + - '"key_arn" in key' + - key.key_arn.endswith(key.key_id) + - key.key_arn.startswith("arn:aws") + - key.key_state == "Enabled" + - key.enabled == True + - key.tags | length == 1 + - key.tags['Hello'] == 'World' + - key.enable_key_rotation == True + - key.key_usage == 'ENCRYPT_DECRYPT' + - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' + - key.grants | length == 0 + - key.key_policies | length == 1 + - key.key_policies[0].Id == 'key-default-1' + - key.description == '' + - "'deletion_date' not in key" # ------------------------------------------------------------------------------------------ - - name: delete the key with a specific deletion window - aws_kms: - alias: '{{ kms_key_alias }}' - state: absent - pending_window: 7 - register: delete_kms - - - name: Sleep to wait for updates to propagate - 
wait_for: - timeout: 45 - - - name: assert that state is pending deletion - vars: - now_time: '{{ lookup("pipe", "date -u +%Y-%m-%d\ %H:%M:%S") }}' - deletion_time: '{{ delete_kms.deletion_date[:19] | to_datetime("%Y-%m-%dT%H:%M:%S") }}' - assert: - that: - - delete_kms.key_state == "PendingDeletion" - - delete_kms.changed + - name: delete the key with a specific deletion window + aws_kms: + alias: '{{ kms_key_alias }}' + state: absent + pending_window: 7 + register: delete_kms + - name: Sleep to wait for updates to propagate + wait_for: + timeout: 45 + - name: assert that state is pending deletion + vars: + now_time: '{{ lookup("pipe", "date -u +%Y-%m-%d\ %H:%M:%S") }}' + deletion_time: '{{ delete_kms.deletion_date[:19] | to_datetime("%Y-%m-%dT%H:%M:%S") + }}' + assert: + that: + - delete_kms.key_state == "PendingDeletion" + - delete_kms.changed # Times won't be perfect, allow a 24 hour window - - (( deletion_time | to_datetime ) - ( now_time | to_datetime )).days <= 7 - - (( deletion_time | to_datetime ) - ( now_time | to_datetime )).days >= 6 + - (( deletion_time | to_datetime ) - ( now_time | to_datetime )).days <= 7 + - (( deletion_time | to_datetime ) - ( now_time | to_datetime )).days >= 6 # ============================================================ # test different key usage and specs - - name: create kms key with different specs - aws_kms: - alias: '{{ kms_key_alias }}-diff-spec-usage' - purge_grants: yes - key_spec: ECC_NIST_P256 - key_usage: SIGN_VERIFY - register: create_diff_kms - - - name: Sleep to wait for updates to propagate - wait_for: - timeout: 45 - - - name: verify different specs on kms key - assert: - that: - - '"key_id" in create_diff_kms' - - create_diff_kms.key_id | length >= 36 - - not create_diff_kms.key_id.startswith("arn:aws") - - '"key_arn" in create_diff_kms' - - create_diff_kms.key_arn.endswith(create_diff_kms.key_id) - - create_diff_kms.key_arn.startswith("arn:aws") - - create_diff_kms.key_usage == 'SIGN_VERIFY' - - 
create_diff_kms.customer_master_key_spec == 'ECC_NIST_P256' + - name: create kms key with different specs + aws_kms: + alias: '{{ kms_key_alias }}-diff-spec-usage' + purge_grants: yes + key_spec: ECC_NIST_P256 + key_usage: SIGN_VERIFY + register: create_diff_kms + - name: Sleep to wait for updates to propagate + wait_for: + timeout: 45 + - name: verify different specs on kms key + assert: + that: + - '"key_id" in create_diff_kms' + - create_diff_kms.key_id | length >= 36 + - not create_diff_kms.key_id.startswith("arn:aws") + - '"key_arn" in create_diff_kms' + - create_diff_kms.key_arn.endswith(create_diff_kms.key_id) + - create_diff_kms.key_arn.startswith("arn:aws") + - create_diff_kms.key_usage == 'SIGN_VERIFY' + - create_diff_kms.customer_master_key_spec == 'ECC_NIST_P256' always: # ============================================================ # CLEAN-UP - - name: finish off by deleting keys - aws_kms: - state: absent - alias: "{{ item }}" - pending_window: 7 - ignore_errors: True - loop: - - "{{ kms_key_alias }}" - - "{{ kms_key_alias }}-diff-spec-usage" - - "{{ kms_key_alias }}-check" + - name: finish off by deleting keys + aws_kms: + state: absent + alias: '{{ item }}' + pending_window: 7 + ignore_errors: true + loop: + - '{{ kms_key_alias }}' + - '{{ kms_key_alias }}-diff-spec-usage' + - '{{ kms_key_alias }}-check' diff --git a/tests/integration/targets/kms_key/roles/aws_kms/tasks/test_tagging.yml b/tests/integration/targets/kms_key/roles/aws_kms/tasks/test_tagging.yml index 3a51b23a5da..7d53b1dadd6 100644 --- a/tests/integration/targets/kms_key/roles/aws_kms/tasks/test_tagging.yml +++ b/tests/integration/targets/kms_key/roles/aws_kms/tasks/test_tagging.yml 
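Review bot: The `create a key (idempotence)` task on the new side still carries `check_mode: yes`, so the non-check-mode idempotence call never runs and its assert (`key is not changed`, `key.enable_key_rotation == false`, `key.key_policies[0].Id == 'key-default-1'`, …) only ever validates a second check-mode pass; the task immediately above it is already the check-mode variant. Dropping that one line, `check_mode: yes`, from the `(idempotence)` task makes the pair match the pattern every other step in this hunk follows. Separately, the new side deletes the `# TESTS` / `# Note - there are waits placed after each action …` comment block while keeping all of the 45-second `wait_for` sleeps, so a reader no longer sees why they exist; I would keep that note (one or two lines) above the first `wait_for`. The enclosing `block:` header sits above the hunk.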
@@ -4,200 +4,184 @@ # # Get some information about who we are before starting our tests # we'll need this as soon as we start working on the policies - - name: get ARN of calling user - aws_caller_info: - register: aws_caller_info - - # ============================================================ - # TESTS - # Note - there are waits placed after each action to account for inconsistencies in what - # is being returned when fetching key metadata. - # Combinations of manual waiters, checking expecting key values to actual key value, and static sleeps - # have all been tried, but none of those available options have solved the problem. - - - name: create a key - aws_kms: - alias: '{{ kms_key_alias }}' - tags: - Hello: World - state: present - enabled: yes - enable_key_rotation: no - register: key - - - name: assert that state is enabled - assert: - that: - - key is changed - - '"key_id" in key' - - key.key_id | length >= 36 - - not key.key_id.startswith("arn:aws") - - '"key_arn" in key' - - key.key_arn.endswith(key.key_id) - - key.key_arn.startswith("arn:aws") - - key.key_state == "Enabled" - - key.enabled == True - - key.tags | length == 1 - - key.tags['Hello'] == 'World' - - key.enable_key_rotation == false - - key.key_usage == 'ENCRYPT_DECRYPT' - - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' - - key.grants | length == 0 - - key.key_policies | length == 1 - - key.key_policies[0].Id == 'key-default-1' - - key.description == '' + - name: get ARN of calling user + aws_caller_info: + register: aws_caller_info + - name: create a key + aws_kms: + alias: '{{ kms_key_alias }}' + tags: + Hello: World + state: present + enabled: yes + enable_key_rotation: no + register: key + - name: assert that state is enabled + assert: + that: + - key is changed + - '"key_id" in key' + - key.key_id | length >= 36 + - not key.key_id.startswith("arn:aws") + - '"key_arn" in key' + - key.key_arn.endswith(key.key_id) + - key.key_arn.startswith("arn:aws") + - key.key_state == "Enabled" + 
- key.enabled == True + - key.tags | length == 1 + - key.tags['Hello'] == 'World' + - key.enable_key_rotation == false + - key.key_usage == 'ENCRYPT_DECRYPT' + - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' + - key.grants | length == 0 + - key.key_policies | length == 1 + - key.key_policies[0].Id == 'key-default-1' + - key.description == '' # ------------------------------------------------------------------------------------------ - - name: Tag encryption key - aws_kms: - alias: '{{ kms_key_alias }}' - state: present - tags: - tag_one: tag_one - tag_two: tag_two - purge_tags: no - register: key - - - name: Assert tags added - assert: - that: - - key.changed - - '"key_id" in key' - - key.key_id | length >= 36 - - not key.key_id.startswith("arn:aws") - - '"key_arn" in key' - - key.key_arn.endswith(key.key_id) - - key.key_arn.startswith("arn:aws") - - key.key_state == "Enabled" - - key.enabled == True - - key.tags | length == 3 - - key.tags['Hello'] == 'World' - - key.enable_key_rotation == false - - key.key_usage == 'ENCRYPT_DECRYPT' - - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' - - key.grants | length == 0 - - key.key_policies | length == 1 - - key.key_policies[0].Id == 'key-default-1' - - key.description == '' - - "'tag_one' in key.tags" - - "'tag_two' in key.tags" - - - name: Sleep to wait for updates to propagate - wait_for: - timeout: 45 - - - name: Modify tags - check mode - aws_kms: - alias: '{{ kms_key_alias }}' - state: present - purge_tags: yes - tags: - tag_two: tag_two_updated - Tag Three: '{{ resource_prefix }}' - register: key - check_mode: yes - - - assert: - that: - - key.changed - - - name: Modify tags - aws_kms: - alias: '{{ kms_key_alias }}' - state: present - purge_tags: yes - tags: - tag_two: tag_two_updated - Tag Three: '{{ resource_prefix }}' - register: key - - - name: Assert tags correctly changed - assert: - that: - - key.changed - - '"key_id" in key' - - key.key_id | length >= 36 - - not key.key_id.startswith("arn:aws") - 
- '"key_arn" in key' - - key.key_arn.endswith(key.key_id) - - key.key_arn.startswith("arn:aws") - - key.key_state == "Enabled" - - key.enabled == True - - key.tags | length == 2 - - key.enable_key_rotation == false - - key.key_usage == 'ENCRYPT_DECRYPT' - - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' - - key.grants | length == 0 - - key.key_policies | length == 1 - - key.key_policies[0].Id == 'key-default-1' - - key.description == '' - - "'tag_one' not in key.tags" - - "'tag_two' in key.tags" - - "key.tags.tag_two == 'tag_two_updated'" - - "'Tag Three' in key.tags" - - "key.tags['Tag Three'] == resource_prefix" - - - name: Sleep to wait for updates to propagate - wait_for: - timeout: 45 - - - name: Modify tags (idempotence) - check mode - aws_kms: - alias: '{{ kms_key_alias }}' - state: present - purge_tags: yes - tags: - tag_two: tag_two_updated - Tag Three: '{{ resource_prefix }}' - register: key - check_mode: yes - - - assert: - that: - - not key.changed - - - name: Modify tags (idempotence) - aws_kms: - alias: '{{ kms_key_alias }}' - state: present - purge_tags: yes - tags: - tag_two: tag_two_updated - Tag Three: '{{ resource_prefix }}' - register: key - - - assert: - that: - - not key.changed - - '"key_id" in key' - - key.key_id | length >= 36 - - not key.key_id.startswith("arn:aws") - - '"key_arn" in key' - - key.key_arn.endswith(key.key_id) - - key.key_arn.startswith("arn:aws") - - key.key_state == "Enabled" - - key.enabled == True - - key.tags | length == 2 - - key.enable_key_rotation == false - - key.key_usage == 'ENCRYPT_DECRYPT' - - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' - - key.grants | length == 0 - - key.key_policies | length == 1 - - key.key_policies[0].Id == 'key-default-1' - - key.description == '' - - "'tag_one' not in key.tags" - - "'tag_two' in key.tags" - - "key.tags.tag_two == 'tag_two_updated'" - - "'Tag Three' in key.tags" - - "key.tags['Tag Three'] == resource_prefix" + - name: Tag encryption key + aws_kms: + alias: '{{ 
kms_key_alias }}' + state: present + tags: + tag_one: tag_one + tag_two: tag_two + purge_tags: no + register: key + - name: Assert tags added + assert: + that: + - key.changed + - '"key_id" in key' + - key.key_id | length >= 36 + - not key.key_id.startswith("arn:aws") + - '"key_arn" in key' + - key.key_arn.endswith(key.key_id) + - key.key_arn.startswith("arn:aws") + - key.key_state == "Enabled" + - key.enabled == True + - key.tags | length == 3 + - key.tags['Hello'] == 'World' + - key.enable_key_rotation == false + - key.key_usage == 'ENCRYPT_DECRYPT' + - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' + - key.grants | length == 0 + - key.key_policies | length == 1 + - key.key_policies[0].Id == 'key-default-1' + - key.description == '' + - "'tag_one' in key.tags" + - "'tag_two' in key.tags" + + - name: Sleep to wait for updates to propagate + wait_for: + timeout: 45 + - name: Modify tags - check mode + aws_kms: + alias: '{{ kms_key_alias }}' + state: present + purge_tags: yes + tags: + tag_two: tag_two_updated + Tag Three: '{{ resource_prefix }}' + register: key + check_mode: yes + - assert: + that: + - key.changed + + - name: Modify tags + aws_kms: + alias: '{{ kms_key_alias }}' + state: present + purge_tags: yes + tags: + tag_two: tag_two_updated + Tag Three: '{{ resource_prefix }}' + register: key + - name: Assert tags correctly changed + assert: + that: + - key.changed + - '"key_id" in key' + - key.key_id | length >= 36 + - not key.key_id.startswith("arn:aws") + - '"key_arn" in key' + - key.key_arn.endswith(key.key_id) + - key.key_arn.startswith("arn:aws") + - key.key_state == "Enabled" + - key.enabled == True + - key.tags | length == 2 + - key.enable_key_rotation == false + - key.key_usage == 'ENCRYPT_DECRYPT' + - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' + - key.grants | length == 0 + - key.key_policies | length == 1 + - key.key_policies[0].Id == 'key-default-1' + - key.description == '' + - "'tag_one' not in key.tags" + - "'tag_two' in 
key.tags" + - key.tags.tag_two == 'tag_two_updated' + - "'Tag Three' in key.tags" + - key.tags['Tag Three'] == resource_prefix + + - name: Sleep to wait for updates to propagate + wait_for: + timeout: 45 + - name: Modify tags (idempotence) - check mode + aws_kms: + alias: '{{ kms_key_alias }}' + state: present + purge_tags: yes + tags: + tag_two: tag_two_updated + Tag Three: '{{ resource_prefix }}' + register: key + check_mode: yes + - assert: + that: + - not key.changed + + - name: Modify tags (idempotence) + aws_kms: + alias: '{{ kms_key_alias }}' + state: present + purge_tags: yes + tags: + tag_two: tag_two_updated + Tag Three: '{{ resource_prefix }}' + register: key + - assert: + that: + - not key.changed + - '"key_id" in key' + - key.key_id | length >= 36 + - not key.key_id.startswith("arn:aws") + - '"key_arn" in key' + - key.key_arn.endswith(key.key_id) + - key.key_arn.startswith("arn:aws") + - key.key_state == "Enabled" + - key.enabled == True + - key.tags | length == 2 + - key.enable_key_rotation == false + - key.key_usage == 'ENCRYPT_DECRYPT' + - key.customer_master_key_spec == 'SYMMETRIC_DEFAULT' + - key.grants | length == 0 + - key.key_policies | length == 1 + - key.key_policies[0].Id == 'key-default-1' + - key.description == '' + - "'tag_one' not in key.tags" + - "'tag_two' in key.tags" + - key.tags.tag_two == 'tag_two_updated' + - "'Tag Three' in key.tags" + - key.tags['Tag Three'] == resource_prefix always: # ============================================================ # CLEAN-UP - - name: finish off by deleting keys - aws_kms: - state: absent - alias: "{{ kms_key_alias }}" - pending_window: 7 - ignore_errors: True + - name: finish off by deleting keys + aws_kms: + state: absent + alias: '{{ kms_key_alias }}' + pending_window: 7 + ignore_errors: true
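Review bot: The new side drops the `# TESTS` comment block that explained why a `wait_for: timeout: 45` sleep follows each `aws_kms` call (eventual consistency of the key metadata returned by AWS, with waiters and value polling already tried), while keeping the sleeps themselves, so a later reader sees unexplained 45-second pauses that look safe to delete. Restore the rationale above the first `Sleep to wait for updates to propagate` task, e.g. `# Note: static sleeps follow each action because the key metadata fetched after a change is not immediately consistent; manual waiters and polling for expected values have been tried and did not fully solve this.` The removal is unrelated to the commit's stated purpose, so it may be worth calling out in the description as a deliberate cleanup if it is one. The `block:` that encloses these tasks opens before the hunk, and the hunk may continue past the last visible line.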