From e8e7c2e71df30084e85b5ae2b82963baea5af470 Mon Sep 17 00:00:00 2001
From: Maxime Froment
Date: Mon, 18 Oct 2021 18:11:27 +0900
Subject: [PATCH] aws_ssm connection / SSE parameters: Add changelog fragment, style fixes.
---
 ...-aws_ssm_connection-add-sse-parameters.yml | 2 ++
 plugins/connection/aws_ssm.py | 25 +++++++++----------
 2 files changed, 14 insertions(+), 13 deletions(-)
 create mode 100644 changelogs/fragments/763-aws_ssm_connection-add-sse-parameters.yml
diff --git a/changelogs/fragments/763-aws_ssm_connection-add-sse-parameters.yml b/changelogs/fragments/763-aws_ssm_connection-add-sse-parameters.yml
new file mode 100644
index 00000000000..9074a5e6862
--- /dev/null
+++ b/changelogs/fragments/763-aws_ssm_connection-add-sse-parameters.yml
@@ -0,0 +1,2 @@
+minor_changes:
+ - aws_ssm connection plugin - add parameters to explicitly specify SSE mode and KMS key id for uploads on the file transfer bucket. (https://github.com/ansible-collections/community.aws/pull/763)
diff --git a/plugins/connection/aws_ssm.py b/plugins/connection/aws_ssm.py
index 05ce7b4fd5c..58c139f81be 100644
--- a/plugins/connection/aws_ssm.py
+++ b/plugins/connection/aws_ssm.py
@@ -516,12 +516,13 @@ def _flush_stderr(self, subprocess):
 return stderr
- def _get_url(self, client_method, bucket_name, out_path, http_method, profile_name, extra_args={}):
+ def _get_url(self, client_method, bucket_name, out_path, http_method, profile_name, extra_args=None):
 ''' Generate URL for get_object / put_object '''
 region_name = self.get_option('region') or 'us-east-1'
 client = self._get_boto_client('s3', region_name=region_name, profile_name=profile_name)
 params = {'Bucket': bucket_name, 'Key': out_path}
- params.update(extra_args)
+ if extra_args is not None:
+ params.update(extra_args)
 return client.generate_presigned_url(client_method, Params=params, ExpiresIn=3600, HttpMethod=http_method)
 def _get_boto_client(self, service, region_name=None, profile_name=None):
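Review bot: The `_get_url` docstring still reads only `Generate URL for get_object / put_object` and says nothing about `extra_args`, which the new `if extra_args is not None:` branch merges into the `Params` handed to `generate_presigned_url`. Anything passed there presumably becomes part of what S3 signs, so the request made with the URL has to carry the matching headers; the later hunk builds `put_headers` for that purpose. I would extend the docstring to something like `''' Generate a presigned URL for get_object / put_object; extra_args are merged into the signed Params, so the caller must send the matching request headers '''`.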
@@ -568,29 +569,27 @@ def _file_transport_command(self, in_path, out_path, ssm_action):
 put_args = dict()
 put_headers = dict()
- if self.get_option('bucket_sse_mode') and self.get_option('bucket_sse_mode') in {'AES256', 'aws:kms'}:
+ if self.get_option('bucket_sse_mode'):
 put_args['ServerSideEncryption'] = self.get_option('bucket_sse_mode')
 put_headers['x-amz-server-side-encryption'] = self.get_option('bucket_sse_mode')
 if self.get_option('bucket_sse_mode') == 'aws:kms' and self.get_option('bucket_sse_kms_key_id'):
 put_args['SSEKMSKeyId'] = self.get_option('bucket_sse_kms_key_id')
 put_headers['x-amz-server-side-encryption-aws-kms-key-id'] = self.get_option('bucket_sse_kms_key_id')
- put_command_headers = ""
 if self.is_windows:
- if put_args:
- put_command_headers = "-Headers @{" + \
- "; ".join(["'%s' = '%s'" % (h, v) for h, v in put_headers.items()]) + "} "
- put_command = "Invoke-WebRequest -Method PUT %s-InFile '%s' -Uri '%s' -UseBasicParsing" % (
+ put_command_headers = "; ".join(["'%s' = '%s'" % (h, v) for h, v in put_headers.items()])
+ put_command = "Invoke-WebRequest -Method PUT -Headers @{%s} -InFile '%s' -Uri '%s' -UseBasicParsing" % (
 put_command_headers, in_path,
- self._get_url('put_object', self.get_option('bucket_name'), s3_path, 'PUT', profile_name, put_args))
+ self._get_url('put_object', self.get_option('bucket_name'), s3_path, 'PUT', profile_name,
+ extra_args=put_args))
 get_command = "Invoke-WebRequest '%s' -OutFile '%s'" % (
 self._get_url('get_object', self.get_option('bucket_name'), s3_path, 'GET', profile_name), out_path)
 else:
- if put_args:
- put_command_headers = "".join(["-H '%s: %s' " % (h, v) for h, v in put_headers.items()])
+ put_command_headers = "".join(["-H '%s: %s' " % (h, v) for h, v in put_headers.items()])
 put_command = "curl --request PUT %s--upload-file '%s' '%s'" % (
 put_command_headers, in_path,
- self._get_url('put_object', self.get_option('bucket_name'), s3_path, 'PUT', profile_name))
+ self._get_url('put_object', self.get_option('bucket_name'), s3_path, 'PUT', profile_name,
+ extra_args=put_args))
 get_command = "curl '%s' -o '%s'" % (
 self._get_url('get_object', self.get_option('bucket_name'), s3_path, 'GET', profile_name), out_path)
@@ -601,7 +600,7 @@ def _file_transport_command(self, in_path, out_path, ssm_action):
 client.download_fileobj(self.get_option('bucket_name'), s3_path, data)
 else:
 with open(to_bytes(in_path, errors='surrogate_or_strict'), 'rb') as data:
- client.upload_fileobj(data, self.get_option('bucket_name'), s3_path, put_args)
+ client.upload_fileobj(data, self.get_option('bucket_name'), s3_path, ExtraArgs=put_args)
 (returncode, stdout, stderr) = self.exec_command(get_command, in_data=None, sudoable=False)
 # Remove the files from the bucket after they've been transferred
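Review bot: With the `in {'AES256', 'aws:kms'}` test dropped from the `bucket_sse_mode` condition, any non-empty option value, along with `bucket_sse_kms_key_id`, is formatted into `-H '%s: %s' ` and `'%s' = '%s'` inside single quotes with no escaping. A value containing a quote would then alter the `put_command` string, which is presumably run on the managed host like `get_command` is through `exec_command`. Unless the option declaration (not visible in this hunk) already restricts `bucket_sse_mode` with `choices`, I would keep the allow-list as `if self.get_option('bucket_sse_mode') in ('AES256', 'aws:kms'):`. The key id should also be validated or quoted before it is placed in the header arguments. `_file_transport_command` starts and ends outside the hunk.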