community.crypto.openssh_cert regenerate: full_idempotence acts the same as regenerate: always

[AntonAttano]

SUMMARY

When using "regenerate: full_idempotence" the openssh_cert module generates a new certificate even if nothing changed.

ISSUE TYPE

• Bug Report

COMPONENT NAME

community.crypto.openssh_cert

ANSIBLE VERSION

ansible [core 2.12.2]
  config file = /home/stephan/git/infrastructure/ansible/ansible.cfg
  configured module search path = ['/home/stephan/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/stephan/.local/lib/python3.8/site-packages/ansible
  ansible collection location = /home/stephan/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/stephan/.local/bin/ansible
  python version = 3.8.10 (default, Nov 26 2021, 20:14:08) [GCC 9.3.0]
  jinja version = 2.10.1
  libyaml = True

COLLECTION VERSION

# /home/stephan/.local/lib/python3.8/site-packages/ansible_collections
Collection       Version
---------------- -------
community.crypto 2.2.0

CONFIGURATION

DEFAULT_HOST_LIST(/home/stephan/git/infrastructure/ansible/ansible.cfg) = ['/home/stephan/git/infrastructure/ansible/hosts']
DEFAULT_LOCAL_TMP(/home/stephan/git/infrastructure/ansible/ansible.cfg) = /tmp/ansible-local-9384grtmsmvc
DIFF_ALWAYS(/home/stephan/git/infrastructure/ansible/ansible.cfg) = True
INVENTORY_ENABLED(/home/stephan/git/infrastructure/ansible/ansible.cfg) = ['ini']
RETRY_FILES_ENABLED(/home/stephan/git/infrastructure/ansible/ansible.cfg) = False

OS / ENVIRONMENT

Ansible runs on Ubuntu 20.04 inside WSL2 on Windows 11.

STEPS TO REPRODUCE

Use the openssh_cert module to sign a host certificate using the same files and same parameters. Set regenerate to full_idempotence. The module will create a new certificate on every run, just like regenerate: always

The default partial_idempotence does not create a new certificate.

The full_idempotence options looks at these additional attributes when deciding to regenerate a certificate:

• identifier (is empty, but setting this to the same string each time still regenerates the certificate)
• options (are empty, there are no options for host certificates)
• public_key (is the same file on disk every run, it is even in a git repo so I can see that no changes are taking place)
• signing_key (is the same file on disk every run, it is even in a git repo so I can see that no changes are taking place)

- name: sign ssh kost key
  delegate_to: localhost
  become: False
  community.crypto.openssh_cert:
    type: host
    signing_key: "{{ role_path }}/files/ssh/ca_ssh_key"
    public_key: "{{ role_path }}/files/ssh/host_key_certificates/{{ inventory_hostname }}_key.pub"
    path: "{{ role_path }}/files/ssh/host_key_certificates/{{ inventory_hostname }}_key-cert.pub"
    valid_from: always
    valid_to: forever
    regenerate: full_idempotence

EXPECTED RESULTS

The certificate should not be regenerated.

ACTUAL RESULTS

The certificate is regenerated on every run. The "sign ssh kost key" task is the only task that I ran, all others a commented out. Inthe output you can see that the after and before sections are identical.

TASK [default : sign ssh kost key] *******************************************************************************************************************************************************************************************************************************************
task path: /home/stephan/git/infrastructure/ansible/roles/default/tasks/ssh.yml:51
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: stephan
<localhost> EXEC /bin/bash -c '( umask 77 && mkdir -p "` echo /tmp/ `"&& mkdir "` echo /tmp/ansible-tmp-1643980701.2909524-10299-48301125834210 `" && echo ansible-tmp-1643980701.2909524-10299-48301125834210="` echo /tmp/ansible-tmp-1643980701.2909524-10299-48301125834210 `" ) && sleep 0'
Using module file /home/stephan/.local/lib/python3.8/site-packages/ansible_collections/community/crypto/plugins/modules/openssh_cert.py
<localhost> PUT /tmp/ansible-local-1028128as1oc4/tmpspb2vsgl TO /tmp/ansible-tmp-1643980701.2909524-10299-48301125834210/AnsiballZ_openssh_cert.py
<localhost> EXEC /bin/bash -c 'chmod u+x /tmp/ansible-tmp-1643980701.2909524-10299-48301125834210/ /tmp/ansible-tmp-1643980701.2909524-10299-48301125834210/AnsiballZ_openssh_cert.py && sleep 0'
<localhost> EXEC /bin/bash -c '/usr/bin/python3 /tmp/ansible-tmp-1643980701.2909524-10299-48301125834210/AnsiballZ_openssh_cert.py && sleep 0'
<localhost> EXEC /bin/bash -c 'rm -f -r /tmp/ansible-tmp-1643980701.2909524-10299-48301125834210/ > /dev/null 2>&1 && sleep 0'
changed: [corvo -> localhost] => {
    "changed": true,
    "diff": {
        "after": {
            "cert_type": "host",
            "critical_options": [],
            "extensions": [],
            "identifier": "",
            "principals": [],
            "public_key": "SHA256:u5FM17LUrzRlz1BVrwK1OLnCBMyRXOr13+1ZfjIdw/g",
            "reserved": "",
            "serial": 0,
            "signature_algorithm": "ssh-ed25519",
            "signing_key": "SHA256:bwdUT+4PxAdnH3jWCRhQvg96JyuvvVCaF/Rzw8C9hKA",
            "type_string": "ssh-ed25519-cert-v01@openssh.com",
            "valid_after": "always",
            "valid_before": "forever"
        },
        "before": {
            "cert_type": "host",
            "critical_options": [],
            "extensions": [],
            "identifier": "",
            "principals": [],
            "public_key": "SHA256:u5FM17LUrzRlz1BVrwK1OLnCBMyRXOr13+1ZfjIdw/g",
            "reserved": "",
            "serial": 0,
            "signature_algorithm": "ssh-ed25519",
            "signing_key": "SHA256:bwdUT+4PxAdnH3jWCRhQvg96JyuvvVCaF/Rzw8C9hKA",
            "type_string": "ssh-ed25519-cert-v01@openssh.com",
            "valid_after": "always",
            "valid_before": "forever"
        }
    },
    "filename": "/home/stephan/git/infrastructure/ansible/roles/default/files/ssh/host_key_certificates/corvo_key-cert.pub",
    "info": [
        "Type: ssh-ed25519-cert-v01@openssh.com host certificate",
        "Public key: ED25519-CERT SHA256:u5FM17LUrzRlz1BVrwK1OLnCBMyRXOr13+1ZfjIdw/g",
        "Signing CA: ED25519 SHA256:bwdUT+4PxAdnH3jWCRhQvg96JyuvvVCaF/Rzw8C9hKA (using ssh-ed25519)",
        "Key ID: \"\"",
        "Serial: 0",
        "Valid: forever",
        "Principals: (none)",
        "Critical Options: (none)",
        "Extensions: (none)"
    ],
    "invocation": {
        "module_args": {
            "attributes": null,
            "force": false,
            "group": null,
            "identifier": null,
            "ignore_timestamps": false,
            "mode": null,
            "options": null,
            "owner": null,
            "path": "/home/stephan/git/infrastructure/ansible/roles/default/files/ssh/host_key_certificates/corvo_key-cert.pub",
            "pkcs11_provider": null,
            "principals": null,
            "public_key": "/home/stephan/git/infrastructure/ansible/roles/default/files/ssh/host_key_certificates/corvo_key.pub",
            "regenerate": "full_idempotence",
            "selevel": null,
            "serial_number": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "signature_algorithm": null,
            "signing_key": "/home/stephan/git/infrastructure/ansible/roles/default/files/ssh/ca_ssh_key",
            "state": "present",
            "type": "host",
            "unsafe_writes": false,
            "use_agent": false,
            "valid_at": null,
            "valid_from": "always",
            "valid_to": "forever"
        }
    },
    "type": "host"
}