add key rotation option to aws_kms (#67651)

* add key rotation option * add changelog fragment * provide version added as string * change changelog to minor_changes * Update changelogs/fragments/67651-aws-kms-key-rotation.yml Co-Authored-By: Mark Chappell <mchappel@redhat.com> * Update lib/ansible/modules/cloud/amazon/aws_kms.py Co-Authored-By: Mark Chappell <mchappel@redhat.com> * prevent key upgrade if key rotation was enabled manually. In that case, the key rotation would be disabled, if not mentioned in the playbook * Update lib/ansible/modules/cloud/amazon/aws_kms.py Co-Authored-By: Mark Chappell <mchappel@redhat.com> * Update lib/ansible/modules/cloud/amazon/aws_kms.py Co-Authored-By: Mark Chappell <mchappel@redhat.com> * Update lib/ansible/modules/cloud/amazon/aws_kms.py Co-Authored-By: Mark Chappell <mchappel@redhat.com> Co-authored-by: Mark Chappell <mchappel@redhat.com>
2020-02-25 21:30:45 +01:00 · 2020-02-25 21:30:45 +01:00 · 99f6f0c832
commit 99f6f0c832
parent f0159b8870
3 changed files with 46 additions and 0 deletions
--- a/changelogs/fragments/67651-aws-kms-key-rotation.yml
+++ b/changelogs/fragments/67651-aws-kms-key-rotation.yml
@ -0,0 +1,2 @@
+minor_changes:
+  - aws_kms - Adds the ``enable_key_rotation`` option to enable or disable automatically key rotation.
--- a/lib/ansible/modules/cloud/amazon/aws_kms.py
+++ b/lib/ansible/modules/cloud/amazon/aws_kms.py
@ -38,6 +38,12 @@ options:
    aliases:
      - key_arn
    type: str
+  enable_key_rotation:
+    description:
+    - Whether the key should be automatically rotated every year.
+    required: false
+    type: bool
+    version_added: '2.10'
  policy_mode:
    description:
    - (deprecated) Grant or deny access.
@ -527,6 +533,8 @@ def get_key_details(connection, module, key_id):
    except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:
        module.fail_json_aws(e, msg="Failed to obtain aliases")

+    current_rotation_status = connection.get_key_rotation_status(KeyId=key_id)
+    result['enable_key_rotation'] = current_rotation_status.get('KeyRotationEnabled')
    result['aliases'] = aliases.get(result['KeyId'], [])

    result = camel_dict_to_snake_dict(result)
@ -755,6 +763,21 @@ def update_policy(connection, module, key, policy):
    return True


+def update_key_rotation(connection, module, key, enable_key_rotation):
+    if enable_key_rotation is None:
+        return False
+    key_id = key['key_arn']
+    current_rotation_status = connection.get_key_rotation_status(KeyId=key_id)
+    if current_rotation_status.get('KeyRotationEnabled') == enable_key_rotation:
+        return False
+
+    if enable_key_rotation:
+        connection.enable_key_rotation(KeyId=key_id)
+    else:
+        connection.disable_key_rotation(KeyId=key_id)
+    return True
+
+
 def update_grants(connection, module, key, desired_grants, purge_grants):
    existing_grants = key['grants']

@ -789,6 +812,7 @@ def update_key(connection, module, key):
    changed |= update_tags(connection, module, key, module.params['tags'], module.params.get('purge_tags'))
    changed |= update_policy(connection, module, key, module.params.get('policy'))
    changed |= update_grants(connection, module, key, module.params.get('grants'), module.params.get('purge_grants'))
+    changed |= update_key_rotation(connection, module, key, module.params.get('enable_key_rotation'))

    # make results consistent with kms_facts before returning
    result = get_key_details(connection, module, key['key_arn'])
@ -813,6 +837,7 @@ def create_key(connection, module):
    key = get_key_details(connection, module, result['KeyId'])

    update_alias(connection, module, key, module.params['alias'])
+    update_key_rotation(connection, module, key, module.params.get('enable_key_rotation'))

    ensure_enabled_disabled(connection, module, key, module.params.get('enabled'))
    update_grants(connection, module, key, module.params.get('grants'), False)
@ -1004,6 +1029,7 @@ def main():
        policy=dict(),
        purge_grants=dict(type='bool', default=False),
        state=dict(default='present', choices=['present', 'absent']),
+        enable_key_rotation=(dict(type='bool'))
    )

    module = AnsibleAWSModule(
--- a/test/integration/targets/aws_kms/tasks/main.yml
+++ b/test/integration/targets/aws_kms/tasks/main.yml
@ -43,6 +43,24 @@
        that:
          - create_kms.key_state == "Enabled"
          - create_kms.tags['Hello'] == 'World'
+          - create_kms.enable_key_rotation == false
+
+    - name: enable key rotation
+      aws_kms:
+        alias: "{{ resource_prefix }}-kms"
+        tags:
+          Hello: World
+        state: present
+        enabled: yes
+        enable_key_rotation: yes
+      register: create_kms
+
+    - name: assert that key rotation is enabled
+      assert:
+        that:
+          - create_kms.key_state == "Enabled"
+          - create_kms.tags['Hello'] == 'World'
+          - create_kms.enable_key_rotation == true

    - name: find facts about the key
      aws_kms_info: