diff --git a/changelogs/fragments/67651-aws-kms-key-rotation.yml b/changelogs/fragments/67651-aws-kms-key-rotation.yml
new file mode 100644
index 00000000000..542223fdf30
--- /dev/null
+++ b/changelogs/fragments/67651-aws-kms-key-rotation.yml
@@ -0,0 +1,2 @@
+minor_changes:
+ - aws_kms - Adds the ``enable_key_rotation`` option to enable or disable automatically key rotation.
diff --git a/lib/ansible/modules/cloud/amazon/aws_kms.py b/lib/ansible/modules/cloud/amazon/aws_kms.py
index 185a6f75532..8a906a9f3d5 100644
--- a/lib/ansible/modules/cloud/amazon/aws_kms.py
+++ b/lib/ansible/modules/cloud/amazon/aws_kms.py
@@ -38,6 +38,12 @@ options:
 aliases:
 - key_arn
 type: str
+ enable_key_rotation:
+ description:
+ - Whether the key should be automatically rotated every year.
+ required: false
+ type: bool
+ version_added: '2.10'
 policy_mode:
 description:
 - (deprecated) Grant or deny access.
@@ -527,6 +533,8 @@ def get_key_details(connection, module, key_id):
 except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:
 module.fail_json_aws(e, msg="Failed to obtain aliases")
+ current_rotation_status = connection.get_key_rotation_status(KeyId=key_id)
+ result['enable_key_rotation'] = current_rotation_status.get('KeyRotationEnabled')
 result['aliases'] = aliases.get(result['KeyId'], [])
 result = camel_dict_to_snake_dict(result) 
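Review bot: In the `@@ -527` hunk the new `connection.get_key_rotation_status(KeyId=key_id)` call sits outside any try/except, so a ClientError (for example a caller whose IAM policy lacks `kms:GetKeyRotationStatus`, a permission this module did not previously need) surfaces as a traceback instead of the `module.fail_json_aws` failure the adjacent alias lookup produces; the same unguarded KMS calls appear in `update_key_rotation` in the next hunk. Wrapping the two added lines in the same kind of try/except, shown below, keeps the error handling consistent. Keys whose material does not support rotation may also reject this call — worth confirming against the KMS API and deciding whether that should be fatal here, since get_key_details looks like it runs for every key the module reports on. In the `@@ -38` docs hunk the description could state the no-op default that the code implements, e.g. `- When not set, the current rotation setting is left unchanged.`. The enclosing get_key_details body continues outside the hunk.
```python
    # … unchanged: alias lookup and its except/fail_json_aws …
    try:
        current_rotation_status = connection.get_key_rotation_status(KeyId=key_id)
        result['enable_key_rotation'] = current_rotation_status.get('KeyRotationEnabled')
    except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:
        module.fail_json_aws(e, msg="Failed to obtain key rotation status")
    result['aliases'] = aliases.get(result['KeyId'], [])
```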
@@ -755,6 +763,21 @@ def update_policy(connection, module, key, policy):
 return True
+def update_key_rotation(connection, module, key, enable_key_rotation):
+ if enable_key_rotation is None:
+ return False
+ key_id = key['key_arn']
+ current_rotation_status = connection.get_key_rotation_status(KeyId=key_id)
+ if current_rotation_status.get('KeyRotationEnabled') == enable_key_rotation:
+ return False
+
+ if enable_key_rotation:
+ connection.enable_key_rotation(KeyId=key_id)
+ else:
+ connection.disable_key_rotation(KeyId=key_id)
+ return True
+
+
 def update_grants(connection, module, key, desired_grants, purge_grants):
 existing_grants = key['grants']
@@ -789,6 +812,7 @@ def update_key(connection, module, key):
 changed |= update_tags(connection, module, key, module.params['tags'], module.params.get('purge_tags'))
 changed |= update_policy(connection, module, key, module.params.get('policy'))
 changed |= update_grants(connection, module, key, module.params.get('grants'), module.params.get('purge_grants'))
+ changed |= update_key_rotation(connection, module, key, module.params.get('enable_key_rotation'))
 # make results consistent with kms_facts before returning
 result = get_key_details(connection, module, key['key_arn'])
@@ -813,6 +837,7 @@ def create_key(connection, module):
 key = get_key_details(connection, module, result['KeyId'])
 update_alias(connection, module, key, module.params['alias'])
+ update_key_rotation(connection, module, key, module.params.get('enable_key_rotation'))
 ensure_enabled_disabled(connection, module, key, module.params.get('enabled'))
 update_grants(connection, module, key, module.params.get('grants'), False)
@@ -1004,6 +1029,7 @@ def main():
 policy=dict(),
 purge_grants=dict(type='bool', default=False),
 state=dict(default='present', choices=['present', 'absent']),
+ enable_key_rotation=(dict(type='bool'))
 )
 module = AnsibleAWSModule( 
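Review bot: `update_key_rotation` in the `@@ -755` hunk re-fetches the rotation status with a second `get_key_rotation_status` call although `key` already carries it — `get_key_details` (previous hunk) now stores it as `key['enable_key_rotation']`, and both callers in the `@@ -789` and `@@ -813` hunks pass that dict in. Comparing against the existing value saves an API round-trip per run, and the `module` argument, currently unused, should route failures of the enable/disable calls through `module.fail_json_aws` as the alias lookup in get_key_details does; a rewrite is below. If the module declares `supports_check_mode` (the `AnsibleAWSModule(` arguments are cut off in the `@@ -1004` hunk), the mutating calls also need a `module.check_mode` guard, since nothing in this helper skips them. A style point in the `@@ -1004` hunk: `enable_key_rotation=(dict(type='bool'))` has redundant parentheses; `enable_key_rotation=dict(type='bool'),` with a trailing comma matches the neighbouring entries.
```python
def update_key_rotation(connection, module, key, enable_key_rotation):
    # … unchanged: None guard and key_id = key['key_arn'] …
    # get_key_details already fetched the status into the snake_dict; no second call needed
    if key['enable_key_rotation'] == enable_key_rotation:
        return False

    try:
        if enable_key_rotation:
            connection.enable_key_rotation(KeyId=key_id)
        else:
            connection.disable_key_rotation(KeyId=key_id)
    except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:
        module.fail_json_aws(e, msg="Failed to update key rotation")
    return True
```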
diff --git a/test/integration/targets/aws_kms/tasks/main.yml b/test/integration/targets/aws_kms/tasks/main.yml
index 7bada3eef0c..52489611d66 100644
--- a/test/integration/targets/aws_kms/tasks/main.yml
+++ b/test/integration/targets/aws_kms/tasks/main.yml
@@ -43,6 +43,24 @@
 that:
 - create_kms.key_state == "Enabled"
 - create_kms.tags['Hello'] == 'World'
+ - create_kms.enable_key_rotation == false
+
+ - name: enable key rotation
+ aws_kms:
+ alias: "{{ resource_prefix }}-kms"
+ tags:
+ Hello: World
+ state: present
+ enabled: yes
+ enable_key_rotation: yes
+ register: create_kms
+
+ - name: assert that key rotation is enabled
+ assert:
+ that:
+ - create_kms.key_state == "Enabled"
+ - create_kms.tags['Hello'] == 'World'
+ - create_kms.enable_key_rotation == true
 - name: find facts about the key
 aws_kms_info:
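Review bot: The new tasks only exercise the enable direction: the key is created with rotation off, switched on, and asserted `== true`, so the `disable_key_rotation` branch added in aws_kms.py is never run and no assertion checks idempotence. Adding a task that re-runs the same `aws_kms` call with `enable_key_rotation: yes` and asserts `create_kms.changed == false`, followed by one with `enable_key_rotation: no` asserting `create_kms.enable_key_rotation == false`, would cover both gaps. The `- name: find facts about the key` task that follows presumably reports the same details dict; if so, an assertion on its rotation field would confirm the `@@ -527` change is visible there too — worth confirming.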