New Module: gcp_kms_crypto_key (#61096)

This commit is contained in:
The Magician 2019-08-23 10:27:46 -07:00 committed by ansibot
parent bf514b5717
commit d3b493020d
5 changed files with 458 additions and 0 deletions

View file

@ -0,0 +1,381 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright (C) 2017 Google
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file at
# https://www.github.com/GoogleCloudPlatform/magic-modules
#
# ----------------------------------------------------------------------------
from __future__ import absolute_import, division, print_function
__metaclass__ = type
################################################################################
# Documentation
################################################################################
ANSIBLE_METADATA = {'metadata_version': '1.1', 'status': ["preview"], 'supported_by': 'community'}
DOCUMENTATION = '''
---
module: gcp_kms_crypto_key
description:
- A `CryptoKey` represents a logical key that can be used for cryptographic operations.
short_description: Creates a GCP CryptoKey
version_added: 2.9
author: Google Inc. (@googlecloudplatform)
requirements:
- python >= 2.6
- requests >= 2.18.4
- google-auth >= 1.3.0
options:
state:
description:
- Whether the given object should exist in GCP
choices:
- present
- absent
default: present
type: str
name:
description:
- The resource name for the CryptoKey.
required: true
type: str
labels:
description:
- Labels with user-defined metadata to apply to this resource.
required: false
type: dict
purpose:
description:
- Immutable purpose of CryptoKey. See U(https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys#CryptoKeyPurpose)
for inputs.
- 'Some valid choices include: "ENCRYPT_DECRYPT", "ASYMMETRIC_SIGN", "ASYMMETRIC_DECRYPT"'
required: false
default: ENCRYPT_DECRYPT
type: str
rotation_period:
description:
- Every time this period passes, generate a new CryptoKeyVersion and set it as
the primary.
- The first rotation will take place after the specified period. The rotation
period has the format of a decimal number with up to 9 fractional digits, followed
by the letter `s` (seconds). It must be greater than a day (ie, 86400).
required: false
type: str
version_template:
description:
- A template describing settings for new crypto key versions.
required: false
type: dict
suboptions:
algorithm:
description:
- The algorithm to use when creating a version based on this template.
- See the [algorithm reference](U(https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm))
for possible inputs.
required: true
type: str
protection_level:
description:
- The protection level to use when creating a version based on this template.
- 'Some valid choices include: "SOFTWARE", "HSM"'
required: false
type: str
key_ring:
description:
- The KeyRing that this key belongs to.
- 'Format: `''projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}''`.'
required: true
type: str
extends_documentation_fragment: gcp
notes:
- 'API Reference: U(https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys)'
- 'Creating a key: U(https://cloud.google.com/kms/docs/creating-keys#create_a_key)'
'''
EXAMPLES = '''
- name: create a key ring
gcp_kms_key_ring:
name: key-key-ring
location: us-central1
project: "{{ gcp_project }}"
auth_kind: "{{ gcp_cred_kind }}"
service_account_file: "{{ gcp_cred_file }}"
state: present
register: keyring
- name: create a crypto key
gcp_kms_crypto_key:
name: test_object
key_ring: projects/{{ gcp_project }}/locations/us-central1/keyRings/key-key-ring
project: test_project
auth_kind: serviceaccount
service_account_file: "/tmp/auth.pem"
state: present
'''
RETURN = '''
name:
description:
- The resource name for the CryptoKey.
returned: success
type: str
creationTime:
description:
- The time that this resource was created on the server.
- This is in RFC3339 text format.
returned: success
type: str
labels:
description:
- Labels with user-defined metadata to apply to this resource.
returned: success
type: dict
purpose:
description:
- Immutable purpose of CryptoKey. See U(https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys#CryptoKeyPurpose)
for inputs.
returned: success
type: str
rotationPeriod:
description:
- Every time this period passes, generate a new CryptoKeyVersion and set it as the
primary.
- The first rotation will take place after the specified period. The rotation period
has the format of a decimal number with up to 9 fractional digits, followed by
the letter `s` (seconds). It must be greater than a day (ie, 86400).
returned: success
type: str
versionTemplate:
description:
- A template describing settings for new crypto key versions.
returned: success
type: complex
contains:
algorithm:
description:
- The algorithm to use when creating a version based on this template.
- See the [algorithm reference](U(https://cloud.google.com/kms/docs/reference/rest/v1/CryptoKeyVersionAlgorithm))
for possible inputs.
returned: success
type: str
protectionLevel:
description:
- The protection level to use when creating a version based on this template.
returned: success
type: str
keyRing:
description:
- The KeyRing that this key belongs to.
- 'Format: `''projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}''`.'
returned: success
type: str
'''
################################################################################
# Imports
################################################################################
from ansible.module_utils.gcp_utils import navigate_hash, GcpSession, GcpModule, GcpRequest, remove_nones_from_dict, replace_resource_dict
import json
################################################################################
# Main
################################################################################
def main():
"""Main function"""
module = GcpModule(
argument_spec=dict(
state=dict(default='present', choices=['present', 'absent'], type='str'),
name=dict(required=True, type='str'),
labels=dict(type='dict'),
purpose=dict(default='ENCRYPT_DECRYPT', type='str'),
rotation_period=dict(type='str'),
version_template=dict(type='dict', options=dict(algorithm=dict(required=True, type='str'), protection_level=dict(type='str'))),
key_ring=dict(required=True, type='str'),
)
)
if not module.params['scopes']:
module.params['scopes'] = ['https://www.googleapis.com/auth/cloudkms']
state = module.params['state']
fetch = fetch_resource(module, self_link(module))
changed = False
if fetch:
if state == 'present':
if is_different(module, fetch):
update(module, self_link(module), fetch)
fetch = fetch_resource(module, self_link(module))
changed = True
else:
delete(module, self_link(module))
fetch = {}
changed = True
else:
if state == 'present':
fetch = create(module, create_link(module))
changed = True
else:
fetch = {}
fetch.update({'changed': changed})
module.exit_json(**fetch)
def create(module, link):
auth = GcpSession(module, 'kms')
return return_if_object(module, auth.post(link, resource_to_request(module)))
def update(module, link, fetch):
auth = GcpSession(module, 'kms')
params = {'updateMask': updateMask(resource_to_request(module), response_to_hash(module, fetch))}
request = resource_to_request(module)
return return_if_object(module, auth.patch(link, request, params=params))
def updateMask(request, response):
update_mask = []
if request.get('labels') != response.get('labels'):
update_mask.append('labels')
if request.get('rotationPeriod') != response.get('rotationPeriod'):
update_mask.append('rotationPeriod')
if request.get('versionTemplate') != response.get('versionTemplate'):
update_mask.append('versionTemplate')
return ','.join(update_mask)
def delete(module, link):
module.fail_json(msg="KeyRings cannot be deleted")
def resource_to_request(module):
request = {
u'labels': module.params.get('labels'),
u'purpose': module.params.get('purpose'),
u'rotationPeriod': module.params.get('rotation_period'),
u'versionTemplate': CryptoKeyVersiontemplate(module.params.get('version_template', {}), module).to_request(),
}
return_vals = {}
for k, v in request.items():
if v or v is False:
return_vals[k] = v
return return_vals
def fetch_resource(module, link, allow_not_found=True):
auth = GcpSession(module, 'kms')
return return_if_object(module, auth.get(link), allow_not_found)
def self_link(module):
return "https://cloudkms.googleapis.com/v1/{key_ring}/cryptoKeys/{name}".format(**module.params)
def collection(module):
return "https://cloudkms.googleapis.com/v1/{key_ring}/cryptoKeys".format(**module.params)
def create_link(module):
return "https://cloudkms.googleapis.com/v1/{key_ring}/cryptoKeys?cryptoKeyId={name}".format(**module.params)
def return_if_object(module, response, allow_not_found=False):
# If not found, return nothing.
if allow_not_found and response.status_code == 404:
return None
# If no content, return nothing.
if response.status_code == 204:
return None
try:
module.raise_for_status(response)
result = response.json()
except getattr(json.decoder, 'JSONDecodeError', ValueError):
module.fail_json(msg="Invalid JSON response with error: %s" % response.text)
result = decode_response(result, module)
if navigate_hash(result, ['error', 'errors']):
module.fail_json(msg=navigate_hash(result, ['error', 'errors']))
return result
def is_different(module, response):
request = resource_to_request(module)
response = response_to_hash(module, response)
request = decode_response(request, module)
# Remove all output-only from response.
response_vals = {}
for k, v in response.items():
if k in request:
response_vals[k] = v
request_vals = {}
for k, v in request.items():
if k in response:
request_vals[k] = v
return GcpRequest(request_vals) != GcpRequest(response_vals)
# Remove unnecessary properties from the response.
# This is for doing comparisons with Ansible's current parameters.
def response_to_hash(module, response):
return {
u'name': module.params.get('name'),
u'creationTime': response.get(u'creationTime'),
u'labels': response.get(u'labels'),
u'purpose': module.params.get('purpose'),
u'rotationPeriod': response.get(u'rotationPeriod'),
u'versionTemplate': CryptoKeyVersiontemplate(response.get(u'versionTemplate', {}), module).from_response(),
}
def decode_response(response, module):
if 'name' in response:
response['name'] = response['name'].split('/')[-1]
return response
class CryptoKeyVersiontemplate(object):
def __init__(self, request, module):
self.module = module
if request:
self.request = request
else:
self.request = {}
def to_request(self):
return remove_nones_from_dict({u'algorithm': self.request.get('algorithm'), u'protectionLevel': self.request.get('protection_level')})
def from_response(self):
return remove_nones_from_dict({u'algorithm': self.request.get(u'algorithm'), u'protectionLevel': self.module.params.get('protection_level')})
if __name__ == '__main__':
main()

View file

@ -0,0 +1,2 @@
cloud/gcp
unsupported

View file

@ -0,0 +1,2 @@
---
resource_name: "{{ resource_prefix }}"

View file

@ -0,0 +1,73 @@
# Copyright 2019 Google Inc.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
# Pre-test setup
- name: create a key ring
gcp_kms_key_ring:
name: key-key-ring
location: us-central1
project: "{{ gcp_project }}"
auth_kind: "{{ gcp_cred_kind }}"
service_account_file: "{{ gcp_cred_file }}"
state: present
register: keyring
- name: delete a crypto key
gcp_kms_crypto_key:
name: "{{ resource_name }}"
key_ring: projects/{{ gcp_project }}/locations/us-central1/keyRings/key-key-ring
project: "{{ gcp_project }}"
auth_kind: "{{ gcp_cred_kind }}"
service_account_file: "{{ gcp_cred_file }}"
state: absent
#----------------------------------------------------------
- name: create a crypto key
gcp_kms_crypto_key:
name: "{{ resource_name }}"
key_ring: projects/{{ gcp_project }}/locations/us-central1/keyRings/key-key-ring
project: "{{ gcp_project }}"
auth_kind: "{{ gcp_cred_kind }}"
service_account_file: "{{ gcp_cred_file }}"
state: present
register: result
- name: assert changed is true
assert:
that:
- result.changed == true
- name: verify that crypto_key was created
gcp_kms_crypto_key_info:
key_ring: "projects/{{ gcp_project }}/locations/us-central1/keyRings/key-key-ring"
project: "{{ gcp_project }}"
auth_kind: "{{ gcp_cred_kind }}"
service_account_file: "{{ gcp_cred_file }}"
scopes:
- https://www.googleapis.com/auth/cloudkms
register: results
- name: verify that command succeeded
assert:
that:
- results['resources'] | map(attribute='name') | select("match", ".*{{ resource_name }}.*") | list | length == 1
# ----------------------------------------------------------------------------
- name: create a crypto key that already exists
gcp_kms_crypto_key:
name: "{{ resource_name }}"
key_ring: projects/{{ gcp_project }}/locations/us-central1/keyRings/key-key-ring
project: "{{ gcp_project }}"
auth_kind: "{{ gcp_cred_kind }}"
service_account_file: "{{ gcp_cred_file }}"
state: present
register: result
- name: assert changed is false
assert:
that:
- result.changed == false