author | Pascal Bach <pasci.bach@gmail.com> | 2017-01-18 16:02:54 +0100 |
---|---|---|
committer | Ryan Brown <sb@ryansb.com> | 2017-01-18 10:02:54 -0500 |
commit | c6621aa0ae24b652e8eb5300d4481b39634d891e (patch) | |
tree | 03b968493df1829afee9168c0335ec1b47439b63 | |
parent | aa6ce16aa46aa5a5b689110dd3ba0c1b3a50018e (diff) | |
ec2_vol: Add key selection support for EBS volume encryption. (#19570)
* Fixes: #3217 - Add a new parameter for the kms_key_id to the ec2_vol module.
* Fixes: #3217 - Correcting comment string as requested.
* Fixes: #3217 - Adding boto version when kms_key_id is used. Also re-adding accidentally removed comment line.
* Cleanup of EBS volume key pull request
-rw-r--r-- | lib/ansible/modules/cloud/amazon/ec2_vol.py | 24 |
1 files changed, 23 insertions, 1 deletions
diff --git a/lib/ansible/modules/cloud/amazon/ec2_vol.py b/lib/ansible/modules/cloud/amazon/ec2_vol.py index b6ea9fa598..a89b218f3a 100644 --- a/lib/ansible/modules/cloud/amazon/ec2_vol.py +++ b/lib/ansible/modules/cloud/amazon/ec2_vol.py @@ -65,6 +65,11 @@ options: - Enable encryption at rest for this volume. default: false version_added: "1.8" + kms_key_id: + description: + - Specify the id of the KMS key to use. + default: null + version_added: "2.3" device_name: description: - device id to override device mapping. Assumes /dev/sdf for Linux/UNIX and /dev/xvdf for Windows. @@ -318,12 +323,21 @@ def boto_supports_volume_encryption(): """ return hasattr(boto, 'Version') and LooseVersion(boto.Version) >= LooseVersion('2.29.0') +def boto_supports_kms_key_id(): + """ + Check if Boto library supports kms_key_ids (added in 2.39.0) + + Returns: + True if version is equal to or higher then the version needed, else False + """ + return hasattr(boto, 'Version') and LooseVersion(boto.Version) >= LooseVersion('2.39.0') def create_volume(module, ec2, zone): changed = False name = module.params.get('name') iops = module.params.get('iops') encrypted = module.params.get('encrypted') + kms_key_id = module.params.get('kms_key_id') volume_size = module.params.get('volume_size') volume_type = module.params.get('volume_type') snapshot = module.params.get('snapshot') @@ -335,7 +349,10 @@ def create_volume(module, ec2, zone): if volume is None: try: if boto_supports_volume_encryption(): - volume = ec2.create_volume(volume_size, zone, snapshot, volume_type, iops, encrypted) + if kms_key_id is not None: + volume = ec2.create_volume(volume_size, zone, snapshot, volume_type, iops, encrypted, kms_key_id) + else: + volume = ec2.create_volume(volume_size, zone, snapshot, volume_type, iops, encrypted) changed = True else: volume = ec2.create_volume(volume_size, zone, snapshot, volume_type, iops) 
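Review bot: The `kms_key_id` option text in the first hunk (`@@ -65,6 +65,11 @@`) does not say that the key only matters for an encrypted volume, nor that it needs a newer boto than `encrypted` does. A reader of the generated docs could set `kms_key_id` alone and assume the volume is protected by that key. I would extend the description to something like `- Specify the id of the KMS key to use. Only used when C(encrypted) is true; requires boto >= 2.39.0.` and state what key is used when the option is omitted.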
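Review bot: In the `@@ -335,7 +349,10 @@` hunk the new `kms_key_id` branch sits inside `if volume is None:`, so the requested key is only applied when a volume is actually created. The lookup that sets `volume` is outside the hunk, but if it returns an existing volume, the module appears to reuse it without checking that it is encrypted or which key it uses. A comment such as `# NOTE: kms_key_id is only honoured on creation; an existing volume is returned as-is` would make that limit explicit, or the module could fail when the existing volume is unencrypted. Separately, passing the key by keyword, `ec2.create_volume(volume_size, zone, snapshot, volume_type, iops, encrypted, kms_key_id=kms_key_id)`, keeps the call correct if the positional order in boto ever differs.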
@@ -486,6 +503,7 @@ def main(): volume_type = dict(choices=['standard', 'gp2', 'io1', 'st1', 'sc1'], default='standard'), iops = dict(), encrypted = dict(type='bool', default=False), + kms_key_id = dict(), device_name = dict(), delete_on_termination = dict(type='bool', default=False), zone = dict(aliases=['availability_zone', 'aws_zone', 'ec2_zone']), @@ -503,6 +521,7 @@ def main(): instance = module.params.get('instance') volume_size = module.params.get('volume_size') encrypted = module.params.get('encrypted') + kms_key_id = module.params.get('kms_key_id') device_name = module.params.get('device_name') zone = module.params.get('zone') snapshot = module.params.get('snapshot') @@ -546,6 +565,9 @@ def main(): if encrypted and not boto_supports_volume_encryption(): module.fail_json(msg="You must use boto >= v2.29.0 to use encrypted volumes") + if kms_key_id is not None and not boto_supports_kms_key_id(): + module.fail_json(msg="You must use boto >= v2.39.0 to use kms_key_id") + # Here we need to get the zone info for the instance. This covers situation where # instance is specified but zone isn't. # Useful for playbooks chaining instance launch with volume create + attach and where the |
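Review bot: The validation added in the last hunk (`@@ -546,6 +565,9 @@`) checks the boto version but never rejects `kms_key_id` when `encrypted` is left at its default of `False`. `create_volume` then passes `encrypted=False` together with the key id. Depending on how boto and EC2 treat that combination, the request is either refused or the key id is dropped and the volume is created unencrypted with the task still reporting success. A guard next to the version check makes the misconfiguration fail loudly: `if kms_key_id is not None and not encrypted:` followed by `module.fail_json(msg="kms_key_id requires encrypted to be true")`. The body of `main` continues outside the hunk, so an equivalent check may exist elsewhere, but none is visible here.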