author | Jill R <4121322+jillr@users.noreply.github.com> | 2019-10-21 16:45:41 -0700 |
---|---|---|
committer | ansibot <ansibot@users.noreply.github.com> | 2019-10-21 19:45:41 -0400 |
commit | aa68f728fdd9b2b93da3da6a6b18a00b24cfe7e3 (patch) | |
tree | f0df1f46729d086e389f309dc08d05f798842261 | |
parent | 2e81b813ddfdd0b37c0d5fad34ec061c6f0eb079 (diff) | |
s3_bucket: Allow empty encryption_key_id with aws:kms (#62031)
* s3_bucket: Allow empty encryption_key_id with aws:kms to use KMS master key
* Add idempotency check and clean up example; don't require encryption_key_id
-rw-r--r-- | lib/ansible/modules/cloud/amazon/s3_bucket.py | 21 | ||||
-rw-r--r-- | test/integration/targets/s3_bucket/tasks/main.yml | 28 |
2 files changed, 47 insertions, 2 deletions
diff --git a/lib/ansible/modules/cloud/amazon/s3_bucket.py b/lib/ansible/modules/cloud/amazon/s3_bucket.py
index 48e5471142..38b21a7e84 100644
--- a/lib/ansible/modules/cloud/amazon/s3_bucket.py
+++ b/lib/ansible/modules/cloud/amazon/s3_bucket.py
@@ -133,6 +133,24 @@ EXAMPLES = '''
     name: mydobucket
     s3_url: 'https://nyc3.digitaloceanspaces.com'
 
+# Create a bucket with AES256 encryption
+- s3_bucket:
+    name: mys3bucket
+    state: present
+    encryption: "AES256"
+
+# Create a bucket with aws:kms encryption, KMS key
+- s3_bucket:
+    name: mys3bucket
+    state: present
+    encryption: "aws:kms"
+    encryption_key_id: "arn:aws:kms:us-east-1:1234/5678example"
+
+# Create a bucket with aws:kms encryption, default key
+- s3_bucket:
+    name: mys3bucket
+    state: present
+    encryption: "aws:kms"
 '''
 
 import json
@@ -326,7 +344,7 @@ def create_or_update_bucket(s3_client, module, location):
             changed = True
         elif encryption != 'none' and (encryption != current_encryption_algorithm) or (encryption == 'aws:kms' and current_encryption_key != encryption_key_id):
             expected_encryption = {'SSEAlgorithm': encryption}
-            if encryption == 'aws:kms':
+            if encryption == 'aws:kms' and encryption_key_id is not None:
                 expected_encryption.update({'KMSMasterKeyID': encryption_key_id})
             try:
                 put_bucket_encryption(s3_client, name, expected_encryption)
@@ -660,7 +678,6 @@ def main():
 
     module = AnsibleAWSModule(
         argument_spec=argument_spec,
-        required_if=[['encryption', 'aws:kms', ['encryption_key_id']]]
     )
 
     region, ec2_url, aws_connect_kwargs = get_aws_connection_info(module, boto3=True)
diff --git a/test/integration/targets/s3_bucket/tasks/main.yml b/test/integration/targets/s3_bucket/tasks/main.yml
index 89e26e1335..472859eca8 100644
--- a/test/integration/targets/s3_bucket/tasks/main.yml
+++ b/test/integration/targets/s3_bucket/tasks/main.yml
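Review bot: The `encryption_key_id` value in the second added example, `arn:aws:kms:us-east-1:1234/5678example`, does not have the shape of a KMS key ARN (region, account id and the `key/<key-id>` resource are colon-separated), so anyone who copies it gets a rejected request; use a placeholder in the documented form, e.g. `encryption_key_id: "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"`. The third example's comment `default key` should say which key that is, because the choice matters for key policies, rotation control and cross-account access: `# Create a bucket with aws:kms encryption using the AWS-managed key (aws/s3); omit encryption_key_id`. The EXAMPLES string begins before the hunk.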
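Review bot: With `encryption_key_id` now allowed to be None, the unchanged `elif` condition above the changed line still fires when `current_encryption_key != encryption_key_id`, so a play that states `encryption: aws:kms` and omits the key against a bucket already using a customer-managed key will rewrite the bucket's default encryption to the AWS-managed key, a silent downgrade that the removed `required_if` used to prevent. That may be the intended declarative meaning, but it differs from the module's convention that an omitted option is left unmanaged (`encryption` itself is only acted on when it is not None), so it should be either stated in the option's documentation or guarded, e.g. `(encryption == 'aws:kms' and encryption_key_id is not None and current_encryption_key != encryption_key_id)`. Idempotency of the no-key case also relies on `get_bucket_encryption` reporting no `KMSMasterKeyID` when the AWS-managed key is in use; the new integration test exercises that, but a comment beside the comparison such as `# a bucket on the AWS-managed key reports no KMSMasterKeyID, matching encryption_key_id=None` would make the dependency visible. `create_or_update_bucket` starts and ends outside the hunk.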
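Review bot: Dropping `required_if` makes `encryption_key_id` optional for `aws:kms`, but nothing in the hunk updates the option's DOCUMENTATION entry (outside the hunk), which should now state that omitting it with `aws:kms` selects the AWS-managed `aws/s3` key rather than a customer-managed one. A short comment at the constructor would also explain the absence of a constraint a reader would otherwise expect, e.g. `# encryption_key_id is optional with aws:kms; None selects the AWS-managed key`. `main()` continues outside the hunk.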
@@ -394,6 +394,34 @@
           - output.changed
           - not output.encryption
 
+    - name: Enable aws:kms encryption with KMS master key
+      s3_bucket:
+        name: "{{ resource_prefix }}-testbucket-encrypt-ansible"
+        state: present
+        encryption: "aws:kms"
+        <<: *aws_connection_info
+      register: output
+
+    - assert:
+        that:
+          - output.changed
+          - output.encryption
+          - output.encryption.SSEAlgorithm == 'aws:kms'
+
+    - name: Enable aws:kms encryption with KMS master key (idempotent)
+      s3_bucket:
+        name: "{{ resource_prefix }}-testbucket-encrypt-ansible"
+        state: present
+        encryption: "aws:kms"
+        <<: *aws_connection_info
+      register: output
+
+    - assert:
+        that:
+          - not output.changed
+          - output.encryption
+          - output.encryption.SSEAlgorithm == 'aws:kms'
+
     # ============================================================
     - name: Pause to help with s3 bucket eventual consistency
       pause:
|
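Review bot: The new assertions check only `SSEAlgorithm`, so they would also pass if the module had set some `KMSMasterKeyID`; if the returned `encryption` dict mirrors the bucket's encryption rule, add `- "'KMSMasterKeyID' not in output.encryption"` to both assert blocks to pin that the AWS-managed key is actually in use. There is also no case for a bucket that already carries a customer-managed key receiving a play without `encryption_key_id`, which is the path where removing `required_if` changes behaviour and where a key downgrade would go unnoticed. The enclosing block starts before the hunk.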