Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[PR #1384/200392e0 backport][stable-5] Allow to disable encryption on cloudtrail #1385

Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions changelogs/fragments/1384-cloudtrail-disable_encryption.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
bugfixes:
- cloudtrail - support to disabling encryption using ´´kms_key_id´´ (https://github.com/ansible-collections/amazon.aws/pull/1384).
7 changes: 4 additions & 3 deletions plugins/modules/cloudtrail.py
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,7 @@
description:
- Specifies the KMS key ID to use to encrypt the logs delivered by CloudTrail. This also has the effect of enabling log file encryption.
- The value can be an alias name prefixed by "alias/", a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.
- Encryption can be disabled by setting I(kms_key_id="").
- See U(https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html).
type: str
notes:
Expand Down Expand Up @@ -490,8 +491,8 @@ def main():
if module.params['enable_log_file_validation'] is not None:
ct_params['EnableLogFileValidation'] = module.params['enable_log_file_validation']

if module.params['kms_key_id']:
ct_params['KmsKeyId'] = module.params['kms_key_id']
if module.params["kms_key_id"] is not None:
ct_params["KmsKeyId"] = module.params["kms_key_id"]

client = module.client('cloudtrail')
region = module.region
Expand Down Expand Up @@ -595,7 +596,7 @@ def main():
results['exists'] = True
if not module.check_mode:
if tags:
ct_params['TagsList'] = ansible_dict_to_boto3_tag_list(tags)
ct_params["TagsList"] = ansible_dict_to_boto3_tag_list(tags)
# If we aren't in check_mode then actually create it
created_trail = create_trail(module, client, ct_params)
# Get the trail status
Expand Down
67 changes: 32 additions & 35 deletions tests/integration/targets/cloudtrail/tasks/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -179,7 +179,7 @@
- name: pause to ensure role exists before attaching policy
pause:
seconds: 15

- name: 'Add inline policy to CloudWatch Role'
iam_policy:
state: present
Expand Down Expand Up @@ -213,8 +213,6 @@
- output.exists == True
- output.trail.name == cloudtrail_name



- name: 'No-op update to trail'
cloudtrail:
state: present
Expand Down Expand Up @@ -248,13 +246,12 @@
trail_arn: '{{ item.resource_id }}'
when: item.name == cloudtrail_name
loop: "{{ info.trail_list }}"

- name: 'Assert that the trail name is present in the info'
assert:
that:
- trail_present is defined
- trail_present == True


# ============================================================

Expand Down Expand Up @@ -1361,38 +1358,38 @@
# when using check_mode, with no kms permissions, and not giving kms_key_id as a key arn
# output will always be marked as changed.

#- name: 'Disable logging encryption (CHECK MODE)'
# cloudtrail:
# state: present
# name: '{{ cloudtrail_name }}'
# kms_key_id: ''
# register: output
# check_mode: yes
#- assert:
# that:
# - output is changed
- name: 'Disable logging encryption (CHECK MODE)'
cloudtrail:
state: present
name: '{{ cloudtrail_name }}'
kms_key_id: ''
register: output
check_mode: yes
- assert:
that:
- output is changed

#- name: 'Disable logging encryption'
# cloudtrail:
# state: present
# name: '{{ cloudtrail_name }}'
# kms_key_id: ''
# register: output
#- assert:
# that:
# - output.trail.kms_key_id == None
# - output is changed
- name: 'Disable logging encryption'
cloudtrail:
state: present
name: '{{ cloudtrail_name }}'
kms_key_id: ''
register: output
- assert:
that:
- output.trail.kms_key_id == ""
- output is changed

#- name: 'Disable logging encryption (no change)'
# cloudtrail:
# state: present
# name: '{{ cloudtrail_name }}'
# kms_key_id: ''
# register: output
#- assert:
# that:
# - output.kms_key_id == None
# - output is not changed
- name: 'Disable logging encryption (no change)'
cloudtrail:
state: present
name: '{{ cloudtrail_name }}'
kms_key_id: ''
register: output
- assert:
that:
- output.kms_key_id == ""
- output is not changed

# ============================================================

Expand Down