[cloud] iam_cert return arn and allow use with ansible vault (#20787)

* iam_cert.py Fix duplicate certificate detection with included chains. The iam_cert module would fail to detect certificates as duplicates if the certificate body included the authority chain directly. This commit fixes the problem by checking if a given certificate matches the start of the data returned by AWS, since in all cases where they would match the certificate will come first. * iam_cert.py Return certificate ARN in all success cases. When uploading certificates or interacting with IAM, the certificate ARN is needed for other operations with AWS such as provisioning elastic load balancers. This commit returns the certificate ARN in all success cases, which allows it to be used to idempotently provision other Amazon services depending on it (ELBs being an immediate example).
2024-09-14 20:13:21 +02:00 · 2017-06-20 22:01:56 +10:00 · 2017-06-20 22:01:56 +10:00 · 3adf08e10f
commit 3adf08e10f
parent 947e9aba45
1 changed files with 15 additions and 8 deletions
--- a/lib/ansible/modules/cloud/amazon/iam_cert.py
+++ b/lib/ansible/modules/cloud/amazon/iam_cert.py
@ -138,7 +138,11 @@ def cert_meta(iam, name):
                                                 server_certificate.\
                                                 server_certificate_metadata.\
                                                 expiration
-    return opath, ocert, ocert_id, upload_date, exp
+    arn         = iam.get_server_certificate(name).get_server_certificate_result.\
+                                                 server_certificate.\
+                                                 server_certificate_metadata.\
+                                                 arn
+    return opath, ocert, ocert_id, upload_date, exp, arn

 def dup_check(module, iam, name, new_name, cert, orig_cert_names, orig_cert_bodies, dup_ok):
    update=False
@ -159,6 +163,9 @@ def dup_check(module, iam, name, new_name, cert, orig_cert_names, orig_cert_bodi
                    if slug_orig_cert_bodies == slug_cert:
                        update=True
                        break
+                    elif slug_cert.startswith(slug_orig_cert_bodies):
+                        update=True
+                        break
                    elif slug_orig_cert_bodies != slug_cert:
                        module.fail_json(changed=False, msg='A cert with the name %s already exists and'
                                                           ' has a different certificate body associated'
@ -181,34 +188,34 @@ def cert_action(module, iam, name, cpath, new_name, new_path, state,
        update = dup_check(module, iam, name, new_name, cert, orig_cert_names,
                           orig_cert_bodies, dup_ok)
        if update:
-            opath, ocert, ocert_id, upload_date, exp = cert_meta(iam, name)
+            opath, ocert, ocert_id, upload_date, exp, arn = cert_meta(iam, name)
            changed=True
            if new_name and new_path:
                iam.update_server_cert(name, new_cert_name=new_name, new_path=new_path)
                module.exit_json(changed=changed, original_name=name, new_name=new_name,
                                 original_path=opath, new_path=new_path, cert_body=ocert,
-                                 upload_date=upload_date, expiration_date=exp)
+                                 upload_date=upload_date, expiration_date=exp, arn=arn)
            elif new_name and not new_path:
                iam.update_server_cert(name, new_cert_name=new_name)
                module.exit_json(changed=changed, original_name=name, new_name=new_name,
                                 cert_path=opath, cert_body=ocert,
-                                 upload_date=upload_date, expiration_date=exp)
+                                 upload_date=upload_date, expiration_date=exp, arn=arn)
            elif not new_name and new_path:
                iam.update_server_cert(name, new_path=new_path)
                module.exit_json(changed=changed, name=new_name,
                                 original_path=opath, new_path=new_path, cert_body=ocert,
-                                 upload_date=upload_date, expiration_date=exp)
+                                 upload_date=upload_date, expiration_date=exp, arn=arn)
            else:
                changed=False
                module.exit_json(changed=changed, name=name, cert_path=opath, cert_body=ocert,
-                                 upload_date=upload_date, expiration_date=exp,
+                                 upload_date=upload_date, expiration_date=exp, arn=arn,
                                 msg='No new path or name specified. No changes made')
        else:
            changed=True
            iam.upload_server_cert(name, cert, key, cert_chain=chain, path=cpath)
-            opath, ocert, ocert_id, upload_date, exp = cert_meta(iam, name)
+            opath, ocert, ocert_id, upload_date, exp, arn = cert_meta(iam, name)
            module.exit_json(changed=changed, name=name, cert_path=opath, cert_body=ocert,
-                                 upload_date=upload_date, expiration_date=exp)
+                                 upload_date=upload_date, expiration_date=exp, arn=arn)
    elif state == 'absent':
        if name in orig_cert_names:
            changed=True