[cloud] Allow IAM certificate secrets, body, chains to be strings (e.g. sourced from ansible-vault) (#24206)

* Allow cert and private pem information to be passed in via string, eg when obtaining sensitive key details from anisble-vault at runtime * Allow cert chain body to be passed as a string * Ensure the new options are set in parameters * Dont publish the private key in logs * Set the version_added documentation * Update documentation inline with review * Removes file based certificates in favour of string only as suggested in feature review * Documentation changes as suggested by review
2024-09-14 20:13:21 +02:00 · 2017-06-09 16:32:22 +01:00 · 2017-06-09 16:32:22 +01:00 · 62fa2019c6
commit 62fa2019c6
parent b376bde4d7
1 changed files with 28 additions and 37 deletions
--- a/lib/ansible/modules/cloud/amazon/iam_cert.py
+++ b/lib/ansible/modules/cloud/amazon/iam_cert.py
@ -30,63 +30,46 @@ options:
    description:
      - Name of certificate to add, update or remove.
    required: true
    aliases: []
  new_name:
    description:
      - When present, this will update the name of the cert with the value passed here.
    required: false
    aliases: []
  new_path:
    description:
      - When present, this will update the path of the cert with the value passed here.
    required: false
    aliases: []
  state:
    description:
      - Whether to create, delete certificate. When present is specified it will attempt to make an update if new_path or new_name is specified.
    required: true
    default: null
    choices: [ "present", "absent" ]
    aliases: []
  path:
    description:
      - When creating or updating, specify the desired path of the certificate
    required: false
    default: "/"
    aliases: []
  cert_chain:
    description:
-      - The path to the CA certificate chain in PEM encoded format.
+      - The CA certificate chain in PEM encoded format.
      - Note that prior to 2.4, this parameter expected a path to a file. Since 2.4 this is now accomplished using a lookup plugin. See examples for detail
    required: false
    default: null
    aliases: []
  cert:
    description:
-      - The path to the certificate body in PEM encoded format.
+      - The certificate body in PEM encoded format.
      - Note that prior to 2.4, this parameter expected a path to a file. Since 2.4 this is now accomplished using a lookup plugin. See examples for detail
    required: false
    aliases: []
  key:
    description:
-      - The path to the private key of the certificate in PEM encoded format.
+      - The key of the certificate in PEM encoded format.
      - Note that prior to 2.4, this parameter expected a path to a file. Since 2.4 this is now accomplished using a lookup plugin. See examples for detail
  dup_ok:
    description:
      - By default the module will not upload a certificate that is already uploaded into AWS. If set to True, it will upload the certificate as
        long as the name is unique.
    required: false
    default: False
    aliases: []
  aws_secret_key:
    description:
      - AWS secret key. If not set then the value of the AWS_SECRET_KEY environment variable is used.
    required: false
    default: null
    aliases: [ 'ec2_secret_key', 'secret_key' ]
  aws_access_key:
    description:
      - AWS access key. If not set then the value of the AWS_ACCESS_KEY environment variable is used.
    required: false
    default: null
    aliases: [ 'ec2_access_key', 'access_key' ]
 requirements: [ "boto" ]
@ -97,16 +80,22 @@ extends_documentation_fragment:
 '''
 EXAMPLES = '''
-# Basic server certificate upload
+# Basic server certificate upload from local file
-tasks:
+- iam_cert:
 - name: Upload Certificate
  iam_cert:
    name: very_ssl
    state: present
-    cert: somecert.pem
+    cert: "{{ lookup('file', 'path/to/cert') }}"
-    key: privcertkey
+    key: "{{ lookup('file', 'path/to/key') }}"
-    cert_chain: myverytrustedchain
+    cert_chain: "{{ lookup('file', 'path/to/certchain') }}"
 # Server certificate upload using key string
 - iam_cert:
    name: very_ssl
    state: present
    path: "/a/cert/path/"
    cert: body_of_somecert
    key: vault_body_of_privcertkey
    cert_chain: body_of_myverytrustedchain
 '''
 import json
 import sys
@ -235,9 +224,9 @@ def main():
        state=dict(
            default=None, required=True, choices=['present', 'absent']),
        name=dict(default=None, required=False),
-        cert=dict(default=None, required=False, type='path'),
+        cert=dict(default=None, required=False),
-        key=dict(default=None, required=False, type='path'),
+        key=dict(default=None, required=False, no_log=True),
-        cert_chain=dict(default=None, required=False, type='path'),
+        cert_chain=dict(default=None, required=False),
        new_name=dict(default=None, required=False),
        path=dict(default='/', required=False),
        new_path=dict(default=None, required=False),
@ -271,10 +260,12 @@ def main():
    cert_chain = module.params.get('cert_chain')
    dup_ok = module.params.get('dup_ok')
    if state == 'present':
-        cert = open(module.params.get('cert'), 'r').read().rstrip()
+        if module.params.get('cert') is not None:
-        key = open(module.params.get('key'), 'r').read().rstrip()
+            cert = module.params.get('cert')
-        if cert_chain is not None:
+        if module.params.get('key') is not None:
-            cert_chain = open(module.params.get('cert_chain'), 'r').read()
+            key = module.params.get('key')
        if module.params.get('cert_chain') is not None:
            cert_chain = module.params.get('cert_chain')
    else:
        key=cert=chain=None