[cloud] iam_cert return arn and allow use with ansible vault (#20787)
* iam_cert.py Fix duplicate certificate detection with included chains. The iam_cert module would fail to detect certificates as duplicates if the certificate body included the authority chain directly. This commit fixes the problem by checking if a given certificate matches the start of the data returned by AWS, since in all cases where they would match the certificate will come first. * iam_cert.py Return certificate ARN in all success cases. When uploading certificates or interacting with IAM, the certificate ARN is needed for other operations with AWS such as provisioning elastic load balancers. This commit returns the certificate ARN in all success cases, which allows it to be used to idempotently provision other Amazon services depending on it (ELBs being an immediate example).
This commit is contained in:
parent
947e9aba45
commit
3adf08e10f
1 changed files with 15 additions and 8 deletions
|
@ -138,7 +138,11 @@ def cert_meta(iam, name):
|
|||
server_certificate.\
|
||||
server_certificate_metadata.\
|
||||
expiration
|
||||
return opath, ocert, ocert_id, upload_date, exp
|
||||
arn = iam.get_server_certificate(name).get_server_certificate_result.\
|
||||
server_certificate.\
|
||||
server_certificate_metadata.\
|
||||
arn
|
||||
return opath, ocert, ocert_id, upload_date, exp, arn
|
||||
|
||||
def dup_check(module, iam, name, new_name, cert, orig_cert_names, orig_cert_bodies, dup_ok):
|
||||
update=False
|
||||
|
@ -159,6 +163,9 @@ def dup_check(module, iam, name, new_name, cert, orig_cert_names, orig_cert_bodi
|
|||
if slug_orig_cert_bodies == slug_cert:
|
||||
update=True
|
||||
break
|
||||
elif slug_cert.startswith(slug_orig_cert_bodies):
|
||||
update=True
|
||||
break
|
||||
elif slug_orig_cert_bodies != slug_cert:
|
||||
module.fail_json(changed=False, msg='A cert with the name %s already exists and'
|
||||
' has a different certificate body associated'
|
||||
|
@ -181,34 +188,34 @@ def cert_action(module, iam, name, cpath, new_name, new_path, state,
|
|||
update = dup_check(module, iam, name, new_name, cert, orig_cert_names,
|
||||
orig_cert_bodies, dup_ok)
|
||||
if update:
|
||||
opath, ocert, ocert_id, upload_date, exp = cert_meta(iam, name)
|
||||
opath, ocert, ocert_id, upload_date, exp, arn = cert_meta(iam, name)
|
||||
changed=True
|
||||
if new_name and new_path:
|
||||
iam.update_server_cert(name, new_cert_name=new_name, new_path=new_path)
|
||||
module.exit_json(changed=changed, original_name=name, new_name=new_name,
|
||||
original_path=opath, new_path=new_path, cert_body=ocert,
|
||||
upload_date=upload_date, expiration_date=exp)
|
||||
upload_date=upload_date, expiration_date=exp, arn=arn)
|
||||
elif new_name and not new_path:
|
||||
iam.update_server_cert(name, new_cert_name=new_name)
|
||||
module.exit_json(changed=changed, original_name=name, new_name=new_name,
|
||||
cert_path=opath, cert_body=ocert,
|
||||
upload_date=upload_date, expiration_date=exp)
|
||||
upload_date=upload_date, expiration_date=exp, arn=arn)
|
||||
elif not new_name and new_path:
|
||||
iam.update_server_cert(name, new_path=new_path)
|
||||
module.exit_json(changed=changed, name=new_name,
|
||||
original_path=opath, new_path=new_path, cert_body=ocert,
|
||||
upload_date=upload_date, expiration_date=exp)
|
||||
upload_date=upload_date, expiration_date=exp, arn=arn)
|
||||
else:
|
||||
changed=False
|
||||
module.exit_json(changed=changed, name=name, cert_path=opath, cert_body=ocert,
|
||||
upload_date=upload_date, expiration_date=exp,
|
||||
upload_date=upload_date, expiration_date=exp, arn=arn,
|
||||
msg='No new path or name specified. No changes made')
|
||||
else:
|
||||
changed=True
|
||||
iam.upload_server_cert(name, cert, key, cert_chain=chain, path=cpath)
|
||||
opath, ocert, ocert_id, upload_date, exp = cert_meta(iam, name)
|
||||
opath, ocert, ocert_id, upload_date, exp, arn = cert_meta(iam, name)
|
||||
module.exit_json(changed=changed, name=name, cert_path=opath, cert_body=ocert,
|
||||
upload_date=upload_date, expiration_date=exp)
|
||||
upload_date=upload_date, expiration_date=exp, arn=arn)
|
||||
elif state == 'absent':
|
||||
if name in orig_cert_names:
|
||||
changed=True
|
||||
|
|
Loading…
Reference in a new issue