diff --git a/changelogs/fragments/1384-cloudtrail-disable_encryption.yml b/changelogs/fragments/1384-cloudtrail-disable_encryption.yml
new file mode 100644
index 00000000000..f493df8feda
--- /dev/null
+++ b/changelogs/fragments/1384-cloudtrail-disable_encryption.yml
@@ -0,0 +1,2 @@
+bugfixes:
+- cloudtrail - support to disabling encryption using ´´kms_key_id´´ (https://github.com/ansible-collections/amazon.aws/pull/1384).
diff --git a/plugins/modules/cloudtrail.py b/plugins/modules/cloudtrail.py
index 8ad1cd8bdbf..af48e7ea8ed 100644
--- a/plugins/modules/cloudtrail.py
+++ b/plugins/modules/cloudtrail.py
@@ -87,6 +87,7 @@
 description:
 - Specifies the KMS key ID to use to encrypt the logs delivered by CloudTrail. This also has the effect of enabling log file encryption.
 - The value can be an alias name prefixed by "alias/", a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.
+ - Encryption can be disabled by setting I(kms_key_id="").
 - See U(https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html).
 type: str
 notes:
@@ -490,8 +491,8 @@ def main():
 if module.params['enable_log_file_validation'] is not None:
 ct_params['EnableLogFileValidation'] = module.params['enable_log_file_validation']
- if module.params['kms_key_id']: ct_params['KmsKeyId'] = module.params['kms_key_id']
+ if module.params["kms_key_id"] is not None: ct_params["KmsKeyId"] = module.params["kms_key_id"]
 client = module.client('cloudtrail')
 region = module.region
@@ -595,7 +596,7 @@ def main():
 results['exists'] = True
 if not module.check_mode:
 if tags:
- ct_params['TagsList'] = ansible_dict_to_boto3_tag_list(tags)
+ ct_params["TagsList"] = ansible_dict_to_boto3_tag_list(tags)
 # If we aren't in check_mode then actually create it
 created_trail = create_trail(module, client, ct_params)
 # Get the trail status
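Review bot: The new `is not None` test in the `-490` hunk changes the meaning of an empty `kms_key_id`: under the old truthiness check `''` was dropped from `ct_params` and left the trail untouched, whereas it is now sent as `KmsKeyId=""`, which the option doc added in the `-87` hunk describes as disabling log file encryption. Any existing play that passes `kms_key_id: "{{ some_var | default('') }}"` therefore goes from a no-op to silently removing encryption from an audit-log trail, so the fragment belongs under a behaviour-change category rather than `bugfixes` (it also wraps `kms_key_id` in acute accents rather than the RST double backquotes the other fragments use), and the option doc should say explicitly that an empty string is not the same as omitting the option. A why-comment on the new line would make the intent visible to the next maintainer, e.g. `# "" is deliberately passed through: an empty KmsKeyId tells the API to disable log file encryption`. main() starts and ends outside the hunk, so whether the update path compares `""` against a trail that has no KmsKeyId without reporting a spurious change cannot be confirmed from here; the integration tests in this commit are what cover it.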
diff --git a/tests/integration/targets/cloudtrail/tasks/main.yml b/tests/integration/targets/cloudtrail/tasks/main.yml
index 65254b8f0b8..e35136d5d4c 100644
--- a/tests/integration/targets/cloudtrail/tasks/main.yml
+++ b/tests/integration/targets/cloudtrail/tasks/main.yml
@@ -179,7 +179,7 @@
 - name: pause to ensure role exists before attaching policy
 pause:
 seconds: 15
-
+
 - name: 'Add inline policy to CloudWatch Role'
 iam_policy:
 state: present
@@ -213,8 +213,6 @@
 - output.exists == True
 - output.trail.name == cloudtrail_name
-
-
 - name: 'No-op update to trail'
 cloudtrail:
 state: present
@@ -248,13 +246,12 @@
 trail_arn: '{{ item.resource_id }}'
 when: item.name == cloudtrail_name
 loop: "{{ info.trail_list }}"
-
+
 - name: 'Assert that the trail name is present in the info'
 assert:
 that:
 - trail_present is defined
 - trail_present == True
-
 # ============================================================
@@ -1361,38 +1358,38 @@
 # when using check_mode, with no kms permissions, and not giving kms_key_id as a key arn
 # output will always be marked as changed.
- #- name: 'Disable logging encryption (CHECK MODE)'
- # cloudtrail:
- # state: present
- # name: '{{ cloudtrail_name }}'
- # kms_key_id: ''
- # register: output
- # check_mode: yes
- #- assert:
- # that:
- # - output is changed
+ - name: 'Disable logging encryption (CHECK MODE)'
+ cloudtrail:
+ state: present
+ name: '{{ cloudtrail_name }}'
+ kms_key_id: ''
+ register: output
+ check_mode: yes
+ - assert:
+ that:
+ - output is changed
- #- name: 'Disable logging encryption'
- # cloudtrail:
- # state: present
- # name: '{{ cloudtrail_name }}'
- # kms_key_id: ''
- # register: output
- #- assert:
- # that:
- # - output.trail.kms_key_id == None
- # - output is changed
+ - name: 'Disable logging encryption'
+ cloudtrail:
+ state: present
+ name: '{{ cloudtrail_name }}'
+ kms_key_id: ''
+ register: output
+ - assert:
+ that:
+ - output.trail.kms_key_id == ""
+ - output is changed
- #- name: 'Disable logging encryption (no change)'
- # cloudtrail:
- # state: present
- # name: '{{ cloudtrail_name }}'
- # kms_key_id: ''
- # register: output
- #- assert:
- # that:
- # - output.kms_key_id == None
- # - output is not changed
+ - name: 'Disable logging encryption (no change)'
+ cloudtrail:
+ state: present
+ name: '{{ cloudtrail_name }}'
+ kms_key_id: ''
+ register: output
+ - assert:
+ that:
+ - output.kms_key_id == ""
+ - output is not changed
 # ============================================================
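Review bot: The re-enabled 'no change' assert in this hunk checks `output.kms_key_id == ""` while the 'Disable logging encryption' assert just above it checks `output.trail.kms_key_id == ""`; unless the module also returns `kms_key_id` at the top level of its result (not visible here), the idempotence task will fail on an undefined attribute rather than prove that a second run with an empty key is a no-op, so the line should read `- output.trail.kms_key_id == ""`. The context comment at the top of the hunk states that in check mode, without KMS permissions and without a key ARN, the output is always reported as changed, which means the re-enabled 'CHECK MODE' task's `output is changed` assertion can pass without exercising the new empty-key path at all; a short comment on that task saying it only confirms the module accepts `kms_key_id: ''` in check mode, not that the reported change is accurate, would keep the test from overstating its coverage.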