ansible-collections / community.aws

Ansible Collection for Community AWS
GNU General Public License v3.0

secretsmanager_secret module should not overwrite an existing Secret #1626

Closed brsolomon-deloitte closed 1 year ago

brsolomon-deloitte commented 1 year ago

Summary

The community.aws.secretsmanager_secret module currently offers no option to not overwrite a Secret if it exists with the same name but a different value. This forces the user to first try to check if the Secret exists and then skip the task if it does. It will simply call secrets_mgr.update_secret(secret) and overwrite the existing one. If the intended Secret value itself is, for example, a random password, the option to only lookup that the Secret exists (but not that its values match) would be a nice feature.

Relevant code: https://github.com/ansible-collections/community.aws/blob/99978ef51ce1372d2f36b501b084b2bf54381073/plugins/modules/secretsmanager_secret.py#L479

Issue Type

Feature Idea

Component Name

secretsmanager_secret

Additional Information

```yaml
- name: Try to retrieve existing elastic secrets from AWS Secrets Manager
  ansible.builtin.set_fact:
    elastic_user_password: "{{ lookup('amazon.aws.aws_secret', clustername + '/' + elastic_namespace + '.elastic-user-password', nested=true, region=region, on_missing='error') }}"
    kibana_client_secret: "{{ lookup('amazon.aws.aws_secret', clustername + '/' + elastic_namespace + '.keycloak-secret', nested=true, region=region, on_missing='error') }}"
  register: secrets_found
  ignore_errors: true

- name: Create elastic user password and Keycloak AWS secrets if necessary
  community.aws.secretsmanager_secret:
    name: "{{ clustername }}/{{ elastic_namespace }}"
    description: Elastic secrets for {{ elastic_namespace }}
    state: present
    secret_type: "string"
    json_secret: {
      "elastic-user-password": "{{ lookup('community.general.random_string', length=16, special=false) }}",
      "keycloak-secret": "{{ lookup('community.general.random_string', length=16, special=false) }}"
    }
    region: "{{ region }}"
  when: secrets_found is failed
```

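The create-if-missing behaviour the issue asks for, as an added illustration in Python (this is not the community.aws module's code, and `ensure_secret`, `FakeSecretsManager` and the `overwrite` parameter are hypothetical names). The fake client is a constructed in-memory stand-in for boto3's Secrets Manager client and implements only `describe_secret`, `get_secret_value`, `create_secret` and `update_secret`, with the keyword arguments boto3 uses. A side effect worth noting for the defender: with `overwrite=False` the existence check needs only `DescribeSecret`, so the principal running the play does not need `GetSecretValue` on a secret whose generated value it should never read back.

```python
"""Hypothetical 'create but never overwrite' logic for a Secrets Manager secret.

Added example, not the community.aws secretsmanager_secret module's code.
"""
import json
from dataclasses import dataclass, field


class ResourceNotFoundException(Exception):
    """Stands in for the error boto3 raises when a secret does not exist."""


@dataclass
class FakeSecretsManager:
    """Constructed in-memory stand-in for boto3's SecretsManager client."""
    secrets: dict = field(default_factory=dict)   # name -> SecretString
    calls: list = field(default_factory=list)     # (api, secret name) audit trail

    def describe_secret(self, SecretId):
        self.calls.append(("describe_secret", SecretId))
        if SecretId not in self.secrets:
            raise ResourceNotFoundException(SecretId)
        return {"Name": SecretId}

    def get_secret_value(self, SecretId):
        self.calls.append(("get_secret_value", SecretId))
        if SecretId not in self.secrets:
            raise ResourceNotFoundException(SecretId)
        return {"Name": SecretId, "SecretString": self.secrets[SecretId]}

    def create_secret(self, Name, SecretString, Description=""):
        self.calls.append(("create_secret", Name))
        self.secrets[Name] = SecretString
        return {"Name": Name}

    def update_secret(self, SecretId, SecretString):
        self.calls.append(("update_secret", SecretId))
        self.secrets[SecretId] = SecretString
        return {"Name": SecretId}


def ensure_secret(client, name, secret_dict, overwrite=False, description=""):
    """Ensure a secret named ``name`` exists; return (changed, action).

    overwrite=False: an existing secret is left untouched, its value is not
    even read (only DescribeSecret is called), so a previously generated
    random password survives repeated runs.
    overwrite=True: update-if-different, the behaviour the issue describes
    the module as having today.
    """
    desired = json.dumps(secret_dict, sort_keys=True)

    if not overwrite:
        try:
            client.describe_secret(SecretId=name)
        except ResourceNotFoundException:
            client.create_secret(Name=name, SecretString=desired, Description=description)
            return True, "created"
        return False, "skipped"          # exists; value deliberately not compared

    try:
        current = client.get_secret_value(SecretId=name)["SecretString"]
    except ResourceNotFoundException:
        client.create_secret(Name=name, SecretString=desired, Description=description)
        return True, "created"
    try:
        same = json.loads(current) == secret_dict
    except ValueError:
        same = False                     # existing value is not JSON: treat as different
    if same:
        return False, "unchanged"
    client.update_secret(SecretId=name, SecretString=desired)
    return True, "updated"


def demo():
    """Constructed scenario: two runs generate different 'random' passwords."""
    sm = FakeSecretsManager()
    name = "cluster-a/elastic"           # constructed secret name
    first = ensure_secret(sm, name, {"elastic-user-password": "first-random"})
    second = ensure_secret(sm, name, {"elastic-user-password": "second-random"})
    return first, second, sm.secrets[name]


if __name__ == "__main__":
    print(demo())
```

In `demo()` the second run reports `skipped` and the stored value is still the first password, which is exactly the outcome the playbook above tries to obtain with the lookup-then-`when` workaround.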
ansibullbot commented 1 year ago

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.


ansibullbot commented 1 year ago

cc @jillr @markuman @rrey @s-hertel @tremble