From 3adf08e10f23cdb005ac2c9812456740e068e89e Mon Sep 17 00:00:00 2001
From: Will Rouesnel
Date: Tue, 20 Jun 2017 22:01:56 +1000
Subject: [PATCH] [cloud] iam_cert return arn and allow use with ansible vault (#20787)
* iam_cert.py Fix duplicate certificate detection with included chains. The iam_cert module would fail to detect certificates as duplicates if the certificate body included the authority chain directly. This commit fixes the problem by checking if a given certificate matches the start of the data returned by AWS, since in all cases where they would match the certificate will come first.
* iam_cert.py Return certificate ARN in all success cases. When uploading certificates or interacting with IAM, the certificate ARN is needed for other operations with AWS such as provisioning elastic load balancers. This commit returns the certificate ARN in all success cases, which allows it to be used to idempotently provision other Amazon services depending on it (ELBs being an immediate example).
---
 lib/ansible/modules/cloud/amazon/iam_cert.py | 23 +++++++++++++-------
 1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/lib/ansible/modules/cloud/amazon/iam_cert.py b/lib/ansible/modules/cloud/amazon/iam_cert.py
index 676fafb904..767c7e03b4 100644
--- a/lib/ansible/modules/cloud/amazon/iam_cert.py
+++ b/lib/ansible/modules/cloud/amazon/iam_cert.py
@@ -138,7 +138,11 @@ def cert_meta(iam, name):
 server_certificate.\
 server_certificate_metadata.\
 expiration
- return opath, ocert, ocert_id, upload_date, exp
+ arn = iam.get_server_certificate(name).get_server_certificate_result.\
+ server_certificate.\
+ server_certificate_metadata.\
+ arn
+ return opath, ocert, ocert_id, upload_date, exp, arn

 def dup_check(module, iam, name, new_name, cert, orig_cert_names, orig_cert_bodies, dup_ok):
 update=False
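Review bot: The added `arn` lookup issues another `get_server_certificate(name)` round trip, mirroring the separate call that already fetches `expiration` just above it, so `cert_meta` now pays one more IAM API call per metadata read and has one more chance to hit API throttling. Binding the metadata object once, e.g. `meta = iam.get_server_certificate(name).get_server_certificate_result.server_certificate.server_certificate_metadata`, and reading `meta.arn` (and the other fields) from it would avoid that; the rest of `cert_meta`, including its def line, is outside the hunk. The return tuple also grows to six positional values that nothing names, so a docstring on `cert_meta` stating the order `(path, body, id, upload_date, expiration, arn)` would help the callers that unpack it.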
@@ -159,6 +163,9 @@ def dup_check(module, iam, name, new_name, cert, orig_cert_names, orig_cert_bodi
 if slug_orig_cert_bodies == slug_cert:
 update=True
 break
+ elif slug_cert.startswith(slug_orig_cert_bodies):
+ update=True
+ break
 elif slug_orig_cert_bodies != slug_cert:
 module.fail_json(changed=False, msg='A cert with the name %s already exists and'
 ' has a different certificate body associated'
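Review bot: The new `startswith` branch declares the certificate a duplicate whenever the supplied body merely begins with the stored one, so whatever follows the leaf — chain material appended to the body, and the separate `chain` value this file passes to `upload_server_cert` — is never compared against what IAM holds; a task that rotates only the intermediate chain is presumably reported as unchanged and nothing is uploaded. If that is the accepted behaviour it should be stated at the branch, e.g. `# supplied body may carry the chain after the leaf; only the stored body is compared, as a prefix`, and ideally the stored chain should be fetched and compared as well. The match is also one-directional: a stored body that is longer than the supplied one still falls through to `fail_json` with the "different certificate body" message. The enclosing loop and `dup_check` itself continue outside the hunk.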
@@ -181,34 +188,34 @@ def cert_action(module, iam, name, cpath, new_name, new_path, state,
 update = dup_check(module, iam, name, new_name, cert, orig_cert_names, orig_cert_bodies, dup_ok)
 if update:
- opath, ocert, ocert_id, upload_date, exp = cert_meta(iam, name)
+ opath, ocert, ocert_id, upload_date, exp, arn = cert_meta(iam, name)
 changed=True
 if new_name and new_path:
 iam.update_server_cert(name, new_cert_name=new_name, new_path=new_path)
 module.exit_json(changed=changed, original_name=name, new_name=new_name,
 original_path=opath, new_path=new_path, cert_body=ocert,
- upload_date=upload_date, expiration_date=exp)
+ upload_date=upload_date, expiration_date=exp, arn=arn)
 elif new_name and not new_path:
 iam.update_server_cert(name, new_cert_name=new_name)
 module.exit_json(changed=changed, original_name=name, new_name=new_name,
 cert_path=opath, cert_body=ocert,
- upload_date=upload_date, expiration_date=exp)
+ upload_date=upload_date, expiration_date=exp, arn=arn)
 elif not new_name and new_path:
 iam.update_server_cert(name, new_path=new_path)
 module.exit_json(changed=changed, name=new_name, original_path=opath,
 new_path=new_path, cert_body=ocert,
- upload_date=upload_date, expiration_date=exp)
+ upload_date=upload_date, expiration_date=exp, arn=arn)
 else:
 changed=False
 module.exit_json(changed=changed, name=name, cert_path=opath, cert_body=ocert,
- upload_date=upload_date, expiration_date=exp,
+ upload_date=upload_date, expiration_date=exp, arn=arn,
 msg='No new path or name specified. No changes made')
 else:
 changed=True
 iam.upload_server_cert(name, cert, key, cert_chain=chain, path=cpath)
- opath, ocert, ocert_id, upload_date, exp = cert_meta(iam, name)
+ opath, ocert, ocert_id, upload_date, exp, arn = cert_meta(iam, name)
 module.exit_json(changed=changed, name=name, cert_path=opath, cert_body=ocert,
- upload_date=upload_date, expiration_date=exp)
+ upload_date=upload_date, expiration_date=exp, arn=arn)
 elif state == 'absent':
 if name in orig_cert_names:
 changed=True
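Review bot: In the three rename/path-change branches the `arn` handed to `exit_json` was read by `cert_meta(iam, name)` before `update_server_cert` ran, and an IAM server-certificate ARN embeds the certificate's path and name, so a caller that feeds this `arn` into an ELB after a rename gets the stale pre-rename identifier — the exact use the commit message advertises. Re-reading it after the update, e.g. `arn = cert_meta(iam, new_name or name)[-1]` placed before each of those three `exit_json` calls, leaves the other returned fields as they are and reports the current ARN. Separately, the untouched `elif not new_name and new_path:` branch still reports `name=new_name`, which is `None` on that path; `name=name` looks like the intended value. `cert_action` begins and ends outside the hunk.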