ec2_vol: Add key selection support for EBS volume encryption. (#19570)
* Fixes: #3217 - Add a new parameter for the kms_key_id to the ec2_vol module. * Fixes: #3217 - Correcting comment string as requested. * Fixes: #3217 - Adding boto version when kms_key_id is used. Also re-adding accidentally removed comment line. * Cleanup of EBS volume key pull request
This commit is contained in:
parent
aa6ce16aa4
commit
c6621aa0ae
1 changed files with 23 additions and 1 deletions
|
@ -65,6 +65,11 @@ options:
|
||||||
- Enable encryption at rest for this volume.
|
- Enable encryption at rest for this volume.
|
||||||
default: false
|
default: false
|
||||||
version_added: "1.8"
|
version_added: "1.8"
|
||||||
|
kms_key_id:
|
||||||
|
description:
|
||||||
|
- Specify the id of the KMS key to use.
|
||||||
|
default: null
|
||||||
|
version_added: "2.3"
|
||||||
device_name:
|
device_name:
|
||||||
description:
|
description:
|
||||||
- device id to override device mapping. Assumes /dev/sdf for Linux/UNIX and /dev/xvdf for Windows.
|
- device id to override device mapping. Assumes /dev/sdf for Linux/UNIX and /dev/xvdf for Windows.
|
||||||
|
@ -318,12 +323,21 @@ def boto_supports_volume_encryption():
|
||||||
"""
|
"""
|
||||||
return hasattr(boto, 'Version') and LooseVersion(boto.Version) >= LooseVersion('2.29.0')
|
return hasattr(boto, 'Version') and LooseVersion(boto.Version) >= LooseVersion('2.29.0')
|
||||||
|
|
||||||
|
def boto_supports_kms_key_id():
|
||||||
|
"""
|
||||||
|
Check if Boto library supports kms_key_ids (added in 2.39.0)
|
||||||
|
|
||||||
|
Returns:
|
||||||
|
True if version is equal to or higher then the version needed, else False
|
||||||
|
"""
|
||||||
|
return hasattr(boto, 'Version') and LooseVersion(boto.Version) >= LooseVersion('2.39.0')
|
||||||
|
|
||||||
def create_volume(module, ec2, zone):
|
def create_volume(module, ec2, zone):
|
||||||
changed = False
|
changed = False
|
||||||
name = module.params.get('name')
|
name = module.params.get('name')
|
||||||
iops = module.params.get('iops')
|
iops = module.params.get('iops')
|
||||||
encrypted = module.params.get('encrypted')
|
encrypted = module.params.get('encrypted')
|
||||||
|
kms_key_id = module.params.get('kms_key_id')
|
||||||
volume_size = module.params.get('volume_size')
|
volume_size = module.params.get('volume_size')
|
||||||
volume_type = module.params.get('volume_type')
|
volume_type = module.params.get('volume_type')
|
||||||
snapshot = module.params.get('snapshot')
|
snapshot = module.params.get('snapshot')
|
||||||
|
@ -335,7 +349,10 @@ def create_volume(module, ec2, zone):
|
||||||
if volume is None:
|
if volume is None:
|
||||||
try:
|
try:
|
||||||
if boto_supports_volume_encryption():
|
if boto_supports_volume_encryption():
|
||||||
volume = ec2.create_volume(volume_size, zone, snapshot, volume_type, iops, encrypted)
|
if kms_key_id is not None:
|
||||||
|
volume = ec2.create_volume(volume_size, zone, snapshot, volume_type, iops, encrypted, kms_key_id)
|
||||||
|
else:
|
||||||
|
volume = ec2.create_volume(volume_size, zone, snapshot, volume_type, iops, encrypted)
|
||||||
changed = True
|
changed = True
|
||||||
else:
|
else:
|
||||||
volume = ec2.create_volume(volume_size, zone, snapshot, volume_type, iops)
|
volume = ec2.create_volume(volume_size, zone, snapshot, volume_type, iops)
|
||||||
|
@ -486,6 +503,7 @@ def main():
|
||||||
volume_type = dict(choices=['standard', 'gp2', 'io1', 'st1', 'sc1'], default='standard'),
|
volume_type = dict(choices=['standard', 'gp2', 'io1', 'st1', 'sc1'], default='standard'),
|
||||||
iops = dict(),
|
iops = dict(),
|
||||||
encrypted = dict(type='bool', default=False),
|
encrypted = dict(type='bool', default=False),
|
||||||
|
kms_key_id = dict(),
|
||||||
device_name = dict(),
|
device_name = dict(),
|
||||||
delete_on_termination = dict(type='bool', default=False),
|
delete_on_termination = dict(type='bool', default=False),
|
||||||
zone = dict(aliases=['availability_zone', 'aws_zone', 'ec2_zone']),
|
zone = dict(aliases=['availability_zone', 'aws_zone', 'ec2_zone']),
|
||||||
|
@ -503,6 +521,7 @@ def main():
|
||||||
instance = module.params.get('instance')
|
instance = module.params.get('instance')
|
||||||
volume_size = module.params.get('volume_size')
|
volume_size = module.params.get('volume_size')
|
||||||
encrypted = module.params.get('encrypted')
|
encrypted = module.params.get('encrypted')
|
||||||
|
kms_key_id = module.params.get('kms_key_id')
|
||||||
device_name = module.params.get('device_name')
|
device_name = module.params.get('device_name')
|
||||||
zone = module.params.get('zone')
|
zone = module.params.get('zone')
|
||||||
snapshot = module.params.get('snapshot')
|
snapshot = module.params.get('snapshot')
|
||||||
|
@ -546,6 +565,9 @@ def main():
|
||||||
if encrypted and not boto_supports_volume_encryption():
|
if encrypted and not boto_supports_volume_encryption():
|
||||||
module.fail_json(msg="You must use boto >= v2.29.0 to use encrypted volumes")
|
module.fail_json(msg="You must use boto >= v2.29.0 to use encrypted volumes")
|
||||||
|
|
||||||
|
if kms_key_id is not None and not boto_supports_kms_key_id():
|
||||||
|
module.fail_json(msg="You must use boto >= v2.39.0 to use kms_key_id")
|
||||||
|
|
||||||
# Here we need to get the zone info for the instance. This covers situation where
|
# Here we need to get the zone info for the instance. This covers situation where
|
||||||
# instance is specified but zone isn't.
|
# instance is specified but zone isn't.
|
||||||
# Useful for playbooks chaining instance launch with volume create + attach and where the
|
# Useful for playbooks chaining instance launch with volume create + attach and where the
|
||||||
|
|
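Review bot: The version check added in main() at `if kms_key_id is not None and not boto_supports_kms_key_id():` never verifies that `encrypted` is true, so a play that sets `kms_key_id` with the default `encrypted: false` reaches `ec2.create_volume(..., encrypted, kms_key_id)` in create_volume with a key but encryption off, which EC2 rejects with an opaque API error rather than a clear module message (and the option text `- Specify the id of the KMS key to use.` in the first hunk does not say the key requires `encrypted: true`). Add `if kms_key_id is not None and not encrypted: module.fail_json(msg="kms_key_id requires encrypted=True")` next to the existing checks and append `Requires encrypted to be true.` to that description. Passing `kms_key_id` positionally after `encrypted` also depends on boto's exact parameter order; `kms_key_id=kms_key_id` as a keyword would be safer, if boto2's create_volume accepts it by name. The new docstring's `higher then` should read `higher than`. Both main() and create_volume extend beyond their hunks.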