aws_kms_info - Gracefully Handle Keys That Don't Allow kms:GetKeyRota…

…tionStatus API Calls (ansible-collections#199)

* Gracefully handle keys that don't allow kms:GetKeyRotationStatus API calls

Some AWS KMS keys (e.g. aws/acm) do not allow permissions to call the API
kms:GetKeyRotationStatus. As a result, module execution fails, even if the
user execuing it has full admin privileges.

Example: https://forums.aws.amazon.com/thread.jspa?threadID=312992

* change log fragment

* Return None if key rotation status can't be determined

Update documentation to reflect this use case.

Use helper to track the exception.

* Add integration tests

changelogs/fragments/199-aws_kms_info-key-rotation-status.yaml

@@ -0,0 +1,5 @@
+bugfixes:
+- aws_kms_info - fixes issue where module execution fails because certain AWS KMS keys (e.g. aws/acm)
+  do not permit the calling the API kms:GetKeyRotationStatus
+  (example - https://forums.aws.amazon.com/thread.jspa?threadID=312992)
+  (https://github.com/ansible-collections/community.aws/pull/199)

plugins/modules/aws_kms_info.py

@@ -105,7 +105,7 @@
       returned: always
       sample: false
     enable_key_rotation:
-      description: Whether the automatically key rotation every year is enabled.
+      description: Whether the automatically key rotation every year is enabled. Returns None if key rotation status can't be determined.
       type: bool
       returned: always
       sample: false
@@ -223,6 +223,7 @@
     pass  # Handled by AnsibleAWSModule
 
 from ansible_collections.amazon.aws.plugins.module_utils.core import AnsibleAWSModule
+from ansible_collections.amazon.aws.plugins.module_utils.core import is_boto3_error_code
 from ansible_collections.amazon.aws.plugins.module_utils.ec2 import boto3_conn
 from ansible_collections.amazon.aws.plugins.module_utils.ec2 import get_aws_connection_info
 from ansible_collections.amazon.aws.plugins.module_utils.ec2 import AWSRetry
@@ -290,7 +291,11 @@ def get_key_policy_with_backoff(connection, key_id, policy_name):
 
 @AWSRetry.backoff(tries=5, delay=5, backoff=2.0)
 def get_enable_key_rotation_with_backoff(connection, key_id):
-    current_rotation_status = connection.get_key_rotation_status(KeyId=key_id)
+    try:
+        current_rotation_status = connection.get_key_rotation_status(KeyId=key_id)
+    except is_boto3_error_code('AccessDeniedException') as e:
+        return None
+
     return current_rotation_status.get('KeyRotationEnabled')
 
 

tests/integration/targets/aws_kms/tasks/main.yml

@@ -344,6 +344,22 @@
           - update_key.key_state == "Disabled"
           - update_key.changed
 
+    - name: update policy to remove access to key rotation status
+      aws_kms:
+        alias: "alias/{{ resource_prefix }}-kms"
+        policy: "{{ lookup('template', 'console-policy-no-key-rotation.j2') | to_json }}"
+
+    - name: find facts about the key without key rotation status
+      aws_kms_info:
+        filters:
+          alias: "{{ resource_prefix }}-kms"
+      register: update_key
+
+    - name: assert that key rotation status is set to None
+      assert:
+        that:
+          - update_key.enable_key_rotation is undefined
+
     - name: delete the key
       aws_kms:
         alias: "{{ resource_prefix }}-kms"

tests/integration/targets/aws_kms/templates/console-policy-no-key-rotation.j2

@@ -0,0 +1,81 @@
+{
+    "Id": "key-consolepolicy-3",
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "Enable IAM User Permissions",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "arn:aws:iam::{{ aws_caller_info.account }}:root"
+            },
+            "Action": "kms:*",
+            "Resource": "*"
+        },
+        {
+            "Sid": "Allow access for Key Administrators",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "{{ aws_caller_info.arn }}"
+            },
+            "Action": [
+                "kms:Create*",
+                "kms:Describe*",
+                "kms:Enable*",
+                "kms:List*",
+                "kms:Put*",
+                "kms:Update*",
+                "kms:Revoke*",
+                "kms:Disable*",
+                "kms:Get*",
+                "kms:Delete*",
+                "kms:TagResource",
+                "kms:UntagResource",
+                "kms:ScheduleKeyDeletion",
+                "kms:CancelKeyDeletion"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "Allow use of the key",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "{{ aws_caller_info.arn }}"
+            },
+            "Action": [
+                "kms:Encrypt",
+                "kms:Decrypt",
+                "kms:ReEncrypt*",
+                "kms:GenerateDataKey*",
+                "kms:DescribeKey"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "Allow attachment of persistent resources",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "{{ aws_caller_info.arn }}"
+            },
+            "Action": [
+                "kms:CreateGrant",
+                "kms:ListGrants",
+                "kms:RevokeGrant"
+            ],
+            "Resource": "*",
+            "Condition": {
+                "Bool": {
+                    "kms:GrantIsForAWSResource": "true"
+                }
+            }
+        },
+        {
+            "Sid": "Disable access to key rotation status",
+            "Effect": "Deny",
+            "Principal": {
+                "AWS": "{{ aws_caller_info.arn }}"
+            },
+            "Action": "kms:GetKeyRotationStatus",
+            "Resource": "*"
+        }
+    ]
+}