
aws_secrets module tries to remove system tags. #1146

Closed
1 task done
SantiRaposo opened this issue May 12, 2022 · 7 comments
Labels
bug This issue/PR relates to a bug easyfix Good for new comers and easy to start with contribution good first issue has_pr needs_triage python3 traceback

Comments

@SantiRaposo

Summary

When using the aws_secret module to modify a secret created with AWS CloudFormation, without specifying the tags argument, the module tries to remove the reserved system tags (all tags starting with aws:, for instance the stack ID the resource belongs to).

These tags cannot be modified or deleted, so the module should ignore them when processing tags.

Issue Type

Bug Report

Component Name

community.aws.aws_secret module

Ansible Version

$ ansible --version
ansible [core 2.12.4]
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.10/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.10.4 (main, Apr  7 2022, 03:26:33) [GCC 10.2.1 20210110]
  jinja version = 3.1.2
  libyaml = True

Collection Versions

$ ansible-galaxy collection list
Collection           Version
-------------------- -------
amazon.aws           3.2.0
ansible.utils        2.6.1
community.aws        3.2.1

AWS SDK versions

$ pip show boto boto3 botocore
Name: boto3
Version: 1.21.46
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: /usr/local/lib/python3.10/site-packages
Requires: botocore, jmespath, s3transfer
Required-by:
---
Name: botocore
Version: 1.24.46
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: /usr/local/lib/python3.10/site-packages
Requires: jmespath, python-dateutil, urllib3
Required-by: boto3, s3transfer

Configuration

$ ansible-config dump --only-changed
""

OS / Environment

Debian Bullseye

Steps to Reproduce

---
- name: test
  hosts: localhost
  gather_facts: true
  tasks:
  - name: "test"
    aws_secret:
      name: "secretname"
      state: present
      secret_type: 'string'
      secret: '{"test": "hola"}'
      region: "eu-west-1"

Expected Results

I expected the module to not attempt to modify system tags. Instead, the module attempts to remove system tags and fails with an error.

Actual Results

test@aa4d13fa304b:~/ansible$ ansible-playbook -vv test.yaml
ansible-playbook [core 2.12.4]
  config file = /test/ansible/ansible.cfg
  configured module search path = ['/test/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.10/site-packages/ansible
  ansible collection location = /test/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible-playbook
  python version = 3.10.4 (main, Apr  7 2022, 03:26:33) [GCC 10.2.1 20210110]
  jinja version = 3.1.2
  libyaml = True
Using /test/ansible/ansible.cfg as config file
redirecting (type: modules) ansible.builtin.aws_secret to community.aws.aws_secret
redirecting (type: callback) ansible.builtin.unixy to community.general.unixy
redirecting (type: callback) ansible.builtin.unixy to community.general.unixy
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.
Executing playbook test.yaml
1 plays in test.yaml

- test on hosts: localhost -
Gathering Facts...
  localhost ok
META: ran handlers
test...
redirecting (type: modules) ansible.builtin.aws_secret to community.aws.aws_secret
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: botocore.errorfactory.InvalidParameterException: An error occurred (InvalidParameterException) when calling the UntagResource operation: You can't modify system tags. Tag key: 'aws:cloudformation:stack-name'.
  localhost failed: {
    "boto3_version": "1.21.46",
    "botocore_version": "1.24.46",
    "changed": false,
    "error": {
        "code": "InvalidParameterException",
        "message": "You can't modify system tags. Tag key: 'aws:cloudformation:stack-name'."
    },
    "message": "You can't modify system tags. Tag key: 'aws:cloudformation:stack-name'.",
    "msg": "Failed to remove tag(s) from secret: An error occurred (InvalidParameterException) when calling the UntagResource operation: You can't modify system tags. Tag key: 'aws:cloudformation:stack-name'.",
    "response_metadata": {
        "http_headers": {
            "connection": "close",
            "content-length": "122",
            "content-type": "application/x-amz-json-1.1",
            "date": "Thu, 12 May 2022 15:54:15 GMT",
            "x-amzn-requestid": "XXXXXXX"
        },
        "http_status_code": 400,
        "request_id": "XXXXXX",
        "retry_attempts": 0
    }
}

- Play recap -
  localhost                  : ok=1    changed=0    unreachable=0    failed=1    rescued=0    ignored=0

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
@ansibullbot

Files identified in the description:
None

If these files are inaccurate, please update the component name section of the description or use the !component bot command.


@ansibullbot ansibullbot added bug This issue/PR relates to a bug needs_triage python3 traceback labels May 12, 2022
@markuman
Member

The module needs a purge_tags: default(False) parameter.
https://github.com/ansible-collections/community.aws/blob/main/plugins/modules/aws_secret.py#L456-L463

@markuman markuman added good first issue easyfix Good for new comers and easy to start with contribution labels May 19, 2022
@markuman
Member

The module needs a purge_tags: default(False) parameter. https://github.com/ansible-collections/community.aws/blob/main/plugins/modules/aws_secret.py#L456-L463

That's a quick fix.
But it won't fix the reserved tag handling.

System created tags that begin with aws: are reserved for AWS use, and do not count against this limit. You can't edit or delete a tag that begins with the aws: prefix.


@tremble
Contributor

tremble commented May 19, 2022

I've got a half written PR, which leaves purge_tags: True, but requires the tags parameter to have been set first. That combined with ansible-collections/amazon.aws#817 is probably our best solution.

@tremble
Contributor

tremble commented May 20, 2022

@SantiRaposo thanks for the report here. #1150, which will hopefully be included in release 4.0.0, should mitigate the issue for your example: if you don't explicitly set tags, then it won't try to update them (which is our usual behaviour). Separately I've opened ansible-collections/amazon.aws#817 to update our helper code so that it doesn't try to manage the 'aws:' tags (unless someone explicitly passes them).

softwarefactory-project-zuul bot pushed a commit that referenced this issue May 20, 2022
aws_secret - Support purge_tags

SUMMARY
aws_secret currently defaults to purging all tags (even if tags isn't specified), this is a little aggressive.

Add purge_tags parameter
Only purge tags if tags: {} is set (rather than when tags is None)

ISSUE TYPE

Feature Pull Request

COMPONENT NAME
aws_secret
ADDITIONAL INFORMATION
Related to #1146

Reviewed-by: Markus Bergholz <[email protected]>
Reviewed-by: Mark Chappell <None>
Reviewed-by: Alina Buzachis <None>
@tremble
Contributor

tremble commented May 27, 2022

With release 4.0.0 of the amazon.aws collection we will ignore aws:* / system tags for the purposes of purge_tags on all modules. We hope to release 4.0.0 in late June.

However, because the change necessary to ignore tags prefixed with 'aws:' has the potential to break playbooks running on "AWS compatible" platforms we won't be backporting a fix for this to the 2.x and 3.x releases.
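The tag handling the thread converges on (leave tags alone when the argument is not passed, and never purge aws:-prefixed system tags) as an added Python illustration; this is not the collection's own module_utils code, and compare_tags, legacy_keys_to_remove and the sample tag values are assumptions constructed for the example.

```python
"""Tag-diff logic that skips AWS system tags (added illustration).

Assumptions: tags are plain {key: value} dicts, and `desired is None`
means "the tags argument was not passed", as described in the thread.
"""

SYSTEM_TAG_PREFIX = "aws:"


def legacy_keys_to_remove(current, desired):
    """Pre-fix behaviour: treat a missing tags argument as {} and purge
    everything else, which makes UntagResource hit the system tags and
    fail with InvalidParameterException (see the traceback above)."""
    desired = desired or {}
    return sorted(k for k in current if k not in desired)


def compare_tags(current, desired, purge_tags=True):
    """Return (tags_to_set, keys_to_remove) without touching system tags.

    - desired None: caller did not pass tags, so nothing is changed.
    - purge_tags False: only add/update, never remove.
    - Keys starting with 'aws:' are never selected for removal; they are
      only ever set if the caller explicitly listed them.
    """
    if desired is None:
        return {}, []
    to_set = {k: v for k, v in desired.items() if current.get(k) != v}
    to_remove = []
    if purge_tags:
        for key in current:
            if key in desired or key.startswith(SYSTEM_TAG_PREFIX):
                continue  # keep explicit tags and AWS-managed tags
            to_remove.append(key)
    return to_set, sorted(to_remove)


# Constructed sample: tags on a secret created by CloudFormation.
CURRENT_TAGS = {
    "aws:cloudformation:stack-name": "example-stack",
    "aws:cloudformation:logical-id": "ExampleSecret",
    "Environment": "prod",
    "Owner": "team-a",
}

if __name__ == "__main__":
    print("legacy:", legacy_keys_to_remove(CURRENT_TAGS, None))
    print("no tags arg:", compare_tags(CURRENT_TAGS, None))
    print("tags: {}:", compare_tags(CURRENT_TAGS, {}))
    print("replace Owner:", compare_tags(CURRENT_TAGS, {"Owner": "team-b"}))
```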

@tremble tremble closed this as completed May 27, 2022
softwarefactory-project-zuul bot pushed a commit that referenced this issue May 30, 2022
Add changelog fragment for amazon.aws/825

SUMMARY
With ansible-collections/amazon.aws#825 we now ignore aws: tags when purging.
Since this affects both amazon.aws and community.aws, add a changelog note to community.aws
ISSUE TYPE

Docs Pull Request

COMPONENT NAME
changelogs/fragments/817-skip_purge_aws.yaml
ADDITIONAL INFORMATION
See also:
ansible-collections/amazon.aws#825
ansible-collections/amazon.aws#817
#1146

Reviewed-by: Alina Buzachis <None>
abikouo pushed a commit to abikouo/community.aws that referenced this issue Oct 24, 2023
Deprecate module_utils.urls

SUMMARY
Originally introduced in ansible/ansible#42758, as far as I can tell the module_utils/urls.py has never actually been used by a module.  Its primary purpose was to add support for Sigv4, but boto3/botocore support this out of the box now and we shouldn't be reimplementing it.
We have no tests for this code, nothing's using it, and it's in the "supported" repo.  Let's prune out this code, if someone external's using it hopefully someone will raise an issue and we can reconsider the deprecation.
ISSUE TYPE

Feature Pull Request

COMPONENT NAME
plugins/module_utils/urls.py
ADDITIONAL INFORMATION

Reviewed-by: Alina Buzachis <None>