VhϒdZdZdZddlZ ddlZddlmZddlm Z ddl m Z ddl m Z dd lmZdd lmZdd lmZdd lmZej(d d ddZej(d d ddZdZej(d d ddZej(d d ddZej(d d ddZej(d d ddZej(d d ddZdZdZdZdZ dZ!dZ"d0dZ#dZ$d Z%d!Z&d"Z'd#Z(d$Z)d%Z*d&Z+d'Z,d(Z-d)Z.d*Z/d+Z0d,Z1d-Z2d.Z3e4d/k(re3yy#e$rYLwxYw)1aq --- module: kms_key version_added: 5.0.0 short_description: Perform various KMS key management tasks description: - Manage role/user access to a KMS key. - Not designed for encrypting/decrypting. - Prior to release 5.0.0 this module was called M(community.aws.aws_kms). The usage did not change. - This module was originally added to C(community.aws) in release 1.0.0. options: alias: description: - An alias for a key. - For safety, even though KMS does not require keys to have an alias, this module expects all new keys to be given an alias to make them easier to manage. Existing keys without an alias may be referred to by O(key_id). Use M(amazon.aws.kms_key_info) to find key ids. - Note that passing a O(key_id) and O(alias) will only cause a new alias to be added, an alias will never be renamed. - The V(alias/) prefix is optional. - Required if O(key_id) is not given. required: false aliases: - key_alias type: str key_id: description: - Key ID or ARN of the key. - One of O(alias) or O(key_id) are required. required: false aliases: - key_arn type: str enable_key_rotation: description: - Whether the key should be automatically rotated every year. required: false type: bool state: description: - Whether a key should be present or absent. - Note that making an existing key V(absent) only schedules a key for deletion. - Passing a key that is scheduled for deletion with O(state=present) will cancel key deletion. required: false choices: - present - absent default: present type: str enabled: description: Whether or not a key is enabled. default: true type: bool description: description: - A description of the CMK. - Use a description that helps you decide whether the CMK is appropriate for a task. type: str multi_region: description: - Whether to create a multi-Region primary key or not. default: false type: bool version_added: 5.5.0 pending_window: description: - The number of days between requesting deletion of the CMK and when it will actually be deleted. - Only used when O(state=absent) and the CMK has not yet been deleted. - Valid values are between V(7) and V(30) (inclusive). - 'See also: U(https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html#KMS-ScheduleKeyDeletion-request-PendingWindowInDays)' type: int aliases: ['deletion_delay'] version_added: 1.4.0 version_added_collection: community.aws purge_grants: description: - Whether the O(grants) argument should cause grants not in the list to be removed. default: false type: bool grants: description: - A list of grants to apply to the key. Each item must contain O(grants.grantee_principal). Each item can optionally contain O(grants.retiring_principal), O(grants.operations), O(grants.constraints), O(grants.name). - O(grants.grantee_principal) and O(grants.retiring_principal) must be ARNs. - 'For full documentation of suboptions see the boto3 documentation:' - 'U(https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/kms.html#KMS.Client.create_grant)' type: list elements: dict default: [] suboptions: grantee_principal: description: The full ARN of the principal being granted permissions. required: true type: str retiring_principal: description: The full ARN of the principal permitted to revoke/retire the grant. type: str operations: type: list elements: str description: - A list of operations that the grantee may perform using the CMK. choices: ['Decrypt', 'Encrypt', 'GenerateDataKey', 'GenerateDataKeyWithoutPlaintext', 'ReEncryptFrom', 'ReEncryptTo', 'CreateGrant', 'RetireGrant', 'DescribeKey', 'Verify', 'Sign'] constraints: description: - Constraints is a dict containing V(encryption_context_subset) or V(encryption_context_equals), either or both being a dict specifying an encryption context match. See U(https://docs.aws.amazon.com/kms/latest/APIReference/API_GrantConstraints.html) or U(https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/kms.html#KMS.Client.create_grant) type: dict name: description: - A friendly name for the grant. - Use this value to prevent the unintended creation of duplicate grants when retrying this request. type: str policy: description: - Policy to apply to the KMS key. - See U(https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) type: json key_spec: aliases: - customer_master_key_spec description: - Specifies the type of KMS key to create. - The specification is not changeable once the key is created. type: str default: SYMMETRIC_DEFAULT choices: ['SYMMETRIC_DEFAULT', 'RSA_2048', 'RSA_3072', 'RSA_4096', 'ECC_NIST_P256', 'ECC_NIST_P384', 'ECC_NIST_P521', 'ECC_SECG_P256K1'] version_added: 2.1.0 version_added_collection: community.aws key_usage: description: - Determines the cryptographic operations for which you can use the KMS key. - The usage is not changeable once the key is created. type: str default: ENCRYPT_DECRYPT choices: ['ENCRYPT_DECRYPT', 'SIGN_VERIFY'] version_added: 2.1.0 version_added_collection: community.aws author: - Ted Timmons (@tedder) - Will Thames (@willthames) - Mark Chappell (@tremble) extends_documentation_fragment: - amazon.aws.common.modules - amazon.aws.region.modules - amazon.aws.tags - amazon.aws.boto3 notes: - There are known inconsistencies in the amount of time required for updates of KMS keys to be fully reflected on AWS. This can cause issues when running duplicate tasks in succession or using the M(amazon.aws.kms_key_info) module to fetch key metadata shortly after modifying keys. For this reason, it is recommended to use the return data from this module (M(amazon.aws.kms_key)) to fetch a key's metadata. - The C(policies) return key was removed in amazon.aws release 8.0.0. a # Create a new KMS key - amazon.aws.kms_key: alias: mykey tags: Name: myKey Purpose: protect_stuff # Create a new multi-region KMS key - amazon.aws.kms_key: alias: mykey multi_region: true tags: Name: myKey Purpose: protect_stuff # Update previous key with more tags - amazon.aws.kms_key: alias: mykey tags: Name: myKey Purpose: protect_stuff Owner: security_team # Update a known key with grants allowing an instance with the billing-prod IAM profile # to decrypt data encrypted with the environment: production, application: billing # encryption context - amazon.aws.kms_key: key_id: abcd1234-abcd-1234-5678-ef1234567890 grants: - name: billing_prod grantee_principal: arn:aws:iam::123456789012:role/billing_prod constraints: encryption_context_equals: environment: production application: billing operations: - Decrypt - RetireGrant - name: Update IAM policy on an existing KMS key amazon.aws.kms_key: alias: my-kms-key policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { } ]}' state: present - name: Example using lookup for policy json amazon.aws.kms_key: alias: my-kms-key policy: "{{ lookup('template', 'kms_iam_policy_template.json.j2') }}" state: present a| key_id: description: ID of key. type: str returned: always sample: "abcd1234-abcd-1234-5678-ef1234567890" key_arn: description: ARN of key. type: str returned: always sample: "arn:aws:kms:ap-southeast-2:123456789012:key/abcd1234-abcd-1234-5678-ef1234567890" key_state: description: - The state of the key. - Will be one of C('Creating'), C('Enabled'), C('Disabled'), C('PendingDeletion'), C('PendingImport'), C('PendingReplicaDeletion'), C('Unavailable'), or C('Updating'). type: str returned: always sample: "PendingDeletion" key_usage: description: The cryptographic operations for which you can use the key. type: str returned: always sample: "ENCRYPT_DECRYPT" origin: description: The source of the key's key material. When this value is C(AWS_KMS), AWS KMS created the key material. When this value is C(EXTERNAL), the key material was imported or the CMK lacks key material. type: str returned: always sample: "AWS_KMS" aws_account_id: description: The AWS Account ID that the key belongs to. type: str returned: always sample: "1234567890123" creation_date: description: Date and time of creation of the key. type: str returned: always sample: "2017-04-18T15:12:08.551000+10:00" deletion_date: description: Date and time after which KMS deletes this KMS key. type: str returned: when RV(key_state) is PendingDeletion sample: "2017-04-18T15:12:08.551000+10:00" version_added: 3.3.0 version_added_collection: community.aws description: description: Description of the key. type: str returned: always sample: "My Key for Protecting important stuff" enabled: description: Whether the key is enabled. True if RV(key_state) is V(Enabled). type: bool returned: always sample: false enable_key_rotation: description: Whether the automatic annual key rotation is enabled. Returns None if key rotation status can't be determined. type: bool returned: always sample: false aliases: description: List of aliases associated with the key. type: list returned: always sample: - aws/acm - aws/ebs key_policies: description: List of policy documents for the key. Empty when access is denied even if there are policies. type: list returned: always elements: dict sample: Version: "2012-10-17" Id: "auto-ebs-2" Statement: - Sid: "Allow access through EBS for all principals in the account that are authorized to use EBS" Effect: "Allow" Principal: AWS: "*" Action: - "kms:Encrypt" - "kms:Decrypt" - "kms:ReEncrypt*" - "kms:GenerateDataKey*" - "kms:CreateGrant" - "kms:DescribeKey" Resource: "*" Condition: StringEquals: kms:CallerAccount: "123456789012" kms:ViaService: "ec2.ap-southeast-2.amazonaws.com" - Sid: "Allow direct access to key metadata to the account" Effect: "Allow" Principal: AWS: "arn:aws:iam::123456789012:root" Action: - "kms:Describe*" - "kms:Get*" - "kms:List*" - "kms:RevokeGrant" Resource: "*" version_added: 3.3.0 version_added_collection: community.aws tags: description: Dictionary of tags applied to the key. Empty when access is denied even if there are tags. type: dict returned: always sample: Name: myKey Purpose: protecting_stuff grants: description: List of grants associated with a key. type: list elements: dict returned: always contains: constraints: description: Constraints on the encryption context that the grant allows. See U(https://docs.aws.amazon.com/kms/latest/APIReference/API_GrantConstraints.html) for further details type: dict returned: always sample: encryption_context_equals: "aws:lambda:_function_arn": "arn:aws:lambda:ap-southeast-2:123456789012:function:xyz" creation_date: description: Date of creation of the grant. type: str returned: always sample: "2017-04-18T15:12:08+10:00" grant_id: description: The unique ID for the grant. type: str returned: always sample: "abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234" grantee_principal: description: The principal that receives the grant's permissions. type: str returned: always sample: "arn:aws:sts::123456789012:assumed-role/lambda_xyz/xyz" issuing_account: description: The AWS account under which the grant was issued. type: str returned: always sample: "arn:aws:iam::123456789012:root" key_id: description: The key ARN to which the grant applies. type: str returned: always sample: "arn:aws:kms:ap-southeast-2:123456789012:key/abcd1234-abcd-1234-5678-ef1234567890" name: description: The friendly name that identifies the grant. type: str returned: always sample: "xyz" operations: description: The list of operations permitted by the grant. type: list returned: always sample: - Decrypt - RetireGrant retiring_principal: description: The principal that can retire the grant. type: str returned: always sample: "arn:aws:sts::123456789012:assumed-role/lambda_xyz/xyz" changes_needed: description: Grant types that would be changed/were changed. type: dict returned: always sample: { "role": "add", "role grant": "add" } had_invalid_entries: description: Whether there are invalid (non-ARN) entries in the KMS entry. These don't count as a change, but will be removed if any changes are being made. type: bool returned: always multi_region: description: - Indicates whether the CMK is a multi-Region C(True) or regional C(False) key. - This value is True for multi-Region primary and replica CMKs and False for regional CMKs. type: bool version_added: 5.5.0 returned: always sample: False customer_master_key_spec: description: Specifies the type of KMS key to create. type: str returned: always sample: "SYMMETRIC_DEFAULT" encryption_algorithms: description: The encryption algorithms that the KMS key supports. type: list elements: str returned: always sample: ["SYMMETRIC_DEFAULT"] key_manager: description: The manager of the KMS key. type: str returned: always sample: "AWS" key_spec: description: Specifies the type of KMS key to create. type: str returned: always sample: "SYMMETRIC_DEFAULT" N)camel_dict_to_snake_dict)is_boto3_error_code)AnsibleAWSModule)compare_policies)AWSRetry)ansible_dict_to_boto3_tag_list)boto3_tag_list_to_ansible_dict)compare_aws_tagsg@)retriesdelaybackoffc`|jd}|jjS)N list_keys get_paginatorpaginatebuild_full_result connection paginators f/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/amazon/aws/plugins/modules/kms_key.pyget_kms_keys_with_backoffrs*((5I     1 1 33c`|jd}|jjS)N list_aliasesrrs rget_kms_aliases_with_backoffrs*((8I     1 1 33rct}t|dD];}d|vs|d|vr||dj|ddd-|dddg||d<=|S)NAliases TargetKeyId AliasName)dictrappend)r_aliasesaliass rget_kms_aliases_lookupr'svH-j9)DJ E !]#x/}-.55eK6H6LM27 2DQR2H1I}-.J Orc *|jdd|i|S)NKeyId)list_resource_tags)rkey_idkwargss rget_kms_tags_with_backoffr.s (: ( ( @v @ @@rc|t|}|jd}|jdi|jS)Nr) list_grantsr*)r#rrr)rr,paramsrs rget_kms_grants_with_backoffr3s;  F((7I 9   ' ' 9 9 ;;rc&|j|S)Nr0) describe_key)rr,s rget_kms_metadata_with_backoffr6s  " " " 00rcd|jd}|j|jS)Nlist_key_policiesr0r)rr,rs rlist_key_policies_with_backoffr9s0(()<=I   F  + = = ??rc(|j||S)Nr) PolicyName)get_key_policy)rr, policy_names rget_key_policy_with_backoffr?s  $ $6k $ JJrchi}g}d}|rA t||fi|}|j|djdr |d|d<nd}|rA|S#td$ri}Y3tjj tjj f$r}|j|dYd}~d}~wwxYw) NTTagsAccessDeniedExceptionzFailed to obtain key tagsmsg NextMarkerMarkerF) r.extendrbotocore exceptions ClientError BotoCoreError fail_json_awsget)rmoduler,r-tagsmore tag_responsees r get_kms_tagsrSsF D D  E4ZR6RL KK V, -   L )+L9F8 D  K##:; L    + +    - -  E  (C D D  Es!A B16B1B,,B1c8 t||d}|Dcgc]}t|||dc}Scc}w#td$rgcYStjj tjj f$r}|j|dYd}~yd}~wwxYw)N PolicyNamesPolicyrBzFailed to obtain key policiesrC)r9r?rrHrIrJrKrL)rrNr,policiespolicyrRs rget_kms_policiesrY s E1*fEmT`hiV\+JGQiii 6 7 '')) E Q$CDD Es'4/44B6B<BBc||jdi}t|}d|vr |d|dd<d|vr |d|dd<|S)zGcamel_to_snake_grant snakifies everything except the encryption context ConstraintsEncryptionContextEquals constraintsencryption_context_equalsEncryptionContextSubsetencryption_context_subset)rMr)grantr]results rcamel_to_snake_grantrcs]))M2.K %e ,F K/=HIb=c}9: K/=HIb=c}9: MrcJ t||d}j d|d< t|} |j|}|jd|d <j|d g|d <t|} t||dDcgc] }t|c}|d<t|||}t|dd|d<t!|||} | D cgc]} t#j$| c} |d<|S#tjjtjjf$r}|j |dYd}~6d}~wwxYw#tjjtjjf$r}|j |dYd}~nd}~wwxYw#td d g$r d|d <YgwxYwcc}w#tjjtjjf$r}|j |dYd}~sd}~wwxYwcc} w)N KeyMetadatazFailed to obtain key metadatarCArnKeyArnzFailed to obtain aliasesr0KeyRotationEnabledenable_key_rotationrBUnsupportedOperationExceptionr)aliasesGrantsgrantszFailed to obtain key grantsTagKeyTagValuerO key_policies)r6rHrIrJrKrLpopr'get_key_rotation_statusrMrrr3rcrSr rYjsonloads) rrNr,rbrRrkcurrent_rotation_statusrarOrWrXs rget_key_detailsrv%s"E.z6B=Qzz%(F8@(4-","D"D6"D"R(?(C(CDX(Y$% F7OR8F9 %f -FC5PQ[]c5dem5n ,1  ' x  FF 3D3D(JOF6N FF;H?GHVdjj0HF> M;    + +X-@-@-N-N OEQ$CDDE    + +X-@-@-N-N O@Q$>??@  79XY Z-(,$%-     + +X-@-@-N-N OCQ$ABBC IsoC7 E&F'<G GGH 77E .EE 7F$FF$'G?GG7H?HHct|d|d}|jdr|d|d<|jdr|d|d<|jdr|d|d <|jd rQt|d <|d jd r|d d |d d <|d jdr|d d|d d<|S)Nkey_arngrantee_principal)r)GranteePrincipal operations Operationsretiring_principalRetiringPrincipalnameNamer]r[r`r_r^r\)r#rM)rakey grant_paramss rconvert_grant_paramsrHsc)nuEX?YZL yy%*<%8 \" yy%&,12F,G () yy$V} V yy&*f ]#   # #$? @EJ=EYZuEvL '(A B   # #$? @EJ=EYZuEvL '(A B rcJ|jd|jdk7ry|jd|jdk7ryt|jdgt|jdk7ry|jd|jdk7ryy)NryTr}r{r]F)rMset)existing_grant desired_grants rdifferent_grantrYs-.-2C2CDW2XX./=3D3DEY3ZZ >  lB /0C 8I8I,8W4XX-(M,=,=m,LL rctd|D}td|D}t|jt|jz }|r4t|jt|jz }n t}t|jt|jz}|D]7}t||||s|j ||j |9g} g} |D]} || } | j | |D]} || } | j | | | fS)Nc3*K|] }|d|f ywrNr*).0egs r z!compare_grants..fsDb"V*b)Dc3*K|] }|d|f ywrr*)rdgs rrz!compare_grants..gsBRFR(Br)r#rkeysraddr$) existing_grantsdesired_grants purge_grants existing_dict desired_dict to_add_keysto_remove_keysto_change_candidates candidateto_add to_removerras rcompare_grantsresCDODDMB>BBLl'')*S1C1C1E-FFK]//12S9J9J9L5MM}1134s<;L;L;N7OO)* =3\)5L M OOI &   y )* FIS! e c"  9 rc|ddk(ry|jryd|di}|jjdr|jjd|d< |jd i|y#tj j tj jf$r}|j|d Yd}~yd}~wwxYw) NKeyStatePendingDeletionFTr)rfpending_windowPendingWindowInDaysz#Failed to schedule key for deletionrCr*) check_moder2rMschedule_key_deletionrHrIrJrKrL)rrN key_metadatadeletion_paramsrRs rstart_key_deletionr~sJ#44  U 34O }})*171B1BCS1T-.K( ((;?;    + +X-@-@-N-N OKQ$IJJKsA++7B?"B::B?c|d}|ddk7ry|jry |j|d|d<y#tjjtjj f$r}|j |d Yd}~yd}~wwxYw) Nrx key_staterFTr0DisabledzFailed to cancel key deletionrC)rcancel_key_deletionrHrIrJrKrL)rrNrr,rRs rrrs ^F ;,, E&&V&4&K     + +X-@-@-N-N OEQ$CDD Es57B ,BB cd}|sd}|d|k(ry|d}|js*|r |j|y |j|y y #tjjtjj f$r}|j |dYd}~y d}~wwxYw#tjjtjj f$r}|j |d Yd}~y d}~wwxYw) NEnabledrrFrxr0zFailed to enable keyrCzFailed to disable keyT)r enable_keyrHrIrJrKrL disable_key)rrNrenabled desired_stater,rRs rensure_enabled_disabledrsM "  ;=( ^F     D%%F%3   E&&V&4 ''33X5H5H5V5VW D$$Q,B$CC  D ''33X5H5H5V5VW E$$Q,C$DD  Es.A B# 7B BB #7C7C22C7clt|}|y|d}t|d}||Dcgc]}|d c}vry|js |j||yycc}w#tj j tj jf$r}|j|dYd}~yd}~wwxYw) NFrxrr!)r r!zFailed create key aliasrCT) canonicalize_alias_namerr create_aliasrHrIrJrKrL)rrNrr&r,rk_aliasrRs r update_aliasrs #E *E } ^F*:6yAG 7; $;;    C  # #% # H < ##//1D1D1R1RS C  (A B B  Cs AA7B3B..B3c|y|d|k(ry|d}|js |j||yy#tjjtjj f$r}|j |dYd}~yd}~wwxYw)NF descriptionrx)r) Descriptionz Failed to update key descriptionrCT)rupdate_key_descriptionrHrIrJrKrL)rrNrrr,rRs rupdate_descriptionrs =[( ^F    L  - -F - T ##//1D1D1R1RS L  (J K K  Ls47B+BBcl|yt|d||\}}t|s t|sy|d}|jsH|r |j|||r0 t|jddd } |j|| y y #tj j tj jf$r}|j|dYd}~d}~wwxYw#tj j tj jf$r}|j|d Yd}~y d}~wwxYw) NFrOrx)r)TagKeyszUnable to remove tagrCrnrotag_name_key_nametag_value_key_name)r)rAzUnable to add tag to keyT) r boolruntag_resourcerHrIrJrKrLrr2 tag_resource) rrNr desired_tags purge_tagsrrr,rRrOs r update_tagsrs3(VlJOFI LDO ^F     D)) )J  H5MM&)&.'1 ''f4'@ ''33X5H5H5V5VW D$$Q,B$CC D''33X5H5H5V5VW H$$Q,F$GG  Hs0B.C7C?CC7D3D..D3ct|y tj|}|d} |j |d}tj|d}t|sy|js |j|d|y y #t$r}|j|dYd}~d}~wwxYw#t j jt j jf$ri}YwxYw#t j jt j jf$r}|j|d Yd}~y d}~wwxYw) NFz"Unable to parse new policy as JSONrCrxdefaultr;rV)r)r<rVzUnable to update key policyT) rsrt ValueErrorrLr=rHrIrJrKrrput_key_policy) rrNrrX new_policyrRr,keyretoriginal_policys r update_policyrs8 ~JZZ' ^F**I*N**VH%56 OZ 8    G  % %FyQW % X + JQ$HIIJ    + +X-@-@-N-N O##//1D1D1R1RS G  (E F F  Gs@A;+B$%C#; B!BB!$9C C #7D7D22D7cL|y|d} |j|}|jd|k(ry |js* |r|j|y |j| y y #td$rYGtjj tjj f$r}|j|dYd}~d}~wwxYw#tjj tjj f$r}|j|dYd}~y d}~wwxYw) NFrxr0rhrBz)Unable to get current key rotation statusrCz%Failed to enable/disable key rotationT) rrrMrrHrIrJrKrLrridisable_key_rotation)rrNrrir,rurRs rupdate_key_rotationrs6" ^F Q","D"D6"D"R " & &'; <@S S T    Q"..V.<  //f/= # 6 7  '')) Q Q$OPP Q##//1D1D1R1RS Q  (O P P  Qs:&A)CC)C 96C /CC 7D#DD#cb|d}t|||\}}t|s t|sy|d}|jsD|D]} |j|| d|D]!} t| |} |jd i| #y #tj j tj jf$r} |j| dYd} ~ d} ~ wwxYw#tj j tj jf$r} |j| dYd} ~ d} ~ wwxYw) NrmFrxgrant_id)r)GrantIdzUnable to retire grantrCzUnable to create grantTr*) rrr retire_grantrHrIrJrKrLr create_grant) rrNrrrrrrr,rarRrs r update_grantsr7s;(mO& UFI LDO ^F    FE F''feJ>O'P F  FE/s;L F' ''7,7 F ''33X5H5H5V5VW F$$Q,D$EE F ''33X5H5H5V5VW F$$Q,D$EE Fs0B.C7C:CC7D.D))D.c d}|t|||z}|t||||jdz}|t||||jdz}|t ||||jdz}|t ||||jd|jj dz}|t||||jj dz}|t||||jj d|jj d z}|t||||jj d z}t|||d }||d <|S) NFrr&rrOrrXrmrrirxchanged) rrr2rrrrMrrrrv)rrNrrrbs r update_keyrOsMG ":vs;;G &z63 i@XYYG |JV]]75KLLG !*fc6==;WXXG {:vsFMM&4I6==K\K\]iKjkkG }Zfmm6G6G6QRRG }Zfmm6G6G6QSYS`S`SdSdesStuuG ":vsFMMCVS&--*@A FC1B1BCX1YZJV]]5F5Fy5QR*fc6==+<+ ?E A 0VD]S S,Z? NN  2 2    + +X-@-@-N-N OAQ ?@@As"AAB3!6B3B..B3cx|jjddk(rL|jjdr1|s/|jd|jjdd|jjdr5|r2|jjddk(r|jdyyyy) Nstatepresentr,zCould not find key with id z to updaterCrz?You cannot change the multi-region property on an existing key.)r2rM fail_json)rNrs rvalidate_paramsrs }}!Y.6==3D3DX3NWc:6==;L;LX;V:WWabc }}(\fmm>O>OPW>X\e>e^_?f\(rcttdgtdgdtdgttdd tdd td d g tdd tdgd tdtdd tdddgtdtdddggdtddddg}td|ddgg }|jd!}t|||jj d|jj d}t |||jj d"dk(r3||jd #t|||}|jd%i||r/t|||d$}t|||}|jd%i|t||}|jd%i|y)&N key_alias)rkdeletion_delayint)rktyperxrT)rrFr# resource_tags)rrklist)rrelementsrs)rrabsent)rchoicesstrSYMMETRIC_DEFAULTcustomer_master_key_spec)rRSA_2048RSA_3072RSA_4096 ECC_NIST_P256 ECC_NIST_P384 ECC_NIST_P521ECC_SECG_P256K1)rrrkrENCRYPT_DECRYPT SIGN_VERIFY)rrr)r&rr,rrrrOrrmrXrrrirrr&r,)supports_check_mode argument_specrequired_one_ofkmsr)rrfr*) r#rclientrr2rMr exit_jsonrrvrr)r rNrrrb key_detailss rmainrsK=)%5$6UCYK(F&$/vu5 v'8 9VT2f= vu59y(.CD!v.'/0   %& 6 ;"MH #!8,-F -- C%c66==3D3DX3NPVP]P]PaPabiPjkLFL) }}!X-     U  +C6"6"%c6<3FG C5"6" V $FFvr__main__)F)5 DOCUMENTATIONEXAMPLESRETURNrsrH ImportError0ansible.module_utils.common.dict_transformationsrr!s^ @3 jP d  V\XWPffX1As;4<4 1As;4<4 1As;A<A1As;<<< 1As;1<11As;@<@ 1As;K<K0 E F" 2K$&0*  :::0$)XA,`<~ zFU  sEEE