VhUdZdZdZddlZddlZddlmZ ddlZddl m Z ddl m Z ddl mZdd l mZdd l mZdd lmZd Zd ZdZej.dZdZdZdZdZdZdZedk(reyy#e$rYfwxYw)aX --- module: acm_certificate short_description: Upload and delete certificates in the AWS Certificate Manager service version_added: 1.0.0 description: - > Import and delete certificates in Amazon Web Service's Certificate Manager (AWS ACM). - > This module does not currently interact with AWS-provided certificates. It currently only manages certificates provided to AWS by the user. - The ACM API allows users to upload multiple certificates for the same domain name, and even multiple identical certificates. This module attempts to restrict such freedoms, to be idempotent, as per the Ansible philosophy. It does this through applying AWS resource "Name" tags to ACM certificates. - > When I(state=present), if there is one certificate in ACM with a C(Name) tag equal to the I(name_tag) parameter, and an identical body and chain, this task will succeed without effect. - > When I(state=present), if there is one certificate in ACM a I(Name) tag equal to the I(name_tag) parameter, and a different body, this task will overwrite that certificate. - > When I(state=present), if there are multiple certificates in ACM with a I(Name) tag equal to the I(name_tag) parameter, this task will fail. - > When I(state=absent) and I(certificate_arn) is defined, this module will delete the ACM resource with that ARN if it exists in this region, and succeed without effect if it doesn't exist. - > When I(state=absent) and I(domain_name) is defined, this module will delete all ACM resources in this AWS region with a corresponding domain name. If there are none, it will succeed without effect. - > When I(state=absent) and I(certificate_arn) is not defined, and I(domain_name) is not defined, this module will delete all ACM resources in this AWS region with a corresponding I(Name) tag. If there are none, it will succeed without effect. - > Note that this may not work properly with keys of size 4096 bits, due to a limitation of the ACM API. - Prior to release 5.0.0 this module was called C(community.aws.aws_acm). The usage did not change. options: certificate: description: - The body of the PEM encoded public certificate. - Required when I(state) is not C(absent) and the certificate does not exist. - > If your certificate is in a file, use C(lookup('file', 'path/to/cert.pem')). type: str certificate_arn: description: - The ARN of a certificate in ACM to modify or delete. - > If I(state=present), the certificate with the specified ARN can be updated. For example, this can be used to add/remove tags to an existing certificate. - > If I(state=absent), you must provide one of I(certificate_arn), I(domain_name) or I(name_tag). - > If I(state=absent) and no resource exists with this ARN in this region, the task will succeed with no effect. - > If I(state=absent) and the corresponding resource exists in a different region, this task may report success without deleting that resource. type: str aliases: [arn] certificate_chain: description: - The body of the PEM encoded chain for your certificate. - > If your certificate chain is in a file, use C(lookup('file', 'path/to/chain.pem')). - Ignored when I(state=absent) type: str domain_name: description: - The domain name of the certificate. - > If I(state=absent) and I(domain_name) is specified, this task will delete all ACM certificates with this domain. - > Exactly one of I(domain_name), I(name_tag) and I(certificate_arn) must be provided. - > If I(state=present) this must not be specified. (Since the domain name is encoded within the public certificate's body.) type: str aliases: [domain] name_tag: description: - > The unique identifier for tagging resources using AWS tags, with key I(Name). - This can be any set of characters accepted by AWS for tag values. - > This is to ensure Ansible can treat certificates idempotently, even though the ACM API allows duplicate certificates. - If I(state=preset), this must be specified. - > If I(state=absent) and I(name_tag) is specified, this task will delete all ACM certificates with this Name tag. - > If I(state=absent), you must provide exactly one of I(certificate_arn), I(domain_name) or I(name_tag). - > If both I(name_tag) and the 'Name' tag in I(tags) are set, the values must be the same. - > If the 'Name' tag in I(tags) is not set and I(name_tag) is set, the I(name_tag) value is copied to I(tags). type: str aliases: [name] private_key: description: - The body of the PEM encoded private key. - Required when I(state=present) and the certificate does not exist. - Ignored when I(state=absent). - > If your private key is in a file, use C(lookup('file', 'path/to/key.pem')). type: str state: description: - > If I(state=present), the specified public certificate and private key will be uploaded, with I(Name) tag equal to I(name_tag). - > If I(state=absent), any certificates in this region with a corresponding I(domain_name), I(name_tag) or I(certificate_arn) will be deleted. choices: [present, absent] default: present type: str notes: - Support for I(tags) and I(purge_tags) was added in release 3.2.0 author: - Matthew Davis (@matt-telstra) on behalf of Telstra Corporation Limited extends_documentation_fragment: - amazon.aws.common.modules - amazon.aws.region.modules - amazon.aws.tags - amazon.aws.boto3 a[ - name: upload a self-signed certificate community.aws.acm_certificate: certificate: "{{ lookup('file', 'cert.pem' ) }}" privateKey: "{{ lookup('file', 'key.pem' ) }}" name_tag: my_cert # to be applied through an AWS tag as "Name":"my_cert" region: ap-southeast-2 # AWS region - name: create/update a certificate with a chain community.aws.acm_certificate: certificate: "{{ lookup('file', 'cert.pem' ) }}" private_key: "{{ lookup('file', 'key.pem' ) }}" name_tag: my_cert certificate_chain: "{{ lookup('file', 'chain.pem' ) }}" state: present region: ap-southeast-2 register: cert_create - name: print ARN of cert we just created ansible.builtin.debug: var: cert_create.certificate.arn - name: delete the cert we just created community.aws.acm_certificate: name_tag: my_cert state: absent region: ap-southeast-2 - name: delete a certificate with a particular ARN community.aws.acm_certificate: certificate_arn: "arn:aws:acm:ap-southeast-2:123456789012:certificate/01234567-abcd-abcd-abcd-012345678901" state: absent region: ap-southeast-2 - name: delete all certificates with a particular domain name community.aws.acm_certificate: domain_name: acm.ansible.com state: absent region: ap-southeast-2 - name: add tags to an existing certificate with a particular ARN community.aws.acm_certificate: certificate_arn: "arn:aws:acm:ap-southeast-2:123456789012:certificate/01234567-abcd-abcd-abcd-012345678901" tags: Name: my_certificate Application: search Environment: development purge_tags: true a/ certificate: description: Information about the certificate which was uploaded type: complex returned: when I(state=present) contains: arn: description: The ARN of the certificate in ACM type: str returned: when I(state=present) and not in check mode sample: "arn:aws:acm:ap-southeast-2:123456789012:certificate/01234567-abcd-abcd-abcd-012345678901" domain_name: description: The domain name encoded within the public certificate type: str returned: when I(state=present) sample: acm.ansible.com arns: description: A list of the ARNs of the certificates in ACM which were deleted type: list elements: str returned: when I(state=absent) sample: - "arn:aws:acm:ap-southeast-2:123456789012:certificate/01234567-abcd-abcd-abcd-012345678901" N)deepcopy)to_text)ACMServiceManager)ansible_dict_to_boto3_tag_list)boto3_tag_list_to_ansible_dict)compare_aws_tags)AnsibleCommunityAWSModulec |d|fSt|||\}}t|xs|}|r)|js |j|t ||rA|js5|D cgc]} | |j| d} } |j|| t|} |jD] \} } | | | < |D]} | j| d|| fS#t j jt j jf$r} |j| d|Yd} ~ d} ~ wwxYwcc} w#t j jt j jf$r} |j| d|Yd} ~ d} ~ wwxYw)NF)CertificateArnTagsz!Couldn't add tags to certificate )KeyValuez&Couldn't remove tags from certificate )rbool check_modeadd_tags_to_certificaterbotocore exceptions ClientError BotoCoreError fail_json_awsgetremove_tags_from_certificateritemspop)clientmodule resource_arn existing_tagstags purge_tags tags_to_addtags_to_removechangedekey tags_listnew_tagsvalues q/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/community/aws/plugins/modules/acm_certificate.py ensure_tagsr*s |}%%"2=$ "SK;0.1G6,, X  * *+3K@ + f//N\]sS=+<+  c tjt|}|S#ttf$r}|j |dYd}~Sd}~wwxYw)Nz"Unable to decode certificate chainmsg)base64 b64decoder ValueError TypeErrorr)rpemderr$s r)r/r/EsXJws|, J  "JQ$HII JJs"AA  Azg------?BEGIN [A-Z0-9. ]*CERTIFICATE------?([a-zA-Z0-9\+\/=\s]+)------?END [A-Z0-9. ]*CERTIFICATE------?ctjtt|}t |dk(r|j d|S)Nrz>Unable to split certificate chain. Possibly zero-length chain?r;)refindallpem_chain_split_regexrr- fail_json)rrApem_arrs r)r,r,Ws:jj. =G 7|q]^ Nr9c |jdd|vsd|dvr|jd||jjd7|dd|jjdk7r|jd|d |vr|jd |d}d }|jjd p|t ||d |jd z}|jd r!|t ||d |jd z}n |t ||d |jd z}|r|jd |d}d}||fSgd}t |D cgc]} |j| duc} dkr|jd|jdd }|j r |d}||fS|j|||jd |jd|jd |d|}||fScc} w)zN Update the existing certificate that was previously imported in ACM. z!Existing certificate found in ACMrNamez2Internal error, unsure which certificate to update)r< certificatename_tagNz'Internal error, Name tag does not matchrKz7Internal error, unsure what the existing cert in ACM isTcertificate_chainz'Existing certificate in ACM is the samecertificate_arnFrKrL private_keyzbWhen importing a certificate, all of 'name_tag', 'certificate' and 'private_key' must be specifiedr;z5Existing certificate in ACM is different, overwritingrP)rKrPrMarnr)debugrGparamsrr8sumrimport_certificate) rracmold_cert desired_tagscert_arnsamer# absent_argsr0s r)update_imported_certificater]asE LL45hF(62B$BQ_gh }}$0hv6Fv6NRXR_R_RcRcdnRo6o FT\]H$VdlmH D }}'3 fh}&=v}}]?[\\ ==, - M&(3F*GWjIkl lD M&(3F*GWdIef fD  >?-.. X +A  D1q!-D E I   x    LM    12H X --"MM-8"MM-8"(--0C"D./!.H X )EsG5cgd}d}t|Dcgc]}|j|duc}dkr|jd|jdd}|jr#d}|j t | d ||fS|j|||jd |jd |jd |}||fScc}w)z& Import a certificate to ACM. rONrQzfWhen importing a new certificate, all of 'name_tag', 'certificate' and 'private_key' must be specifiedr;z(No certificate in ACM. Creating new one.Tz example.com) domain_namerKr#rKrPrM)rKrPrMr)rUrTrGrSr exit_jsondictrV) rrrWrYr\rZr0r#domains r)rVrVs =KH K @qV]]1 T ) @AAEx   LL;<G Tf%=tL X ))   m4 m4$mm,?@ *  X % AsCcd}d}t|dkDr'd|jdd}|j||n5t|dk(rt||||d|\}}nt ||||\}} t |j |d } |jjd } t||| || \} } || z}|j||| }|jt!||| |y#tjjtjjf$r} |j| d Yd} ~ d} ~ wwxYw)NFz$More than one certificate with Name=rLz exists in ACM in this region)r< certificatesr)r r z!Couldn't get tags for certificater )rrrR)r_rRrr`)r-rTrGr]rVrlist_tags_for_certificaterrrrrrr*get_domain_of_certrarb)rrrWrfrY filter_tagsrZr#r<rr$r cr'rcs r)ensure_certificates_presentrks]HG <14V]]:5N4OOlmS|< \ a 9&&#|\]`lm(1lS(E6  , ,H , Ef M ""<0J-WabMQ qLG  # #6&h # OF &hX!V`gh    + +X-@-@-N-N OEQ CDDEs0C557E,EEc|D]%}|jr|j|||d'|j|Dcgc]}|d c}t|dkDycc}w)NrNr)arnsr#)rdelete_certificaterar-)rrrWrfcerts r)ensure_certificates_absentrpsjL   " "6648I3J KL |Lt4 12LWZ[gWhklWlnLs Actttdgttdgtdgtdtddg td d td d d g }t|d}t|}|jdd k(rlgd}t |Dcgc]}|j|duc}dkr|D]%}|j |d|j|'|j dnkgd}t |Dcgc]}|j|duc}dk7r<|D]%}|j |d|j|'|j dd}d}|jjd|jd}nd|jd<|jjdet|jd}|?d|vr(|d|jdk7r1|j dn|jd|d<n t|}|jd}|j|||jd |jd!|"}|j d#t|d$|jdd k(rt||||||yt||||ycc}wcc}w)%NrR)aliasesrcnameT)no_logrb resource_tags)typerrr)rvdefaultpresentabsent)rwchoices) rKrNrMr_rLrPrr state) argument_specsupports_check_moder{)rNr_rLrez is zzIf 'state' is specified as 'present' then at least one of 'name_tag', 'certificate_arn' or 'domain_name' must be specifiedr;zxIf 'state' is specified as 'absent' then exactly one of 'name_tag', 'certificate_arn' or 'domain_name' must be specifiedrFr rL)rJrJz7Value of 'name_tag' conflicts with value of 'tags.Name'rWr_rN)rrr_rR only_tagszFound z" corresponding certificates in ACM)rbAnsibleAWSModulerrTrUrSrGrrrget_certificatesr-rkrp) r|rrWr\r0rirYrrfs r)mainrsFeW-&(,vh'% v'8 9VT29y(.CD M# F F #C}}W*D  D1q!-D E I  ; s$v}}Q'7&89: ;   Q   E  D1q!-D E J  ; s$v}}Q'7&89: ;   O  KL }} ,}}V, ', l# }}$0  j 9:  #%'6==+DD$$)b$c'-}}Z'@ V$#K0L ]]5 !F''MM-0 MM+ , (L LL6#l+,,NOP }}W*#FFC|U`a #663 EmEEs +KK __main__) DOCUMENTATIONEXAMPLESRETURNr=rDcopyrr ImportErroransible.module_utils._textr7ansible_collections.amazon.aws.plugins.module_utils.acmr;ansible_collections.amazon.aws.plugins.module_utils.taggingrrr>ansible_collections.community.aws.plugins.module_utils.modulesr rr*r8r/compilerFr,r]rVrkrpr__name__r9r)rsZ x1 f 4  /UffXx#V&# n8v8i8oLF^ zFa   sA99BB