community.aws
Secret replication when 3 or more regions being set does not work correctly
Summary
Everything seems to work fine when replicating to 2 or fewer regions, but with 3 or more, a bizarre toggling situation occurs.
On the first addition of replica regions to a secret, regardless of whether the secret is new or pre-existing without regional replication, the replica regions are added as expected.
When you run that same task with the same values a second time, the first region in your replica list remains and all the other regions get removed.
Run it a third time and it removes the 1st region in your replica list and adds all the remaining regions.
From here on it keeps toggling between pushing only the first replica region and pushing all the others, each time you run the task.
Issue Type
Bug Report
Component Name
secretsmanager_secret
Ansible Version
$ ansible --version
ansible [core 2.14.5]
config file = None
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/lib/python3.9/site-packages/ansible
ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/local/bin/ansible
python version = 3.9.16 (main, Apr 12 2023, 14:54:44) [GCC 10.2.1 20210110] (/usr/local/bin/python)
jinja version = 3.1.2
libyaml = True
Collection Versions
$ ansible-galaxy collection list
# /root/.ansible/collections/ansible_collections
Collection Version
------------------ -------
amazon.aws 5.4.0
azure.azcollection 1.15.0
# /usr/local/lib/python3.9/site-packages/ansible_collections
Collection Version
----------------------------- -------
amazon.aws 5.4.0
ansible.netcommon 4.1.0
ansible.posix 1.5.1
ansible.utils 2.9.0
ansible.windows 1.13.0
arista.eos 6.0.0
awx.awx 21.14.0
azure.azcollection 1.15.0
check_point.mgmt 4.0.0
chocolatey.chocolatey 1.4.0
cisco.aci 2.4.0
cisco.asa 4.0.0
cisco.dnac 6.6.4
cisco.intersight 1.0.24
cisco.ios 4.4.0
cisco.iosxr 4.1.0
cisco.ise 2.5.12
cisco.meraki 2.15.1
cisco.mso 2.2.1
cisco.nso 1.0.3
cisco.nxos 4.1.0
cisco.ucs 1.8.0
cloud.common 2.1.3
cloudscale_ch.cloud 2.2.4
community.aws 5.4.0
community.azure 2.0.0
community.ciscosmb 1.0.5
community.crypto 2.11.1
community.digitalocean 1.23.0
community.dns 2.5.2
community.docker 3.4.3
community.fortios 1.0.0
community.general 6.5.0
community.google 1.0.0
community.grafana 1.5.4
community.hashi_vault 4.2.0
community.hrobot 1.8.0
community.libvirt 1.2.0
community.mongodb 1.5.1
community.mysql 3.6.0
community.network 5.0.0
community.okd 2.3.0
community.postgresql 2.3.2
community.proxysql 1.5.1
community.rabbitmq 1.2.3
community.routeros 2.8.0
community.sap 1.0.0
community.sap_libs 1.4.1
community.skydive 1.0.0
community.sops 1.6.1
community.vmware 3.5.0
community.windows 1.12.0
community.zabbix 1.9.2
containers.podman 1.10.1
cyberark.conjur 1.2.0
cyberark.pas 1.0.17
dellemc.enterprise_sonic 2.0.0
dellemc.openmanage 6.3.0
dellemc.os10 1.1.1
dellemc.os6 1.0.7
dellemc.os9 1.0.4
dellemc.powerflex 1.5.0
dellemc.unity 1.5.0
f5networks.f5_modules 1.23.0
fortinet.fortimanager 2.1.7
fortinet.fortios 2.2.3
frr.frr 2.0.0
gluster.gluster 1.0.2
google.cloud 1.1.3
grafana.grafana 1.1.1
hetzner.hcloud 1.10.0
hpe.nimble 1.1.4
ibm.qradar 2.1.0
ibm.spectrum_virtualize 1.11.0
infinidat.infinibox 1.3.12
infoblox.nios_modules 1.4.1
inspur.ispim 1.3.0
inspur.sm 2.3.0
junipernetworks.junos 4.1.0
kubernetes.core 2.4.0
lowlydba.sqlserver 1.3.1
mellanox.onyx 1.0.0
netapp.aws 21.7.0
netapp.azure 21.10.0
netapp.cloudmanager 21.22.0
netapp.elementsw 21.7.0
netapp.ontap 22.4.1
netapp.storagegrid 21.11.1
netapp.um_info 21.8.0
netapp_eseries.santricity 1.4.0
netbox.netbox 3.11.0
ngine_io.cloudstack 2.3.0
ngine_io.exoscale 1.0.0
ngine_io.vultr 1.1.3
openstack.cloud 1.10.0
openvswitch.openvswitch 2.1.0
ovirt.ovirt 2.4.1
purestorage.flasharray 1.17.2
purestorage.flashblade 1.10.0
purestorage.fusion 1.4.1
sensu.sensu_go 1.13.2
splunk.es 2.1.0
t_systems_mms.icinga_director 1.32.2
theforeman.foreman 3.9.0
vmware.vmware_rest 2.3.1
vultr.cloud 1.7.0
vyos.vyos 4.0.1
wti.remote 1.0.4
AWS SDK versions
$ pip show boto boto3 botocore
WARNING: Package(s) not found: boto
Name: boto3
Version: 1.26.118
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: /usr/local/lib/python3.9/site-packages
Requires: botocore, jmespath, s3transfer
Required-by: aws-sam-translator
---
Name: botocore
Version: 1.29.118
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: /usr/local/lib/python3.9/site-packages
Requires: jmespath, python-dateutil, urllib3
Required-by: awscli, boto3, s3transfer
Configuration
$ ansible-config dump --only-changed
CONFIG_FILE() = None
OS / Environment
Python 3.9 docker image latest
Steps to Reproduce
---
- hosts: 127.0.0.1
  connection: local
  vars:
    secrets:
      - name: /shared/replica
        description: Testing replication
        region: us-east-1
        replica:
          - region: us-west-2
          - region: eu-central-1
          - region: eu-west-1
          - region: ap-southeast-1
          - region: ap-southeast-2
        content:
          test_value: foobar
  tasks:
    - name: Creating AWS Secrets
      aws_secret:
        name: "{{ secret.name }}"
        description: "{{ secret.description }}"
        region: "{{ secret.region }}"
        replica: "{{ secret.replica }}"
        state: present
        secret_type: string
        secret: "{{ secret.content | to_json() }}"
      with_items: "{{ secrets }}"
      loop_control:
        loop_var: secret
        label: "{{ secret.name }}: {{ secret.description }}"
Expected Results
I expect that when I run that task multiple times, the secret does not change and is not left with only a subset of the desired replication regions functioning.
Actual Results
1st Run
Works as expected. All 5 regional replications are in place.
root@3c5246c9a208:~/s/1# ansible-playbook playbooks/sync-secrets-playbook.yml -vvv
ansible-playbook [core 2.14.5]
config file = None
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/lib/python3.9/site-packages/ansible
ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/local/bin/ansible-playbook
python version = 3.9.16 (main, Apr 12 2023, 14:54:44) [GCC 10.2.1 20210110] (/usr/local/bin/python)
jinja version = 3.1.2
libyaml = True
No config file found; using defaults
host_list declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
script declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
auto declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
yaml declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
ini declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
toml declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
redirecting (type: modules) ansible.builtin.aws_secret to community.aws.aws_secret
redirecting (type: modules) community.aws.aws_secret to community.aws.secretsmanager_secret
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.
PLAYBOOK: sync-secrets-playbook.yml ************************************************************************************************************************************************************
1 plays in playbooks/sync-secrets-playbook.yml
PLAY [127.0.0.1] *******************************************************************************************************************************************************************************
TASK [Gathering Facts] *************************************************************************************************************************************************************************
task path: /root/s/1/playbooks/sync-secrets-playbook.yml:2
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: root
<127.0.0.1> EXEC /bin/sh -c 'echo ~root && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp `"&& mkdir "` echo /root/.ansible/tmp/ansible-tmp-1682374313.337086-3411-21455598508567 `" && echo ansible-tmp-1682374313.337086-3411-21455598508567="` echo /root/.ansible/tmp/ansible-tmp-1682374313.337086-3411-21455598508567 `" ) && sleep 0'
Using module file /usr/local/lib/python3.9/site-packages/ansible/modules/setup.py
<127.0.0.1> PUT /root/.ansible/tmp/ansible-local-3405g4quqebd/tmp2ct7v48c TO /root/.ansible/tmp/ansible-tmp-1682374313.337086-3411-21455598508567/AnsiballZ_setup.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1682374313.337086-3411-21455598508567/ /root/.ansible/tmp/ansible-tmp-1682374313.337086-3411-21455598508567/AnsiballZ_setup.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/usr/local/bin/python /root/.ansible/tmp/ansible-tmp-1682374313.337086-3411-21455598508567/AnsiballZ_setup.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1682374313.337086-3411-21455598508567/ > /dev/null 2>&1 && sleep 0'
ok: [127.0.0.1]
TASK [Creating AWS Secrets] ********************************************************************************************************************************************************************
task path: /root/s/1/playbooks/sync-secrets-playbook.yml:21
redirecting (type: modules) ansible.builtin.aws_secret to community.aws.aws_secret
redirecting (type: modules) community.aws.aws_secret to community.aws.secretsmanager_secret
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: root
<127.0.0.1> EXEC /bin/sh -c 'echo ~root && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp `"&& mkdir "` echo /root/.ansible/tmp/ansible-tmp-1682374314.7325656-3451-15162840059048 `" && echo ansible-tmp-1682374314.7325656-3451-15162840059048="` echo /root/.ansible/tmp/ansible-tmp-1682374314.7325656-3451-15162840059048 `" ) && sleep 0'
redirecting (type: modules) ansible.builtin.aws_secret to community.aws.aws_secret
redirecting (type: modules) community.aws.aws_secret to community.aws.secretsmanager_secret
Using module file /usr/local/lib/python3.9/site-packages/ansible_collections/community/aws/plugins/modules/secretsmanager_secret.py
<127.0.0.1> PUT /root/.ansible/tmp/ansible-local-3405g4quqebd/tmp0606h43k TO /root/.ansible/tmp/ansible-tmp-1682374314.7325656-3451-15162840059048/AnsiballZ_secretsmanager_secret.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1682374314.7325656-3451-15162840059048/ /root/.ansible/tmp/ansible-tmp-1682374314.7325656-3451-15162840059048/AnsiballZ_secretsmanager_secret.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/usr/local/bin/python /root/.ansible/tmp/ansible-tmp-1682374314.7325656-3451-15162840059048/AnsiballZ_secretsmanager_secret.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1682374314.7325656-3451-15162840059048/ > /dev/null 2>&1 && sleep 0'
changed: [127.0.0.1] => (item=/shared/replica: Testing replication) => {
"ansible_loop_var": "secret",
"changed": true,
"invocation": {
"module_args": {
"access_key": null,
"aws_ca_bundle": null,
"aws_config": null,
"debug_botocore_endpoint_logs": false,
"description": "Testing replication",
"endpoint_url": null,
"json_secret": null,
"kms_key_id": null,
"name": "/shared/replica",
"overwrite": true,
"profile": null,
"purge_tags": true,
"recovery_window": 30,
"region": "us-east-1",
"replica": [
{
"kms_key_id": null,
"region": "us-west-2"
},
{
"kms_key_id": null,
"region": "eu-central-1"
},
{
"kms_key_id": null,
"region": "eu-west-1"
},
{
"kms_key_id": null,
"region": "ap-southeast-1"
},
{
"kms_key_id": null,
"region": "ap-southeast-2"
}
],
"resource_policy": null,
"rotation_interval": 30,
"rotation_lambda": null,
"secret": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"secret_key": null,
"secret_type": "string",
"session_token": null,
"state": "present",
"tags": null,
"validate_certs": true
}
},
"secret": {
"content": {
"test_value": "foobar"
},
"description": "Testing replication",
"name": "/shared/replica",
"region": "us-east-1",
"replica": [
{
"region": "us-west-2"
},
{
"region": "eu-central-1"
},
{
"region": "eu-west-1"
},
{
"region": "ap-southeast-1"
},
{
"region": "ap-southeast-2"
}
]
}
}
PLAY RECAP *************************************************************************************************************************************************************************************
127.0.0.1 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
2nd Run
Removes all but the 1st region in the replica, aka us-west-2
root@3c5246c9a208:~/s/1# ansible-playbook playbooks/sync-secrets-playbook.yml -vvv
TASK [Creating AWS Secrets] ********************************************************************************************************************************************************************
task path: /root/s/1/playbooks/sync-secrets-playbook.yml:21
redirecting (type: modules) ansible.builtin.aws_secret to community.aws.aws_secret
redirecting (type: modules) community.aws.aws_secret to community.aws.secretsmanager_secret
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: root
<127.0.0.1> EXEC /bin/sh -c 'echo ~root && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp `"&& mkdir "` echo /root/.ansible/tmp/ansible-tmp-1682374458.7218146-3524-147707662750733 `" && echo ansible-tmp-1682374458.7218146-3524-147707662750733="` echo /root/.ansible/tmp/ansible-tmp-1682374458.7218146-3524-147707662750733 `" ) && sleep 0'
redirecting (type: modules) ansible.builtin.aws_secret to community.aws.aws_secret
redirecting (type: modules) community.aws.aws_secret to community.aws.secretsmanager_secret
Using module file /usr/local/lib/python3.9/site-packages/ansible_collections/community/aws/plugins/modules/secretsmanager_secret.py
<127.0.0.1> PUT /root/.ansible/tmp/ansible-local-3478u08mp3cn/tmp13f9ogt6 TO /root/.ansible/tmp/ansible-tmp-1682374458.7218146-3524-147707662750733/AnsiballZ_secretsmanager_secret.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1682374458.7218146-3524-147707662750733/ /root/.ansible/tmp/ansible-tmp-1682374458.7218146-3524-147707662750733/AnsiballZ_secretsmanager_secret.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/usr/local/bin/python /root/.ansible/tmp/ansible-tmp-1682374458.7218146-3524-147707662750733/AnsiballZ_secretsmanager_secret.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1682374458.7218146-3524-147707662750733/ > /dev/null 2>&1 && sleep 0'
changed: [127.0.0.1] => (item=/shared/replica: Testing replication) => {
"ansible_loop_var": "secret",
"changed": true,
"invocation": {
"module_args": {
"access_key": null,
"aws_ca_bundle": null,
"aws_config": null,
"debug_botocore_endpoint_logs": false,
"description": "Testing replication",
"endpoint_url": null,
"json_secret": null,
"kms_key_id": null,
"name": "/shared/replica",
"overwrite": true,
"profile": null,
"purge_tags": true,
"recovery_window": 30,
"region": "us-east-1",
"replica": [],
"resource_policy": null,
"rotation_interval": 30,
"rotation_lambda": null,
"secret": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"secret_key": null,
"secret_type": "string",
"session_token": null,
"state": "present",
"tags": null,
"validate_certs": true
}
},
"secret": {
"content": {
"test_value": "foobar"
},
"description": "Testing replication",
"name": "/shared/replica",
"region": "us-east-1",
"replica": [
{
"region": "us-west-2"
},
{
"region": "eu-central-1"
},
{
"region": "eu-west-1"
},
{
"region": "ap-southeast-1"
},
{
"region": "ap-southeast-2"
}
]
}
}
PLAY RECAP *************************************************************************************************************************************************************************************
127.0.0.1 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
3rd Run
Removes the 1st region in the replica (us-west-2) and adds the other 4
root@3c5246c9a208:~/s/1# ansible-playbook playbooks/sync-secrets-playbook.yml -vvv
TASK [Creating AWS Secrets] ********************************************************************************************************************************************************************
task path: /root/s/1/playbooks/sync-secrets-playbook.yml:21
redirecting (type: modules) ansible.builtin.aws_secret to community.aws.aws_secret
redirecting (type: modules) community.aws.aws_secret to community.aws.secretsmanager_secret
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: root
<127.0.0.1> EXEC /bin/sh -c 'echo ~root && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp `"&& mkdir "` echo /root/.ansible/tmp/ansible-tmp-1682374537.8492842-3597-218672037715885 `" && echo ansible-tmp-1682374537.8492842-3597-218672037715885="` echo /root/.ansible/tmp/ansible-tmp-1682374537.8492842-3597-218672037715885 `" ) && sleep 0'
redirecting (type: modules) ansible.builtin.aws_secret to community.aws.aws_secret
redirecting (type: modules) community.aws.aws_secret to community.aws.secretsmanager_secret
Using module file /usr/local/lib/python3.9/site-packages/ansible_collections/community/aws/plugins/modules/secretsmanager_secret.py
<127.0.0.1> PUT /root/.ansible/tmp/ansible-local-35519zr8m_4k/tmp4pl9_1vy TO /root/.ansible/tmp/ansible-tmp-1682374537.8492842-3597-218672037715885/AnsiballZ_secretsmanager_secret.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1682374537.8492842-3597-218672037715885/ /root/.ansible/tmp/ansible-tmp-1682374537.8492842-3597-218672037715885/AnsiballZ_secretsmanager_secret.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/usr/local/bin/python /root/.ansible/tmp/ansible-tmp-1682374537.8492842-3597-218672037715885/AnsiballZ_secretsmanager_secret.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1682374537.8492842-3597-218672037715885/ > /dev/null 2>&1 && sleep 0'
changed: [127.0.0.1] => (item=/shared/replica: Testing replication) => {
"ansible_loop_var": "secret",
"changed": true,
"invocation": {
"module_args": {
"access_key": null,
"aws_ca_bundle": null,
"aws_config": null,
"debug_botocore_endpoint_logs": false,
"description": "Testing replication",
"endpoint_url": null,
"json_secret": null,
"kms_key_id": null,
"name": "/shared/replica",
"overwrite": true,
"profile": null,
"purge_tags": true,
"recovery_window": 30,
"region": "us-east-1",
"replica": [
{
"kms_key_id": null,
"region": "eu-central-1"
},
{
"kms_key_id": null,
"region": "eu-west-1"
},
{
"kms_key_id": null,
"region": "ap-southeast-1"
},
{
"kms_key_id": null,
"region": "ap-southeast-2"
}
],
"resource_policy": null,
"rotation_interval": 30,
"rotation_lambda": null,
"secret": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"secret_key": null,
"secret_type": "string",
"session_token": null,
"state": "present",
"tags": null,
"validate_certs": true
}
},
"secret": {
"content": {
"test_value": "foobar"
},
"description": "Testing replication",
"name": "/shared/replica",
"region": "us-east-1",
"replica": [
{
"region": "us-west-2"
},
{
"region": "eu-central-1"
},
{
"region": "eu-west-1"
},
{
"region": "ap-southeast-1"
},
{
"region": "ap-southeast-2"
}
]
}
}
PLAY RECAP *************************************************************************************************************************************************************************************
127.0.0.1 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
4th Run
Removes the other 4 regions, and puts us-west-2 back in
root@3c5246c9a208:~/s/1# ansible-playbook playbooks/sync-secrets-playbook.yml -vvv
TASK [Creating AWS Secrets] ********************************************************************************************************************************************************************
task path: /root/s/1/playbooks/sync-secrets-playbook.yml:21
redirecting (type: modules) ansible.builtin.aws_secret to community.aws.aws_secret
redirecting (type: modules) community.aws.aws_secret to community.aws.secretsmanager_secret
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: root
<127.0.0.1> EXEC /bin/sh -c 'echo ~root && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp `"&& mkdir "` echo /root/.ansible/tmp/ansible-tmp-1682374603.7614083-3670-14710496522441 `" && echo ansible-tmp-1682374603.7614083-3670-14710496522441="` echo /root/.ansible/tmp/ansible-tmp-1682374603.7614083-3670-14710496522441 `" ) && sleep 0'
redirecting (type: modules) ansible.builtin.aws_secret to community.aws.aws_secret
redirecting (type: modules) community.aws.aws_secret to community.aws.secretsmanager_secret
Using module file /usr/local/lib/python3.9/site-packages/ansible_collections/community/aws/plugins/modules/secretsmanager_secret.py
<127.0.0.1> PUT /root/.ansible/tmp/ansible-local-3624v83gqjvp/tmp6acmmb53 TO /root/.ansible/tmp/ansible-tmp-1682374603.7614083-3670-14710496522441/AnsiballZ_secretsmanager_secret.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1682374603.7614083-3670-14710496522441/ /root/.ansible/tmp/ansible-tmp-1682374603.7614083-3670-14710496522441/AnsiballZ_secretsmanager_secret.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/usr/local/bin/python /root/.ansible/tmp/ansible-tmp-1682374603.7614083-3670-14710496522441/AnsiballZ_secretsmanager_secret.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1682374603.7614083-3670-14710496522441/ > /dev/null 2>&1 && sleep 0'
changed: [127.0.0.1] => (item=/shared/replica: Testing replication) => {
"ansible_loop_var": "secret",
"changed": true,
"invocation": {
"module_args": {
"access_key": null,
"aws_ca_bundle": null,
"aws_config": null,
"debug_botocore_endpoint_logs": false,
"description": "Testing replication",
"endpoint_url": null,
"json_secret": null,
"kms_key_id": null,
"name": "/shared/replica",
"overwrite": true,
"profile": null,
"purge_tags": true,
"recovery_window": 30,
"region": "us-east-1",
"replica": [
{
"kms_key_id": null,
"region": "us-west-2"
}
],
"resource_policy": null,
"rotation_interval": 30,
"rotation_lambda": null,
"secret": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"secret_key": null,
"secret_type": "string",
"session_token": null,
"state": "present",
"tags": null,
"validate_certs": true
}
},
"secret": {
"content": {
"test_value": "foobar"
},
"description": "Testing replication",
"name": "/shared/replica",
"region": "us-east-1",
"replica": [
{
"region": "us-west-2"
},
{
"region": "eu-central-1"
},
{
"region": "eu-west-1"
},
{
"region": "ap-southeast-1"
},
{
"region": "ap-southeast-2"
}
]
}
}
PLAY RECAP *************************************************************************************************************************************************************************************
127.0.0.1 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Rinse and repeat forever
It toggles between the exact results of runs 3 and 4 indefinitely. We've tried from multiple machines and build containers and got the same results.
If at any time you go back to only 1 or 2 regions (it doesn't matter which), it stabilizes and stops this toggling behavior. As soon as you add a third region, the toggling starts back up.
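The toggling above means the module is not idempotent for this input: a run that should be a no-op silently removes replicas, which is exactly the kind of drift that breaks a disaster-recovery setup. As an added example (not code from community.aws or from this report), the planner below compares the playbook's desired `replica` list against the current replication state as disjoint sets and re-applying the same desired list converges in one run and then reports no change; it also includes a drift check a defender could run against a secret. It assumes the `ReplicationStatus` element shape that boto3's `describe_secret` returns (`Region`, `KmsKeyId`, `Status`) and the `AddReplicaRegions` / `RemoveReplicaRegions` payload shapes of `replicate_secret_to_regions` / `remove_regions_from_replication`; the AWS side is simulated offline.

```python
"""Idempotent planning of Secrets Manager replica changes (added example).

Not part of the community.aws module. Desired entries use the shape the module
reports in module_args ({"region": ..., "kms_key_id": ...}); current entries use
the ReplicationStatus shape from boto3 describe_secret (assumption:
{"Region": ..., "KmsKeyId": ..., "Status": ...}).
"""
from __future__ import annotations

from dataclasses import dataclass

# Desired state, constructed to match the playbook in Steps to Reproduce.
DESIRED_REPLICA = [
    {"region": "us-west-2", "kms_key_id": None},
    {"region": "eu-central-1", "kms_key_id": None},
    {"region": "eu-west-1", "kms_key_id": None},
    {"region": "ap-southeast-1", "kms_key_id": None},
    {"region": "ap-southeast-2", "kms_key_id": None},
]


@dataclass
class ReplicaPlan:
    add: list[dict]     # AddReplicaRegions payload for replicate_secret_to_regions
    remove: list[str]   # RemoveReplicaRegions payload for remove_regions_from_replication

    @property
    def changed(self) -> bool:
        return bool(self.add or self.remove)


def plan_replica_changes(current_status: list[dict], desired: list[dict]) -> ReplicaPlan:
    """Compute the minimal add/remove sets. Inputs are never mutated, so the plan
    depends only on (current, desired) and cannot alternate between runs."""
    current_regions = {r["Region"] for r in current_status}
    desired_by_region: dict[str, dict] = {}
    for entry in desired:
        if entry["region"] in desired_by_region:
            raise ValueError(f"duplicate replica region in desired list: {entry['region']}")
        desired_by_region[entry["region"]] = entry
    to_add = sorted(set(desired_by_region) - current_regions)
    to_remove = sorted(current_regions - set(desired_by_region))
    add_payload = []
    for region in to_add:
        payload = {"Region": region}
        kms_key_id = desired_by_region[region].get("kms_key_id")
        if kms_key_id:  # KMS key changes on an existing replica are not reconciled here
            payload["KmsKeyId"] = kms_key_id
        add_payload.append(payload)
    return ReplicaPlan(add=add_payload, remove=to_remove)


def apply_plan(current_status: list[dict], plan: ReplicaPlan) -> list[dict]:
    """Offline stand-in for AWS applying the two API calls."""
    removed = set(plan.remove)
    new_status = [r for r in current_status if r["Region"] not in removed]
    for payload in plan.add:
        new_status.append({"Region": payload["Region"],
                           "KmsKeyId": payload.get("KmsKeyId"),
                           "Status": "InSync"})
    return new_status


def replication_drift(current_status: list[dict], desired: list[dict]) -> list[str]:
    """Desired replica regions that are missing or not InSync: the check that
    would have caught runs 2 to 4 above as soon as they happened."""
    healthy = {r["Region"] for r in current_status if r.get("Status") == "InSync"}
    return sorted({d["region"] for d in desired} - healthy)


def converge(initial_status: list[dict], desired: list[dict], runs: int = 4):
    """Reconcile `runs` times; return the per-run changed flags and final regions."""
    status, flags = initial_status, []
    for _ in range(runs):
        plan = plan_replica_changes(status, desired)
        flags.append(plan.changed)
        status = apply_plan(status, plan)
    return flags, sorted(r["Region"] for r in status)


if __name__ == "__main__":
    # Fresh secret: first run changes, every later run is a no-op.
    print(converge([], DESIRED_REPLICA))
    # State the report observed after its 2nd run: only us-west-2 left.
    after_run2 = [{"Region": "us-west-2", "KmsKeyId": None, "Status": "InSync"}]
    print("drift:", replication_drift(after_run2, DESIRED_REPLICA))
    print("plan:", plan_replica_changes(after_run2, DESIRED_REPLICA))
```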
Code of Conduct
- [X] I agree to follow the Ansible Code of Conduct