Complete 8.0.0 deprecations and assign deprecations to release 9.0.0 …

…instead of by date (ansible-collections#2040) Complete 8.0.0 deprecations and assign deprecations to release 9.0.0 instead of by date SUMMARY Completes deprecations for 8.0.0 ISSUE TYPE Feature Pull Request COMPONENT NAME plugins/inventory/aws_ec2.py plugins/module_utils/ec2.py plugins/module_utils/iam.py plugins/module_utils/policy.py plugins/modules/iam_policy.py plugins/modules/iam_role.py plugins/modules/iam_role_info.py plugins/modules/kms_key.py plugins/modules/kms_key_info.py ADDITIONAL INFORMATION Reviewed-by: Alina Buzachis
alinabuzachis · Apr 12, 2024 · 94f733f · 94f733f
1 parent 3ca3f0a
commit 94f733f
Show file tree

Hide file tree

Showing 41 changed files with 240 additions and 328 deletions.
diff --git a/changelogs/fragments/8.0.0-deprecation-removal.yml b/changelogs/fragments/8.0.0-deprecation-removal.yml
@@ -0,0 +1,13 @@
+deprecated_features:
+- aws_ec2 inventory plugin - removal of the previously deprecated ``include_extra_api_calls`` option has been assigned to release 9.0.0 (https://github.com/ansible-collections/amazon.aws/pull/2040).
+- iam_policy - removal of the previously deprecated ``policies`` return key has been assigned to release 9.0.0.  Use the ``policy_names`` return key instead (https://github.com/ansible-collections/amazon.aws/pull/2040).
+
+removed_features:
+- iam_role - the ``iam_role.assume_role_policy_document_raw`` return value has been deprecated.  ``iam_role.assume_role_policy_document`` now returns the same format as ``iam_role.assume_role_policy_document_raw`` (https://github.com/ansible-collections/amazon.aws/pull/2040).
+- iam_role_info - the ``iam_role.assume_role_policy_document_raw`` return value has been deprecated.  ``iam_role.assume_role_policy_document`` now returns the same format as ``iam_role.assume_role_policy_document_raw`` (https://github.com/ansible-collections/amazon.aws/pull/2040).
+
+breaking_changes:
+- iam_role - ``iam_role.assume_role_policy_document`` is no longer converted from CamelCase to snake_case (https://github.com/ansible-collections/amazon.aws/pull/2040).
+- iam_role_info - ``iam_role.assume_role_policy_document`` is no longer converted from CamelCase to snake_case (https://github.com/ansible-collections/amazon.aws/pull/2040).
+- kms_key - the ``policies`` return value has been renamed to ``key_policies`` the contents has not been changed (https://github.com/ansible-collections/amazon.aws/pull/2040).
+- kms_key_info - the ``policies`` return value has been renamed to ``key_policies`` the contents has not been changed (https://github.com/ansible-collections/amazon.aws/pull/2040).
diff --git a/plugins/inventory/aws_ec2.py b/plugins/inventory/aws_ec2.py
@@ -805,8 +805,8 @@ def parse(self, inventory, loader, path, cache=True):
 
         if self.get_option("include_extra_api_calls"):
             self.display.deprecate(
-                "The include_extra_api_calls option has been deprecated and will be removed in release 6.0.0.",
-                date="2024-09-01",
+                "The include_extra_api_calls option has been deprecated and will be removed in release 9.0.0.",
+                version="9.0.0",
                 collection_name="amazon.aws",
             )
 

diff --git a/plugins/module_utils/iam.py b/plugins/module_utils/iam.py
@@ -446,8 +446,6 @@ def normalize_iam_access_keys(access_keys: BotoResourceList) -> AnsibleAWSResour
 def normalize_iam_instance_profile(profile: BotoResource) -> AnsibleAWSResource:
     """
     Converts a boto3 format IAM instance profile into "Ansible" format
-
-    _v7_compat is deprecated and will be removed in release after 2025-05-01 DO NOT USE.
     """
     transforms = {"Roles": _normalize_iam_roles}
     transformed_profile = boto3_resource_to_ansible_dict(profile, nested_transforms=transforms)
@@ -458,10 +456,10 @@ def normalize_iam_role(role: BotoResource, _v7_compat: bool = False) -> AnsibleA
     """
     Converts a boto3 format IAM instance role into "Ansible" format
 
-    _v7_compat is deprecated and will be removed in release after 2025-05-01 DO NOT USE.
+    _v7_compat is deprecated and will be removed in release after 2026-05-01 DO NOT USE.
     """
     transforms = {"InstanceProfiles": _normalize_iam_instance_profiles}
-    ignore_list = [] if _v7_compat else ["AssumeRolePolicyDocument"]
+    ignore_list = ["AssumeRolePolicyDocument"]
     transformed_role = boto3_resource_to_ansible_dict(role, nested_transforms=transforms, ignore_list=ignore_list)
     if _v7_compat and role.get("AssumeRolePolicyDocument"):
         transformed_role["assume_role_policy_document_raw"] = role["AssumeRolePolicyDocument"]

diff --git a/plugins/modules/iam_policy.py b/plugins/modules/iam_policy.py
@@ -340,7 +340,7 @@ def main():
                 "The 'policies' return key is deprecated and will be replaced by 'policy_names'. Both values are"
                 " returned for now."
             ),
-            date="2024-08-01",
+            version="9.0.0",
             collection_name="amazon.aws",
         )
 

diff --git a/plugins/modules/iam_role.py b/plugins/modules/iam_role.py
@@ -174,8 +174,8 @@
             description:
               - the policy that grants an entity permission to assume the role
               - |
-                note: the case of keys in this dictionary are currently converted from CamelCase to
-                snake_case.  In a release after 2023-12-01 this behaviour will change
+                Note: the case of keys in this dictionary are no longer converted from CamelCase to
+                snake_case.  This behaviour changed in release 8.0.0.
             type: dict
             returned: always
             sample: {
@@ -192,23 +192,14 @@
                         'version': '2012-10-17'
                     }
         assume_role_policy_document_raw:
-            description: the policy that grants an entity permission to assume the role
+            description:
+              - |
+                Note: this return value has been deprecated and will be removed in a release after
+                2026-05-01.  assume_role_policy_document and assume_role_policy_document_raw now use
+                the same format.
             type: dict
             returned: always
             version_added: 5.3.0
-            sample: {
-                        'Statement': [
-                            {
-                                'Action': 'sts:AssumeRole',
-                                'Effect': 'Allow',
-                                'Principal': {
-                                    'Service': 'ec2.amazonaws.com'
-                                },
-                                'Sid': ''
-                            }
-                        ],
-                        'Version': '2012-10-17'
-                    }
 
         attached_policies:
             description: a list of dicts containing the name and ARN of the managed IAM policies attached to the role
@@ -504,7 +495,7 @@ def create_or_update_role(module, client):
     role["AttachedPolicies"] = list_iam_role_attached_policies(client, role_name)
     camel_role = normalize_iam_role(role, _v7_compat=True)
 
-    module.exit_json(changed=changed, iam_role=camel_role, **camel_role)
+    module.exit_json(changed=changed, iam_role=camel_role)
 
 
 def create_instance_profiles(client, check_mode, role_name, path):
@@ -658,17 +649,10 @@ def main():
     )
 
     module.deprecate(
-        "All return values other than iam_role and changed have been deprecated and "
-        "will be removed in a release after 2023-12-01.",
-        date="2023-12-01",
-        collection_name="amazon.aws",
-    )
-    module.deprecate(
-        "In a release after 2023-12-01 the contents of iam_role.assume_role_policy_document "
-        "will no longer be converted from CamelCase to snake_case.  The "
-        "iam_role.assume_role_policy_document_raw return value already returns the "
-        "policy document in this future format.",
-        date="2023-12-01",
+        "In a release after 2026-05-01 iam_role.assume_role_policy_document_raw "
+        "will no longer be returned.  Since release 8.0.0 assume_role_policy_document "
+        "has been returned with the same format as iam_role.assume_role_policy_document_raw",
+        date="2026-05-01",
         collection_name="amazon.aws",
     )
 

diff --git a/plugins/modules/iam_role_info.py b/plugins/modules/iam_role_info.py
@@ -67,12 +67,16 @@
       description:
         - The policy that grants an entity permission to assume the role
         - |
-          Note: the case of keys in this dictionary are currently converted from CamelCase to
-          snake_case.  In a release after 2023-12-01 this behaviour will change.
+          Note: the case of keys in this dictionary are no longer converted from CamelCase to
+          snake_case.  This behaviour changed in release 8.0.0.
       returned: always
       type: dict
     assume_role_policy_document_raw:
-      description: The policy document describing what can assume the role.
+      description:
+        - |
+          Note: this return value has been deprecated and will be removed in a release after
+          2026-05-01.  assume_role_policy_document and assume_role_policy_document_raw now use
+          the same format.
       returned: always
       type: dict
       version_added: 5.3.0
@@ -208,11 +212,10 @@ def main():
     path_prefix = module.params["path_prefix"]
 
     module.deprecate(
-        "In a release after 2023-12-01 the contents of assume_role_policy_document "
-        "will no longer be converted from CamelCase to snake_case.  The "
-        ".assume_role_policy_document_raw return value already returns the "
-        "policy document in this future format.",
-        date="2023-12-01",
+        "In a release after 2026-05-01 iam_role.assume_role_policy_document_raw "
+        "will no longer be returned.  Since release 8.0.0 assume_role_policy_document "
+        "has been returned with the same format as iam_role.assume_role_policy_document_raw",
+        date="2026-05-01",
         collection_name="amazon.aws",
     )
 

diff --git a/plugins/modules/kms_key.py b/plugins/modules/kms_key.py
@@ -156,6 +156,7 @@
     This can cause issues when running duplicate tasks in succession or using the M(amazon.aws.kms_key_info) module to fetch key metadata
     shortly after modifying keys.
     For this reason, it is recommended to use the return data from this module (M(amazon.aws.kms_key)) to fetch a key's metadata.
+  - The C(policies) return key was removed in amazon.aws release 8.0.0.
 """
 
 EXAMPLES = r"""
@@ -281,41 +282,6 @@
   sample:
     - aws/acm
     - aws/ebs
-policies:
-  description: List of policy documents for the key. Empty when access is denied even if there are policies.
-  type: list
-  returned: always
-  elements: str
-  sample:
-    Version: "2012-10-17"
-    Id: "auto-ebs-2"
-    Statement:
-    - Sid: "Allow access through EBS for all principals in the account that are authorized to use EBS"
-      Effect: "Allow"
-      Principal:
-        AWS: "*"
-      Action:
-      - "kms:Encrypt"
-      - "kms:Decrypt"
-      - "kms:ReEncrypt*"
-      - "kms:GenerateDataKey*"
-      - "kms:CreateGrant"
-      - "kms:DescribeKey"
-      Resource: "*"
-      Condition:
-        StringEquals:
-          kms:CallerAccount: "123456789012"
-          kms:ViaService: "ec2.ap-southeast-2.amazonaws.com"
-    - Sid: "Allow direct access to key metadata to the account"
-      Effect: "Allow"
-      Principal:
-        AWS: "arn:aws:iam::123456789012:root"
-      Action:
-      - "kms:Describe*"
-      - "kms:Get*"
-      - "kms:List*"
-      - "kms:RevokeGrant"
-      Resource: "*"
 key_policies:
   description: List of policy documents for the key. Empty when access is denied even if there are policies.
   type: list
@@ -584,8 +550,8 @@ def get_key_details(connection, module, key_id):
         module.fail_json_aws(e, msg="Failed to obtain key grants")
     tags = get_kms_tags(connection, module, key_id)
     result["tags"] = boto3_tag_list_to_ansible_dict(tags, "TagKey", "TagValue")
-    result["policies"] = get_kms_policies(connection, module, key_id)
-    result["key_policies"] = [json.loads(policy) for policy in result["policies"]]
+    policies = get_kms_policies(connection, module, key_id)
+    result["key_policies"] = [json.loads(policy) for policy in policies]
     return result
 
 
@@ -1007,15 +973,6 @@ def main():
 
     kms = module.client("kms")
 
-    module.deprecate(
-        (
-            "The 'policies' return key is deprecated and will be replaced by 'key_policies'. Both values are returned"
-            " for now."
-        ),
-        date="2024-05-01",
-        collection_name="amazon.aws",
-    )
-
     key_metadata = fetch_key_metadata(kms, module, module.params.get("key_id"), module.params.get("alias"))
     validate_params(module, key_metadata)
 

diff --git a/plugins/modules/kms_key_info.py b/plugins/modules/kms_key_info.py
@@ -49,6 +49,8 @@
     description: Whether to get full details (tags, grants etc.) of keys pending deletion.
     default: False
     type: bool
+notes:
+  - The C(policies) return key was removed in amazon.aws release 8.0.0.
 extends_documentation_fragment:
   - amazon.aws.common.modules
   - amazon.aws.region.modules
@@ -154,41 +156,6 @@
       sample:
         Name: myKey
         Purpose: protecting_stuff
-    policies:
-      description: List of policy documents for the key. Empty when access is denied even if there are policies.
-      type: list
-      returned: always
-      elements: str
-      sample:
-        Version: "2012-10-17"
-        Id: "auto-ebs-2"
-        Statement:
-        - Sid: "Allow access through EBS for all principals in the account that are authorized to use EBS"
-          Effect: "Allow"
-          Principal:
-            AWS: "*"
-          Action:
-          - "kms:Encrypt"
-          - "kms:Decrypt"
-          - "kms:ReEncrypt*"
-          - "kms:GenerateDataKey*"
-          - "kms:CreateGrant"
-          - "kms:DescribeKey"
-          Resource: "*"
-          Condition:
-            StringEquals:
-              kms:CallerAccount: "123456789012"
-              kms:ViaService: "ec2.ap-southeast-2.amazonaws.com"
-        - Sid: "Allow direct access to key metadata to the account"
-          Effect: "Allow"
-          Principal:
-            AWS: "arn:aws:iam::123456789012:root"
-          Action:
-          - "kms:Describe*"
-          - "kms:Get*"
-          - "kms:List*"
-          - "kms:RevokeGrant"
-          Resource: "*"
     key_policies:
       description: List of policy documents for the key. Empty when access is denied even if there are policies.
       type: list
@@ -480,8 +447,8 @@ def get_key_details(connection, module, key_id, tokens=None):
 
     result = camel_dict_to_snake_dict(result)
     result["tags"] = boto3_tag_list_to_ansible_dict(tags, "TagKey", "TagValue")
-    result["policies"] = get_kms_policies(connection, module, key_id)
-    result["key_policies"] = [json.loads(policy) for policy in result["policies"]]
+    policies = get_kms_policies(connection, module, key_id)
+    result["key_policies"] = [json.loads(policy) for policy in policies]
     return result
 
 
@@ -523,15 +490,6 @@ def main():
     except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:
         module.fail_json_aws(e, msg="Failed to connect to AWS")
 
-    module.deprecate(
-        (
-            "The 'policies' return key is deprecated and will be replaced by 'key_policies'. Both values are returned"
-            " for now."
-        ),
-        date="2024-05-01",
-        collection_name="amazon.aws",
-    )
-
     all_keys = get_kms_info(connection, module)
     filtered_keys = [key for key in all_keys if key_matches_filters(key, module.params["filters"])]
     ret_params = dict(kms_keys=filtered_keys)

diff --git a/tests/integration/targets/aws_region_info/tasks/main.yml b/tests/integration/targets/aws_region_info/tasks/main.yml
@@ -7,7 +7,7 @@
       region: "{{ aws_region }}"
   block:
     - name: List available Regions
-      community.aws.aws_region_info:
+      amazon.aws.aws_region_info:
       register: regions
     - name: check task return attributes
       vars:
@@ -22,7 +22,7 @@
           - '"region_name" in first_region'
 
     - name: List available Regions - check_mode
-      community.aws.aws_region_info:
+      amazon.aws.aws_region_info:
       register: check_regions
     - name: check task return attributes - check_mode
       vars:
@@ -37,7 +37,7 @@
           - '"region_name" in first_region'
 
     - name: Filter available Regions using - ("region-name")
-      community.aws.aws_region_info:
+      amazon.aws.aws_region_info:
         filters:
           region-name: us-west-1
       register: us_west_1
@@ -58,7 +58,7 @@
           - first_region.region_name == 'us-west-1'
 
     - name: Filter available Regions using _ ("region_name")
-      community.aws.aws_region_info:
+      amazon.aws.aws_region_info:
         filters:
           region_name: us-west-2
       register: us_west_2
@@ -79,7 +79,7 @@
           - first_region.region_name == 'us-west-2'
 
     - name: Filter available Regions using _ and - to check precedence
-      community.aws.aws_region_info:
+      amazon.aws.aws_region_info:
         filters:
           region-name: eu-west-1
           region_name: eu-central-1

diff --git a/tests/integration/targets/backup_selection/tasks/main.yml b/tests/integration/targets/backup_selection/tasks/main.yml
@@ -12,7 +12,7 @@
   # ============================================================
 
     - name: Create an IAM Role
-      community.aws.iam_role:
+      amazon.aws.iam_role:
         name: "{{ backup_iam_role_name }}"
         assume_role_policy_document: '{{ lookup("file", "backup-policy.json") }}'
         create_instance_profile: false
@@ -745,7 +745,7 @@
       ignore_errors: true
 
     - name: Delete IAM role created during this test
-      community.aws.iam_role:
+      amazon.aws.iam_role:
         name: "{{ backup_iam_role_name }}"
         state: absent
       ignore_errors: true