[PR #1972/08e7d700 backport][stable-7] lookup/secretsmanager_secret - fix issue with missing nested secret and on_missing=warn

changelogs/fragments/20240212-lookup-secretsmanager_secret-fix-issue-when-nested-is-missing-and-on_missing-is-set-to-warn.yaml

@@ -0,0 +1,3 @@
+---
+bugfixes:
+  - lookup/secretsmanager_secret - fix the issue when the nested secret is missing and on_missing is set to warn, the lookup was raising an error instead of a warning message (https://github.com/ansible-collections/amazon.aws/issues/1781).

plugins/lookup/secretsmanager_secret.py

@@ -136,6 +136,11 @@
 from ansible_collections.amazon.aws.plugins.plugin_utils.lookup import AWSLookupBase
 
 
+def _list_secrets(client, term):
+    paginator = client.get_paginator("list_secrets")
+    return paginator.paginate(Filters=[{"Key": "name", "Values": [term]}])
+
+
 class LookupModule(AWSLookupBase):
     def run(self, terms, variables, **kwargs):
         """
@@ -177,9 +182,7 @@ def run(self, terms, variables, **kwargs):
             secrets = {}
             for term in terms:
                 try:
-                    paginator = client.get_paginator("list_secrets")
-                    paginator_response = paginator.paginate(Filters=[{"Key": "name", "Values": [term]}])
-                    for object in paginator_response:
+                    for object in _list_secrets(client, term):
                         if "SecretList" in object:
                             for secret_obj in object["SecretList"]:
                                 secrets.update(
@@ -247,14 +250,22 @@ def get_secret_value(
             if "SecretString" in response:
                 if nested:
                     query = term.split(".")[1:]
+                    path = None
                     secret_string = json.loads(response["SecretString"])
                     ret_val = secret_string
-                    for key in query:
+                    while query:
+                        key = query.pop(0)
+                        path = key if not path else path + "." + key
                         if key in ret_val:
                             ret_val = ret_val[key]
-                        else:
+                        elif on_missing == "warn":
+                            self._display.warning(
+                                f"Skipping, Successfully retrieved secret but there exists no key {path} in the secret"
+                            )
+                            return None
+                        elif on_missing == "error":
                             raise AnsibleLookupError(
-                                f"Successfully retrieved secret but there exists no key {key} in the secret"
+                                f"Successfully retrieved secret but there exists no key {path} in the secret"
                             )
                     return str(ret_val)
                 else:

tests/integration/targets/lookup_secretsmanager_secret/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+json_secret: '{"resource_prefix": "{{ resource_prefix }}"}'

tests/integration/targets/lookup_secretsmanager_secret/tasks/main.yaml

@@ -110,6 +110,9 @@
         that:
           - get_deleted_secret is failed
 
+    # Test with nested secrets
+    - include_tasks: tasks/nested.yaml
+
   always:
   # delete secret created
     - name: delete secret

tests/integration/targets/lookup_secretsmanager_secret/tasks/nested.yaml

@@ -0,0 +1,59 @@
+---
+- vars:
+    json_secret_name: "ansible-test-{{ tiny_prefix }}-secret-json"
+    json_secret_value: "{{ json_secret | to_json }}"
+  block:
+    - name: create secret "{{ json_secret_name }}"
+      community.aws.secretsmanager_secret:
+        name: "{{ json_secret_name }}"
+        secret: "{{ json_secret_value }}"
+        state: present
+
+    - name: Validate nested secret value
+      assert:
+        that:
+          - lookup('amazon.aws.secretsmanager_secret', json_secret_name + '.resource_prefix', nested=True, **connection_args) == resource_prefix
+
+    - name: Read missing secret variable using 'on_missing==error' 
+      set_fact:
+        missing_err_secret: "{{ lookup('amazon.aws.secretsmanager_secret', json_secret_name + '.missing_err_secret', nested=True, on_missing='error', **connection_args) }}"
+      register: on_missing_error
+      ignore_errors: true
+
+    - name: Ensure the lookup raised an error
+      assert:
+        that:
+          - on_missing_error is failed
+          - on_missing_error.msg == "Successfully retrieved secret but there exists no key missing_err_secret in the secret"
+          - missing_err_secret is undefined
+
+    - name: Read missing secret variable using 'on_missing==error' 
+      set_fact:
+        resource_prefix_child: "{{ lookup('amazon.aws.secretsmanager_secret', json_secret_name + '.resource_prefix.child', nested=True, on_missing='error', **connection_args) }}"
+      register: nested_child
+      ignore_errors: true
+
+    - name: Ensure the lookup raised an error
+      assert:
+        that:
+          - nested_child is failed
+          - nested_child.msg == "Successfully retrieved secret but there exists no key resource_prefix.child in the secret"
+          - resource_prefix_child is undefined
+
+    - name: Read missing secret variable using 'on_missing==warn' 
+      set_fact:
+        missing_wrn_secret: "{{ lookup('amazon.aws.secretsmanager_secret', json_secret_name + '.missing_wrn_secret', nested=True, on_missing='warn', **connection_args) }}"
+
+    - name: Ensure that the variable has not been defined
+      assert:
+        that:
+          - missing_wrn_secret == []
+
+  always:
+    # delete secret created
+    - name: Delete secret '{{ json_secret_name }}'
+      community.aws.secretsmanager_secret:
+        name: "{{ json_secret_name }}"
+        state: absent
+        recovery_window: 0
+      ignore_errors: true