From 8122c1e1dea5910961864ad6bf35f14d1b2cff76 Mon Sep 17 00:00:00 2001 From: Andrew Roth Date: Tue, 13 Aug 2024 10:54:15 -0400 Subject: [PATCH] removed password length from terms; updated tests to not check default length; updated documentation --- .../lookup/secretsmanager_random_password.py | 30 ++++++++----------- .../tasks/main.yaml | 3 +- 2 files changed, 13 insertions(+), 20 deletions(-) diff --git a/plugins/lookup/secretsmanager_random_password.py b/plugins/lookup/secretsmanager_random_password.py index 0953b2c633f..664d3eaaac0 100644 --- a/plugins/lookup/secretsmanager_random_password.py +++ b/plugins/lookup/secretsmanager_random_password.py @@ -11,16 +11,15 @@ short_description: Generate a random password using AWS Secrets Manager description: - Look up (really generate) a random password using AWS Secrets Manager's - `secretsmanager:GetRandomPassword` API. - - Optional parameters can be passed into this lookup; I(password_length) and I(exclude_characters) + C(secretsmanager:GetRandomPassword) API. + - See U(https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetRandomPassword.html#API_GetRandomPassword_RequestParameters) + for information about the API for GetRandomPassword and how it can be used. options: - _terms: - description: As a shortcut, the password_length parameter can be specified as a term instead of using the keyword. - required: False - type: integer password_length: - description: The length of the password. If you do not include this parameter, the default length is 32 characters. + description: |- + The length of the password. If you do not include this parameter, + AWS will use a default value according to the API documentation (see link in description above). required: False type: integer exclude_characters: 
@@ -34,7 +33,7 @@ exclude_punctuation: description: |- Specifies whether to exclude punctuation characters from the password: - `! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~` (included by default). + C(! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~) (included by default). required: False type: boolean exclude_uppercase: @@ -73,7 +72,7 @@ debug: msg="{{ lookup('secretsmanager_random_password') }}" - name: generate random 12-character password without punctuation - debug: msg="{{ lookup('secretsmanager_random_password', 12, exclude_punctuation=True) }}" + debug: msg="{{ lookup('secretsmanager_random_password', password_length=12, exclude_punctuation=True) }}" - name: create a secret using a random password community.aws.secretsmanager_secret: @@ -107,8 +106,7 @@ class LookupModule(AWSLookupBase): def run(self, terms, variables=None, **kwargs): """ - :param terms: a list containing the password length - e.g. ['example_secret_name', 'example_secret_too' ] + :param terms: an empty list (does not use) :param variables: ansible variables active at the time of the lookup :returns: A list of parameter values or a list of dictionaries if bypath=True. """ @@ -116,8 +114,8 @@ def run(self, terms, variables=None, **kwargs): super().run(terms, variables, **kwargs) # validate argument terms - if len(terms) > 1: - raise AnsibleLookupError("secretsmanager_random_password must have zero or one argument") + if len(terms) > 0: + raise AnsibleLookupError("secretsmanager_random_password does not accept positional arguments") on_denied = self.get_option("on_denied") 
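Review bot: The `:returns:` line kept in run()'s docstring ("A list of parameter values or a list of dictionaries if bypath=True") does not describe a password lookup and looks carried over from another plugin. No `bypath` option appears in the documentation shown in this patch. Since the docstring is being edited anyway, I would reword both lines, for example `:param terms: must be empty; positional arguments are rejected` and `:returns: a list holding the generated password`. The second wording needs confirming against the return statement, which is outside this hunk.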
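Review bot: The new error raised in run() says what is rejected but not what to use instead, and playbooks that passed the length as a term will now stop at this check. Naming the keyword makes the migration obvious: `raise AnsibleLookupError("secretsmanager_random_password does not accept positional arguments; use password_length=<n>")`. Failing here rather than ignoring the term is the right behaviour, because a silently dropped length would yield a password of a different size than the playbook asked for. `if terms:` is the more idiomatic spelling of `len(terms) > 0`. The body of run() continues outside the hunk.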
@@ -130,13 +128,9 @@ def run(self, terms, variables=None, **kwargs): ) params = {} - # validate password length argument or option + # validate password length option self.debug(f"Options: {self.get_options()}") password_length = self.get_option("password_length") - if len(terms) == 1: - if password_length is not None: - raise AnsibleLookupError('"password_length" should be provided as argument or keyword, not both') - password_length = terms[0] if password_length is not None: if not isinstance(password_length, integer_types) or password_length < 1: raise AnsibleLookupError('"password_length" must be an integer greater than zero, if provided') diff --git a/tests/integration/targets/lookup_secretsmanager_random_password/tasks/main.yaml b/tests/integration/targets/lookup_secretsmanager_random_password/tasks/main.yaml index 79c5f1fa8e8..e40f1f1eced 100644 --- a/tests/integration/targets/lookup_secretsmanager_random_password/tasks/main.yaml +++ b/tests/integration/targets/lookup_secretsmanager_random_password/tasks/main.yaml @@ -31,11 +31,10 @@ that: - gen_pass is defined - gen_pass is string - - gen_pass|length == 32 - name: generate random password length 12 set_fact: - gen_pass: "{{ lookup('community.aws.secretsmanager_random_password', 12, **connection_args) }}" + gen_pass: "{{ lookup('community.aws.secretsmanager_random_password', password_length=12, **connection_args) }}" - name: assert that random password length 12 was successfully retrieved assert:
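Review bot: The context line `self.debug(f"Options: {self.get_options()}")` stays in place and writes every option the lookup received, not only the one being validated. The integration test in this patch passes `**connection_args` into the lookup, so if those arrive as plugin options (likely, but not visible here) the debug output would contain AWS credentials. Log only what this step needs, after the option is read: `self.debug(f"password_length option: {password_length!r}")`. Separately, `isinstance(password_length, integer_types)` accepts `True` as a length of 1 because bool is a subclass of int, so a boolean check may be worth adding. run() starts and ends outside the hunk.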
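Review bot: With `gen_pass|length == 32` removed, the default-length case asserts only that the result is defined and a string, so an empty string would pass. `- gen_pass|length > 0` keeps a minimal check without pinning the AWS default. The new rejection of positional terms is also not exercised. A task that calls the lookup with `12` as a term and asserts that it fails would cover that path. The assert task this hunk edits begins above the visible lines.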