def instance_profile(name, role_name=None):
try:
profile = iam.get_instance_profile(name)
except boto.exception.BotoServerError:
profile = None
if profile is None:
iam.create_instance_profile(name)
profile = iam.get_instance_profile(name)
roles = profile['get_instance_profile_response'][
'get_instance_profile_result']['instance_profile']['roles']
should_add = False
should_remove = False
if role_name is None:
if len(roles) != 0:
should_remove = True
if role_name is not None:
if len(roles) == 0:
should_add = True
elif roles['member']['role_name'] != role_name:
should_remove = True
should_add = True
if should_remove:
iam.remove_role_from_instance_profile(name,
roles['member']['role_name'])
if should_add:
iam.add_role_to_instance_profile(name, role_name)
if role_name is not None and len(roles) != 0:
should_add = True
def create_role(module, iam, name, path, role_list, prof_list,
trust_policy_doc):
changed = False
iam_role_result = None
instance_profile_result = None
try:
if name not in role_list:
changed = True
iam_role_result = iam.create_role(
name, assume_role_policy_document=trust_policy_doc,
path=path).create_role_response.create_role_result.role
if name not in prof_list:
instance_profile_result = iam.create_instance_profile(name, path=path) \
.create_instance_profile_response.create_instance_profile_result.instance_profile
iam.add_role_to_instance_profile(name, name)
else:
instance_profile_result = iam.get_instance_profile(
name
).get_instance_profile_response.get_instance_profile_result.instance_profile
except boto.exception.BotoServerError as err:
module.fail_json(changed=changed, msg=str(err))
else:
updated_role_list = list_all_roles(iam)
iam_role_result = iam.get_role(
name).get_role_response.get_role_result.role
return changed, updated_role_list, iam_role_result, instance_profile_result
def update_iam_role(iam, role_name, assume_role_policy_file,
permission_policy_file):
try:
iam.get_role(role_name)
except:
print role_name + ' role not found. Creating role '
iam.create_role(role_name)
print 'Updating assume role policy of ' + role_name
with open(assume_role_policy_file, "r") as myfile:
policy = myfile.read()
iam.update_assume_role_policy(role_name, policy)
print 'Updating attached permission policies of ' + role_name
for rp in iam.list_role_policies(role_name).get('list_role_policies_response').get('list_role_policies_result').get('policy_names'):
iam.delete_role_policy(role_name, rp)
with open(permission_policy_file, "r") as myfile:
policy = myfile.read()
iam.put_role_policy(role_name, role_name + '_permission_policy', policy)
try:
iam.get_instance_profile(role_name)
except:
print role_name + ' instance profile not found. Creating instance profile'
iam.create_instance_profile(role_name)
print 'Updating role and instance profile association of ' + role_name
for ip in iam.list_instance_profiles_for_role(role_name).get('list_instance_profiles_for_role_response').get('list_instance_profiles_for_role_result').get('instance_profiles'):
iam.remove_role_from_instance_profile(role_name, role_name)
iam.add_role_to_instance_profile(role_name, role_name)
def create_role(module, iam, name, path, role_list, prof_list):
changed = False
try:
if name not in role_list:
changed = True
iam.create_role(
name, path=path).create_role_response.create_role_result.role.role_name
if name not in prof_list:
iam.create_instance_profile(name, path=path)
iam.add_role_to_instance_profile(name, name)
except boto.exception.BotoServerError, err:
module.fail_json(changed=changed, msg=str(err))
def create_role(module, iam, name, path, role_list, prof_list):
changed = False
try:
if name not in role_list:
changed = True
iam.create_role(
name, path=path).create_role_response.create_role_result.role.role_name
if name not in prof_list:
iam.create_instance_profile(name, path=path)
iam.add_role_to_instance_profile(name, name)
except boto.exception.BotoServerError, err:
module.fail_json(changed=changed, msg=str(err))
def create_role(iam, name, path, role_list, prof_list):
changed = False
if name not in role_list:
changed = True
iam.create_role(
name, path=path).create_role_response.create_role_result.role.role_name
if name not in prof_list:
iam.create_instance_profile(name, path=path)
iam.add_role_to_instance_profile(name, name)
updated_role_list = [rl['role_name'] for rl in iam.list_roles().list_roles_response.
list_roles_result.roles]
return changed, updated_role_list
def create_role(module, iam, name, path, role_list, prof_list, trust_policy_doc):
changed = False
iam_role_result = None
instance_profile_result = None
try:
if name not in role_list:
changed = True
iam_role_result = iam.create_role(name,
assume_role_policy_document=trust_policy_doc,
path=path).create_role_response.create_role_result.role.role_name
if name not in prof_list:
instance_profile_result = iam.create_instance_profile(name,
path=path).create_instance_profile_response.create_instance_profile_result.instance_profile
iam.add_role_to_instance_profile(name, name)
except boto.exception.BotoServerError as err:
module.fail_json(changed=changed, msg=str(err))
else:
updated_role_list = list_all_roles(iam)
return changed, updated_role_list, iam_role_result, instance_profile_result
def main():
argument_spec = ec2_argument_spec()
argument_spec.update(dict(
profile_name = dict(default=None,required=True),
role_name = dict(default=None,required=True),
state = dict(default='present', choices=['present', 'absent']),
)
)
module = AnsibleModule(
argument_spec=argument_spec
)
profile_name = module.params.get('profile_name')
role_name = module.params.get('role_name')
region, ec2_url, aws_connect_params = get_aws_connection_info(module)
iam = connect_to_aws(boto.iam, region, **aws_connect_params)
missing = True
try:
response = iam.get_instance_profile(profile_name)
# todo: does not verify the role is what we want
missing = len(response.get_instance_profile_result.instance_profile.roles) == 0
except boto.exception.BotoServerError as e:
if e.status == 404:
missing = True
state = module.params.get('state')
if state == 'present':
if missing:
response = iam.add_role_to_instance_profile(profile_name, role_name)
module.exit_json(changed = missing)
elif state == 'absent':
if not missing:
response = iam.remove_role_from_instance_profile(profile_name, role_name)
module.exit_json(changed = not missing)
