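    def validate_group(self, client, mem_group, aws_group):
        '''
        Reconciles one existing AWS group with its in-memory definition.
        Inline policies are written when missing from AWS or when their document differs, and
        deleted from AWS when absent from the in-memory group. Managed policies are attached when
        AWS does not report them as attached and detached when absent from the in-memory group.
        The group itself is never deleted and its Path cannot be changed in place, so a Path
        difference is only reported.
        Args:
            client: unused; kept for signature compatibility (every IAM call goes through self.iw)
            mem_group: group dict loaded from file; "AttachedManagedPolicies" is a list of ARN strings
            aws_group: matching entry of the AWS GroupDetailList; "AttachedManagedPolicies" is a
                list of {"PolicyArn": ...} dicts

        Returns:
            None
        '''
        name = mem_group["GroupName"]
        if name != aws_group["GroupName"]:
            print("Cannot validate different Groups: {} and {}".format(name, aws_group["GroupName"]))
            return
        if mem_group["Path"] != aws_group["Path"]:
            print("WARNING Paths differ for group {}: Path_In_File={} Path_In_AWS={}".format(name,
                                                                                             mem_group["Path"],
                                                                                             aws_group["Path"]))
            print("You will need to manually delete the old group for the Path to be changed.")

        # Inline policy names are unique within an IAM group, so a name-keyed map gives the same
        # match as a linear search without rescanning the AWS list for every in-memory policy.
        aws_inline_by_name = {pol["PolicyName"]: pol for pol in aws_group["GroupPolicyList"]}
        mem_inline_names = {pol["PolicyName"] for pol in mem_group["GroupPolicyList"]}

        for inline_pol in mem_group["GroupPolicyList"]:
            aws_inline_pol = aws_inline_by_name.get(inline_pol["PolicyName"])
            if aws_inline_pol is not None:
                # Canonical JSON (sorted keys, fixed indent) so key order or whitespace alone
                # never counts as drift.
                aws_doc_str = json.dumps(aws_inline_pol["PolicyDocument"], indent=2, sort_keys=True)
                mem_doc_str = json.dumps(inline_pol["PolicyDocument"], indent=2, sort_keys=True)
                if mem_doc_str == aws_doc_str:
                    continue
            # Missing in AWS, or the document differs: the file version wins.
            self.iw.put_group_policy(name, inline_pol["PolicyName"], inline_pol["PolicyDocument"])
        for aws_inline_pol in aws_group["GroupPolicyList"]:
            if aws_inline_pol["PolicyName"] not in mem_inline_names:
                # AWS has a policy that is not in memory version, it should be deleted.
                self.iw.delete_group_policy(name, aws_inline_pol["PolicyName"])

        aws_attached = {pol["PolicyArn"] for pol in aws_group["AttachedManagedPolicies"]}
        mem_attached = set(mem_group["AttachedManagedPolicies"])
        for mngd_pol_arn in mem_group["AttachedManagedPolicies"]:
            # Only attach what AWS does not already report as attached; re-attaching every ARN on
            # every run is a mutating IAM call with no effect.
            if mngd_pol_arn not in aws_attached:
                self.iw.attach_group_policy(name, mngd_pol_arn)
        for aws_mngd_pol in aws_group["AttachedManagedPolicies"]:
            if aws_mngd_pol["PolicyArn"] not in mem_attached:
                # AWS has a mngd policy that is not in memory version, it should be deleted.
                self.iw.detach_group_policy(name, aws_mngd_pol["PolicyArn"])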
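    def validate_group(self, client, mem_group, aws_group):
        '''
        Reconciles one existing AWS group with its in-memory definition.
        Inline policies are written when missing from AWS or when their document differs, and
        deleted from AWS when absent from the in-memory group. Managed policies are attached when
        AWS does not report them as attached and detached when absent from the in-memory group.
        The group itself is never deleted and its Path cannot be changed in place, so a Path
        difference is only reported.
        Args:
            client: unused; kept for signature compatibility (every IAM call goes through self.iw)
            mem_group: group dict loaded from file; "AttachedManagedPolicies" is a list of ARN strings
            aws_group: matching entry of the AWS GroupDetailList; "AttachedManagedPolicies" is a
                list of {"PolicyArn": ...} dicts

        Returns:
            None
        '''
        name = mem_group["GroupName"]
        if name != aws_group["GroupName"]:
            print("Cannot validate different Groups: {} and {}".format(name, aws_group["GroupName"]))
            return
        if mem_group["Path"] != aws_group["Path"]:
            print("WARNING Paths differ for group {}: Path_In_File={} Path_In_AWS={}".format(name,
                                                                                             mem_group["Path"],
                                                                                             aws_group["Path"]))
            print("You will need to manually delete the old group for the Path to be changed.")

        # Inline policy names are unique within an IAM group, so a name-keyed map gives the same
        # match as a linear search without rescanning the AWS list for every in-memory policy.
        aws_inline_by_name = {pol["PolicyName"]: pol for pol in aws_group["GroupPolicyList"]}
        mem_inline_names = {pol["PolicyName"] for pol in mem_group["GroupPolicyList"]}

        for inline_pol in mem_group["GroupPolicyList"]:
            aws_inline_pol = aws_inline_by_name.get(inline_pol["PolicyName"])
            if aws_inline_pol is not None:
                # Canonical JSON (sorted keys, fixed indent) so key order or whitespace alone
                # never counts as drift.
                aws_doc_str = json.dumps(aws_inline_pol["PolicyDocument"], indent=2, sort_keys=True)
                mem_doc_str = json.dumps(inline_pol["PolicyDocument"], indent=2, sort_keys=True)
                if mem_doc_str == aws_doc_str:
                    continue
            # Missing in AWS, or the document differs: the file version wins.
            self.iw.put_group_policy(name, inline_pol["PolicyName"], inline_pol["PolicyDocument"])
        for aws_inline_pol in aws_group["GroupPolicyList"]:
            if aws_inline_pol["PolicyName"] not in mem_inline_names:
                # AWS has a policy that is not in memory version, it should be deleted.
                self.iw.delete_group_policy(name, aws_inline_pol["PolicyName"])

        aws_attached = {pol["PolicyArn"] for pol in aws_group["AttachedManagedPolicies"]}
        mem_attached = set(mem_group["AttachedManagedPolicies"])
        for mngd_pol_arn in mem_group["AttachedManagedPolicies"]:
            # Only attach what AWS does not already report as attached; re-attaching every ARN on
            # every run is a mutating IAM call with no effect.
            if mngd_pol_arn not in aws_attached:
                self.iw.attach_group_policy(name, mngd_pol_arn)
        for aws_mngd_pol in aws_group["AttachedManagedPolicies"]:
            if aws_mngd_pol["PolicyArn"] not in mem_attached:
                # AWS has a mngd policy that is not in memory version, it should be deleted.
                self.iw.detach_group_policy(name, aws_mngd_pol["PolicyArn"])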
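    def validate_role(self, client, mem_role, aws_role):
        '''
        Reconciles one existing AWS role with its in-memory definition.
        The trust policy (AssumeRolePolicyDocument) is rewritten when it differs. Inline policies
        are written when missing from AWS or when their document differs, and deleted from AWS when
        absent from the in-memory role. Managed policies are attached when AWS does not report them
        as attached and detached when absent from the in-memory role. Instance profiles missing in
        AWS are created and bound to the role; profiles absent from the in-memory role are unbound
        and deleted. The role itself is never deleted and neither the role Path nor an instance
        profile Path can be changed in place, so those differences are only reported.
        Args:
            client: unused; kept for signature compatibility (every IAM call goes through self.iw)
            mem_role: role dict loaded from file; "AttachedManagedPolicies" is a list of ARN strings
            aws_role: matching entry of the AWS RoleDetailList; "AttachedManagedPolicies" is a
                list of {"PolicyArn": ...} dicts

        Returns:
            None
        '''
        name = mem_role["RoleName"]
        if name != aws_role["RoleName"]:
            print("Cannot validate different Roles: {} and {}".format(name, aws_role["RoleName"]))
            return
        if mem_role["Path"] != aws_role["Path"]:
            print("WARNING Paths differ for role {}: Path_In_File={} Path_In_AWS={}".format(name,
                                                                                             mem_role["Path"],
                                                                                             aws_role["Path"]))
            print("You will need to manually delete the old role for the Path to be changed.")

        # Trust policy first: it decides who may assume the role at all. Canonical JSON (sorted
        # keys, fixed indent) so key order or whitespace alone never counts as drift.
        mem_assume_pol_str = json.dumps(mem_role["AssumeRolePolicyDocument"], indent=2, sort_keys=True)
        aws_assume_pol_str = json.dumps(aws_role["AssumeRolePolicyDocument"], indent=2, sort_keys=True)
        if mem_assume_pol_str != aws_assume_pol_str:
            self.iw.update_assume_role_policy(name, mem_role["AssumeRolePolicyDocument"])

        # Inline policy names are unique within an IAM role, so a name-keyed map gives the same
        # match as a linear search without rescanning the AWS list for every in-memory policy.
        aws_inline_by_name = {pol["PolicyName"]: pol for pol in aws_role["RolePolicyList"]}
        mem_inline_names = {pol["PolicyName"] for pol in mem_role["RolePolicyList"]}

        for inline_pol in mem_role["RolePolicyList"]:
            aws_inline_pol = aws_inline_by_name.get(inline_pol["PolicyName"])
            if aws_inline_pol is not None:
                aws_doc_str = json.dumps(aws_inline_pol["PolicyDocument"], indent=2, sort_keys=True)
                mem_doc_str = json.dumps(inline_pol["PolicyDocument"], indent=2, sort_keys=True)
                if mem_doc_str == aws_doc_str:
                    continue
            # Missing in AWS, or the document differs: the file version wins.
            self.iw.put_role_policy(name, inline_pol["PolicyName"], inline_pol["PolicyDocument"])
        for aws_inline_pol in aws_role["RolePolicyList"]:
            if aws_inline_pol["PolicyName"] not in mem_inline_names:
                # AWS has a policy that is not in memory version, it should be deleted.
                self.iw.delete_role_policy(name, aws_inline_pol["PolicyName"])

        aws_attached = {pol["PolicyArn"] for pol in aws_role["AttachedManagedPolicies"]}
        mem_attached = set(mem_role["AttachedManagedPolicies"])
        for mngd_pol_arn in mem_role["AttachedManagedPolicies"]:
            # Only attach what AWS does not already report as attached; re-attaching every ARN on
            # every run is a mutating IAM call with no effect.
            if mngd_pol_arn not in aws_attached:
                self.iw.attach_role_policy(name, mngd_pol_arn)
        for aws_mngd_pol in aws_role["AttachedManagedPolicies"]:
            if aws_mngd_pol["PolicyArn"] not in mem_attached:
                # AWS has a mngd policy that is not in memory version, it should be deleted.
                self.iw.detach_role_policy(name, aws_mngd_pol["PolicyArn"])

        aws_profiles_by_name = {ip["InstanceProfileName"]: ip for ip in aws_role["InstanceProfileList"]}
        mem_profile_names = {ip["InstanceProfileName"] for ip in mem_role["InstanceProfileList"]}
        for inst_pro in mem_role["InstanceProfileList"]:
            aws_inst_pro = aws_profiles_by_name.get(inst_pro["InstanceProfileName"])
            if aws_inst_pro is None:
                self.iw.create_instance_profile(inst_pro["InstanceProfileName"], inst_pro["Path"])
                self.iw.add_role_to_instance_profile(name, inst_pro["InstanceProfileName"])
            elif inst_pro["Path"] != aws_inst_pro["Path"]:
                print("WARNING Paths differ for Instance Profile {}: Path_In_File={} Path_In_AWS={}".format(
                    inst_pro["InstanceProfileName"], inst_pro["Path"], aws_inst_pro["Path"]))
                print("You will need to manually delete the old instance profile for the Path to be changed.")
        for aws_ip in aws_role["InstanceProfileList"]:
            if aws_ip["InstanceProfileName"] not in mem_profile_names:
                # AWS has an instance profile that is not in memory version, it should be deleted.
                self.iw.remove_role_from_instance_profile(name, aws_ip["InstanceProfileName"])
                self.iw.delete_instance_profile(aws_ip["InstanceProfileName"])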
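    def validate_role(self, client, mem_role, aws_role):
        '''
        Reconciles one existing AWS role with its in-memory definition.
        The trust policy (AssumeRolePolicyDocument) is rewritten when it differs. Inline policies
        are written when missing from AWS or when their document differs, and deleted from AWS when
        absent from the in-memory role. Managed policies are attached when AWS does not report them
        as attached and detached when absent from the in-memory role. Instance profiles missing in
        AWS are created and bound to the role; profiles absent from the in-memory role are unbound
        and deleted. The role itself is never deleted and neither the role Path nor an instance
        profile Path can be changed in place, so those differences are only reported.
        Args:
            client: unused; kept for signature compatibility (every IAM call goes through self.iw)
            mem_role: role dict loaded from file; "AttachedManagedPolicies" is a list of ARN strings
            aws_role: matching entry of the AWS RoleDetailList; "AttachedManagedPolicies" is a
                list of {"PolicyArn": ...} dicts

        Returns:
            None
        '''
        name = mem_role["RoleName"]
        if name != aws_role["RoleName"]:
            print("Cannot validate different Roles: {} and {}".format(name, aws_role["RoleName"]))
            return
        if mem_role["Path"] != aws_role["Path"]:
            print("WARNING Paths differ for role {}: Path_In_File={} Path_In_AWS={}".format(name,
                                                                                             mem_role["Path"],
                                                                                             aws_role["Path"]))
            print("You will need to manually delete the old role for the Path to be changed.")

        # Trust policy first: it decides who may assume the role at all. Canonical JSON (sorted
        # keys, fixed indent) so key order or whitespace alone never counts as drift.
        mem_assume_pol_str = json.dumps(mem_role["AssumeRolePolicyDocument"], indent=2, sort_keys=True)
        aws_assume_pol_str = json.dumps(aws_role["AssumeRolePolicyDocument"], indent=2, sort_keys=True)
        if mem_assume_pol_str != aws_assume_pol_str:
            self.iw.update_assume_role_policy(name, mem_role["AssumeRolePolicyDocument"])

        # Inline policy names are unique within an IAM role, so a name-keyed map gives the same
        # match as a linear search without rescanning the AWS list for every in-memory policy.
        aws_inline_by_name = {pol["PolicyName"]: pol for pol in aws_role["RolePolicyList"]}
        mem_inline_names = {pol["PolicyName"] for pol in mem_role["RolePolicyList"]}

        for inline_pol in mem_role["RolePolicyList"]:
            aws_inline_pol = aws_inline_by_name.get(inline_pol["PolicyName"])
            if aws_inline_pol is not None:
                aws_doc_str = json.dumps(aws_inline_pol["PolicyDocument"], indent=2, sort_keys=True)
                mem_doc_str = json.dumps(inline_pol["PolicyDocument"], indent=2, sort_keys=True)
                if mem_doc_str == aws_doc_str:
                    continue
            # Missing in AWS, or the document differs: the file version wins.
            self.iw.put_role_policy(name, inline_pol["PolicyName"], inline_pol["PolicyDocument"])
        for aws_inline_pol in aws_role["RolePolicyList"]:
            if aws_inline_pol["PolicyName"] not in mem_inline_names:
                # AWS has a policy that is not in memory version, it should be deleted.
                self.iw.delete_role_policy(name, aws_inline_pol["PolicyName"])

        aws_attached = {pol["PolicyArn"] for pol in aws_role["AttachedManagedPolicies"]}
        mem_attached = set(mem_role["AttachedManagedPolicies"])
        for mngd_pol_arn in mem_role["AttachedManagedPolicies"]:
            # Only attach what AWS does not already report as attached; re-attaching every ARN on
            # every run is a mutating IAM call with no effect.
            if mngd_pol_arn not in aws_attached:
                self.iw.attach_role_policy(name, mngd_pol_arn)
        for aws_mngd_pol in aws_role["AttachedManagedPolicies"]:
            if aws_mngd_pol["PolicyArn"] not in mem_attached:
                # AWS has a mngd policy that is not in memory version, it should be deleted.
                self.iw.detach_role_policy(name, aws_mngd_pol["PolicyArn"])

        aws_profiles_by_name = {ip["InstanceProfileName"]: ip for ip in aws_role["InstanceProfileList"]}
        mem_profile_names = {ip["InstanceProfileName"] for ip in mem_role["InstanceProfileList"]}
        for inst_pro in mem_role["InstanceProfileList"]:
            aws_inst_pro = aws_profiles_by_name.get(inst_pro["InstanceProfileName"])
            if aws_inst_pro is None:
                self.iw.create_instance_profile(inst_pro["InstanceProfileName"], inst_pro["Path"])
                self.iw.add_role_to_instance_profile(name, inst_pro["InstanceProfileName"])
            elif inst_pro["Path"] != aws_inst_pro["Path"]:
                print("WARNING Paths differ for Instance Profile {}: Path_In_File={} Path_In_AWS={}".format(
                    inst_pro["InstanceProfileName"], inst_pro["Path"], aws_inst_pro["Path"]))
                print("You will need to manually delete the old instance profile for the Path to be changed.")
        for aws_ip in aws_role["InstanceProfileList"]:
            if aws_ip["InstanceProfileName"] not in mem_profile_names:
                # AWS has an instance profile that is not in memory version, it should be deleted.
                self.iw.remove_role_from_instance_profile(name, aws_ip["InstanceProfileName"])
                self.iw.delete_instance_profile(aws_ip["InstanceProfileName"])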
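    def adjust_groups_in_aws(self, use_assume_role=False):
        '''
        Adjusts the AWS groups to match the current in memory groups. It creates the groups if
        they do not exist in AWS.  Also adjusts attached managed policies and inline policies associated with the group.
        It will not delete any groups.
        Requires self.iam_details (the AWS account snapshot) to have been imported first; the
        snapshot, not a live lookup, decides whether a group is created or validated.
        Args:
            use_assume_role: set to True if using developer account credentials and plan to assume production credentials

        Returns:
            None
        '''
        # Check the precondition before assuming any role so no production credentials are
        # requested just to bail out.
        if self.iam_details is None:
            print("iam_details must be imported first.")
            return
        if use_assume_role:
            import_session = assume_production_role(self.session)
        else:
            import_session = self.session
        # One IAM client serves every group; creating it per iteration was loop-invariant work.
        client = import_session.client('iam')
        # Group names are unique within an AWS account, so a name-keyed map is an exact lookup.
        aws_groups_by_name = {g["GroupName"]: g for g in self.iam_details["GroupDetailList"]}
        for group in self.groups:
            aws_group = aws_groups_by_name.get(group["GroupName"])
            if aws_group is None:
                self.create_full_group(group)
            else:
                self.validate_group(client, group, aws_group)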
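    def adjust_roles_in_aws(self, use_assume_role=False):
        '''
        Adjusts the AWS roles to match the current in memory roles. It creates the roles if
        they do not exist in AWS.  Also adjusts attached managed policies and inline policies associated with the role
        and the Assume Policy Document.
        It will not delete any roles.
        Requires self.iam_details (the AWS account snapshot) to have been imported first; the
        snapshot, not a live lookup, decides whether a role is created or validated.
        Args:
            use_assume_role: set to True if using developer account credentials and plan to assume production credentials

        Returns:
            None
        '''
        # Check the precondition before assuming any role so no production credentials are
        # requested just to bail out.
        if self.iam_details is None:
            print("iam_details must be imported first.")
            return
        if use_assume_role:
            import_session = assume_production_role(self.session)
        else:
            import_session = self.session
        # One IAM client serves every role; creating it per iteration was loop-invariant work.
        client = import_session.client('iam')
        # Role names are unique within an AWS account, so a name-keyed map is an exact lookup.
        aws_roles_by_name = {r["RoleName"]: r for r in self.iam_details["RoleDetailList"]}
        for role in self.roles:
            aws_role = aws_roles_by_name.get(role["RoleName"])
            if aws_role is None:
                self.create_full_role(role)
            else:
                self.validate_role(client, role, aws_role)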
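    def adjust_groups_in_aws(self, use_assume_role=False):
        '''
        Adjusts the AWS groups to match the current in memory groups. It creates the groups if
        they do not exist in AWS.  Also adjusts attached managed policies and inline policies associated with the group.
        It will not delete any groups.
        Requires self.iam_details (the AWS account snapshot) to have been imported first; the
        snapshot, not a live lookup, decides whether a group is created or validated.
        Args:
            use_assume_role: set to True if using developer account credentials and plan to assume production credentials

        Returns:
            None
        '''
        # Check the precondition before assuming any role so no production credentials are
        # requested just to bail out.
        if self.iam_details is None:
            print("iam_details must be imported first.")
            return
        if use_assume_role:
            import_session = assume_production_role(self.session)
        else:
            import_session = self.session
        # One IAM client serves every group; creating it per iteration was loop-invariant work.
        client = import_session.client('iam')
        # Group names are unique within an AWS account, so a name-keyed map is an exact lookup.
        aws_groups_by_name = {g["GroupName"]: g for g in self.iam_details["GroupDetailList"]}
        for group in self.groups:
            aws_group = aws_groups_by_name.get(group["GroupName"])
            if aws_group is None:
                self.create_full_group(group)
            else:
                self.validate_group(client, group, aws_group)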
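    def adjust_roles_in_aws(self, use_assume_role=False):
        '''
        Adjusts the AWS roles to match the current in memory roles. It creates the roles if
        they do not exist in AWS.  Also adjusts attached managed policies and inline policies associated with the role
        and the Assume Policy Document.
        It will not delete any roles.
        Requires self.iam_details (the AWS account snapshot) to have been imported first; the
        snapshot, not a live lookup, decides whether a role is created or validated.
        Args:
            use_assume_role: set to True if using developer account credentials and plan to assume production credentials

        Returns:
            None
        '''
        # Check the precondition before assuming any role so no production credentials are
        # requested just to bail out.
        if self.iam_details is None:
            print("iam_details must be imported first.")
            return
        if use_assume_role:
            import_session = assume_production_role(self.session)
        else:
            import_session = self.session
        # One IAM client serves every role; creating it per iteration was loop-invariant work.
        client = import_session.client('iam')
        # Role names are unique within an AWS account, so a name-keyed map is an exact lookup.
        aws_roles_by_name = {r["RoleName"]: r for r in self.iam_details["RoleDetailList"]}
        for role in self.roles:
            aws_role = aws_roles_by_name.get(role["RoleName"])
            if aws_role is None:
                self.create_full_role(role)
            else:
                self.validate_role(client, role, aws_role)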
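    def adjust_policies_in_aws(self, use_assume_role=False):
        '''
        Adjusts the AWS policies to match the current in memory policies. It creates the policies if
        they do not exist in AWS and updates the active policy version to match the
        loaded policy version.  It will not delete any policies. It cannot adjust the policy path but
        will inform if the policy path is different.
        Requires self.iam_details (the AWS account snapshot) to have been imported first; the
        snapshot, not a live lookup, decides whether a policy is created or validated.
        Args:
            use_assume_role: set to True if using developer account credentials and plan to assume production credentials

        Returns:
            None
        '''
        # Check the precondition before assuming any role so no production credentials are
        # requested just to bail out.
        if self.iam_details is None:
            print("iam_details must be imported first.")
            return
        if use_assume_role:
            import_session = assume_production_role(self.session)
        else:
            import_session = self.session
        # One IAM client serves every policy; creating it per iteration was loop-invariant work.
        client = import_session.client('iam')
        # Customer managed policy names are unique within an account, so this is an exact lookup.
        aws_policies_by_name = {p["PolicyName"]: p for p in self.iam_details["Policies"]}
        for policy in self.policies:
            # Shallow copy: only the PolicyDocument key is reassigned below, so the loaded
            # in-memory policy keeps its dict form.
            boto3_policy = policy.copy()

            aws_policy = aws_policies_by_name.get(boto3_policy["PolicyName"])
            if aws_policy is None:
                # create_policy takes the document as a JSON string; every other key of the loaded
                # policy dict is forwarded as a keyword argument unchanged.
                boto3_policy["PolicyDocument"] = json.dumps(boto3_policy["PolicyDocument"], indent=2, sort_keys=True)
                try:
                    client.create_policy(**boto3_policy)
                except ClientError as e:
                    if e.response['Error']['Code'] == 'EntityAlreadyExists':
                        print("Policy {} already exists cannot load again.".format(boto3_policy["PolicyName"]))
                    else:
                        print("error occur creating policy: {}".format(boto3_policy["PolicyName"]))
                        print("   Details: {}".format(str(e)))
            else:
                self.validate_policy(client, boto3_policy, aws_policy)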
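    def adjust_policies_in_aws(self, use_assume_role=False):
        '''
        Adjusts the AWS policies to match the current in memory policies. It creates the policies if
        they do not exist in AWS and updates the active policy version to match the
        loaded policy version.  It will not delete any policies. It cannot adjust the policy path but
        will inform if the policy path is different.
        Requires self.iam_details (the AWS account snapshot) to have been imported first; the
        snapshot, not a live lookup, decides whether a policy is created or validated.
        Args:
            use_assume_role: set to True if using developer account credentials and plan to assume production credentials

        Returns:
            None
        '''
        # Check the precondition before assuming any role so no production credentials are
        # requested just to bail out.
        if self.iam_details is None:
            print("iam_details must be imported first.")
            return
        if use_assume_role:
            import_session = assume_production_role(self.session)
        else:
            import_session = self.session
        # One IAM client serves every policy; creating it per iteration was loop-invariant work.
        client = import_session.client('iam')
        # Customer managed policy names are unique within an account, so this is an exact lookup.
        aws_policies_by_name = {p["PolicyName"]: p for p in self.iam_details["Policies"]}
        for policy in self.policies:
            # Shallow copy: only the PolicyDocument key is reassigned below, so the loaded
            # in-memory policy keeps its dict form.
            boto3_policy = policy.copy()

            aws_policy = aws_policies_by_name.get(boto3_policy["PolicyName"])
            if aws_policy is None:
                # create_policy takes the document as a JSON string; every other key of the loaded
                # policy dict is forwarded as a keyword argument unchanged.
                boto3_policy["PolicyDocument"] = json.dumps(boto3_policy["PolicyDocument"], indent=2, sort_keys=True)
                try:
                    client.create_policy(**boto3_policy)
                except ClientError as e:
                    if e.response['Error']['Code'] == 'EntityAlreadyExists':
                        print("Policy {} already exists cannot load again.".format(boto3_policy["PolicyName"]))
                    else:
                        print("error occur creating policy: {}".format(boto3_policy["PolicyName"]))
                        print("   Details: {}".format(str(e)))
            else:
                self.validate_policy(client, boto3_policy, aws_policy)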
def get_default_policy_version(policy):
    '''
    Returns the entry of the policy's PolicyVersionList whose VersionId equals the policy's
    DefaultVersionId. The default version is the one IAM actually evaluates, so this is the
    document that grants the policy's permissions. Lookup is delegated to utils.find_dict_with,
    which the callers in this file treat as returning None when nothing matches.
    Args:
        policy: policy dict with "PolicyVersionList" and "DefaultVersionId" keys

    Returns:
        the matching version dict, or whatever utils.find_dict_with returns on no match
    '''
    versions = policy["PolicyVersionList"]
    default_id = policy["DefaultVersionId"]
    return utils.find_dict_with(versions, "VersionId", default_id)
def get_default_policy_version(policy):
    '''
    Returns the entry of the policy's PolicyVersionList whose VersionId equals the policy's
    DefaultVersionId. The default version is the one IAM actually evaluates, so this is the
    document that grants the policy's permissions. Lookup is delegated to utils.find_dict_with,
    which the callers in this file treat as returning None when nothing matches.
    Args:
        policy: policy dict with "PolicyVersionList" and "DefaultVersionId" keys

    Returns:
        the matching version dict, or whatever utils.find_dict_with returns on no match
    '''
    versions = policy["PolicyVersionList"]
    default_id = policy["DefaultVersionId"]
    return utils.find_dict_with(versions, "VersionId", default_id)