def instance_profile(name, role_name=None): try: profile = iam.get_instance_profile(name) except boto.exception.BotoServerError: profile = None if profile is None: iam.create_instance_profile(name) profile = iam.get_instance_profile(name) roles = profile['get_instance_profile_response'][ 'get_instance_profile_result']['instance_profile']['roles'] should_add = False should_remove = False if role_name is None: if len(roles) != 0: should_remove = True if role_name is not None: if len(roles) == 0: should_add = True elif roles['member']['role_name'] != role_name: should_remove = True should_add = True if should_remove: iam.remove_role_from_instance_profile(name, roles['member']['role_name']) if should_add: iam.add_role_to_instance_profile(name, role_name) if role_name is not None and len(roles) != 0: should_add = True
def update_iam_role(iam, role_name, assume_role_policy_file, permission_policy_file): try: iam.get_role(role_name) except: print role_name + ' role not found. Creating role ' iam.create_role(role_name) print 'Updating assume role policy of ' + role_name with open(assume_role_policy_file, "r") as myfile: policy = myfile.read() iam.update_assume_role_policy(role_name, policy) print 'Updating attached permission policies of ' + role_name for rp in iam.list_role_policies(role_name).get('list_role_policies_response').get('list_role_policies_result').get('policy_names'): iam.delete_role_policy(role_name, rp) with open(permission_policy_file, "r") as myfile: policy = myfile.read() iam.put_role_policy(role_name, role_name + '_permission_policy', policy) try: iam.get_instance_profile(role_name) except: print role_name + ' instance profile not found. Creating instance profile' iam.create_instance_profile(role_name) print 'Updating role and instance profile association of ' + role_name for ip in iam.list_instance_profiles_for_role(role_name).get('list_instance_profiles_for_role_response').get('list_instance_profiles_for_role_result').get('instance_profiles'): iam.remove_role_from_instance_profile(role_name, role_name) iam.add_role_to_instance_profile(role_name, role_name)
def main(): argument_spec = ec2_argument_spec() argument_spec.update(dict( profile_name = dict(default=None,required=True), state = dict(default='present', choices=['present', 'absent']), ) ) module = AnsibleModule( argument_spec=argument_spec ) profile_name = module.params.get('profile_name') region, ec2_url, aws_connect_params = get_aws_connection_info(module) iam = connect_to_aws(boto.iam, region, **aws_connect_params) state = module.params.get('state') missing = False try: iam.get_instance_profile(profile_name) except boto.exception.BotoServerError as e: if e.status == 404: missing = True if state == 'present': if missing: iam.create_instance_profile(profile_name) module.exit_json(changed = missing) elif state == 'absent': if not missing: iam.delete_instance_profile(profile_name) module.exit_json(changed = not missing)
def create_role(module, iam, name, path, role_list, prof_list, trust_policy_doc): changed = False iam_role_result = None instance_profile_result = None try: if name not in role_list: changed = True iam_role_result = iam.create_role( name, assume_role_policy_document=trust_policy_doc, path=path).create_role_response.create_role_result.role if name not in prof_list: instance_profile_result = iam.create_instance_profile(name, path=path) \ .create_instance_profile_response.create_instance_profile_result.instance_profile iam.add_role_to_instance_profile(name, name) else: instance_profile_result = iam.get_instance_profile( name ).get_instance_profile_response.get_instance_profile_result.instance_profile except boto.exception.BotoServerError as err: module.fail_json(changed=changed, msg=str(err)) else: updated_role_list = list_all_roles(iam) iam_role_result = iam.get_role( name).get_role_response.get_role_result.role return changed, updated_role_list, iam_role_result, instance_profile_result
def build_opsworks_stack(): print '------------------------------------' print 'Building Vulnpryer Opsworks Stack' print '------------------------------------' # Connect to AWS Opsworks ow = boto.opsworks.connect_to_region(region_name=config.get('general', 'opsworks_aws_region'), aws_access_key_id=config.get('general', 'aws_access_key_id'), aws_secret_access_key=config.get('general', 'aws_secret_access_key')) # Check if stack exists for stack in ow.describe_stacks().get('Stacks'): if stack.get('Name') == config.get('opsworks', 'stack_name'): print 'Stack ' + config.get('opsworks', 'stack_name') + ' exists. Deleting stack with Stack ID ' + stack.get('StackId') # Delete instances for instance in ow.describe_instances(stack_id=stack.get('StackId')).get('Instances'): ow.delete_instance(instance_id=instance.get('InstanceId')) ow.delete_stack(stack.get('StackId')) # Retrieve IAM ARNs iam = boto.iam.connect_to_region(region_name=config.get('general', 'opsworks_aws_region'), aws_access_key_id=config.get('general', 'aws_access_key_id'), aws_secret_access_key=config.get('general', 'aws_secret_access_key')) service_arn = iam.get_role(config.get('opsworks', 'opsworks_role')).get('get_role_response').get('get_role_result').get('role').get('arn') ip_arn = iam.get_instance_profile(config.get('opsworks', 'opsworks_resource_role')).get('get_instance_profile_response').get('get_instance_profile_result').get('instance_profile').get('arn') # Creating new Opworks Stack try: new_stack = ow.create_stack(config.get('opsworks', 'stack_name'), config.get('general', 'vpc_aws_region'), service_arn, ip_arn, vpc_id=config.get('opsworks', 'vpc_id'), default_os=config.get('opsworks', 'default_os'), default_subnet_id=config.get('opsworks', 'default_subnet_id'), custom_json=config.get('opsworks', 'custom_json'), configuration_manager=ast.literal_eval(config.get('opsworks', 'configuration_manager')), chef_configuration=ast.literal_eval(config.get('opsworks', 'chef_configuration')), use_custom_cookbooks=config.getboolean('opsworks', 'use_custom_cookbooks'), use_opsworks_security_groups=config.getboolean('opsworks', 'use_opsworks_security_groups'), custom_cookbooks_source=ast.literal_eval(config.get('opsworks', 'custom_cookbooks_source')), default_ssh_key_name=config.get('opsworks', 'default_ssh_key_name'), attributes={'Color':'rgb(45, 114, 184)'}) new_layer = ow.create_layer(new_stack.get('StackId'), 'custom', config.get('opsworks', 'layer_name'), config.get('opsworks', 'layer_short_name'), attributes=None, custom_instance_profile_arn=ip_arn, custom_security_group_ids=[config.get('opsworks', 'layer_security_group')], packages=None, volume_configurations=None, enable_auto_healing=True, auto_assign_elastic_ips=False, auto_assign_public_ips=True, custom_recipes=ast.literal_eval(config.get('opsworks', 'layer_custom_recipes')), install_updates_on_boot=True, use_ebs_optimized_instances=False) except: print "New stack failed to create. Check keys and configuration before proceeding." return False new_instance = ow.create_instance(new_stack.get('StackId'), [new_layer.get('LayerId')], config.get('opsworks', 'instance_type'), hostname=config.get('opsworks', 'instance_name')) print 'Successfully built Opsworks Stack ' + config.get('opsworks', 'stack_name') + ' with stack id ' + new_stack.get('StackId') return new_instance.get('InstanceId')
def create_role(module, iam, name, path, role_list, prof_list, trust_policy_doc): changed = False iam_role_result = None instance_profile_result = None try: if name not in role_list: changed = True iam_role_result = iam.create_role(name, assume_role_policy_document=trust_policy_doc, path=path).create_role_response.create_role_result.role.role_name if name not in prof_list: instance_profile_result = iam.create_instance_profile(name, path=path).create_instance_profile_response.create_instance_profile_result.instance_profile iam.add_role_to_instance_profile(name, name) else: instance_profile_result = iam.get_instance_profile(name).get_instance_profile_response.get_instance_profile_result.instance_profile except boto.exception.BotoServerError as err: module.fail_json(changed=changed, msg=str(err)) else: updated_role_list = list_all_roles(iam) return changed, updated_role_list, iam_role_result, instance_profile_result
def main(): argument_spec = ec2_argument_spec() argument_spec.update(dict( profile_name = dict(default=None,required=True), role_name = dict(default=None,required=True), state = dict(default='present', choices=['present', 'absent']), ) ) module = AnsibleModule( argument_spec=argument_spec ) profile_name = module.params.get('profile_name') role_name = module.params.get('role_name') region, ec2_url, aws_connect_params = get_aws_connection_info(module) iam = connect_to_aws(boto.iam, region, **aws_connect_params) missing = True try: response = iam.get_instance_profile(profile_name) # todo: does not verify the role is what we want missing = len(response.get_instance_profile_result.instance_profile.roles) == 0 except boto.exception.BotoServerError as e: if e.status == 404: missing = True state = module.params.get('state') if state == 'present': if missing: response = iam.add_role_to_instance_profile(profile_name, role_name) module.exit_json(changed = missing) elif state == 'absent': if not missing: response = iam.remove_role_from_instance_profile(profile_name, role_name) module.exit_json(changed = not missing)