def role_action(module, iam, name, policy_name, skip, pdoc, state):
  policy_match = False
  changed = False
  try:
    current_policies = [cp for cp in iam.list_role_policies(name).
                                        list_role_policies_result.
                                        policy_names]
    for pol in current_policies:
      if urllib.unquote(iam.get_role_policy(name, pol).
                        get_role_policy_result.policy_document) == pdoc:
        policy_match = True
        if policy_match:
          msg=("The policy document you specified already exists "
               "under the name %s." % pol)
    if state == 'present' and skip:
      if policy_name not in current_policies and not policy_match:
        changed = True
        iam.put_role_policy(name, policy_name, pdoc)
    elif state == 'present' and not skip:
        changed = True
        iam.put_role_policy(name, policy_name, pdoc)
    elif state == 'absent':
      try:
        iam.delete_role_policy(name, policy_name)
        changed = True
      except boto.exception.BotoServerError, err:
        error_msg = boto_exception(err)
        if 'cannot be found.' in error_msg:
          changed = False
          module.exit_json(changed=changed,
                           msg="%s policy is already absent" % policy_name)

    updated_policies = [cp for cp in iam.list_role_policies(name).
                                        list_role_policies_result.
                                        policy_names]
Example #2
0
def update_iam_role(iam, role_name, assume_role_policy_file,
                    permission_policy_file):

    try:
        iam.get_role(role_name)
    except:
        print role_name + ' role not found. Creating role '
        iam.create_role(role_name)

    print 'Updating assume role policy of ' + role_name
    with open(assume_role_policy_file, "r") as myfile:
        policy = myfile.read()
        iam.update_assume_role_policy(role_name, policy)

    print 'Updating attached permission policies of ' + role_name
    for rp in iam.list_role_policies(role_name).get('list_role_policies_response').get('list_role_policies_result').get('policy_names'):
        iam.delete_role_policy(role_name, rp)
    with open(permission_policy_file, "r") as myfile:
        policy = myfile.read()
        iam.put_role_policy(role_name, role_name + '_permission_policy', policy)

    try:
        iam.get_instance_profile(role_name)
    except:
        print role_name + ' instance profile not found. Creating instance profile'
        iam.create_instance_profile(role_name)
    print 'Updating role and instance profile association of ' + role_name
    for ip in iam.list_instance_profiles_for_role(role_name).get('list_instance_profiles_for_role_response').get('list_instance_profiles_for_role_result').get('instance_profiles'):
        iam.remove_role_from_instance_profile(role_name, role_name)
    iam.add_role_to_instance_profile(role_name, role_name)
Example #3
0
def role_action(module, iam, name, policy_name, skip, pdoc, state):
  policy_match = False
  changed = False
  try:
    current_policies = [cp for cp in iam.list_role_policies(name).
                                        list_role_policies_result.
                                        policy_names]
    for pol in current_policies:
      if urllib.unquote(iam.get_role_policy(name, pol).
                        get_role_policy_result.policy_document) == pdoc:
        policy_match = True
        if policy_match:
          msg=("The policy document you specified already exists "
               "under the name %s." % pol)
    if state == 'present' and skip:
      if policy_name not in current_policies and not policy_match:
        changed = True
        iam.put_role_policy(name, policy_name, pdoc)
    elif state == 'present' and not skip:
        changed = True
        iam.put_role_policy(name, policy_name, pdoc)
    elif state == 'absent':
      try:
        iam.delete_role_policy(name, policy_name)
        changed = True
      except boto.exception.BotoServerError, err:
        error_msg = boto_exception(err)
        if 'cannot be found.' in error_msg:
          changed = False
          module.exit_json(changed=changed,
                           msg="%s policy is already absent" % policy_name)

    updated_policies = [cp for cp in iam.list_role_policies(name).
                                        list_role_policies_result.
                                        policy_names]
Example #4
0
def role_action(module, iam, name, policy_name, skip, pdoc, state):
    policy_match = False
    changed = False
    try:
        current_policies = [
            cp for cp in iam.list_role_policies(
                name).list_role_policies_result.policy_names
        ]
    except boto.exception.BotoServerError as e:
        if e.error_code == "NoSuchEntity":
            # Role doesn't exist so it's safe to assume the policy doesn't either
            module.exit_json(changed=False,
                             msg="No such role, policy will be skipped.")
        else:
            module.fail_json(msg=e.message)

    try:
        matching_policies = []
        for pol in current_policies:
            if urllib.parse.unquote(
                    iam.get_role_policy(
                        name,
                        pol).get_role_policy_result.policy_document) == pdoc:
                policy_match = True
                matching_policies.append(pol)

        if state == 'present':
            # If policy document does not already exist (either it's changed
            # or the policy is not present) or if we're not skipping dupes then
            # make the put call.  Note that the put call does a create or update.
            if not policy_match or (not skip
                                    and policy_name not in matching_policies):
                changed = True
                iam.put_role_policy(name, policy_name, pdoc)
        elif state == 'absent':
            try:
                iam.delete_role_policy(name, policy_name)
                changed = True
            except boto.exception.BotoServerError as err:
                error_msg = boto_exception(err)
                if 'cannot be found.' in error_msg:
                    changed = False
                    module.exit_json(changed=changed,
                                     msg="%s policy is already absent" %
                                     policy_name)
                else:
                    module.fail_json(msg=err.message)

        updated_policies = [
            cp for cp in iam.list_role_policies(
                name).list_role_policies_result.policy_names
        ]
    except boto.exception.BotoServerError as err:
        error_msg = boto_exception(err)
        module.fail_json(changed=changed, msg=error_msg)

    return changed, name, updated_policies
Example #5
0
def iam_role(name, policy_name='managedpolicy'):
    policy = json.dumps(policies[name],
                        sort_keys=True,
                        indent=4,
                        separators=(',', ': '))
    try:
        role = iam.get_role(name)
    except boto.exception.BotoServerError:
        role = None
    if role is None:
        iam.create_role(name)
        role = iam.get_role(name)
    # ...someday, maybe support for multiple policies via iam.list_role_policies()
    iam.put_role_policy(name, policy_name, policy)
Example #6
0
def role_action(module, iam, name, policy_name, skip, pdoc, state):
  policy_match = False
  changed = False
  try:
    current_policies = [cp for cp in iam.list_role_policies(name).
                                        list_role_policies_result.
                                        policy_names]
  except boto.exception.BotoServerError as e:
    if e.error_code == "NoSuchEntity":
      # Role doesn't exist so it's safe to assume the policy doesn't either
      module.exit_json(changed=False, msg="No such role, policy will be skipped.")
    else:
      module.fail_json(msg=e.message)

  try:
    pol = ""
    for pol in current_policies:
      if urllib.unquote(iam.get_role_policy(name, pol).
                        get_role_policy_result.policy_document) == pdoc:
        policy_match = True
        break

    if state == 'present':
      # If policy document does not already exist (either it's changed
      # or the policy is not present) or if we're not skipping dupes then
      # make the put call.  Note that the put call does a create or update.
      if (not policy_match or not skip) and pol != name:
        changed = True
        iam.put_role_policy(name, policy_name, pdoc)
    elif state == 'absent':
      try:
        iam.delete_role_policy(name, policy_name)
        changed = True
      except boto.exception.BotoServerError as err:
        error_msg = boto_exception(err)
        if 'cannot be found.' in error_msg:
          changed = False
          module.exit_json(changed=changed,
                           msg="%s policy is already absent" % policy_name)
        else:
          module.fail_json(msg=err.message)

    updated_policies = [cp for cp in iam.list_role_policies(name).
                                        list_role_policies_result.
                                        policy_names]
  except boto.exception.BotoServerError as err:
    error_msg = boto_exception(err)
    module.fail_json(changed=changed, msg=error_msg)

  return changed, name, updated_policies
def role_action(module, iam, name, policy_name, skip, pdoc, state):
    policy_match = False
    changed = False
    try:
        current_policies = [
            cp for cp in iam.list_role_policies(
                name).list_role_policies_result.policy_names
        ]
    except boto.exception.BotoServerError as e:
        if e.error_code == "NoSuchEntity":
            # Role doesn't exist so it's safe to assume the policy doesn't either
            module.exit_json(changed=False)
        else:
            module.fail_json(msg=e.message)

    try:
        for pol in current_policies:
            if urllib.unquote(
                    iam.get_role_policy(
                        name,
                        pol).get_role_policy_result.policy_document) == pdoc:
                policy_match = True
        if state == 'present' and skip:
            if policy_name not in current_policies and not policy_match:
                changed = True
                iam.put_role_policy(name, policy_name, pdoc)
        elif state == 'present' and not skip:
            changed = True
            iam.put_role_policy(name, policy_name, pdoc)
        elif state == 'absent':
            try:
                iam.delete_role_policy(name, policy_name)
                changed = True
            except boto.exception.BotoServerError, err:
                error_msg = boto_exception(err)
                if 'cannot be found.' in error_msg:
                    changed = False
                    module.exit_json(changed=changed,
                                     msg="%s policy is already absent" %
                                     policy_name)

        updated_policies = [
            cp for cp in iam.list_role_policies(
                name).list_role_policies_result.policy_names
        ]
def main():
    argument_spec = ec2_argument_spec()    
    argument_spec.update(dict(
            role_name = dict(default=None,required=True),
            policy_name =  dict(default=None,required=True),
            policy_document = dict(default=None,required=False),
            state = dict(default='present', choices=['present', 'absent']),
        )
    )

    module = AnsibleModule(
        argument_spec=argument_spec
    )

    role_name = module.params.get('role_name')
    policy_name = module.params.get('policy_name')
    policy_document = module.params.get('policy_document')

    if type(policy_document) == type(dict()):
        policy_document = json.dumps(policy_document)

    region, ec2_url, aws_connect_params = get_aws_connection_info(module)
    iam = connect_to_aws(boto.iam, region, **aws_connect_params)

    state = module.params.get('state')

    missing = False
    try:
        iam.get_role_policy(role_name, policy_name)
    except boto.exception.BotoServerError as e:
       if e.status == 404:
         missing = True

    if state == 'present':
        iam.put_role_policy(role_name, policy_name, policy_document)
        module.exit_json(changed = True)
    elif state == 'absent':
        if not missing:
          iam.delete_role_policy(role_name, policy_name)
        module.exit_json(changed = not missing)
def role_action(module, iam, name, policy_name, skip, pdoc, state):
  policy_match = False
  changed = False
  try:
    current_policies = [cp for cp in iam.list_role_policies(name).
                                        list_role_policies_result.
                                        policy_names]
  except boto.exception.BotoServerError as e:
    if e.error_code == "NoSuchEntity":
      # Role doesn't exist so it's safe to assume the policy doesn't either
      module.exit_json(changed=False)
    else:
      module.fail_json(msg=e.message)

  try:
    for pol in current_policies:
      if urllib.unquote(iam.get_role_policy(name, pol).get_role_policy_result.policy_document) == pdoc:
        policy_match = True
    if state == 'present' and skip:
      if policy_name not in current_policies and not policy_match:
        changed = True
        iam.put_role_policy(name, policy_name, pdoc)
    elif state == 'present' and not skip:
        changed = True
        iam.put_role_policy(name, policy_name, pdoc)
    elif state == 'absent':
      try:
        iam.delete_role_policy(name, policy_name)
        changed = True
      except boto.exception.BotoServerError, err:
        error_msg = boto_exception(err)
        if 'cannot be found.' in error_msg:
          changed = False
          module.exit_json(changed=changed,
                           msg="%s policy is already absent" % policy_name)

    updated_policies = [cp for cp in iam.list_role_policies(name).
                                        list_role_policies_result.
                                        policy_names]
Example #10
0
def main():
    argument_spec = ec2_argument_spec()
    argument_spec.update(
        dict(
            role_name=dict(default=None, required=True),
            policy_name=dict(default=None, required=True),
            policy_document=dict(default=None, required=False),
            state=dict(default='present', choices=['present', 'absent']),
        ))

    module = AnsibleModule(argument_spec=argument_spec)

    role_name = module.params.get('role_name')
    policy_name = module.params.get('policy_name')
    policy_document = module.params.get('policy_document')

    if type(policy_document) == type(dict()):
        policy_document = json.dumps(policy_document)

    region, ec2_url, aws_connect_params = get_aws_connection_info(module)
    iam = connect_to_aws(boto.iam, region, **aws_connect_params)

    state = module.params.get('state')

    missing = False
    try:
        iam.get_role_policy(role_name, policy_name)
    except boto.exception.BotoServerError as e:
        if e.status == 404:
            missing = True

    if state == 'present':
        iam.put_role_policy(role_name, policy_name, policy_document)
        module.exit_json(changed=True)
    elif state == 'absent':
        if not missing:
            iam.delete_role_policy(role_name, policy_name)
        module.exit_json(changed=not missing)