def update_user(module, iam, name, new_name, new_path, key_state, key_count, keys, pwd, updated): changed = False name_change = False if updated and new_name: name = new_name if new_name or new_path: c_path = iam.get_user(name).get_user_result.user['path'] if (name != new_name) or (c_path != new_path): changed = True try: if not updated: user = iam.update_user( name, new_user_name=new_name, new_path=new_path ).update_user_response.response_metadata else: user = iam.update_user( name, new_path=new_path ).update_user_response.response_metadata user['updates'] = dict(old_username=name, new_username=new_name, old_path=c_path, new_path=new_path) except boto.exception.BotoServerError, err: error_msg = boto_exception(err) module.fail_json(changed=False, msg=str(err)) else: if not updated: name_change = True
def update_user(module, iam, name, new_name, new_path, key_state, key_count, keys, pwd, updated): changed = False name_change = False if updated and new_name: name = new_name if new_name or new_path: c_path = iam.get_user(name).get_user_result.user['path'] if (name != new_name) or (c_path != new_path): changed = True try: if not updated: user = iam.update_user( name, new_user_name=new_name, new_path=new_path).update_user_response.response_metadata else: user = iam.update_user( name, new_path=new_path).update_user_response.response_metadata user['updates'] = dict( old_username=name, new_username=new_name, old_path=c_path, new_path=new_path) except boto.exception.BotoServerError, err: error_msg = boto_exception(err) module.fail_json(changed=False, msg=str(err)) else: if not updated: name_change = True
def main(): """The main function.""" parser = argparse.ArgumentParser(description="Rotate Access Keys.") parser.add_argument( "-a", "--access_key_id", help="The access key to rotate and use for authentication." ) parser.add_argument( "-s", "--secret_access_key", help="The secret key to rotate and use for authentication." ) args = parser.parse_args() if not args.access_key_id: args.access_key_id = raw_input("Enter Access Key: ") if not args.secret_access_key: args.secret_access_key = raw_input("Enter Secret Key: ") iam = boto.iam.connection.IAMConnection( aws_access_key_id=args.access_key_id, aws_secret_access_key=args.secret_access_key ) get_user_response = iam.get_user()['get_user_response'] get_user_result = get_user_response['get_user_result'] user = get_user_result['user'] user_name = user['user_name'] try: response = iam.create_access_key(user_name) except boto.exception.BotoServerError as exception: print "Cannot create new keys: %s" % exception raise ak_response = response['create_access_key_response'] access_key = ak_response['create_access_key_result']['access_key'] print """Access Key:\t%s\nSecret Key:\t%s""" % ( access_key['access_key_id'], access_key['secret_access_key'] ) ans = raw_input( "Ready to delete Access Key %s? (yes/no) " % args.access_key_id ) if ans == "yes": try: iam.delete_access_key(args.access_key_id, user_name) except boto.exception.BotoServerError as exception: print "Cannot remove old key: %s" % exception raise else: print "Warning: your old Access Key was kept.", print " Be sure to clean up the mess."
def get_user_info(): prompt = "Enter AWS Secret Access Key for Access Key ID %s: " % TARGET_ACCESS_KEY TARGET_SECRET_KEY = raw_input(prompt) iam = boto.connect_iam(aws_access_key_id = TARGET_ACCESS_KEY, aws_secret_access_key = TARGET_SECRET_KEY) if(iam): user = iam.get_user() if(user): print user return True else: print 'No AWS IAM User information found associated with supplied AWS credentials.' else: print 'Unable to connect to AWS account with supplied AWS credentials.' return False
def main(): """The main function.""" parser = argparse.ArgumentParser(description="Rotate Access Keys.") parser.add_argument( "-a", "--access_key_id", help="The access key to rotate and use for authentication.") parser.add_argument( "-s", "--secret_access_key", help="The secret key to rotate and use for authentication.") args = parser.parse_args() if not args.access_key_id: args.access_key_id = raw_input("Enter Access Key: ") if not args.secret_access_key: args.secret_access_key = raw_input("Enter Secret Key: ") iam = boto.iam.connection.IAMConnection( aws_access_key_id=args.access_key_id, aws_secret_access_key=args.secret_access_key) get_user_response = iam.get_user()['get_user_response'] get_user_result = get_user_response['get_user_result'] user = get_user_result['user'] user_name = user['user_name'] try: response = iam.create_access_key(user_name) except boto.exception.BotoServerError as exception: print "Cannot create new keys: %s" % exception raise ak_response = response['create_access_key_response'] access_key = ak_response['create_access_key_result']['access_key'] print """Access Key:\t%s\nSecret Key:\t%s""" % ( access_key['access_key_id'], access_key['secret_access_key']) ans = raw_input("Ready to delete Access Key %s? (yes/no) " % args.access_key_id) if ans == "yes": try: iam.delete_access_key(args.access_key_id, user_name) except boto.exception.BotoServerError as exception: print "Cannot remove old key: %s" % exception raise else: print "Warning: your old Access Key was kept.", print " Be sure to clean up the mess."
def get_user_info(): prompt = "Enter AWS Secret Access Key for Access Key ID %s: " % TARGET_ACCESS_KEY TARGET_SECRET_KEY = raw_input(prompt) iam = boto.connect_iam(aws_access_key_id=TARGET_ACCESS_KEY, aws_secret_access_key=TARGET_SECRET_KEY) if (iam): user = iam.get_user() if (user): print user return True else: print 'No AWS IAM User information found associated with supplied AWS credentials.' else: print 'Unable to connect to AWS account with supplied AWS credentials.' return False
def update_user(module, iam, name, new_name, new_path, key_state, keys, pwd): changed = False name_change = False current_keys, status = \ [ck['access_key_id'] for ck in iam.get_all_access_keys(name).list_access_keys_result.access_key_metadata],\ [ck['status'] for ck in iam.get_all_access_keys(name).list_access_keys_result.access_key_metadata] updated_key_list = {} if new_name or new_path: c_path = iam.get_user(name).get_user_result.user['path'] if (name != new_name) or (c_path != new_path): changed = True user = iam.update_user( name, new_name, new_path).update_user_response.response_metadata user['updates'] = dict( old_username=name, new_username=new_name, old_path=c_path, new_path=new_path) name = new_name name_change = True if pwd: try: iam.update_login_profile(name, pwd) changed = True except boto.exception.BotoServerError: changed = True iam.create_login_profile(name, pwd) else: try: iam.delete_login_profile(name) changed = True except boto.exception.BotoServerError: changed = False if key_state == 'Create': try: new_key = iam.create_access_key( user_name=name).create_access_key_response.create_access_key_result.access_key changed = True except boto.exception.BotoServerError, e: module.fail_json(msg=str(e))
except boto.exception.BotoServerError, err: error_msg = boto_exception(err) if 'cannot be found' in error_msg and updated: current_keys, status = \ [ck['access_key_id'] for ck in iam.get_all_access_keys(new_name).list_access_keys_result.access_key_metadata],\ [ck['status'] for ck in iam.get_all_access_keys(new_name).list_access_keys_result.access_key_metadata] name = new_name else: module.fail_json(changed=False, msg=str(err)) updated_key_list = {} if new_name or new_path: c_path = iam.get_user(name).get_user_result.user['path'] if (name != new_name) or (c_path != new_path): changed = True try: if not updated: user = iam.update_user( name, new_user_name=new_name, new_path=new_path).update_user_response.response_metadata else: user = iam.update_user( name, new_path=new_path).update_user_response.response_metadata user['updates'] = dict( old_username=name, new_username=new_name, old_path=c_path, new_path=new_path) except boto.exception.BotoServerError, err: error_msg = boto_exception(err) module.fail_json(changed=False, msg=str(err)) else:
def main(): argument_spec = ec2_argument_spec() argument_spec.update( dict(iam_type=dict(required=True, choices=['user', 'group', 'role']), groups=dict(type='list', default=None, required=False), state=dict(required=True, choices=['present', 'absent', 'update']), password=dict(default=None, required=False, no_log=True), update_password=dict(default='always', required=False, choices=['always', 'on_create']), access_key_state=dict(default=None, required=False, choices=[ 'active', 'inactive', 'create', 'remove', 'Active', 'Inactive', 'Create', 'Remove' ]), access_key_ids=dict(type='list', default=None, required=False), key_count=dict(type='int', default=1, required=False), name=dict(required=True), trust_policy_filepath=dict(default=None, required=False), trust_policy=dict(type='dict', default=None, required=False), new_name=dict(default=None, required=False), path=dict(default='/', required=False), new_path=dict(default=None, required=False))) module = AnsibleModule( argument_spec=argument_spec, mutually_exclusive=[['trust_policy', 'trust_policy_filepath']], ) if not HAS_BOTO: module.fail_json(msg='This module requires boto, please install it') state = module.params.get('state').lower() iam_type = module.params.get('iam_type').lower() groups = module.params.get('groups') name = module.params.get('name') new_name = module.params.get('new_name') password = module.params.get('password') update_pw = module.params.get('update_password') path = module.params.get('path') new_path = module.params.get('new_path') key_count = module.params.get('key_count') key_state = module.params.get('access_key_state') trust_policy = module.params.get('trust_policy') trust_policy_filepath = module.params.get('trust_policy_filepath') key_ids = module.params.get('access_key_ids') if key_state: key_state = key_state.lower() if any([n in key_state for n in ['active', 'inactive']]) and not key_ids: module.fail_json( changed=False, msg="At least one access key has to be defined in order" " to use 'active' or 'inactive'") if iam_type == 'user' and module.params.get('password') is not None: pwd = module.params.get('password') elif iam_type != 'user' and module.params.get('password') is not None: module.fail_json(msg="a password is being specified when the iam_type " "is not user. Check parameters") else: pwd = None if iam_type != 'user' and ( module.params.get('access_key_state') is not None or module.params.get('access_key_id') is not None): module.fail_json(msg="the IAM type must be user, when IAM access keys " "are being modified. Check parameters") if iam_type == 'role' and state == 'update': module.fail_json(changed=False, msg="iam_type: role, cannot currently be updated, " "please specify present or absent") # check if trust_policy is present -- it can be inline JSON or a file path to a JSON file if trust_policy_filepath: try: with open(trust_policy_filepath, 'r') as json_data: trust_policy_doc = json.dumps(json.load(json_data)) except Exception as e: module.fail_json(msg=str(e) + ': ' + trust_policy_filepath) elif trust_policy: try: trust_policy_doc = json.dumps(trust_policy) except Exception as e: module.fail_json(msg=str(e) + ': ' + trust_policy) else: trust_policy_doc = None region, ec2_url, aws_connect_kwargs = get_aws_connection_info(module) try: if region: iam = connect_to_aws(boto.iam, region, **aws_connect_kwargs) else: iam = boto.iam.connection.IAMConnection(**aws_connect_kwargs) except boto.exception.NoAuthHandlerFound as e: module.fail_json(msg=str(e)) result = {} changed = False try: orig_group_list = list_all_groups(iam) orig_user_list = list_all_users(iam) orig_role_list = list_all_roles(iam) orig_prof_list = list_all_instance_profiles(iam) except boto.exception.BotoServerError as err: module.fail_json(msg=err.message) if iam_type == 'user': been_updated = False user_groups = None user_exists = any([n in [name, new_name] for n in orig_user_list]) if user_exists: current_path = iam.get_user(name).get_user_result.user['path'] if not new_path and current_path != path: new_path = path path = current_path if state == 'present' and not user_exists and not new_name: (meta, changed) = create_user(module, iam, name, password, path, key_state, key_count) keys = iam.get_all_access_keys(name).list_access_keys_result.\ access_key_metadata if groups: (user_groups, changed) = set_users_groups(module, iam, name, groups, been_updated, new_name) module.exit_json(user_meta=meta, groups=user_groups, keys=keys, changed=changed) elif state in ['present', 'update'] and user_exists: if update_pw == 'on_create': password = None if name not in orig_user_list and new_name in orig_user_list: been_updated = True name_change, key_list, user_changed, new_key = update_user( module, iam, name, new_name, new_path, key_state, key_count, key_ids, password, been_updated) if new_key: user_meta = {'access_keys': list(new_key)} user_meta['access_keys'].extend( [{ 'access_key_id': key, 'status': value } for key, value in key_list.items() if key not in [it['access_key_id'] for it in new_key]]) else: user_meta = { 'access_keys': [{ 'access_key_id': key, 'status': value } for key, value in key_list.items()] } if name_change and new_name: orig_name = name name = new_name if isinstance(groups, list): user_groups, groups_changed = set_users_groups( module, iam, name, groups, been_updated, new_name) if groups_changed == user_changed: changed = groups_changed else: changed = True else: changed = user_changed if new_name and new_path: module.exit_json(changed=changed, groups=user_groups, old_user_name=orig_name, new_user_name=new_name, old_path=path, new_path=new_path, keys=key_list, created_keys=new_key, user_meta=user_meta) elif new_name and not new_path and not been_updated: module.exit_json(changed=changed, groups=user_groups, old_user_name=orig_name, new_user_name=new_name, keys=key_list, created_keys=new_key, user_meta=user_meta) elif new_name and not new_path and been_updated: module.exit_json(changed=changed, groups=user_groups, user_name=new_name, keys=key_list, key_state=key_state, created_keys=new_key, user_meta=user_meta) elif not new_name and new_path: module.exit_json(changed=changed, groups=user_groups, user_name=name, old_path=path, new_path=new_path, keys=key_list, created_keys=new_key, user_meta=user_meta) else: module.exit_json(changed=changed, groups=user_groups, user_name=name, keys=key_list, created_keys=new_key, user_meta=user_meta) elif state == 'update' and not user_exists: module.fail_json( msg="The user %s does not exist. No update made." % name) elif state == 'absent': if user_exists: try: set_users_groups(module, iam, name, '') name, changed = delete_user(module, iam, name) module.exit_json(deleted_user=name, changed=changed) except Exception as ex: module.fail_json(changed=changed, msg=str(ex)) else: module.exit_json( changed=False, msg="User %s is already absent from your AWS IAM users" % name) elif iam_type == 'group': group_exists = name in orig_group_list if state == 'present' and not group_exists: new_group, changed = create_group(module=module, iam=iam, name=name, path=path) module.exit_json(changed=changed, group_name=new_group) elif state in ['present', 'update'] and group_exists: changed, updated_name, updated_path, cur_path = update_group( module=module, iam=iam, name=name, new_name=new_name, new_path=new_path) if new_path and new_name: module.exit_json(changed=changed, old_group_name=name, new_group_name=updated_name, old_path=cur_path, new_group_path=updated_path) if new_path and not new_name: module.exit_json(changed=changed, group_name=name, old_path=cur_path, new_group_path=updated_path) if not new_path and new_name: module.exit_json(changed=changed, old_group_name=name, new_group_name=updated_name, group_path=cur_path) if not new_path and not new_name: module.exit_json(changed=changed, group_name=name, group_path=cur_path) elif state == 'update' and not group_exists: module.fail_json( changed=changed, msg="Update Failed. Group %s doesn't seem to exist!" % name) elif state == 'absent': if name in orig_group_list: removed_group, changed = delete_group(module=module, iam=iam, name=name) module.exit_json(changed=changed, delete_group=removed_group) else: module.exit_json(changed=changed, msg="Group already absent") elif iam_type == 'role': role_list = [] if state == 'present': changed, role_list, role_result, instance_profile_result = create_role( module, iam, name, path, orig_role_list, orig_prof_list, trust_policy_doc) elif state == 'absent': changed, role_list, role_result, instance_profile_result = delete_role( module, iam, name, orig_role_list, orig_prof_list) elif state == 'update': module.fail_json( changed=False, msg='Role update not currently supported by boto.') module.exit_json(changed=changed, roles=role_list, role_result=role_result, instance_profile_result=instance_profile_result)
def update_user(module, iam, name, new_name, new_path, key_state, key_count, keys, pwd, updated): changed = False name_change = False if updated and new_name: name = new_name try: current_keys = [ ck['access_key_id'] for ck in iam.get_all_access_keys( name).list_access_keys_result.access_key_metadata ] status = [ ck['status'] for ck in iam.get_all_access_keys( name).list_access_keys_result.access_key_metadata ] key_qty = len(current_keys) except boto.exception.BotoServerError as err: error_msg = boto_exception(err) if 'cannot be found' in error_msg and updated: current_keys = [ ck['access_key_id'] for ck in iam.get_all_access_keys( new_name).list_access_keys_result.access_key_metadata ] status = [ ck['status'] for ck in iam.get_all_access_keys( new_name).list_access_keys_result.access_key_metadata ] name = new_name else: module.fail_json(changed=False, msg=str(err)) updated_key_list = {} if new_name or new_path: c_path = iam.get_user(name).get_user_result.user['path'] if (name != new_name) or (c_path != new_path): changed = True try: if not updated: user = iam.update_user( name, new_user_name=new_name, new_path=new_path ).update_user_response.response_metadata else: user = iam.update_user( name, new_path=new_path ).update_user_response.response_metadata user['updates'] = dict(old_username=name, new_username=new_name, old_path=c_path, new_path=new_path) except boto.exception.BotoServerError as err: error_msg = boto_exception(err) module.fail_json(changed=False, msg=str(err)) else: if not updated: name_change = True if pwd: try: iam.update_login_profile(name, pwd) changed = True except boto.exception.BotoServerError: try: iam.create_login_profile(name, pwd) changed = True except boto.exception.BotoServerError as err: error_msg = boto_exception(str(err)) if 'Password does not conform to the account password policy' in error_msg: module.fail_json(changed=False, msg="Password doesn't conform to policy") else: module.fail_json(msg=error_msg) try: current_keys = [ ck['access_key_id'] for ck in iam.get_all_access_keys( name).list_access_keys_result.access_key_metadata ] status = [ ck['status'] for ck in iam.get_all_access_keys( name).list_access_keys_result.access_key_metadata ] key_qty = len(current_keys) except boto.exception.BotoServerError as err: error_msg = boto_exception(err) if 'cannot be found' in error_msg and updated: current_keys = [ ck['access_key_id'] for ck in iam.get_all_access_keys( new_name).list_access_keys_result.access_key_metadata ] status = [ ck['status'] for ck in iam.get_all_access_keys( new_name).list_access_keys_result.access_key_metadata ] name = new_name else: module.fail_json(changed=False, msg=str(err)) new_keys = [] if key_state == 'create': try: while key_count > key_qty: new_keys.append( iam.create_access_key( user_name=name).create_access_key_response. create_access_key_result.access_key) key_qty += 1 changed = True except boto.exception.BotoServerError as err: module.fail_json(changed=False, msg=str(err)) if keys and key_state: for access_key in keys: if key_state in ('active', 'inactive'): if access_key in current_keys: for current_key, current_key_state in zip( current_keys, status): if key_state != current_key_state.lower(): try: iam.update_access_key(access_key, key_state.capitalize(), user_name=name) changed = True except boto.exception.BotoServerError as err: module.fail_json(changed=False, msg=str(err)) else: module.fail_json(msg="Supplied keys not found for %s. " "Current keys: %s. " "Supplied key(s): %s" % (name, current_keys, keys)) if key_state == 'remove': if access_key in current_keys: try: iam.delete_access_key(access_key, user_name=name) except boto.exception.BotoServerError as err: module.fail_json(changed=False, msg=str(err)) else: changed = True try: final_keys, final_key_status = \ [ck['access_key_id'] for ck in iam.get_all_access_keys(name). list_access_keys_result. access_key_metadata],\ [ck['status'] for ck in iam.get_all_access_keys(name). list_access_keys_result. access_key_metadata] except boto.exception.BotoServerError as err: module.fail_json(changed=changed, msg=str(err)) for fk, fks in zip(final_keys, final_key_status): updated_key_list.update({fk: fks}) return name_change, updated_key_list, changed, new_keys
def main(): argument_spec = ec2_argument_spec() argument_spec.update(dict( iam_type=dict( default=None, required=True, choices=['user', 'group', 'role']), groups=dict(type='list', default=None, required=False), state=dict( default=None, required=True, choices=['present', 'absent', 'update']), password=dict(default=None, required=False, no_log=True), update_password=dict(default='always', required=False, choices=['always', 'on_create']), access_key_state=dict(default=None, required=False, choices=[ 'active', 'inactive', 'create', 'remove', 'Active', 'Inactive', 'Create', 'Remove']), access_key_ids=dict(type='list', default=None, required=False), key_count=dict(type='int', default=1, required=False), name=dict(default=None, required=False), trust_policy_filepath=dict(default=None, required=False), trust_policy=dict(type='dict', default=None, required=False), new_name=dict(default=None, required=False), path=dict(default='/', required=False), new_path=dict(default=None, required=False) ) ) module = AnsibleModule( argument_spec=argument_spec, mutually_exclusive=[['trust_policy', 'trust_policy_filepath']], ) if not HAS_BOTO: module.fail_json(msg='This module requires boto, please install it') state = module.params.get('state').lower() iam_type = module.params.get('iam_type').lower() groups = module.params.get('groups') name = module.params.get('name') new_name = module.params.get('new_name') password = module.params.get('password') update_pw = module.params.get('update_password') path = module.params.get('path') new_path = module.params.get('new_path') key_count = module.params.get('key_count') key_state = module.params.get('access_key_state') trust_policy = module.params.get('trust_policy') trust_policy_filepath = module.params.get('trust_policy_filepath') key_ids = module.params.get('access_key_ids') if key_state: key_state = key_state.lower() if any([n in key_state for n in ['active', 'inactive']]) and not key_ids: module.fail_json(changed=False, msg="At least one access key has to be defined in order" " to use 'active' or 'inactive'") if iam_type == 'user' and module.params.get('password') is not None: pwd = module.params.get('password') elif iam_type != 'user' and module.params.get('password') is not None: module.fail_json(msg="a password is being specified when the iam_type " "is not user. Check parameters") else: pwd = None if iam_type != 'user' and (module.params.get('access_key_state') is not None or module.params.get('access_key_id') is not None): module.fail_json(msg="the IAM type must be user, when IAM access keys " "are being modified. Check parameters") if iam_type == 'role' and state == 'update': module.fail_json(changed=False, msg="iam_type: role, cannot currently be updated, " "please specify present or absent") # check if trust_policy is present -- it can be inline JSON or a file path to a JSON file if trust_policy_filepath: try: with open(trust_policy_filepath, 'r') as json_data: trust_policy_doc = json.dumps(json.load(json_data)) except Exception as e: module.fail_json(msg=str(e) + ': ' + trust_policy_filepath) elif trust_policy: try: trust_policy_doc = json.dumps(trust_policy) except Exception as e: module.fail_json(msg=str(e) + ': ' + trust_policy) else: trust_policy_doc = None region, ec2_url, aws_connect_kwargs = get_aws_connection_info(module) try: if region: iam = connect_to_aws(boto.iam, region, **aws_connect_kwargs) else: iam = boto.iam.connection.IAMConnection(**aws_connect_kwargs) except boto.exception.NoAuthHandlerFound as e: module.fail_json(msg=str(e)) result = {} changed = False try: orig_group_list = list_all_groups(iam) orig_user_list = list_all_users(iam) orig_role_list = list_all_roles(iam) orig_prof_list = list_all_instance_profiles(iam) except boto.exception.BotoServerError as err: module.fail_json(msg=err.message) if iam_type == 'user': been_updated = False user_groups = None user_exists = any([n in [name, new_name] for n in orig_user_list]) if user_exists: current_path = iam.get_user(name).get_user_result.user['path'] if not new_path and current_path != path: new_path = path path = current_path if state == 'present' and not user_exists and not new_name: (meta, changed) = create_user( module, iam, name, password, path, key_state, key_count) keys = iam.get_all_access_keys(name).list_access_keys_result.\ access_key_metadata if groups: (user_groups, changed) = set_users_groups( module, iam, name, groups, been_updated, new_name) module.exit_json( user_meta=meta, groups=user_groups, keys=keys, changed=changed) elif state in ['present', 'update'] and user_exists: if update_pw == 'on_create': password = None if name not in orig_user_list and new_name in orig_user_list: been_updated = True name_change, key_list, user_changed = update_user( module, iam, name, new_name, new_path, key_state, key_count, key_ids, password, been_updated) if name_change and new_name: orig_name = name name = new_name if groups: user_groups, groups_changed = set_users_groups( module, iam, name, groups, been_updated, new_name) if groups_changed == user_changed: changed = groups_changed else: changed = True else: changed = user_changed if new_name and new_path: module.exit_json(changed=changed, groups=user_groups, old_user_name=orig_name, new_user_name=new_name, old_path=path, new_path=new_path, keys=key_list) elif new_name and not new_path and not been_updated: module.exit_json( changed=changed, groups=user_groups, old_user_name=orig_name, new_user_name=new_name, keys=key_list) elif new_name and not new_path and been_updated: module.exit_json( changed=changed, groups=user_groups, user_name=new_name, keys=key_list, key_state=key_state) elif not new_name and new_path: module.exit_json( changed=changed, groups=user_groups, user_name=name, old_path=path, new_path=new_path, keys=key_list) else: module.exit_json( changed=changed, groups=user_groups, user_name=name, keys=key_list) elif state == 'update' and not user_exists: module.fail_json( msg="The user %s does not exist. No update made." % name) elif state == 'absent': if user_exists: try: set_users_groups(module, iam, name, '') del_meta, name, changed = delete_user(module, iam, name) module.exit_json(deleted_user=name, changed=changed) except Exception as ex: module.fail_json(changed=changed, msg=str(ex)) else: module.exit_json( changed=False, msg="User %s is already absent from your AWS IAM users" % name) elif iam_type == 'group': group_exists = name in orig_group_list if state == 'present' and not group_exists: new_group, changed = create_group(module=module, iam=iam, name=name, path=path) module.exit_json(changed=changed, group_name=new_group) elif state in ['present', 'update'] and group_exists: changed, updated_name, updated_path, cur_path = update_group( module=module, iam=iam, name=name, new_name=new_name, new_path=new_path) if new_path and new_name: module.exit_json(changed=changed, old_group_name=name, new_group_name=updated_name, old_path=cur_path, new_group_path=updated_path) if new_path and not new_name: module.exit_json(changed=changed, group_name=name, old_path=cur_path, new_group_path=updated_path) if not new_path and new_name: module.exit_json(changed=changed, old_group_name=name, new_group_name=updated_name, group_path=cur_path) if not new_path and not new_name: module.exit_json( changed=changed, group_name=name, group_path=cur_path) elif state == 'update' and not group_exists: module.fail_json( changed=changed, msg="Update Failed. Group %s doesn't seem to exist!" % name) elif state == 'absent': if name in orig_group_list: removed_group, changed = delete_group(module=module, iam=iam, name=name) module.exit_json(changed=changed, delete_group=removed_group) else: module.exit_json(changed=changed, msg="Group already absent") elif iam_type == 'role': role_list = [] if state == 'present': changed, role_list, role_result, instance_profile_result = create_role( module, iam, name, path, orig_role_list, orig_prof_list, trust_policy_doc) elif state == 'absent': changed, role_list, role_result, instance_profile_result = delete_role( module, iam, name, orig_role_list, orig_prof_list) elif state == 'update': module.fail_json( changed=False, msg='Role update not currently supported by boto.') module.exit_json(changed=changed, roles=role_list, role_result=role_result, instance_profile_result=instance_profile_result)
def update_user(module, iam, name, new_name, new_path, key_state, key_count, keys, pwd, updated): changed = False name_change = False if updated and new_name: name = new_name try: current_keys, status = \ [ck['access_key_id'] for ck in iam.get_all_access_keys(name).list_access_keys_result.access_key_metadata],\ [ck['status'] for ck in iam.get_all_access_keys(name).list_access_keys_result.access_key_metadata] key_qty = len(current_keys) except boto.exception.BotoServerError as err: error_msg = boto_exception(err) if 'cannot be found' in error_msg and updated: current_keys, status = \ [ck['access_key_id'] for ck in iam.get_all_access_keys(new_name).list_access_keys_result.access_key_metadata],\ [ck['status'] for ck in iam.get_all_access_keys(new_name).list_access_keys_result.access_key_metadata] name = new_name else: module.fail_json(changed=False, msg=str(err)) updated_key_list = {} if new_name or new_path: c_path = iam.get_user(name).get_user_result.user['path'] if (name != new_name) or (c_path != new_path): changed = True try: if not updated: user = iam.update_user( name, new_user_name=new_name, new_path=new_path).update_user_response.response_metadata else: user = iam.update_user( name, new_path=new_path).update_user_response.response_metadata user['updates'] = dict( old_username=name, new_username=new_name, old_path=c_path, new_path=new_path) except boto.exception.BotoServerError as err: error_msg = boto_exception(err) module.fail_json(changed=False, msg=str(err)) else: if not updated: name_change = True if pwd: try: iam.update_login_profile(name, pwd) changed = True except boto.exception.BotoServerError: try: iam.create_login_profile(name, pwd) changed = True except boto.exception.BotoServerError as err: error_msg = boto_exception(str(err)) if 'Password does not conform to the account password policy' in error_msg: module.fail_json(changed=False, msg="Password doesn't conform to policy") else: module.fail_json(msg=error_msg) if key_state == 'create': try: while key_count > key_qty: new_key = iam.create_access_key( user_name=name).create_access_key_response.create_access_key_result.access_key key_qty += 1 changed = True except boto.exception.BotoServerError as err: module.fail_json(changed=False, msg=str(err)) if keys and key_state: for access_key in keys: if access_key in current_keys: for current_key, current_key_state in zip(current_keys, status): if key_state != current_key_state.lower(): try: iam.update_access_key( access_key, key_state.capitalize(), user_name=name) except boto.exception.BotoServerError as err: module.fail_json(changed=False, msg=str(err)) else: changed = True if key_state == 'remove': try: iam.delete_access_key(access_key, user_name=name) except boto.exception.BotoServerError as err: module.fail_json(changed=False, msg=str(err)) else: changed = True try: final_keys, final_key_status = \ [ck['access_key_id'] for ck in iam.get_all_access_keys(name). list_access_keys_result. access_key_metadata],\ [ck['status'] for ck in iam.get_all_access_keys(name). list_access_keys_result. access_key_metadata] except boto.exception.BotoServerError as err: module.fail_json(changed=changed, msg=str(err)) for fk, fks in zip(final_keys, final_key_status): updated_key_list.update({fk: fks}) return name_change, updated_key_list, changed