Esempio n. 1
0
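def group_action(module, iam, name, policy_name, skip, pdoc, state):
    """Create, update or delete the inline policy *policy_name* on IAM group *name*.

    Args:
        module: Ansible module object; ``exit_json``/``fail_json`` are called on
            it for early termination and are expected not to return.
        iam: boto IAM connection.
        name: name of the IAM group.
        policy_name: name of the inline group policy to manage.
        skip: when true, do not create a duplicate when an identical policy
            document already exists under another name.
        pdoc: policy document (JSON string) to compare against / apply.
        state: ``'present'`` or ``'absent'``.

    Returns:
        ``(changed, name, updated_policies, msg)`` where ``updated_policies`` is
        the list of inline policy names attached to the group after the action
        and ``msg`` names the last existing policy whose document equals *pdoc*
        (empty string when there is none).
    """
    policy_match = False
    changed = False
    msg = ''
    # Initialised up front so the return below cannot hit an unbound name if
    # fail_json() ever returns instead of exiting.
    updated_policies = []
    try:
        current_policies = list(
            iam.get_all_group_policies(name).list_group_policies_result.policy_names)
        matching_policies = []
        for pol in current_policies:
            # Documents come back URL-encoded; compare the decoded text. This is
            # a plain string comparison, so whitespace or key-order differences
            # count as "different".
            existing = iam.get_group_policy(name, pol).get_group_policy_result.policy_document
            if urllib.parse.unquote(existing) == pdoc:
                policy_match = True
                matching_policies.append(pol)
                msg = ("The policy document you specified already exists "
                       "under the name %s." % pol)
        if state == 'present':
            # Put (create-or-update) when the document is not present yet, or
            # when duplicates are allowed and it is not already under this name.
            if not policy_match or (not skip and policy_name not in matching_policies):
                changed = True
                iam.put_group_policy(name, policy_name, pdoc)
        elif state == 'absent':
            try:
                iam.delete_group_policy(name, policy_name)
                changed = True
            except boto.exception.BotoServerError as err:
                error_msg = boto_exception(err)
                if 'cannot be found.' not in error_msg:
                    # Anything other than "already gone" (e.g. a permission
                    # error) must not be reported as success with changed=False;
                    # re-raise so the outer handler fails the module.
                    raise
                changed = False
                module.exit_json(changed=changed,
                                 msg="%s policy is already absent" % policy_name)

        updated_policies = list(
            iam.get_all_group_policies(name).list_group_policies_result.policy_names)
    except boto.exception.BotoServerError as err:
        error_msg = boto_exception(err)
        module.fail_json(changed=changed, msg=error_msg)

    return changed, name, updated_policies, msg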
Esempio n. 2
0
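def group_action(module, iam, name, policy_name, skip, pdoc, state):
  """Create, update or delete the inline policy *policy_name* on IAM group *name*.

  Args:
    module: Ansible module object; ``exit_json``/``fail_json`` are called on it
      for early termination and are expected not to return.
    iam: boto IAM connection.
    name: name of the IAM group.
    policy_name: name of the inline group policy to manage.
    skip: when true, do not create a duplicate when an identical policy
      document already exists under another name.
    pdoc: policy document (JSON string) to compare against / apply.
    state: ``'present'`` or ``'absent'``.

  Returns:
    ``(changed, name, updated_policies, msg)`` where ``updated_policies`` is
    the list of inline policy names attached to the group after the action
    and ``msg`` names the first existing policy whose document equals *pdoc*
    (empty string when there is none).
  """
  policy_match = False
  matched_name = None
  changed = False
  msg = ''
  # Initialised up front so the return below cannot hit an unbound name if
  # fail_json() ever returns instead of exiting.
  updated_policies = []
  try:
    current_policies = list(
        iam.get_all_group_policies(name).list_group_policies_result.policy_names)
    for pol in current_policies:
      # Documents come back URL-encoded; compare the decoded text. Plain
      # string equality, so formatting differences count as a mismatch.
      existing = iam.get_group_policy(name, pol).get_group_policy_result.policy_document
      if urllib.unquote(existing) == pdoc:
        policy_match = True
        matched_name = pol
        msg = ("The policy document you specified already exists "
               "under the name %s." % pol)
        break
    if state == 'present':
      # Put (create-or-update) unless the identical document is already under
      # this very name, or it exists under another name and duplicates are
      # skipped. The original compared the loop variable with the *group*
      # name (``pol != name``), so the name check never applied to the policy.
      if (not policy_match or not skip) and matched_name != policy_name:
        changed = True
        iam.put_group_policy(name, policy_name, pdoc)
    elif state == 'absent':
      try:
        iam.delete_group_policy(name, policy_name)
        changed = True
      except boto.exception.BotoServerError as err:
        error_msg = boto_exception(err)
        if 'cannot be found.' not in error_msg:
          # Anything other than "already gone" (e.g. a permission error) must
          # not be reported as success with changed=False; re-raise so the
          # outer handler fails the module.
          raise
        changed = False
        module.exit_json(changed=changed,
                         msg="%s policy is already absent" % policy_name)

    updated_policies = list(
        iam.get_all_group_policies(name).list_group_policies_result.policy_names)
  except boto.exception.BotoServerError as err:
    error_msg = boto_exception(err)
    module.fail_json(changed=changed, msg=error_msg)

  return changed, name, updated_policies, msg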
Esempio n. 3
0
def create_users():
    """Create the lab IAM group, attach its inline policy and create the users listed in DATA_FILE_NAME.

    Relies on module globals ``iam`` (boto IAM connection), ``group``,
    ``policy_name`` and ``DATA_FILE_NAME``. Exits the process with status 1 on
    the first unrecoverable boto error. Python 2 code (print statements).
    """
    try:
        iam.create_group(group)
    except boto.exception.BotoServerError as e:
        # An already existing group is reused; its inline policy is
        # overwritten by the put_group_policy call below.
        if e.code == 'EntityAlreadyExists':
            print e.message + " Will overwrite."
        else:
            print "Exception: %s" % str(e)
            exit(1)

    # attach policy to group
    # security policy: allows access to everything but IAM
    # if the IAM lab is included in the day, then remove the line "NotAction": "iam:*",
    # NOTE(review): "Allow" with "NotAction": "iam:*" on "Resource": "*" grants
    # every non-IAM API action in the account; appropriate only for a
    # disposable lab account.
    policy = '''{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "NotAction": "iam:*",
          "Resource": "*"
        }
      ]
    }'''
    iam.put_group_policy(group, policy_name, policy)

    # add users to group
    # Each CSV row is read as (user, password); a row with fewer than two
    # columns (including a blank line) raises IndexError here. Console
    # passwords are taken from the data file as plaintext.
    with open(DATA_FILE_NAME, 'rU') as data_file:
        user_reader = csv.reader(data_file)
        for row in user_reader:
            user, password = row[0], row[1]
            try:
                iam.create_user(user)
                iam.create_login_profile(user, password)
                iam.add_user_to_group(group, user)
                print("Added " + user)
            except boto.exception.BotoServerError as e:
                # Users created before the failing row are left in place.
                print "Problems creating %s.  Exiting due to error: %s" % (
                    user, str(e.message))
                exit(1)

    print "Users created.  They can login to the AWS Console using this link: " + iam.get_signin_url(
    )
Esempio n. 4
0
def group_action(module, iam, name, policy_name, skip, pdoc, state):
    """Create, update or delete the inline policy *policy_name* on IAM group *name*.

    Args:
        module: Ansible module object; ``exit_json`` is called on it when the
            policy to delete is already absent.
        iam: boto IAM connection.
        name: name of the IAM group.
        policy_name: name of the inline group policy to manage.
        skip: when true, do not add a duplicate of a document that already
            exists under another name.
        pdoc: policy document (JSON string) to compare against / apply.
        state: ``'present'`` or ``'absent'``.

    NOTE(review): this listing is truncated — the handler for the outer
    ``try`` and the return statement are not shown here. Python 2 code
    (``except X, err`` syntax).
    """
    policy_match = False
    changed = False
    msg = ''
    try:
        current_policies = [
            cp for cp in iam.get_all_group_policies(
                name).list_group_policies_result.policy_names
        ]
        for pol in current_policies:
            # Documents come back URL-encoded; compare the decoded text. Plain
            # string equality, so formatting differences count as a mismatch.
            if urllib.unquote(
                    iam.get_group_policy(
                        name,
                        pol).get_group_policy_result.policy_document) == pdoc:
                policy_match = True
                # Always true at this point; kept as in the original.
                if policy_match:
                    msg = ("The policy document you specified already exists "
                           "under the name %s." % pol)
        if state == 'present' and skip:
            # Only add when neither the name nor an identical document exists;
            # an existing policy of this name with a different document is
            # left untouched in this branch.
            if policy_name not in current_policies and not policy_match:
                changed = True
                iam.put_group_policy(name, policy_name, pdoc)
        elif state == 'present' and not skip:
            # Unconditional put (create or update): reports changed=True even
            # when the identical document is already attached under this name.
            changed = True
            iam.put_group_policy(name, policy_name, pdoc)
        elif state == 'absent':
            try:
                iam.delete_group_policy(name, policy_name)
                changed = True
            except boto.exception.BotoServerError, err:
                error_msg = boto_exception(err)
                # Only "already gone" is treated as success; any other error
                # message falls through with changed=False and no failure
                # reported from this block.
                if 'cannot be found.' in error_msg:
                    changed = False
                    module.exit_json(changed=changed,
                                     msg="%s policy is already absent" %
                                     policy_name)

        updated_policies = [
            cp for cp in iam.get_all_group_policies(
                name).list_group_policies_result.policy_names
        ]
Esempio n. 5
0
def create_users():
    """Create the lab IAM group, attach its inline policy and create the users listed in DATA_FILE_NAME.

    Relies on module globals ``iam`` (boto IAM connection), ``group``,
    ``policy_name`` and ``DATA_FILE_NAME``. Exits the process with status 1 on
    the first unrecoverable boto error. Python 2 code (print statements).
    """
    try:
        iam.create_group(group)
    except boto.exception.BotoServerError as e:
        # An already existing group is reused; its inline policy is
        # overwritten by the put_group_policy call below.
        if e.code == 'EntityAlreadyExists':
            print e.message + " Will overwrite."
        else:
            print "Exception: %s" % str(e)
            exit(1)

    # attach policy to group
    # security policy: allows access to everything but IAM
    # if the IAM lab is included in the day, then remove the line "NotAction": "iam:*",
    # NOTE(review): "Allow" with "NotAction": "iam:*" on "Resource": "*" grants
    # every non-IAM API action in the account; appropriate only for a
    # disposable lab account.
    policy = '''{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "NotAction": "iam:*",
          "Resource": "*"
        }
      ]
    }'''
    iam.put_group_policy(group, policy_name, policy)


    # add users to group
    # Each CSV row is read as (user, password); a row with fewer than two
    # columns (including a blank line) raises IndexError here. Console
    # passwords are taken from the data file as plaintext.
    with open(DATA_FILE_NAME, 'rU') as data_file:
        user_reader = csv.reader(data_file)
        for row in user_reader:
            user, password = row[0], row[1]
            try:
                iam.create_user(user)
                iam.create_login_profile(user, password)
                iam.add_user_to_group(group, user)
                print("Added " + user)
            except boto.exception.BotoServerError as e:
                # Users created before the failing row are left in place.
                print "Problems creating %s.  Exiting due to error: %s" % (user, str(e.message))
                exit(1)

    print "Users created.  They can login to the AWS Console using this link: " + iam.get_signin_url()
def group_action(module, iam, name, policy_name, skip, pdoc, state):
  policy_match = False
  changed = False
  msg=''
  try:
    current_policies = [cp for cp in iam.get_all_group_policies(name).
                                        list_group_policies_result.
                                        policy_names]
    for pol in current_policies:
      if urllib.unquote(iam.get_group_policy(name, pol).
                        get_group_policy_result.policy_document) == pdoc:
        policy_match = True
        if policy_match:
          msg=("The policy document you specified already exists "
               "under the name %s." % pol)
    if state == 'present' and skip:
      if policy_name not in current_policies and not policy_match:
        changed = True
        iam.put_group_policy(name, policy_name, pdoc)
    elif state == 'present' and not skip:
        changed = True
        iam.put_group_policy(name, policy_name, pdoc)
    elif state == 'absent':
      try:
        iam.delete_group_policy(name, policy_name)
        changed = True
      except boto.exception.BotoServerError, err:
        error_msg = boto_exception(err)
        if 'cannot be found.' in error_msg:
          changed = False
          module.exit_json(changed=changed,
                           msg="%s policy is already absent" % policy_name)

    updated_policies = [cp for cp in iam.get_all_group_policies(name).
                                        list_group_policies_result.
                                        policy_names]