def role_action(module, iam, name, policy_name, skip, pdoc, state): policy_match = False changed = False try: current_policies = [cp for cp in iam.list_role_policies(name). list_role_policies_result. policy_names] for pol in current_policies: if urllib.unquote(iam.get_role_policy(name, pol). get_role_policy_result.policy_document) == pdoc: policy_match = True if policy_match: msg=("The policy document you specified already exists " "under the name %s." % pol) if state == 'present' and skip: if policy_name not in current_policies and not policy_match: changed = True iam.put_role_policy(name, policy_name, pdoc) elif state == 'present' and not skip: changed = True iam.put_role_policy(name, policy_name, pdoc) elif state == 'absent': try: iam.delete_role_policy(name, policy_name) changed = True except boto.exception.BotoServerError, err: error_msg = boto_exception(err) if 'cannot be found.' in error_msg: changed = False module.exit_json(changed=changed, msg="%s policy is already absent" % policy_name) updated_policies = [cp for cp in iam.list_role_policies(name). list_role_policies_result. policy_names]
def update_iam_role(iam, role_name, assume_role_policy_file, permission_policy_file): try: iam.get_role(role_name) except: print role_name + ' role not found. Creating role ' iam.create_role(role_name) print 'Updating assume role policy of ' + role_name with open(assume_role_policy_file, "r") as myfile: policy = myfile.read() iam.update_assume_role_policy(role_name, policy) print 'Updating attached permission policies of ' + role_name for rp in iam.list_role_policies(role_name).get('list_role_policies_response').get('list_role_policies_result').get('policy_names'): iam.delete_role_policy(role_name, rp) with open(permission_policy_file, "r") as myfile: policy = myfile.read() iam.put_role_policy(role_name, role_name + '_permission_policy', policy) try: iam.get_instance_profile(role_name) except: print role_name + ' instance profile not found. Creating instance profile' iam.create_instance_profile(role_name) print 'Updating role and instance profile association of ' + role_name for ip in iam.list_instance_profiles_for_role(role_name).get('list_instance_profiles_for_role_response').get('list_instance_profiles_for_role_result').get('instance_profiles'): iam.remove_role_from_instance_profile(role_name, role_name) iam.add_role_to_instance_profile(role_name, role_name)
def role_action(module, iam, name, policy_name, skip, pdoc, state): policy_match = False changed = False try: current_policies = [ cp for cp in iam.list_role_policies( name).list_role_policies_result.policy_names ] except boto.exception.BotoServerError as e: if e.error_code == "NoSuchEntity": # Role doesn't exist so it's safe to assume the policy doesn't either module.exit_json(changed=False, msg="No such role, policy will be skipped.") else: module.fail_json(msg=e.message) try: matching_policies = [] for pol in current_policies: if urllib.parse.unquote( iam.get_role_policy( name, pol).get_role_policy_result.policy_document) == pdoc: policy_match = True matching_policies.append(pol) if state == 'present': # If policy document does not already exist (either it's changed # or the policy is not present) or if we're not skipping dupes then # make the put call. Note that the put call does a create or update. if not policy_match or (not skip and policy_name not in matching_policies): changed = True iam.put_role_policy(name, policy_name, pdoc) elif state == 'absent': try: iam.delete_role_policy(name, policy_name) changed = True except boto.exception.BotoServerError as err: error_msg = boto_exception(err) if 'cannot be found.' in error_msg: changed = False module.exit_json(changed=changed, msg="%s policy is already absent" % policy_name) else: module.fail_json(msg=err.message) updated_policies = [ cp for cp in iam.list_role_policies( name).list_role_policies_result.policy_names ] except boto.exception.BotoServerError as err: error_msg = boto_exception(err) module.fail_json(changed=changed, msg=error_msg) return changed, name, updated_policies
def iam_role(name, policy_name='managedpolicy'): policy = json.dumps(policies[name], sort_keys=True, indent=4, separators=(',', ': ')) try: role = iam.get_role(name) except boto.exception.BotoServerError: role = None if role is None: iam.create_role(name) role = iam.get_role(name) # ...someday, maybe support for multiple policies via iam.list_role_policies() iam.put_role_policy(name, policy_name, policy)
def role_action(module, iam, name, policy_name, skip, pdoc, state): policy_match = False changed = False try: current_policies = [cp for cp in iam.list_role_policies(name). list_role_policies_result. policy_names] except boto.exception.BotoServerError as e: if e.error_code == "NoSuchEntity": # Role doesn't exist so it's safe to assume the policy doesn't either module.exit_json(changed=False, msg="No such role, policy will be skipped.") else: module.fail_json(msg=e.message) try: pol = "" for pol in current_policies: if urllib.unquote(iam.get_role_policy(name, pol). get_role_policy_result.policy_document) == pdoc: policy_match = True break if state == 'present': # If policy document does not already exist (either it's changed # or the policy is not present) or if we're not skipping dupes then # make the put call. Note that the put call does a create or update. if (not policy_match or not skip) and pol != name: changed = True iam.put_role_policy(name, policy_name, pdoc) elif state == 'absent': try: iam.delete_role_policy(name, policy_name) changed = True except boto.exception.BotoServerError as err: error_msg = boto_exception(err) if 'cannot be found.' in error_msg: changed = False module.exit_json(changed=changed, msg="%s policy is already absent" % policy_name) else: module.fail_json(msg=err.message) updated_policies = [cp for cp in iam.list_role_policies(name). list_role_policies_result. policy_names] except boto.exception.BotoServerError as err: error_msg = boto_exception(err) module.fail_json(changed=changed, msg=error_msg) return changed, name, updated_policies
def role_action(module, iam, name, policy_name, skip, pdoc, state): policy_match = False changed = False try: current_policies = [ cp for cp in iam.list_role_policies( name).list_role_policies_result.policy_names ] except boto.exception.BotoServerError as e: if e.error_code == "NoSuchEntity": # Role doesn't exist so it's safe to assume the policy doesn't either module.exit_json(changed=False) else: module.fail_json(msg=e.message) try: for pol in current_policies: if urllib.unquote( iam.get_role_policy( name, pol).get_role_policy_result.policy_document) == pdoc: policy_match = True if state == 'present' and skip: if policy_name not in current_policies and not policy_match: changed = True iam.put_role_policy(name, policy_name, pdoc) elif state == 'present' and not skip: changed = True iam.put_role_policy(name, policy_name, pdoc) elif state == 'absent': try: iam.delete_role_policy(name, policy_name) changed = True except boto.exception.BotoServerError, err: error_msg = boto_exception(err) if 'cannot be found.' in error_msg: changed = False module.exit_json(changed=changed, msg="%s policy is already absent" % policy_name) updated_policies = [ cp for cp in iam.list_role_policies( name).list_role_policies_result.policy_names ]
def main(): argument_spec = ec2_argument_spec() argument_spec.update(dict( role_name = dict(default=None,required=True), policy_name = dict(default=None,required=True), policy_document = dict(default=None,required=False), state = dict(default='present', choices=['present', 'absent']), ) ) module = AnsibleModule( argument_spec=argument_spec ) role_name = module.params.get('role_name') policy_name = module.params.get('policy_name') policy_document = module.params.get('policy_document') if type(policy_document) == type(dict()): policy_document = json.dumps(policy_document) region, ec2_url, aws_connect_params = get_aws_connection_info(module) iam = connect_to_aws(boto.iam, region, **aws_connect_params) state = module.params.get('state') missing = False try: iam.get_role_policy(role_name, policy_name) except boto.exception.BotoServerError as e: if e.status == 404: missing = True if state == 'present': iam.put_role_policy(role_name, policy_name, policy_document) module.exit_json(changed = True) elif state == 'absent': if not missing: iam.delete_role_policy(role_name, policy_name) module.exit_json(changed = not missing)
def role_action(module, iam, name, policy_name, skip, pdoc, state): policy_match = False changed = False try: current_policies = [cp for cp in iam.list_role_policies(name). list_role_policies_result. policy_names] except boto.exception.BotoServerError as e: if e.error_code == "NoSuchEntity": # Role doesn't exist so it's safe to assume the policy doesn't either module.exit_json(changed=False) else: module.fail_json(msg=e.message) try: for pol in current_policies: if urllib.unquote(iam.get_role_policy(name, pol).get_role_policy_result.policy_document) == pdoc: policy_match = True if state == 'present' and skip: if policy_name not in current_policies and not policy_match: changed = True iam.put_role_policy(name, policy_name, pdoc) elif state == 'present' and not skip: changed = True iam.put_role_policy(name, policy_name, pdoc) elif state == 'absent': try: iam.delete_role_policy(name, policy_name) changed = True except boto.exception.BotoServerError, err: error_msg = boto_exception(err) if 'cannot be found.' in error_msg: changed = False module.exit_json(changed=changed, msg="%s policy is already absent" % policy_name) updated_policies = [cp for cp in iam.list_role_policies(name). list_role_policies_result. policy_names]
def main(): argument_spec = ec2_argument_spec() argument_spec.update( dict( role_name=dict(default=None, required=True), policy_name=dict(default=None, required=True), policy_document=dict(default=None, required=False), state=dict(default='present', choices=['present', 'absent']), )) module = AnsibleModule(argument_spec=argument_spec) role_name = module.params.get('role_name') policy_name = module.params.get('policy_name') policy_document = module.params.get('policy_document') if type(policy_document) == type(dict()): policy_document = json.dumps(policy_document) region, ec2_url, aws_connect_params = get_aws_connection_info(module) iam = connect_to_aws(boto.iam, region, **aws_connect_params) state = module.params.get('state') missing = False try: iam.get_role_policy(role_name, policy_name) except boto.exception.BotoServerError as e: if e.status == 404: missing = True if state == 'present': iam.put_role_policy(role_name, policy_name, policy_document) module.exit_json(changed=True) elif state == 'absent': if not missing: iam.delete_role_policy(role_name, policy_name) module.exit_json(changed=not missing)