def aws_assume_role(session, assertion, role_arn, principal_arn, duration=3600):
client = aws_client('sts')
return client.assume_role_with_saml(
RoleArn=role_arn,
PrincipalArn=principal_arn,
SAMLAssertion=b64encode(assertion).decode(),
DurationSeconds=duration)
def get_args():
ap = ArgumentParser()
m = ap.add_mutually_exclusive_group(required=True)
m.add_argument('--symbol',
help='The official symbol (as written in UNBIS)')
m.add_argument('--list', help='Text file with a list of symbols')
ap.add_argument(
'--ods_symbol',
help='The symbol used by ODS if it differs from the official symbol')
ap.add_argument('--language', help='ODS language code')
ap.add_argument('--overwrite', action='store_true')
ap.add_argument('--skip_check', action='store_true')
# get from AWS if not provided
ssm = aws_client('ssm', region_name='us-east-1')
def param(name):
return None if os.environ.get('DLX_DL_TESTING') else ssm.get_parameter(
Name=name)['Parameter']['Value']
c = ap.add_argument_group(
'credentials',
description=
'these arguments are automatically supplied by AWS SSM if AWS credentials are configured'
)
c.add_argument('--dlx_connect',
default=param('connect-string'),
help='MongoDB connection string')
c.add_argument('--s3_bucket',
default=param('dlx-s3-bucket'),
help='S3 bucket')
return ap.parse_args()
def __init__(self, access_key: str, access_secret: str,
region: str, bucket: str,
url_prefix: str = None, public: bool = False):
super().__init__(public)
self.bucket = bucket
self.region = region
self.url_prefix = url_prefix
self.client = aws_client('s3',
aws_access_key_id=access_key,
aws_secret_access_key=access_secret,
region_name=region)
def __init__(self, access_key: str, access_secret: str,
region: str, bucket: str,
url_prefix: str = None, public: bool = False):
super().__init__(public)
self.bucket = bucket
self.region = region
self.url_prefix = url_prefix
self.client = aws_client('s3',
aws_access_key_id=access_key,
aws_secret_access_key=access_secret,
region_name=region)
def setUp(self):
self.aws_account_alias = ""
self.aws_account_state = "present"
self.aws_access_key = "test-key"
self.aws_secret_key = "test-secret"
# Set `test-alias` as an alias value
# which is already being used by some
# other user
self.existing_alias = "test-alias"
self.module = self._get_module()
self.client = aws_client("iam",
aws_access_key_id=self.aws_access_key,
aws_secret_access_key=self.aws_secret_key)
self.stubber = Stubber(self.client)
def main():
argument_spec = dict(
aws_account_alias=dict(default=None, required=False),
aws_account_state=dict(default=None,
required=True,
choices=["present", "absent"]),
aws_access_key=dict(default=None, required=True),
aws_secret_key=dict(default=None, required=True),
)
module = AnsibleModule(argument_spec=argument_spec)
if not HAS_BOTO:
module.fail_json(msg='This module requires boto3, please install it')
aws_account_alias = module.params.get('aws_account_alias')
aws_account_state = module.params.get('aws_account_state')
aws_access_key_id = module.params.get('aws_access_key')
aws_secret_key = module.params.get('aws_secret_key')
# Test for empty string values not covered by
# required=True parameter condition
if not aws_access_key_id:
try:
aws_access_key_id = os.environ["AWS_ACCESS_KEY_ID"]
except:
module.fail_json(
msg="empty value for required argument: aws_access_key_id")
if not aws_secret_key:
try:
aws_secret_access_key = os.environ["AWS_SECRET_ACCESS_KEY"]
except:
module.fail_json(
msg="empty value for required argument: aws_secret_key")
client = aws_client(SERVICE,
aws_access_key_id=aws_access_key_id,
aws_secret_access_key=aws_secret_key)
# Initialize variables to track module exit state
changed = False
user_id = get_user_id(module, client)
current_account_alias = get_account_alias(module, client)
# Module need to make changes only if 'aws_account_alias' is set
if aws_account_alias:
# Module should only set alias if 'aws_account_alias'
# is not already set to the required value
if aws_account_alias != current_account_alias and aws_account_state == "present":
changed = set_account_alias(module, client, aws_account_alias)
current_account_alias = aws_account_alias
# Module should only delete alias if 'current_account_alias'
# is already set to the given 'aws_account_alias' value
elif aws_account_alias == current_account_alias and aws_account_state == "absent":
changed = delete_account_alias(module, client, aws_account_alias)
current_account_alias = get_account_alias(module, client)
# Set module exit state
module.exit_json(changed=changed,
aws_account_id=user_id,
aws_account_alias=current_account_alias)