def delete_role(module, iam, name, role_list, prof_list):
changed = False
try:
if name in role_list:
cur_ins_prof = [rp['instance_profile_name'] for rp in
iam.list_instance_profiles_for_role(name).
list_instance_profiles_for_role_result.
instance_profiles]
for profile in cur_ins_prof:
iam.remove_role_from_instance_profile(profile, name)
try:
iam.delete_role(name)
except boto.exception.BotoServerError, err:
error_msg = boto_exception(err)
if ('must detach all policies first') in error_msg:
for policy in iam.list_role_policies(name).list_role_policies_result.policy_names:
iam.delete_role_policy(name, policy)
try:
iam.delete_role(name)
except boto.exception.BotoServerError, err:
error_msg = boto_exception(err)
if ('must detach all policies first') in error_msg:
module.fail_json(changed=changed, msg="All inline polices have been removed. Though it appears"
"that %s has Managed Polices. This is not "
"currently supported by boto. Please detach the polices "
"through the console and try again." % name)
else:
module.fail_json(changed=changed, msg=str(err))
else:
changed = True
else:
def role_action(module, iam, name, policy_name, skip, pdoc, state):
policy_match = False
changed = False
try:
current_policies = [cp for cp in iam.list_role_policies(name).
list_role_policies_result.
policy_names]
for pol in current_policies:
if urllib.unquote(iam.get_role_policy(name, pol).
get_role_policy_result.policy_document) == pdoc:
policy_match = True
if policy_match:
msg=("The policy document you specified already exists "
"under the name %s." % pol)
if state == 'present' and skip:
if policy_name not in current_policies and not policy_match:
changed = True
iam.put_role_policy(name, policy_name, pdoc)
elif state == 'present' and not skip:
changed = True
iam.put_role_policy(name, policy_name, pdoc)
elif state == 'absent':
try:
iam.delete_role_policy(name, policy_name)
changed = True
except boto.exception.BotoServerError, err:
error_msg = boto_exception(err)
if 'cannot be found.' in error_msg:
changed = False
module.exit_json(changed=changed,
msg="%s policy is already absent" % policy_name)
updated_policies = [cp for cp in iam.list_role_policies(name).
list_role_policies_result.
policy_names]
def delete_role(module, iam, name, role_list, prof_list):
changed = False
try:
if name in role_list:
cur_ins_prof = [rp['instance_profile_name'] for rp in
iam.list_instance_profiles_for_role(name).
list_instance_profiles_for_role_result.
instance_profiles]
for profile in cur_ins_prof:
iam.remove_role_from_instance_profile(profile, name)
try:
iam.delete_role(name)
except boto.exception.BotoServerError, err:
error_msg = boto_exception(err)
if ('must detach all policies first') in error_msg:
for policy in iam.list_role_policies(name).list_role_policies_result.policy_names:
iam.delete_role_policy(name, policy)
try:
iam.delete_role(name)
except boto.exception.BotoServerError, err:
error_msg = boto_exception(err)
if ('must detach all policies first') in error_msg:
module.fail_json(changed=changed, msg="All inline polices have been removed. Though it appears"
"that %s has Managed Polices. This is not "
"currently supported by boto. Please detach the polices "
"through the console and try again." % name)
else:
module.fail_json(changed=changed, msg=str(err))
else:
changed = True
else:
def update_iam_role(iam, role_name, assume_role_policy_file,
permission_policy_file):
try:
iam.get_role(role_name)
except:
print role_name + ' role not found. Creating role '
iam.create_role(role_name)
print 'Updating assume role policy of ' + role_name
with open(assume_role_policy_file, "r") as myfile:
policy = myfile.read()
iam.update_assume_role_policy(role_name, policy)
print 'Updating attached permission policies of ' + role_name
for rp in iam.list_role_policies(role_name).get('list_role_policies_response').get('list_role_policies_result').get('policy_names'):
iam.delete_role_policy(role_name, rp)
with open(permission_policy_file, "r") as myfile:
policy = myfile.read()
iam.put_role_policy(role_name, role_name + '_permission_policy', policy)
try:
iam.get_instance_profile(role_name)
except:
print role_name + ' instance profile not found. Creating instance profile'
iam.create_instance_profile(role_name)
print 'Updating role and instance profile association of ' + role_name
for ip in iam.list_instance_profiles_for_role(role_name).get('list_instance_profiles_for_role_response').get('list_instance_profiles_for_role_result').get('instance_profiles'):
iam.remove_role_from_instance_profile(role_name, role_name)
iam.add_role_to_instance_profile(role_name, role_name)
def role_action(module, iam, name, policy_name, skip, pdoc, state):
policy_match = False
changed = False
try:
current_policies = [cp for cp in iam.list_role_policies(name).
list_role_policies_result.
policy_names]
for pol in current_policies:
if urllib.unquote(iam.get_role_policy(name, pol).
get_role_policy_result.policy_document) == pdoc:
policy_match = True
if policy_match:
msg=("The policy document you specified already exists "
"under the name %s." % pol)
if state == 'present' and skip:
if policy_name not in current_policies and not policy_match:
changed = True
iam.put_role_policy(name, policy_name, pdoc)
elif state == 'present' and not skip:
changed = True
iam.put_role_policy(name, policy_name, pdoc)
elif state == 'absent':
try:
iam.delete_role_policy(name, policy_name)
changed = True
except boto.exception.BotoServerError, err:
error_msg = boto_exception(err)
if 'cannot be found.' in error_msg:
changed = False
module.exit_json(changed=changed,
msg="%s policy is already absent" % policy_name)
updated_policies = [cp for cp in iam.list_role_policies(name).
list_role_policies_result.
policy_names]
def role_action(module, iam, name, policy_name, skip, pdoc, state):
policy_match = False
changed = False
try:
current_policies = [
cp for cp in iam.list_role_policies(
name).list_role_policies_result.policy_names
]
except boto.exception.BotoServerError as e:
if e.error_code == "NoSuchEntity":
# Role doesn't exist so it's safe to assume the policy doesn't either
module.exit_json(changed=False,
msg="No such role, policy will be skipped.")
else:
module.fail_json(msg=e.message)
try:
matching_policies = []
for pol in current_policies:
if urllib.parse.unquote(
iam.get_role_policy(
name,
pol).get_role_policy_result.policy_document) == pdoc:
policy_match = True
matching_policies.append(pol)
if state == 'present':
# If policy document does not already exist (either it's changed
# or the policy is not present) or if we're not skipping dupes then
# make the put call. Note that the put call does a create or update.
if not policy_match or (not skip
and policy_name not in matching_policies):
changed = True
iam.put_role_policy(name, policy_name, pdoc)
elif state == 'absent':
try:
iam.delete_role_policy(name, policy_name)
changed = True
except boto.exception.BotoServerError as err:
error_msg = boto_exception(err)
if 'cannot be found.' in error_msg:
changed = False
module.exit_json(changed=changed,
msg="%s policy is already absent" %
policy_name)
else:
module.fail_json(msg=err.message)
updated_policies = [
cp for cp in iam.list_role_policies(
name).list_role_policies_result.policy_names
]
except boto.exception.BotoServerError as err:
error_msg = boto_exception(err)
module.fail_json(changed=changed, msg=error_msg)
return changed, name, updated_policies
def role_action(module, iam, name, policy_name, skip, pdoc, state):
policy_match = False
changed = False
try:
current_policies = [cp for cp in iam.list_role_policies(name).
list_role_policies_result.
policy_names]
except boto.exception.BotoServerError as e:
if e.error_code == "NoSuchEntity":
# Role doesn't exist so it's safe to assume the policy doesn't either
module.exit_json(changed=False, msg="No such role, policy will be skipped.")
else:
module.fail_json(msg=e.message)
try:
pol = ""
for pol in current_policies:
if urllib.unquote(iam.get_role_policy(name, pol).
get_role_policy_result.policy_document) == pdoc:
policy_match = True
break
if state == 'present':
# If policy document does not already exist (either it's changed
# or the policy is not present) or if we're not skipping dupes then
# make the put call. Note that the put call does a create or update.
if (not policy_match or not skip) and pol != name:
changed = True
iam.put_role_policy(name, policy_name, pdoc)
elif state == 'absent':
try:
iam.delete_role_policy(name, policy_name)
changed = True
except boto.exception.BotoServerError as err:
error_msg = boto_exception(err)
if 'cannot be found.' in error_msg:
changed = False
module.exit_json(changed=changed,
msg="%s policy is already absent" % policy_name)
else:
module.fail_json(msg=err.message)
updated_policies = [cp for cp in iam.list_role_policies(name).
list_role_policies_result.
policy_names]
except boto.exception.BotoServerError as err:
error_msg = boto_exception(err)
module.fail_json(changed=changed, msg=error_msg)
return changed, name, updated_policies
def role_action(module, iam, name, policy_name, skip, pdoc, state):
policy_match = False
changed = False
try:
current_policies = [
cp for cp in iam.list_role_policies(
name).list_role_policies_result.policy_names
]
except boto.exception.BotoServerError as e:
if e.error_code == "NoSuchEntity":
# Role doesn't exist so it's safe to assume the policy doesn't either
module.exit_json(changed=False)
else:
module.fail_json(msg=e.message)
try:
for pol in current_policies:
if urllib.unquote(
iam.get_role_policy(
name,
pol).get_role_policy_result.policy_document) == pdoc:
policy_match = True
if state == 'present' and skip:
if policy_name not in current_policies and not policy_match:
changed = True
iam.put_role_policy(name, policy_name, pdoc)
elif state == 'present' and not skip:
changed = True
iam.put_role_policy(name, policy_name, pdoc)
elif state == 'absent':
try:
iam.delete_role_policy(name, policy_name)
changed = True
except boto.exception.BotoServerError, err:
error_msg = boto_exception(err)
if 'cannot be found.' in error_msg:
changed = False
module.exit_json(changed=changed,
msg="%s policy is already absent" %
policy_name)
updated_policies = [
cp for cp in iam.list_role_policies(
name).list_role_policies_result.policy_names
]
def main():
argument_spec = ec2_argument_spec()
argument_spec.update(dict(
role_name = dict(default=None,required=True),
policy_name = dict(default=None,required=True),
policy_document = dict(default=None,required=False),
state = dict(default='present', choices=['present', 'absent']),
)
)
module = AnsibleModule(
argument_spec=argument_spec
)
role_name = module.params.get('role_name')
policy_name = module.params.get('policy_name')
policy_document = module.params.get('policy_document')
if type(policy_document) == type(dict()):
policy_document = json.dumps(policy_document)
region, ec2_url, aws_connect_params = get_aws_connection_info(module)
iam = connect_to_aws(boto.iam, region, **aws_connect_params)
state = module.params.get('state')
missing = False
try:
iam.get_role_policy(role_name, policy_name)
except boto.exception.BotoServerError as e:
if e.status == 404:
missing = True
if state == 'present':
iam.put_role_policy(role_name, policy_name, policy_document)
module.exit_json(changed = True)
elif state == 'absent':
if not missing:
iam.delete_role_policy(role_name, policy_name)
module.exit_json(changed = not missing)
def role_action(module, iam, name, policy_name, skip, pdoc, state):
policy_match = False
changed = False
try:
current_policies = [cp for cp in iam.list_role_policies(name).
list_role_policies_result.
policy_names]
except boto.exception.BotoServerError as e:
if e.error_code == "NoSuchEntity":
# Role doesn't exist so it's safe to assume the policy doesn't either
module.exit_json(changed=False)
else:
module.fail_json(msg=e.message)
try:
for pol in current_policies:
if urllib.unquote(iam.get_role_policy(name, pol).get_role_policy_result.policy_document) == pdoc:
policy_match = True
if state == 'present' and skip:
if policy_name not in current_policies and not policy_match:
changed = True
iam.put_role_policy(name, policy_name, pdoc)
elif state == 'present' and not skip:
changed = True
iam.put_role_policy(name, policy_name, pdoc)
elif state == 'absent':
try:
iam.delete_role_policy(name, policy_name)
changed = True
except boto.exception.BotoServerError, err:
error_msg = boto_exception(err)
if 'cannot be found.' in error_msg:
changed = False
module.exit_json(changed=changed,
msg="%s policy is already absent" % policy_name)
updated_policies = [cp for cp in iam.list_role_policies(name).
list_role_policies_result.
policy_names]
def main():
argument_spec = ec2_argument_spec()
argument_spec.update(
dict(
role_name=dict(default=None, required=True),
policy_name=dict(default=None, required=True),
policy_document=dict(default=None, required=False),
state=dict(default='present', choices=['present', 'absent']),
))
module = AnsibleModule(argument_spec=argument_spec)
role_name = module.params.get('role_name')
policy_name = module.params.get('policy_name')
policy_document = module.params.get('policy_document')
if type(policy_document) == type(dict()):
policy_document = json.dumps(policy_document)
region, ec2_url, aws_connect_params = get_aws_connection_info(module)
iam = connect_to_aws(boto.iam, region, **aws_connect_params)
state = module.params.get('state')
missing = False
try:
iam.get_role_policy(role_name, policy_name)
except boto.exception.BotoServerError as e:
if e.status == 404:
missing = True
if state == 'present':
iam.put_role_policy(role_name, policy_name, policy_document)
module.exit_json(changed=True)
elif state == 'absent':
if not missing:
iam.delete_role_policy(role_name, policy_name)
module.exit_json(changed=not missing)
def delete_role(module, iam, name, prof_list, max_attempts=10, max_wait=32):
changed = False
iam_role_result = None
instance_profile_result = None
try:
# Follow the official AWS docs for deleting a IAM role:
# http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html#roles-managingrole-deleting-api
# Step 1: Remove this role from any instance profiles
for profile in get_instance_profiles_for_role(iam, name):
iam.remove_role_from_instance_profile(profile, name)
changed = True
# Check to see of the role is actually removed
wait_for_aws(
lambda: profile not in get_instance_profiles_for_role(
iam, name), changed,
"Timeout waiting for role in profile deletion", max_attempts,
max_wait)
# Step 2: Remove all policies from the role
for policy in get_policies_in_role(iam, name):
iam.delete_role_policy(name, policy)
changed = True
# Check to see of the policy is actually removed
wait_for_aws(lambda: policy not in get_policies_in_role(iam, name),
changed, "Timeout waiting for role policy deletion",
max_attempts, max_wait)
# Step 3: Delete the role
iam_role_result = iam.delete_role(name)
if iam_role_result:
changed = True
# Check to see if the role has been removed
wait_for_aws(lambda: name not in get_iam_roles(iam), changed,
"Timeout waiting for IAM role deltion", max_attempts,
max_wait)
# Delete any instance profiles matching the IAM role name
for prof in prof_list:
if name == prof:
instance_profile_result = iam.delete_instance_profile(name)
wait_for_aws(lambda: prof not in get_instance_profiles(iam),
changed,
"Timeout waiting for instance profile deletion",
max_attempts, max_wait)
except boto.exception.BotoServerError as err:
# Catch the case where a non-existent role is deleted.
error_msg = boto_exception(err)
if ('The role with name %s cannot be found.' % (name)) in error_msg:
changed = False
else:
module.fail_json(changed=changed, msg=str(err))
return changed, get_iam_roles(
iam), iam_role_result, instance_profile_result