def role_action(module, iam, name, policy_name, skip, pdoc, state):
policy_match = False
changed = False
try:
current_policies = [cp for cp in iam.list_role_policies(name).
list_role_policies_result.
policy_names]
for pol in current_policies:
if urllib.unquote(iam.get_role_policy(name, pol).
get_role_policy_result.policy_document) == pdoc:
policy_match = True
if policy_match:
msg=("The policy document you specified already exists "
"under the name %s." % pol)
if state == 'present' and skip:
if policy_name not in current_policies and not policy_match:
changed = True
iam.put_role_policy(name, policy_name, pdoc)
elif state == 'present' and not skip:
changed = True
iam.put_role_policy(name, policy_name, pdoc)
elif state == 'absent':
try:
iam.delete_role_policy(name, policy_name)
changed = True
except boto.exception.BotoServerError, err:
error_msg = boto_exception(err)
if 'cannot be found.' in error_msg:
changed = False
module.exit_json(changed=changed,
msg="%s policy is already absent" % policy_name)
updated_policies = [cp for cp in iam.list_role_policies(name).
list_role_policies_result.
policy_names]
def role_action(module, iam, name, policy_name, skip, pdoc, state):
policy_match = False
changed = False
try:
current_policies = [cp for cp in iam.list_role_policies(name).
list_role_policies_result.
policy_names]
for pol in current_policies:
if urllib.unquote(iam.get_role_policy(name, pol).
get_role_policy_result.policy_document) == pdoc:
policy_match = True
if policy_match:
msg=("The policy document you specified already exists "
"under the name %s." % pol)
if state == 'present' and skip:
if policy_name not in current_policies and not policy_match:
changed = True
iam.put_role_policy(name, policy_name, pdoc)
elif state == 'present' and not skip:
changed = True
iam.put_role_policy(name, policy_name, pdoc)
elif state == 'absent':
try:
iam.delete_role_policy(name, policy_name)
changed = True
except boto.exception.BotoServerError, err:
error_msg = boto_exception(err)
if 'cannot be found.' in error_msg:
changed = False
module.exit_json(changed=changed,
msg="%s policy is already absent" % policy_name)
updated_policies = [cp for cp in iam.list_role_policies(name).
list_role_policies_result.
policy_names]
def role_action(module, iam, name, policy_name, skip, pdoc, state):
policy_match = False
changed = False
try:
current_policies = [
cp for cp in iam.list_role_policies(
name).list_role_policies_result.policy_names
]
except boto.exception.BotoServerError as e:
if e.error_code == "NoSuchEntity":
# Role doesn't exist so it's safe to assume the policy doesn't either
module.exit_json(changed=False,
msg="No such role, policy will be skipped.")
else:
module.fail_json(msg=e.message)
try:
matching_policies = []
for pol in current_policies:
if urllib.parse.unquote(
iam.get_role_policy(
name,
pol).get_role_policy_result.policy_document) == pdoc:
policy_match = True
matching_policies.append(pol)
if state == 'present':
# If policy document does not already exist (either it's changed
# or the policy is not present) or if we're not skipping dupes then
# make the put call. Note that the put call does a create or update.
if not policy_match or (not skip
and policy_name not in matching_policies):
changed = True
iam.put_role_policy(name, policy_name, pdoc)
elif state == 'absent':
try:
iam.delete_role_policy(name, policy_name)
changed = True
except boto.exception.BotoServerError as err:
error_msg = boto_exception(err)
if 'cannot be found.' in error_msg:
changed = False
module.exit_json(changed=changed,
msg="%s policy is already absent" %
policy_name)
else:
module.fail_json(msg=err.message)
updated_policies = [
cp for cp in iam.list_role_policies(
name).list_role_policies_result.policy_names
]
except boto.exception.BotoServerError as err:
error_msg = boto_exception(err)
module.fail_json(changed=changed, msg=error_msg)
return changed, name, updated_policies
def get_merged_policies(roles: list, region: str):
iam = boto.iam.connect_to_region(region)
policies = []
for role in roles:
policy_names = iam.list_role_policies(role)
for policy_name in policy_names['list_role_policies_response']['list_role_policies_result']['policy_names']:
policy = iam.get_role_policy(role, policy_name)['get_role_policy_response']['get_role_policy_result']
document = urllib.parse.unquote(policy['policy_document'])
policies.append({'PolicyName': policy_name,
'PolicyDocument': json.loads(document)})
return policies
def main():
argument_spec = ec2_argument_spec()
argument_spec.update(dict(
role_name = dict(default=None,required=True),
policy_name = dict(default=None,required=True),
policy_document = dict(default=None,required=False),
state = dict(default='present', choices=['present', 'absent']),
)
)
module = AnsibleModule(
argument_spec=argument_spec
)
role_name = module.params.get('role_name')
policy_name = module.params.get('policy_name')
policy_document = module.params.get('policy_document')
if type(policy_document) == type(dict()):
policy_document = json.dumps(policy_document)
region, ec2_url, aws_connect_params = get_aws_connection_info(module)
iam = connect_to_aws(boto.iam, region, **aws_connect_params)
state = module.params.get('state')
missing = False
try:
iam.get_role_policy(role_name, policy_name)
except boto.exception.BotoServerError as e:
if e.status == 404:
missing = True
if state == 'present':
iam.put_role_policy(role_name, policy_name, policy_document)
module.exit_json(changed = True)
elif state == 'absent':
if not missing:
iam.delete_role_policy(role_name, policy_name)
module.exit_json(changed = not missing)
def main():
argument_spec = ec2_argument_spec()
argument_spec.update(
dict(
role_name=dict(default=None, required=True),
policy_name=dict(default=None, required=True),
policy_document=dict(default=None, required=False),
state=dict(default='present', choices=['present', 'absent']),
))
module = AnsibleModule(argument_spec=argument_spec)
role_name = module.params.get('role_name')
policy_name = module.params.get('policy_name')
policy_document = module.params.get('policy_document')
if type(policy_document) == type(dict()):
policy_document = json.dumps(policy_document)
region, ec2_url, aws_connect_params = get_aws_connection_info(module)
iam = connect_to_aws(boto.iam, region, **aws_connect_params)
state = module.params.get('state')
missing = False
try:
iam.get_role_policy(role_name, policy_name)
except boto.exception.BotoServerError as e:
if e.status == 404:
missing = True
if state == 'present':
iam.put_role_policy(role_name, policy_name, policy_document)
module.exit_json(changed=True)
elif state == 'absent':
if not missing:
iam.delete_role_policy(role_name, policy_name)
module.exit_json(changed=not missing)
def role_action(module, iam, name, policy_name, skip, pdoc, state):
policy_match = False
changed = False
try:
current_policies = [cp for cp in iam.list_role_policies(name).
list_role_policies_result.
policy_names]
except boto.exception.BotoServerError as e:
if e.error_code == "NoSuchEntity":
# Role doesn't exist so it's safe to assume the policy doesn't either
module.exit_json(changed=False, msg="No such role, policy will be skipped.")
else:
module.fail_json(msg=e.message)
try:
pol = ""
for pol in current_policies:
if urllib.unquote(iam.get_role_policy(name, pol).
get_role_policy_result.policy_document) == pdoc:
policy_match = True
break
if state == 'present':
# If policy document does not already exist (either it's changed
# or the policy is not present) or if we're not skipping dupes then
# make the put call. Note that the put call does a create or update.
if (not policy_match or not skip) and pol != name:
changed = True
iam.put_role_policy(name, policy_name, pdoc)
elif state == 'absent':
try:
iam.delete_role_policy(name, policy_name)
changed = True
except boto.exception.BotoServerError as err:
error_msg = boto_exception(err)
if 'cannot be found.' in error_msg:
changed = False
module.exit_json(changed=changed,
msg="%s policy is already absent" % policy_name)
else:
module.fail_json(msg=err.message)
updated_policies = [cp for cp in iam.list_role_policies(name).
list_role_policies_result.
policy_names]
except boto.exception.BotoServerError as err:
error_msg = boto_exception(err)
module.fail_json(changed=changed, msg=error_msg)
return changed, name, updated_policies
def get_merged_policies(roles: list, region: str):
iam = boto.iam.connect_to_region(region)
policies = []
for role in roles:
policy_names = iam.list_role_policies(role)
for policy_name in policy_names['list_role_policies_response'][
'list_role_policies_result']['policy_names']:
policy = iam.get_role_policy(
role, policy_name
)['get_role_policy_response']['get_role_policy_result']
document = urllib.parse.unquote(policy['policy_document'])
policies.append({
'PolicyName': policy_name,
'PolicyDocument': json.loads(document)
})
return policies
def role_action(module, iam, name, policy_name, skip, pdoc, state):
policy_match = False
changed = False
try:
current_policies = [
cp for cp in iam.list_role_policies(
name).list_role_policies_result.policy_names
]
except boto.exception.BotoServerError as e:
if e.error_code == "NoSuchEntity":
# Role doesn't exist so it's safe to assume the policy doesn't either
module.exit_json(changed=False)
else:
module.fail_json(msg=e.message)
try:
for pol in current_policies:
if urllib.unquote(
iam.get_role_policy(
name,
pol).get_role_policy_result.policy_document) == pdoc:
policy_match = True
if state == 'present' and skip:
if policy_name not in current_policies and not policy_match:
changed = True
iam.put_role_policy(name, policy_name, pdoc)
elif state == 'present' and not skip:
changed = True
iam.put_role_policy(name, policy_name, pdoc)
elif state == 'absent':
try:
iam.delete_role_policy(name, policy_name)
changed = True
except boto.exception.BotoServerError, err:
error_msg = boto_exception(err)
if 'cannot be found.' in error_msg:
changed = False
module.exit_json(changed=changed,
msg="%s policy is already absent" %
policy_name)
updated_policies = [
cp for cp in iam.list_role_policies(
name).list_role_policies_result.policy_names
]
def role_action(module, iam, name, policy_name, skip, pdoc, state):
policy_match = False
changed = False
try:
current_policies = [cp for cp in iam.list_role_policies(name).
list_role_policies_result.
policy_names]
except boto.exception.BotoServerError as e:
if e.error_code == "NoSuchEntity":
# Role doesn't exist so it's safe to assume the policy doesn't either
module.exit_json(changed=False)
else:
module.fail_json(msg=e.message)
try:
for pol in current_policies:
if urllib.unquote(iam.get_role_policy(name, pol).get_role_policy_result.policy_document) == pdoc:
policy_match = True
if state == 'present' and skip:
if policy_name not in current_policies and not policy_match:
changed = True
iam.put_role_policy(name, policy_name, pdoc)
elif state == 'present' and not skip:
changed = True
iam.put_role_policy(name, policy_name, pdoc)
elif state == 'absent':
try:
iam.delete_role_policy(name, policy_name)
changed = True
except boto.exception.BotoServerError, err:
error_msg = boto_exception(err)
if 'cannot be found.' in error_msg:
changed = False
module.exit_json(changed=changed,
msg="%s policy is already absent" % policy_name)
updated_policies = [cp for cp in iam.list_role_policies(name).
list_role_policies_result.
policy_names]