コード例 #1
0
def role_action(module, iam, name, policy_name, skip, pdoc, state):
  policy_match = False
  changed = False
  try:
    current_policies = [cp for cp in iam.list_role_policies(name).
                                        list_role_policies_result.
                                        policy_names]
    for pol in current_policies:
      if urllib.unquote(iam.get_role_policy(name, pol).
                        get_role_policy_result.policy_document) == pdoc:
        policy_match = True
        if policy_match:
          msg=("The policy document you specified already exists "
               "under the name %s." % pol)
    if state == 'present' and skip:
      if policy_name not in current_policies and not policy_match:
        changed = True
        iam.put_role_policy(name, policy_name, pdoc)
    elif state == 'present' and not skip:
        changed = True
        iam.put_role_policy(name, policy_name, pdoc)
    elif state == 'absent':
      try:
        iam.delete_role_policy(name, policy_name)
        changed = True
      except boto.exception.BotoServerError, err:
        error_msg = boto_exception(err)
        if 'cannot be found.' in error_msg:
          changed = False
          module.exit_json(changed=changed,
                           msg="%s policy is already absent" % policy_name)

    updated_policies = [cp for cp in iam.list_role_policies(name).
                                        list_role_policies_result.
                                        policy_names]
コード例 #2
0
def role_action(module, iam, name, policy_name, skip, pdoc, state):
  policy_match = False
  changed = False
  try:
    current_policies = [cp for cp in iam.list_role_policies(name).
                                        list_role_policies_result.
                                        policy_names]
    for pol in current_policies:
      if urllib.unquote(iam.get_role_policy(name, pol).
                        get_role_policy_result.policy_document) == pdoc:
        policy_match = True
        if policy_match:
          msg=("The policy document you specified already exists "
               "under the name %s." % pol)
    if state == 'present' and skip:
      if policy_name not in current_policies and not policy_match:
        changed = True
        iam.put_role_policy(name, policy_name, pdoc)
    elif state == 'present' and not skip:
        changed = True
        iam.put_role_policy(name, policy_name, pdoc)
    elif state == 'absent':
      try:
        iam.delete_role_policy(name, policy_name)
        changed = True
      except boto.exception.BotoServerError, err:
        error_msg = boto_exception(err)
        if 'cannot be found.' in error_msg:
          changed = False
          module.exit_json(changed=changed,
                           msg="%s policy is already absent" % policy_name)

    updated_policies = [cp for cp in iam.list_role_policies(name).
                                        list_role_policies_result.
                                        policy_names]
コード例 #3
0
def role_action(module, iam, name, policy_name, skip, pdoc, state):
    policy_match = False
    changed = False
    try:
        current_policies = [
            cp for cp in iam.list_role_policies(
                name).list_role_policies_result.policy_names
        ]
    except boto.exception.BotoServerError as e:
        if e.error_code == "NoSuchEntity":
            # Role doesn't exist so it's safe to assume the policy doesn't either
            module.exit_json(changed=False,
                             msg="No such role, policy will be skipped.")
        else:
            module.fail_json(msg=e.message)

    try:
        matching_policies = []
        for pol in current_policies:
            if urllib.parse.unquote(
                    iam.get_role_policy(
                        name,
                        pol).get_role_policy_result.policy_document) == pdoc:
                policy_match = True
                matching_policies.append(pol)

        if state == 'present':
            # If policy document does not already exist (either it's changed
            # or the policy is not present) or if we're not skipping dupes then
            # make the put call.  Note that the put call does a create or update.
            if not policy_match or (not skip
                                    and policy_name not in matching_policies):
                changed = True
                iam.put_role_policy(name, policy_name, pdoc)
        elif state == 'absent':
            try:
                iam.delete_role_policy(name, policy_name)
                changed = True
            except boto.exception.BotoServerError as err:
                error_msg = boto_exception(err)
                if 'cannot be found.' in error_msg:
                    changed = False
                    module.exit_json(changed=changed,
                                     msg="%s policy is already absent" %
                                     policy_name)
                else:
                    module.fail_json(msg=err.message)

        updated_policies = [
            cp for cp in iam.list_role_policies(
                name).list_role_policies_result.policy_names
        ]
    except boto.exception.BotoServerError as err:
        error_msg = boto_exception(err)
        module.fail_json(changed=changed, msg=error_msg)

    return changed, name, updated_policies
コード例 #4
0
ファイル: components.py プロジェクト: grassator/senza
def get_merged_policies(roles: list, region: str):
    iam = boto.iam.connect_to_region(region)
    policies = []
    for role in roles:
        policy_names = iam.list_role_policies(role)
        for policy_name in policy_names['list_role_policies_response']['list_role_policies_result']['policy_names']:
            policy = iam.get_role_policy(role, policy_name)['get_role_policy_response']['get_role_policy_result']
            document = urllib.parse.unquote(policy['policy_document'])
            policies.append({'PolicyName': policy_name,
                             'PolicyDocument': json.loads(document)})
    return policies
コード例 #5
0
def main():
    argument_spec = ec2_argument_spec()    
    argument_spec.update(dict(
            role_name = dict(default=None,required=True),
            policy_name =  dict(default=None,required=True),
            policy_document = dict(default=None,required=False),
            state = dict(default='present', choices=['present', 'absent']),
        )
    )

    module = AnsibleModule(
        argument_spec=argument_spec
    )

    role_name = module.params.get('role_name')
    policy_name = module.params.get('policy_name')
    policy_document = module.params.get('policy_document')

    if type(policy_document) == type(dict()):
        policy_document = json.dumps(policy_document)

    region, ec2_url, aws_connect_params = get_aws_connection_info(module)
    iam = connect_to_aws(boto.iam, region, **aws_connect_params)

    state = module.params.get('state')

    missing = False
    try:
        iam.get_role_policy(role_name, policy_name)
    except boto.exception.BotoServerError as e:
       if e.status == 404:
         missing = True

    if state == 'present':
        iam.put_role_policy(role_name, policy_name, policy_document)
        module.exit_json(changed = True)
    elif state == 'absent':
        if not missing:
          iam.delete_role_policy(role_name, policy_name)
        module.exit_json(changed = not missing)
コード例 #6
0
def main():
    argument_spec = ec2_argument_spec()
    argument_spec.update(
        dict(
            role_name=dict(default=None, required=True),
            policy_name=dict(default=None, required=True),
            policy_document=dict(default=None, required=False),
            state=dict(default='present', choices=['present', 'absent']),
        ))

    module = AnsibleModule(argument_spec=argument_spec)

    role_name = module.params.get('role_name')
    policy_name = module.params.get('policy_name')
    policy_document = module.params.get('policy_document')

    if type(policy_document) == type(dict()):
        policy_document = json.dumps(policy_document)

    region, ec2_url, aws_connect_params = get_aws_connection_info(module)
    iam = connect_to_aws(boto.iam, region, **aws_connect_params)

    state = module.params.get('state')

    missing = False
    try:
        iam.get_role_policy(role_name, policy_name)
    except boto.exception.BotoServerError as e:
        if e.status == 404:
            missing = True

    if state == 'present':
        iam.put_role_policy(role_name, policy_name, policy_document)
        module.exit_json(changed=True)
    elif state == 'absent':
        if not missing:
            iam.delete_role_policy(role_name, policy_name)
        module.exit_json(changed=not missing)
コード例 #7
0
ファイル: iam_policy.py プロジェクト: GSA/catalog-deploy
def role_action(module, iam, name, policy_name, skip, pdoc, state):
  policy_match = False
  changed = False
  try:
    current_policies = [cp for cp in iam.list_role_policies(name).
                                        list_role_policies_result.
                                        policy_names]
  except boto.exception.BotoServerError as e:
    if e.error_code == "NoSuchEntity":
      # Role doesn't exist so it's safe to assume the policy doesn't either
      module.exit_json(changed=False, msg="No such role, policy will be skipped.")
    else:
      module.fail_json(msg=e.message)

  try:
    pol = ""
    for pol in current_policies:
      if urllib.unquote(iam.get_role_policy(name, pol).
                        get_role_policy_result.policy_document) == pdoc:
        policy_match = True
        break

    if state == 'present':
      # If policy document does not already exist (either it's changed
      # or the policy is not present) or if we're not skipping dupes then
      # make the put call.  Note that the put call does a create or update.
      if (not policy_match or not skip) and pol != name:
        changed = True
        iam.put_role_policy(name, policy_name, pdoc)
    elif state == 'absent':
      try:
        iam.delete_role_policy(name, policy_name)
        changed = True
      except boto.exception.BotoServerError as err:
        error_msg = boto_exception(err)
        if 'cannot be found.' in error_msg:
          changed = False
          module.exit_json(changed=changed,
                           msg="%s policy is already absent" % policy_name)
        else:
          module.fail_json(msg=err.message)

    updated_policies = [cp for cp in iam.list_role_policies(name).
                                        list_role_policies_result.
                                        policy_names]
  except boto.exception.BotoServerError as err:
    error_msg = boto_exception(err)
    module.fail_json(changed=changed, msg=error_msg)

  return changed, name, updated_policies
コード例 #8
0
ファイル: iam_role.py プロジェクト: mindis/senza
def get_merged_policies(roles: list, region: str):
    iam = boto.iam.connect_to_region(region)
    policies = []
    for role in roles:
        policy_names = iam.list_role_policies(role)
        for policy_name in policy_names['list_role_policies_response'][
                'list_role_policies_result']['policy_names']:
            policy = iam.get_role_policy(
                role, policy_name
            )['get_role_policy_response']['get_role_policy_result']
            document = urllib.parse.unquote(policy['policy_document'])
            policies.append({
                'PolicyName': policy_name,
                'PolicyDocument': json.loads(document)
            })
    return policies
def role_action(module, iam, name, policy_name, skip, pdoc, state):
    policy_match = False
    changed = False
    try:
        current_policies = [
            cp for cp in iam.list_role_policies(
                name).list_role_policies_result.policy_names
        ]
    except boto.exception.BotoServerError as e:
        if e.error_code == "NoSuchEntity":
            # Role doesn't exist so it's safe to assume the policy doesn't either
            module.exit_json(changed=False)
        else:
            module.fail_json(msg=e.message)

    try:
        for pol in current_policies:
            if urllib.unquote(
                    iam.get_role_policy(
                        name,
                        pol).get_role_policy_result.policy_document) == pdoc:
                policy_match = True
        if state == 'present' and skip:
            if policy_name not in current_policies and not policy_match:
                changed = True
                iam.put_role_policy(name, policy_name, pdoc)
        elif state == 'present' and not skip:
            changed = True
            iam.put_role_policy(name, policy_name, pdoc)
        elif state == 'absent':
            try:
                iam.delete_role_policy(name, policy_name)
                changed = True
            except boto.exception.BotoServerError, err:
                error_msg = boto_exception(err)
                if 'cannot be found.' in error_msg:
                    changed = False
                    module.exit_json(changed=changed,
                                     msg="%s policy is already absent" %
                                     policy_name)

        updated_policies = [
            cp for cp in iam.list_role_policies(
                name).list_role_policies_result.policy_names
        ]
コード例 #10
0
def role_action(module, iam, name, policy_name, skip, pdoc, state):
  policy_match = False
  changed = False
  try:
    current_policies = [cp for cp in iam.list_role_policies(name).
                                        list_role_policies_result.
                                        policy_names]
  except boto.exception.BotoServerError as e:
    if e.error_code == "NoSuchEntity":
      # Role doesn't exist so it's safe to assume the policy doesn't either
      module.exit_json(changed=False)
    else:
      module.fail_json(msg=e.message)

  try:
    for pol in current_policies:
      if urllib.unquote(iam.get_role_policy(name, pol).get_role_policy_result.policy_document) == pdoc:
        policy_match = True
    if state == 'present' and skip:
      if policy_name not in current_policies and not policy_match:
        changed = True
        iam.put_role_policy(name, policy_name, pdoc)
    elif state == 'present' and not skip:
        changed = True
        iam.put_role_policy(name, policy_name, pdoc)
    elif state == 'absent':
      try:
        iam.delete_role_policy(name, policy_name)
        changed = True
      except boto.exception.BotoServerError, err:
        error_msg = boto_exception(err)
        if 'cannot be found.' in error_msg:
          changed = False
          module.exit_json(changed=changed,
                           msg="%s policy is already absent" % policy_name)

    updated_policies = [cp for cp in iam.list_role_policies(name).
                                        list_role_policies_result.
                                        policy_names]