def template(basedir, varname, vars, lookup_fatal=True, depth=0, expand_lists=True, convert_bare=False, fail_on_undefined=False, filter_fatal=True):
''' templates a data structure by traversing it and substituting for other data structures '''
from ansible import utils
try:
if convert_bare and isinstance(varname, basestring):
first_part = varname.split(".")[0].split("[")[0]
if first_part in vars and '{{' not in varname and '$' not in varname:
varname = "{{%s}}" % varname
if isinstance(varname, basestring):
if '{{' in varname or '{%' in varname:
varname = template_from_string(basedir, varname, vars, fail_on_undefined)
if (varname.startswith("{") and not varname.startswith("{{")) or varname.startswith("["):
eval_results = utils.safe_eval(varname, locals=vars, include_exceptions=True)
if eval_results[1] is None:
varname = eval_results[0]
return varname
elif isinstance(varname, (list, tuple)):
return [template(basedir, v, vars, lookup_fatal, depth, expand_lists, fail_on_undefined=fail_on_undefined) for v in varname]
elif isinstance(varname, dict):
d = {}
for (k, v) in varname.iteritems():
d[k] = template(basedir, v, vars, lookup_fatal, depth, expand_lists, fail_on_undefined=fail_on_undefined)
return d
else:
return varname
except errors.AnsibleFilterError:
if filter_fatal:
raise
else:
return varname
def template(basedir, varname, templatevars, lookup_fatal=True, depth=0, expand_lists=True, convert_bare=False, fail_on_undefined=False, filter_fatal=True):
''' templates a data structure by traversing it and substituting for other data structures '''
from ansible import utils
try:
if convert_bare and isinstance(varname, basestring):
first_part = varname.split(".")[0].split("[")[0]
if first_part in templatevars and '{{' not in varname and '$' not in varname:
varname = "{{%s}}" % varname
if isinstance(varname, basestring):
if '{{' in varname or '{%' in varname:
try:
varname = template_from_string(basedir, varname, templatevars, fail_on_undefined)
except errors.AnsibleError, e:
raise errors.AnsibleError("Failed to template %s: %s" % (varname, str(e)))
# template_from_string may return non strings for the case where the var is just
# a reference to a single variable, so we should re_check before we do further evals
if isinstance(varname, basestring):
if (varname.startswith("{") and not varname.startswith("{{")) or varname.startswith("["):
eval_results = utils.safe_eval(varname, locals=templatevars, include_exceptions=True)
if eval_results[1] is None:
varname = eval_results[0]
return varname
elif isinstance(varname, (list, tuple)):
return [template(basedir, v, templatevars, lookup_fatal, depth, expand_lists, convert_bare, fail_on_undefined, filter_fatal) for v in varname]
def run(self, conn, tmp, module_name, module_args, inject, complex_args=None, **kwargs):
try:
args = {}
if complex_args:
args.update(complex_args)
args.update(parse_kv(module_args))
envdict={}
if self.runner.environment:
env=template.template(self.runner.basedir, self.runner.environment, inject, convert_bare=True)
env = utils.safe_eval(env)
testQueue = args["queue_name"]
region = args["region"]
spec_file = path.expanduser("~/.nucleator/contrib/Bucketandq/orchestrator/specification.json")
queue = self.initQueue(testQueue, region, env)
self.main(self.addMessageToQueue, queue, spec_file)
return ReturnData(conn=conn,
comm_ok=True,
result=dict(failed=False, changed=False, msg="Bucketandq Messages Created!"))
except Exception, e:
# deal with failure gracefully
result = dict(failed=True, msg=type(e).__name__ + ": " + str(e))
return ReturnData(conn=conn, comm_ok=False, result=result)
def template(basedir, varname, templatevars, lookup_fatal=True, depth=0, expand_lists=True, convert_bare=False, fail_on_undefined=False, filter_fatal=True):
''' templates a data structure by traversing it and substituting for other data structures '''
from ansible import utils
try:
if convert_bare and isinstance(varname, basestring):
first_part = varname.split(".")[0].split("[")[0]
if first_part in templatevars and '{{' not in varname and '$' not in varname:
varname = "{{%s}}" % varname
if isinstance(varname, basestring):
if '{{' in varname or '{%' in varname:
try:
varname = template_from_string(basedir, varname, templatevars, fail_on_undefined)
except errors.AnsibleError, e:
raise errors.AnsibleError("Failed to template %s: %s" % (varname, str(e)))
# template_from_string may return non strings for the case where the var is just
# a reference to a single variable, so we should re_check before we do further evals
if isinstance(varname, basestring):
if (varname.startswith("{") and not varname.startswith("{{")) or varname.startswith("["):
eval_results = utils.safe_eval(varname, locals=templatevars, include_exceptions=True)
if eval_results[1] is None:
varname = eval_results[0]
return varname
elif isinstance(varname, (list, tuple)):
return [template(basedir, v, templatevars, lookup_fatal, depth, expand_lists, convert_bare, fail_on_undefined, filter_fatal) for v in varname]
def run(self, terms, inject=None, **kwargs):
terms = safe_eval(terms)
if not isinstance(terms, dict):
print terms
raise errors.AnsibleError("with_hash_items expects a dict")
return [{"key": term[0], "value": term[1]} for term in terms.items()]
def template(basedir, varname, templatevars, lookup_fatal=True, depth=0, expand_lists=True, convert_bare=False, fail_on_undefined=False, filter_fatal=True):
''' templates a data structure by traversing it and substituting for other data structures '''
from ansible import utils
try:
if convert_bare and isinstance(varname, basestring):
first_part = varname.split(".")[0].split("[")[0]
if first_part in templatevars and '{{' not in varname and '$' not in varname:
varname = "{{%s}}" % varname
if isinstance(varname, basestring):
if '{{' in varname or '{%' in varname:
varname = template_from_string(basedir, varname, templatevars, fail_on_undefined)
if (varname.startswith("{") and not varname.startswith("{{")) or varname.startswith("["):
eval_results = utils.safe_eval(varname, locals=templatevars, include_exceptions=True)
if eval_results[1] is None:
varname = eval_results[0]
return varname
elif isinstance(varname, (list, tuple)):
return [template(basedir, v, templatevars, lookup_fatal, depth, expand_lists, convert_bare, fail_on_undefined, filter_fatal) for v in varname]
elif isinstance(varname, dict):
d = {}
for (k, v) in varname.iteritems():
d[k] = template(basedir, v, templatevars, lookup_fatal, depth, expand_lists, convert_bare, fail_on_undefined, filter_fatal)
return d
else:
return varname
except errors.AnsibleFilterError:
if filter_fatal:
raise
else:
return varname
def _command_filter(self, command, arg, items, inject):
"""Return only the items for which filter is true"""
if '{{' not in arg:
arg = '{{%s}}' % arg
for item in items:
template_vars = dict(inject, item=item)
decision = safe_eval(
template(self.basedir, arg, template_vars),
locals=template_vars)
if decision:
yield item
def _compute_environment_string(self, inject=None):
''' what environment variables to use when running the command? '''
if not self.environment:
return ""
enviro = template.template(self.basedir, self.environment, inject, convert_bare=True)
enviro = utils.safe_eval(enviro)
if type(enviro) != dict:
raise errors.AnsibleError("environment must be a dictionary, received %s" % enviro)
result = ""
for (k,v) in enviro.iteritems():
result = "%s=%s %s" % (k, pipes.quote(str(v)), result)
return result
def _compute_environment_string(self, inject=None):
''' what environment variables to use when running the command? '''
if not self.environment:
return ""
enviro = template.template(self.basedir, self.environment, inject, convert_bare=True)
enviro = utils.safe_eval(enviro)
if type(enviro) != dict:
raise errors.AnsibleError("environment must be a dictionary, received %s" % enviro)
result = ""
for (k,v) in enviro.iteritems():
result = "%s=%s %s" % (k, pipes.quote(str(v)), result)
return result
def template(basedir, varname, vars, lookup_fatal=True, depth=0, expand_lists=True, convert_bare=False, fail_on_undefined=False, filter_fatal=True):
''' templates a data structure by traversing it and substituting for other data structures '''
from ansible import utils
try:
if convert_bare and isinstance(varname, basestring):
first_part = varname.split(".")[0].split("[")[0]
if first_part in vars and '{{' not in varname and '$' not in varname:
varname = "{{%s}}" % varname
if isinstance(varname, basestring):
if '{{' in varname or '{%' in varname:
varname = template_from_string(basedir, varname, vars, fail_on_undefined)
if (varname.startswith("{") and not varname.startswith("{{")) or varname.startswith("["):
eval_results = utils.safe_eval(varname, locals=vars, include_exceptions=True)
if eval_results[1] is None:
varname = eval_results[0]
if not '$' in varname:
return varname
m = _legacy_varFind(basedir, varname, vars, lookup_fatal, depth, expand_lists)
if not m:
return varname
if m['start'] == 0 and m['end'] == len(varname):
if m['replacement'] is not None:
Flags.LEGACY_TEMPLATE_WARNING = True
return template(basedir, m['replacement'], vars, lookup_fatal, depth, expand_lists)
else:
return varname
else:
Flags.LEGACY_TEMPLATE_WARNING = True
return legacy_varReplace(basedir, varname, vars, lookup_fatal, depth, expand_lists)
elif isinstance(varname, (list, tuple)):
return [template(basedir, v, vars, lookup_fatal, depth, expand_lists, fail_on_undefined=fail_on_undefined) for v in varname]
elif isinstance(varname, dict):
d = {}
for (k, v) in varname.iteritems():
d[k] = template(basedir, v, vars, lookup_fatal, depth, expand_lists, fail_on_undefined=fail_on_undefined)
return d
else:
return varname
except errors.AnsibleFilterError:
if filter_fatal:
raise
else:
return varname
def run(self,
conn,
tmp,
module_name,
module_args,
inject,
complex_args=None,
**kwargs):
args = {}
if complex_args:
args.update(complex_args)
# attempt to prevent confusing messages when the variable didn't interpolate
module_args = module_args.replace("{{ ", "{{").replace(" }}", "}}")
kv = utils.parse_kv(module_args)
args.update(kv)
if not 'msg' in args and not 'var' in args:
args['msg'] = 'Hello world!'
result = {}
if 'msg' in args:
if 'fail' in args and utils.boolean(args['fail']):
result = dict(failed=True, msg=args['msg'])
else:
result = dict(msg=args['msg'])
elif 'var' in args:
results = utils.safe_eval(args['var'],
inject,
include_exceptions=True,
template_call=True)
intermediate = results[0]
exception = results[1]
if exception is not None:
intermediate = "failed to evaluate: %s" % str(exception)
result[args['var']] = intermediate
# force flag to make debug output module always verbose
result['verbose_always'] = True
return ReturnData(conn=conn, result=result)
def run(self, conn, tmp, module_name, module_args, inject, complex_args=None, **kwargs):
try:
args = {}
if complex_args:
args.update(complex_args)
args.update(parse_kv(module_args))
redshift_endpoint = args["redshift_endpoint"]
cage = args["cage_name"]
customer = args["customer_name"]
envdict={}
if self.runner.environment:
env=template.template(self.runner.basedir, self.runner.environment, inject, convert_bare=True)
env = utils.safe_eval(env)
route53_conn = boto.connect_route53(aws_access_key_id=env.get("AWS_ACCESS_KEY_ID"), aws_secret_access_key=env.get("AWS_SECRET_ACCESS_KEY"), security_token=env.get("AWS_SECURITY_TOKEN"))
domain_name = "%s.%s.47lining.com" % (cage, customer)
zones = route53_conn.get_hosted_zone_by_name(domain_name)
if not zones:
domain_name = "%s.%s.com" % (cage, customer)
zones = route53_conn.get_hosted_zone_by_name(domain_name)
zone_id = zones["GetHostedZoneResponse"]["HostedZone"]["Id"]
zone_id = zone_id[12:]
recordset = ResourceRecordSets(route53_conn, zone_id)
try:
change = recordset.add_change("UPSERT", "redshift.%s." % domain_name, "CNAME")
change.add_value(redshift_endpoint)
recordset.commit()
except Exception, e:
print "e: ", e
change = recordset.add_change("CREATE", "redshift.%s." % domain_name, "CNAME")
change.add_value(redshift_endpoint)
recordset.commit()
return ReturnData(conn=conn,
comm_ok=True,
result=dict(failed=False, changed=False, msg="CNAME is created!"))
def process(self, result, terms, index, current, inject):
d = {i: current[i] for i in range(index)}
if index == len(terms):
result.append(d)
return
if type(terms[index]) in {str, unicode}:
inject_ = {}
inject_.update(inject)
inject_['item'] = d
items = safe_eval(template.template_from_string(self.basedir, terms[index], inject_, fail_on_undefined=True))
else:
items = terms[index]
if type(items) == dict:
for i in items:
current[index] = {'key': i, 'value': items[i]}
self.process(result, terms, index + 1, current, inject)
else:
for i in items:
current[index] = i
self.process(result, terms, index + 1, current, inject)
def _executor_internal(self, host, new_stdin):
''' executes any module one or more times '''
host_variables = self.inventory.get_variables(host)
host_connection = host_variables.get('ansible_connection', self.transport)
if host_connection in [ 'paramiko', 'ssh', 'accelerate' ]:
port = host_variables.get('ansible_ssh_port', self.remote_port)
if port is None:
port = C.DEFAULT_REMOTE_PORT
else:
# fireball, local, etc
port = self.remote_port
inject = {}
inject = utils.combine_vars(inject, self.default_vars)
inject = utils.combine_vars(inject, host_variables)
inject = utils.combine_vars(inject, self.module_vars)
inject = utils.combine_vars(inject, self.setup_cache[host])
inject.setdefault('ansible_ssh_user', self.remote_user)
inject['hostvars'] = HostVars(self.setup_cache, self.inventory)
inject['group_names'] = host_variables.get('group_names', [])
inject['groups'] = self.inventory.groups_list()
inject['vars'] = self.module_vars
inject['defaults'] = self.default_vars
inject['environment'] = self.environment
if self.inventory.basedir() is not None:
inject['inventory_dir'] = self.inventory.basedir()
if self.inventory.src() is not None:
inject['inventory_file'] = self.inventory.src()
# late processing of parameterized sudo_user
if self.sudo_user is not None:
self.sudo_user = template.template(self.basedir, self.sudo_user, inject)
# allow with_foo to work in playbooks...
items = None
items_plugin = self.module_vars.get('items_lookup_plugin', None)
if items_plugin is not None and items_plugin in utils.plugins.lookup_loader:
basedir = self.basedir
if '_original_file' in inject:
basedir = os.path.dirname(inject['_original_file'])
filesdir = os.path.join(basedir, '..', 'files')
if os.path.exists(filesdir):
basedir = filesdir
items_terms = self.module_vars.get('items_lookup_terms', '')
items_terms = template.template(basedir, items_terms, inject)
items = utils.plugins.lookup_loader.get(items_plugin, runner=self, basedir=basedir).run(items_terms, inject=inject)
if type(items) != list:
raise errors.AnsibleError("lookup plugins have to return a list: %r" % items)
if len(items) and utils.is_list_of_strings(items) and self.module_name in [ 'apt', 'yum', 'pkgng' ]:
# hack for apt, yum, and pkgng so that with_items maps back into a single module call
inject['item'] = ",".join(items)
items = None
# logic to replace complex args if possible
complex_args = self.complex_args
# logic to decide how to run things depends on whether with_items is used
if items is None:
if isinstance(complex_args, basestring):
complex_args = template.template(self.basedir, complex_args, inject, convert_bare=True)
complex_args = utils.safe_eval(complex_args)
if type(complex_args) != dict:
raise errors.AnsibleError("args must be a dictionary, received %s" % complex_args)
return self._executor_internal_inner(host, self.module_name, self.module_args, inject, port, complex_args=complex_args)
elif len(items) > 0:
# executing using with_items, so make multiple calls
# TODO: refactor
if self.background > 0:
raise errors.AnsibleError("lookup plugins (with_*) cannot be used with async tasks")
aggregrate = {}
all_comm_ok = True
all_changed = False
all_failed = False
results = []
for x in items:
inject['item'] = x
# TODO: this idiom should be replaced with an up-conversion to a Jinja2 template evaluation
if isinstance(self.complex_args, basestring):
complex_args = template.template(self.basedir, self.complex_args, inject, convert_bare=True)
complex_args = utils.safe_eval(complex_args)
if type(complex_args) != dict:
raise errors.AnsibleError("args must be a dictionary, received %s" % complex_args)
result = self._executor_internal_inner(
host,
self.module_name,
self.module_args,
inject,
port,
complex_args=complex_args
)
results.append(result.result)
if result.comm_ok == False:
all_comm_ok = False
all_failed = True
break
for x in results:
if x.get('changed') == True:
all_changed = True
if (x.get('failed') == True) or (('rc' in x) and (x['rc'] != 0)):
all_failed = True
break
msg = 'All items completed'
if all_failed:
msg = "One or more items failed."
rd_result = dict(failed=all_failed, changed=all_changed, results=results, msg=msg)
if not all_failed:
del rd_result['failed']
return ReturnData(host=host, comm_ok=all_comm_ok, result=rd_result)
else:
self.callbacks.on_skipped(host, None)
return ReturnData(host=host, comm_ok=True, result=dict(changed=False, skipped=True))
def run(self,
conn,
tmp,
module_name,
module_args,
inject,
complex_args=None,
**kwargs):
try:
args = {}
if complex_args:
args.update(complex_args)
args.update(parse_kv(module_args))
account_number = args["account_number"]
region = args["region"]
cloudtrail_bucket = args["cloudtrail_bucket"]
envdict = {}
if self.runner.environment:
env = template.template(self.runner.basedir,
self.runner.environment,
inject,
convert_bare=True)
env = utils.safe_eval(env)
if region == "us-east-1":
other_regions = [
"us-west-1", "us-west-2", "eu-west-1", "us-east-2"
]
elif region == "us-east-2":
other_regions = [
"us-east-1", "us-west-1", "us-west-2", "eu-west-1"
]
elif region == "us-west-1":
other_regions = [
"us-east-1", "us-east-2", "us-west-2", "eu-west-1"
]
elif region == "us-west-2":
other_regions = [
"us-east-1", "us-east-2", "us-west-1", "eu-west-1"
]
elif region == "eu-west-1":
other_regions = [
"us-east-1", "us-east-2", "us-west-1", "us-west-2"
]
else:
raise SystemExit(1) # unsupported region
for connect_region in other_regions:
cloudtrail_name = "Cloudtrail-%s-%s" % (account_number,
connect_region)
try:
connection = cloudtrail.connect_to_region(
connect_region,
aws_access_key_id=env.get("AWS_ACCESS_KEY_ID"),
aws_secret_access_key=env.get("AWS_SECRET_ACCESS_KEY"),
security_token=env.get("AWS_SECURITY_TOKEN"))
except Exception, e:
raise Exception
try:
result = connection.update_trail(
cloudtrail_name,
cloudtrail_bucket,
include_global_service_events=False)
result = connection.start_logging(cloudtrail_name)
except Exception, e:
result = connection.create_trail(
cloudtrail_name,
cloudtrail_bucket,
include_global_service_events=False)
result = connection.start_logging(cloudtrail_name)
def _executor_internal(self, host, new_stdin):
''' executes any module one or more times '''
host_variables = self.inventory.get_variables(host)
host_connection = host_variables.get('ansible_connection', self.transport)
if host_connection in [ 'paramiko', 'ssh', 'accelerate' ]:
port = host_variables.get('ansible_ssh_port', self.remote_port)
if port is None:
port = C.DEFAULT_REMOTE_PORT
else:
# fireball, local, etc
port = self.remote_port
inject = {}
inject = utils.combine_vars(inject, self.default_vars)
inject = utils.combine_vars(inject, host_variables)
inject = utils.combine_vars(inject, self.module_vars)
inject = utils.combine_vars(inject, self.setup_cache[host])
inject.setdefault('ansible_ssh_user', self.remote_user)
inject['hostvars'] = HostVars(self.setup_cache, self.inventory)
inject['group_names'] = host_variables.get('group_names', [])
inject['groups'] = self.inventory.groups_list()
inject['vars'] = self.module_vars
inject['defaults'] = self.default_vars
inject['environment'] = self.environment
inject['playbook_dir'] = self.basedir
if self.inventory.basedir() is not None:
inject['inventory_dir'] = self.inventory.basedir()
if self.inventory.src() is not None:
inject['inventory_file'] = self.inventory.src()
# allow with_foo to work in playbooks...
items = None
items_plugin = self.module_vars.get('items_lookup_plugin', None)
if items_plugin is not None and items_plugin in utils.plugins.lookup_loader:
basedir = self.basedir
if '_original_file' in inject:
basedir = os.path.dirname(inject['_original_file'])
filesdir = os.path.join(basedir, '..', 'files')
if os.path.exists(filesdir):
basedir = filesdir
items_terms = self.module_vars.get('items_lookup_terms', '')
items_terms = template.template(basedir, items_terms, inject)
items = utils.plugins.lookup_loader.get(items_plugin, runner=self, basedir=basedir).run(items_terms, inject=inject)
if type(items) != list:
raise errors.AnsibleError("lookup plugins have to return a list: %r" % items)
if len(items) and utils.is_list_of_strings(items) and self.module_name in [ 'apt', 'yum', 'pkgng' ]:
# hack for apt, yum, and pkgng so that with_items maps back into a single module call
use_these_items = []
for x in items:
inject['item'] = x
if not self.conditional or utils.check_conditional(self.conditional, self.basedir, inject, fail_on_undefined=self.error_on_undefined_vars):
use_these_items.append(x)
inject['item'] = ",".join(use_these_items)
items = None
# logic to replace complex args if possible
complex_args = self.complex_args
# logic to decide how to run things depends on whether with_items is used
if items is None:
if isinstance(complex_args, basestring):
complex_args = template.template(self.basedir, complex_args, inject, convert_bare=True)
complex_args = utils.safe_eval(complex_args)
if type(complex_args) != dict:
raise errors.AnsibleError("args must be a dictionary, received %s" % complex_args)
return self._executor_internal_inner(host, self.module_name, self.module_args, inject, port, complex_args=complex_args)
elif len(items) > 0:
# executing using with_items, so make multiple calls
# TODO: refactor
if self.background > 0:
raise errors.AnsibleError("lookup plugins (with_*) cannot be used with async tasks")
aggregrate = {}
all_comm_ok = True
all_changed = False
all_failed = False
results = []
for x in items:
inject['item'] = x
# TODO: this idiom should be replaced with an up-conversion to a Jinja2 template evaluation
if isinstance(self.complex_args, basestring):
complex_args = template.template(self.basedir, self.complex_args, inject, convert_bare=True)
complex_args = utils.safe_eval(complex_args)
if type(complex_args) != dict:
raise errors.AnsibleError("args must be a dictionary, received %s" % complex_args)
result = self._executor_internal_inner(
host,
self.module_name,
self.module_args,
inject,
port,
complex_args=complex_args
)
results.append(result.result)
if result.comm_ok == False:
all_comm_ok = False
all_failed = True
break
for x in results:
if x.get('changed') == True:
all_changed = True
if (x.get('failed') == True) or ('failed_when_result' in x and [x['failed_when_result']] or [('rc' in x) and (x['rc'] != 0)])[0]:
all_failed = True
break
msg = 'All items completed'
if all_failed:
msg = "One or more items failed."
rd_result = dict(failed=all_failed, changed=all_changed, results=results, msg=msg)
if not all_failed:
del rd_result['failed']
return ReturnData(host=host, comm_ok=all_comm_ok, result=rd_result)
else:
self.callbacks.on_skipped(host, None)
return ReturnData(host=host, comm_ok=True, result=dict(changed=False, skipped=True))
def run(self,
conn,
tmp,
module_name,
module_args,
inject,
complex_args=None,
**kwargs):
try:
args = {}
if complex_args:
args.update(complex_args)
args.update(parse_kv(module_args))
# get starting credentials
# from environment:
# AWS_ACCESS_KEY_ID
# AWS_SECRET_ACCESS_KEY
# use get started credentials to do the roles dance and obtain
# temporary credentials in target account
#target_role_name = 'init-test3-shoppertrak-NucleatorCageBuilder-1I5ZOAYRJLS8Z'
data = {}
data.update(inject)
# TODO use nucleator facts instead
source_role_name = data[
'nucleator_builder_role_name'] # TODO - RHS var here could have names in better alignment with current conventions
target_role_name = data[
'cage_builder_role_name'] # TODO - RHS var here could have names in better alignment with current conventions
print "Target Role Name: ", target_role_name
print "Source Role Name: ", source_role_name
source_account_id = data['source_account_number']
target_account_id = data['target_account_number']
print "Target Account Number: ", target_account_id
print "Source Account Number: ", source_account_id
try:
envdict = {}
if self.runner.environment:
env = template.template(self.runner.basedir,
self.runner.environment,
inject,
convert_bare=True)
env = utils.safe_eval(env)
aws_access_key_id = env.get("AWS_ACCESS_KEY_ID")
aws_secret_access_key = env.get("AWS_SECRET_ACCESS_KEY")
security_token = env.get("AWS_SECURITY_TOKEN")
aws_access_key_id = aws_access_key_id if aws_access_key_id else None
aws_secret_access_key = aws_secret_access_key if aws_secret_access_key else None
security_token = security_token if security_token else None
sts_connection = STSConnection(
aws_access_key_id=aws_access_key_id,
aws_secret_access_key=aws_secret_access_key,
security_token=security_token)
source_role = sts_connection.assume_role(
role_arn='arn:aws:iam::{0}:role/{1}'.format(
source_account_id, source_role_name),
role_session_name='SourceRoleSession')
vv("Successfully assumed {0} role in account {1}".format(
source_role_name, source_account_id))
except Exception, e:
result = dict(
failed=True,
msg=type(e).__name__ +
": Failed to obtain temporary credentials for role " +
source_role_name + " in target account " +
source_account_id + ", message: '" + str(e))
return ReturnData(conn=conn, comm_ok=False, result=result)
try:
sts_connection = STSConnection(
aws_access_key_id=source_role.credentials.access_key,
aws_secret_access_key=source_role.credentials.secret_key,
security_token=source_role.credentials.session_token)
target_role = sts_connection.assume_role(
role_arn='arn:aws:iam::{0}:role/{1}'.format(
target_account_id, target_role_name),
role_session_name='TargetRoleSession')
vv("Successfully assumed {0} role in account {1}".format(
target_role_name, target_account_id))
except Exception, e:
# deal with failure gracefully
result = dict(
failed=True,
msg=type(e).__name__ +
": Failed to obtain temporary credentials for role " +
target_role_name + " in target account " +
target_account_id + ", message: '" + str(e) +
" Security_Token: " +
source_role.credentials.session_token)
return ReturnData(conn=conn, comm_ok=False, result=result)
def run(self,
conn,
tmp,
module_name,
module_args,
inject,
complex_args=None,
**kwargs):
try:
args = {}
if complex_args:
args.update(complex_args)
args.update(parse_kv(module_args))
role_name = args["role_name"]
account_number = args["account_number"]
region = args["region"]
logging_bucket = args["log_bucket"]
envdict = {}
if self.runner.environment:
env = template.template(self.runner.basedir,
self.runner.environment,
inject,
convert_bare=True)
env = utils.safe_eval(env)
bucketName = "config-bucket-%s-%s" % (account_number, region)
snsName = "config-topic-%s-%s" % (account_number, region)
s3_conn = s3.connect_to_region(
region,
aws_access_key_id=env.get("AWS_ACCESS_KEY_ID"),
aws_secret_access_key=env.get("AWS_SECRET_ACCESS_KEY"),
security_token=env.get("AWS_SECURITY_TOKEN"))
try:
bucket = s3_conn.get_bucket(bucketName)
except Exception, e:
if (region == "us-east-1"):
bucket1 = s3_conn.create_bucket(bucketName)
bucket2 = s3_conn.get_bucket(logging_bucket)
response = bucket1.enable_logging(bucket2, "ConfigBucket/")
else:
bucket1 = s3_conn.create_bucket(bucketName,
location=region)
bucket2 = s3_conn.get_bucket(logging_bucket)
response = bucket1.enable_logging(bucket2, "ConfigBucket/")
sns_conn = sns.connect_to_region(
region,
aws_access_key_id=env.get("AWS_ACCESS_KEY_ID"),
aws_secret_access_key=env.get("AWS_SECRET_ACCESS_KEY"),
security_token=env.get("AWS_SECURITY_TOKEN"))
sns_conn.create_topic(snsName)
snsARN = "arn:aws:sns:%s:%s:%s" % (region, account_number, snsName)
connection = configservice.connect_to_region(
region,
aws_access_key_id=env.get("AWS_ACCESS_KEY_ID"),
aws_secret_access_key=env.get("AWS_SECRET_ACCESS_KEY"),
security_token=env.get("AWS_SECURITY_TOKEN"))
response = connection.describe_configuration_recorders()
if len(response["ConfigurationRecorders"]) is 0:
recorder_name = "config-recorder-%s" % account_number
else:
for item in response["ConfigurationRecorders"]:
recorder_name = item["name"]
response = connection.describe_delivery_channels()
if len(response["DeliveryChannels"]) is 0:
channel_name = "config-channel-%s" % account_number
else:
for item in response["DeliveryChannels"]:
channel_name = item["name"]
ConfigurationRecorder = {
'name': recorder_name,
'roleARN':
"arn:aws:iam::%s:role/%s" % (account_number, role_name)
}
ConfigurationChannel = {
'name': channel_name,
's3BucketName': bucketName,
'snsTopicARN': snsARN
}
response = connection.put_configuration_recorder(
ConfigurationRecorder)
response = connection.put_delivery_channel(ConfigurationChannel)
response = connection.start_configuration_recorder(recorder_name)
return ReturnData(conn=conn,
comm_ok=True,
result=dict(failed=False,
changed=False,
msg="Config Service Created"))
def run(self,
conn,
tmp,
module_name,
module_args,
inject,
complex_args=None,
**kwargs):
try:
args = {}
if complex_args:
args.update(complex_args)
args.update(parse_kv(module_args))
access_policies = {}
role_name = args["role_name"]
print "Role Name: ", role_name
assume_role_trust_policy = json.dumps(args["trust_policy"])
access_policies = args["access_policies"]
envdict = {}
if self.runner.environment:
env = template.template(self.runner.basedir,
self.runner.environment,
inject,
convert_bare=True)
env = utils.safe_eval(env)
sts_connection = STSConnection(
aws_access_key_id=env.get("AWS_ACCESS_KEY_ID"),
aws_secret_access_key=env.get("AWS_SECRET_ACCESS_KEY"),
security_token=env.get("AWS_SECURITY_TOKEN"))
c = boto.connect_iam(
aws_access_key_id=env.get("AWS_ACCESS_KEY_ID"),
aws_secret_access_key=env.get("AWS_SECRET_ACCESS_KEY"),
security_token=env.get("AWS_SECURITY_TOKEN"))
#Look for the role
try:
role = c.get_role(role_name)
#Make sure the trust policy exists
try:
temp_trust_policy = urllib.unquote(
role["get_role_response"]["get_role_result"]["role"]
["assume_role_policy_document"])
#Reorganize the json dict so it is in the same order of the yaml policy
temp_trust_policy = json.dumps(
json.loads(temp_trust_policy))
#Trust policy does not match, update it
if not assume_role_trust_policy == temp_trust_policy:
if not assume_role_trust_policy == "\"\"":
c.update_assume_role_policy(
role_name, assume_role_trust_policy)
#Make sure each new policy exists
for policies in access_policies:
try:
temp_policy = urllib.unquote(
c.get_role_policy(role_name,
policies["policy_name"])
["get_role_policy_response"]
["get_role_policy_result"]["policy_document"])
#Policy has same name but does not match, update it
if not temp_policy == json.dumps(
policies["policy_document"]):
if not policies["policy_document"] == "\"\"":
c.delete_role_policy(
role_name, policies["policy_name"])
c.put_role_policy(
role_name, policies["policy_name"],
json.dumps(
policies["policy_document"]))
#Can't find policy, add it
except Exception, e:
try:
c.put_role_policy(
role_name, policies["policy_name"],
json.dumps(policies["policy_document"]))
except Exception, e:
# deal with failure gracefully
result = dict(failed=True,
msg=type(e).__name__ + ": " +
str(e))
return ReturnData(conn=conn,
comm_ok=False,
result=result)
#Returns true if the policy name exists
def checkIfPolicyExists(access_policies, temp_name):
for policy_name in access_policies:
if policy_name["policy_name"] == temp_name:
return True
return False
#Delete any policies that are not in the yaml
temp_policy_names = c.list_role_policies(role_name)
for temp_name in temp_policy_names[
"list_role_policies_response"][
"list_role_policies_result"]["policy_names"]:
exists = checkIfPolicyExists(access_policies,
temp_name)
if not exists:
c.delete_role_policy(role_name, temp_name)
#Can't find trust policy, add it
except Exception, e:
try:
c.update_assume_role_policy(role_name,
assume_role_trust_policy)
except Exception, e:
# deal with failure gracefully
result = dict(failed=True,
msg=type(e).__name__ + ": " + str(e))
return ReturnData(conn=conn,
comm_ok=False,
result=result)
