예제 #1
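def main():
    """Ensure an IAM instance profile is present or absent.

    Reads ``profile_name`` (required) and ``state`` (``present`` or
    ``absent``, default ``present``) from the module parameters, looks the
    profile up, and creates or deletes it as needed. ``changed`` is reported
    only when a create or delete call was actually issued.

    A lookup error is treated as "profile missing" only for HTTP 404. Any
    other server error (for example a permissions or throttling failure) is
    reported through ``module.fail_json`` instead of being silently read as
    "the profile exists".
    """
    argument_spec = ec2_argument_spec()
    argument_spec.update(dict(
            profile_name = dict(default=None,required=True),
            state = dict(default='present', choices=['present', 'absent']),
        )
    )

    module = AnsibleModule(
        argument_spec=argument_spec
    )

    profile_name = module.params.get('profile_name')

    region, ec2_url, aws_connect_params = get_aws_connection_info(module)
    iam = connect_to_aws(boto.iam, region, **aws_connect_params)

    state = module.params.get('state')

    missing = False
    try:
        iam.get_instance_profile(profile_name)
    except boto.exception.BotoServerError as e:
        if e.status != 404:
            # Without this branch an access-denied or throttling response
            # would leave `missing` False and the module would report the
            # profile as present without ever having seen it.
            module.fail_json(msg=str(e))
        missing = True

    try:
        if state == 'present':
            if missing:
                iam.create_instance_profile(profile_name)
            module.exit_json(changed=missing)
        elif state == 'absent':
            if not missing:
                iam.delete_instance_profile(profile_name)
            module.exit_json(changed=not missing)
    except boto.exception.BotoServerError as e:
        # Surface create/delete failures as a module failure rather than an
        # unhandled traceback.
        module.fail_json(msg=str(e))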
예제 #2
def delete_role(iam, name, role_list, prof_list):
    """Delete IAM role *name* and any instance profile with the same name.

    When *name* appears in *role_list*, the role is first removed from every
    instance profile that references it and then deleted. Independently of
    that, each entry of *prof_list* equal to *name* triggers a
    ``delete_instance_profile`` call.

    Returns:
        tuple: ``(changed, updated_role_list)`` where ``changed`` is True only
        when the role itself was deleted and ``updated_role_list`` holds the
        role names returned by ``iam.list_roles()`` afterwards.
    """
    # NOTE(review): removing only a same-named instance profile does not set
    # `changed`; confirm callers expect that before relying on the flag for
    # change auditing.
    role_known = name in role_list
    if role_known:
        response = iam.list_instance_profiles_for_role(name)
        attached = response.list_instance_profiles_for_role_result.instance_profiles
        # Collect the names up front so the listing is complete before any
        # removal call is made.
        profile_names = [entry['instance_profile_name'] for entry in attached]
        for profile_name in profile_names:
            iam.remove_role_from_instance_profile(profile_name, name)
        iam.delete_role(name)

    same_named = [candidate for candidate in prof_list if name == candidate]
    for _ in same_named:
        iam.delete_instance_profile(name)

    remaining = iam.list_roles().list_roles_response.list_roles_result.roles
    updated_role_list = [role['role_name'] for role in remaining]
    return role_known, updated_role_list
예제 #3
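def delete_role(module, iam, name, role_list, prof_list):
    """Delete IAM role *name*, its inline policies and a same-named profile.

    When *name* is in *role_list* the role is removed from every instance
    profile that references it and then deleted. If that delete fails, inline
    policies are removed when the error text reports attached policies, and
    the delete is retried once. Afterwards every entry of *prof_list* equal to
    *name* triggers ``delete_instance_profile``.

    Returns:
        tuple: ``(changed, updated_role_list, iam_role_result,
        instance_profile_result)``. ``changed`` is True only when the role
        itself was deleted.
    """
    changed = False
    iam_role_result = None
    instance_profile_result = None
    try:
        if name in role_list:
            cur_ins_prof = [
                rp['instance_profile_name']
                for rp in iam.list_instance_profiles_for_role(name).
                list_instance_profiles_for_role_result.instance_profiles
            ]
            for profile in cur_ins_prof:
                iam.remove_role_from_instance_profile(profile, name)
            try:
                # Keep the response of the first attempt too; previously only
                # the retry's response was returned to the caller.
                iam_role_result = iam.delete_role(name)
            except boto.exception.BotoServerError as err:
                error_msg = boto_exception(err)
                # NOTE(review): matching on message text is brittle; if the
                # exception exposes a structured error code, prefer that.
                if 'must detach all policies first' in error_msg:
                    for policy in iam.list_role_policies(
                            name).list_role_policies_result.policy_names:
                        iam.delete_role_policy(name, policy)
                # The delete is retried whether or not policies were removed.
                try:
                    iam_role_result = iam.delete_role(name)
                except boto.exception.BotoServerError as retry_err:
                    error_msg = boto_exception(retry_err)
                    if 'must detach all policies first' in error_msg:
                        # Inline policies are gone, so whatever still blocks
                        # the delete has to be detached by the operator.
                        module.fail_json(
                            changed=changed,
                            msg="All inline policies have been removed. "
                                "Though it appears that %s has Managed "
                                "Policies. This is not currently supported "
                                "by boto. Please detach the policies "
                                "through the console and try again." % name)
                    else:
                        module.fail_json(changed=changed, msg=str(retry_err))
                else:
                    changed = True

            else:
                changed = True

        for prof in prof_list:
            if name == prof:
                instance_profile_result = iam.delete_instance_profile(name)
    except boto.exception.BotoServerError as err:
        # Presumably AnsibleModule.fail_json, which does not return; the
        # final return is then only reached on the success path.
        module.fail_json(changed=changed, msg=str(err))
    else:
        updated_role_list = list_all_roles(iam)
    return changed, updated_role_list, iam_role_result, instance_profile_result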
예제 #4
파일: iam.py 프로젝트: likewg/DevOps
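def delete_role(module, iam, name, role_list, prof_list):
    """Delete IAM role *name*, its inline policies and a same-named profile.

    When *name* is in *role_list* the role is detached from every instance
    profile that lists it and then deleted. A failed delete triggers removal
    of the inline policies (only when the error text mentions attached
    policies) followed by a single retry. Each entry of *prof_list* equal to
    *name* then triggers ``delete_instance_profile``.

    Returns:
        tuple: ``(changed, updated_role_list, iam_role_result,
        instance_profile_result)``. ``changed`` reflects deletion of the role
        only.
    """
    changed = False
    iam_role_result = None
    instance_profile_result = None
    try:
        if name in role_list:
            cur_ins_prof = [rp['instance_profile_name'] for rp in
                            iam.list_instance_profiles_for_role(name).
                            list_instance_profiles_for_role_result.
                            instance_profiles]
            for profile in cur_ins_prof:
                iam.remove_role_from_instance_profile(profile, name)
            try:
                # Capture the first attempt's response as well; it used to be
                # dropped, leaving iam_role_result None on the common path.
                iam_role_result = iam.delete_role(name)
            except boto.exception.BotoServerError as err:
                error_msg = boto_exception(err)
                # NOTE(review): substring matching on the service message is
                # fragile; a structured error code would be a safer signal.
                if 'must detach all policies first' in error_msg:
                    for policy in iam.list_role_policies(name).list_role_policies_result.policy_names:
                        iam.delete_role_policy(name, policy)
                # Retried regardless of which error the first attempt raised.
                try:
                    iam_role_result = iam.delete_role(name)
                except boto.exception.BotoServerError as retry_err:
                    error_msg = boto_exception(retry_err)
                    if 'must detach all policies first' in error_msg:
                        # Inline policies were already removed above, so the
                        # remaining blocker needs manual detachment.
                        module.fail_json(changed=changed, msg="All inline policies have been removed. "
                                                              "Though it appears that %s has Managed "
                                                              "Policies. This is not currently supported "
                                                              "by boto. Please detach the policies "
                                                              "through the console and try again." % name)
                    else:
                        module.fail_json(changed=changed, msg=str(retry_err))
                else:
                    changed = True

            else:
                changed = True

        for prof in prof_list:
            if name == prof:
                instance_profile_result = iam.delete_instance_profile(name)
    except boto.exception.BotoServerError as err:
        # Presumably AnsibleModule.fail_json, which exits the module, so the
        # return below only runs when nothing failed.
        module.fail_json(changed=changed, msg=str(err))
    else:
        updated_role_list = list_all_roles(iam)
    return changed, updated_role_list, iam_role_result, instance_profile_result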
예제 #5
                  if ('must detach all policies first') in error_msg:
                      module.fail_json(changed=changed, msg="All inline polices have been removed. Though it appears"
                                                            "that %s has Managed Polices. This is not "
                                                            "currently supported by boto. Please detach the polices "
                                                            "through the console and try again." % name)
                  else:
                      module.fail_json(changed=changed, msg=str(err))
              else:
                changed = True

            else:
                changed = True

        for prof in prof_list:
            if name == prof:
                iam.delete_instance_profile(name)
    except boto.exception.BotoServerError, err:
        module.fail_json(changed=changed, msg=str(err))
    else:
        updated_role_list = [rl['role_name'] for rl in iam.list_roles().list_roles_response.
                             list_roles_result.roles]
    return changed, updated_role_list


def main():
    argument_spec = ec2_argument_spec()
    argument_spec.update(dict(
        iam_type=dict(
            default=None, required=True, choices=['user', 'group', 'role']),
        groups=dict(type='list', default=None, required=False),
        state=dict(
예제 #6
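def delete_role(module, iam, name, prof_list, max_attempts=10, max_wait=32):
    """Delete IAM role *name* following the AWS-documented teardown order.

    The role is removed from its instance profiles, its inline policies are
    deleted, and then the role itself is deleted. After each mutating call
    ``wait_for_aws`` is invoked with a predicate that re-reads the relevant
    listing (presumably polling until the change is visible; confirm against
    its definition). Finally any entry of *prof_list* equal to *name* is
    deleted as an instance profile.

    Args:
        module: object providing ``fail_json`` for error reporting.
        iam: boto IAM connection.
        name: role name to delete.
        prof_list: instance profile names to compare against *name*.
        max_attempts: passed through to ``wait_for_aws``.
        max_wait: passed through to ``wait_for_aws``.

    Returns:
        tuple: ``(changed, roles, iam_role_result, instance_profile_result)``
        where ``roles`` is the result of ``get_iam_roles(iam)`` after the
        operation.
    """

    changed = False
    iam_role_result = None
    instance_profile_result = None

    try:
        # Follow the official AWS docs for deleting an IAM role:
        # http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html#roles-managingrole-deleting-api

        # Step 1: Remove this role from any instance profiles
        for profile in get_instance_profiles_for_role(iam, name):
            iam.remove_role_from_instance_profile(profile, name)
            changed = True

            # Check to see if the role is actually removed
            wait_for_aws(
                lambda: profile not in get_instance_profiles_for_role(
                    iam, name), changed,
                "Timeout waiting for role in profile deletion", max_attempts,
                max_wait)

        # Step 2: Remove all policies from the role
        for policy in get_policies_in_role(iam, name):
            iam.delete_role_policy(name, policy)
            changed = True

            # Check to see if the policy is actually removed
            wait_for_aws(lambda: policy not in get_policies_in_role(iam, name),
                         changed, "Timeout waiting for role policy deletion",
                         max_attempts, max_wait)

        # Step 3: Delete the role
        iam_role_result = iam.delete_role(name)
        if iam_role_result:
            changed = True

        # Check to see if the role has been removed
        wait_for_aws(lambda: name not in get_iam_roles(iam), changed,
                     "Timeout waiting for IAM role deletion", max_attempts,
                     max_wait)

        # Delete any instance profiles matching the IAM role name
        for prof in prof_list:
            if name == prof:
                instance_profile_result = iam.delete_instance_profile(name)
                wait_for_aws(lambda: prof not in get_instance_profiles(iam),
                             changed,
                             "Timeout waiting for instance profile deletion",
                             max_attempts, max_wait)

    except boto.exception.BotoServerError as err:
        # Catch the case where a non-existent role is deleted.
        # NOTE(review): this relies on the exact wording of the service
        # message; a structured error code would be a sturdier check.
        error_msg = boto_exception(err)
        if ('The role with name %s cannot be found.' % (name)) in error_msg:
            changed = False
        else:
            module.fail_json(changed=changed, msg=str(err))

    return changed, get_iam_roles(
        iam), iam_role_result, instance_profile_result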
예제 #7
파일: iam.py 프로젝트: RajeevNambiar/temp
                  if ('must detach all policies first') in error_msg:
                      module.fail_json(changed=changed, msg="All inline polices have been removed. Though it appears"
                                                            "that %s has Managed Polices. This is not "
                                                            "currently supported by boto. Please detach the polices "
                                                            "through the console and try again." % name)
                  else:
                      module.fail_json(changed=changed, msg=str(err))
              else:
                changed = True

            else:
                changed = True

        for prof in prof_list:
            if name == prof:
                iam.delete_instance_profile(name)
    except boto.exception.BotoServerError, err:
        module.fail_json(changed=changed, msg=str(err))
    else:
        updated_role_list = [rl['role_name'] for rl in iam.list_roles().list_roles_response.
                             list_roles_result.roles]
    return changed, updated_role_list


def main():
    argument_spec = ec2_argument_spec()
    argument_spec.update(dict(
        iam_type=dict(
            default=None, required=True, choices=['user', 'group', 'role']),
        groups=dict(type='list', default=None, required=False),
        state=dict(
예제 #8
                            msg=
                            "All inline polices have been removed. Though it appears"
                            "that %s has Managed Polices. This is not "
                            "currently supported by boto. Please detach the polices "
                            "through the console and try again." % name)
                    else:
                        module.fail_json(changed=changed, msg=str(err))
                else:
                    changed = True

            else:
                changed = True

        for prof in prof_list:
            if name == prof:
                instance_profile_result = iam.delete_instance_profile(name)
    except boto.exception.BotoServerError, err:
        module.fail_json(changed=changed, msg=str(err))
    else:
        updated_role_list = [
            rl['role_name'] for rl in
            iam.list_roles().list_roles_response.list_roles_result.roles
        ]
    return changed, updated_role_list, iam_role_result, instance_profile_result


def main():
    argument_spec = ec2_argument_spec()
    argument_spec.update(
        dict(iam_type=dict(default=None,
                           required=True,