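def main():
    """Ensure an IAM instance profile exists (``state=present``) or is gone
    (``state=absent``).

    Reads ``profile_name`` and ``state`` from the module arguments, probes the
    profile with ``get_instance_profile`` and then creates or deletes it as
    needed. Exits through ``module.exit_json`` with ``changed`` set to whether
    a create/delete call was actually issued.

    Any BotoServerError other than a 404 on the lookup is reported through
    ``module.fail_json``. The original code swallowed those (a 403
    AccessDenied looked like "profile exists"), so a permissions problem was
    reported as ``changed=False`` success.
    """
    argument_spec = ec2_argument_spec()
    argument_spec.update(dict(
        profile_name=dict(default=None, required=True),
        state=dict(default='present', choices=['present', 'absent']),
    ))
    module = AnsibleModule(argument_spec=argument_spec)
    profile_name = module.params.get('profile_name')
    state = module.params.get('state')

    region, ec2_url, aws_connect_params = get_aws_connection_info(module)
    iam = connect_to_aws(boto.iam, region, **aws_connect_params)

    # Only a 404 means "not there"; every other error is a real failure.
    missing = False
    try:
        iam.get_instance_profile(profile_name)
    except boto.exception.BotoServerError as e:
        if e.status == 404:
            missing = True
        else:
            module.fail_json(msg=str(e))

    try:
        if state == 'present':
            if missing:
                iam.create_instance_profile(profile_name)
            module.exit_json(changed=missing)
        elif state == 'absent':
            if not missing:
                iam.delete_instance_profile(profile_name)
            module.exit_json(changed=not missing)
    except boto.exception.BotoServerError as e:
        # Surface create/delete failures as a module failure instead of a traceback.
        module.fail_json(msg=str(e))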
def delete_role(iam, name, role_list, prof_list):
    """Delete IAM role *name* (when listed in *role_list*) and any instance
    profile in *prof_list* that has the same name.

    Args:
        iam: boto IAM connection.
        name: role name to delete.
        role_list: known role names; the role is only deleted when present here.
        prof_list: known instance profile names; an entry equal to ``name``
            is deleted as well.

    Returns:
        ``(changed, role_names)``. ``changed`` is True only when the role
        itself was deleted; deleting a matching instance profile does not set
        it. ``role_names`` is re-read from ``iam.list_roles()`` afterwards.
    """
    changed = False
    if name in role_list:
        # AWS refuses to delete a role still referenced by an instance profile,
        # so detach it from every profile first.
        attached = iam.list_instance_profiles_for_role(name). \
            list_instance_profiles_for_role_result.instance_profiles
        attached_names = [entry['instance_profile_name'] for entry in attached]
        for profile_name in attached_names:
            iam.remove_role_from_instance_profile(profile_name, name)
        iam.delete_role(name)
        changed = True
    for candidate in prof_list:
        if candidate == name:
            iam.delete_instance_profile(name)
    remaining = iam.list_roles().list_roles_response.list_roles_result.roles
    updated_role_list = [entry['role_name'] for entry in remaining]
    return changed, updated_role_list
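def delete_role(module, iam, name, role_list, prof_list):
    """Delete IAM role *name* (when listed in *role_list*) and any instance
    profile in *prof_list* that carries the same name.

    Deletion order follows the AWS constraints: detach the role from its
    instance profiles, delete it, and if AWS rejects the delete because inline
    policies remain, remove those and retry once. Managed (attached) policies
    cannot be detached with this boto API, so a second rejection is reported
    to the user.

    Args:
        module: AnsibleModule; ``fail_json`` is called on any BotoServerError
            that is not the "must detach all policies first" hint. The
            original code silently swallowed such errors on the first
            ``delete_role`` call (e.g. AccessDenied), leaving the role in
            place while reporting success with ``changed=False``.
        iam: boto IAM connection.
        name: role name.
        role_list: known role names; the role is only touched when listed.
        prof_list: known instance profile names; an entry equal to ``name``
            is deleted.

    Returns:
        ``(changed, updated_role_list, iam_role_result, instance_profile_result)``.
        ``changed`` reflects role deletion only (profile deletion does not set
        it). ``iam_role_result`` is the ``delete_role`` response whenever the
        role was deleted (previously it was captured only on the retry path).
    """
    changed = False
    iam_role_result = None
    instance_profile_result = None
    policies_hint = 'must detach all policies first'
    # Spacing fixed: the original literal concatenation produced "appearsthat".
    managed_policy_msg = (
        "All inline policies have been removed. Though it appears "
        "that %s has Managed Policies. This is not "
        "currently supported by boto. Please detach the policies "
        "through the console and try again.")
    try:
        if name in role_list:
            # AWS refuses to delete a role still referenced by an instance profile.
            attached = [
                rp['instance_profile_name']
                for rp in iam.list_instance_profiles_for_role(name).
                list_instance_profiles_for_role_result.instance_profiles
            ]
            for profile in attached:
                iam.remove_role_from_instance_profile(profile, name)
            try:
                iam_role_result = iam.delete_role(name)
            except boto.exception.BotoServerError as err:
                if policies_hint not in boto_exception(err):
                    module.fail_json(changed=changed, msg=str(err))
                else:
                    # Inline policies block deletion: strip them and retry once.
                    for policy in iam.list_role_policies(name).list_role_policies_result.policy_names:
                        iam.delete_role_policy(name, policy)
                    try:
                        iam_role_result = iam.delete_role(name)
                    except boto.exception.BotoServerError as err:
                        if policies_hint in boto_exception(err):
                            module.fail_json(changed=changed, msg=managed_policy_msg % name)
                        else:
                            module.fail_json(changed=changed, msg=str(err))
                    else:
                        changed = True
            else:
                changed = True
        for prof in prof_list:
            if name == prof:
                instance_profile_result = iam.delete_instance_profile(name)
    except boto.exception.BotoServerError as err:
        module.fail_json(changed=changed, msg=str(err))
    # Bound unconditionally so the return below cannot hit an unbound name.
    updated_role_list = list_all_roles(iam)
    return changed, updated_role_list, iam_role_result, instance_profile_result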
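def delete_role(module, iam, name, role_list, prof_list):
    """Delete IAM role *name* (when listed in *role_list*) and any instance
    profile in *prof_list* that carries the same name.

    Deletion order follows the AWS constraints: detach the role from its
    instance profiles, delete it, and if AWS rejects the delete because inline
    policies remain, remove those and retry once. Managed (attached) policies
    cannot be detached with this boto API, so a second rejection is reported
    to the user.

    Args:
        module: AnsibleModule; ``fail_json`` is called on any BotoServerError
            that is not the "must detach all policies first" hint. The
            original code silently swallowed such errors on the first
            ``delete_role`` call (e.g. AccessDenied), leaving the role in
            place while reporting success with ``changed=False``.
        iam: boto IAM connection.
        name: role name.
        role_list: known role names; the role is only touched when listed.
        prof_list: known instance profile names; an entry equal to ``name``
            is deleted.

    Returns:
        ``(changed, updated_role_list, iam_role_result, instance_profile_result)``.
        ``changed`` reflects role deletion only (profile deletion does not set
        it). ``iam_role_result`` is the ``delete_role`` response whenever the
        role was deleted (previously it was captured only on the retry path).
    """
    changed = False
    iam_role_result = None
    instance_profile_result = None
    policies_hint = 'must detach all policies first'
    # User-facing message: "polices" spelling and the missing space before
    # "that" corrected.
    managed_policy_msg = (
        "All inline policies have been removed. Though it appears "
        "that %s has Managed Policies. This is not "
        "currently supported by boto. Please detach the policies "
        "through the console and try again.")
    try:
        if name in role_list:
            # AWS refuses to delete a role still referenced by an instance profile.
            attached = [
                rp['instance_profile_name']
                for rp in iam.list_instance_profiles_for_role(name).
                list_instance_profiles_for_role_result.instance_profiles
            ]
            for profile in attached:
                iam.remove_role_from_instance_profile(profile, name)
            try:
                iam_role_result = iam.delete_role(name)
            except boto.exception.BotoServerError as err:
                if policies_hint not in boto_exception(err):
                    module.fail_json(changed=changed, msg=str(err))
                else:
                    # Inline policies block deletion: strip them and retry once.
                    for policy in iam.list_role_policies(name).list_role_policies_result.policy_names:
                        iam.delete_role_policy(name, policy)
                    try:
                        iam_role_result = iam.delete_role(name)
                    except boto.exception.BotoServerError as err:
                        if policies_hint in boto_exception(err):
                            module.fail_json(changed=changed, msg=managed_policy_msg % name)
                        else:
                            module.fail_json(changed=changed, msg=str(err))
                    else:
                        changed = True
            else:
                changed = True
        for prof in prof_list:
            if name == prof:
                instance_profile_result = iam.delete_instance_profile(name)
    except boto.exception.BotoServerError as err:
        module.fail_json(changed=changed, msg=str(err))
    # Bound unconditionally so the return below cannot hit an unbound name.
    updated_role_list = list_all_roles(iam)
    return changed, updated_role_list, iam_role_result, instance_profile_result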
if ('must detach all policies first') in error_msg: module.fail_json(changed=changed, msg="All inline polices have been removed. Though it appears" "that %s has Managed Polices. This is not " "currently supported by boto. Please detach the polices " "through the console and try again." % name) else: module.fail_json(changed=changed, msg=str(err)) else: changed = True else: changed = True for prof in prof_list: if name == prof: iam.delete_instance_profile(name) except boto.exception.BotoServerError, err: module.fail_json(changed=changed, msg=str(err)) else: updated_role_list = [rl['role_name'] for rl in iam.list_roles().list_roles_response. list_roles_result.roles] return changed, updated_role_list def main(): argument_spec = ec2_argument_spec() argument_spec.update(dict( iam_type=dict( default=None, required=True, choices=['user', 'group', 'role']), groups=dict(type='list', default=None, required=False), state=dict(
def delete_role(module, iam, name, prof_list, max_attempts=10, max_wait=32):
    """Tear down IAM role *name* in the order AWS requires, then delete any
    instance profile in *prof_list* with the same name.

    Sequence from the AWS docs
    (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html#roles-managingrole-deleting-api):
    detach from instance profiles, drop inline policies, delete the role.
    After each mutating call ``wait_for_aws`` is polled until the change is
    visible; ``max_attempts``/``max_wait`` are passed straight through and
    their exact meaning is defined by that helper (not visible here).

    Args:
        module: AnsibleModule; ``fail_json`` is used for unrecoverable errors.
        iam: boto IAM connection.
        name: role name to delete.
        prof_list: instance profile names; an entry equal to ``name`` is deleted.
        max_attempts: forwarded to ``wait_for_aws``.
        max_wait: forwarded to ``wait_for_aws``.

    Returns:
        ``(changed, role_names, delete_role_response, delete_profile_response)``.
        A "role with name ... cannot be found" error is treated as nothing to
        do: ``changed`` is reset to False even if an earlier step had already
        mutated something. Deleting the instance profile alone does not set
        ``changed``.
    """
    changed = False
    iam_role_result = None
    instance_profile_result = None

    def _settle(predicate, timeout_msg):
        # Poll until predicate() holds, forwarding the *current* changed flag.
        wait_for_aws(predicate, changed, timeout_msg, max_attempts, max_wait)

    try:
        # Step 1: detach the role from every instance profile referencing it.
        for attached in get_instance_profiles_for_role(iam, name):
            iam.remove_role_from_instance_profile(attached, name)
            changed = True
            _settle(lambda: attached not in get_instance_profiles_for_role(iam, name),
                    "Timeout waiting for role in profile deletion")

        # Step 2: drop inline policies; AWS will not delete a role that has any.
        for inline_policy in get_policies_in_role(iam, name):
            iam.delete_role_policy(name, inline_policy)
            changed = True
            _settle(lambda: inline_policy not in get_policies_in_role(iam, name),
                    "Timeout waiting for role policy deletion")

        # Step 3: the role itself.
        iam_role_result = iam.delete_role(name)
        if iam_role_result:
            changed = True
        _settle(lambda: name not in get_iam_roles(iam),
                "Timeout waiting for IAM role deltion")

        # Finally the identically named instance profile, if it was listed.
        for candidate in prof_list:
            if candidate == name:
                instance_profile_result = iam.delete_instance_profile(name)
                _settle(lambda: candidate not in get_instance_profiles(iam),
                        "Timeout waiting for instance profile deletion")
    except boto.exception.BotoServerError as err:
        not_found_msg = 'The role with name %s cannot be found.' % (name)
        if not_found_msg in boto_exception(err):
            # Role is already gone: report no change instead of failing.
            changed = False
        else:
            module.fail_json(changed=changed, msg=str(err))
    return changed, get_iam_roles(iam), iam_role_result, instance_profile_result
msg= "All inline polices have been removed. Though it appears" "that %s has Managed Polices. This is not " "currently supported by boto. Please detach the polices " "through the console and try again." % name) else: module.fail_json(changed=changed, msg=str(err)) else: changed = True else: changed = True for prof in prof_list: if name == prof: instance_profile_result = iam.delete_instance_profile(name) except boto.exception.BotoServerError, err: module.fail_json(changed=changed, msg=str(err)) else: updated_role_list = [ rl['role_name'] for rl in iam.list_roles().list_roles_response.list_roles_result.roles ] return changed, updated_role_list, iam_role_result, instance_profile_result def main(): argument_spec = ec2_argument_spec() argument_spec.update( dict(iam_type=dict(default=None, required=True,