def get_subnet_info(subnet):
if 'Subnets' in subnet:
return [get_subnet_info(s) for s in subnet['Subnets']]
elif 'Subnet' in subnet:
subnet = camel_dict_to_snake_dict(subnet['Subnet'])
else:
subnet = camel_dict_to_snake_dict(subnet)
if 'tags' in subnet:
subnet['tags'] = boto3_tag_list_to_assible_dict(subnet['tags'])
else:
subnet['tags'] = dict()
if 'subnet_id' in subnet:
subnet['id'] = subnet['subnet_id']
del subnet['subnet_id']
subnet['ipv6_cidr_block'] = ''
subnet['ipv6_association_id'] = ''
ipv6set = subnet.get('ipv6_cidr_block_association_set')
if ipv6set:
for item in ipv6set:
if item.get('ipv6_cidr_block_state',
{}).get('state') in ('associated', 'associating'):
subnet['ipv6_cidr_block'] = item['ipv6_cidr_block']
subnet['ipv6_association_id'] = item['association_id']
return subnet
def create_or_update_role(connection, module):
params = generate_create_params(module)
role_name = params['RoleName']
create_instance_profile = module.params.get('create_instance_profile')
purge_policies = module.params.get('purge_policies')
if purge_policies is None:
purge_policies = True
managed_policies = module.params.get('managed_policies')
if managed_policies:
# Attempt to list the policies early so we don't leave things behind if we can't find them.
managed_policies = convert_friendly_names_to_arns(
connection, module, managed_policies)
changed = False
# Get role
role = get_role(connection, module, role_name)
# If role is None, create it
if role is None:
role = create_basic_role(connection, module, params)
changed = True
else:
changed |= update_role_tags(connection, module, params, role)
changed |= update_role_assumed_policy(connection, module, params, role)
changed |= update_role_description(connection, module, params, role)
changed |= update_role_max_session_duration(connection, module, params,
role)
changed |= update_role_permissions_boundary(connection, module, params,
role)
if create_instance_profile:
changed |= create_instance_profiles(connection, module, params, role)
changed |= update_managed_policies(connection, module, params, role,
managed_policies, purge_policies)
# Get the role again
if not role.get('MadeInCheckMode', False):
role = get_role(connection, module, params['RoleName'])
role['AttachedPolicies'] = get_attached_policy_list(
connection, module, params['RoleName'])
role['tags'] = get_role_tags(connection, module)
module.exit_json(changed=changed,
iam_role=camel_dict_to_snake_dict(role,
ignore_list=['tags']),
**camel_dict_to_snake_dict(role, ignore_list=['tags']))
def fail_json_aws(self, exception, msg=None):
"""call fail_json with processed exception
function for converting exceptions thrown by AWS SDK modules,
botocore, boto3 and boto, into nice error messages.
"""
last_traceback = traceback.format_exc()
# to_native is trusted to handle exceptions that str() could
# convert to text.
try:
except_msg = to_native(exception.message)
except AttributeError:
except_msg = to_native(exception)
if msg is not None:
message = '{0}: {1}'.format(msg, except_msg)
else:
message = except_msg
try:
response = exception.response
except AttributeError:
response = None
failure = dict(msg=message,
exception=last_traceback,
**self._gather_versions())
if response is not None:
failure.update(**camel_dict_to_snake_dict(response))
self.fail_json(**failure)
def list_ec2_images(ec2_client, module):
image_ids = module.params.get("image_ids")
owners = module.params.get("owners")
executable_users = module.params.get("executable_users")
filters = module.params.get("filters")
owner_param = []
# describe_images is *very* slow if you pass the `Owners`
# param (unless it's self), for some reason.
# Converting the owners to filters and removing from the
# owners param greatly speeds things up.
# Implementation based on aioue's suggestion in #24886
for owner in owners:
if owner.isdigit():
if 'owner-id' not in filters:
filters['owner-id'] = list()
filters['owner-id'].append(owner)
elif owner == 'self':
# self not a valid owner-alias filter (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeImages.html)
owner_param.append(owner)
else:
if 'owner-alias' not in filters:
filters['owner-alias'] = list()
filters['owner-alias'].append(owner)
filters = assible_dict_to_boto3_filter_list(filters)
try:
images = ec2_client.describe_images(ImageIds=image_ids, Filters=filters, Owners=owner_param, ExecutableUsers=executable_users)
images = [camel_dict_to_snake_dict(image) for image in images["Images"]]
except (ClientError, BotoCoreError) as err:
module.fail_json_aws(err, msg="error describing images")
for image in images:
try:
image['tags'] = boto3_tag_list_to_assible_dict(image.get('tags', []))
if module.params.get("describe_image_attributes"):
launch_permissions = ec2_client.describe_image_attribute(Attribute='launchPermission', ImageId=image['image_id'])['LaunchPermissions']
image['launch_permissions'] = [camel_dict_to_snake_dict(perm) for perm in launch_permissions]
except (ClientError, BotoCoreError) as err:
# describing launch permissions of images owned by others is not permitted, but shouldn't cause failures
pass
images.sort(key=lambda e: e.get('creation_date', '')) # it may be possible that creation_date does not always exist
module.exit_json(images=images)
def _parse_response(response):
credentials = response.get('Credentials', {})
user = response.get('AssumedRoleUser', {})
sts_cred = {
'access_key': credentials.get('AccessKeyId'),
'secret_key': credentials.get('SecretAccessKey'),
'session_token': credentials.get('SessionToken'),
'expiration': credentials.get('Expiration')
}
sts_user = camel_dict_to_snake_dict(user)
return sts_cred, sts_user
def main():
argument_spec = dict(
name=dict(required=True),
cidr_block=dict(type='list', required=True),
ipv6_cidr=dict(type='bool', default=False),
tenancy=dict(choices=['default', 'dedicated'], default='default'),
dns_support=dict(type='bool', default=True),
dns_hostnames=dict(type='bool', default=True),
dhcp_opts_id=dict(),
tags=dict(type='dict', aliases=['resource_tags']),
state=dict(choices=['present', 'absent'], default='present'),
multi_ok=dict(type='bool', default=False),
purge_cidrs=dict(type='bool', default=False),
)
module = AssibleAWSModule(argument_spec=argument_spec,
supports_check_mode=True)
name = module.params.get('name')
cidr_block = get_cidr_network_bits(module, module.params.get('cidr_block'))
ipv6_cidr = module.params.get('ipv6_cidr')
purge_cidrs = module.params.get('purge_cidrs')
tenancy = module.params.get('tenancy')
dns_support = module.params.get('dns_support')
dns_hostnames = module.params.get('dns_hostnames')
dhcp_id = module.params.get('dhcp_opts_id')
tags = module.params.get('tags')
state = module.params.get('state')
multi = module.params.get('multi_ok')
changed = False
connection = module.client(
'ec2',
retry_decorator=AWSRetry.jittered_backoff(
retries=8,
delay=3,
catch_extra_error_codes=['InvalidVpcID.NotFound']))
if dns_hostnames and not dns_support:
module.fail_json(
msg=
'In order to enable DNS Hostnames you must also enable DNS support'
)
if state == 'present':
# Check if VPC exists
vpc_id = vpc_exists(module, connection, name, cidr_block, multi)
if vpc_id is None:
vpc_id = create_vpc(connection, module, cidr_block[0], tenancy)
changed = True
vpc_obj = get_vpc(module, connection, vpc_id)
associated_cidrs = dict(
(cidr['CidrBlock'], cidr['AssociationId'])
for cidr in vpc_obj.get('CidrBlockAssociationSet', [])
if cidr['CidrBlockState']['State'] != 'disassociated')
to_add = [cidr for cidr in cidr_block if cidr not in associated_cidrs]
to_remove = [
associated_cidrs[cidr] for cidr in associated_cidrs
if cidr not in cidr_block
]
expected_cidrs = [
cidr for cidr in associated_cidrs
if associated_cidrs[cidr] not in to_remove
] + to_add
if len(cidr_block) > 1:
for cidr in to_add:
changed = True
try:
connection.associate_vpc_cidr_block(CidrBlock=cidr,
VpcId=vpc_id)
except (botocore.exceptions.ClientError,
botocore.exceptions.BotoCoreError) as e:
module.fail_json_aws(
e, "Unable to associate CIDR {0}.".format(ipv6_cidr))
if ipv6_cidr:
if 'Ipv6CidrBlockAssociationSet' in vpc_obj.keys():
module.warn(
"Only one IPv6 CIDR is permitted per VPC, {0} already has CIDR {1}"
.format(
vpc_id, vpc_obj['Ipv6CidrBlockAssociationSet'][0]
['Ipv6CidrBlock']))
else:
try:
connection.associate_vpc_cidr_block(
AmazonProvidedIpv6CidrBlock=ipv6_cidr, VpcId=vpc_id)
changed = True
except (botocore.exceptions.ClientError,
botocore.exceptions.BotoCoreError) as e:
module.fail_json_aws(
e, "Unable to associate CIDR {0}.".format(ipv6_cidr))
if purge_cidrs:
for association_id in to_remove:
changed = True
try:
connection.disassociate_vpc_cidr_block(
AssociationId=association_id)
except (botocore.exceptions.ClientError,
botocore.exceptions.BotoCoreError) as e:
module.fail_json_aws(
e,
"Unable to disassociate {0}. You must detach or delete all gateways and resources that "
"are associated with the CIDR block before you can disassociate it."
.format(association_id))
if dhcp_id is not None:
try:
if update_dhcp_opts(connection, module, vpc_obj, dhcp_id):
changed = True
except (botocore.exceptions.ClientError,
botocore.exceptions.BotoCoreError) as e:
module.fail_json_aws(e, "Failed to update DHCP options")
if tags is not None or name is not None:
try:
if update_vpc_tags(connection, module, vpc_id, tags, name):
changed = True
except (botocore.exceptions.ClientError,
botocore.exceptions.BotoCoreError) as e:
module.fail_json_aws(e, msg="Failed to update tags")
current_dns_enabled = connection.describe_vpc_attribute(
Attribute='enableDnsSupport', VpcId=vpc_id,
aws_retry=True)['EnableDnsSupport']['Value']
current_dns_hostnames = connection.describe_vpc_attribute(
Attribute='enableDnsHostnames', VpcId=vpc_id,
aws_retry=True)['EnableDnsHostnames']['Value']
if current_dns_enabled != dns_support:
changed = True
if not module.check_mode:
try:
connection.modify_vpc_attribute(
VpcId=vpc_id, EnableDnsSupport={'Value': dns_support})
except (botocore.exceptions.ClientError,
botocore.exceptions.BotoCoreError) as e:
module.fail_json_aws(
e, "Failed to update enabled dns support attribute")
if current_dns_hostnames != dns_hostnames:
changed = True
if not module.check_mode:
try:
connection.modify_vpc_attribute(
VpcId=vpc_id,
EnableDnsHostnames={'Value': dns_hostnames})
except (botocore.exceptions.ClientError,
botocore.exceptions.BotoCoreError) as e:
module.fail_json_aws(
e, "Failed to update enabled dns hostnames attribute")
# wait for associated cidrs to match
if to_add or to_remove:
try:
connection.get_waiter('vpc_available').wait(
VpcIds=[vpc_id],
Filters=[{
'Name': 'cidr-block-association.cidr-block',
'Values': expected_cidrs
}])
except (botocore.exceptions.ClientError,
botocore.exceptions.BotoCoreError) as e:
module.fail_json_aws(e, "Failed to wait for CIDRs to update")
# try to wait for enableDnsSupport and enableDnsHostnames to match
wait_for_vpc_attribute(connection, module, vpc_id, 'enableDnsSupport',
dns_support)
wait_for_vpc_attribute(connection, module, vpc_id,
'enableDnsHostnames', dns_hostnames)
final_state = camel_dict_to_snake_dict(
get_vpc(module, connection, vpc_id))
final_state['tags'] = boto3_tag_list_to_assible_dict(
final_state.get('tags', []))
final_state['id'] = final_state.pop('vpc_id')
module.exit_json(changed=changed, vpc=final_state)
elif state == 'absent':
# Check if VPC exists
vpc_id = vpc_exists(module, connection, name, cidr_block, multi)
if vpc_id is not None:
try:
if not module.check_mode:
connection.delete_vpc(VpcId=vpc_id)
changed = True
except (botocore.exceptions.ClientError,
botocore.exceptions.BotoCoreError) as e:
module.fail_json_aws(
e,
msg=
"Failed to delete VPC {0} You may want to use the ec2_vpc_subnet, ec2_vpc_igw, "
"and/or ec2_vpc_route_table modules to ensure the other components are absent."
.format(vpc_id))
module.exit_json(changed=changed, vpc={})
def ensure_ipv6_cidr_block(conn, module, subnet, ipv6_cidr, check_mode,
start_time):
wait = module.params['wait']
changed = False
if subnet['ipv6_association_id'] and not ipv6_cidr:
if not check_mode:
disassociate_ipv6_cidr(conn, module, subnet, start_time)
changed = True
if ipv6_cidr:
filters = assible_dict_to_boto3_filter_list({
'ipv6-cidr-block-association.ipv6-cidr-block':
ipv6_cidr,
'vpc-id':
subnet['vpc_id']
})
try:
check_subnets = get_subnet_info(
describe_subnets_with_backoff(conn, Filters=filters))
except (botocore.exceptions.ClientError,
botocore.exceptions.BotoCoreError) as e:
module.fail_json_aws(e, msg="Couldn't get subnet info")
if check_subnets and check_subnets[0]['ipv6_cidr_block']:
module.fail_json(
msg="The IPv6 CIDR '{0}' conflicts with another subnet".format(
ipv6_cidr))
if subnet['ipv6_association_id']:
if not check_mode:
disassociate_ipv6_cidr(conn, module, subnet, start_time)
changed = True
try:
if not check_mode:
associate_resp = conn.associate_subnet_cidr_block(
SubnetId=subnet['id'], Ipv6CidrBlock=ipv6_cidr)
changed = True
except (botocore.exceptions.ClientError,
botocore.exceptions.BotoCoreError) as e:
module.fail_json_aws(
e,
msg="Couldn't associate ipv6 cidr {0} to {1}".format(
ipv6_cidr, subnet['id']))
else:
if not check_mode and wait:
filters = assible_dict_to_boto3_filter_list({
'ipv6-cidr-block-association.state': ['associated'],
'vpc-id':
subnet['vpc_id']
})
handle_waiter(conn, module, 'subnet_exists', {
'SubnetIds': [subnet['id']],
'Filters': filters
}, start_time)
if associate_resp.get('Ipv6CidrBlockAssociation',
{}).get('AssociationId'):
subnet['ipv6_association_id'] = associate_resp[
'Ipv6CidrBlockAssociation']['AssociationId']
subnet['ipv6_cidr_block'] = associate_resp[
'Ipv6CidrBlockAssociation']['Ipv6CidrBlock']
if subnet['ipv6_cidr_block_association_set']:
subnet['ipv6_cidr_block_association_set'][
0] = camel_dict_to_snake_dict(
associate_resp['Ipv6CidrBlockAssociation'])
else:
subnet['ipv6_cidr_block_association_set'].append(
camel_dict_to_snake_dict(
associate_resp['Ipv6CidrBlockAssociation']))
return changed