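def update_iam_role(iam, role_name, assume_role_policy_file,
                    permission_policy_file):
    """Create or refresh an IAM role and its instance profile from two policy files.

    Steps, in order:
      1. Ensure the role ``role_name`` exists (it is created when ``get_role``
         raises).
      2. Replace the role's trust (assume-role) policy with the contents of
         ``assume_role_policy_file``.
      3. Delete every inline policy currently on the role, then attach the
         contents of ``permission_policy_file`` as the single inline policy
         ``<role_name>_permission_policy``.
      4. Ensure an instance profile named ``role_name`` exists, detach the role
         from every instance profile it is listed in, and attach it to the
         profile of the same name.

    Args:
        iam: IAM connection whose responses are nested dicts (boto-style
            ``*_response`` / ``*_result`` keys, as accessed below).
        role_name: Name used for both the role and its instance profile.
        assume_role_policy_file: Path to a JSON trust-policy document.
        permission_policy_file: Path to a JSON permission-policy document.

    Returns:
        None. Progress is reported on stdout.

    Raises:
        Whatever ``open`` raises for an unreadable policy file, and any error
        from the update/put/attach calls; only the two existence probes are
        caught.
    """
    # Only the existence probe is caught, and only ordinary exceptions: the
    # previous bare ``except`` also swallowed KeyboardInterrupt/SystemExit.
    # Any failure here (including an authorization error) is still treated
    # as "role missing", so a denied lookup leads to a create attempt.
    try:
        iam.get_role(role_name)
    except Exception:
        print(role_name + ' role not found. Creating role ')
        iam.create_role(role_name)

    print('Updating assume role policy of ' + role_name)
    with open(assume_role_policy_file, "r") as myfile:
        policy = myfile.read()
    iam.update_assume_role_policy(role_name, policy)

    print('Updating attached permission policies of ' + role_name)
    # Remove every existing inline policy so the file is the sole source of
    # truth; a missing 'policy_names' entry is treated as "none attached".
    existing_policies = (iam.list_role_policies(role_name)
                         .get('list_role_policies_response')
                         .get('list_role_policies_result')
                         .get('policy_names')) or []
    for rp in existing_policies:
        iam.delete_role_policy(role_name, rp)
    with open(permission_policy_file, "r") as myfile:
        policy = myfile.read()
    iam.put_role_policy(role_name, role_name + '_permission_policy', policy)

    try:
        iam.get_instance_profile(role_name)
    except Exception:
        print(role_name + ' instance profile not found. Creating instance profile')
        iam.create_instance_profile(role_name)
    print('Updating role and instance profile association of ' + role_name)
    profiles = (iam.list_instance_profiles_for_role(role_name)
                .get('list_instance_profiles_for_role_response')
                .get('list_instance_profiles_for_role_result')
                .get('instance_profiles')) or []
    for ip in profiles:
        # Detach from the profile that is actually listed. The original passed
        # ``role_name`` as the profile name and ignored ``ip``, so a role that
        # sat in a differently named profile was never detached. Falls back to
        # the old argument when the entry carries no 'instance_profile_name'.
        profile_name = ip.get('instance_profile_name', role_name)
        iam.remove_role_from_instance_profile(profile_name, role_name)
    iam.add_role_to_instance_profile(role_name, role_name)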
def iam_role(name, policy_name='managedpolicy'):
    """Ensure IAM role ``name`` exists and carries the inline policy from ``policies``.

    The document is looked up in the module-level ``policies`` mapping,
    serialised as pretty-printed JSON with sorted keys, and written under
    ``policy_name`` with ``put_role_policy``. A role whose ``get_role`` raises
    ``BotoServerError`` is created first.

    Args:
        name: Role name; also the key into ``policies``.
        policy_name: Inline policy name to write (default ``'managedpolicy'``).

    Returns:
        None.

    Raises:
        KeyError when ``name`` is not a key of ``policies``; any exception
        other than ``BotoServerError`` from the IAM calls propagates.
    """
    document = json.dumps(policies[name], sort_keys=True, indent=4,
                          separators=(',', ': '))

    def _lookup_role():
        # Any BotoServerError from get_role is taken to mean "role absent".
        try:
            return iam.get_role(name)
        except boto.exception.BotoServerError:
            return None

    if _lookup_role() is None:
        iam.create_role(name)
        iam.get_role(name)
    # ...someday, maybe support for multiple policies via iam.list_role_policies()
    iam.put_role_policy(name, policy_name, document)
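def create_role(module, iam, name, path, role_list, prof_list,
                trust_policy_doc):
    """Create IAM role ``name`` (and an instance profile of the same name) if absent.

    When ``name`` is not in ``role_list`` the role is created with
    ``trust_policy_doc`` as its assume-role policy; if ``name`` is also not in
    ``prof_list`` an instance profile is created and the role added to it.
    When the role already exists only its instance profile is looked up; the
    existing trust policy is left untouched.

    Args:
        module: AnsibleModule; used only for ``fail_json`` on API errors.
        iam: boto IAM connection.
        name: Role / instance-profile name.
        path: IAM path for the new role and profile.
        role_list: Names of roles that already exist.
        prof_list: Names of instance profiles that already exist.
        trust_policy_doc: JSON assume-role policy document.

    Returns:
        ``(changed, updated_role_list, iam_role_result, instance_profile_result)``.
        ``updated_role_list`` is ``None`` and the other results may be ``None``
        if ``module.fail_json`` returned instead of exiting.
    """
    changed = False
    iam_role_result = None
    instance_profile_result = None
    # Initialised up front so the return cannot raise UnboundLocalError when
    # the except branch runs and fail_json() does not terminate the process.
    updated_role_list = None
    try:
        if name not in role_list:
            changed = True
            iam_role_result = iam.create_role(
                name, assume_role_policy_document=trust_policy_doc,
                path=path).create_role_response.create_role_result.role

            # NOTE(review): a newly created role whose instance profile already
            # exists is not attached to that profile here and
            # instance_profile_result stays None — confirm this is intended.
            if name not in prof_list:
                instance_profile_result = iam.create_instance_profile(name, path=path) \
                    .create_instance_profile_response.create_instance_profile_result.instance_profile
                iam.add_role_to_instance_profile(name, name)
        else:
            instance_profile_result = iam.get_instance_profile(
                name
            ).get_instance_profile_response.get_instance_profile_result.instance_profile
    except boto.exception.BotoServerError as err:
        module.fail_json(changed=changed, msg=str(err))
    else:
        updated_role_list = list_all_roles(iam)
        # Re-read the role so the returned object reflects the server's view.
        iam_role_result = iam.get_role(
            name).get_role_response.get_role_result.role
    return changed, updated_role_list, iam_role_result, instance_profile_result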
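def build_opsworks_stack():
    """Rebuild the Vulnpryer OpsWorks stack described by ``config``.

    Any existing stack whose name equals ``[opsworks] stack_name`` is deleted
    first, together with every instance in it — this function is destructive.
    A new stack, one custom layer and one instance are then created. All
    credentials and parameters come from the module-level ``config``
    (ConfigParser-style ``get``/``getboolean``); the dict/list-valued settings
    are parsed with ``ast.literal_eval``, which evaluates literals only.

    Returns:
        The ``InstanceId`` of the new instance, or ``False`` when the stack or
        layer could not be created (the failure is printed).
    """
    print('------------------------------------')
    print('Building Vulnpryer Opsworks Stack')
    print('------------------------------------')

    region = config.get('general', 'opsworks_aws_region')
    access_key = config.get('general', 'aws_access_key_id')
    secret_key = config.get('general', 'aws_secret_access_key')
    stack_name = config.get('opsworks', 'stack_name')

    # Connect to AWS Opsworks
    ow = boto.opsworks.connect_to_region(region_name=region,
                                         aws_access_key_id=access_key,
                                         aws_secret_access_key=secret_key)

    # Check if a stack of that name exists; if so tear it down, instances first.
    for stack in ow.describe_stacks().get('Stacks'):
        if stack.get('Name') == stack_name:
            print('Stack ' + stack_name + ' exists. Deleting stack with Stack ID ' + stack.get('StackId'))

            # Delete instances
            for instance in ow.describe_instances(stack_id=stack.get('StackId')).get('Instances'):
                ow.delete_instance(instance_id=instance.get('InstanceId'))

            ow.delete_stack(stack.get('StackId'))

    # Retrieve IAM ARNs for the OpsWorks service role and the instance profile
    iam = boto.iam.connect_to_region(region_name=region,
                                     aws_access_key_id=access_key,
                                     aws_secret_access_key=secret_key)
    service_arn = (iam.get_role(config.get('opsworks', 'opsworks_role'))
                   .get('get_role_response').get('get_role_result')
                   .get('role').get('arn'))
    ip_arn = (iam.get_instance_profile(config.get('opsworks', 'opsworks_resource_role'))
              .get('get_instance_profile_response')
              .get('get_instance_profile_result')
              .get('instance_profile').get('arn'))

    # Creating new Opsworks Stack
    try:
        new_stack = ow.create_stack(
            stack_name,
            config.get('general', 'vpc_aws_region'),
            service_arn,
            ip_arn,
            vpc_id=config.get('opsworks', 'vpc_id'),
            default_os=config.get('opsworks', 'default_os'),
            default_subnet_id=config.get('opsworks', 'default_subnet_id'),
            custom_json=config.get('opsworks', 'custom_json'),
            configuration_manager=ast.literal_eval(config.get('opsworks', 'configuration_manager')),
            chef_configuration=ast.literal_eval(config.get('opsworks', 'chef_configuration')),
            use_custom_cookbooks=config.getboolean('opsworks', 'use_custom_cookbooks'),
            use_opsworks_security_groups=config.getboolean('opsworks', 'use_opsworks_security_groups'),
            custom_cookbooks_source=ast.literal_eval(config.get('opsworks', 'custom_cookbooks_source')),
            default_ssh_key_name=config.get('opsworks', 'default_ssh_key_name'),
            attributes={'Color':'rgb(45, 114, 184)'})

        new_layer = ow.create_layer(
            new_stack.get('StackId'),
            'custom',
            config.get('opsworks', 'layer_name'),
            config.get('opsworks', 'layer_short_name'),
            attributes=None,
            custom_instance_profile_arn=ip_arn,
            custom_security_group_ids=[config.get('opsworks', 'layer_security_group')],
            packages=None,
            volume_configurations=None,
            enable_auto_healing=True,
            auto_assign_elastic_ips=False,
            auto_assign_public_ips=True,
            custom_recipes=ast.literal_eval(config.get('opsworks', 'layer_custom_recipes')),
            install_updates_on_boot=True,
            use_ebs_optimized_instances=False)
    except Exception as err:
        # Narrowed from a bare ``except`` so KeyboardInterrupt/SystemExit still
        # propagate, and the cause is reported instead of being dropped.
        print("New stack failed to create. Check keys and configuration before proceeding.")
        print('Error: ' + str(err))
        return False
    # Instance creation is deliberately outside the try: a failure here
    # propagates rather than being reported as a stack-creation failure.
    new_instance = ow.create_instance(new_stack.get('StackId'),
                                      [new_layer.get('LayerId')],
                                      config.get('opsworks', 'instance_type'),
                                      hostname=config.get('opsworks', 'instance_name'))
    print('Successfully built Opsworks Stack ' + stack_name + ' with stack id ' + new_stack.get('StackId'))
    return new_instance.get('InstanceId')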
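def main():
    """Ansible module entry point: make an IAM role present or absent.

    Module parameters (read from ``module.params``):
        role_name: Required. Name of the role.
        assume_role_policy_document: Optional trust policy; a JSON string or a
            dict (dicts are serialised with ``json.dumps``). Used only when the
            role is created — an existing role's trust policy is not updated.
        state: ``'present'`` (default) or ``'absent'``.

    Terminates through ``module.exit_json`` (``changed`` plus, for
    ``present``, ``role``) or ``module.fail_json`` on an IAM API error.
    """
    argument_spec = ec2_argument_spec()
    argument_spec.update(dict(
            role_name = dict(default=None,required=True),
            assume_role_policy_document = dict(default=None,required=False),
            state = dict(default='present', choices=['present', 'absent']),
        )
    )

    module = AnsibleModule(
        argument_spec=argument_spec
    )

    role_name = module.params.get('role_name')
    assume_role_policy_document = module.params.get('assume_role_policy_document')

    # isinstance also accepts dict subclasses (e.g. OrderedDict from YAML).
    if isinstance(assume_role_policy_document, dict):
        assume_role_policy_document = json.dumps(assume_role_policy_document)

    region, ec2_url, aws_connect_params = get_aws_connection_info(module)
    iam = connect_to_aws(boto.iam, region, **aws_connect_params)

    state = module.params.get('state')

    role_missing = False
    role_data = None
    try:
        response = iam.get_role(role_name)
        role_data = response.get_role_result.role
    except boto.exception.BotoServerError as e:
        if e.status == 404:
            role_missing = True
        else:
            # Previously every non-404 error (e.g. an access-denied response)
            # was swallowed: state=present then reported "unchanged" with
            # role=None, and state=absent tried to delete a role never seen.
            module.fail_json(msg='Failed to look up role ' + role_name + ': ' + str(e))

    # Create/delete failures are reported through fail_json rather than as an
    # uncaught traceback (e.g. deleting a role that still has policies).
    if state == 'present':
        if role_missing:
            try:
                response = iam.create_role(role_name, assume_role_policy_document)
            except boto.exception.BotoServerError as e:
                module.fail_json(msg='Failed to create role ' + role_name + ': ' + str(e))
            module.exit_json(changed = True, role = response.create_role_result.role)
        else:
            module.exit_json(changed = False, role = role_data)
    elif state == 'absent':
        if not role_missing:
            try:
                iam.delete_role(role_name)
            except boto.exception.BotoServerError as e:
                module.fail_json(msg='Failed to delete role ' + role_name + ': ' + str(e))
        module.exit_json(changed = not role_missing)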
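def main():
    """Ansible module entry point: make an IAM role present or absent.

    Module parameters (read from ``module.params``):
        role_name: Required. Name of the role.
        assume_role_policy_document: Optional trust policy; a JSON string or a
            dict (dicts are serialised with ``json.dumps``). Used only when the
            role is created — an existing role's trust policy is not updated.
        state: ``'present'`` (default) or ``'absent'``.

    Terminates through ``module.exit_json`` (``changed`` plus, for
    ``present``, ``role``) or ``module.fail_json`` on an IAM API error.
    """
    argument_spec = ec2_argument_spec()
    argument_spec.update(
        dict(
            role_name=dict(default=None, required=True),
            assume_role_policy_document=dict(default=None, required=False),
            state=dict(default='present', choices=['present', 'absent']),
        ))

    module = AnsibleModule(argument_spec=argument_spec)

    role_name = module.params.get('role_name')
    assume_role_policy_document = module.params.get(
        'assume_role_policy_document')

    # isinstance also accepts dict subclasses (e.g. OrderedDict from YAML).
    if isinstance(assume_role_policy_document, dict):
        assume_role_policy_document = json.dumps(assume_role_policy_document)

    region, ec2_url, aws_connect_params = get_aws_connection_info(module)
    iam = connect_to_aws(boto.iam, region, **aws_connect_params)

    state = module.params.get('state')

    role_missing = False
    role_data = None
    try:
        response = iam.get_role(role_name)
        role_data = response.get_role_result.role
    except boto.exception.BotoServerError as e:
        if e.status == 404:
            role_missing = True
        else:
            # Previously every non-404 error (e.g. an access-denied response)
            # was swallowed: state=present then reported "unchanged" with
            # role=None, and state=absent tried to delete a role never seen.
            module.fail_json(
                msg='Failed to look up role ' + role_name + ': ' + str(e))

    # Create/delete failures are reported through fail_json rather than as an
    # uncaught traceback (e.g. deleting a role that still has policies).
    if state == 'present':
        if role_missing:
            try:
                response = iam.create_role(role_name, assume_role_policy_document)
            except boto.exception.BotoServerError as e:
                module.fail_json(
                    msg='Failed to create role ' + role_name + ': ' + str(e))
            module.exit_json(changed=True,
                             role=response.create_role_result.role)
        else:
            module.exit_json(changed=False, role=role_data)
    elif state == 'absent':
        if not role_missing:
            try:
                iam.delete_role(role_name)
            except boto.exception.BotoServerError as e:
                module.fail_json(
                    msg='Failed to delete role ' + role_name + ': ' + str(e))
        module.exit_json(changed=not role_missing)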
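def create_role(module, iam, name, path, role_list, prof_list, trust_policy_doc):
    """Create IAM role ``name`` (and an instance profile of the same name) if absent.

    When ``name`` is not in ``role_list`` the role is created with
    ``trust_policy_doc`` as its assume-role policy; if ``name`` is also not in
    ``prof_list`` an instance profile is created and the role added to it.
    When the role already exists only its instance profile is looked up; the
    existing trust policy is left untouched.

    Args:
        module: AnsibleModule; used only for ``fail_json`` on API errors.
        iam: boto IAM connection.
        name: Role / instance-profile name.
        path: IAM path for the new role and profile.
        role_list: Names of roles that already exist.
        prof_list: Names of instance profiles that already exist.
        trust_policy_doc: JSON assume-role policy document.

    Returns:
        ``(changed, updated_role_list, iam_role_result, instance_profile_result)``.
        ``updated_role_list`` is ``None`` and the other results may be ``None``
        if ``module.fail_json`` returned instead of exiting.
    """
    changed = False
    iam_role_result = None
    instance_profile_result = None
    # Initialised up front so the return cannot raise UnboundLocalError when
    # the except branch runs and fail_json() does not terminate the process.
    updated_role_list = None
    try:
        if name not in role_list:
            changed = True
            iam_role_result = iam.create_role(name,
                                              assume_role_policy_document=trust_policy_doc,
                                              path=path).create_role_response.create_role_result.role

            # NOTE(review): a newly created role whose instance profile already
            # exists is not attached to that profile here and
            # instance_profile_result stays None — confirm this is intended.
            if name not in prof_list:
                instance_profile_result = iam.create_instance_profile(name, path=path) \
                    .create_instance_profile_response.create_instance_profile_result.instance_profile
                iam.add_role_to_instance_profile(name, name)
        else:
            instance_profile_result = iam.get_instance_profile(name).get_instance_profile_response.get_instance_profile_result.instance_profile
    except boto.exception.BotoServerError as err:
        module.fail_json(changed=changed, msg=str(err))
    else:
        updated_role_list = list_all_roles(iam)
        # Re-read the role so the returned object reflects the server's view.
        iam_role_result = iam.get_role(name).get_role_response.get_role_result.role
    return changed, updated_role_list, iam_role_result, instance_profile_result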