def role_action(module, iam, name, policy_name, skip, pdoc, state): policy_match = False changed = False try: current_policies = [cp for cp in iam.list_role_policies(name). list_role_policies_result. policy_names] for pol in current_policies: if urllib.unquote(iam.get_role_policy(name, pol). get_role_policy_result.policy_document) == pdoc: policy_match = True if policy_match: msg=("The policy document you specified already exists " "under the name %s." % pol) if state == 'present' and skip: if policy_name not in current_policies and not policy_match: changed = True iam.put_role_policy(name, policy_name, pdoc) elif state == 'present' and not skip: changed = True iam.put_role_policy(name, policy_name, pdoc) elif state == 'absent': try: iam.delete_role_policy(name, policy_name) changed = True except boto.exception.BotoServerError, err: error_msg = boto_exception(err) if 'cannot be found.' in error_msg: changed = False module.exit_json(changed=changed, msg="%s policy is already absent" % policy_name) updated_policies = [cp for cp in iam.list_role_policies(name). list_role_policies_result. policy_names]
def role_action(module, iam, name, policy_name, skip, pdoc, state): policy_match = False changed = False try: current_policies = [ cp for cp in iam.list_role_policies( name).list_role_policies_result.policy_names ] except boto.exception.BotoServerError as e: if e.error_code == "NoSuchEntity": # Role doesn't exist so it's safe to assume the policy doesn't either module.exit_json(changed=False, msg="No such role, policy will be skipped.") else: module.fail_json(msg=e.message) try: matching_policies = [] for pol in current_policies: if urllib.parse.unquote( iam.get_role_policy( name, pol).get_role_policy_result.policy_document) == pdoc: policy_match = True matching_policies.append(pol) if state == 'present': # If policy document does not already exist (either it's changed # or the policy is not present) or if we're not skipping dupes then # make the put call. Note that the put call does a create or update. if not policy_match or (not skip and policy_name not in matching_policies): changed = True iam.put_role_policy(name, policy_name, pdoc) elif state == 'absent': try: iam.delete_role_policy(name, policy_name) changed = True except boto.exception.BotoServerError as err: error_msg = boto_exception(err) if 'cannot be found.' in error_msg: changed = False module.exit_json(changed=changed, msg="%s policy is already absent" % policy_name) else: module.fail_json(msg=err.message) updated_policies = [ cp for cp in iam.list_role_policies( name).list_role_policies_result.policy_names ] except boto.exception.BotoServerError as err: error_msg = boto_exception(err) module.fail_json(changed=changed, msg=error_msg) return changed, name, updated_policies
def role_action(module, iam, name, policy_name, skip, pdoc, state): policy_match = False changed = False try: current_policies = [cp for cp in iam.list_role_policies(name). list_role_policies_result. policy_names] except boto.exception.BotoServerError as e: if e.error_code == "NoSuchEntity": # Role doesn't exist so it's safe to assume the policy doesn't either module.exit_json(changed=False, msg="No such role, policy will be skipped.") else: module.fail_json(msg=e.message) try: pol = "" for pol in current_policies: if urllib.unquote(iam.get_role_policy(name, pol). get_role_policy_result.policy_document) == pdoc: policy_match = True break if state == 'present': # If policy document does not already exist (either it's changed # or the policy is not present) or if we're not skipping dupes then # make the put call. Note that the put call does a create or update. if (not policy_match or not skip) and pol != name: changed = True iam.put_role_policy(name, policy_name, pdoc) elif state == 'absent': try: iam.delete_role_policy(name, policy_name) changed = True except boto.exception.BotoServerError as err: error_msg = boto_exception(err) if 'cannot be found.' in error_msg: changed = False module.exit_json(changed=changed, msg="%s policy is already absent" % policy_name) else: module.fail_json(msg=err.message) updated_policies = [cp for cp in iam.list_role_policies(name). list_role_policies_result. policy_names] except boto.exception.BotoServerError as err: error_msg = boto_exception(err) module.fail_json(changed=changed, msg=error_msg) return changed, name, updated_policies
def delete_role(module, iam, name, role_list, prof_list): changed = False try: if name in role_list: cur_ins_prof = [rp['instance_profile_name'] for rp in iam.list_instance_profiles_for_role(name). list_instance_profiles_for_role_result. instance_profiles] for profile in cur_ins_prof: iam.remove_role_from_instance_profile(profile, name) try: iam.delete_role(name) except boto.exception.BotoServerError, err: error_msg = boto_exception(err) if ('must detach all policies first') in error_msg: for policy in iam.list_role_policies(name).list_role_policies_result.policy_names: iam.delete_role_policy(name, policy) try: iam.delete_role(name) except boto.exception.BotoServerError, err: error_msg = boto_exception(err) if ('must detach all policies first') in error_msg: module.fail_json(changed=changed, msg="All inline polices have been removed. Though it appears" "that %s has Managed Polices. This is not " "currently supported by boto. Please detach the polices " "through the console and try again." % name) else: module.fail_json(changed=changed, msg=str(err)) else: changed = True else:
def update_iam_role(iam, role_name, assume_role_policy_file, permission_policy_file): try: iam.get_role(role_name) except: print role_name + ' role not found. Creating role ' iam.create_role(role_name) print 'Updating assume role policy of ' + role_name with open(assume_role_policy_file, "r") as myfile: policy = myfile.read() iam.update_assume_role_policy(role_name, policy) print 'Updating attached permission policies of ' + role_name for rp in iam.list_role_policies(role_name).get('list_role_policies_response').get('list_role_policies_result').get('policy_names'): iam.delete_role_policy(role_name, rp) with open(permission_policy_file, "r") as myfile: policy = myfile.read() iam.put_role_policy(role_name, role_name + '_permission_policy', policy) try: iam.get_instance_profile(role_name) except: print role_name + ' instance profile not found. Creating instance profile' iam.create_instance_profile(role_name) print 'Updating role and instance profile association of ' + role_name for ip in iam.list_instance_profiles_for_role(role_name).get('list_instance_profiles_for_role_response').get('list_instance_profiles_for_role_result').get('instance_profiles'): iam.remove_role_from_instance_profile(role_name, role_name) iam.add_role_to_instance_profile(role_name, role_name)
def role_action(module, iam, name, policy_name, skip, pdoc, state): policy_match = False changed = False try: current_policies = [ cp for cp in iam.list_role_policies( name).list_role_policies_result.policy_names ] except boto.exception.BotoServerError as e: if e.error_code == "NoSuchEntity": # Role doesn't exist so it's safe to assume the policy doesn't either module.exit_json(changed=False) else: module.fail_json(msg=e.message) try: for pol in current_policies: if urllib.unquote( iam.get_role_policy( name, pol).get_role_policy_result.policy_document) == pdoc: policy_match = True if state == 'present' and skip: if policy_name not in current_policies and not policy_match: changed = True iam.put_role_policy(name, policy_name, pdoc) elif state == 'present' and not skip: changed = True iam.put_role_policy(name, policy_name, pdoc) elif state == 'absent': try: iam.delete_role_policy(name, policy_name) changed = True except boto.exception.BotoServerError, err: error_msg = boto_exception(err) if 'cannot be found.' in error_msg: changed = False module.exit_json(changed=changed, msg="%s policy is already absent" % policy_name) updated_policies = [ cp for cp in iam.list_role_policies( name).list_role_policies_result.policy_names ]
def get_merged_policies(roles: list, region: str): iam = boto.iam.connect_to_region(region) policies = [] for role in roles: policy_names = iam.list_role_policies(role) for policy_name in policy_names['list_role_policies_response']['list_role_policies_result']['policy_names']: policy = iam.get_role_policy(role, policy_name)['get_role_policy_response']['get_role_policy_result'] document = urllib.parse.unquote(policy['policy_document']) policies.append({'PolicyName': policy_name, 'PolicyDocument': json.loads(document)}) return policies
def role_action(module, iam, name, policy_name, skip, pdoc, state): policy_match = False changed = False try: current_policies = [cp for cp in iam.list_role_policies(name). list_role_policies_result. policy_names] except boto.exception.BotoServerError as e: if e.error_code == "NoSuchEntity": # Role doesn't exist so it's safe to assume the policy doesn't either module.exit_json(changed=False) else: module.fail_json(msg=e.message) try: for pol in current_policies: if urllib.unquote(iam.get_role_policy(name, pol).get_role_policy_result.policy_document) == pdoc: policy_match = True if state == 'present' and skip: if policy_name not in current_policies and not policy_match: changed = True iam.put_role_policy(name, policy_name, pdoc) elif state == 'present' and not skip: changed = True iam.put_role_policy(name, policy_name, pdoc) elif state == 'absent': try: iam.delete_role_policy(name, policy_name) changed = True except boto.exception.BotoServerError, err: error_msg = boto_exception(err) if 'cannot be found.' in error_msg: changed = False module.exit_json(changed=changed, msg="%s policy is already absent" % policy_name) updated_policies = [cp for cp in iam.list_role_policies(name). list_role_policies_result. policy_names]
def get_merged_policies(roles: list, region: str): iam = boto.iam.connect_to_region(region) policies = [] for role in roles: policy_names = iam.list_role_policies(role) for policy_name in policy_names['list_role_policies_response'][ 'list_role_policies_result']['policy_names']: policy = iam.get_role_policy( role, policy_name )['get_role_policy_response']['get_role_policy_result'] document = urllib.parse.unquote(policy['policy_document']) policies.append({ 'PolicyName': policy_name, 'PolicyDocument': json.loads(document) }) return policies
def get_policies_in_role(iam, name): return iam.list_role_policies(name).list_role_policies_result.policy_names