def compare_assume_role_policy_doc(current_policy_doc, new_policy_doc): if sort_json_policy_dict(current_policy_doc) == sort_json_policy_dict( json.loads(new_policy_doc)): return True else: return False
def get_or_create_policy_version(module, iam, policy, policy_document): try: versions = iam.list_policy_versions( PolicyArn=policy['Arn'])['Versions'] except botocore.exceptions.ClientError as e: module.fail_json(msg="Couldn't list policy versions: %s" % str(e), exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) for v in versions: try: document = iam.get_policy_version( PolicyArn=policy['Arn'], VersionId=v['VersionId'])['PolicyVersion']['Document'] except botocore.exceptions.ClientError as e: module.fail_json(msg="Couldn't get policy version %s: %s" % (v['VersionId'], str(e)), exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) if sort_json_policy_dict(document) == sort_json_policy_dict( json.loads(policy_document)): return v, False # No existing version so create one # There is a service limit (typically 5) of policy versions. # # Rather than assume that it is 5, we'll try to create the policy # and if that doesn't work, delete the oldest non default policy version # and try again. try: version = iam.create_policy_version( PolicyArn=policy['Arn'], PolicyDocument=policy_document)['PolicyVersion'] return version, True except botocore.exceptions.ClientError as e: if e['Error']['Code'] == 'LimitExceeded': delete_oldest_non_default_version(module, iam, policy) try: version = iam.create_policy_version( PolicyArn=policy['Arn'], PolicyDocument=policy_document)['PolicyVersion'] return version, True except botocore.exceptions.ClientError as e: pass # Handle both when the exception isn't LimitExceeded or # the second attempt still failed module.fail_json(msg="Couldn't create policy version: %s" % str(e), exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
def get_or_create_policy_version(module, iam, policy, policy_document): try: versions = iam.list_policy_versions(PolicyArn=policy['Arn'])['Versions'] except botocore.exceptions.ClientError as e: module.fail_json(msg="Couldn't list policy versions: %s" % str(e), exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) for v in versions: try: document = iam.get_policy_version(PolicyArn=policy['Arn'], VersionId=v['VersionId'])['PolicyVersion']['Document'] except botocore.exceptions.ClientError as e: module.fail_json(msg="Couldn't get policy version %s: %s" % (v['VersionId'], str(e)), exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) if sort_json_policy_dict(document) == sort_json_policy_dict( json.loads(policy_document)): return v, False # No existing version so create one # There is a service limit (typically 5) of policy versions. # # Rather than assume that it is 5, we'll try to create the policy # and if that doesn't work, delete the oldest non default policy version # and try again. try: version = iam.create_policy_version(PolicyArn=policy['Arn'], PolicyDocument=policy_document)['PolicyVersion'] return version, True except botocore.exceptions.ClientError as e: if e.response['Error']['Code'] == 'LimitExceeded': delete_oldest_non_default_version(module, iam, policy) try: version = iam.create_policy_version(PolicyArn=policy['Arn'], PolicyDocument=policy_document)['PolicyVersion'] return version, True except botocore.exceptions.ClientError as e: pass # Handle both when the exception isn't LimitExceeded or # the second attempt still failed module.fail_json(msg="Couldn't create policy version: %s" % str(e), exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
def get_or_create_policy_version(iam, policy, policy_document): versions = iam.list_policy_versions(PolicyArn=policy['Arn'])['Versions'] for v in versions: document = iam.get_policy_version( PolicyArn=policy['Arn'], VersionId=v['VersionId'])['PolicyVersion']['Document'] if sort_json_policy_dict(document) == sort_json_policy_dict( json.loads(policy_document)): return v, False # No existing version so create one # Instead of testing the versions list for the magic number 5, we are # going to attempt to create a version and catch the error try: return iam.create_policy_version( PolicyArn=policy['Arn'], PolicyDocument=policy_document)['PolicyVersion'], True except Exception as e: delete_oldest_non_default_version(iam, policy) return iam.create_policy_version( PolicyArn=policy['Arn'], PolicyDocument=policy_document)['PolicyVersion'], True
def _create_or_update_bucket(connection, module, location): policy = module.params.get("policy") name = module.params.get("name") requester_pays = module.params.get("requester_pays") tags = module.params.get("tags") versioning = module.params.get("versioning") changed = False try: bucket = connection.get_bucket(name) except S3ResponseError as e: try: bucket = connection.create_bucket(name, location=location) changed = True except (S3CreateError, BotoClientError) as e: module.fail_json(msg=e.message) # Versioning versioning_status = bucket.get_versioning_status() if versioning is not None: if versioning and versioning_status.get('Versioning') != "Enabled": try: bucket.configure_versioning(versioning) changed = True versioning_status = bucket.get_versioning_status() except S3ResponseError as e: module.fail_json(msg=e.message, exception=traceback.format_exc()) elif not versioning and versioning_status.get('Versioning') == "Enabled": try: bucket.configure_versioning(versioning) changed = True versioning_status = bucket.get_versioning_status() except S3ResponseError as e: module.fail_json(msg=e.message, exception=traceback.format_exc()) # Requester pays requester_pays_status = get_request_payment_status(bucket) if requester_pays_status != requester_pays: if requester_pays: payer = 'Requester' else: payer = 'BucketOwner' bucket.set_request_payment(payer=payer) changed = True requester_pays_status = get_request_payment_status(bucket) # Policy try: current_policy = json.loads(bucket.get_policy()) except S3ResponseError as e: if e.error_code == "NoSuchBucketPolicy": current_policy = {} else: module.fail_json(msg=e.message) if policy is not None: if isinstance(policy, string_types): policy = json.loads(policy) if not policy: bucket.delete_policy() # only show changed if there was already a policy changed = bool(current_policy) elif sort_json_policy_dict(current_policy) != sort_json_policy_dict(policy): # doesn't necessarily mean the policy has changed; syntax could differ changed = compare_policies(sort_json_policy_dict(current_policy), sort_json_policy_dict(policy)) try: if changed: bucket.set_policy(json.dumps(policy)) current_policy = json.loads(bucket.get_policy()) except S3ResponseError as e: module.fail_json(msg=e.message) # Tags try: current_tags = bucket.get_tags() except S3ResponseError as e: if e.error_code == "NoSuchTagSet": current_tags = None else: module.fail_json(msg=e.message) if current_tags is None: current_tags_dict = {} else: current_tags_dict = dict((t.key, t.value) for t in current_tags[0]) if tags is not None: if current_tags_dict != tags: try: if tags: bucket.set_tags(create_tags_container(tags)) else: bucket.delete_tags() current_tags_dict = tags changed = True except S3ResponseError as e: module.fail_json(msg=e.message) module.exit_json(changed=changed, name=bucket.name, versioning=versioning_status, requester_pays=requester_pays_status, policy=current_policy, tags=current_tags_dict)
def run(ecr, params, verbosity): # type: (EcsEcr, dict, int) -> Tuple[bool, dict] result = {} try: name = params['name'] state = params['state'] policy_text = params['policy'] delete_policy = params['delete_policy'] registry_id = params['registry_id'] force_set_policy = params['force_set_policy'] # If a policy was given, parse it policy = policy_text and json.loads(policy_text) result['state'] = state result['created'] = False repo = ecr.get_repository(registry_id, name) if state == 'present': result['created'] = False if not repo: repo = ecr.create_repository(registry_id, name) result['changed'] = True result['created'] = True result['repository'] = repo if delete_policy: original_policy = ecr.get_repository_policy(registry_id, name) if verbosity >= 2: result['policy'] = None if verbosity >= 3: result['original_policy'] = original_policy if original_policy: ecr.delete_repository_policy(registry_id, name) result['changed'] = True elif policy_text is not None: try: policy = sort_json_policy_dict(policy) if verbosity >= 2: result['policy'] = policy original_policy = ecr.get_repository_policy( registry_id, name) if original_policy: original_policy = sort_json_policy_dict(original_policy) if verbosity >= 3: result['original_policy'] = original_policy if original_policy != policy: ecr.set_repository_policy( registry_id, name, policy_text, force_set_policy) result['changed'] = True except Exception: # Some failure w/ the policy. It's helpful to know what the # policy is. result['policy'] = policy_text raise elif state == 'absent': result['name'] = name if repo: ecr.delete_repository(registry_id, name) result['changed'] = True except Exception as err: msg = str(err) if isinstance(err, ClientError): msg = boto_exception(err) result['msg'] = msg result['exception'] = traceback.format_exc() return False, result if ecr.skipped: result['skipped'] = True if ecr.changed: result['changed'] = True return True, result
def run(ecr, params): # type: (EcsEcr, dict, int) -> Tuple[bool, dict] result = {} try: name = params['name'] state = params['state'] policy_text = params['policy'] purge_policy = params['purge_policy'] or params['delete_policy'] registry_id = params['registry_id'] force_set_policy = params['force_set_policy'] lifecycle_policy_text = params['lifecycle_policy'] purge_lifecycle_policy = params['purge_lifecycle_policy'] # Parse policies, if they are given try: policy = policy_text and json.loads(policy_text) except ValueError: result['policy'] = policy_text result['msg'] = 'Could not parse policy' return False, result try: lifecycle_policy = \ lifecycle_policy_text and json.loads(lifecycle_policy_text) except ValueError: result['lifecycle_policy'] = lifecycle_policy_text result['msg'] = 'Could not parse lifecycle_policy' return False, result result['state'] = state result['created'] = False repo = ecr.get_repository(registry_id, name) if state == 'present': result['created'] = False if not repo: repo = ecr.create_repository(registry_id, name) result['changed'] = True result['created'] = True result['repository'] = repo if purge_lifecycle_policy: original_lifecycle_policy = \ ecr.get_lifecycle_policy(registry_id, name) result['lifecycle_policy'] = None if original_lifecycle_policy: ecr.delete_lifecycle_policy(registry_id, name) result['changed'] = True elif lifecycle_policy_text is not None: try: lifecycle_policy = sort_json_policy_dict(lifecycle_policy) result['lifecycle_policy'] = lifecycle_policy original_lifecycle_policy = ecr.get_lifecycle_policy( registry_id, name) if original_lifecycle_policy: original_lifecycle_policy = sort_json_policy_dict( original_lifecycle_policy) if original_lifecycle_policy != lifecycle_policy: ecr.put_lifecycle_policy(registry_id, name, lifecycle_policy_text) result['changed'] = True except: # Some failure w/ the policy. It's helpful to know what the # policy is. result['lifecycle_policy'] = lifecycle_policy_text raise if purge_policy: original_policy = ecr.get_repository_policy(registry_id, name) result['policy'] = None if original_policy: ecr.delete_repository_policy(registry_id, name) result['changed'] = True elif policy_text is not None: try: policy = sort_json_policy_dict(policy) result['policy'] = policy original_policy = ecr.get_repository_policy( registry_id, name) if original_policy: original_policy = sort_json_policy_dict( original_policy) if original_policy != policy: ecr.set_repository_policy(registry_id, name, policy_text, force_set_policy) result['changed'] = True except: # Some failure w/ the policy. It's helpful to know what the # policy is. result['policy'] = policy_text raise elif state == 'absent': result['name'] = name if repo: ecr.delete_repository(registry_id, name) result['changed'] = True except Exception as err: msg = str(err) if isinstance(err, ClientError): msg = boto_exception(err) result['msg'] = msg result['exception'] = traceback.format_exc() return False, result if ecr.skipped: result['skipped'] = True if ecr.changed: result['changed'] = True return True, result
def _create_or_update_bucket(connection, module, location): policy = module.params.get("policy") name = module.params.get("name") requester_pays = module.params.get("requester_pays") tags = module.params.get("tags") versioning = module.params.get("versioning") changed = False try: bucket = connection.get_bucket(name) except S3ResponseError as e: try: bucket = connection.create_bucket(name, location=location) changed = True except S3CreateError as e: module.fail_json(msg=e.message) # Versioning versioning_status = bucket.get_versioning_status() if versioning is not None: if versioning and versioning_status.get('Versioning') != "Enabled": try: bucket.configure_versioning(versioning) changed = True versioning_status = bucket.get_versioning_status() except S3ResponseError as e: module.fail_json(msg=e.message, exception=traceback.format_exc()) elif not versioning and versioning_status.get( 'Versioning') == "Enabled": try: bucket.configure_versioning(versioning) changed = True versioning_status = bucket.get_versioning_status() except S3ResponseError as e: module.fail_json(msg=e.message, exception=traceback.format_exc()) # Requester pays requester_pays_status = get_request_payment_status(bucket) if requester_pays_status != requester_pays: if requester_pays: payer = 'Requester' else: payer = 'BucketOwner' bucket.set_request_payment(payer=payer) changed = True requester_pays_status = get_request_payment_status(bucket) # Policy try: current_policy = json.loads(bucket.get_policy()) except S3ResponseError as e: if e.error_code == "NoSuchBucketPolicy": current_policy = {} else: module.fail_json(msg=e.message) if policy is not None: if isinstance(policy, string_types): policy = json.loads(policy) if not policy: bucket.delete_policy() # only show changed if there was already a policy changed = bool(current_policy) elif sort_json_policy_dict(current_policy) != sort_json_policy_dict( policy): try: bucket.set_policy(json.dumps(policy)) changed = True current_policy = json.loads(bucket.get_policy()) except S3ResponseError as e: module.fail_json(msg=e.message) # Tags try: current_tags = bucket.get_tags() except S3ResponseError as e: if e.error_code == "NoSuchTagSet": current_tags = None else: module.fail_json(msg=e.message) if current_tags is None: current_tags_dict = {} else: current_tags_dict = dict((t.key, t.value) for t in current_tags[0]) if tags is not None: if current_tags_dict != tags: try: if tags: bucket.set_tags(create_tags_container(tags)) else: bucket.delete_tags() current_tags_dict = tags changed = True except S3ResponseError as e: module.fail_json(msg=e.message) module.exit_json(changed=changed, name=bucket.name, versioning=versioning_status, requester_pays=requester_pays_status, policy=current_policy, tags=current_tags_dict)
def compare_assume_role_policy_doc(current_policy_doc, new_policy_doc): if sort_json_policy_dict(current_policy_doc) == sort_json_policy_dict(json.loads(new_policy_doc)): return True else: return False
def run(ecr, params, verbosity): # type: (EcsEcr, dict, int) -> Tuple[bool, dict] result = {} try: name = params['name'] state = params['state'] policy_text = params['policy'] delete_policy = params['delete_policy'] registry_id = params['registry_id'] force_set_policy = params['force_set_policy'] # If a policy was given, parse it policy = policy_text and json.loads(policy_text) result['state'] = state result['created'] = False repo = ecr.get_repository(registry_id, name) if state == 'present': result['created'] = False if not repo: repo = ecr.create_repository(registry_id, name) result['changed'] = True result['created'] = True result['repository'] = repo if delete_policy: original_policy = ecr.get_repository_policy(registry_id, name) if verbosity >= 2: result['policy'] = None if verbosity >= 3: result['original_policy'] = original_policy if original_policy: ecr.delete_repository_policy(registry_id, name) result['changed'] = True elif policy_text is not None: try: policy = sort_json_policy_dict(policy) if verbosity >= 2: result['policy'] = policy original_policy = ecr.get_repository_policy( registry_id, name) if original_policy: original_policy = sort_json_policy_dict(original_policy) if verbosity >= 3: result['original_policy'] = original_policy if original_policy != policy: ecr.set_repository_policy( registry_id, name, policy_text, force_set_policy) result['changed'] = True except: # Some failure w/ the policy. It's helpful to know what the # policy is. result['policy'] = policy_text raise elif state == 'absent': result['name'] = name if repo: ecr.delete_repository(registry_id, name) result['changed'] = True except Exception as err: msg = str(err) if isinstance(err, ClientError): msg = boto_exception(err) result['msg'] = msg result['exception'] = traceback.format_exc() return False, result if ecr.skipped: result['skipped'] = True if ecr.changed: result['changed'] = True return True, result