def template(basedir, varname, vars, lookup_fatal=True, depth=0, expand_lists=True, convert_bare=False, fail_on_undefined=False, filter_fatal=True): ''' templates a data structure by traversing it and substituting for other data structures ''' from ansible import utils try: if convert_bare and isinstance(varname, basestring): first_part = varname.split(".")[0].split("[")[0] if first_part in vars and '{{' not in varname and '$' not in varname: varname = "{{%s}}" % varname if isinstance(varname, basestring): if '{{' in varname or '{%' in varname: varname = template_from_string(basedir, varname, vars, fail_on_undefined) if (varname.startswith("{") and not varname.startswith("{{")) or varname.startswith("["): eval_results = utils.safe_eval(varname, locals=vars, include_exceptions=True) if eval_results[1] is None: varname = eval_results[0] return varname elif isinstance(varname, (list, tuple)): return [template(basedir, v, vars, lookup_fatal, depth, expand_lists, fail_on_undefined=fail_on_undefined) for v in varname] elif isinstance(varname, dict): d = {} for (k, v) in varname.iteritems(): d[k] = template(basedir, v, vars, lookup_fatal, depth, expand_lists, fail_on_undefined=fail_on_undefined) return d else: return varname except errors.AnsibleFilterError: if filter_fatal: raise else: return varname
def template(basedir, varname, templatevars, lookup_fatal=True, depth=0, expand_lists=True, convert_bare=False, fail_on_undefined=False, filter_fatal=True): ''' templates a data structure by traversing it and substituting for other data structures ''' from ansible import utils try: if convert_bare and isinstance(varname, basestring): first_part = varname.split(".")[0].split("[")[0] if first_part in templatevars and '{{' not in varname and '$' not in varname: varname = "{{%s}}" % varname if isinstance(varname, basestring): if '{{' in varname or '{%' in varname: try: varname = template_from_string(basedir, varname, templatevars, fail_on_undefined) except errors.AnsibleError, e: raise errors.AnsibleError("Failed to template %s: %s" % (varname, str(e))) # template_from_string may return non strings for the case where the var is just # a reference to a single variable, so we should re_check before we do further evals if isinstance(varname, basestring): if (varname.startswith("{") and not varname.startswith("{{")) or varname.startswith("["): eval_results = utils.safe_eval(varname, locals=templatevars, include_exceptions=True) if eval_results[1] is None: varname = eval_results[0] return varname elif isinstance(varname, (list, tuple)): return [template(basedir, v, templatevars, lookup_fatal, depth, expand_lists, convert_bare, fail_on_undefined, filter_fatal) for v in varname]
def run(self, conn, tmp, module_name, module_args, inject, complex_args=None, **kwargs): try: args = {} if complex_args: args.update(complex_args) args.update(parse_kv(module_args)) envdict={} if self.runner.environment: env=template.template(self.runner.basedir, self.runner.environment, inject, convert_bare=True) env = utils.safe_eval(env) testQueue = args["queue_name"] region = args["region"] spec_file = path.expanduser("~/.nucleator/contrib/Bucketandq/orchestrator/specification.json") queue = self.initQueue(testQueue, region, env) self.main(self.addMessageToQueue, queue, spec_file) return ReturnData(conn=conn, comm_ok=True, result=dict(failed=False, changed=False, msg="Bucketandq Messages Created!")) except Exception, e: # deal with failure gracefully result = dict(failed=True, msg=type(e).__name__ + ": " + str(e)) return ReturnData(conn=conn, comm_ok=False, result=result)
def run(self, terms, inject=None, **kwargs): terms = safe_eval(terms) if not isinstance(terms, dict): print terms raise errors.AnsibleError("with_hash_items expects a dict") return [{"key": term[0], "value": term[1]} for term in terms.items()]
def template(basedir, varname, templatevars, lookup_fatal=True, depth=0, expand_lists=True, convert_bare=False, fail_on_undefined=False, filter_fatal=True): ''' templates a data structure by traversing it and substituting for other data structures ''' from ansible import utils try: if convert_bare and isinstance(varname, basestring): first_part = varname.split(".")[0].split("[")[0] if first_part in templatevars and '{{' not in varname and '$' not in varname: varname = "{{%s}}" % varname if isinstance(varname, basestring): if '{{' in varname or '{%' in varname: varname = template_from_string(basedir, varname, templatevars, fail_on_undefined) if (varname.startswith("{") and not varname.startswith("{{")) or varname.startswith("["): eval_results = utils.safe_eval(varname, locals=templatevars, include_exceptions=True) if eval_results[1] is None: varname = eval_results[0] return varname elif isinstance(varname, (list, tuple)): return [template(basedir, v, templatevars, lookup_fatal, depth, expand_lists, convert_bare, fail_on_undefined, filter_fatal) for v in varname] elif isinstance(varname, dict): d = {} for (k, v) in varname.iteritems(): d[k] = template(basedir, v, templatevars, lookup_fatal, depth, expand_lists, convert_bare, fail_on_undefined, filter_fatal) return d else: return varname except errors.AnsibleFilterError: if filter_fatal: raise else: return varname
def _command_filter(self, command, arg, items, inject): """Return only the items for which filter is true""" if '{{' not in arg: arg = '{{%s}}' % arg for item in items: template_vars = dict(inject, item=item) decision = safe_eval( template(self.basedir, arg, template_vars), locals=template_vars) if decision: yield item
def _compute_environment_string(self, inject=None): ''' what environment variables to use when running the command? ''' if not self.environment: return "" enviro = template.template(self.basedir, self.environment, inject, convert_bare=True) enviro = utils.safe_eval(enviro) if type(enviro) != dict: raise errors.AnsibleError("environment must be a dictionary, received %s" % enviro) result = "" for (k,v) in enviro.iteritems(): result = "%s=%s %s" % (k, pipes.quote(str(v)), result) return result
def template(basedir, varname, vars, lookup_fatal=True, depth=0, expand_lists=True, convert_bare=False, fail_on_undefined=False, filter_fatal=True): ''' templates a data structure by traversing it and substituting for other data structures ''' from ansible import utils try: if convert_bare and isinstance(varname, basestring): first_part = varname.split(".")[0].split("[")[0] if first_part in vars and '{{' not in varname and '$' not in varname: varname = "{{%s}}" % varname if isinstance(varname, basestring): if '{{' in varname or '{%' in varname: varname = template_from_string(basedir, varname, vars, fail_on_undefined) if (varname.startswith("{") and not varname.startswith("{{")) or varname.startswith("["): eval_results = utils.safe_eval(varname, locals=vars, include_exceptions=True) if eval_results[1] is None: varname = eval_results[0] if not '$' in varname: return varname m = _legacy_varFind(basedir, varname, vars, lookup_fatal, depth, expand_lists) if not m: return varname if m['start'] == 0 and m['end'] == len(varname): if m['replacement'] is not None: Flags.LEGACY_TEMPLATE_WARNING = True return template(basedir, m['replacement'], vars, lookup_fatal, depth, expand_lists) else: return varname else: Flags.LEGACY_TEMPLATE_WARNING = True return legacy_varReplace(basedir, varname, vars, lookup_fatal, depth, expand_lists) elif isinstance(varname, (list, tuple)): return [template(basedir, v, vars, lookup_fatal, depth, expand_lists, fail_on_undefined=fail_on_undefined) for v in varname] elif isinstance(varname, dict): d = {} for (k, v) in varname.iteritems(): d[k] = template(basedir, v, vars, lookup_fatal, depth, expand_lists, fail_on_undefined=fail_on_undefined) return d else: return varname except errors.AnsibleFilterError: if filter_fatal: raise else: return varname
def run(self, conn, tmp, module_name, module_args, inject, complex_args=None, **kwargs): args = {} if complex_args: args.update(complex_args) # attempt to prevent confusing messages when the variable didn't interpolate module_args = module_args.replace("{{ ", "{{").replace(" }}", "}}") kv = utils.parse_kv(module_args) args.update(kv) if not 'msg' in args and not 'var' in args: args['msg'] = 'Hello world!' result = {} if 'msg' in args: if 'fail' in args and utils.boolean(args['fail']): result = dict(failed=True, msg=args['msg']) else: result = dict(msg=args['msg']) elif 'var' in args: results = utils.safe_eval(args['var'], inject, include_exceptions=True, template_call=True) intermediate = results[0] exception = results[1] if exception is not None: intermediate = "failed to evaluate: %s" % str(exception) result[args['var']] = intermediate # force flag to make debug output module always verbose result['verbose_always'] = True return ReturnData(conn=conn, result=result)
def run(self, conn, tmp, module_name, module_args, inject, complex_args=None, **kwargs): try: args = {} if complex_args: args.update(complex_args) args.update(parse_kv(module_args)) redshift_endpoint = args["redshift_endpoint"] cage = args["cage_name"] customer = args["customer_name"] envdict={} if self.runner.environment: env=template.template(self.runner.basedir, self.runner.environment, inject, convert_bare=True) env = utils.safe_eval(env) route53_conn = boto.connect_route53(aws_access_key_id=env.get("AWS_ACCESS_KEY_ID"), aws_secret_access_key=env.get("AWS_SECRET_ACCESS_KEY"), security_token=env.get("AWS_SECURITY_TOKEN")) domain_name = "%s.%s.47lining.com" % (cage, customer) zones = route53_conn.get_hosted_zone_by_name(domain_name) if not zones: domain_name = "%s.%s.com" % (cage, customer) zones = route53_conn.get_hosted_zone_by_name(domain_name) zone_id = zones["GetHostedZoneResponse"]["HostedZone"]["Id"] zone_id = zone_id[12:] recordset = ResourceRecordSets(route53_conn, zone_id) try: change = recordset.add_change("UPSERT", "redshift.%s." % domain_name, "CNAME") change.add_value(redshift_endpoint) recordset.commit() except Exception, e: print "e: ", e change = recordset.add_change("CREATE", "redshift.%s." % domain_name, "CNAME") change.add_value(redshift_endpoint) recordset.commit() return ReturnData(conn=conn, comm_ok=True, result=dict(failed=False, changed=False, msg="CNAME is created!"))
def process(self, result, terms, index, current, inject): d = {i: current[i] for i in range(index)} if index == len(terms): result.append(d) return if type(terms[index]) in {str, unicode}: inject_ = {} inject_.update(inject) inject_['item'] = d items = safe_eval(template.template_from_string(self.basedir, terms[index], inject_, fail_on_undefined=True)) else: items = terms[index] if type(items) == dict: for i in items: current[index] = {'key': i, 'value': items[i]} self.process(result, terms, index + 1, current, inject) else: for i in items: current[index] = i self.process(result, terms, index + 1, current, inject)
def _executor_internal(self, host, new_stdin): ''' executes any module one or more times ''' host_variables = self.inventory.get_variables(host) host_connection = host_variables.get('ansible_connection', self.transport) if host_connection in [ 'paramiko', 'ssh', 'accelerate' ]: port = host_variables.get('ansible_ssh_port', self.remote_port) if port is None: port = C.DEFAULT_REMOTE_PORT else: # fireball, local, etc port = self.remote_port inject = {} inject = utils.combine_vars(inject, self.default_vars) inject = utils.combine_vars(inject, host_variables) inject = utils.combine_vars(inject, self.module_vars) inject = utils.combine_vars(inject, self.setup_cache[host]) inject.setdefault('ansible_ssh_user', self.remote_user) inject['hostvars'] = HostVars(self.setup_cache, self.inventory) inject['group_names'] = host_variables.get('group_names', []) inject['groups'] = self.inventory.groups_list() inject['vars'] = self.module_vars inject['defaults'] = self.default_vars inject['environment'] = self.environment if self.inventory.basedir() is not None: inject['inventory_dir'] = self.inventory.basedir() if self.inventory.src() is not None: inject['inventory_file'] = self.inventory.src() # late processing of parameterized sudo_user if self.sudo_user is not None: self.sudo_user = template.template(self.basedir, self.sudo_user, inject) # allow with_foo to work in playbooks... items = None items_plugin = self.module_vars.get('items_lookup_plugin', None) if items_plugin is not None and items_plugin in utils.plugins.lookup_loader: basedir = self.basedir if '_original_file' in inject: basedir = os.path.dirname(inject['_original_file']) filesdir = os.path.join(basedir, '..', 'files') if os.path.exists(filesdir): basedir = filesdir items_terms = self.module_vars.get('items_lookup_terms', '') items_terms = template.template(basedir, items_terms, inject) items = utils.plugins.lookup_loader.get(items_plugin, runner=self, basedir=basedir).run(items_terms, inject=inject) if type(items) != list: raise errors.AnsibleError("lookup plugins have to return a list: %r" % items) if len(items) and utils.is_list_of_strings(items) and self.module_name in [ 'apt', 'yum', 'pkgng' ]: # hack for apt, yum, and pkgng so that with_items maps back into a single module call inject['item'] = ",".join(items) items = None # logic to replace complex args if possible complex_args = self.complex_args # logic to decide how to run things depends on whether with_items is used if items is None: if isinstance(complex_args, basestring): complex_args = template.template(self.basedir, complex_args, inject, convert_bare=True) complex_args = utils.safe_eval(complex_args) if type(complex_args) != dict: raise errors.AnsibleError("args must be a dictionary, received %s" % complex_args) return self._executor_internal_inner(host, self.module_name, self.module_args, inject, port, complex_args=complex_args) elif len(items) > 0: # executing using with_items, so make multiple calls # TODO: refactor if self.background > 0: raise errors.AnsibleError("lookup plugins (with_*) cannot be used with async tasks") aggregrate = {} all_comm_ok = True all_changed = False all_failed = False results = [] for x in items: inject['item'] = x # TODO: this idiom should be replaced with an up-conversion to a Jinja2 template evaluation if isinstance(self.complex_args, basestring): complex_args = template.template(self.basedir, self.complex_args, inject, convert_bare=True) complex_args = utils.safe_eval(complex_args) if type(complex_args) != dict: raise errors.AnsibleError("args must be a dictionary, received %s" % complex_args) result = self._executor_internal_inner( host, self.module_name, self.module_args, inject, port, complex_args=complex_args ) results.append(result.result) if result.comm_ok == False: all_comm_ok = False all_failed = True break for x in results: if x.get('changed') == True: all_changed = True if (x.get('failed') == True) or (('rc' in x) and (x['rc'] != 0)): all_failed = True break msg = 'All items completed' if all_failed: msg = "One or more items failed." rd_result = dict(failed=all_failed, changed=all_changed, results=results, msg=msg) if not all_failed: del rd_result['failed'] return ReturnData(host=host, comm_ok=all_comm_ok, result=rd_result) else: self.callbacks.on_skipped(host, None) return ReturnData(host=host, comm_ok=True, result=dict(changed=False, skipped=True))
def run(self, conn, tmp, module_name, module_args, inject, complex_args=None, **kwargs): try: args = {} if complex_args: args.update(complex_args) args.update(parse_kv(module_args)) account_number = args["account_number"] region = args["region"] cloudtrail_bucket = args["cloudtrail_bucket"] envdict = {} if self.runner.environment: env = template.template(self.runner.basedir, self.runner.environment, inject, convert_bare=True) env = utils.safe_eval(env) if region == "us-east-1": other_regions = [ "us-west-1", "us-west-2", "eu-west-1", "us-east-2" ] elif region == "us-east-2": other_regions = [ "us-east-1", "us-west-1", "us-west-2", "eu-west-1" ] elif region == "us-west-1": other_regions = [ "us-east-1", "us-east-2", "us-west-2", "eu-west-1" ] elif region == "us-west-2": other_regions = [ "us-east-1", "us-east-2", "us-west-1", "eu-west-1" ] elif region == "eu-west-1": other_regions = [ "us-east-1", "us-east-2", "us-west-1", "us-west-2" ] else: raise SystemExit(1) # unsupported region for connect_region in other_regions: cloudtrail_name = "Cloudtrail-%s-%s" % (account_number, connect_region) try: connection = cloudtrail.connect_to_region( connect_region, aws_access_key_id=env.get("AWS_ACCESS_KEY_ID"), aws_secret_access_key=env.get("AWS_SECRET_ACCESS_KEY"), security_token=env.get("AWS_SECURITY_TOKEN")) except Exception, e: raise Exception try: result = connection.update_trail( cloudtrail_name, cloudtrail_bucket, include_global_service_events=False) result = connection.start_logging(cloudtrail_name) except Exception, e: result = connection.create_trail( cloudtrail_name, cloudtrail_bucket, include_global_service_events=False) result = connection.start_logging(cloudtrail_name)
def _executor_internal(self, host, new_stdin): ''' executes any module one or more times ''' host_variables = self.inventory.get_variables(host) host_connection = host_variables.get('ansible_connection', self.transport) if host_connection in [ 'paramiko', 'ssh', 'accelerate' ]: port = host_variables.get('ansible_ssh_port', self.remote_port) if port is None: port = C.DEFAULT_REMOTE_PORT else: # fireball, local, etc port = self.remote_port inject = {} inject = utils.combine_vars(inject, self.default_vars) inject = utils.combine_vars(inject, host_variables) inject = utils.combine_vars(inject, self.module_vars) inject = utils.combine_vars(inject, self.setup_cache[host]) inject.setdefault('ansible_ssh_user', self.remote_user) inject['hostvars'] = HostVars(self.setup_cache, self.inventory) inject['group_names'] = host_variables.get('group_names', []) inject['groups'] = self.inventory.groups_list() inject['vars'] = self.module_vars inject['defaults'] = self.default_vars inject['environment'] = self.environment inject['playbook_dir'] = self.basedir if self.inventory.basedir() is not None: inject['inventory_dir'] = self.inventory.basedir() if self.inventory.src() is not None: inject['inventory_file'] = self.inventory.src() # allow with_foo to work in playbooks... items = None items_plugin = self.module_vars.get('items_lookup_plugin', None) if items_plugin is not None and items_plugin in utils.plugins.lookup_loader: basedir = self.basedir if '_original_file' in inject: basedir = os.path.dirname(inject['_original_file']) filesdir = os.path.join(basedir, '..', 'files') if os.path.exists(filesdir): basedir = filesdir items_terms = self.module_vars.get('items_lookup_terms', '') items_terms = template.template(basedir, items_terms, inject) items = utils.plugins.lookup_loader.get(items_plugin, runner=self, basedir=basedir).run(items_terms, inject=inject) if type(items) != list: raise errors.AnsibleError("lookup plugins have to return a list: %r" % items) if len(items) and utils.is_list_of_strings(items) and self.module_name in [ 'apt', 'yum', 'pkgng' ]: # hack for apt, yum, and pkgng so that with_items maps back into a single module call use_these_items = [] for x in items: inject['item'] = x if not self.conditional or utils.check_conditional(self.conditional, self.basedir, inject, fail_on_undefined=self.error_on_undefined_vars): use_these_items.append(x) inject['item'] = ",".join(use_these_items) items = None # logic to replace complex args if possible complex_args = self.complex_args # logic to decide how to run things depends on whether with_items is used if items is None: if isinstance(complex_args, basestring): complex_args = template.template(self.basedir, complex_args, inject, convert_bare=True) complex_args = utils.safe_eval(complex_args) if type(complex_args) != dict: raise errors.AnsibleError("args must be a dictionary, received %s" % complex_args) return self._executor_internal_inner(host, self.module_name, self.module_args, inject, port, complex_args=complex_args) elif len(items) > 0: # executing using with_items, so make multiple calls # TODO: refactor if self.background > 0: raise errors.AnsibleError("lookup plugins (with_*) cannot be used with async tasks") aggregrate = {} all_comm_ok = True all_changed = False all_failed = False results = [] for x in items: inject['item'] = x # TODO: this idiom should be replaced with an up-conversion to a Jinja2 template evaluation if isinstance(self.complex_args, basestring): complex_args = template.template(self.basedir, self.complex_args, inject, convert_bare=True) complex_args = utils.safe_eval(complex_args) if type(complex_args) != dict: raise errors.AnsibleError("args must be a dictionary, received %s" % complex_args) result = self._executor_internal_inner( host, self.module_name, self.module_args, inject, port, complex_args=complex_args ) results.append(result.result) if result.comm_ok == False: all_comm_ok = False all_failed = True break for x in results: if x.get('changed') == True: all_changed = True if (x.get('failed') == True) or ('failed_when_result' in x and [x['failed_when_result']] or [('rc' in x) and (x['rc'] != 0)])[0]: all_failed = True break msg = 'All items completed' if all_failed: msg = "One or more items failed." rd_result = dict(failed=all_failed, changed=all_changed, results=results, msg=msg) if not all_failed: del rd_result['failed'] return ReturnData(host=host, comm_ok=all_comm_ok, result=rd_result) else: self.callbacks.on_skipped(host, None) return ReturnData(host=host, comm_ok=True, result=dict(changed=False, skipped=True))
def run(self, conn, tmp, module_name, module_args, inject, complex_args=None, **kwargs): try: args = {} if complex_args: args.update(complex_args) args.update(parse_kv(module_args)) # get starting credentials # from environment: # AWS_ACCESS_KEY_ID # AWS_SECRET_ACCESS_KEY # use get started credentials to do the roles dance and obtain # temporary credentials in target account #target_role_name = 'init-test3-shoppertrak-NucleatorCageBuilder-1I5ZOAYRJLS8Z' data = {} data.update(inject) # TODO use nucleator facts instead source_role_name = data[ 'nucleator_builder_role_name'] # TODO - RHS var here could have names in better alignment with current conventions target_role_name = data[ 'cage_builder_role_name'] # TODO - RHS var here could have names in better alignment with current conventions print "Target Role Name: ", target_role_name print "Source Role Name: ", source_role_name source_account_id = data['source_account_number'] target_account_id = data['target_account_number'] print "Target Account Number: ", target_account_id print "Source Account Number: ", source_account_id try: envdict = {} if self.runner.environment: env = template.template(self.runner.basedir, self.runner.environment, inject, convert_bare=True) env = utils.safe_eval(env) aws_access_key_id = env.get("AWS_ACCESS_KEY_ID") aws_secret_access_key = env.get("AWS_SECRET_ACCESS_KEY") security_token = env.get("AWS_SECURITY_TOKEN") aws_access_key_id = aws_access_key_id if aws_access_key_id else None aws_secret_access_key = aws_secret_access_key if aws_secret_access_key else None security_token = security_token if security_token else None sts_connection = STSConnection( aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, security_token=security_token) source_role = sts_connection.assume_role( role_arn='arn:aws:iam::{0}:role/{1}'.format( source_account_id, source_role_name), role_session_name='SourceRoleSession') vv("Successfully assumed {0} role in account {1}".format( source_role_name, source_account_id)) except Exception, e: result = dict( failed=True, msg=type(e).__name__ + ": Failed to obtain temporary credentials for role " + source_role_name + " in target account " + source_account_id + ", message: '" + str(e)) return ReturnData(conn=conn, comm_ok=False, result=result) try: sts_connection = STSConnection( aws_access_key_id=source_role.credentials.access_key, aws_secret_access_key=source_role.credentials.secret_key, security_token=source_role.credentials.session_token) target_role = sts_connection.assume_role( role_arn='arn:aws:iam::{0}:role/{1}'.format( target_account_id, target_role_name), role_session_name='TargetRoleSession') vv("Successfully assumed {0} role in account {1}".format( target_role_name, target_account_id)) except Exception, e: # deal with failure gracefully result = dict( failed=True, msg=type(e).__name__ + ": Failed to obtain temporary credentials for role " + target_role_name + " in target account " + target_account_id + ", message: '" + str(e) + " Security_Token: " + source_role.credentials.session_token) return ReturnData(conn=conn, comm_ok=False, result=result)
def run(self, conn, tmp, module_name, module_args, inject, complex_args=None, **kwargs): try: args = {} if complex_args: args.update(complex_args) args.update(parse_kv(module_args)) role_name = args["role_name"] account_number = args["account_number"] region = args["region"] logging_bucket = args["log_bucket"] envdict = {} if self.runner.environment: env = template.template(self.runner.basedir, self.runner.environment, inject, convert_bare=True) env = utils.safe_eval(env) bucketName = "config-bucket-%s-%s" % (account_number, region) snsName = "config-topic-%s-%s" % (account_number, region) s3_conn = s3.connect_to_region( region, aws_access_key_id=env.get("AWS_ACCESS_KEY_ID"), aws_secret_access_key=env.get("AWS_SECRET_ACCESS_KEY"), security_token=env.get("AWS_SECURITY_TOKEN")) try: bucket = s3_conn.get_bucket(bucketName) except Exception, e: if (region == "us-east-1"): bucket1 = s3_conn.create_bucket(bucketName) bucket2 = s3_conn.get_bucket(logging_bucket) response = bucket1.enable_logging(bucket2, "ConfigBucket/") else: bucket1 = s3_conn.create_bucket(bucketName, location=region) bucket2 = s3_conn.get_bucket(logging_bucket) response = bucket1.enable_logging(bucket2, "ConfigBucket/") sns_conn = sns.connect_to_region( region, aws_access_key_id=env.get("AWS_ACCESS_KEY_ID"), aws_secret_access_key=env.get("AWS_SECRET_ACCESS_KEY"), security_token=env.get("AWS_SECURITY_TOKEN")) sns_conn.create_topic(snsName) snsARN = "arn:aws:sns:%s:%s:%s" % (region, account_number, snsName) connection = configservice.connect_to_region( region, aws_access_key_id=env.get("AWS_ACCESS_KEY_ID"), aws_secret_access_key=env.get("AWS_SECRET_ACCESS_KEY"), security_token=env.get("AWS_SECURITY_TOKEN")) response = connection.describe_configuration_recorders() if len(response["ConfigurationRecorders"]) is 0: recorder_name = "config-recorder-%s" % account_number else: for item in response["ConfigurationRecorders"]: recorder_name = item["name"] response = connection.describe_delivery_channels() if len(response["DeliveryChannels"]) is 0: channel_name = "config-channel-%s" % account_number else: for item in response["DeliveryChannels"]: channel_name = item["name"] ConfigurationRecorder = { 'name': recorder_name, 'roleARN': "arn:aws:iam::%s:role/%s" % (account_number, role_name) } ConfigurationChannel = { 'name': channel_name, 's3BucketName': bucketName, 'snsTopicARN': snsARN } response = connection.put_configuration_recorder( ConfigurationRecorder) response = connection.put_delivery_channel(ConfigurationChannel) response = connection.start_configuration_recorder(recorder_name) return ReturnData(conn=conn, comm_ok=True, result=dict(failed=False, changed=False, msg="Config Service Created"))
def run(self, conn, tmp, module_name, module_args, inject, complex_args=None, **kwargs): try: args = {} if complex_args: args.update(complex_args) args.update(parse_kv(module_args)) access_policies = {} role_name = args["role_name"] print "Role Name: ", role_name assume_role_trust_policy = json.dumps(args["trust_policy"]) access_policies = args["access_policies"] envdict = {} if self.runner.environment: env = template.template(self.runner.basedir, self.runner.environment, inject, convert_bare=True) env = utils.safe_eval(env) sts_connection = STSConnection( aws_access_key_id=env.get("AWS_ACCESS_KEY_ID"), aws_secret_access_key=env.get("AWS_SECRET_ACCESS_KEY"), security_token=env.get("AWS_SECURITY_TOKEN")) c = boto.connect_iam( aws_access_key_id=env.get("AWS_ACCESS_KEY_ID"), aws_secret_access_key=env.get("AWS_SECRET_ACCESS_KEY"), security_token=env.get("AWS_SECURITY_TOKEN")) #Look for the role try: role = c.get_role(role_name) #Make sure the trust policy exists try: temp_trust_policy = urllib.unquote( role["get_role_response"]["get_role_result"]["role"] ["assume_role_policy_document"]) #Reorganize the json dict so it is in the same order of the yaml policy temp_trust_policy = json.dumps( json.loads(temp_trust_policy)) #Trust policy does not match, update it if not assume_role_trust_policy == temp_trust_policy: if not assume_role_trust_policy == "\"\"": c.update_assume_role_policy( role_name, assume_role_trust_policy) #Make sure each new policy exists for policies in access_policies: try: temp_policy = urllib.unquote( c.get_role_policy(role_name, policies["policy_name"]) ["get_role_policy_response"] ["get_role_policy_result"]["policy_document"]) #Policy has same name but does not match, update it if not temp_policy == json.dumps( policies["policy_document"]): if not policies["policy_document"] == "\"\"": c.delete_role_policy( role_name, policies["policy_name"]) c.put_role_policy( role_name, policies["policy_name"], json.dumps( policies["policy_document"])) #Can't find policy, add it except Exception, e: try: c.put_role_policy( role_name, policies["policy_name"], json.dumps(policies["policy_document"])) except Exception, e: # deal with failure gracefully result = dict(failed=True, msg=type(e).__name__ + ": " + str(e)) return ReturnData(conn=conn, comm_ok=False, result=result) #Returns true if the policy name exists def checkIfPolicyExists(access_policies, temp_name): for policy_name in access_policies: if policy_name["policy_name"] == temp_name: return True return False #Delete any policies that are not in the yaml temp_policy_names = c.list_role_policies(role_name) for temp_name in temp_policy_names[ "list_role_policies_response"][ "list_role_policies_result"]["policy_names"]: exists = checkIfPolicyExists(access_policies, temp_name) if not exists: c.delete_role_policy(role_name, temp_name) #Can't find trust policy, add it except Exception, e: try: c.update_assume_role_policy(role_name, assume_role_trust_policy) except Exception, e: # deal with failure gracefully result = dict(failed=True, msg=type(e).__name__ + ": " + str(e)) return ReturnData(conn=conn, comm_ok=False, result=result)