def deleteRole(ctx, roleName): iam = ctx.iam # First, find out if there are any active instances using the role. If so, # then deleting it will likely break the running instance. instanceProfiles, _ = aws_profiles.getInstanceProfilesForRoleName(ctx, roleName) inUses = [] for instanceProfile in instanceProfiles: instanceProfileId = instanceProfile["InstanceProfileId"] instances, instancesByProfileId = aws_instances.getInstancesByIAMInstanceProfileId(ctx, instanceProfile["Arn"]) for instance in instances: fullName = aws_instances.getTag(ctx, instance["Tags"], "FullName") state = instance["State"]["Name"] if state != "terminated": inUses.append({"fullName": fullName, "state": state, "profileId": instanceProfileId}) if len(inUses) > 0: ctx.log("Error: Cannot delete role %s. The following active instances are attached: " % (roleName)) for entry in inUses: ctx.log( " Instance: %-25s State: %-10s Profile ID: %s" % (entry["fullName"], entry["state"], entry["profileId"]) ) ctx.log("These instance must be terminated before the role can be deleted") return for instanceProfile in instanceProfiles: instanceProfileName = instanceProfile["InstanceProfileName"] aws_profiles.removeRoleFromProfile(ctx, roleName, instanceProfileName) aws_profiles.deleteInstanceProfile(ctx, instanceProfileName) detachAllPolicies(ctx, roleName) if ctx.dry_run: ctx.log("iam.delete_role(RoleName=roleName)" % (roleName)) else: iam.delete_role(RoleName=roleName) ctx.audit("Deleted role: %s" % roleName)
def showInstanceProfiles(ctx, targetRegion, targetEnv, targetRole, targetProfileName, targetId, show_instances): instanceProfiles,instanceProfileByProfileId = aws_profiles.getAllInstanceProfiles(ctx) if show_instances: instances, instancesByProfileId = aws_instances.getInstances(ctx, targetRegion, targetEnv ) for profile in instanceProfiles: profileName = profile['InstanceProfileName'] profileId = profile['InstanceProfileId'] if targetProfileName != None and profileName != targetProfileName: continue if targetId != None and profileId != targetId: continue region, env, role = utils.regionEnvAndRole(profileName) if targetRegion != None and region != targetRegion: continue if targetEnv != None and env != targetEnv: continue if targetRole != None and role != targetRole: continue ctx.log('Profile Name: %s Profile ID: %s' % (profileName, profileId)) ctx.log(' Attached Roles:') for role in profile['Roles']: ctx.log(' %s' % (role['RoleName'])) if not show_instances: continue if profileId in instancesByProfileId: ctx.log(' Attached Instances:') for instance in instancesByProfileId[profileId]: fullName = aws_instances.getTag(ctx,instance['Tags'], 'FullName') ctx.log(' %s' % (fullName)) else: ctx.log(' No Attached Instances:') ctx.log('\n') if not show_instances: return if 'NO_INSTANCE_PROFILE' in instancesByProfileId: ctx.log('The following instances have no profile id') for instance in instancesByProfileId['NO_INSTANCE_PROFILE']: fullName = aws_instances.getTag(ctx,instance['Tags'], 'FullName') state = instance['State']['Name'] ctx.log(' %-30s State: %s' % (fullName, state)) else: ctx.log('All instances have a profile id') badIds = [] for instance in instances: if 'IamInstanceProfile' not in instance: continue profileId = instance['IamInstanceProfile']['Id'] if profileId not in instanceProfileByProfileId: fullName = aws_instances.getTag(ctx,instance['Tags'], 'FullName') state = instance['State']['Name'] badIds.append({'fullName':fullName,'state':state, 'profileId':profileId}) if len(badIds) > 0: ctx.log('\nThe following instances have a bad profile id') for entry in badIds: ctx.log(' Instance: %-25s State: %-10s Profile ID: %s' % (entry['fullName'], entry['state'], entry['profileId'])) else: ctx.log('\nAll instances have a valid profile id')