def update_iam_role(iam, role_name, assume_role_policy_file, permission_policy_file): try: iam.get_role(role_name) except: print role_name + ' role not found. Creating role ' iam.create_role(role_name) print 'Updating assume role policy of ' + role_name with open(assume_role_policy_file, "r") as myfile: policy = myfile.read() iam.update_assume_role_policy(role_name, policy) print 'Updating attached permission policies of ' + role_name for rp in iam.list_role_policies(role_name).get('list_role_policies_response').get('list_role_policies_result').get('policy_names'): iam.delete_role_policy(role_name, rp) with open(permission_policy_file, "r") as myfile: policy = myfile.read() iam.put_role_policy(role_name, role_name + '_permission_policy', policy) try: iam.get_instance_profile(role_name) except: print role_name + ' instance profile not found. Creating instance profile' iam.create_instance_profile(role_name) print 'Updating role and instance profile association of ' + role_name for ip in iam.list_instance_profiles_for_role(role_name).get('list_instance_profiles_for_role_response').get('list_instance_profiles_for_role_result').get('instance_profiles'): iam.remove_role_from_instance_profile(role_name, role_name) iam.add_role_to_instance_profile(role_name, role_name)
def create_role(module, iam, name, path, role_list, prof_list): changed = False try: if name not in role_list: changed = True iam.create_role( name, path=path).create_role_response.create_role_result.role.role_name if name not in prof_list: iam.create_instance_profile(name, path=path) iam.add_role_to_instance_profile(name, name) except boto.exception.BotoServerError, err: module.fail_json(changed=changed, msg=str(err))
def iam_role(name, policy_name='managedpolicy'): policy = json.dumps(policies[name], sort_keys=True, indent=4, separators=(',', ': ')) try: role = iam.get_role(name) except boto.exception.BotoServerError: role = None if role is None: iam.create_role(name) role = iam.get_role(name) # ...someday, maybe support for multiple policies via iam.list_role_policies() iam.put_role_policy(name, policy_name, policy)
def create_role(iam, name, path, role_list, prof_list): changed = False if name not in role_list: changed = True iam.create_role( name, path=path).create_role_response.create_role_result.role.role_name if name not in prof_list: iam.create_instance_profile(name, path=path) iam.add_role_to_instance_profile(name, name) updated_role_list = [rl['role_name'] for rl in iam.list_roles().list_roles_response. list_roles_result.roles] return changed, updated_role_list
def create_role(module, iam, name, path, role_list, prof_list, trust_policy_doc): changed = False iam_role_result = None instance_profile_result = None try: if name not in role_list: changed = True iam_role_result = iam.create_role( name, assume_role_policy_document=trust_policy_doc, path=path).create_role_response.create_role_result.role if name not in prof_list: instance_profile_result = iam.create_instance_profile(name, path=path) \ .create_instance_profile_response.create_instance_profile_result.instance_profile iam.add_role_to_instance_profile(name, name) else: instance_profile_result = iam.get_instance_profile( name ).get_instance_profile_response.get_instance_profile_result.instance_profile except boto.exception.BotoServerError as err: module.fail_json(changed=changed, msg=str(err)) else: updated_role_list = list_all_roles(iam) iam_role_result = iam.get_role( name).get_role_response.get_role_result.role return changed, updated_role_list, iam_role_result, instance_profile_result
def get_role_name(): with mock_iam_deprecated(): iam = boto.connect_iam() role = iam.create_role("my-role")["create_role_response"]["create_role_result"][ "role" ]["arn"] return role
def main(): argument_spec = ec2_argument_spec() argument_spec.update(dict( role_name = dict(default=None,required=True), assume_role_policy_document = dict(default=None,required=False), state = dict(default='present', choices=['present', 'absent']), ) ) module = AnsibleModule( argument_spec=argument_spec ) role_name = module.params.get('role_name') assume_role_policy_document = module.params.get('assume_role_policy_document') if type(assume_role_policy_document) == type(dict()): assume_role_policy_document = json.dumps(assume_role_policy_document) region, ec2_url, aws_connect_params = get_aws_connection_info(module) iam = connect_to_aws(boto.iam, region, **aws_connect_params) state = module.params.get('state') role_missing = False role_data = None try: response = iam.get_role(role_name) role_data = response.get_role_result.role except boto.exception.BotoServerError as e: if e.status == 404: role_missing = True if state == 'present': if role_missing: response = iam.create_role(role_name, assume_role_policy_document) module.exit_json(changed = True, role = response.create_role_result.role) else: module.exit_json(changed = False, role = role_data) elif state == 'absent': if not role_missing: response = iam.delete_role(role_name) module.exit_json(changed = not role_missing)
def main(): argument_spec = ec2_argument_spec() argument_spec.update( dict( role_name=dict(default=None, required=True), assume_role_policy_document=dict(default=None, required=False), state=dict(default='present', choices=['present', 'absent']), )) module = AnsibleModule(argument_spec=argument_spec) role_name = module.params.get('role_name') assume_role_policy_document = module.params.get( 'assume_role_policy_document') if type(assume_role_policy_document) == type(dict()): assume_role_policy_document = json.dumps(assume_role_policy_document) region, ec2_url, aws_connect_params = get_aws_connection_info(module) iam = connect_to_aws(boto.iam, region, **aws_connect_params) state = module.params.get('state') role_missing = False role_data = None try: response = iam.get_role(role_name) role_data = response.get_role_result.role except boto.exception.BotoServerError as e: if e.status == 404: role_missing = True if state == 'present': if role_missing: response = iam.create_role(role_name, assume_role_policy_document) module.exit_json(changed=True, role=response.create_role_result.role) else: module.exit_json(changed=False, role=role_data) elif state == 'absent': if not role_missing: response = iam.delete_role(role_name) module.exit_json(changed=not role_missing)
def create_role(module, iam, name, path, role_list, prof_list, trust_policy_doc): changed = False iam_role_result = None instance_profile_result = None try: if name not in role_list: changed = True iam_role_result = iam.create_role(name, assume_role_policy_document=trust_policy_doc, path=path).create_role_response.create_role_result.role.role_name if name not in prof_list: instance_profile_result = iam.create_instance_profile(name, path=path).create_instance_profile_response.create_instance_profile_result.instance_profile iam.add_role_to_instance_profile(name, name) except boto.exception.BotoServerError as err: module.fail_json(changed=changed, msg=str(err)) else: updated_role_list = list_all_roles(iam) return changed, updated_role_list, iam_role_result, instance_profile_result