cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

[cloud] iam_role: allow retention of existing policies (#28513)

Browse source 
* module_iam_role: add_remove_policies_option

* Update 24080 with requested changes.

* Fix whitespace and rename the option remove_unlisted_policies to purge_policies.

Update version_added

* Fix exception handling in iam_role module

* Fix line length
This commit is contained in:
Sloane Hertel 2018-01-30 15:13:45 -05:00 committed by Ryan Brown
parent 234a877ea5
commit 2c4f52d404
1 changed files with 86 additions and 32 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

118
lib/ansible/modules/cloud/amazon/iam_role.py
View file

@ -36,6 +36,12 @@ options:
- A list of managed policy ARNs or, since Ansible 2.4, a list of either managed policy ARNs or friendly names. - A list of managed policy ARNs or, since Ansible 2.4, a list of either managed policy ARNs or friendly names.
To embed an inline policy, use M(iam_policy). To remove existing policies, use an empty list item. To embed an inline policy, use M(iam_policy). To remove existing policies, use an empty list item.
aliases: [ managed_policies ] aliases: [ managed_policies ]
purge_policies:
description:
- Detaches any managed policies not listed in the "managed_policy" option. Set to false if you want to attach policies elsewhere.
type: bool
default: true
version_added: "2.5"
state: state:
description: description:
- Create or remove the IAM role - Create or remove the IAM role
@ -143,6 +149,7 @@ iam_role:
] ]
''' '''
from ansible.module_utils._text import to_native
from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ec2 import camel_dict_to_snake_dict, ec2_argument_spec, get_aws_connection_info, boto3_conn, sort_json_policy_dict from ansible.module_utils.ec2 import camel_dict_to_snake_dict, ec2_argument_spec, get_aws_connection_info, boto3_conn, sort_json_policy_dict
from ansible.module_utils.ec2 import HAS_BOTO3 from ansible.module_utils.ec2 import HAS_BOTO3
@ -151,7 +158,7 @@ import json
import traceback import traceback
try: try:
from botocore.exceptions import ClientError, NoCredentialsError from botocore.exceptions import ClientError, BotoCoreError
except ImportError: except ImportError:
pass # caught by imported HAS_BOTO3 pass # caught by imported HAS_BOTO3
@ -196,6 +203,19 @@ def convert_friendly_names_to_arns(connection, module, policy_names):
module.fail_json(msg="Couldn't find policy: " + str(e)) module.fail_json(msg="Couldn't find policy: " + str(e))
def remove_policies(connection, module, policies_to_remove, params):
for policy in policies_to_remove:
try:
connection.detach_role_policy(RoleName=params['RoleName'], PolicyArn=policy)
except ClientError as e:
module.fail_json(msg="Unable to detach policy {0} from {1}: {2}".format(policy, params['RoleName'], to_native(e)),
exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
except BotoCoreError as e:
module.fail_json(msg="Unable to detach policy {0} from {1}: {2}".format(policy, params['RoleName'], to_native(e)),
exception=traceback.format_exc())
return True
def create_or_update_role(connection, module): def create_or_update_role(connection, module):
params = dict() params = dict()
@ -219,7 +239,9 @@ def create_or_update_role(connection, module):
role = connection.create_role(**params) role = connection.create_role(**params)
changed = True changed = True
except ClientError as e: except ClientError as e:
module.fail_json(msg=e.message, exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) module.fail_json(msg="Unable to create role", exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
except BotoCoreError as e:
module.fail_json(msg="Unable to create role", exception=traceback.format_exc())
else: else:
# Check Assumed Policy document # Check Assumed Policy document
if not compare_assume_role_policy_doc(role['AssumeRolePolicyDocument'], params['AssumeRolePolicyDocument']): if not compare_assume_role_policy_doc(role['AssumeRolePolicyDocument'], params['AssumeRolePolicyDocument']):
@ -227,40 +249,41 @@ def create_or_update_role(connection, module):
connection.update_assume_role_policy(RoleName=params['RoleName'], PolicyDocument=json.dumps(json.loads(params['AssumeRolePolicyDocument']))) connection.update_assume_role_policy(RoleName=params['RoleName'], PolicyDocument=json.dumps(json.loads(params['AssumeRolePolicyDocument'])))
changed = True changed = True
except ClientError as e: except ClientError as e:
module.fail_json(msg=e.message, exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) module.fail_json(msg="Unable to update assume role policy for role {0}: {1}".format(params['RoleName'], to_native(e)),
exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
except BotoCoreError as e:
module.fail_json(msg="Unable to update assume role policy for role {0}: {1}".format(params['RoleName'], to_native(e)),
exception=traceback.format_exc())
if managed_policies is not None: if managed_policies is not None:
# Get list of current attached managed policies # Get list of current attached managed policies
current_attached_policies = get_attached_policy_list(connection, module, params['RoleName']) current_attached_policies = get_attached_policy_list(connection, module, params['RoleName'])
current_attached_policies_arn_list = [policy['PolicyArn'] for policy in current_attached_policies]
# If a single empty list item then all managed policies to be removed # If a single empty list item then all managed policies to be removed
if len(managed_policies) == 1 and not managed_policies[0]: if len(managed_policies) == 1 and not managed_policies[0] and module.params.get('purge_policies'):
for policy in current_attached_policies:
try: # Detach policies not present
connection.detach_role_policy(RoleName=params['RoleName'], PolicyArn=policy['PolicyArn']) if remove_policies(connection, module, set(current_attached_policies_arn_list) - set(managed_policies), params):
except ClientError as e:
module.fail_json(msg=e.message, exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
changed = True changed = True
else: else:
# Make a list of the ARNs from the attached policies # Make a list of the ARNs from the attached policies
current_attached_policies_arn_list = []
for policy in current_attached_policies:
current_attached_policies_arn_list.append(policy['PolicyArn'])
# Detach roles not defined in task # Detach roles not defined in task
for policy_arn in list(set(current_attached_policies_arn_list) - set(managed_policies)): if module.params.get('purge_policies'):
try: if remove_policies(connection, module, set(current_attached_policies_arn_list) - set(managed_policies), params):
connection.detach_role_policy(RoleName=params['RoleName'], PolicyArn=policy_arn) changed = True
except ClientError as e:
module.fail_json(msg=e.message, exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
changed = True
# Attach roles not already attached # Attach roles not already attached
for policy_arn in list(set(managed_policies) - set(current_attached_policies_arn_list)): for policy_arn in set(managed_policies) - set(current_attached_policies_arn_list):
try: try:
connection.attach_role_policy(RoleName=params['RoleName'], PolicyArn=policy_arn) connection.attach_role_policy(RoleName=params['RoleName'], PolicyArn=policy_arn)
except ClientError as e: except ClientError as e:
module.fail_json(msg=e.message, exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) module.fail_json(msg="Unable to attach policy {0} to role {1}: {2}".format(policy_arn, params['RoleName'], to_native(e)),
exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
except BotoCoreError as e:
module.fail_json(msg="Unable to attach policy {0} to role {1}: {2}".format(policy_arn, params['RoleName'], to_native(e)),
exception=traceback.format_exc())
changed = True changed = True
# Instance profile # Instance profile
@ -268,7 +291,11 @@ def create_or_update_role(connection, module):
try: try:
instance_profiles = connection.list_instance_profiles_for_role(RoleName=params['RoleName'])['InstanceProfiles'] instance_profiles = connection.list_instance_profiles_for_role(RoleName=params['RoleName'])['InstanceProfiles']
except ClientError as e: except ClientError as e:
module.fail_json(msg=e.message, exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) module.fail_json(msg="Unable to list instance profiles for role {0}: {1}".format(params['RoleName'], to_native(e)),
exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
except BotoCoreError as e:
module.fail_json(msg="Unable to list instance profiles for role {0}: {1}".format(params['RoleName'], to_native(e)),
exception=traceback.format_exc())
if not any(p['InstanceProfileName'] == params['RoleName'] for p in instance_profiles): if not any(p['InstanceProfileName'] == params['RoleName'] for p in instance_profiles):
# Make sure an instance profile is attached # Make sure an instance profile is attached
try: try:
@ -279,7 +306,11 @@ def create_or_update_role(connection, module):
if e.response['Error']['Code'] == 'EntityAlreadyExists': if e.response['Error']['Code'] == 'EntityAlreadyExists':
pass pass
else: else:
module.fail_json(msg=e.message, exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) module.fail_json(msg="Unable to create instance profile for role {0}: {1}".format(params['RoleName'], to_native(e)),
exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
except BotoCoreError as e:
module.fail_json(msg="Unable to create instance profile for role {0}: {1}".format(params['RoleName'], to_native(e)),
exception=traceback.format_exc())
connection.add_role_to_instance_profile(InstanceProfileName=params['RoleName'], RoleName=params['RoleName']) connection.add_role_to_instance_profile(InstanceProfileName=params['RoleName'], RoleName=params['RoleName'])
# Get the role again # Get the role again
@ -300,26 +331,43 @@ def destroy_role(connection, module):
try: try:
instance_profiles = connection.list_instance_profiles_for_role(RoleName=params['RoleName'])['InstanceProfiles'] instance_profiles = connection.list_instance_profiles_for_role(RoleName=params['RoleName'])['InstanceProfiles']
except ClientError as e: except ClientError as e:
module.fail_json(msg=e.message, exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) module.fail_json(msg="Unable to list instance profiles for role {0}: {1}".format(params['RoleName'], to_native(e)),
exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
except BotoCoreError as e:
module.fail_json(msg="Unable to list instance profiles for role {0}: {1}".format(params['RoleName'], to_native(e)),
exception=traceback.format_exc())
# Now remove the role from the instance profile(s) # Now remove the role from the instance profile(s)
for profile in instance_profiles: for profile in instance_profiles:
try: try:
connection.remove_role_from_instance_profile(InstanceProfileName=profile['InstanceProfileName'], RoleName=params['RoleName']) connection.remove_role_from_instance_profile(InstanceProfileName=profile['InstanceProfileName'], RoleName=params['RoleName'])
except ClientError as e: except ClientError as e:
module.fail_json(msg=e.message, exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) module.fail_json(msg="Unable to remove role {0} from instance profile {1}: {2}".format(
params['RoleName'], profile['InstanceProfileName'], to_native(e)),
exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
except BotoCoreError as e:
module.fail_json(msg="Unable to remove role {0} from instance profile {1}: {2}".format(
params['RoleName'], profile['InstanceProfileName'], to_native(e)),
exception=traceback.format_exc())
# Now remove any attached policies otherwise deletion fails # Now remove any attached policies otherwise deletion fails
try: try:
for policy in get_attached_policy_list(connection, module, params['RoleName']): for policy in get_attached_policy_list(connection, module, params['RoleName']):
connection.detach_role_policy(RoleName=params['RoleName'], PolicyArn=policy['PolicyArn']) connection.detach_role_policy(RoleName=params['RoleName'], PolicyArn=policy['PolicyArn'])
except ClientError as e: except ClientError as e:
module.fail_json(msg=e.message, exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) module.fail_json(msg="Unable to detach policy {0} from role {1}: {2}".format(policy['PolicyArn'], params['RoleName'], to_native(e)),
exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
except BotoCoreError as e:
module.fail_json(msg="Unable to detach policy {0} from role {1}: {2}".format(policy['PolicyArn'], params['RoleName'], to_native(e)),
exception=traceback.format_exc())
try: try:
connection.delete_role(**params) connection.delete_role(**params)
except ClientError as e: except ClientError as e:
module.fail_json(msg=e.message, exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) module.fail_json(msg="Unable to delete role: {0}".format(to_native(e)),
exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
except BotoCoreError as e:
module.fail_json(msg="Unable to delete role: {0}".format(to_native(e)), exception=traceback.format_exc())
else: else:
module.exit_json(changed=False) module.exit_json(changed=False)
@ -333,9 +381,10 @@ def get_role(connection, module, name):
if e.response['Error']['Code'] == 'NoSuchEntity': if e.response['Error']['Code'] == 'NoSuchEntity':
return None return None
else: else:
module.fail_json(msg=e.message, exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) module.fail_json(msg="Unable to get role {0}: {1}".format(name, to_native(e)),
except NoCredentialsError as e: exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
module.fail_json(msg="AWS authentication problem. " + e.message, exception=traceback.format_exc()) except BotoCoreError as e:
module.fail_json(msg="Unable to get role {0}: {1}".format(name, to_native(e)), exception=traceback.format_exc())
def get_attached_policy_list(connection, module, name): def get_attached_policy_list(connection, module, name):
@ -344,9 +393,13 @@ def get_attached_policy_list(connection, module, name):
return connection.list_attached_role_policies(RoleName=name)['AttachedPolicies'] return connection.list_attached_role_policies(RoleName=name)['AttachedPolicies']
except ClientError as e: except ClientError as e:
if e.response['Error']['Code'] == 'NoSuchEntity': if e.response['Error']['Code'] == 'NoSuchEntity':
return None return []
else: else:
module.fail_json(msg=e.message, exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) module.fail_json(msg="Unable to list attached policies for role {0}: {1}".format(name, to_native(e)),
exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
except BotoCoreError as e:
module.fail_json(msg="Unable to list attached policies for role {0}: {1}".format(name, to_native(e)),
exception=traceback.format_exc())
def main(): def main():
@ -360,7 +413,8 @@ def main():
managed_policy=dict(type='list', aliases=['managed_policies']), managed_policy=dict(type='list', aliases=['managed_policies']),
state=dict(type='str', choices=['present', 'absent'], default='present'), state=dict(type='str', choices=['present', 'absent'], default='present'),
description=dict(type='str'), description=dict(type='str'),
create_instance_profile=dict(type='bool', default=True) create_instance_profile=dict(type='bool', default=True),
purge_policies=dict(type='bool', default=True),
) )
) )