Add aws_caller_facts module and use it in setup-iam.yml (#36683)

* Add aws_caller_facts module and use it in setup-iam.yml

This removes the dependency on having the command line AWS tools
installed.

hacking/aws_config/setup-iam.yml

@@ -25,13 +25,12 @@
       when: iam_group is not defined
 
     - name: Get aws account ID
-      command: aws sts get-caller-identity --output text --query 'Account' "{{ '--profile=' ~ profile if profile else '' }}"
+      aws_caller_facts:
-      changed_when: False
+      register: aws_caller_facts
-      register: aws_account_command
 
     - name: Set aws_account_fact
       set_fact:
-        aws_account: "{{ aws_account_command.stdout }}"
+        aws_account: "{{ aws_caller_facts.account }}"
 
 
     - name: Ensure Managed IAM policies exist

lib/ansible/modules/cloud/amazon/aws_caller_facts.py

@@ -0,0 +1,84 @@
+#!/usr/bin/python
+# Copyright (c) 2017 Ansible Project
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+ANSIBLE_METADATA = {
+    'metadata_version': '1.1',
+    'status': ['preview'],
+    'supported_by': 'community'
+}
+
+DOCUMENTATION = '''
+---
+module: aws_caller_facts
+short_description: Get facts about the user and account being used to make AWS calls.
+description:
+    - This module returns information about the accont and user / role that the AWS access tokens are from.
+    - The primary use of this is to get the account id for templating into ARNs or similar to avoid needing to specify this information in inventory.
+version_added: "2.6"
+
+author: Ed Costello    (@orthanc)
+
+requirements: [ 'botocore', 'boto3' ]
+extends_documentation_fragment:
+    - aws
+    - ec2
+'''
+
+EXAMPLES = '''
+# Note: These examples do not set authentication details, see the AWS Guide for details.
+
+- name: Get the current caller identity facts
+  aws_caller_facts:
+  register: caller_facts
+'''
+
+RETURN = '''
+account:
+    description: The account id the access credentials are associated with.
+    returned: success
+    type: string
+    sample: "123456789012"
+arn:
+    description: The arn identifying the user the credentials are associated with.
+    returned: success
+    type: string
+    sample: arn:aws:sts::123456789012:federated-user/my-federated-user-name
+user_id:
+    description: |
+        The user id the access credentials are associated with. Note that this may not correspond to
+        anything you can look up in the case of roles or federated identities.
+    returned: success
+    type: string
+    sample: 123456789012:my-federated-user-name
+'''
+
+from ansible.module_utils.aws.core import AnsibleAWSModule
+from ansible.module_utils.ec2 import camel_dict_to_snake_dict
+
+try:
+    from botocore.exceptions import BotoCoreError, ClientError
+except ImportError:
+    pass  # caught by imported HAS_BOTO3
+
+
+def main():
+    module = AnsibleAWSModule(
+        argument_spec={},
+        supports_check_mode=True,
+    )
+
+    client = module.client('sts')
+
+    try:
+        caller_identity = client.get_caller_identity()
+        module.exit_json(
+            changed=False,
+            **camel_dict_to_snake_dict(caller_identity)
+        )
+    except (BotoCoreError, ClientError) as e:
+        module.fail_json_aws(e, msg='Failed to retrieve caller identity')
+
+
+if __name__ == '__main__':
+    main()

test/integration/targets/aws_caller_facts/aliases

@@ -0,0 +1,2 @@
+cloud/aws
+posix/ci/cloud/group4/aws

test/integration/targets/aws_caller_facts/tasks/main.yaml

@@ -0,0 +1,14 @@
+- name: retrieve caller facts
+  aws_caller_facts:
+    region: "{{ aws_region }}"
+    aws_access_key: "{{ aws_access_key }}"
+    aws_secret_key: "{{ aws_secret_key }}"
+    security_token: "{{security_token}}"
+  register: result
+
+- name: assert correct keys are returned
+  assert:
+    that:
+      - result.account is not none
+      - result.arn is not none
+      - result.user_id is not none