[aws] Add aws_iam_role check mode support (#39002)

* Check mode when adding * Check mode when deleting * Add check mode
2018-05-03 21:00:36 +09:00 · 2018-05-03 21:00:36 +09:00 · e2908ae8df
commit e2908ae8df
parent 910bc892c6
1 changed files with 27 additions and 13 deletions
--- a/lib/ansible/modules/cloud/amazon/iam_role.py
+++ b/lib/ansible/modules/cloud/amazon/iam_role.py
@ -206,7 +206,8 @@ def convert_friendly_names_to_arns(connection, module, policy_names):
 def remove_policies(connection, module, policies_to_remove, params):
    for policy in policies_to_remove:
        try:
-            connection.detach_role_policy(RoleName=params['RoleName'], PolicyArn=policy)
+            if not module.check_mode:
+                connection.detach_role_policy(RoleName=params['RoleName'], PolicyArn=policy)
        except ClientError as e:
            module.fail_json(msg="Unable to detach policy {0} from {1}: {2}".format(policy, params['RoleName'], to_native(e)),
                             exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
@ -236,7 +237,11 @@ def create_or_update_role(connection, module):
    # If role is None, create it
    if role is None:
        try:
-            role = connection.create_role(**params)
+            if not module.check_mode:
+                role = connection.create_role(**params)
+            else:
+                role = {'MadeInCheckMode': True}
+                role['AssumeRolePolicyDocument'] = json.loads(params['AssumeRolePolicyDocument'])
            changed = True
        except ClientError as e:
            module.fail_json(msg="Unable to create role: {0}".format(to_native(e)),
@ -248,7 +253,8 @@ def create_or_update_role(connection, module):
        # Check Assumed Policy document
        if not compare_assume_role_policy_doc(role['AssumeRolePolicyDocument'], params['AssumeRolePolicyDocument']):
            try:
-                connection.update_assume_role_policy(RoleName=params['RoleName'], PolicyDocument=json.dumps(json.loads(params['AssumeRolePolicyDocument'])))
+                if not module.check_mode:
+                    connection.update_assume_role_policy(RoleName=params['RoleName'], PolicyDocument=json.dumps(json.loads(params['AssumeRolePolicyDocument'])))
                changed = True
            except ClientError as e:
                module.fail_json(msg="Unable to update assume role policy for role {0}: {1}".format(params['RoleName'], to_native(e)),
@ -279,7 +285,8 @@ def create_or_update_role(connection, module):
            # Attach roles not already attached
            for policy_arn in set(managed_policies) - set(current_attached_policies_arn_list):
                try:
-                    connection.attach_role_policy(RoleName=params['RoleName'], PolicyArn=policy_arn)
+                    if not module.check_mode:
+                        connection.attach_role_policy(RoleName=params['RoleName'], PolicyArn=policy_arn)
                except ClientError as e:
                    module.fail_json(msg="Unable to attach policy {0} to role {1}: {2}".format(policy_arn, params['RoleName'], to_native(e)),
                                     exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
@ -289,7 +296,7 @@ def create_or_update_role(connection, module):
                changed = True

    # Instance profile
-    if create_instance_profile:
+    if create_instance_profile and not role.get('MadeInCheckMode', False):
        try:
            instance_profiles = connection.list_instance_profiles_for_role(RoleName=params['RoleName'])['InstanceProfiles']
        except ClientError as e:
@ -301,7 +308,8 @@ def create_or_update_role(connection, module):
        if not any(p['InstanceProfileName'] == params['RoleName'] for p in instance_profiles):
            # Make sure an instance profile is attached
            try:
-                connection.create_instance_profile(InstanceProfileName=params['RoleName'], Path=params['Path'])
+                if not module.check_mode:
+                    connection.create_instance_profile(InstanceProfileName=params['RoleName'], Path=params['Path'])
                changed = True
            except ClientError as e:
                # If the profile already exists, no problem, move on
@ -313,12 +321,14 @@ def create_or_update_role(connection, module):
            except BotoCoreError as e:
                module.fail_json(msg="Unable to create instance profile for role {0}: {1}".format(params['RoleName'], to_native(e)),
                                 exception=traceback.format_exc())
-            connection.add_role_to_instance_profile(InstanceProfileName=params['RoleName'], RoleName=params['RoleName'])
+            if not module.check_mode:
+                connection.add_role_to_instance_profile(InstanceProfileName=params['RoleName'], RoleName=params['RoleName'])

    # Get the role again
-    role = get_role(connection, module, params['RoleName'])
+    if not role.get('MadeInCheckMode', False):
+        role = get_role(connection, module, params['RoleName'])
+        role['attached_policies'] = get_attached_policy_list(connection, module, params['RoleName'])

-    role['attached_policies'] = get_attached_policy_list(connection, module, params['RoleName'])
    module.exit_json(changed=changed, iam_role=camel_dict_to_snake_dict(role), **camel_dict_to_snake_dict(role))


@ -342,7 +352,8 @@ def destroy_role(connection, module):
        # Now remove the role from the instance profile(s)
        for profile in instance_profiles:
            try:
-                connection.remove_role_from_instance_profile(InstanceProfileName=profile['InstanceProfileName'], RoleName=params['RoleName'])
+                if not module.check_mode:
+                    connection.remove_role_from_instance_profile(InstanceProfileName=profile['InstanceProfileName'], RoleName=params['RoleName'])
            except ClientError as e:
                module.fail_json(msg="Unable to remove role {0} from instance profile {1}: {2}".format(
                                 params['RoleName'], profile['InstanceProfileName'], to_native(e)),
@ -355,7 +366,8 @@ def destroy_role(connection, module):
        # Now remove any attached policies otherwise deletion fails
        try:
            for policy in get_attached_policy_list(connection, module, params['RoleName']):
-                connection.detach_role_policy(RoleName=params['RoleName'], PolicyArn=policy['PolicyArn'])
+                if not module.check_mode:
+                    connection.detach_role_policy(RoleName=params['RoleName'], PolicyArn=policy['PolicyArn'])
        except ClientError as e:
            module.fail_json(msg="Unable to detach policy {0} from role {1}: {2}".format(policy['PolicyArn'], params['RoleName'], to_native(e)),
                             exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
@ -364,7 +376,8 @@ def destroy_role(connection, module):
                             exception=traceback.format_exc())

        try:
-            connection.delete_role(**params)
+            if not module.check_mode:
+                connection.delete_role(**params)
        except ClientError as e:
            module.fail_json(msg="Unable to delete role: {0}".format(to_native(e)),
                             exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
@ -421,7 +434,8 @@ def main():
    )

    module = AnsibleModule(argument_spec=argument_spec,
-                           required_if=[('state', 'present', ['assume_role_policy_document'])])
+                           required_if=[('state', 'present', ['assume_role_policy_document'])],
+                           supports_check_mode=True)

    if not HAS_BOTO3:
        module.fail_json(msg='boto3 required for this module')