AWS IAM Sanity test cleanup and deprecate unused 'fail_on_delete' option (#63961)

* AWS IAM Sanity test cleanup

* Changelog and porting guide updates

* Review recommendations
Mark Chappell 2019-10-28 09:18:58 +01:00 committed by Felix Fontein
parent 30be3a4a9f
commit fd54c54b51
11 changed files with 64 additions and 32 deletions

@ -0,0 +1,2 @@
deprecated_features:
- "iam_managed_policy - The ``fail_on_delete`` option had no effect and will be removed in Ansible 2.14"
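Review bot: The fragment sits under `deprecated_features` and matches the porting-guide wording; it would help users to add that the option can simply be dropped from playbooks, since there is no replacement to migrate to.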

@ -52,8 +52,8 @@ Deprecation notices
The following functionality will be removed in Ansible 2.14. Please update update your playbooks accordingly.
* The :ref:`openssl_csr <openssl_csr_module>` module's option ``version`` no longer supports values other than ``1`` (the current only standardized CSR version).
* :ref:`docker_container <docker_container_module>`: the ``trust_image_content`` option will be removed. It has always been ignored by the module.
* :ref:`iam_managed_policy <iam_managed_policy_module>`: the ``fail_on_delete`` option wil be removed. It has always been ignored by the module.
Noteworthy module changes
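Review bot: "wil be removed" in the new iam_managed_policy bullet should read "will be removed"; the context line above ("Please update update your playbooks") has a doubled word that could be fixed in the same commit.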

@ -23,56 +23,70 @@ options:
description:
- Type of IAM resource
choices: ["user", "group", "role"]
type: str
name:
description:
- Name of IAM resource to create or identify
required: true
type: str
new_name:
description:
- When state is update, will replace name with new_name on IAM resource
type: str
new_path:
description:
- When state is update, will replace the path with new_path on the IAM resource
type: str
state:
description:
- Whether to create, delete or update the IAM resource. Note, roles cannot be updated.
required: true
choices: [ "present", "absent", "update" ]
type: str
path:
description:
- When creating or updating, specify the desired path of the resource. If state is present,
it will replace the current path to match what is passed in when they do not match.
default: "/"
type: str
trust_policy:
description:
- The inline (JSON or YAML) trust policy document that grants an entity permission to assume the role. Mutually exclusive with C(trust_policy_filepath).
version_added: "2.2"
type: dict
trust_policy_filepath:
description:
- The path to the trust policy document that grants an entity permission to assume the role. Mutually exclusive with C(trust_policy).
version_added: "2.2"
type: str
access_key_state:
description:
- When type is user, it creates, removes, deactivates or activates a user's access key(s). Note that actions apply only to keys specified.
choices: [ "create", "remove", "active", "inactive"]
choices: [ "create", "remove", "active", "inactive", "Create", "Remove", "Active", "Inactive"]
type: str
key_count:
description:
- When access_key_state is create it will ensure this quantity of keys are present. Defaults to 1.
default: '1'
default: 1
type: int
access_key_ids:
description:
- A list of the keys that you want impacted by the access_key_state parameter.
type: list
groups:
description:
- A list of groups the user should belong to. When update, will gracefully remove groups not listed.
type: list
password:
description:
- When type is user and state is present, define the users login password. Also works with update. Note that always returns changed.
type: str
update_password:
default: always
choices: ['always', 'on_create']
description:
- C(always) will update passwords if they differ. C(on_create) will only set the password for newly created users.
type: str
notes:
- 'Currently boto does not support the removal of Managed Policies, the module will error out if your
user/group/role has managed policies when you try to do state=absent. They will need to be removed manually.'
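Review bot: The documented `choices` for `access_key_state` now list both the lower-case and the capitalised spellings ("create", "remove", "active", "inactive", "Create", "Remove", "Active", "Inactive"), which mirrors the argument spec to clear doc-choices-do-not-match-spec but documents eight values for four behaviours; normalising the value once in the module (e.g. lower-casing it) and keeping a single set of four choices in both doc and spec would be cleaner. Separately, `groups` and `access_key_ids` get `type: list` without an `elements: str`, which is worth adding while the types are being filled in.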
@ -603,11 +617,9 @@ def delete_role(module, iam, name, role_list, prof_list):
def main():
argument_spec = ec2_argument_spec()
argument_spec.update(dict(
iam_type=dict(
default=None, required=True, choices=['user', 'group', 'role']),
iam_type=dict(required=True, choices=['user', 'group', 'role']),
groups=dict(type='list', default=None, required=False),
state=dict(
default=None, required=True, choices=['present', 'absent', 'update']),
state=dict(required=True, choices=['present', 'absent', 'update']),
password=dict(default=None, required=False, no_log=True),
update_password=dict(default='always', required=False, choices=['always', 'on_create']),
access_key_state=dict(default=None, required=False, choices=[
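Review bot: Dropping `default=None` from the two required options (`iam_type`, `state`) is the right fix for no-default-for-required-parameter; `groups=dict(type='list', default=None, required=False)` and `password=dict(default=None, required=False, no_log=True)` still carry the redundant `default=None` / `required=False` and could be trimmed the same way for consistency. Good that `password` keeps `no_log=True`.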

@ -13,6 +13,10 @@
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
from __future__ import absolute_import, division, print_function
__metaclass__ = type
ANSIBLE_METADATA = {'metadata_version': '1.1',
'status': ['preview'],
'supported_by': 'community'}
@ -30,36 +34,44 @@ options:
description:
- Name of certificate to add, update or remove.
required: true
type: str
new_name:
description:
- When state is present, this will update the name of the cert.
- The cert, key and cert_chain parameters will be ignored if this is defined.
type: str
new_path:
description:
- When state is present, this will update the path of the cert.
- The cert, key and cert_chain parameters will be ignored if this is defined.
type: str
state:
description:
- Whether to create(or update) or delete certificate.
- If new_path or new_name is defined, specifying present will attempt to make an update these.
required: true
choices: [ "present", "absent" ]
type: str
path:
description:
- When creating or updating, specify the desired path of the certificate.
default: "/"
type: str
cert_chain:
description:
- The path to, or content of the CA certificate chain in PEM encoded format.
As of 2.4 content is accepted. If the parameter is not a file, it is assumed to be content.
type: str
cert:
description:
- The path to, or content of the certificate body in PEM encoded format.
As of 2.4 content is accepted. If the parameter is not a file, it is assumed to be content.
type: str
key:
description:
- The path to, or content of the private key in PEM encoded format.
As of 2.4 content is accepted. If the parameter is not a file, it is assumed to be content.
type: str
dup_ok:
description:
- By default the module will not upload a certificate that is already uploaded into AWS.
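Review bot: `key` is documented as "the path to, or content of the private key" and is now typed `type: str`; because PEM content is accepted directly, confirm that the corresponding argument-spec entry (not visible in this hunk) carries `no_log=True` so the private key is not echoed into task output or logs.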

@ -14,6 +14,9 @@
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
from __future__ import absolute_import, division, print_function
__metaclass__ = type
ANSIBLE_METADATA = {'metadata_version': '1.1',
'status': ['preview'],
'supported_by': 'community'}
@ -33,19 +36,23 @@ options:
description:
- The name of the group to create.
required: true
type: str
managed_policy:
description:
- A list of managed policy ARNs or friendly names to attach to the role. To embed an inline policy, use M(iam_policy).
required: false
type: list
users:
description:
- A list of existing users to add as members of the group.
required: false
type: list
state:
description:
- Create or remove the IAM group
required: true
choices: [ 'present', 'absent' ]
type: str
purge_policy:
description:
- Detach policy which not included in managed_policy list
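Review bot: The `managed_policy` description in iam_group says "attach to the role"; this is the group module, so it should read "attach to the group". `managed_policy` and `users` also take `type: list` without `elements: str`. The context line "Detach policy which not included in managed_policy list" could be reworded to "Detach policies which are not included in the managed_policy list", matching the wording used in iam_user.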

@ -22,27 +22,37 @@ options:
description:
- The name of the managed policy.
required: True
type: str
policy_description:
description:
- A helpful description of this policy, this value is immutable and only set when creating a new policy.
default: ''
type: str
policy:
description:
- A properly json formatted policy
type: json
make_default:
description:
- Make this revision the default revision.
default: True
type: bool
only_version:
description:
- Remove all other non default revisions, if this is used with C(make_default) it will result in all other versions of this policy being deleted.
type: bool
default: 'no'
default: false
state:
description:
- Should this managed policy be present or absent. Set to absent to detach all entities from this policy and remove it if found.
default: present
choices: [ "present", "absent" ]
type: str
fail_on_delete:
description:
- The I(fail_on_delete) option does nothing and will be removed in Ansible 2.14.
type: bool
author: "Dan Kozlowski (@dkhenry)"
extends_documentation_fragment:
- aws
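Review bot: The new `fail_on_delete` doc entry states the option does nothing and is slated for removal in 2.14, which is consistent with the changelog fragment; fine. Nit: `policy` is `type: json` with the description "A properly json formatted policy", which would read better as "A properly JSON-formatted policy document", and `required: True` on `name` could be lower-case `true` like the other modules in this commit.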
@ -277,7 +287,7 @@ def main():
policy=dict(type='json'),
make_default=dict(type='bool', default=True),
only_version=dict(type='bool', default=False),
fail_on_delete=dict(type='bool', default=True),
fail_on_delete=dict(type='bool', removed_in_version='2.14'),
state=dict(default='present', choices=['present', 'absent']),
))
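Review bot: Replacing `default=True` with `removed_in_version='2.14'` means `module.params['fail_on_delete']` is `None` unless a playbook sets it; since the changelog states the option was never acted on, confirm no code path below still reads it. With `removed_in_version` on the argument itself, the deprecation warning fires only when a playbook actually passes the option, which is the desired behaviour.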

@ -24,6 +24,7 @@ options:
user_name:
description:
- The name of the user whose MFA devices will be listed
type: str
extends_documentation_fragment:
- aws
- ec2

@ -28,11 +28,13 @@ options:
- Specifies the overall state of the password policy.
required: true
choices: ['present', 'absent']
type: str
min_pw_length:
description:
- Minimum password length.
default: 6
aliases: [minimum_password_length]
type: int
require_symbols:
description:
- Require symbols in password.
@ -65,11 +67,13 @@ options:
do not expire automatically.
default: 0
aliases: [password_max_age]
type: int
pw_reuse_prevent:
description:
- Prevent re-use of passwords.
default: 0
aliases: [password_reuse_prevent, prevent_reuse]
type: int
pw_expire:
description:
- Prevents users from change an expired password.
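Review bot: The added `type: int` / `type: str` annotations match the option semantics. The context line "Prevents users from change an expired password" should be "Prevents users from changing an expired password" and could be fixed here. The default of 6 for `min_pw_length` is on the low side for an account password policy; the description could state that callers should set it explicitly rather than rely on the default.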

@ -26,6 +26,7 @@ options:
description:
- The name of the server certificate you are retrieving attributes for.
required: true
type: str
extends_documentation_fragment:
- aws
- ec2

@ -2,6 +2,9 @@
# Copyright (c) 2017 Ansible Project
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import absolute_import, division, print_function
__metaclass__ = type
ANSIBLE_METADATA = {'metadata_version': '1.1',
'status': ['preview'],
'supported_by': 'community'}
@ -19,15 +22,18 @@ options:
description:
- The name of the user to create.
required: true
type: str
managed_policy:
description:
- A list of managed policy ARNs or friendly names to attach to the user. To embed an inline policy, use M(iam_policy).
required: false
type: list
state:
description:
- Create or remove the IAM user
required: true
choices: [ 'present', 'absent' ]
type: str
purge_policy:
description:
- Detach policies which are not included in managed_policy list
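Review bot: `managed_policy` takes `type: list` without `elements: str`; adding it now keeps iam_user in step with the other list options touched in this commit. Otherwise the typing matches the group module, and the "Detach policies which are not included in managed_policy list" wording here is the clearer of the two and could be reused in iam_group.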

@ -939,24 +939,6 @@ lib/ansible/modules/cloud/amazon/execute_lambda.py metaclass-boilerplate
lib/ansible/modules/cloud/amazon/execute_lambda.py validate-modules:doc-default-does-not-match-spec
lib/ansible/modules/cloud/amazon/execute_lambda.py validate-modules:parameter-type-not-in-doc
lib/ansible/modules/cloud/amazon/execute_lambda.py validate-modules:doc-missing-type
lib/ansible/modules/cloud/amazon/iam.py validate-modules:no-default-for-required-parameter
lib/ansible/modules/cloud/amazon/iam.py validate-modules:doc-choices-do-not-match-spec
lib/ansible/modules/cloud/amazon/iam.py validate-modules:parameter-type-not-in-doc
lib/ansible/modules/cloud/amazon/iam.py validate-modules:doc-missing-type
lib/ansible/modules/cloud/amazon/iam_cert.py future-import-boilerplate
lib/ansible/modules/cloud/amazon/iam_cert.py metaclass-boilerplate
lib/ansible/modules/cloud/amazon/iam_cert.py validate-modules:doc-missing-type
lib/ansible/modules/cloud/amazon/iam_group.py future-import-boilerplate
lib/ansible/modules/cloud/amazon/iam_group.py metaclass-boilerplate
lib/ansible/modules/cloud/amazon/iam_group.py validate-modules:parameter-type-not-in-doc
lib/ansible/modules/cloud/amazon/iam_group.py validate-modules:doc-missing-type
lib/ansible/modules/cloud/amazon/iam_managed_policy.py validate-modules:undocumented-parameter
lib/ansible/modules/cloud/amazon/iam_managed_policy.py validate-modules:doc-default-does-not-match-spec
lib/ansible/modules/cloud/amazon/iam_managed_policy.py validate-modules:parameter-type-not-in-doc
lib/ansible/modules/cloud/amazon/iam_managed_policy.py validate-modules:doc-missing-type
lib/ansible/modules/cloud/amazon/iam_mfa_device_info.py validate-modules:doc-missing-type
lib/ansible/modules/cloud/amazon/iam_password_policy.py validate-modules:parameter-type-not-in-doc
lib/ansible/modules/cloud/amazon/iam_password_policy.py validate-modules:doc-missing-type
lib/ansible/modules/cloud/amazon/iam_policy.py future-import-boilerplate
lib/ansible/modules/cloud/amazon/iam_policy.py metaclass-boilerplate
lib/ansible/modules/cloud/amazon/iam_policy.py validate-modules:no-default-for-required-parameter
@ -967,11 +949,6 @@ lib/ansible/modules/cloud/amazon/iam_role.py future-import-boilerplate
lib/ansible/modules/cloud/amazon/iam_role.py metaclass-boilerplate
lib/ansible/modules/cloud/amazon/iam_role.py validate-modules:parameter-type-not-in-doc
lib/ansible/modules/cloud/amazon/iam_role_info.py validate-modules:doc-missing-type
lib/ansible/modules/cloud/amazon/iam_server_certificate_info.py validate-modules:parameter-type-not-in-doc
lib/ansible/modules/cloud/amazon/iam_user.py future-import-boilerplate
lib/ansible/modules/cloud/amazon/iam_user.py metaclass-boilerplate
lib/ansible/modules/cloud/amazon/iam_user.py validate-modules:parameter-type-not-in-doc
lib/ansible/modules/cloud/amazon/iam_user.py validate-modules:doc-missing-type
lib/ansible/modules/cloud/amazon/kinesis_stream.py pylint:blacklisted-name
lib/ansible/modules/cloud/amazon/kinesis_stream.py validate-modules:no-default-for-required-parameter
lib/ansible/modules/cloud/amazon/kinesis_stream.py validate-modules:doc-default-does-not-match-spec
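Review bot: The removed ignore entries line up with the modules touched in this commit (iam, iam_cert, iam_group, iam_managed_policy, iam_mfa_device_info, iam_password_policy, iam_server_certificate_info, iam_user), so nothing is being suppressed that the code no longer justifies. The same classes of entries remain for iam_policy.py and iam_role.py in the surrounding context; a follow-up in the same style would close out the IAM set.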