#!/usr/bin/env python
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.

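DOCUMENTATION = """
---
module: ec2_iam_role
short_description: Create or delete an IAM role with its instance profile.
description:
  - Creates or deletes an AWS IAM role, the instance profile it is added to,
    and a list of inline policies put on the role.
version_added: "1.8"
author: Edward Zarecor
options:
  state:
    description:
      - Whether the role, instance profile and inline policies should exist.
    required: false
    default: present
    choices: ['present', 'absent']
  instance_profile_name:
    description:
      - Name of the instance profile the role is added to.
    required: true
  role_name:
    description:
      - Name of the IAM role.
    required: true
  policies:
    description:
      - List of inline policies to put on the role. Each item is a dict
        with a C(name) (the policy name) and a C(document) (the policy
        document passed to IAM).
    required: false
    default: null
extends_documentation_fragment: aws
"""

EXAMPLES = '''
# Sample values below are illustrative.
- ec2_iam_role:
    instance_profile_name: example-instance-profile
    role_name: example-role
    state: present
    policies:
      - name: example-policy
        document: "{{ lookup('file', 'example-policy.json') }}"

- ec2_iam_role:
    instance_profile_name: example-instance-profile
    role_name: example-role
    state: absent
    policies:
      - name: example-policy
'''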

from ansible.module_utils.basic import *
from ansible.module_utils.ec2 import *
import sys
try:
    import boto
except ImportError:
    print "failed=True msg='boto required for this module'"
    sys.exit(1)

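def _get_or_none(fetch, name, module):
    """Call ``fetch(name)`` and return its result, or None if IAM says "not found".

    Only an HTTP 404 / ``NoSuchEntity`` reply is taken to mean the entity does
    not exist yet.  Any other ``BotoServerError`` (access denied, throttling,
    malformed name, ...) ends the module run via ``module.fail_json`` instead
    of being silently mistaken for "absent", which would otherwise lead to a
    blind create attempt on top of a real failure.
    """
    try:
        return fetch(name)
    except boto.exception.BotoServerError as err:
        if err.status == 404 or err.error_code == 'NoSuchEntity':
            return None
        module.fail_json(msg=str(err))
        return None


def present(connection, module):
    """Ensure the instance profile, the role, their association and the inline policies exist.

    Reads ``instance_profile_name``, ``role_name`` and ``policies`` from
    ``module.params``, creates whatever is missing and exits the module with
    the profile and role ARNs.  ``changed`` is True only when something was
    created or a policy document was put.

    Args:
        connection: boto IAM connection.
        module: the AnsibleModule; ``exit_json``/``fail_json`` end the run.
    """
    profile_name = module.params.get('instance_profile_name')
    role_name = module.params.get('role_name')
    # 'policies' has no default in the argument spec, so it may be None.
    policies = module.params.get('policies') or []

    changed = False

    fetched_profile = _get_or_none(connection.get_instance_profile, profile_name, module)
    if fetched_profile:
        profile_arn = fetched_profile.arn
    else:
        profile_arn = connection.create_instance_profile(profile_name).arn
        changed = True

    fetched_role = _get_or_none(connection.get_role, role_name, module)
    if fetched_role:
        role_arn = fetched_role.arn
    else:
        # NOTE(review): no assume-role (trust) document is passed, so the role
        # is created with whatever trust policy boto applies by default —
        # confirm that is the intended trust relationship for this role.
        role_arn = connection.create_role(role_name).arn
        changed = True

    # A freshly created profile holds no role and a freshly created role is in
    # no profile, so the association is both safe and required whenever at
    # least one of the two was just created.  Requiring *both* to be new (as
    # before) left a pre-existing profile without its freshly created role.
    if not fetched_profile or not fetched_role:
        connection.add_role_to_instance_profile(profile_name, role_name)
        changed = True

    for policy in policies:
        # put_role_policy creates or overwrites the inline policy, so the
        # prior get_role_policy lookup added nothing.  The existing document
        # is not compared with the desired one, so every listed policy counts
        # as a change.  TODO: compare documents to make this idempotent.
        connection.put_role_policy(role_name, policy['name'], policy['document'])
        changed = True

    module.exit_json(changed=changed,
                     instance_profile_arn=profile_arn,
                     role_arn=role_arn)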


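def absent(connection, module):
    """Remove the listed inline policies, the role and the instance profile.

    Every IAM call tolerates a "not found" reply (HTTP 404 / ``NoSuchEntity``)
    so that a re-run, or a run after a partial failure, completes and reports
    ``changed=False`` when nothing was left to delete.  Any other API error
    ends the module run via ``module.fail_json`` rather than being swallowed
    or escaping as a traceback.

    Args:
        connection: boto IAM connection.
        module: the AnsibleModule; ``exit_json``/``fail_json`` end the run.
    """
    profile_name = module.params.get('instance_profile_name')
    role_name = module.params.get('role_name')
    # 'policies' has no default in the argument spec, so it may be None.
    policies = module.params.get('policies') or []

    changed = False

    def _delete(call, *args):
        # Run one delete call.  True if something was removed, False if the
        # target was already gone; other server errors fail the module.
        try:
            call(*args)
        except boto.exception.BotoServerError as err:
            if err.status == 404 or err.error_code == 'NoSuchEntity':
                return False
            module.fail_json(msg=str(err))
            return False
        return True

    for policy in policies:
        changed = _delete(connection.delete_role_policy, role_name, policy['name']) or changed

    # Order matters: the role is detached from the profile before it is
    # deleted, and the profile is deleted only once it holds no role.
    # NOTE(review): inline policies that are not listed in 'policies' are not
    # removed here and would still block delete_role — confirm whether they
    # should be enumerated and removed as well.
    changed = _delete(connection.remove_role_from_instance_profile, profile_name, role_name) or changed
    changed = _delete(connection.delete_role, role_name) or changed
    changed = _delete(connection.delete_instance_profile, profile_name) or changed

    module.exit_json(changed=changed)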


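def main():
    """Module entry point: build the argument spec, connect to IAM and dispatch on ``state``."""
    argument_spec = ec2_argument_spec()
    argument_spec.update(
        dict(
            state=dict(default='present', choices=['present', 'absent']),
            instance_profile_name=dict(required=True, type='str'),
            role_name=dict(required=True, type='str'),
            # Default to an empty list so present()/absent() can iterate the
            # value without first guarding against None.
            policies=dict(type='list', default=[]),
        )
    )

    module = AnsibleModule(argument_spec=argument_spec)
    # Only the credential profile from the aws fragment is used here;
    # connect_iam is called without a region.
    profile = module.params.get('profile')

    try:
        connection = boto.connect_iam(profile_name=profile)
    except boto.exception.NoAuthHandlerFound as e:
        # 'except ... as e' is valid on Python 2.6+ and 3; the old
        # 'except ..., e' form is Python 2 only.
        module.fail_json(msg=str(e))

    state = module.params.get('state')

    if state == 'present':
        present(connection, module)
    elif state == 'absent':
        absent(connection, module)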

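# Run only when executed as a script (Ansible executes the module file as
# __main__), not when the file is imported, e.g. by tests or doc tooling.
if __name__ == '__main__':
    main()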