diff --git a/lib/ansible/modules/cloud/amazon/iam_role.py b/lib/ansible/modules/cloud/amazon/iam_role.py index c3f255e9d1e..0ac77ded6d3 100644 --- a/lib/ansible/modules/cloud/amazon/iam_role.py +++ b/lib/ansible/modules/cloud/amazon/iam_role.py @@ -36,6 +36,12 @@ options: - A list of managed policy ARNs or, since Ansible 2.4, a list of either managed policy ARNs or friendly names. To embed an inline policy, use M(iam_policy). To remove existing policies, use an empty list item. aliases: [ managed_policies ] + purge_policies: + description: + - Detaches any managed policies not listed in the "managed_policy" option. Set to false if you want to attach policies elsewhere. + type: bool + default: true + version_added: "2.5" state: description: - Create or remove the IAM role @@ -143,6 +149,7 @@ iam_role: ] ''' +from ansible.module_utils._text import to_native from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.ec2 import camel_dict_to_snake_dict, ec2_argument_spec, get_aws_connection_info, boto3_conn, sort_json_policy_dict from ansible.module_utils.ec2 import HAS_BOTO3 @@ -151,7 +158,7 @@ import json import traceback try: - from botocore.exceptions import ClientError, NoCredentialsError + from botocore.exceptions import ClientError, BotoCoreError except ImportError: pass # caught by imported HAS_BOTO3 @@ -196,6 +203,19 @@ def convert_friendly_names_to_arns(connection, module, policy_names): module.fail_json(msg="Couldn't find policy: " + str(e)) +def remove_policies(connection, module, policies_to_remove, params): + for policy in policies_to_remove: + try: + connection.detach_role_policy(RoleName=params['RoleName'], PolicyArn=policy) + except ClientError as e: + module.fail_json(msg="Unable to detach policy {0} from {1}: {2}".format(policy, params['RoleName'], to_native(e)), + exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) + except BotoCoreError as e: + module.fail_json(msg="Unable to detach policy {0} from {1}: {2}".format(policy, params['RoleName'], to_native(e)), + exception=traceback.format_exc()) + return True + + def create_or_update_role(connection, module): params = dict() @@ -219,7 +239,9 @@ def create_or_update_role(connection, module): role = connection.create_role(**params) changed = True except ClientError as e: - module.fail_json(msg=e.message, exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) + module.fail_json(msg="Unable to create role", exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) + except BotoCoreError as e: + module.fail_json(msg="Unable to create role", exception=traceback.format_exc()) else: # Check Assumed Policy document if not compare_assume_role_policy_doc(role['AssumeRolePolicyDocument'], params['AssumeRolePolicyDocument']): @@ -227,40 +249,41 @@ def create_or_update_role(connection, module): connection.update_assume_role_policy(RoleName=params['RoleName'], PolicyDocument=json.dumps(json.loads(params['AssumeRolePolicyDocument']))) changed = True except ClientError as e: - module.fail_json(msg=e.message, exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) + module.fail_json(msg="Unable to update assume role policy for role {0}: {1}".format(params['RoleName'], to_native(e)), + exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) + except BotoCoreError as e: + module.fail_json(msg="Unable to update assume role policy for role {0}: {1}".format(params['RoleName'], to_native(e)), + exception=traceback.format_exc()) if managed_policies is not None: # Get list of current attached managed policies current_attached_policies = get_attached_policy_list(connection, module, params['RoleName']) + current_attached_policies_arn_list = [policy['PolicyArn'] for policy in current_attached_policies] # If a single empty list item then all managed policies to be removed - if len(managed_policies) == 1 and not managed_policies[0]: - for policy in current_attached_policies: - try: - connection.detach_role_policy(RoleName=params['RoleName'], PolicyArn=policy['PolicyArn']) - except ClientError as e: - module.fail_json(msg=e.message, exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) + if len(managed_policies) == 1 and not managed_policies[0] and module.params.get('purge_policies'): + + # Detach policies not present + if remove_policies(connection, module, set(current_attached_policies_arn_list) - set(managed_policies), params): changed = True else: # Make a list of the ARNs from the attached policies - current_attached_policies_arn_list = [] - for policy in current_attached_policies: - current_attached_policies_arn_list.append(policy['PolicyArn']) # Detach roles not defined in task - for policy_arn in list(set(current_attached_policies_arn_list) - set(managed_policies)): - try: - connection.detach_role_policy(RoleName=params['RoleName'], PolicyArn=policy_arn) - except ClientError as e: - module.fail_json(msg=e.message, exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) - changed = True + if module.params.get('purge_policies'): + if remove_policies(connection, module, set(current_attached_policies_arn_list) - set(managed_policies), params): + changed = True # Attach roles not already attached - for policy_arn in list(set(managed_policies) - set(current_attached_policies_arn_list)): + for policy_arn in set(managed_policies) - set(current_attached_policies_arn_list): try: connection.attach_role_policy(RoleName=params['RoleName'], PolicyArn=policy_arn) except ClientError as e: - module.fail_json(msg=e.message, exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) + module.fail_json(msg="Unable to attach policy {0} to role {1}: {2}".format(policy_arn, params['RoleName'], to_native(e)), + exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) + except BotoCoreError as e: + module.fail_json(msg="Unable to attach policy {0} to role {1}: {2}".format(policy_arn, params['RoleName'], to_native(e)), + exception=traceback.format_exc()) changed = True # Instance profile @@ -268,7 +291,11 @@ def create_or_update_role(connection, module): try: instance_profiles = connection.list_instance_profiles_for_role(RoleName=params['RoleName'])['InstanceProfiles'] except ClientError as e: - module.fail_json(msg=e.message, exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) + module.fail_json(msg="Unable to list instance profiles for role {0}: {1}".format(params['RoleName'], to_native(e)), + exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) + except BotoCoreError as e: + module.fail_json(msg="Unable to list instance profiles for role {0}: {1}".format(params['RoleName'], to_native(e)), + exception=traceback.format_exc()) if not any(p['InstanceProfileName'] == params['RoleName'] for p in instance_profiles): # Make sure an instance profile is attached try: @@ -279,7 +306,11 @@ def create_or_update_role(connection, module): if e.response['Error']['Code'] == 'EntityAlreadyExists': pass else: - module.fail_json(msg=e.message, exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) + module.fail_json(msg="Unable to create instance profile for role {0}: {1}".format(params['RoleName'], to_native(e)), + exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) + except BotoCoreError as e: + module.fail_json(msg="Unable to create instance profile for role {0}: {1}".format(params['RoleName'], to_native(e)), + exception=traceback.format_exc()) connection.add_role_to_instance_profile(InstanceProfileName=params['RoleName'], RoleName=params['RoleName']) # Get the role again @@ -300,26 +331,43 @@ def destroy_role(connection, module): try: instance_profiles = connection.list_instance_profiles_for_role(RoleName=params['RoleName'])['InstanceProfiles'] except ClientError as e: - module.fail_json(msg=e.message, exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) + module.fail_json(msg="Unable to list instance profiles for role {0}: {1}".format(params['RoleName'], to_native(e)), + exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) + except BotoCoreError as e: + module.fail_json(msg="Unable to list instance profiles for role {0}: {1}".format(params['RoleName'], to_native(e)), + exception=traceback.format_exc()) # Now remove the role from the instance profile(s) for profile in instance_profiles: try: connection.remove_role_from_instance_profile(InstanceProfileName=profile['InstanceProfileName'], RoleName=params['RoleName']) except ClientError as e: - module.fail_json(msg=e.message, exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) + module.fail_json(msg="Unable to remove role {0} from instance profile {1}: {2}".format( + params['RoleName'], profile['InstanceProfileName'], to_native(e)), + exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) + except BotoCoreError as e: + module.fail_json(msg="Unable to remove role {0} from instance profile {1}: {2}".format( + params['RoleName'], profile['InstanceProfileName'], to_native(e)), + exception=traceback.format_exc()) # Now remove any attached policies otherwise deletion fails try: for policy in get_attached_policy_list(connection, module, params['RoleName']): connection.detach_role_policy(RoleName=params['RoleName'], PolicyArn=policy['PolicyArn']) except ClientError as e: - module.fail_json(msg=e.message, exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) + module.fail_json(msg="Unable to detach policy {0} from role {1}: {2}".format(policy['PolicyArn'], params['RoleName'], to_native(e)), + exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) + except BotoCoreError as e: + module.fail_json(msg="Unable to detach policy {0} from role {1}: {2}".format(policy['PolicyArn'], params['RoleName'], to_native(e)), + exception=traceback.format_exc()) try: connection.delete_role(**params) except ClientError as e: - module.fail_json(msg=e.message, exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) + module.fail_json(msg="Unable to delete role: {0}".format(to_native(e)), + exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) + except BotoCoreError as e: + module.fail_json(msg="Unable to delete role: {0}".format(to_native(e)), exception=traceback.format_exc()) else: module.exit_json(changed=False) @@ -333,9 +381,10 @@ def get_role(connection, module, name): if e.response['Error']['Code'] == 'NoSuchEntity': return None else: - module.fail_json(msg=e.message, exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) - except NoCredentialsError as e: - module.fail_json(msg="AWS authentication problem. " + e.message, exception=traceback.format_exc()) + module.fail_json(msg="Unable to get role {0}: {1}".format(name, to_native(e)), + exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) + except BotoCoreError as e: + module.fail_json(msg="Unable to get role {0}: {1}".format(name, to_native(e)), exception=traceback.format_exc()) def get_attached_policy_list(connection, module, name): @@ -344,9 +393,13 @@ def get_attached_policy_list(connection, module, name): return connection.list_attached_role_policies(RoleName=name)['AttachedPolicies'] except ClientError as e: if e.response['Error']['Code'] == 'NoSuchEntity': - return None + return [] else: - module.fail_json(msg=e.message, exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) + module.fail_json(msg="Unable to list attached policies for role {0}: {1}".format(name, to_native(e)), + exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) + except BotoCoreError as e: + module.fail_json(msg="Unable to list attached policies for role {0}: {1}".format(name, to_native(e)), + exception=traceback.format_exc()) def main(): @@ -360,7 +413,8 @@ def main(): managed_policy=dict(type='list', aliases=['managed_policies']), state=dict(type='str', choices=['present', 'absent'], default='present'), description=dict(type='str'), - create_instance_profile=dict(type='bool', default=True) + create_instance_profile=dict(type='bool', default=True), + purge_policies=dict(type='bool', default=True), ) )