[aws] Add aws_iam_role check mode support (#39002)

* Check mode when adding

* Check mode when deleting

* Add check mode
cahlchang 6 years ago committed by Ryan Brown
parent 910bc892c6
commit e2908ae8df

@ -206,7 +206,8 @@ def convert_friendly_names_to_arns(connection, module, policy_names):
def remove_policies(connection, module, policies_to_remove, params): def remove_policies(connection, module, policies_to_remove, params):
for policy in policies_to_remove: for policy in policies_to_remove:
try: try:
connection.detach_role_policy(RoleName=params['RoleName'], PolicyArn=policy) if not module.check_mode:
connection.detach_role_policy(RoleName=params['RoleName'], PolicyArn=policy)
except ClientError as e: except ClientError as e:
module.fail_json(msg="Unable to detach policy {0} from {1}: {2}".format(policy, params['RoleName'], to_native(e)), module.fail_json(msg="Unable to detach policy {0} from {1}: {2}".format(policy, params['RoleName'], to_native(e)),
exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
@ -236,7 +237,11 @@ def create_or_update_role(connection, module):
# If role is None, create it # If role is None, create it
if role is None: if role is None:
try: try:
role = connection.create_role(**params) if not module.check_mode:
role = connection.create_role(**params)
else:
role = {'MadeInCheckMode': True}
role['AssumeRolePolicyDocument'] = json.loads(params['AssumeRolePolicyDocument'])
changed = True changed = True
except ClientError as e: except ClientError as e:
module.fail_json(msg="Unable to create role: {0}".format(to_native(e)), module.fail_json(msg="Unable to create role: {0}".format(to_native(e)),
@ -248,7 +253,8 @@ def create_or_update_role(connection, module):
# Check Assumed Policy document # Check Assumed Policy document
if not compare_assume_role_policy_doc(role['AssumeRolePolicyDocument'], params['AssumeRolePolicyDocument']): if not compare_assume_role_policy_doc(role['AssumeRolePolicyDocument'], params['AssumeRolePolicyDocument']):
try: try:
connection.update_assume_role_policy(RoleName=params['RoleName'], PolicyDocument=json.dumps(json.loads(params['AssumeRolePolicyDocument']))) if not module.check_mode:
connection.update_assume_role_policy(RoleName=params['RoleName'], PolicyDocument=json.dumps(json.loads(params['AssumeRolePolicyDocument'])))
changed = True changed = True
except ClientError as e: except ClientError as e:
module.fail_json(msg="Unable to update assume role policy for role {0}: {1}".format(params['RoleName'], to_native(e)), module.fail_json(msg="Unable to update assume role policy for role {0}: {1}".format(params['RoleName'], to_native(e)),
@ -279,7 +285,8 @@ def create_or_update_role(connection, module):
# Attach roles not already attached # Attach roles not already attached
for policy_arn in set(managed_policies) - set(current_attached_policies_arn_list): for policy_arn in set(managed_policies) - set(current_attached_policies_arn_list):
try: try:
connection.attach_role_policy(RoleName=params['RoleName'], PolicyArn=policy_arn) if not module.check_mode:
connection.attach_role_policy(RoleName=params['RoleName'], PolicyArn=policy_arn)
except ClientError as e: except ClientError as e:
module.fail_json(msg="Unable to attach policy {0} to role {1}: {2}".format(policy_arn, params['RoleName'], to_native(e)), module.fail_json(msg="Unable to attach policy {0} to role {1}: {2}".format(policy_arn, params['RoleName'], to_native(e)),
exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
@ -289,7 +296,7 @@ def create_or_update_role(connection, module):
changed = True changed = True
# Instance profile # Instance profile
if create_instance_profile: if create_instance_profile and not role.get('MadeInCheckMode', False):
try: try:
instance_profiles = connection.list_instance_profiles_for_role(RoleName=params['RoleName'])['InstanceProfiles'] instance_profiles = connection.list_instance_profiles_for_role(RoleName=params['RoleName'])['InstanceProfiles']
except ClientError as e: except ClientError as e:
@ -301,7 +308,8 @@ def create_or_update_role(connection, module):
if not any(p['InstanceProfileName'] == params['RoleName'] for p in instance_profiles): if not any(p['InstanceProfileName'] == params['RoleName'] for p in instance_profiles):
# Make sure an instance profile is attached # Make sure an instance profile is attached
try: try:
connection.create_instance_profile(InstanceProfileName=params['RoleName'], Path=params['Path']) if not module.check_mode:
connection.create_instance_profile(InstanceProfileName=params['RoleName'], Path=params['Path'])
changed = True changed = True
except ClientError as e: except ClientError as e:
# If the profile already exists, no problem, move on # If the profile already exists, no problem, move on
@ -313,12 +321,14 @@ def create_or_update_role(connection, module):
except BotoCoreError as e: except BotoCoreError as e:
module.fail_json(msg="Unable to create instance profile for role {0}: {1}".format(params['RoleName'], to_native(e)), module.fail_json(msg="Unable to create instance profile for role {0}: {1}".format(params['RoleName'], to_native(e)),
exception=traceback.format_exc()) exception=traceback.format_exc())
connection.add_role_to_instance_profile(InstanceProfileName=params['RoleName'], RoleName=params['RoleName']) if not module.check_mode:
connection.add_role_to_instance_profile(InstanceProfileName=params['RoleName'], RoleName=params['RoleName'])
# Get the role again # Get the role again
role = get_role(connection, module, params['RoleName']) if not role.get('MadeInCheckMode', False):
role = get_role(connection, module, params['RoleName'])
role['attached_policies'] = get_attached_policy_list(connection, module, params['RoleName'])
role['attached_policies'] = get_attached_policy_list(connection, module, params['RoleName'])
module.exit_json(changed=changed, iam_role=camel_dict_to_snake_dict(role), **camel_dict_to_snake_dict(role)) module.exit_json(changed=changed, iam_role=camel_dict_to_snake_dict(role), **camel_dict_to_snake_dict(role))
@ -342,7 +352,8 @@ def destroy_role(connection, module):
# Now remove the role from the instance profile(s) # Now remove the role from the instance profile(s)
for profile in instance_profiles: for profile in instance_profiles:
try: try:
connection.remove_role_from_instance_profile(InstanceProfileName=profile['InstanceProfileName'], RoleName=params['RoleName']) if not module.check_mode:
connection.remove_role_from_instance_profile(InstanceProfileName=profile['InstanceProfileName'], RoleName=params['RoleName'])
except ClientError as e: except ClientError as e:
module.fail_json(msg="Unable to remove role {0} from instance profile {1}: {2}".format( module.fail_json(msg="Unable to remove role {0} from instance profile {1}: {2}".format(
params['RoleName'], profile['InstanceProfileName'], to_native(e)), params['RoleName'], profile['InstanceProfileName'], to_native(e)),
@ -355,7 +366,8 @@ def destroy_role(connection, module):
# Now remove any attached policies otherwise deletion fails # Now remove any attached policies otherwise deletion fails
try: try:
for policy in get_attached_policy_list(connection, module, params['RoleName']): for policy in get_attached_policy_list(connection, module, params['RoleName']):
connection.detach_role_policy(RoleName=params['RoleName'], PolicyArn=policy['PolicyArn']) if not module.check_mode:
connection.detach_role_policy(RoleName=params['RoleName'], PolicyArn=policy['PolicyArn'])
except ClientError as e: except ClientError as e:
module.fail_json(msg="Unable to detach policy {0} from role {1}: {2}".format(policy['PolicyArn'], params['RoleName'], to_native(e)), module.fail_json(msg="Unable to detach policy {0} from role {1}: {2}".format(policy['PolicyArn'], params['RoleName'], to_native(e)),
exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
@ -364,7 +376,8 @@ def destroy_role(connection, module):
exception=traceback.format_exc()) exception=traceback.format_exc())
try: try:
connection.delete_role(**params) if not module.check_mode:
connection.delete_role(**params)
except ClientError as e: except ClientError as e:
module.fail_json(msg="Unable to delete role: {0}".format(to_native(e)), module.fail_json(msg="Unable to delete role: {0}".format(to_native(e)),
exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
@ -421,7 +434,8 @@ def main():
) )
module = AnsibleModule(argument_spec=argument_spec, module = AnsibleModule(argument_spec=argument_spec,
required_if=[('state', 'present', ['assume_role_policy_document'])]) required_if=[('state', 'present', ['assume_role_policy_document'])],
supports_check_mode=True)
if not HAS_BOTO3: if not HAS_BOTO3:
module.fail_json(msg='boto3 required for this module') module.fail_json(msg='boto3 required for this module')
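Review bot: The check-mode placeholder `role = {'MadeInCheckMode': True}` in create_or_update_role is the dict that reaches `module.exit_json(...)` at the end of the function, so under --check a newly created role is reported with only `made_in_check_mode` and `assume_role_policy_document`, whereas a real run returns the full role (name, path, ARN, attached policies), and the internal marker leaks into module output. Playbooks that register the result and read `role_name` or `path` in a later task will therefore fail only in check mode, which defeats the purpose of a dry run. Seed the placeholder with the fields already known from params, `role = {'MadeInCheckMode': True, 'RoleName': params['RoleName'], 'Path': params['Path']}` (the code already reads `params['Path']` unguarded for create_instance_profile), and drop the marker just before returning, `role.pop('MadeInCheckMode', None)` ahead of the `module.exit_json(...)` call so the two `role.get('MadeInCheckMode', False)` guards still see it. The ARN cannot be known without the create call, so that gap should be stated in the module's RETURN documentation for check mode; create_or_update_role's body begins and continues outside the shown hunks.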
