From fd54c54b51cc86475b8adcc916d20d0958931c9d Mon Sep 17 00:00:00 2001
From: Mark Chappell
Date: Mon, 28 Oct 2019 09:18:58 +0100
Subject: [PATCH] AWS IAM Sanity test cleanup and deprecate unused 'fail_on_delete' option (#63961)
* AWS IAM Sanity test cleanup
* Changelog and porting guide updates
* Review recommendations
---
 .../63961-deprecate-fail_on_delete.yml | 2 ++
 .../rst/porting_guides/porting_guide_2.10.rst | 2 +-
 lib/ansible/modules/cloud/amazon/iam.py | 24 ++++++++++++++-----
 lib/ansible/modules/cloud/amazon/iam_cert.py | 12 ++++++++++
 lib/ansible/modules/cloud/amazon/iam_group.py | 7 ++++++
 .../cloud/amazon/iam_managed_policy.py | 14 +++++++++--
 .../cloud/amazon/iam_mfa_device_info.py | 1 +
 .../cloud/amazon/iam_password_policy.py | 4 ++++
 .../amazon/iam_server_certificate_info.py | 1 +
 lib/ansible/modules/cloud/amazon/iam_user.py | 6 +++++
 test/sanity/ignore.txt | 23 ------------------
 11 files changed, 64 insertions(+), 32 deletions(-)
 create mode 100644 changelogs/fragments/63961-deprecate-fail_on_delete.yml
diff --git a/changelogs/fragments/63961-deprecate-fail_on_delete.yml b/changelogs/fragments/63961-deprecate-fail_on_delete.yml
new file mode 100644
index 00000000000..ad5ea495bb8
--- /dev/null
+++ b/changelogs/fragments/63961-deprecate-fail_on_delete.yml
@@ -0,0 +1,2 @@
+deprecated_features:
+- "iam_managed_policy - The ``fail_on_delete`` option had no effect and will be removed in Ansible 2.14"
diff --git a/docs/docsite/rst/porting_guides/porting_guide_2.10.rst b/docs/docsite/rst/porting_guides/porting_guide_2.10.rst
index 62c3bb78f6a..8f38a4d6e7f 100644
--- a/docs/docsite/rst/porting_guides/porting_guide_2.10.rst
+++ b/docs/docsite/rst/porting_guides/porting_guide_2.10.rst
@@ -52,8 +52,8 @@ Deprecation notices The following functionality will be removed in Ansible 2.14. Please update update your playbooks accordingly. * The :ref:`openssl_csr ` module's option ``version`` no longer supports values other than ``1`` (the current only standardized CSR version). - * :ref:`docker_container `: the ``trust_image_content`` option will be removed. It has always been ignored by the module. +* :ref:`iam_managed_policy `: the ``fail_on_delete`` option wil be removed. It has always been ignored by the module. Noteworthy module changes diff --git a/lib/ansible/modules/cloud/amazon/iam.py b/lib/ansible/modules/cloud/amazon/iam.py index a96f8ca1113..e05e3885458 100644 --- a/lib/ansible/modules/cloud/amazon/iam.py +++ b/lib/ansible/modules/cloud/amazon/iam.py 
@@ -23,56 +23,70 @@ options: description: - Type of IAM resource choices: ["user", "group", "role"] + type: str name: description: - Name of IAM resource to create or identify required: true + type: str new_name: description: - When state is update, will replace name with new_name on IAM resource + type: str new_path: description: - When state is update, will replace the path with new_path on the IAM resource + type: str state: description: - Whether to create, delete or update the IAM resource. Note, roles cannot be updated. required: true choices: [ "present", "absent", "update" ] + type: str path: description: - When creating or updating, specify the desired path of the resource. If state is present, it will replace the current path to match what is passed in when they do not match. default: "/" + type: str trust_policy: description: - The inline (JSON or YAML) trust policy document that grants an entity permission to assume the role. Mutually exclusive with C(trust_policy_filepath). version_added: "2.2" + type: dict trust_policy_filepath: description: - The path to the trust policy document that grants an entity permission to assume the role. Mutually exclusive with C(trust_policy). version_added: "2.2" + type: str access_key_state: description: - When type is user, it creates, removes, deactivates or activates a user's access key(s). Note that actions apply only to keys specified. - choices: [ "create", "remove", "active", "inactive"] + choices: [ "create", "remove", "active", "inactive", "Create", "Remove", "Active", "Inactive"] + type: str key_count: description: - When access_key_state is create it will ensure this quantity of keys are present. Defaults to 1. - default: '1' + default: 1 + type: int access_key_ids: description: - A list of the keys that you want impacted by the access_key_state parameter. + type: list groups: description: - A list of groups the user should belong to. When update, will gracefully remove groups not listed. 
+ type: list password: description: - When type is user and state is present, define the users login password. Also works with update. Note that always returns changed. + type: str update_password: default: always choices: ['always', 'on_create'] description: - C(always) will update passwords if they differ. C(on_create) will only set the password for newly created users. + type: str notes: - 'Currently boto does not support the removal of Managed Policies, the module will error out if your user/group/role has managed policies when you try to do state=absent. They will need to be removed manually.' @@ -603,11 +617,9 @@ def delete_role(module, iam, name, role_list, prof_list): def main(): argument_spec = ec2_argument_spec() argument_spec.update(dict( - iam_type=dict( - default=None, required=True, choices=['user', 'group', 'role']), + iam_type=dict(required=True, choices=['user', 'group', 'role']), groups=dict(type='list', default=None, required=False), - state=dict( - default=None, required=True, choices=['present', 'absent', 'update']), + state=dict(required=True, choices=['present', 'absent', 'update']), password=dict(default=None, required=False, no_log=True), update_password=dict(default='always', required=False, choices=['always', 'on_create']), access_key_state=dict(default=None, required=False, choices=[ diff --git a/lib/ansible/modules/cloud/amazon/iam_cert.py b/lib/ansible/modules/cloud/amazon/iam_cert.py index 3476bf052e3..dc55cec6e68 100644 --- a/lib/ansible/modules/cloud/amazon/iam_cert.py +++ b/lib/ansible/modules/cloud/amazon/iam_cert.py @@ -13,6 +13,10 @@ # # You should have received a copy of the GNU General Public License # along with Ansible. If not, see . + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + ANSIBLE_METADATA = {'metadata_version': '1.1', 'status': ['preview'], 'supported_by': 'community'} 
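Review bot: The `password` and `update_password` descriptions in this hunk contradict each other: `password` says the module "always returns changed", while the `always` choice of `update_password` claims it "will update passwords if they differ". IAM offers no API to read a login-profile password, so the module cannot know whether they differ; assuming the existing behaviour is to push the supplied password on every run, the choice text should say so, e.g. `- C(always) will set the password on every run (the module cannot compare it with the current password, so the task always reports changed). C(on_create) will only set the password for newly created users.`. Because the value is credential material, `password` also deserves a sentence stating that it is masked from logs, which the `no_log=True` already present in the argument spec of the following hunk supports. The `options:` mapping continues above and below this hunk.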
@@ -30,36 +34,44 @@ options: description: - Name of certificate to add, update or remove. required: true + type: str new_name: description: - When state is present, this will update the name of the cert. - The cert, key and cert_chain parameters will be ignored if this is defined. + type: str new_path: description: - When state is present, this will update the path of the cert. - The cert, key and cert_chain parameters will be ignored if this is defined. + type: str state: description: - Whether to create(or update) or delete certificate. - If new_path or new_name is defined, specifying present will attempt to make an update these. required: true choices: [ "present", "absent" ] + type: str path: description: - When creating or updating, specify the desired path of the certificate. default: "/" + type: str cert_chain: description: - The path to, or content of the CA certificate chain in PEM encoded format. As of 2.4 content is accepted. If the parameter is not a file, it is assumed to be content. + type: str cert: description: - The path to, or content of the certificate body in PEM encoded format. As of 2.4 content is accepted. If the parameter is not a file, it is assumed to be content. + type: str key: description: - The path to, or content of the private key in PEM encoded format. As of 2.4 content is accepted. If the parameter is not a file, it is assumed to be content. + type: str dup_ok: description: - By default the module will not upload a certificate that is already uploaded into AWS. diff --git a/lib/ansible/modules/cloud/amazon/iam_group.py b/lib/ansible/modules/cloud/amazon/iam_group.py index 968a2e924d9..48d47107fed 100644 --- a/lib/ansible/modules/cloud/amazon/iam_group.py +++ b/lib/ansible/modules/cloud/amazon/iam_group.py 
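Review bot: The `key` option in this hunk carries a PEM private key, either as a path or as the key material itself, yet nothing in the documentation says the value is treated as sensitive. The argument spec lies outside this hunk; if it does not already set `no_log=True` on `key`, it must, otherwise the private key is written to verbose output and callback logs whenever content rather than a path is supplied. Either way the doc should state it, e.g. `- Treated as sensitive and masked from module output and logs.` under `key`. The same path-or-content heuristic applies to `cert` and `cert_chain`, but those hold public material, so only `key` needs the caveat.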
@@ -14,6 +14,9 @@ # You should have received a copy of the GNU General Public License # along with Ansible. If not, see . +from __future__ import absolute_import, division, print_function +__metaclass__ = type + ANSIBLE_METADATA = {'metadata_version': '1.1', 'status': ['preview'], 'supported_by': 'community'} @@ -33,19 +36,23 @@ options: description: - The name of the group to create. required: true + type: str managed_policy: description: - A list of managed policy ARNs or friendly names to attach to the role. To embed an inline policy, use M(iam_policy). required: false + type: list users: description: - A list of existing users to add as members of the group. required: false + type: list state: description: - Create or remove the IAM group required: true choices: [ 'present', 'absent' ] + type: str purge_policy: description: - Detach policy which not included in managed_policy list diff --git a/lib/ansible/modules/cloud/amazon/iam_managed_policy.py b/lib/ansible/modules/cloud/amazon/iam_managed_policy.py index a8bdebb7d9b..e13c2bb6e18 100644 --- a/lib/ansible/modules/cloud/amazon/iam_managed_policy.py +++ b/lib/ansible/modules/cloud/amazon/iam_managed_policy.py 
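Review bot: The `managed_policy` description in the second hunk says the policies are attached "to the role", but this is the `iam_group` module; the sentence was evidently copied from the role module and should read `- A list of managed policy ARNs or friendly names to attach to the group. To embed an inline policy, use M(iam_policy).`. The `purge_policy` option's default and its interaction with an omitted `managed_policy` are below the hunk and cannot be checked here; a sentence spelling out whether purging with an empty list detaches every policy would help operators avoid accidental privilege removal. While adding `type: list` to `managed_policy` and `users`, `elements: str` could be added too so the element type is documented alongside.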
@@ -22,27 +22,37 @@ options: description: - The name of the managed policy. required: True + type: str policy_description: description: - A helpful description of this policy, this value is immutable and only set when creating a new policy. default: '' + type: str policy: description: - A properly json formatted policy + type: json make_default: description: - Make this revision the default revision. default: True + type: bool only_version: description: - Remove all other non default revisions, if this is used with C(make_default) it will result in all other versions of this policy being deleted. type: bool - default: 'no' + default: false state: description: - Should this managed policy be present or absent. Set to absent to detach all entities from this policy and remove it if found. default: present choices: [ "present", "absent" ] + type: str + fail_on_delete: + description: + - The I(fail_on_delete) option does nothing and will be removed in Ansible 2.14. + type: bool + author: "Dan Kozlowski (@dkhenry)" extends_documentation_fragment: - aws @@ -277,7 +287,7 @@ def main(): policy=dict(type='json'), make_default=dict(type='bool', default=True), only_version=dict(type='bool', default=False), - fail_on_delete=dict(type='bool', default=True), + fail_on_delete=dict(type='bool', removed_in_version='2.14'), state=dict(default='present', choices=['present', 'absent']), )) diff --git a/lib/ansible/modules/cloud/amazon/iam_mfa_device_info.py b/lib/ansible/modules/cloud/amazon/iam_mfa_device_info.py index 33a888e8d3f..b09da4da5e9 100644 --- a/lib/ansible/modules/cloud/amazon/iam_mfa_device_info.py +++ b/lib/ansible/modules/cloud/amazon/iam_mfa_device_info.py @@ -24,6 +24,7 @@ options: user_name: description: - The name of the user whose MFA devices will be listed + type: str extends_documentation_fragment: - aws - ec2 
diff --git a/lib/ansible/modules/cloud/amazon/iam_password_policy.py b/lib/ansible/modules/cloud/amazon/iam_password_policy.py index 02b0147f19c..2d78ee27f27 100644 --- a/lib/ansible/modules/cloud/amazon/iam_password_policy.py +++ b/lib/ansible/modules/cloud/amazon/iam_password_policy.py @@ -28,11 +28,13 @@ options: - Specifies the overall state of the password policy. required: true choices: ['present', 'absent'] + type: str min_pw_length: description: - Minimum password length. default: 6 aliases: [minimum_password_length] + type: int require_symbols: description: - Require symbols in password. @@ -65,11 +67,13 @@ options: do not expire automatically. default: 0 aliases: [password_max_age] + type: int pw_reuse_prevent: description: - Prevent re-use of passwords. default: 0 aliases: [password_reuse_prevent, prevent_reuse] + type: int pw_expire: description: - Prevents users from change an expired password. diff --git a/lib/ansible/modules/cloud/amazon/iam_server_certificate_info.py b/lib/ansible/modules/cloud/amazon/iam_server_certificate_info.py index 9f833ea2a14..ec7929723ae 100644 --- a/lib/ansible/modules/cloud/amazon/iam_server_certificate_info.py +++ b/lib/ansible/modules/cloud/amazon/iam_server_certificate_info.py @@ -26,6 +26,7 @@ options: description: - The name of the server certificate you are retrieving attributes for. required: true + type: str extends_documentation_fragment: - aws - ec2 diff --git a/lib/ansible/modules/cloud/amazon/iam_user.py b/lib/ansible/modules/cloud/amazon/iam_user.py index 7ab90c6e0ac..2f5afec7e09 100644 --- a/lib/ansible/modules/cloud/amazon/iam_user.py +++ b/lib/ansible/modules/cloud/amazon/iam_user.py 
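Review bot: The documented defaults in the two iam_password_policy hunks — `min_pw_length: 6`, `pw_max_age: 0` (never expire) and `pw_reuse_prevent: 0` (no reuse prevention) — are the most permissive values IAM accepts, and the IAM password-policy update call replaces the whole policy rather than merging into it. If the module sends every option on each update, as these defaults suggest (the update code is outside the hunks), a task that sets only, say, `require_symbols: true` against an account with a stricter existing policy silently relaxes length, expiry and reuse controls to these defaults. That deserves a caveat in the module notes, e.g. `- The account password policy is replaced as a whole; any option not given reverts to its documented default, so set every control you rely on explicitly.`. The untouched `pw_expire` description just below also reads "Prevents users from change an expired password" and should say "from changing".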
@@ -2,6 +2,9 @@ # Copyright (c) 2017 Ansible Project # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) +from __future__ import absolute_import, division, print_function +__metaclass__ = type + ANSIBLE_METADATA = {'metadata_version': '1.1', 'status': ['preview'], 'supported_by': 'community'} @@ -19,15 +22,18 @@ options: description: - The name of the user to create. required: true + type: str managed_policy: description: - A list of managed policy ARNs or friendly names to attach to the user. To embed an inline policy, use M(iam_policy). required: false + type: list state: description: - Create or remove the IAM user required: true choices: [ 'present', 'absent' ] + type: str purge_policy: description: - Detach policies which are not included in managed_policy list diff --git a/test/sanity/ignore.txt b/test/sanity/ignore.txt index cc6c705de68..9d53a4f9833 100644 --- a/test/sanity/ignore.txt +++ b/test/sanity/ignore.txt 
@@ -939,24 +939,6 @@ lib/ansible/modules/cloud/amazon/execute_lambda.py metaclass-boilerplate lib/ansible/modules/cloud/amazon/execute_lambda.py validate-modules:doc-default-does-not-match-spec lib/ansible/modules/cloud/amazon/execute_lambda.py validate-modules:parameter-type-not-in-doc lib/ansible/modules/cloud/amazon/execute_lambda.py validate-modules:doc-missing-type -lib/ansible/modules/cloud/amazon/iam.py validate-modules:no-default-for-required-parameter -lib/ansible/modules/cloud/amazon/iam.py validate-modules:doc-choices-do-not-match-spec -lib/ansible/modules/cloud/amazon/iam.py validate-modules:parameter-type-not-in-doc -lib/ansible/modules/cloud/amazon/iam.py validate-modules:doc-missing-type -lib/ansible/modules/cloud/amazon/iam_cert.py future-import-boilerplate -lib/ansible/modules/cloud/amazon/iam_cert.py metaclass-boilerplate -lib/ansible/modules/cloud/amazon/iam_cert.py validate-modules:doc-missing-type -lib/ansible/modules/cloud/amazon/iam_group.py future-import-boilerplate -lib/ansible/modules/cloud/amazon/iam_group.py metaclass-boilerplate -lib/ansible/modules/cloud/amazon/iam_group.py validate-modules:parameter-type-not-in-doc -lib/ansible/modules/cloud/amazon/iam_group.py validate-modules:doc-missing-type -lib/ansible/modules/cloud/amazon/iam_managed_policy.py validate-modules:undocumented-parameter -lib/ansible/modules/cloud/amazon/iam_managed_policy.py validate-modules:doc-default-does-not-match-spec -lib/ansible/modules/cloud/amazon/iam_managed_policy.py validate-modules:parameter-type-not-in-doc -lib/ansible/modules/cloud/amazon/iam_managed_policy.py validate-modules:doc-missing-type -lib/ansible/modules/cloud/amazon/iam_mfa_device_info.py validate-modules:doc-missing-type -lib/ansible/modules/cloud/amazon/iam_password_policy.py validate-modules:parameter-type-not-in-doc -lib/ansible/modules/cloud/amazon/iam_password_policy.py validate-modules:doc-missing-type lib/ansible/modules/cloud/amazon/iam_policy.py future-import-boilerplate 
lib/ansible/modules/cloud/amazon/iam_policy.py metaclass-boilerplate lib/ansible/modules/cloud/amazon/iam_policy.py validate-modules:no-default-for-required-parameter @@ -967,11 +949,6 @@ lib/ansible/modules/cloud/amazon/iam_role.py future-import-boilerplate lib/ansible/modules/cloud/amazon/iam_role.py metaclass-boilerplate lib/ansible/modules/cloud/amazon/iam_role.py validate-modules:parameter-type-not-in-doc lib/ansible/modules/cloud/amazon/iam_role_info.py validate-modules:doc-missing-type -lib/ansible/modules/cloud/amazon/iam_server_certificate_info.py validate-modules:parameter-type-not-in-doc -lib/ansible/modules/cloud/amazon/iam_user.py future-import-boilerplate -lib/ansible/modules/cloud/amazon/iam_user.py metaclass-boilerplate -lib/ansible/modules/cloud/amazon/iam_user.py validate-modules:parameter-type-not-in-doc -lib/ansible/modules/cloud/amazon/iam_user.py validate-modules:doc-missing-type lib/ansible/modules/cloud/amazon/kinesis_stream.py pylint:blacklisted-name lib/ansible/modules/cloud/amazon/kinesis_stream.py validate-modules:no-default-for-required-parameter lib/ansible/modules/cloud/amazon/kinesis_stream.py validate-modules:doc-default-does-not-match-spec