#!/usr/bin/python # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) from __future__ import (absolute_import, division, print_function) __metaclass__ = type ANSIBLE_METADATA = {'metadata_version': '1.1', 'status': ['preview'], 'supported_by': 'community'} DOCUMENTATION = ''' --- module: iam_role short_description: Manage AWS IAM roles description: - Manage AWS IAM roles. version_added: "2.3" author: "Rob White (@wimnat)" options: path: description: - The path to the role. For more information about paths, see U(https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html). default: "/" type: str name: description: - The name of the role to create. required: true type: str description: description: - Provides a description of the role. version_added: "2.5" type: str boundary: description: - The ARN of an IAM managed policy to use to restrict the permissions this role can pass on to IAM roles/users that it creates. - Boundaries cannot be set on Instance Profiles, as such if this option is specified then I(create_instance_profile) must be C(false). - This is intended for roles/users that have permissions to create new IAM objects. - For more information on boundaries, see U(https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html). - Requires botocore 1.10.57 or above. aliases: [boundary_policy_arn] version_added: "2.7" type: str assume_role_policy_document: description: - The trust relationship policy document that grants an entity permission to assume the role. - This parameter is required when I(state=present). type: json managed_policies: description: - A list of managed policy ARNs or, since Ansible 2.4, a list of either managed policy ARNs or friendly names. - To remove all policies set I(purge_polices=true) and I(managed_policies=[None]). - To embed an inline policy, use M(iam_policy). aliases: ['managed_policy'] type: list max_session_duration: description: - The maximum duration (in seconds) of a session when assuming the role. - Valid values are between 1 and 12 hours (3600 and 43200 seconds). version_added: "2.10" type: int purge_policies: description: - When I(purge_policies=true) any managed policies not listed in I(managed_policies) will be detatched. - By default I(purge_policies=true). In Ansible 2.14 this will be changed to I(purge_policies=false). version_added: "2.5" type: bool aliases: ['purge_policy', 'purge_managed_policies'] state: description: - Create or remove the IAM role. default: present choices: [ present, absent ] type: str create_instance_profile: description: - Creates an IAM instance profile along with the role. default: true version_added: "2.5" type: bool delete_instance_profile: description: - When I(delete_instance_profile=true) and I(state=absent) deleting a role will also delete the instance profile created with the same I(name) as the role. - Only applies when I(state=absent). default: false version_added: "2.10" type: bool tags: description: - Tag dict to apply to the queue. - Requires botocore 1.12.46 or above. version_added: "2.10" type: dict purge_tags: description: - Remove tags not listed in I(tags) when tags is specified. default: true version_added: "2.10" type: bool requirements: [ botocore, boto3 ] extends_documentation_fragment: - aws - ec2 ''' EXAMPLES = ''' # Note: These examples do not set authentication details, see the AWS Guide for details. - name: Create a role with description and tags iam_role: name: mynewrole assume_role_policy_document: "{{ lookup('file','policy.json') }}" description: This is My New Role tags: env: dev - name: "Create a role and attach a managed policy called 'PowerUserAccess'" iam_role: name: mynewrole assume_role_policy_document: "{{ lookup('file','policy.json') }}" managed_policies: - arn:aws:iam::aws:policy/PowerUserAccess - name: Keep the role created above but remove all managed policies iam_role: name: mynewrole assume_role_policy_document: "{{ lookup('file','policy.json') }}" managed_policies: [] - name: Delete the role iam_role: name: mynewrole assume_role_policy_document: "{{ lookup('file', 'policy.json') }}" state: absent ''' RETURN = ''' iam_role: description: dictionary containing the IAM Role data returned: success type: complex contains: path: description: the path to the role type: str returned: always sample: / role_name: description: the friendly name that identifies the role type: str returned: always sample: myrole role_id: description: the stable and unique string identifying the role type: str returned: always sample: ABCDEFF4EZ4ABCDEFV4ZC arn: description: the Amazon Resource Name (ARN) specifying the role type: str returned: always sample: "arn:aws:iam::1234567890:role/mynewrole" create_date: description: the date and time, in ISO 8601 date-time format, when the role was created type: str returned: always sample: "2016-08-14T04:36:28+00:00" assume_role_policy_document: description: the policy that grants an entity permission to assume the role type: str returned: always sample: { 'statement': [ { 'action': 'sts:AssumeRole', 'effect': 'Allow', 'principal': { 'service': 'ec2.amazonaws.com' }, 'sid': '' } ], 'version': '2012-10-17' } attached_policies: description: a list of dicts containing the name and ARN of the managed IAM policies attached to the role type: list returned: always sample: [ { 'policy_arn': 'arn:aws:iam::aws:policy/PowerUserAccess', 'policy_name': 'PowerUserAccess' } ] tags: description: role tags type: dict returned: always sample: '{"Env": "Prod"}' ''' import json from ansible.module_utils.aws.core import AnsibleAWSModule from ansible.module_utils.ec2 import camel_dict_to_snake_dict, compare_policies from ansible.module_utils.ec2 import AWSRetry, ansible_dict_to_boto3_tag_list, boto3_tag_list_to_ansible_dict, compare_aws_tags try: from botocore.exceptions import ClientError, BotoCoreError except ImportError: pass # caught by AnsibleAWSModule def compare_assume_role_policy_doc(current_policy_doc, new_policy_doc): if not compare_policies(current_policy_doc, json.loads(new_policy_doc)): return True else: return False @AWSRetry.jittered_backoff() def _list_policies(connection): paginator = connection.get_paginator('list_policies') return paginator.paginate().build_full_result()['Policies'] def convert_friendly_names_to_arns(connection, module, policy_names): if not any([not policy.startswith('arn:') for policy in policy_names]): return policy_names allpolicies = {} policies = _list_policies(connection) for policy in policies: allpolicies[policy['PolicyName']] = policy['Arn'] allpolicies[policy['Arn']] = policy['Arn'] try: return [allpolicies[policy] for policy in policy_names] except KeyError as e: module.fail_json_aws(e, msg="Couldn't find policy") def attach_policies(connection, module, policies_to_attach, params): changed = False for policy_arn in policies_to_attach: try: if not module.check_mode: connection.attach_role_policy(RoleName=params['RoleName'], PolicyArn=policy_arn, aws_retry=True) except (BotoCoreError, ClientError) as e: module.fail_json_aws(e, msg="Unable to attach policy {0} to role {1}".format(policy_arn, params['RoleName'])) changed = True return changed def remove_policies(connection, module, policies_to_remove, params): changed = False for policy in policies_to_remove: try: if not module.check_mode: connection.detach_role_policy(RoleName=params['RoleName'], PolicyArn=policy, aws_retry=True) except (BotoCoreError, ClientError) as e: module.fail_json_aws(e, msg="Unable to detach policy {0} from {1}".format(policy, params['RoleName'])) changed = True return changed def generate_create_params(module): params = dict() params['Path'] = module.params.get('path') params['RoleName'] = module.params.get('name') params['AssumeRolePolicyDocument'] = module.params.get('assume_role_policy_document') if module.params.get('description') is not None: params['Description'] = module.params.get('description') if module.params.get('max_session_duration') is not None: params['MaxSessionDuration'] = module.params.get('max_session_duration') if module.params.get('boundary') is not None: params['PermissionsBoundary'] = module.params.get('boundary') if module.params.get('tags') is not None: params['Tags'] = ansible_dict_to_boto3_tag_list(module.params.get('tags')) return params def create_basic_role(connection, module, params): """ Perform the Role creation. Assumes tests for the role existing have already been performed. """ try: if not module.check_mode: role = connection.create_role(aws_retry=True, **params) # 'Description' is documented as key of the role returned by create_role # but appears to be an AWS bug (the value is not returned using the AWS CLI either). # Get the role after creating it. role = get_role_with_backoff(connection, module, params['RoleName']) else: role = {'MadeInCheckMode': True} role['AssumeRolePolicyDocument'] = json.loads(params['AssumeRolePolicyDocument']) except (BotoCoreError, ClientError) as e: module.fail_json_aws(e, msg="Unable to create role") return role def update_role_assumed_policy(connection, module, params, role): # Check Assumed Policy document if compare_assume_role_policy_doc(role['AssumeRolePolicyDocument'], params['AssumeRolePolicyDocument']): return False if module.check_mode: return True try: connection.update_assume_role_policy( RoleName=params['RoleName'], PolicyDocument=json.dumps(json.loads(params['AssumeRolePolicyDocument'])), aws_retry=True) except (BotoCoreError, ClientError) as e: module.fail_json_aws(e, msg="Unable to update assume role policy for role {0}".format(params['RoleName'])) return True def update_role_description(connection, module, params, role): # Check Description update if params.get('Description') is None: return False if role.get('Description') == params['Description']: return False if module.check_mode: return True try: connection.update_role_description(RoleName=params['RoleName'], Description=params['Description'], aws_retry=True) except (BotoCoreError, ClientError) as e: module.fail_json_aws(e, msg="Unable to update description for role {0}".format(params['RoleName'])) return True def update_role_max_session_duration(connection, module, params, role): # Check MaxSessionDuration update if params.get('MaxSessionDuration') is None: return False if role.get('MaxSessionDuration') == params['MaxSessionDuration']: return False if module.check_mode: return True try: connection.update_role(RoleName=params['RoleName'], MaxSessionDuration=params['MaxSessionDuration'], aws_retry=True) except (BotoCoreError, ClientError) as e: module.fail_json_aws(e, msg="Unable to update maximum session duration for role {0}".format(params['RoleName'])) return True def update_role_permissions_boundary(connection, module, params, role): # Check PermissionsBoundary if params.get('PermissionsBoundary') is None: return False if params.get('PermissionsBoundary') == role.get('PermissionsBoundary', {}).get('PermissionsBoundaryArn', ''): return False if module.check_mode: return True if params.get('PermissionsBoundary') == '': try: connection.delete_role_permissions_boundary(RoleName=params['RoleName'], aws_retry=True) except (BotoCoreError, ClientError) as e: module.fail_json_aws(e, msg="Unable to remove permission boundary for role {0}".format(params['RoleName'])) else: try: connection.put_role_permissions_boundary(RoleName=params['RoleName'], PermissionsBoundary=params['PermissionsBoundary'], aws_retry=True) except (BotoCoreError, ClientError) as e: module.fail_json_aws(e, msg="Unable to update permission boundary for role {0}".format(params['RoleName'])) return True def update_managed_policies(connection, module, params, role, managed_policies, purge_policies): # Check Managed Policies if managed_policies is None: return False # If we're manipulating a fake role if role.get('MadeInCheckMode', False): role['AttachedPolicies'] = list(map(lambda x: {'PolicyArn': x, 'PolicyName': x.split(':')[5]}, managed_policies)) return True # Get list of current attached managed policies current_attached_policies = get_attached_policy_list(connection, module, params['RoleName']) current_attached_policies_arn_list = [policy['PolicyArn'] for policy in current_attached_policies] if len(managed_policies) == 1 and managed_policies[0] is None: managed_policies = [] policies_to_remove = set(current_attached_policies_arn_list) - set(managed_policies) policies_to_attach = set(managed_policies) - set(current_attached_policies_arn_list) changed = False if purge_policies: changed |= remove_policies(connection, module, policies_to_remove, params) changed |= attach_policies(connection, module, policies_to_attach, params) return changed def create_or_update_role(connection, module): params = generate_create_params(module) role_name = params['RoleName'] create_instance_profile = module.params.get('create_instance_profile') purge_policies = module.params.get('purge_policies') if purge_policies is None: purge_policies = True managed_policies = module.params.get('managed_policies') if managed_policies: # Attempt to list the policies early so we don't leave things behind if we can't find them. managed_policies = convert_friendly_names_to_arns(connection, module, managed_policies) changed = False # Get role role = get_role(connection, module, role_name) # If role is None, create it if role is None: role = create_basic_role(connection, module, params) changed = True else: changed |= update_role_tags(connection, module, params, role) changed |= update_role_assumed_policy(connection, module, params, role) changed |= update_role_description(connection, module, params, role) changed |= update_role_max_session_duration(connection, module, params, role) changed |= update_role_permissions_boundary(connection, module, params, role) if create_instance_profile: changed |= create_instance_profiles(connection, module, params, role) changed |= update_managed_policies(connection, module, params, role, managed_policies, purge_policies) # Get the role again if not role.get('MadeInCheckMode', False): role = get_role(connection, module, params['RoleName']) role['AttachedPolicies'] = get_attached_policy_list(connection, module, params['RoleName']) role['tags'] = get_role_tags(connection, module) module.exit_json( changed=changed, iam_role=camel_dict_to_snake_dict(role, ignore_list=['tags']), **camel_dict_to_snake_dict(role, ignore_list=['tags'])) def create_instance_profiles(connection, module, params, role): if role.get('MadeInCheckMode', False): return False # Fetch existing Profiles try: instance_profiles = connection.list_instance_profiles_for_role(RoleName=params['RoleName'], aws_retry=True)['InstanceProfiles'] except (BotoCoreError, ClientError) as e: module.fail_json_aws(e, msg="Unable to list instance profiles for role {0}".format(params['RoleName'])) # Profile already exists if any(p['InstanceProfileName'] == params['RoleName'] for p in instance_profiles): return False if module.check_mode: return True # Make sure an instance profile is created try: connection.create_instance_profile(InstanceProfileName=params['RoleName'], Path=params['Path'], aws_retry=True) except ClientError as e: # If the profile already exists, no problem, move on. # Implies someone's changing things at the same time... if e.response['Error']['Code'] == 'EntityAlreadyExists': return False else: module.fail_json_aws(e, msg="Unable to create instance profile for role {0}".format(params['RoleName'])) except BotoCoreError as e: module.fail_json_aws(e, msg="Unable to create instance profile for role {0}".format(params['RoleName'])) # And attach the role to the profile try: connection.add_role_to_instance_profile(InstanceProfileName=params['RoleName'], RoleName=params['RoleName'], aws_retry=True) except (BotoCoreError, ClientError) as e: module.fail_json_aws(e, msg="Unable to attach role {0} to instance profile {0}".format(params['RoleName'])) return True def remove_instance_profiles(connection, module, role_params, role): role_name = module.params.get('name') delete_profiles = module.params.get("delete_instance_profile") try: instance_profiles = connection.list_instance_profiles_for_role(aws_retry=True, **role_params)['InstanceProfiles'] except (BotoCoreError, ClientError) as e: module.fail_json_aws(e, msg="Unable to list instance profiles for role {0}".format(role_name)) # Remove the role from the instance profile(s) for profile in instance_profiles: profile_name = profile['InstanceProfileName'] try: if not module.check_mode: connection.remove_role_from_instance_profile(aws_retry=True, InstanceProfileName=profile_name, **role_params) if profile_name == role_name: if delete_profiles: try: connection.delete_instance_profile(InstanceProfileName=profile_name, aws_retry=True) except (BotoCoreError, ClientError) as e: module.fail_json_aws(e, msg="Unable to remove instance profile {0}".format(profile_name)) except (BotoCoreError, ClientError) as e: module.fail_json_aws(e, msg="Unable to remove role {0} from instance profile {1}".format(role_name, profile_name)) def destroy_role(connection, module): role_name = module.params.get('name') role = get_role(connection, module, role_name) role_params = dict() role_params['RoleName'] = role_name boundary_params = dict(role_params) boundary_params['PermissionsBoundary'] = '' if role is None: module.exit_json(changed=False) # Before we try to delete the role we need to remove any # - attached instance profiles # - attached managed policies # - permissions boundary remove_instance_profiles(connection, module, role_params, role) update_managed_policies(connection, module, role_params, role, [], True) update_role_permissions_boundary(connection, module, boundary_params, role) try: if not module.check_mode: connection.delete_role(aws_retry=True, **role_params) except (BotoCoreError, ClientError) as e: module.fail_json_aws(e, msg="Unable to delete role") module.exit_json(changed=True) def get_role_with_backoff(connection, module, name): try: return AWSRetry.jittered_backoff(catch_extra_error_codes=['NoSuchEntity'])(connection.get_role)(RoleName=name)['Role'] except (BotoCoreError, ClientError) as e: module.fail_json_aws(e, msg="Unable to get role {0}".format(name)) def get_role(connection, module, name): try: return connection.get_role(RoleName=name, aws_retry=True)['Role'] except ClientError as e: if e.response['Error']['Code'] == 'NoSuchEntity': return None else: module.fail_json_aws(e, msg="Unable to get role {0}".format(name)) except BotoCoreError as e: module.fail_json_aws(e, msg="Unable to get role {0}".format(name)) def get_attached_policy_list(connection, module, name): try: return connection.list_attached_role_policies(RoleName=name, aws_retry=True)['AttachedPolicies'] except (ClientError, BotoCoreError) as e: module.fail_json_aws(e, msg="Unable to list attached policies for role {0}".format(name)) def get_role_tags(connection, module): role_name = module.params.get('name') if not hasattr(connection, 'list_role_tags'): return {} try: return boto3_tag_list_to_ansible_dict(connection.list_role_tags(RoleName=role_name, aws_retry=True)['Tags']) except (ClientError, BotoCoreError) as e: module.fail_json_aws(e, msg="Unable to list tags for role {0}".format(role_name)) def update_role_tags(connection, module, params, role): new_tags = params.get('Tags') if new_tags is None: return False new_tags = boto3_tag_list_to_ansible_dict(new_tags) role_name = module.params.get('name') purge_tags = module.params.get('purge_tags') try: existing_tags = boto3_tag_list_to_ansible_dict(connection.list_role_tags(RoleName=role_name, aws_retry=True)['Tags']) except (ClientError, KeyError): existing_tags = {} tags_to_add, tags_to_remove = compare_aws_tags(existing_tags, new_tags, purge_tags=purge_tags) if not module.check_mode: try: if tags_to_remove: connection.untag_role(RoleName=role_name, TagKeys=tags_to_remove, aws_retry=True) if tags_to_add: connection.tag_role(RoleName=role_name, Tags=ansible_dict_to_boto3_tag_list(tags_to_add), aws_retry=True) except (ClientError, BotoCoreError) as e: module.fail_json_aws(e, msg='Unable to set tags for role %s' % role_name) changed = bool(tags_to_add) or bool(tags_to_remove) return changed def main(): argument_spec = dict( name=dict(type='str', required=True), path=dict(type='str', default="/"), assume_role_policy_document=dict(type='json'), managed_policies=dict(type='list', aliases=['managed_policy']), max_session_duration=dict(type='int'), state=dict(type='str', choices=['present', 'absent'], default='present'), description=dict(type='str'), boundary=dict(type='str', aliases=['boundary_policy_arn']), create_instance_profile=dict(type='bool', default=True), delete_instance_profile=dict(type='bool', default=False), purge_policies=dict(type='bool', aliases=['purge_policy', 'purge_managed_policies']), tags=dict(type='dict'), purge_tags=dict(type='bool', default=True), ) module = AnsibleAWSModule(argument_spec=argument_spec, required_if=[('state', 'present', ['assume_role_policy_document'])], supports_check_mode=True) if module.params.get('purge_policies') is None: module.deprecate('In Ansible 2.14 the default value of purge_policies will change from true to false.' ' To maintain the existing behaviour explicity set purge_policies=true', version='ansible.builtin:2.14') if module.params.get('boundary'): if module.params.get('create_instance_profile'): module.fail_json(msg="When using a boundary policy, `create_instance_profile` must be set to `false`.") if not module.params.get('boundary').startswith('arn:aws:iam'): module.fail_json(msg="Boundary policy must be an ARN") if module.params.get('tags') is not None and not module.botocore_at_least('1.12.46'): module.fail_json(msg="When managing tags botocore must be at least v1.12.46. " "Current versions: boto3-{boto3_version} botocore-{botocore_version}".format(**module._gather_versions())) if module.params.get('boundary') is not None and not module.botocore_at_least('1.10.57'): module.fail_json(msg="When using a boundary policy, botocore must be at least v1.10.57. " "Current versions: boto3-{boto3_version} botocore-{botocore_version}".format(**module._gather_versions())) if module.params.get('max_session_duration'): max_session_duration = module.params.get('max_session_duration') if max_session_duration < 3600 or max_session_duration > 43200: module.fail_json(msg="max_session_duration must be between 1 and 12 hours (3600 and 43200 seconds)") if module.params.get('path'): path = module.params.get('path') if not path.endswith('/') or not path.startswith('/'): module.fail_json(msg="path must begin and end with /") connection = module.client('iam', retry_decorator=AWSRetry.jittered_backoff()) state = module.params.get("state") if state == 'present': create_or_update_role(connection, module) else: destroy_role(connection, module) if __name__ == '__main__': main()