* AWS Key Management Service fix: a statement may not have a Principal, and when there is only one AWS principal it is a plain string rather than the expected list. Fixes #25786. * remove len(); only catch the exception around the json.dumps() call * use a defined variable and make the format string Python 2.6 compatible
This commit is contained in:
parent
9e41fd399b
commit
91781487ab
1 changed files with 12 additions and 6 deletions
|
@ -165,12 +165,18 @@ def do_grant(kms, keyarn, role_arn, granttypes, mode='grant', dry_run=True, clea
|
||||||
# do we want this grant type? Are we on its statement?
|
# do we want this grant type? Are we on its statement?
|
||||||
# and does the role have this grant type?
|
# and does the role have this grant type?
|
||||||
|
|
||||||
|
# Ensure statement looks as expected
|
||||||
|
if not statement.get('Principal'):
|
||||||
|
statement['Principal'] = {'AWS': []}
|
||||||
|
if not isinstance(statement['Principal']['AWS'], list):
|
||||||
|
statement['Principal']['AWS'] = [statement['Principal']['AWS']]
|
||||||
|
|
||||||
if mode == 'grant' and statement['Sid'] == statement_label[granttype]:
|
if mode == 'grant' and statement['Sid'] == statement_label[granttype]:
|
||||||
# we're granting and we recognize this statement ID.
|
# we're granting and we recognize this statement ID.
|
||||||
|
|
||||||
if granttype in granttypes:
|
if granttype in granttypes:
|
||||||
invalid_entries = list(filter(lambda x: not x.startswith('arn:aws:iam::'), statement['Principal']['AWS']))
|
invalid_entries = list(filter(lambda x: not x.startswith('arn:aws:iam::'), statement['Principal']['AWS']))
|
||||||
if clean_invalid_entries and len(list(invalid_entries)):
|
if clean_invalid_entries and invalid_entries:
|
||||||
# we have bad/invalid entries. These are roles that were deleted.
|
# we have bad/invalid entries. These are roles that were deleted.
|
||||||
# prune the list.
|
# prune the list.
|
||||||
valid_entries = filter(lambda x: x.startswith('arn:aws:iam::'), statement['Principal']['AWS'])
|
valid_entries = filter(lambda x: x.startswith('arn:aws:iam::'), statement['Principal']['AWS'])
|
||||||
|
@ -197,12 +203,12 @@ def do_grant(kms, keyarn, role_arn, granttypes, mode='grant', dry_run=True, clea
|
||||||
try:
|
try:
|
||||||
if len(changes_needed) and not dry_run:
|
if len(changes_needed) and not dry_run:
|
||||||
policy_json_string = json.dumps(policy)
|
policy_json_string = json.dumps(policy)
|
||||||
|
except Exception as e:
|
||||||
|
raise Exception("{0}: // {1}".format(e, repr(policy)))
|
||||||
kms.put_key_policy(KeyId=keyarn, PolicyName='default', Policy=policy_json_string)
|
kms.put_key_policy(KeyId=keyarn, PolicyName='default', Policy=policy_json_string)
|
||||||
except:
|
|
||||||
raise Exception("{}: // {}".format("e", policy_json_string))
|
|
||||||
|
|
||||||
# returns nothing, so we have to just assume it didn't throw
|
# returns nothing, so we have to just assume it didn't throw
|
||||||
ret['changed'] = True
|
ret['changed'] = changes_needed and not had_invalid_entries
|
||||||
|
|
||||||
ret['changes_needed'] = changes_needed
|
ret['changes_needed'] = changes_needed
|
||||||
ret['had_invalid_entries'] = had_invalid_entries
|
ret['had_invalid_entries'] = had_invalid_entries
|
||||||
|
|
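Review bot: The new normalization `if not isinstance(statement['Principal']['AWS'], list):` indexes `['AWS']` on every statement in the policy before the Sid check, so a statement whose Principal is the wildcard string `"*"` or a dict carrying only `Service`/`Federated`/`CanonicalUser` keys still raises (TypeError or KeyError) — the added guard only covers a missing Principal. The `{'AWS': []}` default is likewise injected into statements this module does not own (for instance one written with `NotPrincipal`), and I believe KMS rejects an empty principal list when the policy is written back through `put_key_policy`, so the module can break a previously valid policy it never intended to touch. Limit the normalization to dict principals as sketched below; the Sid-matched branch further down still assumes `statement['Principal']` is a dict, which holds for the statements this module creates. `do_grant` starts and ends outside this hunk, so the loop this sits in is not visible here.
```python
            # Ensure statement looks as expected
            principal = statement.get('Principal')
            if principal is None:
                statement['Principal'] = principal = {'AWS': []}
            if isinstance(principal, dict):
                # only dict principals carry an 'AWS' key; "*" and Service-only principals are left untouched
                principal.setdefault('AWS', [])
                if not isinstance(principal['AWS'], list):
                    principal['AWS'] = [principal['AWS']]
            # … unchanged: Sid match, invalid-entry pruning …
```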