1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

[aws] Add aws_iam_role check mode support (#39002)

* Check mode when adding

* Check mode when deleting

* Add check mode
This commit is contained in:
cahlchang 2018-05-03 21:00:36 +09:00 committed by Ryan Brown
parent 910bc892c6
commit e2908ae8df

View file

@ -206,7 +206,8 @@ def convert_friendly_names_to_arns(connection, module, policy_names):
def remove_policies(connection, module, policies_to_remove, params):
for policy in policies_to_remove:
try:
connection.detach_role_policy(RoleName=params['RoleName'], PolicyArn=policy)
if not module.check_mode:
connection.detach_role_policy(RoleName=params['RoleName'], PolicyArn=policy)
except ClientError as e:
module.fail_json(msg="Unable to detach policy {0} from {1}: {2}".format(policy, params['RoleName'], to_native(e)),
exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
@ -236,7 +237,11 @@ def create_or_update_role(connection, module):
# If role is None, create it
if role is None:
try:
role = connection.create_role(**params)
if not module.check_mode:
role = connection.create_role(**params)
else:
role = {'MadeInCheckMode': True}
role['AssumeRolePolicyDocument'] = json.loads(params['AssumeRolePolicyDocument'])
changed = True
except ClientError as e:
module.fail_json(msg="Unable to create role: {0}".format(to_native(e)),
@ -248,7 +253,8 @@ def create_or_update_role(connection, module):
# Check Assumed Policy document
if not compare_assume_role_policy_doc(role['AssumeRolePolicyDocument'], params['AssumeRolePolicyDocument']):
try:
connection.update_assume_role_policy(RoleName=params['RoleName'], PolicyDocument=json.dumps(json.loads(params['AssumeRolePolicyDocument'])))
if not module.check_mode:
connection.update_assume_role_policy(RoleName=params['RoleName'], PolicyDocument=json.dumps(json.loads(params['AssumeRolePolicyDocument'])))
changed = True
except ClientError as e:
module.fail_json(msg="Unable to update assume role policy for role {0}: {1}".format(params['RoleName'], to_native(e)),
@ -279,7 +285,8 @@ def create_or_update_role(connection, module):
# Attach roles not already attached
for policy_arn in set(managed_policies) - set(current_attached_policies_arn_list):
try:
connection.attach_role_policy(RoleName=params['RoleName'], PolicyArn=policy_arn)
if not module.check_mode:
connection.attach_role_policy(RoleName=params['RoleName'], PolicyArn=policy_arn)
except ClientError as e:
module.fail_json(msg="Unable to attach policy {0} to role {1}: {2}".format(policy_arn, params['RoleName'], to_native(e)),
exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
@ -289,7 +296,7 @@ def create_or_update_role(connection, module):
changed = True
# Instance profile
if create_instance_profile:
if create_instance_profile and not role.get('MadeInCheckMode', False):
try:
instance_profiles = connection.list_instance_profiles_for_role(RoleName=params['RoleName'])['InstanceProfiles']
except ClientError as e:
@ -301,7 +308,8 @@ def create_or_update_role(connection, module):
if not any(p['InstanceProfileName'] == params['RoleName'] for p in instance_profiles):
# Make sure an instance profile is attached
try:
connection.create_instance_profile(InstanceProfileName=params['RoleName'], Path=params['Path'])
if not module.check_mode:
connection.create_instance_profile(InstanceProfileName=params['RoleName'], Path=params['Path'])
changed = True
except ClientError as e:
# If the profile already exists, no problem, move on
@ -313,12 +321,14 @@ def create_or_update_role(connection, module):
except BotoCoreError as e:
module.fail_json(msg="Unable to create instance profile for role {0}: {1}".format(params['RoleName'], to_native(e)),
exception=traceback.format_exc())
connection.add_role_to_instance_profile(InstanceProfileName=params['RoleName'], RoleName=params['RoleName'])
if not module.check_mode:
connection.add_role_to_instance_profile(InstanceProfileName=params['RoleName'], RoleName=params['RoleName'])
# Get the role again
role = get_role(connection, module, params['RoleName'])
if not role.get('MadeInCheckMode', False):
role = get_role(connection, module, params['RoleName'])
role['attached_policies'] = get_attached_policy_list(connection, module, params['RoleName'])
role['attached_policies'] = get_attached_policy_list(connection, module, params['RoleName'])
module.exit_json(changed=changed, iam_role=camel_dict_to_snake_dict(role), **camel_dict_to_snake_dict(role))
@ -342,7 +352,8 @@ def destroy_role(connection, module):
# Now remove the role from the instance profile(s)
for profile in instance_profiles:
try:
connection.remove_role_from_instance_profile(InstanceProfileName=profile['InstanceProfileName'], RoleName=params['RoleName'])
if not module.check_mode:
connection.remove_role_from_instance_profile(InstanceProfileName=profile['InstanceProfileName'], RoleName=params['RoleName'])
except ClientError as e:
module.fail_json(msg="Unable to remove role {0} from instance profile {1}: {2}".format(
params['RoleName'], profile['InstanceProfileName'], to_native(e)),
@ -355,7 +366,8 @@ def destroy_role(connection, module):
# Now remove any attached policies otherwise deletion fails
try:
for policy in get_attached_policy_list(connection, module, params['RoleName']):
connection.detach_role_policy(RoleName=params['RoleName'], PolicyArn=policy['PolicyArn'])
if not module.check_mode:
connection.detach_role_policy(RoleName=params['RoleName'], PolicyArn=policy['PolicyArn'])
except ClientError as e:
module.fail_json(msg="Unable to detach policy {0} from role {1}: {2}".format(policy['PolicyArn'], params['RoleName'], to_native(e)),
exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
@ -364,7 +376,8 @@ def destroy_role(connection, module):
exception=traceback.format_exc())
try:
connection.delete_role(**params)
if not module.check_mode:
connection.delete_role(**params)
except ClientError as e:
module.fail_json(msg="Unable to delete role: {0}".format(to_native(e)),
exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
@ -421,7 +434,8 @@ def main():
)
module = AnsibleModule(argument_spec=argument_spec,
required_if=[('state', 'present', ['assume_role_policy_document'])])
required_if=[('state', 'present', ['assume_role_policy_document'])],
supports_check_mode=True)
if not HAS_BOTO3:
module.fail_json(msg='boto3 required for this module')