# This file is part of Ansible
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import (absolute_import, division, print_function)
# Python 2 compatibility: make every class in this module new-style (no-op on Python 3).
__metaclass__ = type
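# Module documentation block (YAML, consumed by ansible-doc); indentation is
# significant here, which is why the nesting below is restored.
DOCUMENTATION = '''
---
module: iam_policy
version_added: 5.0.0
short_description: Manage inline IAM policies for users, groups, and roles
description:
  - Allows uploading or removing inline IAM policies for IAM users, groups or roles.
  - To administer managed policies please see M(community.aws.iam_user), M(community.aws.iam_role),
    M(community.aws.iam_group) and M(community.aws.iam_managed_policy)
  - This module was originally added to C(community.aws) in release 1.0.0.
options:
  iam_type:
    description:
      - Type of IAM resource.
    required: true
    choices: [ "user", "group", "role"]
    type: str
  iam_name:
    description:
      - Name of IAM resource you wish to target for policy actions. In other words, the user name, group name or role name.
    required: true
    type: str
  policy_name:
    description:
      - The name label for the policy to create or remove.
    required: true
    type: str
  policy_json:
    description:
      - A properly json formatted policy as string.
    type: json
  state:
    description:
      - Whether to create or delete the IAM policy.
    choices: [ "present", "absent"]
    default: present
    type: str
  skip_duplicates:
    description:
      - When I(skip_duplicates=true) the module looks for any policies that match the document you pass in.
        If there is a match it will not make a new policy object with the same rules.
    default: false
    type: bool

author:
  - "Jonathan I. Davila (@defionscode)"
  - "Dennis Podkovyrin (@sbj-ss)"
extends_documentation_fragment:
  - amazon.aws.aws
  - amazon.aws.ec2
  - amazon.aws.boto3
'''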
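# Usage examples (YAML playbook tasks); nesting restored so the block parses.
EXAMPLES = '''
# Advanced example, create two new groups and add a READ-ONLY policy to both
# groups.
- name: Create Two Groups, Mario and Luigi
  community.aws.iam_group:
    name: "{{ item }}"
    state: present
  loop:
    - Mario
    - Luigi
  register: new_groups

- name: Apply READ-ONLY policy to new groups that have been recently created
  amazon.aws.iam_policy:
    iam_type: group
    iam_name: "{{ item.iam_group.group.group_name }}"
    policy_name: "READ-ONLY"
    policy_json: "{{ lookup('template', 'readonly.json.j2') }}"
    state: present
  loop: "{{ new_groups.results }}"

# Create a new S3 policy with prefix per user
- name: Create S3 policy from template
  amazon.aws.iam_policy:
    iam_type: user
    iam_name: "{{ item.user }}"
    policy_name: "s3_limited_access_{{ item.prefix }}"
    state: present
    policy_json: "{{ lookup('template', 's3_policy.json.j2') }}"
  loop:
    - user: s3_user
      prefix: s3_user_prefix
'''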
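# Return-value documentation (YAML); nesting restored so the block parses.
RETURN = '''
policy_names:
    description: A list of names of the inline policies embedded in the specified IAM resource (user, group, or role).
    returned: always
    type: list
    elements: str
'''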
import json
try:
from botocore.exceptions import BotoCoreError, ClientError
except ImportError:
pass
from ansible.module_utils.six import string_types
from ansible_collections.amazon.aws.plugins.module_utils.core import AnsibleAWSModule
from ansible_collections.amazon.aws.plugins.module_utils.ec2 import AWSRetry
from ansible_collections.amazon.aws.plugins.module_utils.ec2 import compare_policies
from ansible_collections.amazon.aws.plugins.module_utils.botocore import is_boto3_error_code
class PolicyError(Exception):
    """Raised when the supplied policy document cannot be decoded as JSON."""
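class Policy:
    """Desired-state logic for one inline IAM policy on a user, group or role.

    Subclasses provide the resource-specific boto3 calls (``_list``, ``_get``,
    ``_put``, ``_delete``) and the ``_iam_type`` label. This class owns the
    ``changed`` flag and the before/after snapshots reported as ``diff``.
    """

    def __init__(self, client, name, policy_name, policy_json, skip_duplicates, state, check_mode):
        """Record the request and snapshot the inline policies that exist now.

        :param client: boto3 IAM client (main() wraps it with AWSRetry).
        :param name: name of the target user, group or role.
        :param policy_name: name of the inline policy to create or remove.
        :param policy_json: desired policy document, either a JSON string or an
            already-decoded mapping; None is acceptable when ``state`` is 'absent'.
        :param skip_duplicates: when true, do not upload a document that already
            matches an existing inline policy, whatever that policy is named.
        :param state: 'present' or 'absent'.
        :param check_mode: when true, report what would change without calling
            any mutating IAM API.
        """
        self.client = client
        self.name = name
        self.policy_name = policy_name
        self.policy_json = policy_json
        self.skip_duplicates = skip_duplicates
        self.state = state
        self.check_mode = check_mode
        self.changed = False
        # Snapshot taken up front: it is both the comparison baseline for
        # create() and the 'before' side of the diff returned by run().
        self.original_policies = self.get_all_policies().copy()
        self.updated_policies = {}

    @staticmethod
    def _iam_type():
        """Resource label ('user', 'group' or 'role'); overridden by subclasses."""
        return ''

    def _list(self, name):
        """List inline policy names for *name*; overridden by subclasses."""
        return {}

    def list(self):
        """Return the names of the inline policies on the target resource.

        An AccessDenied response is reported as an empty list rather than an
        error, so a principal without list permission sees no policies.
        """
        try:
            return self._list(self.name).get('PolicyNames', [])
        except is_boto3_error_code('AccessDenied'):
            return []

    def _get(self, name, policy_name):
        """Fetch one inline policy of *name*; overridden by subclasses."""
        return '{}'

    def get(self, policy_name):
        """Return the document of inline policy *policy_name*.

        AccessDenied yields an empty mapping, which means create() will see a
        policy it could not read as differing from the requested document.
        """
        try:
            return self._get(self.name, policy_name)['PolicyDocument']
        except is_boto3_error_code('AccessDenied'):
            return {}

    def _put(self, name, policy_name, policy_doc):
        """Upload an inline policy document; overridden by subclasses."""
        pass

    def put(self, policy_doc):
        """Upload *policy_doc* under ``self.policy_name`` and mark the run as changed.

        In check mode the change is recorded but no API call is made. The
        document is serialised with ``sort_keys=True`` so the uploaded text is
        deterministic for a given mapping.
        """
        self.changed = True
        if self.check_mode:
            return
        self._put(self.name, self.policy_name, json.dumps(policy_doc, sort_keys=True))

    def _delete(self, name, policy_name):
        """Remove an inline policy; overridden by subclasses."""
        pass

    def delete(self):
        """Remove the inline policy if it exists; otherwise report no change."""
        self.updated_policies = self.original_policies.copy()
        if self.policy_name not in self.list():
            self.changed = False
            return
        self.changed = True
        self.updated_policies.pop(self.policy_name, None)
        if self.check_mode:
            return
        self._delete(self.name, self.policy_name)

    def get_policy_text(self):
        """Return the desired policy document as a mapping, or None if none was given.

        :raises PolicyError: when ``policy_json`` is a string that is not valid JSON.
        """
        if self.policy_json is None:
            return None
        try:
            return self.get_policy_from_json()
        except ValueError as e:
            # json.JSONDecodeError is a ValueError subclass; catching the base
            # class also covers interpreters that do not define the subclass.
            raise PolicyError('Failed to decode the policy as valid JSON: %s' % str(e))

    def get_policy_from_json(self):
        """Decode ``policy_json`` when it is a string; pass a mapping through as is."""
        if isinstance(self.policy_json, string_types):
            return json.loads(self.policy_json)
        return self.policy_json

    def get_all_policies(self):
        """Return a mapping of inline policy name -> document for the target resource."""
        return dict((pol, self.get(pol)) for pol in self.list())

    def create(self):
        """Ensure the requested inline policy is present.

        The requested document is compared against the snapshot taken in
        ``__init__``; no second listing call is made, which also avoids a
        KeyError if the set of policies changed between the snapshot and now.
        Nothing is uploaded when the policy named ``policy_name`` already has
        the same content, or when ``skip_duplicates`` is set and any existing
        policy has it. Otherwise the document is written under ``policy_name``,
        replacing whatever document that name currently holds.
        """
        policy_doc = self.get_policy_text()
        self.updated_policies = self.original_policies.copy()
        # compare_policies() is falsy when the two documents are equivalent.
        matching_policies = [
            pol for pol, existing in self.original_policies.items()
            if not compare_policies(existing, policy_doc)
        ]
        if self.policy_name in matching_policies:
            return
        if self.skip_duplicates and matching_policies:
            return
        self.put(policy_doc)
        self.updated_policies[self.policy_name] = policy_doc

    def run(self):
        """Apply the requested state and return the module result mapping.

        The result carries ``changed``, ``<iam_type>_name``, the policy names
        under both the deprecated ``policies`` key and ``policy_names``, and a
        before/after ``diff`` of the inline policies.
        """
        if self.state == 'present':
            self.create()
        elif self.state == 'absent':
            self.delete()
        # One listing call serves both return keys.
        policy_names = self.list()
        return {
            'changed': self.changed,
            self._iam_type() + '_name': self.name,
            'policies': policy_names,
            'policy_names': policy_names,
            'diff': dict(
                before=self.original_policies,
                after=self.updated_policies,
            ),
        }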
class UserPolicy(Policy):
    """Inline-policy operations scoped to an IAM user (``UserName``-keyed calls)."""

    @staticmethod
    def _iam_type():
        return 'user'

    def _list(self, name):
        """List the inline policy names attached to user *name*."""
        params = {'UserName': name}
        return self.client.list_user_policies(aws_retry=True, **params)

    def _get(self, name, policy_name):
        """Fetch inline policy *policy_name* of user *name*."""
        params = {'UserName': name, 'PolicyName': policy_name}
        return self.client.get_user_policy(aws_retry=True, **params)

    def _put(self, name, policy_name, policy_doc):
        """Create or replace inline policy *policy_name* on user *name* with JSON text *policy_doc*."""
        params = {'UserName': name, 'PolicyName': policy_name, 'PolicyDocument': policy_doc}
        return self.client.put_user_policy(aws_retry=True, **params)

    def _delete(self, name, policy_name):
        """Delete inline policy *policy_name* from user *name*."""
        params = {'UserName': name, 'PolicyName': policy_name}
        return self.client.delete_user_policy(aws_retry=True, **params)
class RolePolicy(Policy):
    """Inline-policy operations scoped to an IAM role (``RoleName``-keyed calls)."""

    @staticmethod
    def _iam_type():
        return 'role'

    def _list(self, name):
        """List the inline policy names attached to role *name*."""
        params = {'RoleName': name}
        return self.client.list_role_policies(aws_retry=True, **params)

    def _get(self, name, policy_name):
        """Fetch inline policy *policy_name* of role *name*."""
        params = {'RoleName': name, 'PolicyName': policy_name}
        return self.client.get_role_policy(aws_retry=True, **params)

    def _put(self, name, policy_name, policy_doc):
        """Create or replace inline policy *policy_name* on role *name* with JSON text *policy_doc*."""
        params = {'RoleName': name, 'PolicyName': policy_name, 'PolicyDocument': policy_doc}
        return self.client.put_role_policy(aws_retry=True, **params)

    def _delete(self, name, policy_name):
        """Delete inline policy *policy_name* from role *name*."""
        params = {'RoleName': name, 'PolicyName': policy_name}
        return self.client.delete_role_policy(aws_retry=True, **params)
class GroupPolicy(Policy):
    """Inline-policy operations scoped to an IAM group (``GroupName``-keyed calls)."""

    @staticmethod
    def _iam_type():
        return 'group'

    def _list(self, name):
        """List the inline policy names attached to group *name*."""
        params = {'GroupName': name}
        return self.client.list_group_policies(aws_retry=True, **params)

    def _get(self, name, policy_name):
        """Fetch inline policy *policy_name* of group *name*."""
        params = {'GroupName': name, 'PolicyName': policy_name}
        return self.client.get_group_policy(aws_retry=True, **params)

    def _put(self, name, policy_name, policy_doc):
        """Create or replace inline policy *policy_name* on group *name* with JSON text *policy_doc*."""
        params = {'GroupName': name, 'PolicyName': policy_name, 'PolicyDocument': policy_doc}
        return self.client.put_group_policy(aws_retry=True, **params)

    def _delete(self, name, policy_name):
        """Delete inline policy *policy_name* from group *name*."""
        params = {'GroupName': name, 'PolicyName': policy_name}
        return self.client.delete_group_policy(aws_retry=True, **params)
def main():
    """Module entry point: validate arguments, run the handler for the IAM type, exit.

    AWS API failures are reported through ``fail_json_aws``; a policy document
    that cannot be decoded surfaces as ``PolicyError`` and is reported as a
    plain failure message.
    """
    argument_spec = dict(
        iam_type=dict(required=True, choices=['user', 'group', 'role']),
        state=dict(default='present', choices=['present', 'absent']),
        iam_name=dict(required=True),
        policy_name=dict(required=True),
        policy_json=dict(type='json', default=None, required=False),
        skip_duplicates=dict(type='bool', default=False, required=False),
    )
    # A policy document is only mandatory when creating (state=present).
    required_if = [('state', 'present', ('policy_json',), True)]
    module = AnsibleAWSModule(
        argument_spec=argument_spec,
        required_if=required_if,
        supports_check_mode=True,
    )

    params = module.params
    handler_args = dict(
        client=module.client('iam', retry_decorator=AWSRetry.jittered_backoff()),
        name=params.get('iam_name'),
        policy_name=params.get('policy_name'),
        policy_json=params.get('policy_json'),
        skip_duplicates=params.get('skip_duplicates'),
        state=params.get('state'),
        check_mode=module.check_mode,
    )
    iam_type = params.get('iam_type')

    try:
        if iam_type == 'user':
            policy = UserPolicy(**handler_args)
        elif iam_type == 'role':
            policy = RolePolicy(**handler_args)
        elif iam_type == 'group':
            policy = GroupPolicy(**handler_args)
        module.deprecate(
            "The 'policies' return key is deprecated and will be replaced by 'policy_names'. Both values are returned for now.",
            date='2024-08-01',
            collection_name='amazon.aws',
        )
        module.exit_json(**(policy.run()))
    except (BotoCoreError, ClientError) as e:
        module.fail_json_aws(e)
    except PolicyError as e:
        module.fail_json(msg=str(e))


if __name__ == '__main__':
    main()