VhF ddlZ ddlZddlmZddlmZddlmZddlmZddl m Z ddl m Z dd l mZdd lmZdd lmZdd lmZdd lmZddlmZddlmZddlmZGdde ZGdde Zej5dej6dZej5dej6dZej5dej6dZej6dZej6dZ ej6dZ!ejEdgej6dZ#ejEd gej6d!Z$ejEd"gej6dnd#Z%ejMd$ej6d%Z'e'Z(ejEd&gej6d'Z)ejEd(gej6dnd)Z*ejEd*gej6dnd+Z+ejEd,ej6d-Z,ejEd.ej6d/Z-ejEd0gej6d1Z.ejEd2ej6dod3Z/ejEd4ej6d5Z0d6Z1d7Z2ejMd8ej6d9Z3ejMd:ej6d;Z4ejMd<ej6d=Z5d>Z6d?Z7d@Z8ejMdAej6dBZ9ej5dCej6dDZ:ejMdEej6dFZ;ej5dGej6dHZejMdMej6dNZ?ejMdOej6dPZ@ejMdQej6dRZAdndSZBdndTZCdqdUZDdVedWefdXZEdYedWefdZZFd[edWefd\ZGd]edWefd^ZHd_edWefd`ZIdaedWefdbZJdcedWefddZKdeedWefdfZLdrdgedheMdWefdiZNdjedWefdkZOdledWefdmZPy#e$rYwxYw)sN) to_native) parse_aws_arnvalidate_aws_arnis_boto3_error_code)AWSErrorHandler)AnsibleAWSError)AWSRetry)ansible_dict_to_boto3_tag_list)AnsibleAWSResource)AnsibleAWSResourceList) BotoResource)BotoResourceList#boto3_resource_list_to_ansible_dictboto3_resource_to_ansible_dictc eZdZy)AnsibleIAMErrorN)__name__ __module__ __qualname__g/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/amazon/aws/plugins/module_utils/iam.pyrrsrrc eZdZeZedZy)IAMErrorHandlerctdS)N NoSuchEntityr)clss r _is_missingzIAMErrorHandler._is_missing%s ">22rN)rrrr_CUSTOM_EXCEPTION classmethodr#rrrrr"s'33rrzdetach group policyc*|j||y)N) PolicyArn GroupNameT)detach_group_policy)clientarngroups rdetach_iam_group_policyr-*s > rzdetach role policyc*|j||y)N)r'RoleNameT)detach_role_policy)r*r+roles rdetach_iam_role_policyr21 d; rzdetach user policyc*|j||y)N)r'UserNameT)detach_user_policy)r*r+users rdetach_iam_user_policyr88r3rc ,|jdi|dS)NInstanceProfiler)get_instance_profile)r*kwargss r_get_iam_instance_profilesr=?s &6 & & 0 01B CCrc j|jd}|jdi|jdS)Nlist_instance_profilesInstanceProfilesr get_paginatorpaginatebuild_full_resultr*r< paginators r_list_iam_instance_profilesrGDs8$$%=>I 9   ' ' 9 9 ; > @@rz list rolesc|i}|r||d<|jd}|jdi|jdS)NrW list_rolesRolesrrArZs rlist_iam_rolesriysJ D !\$$\2I 9   % % 7 7 9' BBrzlist mfa devicesc|i}|r||d<|jd}|jdi|jdS)Nr5list_mfa_devices MFADevicesrrA)r*r7r\rFs rlist_iam_mfa_devicesrmsK D Z$$%78I 9   % % 7 7 9, GGrzget rolec,|j|dS)NrMRole)get_roler*names r get_iam_rolerss ??D? )& 11rz get groupcd|jd}|j|jS)N get_group)r(rA)r*rrrFs r get_iam_grouprvs1$$[1I     - ? ? AArzget access keys for userc\|j|}t|jdgS)Nr5AccessKeyMetadata)list_access_keysnormalize_iam_access_keysgetr*r7resultss rget_iam_access_keysrs.%%t%4G $W[[1Db%I JJrzget userc|j|}|rt|jdgS|jdgS)NrxUser)get_usernormalize_iam_userr|)r*r7 normalizer~s r get_iam_userrs>ooto,G!'++fb"9:: ;;vr ""rz get user tagscJ|j|}|jdgS)NrxTags)list_user_tagsr|r}s rlist_iam_user_tagsrs(##T#2G ;;vr ""rc@t|}|D]}|d|k(s |cSy)N PolicyName)ra)r*rrpoliciespolicys rfind_iam_managed_policy_by_namers2(0H , 4 'M rc>t||}|yt||dS)NArn)rget_iam_managed_policy_by_arn)r*rrrs rget_iam_managed_policy_by_namers' ,VT :F ~ ( ??rz get policyc0|j|d}|S)NrdPolicy) get_policy)r*r+rs rrrs!    -h 7F Mrzlist policy versionsc,|j|dS)NrdVersions)list_policy_versions)r*r+s r list_iam_managed_policy_versionsrs  & & & 5j AArzget policy versionc.|j||dS)N)r' VersionId PolicyVersion)get_policy_version)r*r+versions rget_iam_managed_policy_versionrs  $ $sg $ F WWrc td|Dr|Si}t|}|D]}|d||d<|d||d< |Dcgc] }||| c}Scc}w#t$r}tdt |z||d}~wwxYw)Nc3<K|]}|t|dyw)Niam)servicer).0rs r z7convert_managed_policy_names_to_arns..s! dvQWQc FE 2 2 dsrrzFailed to find policy by name:)message exception)allraKeyErrorrstr)r* policy_names allpoliciesrres r$convert_managed_policy_names_to_arnsrs d ddK(0H3,25M F<()%+E] F5M"3e2>U&BT F#UUU e&FQ&O[\]cddes0AA AAA B$A>>Bct|dS)zAGiven an AnsibleAWSModule instance, get the active AWS account IDr)get_aws_account_info)modules rget_aws_account_idrs  ' **rc2d}d} |jdtj}|jd}|j d}|j dj dd }|||j#dt|t|fS#t jjt jjf$rA |jd tj}|jdd dj d\}}}}}} n#td $r} t| j} n#t$rt| } YnwxYwt| } | | d d k7r|j!| d| j d}| j d}Yd} ~ nZd} ~ wt jjt jjf$r} |j!| dYd} ~ nd} ~ wwxYwYwxYw)aGiven an AnsibleAWSModule instance, return the account information (account id and partition) we are currently working on get_account_info tries too find out the account that we are working on. It's not guaranteed that this will be easy so we try in several different ways. Giving either IAM or STS privileges to the account should be enough to permit this. Tries: - sts:GetCallerIdentity - iam:GetUser - sts:DecodeAuthorizationMessage Nsts)retry_decoratorT) aws_retryAccountr:rrr AccessDeniedrzeFailed to get AWS account information, Try allowing sts:GetCallerIdentity or iam:GetUser permissions.)msg account_id partition)r*r jittered_backoffget_caller_identityr|splitbotocore exceptions BotoCoreError ClientErrorrr rrAttributeErrorr fail_json_aws fail_json) rrr sts_client caller_id iam_client_arn_service_reg _resourcer except_msgresults rrrsJI]]5(:S:S:U]V 22T2B ]]9- MM%(..s3A6 :Y.w   j !9Y#7 88C    - -x/B/B/N/N O uh>W>W>YZJEOEXEXcgEXEhioEpFeCj CD)XtZ#>2 0 *&qyy1 ! *&q\  *":.F~ !2e!;$$% L1J ;/I    - -    + +    { !    'snA+B8HAD*)H*H9EF8E&#F8%E&&A F83H8:H2H H HHHzcreate instance profilec^t|xsi}|xsd}|j|||}|dS)N/)InstanceProfileNamePathrr:)r create_instance_profile)r*rrr[tags boto3_tagsrs rcreate_iam_instance_profiler"s?0 ;J ;3D  + +4V` + aF # $$rzdelete instance profilec(|j|y)NrT)delete_instance_profilerqs rdelete_iam_instance_profiler+s ""t"< rzadd role to instance profilec*|j||yN)rr/T)add_role_to_instance_profiler* profile_namerPs r add_role_to_iam_instance_profiler3s ''LS\'] rz!remove role from instance profilec*|j||yr)!remove_role_from_instance_profilers r%remove_role_from_iam_instance_profiler:s ,,Xa,b rzlist instance profilesct|r t||S|rt||gS|r t||St|S)z Returns a list of IAM instance profiles in boto3 format. Profiles need to be converted to Ansible format using normalize_iam_instance_profile before being displayed. See also: normalize_iam_instance_profile rMr)rW)rJr=rG)r*rrprefixr1s rlist_iam_instance_profilesrBsB 3FTJJ *6tLMM *6fEE &v ..rztag instance profilecN|syt|xsi}|j||y)N)rr)r tag_instance_profile)r*rrrrs rtag_iam_instance_profilerTs+ / ;J DzJrzuntag instance profilec0|sy|j||y)N)rTagKeys)untag_instance_profile)r*rrrs runtag_iam_instance_profiler]s  !!dD!Irztag managed policycN|syt|xsi}|j||y)N)r'r)r tag_policy)r*r+rrs rtag_iam_policyres+ / ;J *5rzuntag managed policyc0|sy|j||y)N)r'r) untag_policy)r*r+rs runtag_iam_policyrns  #t4rc|yddd}d}|j|d}t||kDrd|d|Stj||s|d|Sy)N@)r1r7z [\w+=,.@-]+ Length of z name may not exceed z name must match pattern )r|lenre fullmatch) resource_typerrLENGTHSregex max_lengths r_validate_iam_namervsl |2&G E]C0J 4y:M?*? |LL <<t $ 9%AA rc|yd}d}t||kDrd|d|S|jdr|jds|dStj||s|d|Sy)Nz\/([\w+=,.@-]+\/)*irz path may not exceed rz path must begin and end with /z path must match pattern )rendswith startswithrr)rr[rrs r_validate_iam_pathrs| | !EJ 4y:M?*? |LL == T__S%9 ?@@ <<t $ 9%AA rcDt||}|r|St||}|r|SyN)rr)rrrr[ name_problem path_problems rvalidate_iam_identifiersr s/%mT:L%mT:L rdevicereturnct|S)zXConverts IAM MFA Device from the CamelCase boto3 format to the snake_case Ansible formatr)r s rnormalize_iam_mfa_devicer s *& 11rdevicesct|S)zcConverts a list of IAM MFA Devices from the CamelCase boto3 format to the snake_case Ansible formatr)rs rnormalize_iam_mfa_devicesrs /w 77rr7ct|S)zSConverts IAM users from the CamelCase boto3 format to the snake_case Ansible formatr)r7s rrrs )$ //rrct|S)zVConverts IAM policies from the CamelCase boto3 format to the snake_case Ansible formatr)rs rnormalize_iam_policyrs )& 11rr,ct|dS)zTConverts IAM Groups from the CamelCase boto3 format to the snake_case Ansible formatF force_tagsr)r,s rnormalize_iam_grouprs *%E BBr access_keyct|dS)zYConverts IAM access keys from the CamelCase boto3 format to the snake_case Ansible formatFrr)rs rnormalize_iam_access_keyrs ** GGr access_keysc@|s|St|d}t|dS)zcConverts a list of IAM access keys from the CamelCase boto3 format to the snake_case Ansible formatFrc&|jddS)N create_date)r|)ds rz+normalize_iam_access_keys..sQUU=$-Gr)key)rsorted)rs rr{r{s' 5keTK +#G HHrprofilec0dti}t||}|S)zL Converts a boto3 format IAM instance profile into "Ansible" format rh)nested_transforms)_normalize_iam_rolesr)r# transformstransformed_profiles rnormalize_iam_instance_profiler)s#/0J8T^_ rr1 _v7_compatcndti}dg}t|||}|r|jdr|d|d<|S)z Converts a boto3 format IAM instance role into "Ansible" format _v7_compat is deprecated and will be removed in release after 2026-05-01 DO NOT USE. r@AssumeRolePolicyDocument)r% ignore_listassume_role_policy_document_raw) _normalize_iam_instance_profilesrr|)r1r*r'r-transformed_roles rnormalize_iam_roler1sN %&FGJ-.K5djfqrdhh9:>BC]>^:; rprofilescF|s|S|Dcgc] }t|c}Scc}wr)r))r2ps rr/r/s$ 7? @! *1 - @@ @rolescF|s|S|Dcgc] }t|c}Scc}wr)r1)r6rs rr&r&s$  +0 1a q ! 11 1r5r)T)NNN)NN)F)Qrr ImportErroransible.module_utils._textrr+rrr errorsr rr retriesr taggingr transformationrrrrrrrrdeletion_error_handlerrr-r2r8r=rGrJlist_error_handlerrQrUr]common_error_handlerralist_managed_policiesrerirmrsrvrrrrrrrrrrrrrrrrrrrrrrr r rrrrrr{r)boolr1r/r&rrrrDsp   1!)#'3.2(,?: o 3o3''(=>? ''(<=> ''(<=> DDPP PP ##$CADA ##L"5C6C##$6;H<H##J/202##K0B1B ##$>CKDK ##J/#0###O4#5# @%%l34 %%&<=B>B%%&:;X<X e+ 69r%%&?@%A%''(ABC %%&DEF ''(KLM ##$K%%&>?J@J %%&:;6<6%%&<=5>5  2\26H2 8'78