Vh0dZdZdZddlZ ddlmZddlmZddlm Z ddl m Z dd l m Z dd lmZdd lmZGd d eZGddZGddeZGddeZGddeZdZedk(reyy#e$rYlwxYw)aU --- module: iam_policy version_added: 5.0.0 short_description: Manage inline IAM policies for users, groups, and roles description: - Allows uploading or removing inline IAM policies for IAM users, groups or roles. - To administer managed policies please see M(community.aws.iam_user), M(community.aws.iam_role), M(amazon.aws.iam_group) and M(community.aws.iam_managed_policy). - This module was originally added to C(community.aws) in release 1.0.0. options: iam_type: description: - Type of IAM resource. required: true choices: [ "user", "group", "role"] type: str iam_name: description: - Name of IAM resource you wish to target for policy actions. In other words, the user name, group name or role name. required: true type: str policy_name: description: - The name label for the policy to create or remove. required: true type: str policy_json: description: - A properly json formatted policy as string. type: json state: description: - Whether to create or delete the IAM policy. choices: [ "present", "absent"] default: present type: str skip_duplicates: description: - When O(skip_duplicates=true) the module looks for any policies that match the document you pass in. If there is a match it will not make a new policy object with the same rules. default: false type: bool author: - "Jonathan I. Davila (@defionscode)" - "Dennis Podkovyrin (@sbj-ss)" extends_documentation_fragment: - amazon.aws.common.modules - amazon.aws.region.modules - amazon.aws.boto3 a # Advanced example, create two new groups and add a READ-ONLY policy to both # groups. - name: Create Two Groups, Mario and Luigi amazon.aws.iam_group: name: "{{ item }}" state: present loop: - Mario - Luigi register: new_groups - name: Apply READ-ONLY policy to new groups that have been recently created amazon.aws.iam_policy: iam_type: group iam_name: "{{ item.iam_group.group.group_name }}" policy_name: "READ-ONLY" policy_json: "{{ lookup('template', 'readonly.json.j2') }}" state: present loop: "{{ new_groups.results }}" # Create a new S3 policy with prefix per user - name: Create S3 policy from template amazon.aws.iam_policy: iam_type: user iam_name: "{{ item.user }}" policy_name: "s3_limited_access_{{ item.prefix }}" state: present policy_json: "{{ lookup('template', 's3_policy.json.j2') }}" loop: - user: s3_user prefix: s3_user_prefix a user_name: description: Name of IAM user. returned: When I(iam_type=user) type: str sample: "ExampleUser001" group_name: description: Name of IAM group. returned: When I(iam_type=group) type: str sample: "ExampleGroup001" role_name: description: Name of IAM role. returned: When I(iam_type=role) type: str sample: "ExampleRole001" policy_names: description: A list of names of the inline policies embedded in the specified IAM resource (user, group, or role). returned: always type: list elements: str sample: ["READ-ONLY"] diff: description: A dict representing difference between policies applied on IAM resource (user, group, or role). returned: always type: dict contains: before: description: The policy that exists on IAM resource before new policy is applied. returned: always type: dict sample: { "READ-ONLY": { "Statement": [ { "Action": "ec2:DescribeAccountAttributes", "Effect": "Deny", "Resource": "*", "Sid": "VisualEditor0" } ], "Version": "2012-10-17" } } after: description: The current policy on IAM resource after new policy is applied. returned: always type: dict sample: { "READ-ONLY": { "Statement": [ { "Action": "ec2:DescribeAccountAttributes", "Effect": "Allow", "Resource": "*", "Sid": "VisualEditor0" } ], "Version": "2012-10-17" } } N) BotoCoreError) ClientError) string_types)is_boto3_error_code)AnsibleAWSModule)compare_policies)AWSRetryc eZdZy) PolicyErrorN)__name__ __module__ __qualname__i/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/amazon/aws/plugins/modules/iam_policy.pyr r srr cpeZdZdZedZdZdZdZdZ dZ dZ d Z d Z d Zd Zd ZdZdZy)Policyc||_||_||_||_||_||_||_d|_|jj|_ i|_ y)NF) clientname policy_name policy_jsonskip_duplicatesstate check_modechangedget_all_policiescopyoriginal_policiesupdated_policies)selfrrrrrrrs r__init__zPolicy.__init__s_  &&. $ !%!6!6!8!=!=!? "rcy)Nrrrr _iam_typezPolicy._iam_typesrciSNrr!rs r_listz Policy._lists rc |j|jjdgS#td$rgcYSwxYw)N PolicyNames AccessDenied)r)rgetrr!s rlistz Policy.lists@ ::dii(,,]B? ?">2 I s*-AAcy)Nz{}rr!rrs r_getz Policy._getsrcn |j|j|dS#td$ricYSwxYw)NPolicyDocumentr,)r2rr)r!rs rr-z Policy.gets; 99TYY 45EF F">2 I s !44cyr'rr!rr policy_docs r_putz Policy._put rcd|_|jry|j|j|jt j |dy)NT) sort_keys)rrr8rrjsondumps)r!r7s rputz Policy.puts9 ??  $))T--tzz*PT/UVrcyr'rr1s r_deletezPolicy._deleter9rcJ|jj|_|j|j vrd|_yd|_|jj |jd|jry|j|j|jyNFT) rrr rr/rpoprr@rr.s rdeletez Policy.deletes| $ 6 6 ; ; =   499; . DL   !!$"2"2D9 ??  TYY 0 01rc |j|jS y#tj$r}t dt |d}~wwxYw)Nz+Failed to decode the policy as valid JSON: )rget_policy_from_jsonr<JSONDecodeErrorr str)r!es rget_policy_textzPolicy.get_policy_texts_ V+0022,## V KCPQF8TU U Vs AA  Act|jtr!tj|j}|S|j}|Sr') isinstancerrr<loads)r!pdocs rrFzPolicy.get_policy_from_jsons? d&& 5::d../D ##D rc\i}|jD]}|j|||<|Sr')r/r-)r!policiespols rrzPolicy.get_all_policiess299; *C HHSMHSM *rc~g}|j}d}|jD]/}t|j||r|j |d}1|jj |_|j|vry|jr|ry|j|||j |j<yrB) rJr/rrappendrr rrr>)r!matching_policiesr7 policy_matchrQs rcreatez Policy.creates))+  99; $C#D$:$:3$?L!((-#  $ !% 6 6 ; ; =   0 0    L  2<d../rc 8|jdk(r|jn|jdk(r|jd|j|j dz|j d|j dt|j|jiS)Npresentabsentr_name policy_namesdiff)beforeafter) rrVrDrr%rr/dictrr r.s rrunz Policy.runs{ :: " KKM ZZ8 # KKM t|| NN w & DIIK D--++   rN)r r rr" staticmethodr%r)r/r2r-r8r>r@rDrJrFrrVr`rrrrrs] #   W  2 =&  rrc4eZdZedZdZdZdZdZy) UserPolicycy)Nuserrrrrr%zUserPolicy._iam_type+rc<|jjd|S)NT) aws_retryUserName)rlist_user_policiesr(s rr)zUserPolicy._list/{{--t-LLrc>|jjd||SNT)rhri PolicyName)rget_user_policyr1s rr2zUserPolicy._get2{{**TDU`*aarc@|jjd|||S)NT)rhrirnr4)rput_user_policyr6s rr8zUserPolicy._put5({{**TkR\+  rc>|jjd||Srm)rdelete_user_policyr1s rr@zUserPolicy._delete:{{--tXc-ddrN r r rrar%r)r2r8r@rrrrcrc*+Mb errcc4eZdZedZdZdZdZdZy) RolePolicycy)Nrolerrrrr%zRolePolicy._iam_type?rfrc<|jjd|S)NT)rhRoleName)rlist_role_policiesr(s rr)zRolePolicy._listCrkrc>|jjd||SNT)rhr~rn)rget_role_policyr1s rr2zRolePolicy._getFrprc@|jjd|||S)NT)rhr~rnr4)rput_role_policyr6s rr8zRolePolicy._putIrsrc>|jjd||Sr)rdelete_role_policyr1s rr@zRolePolicy._deleteNrvrNrwrrrrzrz>rxrrzc4eZdZedZdZdZdZdZy) GroupPolicycy)Ngrouprrrrr%zGroupPolicy._iam_typeSsrc<|jjd|S)NT)rh GroupName)rlist_group_policiesr(s rr)zGroupPolicy._listWs{{...NNrc>|jjd||SNT)rhrrn)rget_group_policyr1s rr2zGroupPolicy._getZs{{++ddWb+ccrc@|jjd|||S)NT)rhrrnr4)rput_group_policyr6s rr8zGroupPolicy._put]s({{++d{S],  rc>|jjd||Sr)rdelete_group_policyr1s rr@zGroupPolicy._deletebs{{..Ze.ffrNrwrrrrrRs+Od grrc ttdgdtdddgtdtdtddd td d d  }d g}t||d}t|jdtj|j j d|j j d|j j d|j j d|j j d|j}|j j d} |dk(r tdi|}n!|dk(r tdi|}n|dk(r tdi|}|jdijy#ttf$r}|j|Yd}~yd}~wt $r%}|j#t%|Yd}~yd}~wwxYw)NT)rerr|)requiredchoicesrXrY)defaultr)rr<F)typerrbool)iam_typeriam_namerrr)rrX)rT) argument_spec required_ifsupports_check_modeiam)retry_decoratorrrrrr)rrrrrrrrrer|r)msgr)r_rrr jittered_backoffparamsr-rrcrzr exit_jsonr`rr fail_json_awsr fail_jsonrH)rrmoduleargsrpolicyrIs rmainrfst-FG9y(.CDt$$'fdUC&%%H M 5KM{hl mF }}UH4M4M4O}P ]]  z *MM%%m4MM%%m4 ))*;<mm($$ D}}  ,H % v '$'F  '$'F   (4(F*FJJL* ; ' Q %SV$$%s%AFG*#F99 G*G%%G*__main__) DOCUMENTATIONEXAMPLESRETURNr<botocore.exceptionsrr ImportErroransible.module_utils.sixrrs3 j D= ~  1/2\XWP ) v v ree(ee(g&g(&%R zF[  s A==BB