From bac5820f174a24761c04ad92a82223c1301db46d Mon Sep 17 00:00:00 2001 From: Mandar Kulkarni Date: Wed, 20 Sep 2023 09:25:09 -0700 Subject: [PATCH] Promote iam_group module (#1945) Promote iam_group module SUMMARY Remove iam_group modules and tests These modules have been migrated to amazon.aws Update runtime.yml with redirects to that collection Update ignore files related to ansible-collections/amazon.aws#1755 ISSUE TYPE Bugfix Pull Request Docs Pull Request Feature Pull Request New Module Pull Request COMPONENT NAME ADDITIONAL INFORMATION Reviewed-by: Mark Chappell Reviewed-by: Helen Bailey Reviewed-by: Bikouo Aubin Reviewed-by: Alina Buzachis --- changelogs/fragments/migrate_iam_group.yml | 4 + meta/runtime.yml | 21 +- plugins/modules/iam_group.py | 413 ------------------ tests/integration/targets/iam_group/aliases | 7 - .../targets/iam_group/defaults/main.yml | 3 - .../targets/iam_group/meta/main.yml | 1 - .../targets/iam_group/tasks/main.yml | 127 ------ 7 files changed, 15 insertions(+), 561 deletions(-) create mode 100644 changelogs/fragments/migrate_iam_group.yml delete mode 100644 plugins/modules/iam_group.py delete mode 100644 tests/integration/targets/iam_group/aliases delete mode 100644 tests/integration/targets/iam_group/defaults/main.yml delete mode 100644 tests/integration/targets/iam_group/meta/main.yml delete mode 100644 tests/integration/targets/iam_group/tasks/main.yml diff --git a/changelogs/fragments/migrate_iam_group.yml b/changelogs/fragments/migrate_iam_group.yml new file mode 100644 index 00000000000..23aa0386250 --- /dev/null +++ b/changelogs/fragments/migrate_iam_group.yml @@ -0,0 +1,4 @@ +breaking_changes: +- iam_group - The module has been migrated from the ``community.aws`` collection. + Playbooks using the Fully Qualified Collection Name for this module should be updated + to use ``amazon.aws.iam_group`` (https://github.com/ansible-collections/community.aws/pull/1945). diff --git a/meta/runtime.yml b/meta/runtime.yml index eea2a4fada8..6bf6e14094c 100644 --- a/meta/runtime.yml +++ b/meta/runtime.yml @@ -10,11 +10,11 @@ action_groups: - api_gateway_info - application_autoscaling_policy - autoscaling_complete_lifecycle_action - - autoscaling_instance_refresh_info - autoscaling_instance_refresh + - autoscaling_instance_refresh_info + - autoscaling_launch_config - autoscaling_launch_config_find - autoscaling_launch_config_info - - autoscaling_launch_config - autoscaling_lifecycle_hook - autoscaling_policy - autoscaling_scheduled_action @@ -94,10 +94,10 @@ action_groups: - ec2_ami_copy - ec2_asg - ec2_asg_info - - ec2_asg_scheduled_action - ec2_asg_instance_refresh - ec2_asg_instance_refresh_info - ec2_asg_lifecycle_hook + - ec2_asg_scheduled_action - ec2_customer_gateway - ec2_customer_gateway_info - ec2_elb @@ -135,16 +135,16 @@ action_groups: - ecs_taskdefinition_info - efs - efs_info - - eks_cluster - efs_tag + - eks_cluster - eks_fargate_profile - eks_nodegroup - - elasticbeanstalk_app - elasticache - elasticache_info - elasticache_parameter_group - elasticache_snapshot - elasticache_subnet_group + - elasticbeanstalk_app - elb_classic_lb - elb_classic_lb_info - elb_instance @@ -158,7 +158,6 @@ action_groups: - glue_job - iam_access_key - iam_access_key_info - - iam_group - iam_managed_policy - iam_mfa_device_info - iam_password_policy @@ -172,13 +171,13 @@ action_groups: - lightsail - lightsail_snapshot - lightsail_static_ip - - msk_cluster - - msk_config - mq_broker - mq_broker_config - mq_broker_info - mq_user - mq_user_info + - msk_cluster + - msk_config - networkfirewall - networkfirewall_info - networkfirewall_policy @@ -192,8 +191,8 @@ action_groups: - redshift_info - redshift_subnet_group - route53_wait - - s3_bucket_notification - s3_bucket_info + - s3_bucket_notification - s3_cors - s3_lifecycle - s3_logging @@ -212,9 +211,9 @@ action_groups: - ssm_parameter - stepfunctions_state_machine - stepfunctions_state_machine_execution + - storagegateway_info - sts_assume_role - sts_session_token - - storagegateway_info - waf_condition - waf_info - waf_rule @@ -508,6 +507,8 @@ plugin_routing: redirect: amazon.aws.route53_info route53_zone: redirect: amazon.aws.route53_zone + iam_group: + redirect: amazon.aws.iam_group module_utils: route53: redirect: amazon.aws.route53 diff --git a/plugins/modules/iam_group.py b/plugins/modules/iam_group.py deleted file mode 100644 index f88ebac120d..00000000000 --- a/plugins/modules/iam_group.py +++ /dev/null @@ -1,413 +0,0 @@ -#!/usr/bin/python -# -*- coding: utf-8 -*- - -# Copyright: Contributors to the Ansible project -# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) - -DOCUMENTATION = r""" ---- -module: iam_group -version_added: 1.0.0 -short_description: Manage AWS IAM groups -description: - - Manage AWS IAM groups. -author: - - Nick Aslanidis (@naslanidis) - - Maksym Postument (@infectsoldier) -options: - name: - description: - - The name of the group to create. - required: true - type: str - managed_policies: - description: - - A list of managed policy ARNs or friendly names to attach to the role. - - To embed an inline policy, use M(community.aws.iam_policy). - required: false - type: list - elements: str - default: [] - aliases: ['managed_policy'] - users: - description: - - A list of existing users to add as members of the group. - required: false - type: list - elements: str - default: [] - state: - description: - - Create or remove the IAM group. - required: true - choices: [ 'present', 'absent' ] - type: str - purge_policies: - description: - - When I(purge_policies=true) any managed policies not listed in I(managed_policies) will be detatched. - required: false - default: false - type: bool - aliases: ['purge_policy', 'purge_managed_policies'] - purge_users: - description: - - When I(purge_users=true) users which are not included in I(users) will be detached. - required: false - default: false - type: bool -extends_documentation_fragment: - - amazon.aws.common.modules - - amazon.aws.region.modules - - amazon.aws.boto3 -""" - -EXAMPLES = r""" -# Note: These examples do not set authentication details, see the AWS Guide for details. - -- name: Create a group - community.aws.iam_group: - name: testgroup1 - state: present - -- name: Create a group and attach a managed policy using its ARN - community.aws.iam_group: - name: testgroup1 - managed_policies: - - arn:aws:iam::aws:policy/AmazonSNSFullAccess - state: present - -- name: Create a group with users as members and attach a managed policy using its ARN - community.aws.iam_group: - name: testgroup1 - managed_policies: - - arn:aws:iam::aws:policy/AmazonSNSFullAccess - users: - - test_user1 - - test_user2 - state: present - -- name: Remove all managed policies from an existing group with an empty list - community.aws.iam_group: - name: testgroup1 - state: present - purge_policies: true - -- name: Remove all group members from an existing group - community.aws.iam_group: - name: testgroup1 - managed_policies: - - arn:aws:iam::aws:policy/AmazonSNSFullAccess - purge_users: true - state: present - -- name: Delete the group - community.aws.iam_group: - name: testgroup1 - state: absent - -""" -RETURN = r""" -iam_group: - description: dictionary containing all the group information including group membership - returned: success - type: complex - contains: - group: - description: dictionary containing all the group information - returned: success - type: complex - contains: - arn: - description: the Amazon Resource Name (ARN) specifying the group - type: str - sample: "arn:aws:iam::1234567890:group/testgroup1" - create_date: - description: the date and time, in ISO 8601 date-time format, when the group was created - type: str - sample: "2017-02-08T04:36:28+00:00" - group_id: - description: the stable and unique string identifying the group - type: str - sample: AGPA12345EXAMPLE54321 - group_name: - description: the friendly name that identifies the group - type: str - sample: testgroup1 - path: - description: the path to the group - type: str - sample: / - users: - description: list containing all the group members - returned: success - type: complex - contains: - arn: - description: the Amazon Resource Name (ARN) specifying the user - type: str - sample: "arn:aws:iam::1234567890:user/test_user1" - create_date: - description: the date and time, in ISO 8601 date-time format, when the user was created - type: str - sample: "2017-02-08T04:36:28+00:00" - user_id: - description: the stable and unique string identifying the user - type: str - sample: AIDA12345EXAMPLE54321 - user_name: - description: the friendly name that identifies the user - type: str - sample: testgroup1 - path: - description: the path to the user - type: str - sample: / -""" - -try: - import botocore -except ImportError: - pass # caught by AnsibleAWSModule - -from ansible.module_utils.common.dict_transformations import camel_dict_to_snake_dict - -from ansible_collections.amazon.aws.plugins.module_utils.arn import validate_aws_arn -from ansible_collections.amazon.aws.plugins.module_utils.botocore import is_boto3_error_code -from ansible_collections.amazon.aws.plugins.module_utils.retries import AWSRetry - -from ansible_collections.community.aws.plugins.module_utils.modules import AnsibleCommunityAWSModule as AnsibleAWSModule - - -def compare_attached_group_policies(current_attached_policies, new_attached_policies): - # If new_attached_policies is None it means we want to remove all policies - if len(current_attached_policies) > 0 and new_attached_policies is None: - return False - - current_attached_policies_arn_list = [] - for policy in current_attached_policies: - current_attached_policies_arn_list.append(policy["PolicyArn"]) - - if set(current_attached_policies_arn_list) == set(new_attached_policies): - return True - else: - return False - - -def compare_group_members(current_group_members, new_group_members): - # If new_attached_policies is None it means we want to remove all policies - if len(current_group_members) > 0 and new_group_members is None: - return False - if set(current_group_members) == set(new_group_members): - return True - else: - return False - - -def convert_friendly_names_to_arns(connection, module, policy_names): - if all(validate_aws_arn(policy, service="iam") for policy in policy_names if policy is not None): - return policy_names - allpolicies = {} - paginator = connection.get_paginator("list_policies") - policies = paginator.paginate().build_full_result()["Policies"] - - for policy in policies: - allpolicies[policy["PolicyName"]] = policy["Arn"] - allpolicies[policy["Arn"]] = policy["Arn"] - try: - return [allpolicies[policy] for policy in policy_names if policy is not None] - except KeyError as e: - module.fail_json(msg="Couldn't find policy: " + str(e)) - - -def create_or_update_group(connection, module): - params = dict() - params["GroupName"] = module.params.get("name") - managed_policies = module.params.get("managed_policies") - users = module.params.get("users") - purge_users = module.params.get("purge_users") - purge_policies = module.params.get("purge_policies") - changed = False - if managed_policies: - managed_policies = convert_friendly_names_to_arns(connection, module, managed_policies) - - # Get group - try: - group = get_group(connection, module, params["GroupName"]) - except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e: - module.fail_json_aws(e, msg="Couldn't get group") - - # If group is None, create it - if group is None: - # Check mode means we would create the group - if module.check_mode: - module.exit_json(changed=True) - - try: - group = connection.create_group(**params) - changed = True - except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e: - module.fail_json_aws(e, msg="Couldn't create group") - - # Manage managed policies - current_attached_policies = get_attached_policy_list(connection, module, params["GroupName"]) - if not compare_attached_group_policies(current_attached_policies, managed_policies): - current_attached_policies_arn_list = [] - for policy in current_attached_policies: - current_attached_policies_arn_list.append(policy["PolicyArn"]) - - # If managed_policies has a single empty element we want to remove all attached policies - if purge_policies: - # Detach policies not present - for policy_arn in list(set(current_attached_policies_arn_list) - set(managed_policies)): - changed = True - if not module.check_mode: - try: - connection.detach_group_policy(GroupName=params["GroupName"], PolicyArn=policy_arn) - except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e: - module.fail_json_aws(e, msg=f"Couldn't detach policy from group {params['GroupName']}") - # If there are policies to adjust that aren't in the current list, then things have changed - # Otherwise the only changes were in purging above - if set(managed_policies) - set(current_attached_policies_arn_list): - changed = True - # If there are policies in managed_policies attach each policy - if managed_policies != [None] and not module.check_mode: - for policy_arn in managed_policies: - try: - connection.attach_group_policy(GroupName=params["GroupName"], PolicyArn=policy_arn) - except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e: - module.fail_json_aws(e, msg=f"Couldn't attach policy to group {params['GroupName']}") - - # Manage group memberships - try: - current_group_members = get_group(connection, module, params["GroupName"])["Users"] - except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e: - module.fail_json_aws(e, f"Couldn't get group {params['GroupName']}") - - current_group_members_list = [] - for member in current_group_members: - current_group_members_list.append(member["UserName"]) - - if not compare_group_members(current_group_members_list, users): - if purge_users: - for user in list(set(current_group_members_list) - set(users)): - # Ensure we mark things have changed if any user gets purged - changed = True - # Skip actions for check mode - if not module.check_mode: - try: - connection.remove_user_from_group(GroupName=params["GroupName"], UserName=user) - except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e: - module.fail_json_aws(e, msg=f"Couldn't remove user {user} from group {params['GroupName']}") - # If there are users to adjust that aren't in the current list, then things have changed - # Otherwise the only changes were in purging above - if set(users) - set(current_group_members_list): - changed = True - # Skip actions for check mode - if users != [None] and not module.check_mode: - for user in users: - try: - connection.add_user_to_group(GroupName=params["GroupName"], UserName=user) - except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e: - module.fail_json_aws(e, msg=f"Couldn't add user {user} to group {params['GroupName']}") - if module.check_mode: - module.exit_json(changed=changed) - - # Get the group again - try: - group = get_group(connection, module, params["GroupName"]) - except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e: - module.fail_json_aws(e, f"Couldn't get group {params['GroupName']}") - - module.exit_json(changed=changed, iam_group=camel_dict_to_snake_dict(group)) - - -def destroy_group(connection, module): - params = dict() - params["GroupName"] = module.params.get("name") - - try: - group = get_group(connection, module, params["GroupName"]) - except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e: - module.fail_json_aws(e, f"Couldn't get group {params['GroupName']}") - if group: - # Check mode means we would remove this group - if module.check_mode: - module.exit_json(changed=True) - - # Remove any attached policies otherwise deletion fails - try: - for policy in get_attached_policy_list(connection, module, params["GroupName"]): - connection.detach_group_policy(GroupName=params["GroupName"], PolicyArn=policy["PolicyArn"]) - except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e: - module.fail_json_aws(e, msg=f"Couldn't remove policy from group {params['GroupName']}") - - # Remove any users in the group otherwise deletion fails - current_group_members_list = [] - try: - current_group_members = get_group(connection, module, params["GroupName"])["Users"] - except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e: - module.fail_json_aws(e, f"Couldn't get group {params['GroupName']}") - for member in current_group_members: - current_group_members_list.append(member["UserName"]) - for user in current_group_members_list: - try: - connection.remove_user_from_group(GroupName=params["GroupName"], UserName=user) - except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e: - module.fail_json_aws(e, f"Couldn't remove user {user} from group {params['GroupName']}") - - try: - connection.delete_group(**params) - except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e: - module.fail_json_aws(e, f"Couldn't delete group {params['GroupName']}") - - else: - module.exit_json(changed=False) - - module.exit_json(changed=True) - - -@AWSRetry.exponential_backoff() -def get_group(connection, module, name): - try: - paginator = connection.get_paginator("get_group") - return paginator.paginate(GroupName=name).build_full_result() - except is_boto3_error_code("NoSuchEntity"): - return None - - -@AWSRetry.exponential_backoff() -def get_attached_policy_list(connection, module, name): - try: - paginator = connection.get_paginator("list_attached_group_policies") - return paginator.paginate(GroupName=name).build_full_result()["AttachedPolicies"] - except is_boto3_error_code("NoSuchEntity"): - return None - - -def main(): - argument_spec = dict( - name=dict(required=True), - managed_policies=dict(default=[], type="list", aliases=["managed_policy"], elements="str"), - users=dict(default=[], type="list", elements="str"), - state=dict(choices=["present", "absent"], required=True), - purge_users=dict(default=False, type="bool"), - purge_policies=dict(default=False, type="bool", aliases=["purge_policy", "purge_managed_policies"]), - ) - - module = AnsibleAWSModule( - argument_spec=argument_spec, - supports_check_mode=True, - ) - - connection = module.client("iam") - - state = module.params.get("state") - - if state == "present": - create_or_update_group(connection, module) - else: - destroy_group(connection, module) - - -if __name__ == "__main__": - main() diff --git a/tests/integration/targets/iam_group/aliases b/tests/integration/targets/iam_group/aliases deleted file mode 100644 index 2da398045bd..00000000000 --- a/tests/integration/targets/iam_group/aliases +++ /dev/null @@ -1,7 +0,0 @@ -# reason: missing-policy -# It should be possible to test iam_groups by limiting which policies can be -# attached to the groups as well as which users can be added to the groups. -# Careful review is needed prior to adding this to the main CI. -unsupported - -cloud/aws diff --git a/tests/integration/targets/iam_group/defaults/main.yml b/tests/integration/targets/iam_group/defaults/main.yml deleted file mode 100644 index f5112b1a423..00000000000 --- a/tests/integration/targets/iam_group/defaults/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -test_user: '{{ resource_prefix }}-user' -test_group: '{{ resource_prefix }}-group' diff --git a/tests/integration/targets/iam_group/meta/main.yml b/tests/integration/targets/iam_group/meta/main.yml deleted file mode 100644 index 32cf5dda7ed..00000000000 --- a/tests/integration/targets/iam_group/meta/main.yml +++ /dev/null @@ -1 +0,0 @@ -dependencies: [] diff --git a/tests/integration/targets/iam_group/tasks/main.yml b/tests/integration/targets/iam_group/tasks/main.yml deleted file mode 100644 index a1240846cb8..00000000000 --- a/tests/integration/targets/iam_group/tasks/main.yml +++ /dev/null @@ -1,127 +0,0 @@ ---- -- name: set up aws connection info - module_defaults: - group/aws: - access_key: "{{ aws_access_key }}" - secret_key: "{{ aws_secret_key }}" - session_token: "{{ security_token | default(omit) }}" - region: "{{ aws_region }}" - collections: - - amazon.aws - block: - - name: ensure ansible user exists - iam_user: - name: '{{ test_user }}' - state: present - - - name: ensure group exists - iam_group: - name: '{{ test_group }}' - users: - - '{{ test_user }}' - state: present - register: iam_group - - - assert: - that: - - iam_group.iam_group.users - - iam_group is changed - - - name: add non existent user to group - iam_group: - name: '{{ test_group }}' - users: - - '{{ test_user }}' - - NonExistentUser - state: present - ignore_errors: yes - register: iam_group - - - name: assert that adding non existent user to group fails with helpful message - assert: - that: - - iam_group is failed - - iam_group.msg.startswith("Couldn't add user NonExistentUser to group {{ test_group }}") - - - name: remove a user - iam_group: - name: '{{ test_group }}' - purge_users: True - users: [] - state: present - register: iam_group - - - assert: - that: - - iam_group is changed - - not iam_group.iam_group.users - - - name: re-remove a user (no change) - iam_group: - name: '{{ test_group }}' - purge_users: True - users: [] - state: present - register: iam_group - - - assert: - that: - - iam_group is not changed - - not iam_group.iam_group.users - - - name: Add the user again - iam_group: - name: '{{ test_group }}' - users: - - '{{ test_user }}' - state: present - register: iam_group - - - assert: - that: - - iam_group is changed - - iam_group.iam_group.users - - - name: Re-add the user - iam_group: - name: '{{ test_group }}' - users: - - '{{ test_user }}' - state: present - register: iam_group - - - assert: - that: - - iam_group is not changed - - iam_group.iam_group.users - - - name: remove group - iam_group: - name: '{{ test_group }}' - state: absent - register: iam_group - - - assert: - that: - - iam_group is changed - - - name: re-remove group - iam_group: - name: '{{ test_group }}' - state: absent - register: iam_group - - - assert: - that: - - iam_group is not changed - - always: - - name: remove group - iam_group: - name: '{{ test_group }}' - state: absent - - - name: remove ansible user - iam_user: - name: '{{ test_user }}' - state: absent