iam_group - add support for setting the path (#1892)

iam_group - add support for setting the path SUMMARY Adds support for the 'path' option on IAM Groups. Adds attached_policies return value. Also refactors create_or_update_group because it was getting large and unwieldy. Splits up test file, and adds tests for policy management ISSUE TYPE Feature Pull Request COMPONENT NAME iam_group ADDITIONAL INFORMATION Reviewed-by: Milan Zink <[email protected]> Reviewed-by: Alina Buzachis
ansible-collections · Dec 4, 2023 · 9e45fc2 · 9e45fc2
1 parent 06b729c
commit 9e45fc2
Show file tree

Hide file tree

Showing 10 changed files with 641 additions and 233 deletions.
diff --git a/changelogs/fragments/20231130-iam_group.yml b/changelogs/fragments/20231130-iam_group.yml
@@ -0,0 +1,4 @@
+minor_changes:
+- iam_group - add support for setting group path (https://github.com/ansible-collections/amazon.aws/pull/1892).
+- iam_group - adds attached_policies return value (https://github.com/ansible-collections/amazon.aws/pull/1892).
+- iam_group - code refactored to avoid single long function (https://github.com/ansible-collections/amazon.aws/pull/1892).
diff --git a/plugins/module_utils/iam.py b/plugins/module_utils/iam.py
@@ -14,6 +14,7 @@
 from ansible.module_utils.common.dict_transformations import camel_dict_to_snake_dict
 
 from .arn import parse_aws_arn
+from .arn import validate_aws_arn
 from .botocore import is_boto3_error_code
 from .exceptions import AnsibleAWSError
 from .retries import AWSRetry
@@ -72,6 +73,34 @@ def _remove_role_from_instance_profile(client, **kwargs):
     client.remove_role_from_instance_profile(**kwargs)
 
 
+@AWSRetry.jittered_backoff()
+def _list_managed_policies(client, **kwargs):
+    paginator = client.get_paginator("list_policies")
+    return paginator.paginate(**kwargs).build_full_result()
+
+
+def list_managed_policies(client):
+    try:
+        return _list_managed_policies(client)["Policies"]
+    except (botocore.exceptions.BotoCoreError, botocore.exceptions.ClientError) as e:
+        raise AnsibleIAMError(message="Failed to list all managed policies", exception=e)
+
+
+def convert_managed_policy_names_to_arns(client, policy_names):
+    if all(validate_aws_arn(policy, service="iam") for policy in policy_names if policy is not None):
+        return policy_names
+    allpolicies = {}
+    policies = list_managed_policies(client)
+
+    for policy in policies:
+        allpolicies[policy["PolicyName"]] = policy["Arn"]
+        allpolicies[policy["Arn"]] = policy["Arn"]
+    try:
+        return [allpolicies[policy] for policy in policy_names if policy is not None]
+    except KeyError as e:
+        raise AnsibleIAMError(message="Failed to find policy by name:" + str(e))
+
+
 def get_aws_account_id(module):
     """Given an AnsibleAWSModule instance, get the active AWS account ID"""