diff --git a/README.md b/README.md index 11fee445839..7b1634f1485 100644 --- a/README.md +++ b/README.md 
@@ -43,11 +43,13 @@ Name | Description ### Modules Name | Description --- | --- +[community.aws.accessanalyzer_validate_policy_info](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.accessanalyzer_validate_policy_info_module.rst)|Performs validation of IAM policies [community.aws.acm_certificate](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.acm_certificate_module.rst)|Upload and delete certificates in the AWS Certificate Manager service [community.aws.acm_certificate_info](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.acm_certificate_info_module.rst)|Retrieve certificate information from AWS Certificate Manager service [community.aws.api_gateway](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.api_gateway_module.rst)|Manage AWS API Gateway APIs [community.aws.api_gateway_domain](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.api_gateway_domain_module.rst)|Manage AWS API Gateway custom domains [community.aws.application_autoscaling_policy](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.application_autoscaling_policy_module.rst)|Manage Application Auto Scaling Scaling Policies +[community.aws.autoscaling_complete_lifecycle_action](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.autoscaling_complete_lifecycle_action_module.rst)|Completes the lifecycle action of an instance [community.aws.autoscaling_group](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.autoscaling_group_module.rst)|Create or delete AWS AutoScaling Groups (ASGs) [community.aws.autoscaling_group_info](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.autoscaling_group_info_module.rst)|Gather information about EC2 Auto Scaling Groups (ASGs) in AWS 
[community.aws.autoscaling_instance_refresh](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.autoscaling_instance_refresh_module.rst)|Start or cancel an EC2 Auto Scaling Group (ASG) instance refresh in AWS @@ -58,7 +60,7 @@ Name | Description [community.aws.autoscaling_lifecycle_hook](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.autoscaling_lifecycle_hook_module.rst)|Create, delete or update AWS ASG Lifecycle Hooks [community.aws.autoscaling_policy](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.autoscaling_policy_module.rst)|Create or delete AWS scaling policies for Autoscaling groups [community.aws.autoscaling_scheduled_action](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.autoscaling_scheduled_action_module.rst)|Create, modify and delete ASG scheduled scaling actions -[community.aws.aws_region_info](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.aws_region_info_module.rst)|Gather information about AWS regions. +[community.aws.aws_region_info](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.aws_region_info_module.rst)|Gather information about AWS regions [community.aws.batch_compute_environment](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.batch_compute_environment_module.rst)|Manage AWS Batch Compute Environments [community.aws.batch_job_definition](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.batch_job_definition_module.rst)|Manage AWS Batch Job Definitions [community.aws.batch_job_queue](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.batch_job_queue_module.rst)|Manage AWS Batch Job Queues 
@@ -159,7 +161,7 @@ Name | Description [community.aws.iam_role](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.iam_role_module.rst)|Manage AWS IAM roles [community.aws.iam_role_info](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.iam_role_info_module.rst)|Gather information on IAM roles [community.aws.iam_saml_federation](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.iam_saml_federation_module.rst)|Maintain IAM SAML federation configuration. -[community.aws.iam_server_certificate](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.iam_server_certificate_module.rst)|Manage server certificates for use on ELBs and CloudFront +[community.aws.iam_server_certificate](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.iam_server_certificate_module.rst)|Manage IAM server certificates for use on ELBs and CloudFront [community.aws.iam_server_certificate_info](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.iam_server_certificate_info_module.rst)|Retrieve the information of a server certificate [community.aws.iam_user](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.iam_user_module.rst)|Manage AWS IAM users [community.aws.iam_user_info](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.iam_user_info_module.rst)|Gather IAM user(s) facts in AWS 
@@ -174,6 +176,7 @@ Name | Description [community.aws.lambda_info](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.lambda_info_module.rst)|Gathers AWS Lambda function details [community.aws.lambda_policy](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.lambda_policy_module.rst)|Creates, updates or deletes AWS Lambda policy statements. [community.aws.lightsail](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.lightsail_module.rst)|Manage instances in AWS Lightsail +[community.aws.lightsail_static_ip](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.lightsail_static_ip_module.rst)|Manage static IP addresses in AWS Lightsail [community.aws.msk_cluster](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.msk_cluster_module.rst)|Manage Amazon MSK clusters [community.aws.msk_config](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.msk_config_module.rst)|Manage Amazon MSK cluster configurations [community.aws.networkfirewall](https://github.com/ansible-collections/community.aws/blob/main/docs/community.aws.networkfirewall_module.rst)|manage AWS Network Firewall firewalls diff --git a/docs/community.aws.aws_glue_crawler_module.rst b/docs/community.aws.accessanalyzer_validate_policy_info_module.rst similarity index 57% rename from docs/community.aws.aws_glue_crawler_module.rst rename to docs/community.aws.accessanalyzer_validate_policy_info_module.rst index ec06b9b8b10..d76f3257e3a 100644 --- a/docs/community.aws.aws_glue_crawler_module.rst +++ b/docs/community.aws.accessanalyzer_validate_policy_info_module.rst 
@@ -1,14 +1,14 @@ -.. _community.aws.aws_glue_crawler_module: +.. _community.aws.accessanalyzer_validate_policy_info_module: -****************************** -community.aws.aws_glue_crawler -****************************** +************************************************* +community.aws.accessanalyzer_validate_policy_info +************************************************* -**Manage an AWS Glue crawler** +**Performs validation of IAM policies** -Version added: 4.1.0 +Version added: 5.0.0 .. contents:: :local: @@ -17,7 +17,7 @@ Version added: 4.1.0 Synopsis -------- -- Manage an AWS Glue crawler. See https://aws.amazon.com/glue/ for details. +- Requests the validation of a policy and returns a list of findings. @@ -26,8 +26,8 @@ Requirements The below requirements are needed on the host that executes this module. - python >= 3.6 -- boto3 >= 1.17.0 -- botocore >= 1.20.0 +- boto3 >= 1.18.0 +- botocore >= 1.21.0 Parameters @@ -37,12 +37,12 @@ Parameters
Parameter | +Parameter | Choices/Defaults | Comments | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
+ | aws_access_key @@ -59,7 +59,7 @@ Parameters | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ | aws_ca_bundle @@ -75,7 +75,7 @@ Parameters | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ | aws_config @@ -91,7 +91,7 @@ Parameters | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ | aws_secret_key @@ -108,22 +108,7 @@ Parameters | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-
- database_name
-
-
- string
-
- |
- - | -
- The name of the database where results are written.
- |
- ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ | debug_botocore_endpoint_logs @@ -142,22 +127,7 @@ Parameters | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-
- description
-
-
- string
-
- |
- - | -
- Description of the crawler being defined.
- |
- ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ | ec2_url @@ -173,78 +143,66 @@ Parameters | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ |
- name
+ locale
string
- / required
|
+ Default: "EN"
|
- The name you assign to this crawler definition. It must be unique in your account.
+ The locale to use for localizing the findings.
+ Supported locales include
+ DE , EN , ES , FR , IT , JA , KO , PT_BR , ZH_CN and ZH_TW .For more information about supported locales see the AWS Documentation
https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ValidatePolicy.html |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ |
- profile
+ policy
- string
+ json
+ / required
|
- The profile option is mutually exclusive with the aws_access_key, aws_secret_key and security_token options.
- aliases: aws_profile A properly json formatted policy.
+ aliases: policy_document |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ |
- purge_tags
+ policy_type
- boolean
+ string
|
|
- If purge_tags=true and tags is set, existing tags will be purged from the resource to match exactly what is defined by tags parameter.
- If the tags parameter is not set then tags will not be modified, even if purge_tags=True.
- Tag keys beginning with
+ aws: are reserved by Amazon and can not be modified. As such they will be ignored for the purposes of the purge_tags parameter. See the Amazon documentation for more information https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html#tag-conventions.The type of policy to validate.
+ identity policies grant permissions to IAM principals, including both managed and inline policies for IAM roles, users, and groups.resource policies policies grant permissions on AWS resources, including trust policies for IAM roles and bucket policies for S3 buckets. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-
- recrawl_policy
-
-
- dictionary
-
- |
- - | -
- A policy that specifies whether to crawl the entire dataset again, or to crawl only folders that were added since the last crawler run.
- |
- ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
- recrawl_behavior
+ profile
string
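Review bot: the policy_type description in this hunk has a doubled word, "resource policies policies grant permissions on AWS resources"; drop the second "policies". In the same hunk the policy description reads "A properly json formatted policy."; write "JSON" in capitals.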
@@ -253,13 +211,12 @@ Parameters
|
- |
Specifies whether to crawl the entire dataset again or to crawl only folders that were added since the last crawler run.
- Supported options are
+ CRAWL_EVERYTHING and CRAWL_NEW_FOLDERS_ONLY .The profile option is mutually exclusive with the aws_access_key, aws_secret_key and security_token options.
+ aliases: aws_profile | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ | region @@ -275,41 +232,9 @@ Parameters | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-
- role
-
-
- string
-
- |
- - | -
- The name or ARN of the IAM role associated with this crawler.
- Required when state=present.
- |
- ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-
- schema_change_policy
-
-
- dictionary
-
- |
- - | -
- The policy for the crawler's update and deletion behavior.
- |
- ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
- delete_behavior
+ resource_type
string
@@ -318,30 +243,37 @@ Parameters
|
- |
Defines the deletion behavior when the crawler finds a deleted object.
- Supported options are
+ LOG , DELETE_FROM_DATABASE , and DEPRECATE_IN_DATABASE .The type of resource to attach to your resource policy.
+ Ignored unless policy_type=resource.
+ Supported resource types include
+ AWS::S3::Bucket , AWS::S3::AccessPoint , AWS::S3::MultiRegionAccessPoint and AWS::S3ObjectLambda::AccessPoint For resource types not supported as valid values, IAM Access Analyzer runs policy checks that apply to all resource policies.
+ For more information about supported locales see the AWS Documentation
https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ValidatePolicy.html | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
- update_behavior
+ results_filter
- string
+ list
+ / elements=string
|
+
|
- Defines the update behavior when the crawler finds a changed schema..
- Supported options are
+ LOG and UPDATE_IN_DATABASE .Filter the findings and limit them to specific finding types.
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
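Review bot: the resource_type description ends with "For more information about supported locales see the AWS Documentation", which looks carried over from the locale parameter; it should refer to supported resource types. The sentence listing the supported types also has no full stop after AWS::S3ObjectLambda::AccessPoint, so it runs straight into "For resource types not supported as valid values". The results_filter description says findings can be limited to "specific finding types" without naming them in the text; listing the accepted values there would help.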
+ | security_token @@ -359,75 +291,7 @@ Parameters | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-
- state
-
-
- string
- / required
-
- |
-
-
|
-
- Create or delete the AWS Glue crawler.
- |
- ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-
- table_prefix
-
-
- string
-
- |
- - | -
- The table prefix used for catalog tables that are created.
- |
- ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-
- tags
-
-
- dictionary
-
- |
- - | -
- A dictionary representing the tags to be applied to the resource.
- If the tags parameter is not set then tags will not be modified.
- aliases: resource_tags |
- ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-
- targets
-
-
- dictionary
-
- |
- - | -
- A list of targets to crawl. See example below.
- Required when state=present.
- |
- ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ |
validate_certs
@@ -464,31 +328,10 @@ Examples
.. code-block:: yaml
- # Note: These examples do not set authentication details, see the AWS Guide for details.
-
- # Create an AWS Glue crawler
- - community.aws.aws_glue_crawler:
- name: my-glue-crawler
- database_name: my_database
- role: my-iam-role
- schema_change_policy:
- delete_behavior: DELETE_FROM_DATABASE
- update_behavior: UPDATE_IN_DATABASE
- recrawl_policy:
- recrawl_ehavior: CRAWL_EVERYTHING
- targets:
- S3Targets:
- - Path: "s3://my-bucket/prefix/folder/"
- ConnectionName: my-connection
- Exclusions:
- - "**.json"
- - "**.yml"
- state: present
-
- # Delete an AWS Glue crawler
- - community.aws.aws_glue_crawler:
- name: my-glue-crawler
- state: absent
+ # Validate a policy
+ - name: Validate a simple IAM policy
+ community.aws.accessanalyzer_validate_policy_info:
+ policy: "{{ lookup('template', 'managed_policy.json.j2') }}"
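Review bot: the added Examples block only passes policy, so policy_type, resource_type and results_filter have no documented usage. Add a task that validates a resource policy (policy_type=resource together with a resource_type such as AWS::S3::Bucket) and one that narrows the output with results_filter. Because the span return value warns that lookups may turn the policy into a single line of JSON, the template lookup shown here should carry a comment that the reported line, column and offset values may not map back to the template file.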
@@ -500,311 +343,308 @@ Common return values are documented `here Key |
+ Key |
Returned |
Description |
+ |
- creation_time
+ findings
|
-
- string
+ list
+ / elements=dictionary
when state is present |
+ success |
- |
The time and date that this crawler definition was created.
+ The list of findings in a policy returned by IAM Access Analyzer based on its suite of policy checks.
- Sample:
- 2021-04-01T05:19:58.326000+00:00
+ | |
+
- database_name
+ finding_details
|
-
string
when state is present |
+ success |
- |
The name of the database where results are written.
+ A localized message describing the finding.
Sample:
- my_table
+ Resource ARN does not match the expected ARN format. Update the resource portion of the ARN.
+ | |
+
- description
+ finding_type
|
-
string
when state is present |
+ success |
- |
Description of the crawler.
+ The severity of the finding.
Sample:
- My crawler
+ ERROR
+ | |
+
- last_updated
+ issue_code
|
-
string
when state is present |
+ success |
- |
The time and date that this crawler definition was last updated.
+ An identifier for the type of issue found.
Sample:
- 2021-04-01T05:19:58.326000+00:00
+ INVALID_ARN_RESOURCE
+ | |
+
- name
+ learn_more_link
|
-
string
always |
+ success |
- |
The name of the AWS Glue crawler.
+ A link to additional information about the finding type.
Sample:
- my-glue-crawler
+ https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html
+ | |
+
- recrawl_policy
+ locations
|
-
- complex
+ list
+ / elements=dictionary
when state is present |
+ success |
- |
A policy that specifies whether to crawl the entire dataset again, or to crawl only folders that were added since the last crawler run.
+ The location of the item resulting in the recommendations.
|
-
+ | |
+
- RecrawlBehavior
+ path
|
-
- string
+ list
+ / elements=dictionary
when state is present |
+ success |
- |
Whether to crawl the entire dataset again or to crawl only folders that were added since the last crawler run.
+ A path in a policy, represented as a sequence of path elements.
Sample:
- CRAWL_EVERYTHING
+ [{'value': 'Statement'}, {'index': 0}, {'value': 'Resource'}, {'index': 0}]
+ | |
+ |
+
- role
+ span
|
-
- string
+ dictionary
when state is present |
+
|
- |
The name or ARN of the IAM role associated with this crawler.
+ Where in the policy the finding refers to.
+ Note - when using lookups or passing dictionaries to policy the policy string may be converted to a single line of JSON, changing th column, line and offset values.
- Sample:
- my-iam-role
|
+ |
+ |
- schema_change_policy
+ end
|
-
- complex
+ dictionary
when state is present |
+ success |
- |
The policy for the crawler's update and deletion behavior.
+ The end position of the span.
|
+ |
+ |
+ |
- DeleteBehavior
+ column
|
-
- string
+ integer
when state is present |
+ success |
- |
The deletion behavior when the crawler finds a deleted object.
+ The column of the position, starting from
0 .- Sample:
- DELETE_FROM_DATABASE
|
+ |
+ |
+ |
- UpdateBehavior
+ line
|
-
- string
+ integer
when state is present |
+ success |
- |
The update behavior when the crawler finds a changed schema.
+ The line of the position, starting from
1 .- Sample:
- UPDATE_IN_DATABASE
+ | |
+ |
+ |
+ |
+
- table_prefix
+ offset
|
-
- string
+ integer
when state is present |
+ success |
- |
The table prefix used for catalog tables that are created.
+ The offset within the policy that corresponds to the position, starting from
0 .- Sample:
- my_prefix
|
+ |
+ |
- targets
+ start
|
-
- complex
+ dictionary
when state is present |
+ success |
- |
A list of targets to crawl.
+ The start position of the span.
|
-
-
- CatalogTargets
-
- |
-
- list
-
- when state is present |
-
- |
- List of catalog targets.
- - |
-
-
- DynamoDBTargets
-
- |
-
- list
-
- when state is present |
-
- |
- List of DynamoDB targets.
- - |
|
- JdbcTargets
+ column
|
-
- list
+ integer
when state is present |
+ success |
- |
List of JDBC targets.
+ The column of the position, starting from
0 . |
+ |
+ |
+ |
- MongoDBTargets
+ line
|
-
- list
+ integer
when state is present |
+ success |
- |
List of Mongo DB targets.
+ The line of the position, starting from
1 . |
+ |
+ |
+ |
- S3Targets
+ offset
|
-
- list
+ integer
when state is present |
+ success |
- |
List of S3 targets.
+ The offset within the policy that corresponds to the position, starting from
0 . |
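Review bot: the note under the span return value reads "changing th column, line and offset values"; "th" should be "the". The Returned cell of the added span row also appears empty, while its siblings (findings, locations, path, start, end and their children) are all marked "success"; fill it in so the table is consistent.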
aws:
are reserved by Amazon and can not be modified. As such they will be ignored for the purposes of the purge_tags parameter. See the Amazon documentation for more information https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html#tag-conventions.False
has been deprecated. The default value will change to True
in release 5.0.0.aws:
are reserved by Amazon and can not be modified. As such they will be ignored for the purposes of the purge_tags parameter. See the Amazon documentation for more information https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html#tag-conventions.False
has been deprecated. The default value will change to True
in release 5.0.0.Parameter | -Choices/Defaults | -Comments | -
---|---|---|
-
- all_lists
-
-
- boolean
-
- |
-
-
|
-
- Get all CloudFront lists that do not require parameters.
- |
-
-
- aws_access_key
-
-
- string
-
- |
- - | -
- AWS access key . If not set then the value of the AWS_ACCESS_KEY_ID , AWS_ACCESS_KEY or EC2_ACCESS_KEY environment variable is used.The aws_access_key and profile options are mutually exclusive.
- aliases: ec2_access_key, access_key |
-
-
- aws_ca_bundle
-
-
- path
-
- |
- - | -
- The location of a CA Bundle to use when validating SSL certificates.
- Note: The CA Bundle is read 'module' side and may need to be explicitly copied from the controller if not run locally.
- |
-
-
- aws_config
-
-
- dictionary
-
- |
- - | -
- A dictionary to modify the botocore configuration.
- Parameters can be found at https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config.
- |
-
-
- aws_secret_key
-
-
- string
-
- |
- - | -
- AWS secret key . If not set then the value of the AWS_SECRET_ACCESS_KEY , AWS_SECRET_KEY , or EC2_SECRET_KEY environment variable is used.The aws_secret_key and profile options are mutually exclusive.
- aliases: ec2_secret_key, secret_key |
-
-
- debug_botocore_endpoint_logs
-
-
- boolean
-
- |
-
-
|
-
- Use a botocore.endpoint logger to parse the unique (rather than total) "resource:action" API calls made during a task, outputing the set to the resource_actions key in the task results. Use the aws_resource_action callback to output to total list made during a playbook. The ANSIBLE_DEBUG_BOTOCORE_LOGS environment variable may also be used.
- |
-
-
- distribution
-
-
- boolean
-
- |
-
-
|
-
- Get information about a distribution.
- Requires distribution_id or domain_name_alias to be specified.
- |
-
-
- distribution_config
-
-
- boolean
-
- |
-
-
|
-
- Get the configuration information about a distribution.
- Requires distribution_id or domain_name_alias to be specified.
- |
-
-
- distribution_id
-
-
- string
-
- |
- - | -
- The id of the CloudFront distribution. Used with distribution, distribution_config, invalidation, streaming_distribution, streaming_distribution_config, list_invalidations.
- |
-
-
- domain_name_alias
-
-
- string
-
- |
- - | -
- Can be used instead of distribution_id - uses the aliased CNAME for the CloudFront distribution to get the distribution id where required.
- |
-
-
- ec2_url
-
-
- string
-
- |
- - | -
- URL to use to connect to EC2 or your Eucalyptus cloud (by default the module will use EC2 endpoints). Ignored for modules where region is required. Must be specified for all other modules if region is not used. If not set then the value of the EC2_URL environment variable, if any, is used.
- aliases: aws_endpoint_url, endpoint_url |
-
-
- invalidation
-
-
- boolean
-
- |
-
-
|
-
- Get information about an invalidation.
- Requires invalidation_id to be specified.
- |
-
-
- invalidation_id
-
-
- string
-
- |
- - | -
- The id of the invalidation to get information about.
- Used with invalidation.
- |
-
-
- list_distributions
-
-
- boolean
-
- |
-
-
|
-
- Get a list of CloudFront distributions.
- |
-
-
- list_distributions_by_web_acl_id
-
-
- boolean
-
- |
-
-
|
-
- Get a list of distributions using web acl id as a filter.
- Requires web_acl_id to be set.
- |
-
-
- list_invalidations
-
-
- boolean
-
- |
-
-
|
-
- Get a list of invalidations.
- Requires distribution_id or domain_name_alias to be specified.
- |
-
-
- list_origin_access_identities
-
-
- boolean
-
- |
-
-
|
-
- Get a list of CloudFront origin access identities.
- Requires origin_access_identity_id to be set.
- |
-
-
- list_streaming_distributions
-
-
- boolean
-
- |
-
-
|
-
- Get a list of streaming distributions.
- |
-
-
- origin_access_identity
-
-
- boolean
-
- |
-
-
|
-
- Get information about an origin access identity.
- Requires origin_access_identity_id to be specified.
- |
-
-
- origin_access_identity_config
-
-
- boolean
-
- |
-
-
|
-
- Get the configuration information about an origin access identity.
- Requires origin_access_identity_id to be specified.
- |
-
-
- origin_access_identity_id
-
-
- string
-
- |
- - | -
- The id of the CloudFront origin access identity to get information about.
- |
-
-
- profile
-
-
- string
-
- |
- - | -
- The profile option is mutually exclusive with the aws_access_key, aws_secret_key and security_token options.
- aliases: aws_profile |
-
-
- region
-
-
- string
-
- |
- - | -
- The AWS region to use. If not specified then the value of the AWS_REGION or EC2_REGION environment variable, if any, is used. See http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region
- aliases: aws_region, ec2_region |
-
-
- security_token
-
-
- string
-
- |
- - | -
- AWS STS security token . If not set then the value of the AWS_SECURITY_TOKEN or EC2_SECURITY_TOKEN environment variable is used.The security_token and profile options are mutually exclusive.
- Aliases aws_session_token and session_token have been added in version 3.2.0.
- aliases: aws_session_token, session_token, aws_security_token, access_token |
-
-
- streaming_distribution
-
-
- boolean
-
- |
-
-
|
-
- Get information about a specified RTMP distribution.
- Requires distribution_id or domain_name_alias to be specified.
- |
-
-
- streaming_distribution_config
-
-
- boolean
-
- |
-
-
|
-
- Get the configuration information about a specified RTMP distribution.
- Requires distribution_id or domain_name_alias to be specified.
- |
-
-
- summary
-
-
- boolean
-
- |
-
-
|
-
- Returns a summary of all distributions, streaming distributions and origin_access_identities.
- This is the default behaviour if no option is selected.
- |
-
-
- validate_certs
-
-
- boolean
-
- |
-
-
|
-
- When set to "no", SSL certificates will not be validated for communication with the AWS APIs.
- |
-
aws:
are reserved by Amazon and can not be modified. As such they will be ignored for the purposes of the purge_tags parameter. See the Amazon documentation for more information https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html#tag-conventions.False
has been deprecated. The default value will change to True
in release 5.0.0.true
. However, this behavior can be confusing and as such the default will change to false
in a release after 2022-06-01. To maintain the existing behavior explicitly set skip_duplicates=true.false
, this will default to true
in release 5.0.0.true
.aws:
are reserved by Amazon and can not be modified. As such they will be ignored for the purposes of the purge_tags parameter. See the Amazon documentation for more information https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html#tag-conventions.False
has been deprecated. The default value will change to True
in release 5.0.0.aws:
are reserved by Amazon and can not be modified. As such they will be ignored for the purposes of the purge_tags parameter. See the Amazon documentation for more information https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html#tag-conventions.False
has been deprecated. The default value will change to True
in release 5.0.0.aws:
are reserved by Amazon and can not be modified. As such they will be ignored for the purposes of the purge_tags parameter. See the Amazon documentation for more information https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html#tag-conventions.False
has been deprecated. The default value will change to True
in release 5.0.0.aws:
are reserved by Amazon and can not be modified. As such they will be ignored for the purposes of the purge_tags parameter. See the Amazon documentation for more information https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html#tag-conventions.False
has been deprecated. The default value will change to True
in release 5.0.0.aws:
are reserved by Amazon and can not be modified. As such they will be ignored for the purposes of the purge_tags parameter. See the Amazon documentation for more information https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html#tag-conventions.False
has been deprecated. The default value will change to True
in release 5.0.0.