Current File : //usr/lib/python2.7/site-packages/salt/states/boto_iam_role.pyc

Manage IAM roles
================

.. versionadded:: 2014.7.0

This module uses ``boto``, which can be installed via package, or pip.

This module accepts explicit IAM credentials but can also utilize
IAM roles assigned to the instance through Instance Profiles. Dynamic
credentials are then automatically obtained from AWS API and no further
configuration is necessary. More information available `here
<http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html>`_.

If IAM roles are not used, you need to specify credentials either in a pillar
file or in the minion's config file:

.. code-block:: yaml

    iam.keyid: GKTADJGHEIQSXMKKRBJ08H
    iam.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs

It's also possible to specify ``key``, ``keyid`` and ``region`` via a profile, either
passed in as a dict, or as a string to pull from pillars or minion config:

.. code-block:: yaml

    myprofile:
        keyid: GKTADJGHEIQSXMKKRBJ08H
        key: askjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
        region: us-east-1

Creating a role will automatically create an instance profile and associate it
with the role. This is the default behavior of the AWS console.

.. code-block:: yaml

    myrole:
        boto_iam_role.present:
            - region: us-east-1
            - key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
            - keyid: GKTADJGHEIQSXMKKRBJ08H
            - policies_from_pillars:
                - shared_iam_bootstrap_policy
            - policies:
                MySQSPolicy:
                    Statement:
                      - Action:
                            - sqs:*
                        Effect: Allow
                        Resource:
                            - arn:aws:sqs:*:*:*
                        Sid: MyPolicySQS1
                MyS3Policy:
                    Statement:
                      - Action:
                            - s3:GetObject
                        Effect: Allow
                        Resource:
                            - arn:aws:s3:*:*:mybucket/*

    # Using a credentials profile from pillars
    myrole:
        boto_iam_role.present:
            - profile: myiamprofile

    # Passing in a credentials profile
    myrole:
        boto_iam_role.present:
            - profile:
                key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
                keyid: GKTADJGHEIQSXMKKRBJ08H
                region: us-east-1

If ``delete_policies: False`` is specified, existing policies that are not in
the given list of policies will not be deleted. This allows manual modifications
on the IAM role to be persistent. This functionality was added in 2015.8.0.

.. note::

    When using the ``profile`` parameter and ``region`` is set outside of
    the profile group, region is ignored and a default region will be used.

    If ``region`` is missing from the ``profile`` data set, ``us-east-1``
    will be used as the default region.

``__virtual__``
    Only load if boto is available.

``present``
    Ensure the IAM role exists.

    name
        Name of the IAM role.

    policy_document
        The policy that grants an entity permission to assume the role.
        (See https://boto.readthedocs.io/en/latest/ref/iam.html#boto.iam.connection.IAMConnection.create_role)

    policy_document_from_pillars
        A pillar key that contains a role policy document. The statements
        defined here will be appended with the policy document statements
        defined in the policy_document argument.

        .. versionadded:: 2017.7.0

    path
        The path to the role/instance profile.
        (See https://boto.readthedocs.io/en/latest/ref/iam.html#boto.iam.connection.IAMConnection.create_role)

    policies
        A dict of IAM role policies.

    policies_from_pillars
        A list of pillars that contain role policy dicts. Policies in the
        pillars will be merged in the order defined in the list and key
        conflicts will be handled by later defined keys overriding earlier
        defined keys. The policies defined here will be merged with the
        policies defined in the policies argument. If keys conflict, the keys
        in the policies argument will override the keys defined in
        policies_from_pillars.

    managed_policies
        A list of (AWS or Customer) managed policies to be attached to the role.

    create_instance_profile
        A boolean of whether or not to create an instance profile and associate
        it with this role.

    region
        Region to connect to.

    key
        Secret key to be used.

    keyid
        Access key to be used.

    profile
        A dict with region, key and keyid, or a pillar key (string)
        that contains a dict with region, key and keyid.

    delete_policies
        Deletes existing policies that are not in the given list of policies. Default
        value is ``True``. If ``False`` is specified, existing policies will not be deleted
        allowing manual modifications on the IAM role to be persistent.

        .. versionadded:: 2015.8.0

``_sort_policy``
    List-type sub-items in policies don't happen to be order-sensitive, but
    compare operations will render them unequal, leading to non-idempotent
    state runs.  We'll sort any list-type subitems before comparison to reduce
    the likelihood of false negatives.
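
The normalization this docstring describes, as an added example that is not Salt's own code: `normalize_policy` and `policy_changed` are hypothetical names and the sample policies are constructed. Sorting on a JSON rendering is a swapped-in technique so that lists of statement dicts also sort on Python 3.

```python
import copy
import json


def normalize_policy(doc):
    """Return a canonical copy of a policy fragment with every list sorted."""
    if isinstance(doc, dict):
        return {k: normalize_policy(v) for k, v in doc.items()}
    if isinstance(doc, (list, tuple)):
        items = [normalize_policy(i) for i in doc]
        # Statement lists hold dicts, which Python 3 cannot order directly,
        # so sort on a deterministic JSON rendering of each item instead.
        return sorted(items, key=lambda i: json.dumps(i, sort_keys=True))
    return doc


def policy_changed(desired, current):
    """True only if the documents differ once list order is ignored."""
    return normalize_policy(desired) != normalize_policy(current)


# Constructed sample: the policy as written in the state file.
DESIRED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "MyPolicySQS1", "Effect": "Allow",
         "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
         "Resource": ["arn:aws:sqs:*:*:*"]},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:*:*:mybucket/*"]},
    ],
}

# Constructed sample: the same grants read back with lists in another order.
CURRENT = copy.deepcopy(DESIRED)
CURRENT["Statement"].reverse()
CURRENT["Statement"][1]["Action"].reverse()

# Constructed sample: a real difference (the SQS grant widened to sqs:*).
WIDENED = copy.deepcopy(DESIRED)
WIDENED["Statement"][0]["Action"] = ["sqs:*"]

if __name__ == "__main__":
    print("raw dicts equal:      ", DESIRED == CURRENT)
    print("reordered is a change:", policy_changed(DESIRED, CURRENT))
    print("widened is a change:  ", policy_changed(DESIRED, WIDENED))
```

A comparison that reports the reordered document as changed would rewrite the role policy on every run, which buries a genuine widening such as `sqs:*` in routine change noise.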

``absent``
    Ensure the IAM role is deleted.

    name
        Name of the IAM role.

    region
        Region to connect to.

    key
        Secret key to be used.

    keyid
        Access key to be used.

    profile
        A dict with region, key and keyid, or a pillar key (string)
        that contains a dict with region, key and keyid.