PNG  IHDRX cHRMz&u0`:pQ<bKGD pHYsodtIME MeqIDATxw]Wug^Qd˶ 6`!N:!@xI~)%7%@Bh&`lnjVF29gΨ4E$|>cɚ{gk= %,a KX%,a KX%,a KX%,a KX%,a KX%,a KX%, b` ǟzeאfp]<!SJmɤY޲ڿ,%c ~ع9VH.!Ͳz&QynֺTkRR.BLHi٪:l;@(!MԴ=žI,:o&N'Kù\vRmJ雵֫AWic H@" !: Cé||]k-Ha oݜ:y F())u]aG7*JV@J415p=sZH!=!DRʯvɱh~V\}v/GKY$n]"X"}t@ xS76^[bw4dsce)2dU0 CkMa-U5tvLƀ~mlMwfGE/-]7XAƟ`׮g ewxwC4\[~7@O-Q( a*XGƒ{ ՟}$_y3tĐƤatgvێi|K=uVyrŲlLӪuܿzwk$m87k( `múcE)"@rK( z4$D; 2kW=Xb$V[Ru819קR~qloѱDyįݎ*mxw]y5e4K@ЃI0A D@"BDk_)N\8͜9dz"fK0zɿvM /.:2O{ Nb=M=7>??Zuo32 DLD@D| &+֎C #B8ַ`bOb $D#ͮҪtx]%`ES`Ru[=¾!@Od37LJ0!OIR4m]GZRJu$‡c=%~s@6SKy?CeIh:[vR@Lh | (BhAMy=݃  G"'wzn޺~8ԽSh ~T*A:xR[ܹ?X[uKL_=fDȊ؂p0}7=D$Ekq!/t.*2ʼnDbŞ}DijYaȲ(""6HA;:LzxQ‘(SQQ}*PL*fc\s `/d'QXW, e`#kPGZuŞuO{{wm[&NBTiiI0bukcA9<4@SӊH*؎4U/'2U5.(9JuDfrޱtycU%j(:RUbArLֺN)udA':uGQN"-"Is.*+k@ `Ojs@yU/ H:l;@yyTn}_yw!VkRJ4P)~y#)r,D =ě"Q]ci'%HI4ZL0"MJy 8A{ aN<8D"1#IJi >XjX֔#@>-{vN!8tRݻ^)N_╗FJEk]CT՟ YP:_|H1@ CBk]yKYp|og?*dGvzنzӴzjֺNkC~AbZƷ`.H)=!QͷVTT(| u78y֮}|[8-Vjp%2JPk[}ԉaH8Wpqhwr:vWª<}l77_~{s۴V+RCģ%WRZ\AqHifɤL36: #F:p]Bq/z{0CU6ݳEv_^k7'>sq*+kH%a`0ԣisqにtү04gVgW΂iJiS'3w.w}l6MC2uԯ|>JF5`fV5m`Y**Db1FKNttu]4ccsQNnex/87+}xaUW9y>ͯ骵G{䩓Գ3+vU}~jJ.NFRD7<aJDB1#ҳgSb,+CS?/ VG J?|?,2#M9}B)MiE+G`-wo߫V`fio(}S^4e~V4bHOYb"b#E)dda:'?}׮4繏`{7Z"uny-?ǹ;0MKx{:_pÚmFמ:F " .LFQLG)Q8qN q¯¯3wOvxDb\. BKD9_NN &L:4D{mm o^tֽ:q!ƥ}K+<"m78N< ywsard5+Š²z~mnG)=}lYݧNj'QJS{S :UYS-952?&O-:W}(!6Mk4+>A>j+i|<<|;ر^߉=HE|V#F)Emm#}/"y GII웻Jі94+v뾧xu~5C95~ūH>c@덉pʃ1/4-A2G%7>m;–Y,cyyaln" ?ƻ!ʪ<{~h~i y.zZB̃/,雋SiC/JFMmBH&&FAbϓO^tubbb_hZ{_QZ-sύodFgO(6]TJA˯#`۶ɟ( %$&+V'~hiYy>922 Wp74Zkq+Ovn錄c>8~GqܲcWꂎz@"1A.}T)uiW4="jJ2W7mU/N0gcqܗOO}?9/wìXžΏ0 >֩(V^Rh32!Hj5`;O28؇2#ݕf3 ?sJd8NJ@7O0 b־?lldщ̡&|9C.8RTWwxWy46ah嘦mh٤&l zCy!PY?: CJyв]dm4ǜҐR޻RլhX{FƯanшQI@x' ao(kUUuxW_Ñ줮[w8 FRJ(8˼)_mQ _!RJhm=!cVmm ?sFOnll6Qk}alY}; "baӌ~M0w,Ggw2W:G/k2%R,_=u`WU R.9T"v,<\Ik޽/2110Ӿxc0gyC&Ny޽JҢrV6N ``یeA16"J³+Rj*;BϜkZPJaÍ<Jyw:NP8/D$ 011z֊Ⱳ3ι֘k1V_"h!JPIΣ'ɜ* aEAd:ݺ>y<}Lp&PlRfTb1]o .2EW\ͮ]38؋rTJsǏP@芎sF\> P^+dYJLbJ C-xϐn> ι$nj,;Ǖa FU *择|h ~izť3ᤓ`K'-f tL7JK+vf2)V'-sFuB4i+m+@My=O҈0"|Yxoj,3]:cо3 $#uŘ%Y"y죯LebqtҢVzq¼X)~>4L׶m~[1_k?kxֺQ`\ |ٛY4Ѯr!)N9{56(iNq}O()Em]=F&u?$HypWUeB\k]JɩSع9 Zqg4ZĊo oMcjZBU]B\TUd34ݝ~:7ڶSUsB0Z3srx 7`:5xcx !qZA!;%͚7&P H<WL!džOb5kF)xor^aujƍ7 Ǡ8/p^(L>ὴ-B,{ۇWzֺ^k]3\EE@7>lYBȝR.oHnXO/}sB|.i@ɥDB4tcm,@ӣgdtJ!lH$_vN166L__'Z)y&kH;:,Y7=J 9cG) V\hjiE;gya~%ks_nC~Er er)muuMg2;֫R)Md) ,¶ 2-wr#F7<-BBn~_(o=KO㭇[Xv eN_SMgSҐ BS헃D%g_N:/pe -wkG*9yYSZS.9cREL !k}<4_Xs#FmҶ:7R$i,fi!~' # !6/S6y@kZkZcX)%5V4P]VGYq%H1!;e1MV<!ϐHO021Dp= HMs~~a)ަu7G^];git!Frl]H/L$=AeUvZE4P\.,xi {-~p?2b#amXAHq)MWǾI_r`S Hz&|{ +ʖ_= (YS(_g0a03M`I&'9vl?MM+m~}*xT۲(fY*V4x@29s{DaY"toGNTO+xCAO~4Ϳ;p`Ѫ:>Ҵ7K 3}+0 387x\)a"/E>qpWB=1 ¨"MP(\xp߫́A3+J] n[ʼnӼaTbZUWb={~2ooKױӰp(CS\S筐R*JغV&&"FA}J>G֐p1ٸbk7 ŘH$JoN <8s^yk_[;gy-;߉DV{c B yce% aJhDȶ 2IdйIB/^n0tNtџdcKj4϶v~- CBcgqx9= PJ) dMsjpYB] GD4RDWX +h{y`,3ꊕ$`zj*N^TP4L:Iz9~6s) Ga:?y*J~?OrMwP\](21sZUD ?ܟQ5Q%ggW6QdO+\@ ̪X'GxN @'4=ˋ+*VwN ne_|(/BDfj5(Dq<*tNt1х!MV.C0 32b#?n0pzj#!38}޴o1KovCJ`8ŗ_"]] rDUy޲@ Ȗ-;xџ'^Y`zEd?0„ DAL18IS]VGq\4o !swV7ˣι%4FѮ~}6)OgS[~Q vcYbL!wG3 7띸*E Pql8=jT\꘿I(z<[6OrR8ºC~ډ]=rNl[g|v TMTղb-o}OrP^Q]<98S¤!k)G(Vkwyqyr޽Nv`N/e p/~NAOk \I:G6]4+K;j$R:Mi #*[AȚT,ʰ,;N{HZTGMoּy) ]%dHء9Պ䠬|<45,\=[bƟ8QXeB3- &dҩ^{>/86bXmZ]]yޚN[(WAHL$YAgDKp=5GHjU&99v簪C0vygln*P)9^͞}lMuiH!̍#DoRBn9l@ xA/_v=ȺT{7Yt2N"4!YN`ae >Q<XMydEB`VU}u]嫇.%e^ánE87Mu\t`cP=AD/G)sI"@MP;)]%fH9'FNsj1pVhY&9=0pfuJ&gޤx+k:!r˭wkl03׼Ku C &ѓYt{.O.zҏ z}/tf_wEp2gvX)GN#I ݭ߽v/ .& и(ZF{e"=V!{zW`, ]+LGz"(UJp|j( #V4, 8B 0 9OkRrlɱl94)'VH9=9W|>PS['G(*I1==C<5"Pg+x'K5EMd؞Af8lG ?D FtoB[je?{k3zQ vZ;%Ɠ,]E>KZ+T/ EJxOZ1i #T<@ I}q9/t'zi(EMqw`mYkU6;[t4DPeckeM;H}_g pMww}k6#H㶏+b8雡Sxp)&C $@'b,fPߑt$RbJ'vznuS ~8='72_`{q纶|Q)Xk}cPz9p7O:'|G~8wx(a 0QCko|0ASD>Ip=4Q, d|F8RcU"/KM opKle M3#i0c%<7׿p&pZq[TR"BpqauIp$ 8~Ĩ!8Սx\ւdT>>Z40ks7 z2IQ}ItԀ<-%S⍤};zIb$I 5K}Q͙D8UguWE$Jh )cu4N tZl+[]M4k8֦Zeq֮M7uIqG 1==tLtR,ƜSrHYt&QP윯Lg' I,3@P'}'R˪e/%-Auv·ñ\> vDJzlӾNv5:|K/Jb6KI9)Zh*ZAi`?S {aiVDԲuy5W7pWeQJk֤#5&V<̺@/GH?^τZL|IJNvI:'P=Ϛt"¨=cud S Q.Ki0 !cJy;LJR;G{BJy޺[^8fK6)=yʊ+(k|&xQ2`L?Ȓ2@Mf 0C`6-%pKpm')c$׻K5[J*U[/#hH!6acB JA _|uMvDyk y)6OPYjœ50VT K}cǻP[ $:]4MEA.y)|B)cf-A?(e|lɉ#P9V)[9t.EiQPDѠ3ϴ;E:+Օ t ȥ~|_N2,ZJLt4! %ա]u {+=p.GhNcŞQI?Nd'yeh n7zi1DB)1S | S#ًZs2|Ɛy$F SxeX{7Vl.Src3E℃Q>b6G ўYCmtկ~=K0f(=LrAS GN'ɹ9<\!a`)֕y[uՍ[09` 9 +57ts6}b4{oqd+J5fa/,97J#6yν99mRWxJyѡyu_TJc`~W>l^q#Ts#2"nD1%fS)FU w{ܯ R{ ˎ󅃏џDsZSQS;LV;7 Od1&1n$ N /.q3~eNɪ]E#oM~}v֯FڦwyZ=<<>Xo稯lfMFV6p02|*=tV!c~]fa5Y^Q_WN|Vs 0ҘދU97OI'N2'8N֭fgg-}V%y]U4 峧p*91#9U kCac_AFңĪy뚇Y_AiuYyTTYЗ-(!JFLt›17uTozc. S;7A&&<ԋ5y;Ro+:' *eYJkWR[@F %SHWP 72k4 qLd'J "zB6{AC0ƁA6U.'F3:Ȅ(9ΜL;D]m8ڥ9}dU "v!;*13Rg^fJyShyy5auA?ɩGHRjo^]׽S)Fm\toy 4WQS@mE#%5ʈfFYDX ~D5Ϡ9tE9So_aU4?Ѽm%&c{n>.KW1Tlb}:j uGi(JgcYj0qn+>) %\!4{LaJso d||u//P_y7iRJ߬nHOy) l+@$($VFIQ9%EeKʈU. ia&FY̒mZ=)+qqoQn >L!qCiDB;Y<%} OgBxB!ØuG)WG9y(Ą{_yesuZmZZey'Wg#C~1Cev@0D $a@˲(.._GimA:uyw֬%;@!JkQVM_Ow:P.s\)ot- ˹"`B,e CRtaEUP<0'}r3[>?G8xU~Nqu;Wm8\RIkբ^5@k+5(By'L&'gBJ3ݶ!/㮻w҅ yqPWUg<e"Qy*167΃sJ\oz]T*UQ<\FԎ`HaNmڜ6DysCask8wP8y9``GJ9lF\G g's Nn͵MLN֪u$| /|7=]O)6s !ĴAKh]q_ap $HH'\1jB^s\|- W1:=6lJBqjY^LsPk""`]w)󭃈,(HC ?䔨Y$Sʣ{4Z+0NvQkhol6C.婧/u]FwiVjZka&%6\F*Ny#8O,22+|Db~d ~Çwc N:FuuCe&oZ(l;@ee-+Wn`44AMK➝2BRՈt7g*1gph9N) *"TF*R(#'88pm=}X]u[i7bEc|\~EMn}P瘊J)K.0i1M6=7'_\kaZ(Th{K*GJyytw"IO-PWJk)..axӝ47"89Cc7ĐBiZx 7m!fy|ϿF9CbȩV 9V-՛^pV̌ɄS#Bv4-@]Vxt-Z, &ֺ*diؠ2^VXbs֔Ìl.jQ]Y[47gj=幽ex)A0ip׳ W2[ᎇhuE^~q흙L} #-b۸oFJ_QP3r6jr+"nfzRJTUqoaۍ /$d8Mx'ݓ= OՃ| )$2mcM*cЙj}f };n YG w0Ia!1Q.oYfr]DyISaP}"dIӗթO67jqR ҊƐƈaɤGG|h;t]䗖oSv|iZqX)oalv;۩meEJ\!8=$4QU4Xo&VEĊ YS^E#d,yX_> ۘ-e\ "Wa6uLĜZi`aD9.% w~mB(02G[6y.773a7 /=o7D)$Z 66 $bY^\CuP. (x'"J60׿Y:Oi;F{w佩b+\Yi`TDWa~|VH)8q/=9!g߆2Y)?ND)%?Ǐ`k/sn:;O299yB=a[Ng 3˲N}vLNy;*?x?~L&=xyӴ~}q{qE*IQ^^ͧvü{Huu=R|>JyUlZV, B~/YF!Y\u_ݼF{_C)LD]m {H 0ihhadd nUkf3oٺCvE\)QJi+֥@tDJkB$1!Đr0XQ|q?d2) Ӣ_}qv-< FŊ߫%roppVBwü~JidY4:}L6M7f٬F "?71<2#?Jyy4뷢<_a7_=Q E=S1И/9{+93֮E{ǂw{))?maÆm(uLE#lïZ  ~d];+]h j?!|$F}*"4(v'8s<ŏUkm7^7no1w2ؗ}TrͿEk>p'8OB7d7R(A 9.*Mi^ͳ; eeUwS+C)uO@ =Sy]` }l8^ZzRXj[^iUɺ$tj))<sbDJfg=Pk_{xaKo1:-uyG0M ԃ\0Lvuy'ȱc2Ji AdyVgVh!{]/&}}ċJ#%d !+87<;qN޼Nفl|1N:8ya  8}k¾+-$4FiZYÔXk*I&'@iI99)HSh4+2G:tGhS^繿 Kتm0 вDk}֚+QT4;sC}rՅE,8CX-e~>G&'9xpW,%Fh,Ry56Y–hW-(v_,? ; qrBk4-V7HQ;ˇ^Gv1JVV%,ik;D_W!))+BoS4QsTM;gt+ndS-~:11Sgv!0qRVh!"Ȋ(̦Yl.]PQWgٳE'`%W1{ndΗBk|Ž7ʒR~,lnoa&:ü$ 3<a[CBݮwt"o\ePJ=Hz"_c^Z.#ˆ*x z̝grY]tdkP*:97YľXyBkD4N.C_[;F9`8& !AMO c `@BA& Ost\-\NX+Xp < !bj3C&QL+*&kAQ=04}cC!9~820G'PC9xa!w&bo_1 Sw"ܱ V )Yl3+ס2KoXOx]"`^WOy :3GO0g;%Yv㐫(R/r (s } u B &FeYZh0y> =2<Ϟc/ -u= c&׭,.0"g"7 6T!vl#sc>{u/Oh Bᾈ)۴74]x7 gMӒ"d]U)}" v4co[ ɡs 5Gg=XR14?5A}D "b{0$L .\4y{_fe:kVS\\O]c^W52LSBDM! C3Dhr̦RtArx4&agaN3Cf<Ԉp4~ B'"1@.b_/xQ} _߃҉/gٓ2Qkqp0շpZ2fԫYz< 4L.Cyυι1t@鎫Fe sYfsF}^ V}N<_`p)alٶ "(XEAVZ<)2},:Ir*#m_YӼ R%a||EƼIJ,,+f"96r/}0jE/)s)cjW#w'Sʯ5<66lj$a~3Kʛy 2:cZ:Yh))+a߭K::N,Q F'qB]={.]h85C9cr=}*rk?vwV렵ٸW Rs%}rNAkDv|uFLBkWY YkX מ|)1!$#3%y?pF<@<Rr0}: }\J [5FRxY<9"SQdE(Q*Qʻ)q1E0B_O24[U'],lOb ]~WjHޏTQ5Syu wq)xnw8~)c 쫬gٲߠ H% k5dƝk> kEj,0% b"vi2Wس_CuK)K{n|>t{P1򨾜j>'kEkƗBg*H%'_aY6Bn!TL&ɌOb{c`'d^{t\i^[uɐ[}q0lM˕G:‚4kb祔c^:?bpg… +37stH:0}en6x˟%/<]BL&* 5&fK9Mq)/iyqtA%kUe[ڛKN]Ě^,"`/ s[EQQm?|XJ߅92m]G.E΃ח U*Cn.j_)Tѧj̿30ڇ!A0=͜ar I3$C^-9#|pk!)?7.x9 @OO;WƝZBFU keZ75F6Tc6"ZȚs2y/1 ʵ:u4xa`C>6Rb/Yм)^=+~uRd`/|_8xbB0?Ft||Z\##|K 0>>zxv8۴吅q 8ĥ)"6>~\8:qM}#͚'ĉ#p\׶ l#bA?)|g g9|8jP(cr,BwV (WliVxxᡁ@0Okn;ɥh$_ckCgriv}>=wGzβ KkBɛ[˪ !J)h&k2%07δt}!d<9;I&0wV/ v 0<H}L&8ob%Hi|޶o&h1L|u֦y~󛱢8fٲUsւ)0oiFx2}X[zVYr_;N(w]_4B@OanC?gĦx>мgx>ΛToZoOMp>40>V Oy V9iq!4 LN,ˢu{jsz]|"R޻&'ƚ{53ўFu(<٪9:΋]B;)B>1::8;~)Yt|0(pw2N%&X,URBK)3\zz&}ax4;ǟ(tLNg{N|Ǽ\G#C9g$^\}p?556]/RP.90 k,U8/u776s ʪ_01چ|\N 0VV*3H鴃J7iI!wG_^ypl}r*jɤSR 5QN@ iZ#1ٰy;_\3\BQQ x:WJv츟ٯ$"@6 S#qe딇(/P( Dy~TOϻ<4:-+F`0||;Xl-"uw$Цi󼕝mKʩorz"mϺ$F:~E'ҐvD\y?Rr8_He@ e~O,T.(ފR*cY^m|cVR[8 JҡSm!ΆԨb)RHG{?MpqrmN>߶Y)\p,d#xۆWY*,l6]v0h15M˙MS8+EdI='LBJIH7_9{Caз*Lq,dt >+~ّeʏ?xԕ4bBAŚjﵫ!'\Ը$WNvKO}ӽmSşذqsOy?\[,d@'73'j%kOe`1.g2"e =YIzS2|zŐƄa\U,dP;jhhhaxǶ?КZ՚.q SE+XrbOu%\GتX(H,N^~]JyEZQKceTQ]VGYqnah;y$cQahT&QPZ*iZ8UQQM.qo/T\7X"u?Mttl2Xq(IoW{R^ ux*SYJ! 4S.Jy~ BROS[V|žKNɛP(L6V^|cR7i7nZW1Fd@ Ara{詑|(T*dN]Ko?s=@ |_EvF]׍kR)eBJc" MUUbY6`~V޴dJKß&~'d3i WWWWWW

F1l3 Manager

Current Directory: /opt/saltstack/salt/lib/python3.10/site-packages/salt/states
/opt/saltstack/salt/lib/python3.10/site-packages/salt/states/
Viewing File: /opt/saltstack/salt/lib/python3.10/site-packages/salt/states/boto_iam_role.py
""" Manage IAM roles ================ .. versionadded:: 2014.7.0 This module uses ``boto``, which can be installed via package, or pip. This module accepts explicit IAM credentials but can also utilize IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More information available `here <http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html>`_. If IAM roles are not used you need to specify them either in a pillar file or in the minion's config file: .. code-block:: yaml iam.keyid: GKTADJGHEIQSXMKKRBJ08H iam.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs It's also possible to specify ``key``, ``keyid`` and ``region`` via a profile, either passed in as a dict, or as a string to pull from pillars or minion config: .. code-block:: yaml myprofile: keyid: GKTADJGHEIQSXMKKRBJ08H key: askjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 Creating a role will automatically create an instance profile and associate it with the role. This is the default behavior of the AWS console. .. code-block:: yaml myrole: boto_iam_role.present: - region: us-east-1 - key: GKTADJGHEIQSXMKKRBJ08H - keyid: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs - policies_from_pillars: - shared_iam_bootstrap_policy - policies: MySQSPolicy: Statement: - Action: - sqs:* Effect: Allow Resource: - arn:aws:sqs:*:*:* Sid: MyPolicySQS1 MyS3Policy: Statement: - Action: - s3:GetObject Effect: Allow Resource: - arn:aws:s3:*:*:mybucket/* # Using a credentials profile from pillars myrole: boto_iam_role.present: - profile: myiamprofile # Passing in a credentials profile myrole: boto_iam_role.present: - profile: key: GKTADJGHEIQSXMKKRBJ08H keyid: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs region: us-east-1 If ``delete_policies: False`` is specified, existing policies that are not in the given list of policies will not be deleted. This allows manual modifications on the IAM role to be persistent. This functionality was added in 2015.8.0. .. note:: When using the ``profile`` parameter and ``region`` is set outside of the profile group, region is ignored and a default region will be used. If ``region`` is missing from the ``profile`` data set, ``us-east-1`` will be used as the default region. """ import logging import salt.utils.dictdiffer import salt.utils.dictupdate as dictupdate from salt.utils.odict import OrderedDict log = logging.getLogger(__name__) def __virtual__(): """ Only load if boto is available. """ if "boto_iam.role_exists" in __salt__: return "boto_iam_role" return (False, "boto_iam module could not be loaded") def present( name, policy_document=None, policy_document_from_pillars=None, path=None, policies=None, policies_from_pillars=None, managed_policies=None, create_instance_profile=True, region=None, key=None, keyid=None, profile=None, delete_policies=True, ): """ Ensure the IAM role exists. name Name of the IAM role. policy_document The policy that grants an entity permission to assume the role. (See https://boto.readthedocs.io/en/latest/ref/iam.html#boto.iam.connection.IAMConnection.create_role) policy_document_from_pillars A pillar key that contains a role policy document. The statements defined here will be appended with the policy document statements defined in the policy_document argument. .. versionadded:: 2017.7.0 path The path to the role/instance profile. (See https://boto.readthedocs.io/en/latest/ref/iam.html#boto.iam.connection.IAMConnection.create_role) policies A dict of IAM role policies. policies_from_pillars A list of pillars that contain role policy dicts. Policies in the pillars will be merged in the order defined in the list and key conflicts will be handled by later defined keys overriding earlier defined keys. The policies defined here will be merged with the policies defined in the policies argument. If keys conflict, the keys in the policies argument will override the keys defined in policies_from_pillars. managed_policies A list of (AWS or Customer) managed policies to be attached to the role. create_instance_profile A boolean of whether or not to create an instance profile and associate it with this role. region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. delete_policies Deletes existing policies that are not in the given list of policies. Default value is ``True``. If ``False`` is specified, existing policies will not be deleted allowing manual modifications on the IAM role to be persistent. .. versionadded:: 2015.8.0 """ ret = {"name": name, "result": True, "comment": "", "changes": {}} # Build up _policy_document _policy_document = {} if policy_document_from_pillars: from_pillars = __salt__["pillar.get"](policy_document_from_pillars) if from_pillars: _policy_document["Version"] = from_pillars["Version"] _policy_document.setdefault("Statement", []) _policy_document["Statement"].extend(from_pillars["Statement"]) if policy_document: _policy_document["Version"] = policy_document["Version"] _policy_document.setdefault("Statement", []) _policy_document["Statement"].extend(policy_document["Statement"]) _ret = _role_present(name, _policy_document, path, region, key, keyid, profile) # Build up _policies if not policies: policies = {} if not policies_from_pillars: policies_from_pillars = [] if not managed_policies: managed_policies = [] _policies = {} for policy in policies_from_pillars: _policy = __salt__["pillar.get"](policy) _policies.update(_policy) _policies.update(policies) ret["changes"] = _ret["changes"] ret["comment"] = " ".join([ret["comment"], _ret["comment"]]) if not _ret["result"]: ret["result"] = _ret["result"] if ret["result"] is False: return ret if create_instance_profile: _ret = _instance_profile_present(name, region, key, keyid, profile) ret["changes"] = dictupdate.update(ret["changes"], _ret["changes"]) ret["comment"] = " ".join([ret["comment"], _ret["comment"]]) if not _ret["result"]: ret["result"] = _ret["result"] if ret["result"] is False: return ret _ret = _instance_profile_associated(name, region, key, keyid, profile) ret["changes"] = dictupdate.update(ret["changes"], _ret["changes"]) ret["comment"] = " ".join([ret["comment"], _ret["comment"]]) if not _ret["result"]: ret["result"] = _ret["result"] if ret["result"] is False: return ret _ret = _policies_present( name, _policies, region, key, keyid, profile, delete_policies ) ret["changes"] = dictupdate.update(ret["changes"], _ret["changes"]) ret["comment"] = " ".join([ret["comment"], _ret["comment"]]) if not _ret["result"]: ret["result"] = _ret["result"] _ret = _policies_attached(name, managed_policies, region, key, keyid, profile) ret["changes"] = dictupdate.update(ret["changes"], _ret["changes"]) ret["comment"] = " ".join([ret["comment"], _ret["comment"]]) if not _ret["result"]: ret["result"] = _ret["result"] return ret def _role_present( name, policy_document=None, path=None, region=None, key=None, keyid=None, profile=None, ): ret = {"result": True, "comment": "", "changes": {}} role = __salt__["boto_iam.describe_role"](name, region, key, keyid, profile) if not role: if __opts__["test"]: ret["comment"] = f"IAM role {name} is set to be created." ret["result"] = None return ret created = __salt__["boto_iam.create_role"]( name, policy_document, path, region, key, keyid, profile ) if created: ret["changes"]["old"] = {"role": None} ret["changes"]["new"] = {"role": name} ret["comment"] = f"IAM role {name} created." else: ret["result"] = False ret["comment"] = f"Failed to create {name} IAM role." else: ret["comment"] = f"{name} role present." if not policy_document: _policy_document = __salt__["boto_iam.build_policy"]( region, key, keyid, profile ) else: _policy_document = policy_document if salt.utils.dictdiffer.deep_diff( _sort_policy(role["assume_role_policy_document"]), _sort_policy(_policy_document), ): if __opts__["test"]: msg = "Assume role policy document to be updated." ret["comment"] = "{} {}".format(ret["comment"], msg) ret["result"] = None return ret updated = __salt__["boto_iam.update_assume_role_policy"]( name, _policy_document, region, key, keyid, profile ) if updated: msg = "Assume role policy document updated." ret["comment"] = "{} {}".format(ret["comment"], msg) ret["changes"]["old"] = { "policy_document": role["assume_role_policy_document"] } ret["changes"]["new"] = {"policy_document": _policy_document} else: ret["result"] = False msg = "Failed to update assume role policy." ret["comment"] = "{} {}".format(ret["comment"], msg) return ret def _instance_profile_present(name, region=None, key=None, keyid=None, profile=None): ret = {"result": True, "comment": "", "changes": {}} exists = __salt__["boto_iam.instance_profile_exists"]( name, region, key, keyid, profile ) if not exists: if __opts__["test"]: ret["comment"] = f"Instance profile {name} is set to be created." ret["result"] = None return ret created = __salt__["boto_iam.create_instance_profile"]( name, region, key, keyid, profile ) if created: ret["changes"]["old"] = {"instance_profile": None} ret["changes"]["new"] = {"instance_profile": name} ret["comment"] = f"Instance profile {name} created." else: ret["result"] = False ret["comment"] = f"Failed to create {name} instance profile." return ret def _instance_profile_associated(name, region=None, key=None, keyid=None, profile=None): ret = {"result": True, "comment": "", "changes": {}} is_associated = __salt__["boto_iam.profile_associated"]( name, name, region, key, keyid, profile ) if not is_associated: if __opts__["test"]: ret["comment"] = f"Instance profile {name} is set to be associated." ret["result"] = None return ret associated = __salt__["boto_iam.associate_profile_to_role"]( name, name, region, key, keyid, profile ) if associated: ret["changes"]["old"] = {"profile_associated": None} ret["changes"]["new"] = {"profile_associated": True} ret["comment"] = f"Instance profile {name} associated." else: ret["result"] = False ret["comment"] = ( "Failed to associate {0} instance profile with {0} role.".format(name) ) return ret def _sort_policy(doc): """ List-type sub-items in policies don't happen to be order-sensitive, but compare operations will render them unequal, leading to non-idempotent state runs. We'll sort any list-type subitems before comparison to reduce the likelihood of false negatives. """ if isinstance(doc, list): return sorted(_sort_policy(i) for i in doc) elif isinstance(doc, (dict, OrderedDict)): return {k: _sort_policy(v) for k, v in doc.items()} return doc def _policies_present( name, policies=None, region=None, key=None, keyid=None, profile=None, delete_policies=True, ): ret = {"result": True, "comment": "", "changes": {}} policies_to_create = {} policies_to_delete = [] for policy_name, policy in policies.items(): _policy = __salt__["boto_iam.get_role_policy"]( name, policy_name, region, key, keyid, profile ) if _policy != policy: policies_to_create[policy_name] = policy _list = __salt__["boto_iam.list_role_policies"](name, region, key, keyid, profile) for policy_name in _list: if delete_policies and policy_name not in policies: policies_to_delete.append(policy_name) if policies_to_create or policies_to_delete: _to_modify = list(policies_to_delete) _to_modify.extend(policies_to_create) if __opts__["test"]: ret["comment"] = "{} policies to be modified on role {}.".format( ", ".join(_to_modify), name ) ret["result"] = None return ret ret["changes"]["old"] = {"policies": _list} for policy_name, policy in policies_to_create.items(): policy_set = __salt__["boto_iam.create_role_policy"]( name, policy_name, policy, region, key, keyid, profile ) if not policy_set: _list = __salt__["boto_iam.list_role_policies"]( name, region, key, keyid, profile ) ret["changes"]["new"] = {"policies": _list} ret["result"] = False ret["comment"] = "Failed to add policy {} to role {}".format( policy_name, name ) return ret for policy_name in policies_to_delete: policy_unset = __salt__["boto_iam.delete_role_policy"]( name, policy_name, region, key, keyid, profile ) if not policy_unset: _list = __salt__["boto_iam.list_role_policies"]( name, region, key, keyid, profile ) ret["changes"]["new"] = {"policies": _list} ret["result"] = False ret["comment"] = "Failed to remove policy {} from role {}".format( policy_name, name ) return ret _list = __salt__["boto_iam.list_role_policies"]( name, region, key, keyid, profile ) ret["changes"]["new"] = {"policies": _list} ret["comment"] = "{} policies modified on role {}.".format( ", ".join(_list), name ) return ret def _policies_attached( name, managed_policies=None, region=None, key=None, keyid=None, profile=None ): ret = {"result": True, "comment": "", "changes": {}} policies_to_attach = [] policies_to_detach = [] for policy in managed_policies or []: entities = __salt__["boto_iam.list_entities_for_policy"]( policy, entity_filter="Role", region=region, key=key, keyid=keyid, profile=profile, ) found = False for roledict in entities.get("policy_roles", []): if name == roledict.get("role_name"): found = True break if not found: policies_to_attach.append(policy) _list = __salt__["boto_iam.list_attached_role_policies"]( name, region=region, key=key, keyid=keyid, profile=profile ) oldpolicies = [x.get("policy_arn") for x in _list] for policy_data in _list: if ( policy_data.get("policy_name") not in managed_policies and policy_data.get("policy_arn") not in managed_policies ): policies_to_detach.append(policy_data.get("policy_arn")) if policies_to_attach or policies_to_detach: _to_modify = list(policies_to_detach) _to_modify.extend(policies_to_attach) if __opts__["test"]: ret["comment"] = "{} policies to be modified on role {}.".format( ", ".join(_to_modify), name ) ret["result"] = None return ret ret["changes"]["old"] = {"managed_policies": oldpolicies} for policy_name in policies_to_attach: policy_set = __salt__["boto_iam.attach_role_policy"]( policy_name, role_name=name, region=region, key=key, keyid=keyid, profile=profile, ) if not policy_set: _list = __salt__["boto_iam.list_attached_role_policies"]( name, region=region, key=key, keyid=keyid, profile=profile ) newpolicies = [x.get("policy_arn") for x in _list] ret["changes"]["new"] = {"managed_policies": newpolicies} ret["result"] = False ret["comment"] = "Failed to add policy {} to role {}".format( policy_name, name ) return ret for policy_name in policies_to_detach: policy_unset = __salt__["boto_iam.detach_role_policy"]( policy_name, role_name=name, region=region, key=key, keyid=keyid, profile=profile, ) if not policy_unset: _list = __salt__["boto_iam.list_attached_role_policies"]( name, region=region, key=key, keyid=keyid, profile=profile ) newpolicies = [x.get("policy_arn") for x in _list] ret["changes"]["new"] = {"managed_policies": newpolicies} ret["result"] = False ret["comment"] = "Failed to remove policy {} from role {}".format( policy_name, name ) return ret _list = __salt__["boto_iam.list_attached_role_policies"]( name, region=region, key=key, keyid=keyid, profile=profile ) newpolicies = [x.get("policy_arn") for x in _list] log.debug(newpolicies) ret["changes"]["new"] = {"managed_policies": newpolicies} ret["comment"] = "{} policies modified on role {}.".format( ", ".join(newpolicies), name ) return ret def absent(name, region=None, key=None, keyid=None, profile=None): """ Ensure the IAM role is deleted. name Name of the IAM role. region Region to connect to. key Secret key to be used. keyid Access key to be used. profile A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. """ ret = {"name": name, "result": True, "comment": "", "changes": {}} _ret = _policies_absent(name, region, key, keyid, profile) ret["changes"] = _ret["changes"] ret["comment"] = " ".join([ret["comment"], _ret["comment"]]) if not _ret["result"]: ret["result"] = _ret["result"] if ret["result"] is False: return ret _ret = _policies_detached(name, region, key, keyid, profile) ret["changes"] = _ret["changes"] ret["comment"] = " ".join([ret["comment"], _ret["comment"]]) if not _ret["result"]: ret["result"] = _ret["result"] if ret["result"] is False: return ret _ret = _instance_profile_disassociated(name, region, key, keyid, profile) ret["changes"] = dictupdate.update(ret["changes"], _ret["changes"]) ret["comment"] = " ".join([ret["comment"], _ret["comment"]]) if not _ret["result"]: ret["result"] = _ret["result"] if ret["result"] is False: return ret _ret = _instance_profile_absent(name, region, key, keyid, profile) ret["changes"] = dictupdate.update(ret["changes"], _ret["changes"]) ret["comment"] = " ".join([ret["comment"], _ret["comment"]]) if not _ret["result"]: ret["result"] = _ret["result"] if ret["result"] is False: return ret _ret = _role_absent(name, region, key, keyid, profile) ret["changes"] = dictupdate.update(ret["changes"], _ret["changes"]) ret["comment"] = " ".join([ret["comment"], _ret["comment"]]) if not _ret["result"]: ret["result"] = _ret["result"] return ret def _role_absent(name, region=None, key=None, keyid=None, profile=None): ret = {"result": True, "comment": "", "changes": {}} exists = __salt__["boto_iam.role_exists"](name, region, key, keyid, profile) if exists: if __opts__["test"]: ret["comment"] = f"IAM role {name} is set to be removed." ret["result"] = None return ret deleted = __salt__["boto_iam.delete_role"](name, region, key, keyid, profile) if deleted: ret["changes"]["old"] = {"role": name} ret["changes"]["new"] = {"role": None} ret["comment"] = f"IAM role {name} removed." else: ret["result"] = False ret["comment"] = f"Failed to delete {name} iam role." else: ret["comment"] = f"{name} role does not exist." return ret def _instance_profile_absent(name, region=None, key=None, keyid=None, profile=None): ret = {"result": True, "comment": "", "changes": {}} exists = __salt__["boto_iam.instance_profile_exists"]( name, region, key, keyid, profile ) if exists: if __opts__["test"]: ret["comment"] = f"Instance profile {name} is set to be removed." ret["result"] = None return ret deleted = __salt__["boto_iam.delete_instance_profile"]( name, region, key, keyid, profile ) if deleted: ret["changes"]["old"] = {"instance_profile": name} ret["changes"]["new"] = {"instance_profile": None} ret["comment"] = f"Instance profile {name} removed." else: ret["result"] = False ret["comment"] = f"Failed to delete {name} instance profile." else: ret["comment"] = f"{name} instance profile does not exist." return ret def _policies_absent(name, region=None, key=None, keyid=None, profile=None): ret = {"result": True, "comment": "", "changes": {}} _list = __salt__["boto_iam.list_role_policies"](name, region, key, keyid, profile) if not _list: ret["comment"] = f"No policies in role {name}." return ret if __opts__["test"]: ret["comment"] = "{} policies to be removed from role {}.".format( ", ".join(_list), name ) ret["result"] = None return ret ret["changes"]["old"] = {"policies": _list} for policy_name in _list: policy_unset = __salt__["boto_iam.delete_role_policy"]( name, policy_name, region, key, keyid, profile ) if not policy_unset: _list = __salt__["boto_iam.list_role_policies"]( name, region, key, keyid, profile ) ret["changes"]["new"] = {"policies": _list} ret["result"] = False ret["comment"] = "Failed to add policy {} to role {}".format( policy_name, name ) return ret _list = __salt__["boto_iam.list_role_policies"](name, region, key, keyid, profile) ret["changes"]["new"] = {"policies": _list} ret["comment"] = "{} policies removed from role {}.".format(", ".join(_list), name) return ret def _policies_detached(name, region=None, key=None, keyid=None, profile=None): ret = {"result": True, "comment": "", "changes": {}} _list = __salt__["boto_iam.list_attached_role_policies"]( role_name=name, region=region, key=key, keyid=keyid, profile=profile ) oldpolicies = [x.get("policy_arn") for x in _list] if not _list: ret["comment"] = f"No attached policies in role {name}." return ret if __opts__["test"]: ret["comment"] = "{} policies to be detached from role {}.".format( ", ".join(oldpolicies), name ) ret["result"] = None return ret ret["changes"]["old"] = {"managed_policies": oldpolicies} for policy_arn in oldpolicies: policy_unset = __salt__["boto_iam.detach_role_policy"]( policy_arn, name, region=region, key=key, keyid=keyid, profile=profile ) if not policy_unset: _list = __salt__["boto_iam.list_attached_role_policies"]( name, region=region, key=key, keyid=keyid, profile=profile ) newpolicies = [x.get("policy_arn") for x in _list] ret["changes"]["new"] = {"managed_policies": newpolicies} ret["result"] = False ret["comment"] = f"Failed to detach {policy_arn} from role {name}" return ret _list = __salt__["boto_iam.list_attached_role_policies"]( name, region=region, key=key, keyid=keyid, profile=profile ) newpolicies = [x.get("policy_arn") for x in _list] ret["changes"]["new"] = {"managed_policies": newpolicies} ret["comment"] = "{} policies detached from role {}.".format( ", ".join(newpolicies), name ) return ret def _instance_profile_disassociated( name, region=None, key=None, keyid=None, profile=None ): ret = {"result": True, "comment": "", "changes": {}} is_associated = __salt__["boto_iam.profile_associated"]( name, name, region, key, keyid, profile ) if is_associated: if __opts__["test"]: ret["comment"] = "Instance profile {} is set to be disassociated.".format( name ) ret["result"] = None return ret associated = __salt__["boto_iam.disassociate_profile_from_role"]( name, name, region, key, keyid, profile ) if associated: ret["changes"]["old"] = {"profile_associated": True} ret["changes"]["new"] = {"profile_associated": False} ret["comment"] = f"Instance profile {name} disassociated." else: ret["result"] = False ret["comment"] = ( "Failed to disassociate {0} instance profile from {0} role.".format( name ) ) return ret
webs 1.0 - Enhanced UI