golden hour
/opt/saltstack/salt/lib/python3.10/site-packages/salt/states
⬆️ Go Up
Upload
File/Folder
Size
Actions
__init__.py
25 B
Del
OK
__pycache__
-
Del
OK
acme.py
5.08 KB
Del
OK
alias.py
2.49 KB
Del
OK
alternatives.py
6.75 KB
Del
OK
ansiblegate.py
7.93 KB
Del
OK
apache.py
3.95 KB
Del
OK
apache_conf.py
2.72 KB
Del
OK
apache_module.py
2.73 KB
Del
OK
apache_site.py
2.66 KB
Del
OK
aptpkg.py
1.42 KB
Del
OK
archive.py
68.24 KB
Del
OK
artifactory.py
6.84 KB
Del
OK
at.py
7.48 KB
Del
OK
augeas.py
10.57 KB
Del
OK
aws_sqs.py
2.59 KB
Del
OK
azurearm_compute.py
11.78 KB
Del
OK
azurearm_dns.py
26.05 KB
Del
OK
azurearm_network.py
89.12 KB
Del
OK
azurearm_resource.py
28.23 KB
Del
OK
beacon.py
7.58 KB
Del
OK
bigip.py
96.63 KB
Del
OK
blockdev.py
5.13 KB
Del
OK
boto3_elasticache.py
48.01 KB
Del
OK
boto3_elasticsearch.py
32.58 KB
Del
OK
boto3_route53.py
37.54 KB
Del
OK
boto3_sns.py
12.69 KB
Del
OK
boto_apigateway.py
82.83 KB
Del
OK
boto_asg.py
31.93 KB
Del
OK
boto_cfn.py
11.53 KB
Del
OK
boto_cloudfront.py
6.01 KB
Del
OK
boto_cloudtrail.py
13.18 KB
Del
OK
boto_cloudwatch_alarm.py
6.4 KB
Del
OK
boto_cloudwatch_event.py
12.33 KB
Del
OK
boto_cognitoidentity.py
13.69 KB
Del
OK
boto_datapipeline.py
18.5 KB
Del
OK
boto_dynamodb.py
29.32 KB
Del
OK
boto_ec2.py
71.98 KB
Del
OK
boto_elasticache.py
16.75 KB
Del
OK
boto_elasticsearch_domain.py
12.27 KB
Del
OK
boto_elb.py
55.1 KB
Del
OK
boto_elbv2.py
12.19 KB
Del
OK
boto_iam.py
69.16 KB
Del
OK
boto_iam_role.py
27.12 KB
Del
OK
boto_iot.py
25.33 KB
Del
OK
boto_kinesis.py
16.69 KB
Del
OK
boto_kms.py
12.11 KB
Del
OK
boto_lambda.py
35.52 KB
Del
OK
boto_lc.py
11.04 KB
Del
OK
boto_rds.py
26 KB
Del
OK
boto_route53.py
19.49 KB
Del
OK
boto_s3.py
9.32 KB
Del
OK
boto_s3_bucket.py
24.67 KB
Del
OK
boto_secgroup.py
32.62 KB
Del
OK
boto_sns.py
8.92 KB
Del
OK
boto_sqs.py
7.97 KB
Del
OK
boto_vpc.py
62.23 KB
Del
OK
bower.py
8.26 KB
Del
OK
btrfs.py
10.34 KB
Del
OK
cabal.py
5.73 KB
Del
OK
ceph.py
1.9 KB
Del
OK
chef.py
3.76 KB
Del
OK
chocolatey.py
16.15 KB
Del
OK
chronos_job.py
4.6 KB
Del
OK
cimc.py
14.32 KB
Del
OK
cisconso.py
3.14 KB
Del
OK
cloud.py
14.4 KB
Del
OK
cmd.py
40.92 KB
Del
OK
composer.py
8.38 KB
Del
OK
consul.py
5.4 KB
Del
OK
cron.py
23.39 KB
Del
OK
cryptdev.py
6.17 KB
Del
OK
csf.py
9.98 KB
Del
OK
cyg.py
7.05 KB
Del
OK
ddns.py
4.2 KB
Del
OK
debconfmod.py
6.33 KB
Del
OK
dellchassis.py
24.49 KB
Del
OK
disk.py
6.49 KB
Del
OK
docker_container.py
85.27 KB
Del
OK
docker_image.py
16.7 KB
Del
OK
docker_network.py
36.78 KB
Del
OK
docker_volume.py
6.72 KB
Del
OK
drac.py
4.17 KB
Del
OK
dvs.py
26.29 KB
Del
OK
elasticsearch.py
20.38 KB
Del
OK
elasticsearch_index.py
3.25 KB
Del
OK
elasticsearch_index_template.py
3.67 KB
Del
OK
environ.py
5.81 KB
Del
OK
eselect.py
2.27 KB
Del
OK
esxcluster.py
22.4 KB
Del
OK
esxdatacenter.py
4.44 KB
Del
OK
esxi.py
63.07 KB
Del
OK
esxvm.py
20.11 KB
Del
OK
etcd_mod.py
11 KB
Del
OK
ethtool.py
9.88 KB
Del
OK
event.py
2.48 KB
Del
OK
file.py
316.7 KB
Del
OK
firewall.py
1.33 KB
Del
OK
firewalld.py
26.08 KB
Del
OK
gem.py
7.13 KB
Del
OK
git.py
123.85 KB
Del
OK
github.py
27.25 KB
Del
OK
glance_image.py
2.26 KB
Del
OK
glassfish.py
21.47 KB
Del
OK
glusterfs.py
12.21 KB
Del
OK
gnomedesktop.py
7.47 KB
Del
OK
gpg.py
5.28 KB
Del
OK
grafana.py
12.11 KB
Del
OK
grafana4_dashboard.py
17.31 KB
Del
OK
grafana4_datasource.py
6.15 KB
Del
OK
grafana4_org.py
7.73 KB
Del
OK
grafana4_user.py
5.52 KB
Del
OK
grafana_dashboard.py
17.74 KB
Del
OK
grafana_datasource.py
5.31 KB
Del
OK
grains.py
15.57 KB
Del
OK
group.py
9.84 KB
Del
OK
heat.py
9.69 KB
Del
OK
helm.py
10.39 KB
Del
OK
hg.py
6.33 KB
Del
OK
highstate_doc.py
1.41 KB
Del
OK
host.py
8.64 KB
Del
OK
http.py
7.46 KB
Del
OK
icinga2.py
9.07 KB
Del
OK
idem.py
3.91 KB
Del
OK
ifttt.py
2.12 KB
Del
OK
incron.py
5.71 KB
Del
OK
influxdb08_database.py
2.85 KB
Del
OK
influxdb08_user.py
3.39 KB
Del
OK
influxdb_continuous_query.py
2.83 KB
Del
OK
influxdb_database.py
2.11 KB
Del
OK
influxdb_retention_policy.py
4.82 KB
Del
OK
influxdb_user.py
4.84 KB
Del
OK
infoblox_a.py
4.24 KB
Del
OK
infoblox_cname.py
4.19 KB
Del
OK
infoblox_host_record.py
6.59 KB
Del
OK
infoblox_range.py
6.85 KB
Del
OK
ini_manage.py
12.67 KB
Del
OK
ipmi.py
8.42 KB
Del
OK
ipset.py
9.66 KB
Del
OK
iptables.py
27.65 KB
Del
OK
jboss7.py
23.95 KB
Del
OK
jenkins.py
3.36 KB
Del
OK
junos.py
17.78 KB
Del
OK
kapacitor.py
6.46 KB
Del
OK
kernelpkg.py
6.42 KB
Del
OK
keyboard.py
2.01 KB
Del
OK
keystone.py
27.12 KB
Del
OK
keystone_domain.py
2.81 KB
Del
OK
keystone_endpoint.py
4.69 KB
Del
OK
keystone_group.py
3.25 KB
Del
OK
keystone_project.py
3.36 KB
Del
OK
keystone_role.py
2.33 KB
Del
OK
keystone_role_grant.py
4.08 KB
Del
OK
keystone_service.py
2.89 KB
Del
OK
keystone_user.py
3.47 KB
Del
OK
keystore.py
5.67 KB
Del
OK
kmod.py
8.59 KB
Del
OK
kubernetes.py
24.87 KB
Del
OK
layman.py
2.44 KB
Del
OK
ldap.py
19.78 KB
Del
OK
libcloud_dns.py
5.7 KB
Del
OK
libcloud_loadbalancer.py
5.66 KB
Del
OK
libcloud_storage.py
5.13 KB
Del
OK
linux_acl.py
24.42 KB
Del
OK
locale.py
2.52 KB
Del
OK
logadm.py
4.67 KB
Del
OK
logrotate.py
3.86 KB
Del
OK
loop.py
7.74 KB
Del
OK
lvm.py
13.33 KB
Del
OK
lvs_server.py
6.28 KB
Del
OK
lvs_service.py
4.38 KB
Del
OK
lxc.py
22.17 KB
Del
OK
lxd.py
7.88 KB
Del
OK
lxd_container.py
22.25 KB
Del
OK
lxd_image.py
10.59 KB
Del
OK
lxd_profile.py
7.11 KB
Del
OK
mac_assistive.py
1.55 KB
Del
OK
mac_keychain.py
5.59 KB
Del
OK
mac_xattr.py
3.15 KB
Del
OK
macdefaults.py
2.65 KB
Del
OK
macpackage.py
6.76 KB
Del
OK
makeconf.py
6.87 KB
Del
OK
marathon_app.py
4.45 KB
Del
OK
mdadm_raid.py
6.41 KB
Del
OK
memcached.py
3.95 KB
Del
OK
modjk.py
2.84 KB
Del
OK
modjk_worker.py
6.49 KB
Del
OK
module.py
18.64 KB
Del
OK
mongodb_database.py
1.65 KB
Del
OK
mongodb_user.py
6.26 KB
Del
OK
monit.py
2.68 KB
Del
OK
mount.py
50.32 KB
Del
OK
mssql_database.py
3 KB
Del
OK
mssql_login.py
3.64 KB
Del
OK
mssql_role.py
2.37 KB
Del
OK
mssql_user.py
3.51 KB
Del
OK
msteams.py
2.53 KB
Del
OK
mysql_database.py
6.05 KB
Del
OK
mysql_grants.py
8.49 KB
Del
OK
mysql_query.py
13.07 KB
Del
OK
mysql_user.py
9.51 KB
Del
OK
net_napalm_yang.py
9.15 KB
Del
OK
netacl.py
31.92 KB
Del
OK
netconfig.py
33.42 KB
Del
OK
netntp.py
12.51 KB
Del
OK
netsnmp.py
11.33 KB
Del
OK
netusers.py
16.1 KB
Del
OK
network.py
23.97 KB
Del
OK
neutron_network.py
3.96 KB
Del
OK
neutron_secgroup.py
4 KB
Del
OK
neutron_secgroup_rule.py
4.75 KB
Del
OK
neutron_subnet.py
4.29 KB
Del
OK
nexus.py
4.97 KB
Del
OK
nfs_export.py
4.92 KB
Del
OK
nftables.py
19.5 KB
Del
OK
npm.py
11.21 KB
Del
OK
ntp.py
2.12 KB
Del
OK
nxos.py
10.37 KB
Del
OK
nxos_upgrade.py
3.5 KB
Del
OK
openstack_config.py
3.26 KB
Del
OK
openvswitch_bridge.py
4.36 KB
Del
OK
openvswitch_db.py
2.24 KB
Del
OK
openvswitch_port.py
17.24 KB
Del
OK
opsgenie.py
4.07 KB
Del
OK
pagerduty.py
1.89 KB
Del
OK
pagerduty_escalation_policy.py
5.42 KB
Del
OK
pagerduty_schedule.py
6.09 KB
Del
OK
pagerduty_service.py
3.93 KB
Del
OK
pagerduty_user.py
1.18 KB
Del
OK
panos.py
48.13 KB
Del
OK
pbm.py
20.46 KB
Del
OK
pcs.py
36.46 KB
Del
OK
pdbedit.py
3.43 KB
Del
OK
pecl.py
3.65 KB
Del
OK
pip_state.py
38.55 KB
Del
OK
pkg.py
138.08 KB
Del
OK
pkgbuild.py
11.37 KB
Del
OK
pkgng.py
685 B
Del
OK
pkgrepo.py
27.53 KB
Del
OK
portage_config.py
5.01 KB
Del
OK
ports.py
5.65 KB
Del
OK
postgres_cluster.py
4.19 KB
Del
OK
postgres_database.py
6.08 KB
Del
OK
postgres_extension.py
5.68 KB
Del
OK
postgres_group.py
8.52 KB
Del
OK
postgres_initdb.py
2.84 KB
Del
OK
postgres_language.py
3.94 KB
Del
OK
postgres_privileges.py
7.86 KB
Del
OK
postgres_schema.py
4.34 KB
Del
OK
postgres_tablespace.py
6.62 KB
Del
OK
postgres_user.py
9.49 KB
Del
OK
powerpath.py
2.34 KB
Del
OK
probes.py
15.06 KB
Del
OK
process.py
1.32 KB
Del
OK
proxy.py
4.94 KB
Del
OK
pushover.py
3.13 KB
Del
OK
pyenv.py
6.07 KB
Del
OK
pyrax_queues.py
2.97 KB
Del
OK
quota.py
1.4 KB
Del
OK
rabbitmq_cluster.py
1.84 KB
Del
OK
rabbitmq_plugin.py
2.77 KB
Del
OK
rabbitmq_policy.py
4.59 KB
Del
OK
rabbitmq_upstream.py
7.9 KB
Del
OK
rabbitmq_user.py
8.89 KB
Del
OK
rabbitmq_vhost.py
3.04 KB
Del
OK
rbac_solaris.py
6.67 KB
Del
OK
rbenv.py
7.36 KB
Del
OK
rdp.py
1.28 KB
Del
OK
redismod.py
4.76 KB
Del
OK
reg.py
19.22 KB
Del
OK
restconf.py
6.41 KB
Del
OK
rsync.py
4.45 KB
Del
OK
rvm.py
6.56 KB
Del
OK
salt_proxy.py
1.34 KB
Del
OK
saltmod.py
33.12 KB
Del
OK
saltutil.py
8.91 KB
Del
OK
schedule.py
12.47 KB
Del
OK
selinux.py
18.61 KB
Del
OK
serverdensity_device.py
6.41 KB
Del
OK
service.py
37.89 KB
Del
OK
slack.py
4.98 KB
Del
OK
smartos.py
44.83 KB
Del
OK
smtp.py
2.3 KB
Del
OK
snapper.py
7.24 KB
Del
OK
solrcloud.py
4.48 KB
Del
OK
splunk.py
4.32 KB
Del
OK
splunk_search.py
3.17 KB
Del
OK
sqlite3.py
14.7 KB
Del
OK
ssh_auth.py
19.57 KB
Del
OK
ssh_known_hosts.py
7.92 KB
Del
OK
stateconf.py
494 B
Del
OK
status.py
2.21 KB
Del
OK
statuspage.py
17.29 KB
Del
OK
supervisord.py
10.48 KB
Del
OK
svn.py
8.14 KB
Del
OK
sysctl.py
4.11 KB
Del
OK
sysfs.py
2.13 KB
Del
OK
syslog_ng.py
2.97 KB
Del
OK
sysrc.py
2.82 KB
Del
OK
telemetry_alert.py
7.04 KB
Del
OK
test.py
13.09 KB
Del
OK
testinframod.py
1.35 KB
Del
OK
timezone.py
3.42 KB
Del
OK
tls.py
1.81 KB
Del
OK
tomcat.py
9.72 KB
Del
OK
trafficserver.py
8.82 KB
Del
OK
tuned.py
3.32 KB
Del
OK
uptime.py
1.87 KB
Del
OK
user.py
38.63 KB
Del
OK
vagrant.py
11.4 KB
Del
OK
vault.py
3.28 KB
Del
OK
vbox_guest.py
4.05 KB
Del
OK
victorops.py
3.32 KB
Del
OK
virt.py
80.41 KB
Del
OK
virtualenv_mod.py
11.21 KB
Del
OK
webutil.py
3.89 KB
Del
OK
win_certutil.py
4.8 KB
Del
OK
win_dacl.py
7.96 KB
Del
OK
win_dism.py
14.97 KB
Del
OK
win_dns_client.py
8.32 KB
Del
OK
win_firewall.py
6.87 KB
Del
OK
win_iis.py
31.56 KB
Del
OK
win_lgpo.py
24.99 KB
Del
OK
win_lgpo_reg.py
10.96 KB
Del
OK
win_license.py
1.6 KB
Del
OK
win_network.py
14.18 KB
Del
OK
win_path.py
6.39 KB
Del
OK
win_pki.py
5.56 KB
Del
OK
win_powercfg.py
3.79 KB
Del
OK
win_servermanager.py
10.4 KB
Del
OK
win_shortcut.py
7.81 KB
Del
OK
win_smtp_server.py
10.01 KB
Del
OK
win_snmp.py
6.64 KB
Del
OK
win_system.py
13.78 KB
Del
OK
win_wua.py
16.27 KB
Del
OK
win_wusa.py
3.53 KB
Del
OK
winrepo.py
2.74 KB
Del
OK
wordpress.py
4.82 KB
Del
OK
x509.py
27.86 KB
Del
OK
x509_v2.py
64.78 KB
Del
OK
xml.py
1.75 KB
Del
OK
xmpp.py
2.61 KB
Del
OK
zabbix_action.py
9.35 KB
Del
OK
zabbix_host.py
27.25 KB
Del
OK
zabbix_hostgroup.py
5.64 KB
Del
OK
zabbix_mediatype.py
16.89 KB
Del
OK
zabbix_template.py
35.14 KB
Del
OK
zabbix_user.py
17.6 KB
Del
OK
zabbix_usergroup.py
9.64 KB
Del
OK
zabbix_usermacro.py
9.69 KB
Del
OK
zabbix_valuemap.py
8.11 KB
Del
OK
zcbuildout.py
5.16 KB
Del
OK
zenoss.py
2.89 KB
Del
OK
zfs.py
34.48 KB
Del
OK
zk_concurrency.py
5.81 KB
Del
OK
zone.py
46.48 KB
Del
OK
zookeeper.py
11.55 KB
Del
OK
zpool.py
13.4 KB
Del
OK
Edit: boto_iam.py
""" Manage IAM objects ================== .. versionadded:: 2015.8.0 This module uses ``boto``, which can be installed via package, or pip. This module accepts explicit IAM credentials but can also utilize IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More information available `here <http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html>`_. It's also possible to specify ``key``, ``keyid`` and ``region`` via a profile, either passed in as a dict, or as a string to pull from pillars or minion config: .. code-block:: yaml delete-user: boto_iam.user_absent: - name: myuser - delete_keys: true .. code-block:: yaml delete-keys: boto_iam.keys_absent: - access_keys: - 'AKIAJHTMIQ2ASDFLASDF' - 'PQIAJHTMIQ2ASRTLASFR' - user_name: myuser .. code-block:: yaml create-user: boto_iam.user_present: - name: myuser - policies: mypolicy: | { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "*", "Resource": "*"}] } - password: NewPassword$$1 - region: eu-west-1 - keyid: 'AKIAJHTMIQ2ASDFLASDF' - key: 'fdkjsafkljsASSADFalkfjasdf' .. code-block:: yaml create-group: boto_iam.group_present: - name: mygroup - users: - myuser - myuser1 - policies: mypolicy: | { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "*", "Resource": "*"}] } - region: eu-west-1 - keyid: 'AKIAJHTMIQ2ASDFLASDF' - key: 'safsdfsal;fdkjsafkljsASSADFalkfj' .. code-block:: yaml change-policy: boto_iam.account_policy: - change_password: True - region: eu-west-1 - keyid: 'AKIAJHTMIQ2ASDFLASDF' - key: 'safsdfsal;fdkjsafkljsASSADFalkfj' .. code-block:: yaml create server certificate: boto_iam.server_cert_present: - name: mycert - public_key: salt://base/mycert.crt - private_key: salt://base/mycert.key - cert_chain: salt://base/mycert_chain.crt - region: eu-west-1 - keyid: 'AKIAJHTMIQ2ASDFLASDF' - key: 'fdkjsafkljsASSADFalkfjasdf' .. code-block:: yaml delete server certificate: boto_iam.server_cert_absent: - name: mycert .. code-block:: yaml create keys for user: boto_iam.keys_present: - name: myusername - number: 2 - save_dir: /root - region: eu-west-1 - keyid: 'AKIAJHTMIQ2ASDFLASDF' - key: 'fdkjsafkljsASSADFalkfjasdf' .. code-block:: yaml create policy: boto_iam.policy_present: - name: myname - policy_document: '{"MyPolicy": "Statement": [{"Action": ["sqs:*"], "Effect": "Allow", "Resource": ["arn:aws:sqs:*:*:*"], "Sid": "MyPolicySqs1"}]}' - region: eu-west-1 - keyid: 'AKIAJHTMIQ2ASDFLASDF' - key: 'fdkjsafkljsASSADFalkfjasdf' .. code-block:: yaml add-saml-provider: boto_iam.saml_provider_present: - name: my_saml_provider - saml_metadata_document: salt://base/files/provider.xml - keyid: 'AKIAJHTMIQ2ASDFLASDF' - key: 'safsdfsal;fdkjsafkljsASSADFalkfj' """ import logging import os import xml.etree.ElementTree as ET import salt.utils.data import salt.utils.dictupdate as dictupdate import salt.utils.files import salt.utils.json import salt.utils.odict as odict import salt.utils.stringutils log = logging.getLogger(__name__) __virtualname__ = "boto_iam" def __virtual__(): """ Only load if elementtree xml library and boto are available. """ if "boto_iam.get_user" in __salt__: return True else: return ( False, "Cannot load {} state: boto_iam module unavailable".format(__virtualname__), ) def user_absent( name, delete_keys=True, delete_mfa_devices=True, delete_profile=True, region=None, key=None, keyid=None, profile=None, ): """ .. versionadded:: 2015.8.0 Ensure the IAM user is absent. User cannot be deleted if it has keys. name (string) The name of the new user. delete_keys (bool) Delete all keys from user. delete_mfa_devices (bool) Delete all mfa devices from user. .. versionadded:: 2016.3.0 delete_profile (bool) Delete profile from user. .. versionadded:: 2016.3.0 region (string) Region to connect to. key (string) Secret key to be used. keyid (string) Access key to be used. profile (dict) A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. """ ret = {"name": name, "result": True, "comment": "", "changes": {}} if not __salt__["boto_iam.get_user"](name, region, key, keyid, profile): ret["result"] = True ret["comment"] = "IAM User {} does not exist.".format(name) return ret # delete the user's access keys if delete_keys: keys = __salt__["boto_iam.get_all_access_keys"]( user_name=name, region=region, key=key, keyid=keyid, profile=profile ) log.debug("Keys for user %s are %s.", name, keys) if isinstance(keys, dict): keys = keys["list_access_keys_response"]["list_access_keys_result"][ "access_key_metadata" ] for k in keys: if __opts__["test"]: ret["comment"] = " ".join( [ ret["comment"], "Key {} is set to be deleted.".format(k["access_key_id"]), ] ) ret["result"] = None else: if _delete_key( ret, k["access_key_id"], name, region, key, keyid, profile ): ret["comment"] = " ".join( [ ret["comment"], "Key {} has been deleted.".format(k["access_key_id"]), ] ) ret["changes"][k["access_key_id"]] = "deleted" # delete the user's MFA tokens if delete_mfa_devices: devices = __salt__["boto_iam.get_all_mfa_devices"]( user_name=name, region=region, key=key, keyid=keyid, profile=profile ) if devices: for d in devices: serial = d["serial_number"] if __opts__["test"]: ret["comment"] = " ".join( [ ret["comment"], "IAM user {} MFA device {} is set to be deactivated.".format( name, serial ), ] ) ret["result"] = None else: mfa_deactivated = __salt__["boto_iam.deactivate_mfa_device"]( user_name=name, serial=serial, region=region, key=key, keyid=keyid, profile=profile, ) if mfa_deactivated: ret["comment"] = " ".join( [ ret["comment"], "IAM user {} MFA device {} is deactivated.".format( name, serial ), ] ) if __opts__["test"]: ret["comment"] = " ".join( [ ret["comment"], "Virtual MFA device {} is set to be deleted.".format( serial ), ] ) ret["result"] = None else: mfa_deleted = __salt__["boto_iam.delete_virtual_mfa_device"]( serial=serial, region=region, key=key, keyid=keyid, profile=profile, ) if mfa_deleted: ret["comment"] = " ".join( [ ret["comment"], "Virtual MFA device {} is deleted.".format(serial), ] ) # delete the user's login profile if delete_profile: if __opts__["test"]: ret["comment"] = " ".join( [ ret["comment"], "IAM user {} login profile is set to be deleted.".format(name), ] ) ret["result"] = None else: profile_deleted = __salt__["boto_iam.delete_login_profile"]( name, region, key, keyid, profile ) if profile_deleted: ret["comment"] = " ".join( [ ret["comment"], "IAM user {} login profile is deleted.".format(name), ] ) if __opts__["test"]: ret["comment"] = " ".join( [ ret["comment"], "IAM user {} managed policies are set to be detached.".format(name), ] ) ret["result"] = None else: _ret = _user_policies_detached(name, region, key, keyid, profile) ret["comment"] = " ".join([ret["comment"], _ret["comment"]]) if not _ret["result"]: ret["result"] = _ret["result"] if ret["result"] is False: return ret if __opts__["test"]: ret["comment"] = " ".join( [ ret["comment"], "IAM user {} inline policies are set to be deleted.".format(name), ] ) ret["result"] = None else: _ret = _user_policies_deleted(name, region, key, keyid, profile) ret["comment"] = " ".join([ret["comment"], _ret["comment"]]) if not _ret["result"]: ret["result"] = _ret["result"] if ret["result"] is False: return ret # finally, actually delete the user if __opts__["test"]: ret["comment"] = " ".join( [ret["comment"], "IAM user {} is set to be deleted.".format(name)] ) ret["result"] = None return ret deleted = __salt__["boto_iam.delete_user"](name, region, key, keyid, profile) if deleted is True: ret["comment"] = " ".join( [ret["comment"], "IAM user {} is deleted.".format(name)] ) ret["result"] = True ret["changes"]["deleted"] = name return ret ret["comment"] = "IAM user {} could not be deleted.\n {}".format(name, deleted) ret["result"] = False return ret def keys_present( name, number, save_dir, region=None, key=None, keyid=None, profile=None, save_format="{2}\n{0}\n{3}\n{1}\n", ): """ .. versionadded:: 2015.8.0 Ensure the IAM access keys are present. name (string) The name of the new user. number (int) Number of keys that user should have. save_dir (string) The directory that the key/keys will be saved. Keys are saved to a file named according to the username privided. region (string) Region to connect to. key (string) Secret key to be used. keyid (string) Access key to be used. profile (dict) A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. save_format (dict) Save format is repeated for each key. Default format is "{2}\\n{0}\\n{3}\\n{1}\\n", where {0} and {1} are placeholders for new key_id and key respectively, whereas {2} and {3} are "key_id-{number}" and 'key-{number}' strings kept for compatibility. """ ret = {"name": name, "result": True, "comment": "", "changes": {}} if not __salt__["boto_iam.get_user"](name, region, key, keyid, profile): ret["result"] = False ret["comment"] = "IAM User {} does not exist.".format(name) return ret if not isinstance(number, int): ret["comment"] = "The number of keys must be an integer." ret["result"] = False return ret if not os.path.isdir(save_dir): ret["comment"] = "The directory {} does not exist.".format(save_dir) ret["result"] = False return ret keys = __salt__["boto_iam.get_all_access_keys"]( user_name=name, region=region, key=key, keyid=keyid, profile=profile ) if isinstance(keys, str): log.debug("keys are : false %s", keys) error, message = _get_error(keys) ret["comment"] = "Could not get keys.\n{}\n{}".format(error, message) ret["result"] = False return ret keys = keys["list_access_keys_response"]["list_access_keys_result"][ "access_key_metadata" ] log.debug("Keys are : %s.", keys) if len(keys) >= number: ret["comment"] = "The number of keys exist for user {}".format(name) ret["result"] = True return ret if __opts__["test"]: ret["comment"] = "Access key is set to be created for {}.".format(name) ret["result"] = None return ret new_keys = {} for i in range(number - len(keys)): created = __salt__["boto_iam.create_access_key"]( name, region, key, keyid, profile ) if isinstance(created, str): error, message = _get_error(created) ret["comment"] = "Could not create keys.\n{}\n{}".format(error, message) ret["result"] = False return ret log.debug("Created is : %s", created) response = "create_access_key_response" result = "create_access_key_result" new_keys[str(i)] = {} new_keys[str(i)]["key_id"] = created[response][result]["access_key"][ "access_key_id" ] new_keys[str(i)]["secret_key"] = created[response][result]["access_key"][ "secret_access_key" ] try: with salt.utils.files.fopen("{}/{}".format(save_dir, name), "a") as _wrf: for key_num, key in new_keys.items(): key_id = key["key_id"] secret_key = key["secret_key"] _wrf.write( salt.utils.stringutils.to_str( save_format.format( key_id, secret_key, "key_id-{}".format(key_num), "key-{}".format(key_num), ) ) ) ret["comment"] = "Keys have been written to file {}/{}.".format(save_dir, name) ret["result"] = True ret["changes"] = new_keys return ret except OSError: ret["comment"] = "Could not write to file {}/{}.".format(save_dir, name) ret["result"] = False return ret def keys_absent( access_keys, user_name, region=None, key=None, keyid=None, profile=None ): """ .. versionadded:: 2015.8.0 Ensure the IAM user access_key_id is absent. access_key_id (list) A list of access key ids user_name (string) The username of the user region (string) Region to connect to. key (string) Secret key to be used. keyid (string) Access key to be used. profile (dict) A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. """ ret = {"name": access_keys, "result": True, "comment": "", "changes": {}} if not __salt__["boto_iam.get_user"](user_name, region, key, keyid, profile): ret["result"] = False ret["comment"] = "IAM User {} does not exist.".format(user_name) return ret for k in access_keys: ret = _delete_key(ret, k, user_name, region, key, keyid, profile) return ret def _delete_key( ret, access_key_id, user_name, region=None, key=None, keyid=None, profile=None ): keys = __salt__["boto_iam.get_all_access_keys"]( user_name=user_name, region=region, key=key, keyid=keyid, profile=profile ) log.debug("Keys for user %s are : %s.", keys, user_name) if isinstance(keys, str): log.debug("Keys %s are a string. Something went wrong.", keys) ret["comment"] = " ".join( [ret["comment"], "Key {} could not be deleted.".format(access_key_id)] ) return ret keys = keys["list_access_keys_response"]["list_access_keys_result"][ "access_key_metadata" ] for k in keys: log.debug( "Key is: %s and is compared with: %s", k["access_key_id"], access_key_id ) if str(k["access_key_id"]) == str(access_key_id): if __opts__["test"]: ret["comment"] = "Access key {} is set to be deleted.".format( access_key_id ) ret["result"] = None return ret deleted = __salt__["boto_iam.delete_access_key"]( access_key_id, user_name, region, key, keyid, profile ) if deleted: ret["comment"] = " ".join( [ret["comment"], "Key {} has been deleted.".format(access_key_id)] ) ret["changes"][access_key_id] = "deleted" return ret ret["comment"] = " ".join( [ret["comment"], "Key {} could not be deleted.".format(access_key_id)] ) return ret ret["comment"] = " ".join([ret["comment"], "Key {} does not exist.".format(k)]) return ret def user_present( name, policies=None, policies_from_pillars=None, managed_policies=None, password=None, path=None, region=None, key=None, keyid=None, profile=None, ): """ .. versionadded:: 2015.8.0 Ensure the IAM user is present name (string) The name of the new user. policies (dict) A dict of IAM group policy documents. policies_from_pillars (list) A list of pillars that contain role policy dicts. Policies in the pillars will be merged in the order defined in the list and key conflicts will be handled by later defined keys overriding earlier defined keys. The policies defined here will be merged with the policies defined in the policies argument. If keys conflict, the keys in the policies argument will override the keys defined in policies_from_pillars. managed_policies (list) A list of managed policy names or ARNs that should be attached to this user. password (string) The password for the new user. Must comply with account policy. path (string) The path of the user. Default is '/'. .. versionadded:: 2015.8.2 region (string) Region to connect to. key (string) Secret key to be used. keyid (string) Access key to be used. profile (dict) A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. """ ret = {"name": name, "result": True, "comment": "", "changes": {}} if not policies: policies = {} if not policies_from_pillars: policies_from_pillars = [] if not managed_policies: managed_policies = [] _policies = {} for policy in policies_from_pillars: _policy = __salt__["pillar.get"](policy) _policies.update(_policy) _policies.update(policies) exists = __salt__["boto_iam.get_user"](name, region, key, keyid, profile) if not exists: if __opts__["test"]: ret["comment"] = "IAM user {} is set to be created.".format(name) ret["result"] = None return ret created = __salt__["boto_iam.create_user"]( name, path, region, key, keyid, profile ) if created: ret["changes"]["user"] = created ret["comment"] = " ".join( [ret["comment"], "User {} has been created.".format(name)] ) if password: ret = _case_password(ret, name, password, region, key, keyid, profile) _ret = _user_policies_present(name, _policies, region, key, keyid, profile) ret["changes"] = dictupdate.update(ret["changes"], _ret["changes"]) ret["comment"] = " ".join([ret["comment"], _ret["comment"]]) else: ret["comment"] = " ".join([ret["comment"], "User {} is present.".format(name)]) if password: ret = _case_password(ret, name, password, region, key, keyid, profile) _ret = _user_policies_present(name, _policies, region, key, keyid, profile) ret["changes"] = dictupdate.update(ret["changes"], _ret["changes"]) ret["comment"] = " ".join([ret["comment"], _ret["comment"]]) _ret = _user_policies_attached(name, managed_policies, region, key, keyid, profile) ret["changes"] = dictupdate.update(ret["changes"], _ret["changes"]) ret["comment"] = " ".join([ret["comment"], _ret["comment"]]) if not _ret["result"]: ret["result"] = _ret["result"] return ret return ret def _user_policies_present( name, policies=None, region=None, key=None, keyid=None, profile=None ): ret = {"result": True, "comment": "", "changes": {}} policies_to_create = {} policies_to_delete = [] for policy_name, policy in policies.items(): if isinstance(policy, str): dict_policy = salt.utils.json.loads( policy, object_pairs_hook=odict.OrderedDict ) else: dict_policy = policy _policy = __salt__["boto_iam.get_user_policy"]( name, policy_name, region, key, keyid, profile ) if _policy != dict_policy: log.debug("Policy mismatch:\n%s\n%s", _policy, dict_policy) policies_to_create[policy_name] = policy _list = __salt__["boto_iam.get_all_user_policies"]( user_name=name, region=region, key=key, keyid=keyid, profile=profile ) for policy_name in _list: if policy_name not in policies: policies_to_delete.append(policy_name) if policies_to_create or policies_to_delete: _to_modify = list(policies_to_delete) _to_modify.extend(policies_to_create) if __opts__["test"]: ret["comment"] = "{} policies to be modified on user {}.".format( ", ".join(_to_modify), name ) ret["result"] = None return ret ret["changes"]["old"] = {"policies": _list} for policy_name, policy in policies_to_create.items(): policy_set = __salt__["boto_iam.put_user_policy"]( name, policy_name, policy, region, key, keyid, profile ) if not policy_set: _list = __salt__["boto_iam.get_all_user_policies"]( user_name=name, region=region, key=key, keyid=keyid, profile=profile ) ret["changes"]["new"] = {"policies": _list} ret["result"] = False ret["comment"] = "Failed to add policy {} for user {}".format( policy_name, name ) return ret for policy_name in policies_to_delete: policy_unset = __salt__["boto_iam.delete_user_policy"]( name, policy_name, region, key, keyid, profile ) if not policy_unset: _list = __salt__["boto_iam.get_all_user_policies"]( user_name=name, region=region, key=key, keyid=keyid, profile=profile ) ret["changes"]["new"] = {"policies": _list} ret["result"] = False ret["comment"] = "Failed to add policy {} to user {}".format( policy_name, name ) return ret _list = __salt__["boto_iam.get_all_user_policies"]( user_name=name, region=region, key=key, keyid=keyid, profile=profile ) ret["changes"]["new"] = {"policies": _list} ret["comment"] = "{} policies modified on user {}.".format( ", ".join(_list), name ) return ret def _user_policies_attached( name, managed_policies=None, region=None, key=None, keyid=None, profile=None ): ret = {"result": True, "comment": "", "changes": {}} policies_to_attach = [] policies_to_detach = [] for policy in managed_policies or []: entities = __salt__["boto_iam.list_entities_for_policy"]( policy, entity_filter="User", region=region, key=key, keyid=keyid, profile=profile, ) found = False for userdict in entities.get("policy_users", []): if name == userdict.get("user_name"): found = True break if not found: policies_to_attach.append(policy) _list = __salt__["boto_iam.list_attached_user_policies"]( name, region=region, key=key, keyid=keyid, profile=profile ) oldpolicies = [x.get("policy_arn") for x in _list] for policy_data in _list: if ( policy_data.get("policy_name") not in managed_policies and policy_data.get("policy_arn") not in managed_policies ): policies_to_detach.append(policy_data.get("policy_arn")) if policies_to_attach or policies_to_detach: _to_modify = list(policies_to_detach) _to_modify.extend(policies_to_attach) if __opts__["test"]: ret["comment"] = "{} policies to be modified on user {}.".format( ", ".join(_to_modify), name ) ret["result"] = None return ret ret["changes"]["old"] = {"managed_policies": oldpolicies} for policy_name in policies_to_attach: policy_set = __salt__["boto_iam.attach_user_policy"]( policy_name, name, region=region, key=key, keyid=keyid, profile=profile ) if not policy_set: _list = __salt__["boto_iam.list_attached_user_policies"]( name, region=region, key=key, keyid=keyid, profile=profile ) newpolicies = [x.get("policy_arn") for x in _list] ret["changes"]["new"] = {"managed_policies": newpolicies} ret["result"] = False ret["comment"] = "Failed to add policy {} to user {}".format( policy_name, name ) return ret for policy_name in policies_to_detach: policy_unset = __salt__["boto_iam.detach_user_policy"]( policy_name, name, region=region, key=key, keyid=keyid, profile=profile ) if not policy_unset: _list = __salt__["boto_iam.list_attached_user_policies"]( name, region=region, key=key, keyid=keyid, profile=profile ) newpolicies = [x.get("policy_arn") for x in _list] ret["changes"]["new"] = {"managed_policies": newpolicies} ret["result"] = False ret["comment"] = "Failed to remove policy {} from user {}".format( policy_name, name ) return ret _list = __salt__["boto_iam.list_attached_user_policies"]( name, region=region, key=key, keyid=keyid, profile=profile ) newpolicies = [x.get("policy_arn") for x in _list] log.debug(newpolicies) ret["changes"]["new"] = {"managed_policies": newpolicies} ret["comment"] = "{} policies modified on user {}.".format( ", ".join(newpolicies), name ) return ret def _user_policies_detached(name, region=None, key=None, keyid=None, profile=None): ret = {"result": True, "comment": "", "changes": {}} _list = __salt__["boto_iam.list_attached_user_policies"]( user_name=name, region=region, key=key, keyid=keyid, profile=profile ) oldpolicies = [x.get("policy_arn") for x in _list] if not _list: ret["comment"] = "No attached policies in user {}.".format(name) return ret if __opts__["test"]: ret["comment"] = "{} policies to be detached from user {}.".format( ", ".join(oldpolicies), name ) ret["result"] = None return ret ret["changes"]["old"] = {"managed_policies": oldpolicies} for policy_arn in oldpolicies: policy_unset = __salt__["boto_iam.detach_user_policy"]( policy_arn, name, region=region, key=key, keyid=keyid, profile=profile ) if not policy_unset: _list = __salt__["boto_iam.list_attached_user_policies"]( name, region=region, key=key, keyid=keyid, profile=profile ) newpolicies = [x.get("policy_arn") for x in _list] ret["changes"]["new"] = {"managed_policies": newpolicies} ret["result"] = False ret["comment"] = "Failed to detach {} from user {}".format(policy_arn, name) return ret _list = __salt__["boto_iam.list_attached_user_policies"]( name, region=region, key=key, keyid=keyid, profile=profile ) newpolicies = [x.get("policy_arn") for x in _list] ret["changes"]["new"] = {"managed_policies": newpolicies} ret["comment"] = "{} policies detached from user {}.".format( ", ".join(oldpolicies), name ) return ret def _user_policies_deleted(name, region=None, key=None, keyid=None, profile=None): ret = {"result": True, "comment": "", "changes": {}} oldpolicies = __salt__["boto_iam.get_all_user_policies"]( user_name=name, region=region, key=key, keyid=keyid, profile=profile ) if not oldpolicies: ret["comment"] = "No inline policies in user {}.".format(name) return ret if __opts__["test"]: ret["comment"] = "{} policies to be deleted from user {}.".format( ", ".join(oldpolicies), name ) ret["result"] = None return ret ret["changes"]["old"] = {"inline_policies": oldpolicies} for policy_name in oldpolicies: policy_deleted = __salt__["boto_iam.delete_user_policy"]( name, policy_name, region=region, key=key, keyid=keyid, profile=profile ) if not policy_deleted: newpolicies = __salt__["boto_iam.get_all_user_policies"]( name, region=region, key=key, keyid=keyid, profile=profile ) ret["changes"]["new"] = {"inline_policies": newpolicies} ret["result"] = False ret["comment"] = "Failed to detach {} from user {}".format( policy_name, name ) return ret newpolicies = __salt__["boto_iam.get_all_user_policies"]( name, region=region, key=key, keyid=keyid, profile=profile ) ret["changes"]["new"] = {"inline_policies": newpolicies} ret["comment"] = "{} policies deleted from user {}.".format( ", ".join(oldpolicies), name ) return ret def _case_password( ret, name, password, region=None, key=None, keyid=None, profile=None ): if __opts__["test"]: ret["comment"] = "Login policy for {} is set to be changed.".format(name) ret["result"] = None return ret login = __salt__["boto_iam.create_login_profile"]( name, password, region, key, keyid, profile ) log.debug("Login is : %s.", login) if login: if "Conflict" in login: ret["comment"] = " ".join( [ret["comment"], "Login profile for user {} exists.".format(name)] ) else: ret["comment"] = " ".join( [ret["comment"], "Password has been added to User {}.".format(name)] ) ret["changes"]["password"] = "REDACTED" else: ret["result"] = False ret["comment"] = " ".join( [ ret["comment"], "Password for user {} could not be set.\nPlease check your password" " policy.".format(name), ] ) return ret def group_absent(name, region=None, key=None, keyid=None, profile=None): """ .. versionadded:: 2015.8.0 Ensure the IAM group is absent. name (string) The name of the group. region (string) Region to connect to. key (string) Secret key to be used. keyid (string) Access key to be used. profile (dict) A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. """ ret = {"name": name, "result": True, "comment": "", "changes": {}} if not __salt__["boto_iam.get_group"](name, region, key, keyid, profile): ret["result"] = True ret["comment"] = "IAM Group {} does not exist.".format(name) return ret if __opts__["test"]: ret["comment"] = " ".join( [ ret["comment"], "IAM group {} managed policies are set to be detached.".format(name), ] ) ret["result"] = None else: _ret = _group_policies_detached(name, region, key, keyid, profile) ret["comment"] = " ".join([ret["comment"], _ret["comment"]]) if not _ret["result"]: ret["result"] = _ret["result"] if ret["result"] is False: return ret if __opts__["test"]: ret["comment"] = " ".join( [ ret["comment"], "IAM group {} inline policies are set to be deleted.".format(name), ] ) ret["result"] = None else: _ret = _group_policies_deleted(name, region, key, keyid, profile) ret["comment"] = " ".join([ret["comment"], _ret["comment"]]) if not _ret["result"]: ret["result"] = _ret["result"] if ret["result"] is False: return ret ret["comment"] = " ".join( [ret["comment"], "IAM group {} users are set to be removed.".format(name)] ) existing_users = __salt__["boto_iam.get_group_members"]( group_name=name, region=region, key=key, keyid=keyid, profile=profile ) _ret = _case_group(ret, [], name, existing_users, region, key, keyid, profile) ret["changes"] = dictupdate.update(ret["changes"], _ret["changes"]) ret["comment"] = " ".join([ret["comment"], _ret["comment"]]) if not _ret["result"]: ret["result"] = _ret["result"] return ret # finally, actually delete the group if __opts__["test"]: ret["comment"] = " ".join( [ret["comment"], "IAM group {} is set to be deleted.".format(name)] ) ret["result"] = None return ret deleted = __salt__["boto_iam.delete_group"](name, region, key, keyid, profile) if deleted is True: ret["comment"] = " ".join( [ret["comment"], "IAM group {} is deleted.".format(name)] ) ret["result"] = True ret["changes"]["deleted"] = name return ret ret["comment"] = "IAM group {} could not be deleted.\n {}".format(name, deleted) ret["result"] = False return ret def group_present( name, policies=None, policies_from_pillars=None, managed_policies=None, users=None, path="/", region=None, key=None, keyid=None, profile=None, delete_policies=True, ): """ .. versionadded:: 2015.8.0 Ensure the IAM group is present name (string) The name of the new group. path (string) The path for the group, defaults to '/' policies (dict) A dict of IAM group policy documents. policies_from_pillars (list) A list of pillars that contain role policy dicts. Policies in the pillars will be merged in the order defined in the list and key conflicts will be handled by later defined keys overriding earlier defined keys. The policies defined here will be merged with the policies defined in the policies argument. If keys conflict, the keys in the policies argument will override the keys defined in policies_from_pillars. managed_policies (list) A list of policy names or ARNs that should be attached to this group. users (list) A list of users to be added to the group. region (string) Region to connect to. key (string) Secret key to be used. keyid (string) Access key to be used. profile (dict) A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. delete_policies (boolean) Delete or detach existing policies that are not in the given list of policies. Default value is ``True``. If ``False`` is specified, existing policies will not be deleted or detached allowing manual modifications on the IAM group to be persistent. """ ret = {"name": name, "result": True, "comment": "", "changes": {}} if not policies: policies = {} if not policies_from_pillars: policies_from_pillars = [] if not managed_policies: managed_policies = [] _policies = {} for policy in policies_from_pillars: _policy = __salt__["pillar.get"](policy) _policies.update(_policy) _policies.update(policies) exists = __salt__["boto_iam.get_group"]( group_name=name, region=region, key=key, keyid=keyid, profile=profile ) if not exists: if __opts__["test"]: ret["comment"] = "IAM group {} is set to be created.".format(name) ret["result"] = None return ret created = __salt__["boto_iam.create_group"]( group_name=name, path=path, region=region, key=key, keyid=keyid, profile=profile, ) if not created: ret["comment"] = "Failed to create IAM group {}.".format(name) ret["result"] = False return ret ret["changes"]["group"] = created ret["comment"] = " ".join( [ret["comment"], "Group {} has been created.".format(name)] ) else: ret["comment"] = " ".join([ret["comment"], "Group {} is present.".format(name)]) # Group exists, ensure group policies and users are set. _ret = _group_policies_present( name, _policies, region, key, keyid, profile, delete_policies ) ret["changes"] = dictupdate.update(ret["changes"], _ret["changes"]) ret["comment"] = " ".join([ret["comment"], _ret["comment"]]) if not _ret["result"]: ret["result"] = _ret["result"] return ret _ret = _group_policies_attached( name, managed_policies, region, key, keyid, profile, delete_policies ) ret["changes"] = dictupdate.update(ret["changes"], _ret["changes"]) ret["comment"] = " ".join([ret["comment"], _ret["comment"]]) if not _ret["result"]: ret["result"] = _ret["result"] return ret if users is not None: log.debug("Users are : %s.", users) existing_users = __salt__["boto_iam.get_group_members"]( group_name=name, region=region, key=key, keyid=keyid, profile=profile ) ret = _case_group(ret, users, name, existing_users, region, key, keyid, profile) return ret def _case_group(ret, users, group_name, existing_users, region, key, keyid, profile): _users = [] for user in existing_users: _users.append(user["user_name"]) log.debug("upstream users are %s", _users) for user in users: log.debug("users are %s", user) if user in _users: log.debug("user exists") ret["comment"] = " ".join( [ ret["comment"], "User {} is already a member of group {}.".format(user, group_name), ] ) continue else: log.debug("user is set to be added %s", user) if __opts__["test"]: ret["comment"] = "User {} is set to be added to group {}.".format( user, group_name ) ret["result"] = None else: __salt__["boto_iam.add_user_to_group"]( user, group_name, region, key, keyid, profile ) ret["comment"] = " ".join( [ ret["comment"], "User {} has been added to group {}.".format(user, group_name), ] ) ret["changes"][user] = group_name for user in _users: if user not in users: if __opts__["test"]: ret["comment"] = " ".join( [ ret["comment"], "User {} is set to be removed from group {}.".format( user, group_name ), ] ) ret["result"] = None else: __salt__["boto_iam.remove_user_from_group"]( group_name=group_name, user_name=user, region=region, key=key, keyid=keyid, profile=profile, ) ret["comment"] = " ".join( [ ret["comment"], "User {} has been removed from group {}.".format( user, group_name ), ] ) ret["changes"][user] = "Removed from group {}.".format(group_name) return ret def _group_policies_present( name, policies=None, region=None, key=None, keyid=None, profile=None, delete_policies=True, ): ret = {"result": True, "comment": "", "changes": {}} policies_to_create = {} policies_to_delete = [] for policy_name, policy in policies.items(): if isinstance(policy, str): dict_policy = salt.utils.json.loads( policy, object_pairs_hook=odict.OrderedDict ) else: dict_policy = policy _policy = __salt__["boto_iam.get_group_policy"]( name, policy_name, region, key, keyid, profile ) if _policy != dict_policy: log.debug("Policy mismatch:\n%s\n%s", _policy, dict_policy) policies_to_create[policy_name] = policy _list = __salt__["boto_iam.get_all_group_policies"]( name, region, key, keyid, profile ) for policy_name in _list: if delete_policies and policy_name not in policies: policies_to_delete.append(policy_name) if policies_to_create or policies_to_delete: _to_modify = list(policies_to_delete) _to_modify.extend(policies_to_create) if __opts__["test"]: ret["comment"] = "{} policies to be modified on group {}.".format( ", ".join(_to_modify), name ) ret["result"] = None return ret ret["changes"]["old"] = {"policies": _list} for policy_name, policy in policies_to_create.items(): policy_set = __salt__["boto_iam.put_group_policy"]( name, policy_name, policy, region, key, keyid, profile ) if not policy_set: _list = __salt__["boto_iam.get_all_group_policies"]( name, region, key, keyid, profile ) ret["changes"]["new"] = {"policies": _list} ret["result"] = False ret["comment"] = "Failed to add policy {} to group {}".format( policy_name, name ) return ret for policy_name in policies_to_delete: policy_unset = __salt__["boto_iam.delete_group_policy"]( name, policy_name, region, key, keyid, profile ) if not policy_unset: _list = __salt__["boto_iam.get_all_group_policies"]( name, region, key, keyid, profile ) ret["changes"]["new"] = {"policies": _list} ret["result"] = False ret["comment"] = "Failed to add policy {} to group {}".format( policy_name, name ) return ret _list = __salt__["boto_iam.get_all_group_policies"]( name, region, key, keyid, profile ) ret["changes"]["new"] = {"policies": _list} ret["comment"] = "{} policies modified on group {}.".format( ", ".join(_list), name ) return ret def _group_policies_attached( name, managed_policies=None, region=None, key=None, keyid=None, profile=None, detach_policies=True, ): ret = {"result": True, "comment": "", "changes": {}} policies_to_attach = [] policies_to_detach = [] for policy in managed_policies or []: entities = __salt__["boto_iam.list_entities_for_policy"]( policy, entity_filter="Group", region=region, key=key, keyid=keyid, profile=profile, ) found = False for groupdict in entities.get("policy_groups", []): if name == groupdict.get("group_name"): found = True break if not found: policies_to_attach.append(policy) _list = __salt__["boto_iam.list_attached_group_policies"]( name, region=region, key=key, keyid=keyid, profile=profile ) oldpolicies = [x.get("policy_arn") for x in _list] for policy_data in _list: if ( detach_policies and policy_data.get("policy_name") not in managed_policies and policy_data.get("policy_arn") not in managed_policies ): policies_to_detach.append(policy_data.get("policy_arn")) if policies_to_attach or policies_to_detach: _to_modify = list(policies_to_detach) _to_modify.extend(policies_to_attach) if __opts__["test"]: ret["comment"] = "{} policies to be modified on group {}.".format( ", ".join(_to_modify), name ) ret["result"] = None return ret ret["changes"]["old"] = {"managed_policies": oldpolicies} for policy_name in policies_to_attach: policy_set = __salt__["boto_iam.attach_group_policy"]( policy_name, name, region=region, key=key, keyid=keyid, profile=profile ) if not policy_set: _list = __salt__["boto_iam.list_attached_group_policies"]( name, region=region, key=key, keyid=keyid, profile=profile ) newpolicies = [x.get("policy_arn") for x in _list] ret["changes"]["new"] = {"managed_policies": newpolicies} ret["result"] = False ret["comment"] = "Failed to add policy {} to group {}".format( policy_name, name ) return ret for policy_name in policies_to_detach: policy_unset = __salt__["boto_iam.detach_group_policy"]( policy_name, name, region=region, key=key, keyid=keyid, profile=profile ) if not policy_unset: _list = __salt__["boto_iam.list_attached_group_policies"]( name, region=region, key=key, keyid=keyid, profile=profile ) newpolicies = [x.get("policy_arn") for x in _list] ret["changes"]["new"] = {"managed_policies": newpolicies} ret["result"] = False ret["comment"] = "Failed to remove policy {} from group {}".format( policy_name, name ) return ret _list = __salt__["boto_iam.list_attached_group_policies"]( name, region=region, key=key, keyid=keyid, profile=profile ) newpolicies = [x.get("policy_arn") for x in _list] log.debug(newpolicies) ret["changes"]["new"] = {"managed_policies": newpolicies} ret["comment"] = "{} policies modified on group {}.".format( ", ".join(newpolicies), name ) return ret def _group_policies_detached(name, region=None, key=None, keyid=None, profile=None): ret = {"result": True, "comment": "", "changes": {}} _list = __salt__["boto_iam.list_attached_group_policies"]( group_name=name, region=region, key=key, keyid=keyid, profile=profile ) oldpolicies = [x.get("policy_arn") for x in _list] if not _list: ret["comment"] = "No attached policies in group {}.".format(name) return ret if __opts__["test"]: ret["comment"] = "{} policies to be detached from group {}.".format( ", ".join(oldpolicies), name ) ret["result"] = None return ret ret["changes"]["old"] = {"managed_policies": oldpolicies} for policy_arn in oldpolicies: policy_unset = __salt__["boto_iam.detach_group_policy"]( policy_arn, name, region=region, key=key, keyid=keyid, profile=profile ) if not policy_unset: _list = __salt__["boto_iam.list_attached_group_policies"]( name, region=region, key=key, keyid=keyid, profile=profile ) newpolicies = [x.get("policy_arn") for x in _list] ret["changes"]["new"] = {"managed_policies": newpolicies} ret["result"] = False ret["comment"] = "Failed to detach {} from group {}".format( policy_arn, name ) return ret _list = __salt__["boto_iam.list_attached_group_policies"]( name, region=region, key=key, keyid=keyid, profile=profile ) newpolicies = [x.get("policy_arn") for x in _list] ret["changes"]["new"] = {"managed_policies": newpolicies} ret["comment"] = "{} policies detached from group {}.".format( ", ".join(newpolicies), name ) return ret def _group_policies_deleted(name, region=None, key=None, keyid=None, profile=None): ret = {"result": True, "comment": "", "changes": {}} oldpolicies = __salt__["boto_iam.get_all_group_policies"]( group_name=name, region=region, key=key, keyid=keyid, profile=profile ) if not oldpolicies: ret["comment"] = "No inline policies in group {}.".format(name) return ret if __opts__["test"]: ret["comment"] = "{} policies to be deleted from group {}.".format( ", ".join(oldpolicies), name ) ret["result"] = None return ret ret["changes"]["old"] = {"inline_policies": oldpolicies} for policy_name in oldpolicies: policy_deleted = __salt__["boto_iam.delete_group_policy"]( name, policy_name, region=region, key=key, keyid=keyid, profile=profile ) if not policy_deleted: newpolicies = __salt__["boto_iam.get_all_group_policies"]( name, region=region, key=key, keyid=keyid, profile=profile ) ret["changes"]["new"] = {"inline_policies": newpolicies} ret["result"] = False ret["comment"] = "Failed to detach {} from group {}".format( policy_name, name ) return ret newpolicies = __salt__["boto_iam.get_all_group_policies"]( name, region=region, key=key, keyid=keyid, profile=profile ) ret["changes"]["new"] = {"inline_policies": newpolicies} ret["comment"] = "{} policies deleted from group {}.".format( ", ".join(oldpolicies), name ) return ret def account_policy( name=None, allow_users_to_change_password=None, hard_expiry=None, max_password_age=None, minimum_password_length=None, password_reuse_prevention=None, require_lowercase_characters=None, require_numbers=None, require_symbols=None, require_uppercase_characters=None, region=None, key=None, keyid=None, profile=None, ): """ Change account policy. .. versionadded:: 2015.8.0 name (string) The name of the account policy allow_users_to_change_password (bool) Allows all IAM users in your account to use the AWS Management Console to change their own passwords. hard_expiry (bool) Prevents IAM users from setting a new password after their password has expired. max_password_age (int) The number of days that an IAM user password is valid. minimum_password_length (int) The minimum number of characters allowed in an IAM user password. password_reuse_prevention (int) Specifies the number of previous passwords that IAM users are prevented from reusing. require_lowercase_characters (bool) Specifies whether IAM user passwords must contain at least one lowercase character from the ISO basic Latin alphabet (a to z). require_numbers (bool) Specifies whether IAM user passwords must contain at least one numeric character (0 to 9). require_symbols (bool) Specifies whether IAM user passwords must contain at least one of the following non-alphanumeric characters: ! @ # $ % ^ & * ( ) _ + - = [ ] { } | ' require_uppercase_characters (bool) Specifies whether IAM user passwords must contain at least one uppercase character from the ISO basic Latin alphabet (A to Z). region (string) Region to connect to. key (string) Secret key to be used. keyid (string) Access key to be used. profile (dict) A dict with region, key and keyid, or a pillar key (string) """ config = locals() ret = {"name": "Account Policy", "result": True, "comment": "", "changes": {}} info = __salt__["boto_iam.get_account_policy"](region, key, keyid, profile) if not info: ret["comment"] = "Account policy is not Enabled." ret["result"] = False return ret for key, value in config.items(): if key in ("region", "key", "keyid", "profile", "name"): continue if value is not None and str(info[key]) != str(value).lower(): ret["comment"] = " ".join( [ ret["comment"], "Policy value {} has been set to {}.".format(value, info[key]), ] ) ret["changes"][key] = str(value).lower() if not ret["changes"]: ret["comment"] = "Account policy is not changed." return ret if __opts__["test"]: ret["comment"] = "Account policy is set to be changed." ret["result"] = None return ret if __salt__["boto_iam.update_account_password_policy"]( allow_users_to_change_password, hard_expiry, max_password_age, minimum_password_length, password_reuse_prevention, require_lowercase_characters, require_numbers, require_symbols, require_uppercase_characters, region, key, keyid, profile, ): return ret ret["comment"] = "Account policy is not changed." ret["changes"] = {} ret["result"] = False return ret def server_cert_absent(name, region=None, key=None, keyid=None, profile=None): """ Deletes a server certificate. .. versionadded:: 2015.8.0 name (string) The name for the server certificate. Do not include the path in this value. region (string) The name of the region to connect to. key (string) The key to be used in order to connect keyid (string) The keyid to be used in order to connect profile (string) The profile that contains a dict of region, key, keyid """ ret = {"name": name, "result": True, "comment": "", "changes": {}} exists = __salt__["boto_iam.get_server_certificate"]( name, region, key, keyid, profile ) if not exists: ret["comment"] = "Certificate {} does not exist.".format(name) return ret if __opts__["test"]: ret["comment"] = "Server certificate {} is set to be deleted.".format(name) ret["result"] = None return ret deleted = __salt__["boto_iam.delete_server_cert"](name, region, key, keyid, profile) if not deleted: ret["result"] = False ret["comment"] = "Certificate {} failed to be deleted.".format(name) return ret ret["comment"] = "Certificate {} was deleted.".format(name) ret["changes"] = deleted return ret def server_cert_present( name, public_key, private_key, cert_chain=None, path=None, region=None, key=None, keyid=None, profile=None, ): """ Crete server certificate. .. versionadded:: 2015.8.0 name (string) The name for the server certificate. Do not include the path in this value. public_key (string) The contents of the public key certificate in PEM-encoded format. private_key (string) The contents of the private key in PEM-encoded format. cert_chain (string) The contents of the certificate chain. This is typically a concatenation of the PEM-encoded public key certificates of the chain. path (string) The path for the server certificate. region (string) The name of the region to connect to. key (string) The key to be used in order to connect keyid (string) The keyid to be used in order to connect profile (string) The profile that contains a dict of region, key, keyid """ ret = {"name": name, "result": True, "comment": "", "changes": {}} exists = __salt__["boto_iam.get_server_certificate"]( name, region, key, keyid, profile ) log.debug("Variables are : %s.", locals()) if exists: ret["comment"] = "Certificate {} exists.".format(name) return ret if "salt://" in public_key: try: public_key = __salt__["cp.get_file_str"](public_key) except OSError as e: log.debug(e) ret["comment"] = "File {} not found.".format(public_key) ret["result"] = False return ret if "salt://" in private_key: try: private_key = __salt__["cp.get_file_str"](private_key) except OSError as e: log.debug(e) ret["comment"] = "File {} not found.".format(private_key) ret["result"] = False return ret if cert_chain is not None and "salt://" in cert_chain: try: cert_chain = __salt__["cp.get_file_str"](cert_chain) except OSError as e: log.debug(e) ret["comment"] = "File {} not found.".format(cert_chain) ret["result"] = False return ret if __opts__["test"]: ret["comment"] = "Server certificate {} is set to be created.".format(name) ret["result"] = None return ret created = __salt__["boto_iam.upload_server_cert"]( name, public_key, private_key, cert_chain, path, region, key, keyid, profile ) if created is not False: ret["comment"] = "Certificate {} was created.".format(name) ret["changes"] = created return ret ret["result"] = False ret["comment"] = "Certificate {} failed to be created.".format(name) return ret def policy_present( name, policy_document, path=None, description=None, region=None, key=None, keyid=None, profile=None, ): """ .. versionadded:: 2015.8.0 Ensure the IAM managed policy is present name (string) The name of the new policy. policy_document (dict) The document of the new policy path (string) The path in which the policy will be created. Default is '/'. description (string) Description region (string) Region to connect to. key (string) Secret key to be used. keyid (string) Access key to be used. profile (dict) A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. """ ret = {"name": name, "result": True, "comment": "", "changes": {}} policy = __salt__["boto_iam.get_policy"](name, region, key, keyid, profile) if not policy: if __opts__["test"]: ret["comment"] = "IAM policy {} is set to be created.".format(name) ret["result"] = None return ret created = __salt__["boto_iam.create_policy"]( name, policy_document, path, description, region, key, keyid, profile ) if created: ret["changes"]["policy"] = created ret["comment"] = " ".join( [ret["comment"], "Policy {} has been created.".format(name)] ) else: ret["result"] = False ret["comment"] = "Failed to update policy." ret["changes"] = {} return ret else: policy = policy.get("policy", {}) ret["comment"] = " ".join( [ret["comment"], "Policy {} is present.".format(name)] ) _describe = __salt__["boto_iam.get_policy_version"]( name, policy.get("default_version_id"), region, key, keyid, profile ).get("policy_version", {}) if isinstance(_describe["document"], str): describeDict = salt.utils.json.loads(_describe["document"]) else: describeDict = _describe["document"] if isinstance(policy_document, str): policy_document = salt.utils.json.loads(policy_document) r = salt.utils.data.compare_dicts(describeDict, policy_document) if bool(r): if __opts__["test"]: ret["comment"] = "Policy {} set to be modified.".format(name) ret["result"] = None return ret ret["comment"] = " ".join([ret["comment"], "Policy to be modified"]) policy_document = salt.utils.json.dumps(policy_document) r = __salt__["boto_iam.create_policy_version"]( policy_name=name, policy_document=policy_document, set_as_default=True, region=region, key=key, keyid=keyid, profile=profile, ) if not r.get("created"): ret["result"] = False ret["comment"] = "Failed to update policy: {}.".format( r["error"]["message"] ) ret["changes"] = {} return ret __salt__["boto_iam.delete_policy_version"]( policy_name=name, version_id=policy["default_version_id"], region=region, key=key, keyid=keyid, profile=profile, ) ret["changes"].setdefault("new", {})["document"] = policy_document ret["changes"].setdefault("old", {})["document"] = _describe["document"] return ret def policy_absent(name, region=None, key=None, keyid=None, profile=None): """ .. versionadded:: 2015.8.0 Ensure the IAM managed policy with the specified name is absent name (string) The name of the new policy. region (string) Region to connect to. key (string) Secret key to be used. keyid (string) Access key to be used. profile (dict) A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. """ ret = {"name": name, "result": True, "comment": "", "changes": {}} r = __salt__["boto_iam.policy_exists"]( name, region=region, key=key, keyid=keyid, profile=profile ) if not r: ret["comment"] = "Policy {} does not exist.".format(name) return ret if __opts__["test"]: ret["comment"] = "Policy {} is set to be removed.".format(name) ret["result"] = None return ret # delete non-default versions versions = __salt__["boto_iam.list_policy_versions"]( name, region=region, key=key, keyid=keyid, profile=profile ) if versions: for version in versions: if version.get("is_default_version", False) in ("true", True): continue r = __salt__["boto_iam.delete_policy_version"]( name, version_id=version.get("version_id"), region=region, key=key, keyid=keyid, profile=profile, ) if not r: ret["result"] = False ret["comment"] = "Failed to delete policy {}.".format(name) return ret r = __salt__["boto_iam.delete_policy"]( name, region=region, key=key, keyid=keyid, profile=profile ) if not r: ret["result"] = False ret["comment"] = "Failed to delete policy {}.".format(name) return ret ret["changes"]["old"] = {"policy": name} ret["changes"]["new"] = {"policy": None} ret["comment"] = "Policy {} deleted.".format(name) return ret def saml_provider_present( name, saml_metadata_document, region=None, key=None, keyid=None, profile=None ): """ .. versionadded:: 2016.11.0 Ensure the SAML provider with the specified name is present. name (string) The name of the SAML provider. saml_metadata_document (string) The xml document of the SAML provider. region (string) Region to connect to. key (string) Secret key to be used. keyid (string) Access key to be used. profile (dict) A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. """ ret = {"name": name, "result": True, "comment": "", "changes": {}} if "salt://" in saml_metadata_document: try: saml_metadata_document = __salt__["cp.get_file_str"](saml_metadata_document) ET.fromstring(saml_metadata_document) except OSError as e: log.debug(e) ret[ "comment" ] = "SAML document file {} not found or could not be loaded".format(name) ret["result"] = False return ret for provider in __salt__["boto_iam.list_saml_providers"]( region=region, key=key, keyid=keyid, profile=profile ): if provider == name: ret["comment"] = "SAML provider {} is present.".format(name) return ret if __opts__["test"]: ret["comment"] = "SAML provider {} is set to be create.".format(name) ret["result"] = None return ret created = __salt__["boto_iam.create_saml_provider"]( name, saml_metadata_document, region=region, key=key, keyid=keyid, profile=profile, ) if created: ret["comment"] = "SAML provider {} was created.".format(name) ret["changes"]["new"] = name return ret ret["result"] = False ret["comment"] = "SAML provider {} failed to be created.".format(name) return ret def saml_provider_absent(name, region=None, key=None, keyid=None, profile=None): """ .. versionadded:: 2016.11.0 Ensure the SAML provider with the specified name is absent. name (string) The name of the SAML provider. saml_metadata_document (string) The xml document of the SAML provider. region (string) Region to connect to. key (string) Secret key to be used. keyid (string) Access key to be used. profile (dict) A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid. """ ret = {"name": name, "result": True, "comment": "", "changes": {}} provider = __salt__["boto_iam.list_saml_providers"]( region=region, key=key, keyid=keyid, profile=profile ) if len(provider) == 0: ret["comment"] = "SAML provider {} is absent.".format(name) return ret if __opts__["test"]: ret["comment"] = "SAML provider {} is set to be removed.".format(name) ret["result"] = None return ret deleted = __salt__["boto_iam.delete_saml_provider"]( name, region=region, key=key, keyid=keyid, profile=profile ) if deleted is not False: ret["comment"] = "SAML provider {} was deleted.".format(name) ret["changes"]["old"] = name return ret ret["result"] = False ret["comment"] = "SAML provider {} failed to be deleted.".format(name) return ret def _get_error(error): # Converts boto exception to string that can be used to output error. error = "\n".join(error.split("\n")[1:]) error = ET.fromstring(error) code = error[0][1].text message = error[0][2].text return code, message
Save