From 2f21617cedc5374125ff26b78762954591a15cf7 Mon Sep 17 00:00:00 2001 From: jillr Date: Mon, 2 Mar 2020 19:25:18 +0000 Subject: [PATCH 01/23] Initial commit This commit was initially merged in https://github.com/ansible-collections/community.aws See: https://github.com/ansible-collections/community.aws/commit/eb75681585a23ea79e642b86a0f8e64e0f40a6d7 --- plugins/modules/sts_assume_role.py | 180 ++++++++ .../targets/sts_assume_role/aliases | 2 + .../targets/sts_assume_role/meta/main.yml | 3 + .../targets/sts_assume_role/tasks/main.yml | 384 ++++++++++++++++++ .../sts_assume_role/templates/policy.json.j2 | 12 + 5 files changed, 581 insertions(+) create mode 100644 plugins/modules/sts_assume_role.py create mode 100644 tests/integration/targets/sts_assume_role/aliases create mode 100644 tests/integration/targets/sts_assume_role/meta/main.yml create mode 100644 tests/integration/targets/sts_assume_role/tasks/main.yml create mode 100644 tests/integration/targets/sts_assume_role/templates/policy.json.j2 diff --git a/plugins/modules/sts_assume_role.py b/plugins/modules/sts_assume_role.py new file mode 100644 index 00000000000..3c03f291706 --- /dev/null +++ b/plugins/modules/sts_assume_role.py 
@@ -0,0 +1,180 @@ +#!/usr/bin/python +# Copyright: Ansible Project +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + + +ANSIBLE_METADATA = {'metadata_version': '1.1', + 'status': ['stableinterface'], + 'supported_by': 'community'} + + +DOCUMENTATION = ''' +--- +module: sts_assume_role +short_description: Assume a role using AWS Security Token Service and obtain temporary credentials +description: + - Assume a role using AWS Security Token Service and obtain temporary credentials. +author: + - Boris Ekelchik (@bekelchik) + - Marek Piatek (@piontas) +options: + role_arn: + description: + - The Amazon Resource Name (ARN) of the role that the caller is + assuming U(https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html#Identifiers_ARNs). + required: true + type: str + role_session_name: + description: + - Name of the role's session - will be used by CloudTrail. + required: true + type: str + policy: + description: + - Supplemental policy to use in addition to assumed role's policies. + type: str + duration_seconds: + description: + - The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) to 43200 seconds (12 hours). + - The max depends on the IAM role's sessions duration setting. + - By default, the value is set to 3600 seconds. + type: int + external_id: + description: + - A unique identifier that is used by third parties to assume a role in their customers' accounts. + type: str + mfa_serial_number: + description: + - The identification number of the MFA device that is associated with the user who is making the AssumeRole call. + type: str + mfa_token: + description: + - The value provided by the MFA device, if the trust policy of the role being assumed requires MFA. 
+ type: str +notes: + - In order to use the assumed role in a following playbook task you must pass the access_key, access_secret and access_token. +extends_documentation_fragment: +- ansible.amazon.aws +- ansible.amazon.ec2 + +requirements: + - boto3 + - botocore + - python >= 2.6 +''' + +RETURN = ''' +sts_creds: + description: The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token + returned: always + type: dict + sample: + access_key: XXXXXXXXXXXXXXXXXXXX + expiration: 2017-11-11T11:11:11+00:00 + secret_key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + session_token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX +sts_user: + description: The Amazon Resource Name (ARN) and the assumed role ID + returned: always + type: dict + sample: + assumed_role_id: arn:aws:sts::123456789012:assumed-role/demo/Bob + arn: ARO123EXAMPLE123:Bob +changed: + description: True if obtaining the credentials succeeds + type: bool + returned: always +''' + +EXAMPLES = ''' +# Note: These examples do not set authentication details, see the AWS Guide for details. 
+ +# Assume an existing role (more details: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) +- sts_assume_role: + role_arn: "arn:aws:iam::123456789012:role/someRole" + role_session_name: "someRoleSession" + register: assumed_role + +# Use the assumed role above to tag an instance in account 123456789012 +- ec2_tag: + aws_access_key: "{{ assumed_role.sts_creds.access_key }}" + aws_secret_key: "{{ assumed_role.sts_creds.secret_key }}" + security_token: "{{ assumed_role.sts_creds.session_token }}" + resource: i-xyzxyz01 + state: present + tags: + MyNewTag: value + +''' + +from ansible_collections.ansible.amazon.plugins.module_utils.aws.core import AnsibleAWSModule +from ansible_collections.ansible.amazon.plugins.module_utils.ec2 import camel_dict_to_snake_dict + +try: + from botocore.exceptions import ClientError, ParamValidationError +except ImportError: + pass # caught by AnsibleAWSModule + + +def _parse_response(response): + credentials = response.get('Credentials', {}) + user = response.get('AssumedRoleUser', {}) + + sts_cred = { + 'access_key': credentials.get('AccessKeyId'), + 'secret_key': credentials.get('SecretAccessKey'), + 'session_token': credentials.get('SessionToken'), + 'expiration': credentials.get('Expiration') + + } + sts_user = camel_dict_to_snake_dict(user) + return sts_cred, sts_user + + +def assume_role_policy(connection, module): + params = { + 'RoleArn': module.params.get('role_arn'), + 'RoleSessionName': module.params.get('role_session_name'), + 'Policy': module.params.get('policy'), + 'DurationSeconds': module.params.get('duration_seconds'), + 'ExternalId': module.params.get('external_id'), + 'SerialNumber': module.params.get('mfa_serial_number'), + 'TokenCode': module.params.get('mfa_token') + } + changed = False + + kwargs = dict((k, v) for k, v in params.items() if v is not None) + + try: + response = connection.assume_role(**kwargs) + changed = True + except (ClientError, ParamValidationError) as e: + 
module.fail_json_aws(e) + + sts_cred, sts_user = _parse_response(response) + module.exit_json(changed=changed, sts_creds=sts_cred, sts_user=sts_user) + + +def main(): + argument_spec = dict( + role_arn=dict(required=True), + role_session_name=dict(required=True), + duration_seconds=dict(required=False, default=None, type='int'), + external_id=dict(required=False, default=None), + policy=dict(required=False, default=None), + mfa_serial_number=dict(required=False, default=None), + mfa_token=dict(required=False, default=None) + ) + + module = AnsibleAWSModule(argument_spec=argument_spec) + + connection = module.client('sts') + + assume_role_policy(connection, module) + + +if __name__ == '__main__': + main() diff --git a/tests/integration/targets/sts_assume_role/aliases b/tests/integration/targets/sts_assume_role/aliases new file mode 100644 index 00000000000..6e3860bee23 --- /dev/null +++ b/tests/integration/targets/sts_assume_role/aliases @@ -0,0 +1,2 @@ +cloud/aws +shippable/aws/group2 diff --git a/tests/integration/targets/sts_assume_role/meta/main.yml b/tests/integration/targets/sts_assume_role/meta/main.yml new file mode 100644 index 00000000000..1f64f1169a9 --- /dev/null +++ b/tests/integration/targets/sts_assume_role/meta/main.yml @@ -0,0 +1,3 @@ +dependencies: + - prepare_tests + - setup_ec2 diff --git a/tests/integration/targets/sts_assume_role/tasks/main.yml b/tests/integration/targets/sts_assume_role/tasks/main.yml new file mode 100644 index 00000000000..345454932f7 --- /dev/null +++ b/tests/integration/targets/sts_assume_role/tasks/main.yml 
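Review bot: The credentials that `assume_role_policy` returns in `sts_creds` (`secret_key`, `session_token`) leave the module through `module.exit_json` unmasked, so they appear in task output, in the `register`ed variable and in verbose logs unless the play sets `no_log: true` on the task; the `notes:` section of DOCUMENTATION only says the values must be passed on, not that they need protecting. I would add a note entry such as `- The returned sts_creds contain a secret key and session token; set no_log: true on this task and on the tasks that consume them to keep them out of logs and registered output.` The `mfa_token` one-time code is likewise echoed back in the module's invocation; `mfa_token=dict(required=False, default=None, no_log=True)` in argument_spec would have Ansible redact it. Both helper functions and `main` lie entirely within the hunk.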
@@ -0,0 +1,384 @@ +--- +# tasks file for sts_assume_role + +- block: + + # ============================================================ + # TODO create simple ansible sts_get_caller_identity module + - blockinfile: + path: "{{ output_dir }}/sts.py" + create: yes + block: | + #!/usr/bin/env python + import boto3 + sts = boto3.client('sts') + response = sts.get_caller_identity() + print(response['Account']) + + - name: get the aws account id + command: "{{ ansible_python.executable }} '{{ output_dir }}/sts.py'" + environment: + AWS_ACCESS_KEY_ID: "{{ aws_access_key }}" + AWS_SECRET_ACCESS_KEY: "{{ aws_secret_key }}" + AWS_SESSION_TOKEN: "{{ security_token }}" + register: result + + - name: register account id + set_fact: + aws_account: "{{ result.stdout | replace('\n', '') }}" + + # ============================================================ + - name: create test iam role + iam_role: + aws_access_key: "{{ aws_access_key }}" + aws_secret_key: "{{ aws_secret_key }}" + security_token: "{{ security_token }}" + name: "ansible-test-sts-{{ resource_prefix }}" + assume_role_policy_document: "{{ lookup('template','policy.json.j2') }}" + create_instance_profile: False + managed_policy: + - arn:aws:iam::aws:policy/IAMReadOnlyAccess + state: present + register: test_role + + # ============================================================ + - name: pause to ensure role exists before using + pause: + seconds: 30 + + # ============================================================ + - name: test with no parameters + sts_assume_role: + register: result + ignore_errors: true + + - name: assert with no parameters + assert: + that: + - 'result.failed' + - "'missing required arguments:' in result.msg" + + # ============================================================ + - name: test with empty parameters + sts_assume_role: + aws_access_key: "{{ aws_access_key }}" + aws_secret_key: "{{ aws_secret_key }}" + security_token: "{{ security_token }}" + region: "{{ aws_region}}" + role_arn: + 
role_session_name: + policy: + duration_seconds: + external_id: + mfa_token: + mfa_serial_number: + register: result + ignore_errors: true + + - name: assert with empty parameters + assert: + that: + - 'result.failed' + - "'Missing required parameter in input:' in result.msg" + when: result.module_stderr is not defined + + - name: assert with empty parameters + assert: + that: + - 'result.failed' + - "'Member must have length greater than or equal to 20' in result.module_stderr" + when: result.module_stderr is defined + + # ============================================================ + - name: test with only 'role_arn' parameter + sts_assume_role: + aws_access_key: "{{ aws_access_key }}" + aws_secret_key: "{{ aws_secret_key }}" + security_token: "{{ security_token }}" + role_arn: "{{ test_role.iam_role.arn }}" + register: result + ignore_errors: true + + - name: assert with only 'role_arn' parameter + assert: + that: + - 'result.failed' + - "'missing required arguments: role_session_name' in result.msg" + + # ============================================================ + - name: test with only 'role_session_name' parameter + sts_assume_role: + aws_access_key: "{{ aws_access_key }}" + aws_secret_key: "{{ aws_secret_key }}" + security_token: "{{ security_token }}" + role_session_name: "AnsibleTest" + register: result + ignore_errors: true + + - name: assert with only 'role_session_name' parameter + assert: + that: + - 'result.failed' + - "'missing required arguments: role_arn' in result.msg" + + # ============================================================ + - name: test assume role with invalid policy + sts_assume_role: + aws_access_key: "{{ aws_access_key }}" + aws_secret_key: "{{ aws_secret_key }}" + security_token: "{{ security_token }}" + region: "{{ aws_region }}" + role_arn: "{{ test_role.iam_role.arn }}" + role_session_name: "AnsibleTest" + policy: "invalid policy" + register: result + ignore_errors: true + + - name: assert assume role with invalid policy + 
assert: + that: + - 'result.failed' + - "'The policy is not in the valid JSON format.' in result.msg" + when: result.module_stderr is not defined + + - name: assert assume role with invalid policy + assert: + that: + - 'result.failed' + - "'The policy is not in the valid JSON format.' in result.module_stderr" + when: result.module_stderr is defined + + # ============================================================ + - name: test assume role with invalid duration seconds + sts_assume_role: + aws_access_key: "{{ aws_access_key }}" + aws_secret_key: "{{ aws_secret_key }}" + security_token: "{{ security_token }}" + region: "{{ aws_region}}" + role_arn: "{{ test_role.iam_role.arn }}" + role_session_name: AnsibleTest + duration_seconds: invalid duration + register: result + ignore_errors: true + + - name: assert assume role with invalid duration seconds + assert: + that: + - result is failed + - 'result.msg is search("argument \w+ is of type <.*> and we were unable to convert to int: <.*> cannot be converted to an int")' + + # ============================================================ + - name: test assume role with invalid external id + sts_assume_role: + aws_access_key: "{{ aws_access_key }}" + aws_secret_key: "{{ aws_secret_key }}" + security_token: "{{ security_token }}" + region: "{{ aws_region}}" + role_arn: "{{ test_role.iam_role.arn }}" + role_session_name: AnsibleTest + external_id: invalid external id + register: result + ignore_errors: true + + - name: assert assume role with invalid external id + assert: + that: + - 'result.failed' + - "'Member must satisfy regular expression pattern:' in result.msg" + when: result.module_stderr is not defined + + - name: assert assume role with invalid external id + assert: + that: + - 'result.failed' + - "'Member must satisfy regular expression pattern:' in result.module_stderr" + when: result.module_stderr is defined + + # ============================================================ + - name: test assume role with 
invalid mfa serial number + sts_assume_role: + aws_access_key: "{{ aws_access_key }}" + aws_secret_key: "{{ aws_secret_key }}" + security_token: "{{ security_token }}" + region: "{{ aws_region}}" + role_arn: "{{ test_role.iam_role.arn }}" + role_session_name: AnsibleTest + mfa_serial_number: invalid serial number + register: result + ignore_errors: true + + - name: assert assume role with invalid mfa serial number + assert: + that: + - 'result.failed' + - "'Member must satisfy regular expression pattern:' in result.msg" + when: result.module_stderr is not defined + + - name: assert assume role with invalid mfa serial number + assert: + that: + - 'result.failed' + - "'Member must satisfy regular expression pattern:' in result.module_stderr" + when: result.module_stderr is defined + + # ============================================================ + - name: test assume role with invalid mfa token code + sts_assume_role: + aws_access_key: "{{ aws_access_key }}" + aws_secret_key: "{{ aws_secret_key }}" + security_token: "{{ security_token }}" + region: "{{ aws_region}}" + role_arn: "{{ test_role.iam_role.arn }}" + role_session_name: AnsibleTest + mfa_token: invalid token code + register: result + ignore_errors: true + + - name: assert assume role with invalid mfa token code + assert: + that: + - 'result.failed' + - "'Member must satisfy regular expression pattern:' in result.msg" + when: result.module_stderr is not defined + + - name: assert assume role with invalid mfa token code + assert: + that: + - 'result.failed' + - "'Member must satisfy regular expression pattern:' in result.module_stderr" + when: result.module_stderr is defined + + # ============================================================ + - name: test assume role with invalid role_arn + sts_assume_role: + aws_access_key: "{{ aws_access_key }}" + aws_secret_key: "{{ aws_secret_key }}" + security_token: "{{ security_token }}" + region: "{{ aws_region}}" + role_arn: invalid role arn + role_session_name: 
AnsibleTest + register: result + ignore_errors: true + + - name: assert assume role with invalid role_arn + assert: + that: + - result.failed + - "'Invalid length for parameter RoleArn' in result.msg" + when: result.module_stderr is not defined + + - name: assert assume role with invalid role_arn + assert: + that: + - 'result.failed' + - "'Member must have length greater than or equal to 20' in result.module_stderr" + when: result.module_stderr is defined + + # ============================================================ + - name: test assume not existing sts role + sts_assume_role: + aws_access_key: "{{ aws_access_key }}" + aws_secret_key: "{{ aws_secret_key }}" + security_token: "{{ security_token }}" + region: "{{ aws_region}}" + role_arn: "arn:aws:iam::123456789:role/non-existing-role" + role_session_name: "AnsibleTest" + register: result + ignore_errors: true + + - name: assert assume not existing sts role + assert: + that: + - 'result.failed' + - "'is not authorized to perform: sts:AssumeRole' in result.msg" + when: result.module_stderr is not defined + + - name: assert assume not existing sts role + assert: + that: + - 'result.failed' + - "'is not authorized to perform: sts:AssumeRole' in result.msg" + when: result.module_stderr is defined + + # ============================================================ + - name: test assume role + sts_assume_role: + aws_access_key: "{{ aws_access_key }}" + aws_secret_key: "{{ aws_secret_key }}" + security_token: "{{ security_token }}" + region: "{{ aws_region }}" + role_arn: "{{ test_role.iam_role.arn }}" + role_session_name: AnsibleTest + register: assumed_role + + - name: assert assume role + assert: + that: + - 'not assumed_role.failed' + - "'sts_creds' in assumed_role" + - "'access_key' in assumed_role.sts_creds" + - "'secret_key' in assumed_role.sts_creds" + - "'session_token' in assumed_role.sts_creds" + + # ============================================================ + - name: test that assumed credentials have IAM 
read-only access + iam_role: + aws_access_key: "{{ assumed_role.sts_creds.access_key }}" + aws_secret_key: "{{ assumed_role.sts_creds.secret_key }}" + security_token: "{{ assumed_role.sts_creds.session_token }}" + region: "{{ aws_region}}" + name: "ansible-test-sts-{{ resource_prefix }}" + assume_role_policy_document: "{{ lookup('template','policy.json.j2') }}" + create_instance_profile: False + state: present + register: result + + - name: assert assumed role with privileged action (expect changed=false) + assert: + that: + - 'not result.failed' + - 'not result.changed' + - "'iam_role' in result" + + # ============================================================ + - name: test assumed role with unprivileged action + iam_role: + aws_access_key: "{{ assumed_role.sts_creds.access_key }}" + aws_secret_key: "{{ assumed_role.sts_creds.secret_key }}" + security_token: "{{ assumed_role.sts_creds.session_token }}" + region: "{{ aws_region}}" + name: "ansible-test-sts-{{ resource_prefix }}-new" + assume_role_policy_document: "{{ lookup('template','policy.json.j2') }}" + state: present + register: result + ignore_errors: true + + - name: assert assumed role with unprivileged action (expect changed=false) + assert: + that: + - 'result.failed' + - "'is not authorized to perform: iam:CreateRole' in result.msg" + # runs on Python2 + when: result.module_stderr is not defined + + - name: assert assumed role with unprivileged action (expect changed=false) + assert: + that: + - 'result.failed' + - "'is not authorized to perform: iam:CreateRole' in result.module_stderr" + # runs on Python3 + when: result.module_stderr is defined + + # ============================================================ + always: + + - name: delete test iam role + iam_role: + aws_access_key: "{{ aws_access_key }}" + aws_secret_key: "{{ aws_secret_key }}" + security_token: "{{ security_token }}" + name: "ansible-test-sts-{{ resource_prefix }}" + assume_role_policy_document: "{{ 
lookup('template','policy.json.j2') }}" + managed_policy: + - arn:aws:iam::aws:policy/IAMReadOnlyAccess + state: absent diff --git a/tests/integration/targets/sts_assume_role/templates/policy.json.j2 b/tests/integration/targets/sts_assume_role/templates/policy.json.j2 new file mode 100644 index 00000000000..559562fd91d --- /dev/null +++ b/tests/integration/targets/sts_assume_role/templates/policy.json.j2 @@ -0,0 +1,12 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::{{ aws_account }}:root" + }, + "Action": "sts:AssumeRole" + } + ] +} \ No newline at end of file From d7105cf8051e47fd5a44789418148976f604c991 Mon Sep 17 00:00:00 2001 From: Jill R <4121322+jillr@users.noreply.github.com> Date: Wed, 25 Mar 2020 15:39:40 -0700 Subject: [PATCH 02/23] Rename collection (#12) * Rename core collection Rename references to ansible.amazon to amazon.aws. * Rename community.amazon to community.aws Fix pep8 line lengths for rewritten amazon.aws imports * Missed a path in shippable.sh * Dependency repos moved This commit was initially merged in https://github.com/ansible-collections/community.aws See: https://github.com/ansible-collections/community.aws/commit/235c5db571cc45db5839476c94356c9b91e1f228 --- plugins/modules/sts_assume_role.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/plugins/modules/sts_assume_role.py b/plugins/modules/sts_assume_role.py index 3c03f291706..8283c49d862 100644 --- a/plugins/modules/sts_assume_role.py +++ b/plugins/modules/sts_assume_role.py @@ -57,8 +57,8 @@ notes: - In order to use the assumed role in a following playbook task you must pass the access_key, access_secret and access_token. extends_documentation_fragment: -- ansible.amazon.aws -- ansible.amazon.ec2 +- amazon.aws.aws +- amazon.aws.ec2 requirements: - boto3 
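Review bot: The "test assume role" task registers live temporary credentials into `assumed_role` without `no_log`, so the secret key and session token are printed in verbose CI output and in any saved result; adding `no_log: true` to that task, and to the two `iam_role` tasks that reuse `assumed_role.sts_creds`, keeps them out of the logs. The same applies to the rewritten form of these tasks later in this series (the `@@ -303,10 +259,6 @@` hunk and the two that follow it). A smaller point: the `command` task that runs the generated `sts.py` exports `AWS_SESSION_TOKEN: "{{ security_token }}"` unconditionally, which would fail on an undefined variable when the CI credentials carry no session token; `"{{ security_token | default(omit) }}"` covers both cases. The block and its `always:` section are entirely within the hunk.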
@@ -110,8 +110,8 @@ ''' -from ansible_collections.ansible.amazon.plugins.module_utils.aws.core import AnsibleAWSModule -from ansible_collections.ansible.amazon.plugins.module_utils.ec2 import camel_dict_to_snake_dict +from ansible_collections.amazon.aws.plugins.module_utils.aws.core import AnsibleAWSModule +from ansible_collections.amazon.aws.plugins.module_utils.ec2 import camel_dict_to_snake_dict try: from botocore.exceptions import ClientError, ParamValidationError From aee58d39c023b6a0cd7c4495ef5c12581f9b7a81 Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Wed, 29 Apr 2020 23:19:49 +0200 Subject: [PATCH 03/23] Fix more doc issues where strings are parsed as datetimes by YAML parser. (#55) This commit was initially merged in https://github.com/ansible-collections/community.aws See: https://github.com/ansible-collections/community.aws/commit/4a0e1a4d8797e71dbb39ab04d14b41133d01c979 --- plugins/modules/sts_assume_role.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/modules/sts_assume_role.py b/plugins/modules/sts_assume_role.py index 8283c49d862..7f86c34a475 100644 --- a/plugins/modules/sts_assume_role.py +++ b/plugins/modules/sts_assume_role.py @@ -73,7 +73,7 @@ type: dict sample: access_key: XXXXXXXXXXXXXXXXXXXX - expiration: 2017-11-11T11:11:11+00:00 + expiration: '2017-11-11T11:11:11+00:00' secret_key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX session_token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX sts_user: From eb5af1c531dff304b399d026a8aff5f0f6b5c348 Mon Sep 17 00:00:00 2001 
From: Jill R <4121322+jillr@users.noreply.github.com> Date: Tue, 19 May 2020 16:06:12 -0700 Subject: [PATCH 04/23] Remove METADATA and cleanup galaxy.yml (#70) * Remove ANSIBLE_METADATA entirely, see ansible/ansible/pull/69454. Remove `license` field from galaxy.yml, in favor of `license_file`. This commit was initially merged in https://github.com/ansible-collections/community.aws See: https://github.com/ansible-collections/community.aws/commit/05672a64e2362cc2d865b5af6a57da6bc3cd08e3 --- plugins/modules/sts_assume_role.py | 5 ----- 1 file changed, 5 deletions(-) diff --git a/plugins/modules/sts_assume_role.py b/plugins/modules/sts_assume_role.py index 7f86c34a475..f836e478e23 100644 --- a/plugins/modules/sts_assume_role.py +++ b/plugins/modules/sts_assume_role.py @@ -6,11 +6,6 @@ __metaclass__ = type -ANSIBLE_METADATA = {'metadata_version': '1.1', - 'status': ['stableinterface'], - 'supported_by': 'community'} - - DOCUMENTATION = ''' --- module: sts_assume_role From 7c501b738e50404bb4c410be5b4f7fe4af10f22d Mon Sep 17 00:00:00 2001 From: Abhijeet Kasurde Date: Wed, 17 Jun 2020 01:24:54 +0530 Subject: [PATCH 05/23] Update Examples with FQCN (#67) Updated module examples with FQCN Signed-off-by: Abhijeet Kasurde This commit was initially merged in https://github.com/ansible-collections/community.aws See: https://github.com/ansible-collections/community.aws/commit/98173aefbbceed7fc0d9db62687b73f96a55a999 --- plugins/modules/sts_assume_role.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/modules/sts_assume_role.py b/plugins/modules/sts_assume_role.py index f836e478e23..4048373c614 100644 --- a/plugins/modules/sts_assume_role.py +++ b/plugins/modules/sts_assume_role.py 
@@ -88,13 +88,13 @@ # Note: These examples do not set authentication details, see the AWS Guide for details. # Assume an existing role (more details: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) -- sts_assume_role: +- community.aws.sts_assume_role: role_arn: "arn:aws:iam::123456789012:role/someRole" role_session_name: "someRoleSession" register: assumed_role # Use the assumed role above to tag an instance in account 123456789012 -- ec2_tag: +- amazon.aws.ec2_tag: aws_access_key: "{{ assumed_role.sts_creds.access_key }}" aws_secret_key: "{{ assumed_role.sts_creds.secret_key }}" security_token: "{{ assumed_role.sts_creds.session_token }}" From 4800bf2363f3a3d6b7ed2da94e88237e7ba90715 Mon Sep 17 00:00:00 2001 From: flowerysong Date: Tue, 16 Jun 2020 19:30:00 -0400 Subject: [PATCH 06/23] Update module_utils paths to remove aws subdir (#23) Co-authored-by: Ezekiel Hendrickson This commit was initially merged in https://github.com/ansible-collections/community.aws See: https://github.com/ansible-collections/community.aws/commit/10853d9441a586ba177006dd889325cfb24a3dd6 --- plugins/modules/sts_assume_role.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/modules/sts_assume_role.py b/plugins/modules/sts_assume_role.py index 4048373c614..fca345ad4ac 100644 --- a/plugins/modules/sts_assume_role.py +++ b/plugins/modules/sts_assume_role.py @@ -105,7 +105,7 @@ ''' -from ansible_collections.amazon.aws.plugins.module_utils.aws.core import AnsibleAWSModule +from ansible_collections.amazon.aws.plugins.module_utils.core import AnsibleAWSModule from ansible_collections.amazon.aws.plugins.module_utils.ec2 import camel_dict_to_snake_dict try: From 80e4144dcbbcb37cb021f44405b9849931de49cb Mon Sep 17 00:00:00 2001 
From: Jill R <4121322+jillr@users.noreply.github.com> Date: Wed, 17 Jun 2020 09:31:32 -0700 Subject: [PATCH 07/23] Update docs (#99) * Update docs Remove .git from repo url so links in readme will generate correctly Add required ansible version Run latest version of add_docs.py Add version_added string to modules * galaxy.yml was missing authors This commit was initially merged in https://github.com/ansible-collections/community.aws See: https://github.com/ansible-collections/community.aws/commit/96ee268e5267f5b12c3d59892bc1279f75aa3135 --- plugins/modules/sts_assume_role.py | 1 + 1 file changed, 1 insertion(+) diff --git a/plugins/modules/sts_assume_role.py b/plugins/modules/sts_assume_role.py index fca345ad4ac..378eb0031f8 100644 --- a/plugins/modules/sts_assume_role.py +++ b/plugins/modules/sts_assume_role.py @@ -9,6 +9,7 @@ DOCUMENTATION = ''' --- module: sts_assume_role +version_added: 1.0.0 short_description: Assume a role using AWS Security Token Service and obtain temporary credentials description: - Assume a role using AWS Security Token Service and obtain temporary credentials. From 7d812e468b7bb6646330915a6f8df8c43df42d1e Mon Sep 17 00:00:00 2001 From: Mark Chappell Date: Wed, 17 Feb 2021 17:13:34 +0100 Subject: [PATCH 08/23] sts_assume_role: Relax expectations on message when passing a non-integer as duration (#420) * sts_assume_role: Relax expectations on message when passing a non-integer as duration * Use standard module_defaults block to pass credentials and switch to aws_caller_info * Delete the instance profile when we delete the role This commit was initially merged in https://github.com/ansible-collections/community.aws See: https://github.com/ansible-collections/community.aws/commit/b3f5d45d4da4884e0c46e86a0d0ee694847e1ef3 --- .../targets/sts_assume_role/tasks/main.yml | 94 +++++-------------- 1 file changed, 21 insertions(+), 73 deletions(-) 
diff --git a/tests/integration/targets/sts_assume_role/tasks/main.yml b/tests/integration/targets/sts_assume_role/tasks/main.yml index 345454932f7..4a625a10b6f 100644 --- a/tests/integration/targets/sts_assume_role/tasks/main.yml +++ b/tests/integration/targets/sts_assume_role/tasks/main.yml @@ -1,38 +1,28 @@ --- # tasks file for sts_assume_role -- block: - - # ============================================================ - # TODO create simple ansible sts_get_caller_identity module - - blockinfile: - path: "{{ output_dir }}/sts.py" - create: yes - block: | - #!/usr/bin/env python - import boto3 - sts = boto3.client('sts') - response = sts.get_caller_identity() - print(response['Account']) - - - name: get the aws account id - command: "{{ ansible_python.executable }} '{{ output_dir }}/sts.py'" - environment: - AWS_ACCESS_KEY_ID: "{{ aws_access_key }}" - AWS_SECRET_ACCESS_KEY: "{{ aws_secret_key }}" - AWS_SESSION_TOKEN: "{{ security_token }}" - register: result +- module_defaults: + group/aws: + region: "{{ aws_region }}" + aws_access_key: "{{ aws_access_key }}" + aws_secret_key: "{{ aws_secret_key }}" + security_token: "{{ security_token | default(omit) }}" + collections: + - amazon.aws + block: + # Get some information about who we are before starting our tests + # we'll need this as soon as we start working on the policies + - name: get ARN of calling user + aws_caller_info: + register: aws_caller_info - name: register account id set_fact: - aws_account: "{{ result.stdout | replace('\n', '') }}" + aws_account: "{{ aws_caller_info.account }}" # ============================================================ - name: create test iam role iam_role: - aws_access_key: "{{ aws_access_key }}" - aws_secret_key: "{{ aws_secret_key }}" - security_token: "{{ security_token }}" name: "ansible-test-sts-{{ resource_prefix }}" assume_role_policy_document: "{{ lookup('template','policy.json.j2') }}" create_instance_profile: False 
@@ -49,6 +39,9 @@ # ============================================================ - name: test with no parameters sts_assume_role: + aws_access_key: '{{ omit }}' + aws_secret_key: '{{ omit }}' + security_token: '{{ omit }}' register: result ignore_errors: true @@ -61,10 +54,6 @@ # ============================================================ - name: test with empty parameters sts_assume_role: - aws_access_key: "{{ aws_access_key }}" - aws_secret_key: "{{ aws_secret_key }}" - security_token: "{{ security_token }}" - region: "{{ aws_region}}" role_arn: role_session_name: policy: @@ -92,9 +81,6 @@ # ============================================================ - name: test with only 'role_arn' parameter sts_assume_role: - aws_access_key: "{{ aws_access_key }}" - aws_secret_key: "{{ aws_secret_key }}" - security_token: "{{ security_token }}" role_arn: "{{ test_role.iam_role.arn }}" register: result ignore_errors: true @@ -108,9 +94,6 @@ # ============================================================ - name: test with only 'role_session_name' parameter sts_assume_role: - aws_access_key: "{{ aws_access_key }}" - aws_secret_key: "{{ aws_secret_key }}" - security_token: "{{ security_token }}" role_session_name: "AnsibleTest" register: result ignore_errors: true @@ -124,10 +107,6 @@ # ============================================================ - name: test assume role with invalid policy sts_assume_role: - aws_access_key: "{{ aws_access_key }}" - aws_secret_key: "{{ aws_secret_key }}" - security_token: "{{ security_token }}" - region: "{{ aws_region }}" role_arn: "{{ test_role.iam_role.arn }}" role_session_name: "AnsibleTest" policy: "invalid policy" 
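Review bot: With `module_defaults` now injecting `region` as well as the credentials, the three `'{{ omit }}'` overrides in the "test with no parameters" task still leave `region` set, so the call is no longer truly parameter-less; the assertion on `missing required arguments:` still holds, but the purpose of the overrides is not obvious from the task itself. A short comment above them, such as `# module_defaults supplies credentials; drop them so only the module's own required-argument check fires`, would record why they are there. The enclosing block starts in an earlier hunk.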
@@ -151,10 +130,6 @@ # ============================================================ - name: test assume role with invalid duration seconds sts_assume_role: - aws_access_key: "{{ aws_access_key }}" - aws_secret_key: "{{ aws_secret_key }}" - security_token: "{{ security_token }}" - region: "{{ aws_region}}" role_arn: "{{ test_role.iam_role.arn }}" role_session_name: AnsibleTest duration_seconds: invalid duration @@ -165,15 +140,12 @@ assert: that: - result is failed - - 'result.msg is search("argument \w+ is of type <.*> and we were unable to convert to int: <.*> cannot be converted to an int")' + - "'duration_seconds' in result.msg" + - "'cannot be converted to an int' in result.msg" # ============================================================ - name: test assume role with invalid external id sts_assume_role: - aws_access_key: "{{ aws_access_key }}" - aws_secret_key: "{{ aws_secret_key }}" - security_token: "{{ security_token }}" - region: "{{ aws_region}}" role_arn: "{{ test_role.iam_role.arn }}" role_session_name: AnsibleTest external_id: invalid external id @@ -197,10 +169,6 @@ # ============================================================ - name: test assume role with invalid mfa serial number sts_assume_role: - aws_access_key: "{{ aws_access_key }}" - aws_secret_key: "{{ aws_secret_key }}" - security_token: "{{ security_token }}" - region: "{{ aws_region}}" role_arn: "{{ test_role.iam_role.arn }}" role_session_name: AnsibleTest mfa_serial_number: invalid serial number @@ -224,10 +192,6 @@ # ============================================================ - name: test assume role with invalid mfa token code sts_assume_role: - aws_access_key: "{{ aws_access_key }}" - aws_secret_key: "{{ aws_secret_key }}" - security_token: "{{ security_token }}" - region: "{{ aws_region}}" role_arn: "{{ test_role.iam_role.arn }}" role_session_name: AnsibleTest mfa_token: invalid token code 
@@ -251,10 +215,6 @@ # ============================================================ - name: test assume role with invalid role_arn sts_assume_role: - aws_access_key: "{{ aws_access_key }}" - aws_secret_key: "{{ aws_secret_key }}" - security_token: "{{ security_token }}" - region: "{{ aws_region}}" role_arn: invalid role arn role_session_name: AnsibleTest register: result @@ -277,10 +237,6 @@ # ============================================================ - name: test assume not existing sts role sts_assume_role: - aws_access_key: "{{ aws_access_key }}" - aws_secret_key: "{{ aws_secret_key }}" - security_token: "{{ security_token }}" - region: "{{ aws_region}}" role_arn: "arn:aws:iam::123456789:role/non-existing-role" role_session_name: "AnsibleTest" register: result @@ -303,10 +259,6 @@ # ============================================================ - name: test assume role sts_assume_role: - aws_access_key: "{{ aws_access_key }}" - aws_secret_key: "{{ aws_secret_key }}" - security_token: "{{ security_token }}" - region: "{{ aws_region }}" role_arn: "{{ test_role.iam_role.arn }}" role_session_name: AnsibleTest register: assumed_role @@ -326,7 +278,6 @@ aws_access_key: "{{ assumed_role.sts_creds.access_key }}" aws_secret_key: "{{ assumed_role.sts_creds.secret_key }}" security_token: "{{ assumed_role.sts_creds.session_token }}" - region: "{{ aws_region}}" name: "ansible-test-sts-{{ resource_prefix }}" assume_role_policy_document: "{{ lookup('template','policy.json.j2') }}" create_instance_profile: False @@ -346,7 +297,6 @@ aws_access_key: "{{ assumed_role.sts_creds.access_key }}" aws_secret_key: "{{ assumed_role.sts_creds.secret_key }}" security_token: "{{ assumed_role.sts_creds.session_token }}" - region: "{{ aws_region}}" name: "ansible-test-sts-{{ resource_prefix }}-new" assume_role_policy_document: "{{ lookup('template','policy.json.j2') }}" state: present 
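Review bot: The `test assume role` task registers `assumed_role`, whose `sts_creds.secret_key` and `sts_creds.session_token` are printed unmasked in the task result and in CI logs under `-v`; Ansible masks nothing in return values on its own. Add `no_log: true` to this task — `register:` still works, and the two follow-on `iam_role` tasks keep reading `assumed_role.sts_creds.*` unchanged. The credentials are short-lived and scoped to the test role's `IAMReadOnlyAccess`, which limits the impact, but this file is also the reference pattern people copy into their own playbooks.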
@@ -374,11 +324,9 @@ - name: delete test iam role iam_role: - aws_access_key: "{{ aws_access_key }}" - aws_secret_key: "{{ aws_secret_key }}" - security_token: "{{ security_token }}" name: "ansible-test-sts-{{ resource_prefix }}" assume_role_policy_document: "{{ lookup('template','policy.json.j2') }}" + delete_instance_profile: True managed_policy: - arn:aws:iam::aws:policy/IAMReadOnlyAccess state: absent From 5876323f0281284919756575812bcbfaac30dbd0 Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Sat, 13 Mar 2021 17:32:35 +0100 Subject: [PATCH 09/23] Fix missing no_log=True. This commit was initially merged in https://github.com/ansible-collections/community.aws See: https://github.com/ansible-collections/community.aws/commit/6b09f2af722af7a97add18ec0c9e229361ce6e88 --- plugins/modules/sts_assume_role.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/modules/sts_assume_role.py b/plugins/modules/sts_assume_role.py index 378eb0031f8..d1203a3c5a5 100644 --- a/plugins/modules/sts_assume_role.py +++ b/plugins/modules/sts_assume_role.py @@ -162,7 +162,7 @@ def main(): external_id=dict(required=False, default=None), policy=dict(required=False, default=None), mfa_serial_number=dict(required=False, default=None), - mfa_token=dict(required=False, default=None) + mfa_token=dict(required=False, default=None, no_log=True) ) module = AnsibleAWSModule(argument_spec=argument_spec) From ede3341a06a9b1650783fbb1bb93706904023f6b Mon Sep 17 00:00:00 2001 From: Mark Chappell Date: Thu, 6 May 2021 21:01:46 +0200 Subject: [PATCH 10/23] Update the default module requirements from python 2.6/boto to python 3.6/boto3 This commit was initially merged in https://github.com/ansible-collections/community.aws See: https://github.com/ansible-collections/community.aws/commit/c097c55293be0834a2b9d394733ec28965d142d7 --- plugins/modules/sts_assume_role.py | 5 ----- 1 file changed, 5 deletions(-) 
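Review bot: `no_log=True` on `mfa_token` masks the argument in the invocation record, but the module's own return value is the larger exposure: `sts_creds` carries `secret_key` and `session_token`, and Ansible prints return data unmasked unless the calling task sets `no_log: true`. The commit does not mention that, so add to the module's `notes:` something like `- The returned I(sts_creds) contain a secret access key and session token; run this task with C(no_log: true) unless the output is meant to be visible.` The `argument_spec` lives in `main()`, whose body continues outside the hunk.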
diff --git a/plugins/modules/sts_assume_role.py b/plugins/modules/sts_assume_role.py index d1203a3c5a5..c7435ad6fdc 100644 --- a/plugins/modules/sts_assume_role.py +++ b/plugins/modules/sts_assume_role.py @@ -55,11 +55,6 @@ extends_documentation_fragment: - amazon.aws.aws - amazon.aws.ec2 - -requirements: - - boto3 - - botocore - - python >= 2.6 ''' RETURN = ''' From 7f5f429143058db405f865fed160526791b7dead Mon Sep 17 00:00:00 2001 From: jillr Date: Thu, 29 Apr 2021 21:58:50 +0000 Subject: [PATCH 11/23] Remove shippable references from repo This collection has been operating on Zuul CI for some weeks now This commit was initially merged in https://github.com/ansible-collections/community.aws See: https://github.com/ansible-collections/community.aws/commit/4e0d83c65568a99a24307e37a14e6e0b173c948b --- tests/integration/targets/sts_assume_role/aliases | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/integration/targets/sts_assume_role/aliases b/tests/integration/targets/sts_assume_role/aliases index 6e3860bee23..4ef4b2067d0 100644 --- a/tests/integration/targets/sts_assume_role/aliases +++ b/tests/integration/targets/sts_assume_role/aliases @@ -1,2 +1 @@ cloud/aws -shippable/aws/group2 From 72046edd775d79dbd19c93f0a7c50345aa9ba013 Mon Sep 17 00:00:00 2001 From: jillr Date: Sat, 19 Jun 2021 01:15:38 +0000 Subject: [PATCH 12/23] Fix up lambda tests and more iam roles This commit was initially merged in https://github.com/ansible-collections/community.aws See: https://github.com/ansible-collections/community.aws/commit/d276a6127640d6eddc83295e3f06f882746d9b34 --- .../integration/targets/sts_assume_role/defaults/main.yml | 2 ++ tests/integration/targets/sts_assume_role/tasks/main.yml | 8 ++++---- 2 files changed, 6 insertions(+), 4 deletions(-) create mode 100644 tests/integration/targets/sts_assume_role/defaults/main.yml 
diff --git a/tests/integration/targets/sts_assume_role/defaults/main.yml b/tests/integration/targets/sts_assume_role/defaults/main.yml new file mode 100644 index 00000000000..1287fe1f5b9 --- /dev/null +++ b/tests/integration/targets/sts_assume_role/defaults/main.yml @@ -0,0 +1,2 @@ +unique_id: "{{ resource_prefix | hash('md5') }}" +iam_role_name: "ansible-test-sts-{{ unique_id }}" diff --git a/tests/integration/targets/sts_assume_role/tasks/main.yml b/tests/integration/targets/sts_assume_role/tasks/main.yml index 4a625a10b6f..be684dcea18 100644 --- a/tests/integration/targets/sts_assume_role/tasks/main.yml +++ b/tests/integration/targets/sts_assume_role/tasks/main.yml @@ -23,7 +23,7 @@ # ============================================================ - name: create test iam role iam_role: - name: "ansible-test-sts-{{ resource_prefix }}" + name: "{{ iam_role_name }}" assume_role_policy_document: "{{ lookup('template','policy.json.j2') }}" create_instance_profile: False managed_policy: @@ -278,7 +278,7 @@ aws_access_key: "{{ assumed_role.sts_creds.access_key }}" aws_secret_key: "{{ assumed_role.sts_creds.secret_key }}" security_token: "{{ assumed_role.sts_creds.session_token }}" - name: "ansible-test-sts-{{ resource_prefix }}" + name: "{{ iam_role_name }}" assume_role_policy_document: "{{ lookup('template','policy.json.j2') }}" create_instance_profile: False state: present @@ -297,7 +297,7 @@ aws_access_key: "{{ assumed_role.sts_creds.access_key }}" aws_secret_key: "{{ assumed_role.sts_creds.secret_key }}" security_token: "{{ assumed_role.sts_creds.session_token }}" - name: "ansible-test-sts-{{ resource_prefix }}-new" + name: "{{ iam_role_name }}-new" assume_role_policy_document: "{{ lookup('template','policy.json.j2') }}" state: present register: result 
@@ -324,7 +324,7 @@ - name: delete test iam role iam_role: - name: "ansible-test-sts-{{ resource_prefix }}" + name: "{{ iam_role_name }}" assume_role_policy_document: "{{ lookup('template','policy.json.j2') }}" delete_instance_profile: True managed_policy: From f953c0f9e041694313118e75c9698a11ff7dc141 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gon=C3=A9ri=20Le=20Bouder?= Date: Tue, 13 Jul 2021 11:16:57 +0200 Subject: [PATCH 13/23] tests: use the new tiny_prefix variable The new tiny_prefix variable has recently been introduced. It's a 12 characters long string that is reused for the whole job. This commit was initially merged in https://github.com/ansible-collections/community.aws See: https://github.com/ansible-collections/community.aws/commit/4d1fa5aa4d7292611d5754b51d0b552ac67ad8b0 --- tests/integration/targets/sts_assume_role/defaults/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/integration/targets/sts_assume_role/defaults/main.yml b/tests/integration/targets/sts_assume_role/defaults/main.yml index 1287fe1f5b9..17072d6a4fd 100644 --- a/tests/integration/targets/sts_assume_role/defaults/main.yml +++ b/tests/integration/targets/sts_assume_role/defaults/main.yml @@ -1,2 +1 @@ -unique_id: "{{ resource_prefix | hash('md5') }}" -iam_role_name: "ansible-test-sts-{{ unique_id }}" +iam_role_name: "ansible-test-{{ tiny_prefix }}" From b2557715f11fead78ffd03f3b1691ea9c7071cdc Mon Sep 17 00:00:00 2001 
From: Mark Chappell Date: Fri, 22 Apr 2022 11:44:07 +0200 Subject: [PATCH 14/23] Integration test dependency cleanup (#1086) Integration test dependency cleanup SUMMARY remove dependencies on setup_remote_tmp_dir where it's not used (often just copy & paste from another test) remove setup_ec2 (no main.yml means it's not doing anything) remove prepare_tests (empty main.yml means it's not doing anything) ISSUE TYPE Feature Pull Request COMPONENT NAME tests/integration/targets ADDITIONAL INFORMATION By cleaning up what we have we reduce the chance of people copying things about "because that's what test XYZ did". Reviewed-by: Alina Buzachis Reviewed-by: Mark Woolley This commit was initially merged in https://github.com/ansible-collections/community.aws See: https://github.com/ansible-collections/community.aws/commit/dd12046a1e2d5f39692b1890ff07e06c56b3bf0e --- tests/integration/targets/sts_assume_role/meta/main.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tests/integration/targets/sts_assume_role/meta/main.yml b/tests/integration/targets/sts_assume_role/meta/main.yml index 1f64f1169a9..32cf5dda7ed 100644 --- a/tests/integration/targets/sts_assume_role/meta/main.yml +++ b/tests/integration/targets/sts_assume_role/meta/main.yml @@ -1,3 +1 @@ -dependencies: - - prepare_tests - - setup_ec2 +dependencies: [] From 729d73240ef54f0b0424f07e3670eecb7621edfc Mon Sep 17 00:00:00 2001 
From: Alina Buzachis Date: Wed, 5 Oct 2022 17:04:40 +0200 Subject: [PATCH 15/23] Update extends_documentation_fragment with amazon.aws.boto3 (#1459) Update extends_documentation_fragment with amazon.aws.boto3 Depends-On: ansible/ansible-zuul-jobs#1654 SUMMARY As per ansible-collections/amazon.aws#985 add amazon.aws.boto3. ISSUE TYPE Docs Pull Request COMPONENT NAME several Reviewed-by: Jill R Reviewed-by: Mark Chappell Reviewed-by: Markus Bergholz This commit was initially merged in https://github.com/ansible-collections/community.aws See: https://github.com/ansible-collections/community.aws/commit/bd3c03fcba0848f593b86309740fa73e986a9646 --- plugins/modules/sts_assume_role.py | 1 + 1 file changed, 1 insertion(+) diff --git a/plugins/modules/sts_assume_role.py b/plugins/modules/sts_assume_role.py index c7435ad6fdc..8e5a3b4fed2 100644 --- a/plugins/modules/sts_assume_role.py +++ b/plugins/modules/sts_assume_role.py @@ -55,6 +55,7 @@ extends_documentation_fragment: - amazon.aws.aws - amazon.aws.ec2 +- amazon.aws.boto3 ''' RETURN = ''' From c62018dd2e83c84fa5ee4e8ad3b487b03dba1bbe Mon Sep 17 00:00:00 2001 From: Bikouo Aubin <79859644+abikouo@users.noreply.github.com> Date: Tue, 10 Jan 2023 19:22:13 +0100 Subject: [PATCH 16/23] Ansible User-Agent identification for community.aws (#1632) Ansible User-Agent identification for community.aws SUMMARY The value will be similar to this APN/1.0 Ansible/2.14.1 community.aws/6.0.0-dev0 ISSUE TYPE Feature Pull Request Reviewed-by: Mark Chappell Reviewed-by: Bikouo Aubin Reviewed-by: Alina Buzachis This commit was initially merged in https://github.com/ansible-collections/community.aws See: https://github.com/ansible-collections/community.aws/commit/a8cbce24071bcc62fe4594c38aff1baf18bd2862 --- plugins/modules/sts_assume_role.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/modules/sts_assume_role.py b/plugins/modules/sts_assume_role.py index 8e5a3b4fed2..fe29cd3c62a 100644 
--- a/plugins/modules/sts_assume_role.py +++ b/plugins/modules/sts_assume_role.py @@ -102,7 +102,7 @@ ''' -from ansible_collections.amazon.aws.plugins.module_utils.core import AnsibleAWSModule +from ansible_collections.community.aws.plugins.module_utils.modules import AnsibleCommunityAWSModule as AnsibleAWSModule from ansible_collections.amazon.aws.plugins.module_utils.ec2 import camel_dict_to_snake_dict try: From bf3231c8608f6a4147b35082478708ba26746850 Mon Sep 17 00:00:00 2001 
From: Mark Chappell Date: Wed, 8 Mar 2023 12:07:26 +0100 Subject: [PATCH 17/23] Cleanup headers and imports (#1738) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cleanup headers and imports SUMMARY Mass update of imports, docs fragments and file headers Many of the amazon.aws module_utils and docs fragments got moved about, update community.aws to reflect this. Consistently apply the comment headers as documented at https://docs.ansible.com/ansible/devel/dev_guide/developing_modules_documenting.html#python-shebang-utf-8-coding ISSUE TYPE Docs Pull Request Feature Pull Request COMPONENT NAME ADDITIONAL INFORMATION Header cleanup based upon: https://docs.ansible.com/ansible/devel/dev_guide/developing_modules_documenting.html#python-shebang-utf-8-coding Begin your Ansible module with #!/usr/bin/python - this “shebang” allows ansible_python_interpreter to work. Follow the shebang immediately with # -*- coding: utf-8 -*- to clarify that the file is UTF-8 encoded. and https://docs.ansible.com/ansible/devel/dev_guide/developing_modules_documenting.html#copyright-and-license After the shebang and UTF-8 coding, add a copyright line with the original copyright holder and a license declaration. The license declaration should be ONLY one line, not the full GPL prefix. ... Additions to the module (for instance, rewrites) are not permitted to add additional copyright lines other than the default copyright statement if missing: Reviewed-by: Alina Buzachis This commit was initially merged in https://github.com/ansible-collections/community.aws See: https://github.com/ansible-collections/community.aws/commit/a4f20bf114bfab19b1c84c4ecf42efd5614ab80c --- plugins/modules/sts_assume_role.py | 40 +++++++++++++++--------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/plugins/modules/sts_assume_role.py b/plugins/modules/sts_assume_role.py index fe29cd3c62a..c53bfa9c978 100644 --- a/plugins/modules/sts_assume_role.py 
+++ b/plugins/modules/sts_assume_role.py @@ -1,21 +1,19 @@ #!/usr/bin/python +# -*- coding: utf-8 -*- + # Copyright: Ansible Project # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) -from __future__ import absolute_import, division, print_function -__metaclass__ = type - - -DOCUMENTATION = ''' +DOCUMENTATION = r""" --- module: sts_assume_role version_added: 1.0.0 short_description: Assume a role using AWS Security Token Service and obtain temporary credentials description: - - Assume a role using AWS Security Token Service and obtain temporary credentials. + - Assume a role using AWS Security Token Service and obtain temporary credentials. author: - - Boris Ekelchik (@bekelchik) - - Marek Piatek (@piontas) + - Boris Ekelchik (@bekelchik) + - Marek Piatek (@piontas) options: role_arn: description: @@ -53,12 +51,12 @@ notes: - In order to use the assumed role in a following playbook task you must pass the access_key, access_secret and access_token. extends_documentation_fragment: -- amazon.aws.aws -- amazon.aws.ec2 -- amazon.aws.boto3 -''' + - amazon.aws.common.modules + - amazon.aws.region.modules + - amazon.aws.boto3 +""" -RETURN = ''' +RETURN = r""" sts_creds: description: The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token returned: always @@ -79,9 +77,9 @@ description: True if obtaining the credentials succeeds type: bool returned: always -''' +""" -EXAMPLES = ''' +EXAMPLES = r""" # Note: These examples do not set authentication details, see the AWS Guide for details. # Assume an existing role (more details: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) 
@@ -100,16 +98,18 @@ tags: MyNewTag: value -''' - -from ansible_collections.community.aws.plugins.module_utils.modules import AnsibleCommunityAWSModule as AnsibleAWSModule -from ansible_collections.amazon.aws.plugins.module_utils.ec2 import camel_dict_to_snake_dict +""" try: - from botocore.exceptions import ClientError, ParamValidationError + from botocore.exceptions import ClientError + from botocore.exceptions import ParamValidationError except ImportError: pass # caught by AnsibleAWSModule +from ansible.module_utils.common.dict_transformations import camel_dict_to_snake_dict + +from ansible_collections.community.aws.plugins.module_utils.modules import AnsibleCommunityAWSModule as AnsibleAWSModule + def _parse_response(response): credentials = response.get('Credentials', {}) From 98339bf5690d88e84364ae647e0e294c31d4c870 Mon Sep 17 00:00:00 2001 From: Mark Chappell Date: Wed, 26 Apr 2023 19:26:07 +0200 Subject: [PATCH 18/23] Big Black PR (#1784) * Black prep * Black * changelog * Fix pylint unused-import in tests * Split SSM connection plugin changes * disable glue tests - bucket's missing * Disable s3_logging and s3_sync tests This commit was initially merged in https://github.com/ansible-collections/community.aws See: https://github.com/ansible-collections/community.aws/commit/2c4575c248776c65d66b06cd60fa09b0dae1cd6f --- plugins/modules/sts_assume_role.py | 35 +++++++++++++++--------------- 1 file changed, 17 insertions(+), 18 deletions(-) diff --git a/plugins/modules/sts_assume_role.py b/plugins/modules/sts_assume_role.py index c53bfa9c978..4a4860657cf 100644 --- a/plugins/modules/sts_assume_role.py +++ b/plugins/modules/sts_assume_role.py 
@@ -112,15 +112,14 @@ def _parse_response(response): - credentials = response.get('Credentials', {}) - user = response.get('AssumedRoleUser', {}) + credentials = response.get("Credentials", {}) + user = response.get("AssumedRoleUser", {}) sts_cred = { - 'access_key': credentials.get('AccessKeyId'), - 'secret_key': credentials.get('SecretAccessKey'), - 'session_token': credentials.get('SessionToken'), - 'expiration': credentials.get('Expiration') - + "access_key": credentials.get("AccessKeyId"), + "secret_key": credentials.get("SecretAccessKey"), + "session_token": credentials.get("SessionToken"), + "expiration": credentials.get("Expiration"), } sts_user = camel_dict_to_snake_dict(user) return sts_cred, sts_user @@ -128,13 +127,13 @@ def _parse_response(response): def assume_role_policy(connection, module): params = { - 'RoleArn': module.params.get('role_arn'), - 'RoleSessionName': module.params.get('role_session_name'), - 'Policy': module.params.get('policy'), - 'DurationSeconds': module.params.get('duration_seconds'), - 'ExternalId': module.params.get('external_id'), - 'SerialNumber': module.params.get('mfa_serial_number'), - 'TokenCode': module.params.get('mfa_token') + "RoleArn": module.params.get("role_arn"), + "RoleSessionName": module.params.get("role_session_name"), + "Policy": module.params.get("policy"), + "DurationSeconds": module.params.get("duration_seconds"), + "ExternalId": module.params.get("external_id"), + "SerialNumber": module.params.get("mfa_serial_number"), + "TokenCode": module.params.get("mfa_token"), } changed = False 
@@ -154,19 +153,19 @@ def main(): argument_spec = dict( role_arn=dict(required=True), role_session_name=dict(required=True), - duration_seconds=dict(required=False, default=None, type='int'), + duration_seconds=dict(required=False, default=None, type="int"), external_id=dict(required=False, default=None), policy=dict(required=False, default=None), mfa_serial_number=dict(required=False, default=None), - mfa_token=dict(required=False, default=None, no_log=True) + mfa_token=dict(required=False, default=None, no_log=True), ) module = AnsibleAWSModule(argument_spec=argument_spec) - connection = module.client('sts') + connection = module.client("sts") assume_role_policy(connection, module) -if __name__ == '__main__': +if __name__ == "__main__": main() From 663d5381077055f99ae011da0c86a6499fea65df Mon Sep 17 00:00:00 2001 From: Mark Chappell Date: Sat, 1 Jul 2023 21:39:01 +0200 Subject: [PATCH 19/23] CI test fixups - Ansible milestone update (#1863) CI test fixups - Ansible milestone update SUMMARY Fixups failures exposed by #1852 ISSUE TYPE Bugfix Pull Request COMPONENT NAME dynamodb sts_assume_role ADDITIONAL INFORMATION Reviewed-by: Mark Chappell Reviewed-by: Alina Buzachis This commit was initially merged in https://github.com/ansible-collections/community.aws See: https://github.com/ansible-collections/community.aws/commit/7f05515ce1dac9f33b1303386d62dc3531f402e8 --- .../targets/sts_assume_role/tasks/main.yml | 27 ------------------- 1 file changed, 27 deletions(-) diff --git a/tests/integration/targets/sts_assume_role/tasks/main.yml b/tests/integration/targets/sts_assume_role/tasks/main.yml index be684dcea18..42ef51c04d0 100644 --- a/tests/integration/targets/sts_assume_role/tasks/main.yml +++ b/tests/integration/targets/sts_assume_role/tasks/main.yml 
@@ -51,33 +51,6 @@ - 'result.failed' - "'missing required arguments:' in result.msg" - # ============================================================ - - name: test with empty parameters - sts_assume_role: - role_arn: - role_session_name: - policy: - duration_seconds: - external_id: - mfa_token: - mfa_serial_number: - register: result - ignore_errors: true - - - name: assert with empty parameters - assert: - that: - - 'result.failed' - - "'Missing required parameter in input:' in result.msg" - when: result.module_stderr is not defined - - - name: assert with empty parameters - assert: - that: - - 'result.failed' - - "'Member must have length greater than or equal to 20' in result.module_stderr" - when: result.module_stderr is defined - # ============================================================ - name: test with only 'role_arn' parameter sts_assume_role: From 811357d8367c8c8bf22f8dc02b20c6d8014ebb7d Mon Sep 17 00:00:00 2001 
From: Mark Chappell Date: Thu, 31 Aug 2023 17:58:59 +0200 Subject: [PATCH 20/23] Mass update of docs and tests (credentials/session tokens) (#1921) Mass update of docs and tests (credentials/session tokens) SUMMARY We had a cleanup of credentials/session parameters which included a batch of deprecations and renames. Ensure that all of our tests and docs are using the 'canonical' names ISSUE TYPE Docs Pull Request COMPONENT NAME plugins/modules/batch_compute_environment.py plugins/modules/cloudformation_exports_info.py plugins/modules/ec2_vpc_vpn.py plugins/modules/elasticache.py plugins/modules/elasticache_parameter_group.py plugins/modules/elasticache_snapshot.py plugins/modules/ses_rule_set.py plugins/modules/sts_assume_role.py plugins/modules/sts_session_token.py tests/integration ADDITIONAL INFORMATION See also ansible-collections/amazon.aws#1172 ansible-collections/amazon.aws#1714 Reviewed-by: Alina Buzachis This commit was initially merged in https://github.com/ansible-collections/community.aws See: https://github.com/ansible-collections/community.aws/commit/4a5b50e9b9c0d6ca1a1f802f3b03d4f503c16885 --- plugins/modules/sts_assume_role.py | 13 +++++----- .../targets/sts_assume_role/tasks/main.yml | 24 +++++++++---------- 2 files changed, 19 insertions(+), 18 deletions(-) diff --git a/plugins/modules/sts_assume_role.py b/plugins/modules/sts_assume_role.py index 4a4860657cf..4d934c2d5cd 100644 --- a/plugins/modules/sts_assume_role.py +++ b/plugins/modules/sts_assume_role.py 
@@ -49,7 +49,8 @@ - The value provided by the MFA device, if the trust policy of the role being assumed requires MFA. type: str notes: - - In order to use the assumed role in a following playbook task you must pass the access_key, access_secret and access_token. + - In order to use the assumed role in a following playbook task you must pass the I(access_key), + I(secret_key) and I(session_token) parameters to modules that should use the assumed credentials. extends_documentation_fragment: - amazon.aws.common.modules - amazon.aws.region.modules @@ -80,19 +81,19 @@ """ EXAMPLES = r""" -# Note: These examples do not set authentication details, see the AWS Guide for details. - # Assume an existing role (more details: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) - community.aws.sts_assume_role: + access_key: AKIA1EXAMPLE1EXAMPLE + secret_key: 123456789abcdefghijklmnopqrstuvwxyzABCDE role_arn: "arn:aws:iam::123456789012:role/someRole" role_session_name: "someRoleSession" register: assumed_role # Use the assumed role above to tag an instance in account 123456789012 - amazon.aws.ec2_tag: - aws_access_key: "{{ assumed_role.sts_creds.access_key }}" - aws_secret_key: "{{ assumed_role.sts_creds.secret_key }}" - security_token: "{{ assumed_role.sts_creds.session_token }}" + access_key: "{{ assumed_role.sts_creds.access_key }}" + secret_key: "{{ assumed_role.sts_creds.secret_key }}" + session_token: "{{ assumed_role.sts_creds.session_token }}" resource: i-xyzxyz01 state: present tags: diff --git a/tests/integration/targets/sts_assume_role/tasks/main.yml b/tests/integration/targets/sts_assume_role/tasks/main.yml index 42ef51c04d0..23e0dba7843 100644 --- a/tests/integration/targets/sts_assume_role/tasks/main.yml +++ b/tests/integration/targets/sts_assume_role/tasks/main.yml 
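Review bot: The rewritten example puts a literal `access_key: AKIA1EXAMPLE1EXAMPLE` and `secret_key: 123456789abcdefghijklmnopqrstuvwxyzABCDE` directly into the task, and the same hunk drops the `# Note: These examples do not set authentication details, see the AWS Guide for details.` line that previously steered readers away from that. Examples are what gets pasted into real playbooks, so long-lived keys inline in YAML is the wrong pattern to model; show `access_key: "{{ aws_access_key }}"` / `secret_key: "{{ aws_secret_key }}"` with a comment that these come from vault or the environment, or restore the removed note and leave the credential arguments out of the example altogether. If the placeholder values are kept, a comment marking them as illustrative (`# example values only, never commit real keys`) keeps the docs from looking like a template to fill in.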
@@ -4,9 +4,9 @@ - module_defaults: group/aws: region: "{{ aws_region }}" - aws_access_key: "{{ aws_access_key }}" - aws_secret_key: "{{ aws_secret_key }}" - security_token: "{{ security_token | default(omit) }}" + access_key: "{{ aws_access_key }}" + secret_key: "{{ aws_secret_key }}" + session_token: "{{ security_token | default(omit) }}" collections: - amazon.aws block: @@ -39,9 +39,9 @@ # ============================================================ - name: test with no parameters sts_assume_role: - aws_access_key: '{{ omit }}' - aws_secret_key: '{{ omit }}' - security_token: '{{ omit }}' + access_key: '{{ omit }}' + secret_key: '{{ omit }}' + session_token: '{{ omit }}' register: result ignore_errors: true @@ -248,9 +248,9 @@ # ============================================================ - name: test that assumed credentials have IAM read-only access iam_role: - aws_access_key: "{{ assumed_role.sts_creds.access_key }}" - aws_secret_key: "{{ assumed_role.sts_creds.secret_key }}" - security_token: "{{ assumed_role.sts_creds.session_token }}" + access_key: "{{ assumed_role.sts_creds.access_key }}" + secret_key: "{{ assumed_role.sts_creds.secret_key }}" + session_token: "{{ assumed_role.sts_creds.session_token }}" name: "{{ iam_role_name }}" assume_role_policy_document: "{{ lookup('template','policy.json.j2') }}" create_instance_profile: False @@ -267,9 +267,9 @@ # ============================================================ - name: test assumed role with unprivileged action iam_role: - aws_access_key: "{{ assumed_role.sts_creds.access_key }}" - aws_secret_key: "{{ assumed_role.sts_creds.secret_key }}" - security_token: "{{ assumed_role.sts_creds.session_token }}" + access_key: "{{ assumed_role.sts_creds.access_key }}" + secret_key: "{{ assumed_role.sts_creds.secret_key }}" + session_token: "{{ assumed_role.sts_creds.session_token }}" name: "{{ iam_role_name }}-new" assume_role_policy_document: "{{ lookup('template','policy.json.j2') }}" state: present 
From 37fd8154be6cf60b38fb4350aec64a55511a5076 Mon Sep 17 00:00:00 2001 From: Mandar Kulkarni Date: Thu, 28 Sep 2023 15:56:26 -0700 Subject: [PATCH 21/23] Update runtime --- meta/runtime.yml | 209 ++++++++++++++++++++++++----------------------- 1 file changed, 105 insertions(+), 104 deletions(-) diff --git a/meta/runtime.yml b/meta/runtime.yml index da395988b6f..e1b75a1678d 100644 --- a/meta/runtime.yml +++ b/meta/runtime.yml 
@@ -2,110 +2,111 @@ requires_ansible: '>=2.12.0' action_groups: aws: - - autoscaling_group - - autoscaling_group_info - - aws_az_info - - aws_caller_info - - aws_s3 - - backup_plan - - backup_plan_info - - backup_selection - - backup_selection_info - - backup_tag - - backup_tag_info - - backup_vault - - backup_vault_info - - cloudformation - - cloudformation_info - - cloudtrail - - cloudtrail_info - - cloudwatch_metric_alarm - - cloudwatch_metric_alarm_info - - cloudwatchevent_rule - - cloudwatchevent_rule - - cloudwatchlogs_log_group - - cloudwatchlogs_log_group_info - - cloudwatchlogs_log_group_metric_filter - - ec2_ami - - ec2_ami_info - - ec2_eip - - ec2_eip_info - - ec2_elb_lb - - ec2_eni - - ec2_eni_info - - ec2_group - - ec2_group_info - - ec2_instance - - ec2_instance_info - - ec2_key - - ec2_key_info - - ec2_security_group - - ec2_security_group_info - - ec2_snapshot - - ec2_snapshot_info - - ec2_spot_instance - - ec2_spot_instance_info - - ec2_tag - - ec2_tag_info - - ec2_vol - - ec2_vol_info - - ec2_vpc_dhcp_option - - ec2_vpc_dhcp_option_info - - ec2_vpc_endpoint - - ec2_vpc_endpoint_info - - ec2_vpc_endpoint_service_info - - ec2_vpc_igw - - ec2_vpc_igw_info - - ec2_vpc_nat_gateway - - ec2_vpc_nat_gateway_info - - ec2_vpc_net - - ec2_vpc_net_info - - ec2_vpc_route_table - - ec2_vpc_route_table_info - - ec2_vpc_subnet - - ec2_vpc_subnet_info - - elb_application_lb - - elb_application_lb_info - - elb_classic_lb - - execute_lambda - - iam_group - - iam_instance_profile - - iam_instance_profile_info - - iam_managed_policy - - iam_policy - - iam_policy_info - - iam_role - - iam_role_info - - iam_user - - iam_user_info - - kms_key - - kms_key_info - - lambda - - lambda_alias - - lambda_event - - lambda_execute - - lambda_info - - lambda_layer - - lambda_layer_info - - lambda_policy - - rds_cluster - - rds_cluster_info - - rds_cluster_snapshot - - rds_instance - - rds_instance_info - - rds_instance_snapshot - - rds_option_group - - rds_option_group_info - - 
rds_param_group - - rds_snapshot_info - - rds_subnet_group - - route53 - - route53_health_check - - route53_info - - route53_zone - - s3_bucket - - s3_object - - s3_object_info + - autoscaling_group + - autoscaling_group_info + - aws_az_info + - aws_caller_info + - aws_s3 + - backup_plan + - backup_plan_info + - backup_selection + - backup_selection_info + - backup_tag + - backup_tag_info + - backup_vault + - backup_vault_info + - cloudformation + - cloudformation_info + - cloudtrail + - cloudtrail_info + - cloudwatch_metric_alarm + - cloudwatch_metric_alarm_info + - cloudwatchevent_rule + - cloudwatchevent_rule + - cloudwatchlogs_log_group + - cloudwatchlogs_log_group_info + - cloudwatchlogs_log_group_metric_filter + - ec2_ami + - ec2_ami_info + - ec2_eip + - ec2_eip_info + - ec2_elb_lb + - ec2_eni + - ec2_eni_info + - ec2_group + - ec2_group_info + - ec2_instance + - ec2_instance_info + - ec2_key + - ec2_key_info + - ec2_security_group + - ec2_security_group_info + - ec2_snapshot + - ec2_snapshot_info + - ec2_spot_instance + - ec2_spot_instance_info + - ec2_tag + - ec2_tag_info + - ec2_vol + - ec2_vol_info + - ec2_vpc_dhcp_option + - ec2_vpc_dhcp_option_info + - ec2_vpc_endpoint + - ec2_vpc_endpoint_info + - ec2_vpc_endpoint_service_info + - ec2_vpc_igw + - ec2_vpc_igw_info + - ec2_vpc_nat_gateway + - ec2_vpc_nat_gateway_info + - ec2_vpc_net + - ec2_vpc_net_info + - ec2_vpc_route_table + - ec2_vpc_route_table_info + - ec2_vpc_subnet + - ec2_vpc_subnet_info + - elb_application_lb + - elb_application_lb_info + - elb_classic_lb + - execute_lambda + - iam_group + - iam_instance_profile + - iam_instance_profile_info + - iam_managed_policy + - iam_policy + - iam_policy_info + - iam_role + - iam_role_info + - iam_user + - iam_user_info + - kms_key + - kms_key_info + - lambda + - lambda_alias + - lambda_event + - lambda_execute + - lambda_info + - lambda_layer + - lambda_layer_info + - lambda_policy + - rds_cluster + - rds_cluster_info + - rds_cluster_snapshot + - 
rds_instance + - rds_instance_info + - rds_instance_snapshot + - rds_option_group + - rds_option_group_info + - rds_param_group + - rds_snapshot_info + - rds_subnet_group + - route53 + - route53_health_check + - route53_info + - route53_zone + - s3_bucket + - s3_object + - s3_object_info + - sts_assume_role plugin_routing: action: aws_s3: From 70a6b901d1a7a25a3813b0b65e3241d45e64589b Mon Sep 17 00:00:00 2001 From: Mandar Kulkarni Date: Thu, 28 Sep 2023 16:00:51 -0700 Subject: [PATCH 22/23] promote sts_assume_role --- changelogs/fragments/migrate_sts_assume_role.yml | 4 ++++ plugins/modules/sts_assume_role.py | 5 +++-- tests/integration/targets/cloudtrail/tasks/main.yml | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) create mode 100644 changelogs/fragments/migrate_sts_assume_role.yml diff --git a/changelogs/fragments/migrate_sts_assume_role.yml b/changelogs/fragments/migrate_sts_assume_role.yml new file mode 100644 index 00000000000..f054230de9b --- /dev/null +++ b/changelogs/fragments/migrate_sts_assume_role.yml @@ -0,0 +1,4 @@ +major_changes: +- sts_assume_role - The module has been migrated from the ``community.aws`` collection. + Playbooks using the Fully Qualified Collection Name for this module should be updated + to use ``amazon.aws.sts_assume_role``. diff --git a/plugins/modules/sts_assume_role.py b/plugins/modules/sts_assume_role.py index 4d934c2d5cd..96abfd20136 100644 --- a/plugins/modules/sts_assume_role.py +++ b/plugins/modules/sts_assume_role.py @@ -8,6 +8,7 @@ --- module: sts_assume_role version_added: 1.0.0 +version_added_collection: community.aws short_description: Assume a role using AWS Security Token Service and obtain temporary credentials description: - Assume a role using AWS Security Token Service and obtain temporary credentials. 
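Review bot: `cloudwatchevent_rule` appears twice in the rewritten `aws` action group (the new side re-adds both entries, right after `cloudwatch_metric_alarm_info`), so the list keeps a redundant entry that this rewrite-and-append of the whole group is the natural place to drop; the later "fix indentation for runtime/meta" hunk of the same file carries the duplicate forward unchanged. Appending `sts_assume_role` to the group means any `module_defaults: group/aws` settings (credentials, region) now also apply to this module; the sts_assume_role integration tasks appear to rely on that, and the changelog fragment for the migration would be clearer if it mentioned it, e.g. `- sts_assume_role is now part of the aws action group, so group/aws module_defaults apply to it.`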
@@ -82,7 +83,7 @@ EXAMPLES = r""" # Assume an existing role (more details: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) -- community.aws.sts_assume_role: +- amazon.aws.sts_assume_role: access_key: AKIA1EXAMPLE1EXAMPLE secret_key: 123456789abcdefghijklmnopqrstuvwxyzABCDE role_arn: "arn:aws:iam::123456789012:role/someRole" @@ -109,7 +110,7 @@ from ansible.module_utils.common.dict_transformations import camel_dict_to_snake_dict -from ansible_collections.community.aws.plugins.module_utils.modules import AnsibleCommunityAWSModule as AnsibleAWSModule +from ansible_collections.amazon.aws.plugins.module_utils.modules import AnsibleAWSModule def _parse_response(response): diff --git a/tests/integration/targets/cloudtrail/tasks/main.yml b/tests/integration/targets/cloudtrail/tasks/main.yml index 60d1dad95c0..86fc7bdc605 100644 --- a/tests/integration/targets/cloudtrail/tasks/main.yml +++ b/tests/integration/targets/cloudtrail/tasks/main.yml @@ -1336,7 +1336,7 @@ # Assume role to a role with Denied access to KMS - - community.aws.sts_assume_role: + - amazon.aws.sts_assume_role: role_arn: '{{ output_cloudwatch_no_kms_role.arn }}' role_session_name: "cloudtrailNoKms" region: '{{ aws_region }}' From 01fbbb61319be1f3142929360871da646e21b32d Mon Sep 17 00:00:00 2001 From: Mandar Kulkarni Date: Thu, 28 Sep 2023 16:08:43 -0700 Subject: [PATCH 23/23] fix indentation for runtime/meta --- meta/runtime.yml | 210 +++++++++++++++++++++++------------------------ 1 file changed, 105 insertions(+), 105 deletions(-) diff --git a/meta/runtime.yml b/meta/runtime.yml index e1b75a1678d..aa51fc25fc0 100644 --- a/meta/runtime.yml +++ b/meta/runtime.yml 
@@ -2,111 +2,111 @@ requires_ansible: '>=2.12.0' action_groups: aws: - - autoscaling_group - - autoscaling_group_info - - aws_az_info - - aws_caller_info - - aws_s3 - - backup_plan - - backup_plan_info - - backup_selection - - backup_selection_info - - backup_tag - - backup_tag_info - - backup_vault - - backup_vault_info - - cloudformation - - cloudformation_info - - cloudtrail - - cloudtrail_info - - cloudwatch_metric_alarm - - cloudwatch_metric_alarm_info - - cloudwatchevent_rule - - cloudwatchevent_rule - - cloudwatchlogs_log_group - - cloudwatchlogs_log_group_info - - cloudwatchlogs_log_group_metric_filter - - ec2_ami - - ec2_ami_info - - ec2_eip - - ec2_eip_info - - ec2_elb_lb - - ec2_eni - - ec2_eni_info - - ec2_group - - ec2_group_info - - ec2_instance - - ec2_instance_info - - ec2_key - - ec2_key_info - - ec2_security_group - - ec2_security_group_info - - ec2_snapshot - - ec2_snapshot_info - - ec2_spot_instance - - ec2_spot_instance_info - - ec2_tag - - ec2_tag_info - - ec2_vol - - ec2_vol_info - - ec2_vpc_dhcp_option - - ec2_vpc_dhcp_option_info - - ec2_vpc_endpoint - - ec2_vpc_endpoint_info - - ec2_vpc_endpoint_service_info - - ec2_vpc_igw - - ec2_vpc_igw_info - - ec2_vpc_nat_gateway - - ec2_vpc_nat_gateway_info - - ec2_vpc_net - - ec2_vpc_net_info - - ec2_vpc_route_table - - ec2_vpc_route_table_info - - ec2_vpc_subnet - - ec2_vpc_subnet_info - - elb_application_lb - - elb_application_lb_info - - elb_classic_lb - - execute_lambda - - iam_group - - iam_instance_profile - - iam_instance_profile_info - - iam_managed_policy - - iam_policy - - iam_policy_info - - iam_role - - iam_role_info - - iam_user - - iam_user_info - - kms_key - - kms_key_info - - lambda - - lambda_alias - - lambda_event - - lambda_execute - - lambda_info - - lambda_layer - - lambda_layer_info - - lambda_policy - - rds_cluster - - rds_cluster_info - - rds_cluster_snapshot - - rds_instance - - rds_instance_info - - rds_instance_snapshot - - rds_option_group - - rds_option_group_info - - 
rds_param_group - - rds_snapshot_info - - rds_subnet_group - - route53 - - route53_health_check - - route53_info - - route53_zone - - s3_bucket - - s3_object - - s3_object_info - - sts_assume_role + - autoscaling_group + - autoscaling_group_info + - aws_az_info + - aws_caller_info + - aws_s3 + - backup_plan + - backup_plan_info + - backup_selection + - backup_selection_info + - backup_tag + - backup_tag_info + - backup_vault + - backup_vault_info + - cloudformation + - cloudformation_info + - cloudtrail + - cloudtrail_info + - cloudwatch_metric_alarm + - cloudwatch_metric_alarm_info + - cloudwatchevent_rule + - cloudwatchevent_rule + - cloudwatchlogs_log_group + - cloudwatchlogs_log_group_info + - cloudwatchlogs_log_group_metric_filter + - ec2_ami + - ec2_ami_info + - ec2_eip + - ec2_eip_info + - ec2_elb_lb + - ec2_eni + - ec2_eni_info + - ec2_group + - ec2_group_info + - ec2_instance + - ec2_instance_info + - ec2_key + - ec2_key_info + - ec2_security_group + - ec2_security_group_info + - ec2_snapshot + - ec2_snapshot_info + - ec2_spot_instance + - ec2_spot_instance_info + - ec2_tag + - ec2_tag_info + - ec2_vol + - ec2_vol_info + - ec2_vpc_dhcp_option + - ec2_vpc_dhcp_option_info + - ec2_vpc_endpoint + - ec2_vpc_endpoint_info + - ec2_vpc_endpoint_service_info + - ec2_vpc_igw + - ec2_vpc_igw_info + - ec2_vpc_nat_gateway + - ec2_vpc_nat_gateway_info + - ec2_vpc_net + - ec2_vpc_net_info + - ec2_vpc_route_table + - ec2_vpc_route_table_info + - ec2_vpc_subnet + - ec2_vpc_subnet_info + - elb_application_lb + - elb_application_lb_info + - elb_classic_lb + - execute_lambda + - iam_group + - iam_instance_profile + - iam_instance_profile_info + - iam_managed_policy + - iam_policy + - iam_policy_info + - iam_role + - iam_role_info + - iam_user + - iam_user_info + - kms_key + - kms_key_info + - lambda + - lambda_alias + - lambda_event + - lambda_execute + - lambda_info + - lambda_layer + - lambda_layer_info + - lambda_policy + - rds_cluster + - rds_cluster_info + - 
rds_cluster_snapshot + - rds_instance + - rds_instance_info + - rds_instance_snapshot + - rds_option_group + - rds_option_group_info + - rds_param_group + - rds_snapshot_info + - rds_subnet_group + - route53 + - route53_health_check + - route53_info + - route53_zone + - s3_bucket + - s3_object + - s3_object_info + - sts_assume_role plugin_routing: action: aws_s3: