Vhm*dZdZdZddlmZddlmZddlmZddlmZddlm Z dd lm Z dd lm Z dd l m Z dd lmZdd lmZddlmZej&ddZdZej&ddZej&ddZej0ddZdZdZej0ddZej:ddZdZej0dd Z ej&d!d"Z!ej&d#d$Z"d%Z#ej&d&d'Z$ej:d(d)Z%ej&d*d+Z&d,Z'ej&d-d.Z(d/Z)ej:d0d1Z*ej0d2d3Z+ej:d4d5Z,ej0d6d7Z-ej:d8d9Z.ej0d:d;Z/ej:d<d=Z0ej0d>d?Z1ej:d@dAZ2ej0dBdCZ3dDZ4ej:dEdFZ5ej0dGdHZ6ej:dIdJZ7ej0dKdLZ8ej:dMdNZ9dOZ:dPZ;e- Note: user names are unique within an account. Paths (O(path)) do B(not) affect the uniqueness requirements of O(name). For example it is not permitted to have both C(/Path1/MyUser) and C(/Path2/MyUser) in the same account. - O(user_name) was added as an alias in release 7.2.0. required: true type: str aliases: ['user_name'] path: description: - The path for the user. - For more information about IAM paths, see the AWS IAM identifiers documentation U(https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html). aliases: ['prefix', 'path_prefix'] required: false type: str version_added: 7.2.0 boundary: description: - The ARN of an IAM managed policy to apply as a boundary policy for this user. - Boundary policies can be used to restrict the permissions a user can excercise, but does not grant any policies in and of itself. - For more information on boundaries, see U(https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html). - Set to the empty string V("") to remove the boundary policy. aliases: ["boundary_policy_arn", "permissions_boundary"] required: false type: str version_added: 7.2.0 password: description: - The password to apply to the user. required: false type: str version_added: 2.2.0 version_added_collection: community.aws password_reset_required: description: - Defines if the user is required to set a new password when they log in. - Ignored unless a new password is set. required: false type: bool default: false version_added: 3.1.0 version_added_collection: community.aws update_password: default: always choices: ['always', 'on_create'] description: - When to update user passwords. - O(update_password=always) will ensure the password is set to O(password). - O(update_password=on_create) will only set the password for newly created users. type: str version_added: 2.2.0 version_added_collection: community.aws remove_password: description: - Option to delete user login passwords. - This field is mutually exclusive to O(password). type: 'bool' version_added: 2.2.0 version_added_collection: community.aws managed_policies: description: - A list of managed policy ARNs or friendly names to attach to the user. - To embed an inline policy, use M(community.aws.iam_policy). required: false type: list default: [] elements: str aliases: ['managed_policy'] state: description: - Create or remove the IAM user. required: true choices: [ 'present', 'absent' ] type: str purge_policies: description: - When O(purge_policies=true) any managed policies not listed in O(managed_policies) will be detached. required: false default: false type: bool aliases: ['purge_policy', 'purge_managed_policies'] wait: description: - When O(wait=True) the module will wait for up to O(wait_timeout) seconds for IAM user creation before returning. default: True type: bool version_added: 2.2.0 version_added_collection: community.aws wait_timeout: description: - How long (in seconds) to wait for creation / updates to complete. default: 120 type: int version_added: 2.2.0 version_added_collection: community.aws notes: - Support for O(tags) and O(purge_tags) was added in release 2.1.0. extends_documentation_fragment: - amazon.aws.common.modules - amazon.aws.region.modules - amazon.aws.tags - amazon.aws.boto3 a2 # Note: These examples do not set authentication details, see the AWS Guide for details. # Note: This module does not allow management of groups that users belong to. # Groups should manage their membership directly using amazon.aws.iam_group, # as users belong to them. - name: Create a user amazon.aws.iam_user: name: testuser1 state: present - name: Create a user with a password amazon.aws.iam_user: name: testuser1 password: SomeSecurePassword state: present - name: Create a user and attach a managed policy using its ARN amazon.aws.iam_user: name: testuser1 managed_policies: - arn:aws:iam::aws:policy/AmazonSNSFullAccess state: present - name: Remove all managed policies from an existing user with an empty list amazon.aws.iam_user: name: testuser1 state: present purge_policies: true - name: Create user with tags amazon.aws.iam_user: name: testuser1 state: present tags: Env: Prod - name: Delete the user amazon.aws.iam_user: name: testuser1 state: absent aE user: description: Dictionary containing all the user information. returned: success type: complex contains: arn: description: The Amazon Resource Name (ARN) specifying the user. type: str returned: always sample: "arn:aws:iam::123456789012:user/testuser1" create_date: description: The date and time, in ISO 8601 date-time format, when the user was created. type: str returned: always sample: "2017-02-08T04:36:28+00:00" user_id: description: The stable and unique string identifying the user. type: str returned: always sample: "AGPA12345EXAMPLE54321" user_name: description: The friendly name that identifies the user. type: str returned: always sample: "testuser1" path: description: The path to the user. type: str returned: always sample: "/" tags: description: User tags. type: dict returned: always sample: {"Env": "Prod"} attached_policies: version_added: 7.2.0 description: - List containing basic information about managed policies attached to the group. returned: always type: list elements: dict sample: [ { "policy_arn": "arn:aws:iam::123456789012:policy/test_policy", "policy_name": "test_policy" } ] contains: policy_arn: description: The Amazon Resource Name (ARN) specifying the managed policy. type: str sample: "arn:aws:iam::123456789012:policy/test_policy" policy_name: description: The friendly name that identifies the policy. type: str sample: test_policy )camel_dict_to_snake_dict)AnsibleIAMError)IAMErrorHandler)$convert_managed_policy_names_to_arns) get_iam_user)normalize_iam_user)validate_iam_identifiers)AnsibleAWSModule)AWSRetry)ansible_dict_to_boto3_tag_list)compare_aws_tagszwait for IAM user creationc J|jd}|jdi|y)N user_exists) get_waiterwait) connectionparamswaiters g/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/amazon/aws/plugins/modules/iam_user.py_wait_user_existsrs#  " "= 1FFKK&c|jjdsy|jjd}|jjd}t|d}||z}||d}t|||y)Nrname wait_timeout)Delay MaxAttempts) WaiterConfigUserName)rgetminr)rmodule user_namerdelay max_attempts waiter_configs rwait_iam_existsr(sk ==  V $ !!&)I==$$^4L  a E5(L#LAMj}yQrz create usercd|i}|r||d<|r||d<|rt||d<|jr|jd||jd ddi|d}t |S) Nr PathPermissionsBoundaryTagsT)changed create_params aws_retryUserr)r check_mode exit_json create_userr)rr#r$pathboundarytagsrusers rr3r3 s}) $F v(0$% 7=v V< !: ! ! ;D ;F ;F CD d ##rzcreate user login profilec *|jdddi|SNr/Tr)create_login_profilerrs r_create_login_profiler< *: * * DT DV DDrzupdate user login profilec *|jdddi|Sr9)update_login_profiler;s r_update_login_profiler@$r=rcF|||d}t|fi|}|r|St|fi|S)N)r PasswordPasswordResetRequired)r@r<)rrpasswordreset user_paramsretvals r_create_or_update_login_profilerH)s=!&K #: = =F   ;{ ;;rc>|y|dk(r|sy|rydt||||fS)N)FN on_create)TNT)rH)rr1r$rDupdaterEnew_users rensure_login_profilerM7s6 X 0YRWX XXrzget login profilecF|jd|jdS)NTr/r LoginProfile)get_login_profiler!rrs r_get_login_profilerSCs#  ' '$ ' F J J> ZZrzdelete login profilec*|jd|yNTrO)delete_login_profilerRs r_delete_login_profilerWHs##dT#BrcL|ry|syt||}|sy|ryt||y)NFT)rSrW)rr1r$remove_passwordrL login_profiles rremove_login_profiler[Ms5 'z9=M *i0 rzget policies for userc.|jd|dS)NTrOAttachedPolicies)list_attached_user_policies)rr$s r_list_attached_policiesr__s  1 1D9 1 UVh iirzattach policy to usercD|sy|ry|D]}|j||yNFT)r PolicyArn)attach_user_policyrr1r$policies policy_arns rattach_policiesrgd2 P %%yJ%OPrzdetach policy from usercD|sy|ry|D]}|j||yra)detach_user_policyrds rdetach_policiesrknrhrc8|yt||}t||}|Dcgc]}|d }}tt|t|z }g} |r tt|t|z } |s| sy|ryt |||| t ||||ycc}w)NFrbT)rr_listsetrkrg) rr1r$managed_policiespurge_policiesattached_policies_descpolicycurrent_attached_policiespolicies_to_addpolicies_to_removes rensure_managed_policiesrvxs;JHXY5ZKCY Z !4 Z Z3/037P3QQRO!#&?"@3GWCX"XY #5J I7IJJ IG !![s Bzset tags for userc|y|d}t|||\}}|s|sy|ry|r|j|||r|j|t|y)NFr6) purge_tagsT)r TagKeys)r r,)r untag_usertag_userr ) rr1r7r$new_tagsrx existing_tags tags_to_addtags_to_removes rensure_user_tagsrslLM"2=(Wa"bK +y.IY5ST_5`a rz$remove permissions boundary for userc0|ry|jd|yrU) delete_user_permissions_boundaryrr1r$s r!_delete_user_permissions_boundaryrs//$/Srz!set permissions boundary for userc2|ry|jd||y)NT)r/r r+)put_user_permissions_boundary)rr1r$r5s r_put_user_permissions_boundaryrs,,tiem,nrc|y|r|jddnd}|r|jd}||k(ry|ry|dk(rt|||yt||||y)NFpermissions_boundarypermissions_boundary_arnT)r!rr)rr1r7r$r5current_boundarys rensure_permissions_boundaryrss?Ctxx 6;+//0JK##2~)*j)L  'z:y(S rzset path for usercp|y|r|jddnd}||k(ry|ry|jd||y)NFr4rT)r/r NewPath)r! update_user)rr1r7r$r4 current_paths r ensure_pathrsG |+/488FB'TL |TItL rc N|jjd}d}d}t||}|jjd}|r)t||jjdgd}|Rt ||||jjd||jjd}d}t ||d}t ||j||jjd|jjd |jjd |\}}||z}|t||j||jjd |z}|t||j|||z}|t||j|||jjdz}|t||j||jjd |jjd z}|t||j|||jjd|jjdz}|jr|j|t||}|r'|r%|jdijdd|d < dt||i} |jt!| |j|d|i|y#t"$r1} |j%dt'| j(Yd} ~ Ld} ~ wwxYw)NrFr5rr4r6TrDupdate_passwordpassword_reset_requiredrYrorprxr-rPrCattached_policiesz#Failed to list attached policies - r7)r-iam_userr7)rr!rrr3r(rMr1r[rrrvrr2r_rKrrwarnstr exception) rr#r$r-rLr7r5profile_changedrZrees rcreate_or_update_userrs !!&)IGH  I .D}}  ,H7 V]]EVEVWaEbDcdefg |    MM  f %  MM  f %   F+%9 *% +, 34&"O] G # +, G *  G {  &! G & ,- *+ G   &! ,' G)  I .D=*7*;*;NB*O*S*STkmr*s &' ')@Y)WX ,X67 W~DI   1#akk2B1C D   s+(K** L$3'LL$zdelete access keyc2|ry|jd||y)NT)r/r AccessKeyId)delete_access_keyrr1r$key_ids rrrEs!  4)QW X rzlist access keyscf|jd|d}|sy|D]}t||||dy)NTrOAccessKeyMetadataFr)list_access_keysr)rr1r$ access_keys access_keys rdelete_access_keysrMsJ--y-QRefK !X *j)Z =VWX rzdelete SSH keyc2|ry|jd||yNT)r/r SSHPublicKeyIddelete_ssh_public_keyrs rdelete_ssh_keyrWs!$$tiX^$_ rz list SSH keyscf|jd|d}|sy|D]}t||||dy)NTrO SSHPublicKeysFr)list_ssh_public_keysr)rr1r$ public_keys public_keys rdelete_ssh_public_keysr_sK11D91UVefK !X z:y*EU:VWX rzdelete service credentialc2|ry|jd||yrr)rr1r$cred_ids rdelete_service_credentialris!$$tiX_$` rzlist service credentialscf|jd|d}|sy|D]}t||||dy)NTrOServiceSpecificCredentialsFServiceSpecificCredentialId)!list_service_specific_credentialsr)rr1r$ credentials credentials rdelete_service_credentialsrqsP>>Xa>b$K !p !*j)ZPmEnop rzdelete signing certificatec2|ry|jd||y)NT)r/r CertificateId)delete_signing_certificate)rr1r$cert_ids rrr}s!))D9\c)d rzlist signing certificatescf|jd|d}|sy|D]}t||||dy)NTrO CertificatesFr)list_signing_certificatesr)rr1r$ certificates certificates rdelete_signing_certificatesrsL77$QZ7[\jkL #d ":z9kRaFbcd rzdelete MFA devicec2|ry|jd||y)NT)r/r SerialNumber)deactivate_mfa_device)rr1r$ device_ids rdelete_mfa_devicers!$$tiV_$` rzlist MFA devicescf|jd|d}|sy|D]}t||||dy)NTrO MFADevicesFr)list_mfa_devicesr)rr1r$devicesdevices rdelete_mfa_devicesrsI))D9)Ml[G U*j)VN=STU rcft||}|Dcgc]}|d }}t||||ycc}w)Nrb)r_rk)rr1r$rqrrrss rdetach_all_policiesrs=4ZKCY Z !4 Z ZJ I7PQ![s .zdelete inline policyc2|ry|jd||y)NT)r/r PolicyName)delete_user_policy)rr1r$rrs rdelete_inline_policyrs!!!D9QW!X rzlist inline policiesc`|jd|d}|sy|D]}t||||y)NTrO PolicyNamesF)list_user_policiesr)rr1r$inline_policies policy_names rdelete_inline_policiesrsE 33dY3WXefO &M ZY LM rzremove user from groupc2|ry|jd||y)NT)r/r GroupName)remove_user_from_group)rr1r$ group_names rremove_from_grouprs!%%yT^%_ rzlist groups containing usercf|jd|d}|sy|D]}t||||dy)NTrOGroupsFr)list_groups_for_userr)rr1r$ user_groupsgroups rremove_from_all_groupsrsJ11D91UV^_K Q*j)U;=OPQ rz delete userc0|ry|jd|yrU) delete_userrs rrrsTI> rc|jjd}t||}|s|jd|jr|jdt ||j|ddt ||j|t||j|t||j|t||j|t||j|t||j|t||j|t||j|t||j|}|j|y)NrFrT)rr!rr2r1r[rrrrrrrrr)rr#r$r7r-s r destroy_userrs !!&)I  I .D '&$V%6%6 4Oz6#4#4i@:v'8'8)Dz6+<+r%sey v) V: xVSShPV\XPfX&%%&BCD R&%%m4$5$"&%%&ABECE $##$?@EAE < Y$##$78[9[(''(>?C@C$$##$;<j=j&%%&=>P?P&%%&?@PAP6&%%&9:;,(''(NOTPT &%%&IJoKo .&%%&9:;"aJH(''(;<=$##$678(''(89:$##O45(''(CDE$##$>?@(''(DEF$##$?@A(''(;<=$##$678R(''(>?@$##$:;<(''(@AB$##$ABC('' 67&&R/&d zFr