Hey guys,
I’ve been using the beta 2.0 code for IAM modules in Ansible and was hoping to propose a couple of changes to these modules?
Firstly, I’ve noticed that the creation of an IAM role doesn’t return the AWS boto result. Instead it returns a list of all the IAM roles including the newly created one.
This seems a little odd, as surely if I just created a new IAM role, I want the results that AWS provides as part of that command.
AWS response:
{ 'Role': { 'Path': 'string', 'RoleName': 'string', 'RoleId': 'string', 'Arn': 'string', 'CreateDate': datetime(2015, 1, 1), 'AssumeRolePolicyDocument': 'string' } }
I was wondering whether there were any objections to updating from the following example:
```python
import boto.exception


def create_role(module, iam, name, path, role_list, prof_list):
    changed = False
    try:
        if name not in role_list:
            changed = True
            iam.create_role(
                name, path=path).create_role_response.create_role_result.role.role_name
        if name not in prof_list:
            iam.create_instance_profile(name, path=path)
            iam.add_role_to_instance_profile(name, name)
    except boto.exception.BotoServerError as err:
        module.fail_json(changed=changed, msg=str(err))
    else:
        # Returns every role name in the account, not the role just created
        updated_role_list = [rl['role_name'] for rl in iam.list_roles().list_roles_response.
                             list_roles_result.roles]
        return changed, updated_role_list
```
To this instead?
```python
import boto.exception


def create_role(module, iam, name, path, role_list, prof_list):
    changed = False
    result = None
    try:
        if name not in role_list:
            changed = True
            # Keep the AWS response for the role that was actually created
            result = iam.create_role(name, path=path)
        if name not in prof_list:
            iam.create_instance_profile(name, path=path)
            iam.add_role_to_instance_profile(name, name)
    except boto.exception.BotoServerError as err:
        module.fail_json(changed=changed, msg=str(err))
    else:
        return changed, result
```
The other thing that I’ve found but I’m not 100% sure how to fix is AWS’s eventual consistency issue. I can see that for the ec2 modules it’s being catered for by using a wait_for timeout to check for running state. But I’m not sure how IAM would work.
I’ve had the issue where I create a new IAM role for EC2 to consume, but when I go to attach it slightly later on in the play, I get instance_profile does not exist even though it does. If I rerun the play it’s fine, but this would cause me some issues as I’m running some of these plays using the in-memory hosts/variables.
“Instance creation failed => InvalidParameterValue: Value (vc_spectre_mongod_ec2_iam_role) for parameter iamInstanceProfile.name is invalid. Invalid IAM Instance Profile name”
Karen
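The eventual-consistency problem in the second part of the post (a freshly created instance profile that EC2 cannot yet see) is usually handled by polling for the profile before anything references it. The following is an added example, not code from the original post or from Ansible: a `wait_for_instance_profile` helper that retries only the "not found" error with exponential backoff and a deadline, so a permissions error or throttling fails fast instead of being retried as if it were propagation delay. The `FakeIAM` client and `FakeClock` are constructed stand-ins so the example runs offline; against real AWS you would pass a boto3 IAM client (which also ships its own `get_waiter('instance_profile_exists')`), and the exception type would be the client's `NoSuchEntityException`.

```python
# Added example: wait for an IAM instance profile to become visible after
# creation, tolerating AWS eventual consistency. Not Ansible's own code.
import time


class NoSuchEntity(Exception):
    """Stands in for the AWS 'NoSuchEntity' error returned by get_instance_profile."""


class FakeIAM(object):
    """Constructed IAM client: the profile only becomes visible on the
    `visible_after`-th lookup, mimicking propagation delay."""

    def __init__(self, name, visible_after):
        self.name = name
        self.visible_after = visible_after
        self.calls = 0

    def get_instance_profile(self, name):
        self.calls += 1
        if name != self.name or self.calls < self.visible_after:
            raise NoSuchEntity("The instance profile %s cannot be found." % name)
        return {"InstanceProfile": {
            "InstanceProfileName": name,
            # constructed ARN; 123456789012 is a placeholder account id
            "Arn": "arn:aws:iam::123456789012:instance-profile/" + name,
        }}


class FakeClock(object):
    """Constructed clock so tests do not really sleep: time() advances by
    exactly the amount passed to sleep()."""

    def __init__(self):
        self.now = 0.0

    def time(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def wait_for_instance_profile(iam, name, timeout=60.0, base_delay=1.0,
                              max_delay=8.0, sleep=time.sleep, clock=time.time):
    """Poll get_instance_profile until it succeeds or `timeout` seconds elapse.

    Returns the API response on success and raises TimeoutError otherwise.
    Only NoSuchEntity is retried; any other error propagates immediately so
    that a real failure (access denied, throttling) is not hidden as latency.
    """
    deadline = clock() + timeout
    delay = base_delay
    while True:
        try:
            return iam.get_instance_profile(name)
        except NoSuchEntity:
            if clock() >= deadline:
                raise TimeoutError("instance profile %s not visible after %ss"
                                   % (name, timeout))
            sleep(delay)
            # exponential backoff, capped so a long wait does not overshoot badly
            delay = min(delay * 2, max_delay)


if __name__ == "__main__":
    clock = FakeClock()
    iam = FakeIAM("example_ec2_role", visible_after=3)   # constructed name
    resp = wait_for_instance_profile(iam, "example_ec2_role",
                                     sleep=clock.sleep, clock=clock.time)
    print(resp["InstanceProfile"]["Arn"], "after", iam.calls, "lookups")
```

One caveat for the play described above: the IAM read can succeed before the EC2 control plane sees the new profile, so a `RunInstances` call can still come back with the `InvalidParameterValue ... iamInstanceProfile.name` error for a short while. Wrapping the launch itself in the same kind of bounded retry on that specific error message covers that gap; retrying on every error would not, and would mask genuine misconfiguration.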