From 53f2b40289a5174ff54703987c1b8fa87be34573 Mon Sep 17 00:00:00 2001
From: FERNANDO MENDIETA <56233573+valkiriaaquatica@users.noreply.github.com>
Date: Mon, 4 Mar 2024 19:39:30 +0100
Subject: [PATCH 01/16] returns boolean if a user has access to console login

I have added that now return in the return json the parameter console_access in boolean format to know if the user has or not access to login by console to the account. It can be used in cases where you only want users to access with keys or by landing zones...
---
 plugins/modules/iam_user_info.py | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/plugins/modules/iam_user_info.py b/plugins/modules/iam_user_info.py
index 259d268038d..64cee31cbdc 100644
--- a/plugins/modules/iam_user_info.py
+++ b/plugins/modules/iam_user_info.py
@@ -111,8 +111,20 @@
 from ansible_collections.amazon.aws.plugins.module_utils.iam import list_iam_users
 from ansible_collections.amazon.aws.plugins.module_utils.iam import normalize_iam_user
 from ansible_collections.amazon.aws.plugins.module_utils.modules import AnsibleAWSModule
+##import of botocore
+from botocore.exceptions import ClientError
 
-
+##add function to check if a user has or not access to login via console
+def check_console_access(connection, user_name):
+ try:
+ connection.get_login_profile(UserName=user_name)
+ return True
+ except ClientError as e:
+ if e.response['Error']['Code'] == 'NoSuchEntity':
+ return False
+ else:
+ raise
+
 def _list_users(connection, name, group, path):
 # name but not path or group
 if name and not (path or group):
@@ -136,6 +148,8 @@ def _list_users(connection, name, group, path):
 def list_users(connection, name, group, path):
 users = _list_users(connection, name, group, path)
 users = [u for u in users if u is not None]
+ for user in users:
+ user['console_access'] = check_console_access(connection, user['UserName'])
 return [normalize_iam_user(user) for user in users]
 
 
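Review bot: check_console_access treats only the NoSuchEntity code as "no console password" and re-raises every other ClientError, so when the calling credentials are not allowed to read login profiles (an AccessDenied, for example) the exception leaves list_users as a raw botocore error; main() catches only AnsibleIAMError (its `except AnsibleIAMError as e:` is visible in the patch-15 hunks), so the module would die with a traceback instead of a fail_json result. The loop added in the second hunk also issues one get_login_profile call per listed user, so listing a whole account multiplies the API volume and makes throttling, which this version re-raises the same way, far more likely. Commit 11 of this series addresses both by stacking AWSRetry.jittered_backoff and IAMErrorHandler.list_error_handler on the function, but it should be squashed with this one so that no intermediate commit ships the bare re-raise. The function also lacks a docstring; `"""Return True when the user has a console login profile, False when GetLoginProfile reports NoSuchEntity."""` would state the contract as written here.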
From 6c1e8a877bdbee02dd739b9aafb1322a0f1ac04a Mon Sep 17 00:00:00 2001
From: VALKIRIA ACUATICA <56233573+valkiriaaquatica@users.noreply.github.com>
Date: Thu, 21 Mar 2024 15:39:20 +0100
Subject: [PATCH 02/16] Update plugins/modules/iam_user_info.py

Co-authored-by: Bikouo Aubin <79859644+abikouo@users.noreply.github.com>
---
 plugins/modules/iam_user_info.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/plugins/modules/iam_user_info.py b/plugins/modules/iam_user_info.py
index 64cee31cbdc..24dfb6656d5 100644
--- a/plugins/modules/iam_user_info.py
+++ b/plugins/modules/iam_user_info.py
@@ -117,8 +117,7 @@
 ##add function to check if a user has or not access to login via console
 def check_console_access(connection, user_name):
 try:
- connection.get_login_profile(UserName=user_name)
- return True
+ return connection.get_login_profile(UserName=user_name)['LoginProfile']
 except ClientError as e:
 if e.response['Error']['Code'] == 'NoSuchEntity':
 return False

From 97c771d6f511ee43f67f40859d1d2d3537940216 Mon Sep 17 00:00:00 2001
From: VALKIRIA ACUATICA <56233573+valkiriaaquatica@users.noreply.github.com>
Date: Thu, 21 Mar 2024 15:40:12 +0100
Subject: [PATCH 03/16] change ClientError to boto3 exception

Co-authored-by: Bikouo Aubin <79859644+abikouo@users.noreply.github.com>
---
 plugins/modules/iam_user_info.py | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/plugins/modules/iam_user_info.py b/plugins/modules/iam_user_info.py
index 24dfb6656d5..7de497324c4 100644
--- a/plugins/modules/iam_user_info.py
+++ b/plugins/modules/iam_user_info.py
@@ -118,11 +118,8 @@
 def check_console_access(connection, user_name):
 try:
 return connection.get_login_profile(UserName=user_name)['LoginProfile']
- except ClientError as e:
- if e.response['Error']['Code'] == 'NoSuchEntity':
- return False
- else:
- raise
+ except is_boto3_error_code("NoSuchEntity"):
+ return {}
 
 def _list_users(connection, name, group, path):
 # name but not path or group
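Review bot: `except is_boto3_error_code("NoSuchEntity"):` in the patch-03 hunk uses a name this commit does not import; the hunk only replaces the except clause and the import line is first touched in commit 07, so at this commit the series is not bisectable. Python evaluates the except expression only when an exception actually reaches it, so the module keeps working as long as every get_login_profile call succeeds and then fails with a NameError that hides the real error (a throttle, a denied call) the first time one does not. Add the import in the same commit; as far as I can tell the helper's canonical home in this collection is module_utils.botocore, so the `from ansible_collections.amazon.aws.plugins.module_utils.modules import AnsibleAWSModule, is_boto3_error_code` form chosen in commit 07 should be checked to actually resolve. Returning `{}` on not-found while the success path returns the LoginProfile dict is a reasonable single-type contract, but the function's name still says "check" and the commit subject still says boolean, so rename or document it when the shape settles.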
From 6358d9d82f7d58dffb2c9ff93c250dc4374c8f9a Mon Sep 17 00:00:00 2001
From: VALKIRIA ACUATICA <56233573+valkiriaaquatica@users.noreply.github.com>
Date: Thu, 21 Mar 2024 15:40:18 +0100
Subject: [PATCH 04/16] Update plugins/modules/iam_user_info.py

Co-authored-by: Bikouo Aubin <79859644+abikouo@users.noreply.github.com>
---
 plugins/modules/iam_user_info.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/modules/iam_user_info.py b/plugins/modules/iam_user_info.py
index 7de497324c4..b720ba6847a 100644
--- a/plugins/modules/iam_user_info.py
+++ b/plugins/modules/iam_user_info.py
@@ -145,7 +145,7 @@ def list_users(connection, name, group, path):
 users = _list_users(connection, name, group, path)
 users = [u for u in users if u is not None]
 for user in users:
- user['console_access'] = check_console_access(connection, user['UserName'])
+ user['LoginProfile'] = check_console_access(connection, user['UserName'])
 return [normalize_iam_user(user) for user in users]
 
 

From 782716cd0db4b99b0dce31dee280af0fda1422ab Mon Sep 17 00:00:00 2001
From: VALKIRIA ACUATICA <56233573+valkiriaaquatica@users.noreply.github.com>
Date: Thu, 21 Mar 2024 15:46:57 +0100
Subject: [PATCH 05/16] add console_access in RETURNS and delete import botocore

---
 plugins/modules/iam_user_info.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/plugins/modules/iam_user_info.py b/plugins/modules/iam_user_info.py
index b720ba6847a..f79cf60a803 100644
--- a/plugins/modules/iam_user_info.py
+++ b/plugins/modules/iam_user_info.py
@@ -103,6 +103,11 @@
 type: dict
 returned: if user exists
 sample: '{"Env": "Prod"}'
+ console_access:
+ description: If user has access to log in from AWS default console.
+ returned: always
+ type: bool
+ sample: "true"
 """
 
 from ansible_collections.amazon.aws.plugins.module_utils.iam import AnsibleIAMError
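Review bot: the RETURN entry added in the patch-05 hunk documents a console_access boolean, but after commit 04 list_users stores the LoginProfile dict (or {}) under `user['LoginProfile']`, which normalize_iam_user will presumably expose as login_profile, so at this commit the documentation describes a key and a type that the module does not return; commit 12 corrects it, and squashing the two would avoid the inconsistent state. Independently, `sample: "true"` is a YAML string, not a boolean; for a bool field it should read `sample: true`. The snake-case key name is an assumption about normalize_iam_user that is not visible in this hunk.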
@@ -111,8 +116,6 @@
 from ansible_collections.amazon.aws.plugins.module_utils.iam import list_iam_users
 from ansible_collections.amazon.aws.plugins.module_utils.iam import normalize_iam_user
 from ansible_collections.amazon.aws.plugins.module_utils.modules import AnsibleAWSModule
-##import of botocore
-from botocore.exceptions import ClientError
 
 ##add function to check if a user has or not access to login via console
 def check_console_access(connection, user_name):

From 233e5c3f8e0015f6f0b6b8b2ad38e090abbb2f2f Mon Sep 17 00:00:00 2001
From: VALKIRIA ACUATICA <56233573+valkiriaaquatica@users.noreply.github.com>
Date: Thu, 21 Mar 2024 15:53:34 +0100
Subject: [PATCH 06/16] add changelog info for pr

---
 changelogs/fragments/20240321-iam-user-info.yml | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 changelogs/fragments/20240321-iam-user-info.yml

diff --git a/changelogs/fragments/20240321-iam-user-info.yml b/changelogs/fragments/20240321-iam-user-info.yml
new file mode 100644
index 00000000000..f76eefec7b1
--- /dev/null
+++ b/changelogs/fragments/20240321-iam-user-info.yml
@@ -0,0 +1,3 @@
+---
+minor_changes:
+ - iam_user_info - Add console_access to return info that is get from a user, to know if they can login from AWS console (https://github.com/ansible-collections/amazon.aws/pull/2012).

From f21d5907e3e7c128362b48b71958b85ed264e9f1 Mon Sep 17 00:00:00 2001
From: VALKIRIA ACUATICA <56233573+valkiriaaquatica@users.noreply.github.com>
Date: Thu, 21 Mar 2024 16:06:53 +0100
Subject: [PATCH 07/16] remove whitespace and add is_boto3_error_code

---
 plugins/modules/iam_user_info.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/plugins/modules/iam_user_info.py b/plugins/modules/iam_user_info.py
index f79cf60a803..853e4716673 100644
--- a/plugins/modules/iam_user_info.py
+++ b/plugins/modules/iam_user_info.py
@@ -115,15 +115,15 @@
 from ansible_collections.amazon.aws.plugins.module_utils.iam import get_iam_user
 from ansible_collections.amazon.aws.plugins.module_utils.iam import list_iam_users
 from ansible_collections.amazon.aws.plugins.module_utils.iam import normalize_iam_user
-from ansible_collections.amazon.aws.plugins.module_utils.modules import AnsibleAWSModule
+from ansible_collections.amazon.aws.plugins.module_utils.modules import AnsibleAWSModule, is_boto3_error_code
 
-##add function to check if a user has or not access to login via console
+#add function to check if a user has or not access to login via console
 def check_console_access(connection, user_name):
 try:
 return connection.get_login_profile(UserName=user_name)['LoginProfile']
 except is_boto3_error_code("NoSuchEntity"):
 return {}
-
+
 def _list_users(connection, name, group, path):
 # name but not path or group
 if name and not (path or group):

From 00780e8a9ef0a9e0ac8f448f80b6d56cb634a05b Mon Sep 17 00:00:00 2001
From: VALKIRIA ACUATICA <56233573+valkiriaaquatica@users.noreply.github.com>
Date: Thu, 21 Mar 2024 16:11:12 +0100
Subject: [PATCH 08/16] change comment

---
 plugins/modules/iam_user_info.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/modules/iam_user_info.py b/plugins/modules/iam_user_info.py
index 853e4716673..f44eca79f18 100644
--- a/plugins/modules/iam_user_info.py
+++ b/plugins/modules/iam_user_info.py
@@ -117,8 +117,8 @@
 from ansible_collections.amazon.aws.plugins.module_utils.iam import normalize_iam_user
 from ansible_collections.amazon.aws.plugins.module_utils.modules import AnsibleAWSModule, is_boto3_error_code
 
-#add function to check if a user has or not access to login via console
 def check_console_access(connection, user_name):
+# add function to check if a user has or not access to login via console
 try:
 return connection.get_login_profile(UserName=user_name)['LoginProfile']
 except is_boto3_error_code("NoSuchEntity"):
From fa407a18c666dcb1df160119311ceeedf2f0ae75 Mon Sep 17 00:00:00 2001
From: VALKIRIA ACUATICA <56233573+valkiriaaquatica@users.noreply.github.com>
Date: Thu, 21 Mar 2024 17:35:12 +0100
Subject: [PATCH 09/16] Update plugins/modules/iam_user_info.py

Co-authored-by: Mark Chappell
---
 plugins/modules/iam_user_info.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/plugins/modules/iam_user_info.py b/plugins/modules/iam_user_info.py
index f44eca79f18..0f0ab6f7484 100644
--- a/plugins/modules/iam_user_info.py
+++ b/plugins/modules/iam_user_info.py
@@ -115,7 +115,8 @@
 from ansible_collections.amazon.aws.plugins.module_utils.iam import get_iam_user
 from ansible_collections.amazon.aws.plugins.module_utils.iam import list_iam_users
 from ansible_collections.amazon.aws.plugins.module_utils.iam import normalize_iam_user
-from ansible_collections.amazon.aws.plugins.module_utils.modules import AnsibleAWSModule, is_boto3_error_code
+from ansible_collections.amazon.aws.plugins.module_utils.modules import AnsibleAWSModule
+from ansible_collections.amazon.aws.plugins.module_utils.retries import AWSRetry
 
 def check_console_access(connection, user_name):
 # add function to check if a user has or not access to login via console

From 59e81f7e622ce5ad2c996f58acdb22f621ecf681 Mon Sep 17 00:00:00 2001
From: VALKIRIA ACUATICA <56233573+valkiriaaquatica@users.noreply.github.com>
Date: Thu, 21 Mar 2024 17:50:08 +0100
Subject: [PATCH 10/16] Update plugins/modules/iam_user_info.py

Co-authored-by: Mark Chappell
---
 plugins/modules/iam_user_info.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/plugins/modules/iam_user_info.py b/plugins/modules/iam_user_info.py
index 0f0ab6f7484..f9b40bccda6 100644
--- a/plugins/modules/iam_user_info.py
+++ b/plugins/modules/iam_user_info.py
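Review bot: the rewritten import line in the patch-09 hunk drops is_boto3_error_code while the except clause of check_console_access, which sits just below the hunk's last context line and is only rewritten in commit 11, still reads `except is_boto3_error_code("NoSuchEntity"):`, so at this commit any failure of get_login_profile turns into a NameError instead of the intended `{}` or re-raise. The AWSRetry import added here likewise has no user until commit 11. Squash 09 through 11 into one commit so that every commit in the series leaves the module importable and runnable; anyone bisecting a later regression would otherwise land on this broken intermediate state. The body of check_console_access is outside this hunk.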
@@ -111,6 +111,7 @@
 """
 
 from ansible_collections.amazon.aws.plugins.module_utils.iam import AnsibleIAMError
+from ansible_collections.amazon.aws.plugins.module_utils.iam import IAMErrorHandler
 from ansible_collections.amazon.aws.plugins.module_utils.iam import get_iam_group
 from ansible_collections.amazon.aws.plugins.module_utils.iam import get_iam_user
 from ansible_collections.amazon.aws.plugins.module_utils.iam import list_iam_users

From c5e7da6544dbae6aaa6d8617ae599b8d71165544 Mon Sep 17 00:00:00 2001
From: VALKIRIA ACUATICA <56233573+valkiriaaquatica@users.noreply.github.com>
Date: Thu, 21 Mar 2024 18:07:35 +0100
Subject: [PATCH 11/16] Update plugins/modules/iam_user_info.py

instead of boolean it returns user info so if a user has console access info will be returned

Co-authored-by: Mark Chappell
---
 plugins/modules/iam_user_info.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/plugins/modules/iam_user_info.py b/plugins/modules/iam_user_info.py
index f9b40bccda6..1c09cbaa40a 100644
--- a/plugins/modules/iam_user_info.py
+++ b/plugins/modules/iam_user_info.py
@@ -119,12 +119,11 @@
 from ansible_collections.amazon.aws.plugins.module_utils.modules import AnsibleAWSModule
 from ansible_collections.amazon.aws.plugins.module_utils.retries import AWSRetry
 
+
+@IAMErrorHandler.list_error_handler("get login profile", {})
+@AWSRetry.jittered_backoff()
 def check_console_access(connection, user_name):
-# add function to check if a user has or not access to login via console
- try:
- return connection.get_login_profile(UserName=user_name)['LoginProfile']
- except is_boto3_error_code("NoSuchEntity"):
- return {}
+ return connection.get_login_profile(UserName=user_name)['LoginProfile']
 
 def _list_users(connection, name, group, path):
 # name but not path or group

From 8e5c340117236afa3f52636a2dfe52e89551b6e7 Mon Sep 17 00:00:00 2001
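Review bot: check_console_access in the patch-11 hunk now carries its whole contract in the two decorators and has no docstring; add `"""Return the user's LoginProfile dict, or {} (the default handed to the error handler) when the user has no console login profile."""` so a reader does not have to know what list_error_handler does with its second argument. Whether `IAMErrorHandler.list_error_handler("get login profile", {})` maps only the not-found case to that default and converts every other client error (an AccessDenied on GetLoginProfile, say) into the AnsibleIAMError that main() catches is not visible in this hunk and is worth confirming, because list_users calls this once per user and a read-only inventory role that may not call GetLoginProfile would otherwise fail the whole module rather than just omit the field. The decorator order looks right as far as I can tell: the retry sits inside the error handler, so throttling is retried before the handler ever sees it. The new requirement that the caller may call GetLoginProfile for every returned user is not mentioned in the module DOCUMENTATION anywhere in the series; one line there, e.g. `The module calls GetLoginProfile for each returned user; users without a console password return an empty login_profile.`, would spare operators a permissions surprise.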
From: VALKIRIA ACUATICA <56233573+valkiriaaquatica@users.noreply.github.com>
Date: Thu, 21 Mar 2024 18:35:20 +0100
Subject: [PATCH 12/16] add login_profile to RETURN info

---
 plugins/modules/iam_user_info.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/plugins/modules/iam_user_info.py b/plugins/modules/iam_user_info.py
index 1c09cbaa40a..97bdf7e167a 100644
--- a/plugins/modules/iam_user_info.py
+++ b/plugins/modules/iam_user_info.py
@@ -103,11 +103,11 @@
 type: dict
 returned: if user exists
 sample: '{"Env": "Prod"}'
- console_access:
- description: If user has access to log in from AWS default console.
+ login_profile:
+ description: Detailed login profile information if the user has access to log in from AWS default console. Returns an empty object {} if no access.
 returned: always
- type: bool
- sample: "true"
+ type: dict
+ sample: {"create_date": "2024-03-20T12:50:56+00:00", "password_reset_required": false, "user_name": "i_am_a_user"}
 """
 
 from ansible_collections.amazon.aws.plugins.module_utils.iam import AnsibleIAMError

From 1a33fb49b9c3ac7165ad7f26716272ec84322165 Mon Sep 17 00:00:00 2001
From: Mark Chappell
Date: Fri, 22 Mar 2024 08:15:22 +0100
Subject: [PATCH 13/16] Update changelogs/fragments/20240321-iam-user-info.yml

Co-authored-by: Bikouo Aubin <79859644+abikouo@users.noreply.github.com>
---
 changelogs/fragments/20240321-iam-user-info.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/changelogs/fragments/20240321-iam-user-info.yml b/changelogs/fragments/20240321-iam-user-info.yml
index f76eefec7b1..5c5c3677e62 100644
--- a/changelogs/fragments/20240321-iam-user-info.yml
+++ b/changelogs/fragments/20240321-iam-user-info.yml
@@ -1,3 +1,3 @@
 ---
 minor_changes:
- - iam_user_info - Add console_access to return info that is get from a user, to know if they can login from AWS console (https://github.com/ansible-collections/amazon.aws/pull/2012).
+ - iam_user_info - Add ``login_profile`` to return info that is get from a user, to know if they can login from AWS console (https://github.com/ansible-collections/amazon.aws/pull/2012).

From 02234c09e2f5773e0ebb064fe0b105a916147885 Mon Sep 17 00:00:00 2001
From: VALKIRIA ACUATICA <56233573+valkiriaaquatica@users.noreply.github.com>
Date: Fri, 22 Mar 2024 08:25:02 +0100
Subject: [PATCH 14/16] fix whitespaces and lines issue

---
 plugins/modules/iam_user_info.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/plugins/modules/iam_user_info.py b/plugins/modules/iam_user_info.py
index 97bdf7e167a..b592e6a4fa6 100644
--- a/plugins/modules/iam_user_info.py
+++ b/plugins/modules/iam_user_info.py
@@ -120,11 +120,12 @@
 from ansible_collections.amazon.aws.plugins.module_utils.retries import AWSRetry
 
 
-@IAMErrorHandler.list_error_handler("get login profile", {})
+@IAMErrorHandler.list_error_handler("get login profile", {})
 @AWSRetry.jittered_backoff()
 def check_console_access(connection, user_name):
 return connection.get_login_profile(UserName=user_name)['LoginProfile']
 
+
 def _list_users(connection, name, group, path):
 # name but not path or group
 if name and not (path or group):

From 07d9d29c94e94e54838636f09e531eed6d70f4d7 Mon Sep 17 00:00:00 2001
From: VALKIRIA ACUATICA <56233573+valkiriaaquatica@users.noreply.github.com>
Date: Fri, 22 Mar 2024 09:06:05 +0100
Subject: [PATCH 15/16] apply black suggerations

---
 plugins/modules/iam_user_info.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/plugins/modules/iam_user_info.py b/plugins/modules/iam_user_info.py
index b592e6a4fa6..8d3b8825989 100644
--- a/plugins/modules/iam_user_info.py
+++ b/plugins/modules/iam_user_info.py
@@ -123,7 +123,7 @@
 @IAMErrorHandler.list_error_handler("get login profile", {})
 @AWSRetry.jittered_backoff()
 def check_console_access(connection, user_name):
- return connection.get_login_profile(UserName=user_name)['LoginProfile']
+ return connection.get_login_profile(UserName=user_name)["LoginProfile"]
 
 
 def _list_users(connection, name, group, path):
@@ -150,7 +150,7 @@ def list_users(connection, name, group, path):
 users = _list_users(connection, name, group, path)
 users = [u for u in users if u is not None]
 for user in users:
- user['LoginProfile'] = check_console_access(connection, user['UserName'])
+ user["LoginProfile"] = check_console_access(connection, user["UserName"])
 return [normalize_iam_user(user) for user in users]
 
 
@@ -162,7 +162,9 @@ def main():
 )
 
 module = AnsibleAWSModule(
- argument_spec=argument_spec, mutually_exclusive=[["group", "path_prefix"]], supports_check_mode=True
+ argument_spec=argument_spec,
+ mutually_exclusive=[["group", "path_prefix"]],
+ supports_check_mode=True,
 )
 
 name = module.params.get("name")
@@ -171,7 +173,9 @@ def main():
 connection = module.client("iam")
 
 try:
- module.exit_json(changed=False, iam_users=list_users(connection, name, group, path))
+ module.exit_json(
+ changed=False, iam_users=list_users(connection, name, group, path)
+ )
 except AnsibleIAMError as e:
 module.fail_json_aws_error(e)
 

From 2dfd377c44db2a7172aacfd6f971830f7e1afe44 Mon Sep 17 00:00:00 2001
From: VALKIRIA ACUATICA <56233573+valkiriaaquatica@users.noreply.github.com>
Date: Fri, 22 Mar 2024 09:23:50 +0100
Subject: [PATCH 16/16] tox changes

---
 plugins/modules/iam_user_info.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/plugins/modules/iam_user_info.py b/plugins/modules/iam_user_info.py
index 8d3b8825989..2ddbe1d5a1b 100644
--- a/plugins/modules/iam_user_info.py
+++ b/plugins/modules/iam_user_info.py
@@ -173,9 +173,7 @@ def main():
 connection = module.client("iam")
 
 try:
- module.exit_json(
- changed=False, iam_users=list_users(connection, name, group, path)
- )
+ module.exit_json(changed=False, iam_users=list_users(connection, name, group, path))
 except AnsibleIAMError as e:
 module.fail_json_aws_error(e)
 