
Comments (6)

mdavis-xyz avatar mdavis-xyz commented on June 12, 2024

I'm unable to tag the author @wimnat

from community.aws.

mdavis-xyz avatar mdavis-xyz commented on June 12, 2024

Oh, it seems tags do work. It just doesn't look like it when I'm typing.

Anyway, I'm trying to look at the code to figure out what's happening.

I think the problem is that compare_policies, called from compare_assume_role_policy_document, is comparing a JSON string to a dictionary.

I find it hard to read Ansible code. But I'm guessing that the call in get_role is calling boto3.client('iam').get_role(), which returns the existing policy as a string, not a dictionary.

If compare_policies is passed two identical policies, except that one is a dict and one is a JSON string, then after looking at this, I think it would say that they are different (as opposed to throwing an exception).


tremble avatar tremble commented on June 12, 2024

I can see that you're testing against 2.9.0; there's been some fairly major surgery to the module between the version in Ansible 2.9 and this collection. Are you able to reproduce the issue using the version from this repo?


mdavis-xyz avatar mdavis-xyz commented on June 12, 2024

I haven't tested against the latest version.

After the big split, is this collection usable yet? Do I just do pip install ansible --pre and then galaxy install community.aws?

Note that whilst I haven't executed the code to test my PR (due to #120), I have read the code in the master branch, and it looks like the bug is still there, both in terms of functionality and a missing 'not' in the test.

I'll try executing with the latest release.


tremble avatar tremble commented on June 12, 2024

The 'not' in the test is correct. I've done a little testing and I think I've narrowed down the actual bug.

The following results in 'changed':

- hosts: localhost
  collections:
  - amazon.aws
  - community.aws
  tasks:
  - name: "Create role for SMS logging"
    iam_role:
      name: testing-SNSSMSDeliveryStatusLogging
      assume_role_policy_document:
        Statement:
        - Action:
          - "sts:AssumeRole"
          Effect: Allow
          Principal:
            Service:
            - "sns.amazonaws.com"
      managed_policy:
        # let SNS log to CloudWatch
        - "arn:aws:iam::aws:policy/service-role/AmazonSNSRole"
      boundary: "arn:aws:iam::aws:policy/PowerUserAccess" # should be "{{ boundary_policy_arn }}"
      create_instance_profile: False # must be false when assigning a boundary policy

This, however, does not:

- hosts: localhost
  collections:
  - amazon.aws
  - community.aws
  tasks:
  - name: "Create role for SMS logging"
    iam_role:
      name: testing-SNSSMSDeliveryStatusLogging
      assume_role_policy_document:
        Statement:
        - Action:
          - "sts:AssumeRole"
          Effect: Allow
          Principal:
            Service:
            - "sns.amazonaws.com"
        Version: "2008-10-17"
      managed_policy:
        # let SNS log to CloudWatch
        - "arn:aws:iam::aws:policy/service-role/AmazonSNSRole"
      boundary: "arn:aws:iam::aws:policy/PowerUserAccess" # should be "{{ boundary_policy_arn }}"
      create_instance_profile: False # must be false when assigning a boundary policy

Notice the added "Version" in the policy.

What's complex is that this would technically be a bug over in amazon.aws (the compare_policy function lives over there).

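The two failure modes raised in this thread (a dict compared against the JSON string returned by the IAM API, and a playbook policy that omits "Version" compared against the stored copy that carries "2008-10-17") can be reproduced outside Ansible. The example below is added here and is not code from the amazon.aws or community.aws collections; normalize_policy and policies_equivalent are illustrative names, and the sample policies are constructed to mirror the trust policy in the playbooks above. It relies on one documented AWS behaviour: a policy document with no Version element is treated as version 2008-10-17.

```python
import json
from typing import Any, Union

# IAM treats a policy without a "Version" element as 2008-10-17, which is why
# the document read back from the API carries a key the playbook never set.
DEFAULT_POLICY_VERSION = "2008-10-17"

# Fields where IAM accepts either a bare string or a list of strings, and where
# list order carries no meaning.
LIST_VALUED_KEYS = {"Action", "NotAction", "Resource", "NotResource",
                    "Service", "AWS", "Federated"}


def _canon(node: Any) -> Any:
    """Recursively canonicalize: wrap bare strings in lists where IAM allows
    either form, and sort lists so element order cannot cause a mismatch."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            if key in LIST_VALUED_KEYS and isinstance(value, str):
                value = [value]
            out[key] = _canon(value)
        return out
    if isinstance(node, list):
        return sorted((_canon(x) for x in node),
                      key=lambda x: json.dumps(x, sort_keys=True))
    return node


def normalize_policy(policy: Union[str, dict]) -> dict:
    """Return a canonical dict for an IAM policy given as a dict (as a
    playbook supplies it) or as a JSON string (as an API response may)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    doc = _canon(policy)
    doc.setdefault("Version", DEFAULT_POLICY_VERSION)  # fill in the implied default
    return doc


def naive_compare(a: Union[str, dict], b: Union[str, dict]) -> bool:
    """Compare the documents as-is: a dict never equals a str, and a missing
    Version key makes otherwise identical dicts unequal."""
    return a == b


def policies_equivalent(a: Union[str, dict], b: Union[str, dict]) -> bool:
    """Compare after normalization, so only real differences report a change."""
    return normalize_policy(a) == normalize_policy(b)


# Constructed sample: what the playbook passes (no Version, list-valued fields).
PLAYBOOK_POLICY = {
    "Statement": [{
        "Action": ["sts:AssumeRole"],
        "Effect": "Allow",
        "Principal": {"Service": ["sns.amazonaws.com"]},
    }],
}

# Constructed sample: the same trust policy as IAM might hand it back, serialized
# as a JSON string, with the default Version present and bare-string scalars.
IAM_POLICY_JSON = json.dumps({
    "Version": "2008-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "sns.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed sample: a genuinely different trust policy (another principal).
DIFFERENT_POLICY_JSON = json.dumps({
    "Version": "2008-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})

if __name__ == "__main__":
    print("naive:      ", naive_compare(PLAYBOOK_POLICY, IAM_POLICY_JSON))
    print("normalized: ", policies_equivalent(PLAYBOOK_POLICY, IAM_POLICY_JSON))
    print("real change:", policies_equivalent(PLAYBOOK_POLICY, DIFFERENT_POLICY_JSON))
```

The naive comparison reports the SNS trust policy as changed on every run, which matters beyond noise: a module that rewrites a role's trust policy each time also re-applies it each time, and a comparison that is too loose would be the opposite problem, silently accepting a changed principal. The normalized comparison still distinguishes the third sample, where the trusted service actually differs.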

tremble avatar tremble commented on June 12, 2024

After the big split, is this collection usable yet? Do I just do pip install ansible --pre and then galaxy install community.aws?

I believe so, yes.

