| Server IP : 85.214.239.14 / Your IP : 3.143.237.203 Web Server : Apache/2.4.62 (Debian) System : Linux h2886529.stratoserver.net 4.9.0 #1 SMP Tue Jan 9 19:45:01 MSK 2024 x86_64 User : www-data ( 33) PHP Version : 7.4.18 Disable Function : pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare, MySQL : OFF | cURL : OFF | WGET : ON | Perl : ON | Python : ON | Sudo : ON | Pkexec : OFF Directory : /lib/python3/dist-packages/ansible_collections/community/aws/plugins/modules/ |
Upload File : |
#!/usr/bin/python
# Copyright: (c) 2018, Aaron Smith <ajsmith10381@gmail.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
module: config_rule
version_added: 1.0.0
short_description: Manage AWS Config rule resources
description:
- Module manages AWS Config rules.
- Prior to release 5.0.0 this module was called C(community.aws.aws_config_rule).
The usage did not change.
author:
- "Aaron Smith (@slapula)"
options:
name:
description:
- The name of the AWS Config resource.
required: true
type: str
state:
description:
- Whether the Config rule should be present or absent.
default: present
choices: ['present', 'absent']
type: str
description:
description:
- The description that you provide for the AWS Config rule.
type: str
scope:
description:
- Defines which resources can trigger an evaluation for the rule.
suboptions:
compliance_types:
description:
- The resource types of only those AWS resources that you want to trigger an evaluation for the rule.
You can only specify one type if you also specify a resource ID for I(compliance_id).
compliance_id:
description:
- The ID of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID,
you must specify one resource type for I(compliance_types).
tag_key:
description:
- The tag key that is applied to only those AWS resources that you want to trigger an evaluation for the rule.
tag_value:
description:
- The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule.
If you specify a value for I(tag_value), you must also specify a value for I(tag_key).
type: dict
source:
description:
- Provides the rule owner (AWS or customer), the rule identifier, and the notifications that cause the function to
evaluate your AWS resources.
suboptions:
owner:
description:
- The resource types of only those AWS resources that you want to trigger an evaluation for the rule.
You can only specify one type if you also specify a resource ID for I(compliance_id).
identifier:
description:
- The ID of the only AWS resource that you want to trigger an evaluation for the rule.
If you specify a resource ID, you must specify one resource type for I(compliance_types).
details:
description:
- Provides the source and type of the event that causes AWS Config to evaluate your AWS resources.
- This parameter expects a list of dictionaries. Each dictionary expects the following key/value pairs.
- Key C(EventSource) The source of the event, such as an AWS service, that triggers AWS Config to evaluate your AWS resources.
- Key C(MessageType) The type of notification that triggers AWS Config to run an evaluation for a rule.
- Key C(MaximumExecutionFrequency) The frequency at which you want AWS Config to run evaluations for a custom rule with a periodic trigger.
type: dict
required: true
input_parameters:
description:
- A string, in JSON format, that is passed to the AWS Config rule Lambda function.
type: str
execution_frequency:
description:
- The maximum frequency with which AWS Config runs evaluations for a rule.
choices: ['One_Hour', 'Three_Hours', 'Six_Hours', 'Twelve_Hours', 'TwentyFour_Hours']
type: str
extends_documentation_fragment:
- amazon.aws.aws
- amazon.aws.ec2
- amazon.aws.boto3
'''
EXAMPLES = '''
- name: Create Config Rule for AWS Config
community.aws.config_rule:
name: test_config_rule
state: present
description: 'This AWS Config rule checks for public write access on S3 buckets'
scope:
compliance_types:
- 'AWS::S3::Bucket'
source:
owner: AWS
identifier: 'S3_BUCKET_PUBLIC_WRITE_PROHIBITED'
'''
RETURN = '''#'''
try:
import botocore
except ImportError:
pass # handled by AnsibleAWSModule
from ansible.module_utils.common.dict_transformations import camel_dict_to_snake_dict
from ansible_collections.amazon.aws.plugins.module_utils.core import AnsibleAWSModule
from ansible_collections.amazon.aws.plugins.module_utils.core import is_boto3_error_code
from ansible_collections.amazon.aws.plugins.module_utils.ec2 import AWSRetry
def rule_exists(client, module, params):
try:
rule = client.describe_config_rules(
ConfigRuleNames=[params['ConfigRuleName']],
aws_retry=True,
)
return rule['ConfigRules'][0]
except is_boto3_error_code('NoSuchConfigRuleException'):
return
except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e: # pylint: disable=duplicate-except
module.fail_json_aws(e)
def create_resource(client, module, params, result):
try:
client.put_config_rule(
ConfigRule=params
)
result['changed'] = True
return result
except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:
module.fail_json_aws(e, msg="Couldn't create AWS Config rule")
def update_resource(client, module, params, result):
current_params = client.describe_config_rules(
ConfigRuleNames=[params['ConfigRuleName']],
aws_retry=True,
)
del current_params['ConfigRules'][0]['ConfigRuleArn']
del current_params['ConfigRules'][0]['ConfigRuleId']
del current_params['ConfigRules'][0]['EvaluationModes']
if params != current_params['ConfigRules'][0]:
try:
client.put_config_rule(
ConfigRule=params
)
result['changed'] = True
result['rule'] = camel_dict_to_snake_dict(rule_exists(client, module, params))
return result
except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:
module.fail_json_aws(e, msg="Couldn't create AWS Config rule")
def delete_resource(client, module, params, result):
try:
response = client.delete_config_rule(
ConfigRuleName=params['ConfigRuleName'],
aws_retry=True,
)
result['changed'] = True
result['rule'] = {}
return result
except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:
module.fail_json_aws(e, msg="Couldn't delete AWS Config rule")
def main():
module = AnsibleAWSModule(
argument_spec={
'name': dict(type='str', required=True),
'state': dict(type='str', choices=['present', 'absent'], default='present'),
'description': dict(type='str'),
'scope': dict(type='dict'),
'source': dict(type='dict', required=True),
'input_parameters': dict(type='str'),
'execution_frequency': dict(
type='str',
choices=[
'One_Hour',
'Three_Hours',
'Six_Hours',
'Twelve_Hours',
'TwentyFour_Hours'
]
),
},
supports_check_mode=False,
)
result = {
'changed': False
}
name = module.params.get('name')
resource_type = module.params.get('resource_type')
state = module.params.get('state')
params = {}
if name:
params['ConfigRuleName'] = name
if module.params.get('description'):
params['Description'] = module.params.get('description')
if module.params.get('scope'):
params['Scope'] = {}
if module.params.get('scope').get('compliance_types'):
params['Scope'].update({
'ComplianceResourceTypes': module.params.get('scope').get('compliance_types')
})
if module.params.get('scope').get('tag_key'):
params['Scope'].update({
'TagKey': module.params.get('scope').get('tag_key')
})
if module.params.get('scope').get('tag_value'):
params['Scope'].update({
'TagValue': module.params.get('scope').get('tag_value')
})
if module.params.get('scope').get('compliance_id'):
params['Scope'].update({
'ComplianceResourceId': module.params.get('scope').get('compliance_id')
})
if module.params.get('source'):
params['Source'] = {}
if module.params.get('source').get('owner'):
params['Source'].update({
'Owner': module.params.get('source').get('owner')
})
if module.params.get('source').get('identifier'):
params['Source'].update({
'SourceIdentifier': module.params.get('source').get('identifier')
})
if module.params.get('source').get('details'):
params['Source'].update({
'SourceDetails': module.params.get('source').get('details')
})
if module.params.get('input_parameters'):
params['InputParameters'] = module.params.get('input_parameters')
if module.params.get('execution_frequency'):
params['MaximumExecutionFrequency'] = module.params.get('execution_frequency')
params['ConfigRuleState'] = 'ACTIVE'
client = module.client('config', retry_decorator=AWSRetry.jittered_backoff())
existing_rule = rule_exists(client, module, params)
if state == 'present':
if not existing_rule:
create_resource(client, module, params, result)
else:
update_resource(client, module, params, result)
if state == 'absent':
if existing_rule:
delete_resource(client, module, params, result)
module.exit_json(**result)
if __name__ == '__main__':
main()