Ended up using the policy lookup method:

---
- name: test
  hosts: localhost
  tasks:
  - name: Create IAM Managed Policy
    amazon.aws.iam_policy:
      iam_type: role
      iam_name: "aws_test_role"
      policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
      policy_json: "{{ lookup('template','policy.json.j2') }}"

Works, but I guess the whole policy needs to be replaced instead of appended.

On Thu, Feb 16, 2023 at 8:11 AM Tony Wong <tdubb...@gmail.com> wrote:

> OK, this is more of an Ansible problem.
>
> I like to put my policy changes in a vars file,
>
> so I have a policy.yaml file like this:
>
>
> policy.yaml
>
> acm-pca:ListTags
> acm-pca:GetPolicy
> acm-pca:GetPolicy
>
> ---
> - name: test
>   hosts: localhost
>   vars_files:
>     - policy.yml
>   tasks:
>   - name: Create IAM Managed Policy
>     amazon.aws.iam_policy:
>       iam_type: role
>       iam_name: "aws_test_role"
>       policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
>       policy_json: "{{ policy | to_json }}"
>       state: present
>     vars:
>       policy: |
>         Version: "2012-10-17"
>         Statement:
>         {% for action in actions %}
>           - Action: {{ action }}
>             Effect: Allow
>             Resource: "*"
>         {% endfor %}
>
>
> but when I run the pb it says:
>
> ERROR! variable files must contain either a dictionary of variables, or a
> list of dictionaries. Got: acm-pca:ListTags acm-pca:GetPolicy
> acm-pca:GetPolicy (<class 'ansible.parsing.yaml.objects.AnsibleUnicode'>)
>
>
> On Tue, Feb 14, 2023 at 5:05 AM 'Rowe, Walter P. (Fed)' via Ansible
> Project <ansible-project@googlegroups.com> wrote:
>
>> This is not an ansible problem. You need to read the AWS docs on
>> specifying IAM policies and make sure your policy adheres to their format
>> and only includes the key:value pairs they accept.
>>
>> Walter
>> --
>> Walter Rowe, Division Chief
>> Infrastructure Services, OISM
>> Mobile: 202.355.4123
>>
>> On Feb 13, 2023, at 1:47 PM, Tony Wong <tdubb...@gmail.com> wrote:
>>
>> Tried, but it failed:
>>
>> fatal: [localhost]: FAILED! => {
>>     "boto3_version": "1.24.27",
>>     "botocore_version": "1.27.27",
>>     "changed": false,
>>     "error": {
>>         "code": "MalformedPolicyDocument",
>>         "message": "Syntax errors in policy.",
>>         "type": "Sender"
>>     },
>>     "invocation": {
>>         "module_args": {
>>             "access_key": null,
>>             "aws_ca_bundle": null,
>>             "aws_config": null,
>>             "debug_botocore_endpoint_logs": false,
>>             "endpoint_url": null,
>>             "iam_name": "aws_test_role",
>>             "iam_type": "role",
>>             "policy_json": "\"Version: \\\"2012-10-17\\\"\\nStatement:\\n
>>  - Action: acm-pca:ListTags\\n    Effect: Allow\\n    Resource:
>> \\\"*\\\"\\n  - Action: acm-pca:GetPolicy\\n    Effect: Allow\\n
>>  Resource: \\\"*\\\"\\n  - Action: acm-pca:GetPolicy\\n    Effect: Allow\\n
>>    Resource: \\\"*\\\"\\n\"",
>>             "policy_name": "PrismaCloud-IAM-ReadOnly-Policy",
>>             "profile": null,
>>             "region": null,
>>             "secret_key": null,
>>             "session_token": null,
>>             "skip_duplicates": false,
>>             "state": "present",
>>             "validate_certs": true
>>         }
>>     },
>>     "msg": "An error occurred (MalformedPolicyDocument) when calling the
>> PutRolePolicy operation: Syntax errors in policy.",
>>     "response_metadata": {
>>         "http_headers": {
>>             "connection": "close",
>>             "content-length": "279",
>>             "content-type": "text/xml",
>>             "date": "Mon, 13 Feb 2023 16:10:28 GMT",
>>             "x-amzn-requestid": "8ab06377-a416-45ea-a132-328cd03d329f"
>>         },
>>         "http_status_code": 400,
>>         "request_id": "8ab06377-a416-45ea-a132-328cd03d329f",
>>         "retry_attempts": 0
>>     }
>> }
>>
>> On Mon, Feb 13, 2023 at 8:02 AM Dick Visser <dnmvis...@gmail.com> wrote:
>>
>>> On Mon, 13 Feb 2023 at 15:55, Tony Wong <tdubb...@gmail.com> wrote:
>>>
>>> >     "msg": "Failed to decode the policy as valid JSON: Expecting
>>> value: line 1 column 1 (char 0)"
>>>
>>> So, you will need to use proper JSON.
>>> Give this a try:
>>>
>>> ---
>>> - name: test
>>>   hosts: localhost
>>>   tasks:
>>>   - name: Create IAM Managed Policy
>>>     amazon.aws.iam_policy:
>>>       iam_type: role
>>>       iam_name: "aws_test_role"
>>>       policy_name: "PrismaCloud-IAM-ReadOnly-Policy"
>>>       policy_json: "{{ policy | to_json }}"
>>>       state: present
>>>     vars:
>>>       actions:
>>>         - acm-pca:ListTags
>>>         - acm-pca:GetPolicy
>>>         - acm-pca:GetPolicy
>>>       policy: |
>>>         Version: "2012-10-17"
>>>         Statement:
>>>         {% for action in actions %}
>>>           - Action: {{ action }}
>>>             Effect: Allow
>>>             Resource: "*"
>>>         {% endfor %}
>>>
>>> --
>>> You received this message because you are subscribed to a topic in the
>>> Google Groups "Ansible Project" group.
>>> To unsubscribe from this topic, visit
>>> https://groups.google.com/d/topic/ansible-project/WZzXL_z_teA/unsubscribe.
>>> To unsubscribe from this group and all its topics, send an email to
>>> ansible-project+unsubscr...@googlegroups.com.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/ansible-project/CAF8BbLZKn4GQEjnRUGTTsZ358_mJ6a1cpqyRPtbXvMzoUNtvJQ%40mail.gmail.com.
>>>
>>
>

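The root cause of the MalformedPolicyDocument error in this thread, as an added example in Python that is not code from the thread or from the amazon.aws collection: the `policy: |` block scalar made Jinja render YAML-looking text, and `to_json` of a string is a JSON string literal rather than a policy object, which is exactly what the `policy_json` value in the error output shows. The example builds the policy as data first, adds a local structural check you can run before calling AWS, and, going beyond the thread, shows what "appending" would have to look like given that `PutRolePolicy` replaces the named inline policy wholesale. `ACTIONS` is a constructed sample mirroring the thread's list, and `check_policy_document` is a hypothetical local approximation of IAM's structural rules, not the AWS validator.

```python
import json

# Constructed sample input, mirroring the action list used in the thread.
# The duplicate "acm-pca:GetPolicy" is kept on purpose to show it gets collapsed.
ACTIONS = ["acm-pca:ListTags", "acm-pca:GetPolicy", "acm-pca:GetPolicy"]


def render_policy_text(actions):
    """Reproduce what the thread's `policy: |` block scalar produced: Jinja renders
    YAML-looking *text*. Ansible's to_json filter then encodes that one string."""
    lines = ['Version: "2012-10-17"', "Statement:"]
    for action in actions:
        lines += [f"  - Action: {action}", "    Effect: Allow", '    Resource: "*"']
    return "\n".join(lines) + "\n"


def broken_policy_json(actions):
    """The failing path: JSON-encoding a string yields a JSON string literal, not a
    policy object, so IAM answers MalformedPolicyDocument ("Syntax errors in policy")."""
    return json.dumps(render_policy_text(actions))


def build_policy(actions):
    """The working path: build the policy as data first, then serialise it.
    Duplicate actions are collapsed (order preserved) into a single Action list."""
    unique_actions = list(dict.fromkeys(actions))
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": unique_actions, "Resource": "*"}],
    }


def working_policy_json(actions):
    return json.dumps(build_policy(actions), indent=2)


def merge_actions(existing_policy, new_actions):
    """PutRolePolicy replaces the named inline policy wholesale. To "append", read the
    current document, add the new actions to its first Allow statement, and put the
    merged result back. (Hypothetical helper; the thread does not do this.)"""
    merged = json.loads(json.dumps(existing_policy))  # deep copy via round-trip
    stmt = next(s for s in merged["Statement"] if s.get("Effect") == "Allow")
    current = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    stmt["Action"] = list(dict.fromkeys(current + list(new_actions)))
    return merged


def check_policy_document(policy_json):
    """Local structural check, run before calling AWS, for the mistakes IAM rejects
    with MalformedPolicyDocument. Returns a list of problems; empty means OK."""
    try:
        doc = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return [f"top level must be a JSON object, got {type(doc).__name__}"]
    problems = []
    if doc.get("Version") not in ("2012-10-17", "2008-10-17"):
        problems.append("Version must be 2012-10-17 or 2008-10-17")
    statements = doc.get("Statement")
    if isinstance(statements, dict):  # a single statement object is allowed
        statements = [statements]
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list of objects"]
    for i, s in enumerate(statements):
        if not isinstance(s, dict):
            problems.append(f"Statement[{i}] is not an object")
            continue
        if s.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"Statement[{i}].Effect must be Allow or Deny")
        if ("Action" in s) == ("NotAction" in s):
            problems.append(f"Statement[{i}] needs exactly one of Action / NotAction")
        if ("Resource" in s) == ("NotResource" in s):
            problems.append(f"Statement[{i}] needs exactly one of Resource / NotResource")
    return problems


if __name__ == "__main__":
    print("broken :", check_policy_document(broken_policy_json(ACTIONS)))
    print("working:", check_policy_document(working_policy_json(ACTIONS)) or "ok")
    print(working_policy_json(ACTIONS))
```

In Ansible terms, `build_policy` corresponds to declaring `policy` as a YAML mapping (or rendering a `.json.j2` template whose output is JSON, as the final message does) and only then applying `to_json`; the `vars_files` error in the thread is separate and comes from `policy.yaml` holding bare lines instead of a mapping such as `actions:` followed by a list.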