Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

iam_instance_profile: missing functionality #1842

Closed
1 task done
sean-freeman opened this issue Jun 12, 2023 · 6 comments · Fixed by ansible-collections/amazon.aws#1614
Closed
1 task done

iam_instance_profile: missing functionality #1842

sean-freeman opened this issue Jun 12, 2023 · 6 comments · Fixed by ansible-collections/amazon.aws#1614
Labels
needs_triage

Comments

@sean-freeman
Copy link

sean-freeman commented Jun 12, 2023
edited
Loading

Summary

Use of AWS IAM Instance Profiles for managing policies for specified AWS EC2 Instances is missing functionality.

This is not a feature request, it is missing functionality not handled by Ansible Modules iam_policy and iam_user that is necessary for proper management of AWS IAM for AWS EC2 resources.

API Reference documents:

Workaround sample code block using AWS CLI:

- name: Ansible Task block
  environment:
    AWS_ACCESS_KEY_ID: "{{aws_access_key}}"
    AWS_SECRET_ACCESS_KEY: "{{aws_secret_access_key}}"
    AWS_REGION: "{{aws_region}}"
  block:

    - name: AWS IAM Instance Profile - Create
      ansible.builtin.command: aws iam create-instance-profile
        --instance-profile-name "IAM-Instance-Profile-Test"
      ignore_errors: true

    - name: AWS IAM Instance Profile - Attach AWS IAM Role
      ansible.builtin.command: aws iam add-role-to-instance-profile
        --role-name "IAM-Role-Test"
        --instance-profile-name "IAM-Instance-Profile-Test"
      ignore_errors: true

    - name: AWS EC2 Instances - Attach AWS IAM Instance Profile
      ansible.builtin.command: aws ec2 associate-iam-instance-profile
        --iam-instance-profile "Name=IAM-Instance-Profile-Test"
        --instance-id {{hostvars['hostname'].ansible_board_asset_tag}}
      ignore_errors: true

Issue Type

Bug Report

Component Name

iam_instance_profile

Ansible Version

2.15.0

Collection Versions

5.4.0

AWS SDK versions

Name: boto3
Version: 1.26.143
---
Name: botocore
Version: 1.29.143

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
@tremble
Copy link
Contributor

tremble commented Jun 13, 2023

@sean-freeman,

Thank you for taking the time to open this issue.

I think this functionality would be very helpful to have in a standalone module. The community.aws.iam_role module has some support for creating Instance Profiles (by default creating an IAM role will create an Instance Profile), but has limited functionality.

Given that this is much more related to iam_role than iam_user (or iam_policy), this RFE is currently better suited to community.aws. community.aws is also where new modules are usually first added.

@tremble tremble transferred this issue from ansible-collections/amazon.aws Jun 13, 2023
This was referenced Jun 14, 2023
Closed
Merged
softwarefactory-project-zuul bot pushed a commit to ansible-collections/amazon.aws that referenced this issue Jun 27, 2023
@tremble
New modules: iam_instance_profile(_info) (#1614)
6a1f875 
New modules: iam_instance_profile(_info)

SUMMARY
New modules for listing/managing IAM Instance Profiles
ISSUE TYPE

New Module Pull Request

COMPONENT NAME
iam_instance_profile
iam_instance_profile_info
ADDITIONAL INFORMATION
Fixes: ansible-collections/community.aws#1842

Reviewed-by: Alina Buzachis
Reviewed-by: Mark Chappell
patchback bot pushed a commit to ansible-collections/amazon.aws that referenced this issue Jun 27, 2023
@tremble @patchback
New modules: iam_instance_profile(_info) (#1614)
ff9e7ce 
New modules: iam_instance_profile(_info)

SUMMARY
New modules for listing/managing IAM Instance Profiles
ISSUE TYPE

New Module Pull Request

COMPONENT NAME
iam_instance_profile
iam_instance_profile_info
ADDITIONAL INFORMATION
Fixes: ansible-collections/community.aws#1842

Reviewed-by: Alina Buzachis
Reviewed-by: Mark Chappell
(cherry picked from commit 6a1f875)
@patchback patchback bot mentioned this issue Jun 27, 2023
Merged
@sean-freeman
Copy link
Author

@tremble GH Issue should not be closed, as the PR does contain any Ansible Module changes to use the AWS IAM Instance Profile and attach to an AWS EC2 instance as a replacement for the following AWS CLI commands:

    - name: AWS EC2 Instances - Attach AWS IAM Instance Profile
      ansible.builtin.command: aws ec2 associate-iam-instance-profile
        --iam-instance-profile "Name=IAM-Instance-Profile-Test"
        --instance-id {{hostvars['hostname'].ansible_board_asset_tag}}
      ignore_errors: true

@tremble
Copy link
Contributor

tremble commented Jun 28, 2023

@sean-freeman I'm not sure what functionality you're saying is missing, could you help me understand?

The initial description mentions iam_policy (which is used for managing the inline policies for Users, Roles and Groups), and iam_user (which is used for managing Users). So I'm not sure why they're relevant.

Because IAM instance profiles can be attached to multiple EC2 instances, it's something we'd generally manage from the instance side rather than the profile side. (Managing them from the profile side means you need to know all instances mapped to the profile to add/delete an association)

@sean-freeman
Copy link
Author

@tremble For what you describe, it only allows for two scenarios:

  • 1 - an Instance Profile must be created first, before the AWS EC2 instance is created
  • 2 - or re-defining the AWS EC2 instance with the exact same configuration in Ansible (so no alterations are made when executed) to append the Instance Profile to an existing AWS EC2 instance

I agree, it should be managed from the instance side and this is my concern.

There is no separated method in the Ansible Collection, which matches to the AWS CLI command shown above and allows:

  • 3 - create a new AWS IAM Instance Profile, and then associate this new AWS IAM Instance Profile with an existing AWS EC2 Virtual Server.

Summary = amazon.aws.ec2_associate_iam_instance_profile should be provided in the Ansible Collection.

softwarefactory-project-zuul bot pushed a commit to ansible-collections/amazon.aws that referenced this issue Jun 30, 2023
@patchback
New modules: iam_instance_profile(_info) (#1614) (#1630)
9beb993 
[PR #1614/6a1f875e backport][stable-6] New modules: iam_instance_profile(_info)

This is a backport of PR #1614 as merged into main (6a1f875).
SUMMARY
New modules for listing/managing IAM Instance Profiles
ISSUE TYPE

New Module Pull Request

COMPONENT NAME
iam_instance_profile
iam_instance_profile_info
ADDITIONAL INFORMATION
Fixes: ansible-collections/community.aws#1842

Reviewed-by: Alina Buzachis
@tremble
Copy link
Contributor

tremble commented Jun 30, 2023

It shouldn't be necessary to fully redefine the attributes, if an attribute isn't set then it shouldn't be changed., as such it should be possible to attach an existing profile to an existing instance with something as simple as:

- ec2_instance:
    instance_ids: "i-0123456789ab"
    iam_instance_profile: "my_profile_name"

This would make ec2_associate_iam_instance_profile redundant.

@sean-freeman
Copy link
Author

Will attempt this approach. Would suggest this specific example is noted as an example in the documentation, so it can be seen how to associate an IAM Instance Profile to the EC2 instance.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
needs_triage
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

New modules: iam_instance_profile(_info) tremble/amazon.aws
2 participants
@tremble @sean-freeman