add util methods/waiters for ensuring iam roles to db instance

ansible-collections · Mar 17, 2022 · a651952 · a651952
1 parent f76b4ef
commit a651952
Show file tree

Hide file tree

Showing 2 changed files with 105 additions and 1 deletion.
diff --git a/plugins/module_utils/rds.py b/plugins/module_utils/rds.py
@@ -32,7 +32,8 @@
     'create_db_instance', 'restore_db_instance_to_point_in_time', 'restore_db_instance_from_s3',
     'restore_db_instance_from_db_snapshot', 'create_db_instance_read_replica', 'modify_db_instance',
     'delete_db_instance', 'add_tags_to_resource', 'remove_tags_from_resource', 'list_tags_for_resource',
-    'promote_read_replica', 'stop_db_instance', 'start_db_instance', 'reboot_db_instance'
+    'promote_read_replica', 'stop_db_instance', 'start_db_instance', 'reboot_db_instance', 'add_role_to_db_instance',
+    'remove_role_from_db_instance'
 ]
 
 
@@ -52,6 +53,10 @@ def get_rds_method_attribute(method_name, module):
             waiter = 'db_instance_deleted'
         elif method_name == 'stop_db_instance':
             waiter = 'db_instance_stopped'
+        elif method_name == 'add_role_to_db_instance':
+            waiter = 'role_associated'
+        elif method_name == 'remove_role_from_db_instance':
+            waiter = 'role_disassociated'
         else:
             waiter = 'db_instance_available'
     else:
@@ -233,3 +238,46 @@ def ensure_tags(client, module, resource_arn, existing_tags, tags, purge_tags):
             parameters={'ResourceName': resource_arn, 'TagKeys': tags_to_remove}
         )
     return changed
+
+
+def compare_iam_roles(existing_roles, target_roles, purge_roles):
+    roles_to_add = []
+    roles_to_remove = []
+    for target_role in target_roles:
+        found = False
+        for existing_role in existing_roles:
+            if target_role['role_arn'] == existing_role['RoleArn'] and target_role['feature_name'] == existing_role['FeatureName']:
+                found = True
+                break
+        if not found:
+            roles_to_add.append(target_role)
+
+    if purge_roles:
+        for existing_role in existing_roles:
+            found = False
+            for target_role in target_roles:
+                if target_role['role_arn'] == existing_role['RoleArn'] and target_role['feature_name'] == existing_role['FeatureName']:
+                    found = True
+                    break
+            if not found:
+                roles_to_remove.append(existing_role)
+
+    return roles_to_add, roles_to_remove
+
+
+def ensure_iam_roles(client, module, instance, instance_id, iam_roles, purge_iam_roles):
+    if iam_roles is None:
+        iam_roles = []
+    roles_to_add, roles_to_remove = compare_iam_roles(instance['AssociatedRoles'], iam_roles, purge_iam_roles)
+    changed = bool(roles_to_add or roles_to_remove)
+    for role in roles_to_remove:
+        params = {'DBInstanceIdentifier': instance_id,
+                  'RoleArn': role['RoleArn'],
+                  'FeatureName': role['FeatureName']}
+        result, changed = call_method(client, module, method_name='remove_role_from_db_instance', parameters=params)
+    for role in roles_to_add:
+        params = {'DBInstanceIdentifier': instance_id,
+                  'RoleArn': role['role_arn'],
+                  'FeatureName': role['feature_name']}
+        result, changed = call_method(client, module, method_name='add_role_to_db_instance', parameters=params)
+    return changed
diff --git a/plugins/module_utils/waiters.py b/plugins/module_utils/waiters.py
@@ -685,6 +685,50 @@
                 }
             ]
         },
+        "RoleAssociated": {
+            "delay": 5,
+            "maxAttempts": 40,
+            "operation": "DescribeDBInstances",
+            "acceptors": [
+                {
+                    "state": "success",
+                    "matcher": "pathAll",
+                    "argument": "DBInstances[].AssociatedRoles[].Status",
+                    "expected": "ACTIVE"
+                },
+                {
+                    "state": "retry",
+                    "matcher": "pathAny",
+                    "argument": "DBInstances[].AssociatedRoles[].Status",
+                    "expected": "PENDING"
+                }
+            ]
+        },
+        "RoleDisassociated": {
+            "delay": 5,
+            "maxAttempts": 40,
+            "operation": "DescribeDBInstances",
+            "acceptors": [
+                {
+                    "state": "success",
+                    "matcher": "pathAll",
+                    "argument": "DBInstances[].AssociatedRoles[].Status",
+                    "expected": "ACTIVE"
+                },
+                {
+                    "state": "retry",
+                    "matcher": "pathAny",
+                    "argument": "DBInstances[].AssociatedRoles[].Status",
+                    "expected": "PENDING"
+                },
+                {
+                    "state": "success",
+                    "matcher": "path",
+                    "argument": "length(DBInstances[].AssociatedRoles[]) == `0`",
+                    "expected": True
+                },
+            ]
+        }
     }
 }
 
@@ -993,6 +1037,18 @@ def route53_model(name):
         core_waiter.NormalizedOperationMethod(
             rds.describe_db_clusters
         )),
+    ('RDS', 'role_associated'): lambda rds: core_waiter.Waiter(
+        'role_associated',
+        rds_model('RoleAssociated'),
+        core_waiter.NormalizedOperationMethod(
+            rds.describe_db_instances
+        )),
+    ('RDS', 'role_disassociated'): lambda rds: core_waiter.Waiter(
+        'role_disassociated',
+        rds_model('RoleDisassociated'),
+        core_waiter.NormalizedOperationMethod(
+            rds.describe_db_instances
+        )),
     ('Route53', 'resource_record_sets_changed'): lambda route53: core_waiter.Waiter(
         'resource_record_sets_changed',
         route53_model('ResourceRecordSetsChanged'),