First attempt at provisioning.

2 files changed, 486 insertions, 0 deletions

diff --git a/roles/lib_utils/library/iam_cert23.py b/roles/lib_utils/library/iam_cert23.py
new file mode 100644
index 000000000..07b3d3bdf
--- /dev/null
+++ b/roles/lib_utils/library/iam_cert23.py
@@ -0,0 +1,314 @@
+#!/usr/bin/python
+# pylint: skip-file
+# flake8: noqa
+# This file is part of Ansible
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
+ANSIBLE_METADATA = {'metadata_version': '1.1',
+                    'status': ['preview'],
+                    'supported_by': 'community'}
+
+
+DOCUMENTATION = '''
+---
+module: iam_cert
+short_description: Manage server certificates for use on ELBs and CloudFront
+description:
+     - Allows for the management of server certificates
+version_added: "2.0"
+options:
+  name:
+    description:
+      - Name of certificate to add, update or remove.
+    required: true
+  new_name:
+    description:
+      - When state is present, this will update the name of the cert.
+      - The cert, key and cert_chain parameters will be ignored if this is defined.
+  new_path:
+    description:
+      - When state is present, this will update the path of the cert.
+      - The cert, key and cert_chain parameters will be ignored if this is defined.
+  state:
+    description:
+      - Whether to create(or update) or delete certificate.
+      - If new_path or new_name is defined, specifying present will attempt to make an update these.
+    required: true
+    choices: [ "present", "absent" ]
+  path:
+    description:
+      - When creating or updating, specify the desired path of the certificate.
+    default: "/"
+  cert_chain:
+    description:
+      - The path to, or content of the CA certificate chain in PEM encoded format.
+        As of 2.4 content is accepted. If the parameter is not a file, it is assumed to be content.
+  cert:
+    description:
+      - The path to, or content of the certificate body in PEM encoded format.
+        As of 2.4 content is accepted. If the parameter is not a file, it is assumed to be content.
+  key:
+    description:
+      - The path to, or content of the private key in PEM encoded format.
+        As of 2.4 content is accepted. If the parameter is not a file, it is assumed to be content.
+  dup_ok:
+    description:
+      - By default the module will not upload a certificate that is already uploaded into AWS.
+        If set to True, it will upload the certificate as long as the name is unique.
+    default: False
+
+
+requirements: [ "boto" ]
+author: Jonathan I. Davila
+extends_documentation_fragment:
+    - aws
+    - ec2
+'''
+
+EXAMPLES = '''
+# Basic server certificate upload from local file
+- iam_cert:
+    name: very_ssl
+    state: present
+    cert: "{{ lookup('file', 'path/to/cert') }}"
+    key: "{{ lookup('file', 'path/to/key') }}"
+    cert_chain: "{{ lookup('file', 'path/to/certchain') }}"
+
+# Basic server certificate upload
+- iam_cert:
+    name: very_ssl
+    state: present
+    cert: path/to/cert
+    key: path/to/key
+    cert_chain: path/to/certchain
+
+# Server certificate upload using key string
+- iam_cert:
+    name: very_ssl
+    state: present
+    path: "/a/cert/path/"
+    cert: body_of_somecert
+    key: vault_body_of_privcertkey
+    cert_chain: body_of_myverytrustedchain
+
+# Basic rename of existing certificate
+- iam_cert:
+    name: very_ssl
+    new_name: new_very_ssl
+    state: present
+
+'''
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils.ec2 import ec2_argument_spec, get_aws_connection_info, connect_to_aws
+import os
+
+try:
+    import boto
+    import boto.iam
+    import boto.ec2
+    HAS_BOTO = True
+except ImportError:
+    HAS_BOTO = False
+
+
+def boto_exception(err):
+    '''generic error message handler'''
+    if hasattr(err, 'error_message'):
+        error = err.error_message
+    elif hasattr(err, 'message'):
+        error = err.message
+    else:
+        error = '%s: %s' % (Exception, err)
+
+    return error
+
+
+def cert_meta(iam, name):
+    certificate = iam.get_server_certificate(name).get_server_certificate_result.server_certificate
+    ocert = certificate.certificate_body
+    opath = certificate.server_certificate_metadata.path
+    ocert_id = certificate.server_certificate_metadata.server_certificate_id
+    upload_date = certificate.server_certificate_metadata.upload_date
+    exp = certificate.server_certificate_metadata.expiration
+    arn = certificate.server_certificate_metadata.arn
+    return opath, ocert, ocert_id, upload_date, exp, arn
+
+
+def dup_check(module, iam, name, new_name, cert, orig_cert_names, orig_cert_bodies, dup_ok):
+    update = False
+
+    # IAM cert names are case insensitive
+    names_lower = [n.lower() for n in [name, new_name] if n is not None]
+    orig_cert_names_lower = [ocn.lower() for ocn in orig_cert_names]
+
+    if any(ct in orig_cert_names_lower for ct in names_lower):
+        for i_name in names_lower:
+            if cert is not None:
+                try:
+                    c_index = orig_cert_names_lower.index(i_name)
+                except NameError:
+                    continue
+                else:
+                    # NOTE: remove the carriage return to strictly compare the cert bodies.
+                    slug_cert = cert.replace('\r', '')
+                    slug_orig_cert_bodies = orig_cert_bodies[c_index].replace('\r', '')
+                    if slug_orig_cert_bodies == slug_cert:
+                        update = True
+                        break
+                    elif slug_cert.startswith(slug_orig_cert_bodies):
+                        update = True
+                        break
+                    elif slug_orig_cert_bodies != slug_cert:
+                        module.fail_json(changed=False, msg='A cert with the name %s already exists and'
+                                         ' has a different certificate body associated'
+                                         ' with it. Certificates cannot have the same name' % orig_cert_names[c_index])
+            else:
+                update = True
+                break
+    elif cert in orig_cert_bodies and not dup_ok:
+        for crt_name, crt_body in zip(orig_cert_names, orig_cert_bodies):
+            if crt_body == cert:
+                module.fail_json(changed=False, msg='This certificate already'
+                                                    ' exists under the name %s' % crt_name)
+
+    return update
+
+
+def cert_action(module, iam, name, cpath, new_name, new_path, state,
+                cert, key, cert_chain, orig_cert_names, orig_cert_bodies, dup_ok):
+    if state == 'present':
+        update = dup_check(module, iam, name, new_name, cert, orig_cert_names,
+                           orig_cert_bodies, dup_ok)
+        if update:
+            opath, ocert, ocert_id, upload_date, exp, arn = cert_meta(iam, name)
+            changed = True
+            if new_name and new_path:
+                iam.update_server_cert(name, new_cert_name=new_name, new_path=new_path)
+                module.exit_json(changed=changed, original_name=name, new_name=new_name,
+                                 original_path=opath, new_path=new_path, cert_body=ocert,
+                                 upload_date=upload_date, expiration_date=exp, arn=arn)
+            elif new_name and not new_path:
+                iam.update_server_cert(name, new_cert_name=new_name)
+                module.exit_json(changed=changed, original_name=name, new_name=new_name,
+                                 cert_path=opath, cert_body=ocert,
+                                 upload_date=upload_date, expiration_date=exp, arn=arn)
+            elif not new_name and new_path:
+                iam.update_server_cert(name, new_path=new_path)
+                module.exit_json(changed=changed, name=new_name,
+                                 original_path=opath, new_path=new_path, cert_body=ocert,
+                                 upload_date=upload_date, expiration_date=exp, arn=arn)
+            else:
+                changed = False
+                module.exit_json(changed=changed, name=name, cert_path=opath, cert_body=ocert,
+                                 upload_date=upload_date, expiration_date=exp, arn=arn,
+                                 msg='No new path or name specified. No changes made')
+        else:
+            changed = True
+            iam.upload_server_cert(name, cert, key, cert_chain=cert_chain, path=cpath)
+            opath, ocert, ocert_id, upload_date, exp, arn = cert_meta(iam, name)
+            module.exit_json(changed=changed, name=name, cert_path=opath, cert_body=ocert,
+                             upload_date=upload_date, expiration_date=exp, arn=arn)
+    elif state == 'absent':
+        if name in orig_cert_names:
+            changed = True
+            iam.delete_server_cert(name)
+            module.exit_json(changed=changed, deleted_cert=name)
+        else:
+            changed = False
+            module.exit_json(changed=changed, msg='Certificate with the name %s already absent' % name)
+
+
+def load_data(cert, key, cert_chain):
+    # if paths are provided rather than lookups read the files and return the contents
+    if cert and os.path.isfile(cert):
+        cert = open(cert, 'r').read().rstrip()
+    if key and os.path.isfile(key):
+        key = open(key, 'r').read().rstrip()
+    if cert_chain and os.path.isfile(cert_chain):
+        cert_chain = open(cert_chain, 'r').read()
+    return cert, key, cert_chain
+
+
+def main():
+    argument_spec = ec2_argument_spec()
+    argument_spec.update(dict(
+        state=dict(required=True, choices=['present', 'absent']),
+        name=dict(),
+        cert=dict(),
+        key=dict(no_log=True),
+        cert_chain=dict(),
+        new_name=dict(),
+        path=dict(default='/'),
+        new_path=dict(),
+        dup_ok=dict(type='bool')
+    )
+    )
+
+    module = AnsibleModule(
+        argument_spec=argument_spec,
+        mutually_exclusive=[
+            ['new_path', 'key'],
+            ['new_path', 'cert'],
+            ['new_path', 'cert_chain'],
+            ['new_name', 'key'],
+            ['new_name', 'cert'],
+            ['new_name', 'cert_chain'],
+        ],
+    )
+
+    if not HAS_BOTO:
+        module.fail_json(msg="Boto is required for this module")
+
+    region, ec2_url, aws_connect_kwargs = get_aws_connection_info(module)
+
+    try:
+        if region:
+            iam = connect_to_aws(boto.iam, region, **aws_connect_kwargs)
+        else:
+            iam = boto.iam.connection.IAMConnection(**aws_connect_kwargs)
+    except boto.exception.NoAuthHandlerFound as e:
+        module.fail_json(msg=str(e))
+
+    state = module.params.get('state')
+    name = module.params.get('name')
+    path = module.params.get('path')
+    new_name = module.params.get('new_name')
+    new_path = module.params.get('new_path')
+    dup_ok = module.params.get('dup_ok')
+    if state == 'present' and not new_name and not new_path:
+        cert, key, cert_chain = load_data(cert=module.params.get('cert'),
+                                          key=module.params.get('key'),
+                                          cert_chain=module.params.get('cert_chain'))
+    else:
+        cert = key = cert_chain = None
+
+    orig_cert_names = [ctb['server_certificate_name'] for ctb in
+                       iam.get_all_server_certs().list_server_certificates_result.server_certificate_metadata_list]
+    orig_cert_bodies = [iam.get_server_certificate(thing).get_server_certificate_result.certificate_body
+                        for thing in orig_cert_names]
+    if new_name == name:
+        new_name = None
+    if new_path == path:
+        new_path = None
+
+    changed = False
+    try:
+        cert_action(module, iam, name, path, new_name, new_path, state,
+                    cert, key, cert_chain, orig_cert_names, orig_cert_bodies, dup_ok)
+    except boto.exception.BotoServerError as err:
+        module.fail_json(changed=changed, msg=str(err), debug=[cert, key])
+
+
+if __name__ == '__main__':
+    main()
diff --git a/roles/lib_utils/library/oo_iam_kms.py b/roles/lib_utils/library/oo_iam_kms.py
new file mode 100644
index 000000000..c85745f01
--- /dev/null
+++ b/roles/lib_utils/library/oo_iam_kms.py
@@ -0,0 +1,172 @@
+#!/usr/bin/env python
+'''
+ansible module for creating AWS IAM KMS keys
+'''
+# vim: expandtab:tabstop=4:shiftwidth=4
+#
+#   AWS IAM KMS ansible module
+#
+#
+#   Copyright 2016 Red Hat Inc.
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+# Jenkins environment doesn't have all the required libraries
+# pylint: disable=import-error
+import time
+import boto3
+# Ansible modules need this wildcard import
+# pylint: disable=unused-wildcard-import, wildcard-import, redefined-builtin
+from ansible.module_utils.basic import AnsibleModule
+
+AWS_ALIAS_URL = "http://docs.aws.amazon.com/kms/latest/developerguide/programming-aliases.html"
+
+
+class AwsIamKms(object):
+    '''
+    ansible module for AWS IAM KMS
+    '''
+
+    def __init__(self):
+        ''' constructor '''
+        self.module = None
+        self.kms_client = None
+        self.aliases = None
+
+    @staticmethod
+    def valid_alias_name(user_alias):
+        ''' AWS KMS aliases must start with 'alias/' '''
+        valid_start = 'alias/'
+        if user_alias.startswith(valid_start):
+            return True
+
+        return False
+
+    def get_all_kms_info(self):
+        '''fetch all kms info and return them
+
+        list_keys doesn't have information regarding aliases
+        list_aliases doesn't have the full kms arn
+
+        fetch both and join them on the targetKeyId
+        '''
+        aliases = self.kms_client.list_aliases()['Aliases']
+        keys = self.kms_client.list_keys()['Keys']
+
+        for alias in aliases:
+            for key in keys:
+                if 'TargetKeyId' in alias and 'KeyId' in key:
+                    if alias['TargetKeyId'] == key['KeyId']:
+                        alias.update(key)
+
+        return aliases
+
+    def get_kms_entry(self, user_alias, alias_list):
+        ''' return single alias details from list of aliases '''
+        for alias in alias_list:
+            if user_alias == alias.get('AliasName', False):
+                return alias
+
+        msg = "Did not find alias {}".format(user_alias)
+        self.module.exit_json(failed=True, results=msg)
+
+    @staticmethod
+    def exists(user_alias, alias_list):
+        ''' Check if KMS alias already exists '''
+        for alias in alias_list:
+            if user_alias == alias.get('AliasName'):
+                return True
+
+        return False
+
+    def main(self):
+        ''' entry point for module '''
+
+        self.module = AnsibleModule(
+            argument_spec=dict(
+                state=dict(default='list', choices=['list', 'present'], type='str'),
+                region=dict(default=None, required=True, type='str'),
+                alias=dict(default=None, type='str'),
+                # description default cannot be None
+                description=dict(default='', type='str'),
+                aws_access_key=dict(default=None, type='str'),
+                aws_secret_key=dict(default=None, type='str'),
+            ),
+        )
+
+        state = self.module.params['state']
+        aws_access_key = self.module.params['aws_access_key']
+        aws_secret_key = self.module.params['aws_secret_key']
+        if aws_access_key and aws_secret_key:
+            boto3.setup_default_session(aws_access_key_id=aws_access_key,
+                                        aws_secret_access_key=aws_secret_key,
+                                        region_name=self.module.params['region'])
+        else:
+            boto3.setup_default_session(region_name=self.module.params['region'])
+
+        self.kms_client = boto3.client('kms')
+
+        aliases = self.get_all_kms_info()
+
+        if state == 'list':
+            if self.module.params['alias'] is not None:
+                user_kms = self.get_kms_entry(self.module.params['alias'],
+                                              aliases)
+                self.module.exit_json(changed=False, results=user_kms,
+                                      state="list")
+            else:
+                self.module.exit_json(changed=False, results=aliases,
+                                      state="list")
+
+        if state == 'present':
+
+            # early sanity check to make sure the alias name conforms with
+            # AWS alias name requirements
+            if not self.valid_alias_name(self.module.params['alias']):
+                self.module.exit_json(failed=True, changed=False,
+                                      results="Alias must start with the prefix " +
+                                      "'alias/'. Please see " + AWS_ALIAS_URL,
+                                      state='present')
+
+            if not self.exists(self.module.params['alias'], aliases):
+                # if we didn't find it, create it
+                response = self.kms_client.create_key(KeyUsage='ENCRYPT_DECRYPT',
+                                                      Description=self.module.params['description'])
+                kid = response['KeyMetadata']['KeyId']
+                response = self.kms_client.create_alias(AliasName=self.module.params['alias'],
+                                                        TargetKeyId=kid)
+                # sleep for a bit so that the KMS data can be queried
+                time.sleep(10)
+                # get details for newly created KMS entry
+                new_alias_list = self.kms_client.list_aliases()['Aliases']
+                user_kms = self.get_kms_entry(self.module.params['alias'],
+                                              new_alias_list)
+
+                self.module.exit_json(changed=True, results=user_kms,
+                                      state='present')
+
+            # already exists, normally we would check whether we need to update it
+            # but this module isn't written to allow changing the alias name
+            # or changing whether the key is enabled/disabled
+            user_kms = self.get_kms_entry(self.module.params['alias'], aliases)
+            self.module.exit_json(changed=False, results=user_kms,
+                                  state="present")
+
+        self.module.exit_json(failed=True,
+                              changed=False,
+                              results='Unknown state passed. %s' % state,
+                              state="unknown")
+
+
+if __name__ == '__main__':
+    AwsIamKms().main()