Skip to content

Commit

Permalink
add missing password_reset_required parameter (#860)
Browse files Browse the repository at this point in the history
add missing password_reset_required parameter

SUMMARY
password_reset_required parameter is missing in iam_user module.
ISSUE TYPE


Feature Pull Request

COMPONENT NAME
iam_user
ADDITIONAL INFORMATION
Sadly, LoginProfile is only returned on create_login_profile and not on update_login_profile.
Therefor the functionality can only be verified when the user is created, not when the user is udpated.

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.create_login_profile
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.update_login_profile

retval of update_login_profile is just
 0.0s create_or_update_user: 
      {'ResponseMetadata': {'HTTPHeaders': {'content-length': '216', 'content-type': 'text/xml', 'date': 'Wed, 12 Jan 2022 20:18:08 GMT', 'x-amzn-requestid': '11b6fde3-9f28-4265-8fac-88e3f5a238d3'}, 'HTTPStatusCode': 200, 'RequestId': '11b6fde3-9f28-4265-8fac-88e3f5a238d3', 'RetryAttempts': 0}}

Reviewed-by: Mark Woolley <[email protected]>
Reviewed-by: Alina Buzachis <None>
Reviewed-by: Markus Bergholz <[email protected]>
  • Loading branch information
markuman authored Jan 20, 2022
1 parent d295d71 commit c0b3e1b
Show file tree
Hide file tree
Showing 3 changed files with 37 additions and 7 deletions.
2 changes: 2 additions & 0 deletions changelogs/fragments/860-add-missing-parameter.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
minor_changes:
- iam_user - add parameter ``password_reset_required`` (https://github.com/ansible-collections/community.aws/pull/860).
35 changes: 28 additions & 7 deletions plugins/modules/iam_user.py
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,13 @@
required: false
type: str
version_added: 2.2.0
password_reset_required:
description:
- Defines if the user is required to set a new password after login.
required: false
type: bool
default: false
version_added: 3.1.0
update_password:
default: always
choices: ['always', 'on_create']
Expand Down Expand Up @@ -250,18 +257,20 @@ def create_or_update_login_profile(connection, module):
user_params = dict()
user_params['UserName'] = module.params.get('name')
user_params['Password'] = module.params.get('password')
user_params['PasswordResetRequired'] = module.params.get('password_reset_required')
retval = {}

try:
connection.update_login_profile(**user_params)
retval = connection.update_login_profile(**user_params)
except is_boto3_error_code('NoSuchEntity'):
try:
connection.create_login_profile(**user_params)
retval = connection.create_login_profile(**user_params)
except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:
module.fail_json_aws(e, msg="Unable to create user login profile")
except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e: # pylint: disable=duplicate-except
module.fail_json_aws(e, msg="Unable to update user login profile")

return True
return True, retval


def delete_login_profile(connection, module):
Expand Down Expand Up @@ -296,6 +305,7 @@ def create_or_update_user(connection, module):
user = get_user(connection, module, params['UserName'])

# If user is None, create it
new_login_profile = False
if user is None:
# Check mode means we would create the user
if module.check_mode:
Expand All @@ -312,13 +322,20 @@ def create_or_update_user(connection, module):
wait_iam_exists(connection, module)

if module.params.get('password') is not None:
create_or_update_login_profile(connection, module)
login_profile_result, login_profile_data = create_or_update_login_profile(connection, module)

if login_profile_data.get('LoginProfile', {}).get('PasswordResetRequired', False):
new_login_profile = True
else:
login_profile_result = None
update_result = update_user_tags(connection, module, params, user)

if module.params['update_password'] == "always" and module.params.get('password') is not None:
login_profile_result = create_or_update_login_profile(connection, module)
login_profile_result, login_profile_data = create_or_update_login_profile(connection, module)

if login_profile_data.get('LoginProfile', {}).get('PasswordResetRequired', False):
new_login_profile = True

elif module.params.get('remove_password'):
login_profile_result = delete_login_profile(connection, module)

Expand Down Expand Up @@ -361,6 +378,9 @@ def create_or_update_user(connection, module):

# Get the user again
user = get_user(connection, module, params['UserName'])
if changed and new_login_profile:
# `LoginProfile` is only returned on `create_login_profile` method
user['user']['password_reset_required'] = login_profile_data.get('LoginProfile', {}).get('PasswordResetRequired', False)

module.exit_json(changed=changed, iam_user=user)

Expand Down Expand Up @@ -505,8 +525,9 @@ def main():
argument_spec = dict(
name=dict(required=True, type='str'),
password=dict(type='str', no_log=True),
password_reset_required=dict(type='bool', default=False, no_log=False),
update_password=dict(default='always', choices=['always', 'on_create'], no_log=False),
remove_password=dict(type='bool'),
remove_password=dict(type='bool', no_log=False),
managed_policies=dict(default=[], type='list', aliases=['managed_policy'], elements='str'),
state=dict(choices=['present', 'absent'], required=True),
purge_policies=dict(default=False, type='bool', aliases=['purge_policy', 'purge_managed_policies']),
Expand All @@ -519,7 +540,7 @@ def main():
module = AnsibleAWSModule(
argument_spec=argument_spec,
supports_check_mode=True,
mutually_exclusive=[['password', 'remove_password']]
mutually_exclusive=[['password', 'remove_password']],
)

connection = module.client('iam')
Expand Down
7 changes: 7 additions & 0 deletions tests/integration/targets/iam_user/tasks/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -111,13 +111,15 @@
iam_user:
name: "{{ test_user3 }}"
password: "{{ test_password }}"
password_reset_required: yes
state: present
register: iam_user

- name: assert that the second user is created
assert:
that:
- iam_user is changed
- iam_user.iam_user.user.password_reset_required

- name: get info on IAM user(s) on path
iam_user_info:
Expand Down Expand Up @@ -275,12 +277,17 @@
that:
- iam_user_update is not changed

# flakey, there is no waiter for login profiles
# Login Profile for User ansible-user-c cannot be modified while login profile is being created.
- name: update IAM password
iam_user:
name: "{{ test_user3 }}"
password: "{{ test_new_password }}"
state: present
register: iam_user_update
until: iam_user_update.failed == false
delay: 3
retries: 5

- assert:
that:
Expand Down

0 comments on commit c0b3e1b

Please sign in to comment.