Add the identitystore_user module #2325
base: main
Conversation
Add the community.aws.identitystore_user module, for managing users in an identity store (used by the IAM Identity Center).
Docs Build 📝 Thank you for your contribution! ✨ The docsite for this PR is available for download as an artifact from this run. You can compare to the docs for the base branch. File changes:
Click to see the diff comparison. NOTE: only file modifications are shown here. New and deleted files are excluded.
diff --git a/home/runner/work/community.aws/community.aws/docsbuild/base/collections/community/aws/iam_server_certificate_info_module.html b/home/runner/work/community.aws/community.aws/docsbuild/head/collections/community/aws/iam_server_certificate_info_module.html
index f33c5c4..93ae00a 100644
--- a/home/runner/work/community.aws/community.aws/docsbuild/base/collections/community/aws/iam_server_certificate_info_module.html
+++ b/home/runner/work/community.aws/community.aws/docsbuild/head/collections/community/aws/iam_server_certificate_info_module.html
@@ -22,7 +22,7 @@
<script src="../../../_static/sphinx_highlight.js?v=dc90522c"></script>
<script src="../../../_static/js/theme.js"></script>
<link rel="search" title="Search" href="../../../search.html" />
- <link rel="next" title="community.aws.inspector_target module – Create, Update and Delete Amazon Inspector Assessment Targets" href="inspector_target_module.html" />
+ <link rel="next" title="community.aws.identitystore_user module – Manage users in Identity Store (IAM Identity Center)" href="identitystore_user_module.html" />
<link rel="prev" title="community.aws.iam_server_certificate module – Manage IAM server certificates for use on ELBs and CloudFront" href="iam_server_certificate_module.html" /><!-- extra head elements for Ansible beyond RTD Sphinx Theme -->
@@ -427,7 +427,7 @@ see <a class="reference internal" href="#ansible-collections-community-aws-iam-s
<footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
<a href="iam_server_certificate_module.html" class="btn btn-neutral float-left" title="community.aws.iam_server_certificate module – Manage IAM server certificates for use on ELBs and CloudFront" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
- <a href="inspector_target_module.html" class="btn btn-neutral float-right" title="community.aws.inspector_target module – Create, Update and Delete Amazon Inspector Assessment Targets" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
+ <a href="identitystore_user_module.html" class="btn btn-neutral float-right" title="community.aws.identitystore_user module – Manage users in Identity Store (IAM Identity Center)" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
</div>
<hr/>
diff --git a/home/runner/work/community.aws/community.aws/docsbuild/base/collections/community/aws/index.html b/home/runner/work/community.aws/community.aws/docsbuild/head/collections/community/aws/index.html
index 75011d0..16b8aed 100644
--- a/home/runner/work/community.aws/community.aws/docsbuild/base/collections/community/aws/index.html
+++ b/home/runner/work/community.aws/community.aws/docsbuild/head/collections/community/aws/index.html
@@ -261,6 +261,7 @@
<li><p><a class="reference internal" href="iam_saml_federation_module.html#ansible-collections-community-aws-iam-saml-federation-module"><span class="std std-ref">iam_saml_federation module</span></a> – Maintain IAM SAML federation configuration.</p></li>
<li><p><a class="reference internal" href="iam_server_certificate_module.html#ansible-collections-community-aws-iam-server-certificate-module"><span class="std std-ref">iam_server_certificate module</span></a> – Manage IAM server certificates for use on ELBs and CloudFront</p></li>
<li><p><a class="reference internal" href="iam_server_certificate_info_module.html#ansible-collections-community-aws-iam-server-certificate-info-module"><span class="std std-ref">iam_server_certificate_info module</span></a> – Retrieve the information of a server certificate</p></li>
+<li><p><a class="reference internal" href="identitystore_user_module.html#ansible-collections-community-aws-identitystore-user-module"><span class="std std-ref">identitystore_user module</span></a> – Manage users in Identity Store (IAM Identity Center)</p></li>
<li><p><a class="reference internal" href="inspector_target_module.html#ansible-collections-community-aws-inspector-target-module"><span class="std std-ref">inspector_target module</span></a> – Create, Update and Delete Amazon Inspector Assessment Targets</p></li>
<li><p><a class="reference internal" href="kinesis_stream_module.html#ansible-collections-community-aws-kinesis-stream-module"><span class="std std-ref">kinesis_stream module</span></a> – Manage a Kinesis Stream.</p></li>
<li><p><a class="reference internal" href="lightsail_module.html#ansible-collections-community-aws-lightsail-module"><span class="std std-ref">lightsail module</span></a> – Manage instances in AWS Lightsail</p></li>
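Review bot: the new entry's short description "Manage users in Identity Store (IAM Identity Center)" reads awkwardly beside its neighbours, which spell out the AWS service name ("Manage IAM server certificates …", "Manage instances in AWS Lightsail"); consider "Manage users in an IAM Identity Center identity store", which would also flow into the rel=next/rel=prev titles in the other files since they carry the same string. The ordering between iam_server_certificate_info and inspector_target is correct. Note that, per the build comment, new files are excluded from this comparison, so the rendered identitystore_user_module.html page itself has to be checked in the downloaded artifact rather than here.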
diff --git a/home/runner/work/community.aws/community.aws/docsbuild/base/collections/community/aws/inspector_target_module.html b/home/runner/work/community.aws/community.aws/docsbuild/head/collections/community/aws/inspector_target_module.html
index 3e16ee2..569a603 100644
--- a/home/runner/work/community.aws/community.aws/docsbuild/base/collections/community/aws/inspector_target_module.html
+++ b/home/runner/work/community.aws/community.aws/docsbuild/head/collections/community/aws/inspector_target_module.html
@@ -23,7 +23,7 @@
<script src="../../../_static/js/theme.js"></script>
<link rel="search" title="Search" href="../../../search.html" />
<link rel="next" title="community.aws.kinesis_stream module – Manage a Kinesis Stream." href="kinesis_stream_module.html" />
- <link rel="prev" title="community.aws.iam_server_certificate_info module – Retrieve the information of a server certificate" href="iam_server_certificate_info_module.html" /><!-- extra head elements for Ansible beyond RTD Sphinx Theme -->
+ <link rel="prev" title="community.aws.identitystore_user module – Manage users in Identity Store (IAM Identity Center)" href="identitystore_user_module.html" /><!-- extra head elements for Ansible beyond RTD Sphinx Theme -->
@@ -447,7 +447,7 @@ see <a class="reference internal" href="#ansible-collections-community-aws-inspe
<footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
- <a href="iam_server_certificate_info_module.html" class="btn btn-neutral float-left" title="community.aws.iam_server_certificate_info module – Retrieve the information of a server certificate" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
+ <a href="identitystore_user_module.html" class="btn btn-neutral float-left" title="community.aws.identitystore_user module – Manage users in Identity Store (IAM Identity Center)" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
<a href="kinesis_stream_module.html" class="btn btn-neutral float-right" title="community.aws.kinesis_stream module – Manage a Kinesis Stream." accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
</div>
diff --git a/home/runner/work/community.aws/community.aws/docsbuild/base/collections/index_module.html b/home/runner/work/community.aws/community.aws/docsbuild/head/collections/index_module.html
index 4c73fae..d443a04 100644
--- a/home/runner/work/community.aws/community.aws/docsbuild/base/collections/index_module.html
+++ b/home/runner/work/community.aws/community.aws/docsbuild/head/collections/index_module.html
@@ -204,6 +204,7 @@
<li><p><a class="reference internal" href="community/aws/iam_saml_federation_module.html#ansible-collections-community-aws-iam-saml-federation-module"><span class="std std-ref">community.aws.iam_saml_federation</span></a> – Maintain IAM SAML federation configuration.</p></li>
<li><p><a class="reference internal" href="community/aws/iam_server_certificate_module.html#ansible-collections-community-aws-iam-server-certificate-module"><span class="std std-ref">community.aws.iam_server_certificate</span></a> – Manage IAM server certificates for use on ELBs and CloudFront</p></li>
<li><p><a class="reference internal" href="community/aws/iam_server_certificate_info_module.html#ansible-collections-community-aws-iam-server-certificate-info-module"><span class="std std-ref">community.aws.iam_server_certificate_info</span></a> – Retrieve the information of a server certificate</p></li>
+<li><p><a class="reference internal" href="community/aws/identitystore_user_module.html#ansible-collections-community-aws-identitystore-user-module"><span class="std std-ref">community.aws.identitystore_user</span></a> – Manage users in Identity Store (IAM Identity Center)</p></li>
<li><p><a class="reference internal" href="community/aws/inspector_target_module.html#ansible-collections-community-aws-inspector-target-module"><span class="std std-ref">community.aws.inspector_target</span></a> – Create, Update and Delete Amazon Inspector Assessment Targets</p></li>
<li><p><a class="reference internal" href="community/aws/kinesis_stream_module.html#ansible-collections-community-aws-kinesis-stream-module"><span class="std std-ref">community.aws.kinesis_stream</span></a> – Manage a Kinesis Stream.</p></li>
<li><p><a class="reference internal" href="community/aws/lightsail_module.html#ansible-collections-community-aws-lightsail-module"><span class="std std-ref">community.aws.lightsail</span></a> – Manage instances in AWS Lightsail</p></li>
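Review bot: this is the same description string as in the collections/community/aws/index.html hunk; it and the four nav-link titles above are all rendered from the module's short_description, so a wording change belongs once in the module's DOCUMENTATION block, not in these generated pages.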
Build succeeded. ✔️ ansible-galaxy-importer SUCCESS in 4m 40s (non-voting)
This project has an unusually long line length limit, and this patch reformats the code accordingly, using the "format" label defined in the tox.ini file.
Build succeeded. ❌ ansible-galaxy-importer FAILURE in 4m 15s (non-voting)
```yaml
access_key: "{{ aws_access_key }}"
secret_key: "{{ aws_secret_key }}"
session_token: "{{ security_token | default(omit) }}"
region: "{{ aws_region }}"
```
@vonschultz Thank you for this contribution. Since there isn’t currently a module available to retrieve the Identity Store ID, I believe it would be better to add a task that uses the AWS CLI to list all instances and then extract the identity_store_id from the output of that task. I'm not familiar with this service, but what do you think about this suggestion?
If an identity store was created specifically for the test, certainly, then we should try to find its ID automatically. Currently, there's no way to create an identity store in Ansible (except maybe through CloudFormation?), and furthermore, I believe it's a global resource where you can only have one for a given account. Now, here's the rub: The user running the test might very well be using the IAM Identity Center to manage logins to their AWS account, which means that we'd be creating real users in a real identity store (and if the test fails during development of some feature, potentially even leaving them in there). This might surprise the user running the test, and possibly has some real security consequences. How do we ensure that the user running the test is OK with users being created in their identity store? How do we ensure that the user knows where they should go to clean up things manually if things go awry? It seemed like the natural way to do that would be to let the user themselves specify the identity_store_id when running the test — that way, the user has actively consented to us doing tests with that identity store (and should things go awry, the user knows where to find the identity store and see if there's anything that shouldn't be there).
By the way, I think it would be awesome if we could run the test in the CI for community.aws, but for that to happen, someone would have to set up an identity store we can use. The tests are pretty fast, and I only disabled them because they need external resources (in the form of an identity store that can't be created from Ansible at the time of writing).
Co-authored-by: Alina Buzachis <abuzachis@redhat.com>
Build succeeded. ✔️ ansible-galaxy-importer SUCCESS in 5m 00s (non-voting)
SUMMARY
Ansible is currently lacking a way to interact with the AWS IdentityStore API, https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/identitystore.html. This change adds support for adding and removing users, and setting the most important attributes on those users. This could potentially be extended in the future to include things like group creation, group membership and more user attributes.
There is currently no way to create an identity store in Ansible, so I made the integration tests "disabled", since they rely on that external resource. You can create it in the IAM Identity Center, and maybe the AWS::SSO::Instance CloudFormation resource also produces identity stores that could be used for this (at most one per account, according to the docs).
ISSUE TYPE
COMPONENT NAME
identitystore_user
ADDITIONAL INFORMATION
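The two things the thread turns on, recovering the identity store ID from `aws sso-admin list-instances` output (the reviewer's suggestion) and converging a user to present/absent idempotently (what the summary says the module does), shown as an added example in plain Python against the call shapes of the boto3 sso-admin and identitystore APIs. This is not the PR's module code. `FakeIdentityStoreClient`, the sample CLI output and the `ensure_user` signature are constructed here so the block runs offline; with a real session, `boto3.client("identitystore")` exposes `list_users`, `create_user` and `delete_user` with the same keyword arguments.

```python
"""Added example, not code from the community.aws PR or the module it adds.

1. identity_store_id_from_list_instances(): parse `aws sso-admin
   list-instances` JSON and refuse to guess when there is not exactly one
   instance (an account has at most one).
2. ensure_user(): state=present/absent, reports `changed` and the affected
   UserId, honours check_mode, so a test harness can undo what it created.

FakeIdentityStoreClient is a constructed in-memory stand-in (an assumption
made to keep this offline) mimicking boto3's identitystore client calls.
"""
import json
import uuid

# Constructed sample output in the shape of `aws sso-admin list-instances`.
SAMPLE_LIST_INSTANCES = json.dumps({
    "Instances": [{
        "InstanceArn": "arn:aws:sso:::instance/ssoins-0000000000example",
        "IdentityStoreId": "d-0000000example",
    }]
})


def identity_store_id_from_list_instances(cli_json):
    """Return the IdentityStoreId from list-instances output.

    Anything other than exactly one instance is an error rather than a
    record to pick from silently: tests must not land in a store nobody
    chose.
    """
    instances = json.loads(cli_json).get("Instances", [])
    if len(instances) != 1:
        raise ValueError(
            "expected exactly one IAM Identity Center instance, found %d" % len(instances)
        )
    store_id = instances[0].get("IdentityStoreId")
    if not store_id:
        raise ValueError("instance record has no IdentityStoreId")
    return store_id


class FakeIdentityStoreClient:
    """Offline stand-in for boto3.client('identitystore') (constructed)."""

    def __init__(self):
        self._users = {}  # (IdentityStoreId, UserId) -> user record

    def list_users(self, IdentityStoreId, Filters=None):
        users = [u for (sid, _), u in self._users.items() if sid == IdentityStoreId]
        for f in Filters or []:
            users = [u for u in users if u.get(f["AttributePath"]) == f["AttributeValue"]]
        return {"Users": users}

    def create_user(self, IdentityStoreId, UserName, **attrs):
        # The real service rejects a duplicate UserName with ConflictException.
        dup = self.list_users(IdentityStoreId,
                              [{"AttributePath": "UserName", "AttributeValue": UserName}])
        if dup["Users"]:
            raise RuntimeError("ConflictException: user %r already exists" % UserName)
        user_id = str(uuid.uuid4())
        self._users[(IdentityStoreId, user_id)] = {"UserId": user_id, "UserName": UserName, **attrs}
        return {"UserId": user_id, "IdentityStoreId": IdentityStoreId}

    def delete_user(self, IdentityStoreId, UserId):
        del self._users[(IdentityStoreId, UserId)]
        return {}


def ensure_user(client, identity_store_id, user_name, state="present",
                display_name=None, given_name=None, family_name=None,
                email=None, check_mode=False):
    """Converge one user to `state`; return an Ansible-style result dict.

    Looks the user up by UserName first so a re-run reports changed=False,
    and in check_mode reports what would change without calling the
    mutating APIs.
    """
    existing = client.list_users(
        IdentityStoreId=identity_store_id,
        Filters=[{"AttributePath": "UserName", "AttributeValue": user_name}],
    )["Users"]

    if state == "absent":
        if not existing:
            return {"changed": False, "user_id": None}
        user_id = existing[0]["UserId"]
        if not check_mode:
            client.delete_user(IdentityStoreId=identity_store_id, UserId=user_id)
        return {"changed": True, "user_id": user_id}

    if existing:
        return {"changed": False, "user_id": existing[0]["UserId"]}
    if check_mode:
        return {"changed": True, "user_id": None}

    attrs = {"DisplayName": display_name or user_name}
    name = {k: v for k, v in (("GivenName", given_name), ("FamilyName", family_name)) if v}
    if name:
        attrs["Name"] = name
    if email:
        attrs["Emails"] = [{"Value": email, "Type": "work", "Primary": True}]
    resp = client.create_user(IdentityStoreId=identity_store_id, UserName=user_name, **attrs)
    return {"changed": True, "user_id": resp["UserId"]}
```

Returning the `user_id` on every changed result is what lets a test's cleanup step delete exactly the users it created, which addresses the "users left behind in a real identity store" concern raised in the thread; requiring the caller to pass `identity_store_id` explicitly, rather than discovering it silently, keeps the consent point the author makes.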