add delete_policies arg

This commit is contained in:
J. Lim 2015-05-28 11:49:15 -07:00
parent ea413bcb83
commit da93f8566c


@ -72,6 +72,10 @@ with the role. This is the default behavior of the AWS console.
- profile:
key: GKTADJGHEIQSXMKKRBJ08H
keyid: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
If ``delete_policies: False`` is specified, existing policies that are not in
the given list of policies will not be deleted. These allow manual
modifications on the IAM role to be persistent.
'''
from __future__ import absolute_import
import salt.utils.dictupdate as dictupdate
@ -95,7 +99,8 @@ def present(
region=None,
key=None,
keyid=None,
profile=None):
profile=None,
delete_policies=True):
'''
Ensure the IAM role exists.
@ -170,7 +175,8 @@ def present(
ret['result'] = _ret['result']
if ret['result'] is False:
return ret
_ret = _policies_present(name, _policies, region, key, keyid, profile)
_ret = _policies_present(name, _policies, region, key, keyid, profile,
delete_policies)
ret['changes'] = dictupdate.update(ret['changes'], _ret['changes'])
ret['comment'] = ' '.join([ret['comment'], _ret['comment']])
if not _ret['result']:
@ -305,7 +311,8 @@ def _policies_present(
region=None,
key=None,
keyid=None,
profile=None):
profile=None,
delete_policies=True):
ret = {'result': True, 'comment': '', 'changes': {}}
policies_to_create = {}
policies_to_delete = []
@ -318,7 +325,7 @@ def _policies_present(
_list = __salt__['boto_iam.list_role_policies'](name, region, key, keyid,
profile)
for policy_name in _list:
if policy_name not in policies:
if delete_policies and policy_name not in policies:
policies_to_delete.append(policy_name)
if policies_to_create or policies_to_delete:
_to_modify = list(policies_to_delete)
@ -357,7 +364,7 @@ def _policies_present(
profile)
ret['changes']['new'] = {'policies': _list}
ret['result'] = False
msg = 'Failed to add policy {0} to role {1}'
msg = 'Failed to remove policy {0} from role {1}'
ret['comment'] = msg.format(policy_name, name)
return ret
_list = __salt__['boto_iam.list_role_policies'](name, region, key,
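Review bot: When `delete_policies` is False, the loop at `for policy_name in _list:` in the `_policies_present` hunk silently keeps every attached policy that is absent from `policies`, so neither `ret['comment']` nor `ret['changes']` shows that unmanaged policies remain on the role; collecting those names in an `elif` branch (e.g. `policies_to_keep.append(policy_name)`) and appending `'Unmanaged policies retained on role {0}: {1}'` to the comment would keep that drift visible in state output. In the `present` hunk the new argument is passed positionally; `_ret = _policies_present(name, _policies, region, key, keyid, profile, delete_policies=delete_policies)` is safer against future reordering of that signature. The parameter section of `present`'s docstring lies outside the hunk; if it does not yet describe `delete_policies`, add an entry stating that it defaults to True and that False leaves policies not in the list attached. The body of `_policies_present` continues outside the hunk.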