This post is the day 2 entry of the Ansible Advent Calendar 2024.
Introduction
With Ansible, we create an IAM role for accessing S3 via AWS Transfer Family, and the policy that gets attached to it.
I wanted to put the creation of the Transfer Family server itself into code as well, but at the moment there is no module for it.
Note that to delete what this creates you end up writing a separate deletion Playbook. Simply changing state: present to state: absent fails because of the deletion order, so the tasks have to be swapped, and the instance profile is left behind, so you have to add a module to delete it.
Well, none of that was obvious until I actually tried it, and the same pattern can be reused for things other than Transfer Family, so good enough!!
Environment and parameters
- ansible : core 2.18.0
- Bucket name : advent-server
- Role name : TransferFamilyS3AccessRole
- Policy name : TransferFamilyS3AccessPolicy
Playbook
The policy documents are written inline in the Playbook.
---
- name: Set up role for Transfer Family
  hosts: localhost
  gather_facts: no
  vars:
    bucket_name: advent-server
    role_name: TransferFamilyS3AccessRole
    policy_name: TransferFamilyS3AccessPolicy
  tasks:
    # Role whose trust policy lets the Transfer Family service assume it
    - name: Create a role
      amazon.aws.iam_role:
        name: "{{ role_name }}"
        assume_role_policy_document: |
          {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {
                  "Service": "transfer.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
              }
            ]
          }
        state: present

    # Inline policy on that role: list the bucket, and get/put/delete its objects.
    # The {{ bucket_name }} references are templated by Ansible before the JSON is sent.
    - name: Create a policy for s3 access
      amazon.aws.iam_policy:
        iam_name: "{{ role_name }}"
        iam_type: "role"
        policy_name: "{{ policy_name }}"
        policy_json: |
          {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Sid": "Statement1",
                "Effect": "Allow",
                "Action": [
                  "s3:ListBucket",
                  "s3:GetBucketLocation"
                ],
                "Resource": [
                  "arn:aws:s3:::{{ bucket_name }}"
                ]
              },
              {
                "Sid": "Statement2",
                "Effect": "Allow",
                "Action": [
                  "s3:PutObject",
                  "s3:GetObject",
                  "s3:DeleteObject"
                ],
                "Resource": "arn:aws:s3:::{{ bucket_name }}/*"
              }
            ]
          }
        state: present
      register: iam_policy

    - ansible.builtin.debug:
        msg: "{{ iam_policy }}"
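The trust policy above lets the Transfer Family service assume the role with no further condition. AWS documents this as the cross-service confused deputy case and recommends pinning the trust to your own account with the aws:SourceAccount condition key, and more tightly to your own servers with aws:SourceArn. The playbook below is an added example, not code from the original post: it looks up the account ID with amazon.aws.aws_caller_info and writes both conditions into the trust policy. The aws_region variable and the server/* ARN pattern are assumptions, so check them against the ARN form of your own Transfer Family server. It also sets create_instance_profile: false, because Transfer Family never uses an EC2 instance profile; the option still exists in amazon.aws 9.0.0 but, as the warnings in the log show, is deprecated for removal after 2026-05-01.

```yaml
---
- name: Set up role for Transfer Family (trust limited to this account's servers)
  hosts: localhost
  gather_facts: false
  vars:
    role_name: TransferFamilyS3AccessRole
    # Assumption: the region your Transfer Family server runs in
    aws_region: ap-northeast-1
  tasks:
    # Account ID of the credentials Ansible is running with; used in the conditions
    # so nothing has to be hard-coded.
    - name: Look up the current account ID
      amazon.aws.aws_caller_info:
      register: caller

    - name: Create a role that only Transfer Family servers in this account can assume
      amazon.aws.iam_role:
        name: "{{ role_name }}"
        # Transfer Family does not need an instance profile; don't create one
        # (option present in amazon.aws 9.0.0, deprecated for removal after 2026-05-01).
        create_instance_profile: false
        assume_role_policy_document: |
          {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Sid": "AllowTransferFamilyInThisAccount",
                "Effect": "Allow",
                "Principal": {
                  "Service": "transfer.amazonaws.com"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                  "StringEquals": {
                    "aws:SourceAccount": "{{ caller.account }}"
                  },
                  "ArnLike": {
                    "aws:SourceArn": "arn:aws:transfer:{{ aws_region }}:{{ caller.account }}:server/*"
                  }
                }
              }
            ]
          }
        state: present
      register: iam_role

    # Print the trust policy IAM actually stored so the conditions can be eyeballed
    - name: Show the stored trust policy
      ansible.builtin.debug:
        msg: "{{ iam_role.iam_role.assume_role_policy_document }}"
```

The S3 access policy task from the playbook above can be appended unchanged; only the role task differs. If you want to restrict the trust to a single server rather than any server in the account, replace server/* in aws:SourceArn with that server's ID.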
Execution log
A few warnings are printed, but they don't affect the run.
$ ansible-playbook playbook.yml
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
PLAY [Set up role for Transfer Family] *******************************************************************
TASK [Create a role] *************************************************************************************
[DEPRECATION WARNING]: In a release after 2026-05-01 iam_role.assume_role_policy_document_raw will no longer be returned. Since release 8.0.0 assume_role_policy_document has been
returned with the same format as iam_role.assume_role_policy_document_raw. This feature will be removed from amazon.aws in a release after 2026-05-01. Deprecation warnings can be
disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: In a release after 2026-05-01 the 'create_instance_profile' option will be removed. The amazon.aws.iam_instance_profile module can be used to manage instance
profiles instead. This feature will be removed from amazon.aws in a release after 2026-05-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in
ansible.cfg.
[DEPRECATION WARNING]: In a release after 2026-05-01 the 'delete_instance_profile' option will be removed. The amazon.aws.iam_instance_profile module can be used to manage and delete
instance profiles instead. This feature will be removed from amazon.aws in a release after 2026-05-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in
ansible.cfg.
changed: [localhost]
TASK [Create a policy for s3 access] ********************************************************************
changed: [localhost]
TASK [ansible.builtin.debug] ****************************************************************************
ok: [localhost] => {
    "msg": {
        "changed": true,
        "diff": {
            "after": {
                "TransferFamilyS3AccessPolicy": {
                    "Statement": [
                        {
                            "Action": [
                                "s3:ListBucket",
                                "s3:GetBucketLocation"
                            ],
                            "Effect": "Allow",
                            "Resource": [
                                "arn:aws:s3:::advent-server"
                            ],
                            "Sid": "Statement1"
                        },
                        {
                            "Action": [
                                "s3:PutObject",
                                "s3:GetObject",
                                "s3:DeleteObject"
                            ],
                            "Effect": "Allow",
                            "Resource": "arn:aws:s3:::advent-server/*",
                            "Sid": "Statement2"
                        }
                    ],
                    "Version": "2012-10-17"
                }
            },
            "before": {}
        },
        "failed": false,
        "policy_names": [
            "TransferFamilyS3AccessPolicy"
        ],
        "role_name": "TransferFamilyS3AccessRole"
    }
}
PLAY RECAP *****************************************************************************************************
localhost : ok=3 changed=2 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
$
Checking the result
The policy we created is attached to the role we created. Note that iam_policy creates an inline policy, so it shows up under list-role-policies (inline policies); managed policies would be listed by list-attached-role-policies instead.
$ aws iam list-role-policies --role-name TransferFamilyS3AccessRole
{
    "PolicyNames": [
        "TransferFamilyS3AccessPolicy"
    ]
}
Other notes
Collections bundled by default with ansible 11.0.0
$ ansible-galaxy collection list
Collection Version
---------------------------------------- -------
amazon.aws 9.0.0
ansible.netcommon 7.1.0
ansible.posix 1.6.2
ansible.utils 5.1.2
ansible.windows 2.5.0
arista.eos 10.0.1
awx.awx 24.6.1
azure.azcollection 3.0.0
check_point.mgmt 6.2.1
chocolatey.chocolatey 1.5.3
cisco.aci 2.10.1
cisco.asa 6.0.0
cisco.dnac 6.22.0
cisco.intersight 2.0.20
cisco.ios 9.0.3
cisco.iosxr 10.2.2
cisco.ise 2.9.5
cisco.meraki 2.18.3
cisco.mso 2.9.0
cisco.nxos 9.2.1
cisco.ucs 1.14.0
cloud.common 4.0.0
cloudscale_ch.cloud 2.4.0
community.aws 9.0.0
community.ciscosmb 1.0.9
community.crypto 2.22.3
community.digitalocean 1.27.0
community.dns 3.0.7
community.docker 4.0.1
community.general 10.0.1
community.grafana 2.1.0
community.hashi_vault 6.2.0
community.hrobot 2.0.2
community.library_inventory_filtering_v1 1.0.2
community.libvirt 1.3.0
community.mongodb 1.7.8
community.mysql 3.10.3
community.network 5.1.0
community.okd 4.0.0
community.postgresql 3.7.0
community.proxysql 1.6.0
community.rabbitmq 1.3.0
community.routeros 3.0.0
community.sap_libs 1.4.2
community.sops 2.0.0
community.vmware 5.1.0
community.windows 2.3.0
community.zabbix 3.1.2
containers.podman 1.16.2
cyberark.conjur 1.3.1
cyberark.pas 1.0.27
dellemc.enterprise_sonic 2.5.1
dellemc.openmanage 9.8.0
dellemc.powerflex 2.5.0
dellemc.unity 2.0.0
f5networks.f5_modules 1.32.1
fortinet.fortimanager 2.7.0
fortinet.fortios 2.3.8
google.cloud 1.4.1
grafana.grafana 5.6.0
hetzner.hcloud 4.2.1
ibm.qradar 4.0.0
ibm.spectrum_virtualize 2.0.0
ibm.storage_virtualize 2.5.0
ieisystem.inmanage 3.0.0
infinidat.infinibox 1.4.5
infoblox.nios_modules 1.7.0
inspur.ispim 2.2.3
junipernetworks.junos 9.1.0
kaytus.ksmanage 2.0.0
kubernetes.core 5.0.0
kubevirt.core 2.1.0
lowlydba.sqlserver 2.3.4
microsoft.ad 1.7.1
netapp.cloudmanager 21.24.0
netapp.ontap 22.12.0
netapp.storagegrid 21.13.0
netapp_eseries.santricity 1.4.1
netbox.netbox 3.20.0
ngine_io.cloudstack 2.5.0
openstack.cloud 2.2.0
ovirt.ovirt 3.2.0
purestorage.flasharray 1.31.1
purestorage.flashblade 1.19.1
sensu.sensu_go 1.14.0
splunk.es 4.0.0
telekom_mms.icinga_director 2.2.0
theforeman.foreman 4.2.0
vmware.vmware 1.6.0
vmware.vmware_rest 4.2.0
vultr.cloud 1.13.0
vyos.vyos 5.0.0
wti.remote 1.0.10
Change to the iam_role module's return values
iam_role.assume_role_policy_document_raw is going to be removed from the return values.
[DEPRECATION WARNING]: In a release after 2026-05-01 iam_role.assume_role_policy_document_raw will no longer be returned. Since release 8.0.0 assume_role_policy_document has been
returned with the same format as iam_role.assume_role_policy_document_raw. This feature will be removed from amazon.aws in a release after 2026-05-01. Deprecation warnings can be
disabled by setting deprecation_warnings=False in ansible.cfg.
Deleting the role and policy created by the Playbook
This is the procedure when reusing the same Playbook.
Set the policy task to state: absent and run, then set the role task to state: absent and run (the policy task errors out on the second run, but ignore it).
Finally, delete the instance profile from the command line.
aws iam delete-instance-profile --instance-profile-name TransferFamilyS3AccessRole
↑ the profile name (here it is the same as the role name)
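The error in the second run happens because the original playbook's role task runs before its policy task, so once both are absent the policy task targets a role that no longer exists. A dedicated teardown playbook avoids that by deleting things in the reverse order of creation: inline policy, then role, then the instance profile that iam_role created alongside it. The following is an added example, not the original post's code; it assumes the same names as the playbook above, and that amazon.aws.iam_instance_profile with state: absent is a no-op when the profile is already gone.

```yaml
---
- name: Tear down the Transfer Family role
  hosts: localhost
  gather_facts: false
  vars:
    role_name: TransferFamilyS3AccessRole
    policy_name: TransferFamilyS3AccessPolicy
  tasks:
    # 1. Inline policy first. IAM refuses to delete a role that still has inline
    #    policies (DeleteConflict), and the policy task needs the role to exist.
    - name: Remove the inline S3 policy from the role
      amazon.aws.iam_policy:
        iam_name: "{{ role_name }}"
        iam_type: role
        policy_name: "{{ policy_name }}"
        state: absent

    # 2. The role itself. With the options used in the original playbook the module
    #    removes the role from its instance profile but leaves the profile in place.
    - name: Delete the role
      amazon.aws.iam_role:
        name: "{{ role_name }}"
        state: absent

    # 3. The leftover instance profile has the same name as the role. This replaces
    #    the manual "aws iam delete-instance-profile" step.
    - name: Delete the instance profile that iam_role created
      amazon.aws.iam_instance_profile:
        name: "{{ role_name }}"
        state: absent
```

Running this playbook twice is harmless: each task reports ok rather than failing once its resource is already gone, which is what you want from a teardown you might run from CI.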