This article is the day 2 entry of the Ansible Advent Calendar 2024.
Introduction
With Ansible, I will create a role for accessing S3 via AWS Transfer Family and the policy attached to it.
I wanted to put the creation of the Transfer Family server itself into code too, but at the moment there is no module for it.
Note that to delete these resources you will need a separate deletion Playbook. For example, simply changing state to absent fails because of the deletion order, so the tasks have to be swapped, and since the instance profile is left behind you will have to add a module to delete it.
Well, none of that was clear until I actually tried it, and the result can be reused for things other than Transfer Family, so all good!!
Environment and parameters
- ansible : core 2.18.0
- Bucket name : advent-server
- Role name : TransferFamilyS3AccessRole
- Policy name : TransferFamilyS3AccessPolicy
Playbook
The policies are written directly in the Playbook.

```yaml
---
- name: Set up role for Transfer Family
  hosts: localhost
  gather_facts: no
  vars:
    bucket_name: advent-server
    role_name: TransferFamilyS3AccessRole
    policy_name: TransferFamilyS3AccessPolicy
  tasks:
    # - name: Create S3 bucket
    #   # Public access is blocked entirely by default
    #   amazon.aws.s3_bucket:
    #     name: "{{ bucket_name }}"
    #     state: present
    - name: Create a role
      # Role for access via Transfer Family
      amazon.aws.iam_role:
        name: "{{ role_name }}"
        assume_role_policy_document: |
          {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {
                  "Service": "transfer.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
              }
            ]
          }
        state: present
    - name: Create a policy for s3 access
      # Create the S3 access policy and attach it to the role
      amazon.aws.iam_policy:
        iam_name: "{{ role_name }}"
        iam_type: "role"
        policy_name: "{{ policy_name }}"
        policy_json: |
          {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Sid": "Statement1",
                "Effect": "Allow",
                "Action": [
                  "s3:ListBucket",
                  "s3:GetBucketLocation"
                ],
                "Resource": [
                  "arn:aws:s3:::{{ bucket_name }}"
                ]
              },
              {
                "Sid": "Statement2",
                "Effect": "Allow",
                "Action": [
                  "s3:PutObject",
                  "s3:GetObject",
                  "s3:DeleteObject"
                ],
                "Resource": "arn:aws:s3:::{{ bucket_name }}/*"
              }
            ]
          }
        state: present
      register: iam_policy
    - ansible.builtin.debug:
        msg: "{{ iam_policy }}"
```
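The trust policy above allows the transfer.amazonaws.com service principal to assume the role without saying on whose behalf, which is the cross-service confused-deputy situation that AWS recommends closing with aws:SourceAccount and aws:SourceArn conditions. The following variant of the "Create a role" task is an added example and not part of the original Playbook; aws_account_id and aws_region are assumed variables with placeholder values.

```yaml
# Added example: same role, trust policy restricted to Transfer Family servers
# in this account. Assumed variables (placeholders, not from the original):
#   aws_account_id: "123456789012"
#   aws_region: ap-northeast-1
- name: Create a role (trust policy scoped to this account's Transfer Family servers)
  amazon.aws.iam_role:
    name: "{{ role_name }}"
    assume_role_policy_document: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
              "Service": "transfer.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
              "StringEquals": {
                "aws:SourceAccount": "{{ aws_account_id }}"
              },
              "ArnLike": {
                "aws:SourceArn": "arn:aws:transfer:{{ aws_region }}:{{ aws_account_id }}:server/*"
              }
            }
          }
        ]
      }
    state: present
```

Tightening aws:SourceArn to a single server ARN (arn:aws:transfer:region:account:server/server-id) is possible once the server exists, but since the server is created outside this Playbook the account-wide wildcard is the practical first step.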
Run log
Several warnings appear, but they do not affect operation.

```
$ ansible-playbook playbook.yml
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [Set up role for Transfer Family] *******************************************************************

TASK [Create a role] *************************************************************************************
[DEPRECATION WARNING]: In a release after 2026-05-01 iam_role.assume_role_policy_document_raw will no longer be returned. Since release 8.0.0 assume_role_policy_document has been returned with the same format as iam_role.assume_role_policy_document_raw. This feature will be removed from amazon.aws in a release after 2026-05-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: In a release after 2026-05-01 the 'create_instance_profile' option will be removed. The amazon.aws.iam_instance_profile module can be used to manage instance profiles instead. This feature will be removed from amazon.aws in a release after 2026-05-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: In a release after 2026-05-01 the 'delete_instance_profile' option will be removed. The amazon.aws.iam_instance_profile module can be used to manage and delete instance profiles instead. This feature will be removed from amazon.aws in a release after 2026-05-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
changed: [localhost]

TASK [Create a policy for s3 access] ********************************************************************
changed: [localhost]

TASK [ansible.builtin.debug] ****************************************************************************
ok: [localhost] => {
    "msg": {
        "changed": true,
        "diff": {
            "after": {
                "TransferFamilyS3AccessPolicy": {
                    "Statement": [
                        {
                            "Action": [
                                "s3:ListBucket",
                                "s3:GetBucketLocation"
                            ],
                            "Effect": "Allow",
                            "Resource": [
                                "arn:aws:s3:::advent-server"
                            ],
                            "Sid": "Statement1"
                        },
                        {
                            "Action": [
                                "s3:PutObject",
                                "s3:GetObject",
                                "s3:DeleteObject"
                            ],
                            "Effect": "Allow",
                            "Resource": "arn:aws:s3:::advent-server/*",
                            "Sid": "Statement2"
                        }
                    ],
                    "Version": "2012-10-17"
                }
            },
            "before": {}
        },
        "failed": false,
        "policy_names": [
            "TransferFamilyS3AccessPolicy"
        ],
        "role_name": "TransferFamilyS3AccessRole"
    }
}

PLAY RECAP *****************************************************************************************************
localhost                  : ok=3    changed=2    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

$
```
Verifying the result
The policy we created is attached to the role we also created.

```
$ aws iam list-role-policies --role-name TransferFamilyS3AccessRole
{
    "PolicyNames": [
        "TransferFamilyS3AccessPolicy"
    ]
}
```
Other notes
Default collections in ansible 11.0.0

```
$ ansible-galaxy collection list

# /home/ubuntu/.local/lib/python3.12/site-packages/ansible_collections
Collection                               Version
---------------------------------------- -------
amazon.aws                               9.0.0
ansible.netcommon                        7.1.0
ansible.posix                            1.6.2
ansible.utils                            5.1.2
ansible.windows                          2.5.0
arista.eos                               10.0.1
awx.awx                                  24.6.1
azure.azcollection                       3.0.0
check_point.mgmt                         6.2.1
chocolatey.chocolatey                    1.5.3
cisco.aci                                2.10.1
cisco.asa                                6.0.0
cisco.dnac                               6.22.0
cisco.intersight                         2.0.20
cisco.ios                                9.0.3
cisco.iosxr                              10.2.2
cisco.ise                                2.9.5
cisco.meraki                             2.18.3
cisco.mso                                2.9.0
cisco.nxos                               9.2.1
cisco.ucs                                1.14.0
cloud.common                             4.0.0
cloudscale_ch.cloud                      2.4.0
community.aws                            9.0.0
community.ciscosmb                       1.0.9
community.crypto                         2.22.3
community.digitalocean                   1.27.0
community.dns                            3.0.7
community.docker                         4.0.1
community.general                        10.0.1
community.grafana                        2.1.0
community.hashi_vault                    6.2.0
community.hrobot                         2.0.2
community.library_inventory_filtering_v1 1.0.2
community.libvirt                        1.3.0
community.mongodb                        1.7.8
community.mysql                          3.10.3
community.network                        5.1.0
community.okd                            4.0.0
community.postgresql                     3.7.0
community.proxysql                       1.6.0
community.rabbitmq                       1.3.0
community.routeros                       3.0.0
community.sap_libs                       1.4.2
community.sops                           2.0.0
community.vmware                         5.1.0
community.windows                        2.3.0
community.zabbix                         3.1.2
containers.podman                        1.16.2
cyberark.conjur                          1.3.1
cyberark.pas                             1.0.27
dellemc.enterprise_sonic                 2.5.1
dellemc.openmanage                       9.8.0
dellemc.powerflex                        2.5.0
dellemc.unity                            2.0.0
f5networks.f5_modules                    1.32.1
fortinet.fortimanager                    2.7.0
fortinet.fortios                         2.3.8
google.cloud                             1.4.1
grafana.grafana                          5.6.0
hetzner.hcloud                           4.2.1
ibm.qradar                               4.0.0
ibm.spectrum_virtualize                  2.0.0
ibm.storage_virtualize                   2.5.0
ieisystem.inmanage                       3.0.0
infinidat.infinibox                      1.4.5
infoblox.nios_modules                    1.7.0
inspur.ispim                             2.2.3
junipernetworks.junos                    9.1.0
kaytus.ksmanage                          2.0.0
kubernetes.core                          5.0.0
kubevirt.core                            2.1.0
lowlydba.sqlserver                       2.3.4
microsoft.ad                             1.7.1
netapp.cloudmanager                      21.24.0
netapp.ontap                             22.12.0
netapp.storagegrid                       21.13.0
netapp_eseries.santricity                1.4.1
netbox.netbox                            3.20.0
ngine_io.cloudstack                      2.5.0
openstack.cloud                          2.2.0
ovirt.ovirt                              3.2.0
purestorage.flasharray                   1.31.1
purestorage.flashblade                   1.19.1
sensu.sensu_go                           1.14.0
splunk.es                                4.0.0
telekom_mms.icinga_director              2.2.0
theforeman.foreman                       4.2.0
vmware.vmware                            1.6.0
vmware.vmware_rest                       4.2.0
vultr.cloud                              1.13.0
vyos.vyos                                5.0.0
wti.remote                               1.0.10
```
Change to the return values of the iam_role module
iam_role.assume_role_policy_document_raw will be removed from the return values.

```
[DEPRECATION WARNING]: In a release after 2026-05-01 iam_role.assume_role_policy_document_raw will no longer be returned. Since release 8.0.0 assume_role_policy_document has been returned with the same format as iam_role.assume_role_policy_document_raw. This feature will be removed from amazon.aws in a release after 2026-05-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
```
Deleting the role and policy created with the Playbook
This is the procedure when reusing the same Playbook.
Set the policy to absent and run, then set the role to absent and run (an error is raised for the policy, but ignore it).
Finally, delete the instance profile with a command.

```
aws iam delete-instance-profile --instance-profile-name TransferFamilyS3AccessRole
```

↑ the instance profile name (here, the same as the role name)
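The three steps above can also be kept as a dedicated teardown Playbook, so the order is fixed and the leftover instance profile is removed by the amazon.aws.iam_instance_profile module that the deprecation warning in the run log points to. This is an added example and not part of the original article; it reuses only the variable names from the Playbook above.

```yaml
---
# Added example: teardown Playbook for the role and policy created above.
# Order matters: the inline policy must go before the role, and the instance
# profile that iam_role created alongside the role is removed last.
- name: Tear down role for Transfer Family
  hosts: localhost
  gather_facts: no
  vars:
    role_name: TransferFamilyS3AccessRole
    policy_name: TransferFamilyS3AccessPolicy
  tasks:
    - name: Remove the inline S3 access policy from the role
      amazon.aws.iam_policy:
        iam_name: "{{ role_name }}"
        iam_type: role
        policy_name: "{{ policy_name }}"
        state: absent

    - name: Delete the role
      amazon.aws.iam_role:
        name: "{{ role_name }}"
        state: absent

    - name: Delete the instance profile left behind (same name as the role)
      amazon.aws.iam_instance_profile:
        name: "{{ role_name }}"
        state: absent
```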