Fixing iam role when string is passed pr devel 2.x (#2378)

* fix(scripts): Fix git checkout to fetch any new branches (#1655)

* Apt repo role pr 2.x (#1666)

* First pass at APT repo role.

* Adding APT autoremove task to the _exit role.

* Adding systemd timer for APT key renewal.

* Adding role documentation.

* Adding new role to MySQL role to test.

* Adding python-debian dependency for deb822 repo handling.

* Removing obsolete variable check.

* Defaulting the APT 'suites' value to the Ansible-detected release name.

* Adding APT suite to MySQL repo installation.

* Better docs and fixed a syntax error.

* Fixing shell script for refreshing APT keys.

* Ensuring APT clean-up in _exit always runs as root.

* Fixing up MySQL config for 8.0 and tidying vars.

* Adding MySQL repo to unattended upgrades.

* Adding README for Docker CE, Docker Compose support and switching to apt_repository role.

* Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role.

* Updating docs index.

* Adding Docker repo to unattended upgrades.

* Updating MySQL docs.

* Updating repo handling for GitLab and GitLab Runner.

* Ensuring wget is installed.

* wget seems more reliable than cURL for key fetching.

* Updating Jenkins repo handling.

* Fixing openjdk default version and updating nodejs APT repo handling.

* Removing OSSEC, replaced by Wazuh.

* Updating repo handling for the PAM LinOTP role.

* Updating repo handling for the LHCI role.

* Updating repo handling for PHP components.

* Trying out a different config for Jenkins.

* Updating docs.

* Forgot to remove old yarn repo code.

* Adding python3-debian package to python_common defaults to avoid first build failures.

* Adding list format support to APT role.

* Testing list format support with jenkins role.

* Downloading GPG public key.

* Ensuring the _apt_repository.key_filename var exists.

* Fixing SSL vars in Jenkins role.

* Updating repo handling for jitsi role.

* Updating docs.

* Bad SSL var name.

* Making timer name dynamic.

* Adding missing repo format var to all APT repo handling.

* Updating docs.

* Fixing bug where list is passed instead of dict for systemd timer.

* Bug fixes 2.x pr 2.x (#1667)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Bug fixes 2.x pr 2.x (#1670)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Updating-waf-acl-role (#1672)

Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com>

* Setting up proxy vhost pr 2.x (#1674)

* Setting-up-proxy-vhost

* Setting-up-proxy-vhost-2

* Fixing-typo (#1676)

* New-version-of-aws-acl-role (#1683)

* New-version-of-aws-acl-role

* Fixing-jinja-linting

---------

Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com>

* Updating-nginx-template (#1688)

* Updating-aws_backup-to-register-iam-arn-2 (#1696)

Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com>

* Updating-nginx-htpasswd-task-2 (#1698)

Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com>

* Bug fixes 2.x pr 2.x (#1702)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* r69424-Adding-resource-group-task (#1706)

Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com>

* Adding lock file behaviour to ce-provision. (#1708)

* Adding lock file behaviour to ce-provision.

* Updating documentation.

* Adding extra lock file handling for ASG EC2 machines.

* Moving lock file paths to variables.

* Adding docs about connection management.

* Fixing placement of lock files on ASGs.

* Removing the 'Remove lock file' task for ASGs as it is doomed to fail (machine is gone).

* Adding in a lock file removal if we do not replace the ASG.

* Bug fixes 2.x pr 2.x (#1715)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Bug fixes 2.x pr 2.x (#1717)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Creating a ce-provision installer script. (#1724)

* Installer pr 2.x (#1726)

* Creating a ce-provision installer script.

* Updating installation docs.

* Bug fixes 2.x pr 2.x (#1730)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Installer pr 2.x (#1732)

* Creating a ce-provision installer script.

* Updating installation docs.

* Adding pip upgrade line and python-debian.

* Installing certbot in a python venv. (#1659)

* Installing certbot in a python venv.

* Changing default location for Python packages.

* Allowing the ansible role to override venv settings.

* Preventing ce_deploy from installing in an entirely separate venv by default.

* Updating certbot installation to use _init venv variables.

* Updating duplicity role to use _init venv variables by default.

* Ordering pip docs.

* Update documentation.

* Fixing Ansible path in installer.

* Fixing occurrences of path to venv.

* Installer pr 2.x (#1735)

* Creating a ce-provision installer script.

* Updating installation docs.

* Adding pip upgrade line and python-debian.

* Updating docs.

* Some minor installer bug fixes.

* Bug fixes 2.x pr 2.x (#1737)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Bug fixes 2.x pr 2.x (#1738)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Fixing-ACM-SAN-behaviour (#1739)

* Bug fixes 2.x pr 2.x (#1742)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Bug fixes 2.x pr 2.x (#1749)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Bug fixes 2.x pr 2.x (#1752)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Trying different approach to ACM SAN cert check.

* Bug fixes 2.x pr 2.x (#1754)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Trying different approach to ACM SAN cert check.

* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.

* RDS param group module has changed name.

* Bug fixes 2.x pr 2.x (#1756)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Trying different approach to ACM SAN cert check.

* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.

* RDS param group module has changed name.

* Adding passlib to libraries installed for ce-provision.

* Adding in valid path for 'which' to rkhunter.

* Redoing-changes-for-aws-acl-role (#1728)

* Redoing-changes-for-aws-acl-role

* retrigger checks

* Fixing-conflicts-4

---------

Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com>

* Remvoing-scp-extra-args-temporary (#1761)

Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com>

* Bug fixes 2.x pr 2.x (#1765)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Trying different approach to ACM SAN cert check.

* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.

* RDS param group module has changed name.

* Adding passlib to libraries installed for ce-provision.

* Adding in valid path for 'which' to rkhunter.

* Catching up documentation.

* Catching up documentation.

* Making user creation optional and home directories a variable.

* Missed passing new home var to task.

* Bug fixes 2.x pr 2.x (#1767)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Trying different approach to ACM SAN cert check.

* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.

* RDS param group module has changed name.

* Adding passlib to libraries installed for ce-provision.

* Adding in valid path for 'which' to rkhunter.

* Catching up documentation.

* Catching up documentation.

* Making user creation optional and home directories a variable.

* Missed passing new home var to task.

* Fixing firewall.bash deletion issues.

* Bug fixes 2.x pr 2.x (#1769)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Trying different approach to ACM SAN cert check.

* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.

* RDS param group module has changed name.

* Adding passlib to libraries installed for ce-provision.

* Adding in valid path for 'which' to rkhunter.

* Catching up documentation.

* Catching up documentation.

* Making user creation optional and home directories a variable.

* Missed passing new home var to task.

* Fixing firewall.bash deletion issues.

* Getting rid of accidental extra braces.

* Bug fixes 2.x pr 2.x (#1771)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Trying different approach to ACM SAN cert check.

* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.

* RDS param group module has changed name.

* Adding passlib to libraries installed for ce-provision.

* Adding in valid path for 'which' to rkhunter.

* Catching up documentation.

* Catching up documentation.

* Making user creation optional and home directories a variable.

* Missed passing new home var to task.

* Fixing firewall.bash deletion issues.

* Getting rid of accidental extra braces.

* Simplifying usernames so you only need to set one var.

* Managing-mime-types-nginx (#1773)

* Whitelisting ce vpn ip wazuh pr 2.x (#1775)

* Whitelisting-CE-VPN-IP-wazuh

* Fixing-wazuh-whitelist-variable

* Updating-wazuh-vars (#1777)

* add community.postgresql collection and remove varnish master release (#1779)

* Updating wazuh vars pr 2.x (#1781)

* Updating-wazuh-vars

* Updating-manager-vars

* Updating wazuh vars pr 2.x (#1783)

* Updating-wazuh-vars

* Updating-manager-vars

* Updating-wazuh-manager-active-response

* Updating-wazuh-manager-active-response-2x

* Updating wazuh vars pr 2.x (#1785)

* Updating-wazuh-vars

* Updating-manager-vars

* Updating-wazuh-manager-active-response

* Updating-wazuh-manager-active-response-2x

* Fixing-wazuh-broken-pipeline

* Updating wazuh vars pr 2.x (#1787)

* Updating-wazuh-vars

* Updating-manager-vars

* Updating-wazuh-manager-active-response

* Updating-wazuh-manager-active-response-2x

* Fixing-wazuh-broken-pipeline

* Tweaking-wazuh-vars

* r68065 mattermost role first commit (#1789)

* r68065 mattermost role first commit

* fixing linting/syntax

* reload systemd with ansible.builtin.systemd_service

* handler for postgresql reloads

* default systemd unit file for mattermost role

* r68065 install python psycopg2 (#1791)

* r68065 use psycopg binary package as compiling creates depsolve issues (#1793)

* permissions for postgres setup (#1795)

* r68065 add mattermost group before user (#1797)

* Updating-duplicity (#1804)

* enable mattermost systemd unit (#1810)

* nginx include for mattermost (#1812)

* nginx include for mattermost

* add mattermost project type

* ssl on handled by nginx role (#1814)

* fix mattermost nginx include (#1822)

* remove unsupported nginx option (#1824)

* Restore testing update pr 2.x (#1832)

* Restore-testing-update

* Restore-testing-update-2

---------

Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com>

* Resolving conflicts pr 2.x (#1834)

* Fixing-conflicts-and-updating-docs

* Fixed-conflicts

* Fixed-conflicts-2

---------

Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com>

* initial commit - mattermost local backups (#1838)

* r69995-Updating-vhost-for-LE-validation (#1843)

Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com>

* Changing priority flexibility pr 2.x (#1841)

* Changing-priority-flexibility

* Changing-priority-flexibility-2

* Adding-aws-acl-to-meta

* Adding-cast-to-int-for-priority

---------

Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com>

* Aws acl role changes for ip set pr 2.x (#1848)

* aws_acl-role-changes-for-ip-set

* aws_acl-role-changes-for-ip-set-docs-update

---------

Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com>

* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)

* fix_opensearch_vars (#1852)

* wait_timeout_for_opensearch_domain_creation (#1854)

* wait_timeout_for_opensearch_domain_creation

* remove trailing space

* Updating-aws-acl-task (#1856)

Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com>

* Bug fixes 2.x pr 2.x (#1859)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Trying different approach to ACM SAN cert check.

* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.

* RDS param group module has changed name.

* Adding passlib to libraries installed for ce-provision.

* Adding in valid path for 'which' to rkhunter.

* Catching up documentation.

* Catching up documentation.

* Making user creation optional and home directories a variable.

* Missed passing new home var to task.

* Fixing firewall.bash deletion issues.

* Getting rid of accidental extra braces.

* Simplifying usernames so you only need to set one var.

* Docs update and making Ansible installation via _init an option.

* Bug fixes 2.x pr 2.x (#1860)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Trying different approach to ACM SAN cert check.

* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.

* RDS param group module has changed name.

* Adding passlib to libraries installed for ce-provision.

* Adding in valid path for 'which' to rkhunter.

* Catching up documentation.

* Catching up documentation.

* Making user creation optional and home directories a variable.

* Missed passing new home var to task.

* Fixing firewall.bash deletion issues.

* Getting rid of accidental extra braces.

* Simplifying usernames so you only need to set one var.

* Docs update and making Ansible installation via _init an option.

* Variable path error.

* Updating linter ignore paths.

* Small-changes-on-aws-acl-and-RDS-validation (#1863)

Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com>

* Updating-user-ansible-vars (#1864)

* Updating user ansible vars pr 2.x (#1867)

* Updating-user-ansible-vars

* Fixing-syntax

* add_vars_to_user_deploy_user_provision (#1869)

* Disabling-general-log-mariadb (#1871)

* Updating-aws_acl-role (#1873)

Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com>

* r70260-rkhunter-whitelist (#1877)

* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)

* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish

* Fix variable naming and comment

* Implement keep_default_vhost setting

* Wazuh-var-update (#1903)

* Wazuh-agent-vars-more-readable (#1905)

* Filebeat-restart-task-wazuh (#1907)

* Filebeat restart task wazuh pr 2.x (#1909)

* Filebeat-restart-task-wazuh

* Fixing-wazuh-filebeat-restart

* Adding-gawk-to-extra-packages (#1910)

* Updating-filebeat-restart-task (#1913)

* Adding motd to exit role pr 2.x (#1915)

* Fixing-backup-validation-role-plicies

* Adding-parts-for-VPC-and-SG

* Adding-region-to-vpc-and-subnet-tasks

* Adding-region-to-vpc-and-subnet-tasks-2

* Updating-vars-for-vpc-and-subnet

* Updating-vars-for-vpc-and-subnet-2

* Updating-vars-for-vpc-and-subnet-3

* Adding-json-file-for-restore-testing

* Changing-user-where-json-file-is-generated

* Updating-json-file-location

* Updating-path-to-j2-file

* Changing-force-valkue

* Testing-file-creation

* Testing-file-creation-via-command-task

* Adding-motd-to-exit-role

* Commenting-out-task-that-will-fail

* Fixing-pipefail

* Fixing-syntax-issue

---------

Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com>

* Fixing-motd-task (#1917)

* Motd-switch-egrep-with-awk (#1919)

* Motd-task-update (#1922)

* Motd-task-update

* Restoring-deleted-task

* Fixing motd task when running on localhost pr 2.x (#1924)

* Fixing-backup-validation-role-plicies

* Fixing-motd-task-when-running-on-localhost

* Updating-when-statement

* Adding-become-true-on-motd-update

---------

Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com>

* Apt bug workaround pr 2.x (#1935)

* apt_bug_workaround

* apt_bug_workaround

* apt_bug_workaround

* apt_bug_workaround

* fix_var_logic

* Pushing-aws-backup-validation-role (#1944)

* Pushing-aws-backup-validation-role

* Fixing-linting

---------

Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com>

* fix(redis): Convert maxmemory setting to int before comparing (#1897)

* Reverting-nginx-username (#1945)

* Reverting nginx username pr 2.x (#1947)

* Reverting-nginx-username

* Minor-fix-nginx-username

* Updating-nginx-vars (#1950)

* Bug fixes 2.x pr 2.x (#1952)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Trying different approach to ACM SAN cert check.

* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.

* RDS param group module has changed name.

* Adding passlib to libraries installed for ce-provision.

* Adding in valid path for 'which' to rkhunter.

* Catching up documentation.

* Catching up documentation.

* Making user creation optional and home directories a variable.

* Missed passing new home var to task.

* Fixing firewall.bash deletion issues.

* Getting rid of accidental extra braces.

* Simplifying usernames so you only need to set one var.

* Docs update and making Ansible installation via _init an option.

* Variable path error.

* Updating linter ignore paths.

* Making the NGINX test result var private.

* Documentation update.

* Fixing role dependency in NGINX role.

* r70597 new system role for ipv6 disablement (#1954)

* r70597 new system role for ipv6 disa…

Author: 22 people

roles/aws/aws_admin_tools/tasks/main.yml

@@ -1,4 +1,4 @@
-- name: Create API gateway.
+- name: Get account ID for ARN.
   ansible.builtin.command: >-
     aws sts get-caller-identity
     --query Account

roles/aws/aws_backup_validation/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 aws_backup_validation:
-  s3_bucket: "codeenigma-{{ _aws_profile }}-general-storage-{{ _aws_region }}"
+  s3_bucket: "ce-{{ _aws_profile }}-lambda-functions"
   name: "RestoreValidation"
   description: "Restore validation is running every Sunday at 00:00AM, and validation reporting is triggered on Monday 00:00AM"
   timeout: 60

roles/aws/aws_backup_validation/tasks/main.yml

@@ -1,162 +1,102 @@
 ---
-- name: Create a role and attach policies
-  amazon.aws.iam_role:
-    name: LambdaBackupRestoreRole
-    assume_role_policy_document: "{{ lookup('file', 'trusted_entitites.j2') }}"
-    managed_policies:
-      - arn:aws:iam::aws:policy/AmazonEC2FullAccess
-      - arn:aws:iam::aws:policy/AWSBackupFullAccess
-      - arn:aws:iam::aws:policy/AmazonRDSFullAccess
-      - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
-      - arn:aws:iam::aws:policy/AmazonSESFullAccess
-      - arn:aws:iam::aws:policy/AmazonSSMFullAccess
-  register: _created_iam_lambda_role
-
-- name: Create an IAM Managed Policy for passing roles
-  amazon.aws.iam_managed_policy:
-    policy_name: "PassRole"
-    policy:
-      Version: "2012-10-17"
-      Statement:
-        - Effect: "Allow"
-          Action: "iam:PassRole"
-          Resource: "*"
-    state: present
-  register: _pass_role
-
-- name: Update AWSBackupDefaultServiceRole
-  amazon.aws.iam_role:
-    name: AWSBackupDefaultServiceRole
-    assume_role_policy_document: "{{ lookup('file', 'pass_role_backup.j2') }}"
-    managed_policies:
-      - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
-      - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores
-      - "{{ _pass_role.policy.arn }}"
+- name: Create a role and attach policies for Lambda backup validation.
+  ansible.builtin.include_role:
+    name: aws/aws_iam_role
+  vars:
+    aws_iam_role:
+      name: LambdaBackupRestoreRole
+      aws_profile: "{{ _aws_profile }}"
+      managed_policies:
+        - arn:aws:iam::aws:policy/AmazonEC2FullAccess
+        - arn:aws:iam::aws:policy/AWSBackupFullAccess
+        - arn:aws:iam::aws:policy/AmazonRDSFullAccess
+        - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
+        - arn:aws:iam::aws:policy/AmazonSSMFullAccess
+      policy_document: "{{ lookup('file', 'trusted_entitites.j2') }}"
+
+- name: Create backup validation Lambda functions.
+  ansible.builtin.include_role:
+    name: aws/aws_lambda
+  vars:
+    aws_lambda:
+      name: "{{ aws_backup_validation.name }}_{{ item }}"
+      description: "{{ aws_backup_validation.description }}"
+      timeout: "{{ aws_backup_validation.timeout }}"
+      role: "{{ aws_iam_role._result['LambdaBackupRestoreRole'] }}"
+      runtime: "{{ aws_backup_validation.runtime }}"
+      function_file: "{{ lookup('template', item + '_validation.py.j2')  }}"
+      s3_bucket: "ce-{{ _aws_profile }}-lambda-functions"
+      tags:
+        Name: "{{ item }}_backup_validation"
+  loop: "{{ aws_backup_validation.resources }}"
 
-- name: Sleep for 10 seconds for IAM before Lambda creation
-  ansible.builtin.wait_for:
-    timeout: 10
+#- name: Remove variables containing "-".
+#  ansible.builtin.set_fact:
+#    aws_lambda: "{{ aws_lambda | ansible.utils.remove_keys(target=['response_metadata', 'function_file']) }}"
+
+- name: Create an IAM Managed Policy for passing roles and setup IAM role.
+  ansible.builtin.include_role:
+    name: aws/aws_iam_role
+  vars:
+    aws_iam_role:
+      name: AWSBackupDefaultServiceRole
+      aws_profile: "{{ _aws_profile }}"
+      inline_policies:
+        name: "PassRole"
+        resource: "*"
+        action: "iam:PassRole"
+      policy_document: "{{ lookup('file', 'pass_role_backup.j2') }}"
+      managed_policies:
+        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
+        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores
 
 # TODO: Not all clients have verified identity
 #- name: Get verified domain.
 #  ansible.builtin.include_tasks: get_valid_email.yml
 
-- name: Clean and set python functions
-  block:
-    - name: Create S3 bucket for lambda functions
-      amazon.aws.s3_bucket:
-        name: "{{ aws_backup_validation.s3_bucket }}"
-        region: "{{ _aws_region }}"
-        state: present
-
-    - name: Check and clean any previous backup validation files
-      ansible.builtin.file:
-        path: "{{ _ce_provision_build_dir }}/{{ item }}_validation.py"
-        state: absent
-      loop: "{{ aws_backup_validation.resources }}"
-
-    - name: Check and clean any previous validation report files
-      ansible.builtin.file:
-        path: "{{ _ce_provision_build_dir }}/validation_report.py"
-        state: absent
-
-    - name: Write Lambda functions
-      ansible.builtin.template:
-        src: "{{ item }}_validation.py.j2"
-        dest: "{{ _ce_provision_build_dir }}/{{ item }}_validation.py"
-      loop: "{{ aws_backup_validation.resources }}"
-
-    - name: Get info about newly created restore testing plan.
-      ansible.builtin.command: >
-        aws backup list-restore-testing-plans --region {{ _aws_region }}
-      register: _testing_plans
-
-    - name: Print return information from the previous task
-      ansible.builtin.debug:
-        var: _testing_plans
-
-    - name: Write validation report functions
-      ansible.builtin.template:
-        src: "validation_report.j2"
-        dest: "{{ _ce_provision_build_dir }}/validation_report.py"
-
-    - name: Create a zip archive of Lambda functions
-      community.general.archive:
-        path: "{{ _ce_provision_build_dir }}/{{ item }}_validation.py"
-        dest: "{{ _ce_provision_build_dir }}/{{ item }}_validation.zip"
-        format: zip
-      loop: "{{ aws_backup_validation.resources }}"
-
-    - name: Create a zip archive of validation report
-      community.general.archive:
-        path: "{{ _ce_provision_build_dir }}/validation_report.py"
-        dest: "{{ _ce_provision_build_dir }}/validation_report.zip"
-        format: zip
-
-    - name: Place backup validation functions in S3 bucket
-      amazon.aws.s3_object:
-        bucket: "{{ aws_backup_validation.s3_bucket }}"
-        object: "lambda-functions/{{ item }}_validation.zip"
-        src: "{{ _ce_provision_build_dir }}/{{ item }}_validation.zip"
-        mode: put
-      loop: "{{ aws_backup_validation.resources }}"
-
-    - name: Place report function in S3 bucket
-      amazon.aws.s3_object:
-        bucket: "{{ aws_backup_validation.s3_bucket }}"
-        object: "lambda-functions/validation_report.zip"
-        src: "{{ _ce_provision_build_dir }}/validation_report.zip"
-        mode: put
-      loop: "{{ aws_backup_validation.resources }}"
-
-- name: Create Lambda functions
-  amazon.aws.lambda:
-    name: "{{ aws_backup_validation.name }}_{{ item }}"
-    description: "{{ aws_backup_validation.description }}"
-    region: "{{ _aws_region }}"
-    timeout: "{{ aws_backup_validation.timeout }}"
-    s3_bucket: "{{ aws_backup_validation.s3_bucket }}"
-    s3_key: "lambda-functions/{{ item }}_validation.zip"
-    state: present
-    runtime: "{{ aws_backup_validation.runtime }}"
-    role: "{{ _created_iam_lambda_role.iam_role.arn }}"
-    handler: "{{ item }}_validation.{{ aws_backup_validation.handler }}"
-    tags:
-      Name: "{{ item }}_backup_validation"
-  register: _lambda_functions
-  loop: "{{ aws_backup_validation.resources }}"
-
-- name: Create validation report functions
-  amazon.aws.lambda:
-    name: "validation_report"
-    description: "{{ aws_backup_validation.description }}"
-    region: "{{ _aws_region }}"
-    timeout: 30
-    s3_bucket: "{{ aws_backup_validation.s3_bucket }}"
-    s3_key: "lambda-functions/validation_report.zip"
-    state: present
-    runtime: "{{ aws_backup_validation.runtime }}"
-    role: "{{ _created_iam_lambda_role.iam_role.arn }}"
-    handler: "validation_report.{{ aws_backup_validation.handler }}"
-  register: _validation_report
-
-- name: Remove non UTF-8 item
+- name: Get info about newly created restore testing plan.
+  ansible.builtin.command: >
+    aws backup list-restore-testing-plans --region {{ _aws_region }}
+  register: _testing_plans
+
+- name: Create validation report function.
+  ansible.builtin.include_role:
+    name: aws/aws_lambda
+  vars:
+    aws_lambda:
+      name: "validation_report"
+      description: "{{ aws_backup_validation.description }}"
+      timeout: "30"
+      role: "{{ aws_iam_role._result['LambdaBackupRestoreRole'] }}"
+      runtime: "{{ aws_backup_validation.runtime }}"
+      function_file: "{{ lookup('template', 'validation_report.py.j2') }}"
+      s3_bucket: "ce-{{ _aws_profile }}-lambda-functions"
+      tags:
+        Name: "validation_report"
+
+- name: Get account ID for ARN.
+  ansible.builtin.command: >-
+    aws sts get-caller-identity
+    --query Account
+    --output text
+  register: _acc_id
+
+- name: Setting previous command output into variable.
   ansible.builtin.set_fact:
-    _lambda_functions: "{{ _lambda_functions | ansible.utils.remove_keys(target=['ZipFile', 'location', 'item.invocation']) }}"
-    _validation_report: "{{ _validation_report | ansible.utils.remove_keys(target=['ZipFile', 'location', 'item.invocation']) }}"
+    _acc_id: "{{ _acc_id.stdout | from_json }}"
 
-- name: Create EventBridge for validations
+- name: Create EventBridge for validation functions.
   amazon.aws.cloudwatchevent_rule:
-    name: "{{ item.configuration.function_name }}"
-    description: "{{ item.configuration.description }}"
+    name: "RestoreValidation_{{ item }}"
+    description: "{{ aws_backup_validation.description }}"
     state: present
     region: "{{ _aws_region }}"
-    event_pattern: '{ "source": ["aws.backup"], "detail-type": ["Restore Job State Change"], "detail": { "resourceType": ["{{ item.item }}"], "status": ["COMPLETED"] } }'
+    event_pattern: '{ "source": ["aws.backup"], "detail-type": ["Restore Job State Change"], "detail": { "resourceType": ["{{ item }}"], "status": ["COMPLETED"] } }'
     targets:
-      - id: "{{ item.configuration.function_name }}"
-        arn: "{{ (item.configuration.function_arn.split(':') | map('trim'))[:-1] | join(':') }}" # Remove the version number from ARN
+      - id: "RestoreValidation_{{ item }}"
+        arn: "arn:aws:lambda:{{ _aws_region }}:{{ _acc_id }}:function:RestoreValidation_{{ item }}"
+  loop: "{{ aws_backup_validation.resources }}"
   register: _event_bridges
-  loop: "{{ _lambda_functions.results }}"
 
 - name: Create schedule for validation reports
   amazon.aws.cloudwatchevent_rule:
@@ -166,7 +106,7 @@
     region: "{{ _aws_region }}"
     targets:
       - id: validation_report
-        arn: "{{ (_validation_report.configuration.function_arn.split(':') | map('trim'))[:-1] | join(':') }}" # Remove the version number from ARN
+        arn: "{{ (aws_lambda._result['validation_report'].configuration.function_arn.split(':') | map('trim'))[:-1] | join(':') }}" # Remove the version number from ARN
   register: _validation_event
 
 - name: Generate unique string
@@ -176,8 +116,8 @@
 - name: Update Lambda policy
   amazon.aws.lambda_policy:
     state: present
-    function_name: "{{ item.item.configuration.function_name }}"
-    statement_id: "{{ item.item.configuration.function_name }}_{{ _rand_str }}"
+    function_name: "{{ item.rule.name }}"
+    statement_id: "{{ item.rule.name }}_{{ _rand_str }}"
     action: lambda:InvokeFunction
     principal: events.amazonaws.com
     source_arn: "{{ item.rule.arn }}"
@@ -188,7 +128,7 @@
   amazon.aws.lambda_policy:
     state: present
     function_name: "validation_report"
-    statement_id: "{{ _validation_report.configuration.function_name }}_{{ _rand_str }}"
+    statement_id: "validation_report_{{ _rand_str }}"
     action: lambda:InvokeFunction
     principal: events.amazonaws.com
     source_arn: "{{ _validation_event.rule.arn }}"

roles/aws/aws_backup_validation/templates/validation_report.j2 renamed to roles/aws/aws_backup_validation/templates/validation_report.py.j2

@@ -98,9 +98,9 @@ failed_job = backup_cli.list_restore_jobs(
   {% endfor %}
 
   if len(failed_jobs) > 0:
-    mail_title = "Failed!"
+    mail_title = "🔴 Failed!"
   else:
-    mail_title = "Success!"
+    mail_title = "🟢 Success!"
   print("Successful restore jobs:")
   print(completed_jobs)
 

roles/aws/aws_iam_role/defaults/main.yml

@@ -3,6 +3,10 @@ aws_iam_role:
   aws_profile: "{{ _aws_profile }}"
   # Pass either names or ARNs for the role.
   managed_policies: []
+  inline_policies:
+    name: "example_inline_polcy" # Name of inline policy
+    resource: "*"
+    action: []
   # Which document policy to apply.
   # Current options are 'ec2', 'ecs' or 'backup'
   policy_document: ec2

roles/aws/aws_iam_role/tasks/main.yml

@@ -1,9 +1,42 @@
+- name: Create an IAM Managed Policy if defined.
+  amazon.aws.iam_managed_policy:
+    policy_name: "inline_{{ aws_iam_role.name }}_policy"
+    policy:
+      Version: "2012-10-17"
+      Statement:
+        - Effect: "Allow"
+          Action: "{{ aws_iam_role.inline_policies.action }}"
+          Resource: "{{ aws_iam_role.inline_policies.resource }}"
+    state: present
+  register: _inline_iam_policy
+  when: inline_policies.action is defined and inline_policies.action > 0
+
+- name: Join managed and inline policy.
+  ansible.builtin.set_fact:
+    _combined_policies: "{{ aws_iam_role.managed_policies + [_inline_iam_policy.arn] }}"
+  when: inline_policies.action is defined and inline_policies.action > 0
+
+- name: Create combined var if inline policy is not defined or empty.
+  ansible.builtin.set_fact:
+    _combined_policies: "{{ aws_iam_role.managed_policies }}"
+  when: inline_policies.action is not defined or inline_policies.action == 0
+
+- name: Create assume role policy document if predefined string is passed.
+  ansible.builtin.set_fact:
+    _assume_role_policy: "{{ lookup('file', aws_iam_role.policy_document + '_document_policy.json') }}"
+  when: aws_iam_role.policy_document | type_debug == 'string'
+
+- name: Create assume role policy document if template is provided.
+  ansible.builtin.set_fact:
+    _assume_role_policy: "{{ aws_iam_role.policy_document }}"
+  when: aws_iam_role.policy_document | type_debug != 'string'
+
 - name: Create an IAM role.
   amazon.aws.iam_role:
     profile: "{{ aws_iam_role.aws_profile }}"
     name: "{{ aws_iam_role.name }}"
-    assume_role_policy_document: "{{ lookup('file', aws_iam_role.policy_document + '_document_policy.json') }}"
-    managed_policies: "{{ aws_iam_role.managed_policies }}"
+    assume_role_policy_document: "{{ _assume_role_policy }}"
+    managed_policies: "{{ _combined_policies }}"
     purge_policies: "{{ aws_iam_role.purge_policies }}"
     tags: "{{ aws_iam_role.tags }}"
     create_instance_profile: "{% if aws_iam_role.policy_document == 'ec2' %}true{% else %}false{% endif %}"
@@ -12,4 +45,4 @@
 
 - name: Register aws_iam_role results.
   ansible.builtin.set_fact:
-    aws_iam_role: "{{ aws_iam_role | combine({'_result': {aws_iam_role.name: _aws_iam_role_result}}) }}"
+    aws_iam_role: "{{ aws_iam_role | combine({'_result': {aws_iam_role.name: _aws_iam_role_result}}, recursive=True) }}"

roles/aws/aws_lambda/defaults/main.yml

@@ -0,0 +1,10 @@
+aws_lambda:
+  name: "lambda_function_name"
+  description: "Description for AWS Lambda function"
+  timeout: "20" # Maximum number of seconds before function times out
+  handler: "lambda_handler" # Name of main function
+  s3_bucket: "ce-{{ _aws_profile }}-lambda-functions"
+  function_file: "" # template to pass in S3 bucket
+  runtime: "python3.12"
+  role: ""
+  tags: []