codeenigma · gregharvey · Nov 22, 2023 · Nov 22, 2023 · Nov 22, 2023
diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md
@@ -22,6 +22,7 @@
        - [AWS key pair.](/roles/aws/aws_provision_ec2_keypair)
        - [AWS RDS](/roles/aws/aws_rds)
        - [AWS S3 Bucket](/roles/aws/aws_s3_bucket)
+       - [AWS Security Groups](/roles/aws/aws_security_groups)
        - [AWS SNS](/roles/aws/aws_sns)
        - [VPC](/roles/aws/aws_vpc)
        - [Update main route for a given VPC](/roles/aws/aws_vpc_route)

diff --git a/docs/roles/aws/aws_ec2_autoscale_cluster.md b/docs/roles/aws/aws_ec2_autoscale_cluster.md
@@ -142,11 +142,12 @@ aws_ec2_autoscale_cluster:
   max_size: 8
   # Security groups for the instances cluster.
   # An internal one will be created automatically, use these vars to provide additional groups
-  cluster_security_groups: [] # used in launch template, must be SG IDs
-  alb_security_groups: [] # edge case, the module supports SG names or IDs
-  efs_security_groups: [] # must be SG names because the role uses the name to find the ID
-  rds_security_groups: [] # must be SG names because the role uses the name to find the ID
-  elasticache_security_groups: [] # must be SG IDs
+  # All security group lists should be a list of security group names, they will be automatically converted to IDs by the aws_security_groups as necessary
+  cluster_security_groups: []
+  alb_security_groups: []
+  efs_security_groups: []
+  rds_security_groups: []
+  elasticache_security_groups: []
   # ALB health checks - these are health check settings applied to the load balancer
   alb_health_check_type: ELB # Uses ALB health checks, set to EC2 to use default AWS instance status checks
   alb_health_check_period: 1200 # Length of time in seconds after a new EC2 instance comes into service that Auto Scaling starts checking its health

diff --git a/docs/roles/aws/aws_ec2_with_eip.md b/docs/roles/aws/aws_ec2_with_eip.md
@@ -31,7 +31,7 @@ aws_ec2_with_eip:
   root_volume_encrypted: "{{ aws_ami.encrypt_boot }}" # in most cases this should match encrypt_boot in the aws_ami role
   root_volume_delete_on_termination: true
   ebs_optimized: true
-  security_groups: []
+  security_groups: [] # list of security group names, converted to IDs by aws_security_groups role
   tags:
     Name: "{{ _domain_name }}"
   # Add an A record tied to the EIP.

diff --git a/docs/roles/aws/aws_efs.md b/docs/roles/aws/aws_efs.md
@@ -19,8 +19,7 @@ aws_efs:
   wait: true
   # Subnets names.
   subnets: []
-  # SG names - ID lookup is automatic. Note, the assumption is that all subnets have the same SGs.
-  security_groups: []
+  security_groups: [] # list of security group names, converted to IDs by aws_security_groups role
   # Whether to encrypt the volume or not.
   encrypt: false
   backup: "{{ _infra_name }}-{{ _env_type }}" # Name of the AWS Backup plan to use to backup the instance.

diff --git a/docs/roles/aws/aws_elasticache.md b/docs/roles/aws/aws_elasticache.md
@@ -22,7 +22,7 @@ aws_elasticache:
   elasticache_node_type: cache.t3.medium
   elasticache_nodes: 1
   elasticache_port: 11211
-  elasticache_security_groups: [] # list of security group IDs, @TODO - support names like the EFS role
+  elasticache_security_groups: [] # list of security group names, converted to IDs by aws_security_groups role
   #zone: eu-west-1a # AZ where the cluster will reside
 ```
 

diff --git a/docs/roles/aws/aws_opensearch.md b/docs/roles/aws/aws_opensearch.md
@@ -25,7 +25,7 @@ aws_opensearch:
   subnets:
     - "subnet-aaaaaaaa"
     - "subnet-bbbbbbbb"
-  security_groups: []
+  security_groups: [] # list of security group names, converted to IDs by aws_security_groups role
   automated_snapshot_start_hour: 3
   auto_tune: "DISABLED" # not supported when t3's are used
   # List of maintenance schedules to use if auto_tune is set to "ENABLED":

diff --git a/docs/roles/aws/aws_rds.md b/docs/roles/aws/aws_rds.md
@@ -42,8 +42,7 @@ aws_rds:
   master_username: hello # The name of the master user for the DB cluster. Must be 1-16 letters or numbers and begin with a letter.
   master_user_password: hellothere
   publicly_accessible: false # Wether to allocate an IP address
-  # SG names - ID lookup is automatic.
-  security_groups: []
+  security_groups: [] # list of security group names, converted to IDs by aws_security_groups role
   rds_cloudwatch_alarms: # name will have the RDS identifier prepended.
     - name: "example_free_storage_space_threshold_{{ _env_type }}_asg"
       description: "Average database free storage space over the last 10 minutes too low."

diff --git a/docs/roles/aws/aws_security_groups.md b/docs/roles/aws/aws_security_groups.md
@@ -0,0 +1,32 @@
+# AWS Security Groups
+This is a helper role for managing AWS security groups. Security groups are created in the [`aws_vpc`](https://github.com/codeenigma/ce-provision/tree/2.x/roles/aws/aws_vpc) role, however different roles and modules require different data when working with security groups. This role allows you to feed in a list of security group names and get back, in private variables, the following data for later use in other places:
+
+```yaml
+- name: Set up lists.
+    ansible.builtin.set_fact:
+      _aws_security_groups: [] # a list of all the security group data requested
+      _aws_security_group_ids: [] # a list of security group IDs
+      _aws_security_group_names: "{{ aws_security_groups.group_names }}" # a list of security group names (in a new var for consistency)
+      _aws_security_group_list: [] # a list in the requested format, either a list of names or a list of IDs, so allow for calling a consistent variable name
+```
+
+This role is used by other roles to provide a consistent experience for developers, you can always provide a list of security group names, no matter what the module being called within a role requires.
+
+<!--TOC-->
+<!--ENDTOC-->
+
+<!--ROLEVARS-->
+## Default variables
+```yaml
+---
+aws_security_groups:
+  aws_profile: "{{ _aws_profile }}"
+  region: "{{ _aws_region }}"
+  group_names:
+    - ssh_open
+    - web_open
+  return_type: ids # can be either 'names' or 'ids'
+
+```
+
+<!--ENDROLEVARS-->
diff --git a/docs/roles/debian/gitlab_runner.md b/docs/roles/debian/gitlab_runner.md
@@ -50,7 +50,7 @@ gitlab_runner:
     cluster: "my-cluster" # ECS cluster name
     region: "eu-west-1" # AWS region name
     subnet: "subnet-abcdef123456" # subnet ID
-    security_group: "sg-abcdef123456" # SG ID
+    security_group: "my-security-group" # SG name
     task_definition: "my-task:1" # task definition in format name:revision, if revision is not provided ECS will use latest
     public_ip: "false" # if your containers need a public IP assigning
     version: "1.4.0" # Fargate platform version

diff --git a/roles/aws/aws_ec2_autoscale_cluster/README.md b/roles/aws/aws_ec2_autoscale_cluster/README.md
@@ -142,11 +142,12 @@ aws_ec2_autoscale_cluster:
   max_size: 8
   # Security groups for the instances cluster.
   # An internal one will be created automatically, use these vars to provide additional groups
-  cluster_security_groups: [] # used in launch template, must be SG IDs
-  alb_security_groups: [] # edge case, the module supports SG names or IDs
-  efs_security_groups: [] # must be SG names because the role uses the name to find the ID
-  rds_security_groups: [] # must be SG names because the role uses the name to find the ID
-  elasticache_security_groups: [] # must be SG IDs
+  # All security group lists should be a list of security group names, they will be automatically converted to IDs by the aws_security_groups as necessary
+  cluster_security_groups: []
+  alb_security_groups: []
+  efs_security_groups: []
+  rds_security_groups: []
+  elasticache_security_groups: []
   # ALB health checks - these are health check settings applied to the load balancer
   alb_health_check_type: ELB # Uses ALB health checks, set to EC2 to use default AWS instance status checks
   alb_health_check_period: 1200 # Length of time in seconds after a new EC2 instance comes into service that Auto Scaling starts checking its health

diff --git a/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml b/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml
@@ -123,11 +123,12 @@ aws_ec2_autoscale_cluster:
   max_size: 8
   # Security groups for the instances cluster.
   # An internal one will be created automatically, use these vars to provide additional groups
-  cluster_security_groups: [] # used in launch template, must be SG IDs
-  alb_security_groups: [] # edge case, the module supports SG names or IDs
-  efs_security_groups: [] # must be SG names because the role uses the name to find the ID
-  rds_security_groups: [] # must be SG names because the role uses the name to find the ID
-  elasticache_security_groups: [] # must be SG IDs
+  # All security group lists should be a list of security group names, they will be automatically converted to IDs by the aws_security_groups as necessary
+  cluster_security_groups: []
+  alb_security_groups: []
+  efs_security_groups: []
+  rds_security_groups: []
+  elasticache_security_groups: []
   # ALB health checks - these are health check settings applied to the load balancer
   alb_health_check_type: ELB # Uses ALB health checks, set to EC2 to use default AWS instance status checks
   alb_health_check_period: 1200 # Length of time in seconds after a new EC2 instance comes into service that Auto Scaling starts checking its health

diff --git a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml
@@ -116,7 +116,7 @@
       elasticache_node_type: "{{ aws_ec2_autoscale_cluster.elasticache_node_type }}"
       elasticache_nodes: "{{ aws_ec2_autoscale_cluster.elasticache_nodes }}"
       elasticache_port: "{{ aws_ec2_autoscale_cluster.elasticache_port }}"
-      elasticache_security_groups: "{{ aws_ec2_autoscale_cluster.elasticache_security_groups + [_aws_ec2_autoscale_cluster_security_group.group_id] }}"
+      elasticache_security_groups: "{{ aws_ec2_autoscale_cluster.elasticache_security_groups + [_aws_ec2_autoscale_cluster_security_group.group_name] }}"
   when:
     - aws_ec2_autoscale_cluster.elasticache
 
@@ -376,6 +376,18 @@
     - aws_ec2_autoscale_cluster | length
     - aws_ec2_autoscale_cluster.create_elb
 
+- name: Generate security group information for the ALB.
+  ansible.builtin.include_role:
+    name: aws/aws_security_groups
+  vars:
+    profile: "{{ aws_ec2_autoscale_cluster.aws_profile }}"
+    region: "{{ aws_ec2_autoscale_cluster.region }}"
+    group_names: "{{ aws_ec2_autoscale_cluster.alb_security_groups }}"
+    return_type: ids
+  when:
+    - aws_ec2_autoscale_cluster.alb_security_groups | length > 0
+    - aws_ec2_autoscale_cluster.create_elb
+
 - name: Create the ALB.
   amazon.aws.elb_application_lb:
     name: "{{ aws_ec2_autoscale_cluster.name }}"
@@ -384,7 +396,7 @@
     state: "{{ aws_ec2_autoscale_cluster.state }}"
     tags: "{{ aws_ec2_autoscale_cluster.tags }}"
     subnets: "{{ _aws_ec2_autoscale_cluster_public_subnets_ids }}"
-    security_groups: "{{ aws_ec2_autoscale_cluster.alb_security_groups + [_aws_ec2_autoscale_cluster_security_group.group_id] }}"
+    security_groups: "{{ _aws_security_group_list + [_aws_ec2_autoscale_cluster_security_group.group_id] }}"
     listeners: "{{ _aws_ec2_autoscale_cluster_listeners }}"
     idle_timeout: "{{ aws_ec2_autoscale_cluster.alb_idle_timeout }}"
   register: _aws_ec2_autoscale_cluster_alb
@@ -410,6 +422,20 @@
   with_items: "{{ aws_ec2_autoscale_cluster.ssl_extra_certificate_ARNs }}"
 
 # EC2 - BUILD ASG
+- name: Generate security group information for the ASG.
+  ansible.builtin.include_role:
+    name: aws/aws_security_groups
+  vars:
+    profile: "{{ aws_ec2_autoscale_cluster.aws_profile }}"
+    region: "{{ aws_ec2_autoscale_cluster.region }}"
+    group_names: "{{ aws_ec2_autoscale_cluster.cluster_security_groups }}"
+    return_type: ids
+  when:
+    - aws_ec2_autoscale_cluster.cluster_security_groups | length > 0
+    - aws_ec2_autoscale_cluster.asg_refresh
+    - aws_ec2_autoscale_cluster.type == "ec2"
+    - aws_ec2_autoscale_cluster.deploy_cluster
+
 - name: Create launch template.
   community.aws.ec2_launch_template:
     profile: "{{ aws_ec2_autoscale_cluster.aws_profile }}"
@@ -427,7 +453,7 @@
         delete_on_termination: "{{ aws_ec2_autoscale_cluster.instance_nic_delete_on_termination }}"
         subnet_id: "{{ subnet_id }}" # picked randomly from _aws_ec2_autoscale_cluster_subnets_ids, see with_random_choice
         device_index: 0 # must be 0 - see https://docs.aws.amazon.com/autoscaling/ec2/userguide/create-launch-template.html#change-network-interface
-        groups: "{{ aws_ec2_autoscale_cluster.cluster_security_groups + [_aws_ec2_autoscale_cluster_security_group.group_id] }}"
+        groups: "{{ _aws_security_group_list + [_aws_ec2_autoscale_cluster_security_group.group_id] }}"
     block_device_mappings:
       - ebs:
           delete_on_termination: "{{ aws_ec2_autoscale_cluster.root_volume_delete_on_termination }}"

diff --git a/roles/aws/aws_ec2_with_eip/README.md b/roles/aws/aws_ec2_with_eip/README.md
@@ -31,7 +31,7 @@ aws_ec2_with_eip:
   root_volume_encrypted: "{{ aws_ami.encrypt_boot }}" # in most cases this should match encrypt_boot in the aws_ami role
   root_volume_delete_on_termination: true
   ebs_optimized: true
-  security_groups: []
+  security_groups: [] # list of security group names, converted to IDs by aws_security_groups role
   tags:
     Name: "{{ _domain_name }}"
   # Add an A record tied to the EIP.

diff --git a/roles/aws/aws_ec2_with_eip/defaults/main.yml b/roles/aws/aws_ec2_with_eip/defaults/main.yml
@@ -21,7 +21,7 @@ aws_ec2_with_eip:
   root_volume_encrypted: "{{ aws_ami.encrypt_boot }}" # in most cases this should match encrypt_boot in the aws_ami role
   root_volume_delete_on_termination: true
   ebs_optimized: true
-  security_groups: []
+  security_groups: [] # list of security group names, converted to IDs by aws_security_groups role
   tags:
     Name: "{{ _domain_name }}"
   # Add an A record tied to the EIP.

diff --git a/roles/aws/aws_ec2_with_eip/tasks/main.yml b/roles/aws/aws_ec2_with_eip/tasks/main.yml
@@ -90,6 +90,17 @@
     dest: "{{ _ce_provision_data_dir + '/' + _aws_resource_name + '/ec2-subnet-id' }}"
     force: true
 
+# Convert security group names to IDs for consistency.
+- name: Generate security group information.
+  ansible.builtin.include_role:
+    name: aws/aws_security_groups
+  vars:
+    profile: "{{ aws_ec2_with_eip.aws_profile }}"
+    region: "{{ aws_ec2_with_eip.region }}"
+    group_names: "{{ aws_ec2_with_eip.security_groups }}"
+    return_type: ids
+  when: aws_ec2_with_eip.security_groups | length > 0
+
 # Do not create an instance if _aws_hostname is not an EC2 generated address unless `force: true`
 - name: Create new EC2 instance.
   amazon.aws.ec2_instance:
@@ -105,7 +116,7 @@
     vpc_subnet_id: "{{ _aws_ec2_with_eip_vpc_subnet_id }}"
     name: "{{ aws_ec2_with_eip.instance_name }}"
     tags: "{{ aws_ec2_with_eip.tags }}"
-    security_groups: "{{ aws_ec2_with_eip.security_groups }}"
+    security_groups: "{{ _aws_security_group_list }}" # variable populated by the aws_security_groups role
     ebs_optimized: "{{ aws_ec2_with_eip.ebs_optimized }}"
     volumes:
       - device_name: /dev/xvda
@@ -131,7 +142,7 @@
     vpc_subnet_id: "{{ _aws_ec2_with_eip_vpc_subnet_id }}"
     name: "{{ aws_ec2_with_eip.instance_name }}"
     tags: "{{ aws_ec2_with_eip.tags }}"
-    security_groups: "{{ aws_ec2_with_eip.security_groups }}"
+    security_groups: "{{ _aws_security_group_list }}" # variable populated by the aws_security_groups role
     ebs_optimized: "{{ aws_ec2_with_eip.ebs_optimized }}"
     volumes:
       - device_name: /dev/xvda

diff --git a/roles/aws/aws_efs/README.md b/roles/aws/aws_efs/README.md
@@ -19,8 +19,7 @@ aws_efs:
   wait: true
   # Subnets names.
   subnets: []
-  # SG names - ID lookup is automatic. Note, the assumption is that all subnets have the same SGs.
-  security_groups: []
+  security_groups: [] # list of security group names, converted to IDs by aws_security_groups role
   # Whether to encrypt the volume or not.
   encrypt: false
   backup: "{{ _infra_name }}-{{ _env_type }}" # Name of the AWS Backup plan to use to backup the instance.

diff --git a/roles/aws/aws_efs/defaults/main.yml b/roles/aws/aws_efs/defaults/main.yml
@@ -9,8 +9,7 @@ aws_efs:
   wait: true
   # Subnets names.
   subnets: []
-  # SG names - ID lookup is automatic. Note, the assumption is that all subnets have the same SGs.
-  security_groups: []
+  security_groups: [] # list of security group names, converted to IDs by aws_security_groups role
   # Whether to encrypt the volume or not.
   encrypt: false
   backup: "{{ _infra_name }}-{{ _env_type }}" # Name of the AWS Backup plan to use to backup the instance.
diff --git a/roles/aws/aws_efs/tasks/main.yml b/roles/aws/aws_efs/tasks/main.yml
@@ -1,6 +1,13 @@
-- name: Reset security groups info
-  ansible.builtin.set_fact:
-    _aws_efs_security_group_ids: []
+---
+- name: Generate security group information.
+  ansible.builtin.include_role:
+    name: aws/aws_security_groups
+  vars:
+    profile: "{{ aws_efs.aws_profile }}"
+    region: "{{ aws_efs.region }}"
+    group_names: "{{ aws_efs.security_groups }}"
+    return_type: ids
+  when: aws_efs.security_groups | length > 0
 
 - name: Reset subnet ids info
   ansible.builtin.set_fact:
@@ -10,12 +17,6 @@
   ansible.builtin.set_fact:
     _aws_efs_targets: {}
 
-- name: Gather security groups info.
-  ansible.builtin.include_tasks: security_group.yml
-  with_items: "{{ aws_efs.security_groups }}"
-  loop_control:
-    loop_var: security_group
-
 - name: Gather subnets info.
   ansible.builtin.include_tasks: subnet.yml
   with_items: "{{ aws_efs.subnets }}"

diff --git a/roles/aws/aws_efs/tasks/security_group.yml b/roles/aws/aws_efs/tasks/security_group.yml
diff --git a/roles/aws/aws_efs/tasks/subnet.yml b/roles/aws/aws_efs/tasks/subnet.yml
@@ -1,3 +1,4 @@
+---
 - name: Gather subnet information
   amazon.aws.ec2_vpc_subnet_info:
     profile: "{{ aws_efs.aws_profile }}"

diff --git a/roles/aws/aws_efs/tasks/target.yml b/roles/aws/aws_efs/tasks/target.yml
@@ -1,3 +1,5 @@
+---
+# _aws_security_group_list variable populated by the aws_security_groups role.
 - name: Add subnet to the list of EFS targets.
   ansible.builtin.set_fact:
-    _aws_efs_targets: "{{ _aws_efs_targets | combine({target: {'subnet_id': target, 'security_groups': _aws_efs_security_group_ids }}) }}"
+    _aws_efs_targets: "{{ _aws_efs_targets | combine({target: {'subnet_id': target, 'security_groups': _aws_security_group_list }}) }}"
diff --git a/roles/aws/aws_elasticache/README.md b/roles/aws/aws_elasticache/README.md
@@ -22,7 +22,7 @@ aws_elasticache:
   elasticache_node_type: cache.t3.medium
   elasticache_nodes: 1
   elasticache_port: 11211
-  elasticache_security_groups: [] # list of security group IDs, @TODO - support names like the EFS role
+  elasticache_security_groups: [] # list of security group names, converted to IDs by aws_security_groups role
   #zone: eu-west-1a # AZ where the cluster will reside
 ```
 

diff --git a/roles/aws/aws_elasticache/defaults/main.yml b/roles/aws/aws_elasticache/defaults/main.yml
@@ -14,5 +14,5 @@ aws_elasticache:
   elasticache_node_type: cache.t3.medium
   elasticache_nodes: 1
   elasticache_port: 11211
-  elasticache_security_groups: [] # list of security group IDs, @TODO - support names like the EFS role
+  elasticache_security_groups: [] # list of security group names, converted to IDs by aws_security_groups role
   #zone: eu-west-1a # AZ where the cluster will reside
diff --git a/roles/aws/aws_elasticache/tasks/main.yml b/roles/aws/aws_elasticache/tasks/main.yml
@@ -1,4 +1,14 @@
 ---
+- name: Generate security group information.
+  ansible.builtin.include_role:
+    name: aws/aws_security_groups
+  vars:
+    profile: "{{ aws_elasticache.aws_profile }}"
+    region: "{{ aws_elasticache.region }}"
+    group_names: "{{ aws_elasticache.elasticache_security_groups }}"
+    return_type: ids
+  when: aws_elasticache.elasticache_security_groups | length > 0
+
 - name: Create ElastiCache subnet group.
   community.aws.elasticache_subnet_group:
     name: "{{ aws_elasticache.name }}"
@@ -24,7 +34,7 @@
     node_type: "{{ aws_elasticache.elasticache_node_type }}"
     num_nodes: "{{ aws_elasticache.elasticache_nodes }}"
     cache_port: "{{ aws_elasticache.elasticache_port }}"
-    security_group_ids: "{{ aws_elasticache.elasticache_security_groups }}"
+    security_group_ids: "{{ _aws_security_group_list }}" # variable populated by the aws_security_groups role
     zone: "{{ aws_elasticache.zone | default(omit) }}"
 
 # @TODO grab the endpoint data for the memcached client role
diff --git a/roles/aws/aws_elb/defaults/main.yml b/roles/aws/aws_elb/defaults/main.yml
@@ -23,7 +23,7 @@ aws_elb:
     zone: "example.com"
     record: "*.{{ _domain_name }}"
     aws_profile: "{{ _aws_profile }}" # Not necessarily the same as the "target" one.
-  elb_security_groups: []
+  elb_security_groups: [] # list of security group names, converted to IDs by aws_security_groups role
   target_groups: # list of target groups
     - name: example-target-group
       protocol: http