From 90aeb2c5638643dad10808e36ec9e4b691f38591 Mon Sep 17 00:00:00 2001 From: gregharvey Date: Wed, 22 Nov 2023 18:16:51 +0100 Subject: [PATCH 1/5] Improving AWS subnet docs. --- docs/roles/aws/aws_ec2_autoscale_cluster.md | 2 ++ docs/roles/aws/aws_rds.md | 1 + docs/roles/aws/aws_vpc_subnet.md | 1 + roles/aws/aws_ec2_autoscale_cluster/README.md | 2 ++ roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml | 2 ++ roles/aws/aws_rds/README.md | 1 + roles/aws/aws_rds/defaults/main.yml | 1 + roles/aws/aws_vpc_subnet/README.md | 1 + roles/aws/aws_vpc_subnet/defaults/main.yml | 1 + 9 files changed, 12 insertions(+) diff --git a/docs/roles/aws/aws_ec2_autoscale_cluster.md b/docs/roles/aws/aws_ec2_autoscale_cluster.md index 5e6909609..49f419391 100644 --- a/docs/roles/aws/aws_ec2_autoscale_cluster.md +++ b/docs/roles/aws/aws_ec2_autoscale_cluster.md @@ -36,6 +36,8 @@ aws_ec2_autoscale_cluster: vpc_id: vpc-XXXX # One of vpc_id or vpc_name is mandatory. # vpc_name: example-vpc subnets: + # If rds.rds.true is set and you are creating an RDS instance then you must use at least two AZs, this is hard requirement. + # This means your region and environment must also have a minimum of two subnets - see `aws_vpc_subnet` # - az: a # cidr: "10.0.3.0/26" - az: b diff --git a/docs/roles/aws/aws_rds.md b/docs/roles/aws/aws_rds.md index e89cd6e74..1e5287a15 100644 --- a/docs/roles/aws/aws_rds.md +++ b/docs/roles/aws/aws_rds.md @@ -19,6 +19,7 @@ aws_rds: aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" multi_az: true + # You must provide at least two subnets in two different AZs, even for single AZ deployments. subnets: - subnet-aaaaaaaa - subnet-bbbbbbbb diff --git a/docs/roles/aws/aws_vpc_subnet.md b/docs/roles/aws/aws_vpc_subnet.md index 5d97d303a..1b4ef012b 100644 --- a/docs/roles/aws/aws_vpc_subnet.md +++ b/docs/roles/aws/aws_vpc_subnet.md 
@@ -11,6 +11,7 @@ aws_vpc_subnet: # vpc_name: example-vpc aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" + # If you intend to have RDS instances you must provide at least two subnets. subnets: - cidr_block: "10.0.0.0/24" # ipv6_cidr_block: "1" # This will create something like xxxx:xxxx:xxxx:xxyy::/64 where yy is created using the ansible.utils.ipsubnet filter automatically - DO NOT DEFINE IF IPV6 IS NOT REQUIRED diff --git a/roles/aws/aws_ec2_autoscale_cluster/README.md b/roles/aws/aws_ec2_autoscale_cluster/README.md index 5e6909609..49f419391 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/README.md +++ b/roles/aws/aws_ec2_autoscale_cluster/README.md @@ -36,6 +36,8 @@ aws_ec2_autoscale_cluster: vpc_id: vpc-XXXX # One of vpc_id or vpc_name is mandatory. # vpc_name: example-vpc subnets: + # If rds.rds.true is set and you are creating an RDS instance then you must use at least two AZs, this is hard requirement. + # This means your region and environment must also have a minimum of two subnets - see `aws_vpc_subnet` # - az: a # cidr: "10.0.3.0/26" - az: b diff --git a/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml b/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml index 5bdd39aef..9af962f5c 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml +++ b/roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml @@ -17,6 +17,8 @@ aws_ec2_autoscale_cluster: vpc_id: vpc-XXXX # One of vpc_id or vpc_name is mandatory. # vpc_name: example-vpc subnets: + # If rds.rds.true is set and you are creating an RDS instance then you must use at least two AZs, this is hard requirement. + # This means your region and environment must also have a minimum of two subnets - see `aws_vpc_subnet` # - az: a # cidr: "10.0.3.0/26" - az: b diff --git a/roles/aws/aws_rds/README.md b/roles/aws/aws_rds/README.md index e89cd6e74..1e5287a15 100644 --- a/roles/aws/aws_rds/README.md +++ b/roles/aws/aws_rds/README.md 
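Review bot: The new comment under `subnets:` in roles/aws/aws_ec2_autoscale_cluster/defaults/main.yml refers to "rds.rds.true", which is not a key a reader can look up; the variable it means is not visible in this hunk, so the comment should name the actual key (or spell the condition out in words) and read "this is a hard requirement". The same wording is added in docs/roles/aws/aws_ec2_autoscale_cluster.md and roles/aws/aws_ec2_autoscale_cluster/README.md, so all three should be corrected together. A shorter form would be `# Creating an RDS instance requires at least two AZs (AWS hard requirement), so the region and environment need at least two subnets - see aws_vpc_subnet.`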
@@ -19,6 +19,7 @@ aws_rds: aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" multi_az: true + # You must provide at least two subnets in two different AZs, even for single AZ deployments. subnets: - subnet-aaaaaaaa - subnet-bbbbbbbb diff --git a/roles/aws/aws_rds/defaults/main.yml b/roles/aws/aws_rds/defaults/main.yml index 96b4d4914..faa3ee5bb 100644 --- a/roles/aws/aws_rds/defaults/main.yml +++ b/roles/aws/aws_rds/defaults/main.yml @@ -2,6 +2,7 @@ aws_rds: aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" multi_az: true + # You must provide at least two subnets in two different AZs, even for single AZ deployments. subnets: - subnet-aaaaaaaa - subnet-bbbbbbbb diff --git a/roles/aws/aws_vpc_subnet/README.md b/roles/aws/aws_vpc_subnet/README.md index 5d97d303a..1b4ef012b 100644 --- a/roles/aws/aws_vpc_subnet/README.md +++ b/roles/aws/aws_vpc_subnet/README.md @@ -11,6 +11,7 @@ aws_vpc_subnet: # vpc_name: example-vpc aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" + # If you intend to have RDS instances you must provide at least two subnets. subnets: - cidr_block: "10.0.0.0/24" # ipv6_cidr_block: "1" # This will create something like xxxx:xxxx:xxxx:xxyy::/64 where yy is created using the ansible.utils.ipsubnet filter automatically - DO NOT DEFINE IF IPV6 IS NOT REQUIRED diff --git a/roles/aws/aws_vpc_subnet/defaults/main.yml b/roles/aws/aws_vpc_subnet/defaults/main.yml index 1e29a7d01..e72b3ae64 100644 --- a/roles/aws/aws_vpc_subnet/defaults/main.yml +++ b/roles/aws/aws_vpc_subnet/defaults/main.yml @@ -3,6 +3,7 @@ aws_vpc_subnet: # vpc_name: example-vpc aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" + # If you intend to have RDS instances you must provide at least two subnets. subnets: - cidr_block: "10.0.0.0/24" # ipv6_cidr_block: "1" # This will create something like xxxx:xxxx:xxxx:xxyy::/64 where yy is created using the ansible.utils.ipsubnet filter automatically - DO NOT DEFINE IF IPV6 IS NOT REQUIRED 
From 7c31b40ef78d23c459b7c05ed01463edfe756255 Mon Sep 17 00:00:00 2001 From: gregharvey Date: Tue, 12 Dec 2023 18:34:14 +0100 Subject: [PATCH 2/5] Error in timers structure in the SSL role. --- roles/debian/nginx/defaults/main.yml | 1 + roles/debian/ssl/tasks/letsencrypt.yml | 3 +-- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/debian/nginx/defaults/main.yml b/roles/debian/nginx/defaults/main.yml index 61f2be571..64dbc76fa 100644 --- a/roles/debian/nginx/defaults/main.yml +++ b/roles/debian/nginx/defaults/main.yml @@ -57,6 +57,7 @@ nginx: # reload_command: restart # reload: # - nginx + # on_calendar: "Mon *-*-* 04:00:00" ratelimitingcrawlers: true is_default: true basic_auth: diff --git a/roles/debian/ssl/tasks/letsencrypt.yml b/roles/debian/ssl/tasks/letsencrypt.yml index 616040ae1..65ff333b4 100644 --- a/roles/debian/ssl/tasks/letsencrypt.yml +++ b/roles/debian/ssl/tasks/letsencrypt.yml @@ -87,6 +87,5 @@ ansible.builtin.include_role: name: contrib/systemd_timers vars: - timers: - certbot_renewal: "{{ _certbot_renewal_timer }}" + timers: "{{ _certbot_renewal_timer }}" when: ssl.autorenew From b75fe03127d42033ed1b4927f2f89ac78d4a78d4 Mon Sep 17 00:00:00 2001 From: gregharvey Date: Thu, 21 Dec 2023 16:00:54 +0100 Subject: [PATCH 3/5] Removing obsolete backports requirements. --- roles/debian/firewall_config/tasks/main.yml | 10 ------ roles/debian/ldap_server/tasks/main.yml | 11 ------- roles/debian/lhci/tasks/main.yml | 34 --------------------- 3 files changed, 55 deletions(-) diff --git a/roles/debian/firewall_config/tasks/main.yml b/roles/debian/firewall_config/tasks/main.yml index 66941b51a..cf770ab4e 100644 --- a/roles/debian/firewall_config/tasks/main.yml +++ b/roles/debian/firewall_config/tasks/main.yml 
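Review bot: After the change in roles/debian/ssl/tasks/letsencrypt.yml, `timers: "{{ _certbot_renewal_timer }}"` hands the whole `timers` mapping to contrib/systemd_timers, so `_certbot_renewal_timer`, which is set outside this hunk, must now be a mapping keyed by timer name rather than the single timer definition the removed `certbot_renewal:` line implied; if it has not been restructured in the same commit the include will receive the wrong shape. A comment above the line would make the contract explicit, e.g. `# _certbot_renewal_timer must be a complete timers mapping, i.e. { certbot_renewal: { ... } } - see where it is set above.` The include_role task itself begins outside the hunk.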
@@ -1,14 +1,4 @@ --- -# @TODO remove when https://redmine.codeenigma.net/issues/58246 can be done -- name: Install iptables with backports. # we have to do this in ce-dev or the contrib role will fail - ansible.builtin.apt: - pkg: ["iptables"] - state: present - default_release: buster-backports - when: - - is_local is defined - - is_local - - name: Shift general firewall settings to expected variables. ansible.builtin.set_fact: firewall_state: "{{ firewall_config.firewall_state }}" diff --git a/roles/debian/ldap_server/tasks/main.yml b/roles/debian/ldap_server/tasks/main.yml index 52fb1ccf4..9a773da58 100644 --- a/roles/debian/ldap_server/tasks/main.yml +++ b/roles/debian/ldap_server/tasks/main.yml @@ -14,21 +14,10 @@ purge: true when: ldap_server.slapd.purge -# @TODO remove when https://redmine.codeenigma.net/issues/58246 can be done -- name: Ensure LDAP and dependencies are installed from backports. - ansible.builtin.apt: - pkg: ["slapd", "ldapscripts", "libldap2-dev"] # python-ldap needs libldap2-dev - state: present - default_release: buster-backports - when: - - is_local is defined - - is_local - - name: Ensure LDAP and python-ldap and dependencies are installed. ansible.builtin.apt: pkg: ["slapd", "ldapscripts", "libldap2-dev"] state: present - when: is_local is not defined - name: Ensure additional dependencies for python-ldap are installed. ansible.builtin.apt: diff --git a/roles/debian/lhci/tasks/main.yml b/roles/debian/lhci/tasks/main.yml index c92447d4b..56c1fd9c9 100644 --- a/roles/debian/lhci/tasks/main.yml +++ b/roles/debian/lhci/tasks/main.yml 
@@ -10,26 +10,6 @@ state: present filename: google-chrome -# @TODO remove when https://redmine.codeenigma.net/issues/58246 can be done -- name: Install Google Chrome "headful" mode dependencies from backports. - ansible.builtin.apt: - name: - - xorg - - xvfb - - gtk2-engines-pixbuf - - dbus-x11 - - xfonts-base - - xfonts-100dpi - - xfonts-75dpi - - xfonts-cyrillic - - xfonts-scalable - default_release: buster-backports - state: present - when: - - is_local - - ansible_distribution == "Debian" - - ansible_distribution_major_version == "10" - - name: Install Google Chrome "headful" mode dependencies. ansible.builtin.apt: name: @@ -43,19 +23,6 @@ - xfonts-cyrillic - xfonts-scalable state: present - when: is_local is not defined - -# @TODO remove when https://redmine.codeenigma.net/issues/58246 can be done -- name: Install VNC support from backports. - ansible.builtin.apt: - name: x11vnc - default_release: buster-backports - state: present - when: - - lhci.enable_vnc - - is_local - - ansible_distribution == "Debian" - - ansible_distribution_major_version == "10" - name: Install VNC support. ansible.builtin.apt: @@ -63,7 +30,6 @@ state: present when: - lhci.enable_vnc - - is_local is not defined - name: Configure Xvfb to start on boot. ansible.builtin.shell: | From 5b27a8c0f0d7a9f8f1fd8437c96fafe33f98a692 Mon Sep 17 00:00:00 2001 From: gregharvey Date: Thu, 21 Dec 2023 16:46:16 +0100 Subject: [PATCH 4/5] Allow the billing role to access Sustainability information. --- roles/aws/aws_iam_saml/templates/access_billing_policy.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/aws/aws_iam_saml/templates/access_billing_policy.j2 b/roles/aws/aws_iam_saml/templates/access_billing_policy.j2 index cf20372f8..714056642 100644 --- a/roles/aws/aws_iam_saml/templates/access_billing_policy.j2 +++ b/roles/aws/aws_iam_saml/templates/access_billing_policy.j2 
@@ -9,7 +9,8 @@ "freetier:*", "ce:*", "cur:*", - "tax:*" + "tax:*", + "sustainability:*" ], "Effect": "Allow", "Resource": "*" From 9ca4148dddc42a0d5e102562902f2d017500b996 Mon Sep 17 00:00:00 2001 From: gregharvey Date: Thu, 21 Dec 2023 18:27:48 +0100 Subject: [PATCH 5/5] Missing comma in IAM billing policy. --- roles/aws/aws_iam_saml/templates/access_billing_policy.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_iam_saml/templates/access_billing_policy.j2 b/roles/aws/aws_iam_saml/templates/access_billing_policy.j2 index 714056642..b26f9e7c7 100644 --- a/roles/aws/aws_iam_saml/templates/access_billing_policy.j2 +++ b/roles/aws/aws_iam_saml/templates/access_billing_policy.j2 @@ -28,7 +28,7 @@ "tax:BatchPutTaxRegistration", "tax:DeleteTaxRegistration", "tax:PutTaxInheritance" - ] + ], "Effect": "Deny", "Resource": "*" }
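Review bot: The added `"sustainability:*"` sits in an Allow statement with `"Resource": "*"`, so it grants every current and future action in that service namespace to a billing role that, going by the commit message, only needs to read carbon footprint data; the documented read action `sustainability:GetCarbonFootprintSummary` would cover that without the wildcard. The neighbouring `ce:*`, `cur:*` and `tax:*` entries follow the same wildcard style, so this is consistent with the existing statement, but the Deny statement further down the file already lists explicit actions, and a single explicit Get here is the least-privilege form. The enclosing statement continues outside the hunk.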
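Review bot: The missing comma fixed at `],` shows that patch 4 on its own rendered a syntactically invalid policy document, and nothing visible in this file would have caught that before the IAM API rejected it. Since the template is JSON, the task that renders it (not visible here) could parse the result before use, e.g. `_billing_policy: "{{ lookup('ansible.builtin.template', 'access_billing_policy.j2') | from_json }}"`, so a slip like this fails at render time with a clear parse error; whether the consuming task already does something equivalent cannot be told from the hunk. The statement this belongs to begins outside the hunk.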