Bug fixes 2.x pr 2.x

docs/roles/debian/ansible.md

@@ -11,9 +11,10 @@ Note, it is vitally important that Ansible is *not* installed via `apt` or `pip`
 ```yaml
 ---
 ce_ansible:
-  # These are usually set within another role using _venv_path and _venv_command but can be overridden.
+  # These are usually set within another role using _venv_path, _venv_command and _install_username but can be overridden.
   #venv_path: "/home/{{ ce_provision.username }}/ansible"
   #venv_command: /usr/bin/python3.11 -m venv
+  #install_username: deploy # user to become when creating venv
   upgrade:
     enabled: true # create systemd timer to auto-upgrade Ansible
     command: "{{ _venv_path }}/bin/python3 -m pip install --upgrade ansible" # if you set venv_path above then set it here too

docs/roles/debian/ce_deploy.md

@@ -14,6 +14,7 @@ ce_deploy:
   # Location of Ansible installation and components.
   venv_path: "/home/{{ _ce_deploy.username }}/ansible"
   venv_command: /usr/bin/python3 -m venv
+  install_username: "{{ _ce_deploy.username }}"
   # Other ce-deploy settings.
   new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user
   key_name: id_rsa.pub # existing users may have a key of a different name

docs/roles/debian/ce_provision.md

@@ -15,6 +15,7 @@ ce_provision:
   # Location of Ansible installation and components.
   venv_path: "/home/{{ _ce_provision.username }}/ansible"
   venv_command: /usr/bin/python3 -m venv
+  install_username: "{{ _ce_provision.username }}"
   # Other ce-provision settings.
   username: "{{ _ce_provision.username }}"
   new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user

docs/roles/debian/gitlab_runner.md

@@ -48,6 +48,7 @@ gitlab_runner:
   # see https://gitlab.com/gitlab-org/ci-cd/custom-executor-drivers/fargate/-/tree/master/docs
   fargate:
     cluster: "my-cluster" # ECS cluster name
+    profile: "{{ _aws_profile }}"
     region: "eu-west-1" # AWS region name
     subnet: "subnet-abcdef123456" # subnet ID
     security_group: "my-security-group" # SG name

roles/debian/ansible/README.md

@@ -11,9 +11,10 @@ Note, it is vitally important that Ansible is *not* installed via `apt` or `pip`
 ```yaml
 ---
 ce_ansible:
-  # These are usually set within another role using _venv_path and _venv_command but can be overridden.
+  # These are usually set within another role using _venv_path, _venv_command and _install_username but can be overridden.
   #venv_path: "/home/{{ ce_provision.username }}/ansible"
   #venv_command: /usr/bin/python3.11 -m venv
+  #install_username: deploy # user to become when creating venv
   upgrade:
     enabled: true # create systemd timer to auto-upgrade Ansible
     command: "{{ _venv_path }}/bin/python3 -m pip install --upgrade ansible" # if you set venv_path above then set it here too

roles/debian/ansible/defaults/main.yml

@@ -1,8 +1,9 @@
 ---
 ce_ansible:
-  # These are usually set within another role using _venv_path and _venv_command but can be overridden.
+  # These are usually set within another role using _venv_path, _venv_command and _install_username but can be overridden.
   #venv_path: "/home/{{ ce_provision.username }}/ansible"
   #venv_command: /usr/bin/python3.11 -m venv
+  #install_username: deploy # user to become when creating venv
   upgrade:
     enabled: true # create systemd timer to auto-upgrade Ansible
     command: "{{ _venv_path }}/bin/python3 -m pip install --upgrade ansible" # if you set venv_path above then set it here too

roles/debian/ansible/tasks/main.yml

@@ -10,6 +10,7 @@
     state: absent
     executable: pip3
   when: ansible_distribution_major_version | int < 12
+  failed_when: false # don't stop the build if there's no system pip
 
 - name: Set up Python packages.
   ansible.builtin.include_role:
@@ -23,7 +24,7 @@
     virtualenv: "{{ ce_ansible.venv_path | default(_venv_path) }}"
     virtualenv_command: "{{ ce_ansible.venv_command | default(_venv_command) }}"
   become: true
-  become_user: "{{ ce_provision.username }}"
+  become_user: "{{ ce_ansible.install_username | default(_install_username) }}"
 
 - name: Install Ansible.
   ansible.builtin.pip:
@@ -32,7 +33,7 @@
     virtualenv: "{{ ce_ansible.venv_path | default(_venv_path) }}"
     virtualenv_command: "{{ ce_ansible.venv_command | default(_venv_command) }}"
   become: true
-  become_user: "{{ ce_provision.username }}"
+  become_user: "{{ ce_ansible.install_username | default(_install_username) }}"
 
 - name: Install linters.
   ansible.builtin.pip:
@@ -43,7 +44,7 @@
     virtualenv_command: "{{ ce_ansible.venv_command | default(_venv_command) }}"
   when: ce_ansible.linters.enabled
   become: true
-  become_user: "{{ ce_provision.username }}"
+  become_user: "{{ ce_ansible.install_username | default(_install_username) }}"
 
 - name: Add the venv to $PATH using profile.d.
   ansible.builtin.copy:

roles/debian/ce_deploy/README.md

@@ -14,6 +14,7 @@ ce_deploy:
   # Location of Ansible installation and components.
   venv_path: "/home/{{ _ce_deploy.username }}/ansible"
   venv_command: /usr/bin/python3 -m venv
+  install_username: "{{ _ce_deploy.username }}"
   # Other ce-deploy settings.
   new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user
   key_name: id_rsa.pub # existing users may have a key of a different name

roles/debian/ce_deploy/defaults/main.yml

@@ -6,6 +6,7 @@ ce_deploy:
   # Location of Ansible installation and components.
   venv_path: "/home/{{ _ce_deploy.username }}/ansible"
   venv_command: /usr/bin/python3 -m venv
+  install_username: "{{ _ce_deploy.username }}"
   # Other ce-deploy settings.
   new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user
   key_name: id_rsa.pub # existing users may have a key of a different name

roles/debian/ce_deploy/tasks/main.yml

@@ -132,6 +132,7 @@
   ansible.builtin.set_fact:
     _venv_path: "{{ ce_deploy.venv_path }}"
     _venv_command: "{{ ce_deploy.venv_command }}"
+    _install_username: "{{ ce_deploy.install_username }}"
 
 - name: Install Ansible.
   ansible.builtin.include_role:

roles/debian/ce_provision/README.md

@@ -15,6 +15,7 @@ ce_provision:
   # Location of Ansible installation and components.
   venv_path: "/home/{{ _ce_provision.username }}/ansible"
   venv_command: /usr/bin/python3 -m venv
+  install_username: "{{ _ce_provision.username }}"
   # Other ce-provision settings.
   username: "{{ _ce_provision.username }}"
   new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user

roles/debian/ce_provision/defaults/main.yml

@@ -7,6 +7,7 @@ ce_provision:
   # Location of Ansible installation and components.
   venv_path: "/home/{{ _ce_provision.username }}/ansible"
   venv_command: /usr/bin/python3 -m venv
+  install_username: "{{ _ce_provision.username }}"
   # Other ce-provision settings.
   username: "{{ _ce_provision.username }}"
   new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user

roles/debian/ce_provision/tasks/main.yml

@@ -140,6 +140,7 @@
   ansible.builtin.set_fact:
     _venv_path: "{{ ce_provision.venv_path }}"
     _venv_command: "{{ ce_provision.venv_command }}"
+    _install_username: "{{ ce_provision.install_username }}"
 
 - name: Install Ansible.
   ansible.builtin.include_role:

roles/debian/gitlab_runner/README.md

@@ -48,6 +48,7 @@ gitlab_runner:
   # see https://gitlab.com/gitlab-org/ci-cd/custom-executor-drivers/fargate/-/tree/master/docs
   fargate:
     cluster: "my-cluster" # ECS cluster name
+    profile: "{{ _aws_profile }}"
     region: "eu-west-1" # AWS region name
     subnet: "subnet-abcdef123456" # subnet ID
     security_group: "my-security-group" # SG name

roles/debian/gitlab_runner/defaults/main.yml

@@ -36,6 +36,7 @@ gitlab_runner:
   # see https://gitlab.com/gitlab-org/ci-cd/custom-executor-drivers/fargate/-/tree/master/docs
   fargate:
     cluster: "my-cluster" # ECS cluster name
+    profile: "{{ _aws_profile }}"
     region: "eu-west-1" # AWS region name
     subnet: "subnet-abcdef123456" # subnet ID
     security_group: "my-security-group" # SG name

roles/debian/gitlab_runner/tasks/main.yml

@@ -35,21 +35,19 @@
 # gitlab-runner register --url https://gitlab.com/ --registration-token TOKEN_HERE --name fargate-test-runner --run-untagged --executor custom -n
 # This will automatically update /etc/gitlab-runner/config.toml
 
-# @TODO this needs rethinking, we cannot delegate include_role!
-# Replace security_group in template with _aws_security_group_list[0] when resolved
-
 # Populates the _aws_security_group_list variable used in fargate.toml.j2
-#- name: Generate security group information.
-#  ansible.builtin.include_role:
-#    name: aws/aws_security_groups
-#  vars:
-#    profile: "{{ gitlab_runner.fargate.region }}"
-#    region: "{{ gitlab_runner.fargate.region }}"
-#    group_names:
-#      - "{{ gitlab_runner.fargate.security_group }}"
-#    return_type: ids
-#  when: gitlab_runner.install_fargate
-#  delegate_to: localhost
+- name: Generate security group information.
+  ansible.builtin.include_role:
+    name: aws/aws_security_groups
+    apply:
+      delegate_to: localhost # this is how you delegate the include_role module
+  vars:
+    profile: "{{ gitlab_runner.fargate.profile }}"
+    region: "{{ gitlab_runner.fargate.region }}"
+    group_names:
+      - "{{ gitlab_runner.fargate.security_group }}"
+    return_type: ids
+  when: gitlab_runner.install_fargate
 
 - name: Create the Fargate driver directory if it does not exist.
   ansible.builtin.file:

roles/debian/gitlab_runner/templates/fargate.toml.j2

@@ -5,7 +5,7 @@ LogFormat = "text"
   Cluster = "{{ gitlab_runner.fargate.cluster }}"
   Region = "{{ gitlab_runner.fargate.region }}"
   Subnet = "{{ gitlab_runner.fargate.subnet }}"
-  SecurityGroup = "{{ gitlab_runner.fargate.security_group }}"
+  SecurityGroup = "{{ _aws_security_group_list[0] }}"
   TaskDefinition = "{{ gitlab_runner.fargate.task_definition }}"
   EnablePublicIP = {{ gitlab_runner.fargate.public_ip }}
   PlatformVersion = "{{ gitlab_runner.fargate.version }}"