From 6c9c9c268b974d58424e6f3b9b4be57f3a68c6d5 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Tue, 4 Mar 2025 15:09:49 +0100 Subject: [PATCH 01/47] n10-Creating-new-role-for-administration --- .../vars/provision/galaxy-requirements.yml | 4 +-- roles/aws/aws_admin_tools/tasks/main.yml | 10 ++++++ roles/aws/aws_admin_tools/templates/swag.yml | 33 +++++++++++++++++++ 3 files changed, 45 insertions(+), 2 deletions(-) create mode 100644 roles/aws/aws_admin_tools/tasks/main.yml create mode 100644 roles/aws/aws_admin_tools/templates/swag.yml diff --git a/ce-dev/ansible/vars/provision/galaxy-requirements.yml b/ce-dev/ansible/vars/provision/galaxy-requirements.yml index 94dcc9df5..8c33b95ff 100644 --- a/ce-dev/ansible/vars/provision/galaxy-requirements.yml +++ b/ce-dev/ansible/vars/provision/galaxy-requirements.yml @@ -2,8 +2,8 @@ roles: - name: geerlingguy.solr - name: geerlingguy.java - - name: cloudalchemy.process_exporter - - name: cloudalchemy.grafana + - name: prometheus.prometheus.process_exporter + - name: grafana.grafana.grafana collections: - name: community.grafana - name: prometheus.prometheus diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml new file mode 100644 index 000000000..8eb52bfd4 --- /dev/null +++ b/roles/aws/aws_admin_tools/tasks/main.yml @@ -0,0 +1,10 @@ +- name: Setup AWS API Gateway setup on AWS and deploy API definition + community.aws.api_gateway: + name: "{{ _aws_profile }}_AdminAPI" + region: "{{ _aws_region }}" + swagger_file: "swag.yml" + stage: prod + tracing_enabled: true + endpoint_type: REGIONAL + state: present + diff --git a/roles/aws/aws_admin_tools/templates/swag.yml b/roles/aws/aws_admin_tools/templates/swag.yml new file mode 100644 index 000000000..f564a954c --- /dev/null +++ b/roles/aws/aws_admin_tools/templates/swag.yml 
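Review bot: The two replacement entries in galaxy-requirements.yml (`prometheus.prometheus.process_exporter`, `grafana.grafana.grafana`) are collection-qualified role names placed under `roles:`, where ansible-galaxy expects two-part `namespace.role` names, so the install step will most likely fail to resolve them; the roles ship inside collections, and `prometheus.prometheus` is already under `collections:` while `grafana.grafana` is not. Reference them by FQCN from the playbooks, add `- name: grafana.grafana` under `collections:`, and drop the two `roles:` entries. Independently of that, none of the entries carries a `version:`, so every provision pulls whatever Galaxy serves that day — pin each role and collection (`version: "x.y.z"`) to keep the dependency set reproducible and reviewable.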
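Review bot: The new `community.aws.api_gateway` task deploys straight to a stage named `prod`, but nothing in this role grants API Gateway permission to invoke the Lambda the Swagger integration points at; an `aws`-type Lambda integration needs a resource-based policy on the function (for example `community.aws.lambda_policy` with `principal: apigateway.amazonaws.com` and a `source_arn` scoped to this API's `execute-api` ARN), otherwise the stage returns integration errors. If that permission is managed by another role, a short comment above the task saying where would save the next reader the search. Consider also making the stage name a role variable rather than the literal `prod`, so the same role can be exercised against a test stage first.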
@@ -0,0 +1,33 @@ +--- +swagger: "2.0" +info: + #version: "2025-03-03T11:47:22Z" + title: "dummy_admin_tools" +#host: "8p1tbwdddi.execute-api.us-east-1.amazonaws.com" +basePath: "/" +schemes: +- "https" +paths: + /GetMonthForecast: + get: + produces: + - "application/json" + responses: + "200": + description: "200 response" + schema: + $ref: "#/definitions/Empty" + x-amazon-apigateway-integration: + type: "aws" + httpMethod: "POST" + uri: "arn:aws:apigateway:eu-west-1:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-1:444471199298:function:getBilling/invocations" + responses: + default: + statusCode: "200" + passthroughBehavior: "when_no_match" + timeoutInMillis: 29000 + contentHandling: "CONVERT_TO_TEXT" +definitions: + Empty: + type: "object" + title: "Empty Schema" From 2450389edd2bd7d0ee50ad3dc0bf437503e7e8bd Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Tue, 4 Mar 2025 15:11:53 +0100 Subject: [PATCH 02/47] Adding-role-in-meta-tasks --- roles/_meta/aws_region/meta/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/_meta/aws_region/meta/main.yml b/roles/_meta/aws_region/meta/main.yml index 935fc8939..a11491c0e 100644 --- a/roles/_meta/aws_region/meta/main.yml +++ b/roles/_meta/aws_region/meta/main.yml @@ -8,3 +8,4 @@ dependencies: - role: aws/aws_cloudwatch_log_group - role: aws/aws_backup - role: aws/aws_backup_sns + - role: aws/aws_admin_tools From d5617c657fde44f1a5c6b55fec23f089ab2d32a5 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Tue, 4 Mar 2025 15:26:32 +0100 Subject: [PATCH 03/47] Moving-swag-file --- .../aws_admin_tools/{templates/swag.yml => files/swag.yml.j2} | 0 roles/aws/aws_admin_tools/tasks/main.yml | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename roles/aws/aws_admin_tools/{templates/swag.yml => files/swag.yml.j2} (100%) 
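Review bot: The `/GetMonthForecast` GET operation declares no `security` requirement and no authorizer, so once the stage is deployed this "admin" API is callable by anyone who learns the invoke URL and returns billing data from the integrated Lambda. Add at least a SigV4 requirement (`security:` / `- sigv4: []` on the operation plus a `securityDefinitions` entry with `x-amazon-apigateway-authtype: awsSigv4`), or a Cognito/Lambda authorizer, before anything is published to `prod`. The integration `uri` also hard-codes region `eu-west-1` and account `444471199298` while the task templates `region: "{{ _aws_region }}"`, so a deployment to any other region or account points at the wrong function; build the ARN from `{{ _aws_region }}` and an account id looked up at run time (e.g. `amazon.aws.aws_caller_info`). The commented-out `#host:` line still carries what looks like a real API id and should be deleted rather than kept as a comment.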
diff --git a/roles/aws/aws_admin_tools/templates/swag.yml b/roles/aws/aws_admin_tools/files/swag.yml.j2 similarity index 100% rename from roles/aws/aws_admin_tools/templates/swag.yml rename to roles/aws/aws_admin_tools/files/swag.yml.j2 diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index 8eb52bfd4..2b04ab0fe 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml @@ -2,7 +2,7 @@ community.aws.api_gateway: name: "{{ _aws_profile }}_AdminAPI" region: "{{ _aws_region }}" - swagger_file: "swag.yml" + swagger_file: "{{ lookup('template', 'swag.yml.j2') }}" stage: prod tracing_enabled: true endpoint_type: REGIONAL From 19f2cb950d71b863d0c344be525894acffa06fef Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Tue, 4 Mar 2025 15:35:21 +0100 Subject: [PATCH 04/47] Moving-swag-file-2 --- roles/aws/aws_admin_tools/{files => templates}/swag.yml.j2 | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename roles/aws/aws_admin_tools/{files => templates}/swag.yml.j2 (100%) diff --git a/roles/aws/aws_admin_tools/files/swag.yml.j2 b/roles/aws/aws_admin_tools/templates/swag.yml.j2 similarity index 100% rename from roles/aws/aws_admin_tools/files/swag.yml.j2 rename to roles/aws/aws_admin_tools/templates/swag.yml.j2 From d6e41d36f6477e8fae355059da21f7c0f386a4d1 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Tue, 4 Mar 2025 15:48:26 +0100 Subject: [PATCH 05/47] Changing-from-swagger-file-to-text --- roles/aws/aws_admin_tools/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index 2b04ab0fe..e02908a1a 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml 
@@ -2,7 +2,7 @@ community.aws.api_gateway: name: "{{ _aws_profile }}_AdminAPI" region: "{{ _aws_region }}" - swagger_file: "{{ lookup('template', 'swag.yml.j2') }}" + swagger_text: "{{ lookup('template', 'swag.yml.j2') }}" stage: prod tracing_enabled: true endpoint_type: REGIONAL From 8b0f6810c4e19e152605e09ad71f74bb543133a3 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Tue, 4 Mar 2025 16:20:23 +0100 Subject: [PATCH 06/47] Adding-API-lookup-prior-to-creation --- roles/aws/aws_admin_tools/tasks/main.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index e02908a1a..d9694e219 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml @@ -1,3 +1,15 @@ +- name: List all for a specific function + community.aws.api_gateway_info: + register: _api_gateways + +- name: Find the index of all firewalls using the type key + ansible.builtin.set_fact: + _admin_api_gateway: "{{ lookup('ansible.utils.index_of', _api_gateway['rest_apis'], 'eq', _aws_profile'_AdminAPI', 'name') }}" + +- name: Find the index of all firewalls, use in a loop + ansible.builtin.debug: + msg: "{{ _admin_api_gateway }}" + - name: Setup AWS API Gateway setup on AWS and deploy API definition community.aws.api_gateway: name: "{{ _aws_profile }}_AdminAPI" From 6318134f17f91b7152d362454a21d66485137914 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Tue, 4 Mar 2025 16:48:21 +0100 Subject: [PATCH 07/47] Adding-API-lookup-prior-to-creation-2 --- roles/aws/aws_admin_tools/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index d9694e219..c680dc740 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml 
@@ -1,5 +1,6 @@ - name: List all for a specific function community.aws.api_gateway_info: + region: "{{ _aws_region }}" register: _api_gateways - name: Find the index of all firewalls using the type key From 642557d57d9e76154980738639c6b38701c37397 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Tue, 4 Mar 2025 17:15:52 +0100 Subject: [PATCH 08/47] Adding-API-lookup-prior-to-creation-3 --- roles/aws/aws_admin_tools/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index c680dc740..87746c9b2 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml @@ -5,7 +5,7 @@ - name: Find the index of all firewalls using the type key ansible.builtin.set_fact: - _admin_api_gateway: "{{ lookup('ansible.utils.index_of', _api_gateway['rest_apis'], 'eq', _aws_profile'_AdminAPI', 'name') }}" + _admin_api_gateway: "{{ lookup('ansible.utils.index_of', _api_gateway['rest_apis'], 'eq', _aws_profile + '_AdminAPI', 'name') }}" - name: Find the index of all firewalls, use in a loop ansible.builtin.debug: From 7fbec9718ecb41d8d9ef3632197e793e57591d47 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Tue, 4 Mar 2025 17:21:28 +0100 Subject: [PATCH 09/47] Adding-API-lookup-prior-to-creation-4 --- roles/aws/aws_admin_tools/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index 87746c9b2..d2578307e 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml 
@@ -5,7 +5,7 @@ - name: Find the index of all firewalls using the type key ansible.builtin.set_fact: - _admin_api_gateway: "{{ lookup('ansible.utils.index_of', _api_gateway['rest_apis'], 'eq', _aws_profile + '_AdminAPI', 'name') }}" + _admin_api_gateway: "{{ lookup('ansible.utils.index_of', s['rest_apis'], 'eq', _aws_profile + '_AdminAPI', 'name') }}" - name: Find the index of all firewalls, use in a loop ansible.builtin.debug: From 8fa230a97589a9e76972b497d17620c6d7f41370 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Tue, 4 Mar 2025 17:27:08 +0100 Subject: [PATCH 10/47] Adding-API-lookup-prior-to-creation-5 --- roles/aws/aws_admin_tools/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index d2578307e..564f037dd 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml @@ -5,7 +5,7 @@ - name: Find the index of all firewalls using the type key ansible.builtin.set_fact: - _admin_api_gateway: "{{ lookup('ansible.utils.index_of', s['rest_apis'], 'eq', _aws_profile + '_AdminAPI', 'name') }}" + _admin_api_gateway: "{{ lookup('ansible.utils.index_of', _api_gateways['rest_apis'], 'eq', _aws_profile + '_AdminAPI', 'name') }}" - name: Find the index of all firewalls, use in a loop ansible.builtin.debug: From f693aedf55394dd56a99168f09622e10b30ae682 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Tue, 4 Mar 2025 17:35:08 +0100 Subject: [PATCH 11/47] Adding-API-lookup-prior-to-creation-6 --- roles/aws/aws_admin_tools/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index 564f037dd..432448db9 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml 
@@ -5,7 +5,7 @@ - name: Find the index of all firewalls using the type key ansible.builtin.set_fact: - _admin_api_gateway: "{{ lookup('ansible.utils.index_of', _api_gateways['rest_apis'], 'eq', _aws_profile + '_AdminAPI', 'name') }}" + _admin_api_gateway: "{{ lookup('ansible.utils.index_of', _api_gateways['rest_apis'], 'eq', _aws_profile + '_admin_tools', 'name') }}" - name: Find the index of all firewalls, use in a loop ansible.builtin.debug: @@ -13,7 +13,7 @@ - name: Setup AWS API Gateway setup on AWS and deploy API definition community.aws.api_gateway: - name: "{{ _aws_profile }}_AdminAPI" + name: "{{ _aws_profile }}_admin_tools" region: "{{ _aws_region }}" swagger_text: "{{ lookup('template', 'swag.yml.j2') }}" stage: prod From c2de109f6b130414e59423d74802bc8fe1cfeae7 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Tue, 4 Mar 2025 17:41:42 +0100 Subject: [PATCH 12/47] Adding-API-lookup-prior-to-creation-7 --- roles/aws/aws_admin_tools/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index 432448db9..fa9a76f25 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml @@ -7,6 +7,10 @@ ansible.builtin.set_fact: _admin_api_gateway: "{{ lookup('ansible.utils.index_of', _api_gateways['rest_apis'], 'eq', _aws_profile + '_admin_tools', 'name') }}" +- name: Find the index of all firewalls, use in a loop + ansible.builtin.debug: + msg: "{{ _api_gateways }}" + - name: Find the index of all firewalls, use in a loop ansible.builtin.debug: msg: "{{ _admin_api_gateway }}" From 27ec0c594fe8bde43ab1b404baaa5488259c3c19 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Tue, 4 Mar 2025 17:49:47 +0100 Subject: [PATCH 13/47] Updating-tasks --- roles/_meta/aws_region/meta/main.yml | 16 ++++++++-------- roles/aws/aws_admin_tools/templates/swag.yml.j2 | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-) 
diff --git a/roles/_meta/aws_region/meta/main.yml b/roles/_meta/aws_region/meta/main.yml index a11491c0e..9fd95f4d9 100644 --- a/roles/_meta/aws_region/meta/main.yml +++ b/roles/_meta/aws_region/meta/main.yml @@ -1,11 +1,11 @@ --- dependencies: - - role: aws/aws_provision_ec2_keypair - - role: aws/aws_vpc - - role: aws/aws_vpc_subnet - - role: aws/aws_iam_role - - role: aws/aws_acl - - role: aws/aws_cloudwatch_log_group - - role: aws/aws_backup - - role: aws/aws_backup_sns +# - role: aws/aws_provision_ec2_keypair +# - role: aws/aws_vpc +# - role: aws/aws_vpc_subnet +# - role: aws/aws_iam_role +# - role: aws/aws_acl +# - role: aws/aws_cloudwatch_log_group +# - role: aws/aws_backup +# - role: aws/aws_backup_sns - role: aws/aws_admin_tools diff --git a/roles/aws/aws_admin_tools/templates/swag.yml.j2 b/roles/aws/aws_admin_tools/templates/swag.yml.j2 index f564a954c..d61b9f48c 100644 --- a/roles/aws/aws_admin_tools/templates/swag.yml.j2 +++ b/roles/aws/aws_admin_tools/templates/swag.yml.j2 @@ -2,7 +2,7 @@ swagger: "2.0" info: #version: "2025-03-03T11:47:22Z" - title: "dummy_admin_tools" + title: "dummytesting_admin_tools" #host: "8p1tbwdddi.execute-api.us-east-1.amazonaws.com" basePath: "/" schemes: From 33e416451023e0a52f800e2512542fb4018dd641 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Tue, 4 Mar 2025 18:03:35 +0100 Subject: [PATCH 14/47] Updating-tasks --- roles/aws/aws_admin_tools/tasks/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index fa9a76f25..f6e8a1386 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml 
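Review bot: Commenting out the eight existing dependencies of `aws_region` (keypair, VPC, subnet, IAM role, ACL, log group, backup, backup SNS) turns the region-provisioning meta role into one that only creates the admin API; this reads as a local shortcut for iterating on `aws_admin_tools` and must not land as-is, because a run of the role against a fresh region would silently skip network and IAM setup. Restore the lines before merge, or, if the goal is to run the new role on its own, give it a tag or a separate play instead of disabling the others. If it has to stay on a WIP branch, make the state explicit with something like `# TEMPORARY: disabled while testing aws_admin_tools — restore before merge`.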
@@ -3,13 +3,13 @@ region: "{{ _aws_region }}" register: _api_gateways -- name: Find the index of all firewalls using the type key +- name: Find the index of admin tools API ansible.builtin.set_fact: - _admin_api_gateway: "{{ lookup('ansible.utils.index_of', _api_gateways['rest_apis'], 'eq', _aws_profile + '_admin_tools', 'name') }}" + _index_admin_api: "{{ lookup('ansible.utils.index_of', _api_gateways['rest_apis'], 'eq', _aws_profile + '_admin_tools', 'name') }}" -- name: Find the index of all firewalls, use in a loop +- name: Print admin_api ansible.builtin.debug: - msg: "{{ _api_gateways }}" + msg: "{{ _api_gateways[_index_admin_api[0]] }}" - name: Find the index of all firewalls, use in a loop ansible.builtin.debug: From aeac7761ea5b10b90f9063ec352920093708645a Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Tue, 4 Mar 2025 18:07:30 +0100 Subject: [PATCH 15/47] Updating-tasks-2 --- roles/aws/aws_admin_tools/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index f6e8a1386..929855bd9 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml @@ -9,7 +9,7 @@ - name: Print admin_api ansible.builtin.debug: - msg: "{{ _api_gateways[_index_admin_api[0]] }}" + msg: "{{ _api_gateways['rest_apis'][_index_admin_api[0]] }}" - name: Find the index of all firewalls, use in a loop ansible.builtin.debug: From 6d24b7b8bb7fe01ba69cc8b79cf8e9b67dcea281 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Tue, 4 Mar 2025 18:12:24 +0100 Subject: [PATCH 16/47] Updating-tasks-3 --- roles/aws/aws_admin_tools/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index 929855bd9..f0a1048ad 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml 
@@ -7,6 +7,14 @@ ansible.builtin.set_fact: _index_admin_api: "{{ lookup('ansible.utils.index_of', _api_gateways['rest_apis'], 'eq', _aws_profile + '_admin_tools', 'name') }}" +- name: Print admin_api + ansible.builtin.debug: + msg: "{{ _index_admin_api }}" + +- name: Print admin_api + ansible.builtin.debug: + msg: "{{ _api_gateways['rest_apis'] }}" + - name: Print admin_api ansible.builtin.debug: msg: "{{ _api_gateways['rest_apis'][_index_admin_api[0]] }}" From 71881faf49f92bd74899be056be97b9e7a43dd1f Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Tue, 4 Mar 2025 18:20:30 +0100 Subject: [PATCH 17/47] Updating-tasks-4 --- roles/aws/aws_admin_tools/tasks/main.yml | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index f0a1048ad..437261c71 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml @@ -5,19 +5,11 @@ - name: Find the index of admin tools API ansible.builtin.set_fact: - _index_admin_api: "{{ lookup('ansible.utils.index_of', _api_gateways['rest_apis'], 'eq', _aws_profile + '_admin_tools', 'name') }}" + _index_admin_api: "{{ lookup('ansible.utils.index_of', _api_gateways['rest_apis'], 'eq', _aws_profile + '_admin_toolsaa', 'name', wantlist=True) }}" - name: Print admin_api ansible.builtin.debug: - msg: "{{ _index_admin_api }}" - -- name: Print admin_api - ansible.builtin.debug: - msg: "{{ _api_gateways['rest_apis'] }}" - -- name: Print admin_api - ansible.builtin.debug: - msg: "{{ _api_gateways['rest_apis'][_index_admin_api[0]] }}" + msg: "{{ _api_gateways['rest_apis'][_index_admin_api] }}" - name: Find the index of all firewalls, use in a loop ansible.builtin.debug: @@ -32,4 +24,5 @@ tracing_enabled: true endpoint_type: REGIONAL state: present + when: _index_admin_api | length > 0 From 7fe971ca6e4d28c7678c1ec1851f7bc6021761db Mon Sep 17 00:00:00 2001 
From: Matej Stajduhar Date: Tue, 4 Mar 2025 18:26:14 +0100 Subject: [PATCH 18/47] Updating-tasks-4 --- roles/aws/aws_admin_tools/tasks/main.yml | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index 437261c71..ffe2f0dd8 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml @@ -7,14 +7,6 @@ ansible.builtin.set_fact: _index_admin_api: "{{ lookup('ansible.utils.index_of', _api_gateways['rest_apis'], 'eq', _aws_profile + '_admin_toolsaa', 'name', wantlist=True) }}" -- name: Print admin_api - ansible.builtin.debug: - msg: "{{ _api_gateways['rest_apis'][_index_admin_api] }}" - -- name: Find the index of all firewalls, use in a loop - ansible.builtin.debug: - msg: "{{ _admin_api_gateway }}" - - name: Setup AWS API Gateway setup on AWS and deploy API definition community.aws.api_gateway: name: "{{ _aws_profile }}_admin_tools" @@ -26,3 +18,14 @@ state: present when: _index_admin_api | length > 0 +- name: Update API definitions and settings and deploy as canary + community.aws.api_gateway: + api_id: "{{ _index_admin_api['rest_apis']['id'] }}" + name: "{{ _aws_profile }}_admin_tools" + region: "{{ _aws_region }}" + swagger_text: "{{ lookup('template', 'swag.yml.j2') }}" + stage: prod + tracing_enabled: true + endpoint_type: REGIONAL + state: present + when: _index_admin_api | length == 0 From aa622472bc8e2b6a5b0eb9c9428a439d88d76c51 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Tue, 4 Mar 2025 18:32:42 +0100 Subject: [PATCH 19/47] Updating-tasks-5 --- roles/aws/aws_admin_tools/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index ffe2f0dd8..313bcfd73 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml 
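Review bot: The new "Update" task is a copy of the create task that differs only in `api_id` and the inverted `when`, which doubles the surface that has to be kept in sync (the later `deploy_desc` addition already lands on only one of them). The two can be a single task using `omit`: `api_id: "{{ _api_gateways['rest_apis'][_index_admin_api[0]]['id'] if _index_admin_api | length > 0 else omit }}"`. The task name also promises "deploy as canary", but no `stage_canary_settings` is passed, so this is a plain stage deployment that replaces the live definition; either rename the task or actually supply canary settings.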
@@ -20,7 +20,7 @@ - name: Update API definitions and settings and deploy as canary community.aws.api_gateway: - api_id: "{{ _index_admin_api['rest_apis']['id'] }}" + api_id: "{{ _api_gateways['rest_apis']['id'] }}" name: "{{ _aws_profile }}_admin_tools" region: "{{ _aws_region }}" swagger_text: "{{ lookup('template', 'swag.yml.j2') }}" From c449201d9a3b64c0b6956eff6621bb5997aae736 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Tue, 4 Mar 2025 18:36:01 +0100 Subject: [PATCH 20/47] Updating-tasks-6 --- roles/aws/aws_admin_tools/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index 313bcfd73..e4c551673 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml @@ -20,7 +20,7 @@ - name: Update API definitions and settings and deploy as canary community.aws.api_gateway: - api_id: "{{ _api_gateways['rest_apis']['id'] }}" + api_id: "{{ _api_gateways['rest_apis'][_index_admin_api]['id'] }}" name: "{{ _aws_profile }}_admin_tools" region: "{{ _aws_region }}" swagger_text: "{{ lookup('template', 'swag.yml.j2') }}" From 97c9c4850806f8fad8b0b51738099972d2cb70a3 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Tue, 4 Mar 2025 19:23:07 +0100 Subject: [PATCH 21/47] Updating-tasks-7 --- roles/aws/aws_admin_tools/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index e4c551673..86e62d3dd 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml @@ -16,7 +16,7 @@ tracing_enabled: true endpoint_type: REGIONAL state: present - when: _index_admin_api | length > 0 + when: _index_admin_api | length == 0 - name: Update API definitions and settings and deploy as canary community.aws.api_gateway: 
@@ -28,4 +28,4 @@ tracing_enabled: true endpoint_type: REGIONAL state: present - when: _index_admin_api | length == 0 + when: _index_admin_api | length > 0 From 3aaa16d9b52a3a6564b4af0ff02ce9e8459c742b Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 5 Mar 2025 12:19:30 +0100 Subject: [PATCH 22/47] Adding-for-loop-for-lambda-functions --- roles/aws/aws_admin_tools/templates/swag.yml.j2 | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/aws/aws_admin_tools/templates/swag.yml.j2 b/roles/aws/aws_admin_tools/templates/swag.yml.j2 index d61b9f48c..1889b9187 100644 --- a/roles/aws/aws_admin_tools/templates/swag.yml.j2 +++ b/roles/aws/aws_admin_tools/templates/swag.yml.j2 @@ -2,13 +2,14 @@ swagger: "2.0" info: #version: "2025-03-03T11:47:22Z" - title: "dummytesting_admin_tools" + title: "{{ _aws_profile }}_admin_tools" #host: "8p1tbwdddi.execute-api.us-east-1.amazonaws.com" basePath: "/" schemes: - "https" paths: - /GetMonthForecast: + {% for funct in ['GetMonthForecast', 'test1', 'test2'] %} + /{{ funct }}: get: produces: - "application/json" @@ -27,6 +28,7 @@ paths: passthroughBehavior: "when_no_match" timeoutInMillis: 29000 contentHandling: "CONVERT_TO_TEXT" + {% endfor %} definitions: Empty: type: "object" From cf1295e470a2a510dde13c5a943a2a81ca2f4952 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 5 Mar 2025 12:25:57 +0100 Subject: [PATCH 23/47] Adding-for-loop-for-lambda-functions-2 --- roles/aws/aws_admin_tools/tasks/main.yml | 2 +- roles/aws/aws_admin_tools/templates/swag.yml.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index 86e62d3dd..33e5e1425 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml 
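Review bot: The loop variable `funct` is used only for the path key; the integration `uri` inside the loop still names `function:getBilling`, so `/test1`, `/test2` and any real function added to the list later all invoke the billing Lambda. Template the function name as well, e.g. `uri: "arn:aws:apigateway:{{ _aws_region }}:lambda:path/2015-03-31/functions/arn:aws:lambda:{{ _aws_region }}:{{ _aws_account_id }}:function:{{ funct }}/invocations"`, and drive the list from a role variable (`_aws_admin_tools.functions`) rather than a literal inside the template so callers can control which functions are exposed. Each generated operation still carries no `security` entry, so every new path inherits the unauthenticated exposure of the first one.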
@@ -5,7 +5,7 @@ - name: Find the index of admin tools API ansible.builtin.set_fact: - _index_admin_api: "{{ lookup('ansible.utils.index_of', _api_gateways['rest_apis'], 'eq', _aws_profile + '_admin_toolsaa', 'name', wantlist=True) }}" + _index_admin_api: "{{ lookup('ansible.utils.index_of', _api_gateways['rest_apis'], 'eq', _aws_profile + '_admin_tools', 'name', wantlist=True) }}" - name: Setup AWS API Gateway setup on AWS and deploy API definition community.aws.api_gateway: diff --git a/roles/aws/aws_admin_tools/templates/swag.yml.j2 b/roles/aws/aws_admin_tools/templates/swag.yml.j2 index 1889b9187..0d9f4a656 100644 --- a/roles/aws/aws_admin_tools/templates/swag.yml.j2 +++ b/roles/aws/aws_admin_tools/templates/swag.yml.j2 @@ -8,7 +8,7 @@ basePath: "/" schemes: - "https" paths: - {% for funct in ['GetMonthForecast', 'test1', 'test2'] %} + {% for funct in ['GetMonthForecast'] %} /{{ funct }}: get: produces: From fb23ca0c424abfe03555871eda8985bb4b501bbb Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 5 Mar 2025 13:17:37 +0100 Subject: [PATCH 24/47] Adding-for-loop-for-lambda-functions-3 --- roles/aws/aws_admin_tools/templates/swag.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_admin_tools/templates/swag.yml.j2 b/roles/aws/aws_admin_tools/templates/swag.yml.j2 index 0d9f4a656..3019b7ae2 100644 --- a/roles/aws/aws_admin_tools/templates/swag.yml.j2 +++ b/roles/aws/aws_admin_tools/templates/swag.yml.j2 @@ -8,7 +8,7 @@ basePath: "/" schemes: - "https" paths: - {% for funct in ['GetMonthForecast'] %} + {% for funct in ['GetMonthForecast', 'EnableDisableAutoscaling'] %} /{{ funct }}: get: produces: From d89cd205f321e4076fd2ccfb480de9c7b8d53e70 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 5 Mar 2025 13:36:59 +0100 Subject: [PATCH 25/47] Adding-for-loop-for-lambda-functions-4 --- roles/aws/aws_admin_tools/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) 
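Review bot: `EnableDisableAutoscaling` is a state-changing administrative action, yet the loop emits it as a `get:` operation with no authorizer, so a crawler, a link preview or anyone guessing the path can flip autoscaling on a production account. Mutating operations should be `post:` (browsers and caches do not replay them speculatively) and must carry a `security:` requirement (`- sigv4: []` with a matching `securityDefinitions` block, or a Cognito/Lambda authorizer). If read-only and mutating functions are going to share this template, the list should carry the method per entry, e.g. `{% for funct in [{'name': 'GetMonthForecast', 'method': 'get'}, {'name': 'EnableDisableAutoscaling', 'method': 'post'}] %}`.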
diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index 33e5e1425..b6df6e550 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml @@ -7,6 +7,10 @@ ansible.builtin.set_fact: _index_admin_api: "{{ lookup('ansible.utils.index_of', _api_gateways['rest_apis'], 'eq', _aws_profile + '_admin_tools', 'name', wantlist=True) }}" +- name: Get list of APIs + debug: + msg: "{{ _api_gateways }}" + - name: Setup AWS API Gateway setup on AWS and deploy API definition community.aws.api_gateway: name: "{{ _aws_profile }}_admin_tools" From 0c1c28b93c8cad30574c91fdcbbcfe2463f765dc Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 5 Mar 2025 13:43:26 +0100 Subject: [PATCH 26/47] Adding-for-loop-for-lambda-functions-5 --- roles/aws/aws_admin_tools/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index b6df6e550..b96035480 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml @@ -24,7 +24,7 @@ - name: Update API definitions and settings and deploy as canary community.aws.api_gateway: - api_id: "{{ _api_gateways['rest_apis'][_index_admin_api]['id'] }}" + api_id: "{{ _api_gateways['rest_apis'][_index_admin_api[0]]['id'] }}" name: "{{ _aws_profile }}_admin_tools" region: "{{ _aws_region }}" swagger_text: "{{ lookup('template', 'swag.yml.j2') }}" From 356b39ab2e4d53c0a959772f6f36247d929fcf7b Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 5 Mar 2025 14:07:16 +0100 Subject: [PATCH 27/47] Adding-for-loop-for-lambda-functions-6 --- roles/aws/aws_admin_tools/templates/swag.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_admin_tools/templates/swag.yml.j2 b/roles/aws/aws_admin_tools/templates/swag.yml.j2 index 3019b7ae2..55353e922 100644 
--- a/roles/aws/aws_admin_tools/templates/swag.yml.j2 +++ b/roles/aws/aws_admin_tools/templates/swag.yml.j2 @@ -8,7 +8,7 @@ basePath: "/" schemes: - "https" paths: - {% for funct in ['GetMonthForecast', 'EnableDisableAutoscaling'] %} + {% for funct in ['GetMonthForecast', 'EnableDisableAutoscaling', 'Test'] %} /{{ funct }}: get: produces: From 6becf4768a2e0fd502341b10ee4100fa6e84ffe0 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 5 Mar 2025 14:21:00 +0100 Subject: [PATCH 28/47] Adding-for-loop-for-lambda-functions-7 --- roles/aws/aws_admin_tools/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index b96035480..9e029dc76 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml @@ -7,9 +7,9 @@ ansible.builtin.set_fact: _index_admin_api: "{{ lookup('ansible.utils.index_of', _api_gateways['rest_apis'], 'eq', _aws_profile + '_admin_tools', 'name', wantlist=True) }}" -- name: Get list of APIs +- name: print swagger file debug: - msg: "{{ _api_gateways }}" + msg: "{{ lookup('template', 'swag.yml.j2') }}" - name: Setup AWS API Gateway setup on AWS and deploy API definition community.aws.api_gateway: From 37e18b67f203a5f73dc9bcc681ca3f6bfabbec48 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 5 Mar 2025 14:25:42 +0100 Subject: [PATCH 29/47] Adding-for-loop-for-lambda-functions-8 --- roles/aws/aws_admin_tools/templates/swag.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_admin_tools/templates/swag.yml.j2 b/roles/aws/aws_admin_tools/templates/swag.yml.j2 index 55353e922..48c5aed58 100644 --- a/roles/aws/aws_admin_tools/templates/swag.yml.j2 +++ b/roles/aws/aws_admin_tools/templates/swag.yml.j2 
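Review bot: The "print swagger file" task dumps the fully rendered API definition (including the Lambda ARNs and account id) into the play output on every run, and it is the last of a series of diagnostic `debug` tasks that this branch has been adding and removing; it should go before merge, or at minimum be gated with `verbosity: 2` so it only appears with `-vv`. It also uses the bare `debug:` module name while every other task in the file uses `ansible.builtin.debug` / `community.aws.*` FQCNs — keep the file consistent.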
@@ -9,7 +9,7 @@ schemes: - "https" paths: {% for funct in ['GetMonthForecast', 'EnableDisableAutoscaling', 'Test'] %} - /{{ funct }}: +/{{ funct }}: get: produces: - "application/json" From 82e9f8b227259d5baa9149f8a52d1af02f1e4293 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 5 Mar 2025 15:14:22 +0100 Subject: [PATCH 30/47] Adding-for-loop-for-lambda-functions-9 --- roles/aws/aws_admin_tools/tasks/main.yml | 6 +-- .../aws_admin_tools/templates/swag.json.j2 | 45 +++++++++++++++++++ .../aws/aws_admin_tools/templates/swag.yml.j2 | 35 --------------- 3 files changed, 48 insertions(+), 38 deletions(-) create mode 100644 roles/aws/aws_admin_tools/templates/swag.json.j2 delete mode 100644 roles/aws/aws_admin_tools/templates/swag.yml.j2 diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index 9e029dc76..48ad31b5d 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml @@ -9,13 +9,13 @@ - name: print swagger file debug: - msg: "{{ lookup('template', 'swag.yml.j2') }}" + msg: "{{ lookup('template', 'swag.json.j2') }}" - name: Setup AWS API Gateway setup on AWS and deploy API definition community.aws.api_gateway: name: "{{ _aws_profile }}_admin_tools" region: "{{ _aws_region }}" - swagger_text: "{{ lookup('template', 'swag.yml.j2') }}" + swagger_text: "{{ lookup('template', 'swag.json.j2') }}" stage: prod tracing_enabled: true endpoint_type: REGIONAL @@ -27,7 +27,7 @@ api_id: "{{ _api_gateways['rest_apis'][_index_admin_api[0]]['id'] }}" name: "{{ _aws_profile }}_admin_tools" region: "{{ _aws_region }}" - swagger_text: "{{ lookup('template', 'swag.yml.j2') }}" + swagger_text: "{{ lookup('template', 'swag.json.j2') }}" stage: prod tracing_enabled: true endpoint_type: REGIONAL diff --git a/roles/aws/aws_admin_tools/templates/swag.json.j2 b/roles/aws/aws_admin_tools/templates/swag.json.j2 new file mode 100644 index 000000000..ccf6963b0 --- /dev/null 
+++ b/roles/aws/aws_admin_tools/templates/swag.json.j2 @@ -0,0 +1,45 @@ +{ + "swagger" : "2.0", + "info" : { + "description" : "API for administration functions made automatically by ansible", + "title" : "dummy_admin_tools" + }, + "basePath" : "/prod", + "schemes" : [ "https" ], + "paths" : { + {% for funct in ['GetMonthForecast', 'EnableDisableAutoscaling', 'Test'] %} + "/{{ funct }}" : { + "get" : { + "produces" : [ "application/json" ], + "responses" : { + "200" : { + "description" : "200 response", + "schema" : { + "$ref" : "#/definitions/Empty" + } + } + }, + "x-amazon-apigateway-integration" : { + "type" : "aws", + "httpMethod" : "POST", + "uri" : "arn:aws:apigateway:eu-west-1:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-1:444471199298:function:getBilling/invocations", + "responses" : { + "default" : { + "statusCode" : "200" + } + }, + "passthroughBehavior" : "when_no_match", + "timeoutInMillis" : 29000, + "contentHandling" : "CONVERT_TO_TEXT" + } + } + }, + {% endfor %} + }, + "definitions" : { + "Empty" : { + "type" : "object", + "title" : "Empty Schema" + } + } +} diff --git a/roles/aws/aws_admin_tools/templates/swag.yml.j2 b/roles/aws/aws_admin_tools/templates/swag.yml.j2 deleted file mode 100644 index 48c5aed58..000000000 --- a/roles/aws/aws_admin_tools/templates/swag.yml.j2 +++ /dev/null 
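Review bot: The `{% for %}` loop closes every path object with `},` and `{% endfor %}` is followed directly by the closing `},` of `"paths"`, so the rendered document has a trailing comma after the last path, which is not valid JSON and will most likely be rejected by the API Gateway importer; end the item with `}{% if not loop.last %},{% endif %}` instead. The `title` regresses to the literal `"dummy_admin_tools"` where the YAML template had `{{ _aws_profile }}_admin_tools` since the loop was introduced — restore `"title" : "{{ _aws_profile }}_admin_tools"`. All three paths, including a route literally named `Test` that is about to be deployed to the `prod` stage, still point at `function:getBilling` with a hard-coded region and account id, and none of them declares a `security` requirement, so the unauthenticated-admin-API problem carries over unchanged into the JSON version.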
@@ -1,35 +0,0 @@ ---- -swagger: "2.0" -info: - #version: "2025-03-03T11:47:22Z" - title: "{{ _aws_profile }}_admin_tools" -#host: "8p1tbwdddi.execute-api.us-east-1.amazonaws.com" -basePath: "/" -schemes: -- "https" -paths: - {% for funct in ['GetMonthForecast', 'EnableDisableAutoscaling', 'Test'] %} -/{{ funct }}: - get: - produces: - - "application/json" - responses: - "200": - description: "200 response" - schema: - $ref: "#/definitions/Empty" - x-amazon-apigateway-integration: - type: "aws" - httpMethod: "POST" - uri: "arn:aws:apigateway:eu-west-1:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-1:444471199298:function:getBilling/invocations" - responses: - default: - statusCode: "200" - passthroughBehavior: "when_no_match" - timeoutInMillis: 29000 - contentHandling: "CONVERT_TO_TEXT" - {% endfor %} -definitions: - Empty: - type: "object" - title: "Empty Schema" From 77e3ba568709bff8309f11e26892fce456735cd3 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 5 Mar 2025 15:21:16 +0100 Subject: [PATCH 31/47] Adding-for-loop-for-lambda-functions-10 --- roles/aws/aws_admin_tools/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index 48ad31b5d..74b3b4060 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml @@ -26,6 +26,7 @@ community.aws.api_gateway: api_id: "{{ _api_gateways['rest_apis'][_index_admin_api[0]]['id'] }}" name: "{{ _aws_profile }}_admin_tools" + deploy_desc: "API for administration functions made automatically by ansible" region: "{{ _aws_region }}" swagger_text: "{{ lookup('template', 'swag.json.j2') }}" stage: prod From 163b82ea080f6e07cc8adf03730f1b95889ffa33 Mon Sep 17 00:00:00 2001 
From: Matej Stajduhar Date: Wed, 5 Mar 2025 15:53:01 +0100 Subject: [PATCH 32/47] Adding-for-loop-for-lambda-functions-11 --- roles/aws/aws_admin_tools/tasks/main.yml | 61 ++++++++++++++++-------- 1 file changed, 40 insertions(+), 21 deletions(-) diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index 74b3b4060..9f19e6491 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml 
@@ -11,26 +11,45 @@ debug: msg: "{{ lookup('template', 'swag.json.j2') }}" -- name: Setup AWS API Gateway setup on AWS and deploy API definition - community.aws.api_gateway: - name: "{{ _aws_profile }}_admin_tools" - region: "{{ _aws_region }}" - swagger_text: "{{ lookup('template', 'swag.json.j2') }}" - stage: prod - tracing_enabled: true - endpoint_type: REGIONAL - state: present +- name: Delete swag file + file: + path: /tmp/swag.json + state: absent + +- name: Write swag file + ansible.builtin.template: + src: swag.json.j2 + dest: /tmp/swag.json + +- name: Write swag file + ansible.builtin.shell: > + aws apigateway create-rest-api \ + --region "{{ _aws_region }}" \ + --name "{{ _aws_profile }}_admin_tools" \ + --description "API for administration functions made automatically by ansible" \ + --endpoint-configuration "{\"types\": [\"REGIONAL\"]}" when: _index_admin_api | length == 0 -- name: Update API definitions and settings and deploy as canary - community.aws.api_gateway: - api_id: "{{ _api_gateways['rest_apis'][_index_admin_api[0]]['id'] }}" - name: "{{ _aws_profile }}_admin_tools" - deploy_desc: "API for administration functions made automatically by ansible" - region: "{{ _aws_region }}" - swagger_text: "{{ lookup('template', 'swag.json.j2') }}" - stage: prod - tracing_enabled: true - endpoint_type: REGIONAL - state: present - when: _index_admin_api | length > 0 +#- name: Setup AWS API Gateway setup on AWS and deploy API definition +# community.aws.api_gateway: +# name: "{{ _aws_profile }}_admin_tools" +# region: "{{ _aws_region }}" +# swagger_text: "{{ lookup('template', 'swag.json.j2') }}" +# stage: prod +# tracing_enabled: true +# endpoint_type: REGIONAL +# state: present +# when: _index_admin_api | length == 0 +# +#- name: Update API definitions and settings and deploy as canary +# community.aws.api_gateway: +# api_id: "{{ _api_gateways['rest_apis'][_index_admin_api[0]]['id'] }}" +# name: "{{ _aws_profile }}_admin_tools" +# deploy_desc: "API for 
administration functions made automatically by ansible" +# region: "{{ _aws_region }}" +# swagger_text: "{{ lookup('template', 'swag.json.j2') }}" +# stage: prod +# tracing_enabled: true +# endpoint_type: REGIONAL +# state: present +# when: _index_admin_api | length > 0 From 34286b7eda719ba57f6bfaa83e5e543ec2243b44 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 5 Mar 2025 17:37:59 +0100 Subject: [PATCH 33/47] Switching-role-to-use-aws-cli --- roles/aws/aws_admin_tools/tasks/main.yml | 26 +++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index 9f19e6491..4c3885b5b 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml 
@@ -21,13 +21,37 @@ src: swag.json.j2 dest: /tmp/swag.json -- name: Write swag file +- name: Create API gateway ansible.builtin.shell: > aws apigateway create-rest-api \ --region "{{ _aws_region }}" \ --name "{{ _aws_profile }}_admin_tools" \ --description "API for administration functions made automatically by ansible" \ --endpoint-configuration "{\"types\": [\"REGIONAL\"]}" + register: _api_gateway + when: _index_admin_api | length == 0 + +- name: Get list of API gateway resources + ansible.builtin.shell: > + aws apigateway get-resources \ + --region "{{ _aws_region }}" \ + --rest-api-id "{{ _api_gateways['rest_apis'][_index_admin_api[0]]['id'] }}" + register: _api_gateway_resources + when: _index_admin_api | length == 0 + +- name: Get index of main resource from API gateway + ansible.builtin.set_fact: + _index_api_main_resource: "{{ lookup('ansible.utils.index_of', _api_gateway_resources['items'], 'eq', '/', 'path', wantlist=True) }}" + when: _index_admin_api | length == 0 + +- name: Get main resource from API gateway + ansible.builtin.shell: > + aws apigateway create-resource \ + --rest-api-id "{{ _api_gateways['rest_apis'][_index_admin_api[0]]['id'] }}" + --parent-id "{{ _api_gateway_resources['items'][_index_api_main_resource[0]]['id'] }}" + --path-part "GetBills" + --region "{{ _aws_region }}" + register: _main_api_resource when: _index_admin_api | length == 0 #- name: Setup AWS API Gateway setup on AWS and deploy API definition From eb12ddcae3deb24e17c809d7841b124293a175c1 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 5 Mar 2025 17:46:34 +0100 Subject: [PATCH 34/47] Switching-role-to-use-aws-cli-2 --- roles/aws/aws_admin_tools/tasks/main.yml | 22 ++++------------------ 1 file changed, 4 insertions(+), 18 deletions(-) diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index 4c3885b5b..c3b37f0ac 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml 
@@ -1,4 +1,4 @@ -- name: List all for a specific function +- name: List all API gateways community.aws.api_gateway_info: region: "{{ _aws_region }}" register: _api_gateways @@ -7,20 +7,6 @@ ansible.builtin.set_fact: _index_admin_api: "{{ lookup('ansible.utils.index_of', _api_gateways['rest_apis'], 'eq', _aws_profile + '_admin_tools', 'name', wantlist=True) }}" -- name: print swagger file - debug: - msg: "{{ lookup('template', 'swag.json.j2') }}" - -- name: Delete swag file - file: - path: /tmp/swag.json - state: absent - -- name: Write swag file - ansible.builtin.template: - src: swag.json.j2 - dest: /tmp/swag.json - - name: Create API gateway ansible.builtin.shell: > aws apigateway create-rest-api \ @@ -32,12 +18,12 @@ when: _index_admin_api | length == 0 - name: Get list of API gateway resources - ansible.builtin.shell: > + ansible.builtin.shell: > aws apigateway get-resources \ --region "{{ _aws_region }}" \ - --rest-api-id "{{ _api_gateways['rest_apis'][_index_admin_api[0]]['id'] }}" + --rest-api-id "{{ _api_gateway['id'] }}" register: _api_gateway_resources - when: _index_admin_api | length == 0 + when: _index_admin_api | length > 0 - name: Get index of main resource from API gateway ansible.builtin.set_fact: From f753c72895f1a747cfd637eacffd66ba6cc6d0e3 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 5 Mar 2025 17:52:33 +0100 Subject: [PATCH 35/47] Switching-role-to-use-aws-cli-3 --- roles/aws/aws_admin_tools/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index c3b37f0ac..4b6efed39 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml @@ -18,7 +18,7 @@ when: _index_admin_api | length == 0 - name: Get list of API gateway resources - ansible.builtin.shell: > + ansible.builtin.shell: > aws apigateway get-resources \ --region "{{ _aws_region }}" \ --rest-api-id "{{ _api_gateway['id'] }}" 
From bc461a183eedb78fec9df9aedcd68f3446411863 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 5 Mar 2025 17:58:36 +0100 Subject: [PATCH 36/47] Switching-role-to-use-aws-cli-4 --- roles/aws/aws_admin_tools/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index 4b6efed39..60fd41cf9 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml @@ -23,7 +23,7 @@ --region "{{ _aws_region }}" \ --rest-api-id "{{ _api_gateway['id'] }}" register: _api_gateway_resources - when: _index_admin_api | length > 0 + when: _index_admin_api | length == 0 - name: Get index of main resource from API gateway ansible.builtin.set_fact: From de317748686f821d671bbb79c9142bdde17e4a0e Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 5 Mar 2025 18:05:27 +0100 Subject: [PATCH 37/47] Switching-role-to-use-aws-cli-5 --- roles/aws/aws_admin_tools/tasks/main.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index 60fd41cf9..af9e0b1b0 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml @@ -17,6 +17,10 @@ register: _api_gateway when: _index_admin_api | length == 0 +- name: Print return information from the previous task + ansible.builtin.debug: + var: _api_gateway + - name: Get list of API gateway resources ansible.builtin.shell: > aws apigateway get-resources \ 
@@ -25,11 +29,19 @@ register: _api_gateway_resources when: _index_admin_api | length == 0 +- name: Print return information from the previous task + ansible.builtin.debug: + var: _api_gateway_resources + - name: Get index of main resource from API gateway ansible.builtin.set_fact: _index_api_main_resource: "{{ lookup('ansible.utils.index_of', _api_gateway_resources['items'], 'eq', '/', 'path', wantlist=True) }}" when: _index_admin_api | length == 0 +- name: Print return information from the previous task + ansible.builtin.debug: + var: _index_api_main_resource + - name: Get main resource from API gateway ansible.builtin.shell: > aws apigateway create-resource \ @@ -40,6 +52,10 @@ register: _main_api_resource when: _index_admin_api | length == 0 +- name: Print return information from the previous task + ansible.builtin.debug: + var: _main_api_resource + #- name: Setup AWS API Gateway setup on AWS and deploy API definition # community.aws.api_gateway: # name: "{{ _aws_profile }}_admin_tools" From b74746888c4c06b3f836c325a6355978805d085b Mon Sep 17 00:00:00 2001 
From: Matej Stajduhar Date: Wed, 12 Mar 2025 17:56:49 +0100 Subject: [PATCH 38/47] New-admin-tools-role --- roles/aws/aws_acl/defaults/main.yml | 1 + roles/aws/aws_acl/tasks/create_acl.yml | 2 +- roles/aws/aws_admin_tools/defaults/main.yml | 19 +++ roles/aws/aws_admin_tools/tasks/create.yml | 74 ++++++++ .../aws_admin_tools/tasks/create_methods.yml | 80 +++++++++ .../aws/aws_admin_tools/tasks/create_mock.yml | 42 +++++ .../tasks/lambda_functions.yml | 48 ++++++ .../aws/aws_admin_tools/tasks/lambda_iam.yml | 9 + roles/aws/aws_admin_tools/tasks/main.yml | 161 ++++++++++-------- roles/aws/aws_admin_tools/tasks/update.yml | 4 + .../templates/API_ChangeASGScaling.py.j2 | 39 +++++ .../templates/API_GetForecastedCosts.py.j2 | 39 +++++ .../templates/API_GetListOfEC2.py.j2 | 49 ++++++ .../aws/aws_admin_tools/templates/API_tmp.j2 | 8 + .../templates/trusted_entitites.j2 | 12 ++ roles/aws/aws_ec2_with_eip/tasks/main.yml | 23 +-- 16 files changed, 524 insertions(+), 86 deletions(-) create mode 100644 roles/aws/aws_admin_tools/defaults/main.yml create mode 100644 roles/aws/aws_admin_tools/tasks/create.yml create mode 100644 roles/aws/aws_admin_tools/tasks/create_methods.yml create mode 100644 roles/aws/aws_admin_tools/tasks/create_mock.yml create mode 100644 roles/aws/aws_admin_tools/tasks/lambda_functions.yml create mode 100644 roles/aws/aws_admin_tools/tasks/lambda_iam.yml create mode 100644 roles/aws/aws_admin_tools/tasks/update.yml create mode 100644 roles/aws/aws_admin_tools/templates/API_ChangeASGScaling.py.j2 create mode 100644 roles/aws/aws_admin_tools/templates/API_GetForecastedCosts.py.j2 create mode 100644 roles/aws/aws_admin_tools/templates/API_GetListOfEC2.py.j2 create mode 100644 roles/aws/aws_admin_tools/templates/API_tmp.j2 create mode 100644 roles/aws/aws_admin_tools/templates/trusted_entitites.j2 diff --git a/roles/aws/aws_acl/defaults/main.yml b/roles/aws/aws_acl/defaults/main.yml index d74402f89..e71b98ac7 100644 --- a/roles/aws/aws_acl/defaults/main.yml 
+++ b/roles/aws/aws_acl/defaults/main.yml @@ -6,6 +6,7 @@ aws_acl: region: "us-east-1" tags: "{{ _aws_tags }}" recreate: false # set to true to creating the ACL + default_action: "Allow" # Default action if no rules are triggered, can be Block rules: rate_limit: value: 600 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking diff --git a/roles/aws/aws_acl/tasks/create_acl.yml b/roles/aws/aws_acl/tasks/create_acl.yml index 57ca9b287..26cc6c6f1 100644 --- a/roles/aws/aws_acl/tasks/create_acl.yml +++ b/roles/aws/aws_acl/tasks/create_acl.yml @@ -92,7 +92,7 @@ description: "{{ _acl.description }}" scope: "{{ _acl.scope }}" region: "{{ _acl.region }}" - default_action: Allow # or "Block" + default_action: "{{ _acl.default_action }}" # or "Block" sampled_requests: false cloudwatch_metrics: true # or "false" to disable metrics metric_name: test-metric-name # not sure about this name, since each rule also has it's own metrics name (maybe log group name) diff --git a/roles/aws/aws_admin_tools/defaults/main.yml b/roles/aws/aws_admin_tools/defaults/main.yml new file mode 100644 index 000000000..32db74918 --- /dev/null +++ b/roles/aws/aws_admin_tools/defaults/main.yml @@ -0,0 +1,19 @@ +aws_admin_tools: + runtime: "python3.12" + timeout: 20 + allowed_ips: + - 188.129.46.157/32 + - 3.11.82.252/32 + functions: + - name: "GetForecastedCosts" + type: GET + policies: + - arn:aws:iam::444471199298:policy/CEBillingPolicy + - name: "ChangeASGScaling" + type: POST + policies: + - arn:aws:iam::aws:policy/AmazonEC2FullAccess + - name: "GetListOfEC2" + type: GET + policies: + - arn:aws:iam::aws:policy/AmazonEC2FullAccess diff --git a/roles/aws/aws_admin_tools/tasks/create.yml b/roles/aws/aws_admin_tools/tasks/create.yml new file mode 100644 index 000000000..35c993285 --- /dev/null +++ b/roles/aws/aws_admin_tools/tasks/create.yml 
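Review bot: The defaults grant `arn:aws:iam::aws:policy/AmazonEC2FullAccess` to both `ChangeASGScaling` and `GetListOfEC2`, which is far wider than those functions need: listing instances needs only `ec2:DescribeInstances`, and changing scaling needs the `autoscaling:UpdateAutoScalingGroup`/`autoscaling:SetDesiredCapacity` actions on the target groups, not write access to all of EC2, so a customer-managed policy scoped to those actions (as `CEBillingPolicy` is for the first function) is the least-privilege shape. The `CEBillingPolicy` ARN embeds the literal account id `444471199298`, as do the `--source-arn` and `--uri` values elsewhere in this series, so these role defaults only work in one account; derive it at run time (`amazon.aws.aws_caller_info` returns `account`) and build the ARNs from that. Because the methods created in `create_methods.yml` use `--authorization-type "NONE"`, `allowed_ips` is the only access control on this API, so the two literal addresses shipped as defaults deserve a comment such as `# must be overridden per deployment; this list is the sole gate on the admin API` rather than being silently inherited.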
@@ -0,0 +1,74 @@ +- name: Create stage on API gateway + ansible.builtin.command: >- + aws apigateway create-stage + --rest-api-id "{{ _api_gate.id }}" + --stage-name "prod" + --deployment-id "{{ _main_api_deploy.id }}" + --region "{{ _aws_region }}" + register: _main_api_stage + when: _api_index | length == 0 + +- name: Create resources and set methods on API Gateway. + ansible.builtin.include_tasks: create_methods.yml + loop: "{{ aws_admin_tools.functions }}" + +- name: Obtain all information for a single WAF + community.aws.wafv2_web_acl_info: + name: "{{ _aws_profile }}_admin_tools" + scope: "REGIONAL" + region: "{{ _aws_region }}" + register: _main_waf + +- name: Get list of API gateway resources + ansible.builtin.command: >- + aws apigateway get-resources + --region "{{ _aws_region }}" + --rest-api-id "{{ _api_gate.id }}" + register: _api_res_list + +- name: Setting prevoius command output into variable + ansible.builtin.set_fact: + _api_res_list: "{{ _api_res_list.stdout | from_json | json_query('items') }}" + +- name: Get index of DelMe resource from API gateway + ansible.builtin.set_fact: + _api_res_index_list: "{{ lookup('ansible.utils.index_of', _api_res_list, 'eq', '/DelMe', 'path', wantlist=True) }}" + when: _api_index | length == 0 + +- name: Delete the initial resource + ansible.builtin.command: >- + aws apigateway delete-resource + --rest-api-id "{{ _api_gate.id }}" + --resource-id "{{ _api_res_list[_api_res_index_list[0]].id }}" + --region "{{ _aws_region }}" + when: _api_index | length == 0 + +- name: Deploy API gateway prior to attaching WAF + ansible.builtin.command: >- + aws apigateway create-deployment + --rest-api-id "{{ _api_gate.id }}" + --stage-name "prod" + --region "{{ _aws_region }}" + +- name: Add API gateway to waf + community.aws.wafv2_resources: + name: "{{ _aws_profile }}_admin_tools" + scope: REGIONAL + state: present + region: "{{ _aws_region }}" + arn: "arn:aws:apigateway:{{ _aws_region }}::/restapis/{{ _api_gate.id 
}}/stages/prod" + +- name: Generate unique string + ansible.builtin.set_fact: + _rand_str: "{{ lookup('community.general.random_string', length=8, special=false, min_lower=2, min_numeric=2, min_upper=2) }}" + +- name: Update Lambda triggers + ansible.builtin.command: >- + aws lambda add-permission + --function-name "API_{{ item.name }}" + --statement-id "{{ item.name }}_{{ _rand_str }}" + --action "lambda:InvokeFunction" + --principal apigateway.amazonaws.com + --source-arn arn:aws:execute-api:{{ _aws_region }}:444471199298:{{ _api_gate.id }}/*/{{ item.type }}/{{ item.name }} + --region {{ _aws_region }} + loop: "{{ aws_admin_tools.functions }}" diff --git a/roles/aws/aws_admin_tools/tasks/create_methods.yml b/roles/aws/aws_admin_tools/tasks/create_methods.yml new file mode 100644 index 000000000..915c94c1a --- /dev/null +++ b/roles/aws/aws_admin_tools/tasks/create_methods.yml 
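Review bot: `Update Lambda triggers` calls `aws lambda add-permission` with `--statement-id "{{ item.name }}_{{ _rand_str }}"`, and `_rand_str` is regenerated on every run, so each play appends a new statement to every function's resource policy and none is ever removed; the policy grows until Lambda's resource-policy size limit makes the task fail, and stale grants for old API ids are never cleaned up. A fixed statement id with the idempotent `amazon.aws.lambda_policy` module keeps exactly one grant per function, and `Generate unique string` can then go. The account id in `--source-arn` is also hard-coded as `444471199298`; take it from `amazon.aws.aws_caller_info` earlier in the play instead.

```yaml
# … unchanged: stage creation, method include, WAF attach, deployment …

# _aws_account_id is expected to be set from amazon.aws.aws_caller_info earlier in the play
- name: Allow API Gateway to invoke the Lambda functions
  amazon.aws.lambda_policy:
    function_name: "API_{{ item.name }}"
    statement_id: "{{ item.name }}_apigw"
    action: "lambda:InvokeFunction"
    principal: apigateway.amazonaws.com
    source_arn: "arn:aws:execute-api:{{ _aws_region }}:{{ _aws_account_id }}:{{ _api_gate.id }}/*/{{ item.type }}/{{ item.name }}"
    region: "{{ _aws_region }}"
    state: present
  loop: "{{ aws_admin_tools.functions }}"
```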
@@ -0,0 +1,80 @@ +- name: Get resources + ansible.builtin.command: >- + aws apigateway get-resources + --rest-api-id "{{ _api_gate.id }}" + --region "{{ _aws_region }}" + register: _api_old_resource + +- name: Setting prevoius command output into variable + ansible.builtin.set_fact: + _api_old_resource: "{{ _api_old_resource.stdout | from_json }}" + +- name: Find the index of existing resource + ansible.builtin.set_fact: + _api_old_resource_index: "{{ lookup('ansible.utils.index_of', _api_old_resource['items'], 'eq', '/' + item.name, 'path', wantlist=True) }}" + +- name: Delete resource + ansible.builtin.command: >- + aws apigateway delete-resource + --rest-api-id "{{ _api_gate.id }}" + --resource-id "{{ _api_old_resource['items'][_api_old_resource_index[0]].id }}" + --region "{{ _aws_region }}" + register: _api_old_resource + when: _api_old_resource_index | length > 0 + +- name: Create resource on API gateway + ansible.builtin.command: >- + aws apigateway create-resource + --rest-api-id "{{ _api_gate.id }}" + --parent-id "{{ _api_res_list[_api_res_index_list[0]].id }}" + --path-part "{{ item.name }}" + --region "{{ _aws_region }}" + register: _api_resource + +- name: Setting prevoius command output into variable + ansible.builtin.set_fact: + _api_resource: "{{ _api_resource.stdout | from_json }}" + +- name: Put method on API gateway + ansible.builtin.command: >- + aws apigateway put-method + --rest-api-id "{{ _api_gate.id }}" + --resource-id "{{ _api_resource.id }}" + --http-method "{{ item.type }}" + --authorization-type "NONE" + --no-api-key-required + --region "{{ _aws_region }}" + +- name: Add Lambda for method. 
+ ansible.builtin.command: >- + aws apigateway put-integration + --rest-api-id "{{ _api_gate.id }}" + --resource-id "{{ _api_resource.id }}" + --http-method "{{ item.type }}" + --type AWS + --content-handling CONVERT_TO_TEXT + --request-templates '{ "application/json": "{\"statusCode\": 200}" }' + --integration-http-method POST + --uri "arn:aws:apigateway:{{ _aws_region }}:lambda:path/2015-03-31/functions/arn:aws:lambda:{{ _aws_region }}:444471199298:function:API_{{ item.name }}/invocations" + --region {{ _aws_region }} + +- name: Add method response + ansible.builtin.command: >- + aws apigateway put-method-response + --rest-api-id "{{ _api_gate.id }}" + --resource-id "{{ _api_resource.id }}" + --http-method "{{ item.type }}" + --status-code "200" + --response-models '{"application/json":"Empty"}' + --region {{ _aws_region }} + +- name: Add integration response + ansible.builtin.command: >- + aws apigateway put-integration-response + --rest-api-id "{{ _api_gate.id }}" + --resource-id "{{ _api_resource.id }}" + --http-method "{{ item.type }}" + --status-code "200" + --selection-pattern "" + --content-handling "CONVERT_TO_TEXT" + --region {{ _aws_region }} diff --git a/roles/aws/aws_admin_tools/tasks/create_mock.yml b/roles/aws/aws_admin_tools/tasks/create_mock.yml new file mode 100644 index 000000000..9f590784e --- /dev/null +++ b/roles/aws/aws_admin_tools/tasks/create_mock.yml 
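Review bot: `Put method on API gateway` creates every method with `--authorization-type "NONE"` and `--no-api-key-required`, so the POST `ChangeASGScaling` method, whose Lambda role is given `AmazonEC2FullAccess` in the defaults, is invokable by anyone who can reach the `prod` stage; the only gate is the WAF IP set attached in `create.yml`, and that is attached after `Deploy API gateway prior to attaching WAF` has already made the stage live. For state-changing admin functions set `--authorization-type "AWS_IAM"` (callers then sign requests with credentials that show up in CloudTrail) or a Lambda authorizer, and keep the WAF allowlist as defence in depth rather than the sole control. If `NONE` is deliberate, add a comment on that line such as `# no API-level auth: access relies entirely on the {{ _aws_profile }}_admin_tools WAF IP set`. The `--uri` also hard-codes account `444471199298`, which should come from the caller identity rather than the template.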
@@ -0,0 +1,42 @@ +- name: Create MOCK resource on API gateway + ansible.builtin.command: >- + aws apigateway create-resource + --rest-api-id "{{ _api_gate.id }}" + --parent-id "{{ _api_res_list[_api_res_index_list[0]].id }}" + --path-part "DelMe" + --region "{{ _aws_region }}" + register: _api_resource + +- name: Setting prevoius command output into variable + ansible.builtin.set_fact: + _api_resource: "{{ _api_resource.stdout | from_json }}" + +- name: Put method on API gateway + ansible.builtin.command: >- + aws apigateway put-method + --rest-api-id "{{ _api_gate.id }}" + --resource-id "{{ _api_resource.id }}" + --http-method "GET" + --authorization-type "NONE" + --no-api-key-required + --region "{{ _aws_region }}" + +- name: Add mock integration. + ansible.builtin.command: >- + aws apigateway put-integration + --rest-api-id "{{ _api_gate.id }}" + --resource-id "{{ _api_resource.id }}" + --http-method GET + --type MOCK + --region {{ _aws_region }} + +- name: Create initial deployent for API gateway + ansible.builtin.command: >- + aws apigateway create-deployment + --rest-api-id "{{ _api_gate.id }}" + --region "{{ _aws_region }}" + register: _main_api_deploy + +- name: Setting prevoius command output into variable + ansible.builtin.set_fact: + _main_api_deploy: "{{ _main_api_deploy.stdout | from_json }}" diff --git a/roles/aws/aws_admin_tools/tasks/lambda_functions.yml b/roles/aws/aws_admin_tools/tasks/lambda_functions.yml new file mode 100644 index 000000000..eb295660a --- /dev/null +++ b/roles/aws/aws_admin_tools/tasks/lambda_functions.yml 
@@ -0,0 +1,48 @@ +- name: Create S3 bucket for lambda functions + amazon.aws.s3_bucket: + name: "{{ _aws_profile }}-lambda-api-functions" + region: "{{ _aws_region }}" + state: present + +- name: Check and clean any previous python files + ansible.builtin.file: + path: "/tmp/{{ item.name }}.py" + state: absent + +- name: Write Lambda functions + ansible.builtin.template: + src: "API_{{ item.name }}.py.j2" + dest: "/tmp/API_{{ item.name }}.py" + +- name: Create a zip archive of Lambda functions + community.general.archive: + path: "/tmp/API_{{ item.name }}.py" + dest: "/tmp/API_{{ item.name }}.zip" + format: zip + +- name: Place Lambda functions in S3 bucket + amazon.aws.s3_object: + bucket: "{{ _aws_profile }}-lambda-api-functions" + object: "lambda-functions/API-{{ item.name }}.zip" + src: "/tmp/API_{{ item.name }}.zip" + mode: put + +- name: Get appropriate IAM role for Lambda + amazon.aws.iam_role_info: + name: "API_{{ item.name }}" + register: _iam_api_lambda + +- name: Create Lambda functions + amazon.aws.lambda: + name: "API_{{ item.name }}" + description: "Lambda function for {{ item.name }}" + region: "{{ _aws_region }}" + timeout: "{{ aws_admin_tools.timeout }}" + s3_bucket: "{{ _aws_profile }}-lambda-api-functions" + s3_key: "lambda-functions/API-{{ item.name }}.zip" + state: present + runtime: "{{ aws_admin_tools.runtime }}" + role: "{{ _iam_api_lambda.iam_roles[0].arn }}" + handler: "API_{{ item.name }}.lambda_handler" + tags: + Name: "API_{{ item.name }}" diff --git a/roles/aws/aws_admin_tools/tasks/lambda_iam.yml b/roles/aws/aws_admin_tools/tasks/lambda_iam.yml new file mode 100644 index 000000000..4b6e8e8c7 --- /dev/null +++ b/roles/aws/aws_admin_tools/tasks/lambda_iam.yml 
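Review bot: `Check and clean any previous python files` removes `/tmp/{{ item.name }}.py`, but the template writes `/tmp/API_{{ item.name }}.py`, so the cleanup never matches the file it is meant to clear (and the `.zip` is not cleaned at all); change it to `path: "/tmp/API_{{ item.name }}.py"` or drop the task, since `ansible.builtin.template` overwrites the destination anyway. Writing function source and archives to fixed names under the shared `/tmp` of the control host is a predictable-path hazard on multi-user machines; `ansible.builtin.tempfile` with `state: directory` gives a private scratch directory for the play. `amazon.aws.s3_bucket` is called with only `name`, `region` and `state`; consider setting `public_access` and `encryption` explicitly so the bucket holding deployable code does not depend on module defaults.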
@@ -0,0 +1,9 @@ +- name: Attach CloudWatch policy + ansible.builtin.set_fact: + _policies: "{{ item.policies + ['arn:aws:iam::aws:policy/CloudWatchLogsFullAccess'] }}" + +- name: Create a role and attach policies + amazon.aws.iam_role: + name: "API_{{ item.name }}" + assume_role_policy_document: "{{ lookup('template', 'trusted_entitites.j2') }}" + managed_policies: "{{ _policies }}" diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index af9e0b1b0..e52359619 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml 
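Review bot: `Attach CloudWatch policy` appends `arn:aws:iam::aws:policy/CloudWatchLogsFullAccess` to every function's role, which grants full read and write on all log groups in the account; the functions only need to create their own log stream and put events, which is exactly what `AWSLambdaBasicExecutionRole` provides. Change the line to `_policies: "{{ item.policies + ['arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'] }}"`. The task name describes a `set_fact`, not an attach; `Build policy list for Lambda role` would be accurate.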
@@ -1,81 +1,106 @@ -- name: List all API gateways +- name: List all API gateways. community.aws.api_gateway_info: region: "{{ _aws_region }}" - register: _api_gateways + register: _api_gate_list - name: Find the index of admin tools API ansible.builtin.set_fact: - _index_admin_api: "{{ lookup('ansible.utils.index_of', _api_gateways['rest_apis'], 'eq', _aws_profile + '_admin_tools', 'name', wantlist=True) }}" + _api_index: "{{ lookup('ansible.utils.index_of', _api_gate_list['rest_apis'], 'eq', _aws_profile + '_admin_tools', 'name', wantlist=True) }}" - name: Create API gateway - ansible.builtin.shell: > - aws apigateway create-rest-api \ - --region "{{ _aws_region }}" \ - --name "{{ _aws_profile }}_admin_tools" \ - --description "API for administration functions made automatically by ansible" \ + ansible.builtin.command: >- + aws apigateway create-rest-api + --region "{{ _aws_region }}" + --name "{{ _aws_profile }}_admin_tools" + --description "API for administration functions made automatically by ansible" --endpoint-configuration "{\"types\": [\"REGIONAL\"]}" - register: _api_gateway - when: _index_admin_api | length == 0 + register: _api_gate + when: _api_index | length == 0 -- name: Print return information from the previous task - ansible.builtin.debug: - var: _api_gateway +- name: Setting prevoius command output into variable + ansible.builtin.set_fact: + _api_gate: "{{ _api_gate.stdout | from_json }}" + when: _api_index | length == 0 + +- name: Setting _api_index if API already exists + ansible.builtin.set_fact: + _api_gate: "{{ _api_gate_list.rest_apis[_api_index[0]] }}" + when: _api_index | length > 0 - name: Get list of API gateway resources - ansible.builtin.shell: > - aws apigateway get-resources \ - --region "{{ _aws_region }}" \ - --rest-api-id "{{ _api_gateway['id'] }}" - register: _api_gateway_resources - when: _index_admin_api | length == 0 - -- name: Print return information from the previous task - ansible.builtin.debug: - var: 
_api_gateway_resources - -- name: Get index of main resource from API gateway + ansible.builtin.command: >- + aws apigateway get-resources + --region "{{ _aws_region }}" + --rest-api-id "{{ _api_gate.id }}" + register: _api_res_list + +- name: Setting prevoius command output into variable + ansible.builtin.set_fact: + _api_res_list: "{{ _api_res_list.stdout | from_json | json_query('items') }}" + +- name: Get index of / resource from API gateway ansible.builtin.set_fact: - _index_api_main_resource: "{{ lookup('ansible.utils.index_of', _api_gateway_resources['items'], 'eq', '/', 'path', wantlist=True) }}" - when: _index_admin_api | length == 0 - -- name: Print return information from the previous task - ansible.builtin.debug: - var: _index_api_main_resource - -- name: Get main resource from API gateway - ansible.builtin.shell: > - aws apigateway create-resource \ - --rest-api-id "{{ _api_gateways['rest_apis'][_index_admin_api[0]]['id'] }}" - --parent-id "{{ _api_gateway_resources['items'][_index_api_main_resource[0]]['id'] }}" - --path-part "GetBills" + _api_res_index_list: "{{ lookup('ansible.utils.index_of', _api_res_list, 'eq', '/', 'path', wantlist=True) }}" + +- name: Create MOCK deployment. 
+ ansible.builtin.include_tasks: create_mock.yml + when: _api_index | length == 0 + +- name: Get all deployments from API gateway + ansible.builtin.command: >- + aws apigateway get-deployments + --rest-api-id "{{ _api_gate.id }}" --region "{{ _aws_region }}" - register: _main_api_resource - when: _index_admin_api | length == 0 - -- name: Print return information from the previous task - ansible.builtin.debug: - var: _main_api_resource - -#- name: Setup AWS API Gateway setup on AWS and deploy API definition -# community.aws.api_gateway: -# name: "{{ _aws_profile }}_admin_tools" -# region: "{{ _aws_region }}" -# swagger_text: "{{ lookup('template', 'swag.json.j2') }}" -# stage: prod -# tracing_enabled: true -# endpoint_type: REGIONAL -# state: present -# when: _index_admin_api | length == 0 -# -#- name: Update API definitions and settings and deploy as canary -# community.aws.api_gateway: -# api_id: "{{ _api_gateways['rest_apis'][_index_admin_api[0]]['id'] }}" -# name: "{{ _aws_profile }}_admin_tools" -# deploy_desc: "API for administration functions made automatically by ansible" -# region: "{{ _aws_region }}" -# swagger_text: "{{ lookup('template', 'swag.json.j2') }}" -# stage: prod -# tracing_enabled: true -# endpoint_type: REGIONAL -# state: present -# when: _index_admin_api | length > 0 + register: _main_api_deploy + when: _api_index | length > 0 + +- name: Set prevoius command output into variable + ansible.builtin.set_fact: + _main_api_deploy_tmp: "{{ _main_api_deploy.stdout | from_json }}" + when: _api_index | length > 0 + +- name: Set prevoius command output into variable + ansible.builtin.set_fact: + _main_api_deploy: "{{ _main_api_deploy_tmp['items'] | last }}" + when: _api_index | length > 0 + +- name: Configure Lambda IAM policies. + ansible.builtin.include_tasks: lambda_iam.yml + loop: "{{ aws_admin_tools.functions }}" + +- name: Sleep for 5 seconds for IAM roles. + ansible.builtin.wait_for: + timeout: 5 + +- name: Configure Lambda functions. 
+ ansible.builtin.include_tasks: lambda_functions.yml + loop: "{{ aws_admin_tools.functions }}" + +- name: Create WAF for API Gateway + ansible.builtin.include_role: + name: aws/aws_acl + vars: + aws_acl: + - name: "{{ _aws_profile }}_admin_tools" + description: "ACL rules for API Gateway" + scope: REGIONAL + region: "{{ _aws_region }}" + tags: "{{ _aws_tags }}" + recreate: true + default_action: "Block" + rules: + ip_sets: + - rule_name: "{{ _aws_profile }}_admin_tools" + set_name: "{{ _aws_profile }}_admin_tools" + description: "List of IPs to allow using API - Ansible managed" + action: allow + priority: 1 + list: "{{ aws_admin_tools.allowed_ips }}" + +- name: Create API Gateway. + ansible.builtin.include_tasks: create.yml + when: _api_index | length == 0 + +- name: Update API Gateway. + ansible.builtin.include_tasks: create.yml + when: _api_index | length > 0 diff --git a/roles/aws/aws_admin_tools/tasks/update.yml b/roles/aws/aws_admin_tools/tasks/update.yml new file mode 100644 index 000000000..fdace500a --- /dev/null +++ b/roles/aws/aws_admin_tools/tasks/update.yml @@ -0,0 +1,4 @@ +- name: Setting _api_gate if API already exists + ansible.builtin.set_fact: + _api_gate: "{{ _api_gate_list.rest_apis[_api_index[0]] }}" + when: _api_index | length > 0 diff --git a/roles/aws/aws_admin_tools/templates/API_ChangeASGScaling.py.j2 b/roles/aws/aws_admin_tools/templates/API_ChangeASGScaling.py.j2 new file mode 100644 index 000000000..6bed7668b --- /dev/null +++ b/roles/aws/aws_admin_tools/templates/API_ChangeASGScaling.py.j2 
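Review bot: `Sleep for 5 seconds for IAM roles.` relies on a fixed delay for the newly created role to become usable by Lambda, which is not guaranteed; when propagation is slower, `amazon.aws.lambda` in `lambda_functions.yml` fails on the first run. Add `register`, `until`, `retries` and `delay` on that create task instead of the sleep. `Create API Gateway.` and `Update API Gateway.` both include `create.yml` under complementary `when` conditions, so one unconditional include does the same; `update.yml`, added in this commit, is never included and duplicates `Setting _api_index if API already exists` (which sets `_api_gate`, so that task name is misleading). `recreate: true` on the WAF include tears the ACL down and rebuilds it on every run, which, depending on how `aws_acl` implements it, may leave the API briefly without its IP allowlist.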
@@ -0,0 +1,39 @@ +import json +import calendar +from datetime import datetime +import boto3 + +costExpl = boto3.client('ce') + +def lambda_handler(event, context): + currDay=datetime.now().day + currMonth=datetime.now().month + print(currMonth) + currYear=datetime.now().year + print(currYear) + lastDay=calendar.monthrange(currYear, currMonth) + + if currMonth < 10: + currMonth = '0' + str(currMonth) + nextDay = currDay + 1 + if currDay < 10: + currDay = '0' + str(currDay) + if nextDay < 10: + nextDay = '0' + str(nextDay) + + startDate=str(currYear) + '-' + str(currMonth) + '-' + str(currDay) + endDate=str(currYear) + '-' + str(currMonth) + '-' + str(nextDay) + + estimatedCost = costExpl.get_cost_forecast( + TimePeriod={ + 'Start': startDate, + 'End': endDate + }, + Granularity='MONTHLY', + Metric='BLENDED_COST' + ) + return { + 'statusCode': 200, + 'Amount': estimatedCost['Total']['Amount'] + ' ' + estimatedCost['Total']['Unit'], + 'Between': estimatedCost['ForecastResultsByTime'][0]['TimePeriod']['Start'] + ' - ' + estimatedCost['ForecastResultsByTime'][0]['TimePeriod']['End'] + } diff --git a/roles/aws/aws_admin_tools/templates/API_GetForecastedCosts.py.j2 b/roles/aws/aws_admin_tools/templates/API_GetForecastedCosts.py.j2 new file mode 100644 index 000000000..6bed7668b --- /dev/null +++ b/roles/aws/aws_admin_tools/templates/API_GetForecastedCosts.py.j2 
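Review bot: The handler shipped as `API_ChangeASGScaling.py.j2` is a verbatim copy of the cost-forecast handler (same blob id `6bed7668b` as the next file), so the `ChangeASGScaling` POST route declared in the role defaults returns a Cost Explorer forecast and never touches an Auto Scaling group. If this is a placeholder, it should say so at the top of the template, e.g. `# TODO(review): placeholder copied from API_GetForecastedCosts — no ASG logic yet`, and the function is better left out of `aws_admin_tools.functions` until it does what its name and attached policies imply. As it stands the endpoint also inherits the copy's defects: `nextDay = currDay + 1` rolls past the last day of a month, and `lastDay` is computed but never used.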
@@ -0,0 +1,39 @@ +import json +import calendar +from datetime import datetime +import boto3 + +costExpl = boto3.client('ce') + +def lambda_handler(event, context): + currDay=datetime.now().day + currMonth=datetime.now().month + print(currMonth) + currYear=datetime.now().year + print(currYear) + lastDay=calendar.monthrange(currYear, currMonth) + + if currMonth < 10: + currMonth = '0' + str(currMonth) + nextDay = currDay + 1 + if currDay < 10: + currDay = '0' + str(currDay) + if nextDay < 10: + nextDay = '0' + str(nextDay) + + startDate=str(currYear) + '-' + str(currMonth) + '-' + str(currDay) + endDate=str(currYear) + '-' + str(currMonth) + '-' + str(nextDay) + + estimatedCost = costExpl.get_cost_forecast( + TimePeriod={ + 'Start': startDate, + 'End': endDate + }, + Granularity='MONTHLY', + Metric='BLENDED_COST' + ) + return { + 'statusCode': 200, + 'Amount': estimatedCost['Total']['Amount'] + ' ' + estimatedCost['Total']['Unit'], + 'Between': estimatedCost['ForecastResultsByTime'][0]['TimePeriod']['Start'] + ' - ' + estimatedCost['ForecastResultsByTime'][0]['TimePeriod']['End'] + } diff --git a/roles/aws/aws_admin_tools/templates/API_GetListOfEC2.py.j2 b/roles/aws/aws_admin_tools/templates/API_GetListOfEC2.py.j2 new file mode 100644 index 000000000..cc6253de3 --- /dev/null +++ b/roles/aws/aws_admin_tools/templates/API_GetListOfEC2.py.j2 
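Review bot: The end date is assembled by hand as `currDay + 1`, so on the last day of any month `endDate` becomes e.g. `2025-03-32` and `get_cost_forecast` rejects the TimePeriod; `lastDay` from `calendar.monthrange` is computed but never consulted. Replacing the zero-padding branches with `from datetime import date, timedelta`, `today = date.today()` and `startDate, endDate = today.isoformat(), (today + timedelta(days=1)).isoformat()` handles month and year rollover in one place. `datetime.now()` inside Lambda is UTC, which may not line up with the account's billing day — worth a one-line comment — and the two bare `print(...)` calls only add noise to CloudWatch logs.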
@@ -0,0 +1,49 @@ +import json +import boto3 + +# Defining Clients +ec2_cli = boto3.client("ec2", region_name="{{ _aws_region }}") + +def lambda_handler(event, context): + + print("Gathering instance details.") + ec2_instances=ec2_cli.describe_instances() + + instance_exist = False + Ec2_info_list=[] + + for reservation in ec2_instances["Reservations"]: + for instance in reservation["Instances"]: + pub_ip = "" + priv_ip = "" + inst_name = "" + + if "PublicIpAddress" in instance: + pub_ip = instance['PublicIpAddress'] + else: + pub_ip = "-" + if "PrivateIpAddress" in instance: + priv_ip = instance['PrivateIpAddress'] + else: + priv_ip = "-" + + if "Tags" in instance: + for name in instance['Tags']: + if name['Key'] == 'Name': + inst_name = name['Value'] + else: + inst_name = "-" + + new_dict={ + 'EC2 name': inst_name, + 'State': instance['State'], + 'Public IP': pub_ip, + 'Private IP': priv_ip, + 'Instance type': instance['InstanceType'] + } + Ec2_info_list.append(new_dict) + + return { + 'statusCode': 200, + 'EC2 info': Ec2_info_list + } diff --git a/roles/aws/aws_admin_tools/templates/API_tmp.j2 b/roles/aws/aws_admin_tools/templates/API_tmp.j2 new file mode 100644 index 000000000..83608d358 --- /dev/null +++ b/roles/aws/aws_admin_tools/templates/API_tmp.j2 @@ -0,0 +1,8 @@ +import json + +def lambda_handler(event, context): + + return { + 'statusCode': 200, + 'body': "Yey" + } diff --git a/roles/aws/aws_admin_tools/templates/trusted_entitites.j2 b/roles/aws/aws_admin_tools/templates/trusted_entitites.j2 new file mode 100644 index 000000000..fb84ae9de --- /dev/null +++ b/roles/aws/aws_admin_tools/templates/trusted_entitites.j2 @@ -0,0 +1,12 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] +} diff --git a/roles/aws/aws_ec2_with_eip/tasks/main.yml b/roles/aws/aws_ec2_with_eip/tasks/main.yml index fea2c4ecb..8e0e5be7b 100644 
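Review bot: The `else: inst_name = "-"` in the tag section is ambiguous in this view because the indentation is lost: if it pairs with the inner `if name['Key'] == 'Name'` the name is clobbered back to `"-"` whenever another tag follows the Name tag, and if it pairs with `if "Tags" in instance` an instance that has tags but no Name tag is reported as `""` rather than `"-"`. Either way, `inst_name = next((t['Value'] for t in instance.get('Tags', []) if t['Key'] == 'Name'), "-")` is correct and removes the branch; `instance_exist` is assigned and never read. This endpoint returns the public and private IPs and type of every instance in the region with no check of its own on the caller, so a header comment should say so, e.g. `# NOTE: exposes the full EC2 inventory; only the WAF IP allow-list attached to the API stage restricts who can call this`.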
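Review bot: The trust policy lets `lambda.amazonaws.com` assume these roles on behalf of a function in any account, which is the cross-service confused-deputy case AWS documents for Lambda execution roles. Adding `"Condition": { "StringEquals": { "aws:SourceAccount": "{{ _acc_id }}" } }` next to `"Action": "sts:AssumeRole"` pins the trust to this account; in the admin-tools role `_acc_id` is set in tasks/main.yml before lambda_iam.yml renders this template, so the variable is available. The file name carries a typo (`entitites`) that is now referenced from the task file too, so renaming it later will need both sides changed.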
--- a/roles/aws/aws_ec2_with_eip/tasks/main.yml +++ b/roles/aws/aws_ec2_with_eip/tasks/main.yml @@ -163,23 +163,12 @@ tag:Name: "{{ aws_ec2_with_eip.instance_name }}" register: _aws_ec2_with_eip_instances_eip -- name: Generate Terraform template. - ansible.builtin.template: - src: eip.tf.j2 - dest: "{{ _ce_provision_build_tmp_dir }}/main.tf" - mode: "0666" - when: not _aws_ec2_with_eip_instances_eip.addresses - -- name: Init Terraform. - ansible.builtin.command: - cmd: terraform init - chdir: "{{ _ce_provision_build_tmp_dir }}" - when: not _aws_ec2_with_eip_instances_eip.addresses - -- name: Create EIP with Terraform if we don't have one. - ansible.builtin.command: - cmd: terraform apply -auto-approve - chdir: "{{ _ce_provision_build_tmp_dir }}" +- name: allocate a new elastic IP inside a VPC + amazon.aws.ec2_eip: + region: "{{ aws_ec2_with_eip.region }}" + in_vpc: true + tag_name: "Name" + tag_value: "{{ aws_ec2_with_eip.instance_name }}" when: not _aws_ec2_with_eip_instances_eip.addresses - name: Re-register EIP. From cc2d378d363f598e8109275103c5abddcc59699b Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 12 Mar 2025 17:57:08 +0100 Subject: [PATCH 39/47] New-admin-tools-role-2 --- .../aws_admin_tools/templates/swag.json.j2 | 45 ------------------- 1 file changed, 45 deletions(-) delete mode 100644 roles/aws/aws_admin_tools/templates/swag.json.j2 diff --git a/roles/aws/aws_admin_tools/templates/swag.json.j2 b/roles/aws/aws_admin_tools/templates/swag.json.j2 deleted file mode 100644 index ccf6963b0..000000000 --- a/roles/aws/aws_admin_tools/templates/swag.json.j2 +++ /dev/null 
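Review bot: As far as I recall the `amazon.aws.ec2_eip` docs, `tag_name`/`tag_value` are the filter used to find an existing address when `reuse_existing_ip_allowed` is set, not tags written to a newly allocated one — so the EIP this task creates would carry no `Name` tag and the `tag:Name` filter in the context line above would still miss it on the next run, allocating a fresh address each time. If that is right, the allocation should pass `tags: {Name: "{{ aws_ec2_with_eip.instance_name }}"}` (and `register: _aws_ec2_with_eip_new_eip` so the result is usable without another describe). Replacing the Terraform init/apply with a native module also removes a network fetch of providers from the provisioning path; that is worth a line in the commit message.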
@@ -1,45 +0,0 @@ -{ - "swagger" : "2.0", - "info" : { - "description" : "API for administration functions made automatically by ansible", - "title" : "dummy_admin_tools" - }, - "basePath" : "/prod", - "schemes" : [ "https" ], - "paths" : { - {% for funct in ['GetMonthForecast', 'EnableDisableAutoscaling', 'Test'] %} - "/{{ funct }}" : { - "get" : { - "produces" : [ "application/json" ], - "responses" : { - "200" : { - "description" : "200 response", - "schema" : { - "$ref" : "#/definitions/Empty" - } - } - }, - "x-amazon-apigateway-integration" : { - "type" : "aws", - "httpMethod" : "POST", - "uri" : "arn:aws:apigateway:eu-west-1:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-1:444471199298:function:getBilling/invocations", - "responses" : { - "default" : { - "statusCode" : "200" - } - }, - "passthroughBehavior" : "when_no_match", - "timeoutInMillis" : 29000, - "contentHandling" : "CONVERT_TO_TEXT" - } - } - }, - {% endfor %} - }, - "definitions" : { - "Empty" : { - "type" : "object", - "title" : "Empty Schema" - } - } -} From b9f256bb32748abe379d41111d47242eed2cf099 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 12 Mar 2025 18:06:44 +0100 Subject: [PATCH 40/47] New-admin-tools-role-3 --- roles/aws/aws_admin_tools/tasks/create.yml | 2 +- roles/aws/aws_admin_tools/tasks/create_methods.yml | 2 +- roles/aws/aws_admin_tools/tasks/main.yml | 13 ++++++++++++- roles/aws/aws_admin_tools/tasks/update.yml | 4 ---- 4 files changed, 14 insertions(+), 7 deletions(-) delete mode 100644 roles/aws/aws_admin_tools/tasks/update.yml diff --git a/roles/aws/aws_admin_tools/tasks/create.yml b/roles/aws/aws_admin_tools/tasks/create.yml index 35c993285..f6ccef783 100644 --- a/roles/aws/aws_admin_tools/tasks/create.yml +++ b/roles/aws/aws_admin_tools/tasks/create.yml 
@@ -69,6 +69,6 @@ --statement-id "{{ item.name }}_{{ _rand_str }}" --action "lambda:InvokeFunction" --principal apigateway.amazonaws.com - --source-arn arn:aws:execute-api:{{ _aws_region }}:444471199298:{{ _api_gate.id }}/*/{{ item.type }}/{{ item.name }} + --source-arn arn:aws:execute-api:{{ _aws_region }}:{{ _acc_id }}:{{ _api_gate.id }}/*/{{ item.type }}/{{ item.name }} --region {{ _aws_region }} loop: "{{ aws_admin_tools.functions }}" diff --git a/roles/aws/aws_admin_tools/tasks/create_methods.yml b/roles/aws/aws_admin_tools/tasks/create_methods.yml index 915c94c1a..d1658426e 100644 --- a/roles/aws/aws_admin_tools/tasks/create_methods.yml +++ b/roles/aws/aws_admin_tools/tasks/create_methods.yml @@ -55,7 +55,7 @@ --content-handling CONVERT_TO_TEXT --request-templates '{ "application/json": "{\"statusCode\": 200}" }' --integration-http-method POST - --uri "arn:aws:apigateway:{{ _aws_region }}:lambda:path/2015-03-31/functions/arn:aws:lambda:{{ _aws_region }}:444471199298:function:API_{{ item.name }}/invocations" + --uri "arn:aws:apigateway:{{ _aws_region }}:lambda:path/2015-03-31/functions/arn:aws:lambda:{{ _aws_region }}:{{ _acc_id }}:function:API_{{ item.name }}/invocations" --region {{ _aws_region }} - name: Add method response diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index e52359619..6b3614af2 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml @@ -1,4 +1,15 @@ -- name: List all API gateways. +- name: Create API gateway + ansible.builtin.command: >- + aws sts get-caller-identity + --query Account + --output text + register: _acc_id + +- name: Setting prevoius command output into variable + ansible.builtin.set_fact: + _acc_id: "{{ _acc_id.stdout | from_json }}" + + - name: List all API gateways. community.aws.api_gateway_info: region: "{{ _aws_region }}" register: _api_gate_list 
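Review bot: `aws lambda add-permission` runs with a fresh random `--statement-id` (`{{ item.name }}_{{ _rand_str }}`) on every play, so each run appends another identical statement to every function's resource policy; nothing removes them and the policy will eventually exceed Lambda's resource-policy size limit. A fixed id such as `--statement-id "apigw-{{ _api_gate.id }}-{{ item.type }}-{{ item.name }}"` together with a `failed_when` that tolerates the `ResourceConflictException` the CLI returns when the statement already exists keeps the task idempotent; calling `remove-permission` for the same id first is the alternative. Templating the account id into `--source-arn` is the right fix — the hard-coded id would have scoped the invoke permission to a gateway in another account wherever this role was reused.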
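Review bot: `aws sts get-caller-identity --query Account --output text` prints the account id as a bare 12-digit string, and running that through `from_json` turns it into a JSON number — and fails outright for account ids with a leading zero, which JSON does not allow. `_acc_id: "{{ _acc_id.stdout | trim }}"` is sufficient, or better, replace the shell-out with `amazon.aws.aws_caller_info` registered as `_caller` and `_acc_id: "{{ _caller.account }}"`, which also follows the same credential handling as the other `amazon.aws` tasks in this file. Registering `_acc_id` and then `set_fact` on the same name works only because facts outrank registered variables; a distinct name for the raw result would be clearer, and the task name "Create API gateway" describes a task that creates nothing.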
diff --git a/roles/aws/aws_admin_tools/tasks/update.yml b/roles/aws/aws_admin_tools/tasks/update.yml deleted file mode 100644 index fdace500a..000000000 --- a/roles/aws/aws_admin_tools/tasks/update.yml +++ /dev/null @@ -1,4 +0,0 @@ -- name: Setting _api_gate if API already exists - ansible.builtin.set_fact: - _api_gate: "{{ _api_gate_list.rest_apis[_api_index[0]] }}" - when: _api_index | length > 0 From af20fa562cc7848f571227a97edad9dd0376a3c5 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 12 Mar 2025 18:09:24 +0100 Subject: [PATCH 41/47] New-admin-tools-role-4 --- roles/aws/aws_admin_tools/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index 6b3614af2..b13abbb83 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml @@ -1,3 +1,4 @@ +--- - name: Create API gateway ansible.builtin.command: >- aws sts get-caller-identity From 6bd86e05ea3e60b50858f2dd1099d1f3bb0bc3f3 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 12 Mar 2025 19:15:33 +0100 Subject: [PATCH 42/47] New-admin-tools-role --- roles/aws/aws_admin_tools/defaults/main.yml | 5 ++- roles/aws/aws_admin_tools/tasks/create.yml | 20 +++++------ .../aws_admin_tools/tasks/create_methods.yml | 16 ++++----- .../aws/aws_admin_tools/tasks/create_mock.yml | 10 +++--- .../tasks/lambda_functions.yml | 14 ++++---- .../aws/aws_admin_tools/tasks/lambda_iam.yml | 4 +-- roles/aws/aws_admin_tools/tasks/main.yml | 35 ++++++++----------- roles/aws/aws_ec2_with_eip/tasks/main.yml | 2 +- roles/aws/aws_sg_iptables/tasks/main.yml | 4 +-- 9 files changed, 52 insertions(+), 58 deletions(-) diff --git a/roles/aws/aws_admin_tools/defaults/main.yml b/roles/aws/aws_admin_tools/defaults/main.yml index 32db74918..10c07da2f 100644 --- a/roles/aws/aws_admin_tools/defaults/main.yml +++ b/roles/aws/aws_admin_tools/defaults/main.yml 
@@ -2,13 +2,12 @@ aws_admin_tools: runtime: "python3.12" timeout: 20 allowed_ips: - - 188.129.46.157/32 - - 3.11.82.252/32 + - 192.168.1.1/32 # Ip of server with access to API-s functions: - name: "GetForecastedCosts" type: GET policies: - - arn:aws:iam::444471199298:policy/CEBillingPolicy + - "arn:aws:iam::{{ _acc_id }}:policy/CEBillingPolicy" # Custom policy - name: "ChangeASGScaling" type: POST policies: diff --git a/roles/aws/aws_admin_tools/tasks/create.yml b/roles/aws/aws_admin_tools/tasks/create.yml index f6ccef783..45b72a3ca 100644 --- a/roles/aws/aws_admin_tools/tasks/create.yml +++ b/roles/aws/aws_admin_tools/tasks/create.yml @@ -1,4 +1,4 @@ -- name: Create stage on API gateway +- name: Create stage on API gateway. ansible.builtin.command: >- aws apigateway create-stage --rest-api-id "{{ _api_gate.id }}" 
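Review bot: `GetForecastedCosts` now references `arn:aws:iam::{{ _acc_id }}:policy/CEBillingPolicy`, a customer-managed policy nothing in this role creates, so the `iam_role` task will fail with NoSuchEntity in any account where it has not been made by hand; the default also depends on `_acc_id`, a fact the role sets at run time, which only works because Ansible resolves defaults lazily. Since the handler calls nothing but `ce:GetCostForecast`, an inline policy in the function entry (`Action: ce:GetCostForecast`, `Resource: "*"`) would be self-contained and narrower than any shared billing policy. `192.168.1.1/32` is a sane placeholder for the WAF allow list, but the comment should say it must be overridden: `# Override per deployment: only these CIDRs reach the admin API (WAF default action is Block)`.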
@@ -12,30 +12,30 @@ ansible.builtin.include_tasks: create_methods.yml loop: "{{ aws_admin_tools.functions }}" -- name: Obtain all information for a single WAF +- name: Obtain all information for a single WAF. community.aws.wafv2_web_acl_info: name: "{{ _aws_profile }}_admin_tools" scope: "REGIONAL" region: "{{ _aws_region }}" register: _main_waf -- name: Get list of API gateway resources +- name: Get list of API gateway resources. ansible.builtin.command: >- aws apigateway get-resources --region "{{ _aws_region }}" --rest-api-id "{{ _api_gate.id }}" register: _api_res_list -- name: Setting prevoius command output into variable +- name: Setting previous command output into variable. ansible.builtin.set_fact: _api_res_list: "{{ _api_res_list.stdout | from_json | json_query('items') }}" -- name: Get index of DelMe resource from API gateway +- name: Get index of DelMe resource from API gateway. ansible.builtin.set_fact: _api_res_index_list: "{{ lookup('ansible.utils.index_of', _api_res_list, 'eq', '/DelMe', 'path', wantlist=True) }}" when: _api_index | length == 0 -- name: Delete the initial resource +- name: Delete the initial resource. ansible.builtin.command: >- aws apigateway delete-resource --rest-api-id "{{ _api_gate.id }}" @@ -43,14 +43,14 @@ --region "{{ _aws_region }}" when: _api_index | length == 0 -- name: Deploy API gateway prior to attaching WAF +- name: Deploy API gateway prior to attaching WAF. ansible.builtin.command: >- aws apigateway create-deployment --rest-api-id "{{ _api_gate.id }}" --stage-name "prod" --region "{{ _aws_region }}" -- name: Add API gateway to waf +- name: Add API gateway to waf. community.aws.wafv2_resources: name: "{{ _aws_profile }}_admin_tools" scope: REGIONAL 
@@ -58,11 +58,11 @@ region: "{{ _aws_region }}" arn: "arn:aws:apigateway:{{ _aws_region }}::/restapis/{{ _api_gate.id }}/stages/prod" -- name: Generate unique string +- name: Generate unique string. ansible.builtin.set_fact: _rand_str: "{{ lookup('community.general.random_string', length=8, special=false, min_lower=2, min_numeric=2, min_upper=2) }}" -- name: Update Lambda triggers +- name: Update Lambda triggers. ansible.builtin.command: >- aws lambda add-permission --function-name "API_{{ item.name }}" diff --git a/roles/aws/aws_admin_tools/tasks/create_methods.yml b/roles/aws/aws_admin_tools/tasks/create_methods.yml index d1658426e..481dc152c 100644 --- a/roles/aws/aws_admin_tools/tasks/create_methods.yml +++ b/roles/aws/aws_admin_tools/tasks/create_methods.yml @@ -1,19 +1,19 @@ -- name: Get resources +- name: Get resources. ansible.builtin.command: >- aws apigateway get-resources --rest-api-id "{{ _api_gate.id }}" --region "{{ _aws_region }}" register: _api_old_resource -- name: Setting prevoius command output into variable +- name: Setting prevoius command output into variable. ansible.builtin.set_fact: _api_old_resource: "{{ _api_old_resource.stdout | from_json }}" -- name: Find the index of existing resource +- name: Find the index of existing resource. ansible.builtin.set_fact: _api_old_resource_index: "{{ lookup('ansible.utils.index_of', _api_old_resource['items'], 'eq', '/' + item.name, 'path', wantlist=True) }}" -- name: Delete resource +- name: Delete resource. ansible.builtin.command: >- aws apigateway delete-resource --rest-api-id "{{ _api_gate.id }}" @@ -22,7 +22,7 @@ register: _api_old_resource when: _api_old_resource_index | length > 0 -- name: Create resource on API gateway +- name: Create resource on API gateway. ansible.builtin.command: >- aws apigateway create-resource --rest-api-id "{{ _api_gate.id }}" 
@@ -31,7 +31,7 @@ --region "{{ _aws_region }}" register: _api_resource -- name: Setting prevoius command output into variable +- name: Setting prevoius command output into variable. ansible.builtin.set_fact: _api_resource: "{{ _api_resource.stdout | from_json }}" @@ -58,7 +58,7 @@ --uri "arn:aws:apigateway:{{ _aws_region }}:lambda:path/2015-03-31/functions/arn:aws:lambda:{{ _aws_region }}:{{ _acc_id }}:function:API_{{ item.name }}/invocations" --region {{ _aws_region }} -- name: Add method response +- name: Add method response. ansible.builtin.command: >- aws apigateway put-method-response --rest-api-id "{{ _api_gate.id }}" @@ -68,7 +68,7 @@ --response-models '{"application/json":"Empty"}' --region {{ _aws_region }} -- name: Add integration response +- name: Add integration response. ansible.builtin.command: >- aws apigateway put-integration-response --rest-api-id "{{ _api_gate.id }}" diff --git a/roles/aws/aws_admin_tools/tasks/create_mock.yml b/roles/aws/aws_admin_tools/tasks/create_mock.yml index 9f590784e..e55bf8280 100644 --- a/roles/aws/aws_admin_tools/tasks/create_mock.yml +++ b/roles/aws/aws_admin_tools/tasks/create_mock.yml @@ -1,4 +1,4 @@ -- name: Create MOCK resource on API gateway +- name: Create MOCK resource on API gateway. ansible.builtin.command: >- aws apigateway create-resource --rest-api-id "{{ _api_gate.id }}" @@ -7,11 +7,11 @@ --region "{{ _aws_region }}" register: _api_resource -- name: Setting prevoius command output into variable +- name: Setting previous command output into variable. ansible.builtin.set_fact: _api_resource: "{{ _api_resource.stdout | from_json }}" -- name: Put method on API gateway +- name: Put method on API gateway. ansible.builtin.command: >- aws apigateway put-method --rest-api-id "{{ _api_gate.id }}" 
@@ -30,13 +30,13 @@ --type MOCK --region {{ _aws_region }} -- name: Create initial deployent for API gateway +- name: Create initial deployent for API gateway. ansible.builtin.command: >- aws apigateway create-deployment --rest-api-id "{{ _api_gate.id }}" --region "{{ _aws_region }}" register: _main_api_deploy -- name: Setting prevoius command output into variable +- name: Setting previous command output into variable. ansible.builtin.set_fact: _main_api_deploy: "{{ _main_api_deploy.stdout | from_json }}" diff --git a/roles/aws/aws_admin_tools/tasks/lambda_functions.yml b/roles/aws/aws_admin_tools/tasks/lambda_functions.yml index eb295660a..0297d3279 100644 --- a/roles/aws/aws_admin_tools/tasks/lambda_functions.yml +++ b/roles/aws/aws_admin_tools/tasks/lambda_functions.yml 
@@ -1,38 +1,38 @@ -- name: Create S3 bucket for lambda functions +- name: Create S3 bucket for lambda functions. amazon.aws.s3_bucket: name: "{{ _aws_profile }}-lambda-api-functions" region: "{{ _aws_region }}" state: present -- name: Check and clean any previous python files +- name: Check and clean any previous python files. ansible.builtin.file: path: "/tmp/{{ item.name }}.py" state: absent -- name: Write Lambda functions +- name: Write Lambda functions. ansible.builtin.template: src: "API_{{ item.name }}.py.j2" dest: "/tmp/API_{{ item.name }}.py" -- name: Create a zip archive of Lambda functions +- name: Create a zip archive of Lambda functions. community.general.archive: path: "/tmp/API_{{ item.name }}.py" dest: "/tmp/API_{{ item.name }}.zip" format: zip -- name: Place Lambda functions in S3 bucket +- name: Place Lambda functions in S3 bucket. amazon.aws.s3_object: bucket: "{{ _aws_profile }}-lambda-api-functions" object: "lambda-functions/API-{{ item.name }}.zip" src: "/tmp/API_{{ item.name }}.zip" mode: put -- name: Get appropriate IAM role for Lambda +- name: Get appropriate IAM role for Lambda. amazon.aws.iam_role_info: name: "API_{{ item.name }}" register: _iam_api_lambda -- name: Create Lambda functions +- name: Create Lambda functions. amazon.aws.lambda: name: "API_{{ item.name }}" description: "Lambda function for {{ item.name }}" diff --git a/roles/aws/aws_admin_tools/tasks/lambda_iam.yml b/roles/aws/aws_admin_tools/tasks/lambda_iam.yml index 4b6e8e8c7..f5ac58341 100644 --- a/roles/aws/aws_admin_tools/tasks/lambda_iam.yml +++ b/roles/aws/aws_admin_tools/tasks/lambda_iam.yml 
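Review bot: The cleanup task removes `/tmp/{{ item.name }}.py` while the template two tasks later writes `/tmp/API_{{ item.name }}.py`, so the "clean any previous python files" step never matches the file it is meant to clear; this predates the commit, but the hunk renames exactly that task, and `path: "/tmp/API_{{ item.name }}.py"` fixes it. Writing Lambda source and zip to fixed, predictable names in the controller's shared `/tmp` is also a symlink/tamper risk on multi-user hosts — `ansible.builtin.tempfile`, or the `{{ _ce_provision_build_tmp_dir }}` this series uses elsewhere, with `mode: "0600"` avoids it. The function bucket is created with only `name`/`region`/`state`; since it holds deployable code, `encryption: AES256`, `versioning: true` and the `public_access` block settings are worth stating explicitly instead of relying on account defaults.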
@@ -1,8 +1,8 @@ -- name: Attach CloudWatch policy +- name: Attach CloudWatch policy. ansible.builtin.set_fact: _policies: "{{ item.policies + ['arn:aws:iam::aws:policy/CloudWatchLogsFullAccess'] }}" -- name: Create a role and attach policies +- name: Create a role and attach policies. amazon.aws.iam_role: name: "API_{{ item.name }}" assume_role_policy_document: "{{ lookup('template', 'trusted_entitites.j2') }}" diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index b13abbb83..12da52204 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml @@ -1,25 +1,25 @@ --- -- name: Create API gateway +- name: Create API gateway. ansible.builtin.command: >- aws sts get-caller-identity --query Account --output text register: _acc_id -- name: Setting prevoius command output into variable +- name: Setting previous command output into variable. ansible.builtin.set_fact: _acc_id: "{{ _acc_id.stdout | from_json }}" - - name: List all API gateways. +- name: List all API gateways. community.aws.api_gateway_info: region: "{{ _aws_region }}" register: _api_gate_list -- name: Find the index of admin tools API +- name: Find the index of admin tools API. ansible.builtin.set_fact: _api_index: "{{ lookup('ansible.utils.index_of', _api_gate_list['rest_apis'], 'eq', _aws_profile + '_admin_tools', 'name', wantlist=True) }}" -- name: Create API gateway +- name: Create API gateway. ansible.builtin.command: >- aws apigateway create-rest-api --region "{{ _aws_region }}" 
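Review bot: Every API Lambda role gets `arn:aws:iam::aws:policy/CloudWatchLogsFullAccess` appended, which allows reading, writing and deleting every log group in the account; what an execution role needs is `arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole` (CreateLogGroup, CreateLogStream, PutLogEvents). The swap is one line, `_policies: "{{ item.policies + ['arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'] }}"`, and the task name could describe the effect: `- name: Append the Lambda logging policy to the function's policy list.`. The trust document comes from `trusted_entitites.j2` with no account condition, so a confused-deputy restriction belongs in that template rather than here.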
@@ -29,28 +29,28 @@ register: _api_gate when: _api_index | length == 0 -- name: Setting prevoius command output into variable +- name: Setting previous command output into variable. ansible.builtin.set_fact: _api_gate: "{{ _api_gate.stdout | from_json }}" when: _api_index | length == 0 -- name: Setting _api_index if API already exists +- name: Setting _api_index if API already exists. ansible.builtin.set_fact: _api_gate: "{{ _api_gate_list.rest_apis[_api_index[0]] }}" when: _api_index | length > 0 -- name: Get list of API gateway resources +- name: Get list of API gateway resources. ansible.builtin.command: >- aws apigateway get-resources --region "{{ _aws_region }}" --rest-api-id "{{ _api_gate.id }}" register: _api_res_list -- name: Setting prevoius command output into variable +- name: Setting previous command output into variable. ansible.builtin.set_fact: _api_res_list: "{{ _api_res_list.stdout | from_json | json_query('items') }}" -- name: Get index of / resource from API gateway +- name: Get index of / resource from API gateway. ansible.builtin.set_fact: _api_res_index_list: "{{ lookup('ansible.utils.index_of', _api_res_list, 'eq', '/', 'path', wantlist=True) }}" @@ -58,7 +58,7 @@ ansible.builtin.include_tasks: create_mock.yml when: _api_index | length == 0 -- name: Get all deployments from API gateway +- name: Get all deployments from API gateway. ansible.builtin.command: >- aws apigateway get-deployments --rest-api-id "{{ _api_gate.id }}" @@ -66,12 +66,12 @@ register: _main_api_deploy when: _api_index | length > 0 -- name: Set prevoius command output into variable +- name: Set previous command output into variable. ansible.builtin.set_fact: _main_api_deploy_tmp: "{{ _main_api_deploy.stdout | from_json }}" when: _api_index | length > 0 -- name: Set prevoius command output into variable +- name: Get last item from deployment list. ansible.builtin.set_fact: _main_api_deploy: "{{ _main_api_deploy_tmp['items'] | last }}" when: _api_index | length > 0 
@@ -88,7 +88,7 @@ ansible.builtin.include_tasks: lambda_functions.yml loop: "{{ aws_admin_tools.functions }}" -- name: Create WAF for API Gateway +- name: Create WAF for API Gateway. ansible.builtin.include_role: name: aws/aws_acl vars: @@ -109,10 +109,5 @@ priority: 1 list: "{{ aws_admin_tools.allowed_ips }}" -- name: Create API Gateway. +- name: Create API Gateway resurces. ansible.builtin.include_tasks: create.yml - when: _api_index | length == 0 - -- name: Update API Gateway. - ansible.builtin.include_tasks: create.yml - when: _api_index | length > 0 diff --git a/roles/aws/aws_ec2_with_eip/tasks/main.yml b/roles/aws/aws_ec2_with_eip/tasks/main.yml index 8e0e5be7b..dee50043d 100644 --- a/roles/aws/aws_ec2_with_eip/tasks/main.yml +++ b/roles/aws/aws_ec2_with_eip/tasks/main.yml @@ -163,7 +163,7 @@ tag:Name: "{{ aws_ec2_with_eip.instance_name }}" register: _aws_ec2_with_eip_instances_eip -- name: allocate a new elastic IP inside a VPC +- name: Allocate a new elastic IP inside a VPC. amazon.aws.ec2_eip: region: "{{ aws_ec2_with_eip.region }}" in_vpc: true diff --git a/roles/aws/aws_sg_iptables/tasks/main.yml b/roles/aws/aws_sg_iptables/tasks/main.yml index baa4fc575..826a29494 100644 --- a/roles/aws/aws_sg_iptables/tasks/main.yml +++ b/roles/aws/aws_sg_iptables/tasks/main.yml @@ -7,7 +7,7 @@ - name: Set list of commands for tcp/udp in include_tasks: tcp_udp_string.yml - loop: "{{ q( 'ansible.builtin.subelements', _glob, 'ports', { 'skip_missing': True }) }}" + loop: "{{ q('ansible.builtin.subelements', _glob, 'ports', {'skip_missing': True}) }}" - name: Remove priority element from dict. ansible.builtin.set_fact: @@ -29,7 +29,7 @@ - name: Set list of commands four tcp/udp out include_tasks: tcp_udp_string.yml - loop: "{{ q( 'ansible.builtin.subelements', _glob, 'ports', { 'skip_missing': True }) }}" + loop: "{{ q('ansible.builtin.subelements', _glob, 'ports', {'skip_missing': True}) }}" - name: Set list of commands for icmp in include_tasks: icmp_string.yml 
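Review bot: Typo in the surviving task name of the last hunk: `- name: Create API Gateway resources.`. Collapsing the create/update pair into one unconditional include is only safe if every task in create.yml tolerates an existing API — the `aws apigateway create-stage` call at the top of that file (outside this hunk) returns ConflictException when the `prod` stage already exists, unless it already carries a `when` I cannot see, so it needs the `when: _api_index | length == 0` guard the removed branch used to provide, or a `failed_when` that accepts the conflict. A one-line comment above the include saying that create.yml is expected to be idempotent would tell the next editor what they must preserve.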
From 79837afdd2c9188fbe04fb037e04c7849fe8b189 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 12 Mar 2025 19:16:07 +0100 Subject: [PATCH 43/47] New-admin-tools-role-2 --- roles/_meta/aws_region/meta/main.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/roles/_meta/aws_region/meta/main.yml b/roles/_meta/aws_region/meta/main.yml index 9fd95f4d9..a11491c0e 100644 --- a/roles/_meta/aws_region/meta/main.yml +++ b/roles/_meta/aws_region/meta/main.yml @@ -1,11 +1,11 @@ --- dependencies: -# - role: aws/aws_provision_ec2_keypair -# - role: aws/aws_vpc -# - role: aws/aws_vpc_subnet -# - role: aws/aws_iam_role -# - role: aws/aws_acl -# - role: aws/aws_cloudwatch_log_group -# - role: aws/aws_backup -# - role: aws/aws_backup_sns + - role: aws/aws_provision_ec2_keypair + - role: aws/aws_vpc + - role: aws/aws_vpc_subnet + - role: aws/aws_iam_role + - role: aws/aws_acl + - role: aws/aws_cloudwatch_log_group + - role: aws/aws_backup + - role: aws/aws_backup_sns - role: aws/aws_admin_tools From 8bcea9ade95f74d922336b9be2543606791f1f3b Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 12 Mar 2025 19:18:11 +0100 Subject: [PATCH 44/47] New-admin-tools-role-3 --- roles/aws/aws_admin_tools/tasks/create_mock.yml | 4 ++-- roles/aws/aws_admin_tools/tasks/main.yml | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/roles/aws/aws_admin_tools/tasks/create_mock.yml b/roles/aws/aws_admin_tools/tasks/create_mock.yml index e55bf8280..7f4843592 100644 --- a/roles/aws/aws_admin_tools/tasks/create_mock.yml +++ b/roles/aws/aws_admin_tools/tasks/create_mock.yml @@ -7,7 +7,7 @@ --region "{{ _aws_region }}" register: _api_resource -- name: Setting previous command output into variable. +- name: Setting command output into variable. ansible.builtin.set_fact: _api_resource: "{{ _api_resource.stdout | from_json }}" 
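Review bot: With `aws/aws_admin_tools` now an unconditional dependency of the `aws_region` meta role, every account and region the meta role touches receives an internet-facing admin API (EC2 inventory, cost data and an ASG-changing POST) plus its bucket, Lambdas and IAM roles, whether or not the operator asked for it. Role dependencies accept conditions, so gating it — `- role: aws/aws_admin_tools` followed by `  when: aws_admin_tools.enabled | default(false)`, with `enabled: false` added to the role defaults — keeps the default footprint as it was before this series. The removed side shows the other eight dependencies were merely commented out earlier in the series, so restoring them is expected; a sentence in the commit message would save the next reader the archaeology.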
@@ -37,6 +37,6 @@ --region "{{ _aws_region }}" register: _main_api_deploy -- name: Setting previous command output into variable. +- name: Setting command output into variable. ansible.builtin.set_fact: _main_api_deploy: "{{ _main_api_deploy.stdout | from_json }}" diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index 12da52204..10488618d 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml @@ -1,4 +1,3 @@ ---- - name: Create API gateway. ansible.builtin.command: >- aws sts get-caller-identity From c2d3b090893c2764e59a432ef9641a1b1ad658a9 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 12 Mar 2025 19:18:44 +0100 Subject: [PATCH 45/47] New-admin-tools-role-4 --- roles/aws/aws_admin_tools/tasks/create_methods.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/aws/aws_admin_tools/tasks/create_methods.yml b/roles/aws/aws_admin_tools/tasks/create_methods.yml index 481dc152c..c10a1c391 100644 --- a/roles/aws/aws_admin_tools/tasks/create_methods.yml +++ b/roles/aws/aws_admin_tools/tasks/create_methods.yml @@ -5,7 +5,7 @@ --region "{{ _aws_region }}" register: _api_old_resource -- name: Setting prevoius command output into variable. +- name: Setting previous command output into variable. ansible.builtin.set_fact: _api_old_resource: "{{ _api_old_resource.stdout | from_json }}" @@ -31,7 +31,7 @@ --region "{{ _aws_region }}" register: _api_resource -- name: Setting prevoius command output into variable. +- name: Setting previous command output into variable. ansible.builtin.set_fact: _api_resource: "{{ _api_resource.stdout | from_json }}" From 9b961b5d72589aeb56298d0ae669e7dcf28b4858 Mon Sep 17 00:00:00 2001 
From: Matej Stajduhar Date: Wed, 19 Mar 2025 17:12:07 +0100 Subject: [PATCH 46/47] New-api_admin_tools-role --- roles/aws/aws_admin_tools/defaults/main.yml | 4 +- roles/aws/aws_admin_tools/tasks/main.yml | 2 +- .../aws_backup_validation/defaults/main.yml | 2 +- .../aws/aws_backup_validation/tasks/main.yml | 238 +++++++----------- ...tion_report.j2 => validation_report.py.j2} | 4 +- roles/aws/aws_iam_role/defaults/main.yml | 4 + roles/aws/aws_iam_role/tasks/main.yml | 39 ++- roles/aws/aws_lambda/defaults/main.yml | 10 + roles/aws/aws_lambda/tasks/main.yml | 52 ++++ roles/aws/aws_s3_bucket/tasks/main.yml | 10 +- 10 files changed, 202 insertions(+), 163 deletions(-) rename roles/aws/aws_backup_validation/templates/{validation_report.j2 => validation_report.py.j2} (98%) create mode 100644 roles/aws/aws_lambda/defaults/main.yml create mode 100644 roles/aws/aws_lambda/tasks/main.yml diff --git a/roles/aws/aws_admin_tools/defaults/main.yml b/roles/aws/aws_admin_tools/defaults/main.yml index 10c07da2f..56cbc7d01 100644 --- a/roles/aws/aws_admin_tools/defaults/main.yml +++ b/roles/aws/aws_admin_tools/defaults/main.yml @@ -2,12 +2,12 @@ aws_admin_tools: runtime: "python3.12" timeout: 20 allowed_ips: - - 192.168.1.1/32 # Ip of server with access to API-s + - 3.11.82.252/32 # Ip of server with access to API-s functions: - name: "GetForecastedCosts" type: GET policies: - - "arn:aws:iam::{{ _acc_id }}:policy/CEBillingPolicy" # Custom policy + - "arn:aws:iam::aws:policy/job-function/Billing" - name: "ChangeASGScaling" type: POST policies: diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml index 10488618d..21c1f0799 100644 --- a/roles/aws/aws_admin_tools/tasks/main.yml +++ b/roles/aws/aws_admin_tools/tasks/main.yml @@ -1,4 +1,4 @@ -- name: Create API gateway. +- name: Get account ID for ARN. ansible.builtin.command: >- aws sts get-caller-identity --query Account 
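Review bot: `arn:aws:iam::aws:policy/job-function/Billing` is the job-function policy meant for human billing administrators — it covers budgets, payment methods, purchase orders and account settings, far more than the `ce:GetCostForecast` call the handler makes — and it now sits on a role that an HTTP endpoint with no authentication of its own can trigger. An inline policy with `Action: ce:GetCostForecast` on `Resource: "*"` (Cost Explorer has no finer-grained resources) is the least-privilege form and needs no pre-existing policy in the account. Restoring a real public address into the committed defaults (`3.11.82.252/32`) also undoes the placeholder from patch 42; the host it identifies belongs in inventory or group vars, not in a role default shipped to every profile.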
diff --git a/roles/aws/aws_backup_validation/defaults/main.yml b/roles/aws/aws_backup_validation/defaults/main.yml index 2e2632376..26f4613d0 100644 --- a/roles/aws/aws_backup_validation/defaults/main.yml +++ b/roles/aws/aws_backup_validation/defaults/main.yml @@ -1,6 +1,6 @@ --- aws_backup_validation: - s3_bucket: "codeenigma-{{ _aws_profile }}-general-storage-{{ _aws_region }}" + s3_bucket: "ce-{{ _aws_profile }}-lambda-functions" name: "RestoreValidation" description: "Restore validation is running every Sunday at 00:00AM, and validation reporting is triggered on Monday 00:00AM" timeout: 60 diff --git a/roles/aws/aws_backup_validation/tasks/main.yml b/roles/aws/aws_backup_validation/tasks/main.yml index 5ebb5d90b..37366f4b2 100644 --- a/roles/aws/aws_backup_validation/tasks/main.yml +++ b/roles/aws/aws_backup_validation/tasks/main.yml 
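Review bot: The new bucket name `ce-{{ _aws_profile }}-lambda-functions` drops the `{{ _aws_region }}` suffix the old name carried; bucket names are global, so a profile deployed in two regions will try to create one name in both, and `amazon.aws.s3_bucket` may fail or silently reuse the bucket from the other region. It also diverges from the `{{ _aws_profile }}-lambda-api-functions` bucket the admin-tools role creates for the same purpose, so Lambda artefacts end up split across two differently named buckets with different settings. Keeping the region, `s3_bucket: "ce-{{ _aws_profile }}-lambda-functions-{{ _aws_region }}"`, or consolidating on one artefact bucket, would be simpler to lock down.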
@@ -1,162 +1,102 @@ --- -- name: Create a role and attach policies - amazon.aws.iam_role: - name: LambdaBackupRestoreRole - assume_role_policy_document: "{{ lookup('file', 'trusted_entitites.j2') }}" - managed_policies: - - arn:aws:iam::aws:policy/AmazonEC2FullAccess - - arn:aws:iam::aws:policy/AWSBackupFullAccess - - arn:aws:iam::aws:policy/AmazonRDSFullAccess - - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess - - arn:aws:iam::aws:policy/AmazonSESFullAccess - - arn:aws:iam::aws:policy/AmazonSSMFullAccess - register: _created_iam_lambda_role - -- name: Create an IAM Managed Policy for passing roles - amazon.aws.iam_managed_policy: - policy_name: "PassRole" - policy: - Version: "2012-10-17" - Statement: - - Effect: "Allow" - Action: "iam:PassRole" - Resource: "*" - state: present - register: _pass_role - -- name: Update AWSBackupDefaultServiceRole - amazon.aws.iam_role: - name: AWSBackupDefaultServiceRole - assume_role_policy_document: "{{ lookup('file', 'pass_role_backup.j2') }}" - managed_policies: - - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup - - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores - - "{{ _pass_role.policy.arn }}" +- name: Create a role and attach policies for Lambda backup validation. + ansible.builtin.include_role: + name: aws/aws_iam_role + vars: + aws_iam_role: + name: LambdaBackupRestoreRole + aws_profile: "{{ _aws_profile }}" + managed_policies: + - arn:aws:iam::aws:policy/AmazonEC2FullAccess + - arn:aws:iam::aws:policy/AWSBackupFullAccess + - arn:aws:iam::aws:policy/AmazonRDSFullAccess + - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess + - arn:aws:iam::aws:policy/AmazonSSMFullAccess + policy_document: "{{ lookup('file', 'trusted_entitites.j2') }}" + +- name: Create backup validation Lambda functions. 
+ ansible.builtin.include_role: + name: aws/aws_lambda + vars: + aws_lambda: + name: "{{ aws_backup_validation.name }}_{{ item }}" + description: "{{ aws_backup_validation.description }}" + timeout: "{{ aws_backup_validation.timeout }}" + role: "{{ aws_iam_role._result['LambdaBackupRestoreRole'] }}" + runtime: "{{ aws_backup_validation.runtime }}" + function_file: "{{ lookup('template', item + '_validation.py.j2') }}" + s3_bucket: "ce-{{ _aws_profile }}-lambda-functions" + tags: + Name: "{{ item }}_backup_validation" + loop: "{{ aws_backup_validation.resources }}" -- name: Sleep for 10 seconds for IAM before Lambda creation - ansible.builtin.wait_for: - timeout: 10 +#- name: Remove variables containing "-". +# ansible.builtin.set_fact: +# aws_lambda: "{{ aws_lambda | ansible.utils.remove_keys(target=['response_metadata', 'function_file']) }}" + +- name: Create an IAM Managed Policy for passing roles and setup IAM role. + ansible.builtin.include_role: + name: aws/aws_iam_role + vars: + aws_iam_role: + name: AWSBackupDefaultServiceRole + aws_profile: "{{ _aws_profile }}" + inline_policies: + name: "PassRole" + resource: "*" + action: "iam:PassRole" + policy_document: "{{ lookup('file', 'pass_role_backup.j2') }}" + managed_policies: + - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup + - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores # TODO: Not all clients have verified identity #- name: Get verified domain. 
# ansible.builtin.include_tasks: get_valid_email.yml -- name: Clean and set python functions - block: - - name: Create S3 bucket for lambda functions - amazon.aws.s3_bucket: - name: "{{ aws_backup_validation.s3_bucket }}" - region: "{{ _aws_region }}" - state: present - - - name: Check and clean any previous backup validation files - ansible.builtin.file: - path: "{{ _ce_provision_build_dir }}/{{ item }}_validation.py" - state: absent - loop: "{{ aws_backup_validation.resources }}" - - - name: Check and clean any previous validation report files - ansible.builtin.file: - path: "{{ _ce_provision_build_dir }}/validation_report.py" - state: absent - - - name: Write Lambda functions - ansible.builtin.template: - src: "{{ item }}_validation.py.j2" - dest: "{{ _ce_provision_build_dir }}/{{ item }}_validation.py" - loop: "{{ aws_backup_validation.resources }}" - - - name: Get info about newly created restore testing plan. - ansible.builtin.command: > - aws backup list-restore-testing-plans --region {{ _aws_region }} - register: _testing_plans - - - name: Print return information from the previous task - ansible.builtin.debug: - var: _testing_plans - - - name: Write validation report functions - ansible.builtin.template: - src: "validation_report.j2" - dest: "{{ _ce_provision_build_dir }}/validation_report.py" - - - name: Create a zip archive of Lambda functions - community.general.archive: - path: "{{ _ce_provision_build_dir }}/{{ item }}_validation.py" - dest: "{{ _ce_provision_build_dir }}/{{ item }}_validation.zip" - format: zip - loop: "{{ aws_backup_validation.resources }}" - - - name: Create a zip archive of validation report - community.general.archive: - path: "{{ _ce_provision_build_dir }}/validation_report.py" - dest: "{{ _ce_provision_build_dir }}/validation_report.zip" - format: zip - - - name: Place backup validation functions in S3 bucket - amazon.aws.s3_object: - bucket: "{{ aws_backup_validation.s3_bucket }}" - object: "lambda-functions/{{ item 
}}_validation.zip" - src: "{{ _ce_provision_build_dir }}/{{ item }}_validation.zip" - mode: put - loop: "{{ aws_backup_validation.resources }}" - - - name: Place report function in S3 bucket - amazon.aws.s3_object: - bucket: "{{ aws_backup_validation.s3_bucket }}" - object: "lambda-functions/validation_report.zip" - src: "{{ _ce_provision_build_dir }}/validation_report.zip" - mode: put - loop: "{{ aws_backup_validation.resources }}" - -- name: Create Lambda functions - amazon.aws.lambda: - name: "{{ aws_backup_validation.name }}_{{ item }}" - description: "{{ aws_backup_validation.description }}" - region: "{{ _aws_region }}" - timeout: "{{ aws_backup_validation.timeout }}" - s3_bucket: "{{ aws_backup_validation.s3_bucket }}" - s3_key: "lambda-functions/{{ item }}_validation.zip" - state: present - runtime: "{{ aws_backup_validation.runtime }}" - role: "{{ _created_iam_lambda_role.iam_role.arn }}" - handler: "{{ item }}_validation.{{ aws_backup_validation.handler }}" - tags: - Name: "{{ item }}_backup_validation" - register: _lambda_functions - loop: "{{ aws_backup_validation.resources }}" - -- name: Create validation report functions - amazon.aws.lambda: - name: "validation_report" - description: "{{ aws_backup_validation.description }}" - region: "{{ _aws_region }}" - timeout: 30 - s3_bucket: "{{ aws_backup_validation.s3_bucket }}" - s3_key: "lambda-functions/validation_report.zip" - state: present - runtime: "{{ aws_backup_validation.runtime }}" - role: "{{ _created_iam_lambda_role.iam_role.arn }}" - handler: "validation_report.{{ aws_backup_validation.handler }}" - register: _validation_report - -- name: Remove non UTF-8 item +- name: Get info about newly created restore testing plan. + ansible.builtin.command: > + aws backup list-restore-testing-plans --region {{ _aws_region }} + register: _testing_plans + +- name: Create validation report function. 
+ ansible.builtin.include_role: + name: aws/aws_lambda + vars: + aws_lambda: + name: "validation_report" + description: "{{ aws_backup_validation.description }}" + timeout: "30" + role: "{{ aws_iam_role._result['LambdaBackupRestoreRole'] }}" + runtime: "{{ aws_backup_validation.runtime }}" + function_file: "{{ lookup('template', 'validation_report.py.j2') }}" + s3_bucket: "ce-{{ _aws_profile }}-lambda-functions" + tags: + Name: "validation_report" + +- name: Get account ID for ARN. + ansible.builtin.command: >- + aws sts get-caller-identity + --query Account + --output text + register: _acc_id + +- name: Setting previous command output into variable. ansible.builtin.set_fact: - _lambda_functions: "{{ _lambda_functions | ansible.utils.remove_keys(target=['ZipFile', 'location', 'item.invocation']) }}" - _validation_report: "{{ _validation_report | ansible.utils.remove_keys(target=['ZipFile', 'location', 'item.invocation']) }}" + _acc_id: "{{ _acc_id.stdout | from_json }}" -- name: Create EventBridge for validations +- name: Create EventBridge for validation functions. 
amazon.aws.cloudwatchevent_rule: - name: "{{ item.configuration.function_name }}" - description: "{{ item.configuration.description }}" + name: "RestoreValidation_{{ item }}" + description: "{{ aws_backup_validation.description }}" state: present region: "{{ _aws_region }}" - event_pattern: '{ "source": ["aws.backup"], "detail-type": ["Restore Job State Change"], "detail": { "resourceType": ["{{ item.item }}"], "status": ["COMPLETED"] } }' + event_pattern: '{ "source": ["aws.backup"], "detail-type": ["Restore Job State Change"], "detail": { "resourceType": ["{{ item }}"], "status": ["COMPLETED"] } }' targets: - - id: "{{ item.configuration.function_name }}" - arn: "{{ (item.configuration.function_arn.split(':') | map('trim'))[:-1] | join(':') }}" # Remove the version number from ARN + - id: "RestoreValidation_{{ item }}" + arn: "arn:aws:lambda:{{ _aws_region }}:{{ _acc_id }}:function:RestoreValidation_{{ item }}" + loop: "{{ aws_backup_validation.resources }}" register: _event_bridges - loop: "{{ _lambda_functions.results }}" - name: Create schedule for validation reports amazon.aws.cloudwatchevent_rule: @@ -166,7 +106,7 @@ region: "{{ _aws_region }}" targets: - id: validation_report - arn: "{{ (_validation_report.configuration.function_arn.split(':') | map('trim'))[:-1] | join(':') }}" # Remove the version number from ARN + arn: "{{ (aws_lambda._result['validation_report'].configuration.function_arn.split(':') | map('trim'))[:-1] | join(':') }}" # Remove the version number from ARN register: _validation_event - name: Generate unique string @@ -176,8 +116,8 @@ - name: Update Lambda policy amazon.aws.lambda_policy: state: present - function_name: "{{ item.item.configuration.function_name }}" - statement_id: "{{ item.item.configuration.function_name }}_{{ _rand_str }}" + function_name: "{{ item.rule.name }}" + statement_id: "{{ item.rule.name }}_{{ _rand_str }}" action: lambda:InvokeFunction principal: events.amazonaws.com source_arn: "{{ item.rule.arn }}" 
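Review bot: `_acc_id: "{{ _acc_id.stdout | from_json }}"` parses the `--output text` account ID as JSON, which works for an ID like 123456789012 but fails for any account ID that starts with a zero (JSON rejects leading zeros), and `from_json` is not needed for plain text at all; `amazon.aws.aws_caller_info` returns `account` as a string with no shell-out or parsing. The EventBridge rule name and target ARN hard-code `RestoreValidation_{{ item }}` while the function is created as `{{ aws_backup_validation.name }}_{{ item }}`, so overriding `aws_backup_validation.name` silently leaves the rule (and the `lambda_policy` hunk below, which reuses `item.rule.name` as the function name) pointing at a function that does not exist; build the target from `aws_backup_validation.name`, or from the registered `aws_lambda._result` entry as the report hunk already does if those entries survive the loop. A comment on the `arn:` line stating that it must stay in sync with the Lambda name would at least make the coupling visible.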
@@ -188,7 +128,7 @@ amazon.aws.lambda_policy: state: present function_name: "validation_report" - statement_id: "{{ _validation_report.configuration.function_name }}_{{ _rand_str }}" + statement_id: "validation_report_{{ _rand_str }}" action: lambda:InvokeFunction principal: events.amazonaws.com source_arn: "{{ _validation_event.rule.arn }}" diff --git a/roles/aws/aws_backup_validation/templates/validation_report.j2 b/roles/aws/aws_backup_validation/templates/validation_report.py.j2 similarity index 98% rename from roles/aws/aws_backup_validation/templates/validation_report.j2 rename to roles/aws/aws_backup_validation/templates/validation_report.py.j2 index 9c29baea4..bc80f32a7 100644 --- a/roles/aws/aws_backup_validation/templates/validation_report.j2 +++ b/roles/aws/aws_backup_validation/templates/validation_report.py.j2 @@ -98,9 +98,9 @@ failed_job = backup_cli.list_restore_jobs( {% endfor %} if len(failed_jobs) > 0: - mail_title = "Failed!" + mail_title = "🔴 Failed!" else: - mail_title = "Success!" + mail_title = "🟢 Success!" print("Successful restore jobs:") print(completed_jobs) diff --git a/roles/aws/aws_iam_role/defaults/main.yml b/roles/aws/aws_iam_role/defaults/main.yml index 585728d80..c4bc28ad6 100644 --- a/roles/aws/aws_iam_role/defaults/main.yml +++ b/roles/aws/aws_iam_role/defaults/main.yml @@ -3,6 +3,10 @@ aws_iam_role: aws_profile: "{{ _aws_profile }}" # Pass either names or ARNs for the role. managed_policies: [] + inline_policies: + name: "example_inline_polcy" # Name of inline policy + resource: "*" + action: [] # Which document policy to apply. # Current options are 'ec2', 'ecs' or 'backup' policy_document: ec2 diff --git a/roles/aws/aws_iam_role/tasks/main.yml b/roles/aws/aws_iam_role/tasks/main.yml index daf1ad759..fb6aa3bb0 100644 --- a/roles/aws/aws_iam_role/tasks/main.yml +++ b/roles/aws/aws_iam_role/tasks/main.yml 
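Review bot: `inline_policies.name` is documented as the name of the inline policy, but the tasks file names the generated policy `inline_{{ aws_iam_role.name }}_policy` and never reads this key, so the default (which also misspells "polcy") is misleading; either consume it in `policy_name` or drop it. The default `resource: "*"` means any caller that sets only `action` gets that action on every resource in the account, which deserves a comment, e.g. `resource: "*"  # Scope this down; "*" grants the action on all resources`. The tasks also create a customer-managed policy via `amazon.aws.iam_managed_policy`, not an inline policy, so the key name itself is a misnomer worth a comment.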
@@ -1,9 +1,42 @@ +- name: Create an IAM Managed Policy if defined. + amazon.aws.iam_managed_policy: + policy_name: "inline_{{ aws_iam_role.name }}_policy" + policy: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Action: "{{ aws_iam_role.inline_policies.action }}" + Resource: "{{ aws_iam_role.inline_policies.resource }}" + state: present + register: _inline_iam_policy + when: inline_policies.action is defined and inline_policies.action > 0 + +- name: Join managed and inline policy. + ansible.builtin.set_fact: + _combined_policies: "{{ aws_iam_role.managed_policies + [_inline_iam_policy.arn] }}" + when: inline_policies.action is defined and inline_policies.action > 0 + +- name: Create combined var if inline policy is not defined or empty. + ansible.builtin.set_fact: + _combined_policies: "{{ aws_iam_role.managed_policies }}" + when: inline_policies.action is not defined or inline_policies.action == 0 + +- name: Create assume role policy document if predefined string is passed. + ansible.builtin.set_fact: + _assume_role_policy: "{{ lookup('file', aws_iam_role.policy_document + '_document_policy.json') }}" + when: aws_iam_role.policy_document | type_debug == 'str' + +- name: Create assume role policy document if template is provided. + ansible.builtin.set_fact: + _assume_role_policy: "{{ aws_iam_role.policy_document }}" + when: aws_iam_role.policy_document | type_debug != 'str' + - name: Create an IAM role. amazon.aws.iam_role: profile: "{{ aws_iam_role.aws_profile }}" name: "{{ aws_iam_role.name }}" - assume_role_policy_document: "{{ lookup('file', aws_iam_role.policy_document + '_document_policy.json') }}" - managed_policies: "{{ aws_iam_role.managed_policies }}" + assume_role_policy_document: "{{ _assume_role_policy }}" + managed_policies: "{{ _combined_policies }}" purge_policies: "{{ aws_iam_role.purge_policies }}" tags: "{{ aws_iam_role.tags }}" create_instance_profile: "{% if aws_iam_role.policy_document == 'ec2' %}true{% else %}false{% endif %}" 
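Review bot: Every `when:` in the three new policy tasks tests the bare variable `inline_policies`, which is never defined — the data lives under `aws_iam_role.inline_policies` — so `inline_policies.action is defined` is always false, the managed policy is never created, and `_combined_policies` silently falls back to `managed_policies` even for the `PassRole` caller in `aws_backup_validation`. Two further problems are hidden behind that: `action > 0` compares a list (or string) with an integer, which fails in Jinja, so the intent needs `| length > 0`; and `_inline_iam_policy.arn` is not what `amazon.aws.iam_managed_policy` returns, which exposes `policy.arn` (as the removed `_pass_role.policy.arn` in the backup_validation hunk used). A comment on the first task stating that it creates a customer-managed policy named `inline_…`, not an inline policy, would also avoid confusion about purge behaviour. The `iam_role` task at the end of the hunk needs no change beyond what the commit makes.
```yaml
- name: Create an IAM Managed Policy if defined.
  amazon.aws.iam_managed_policy:
    # … unchanged: policy_name / policy / state …
  register: _inline_iam_policy
  when:
    - aws_iam_role.inline_policies.action is defined
    - aws_iam_role.inline_policies.action | length > 0

- name: Join managed and inline policy.
  ansible.builtin.set_fact:
    _combined_policies: "{{ aws_iam_role.managed_policies + [_inline_iam_policy.policy.arn] }}"
  when:
    - aws_iam_role.inline_policies.action is defined
    - aws_iam_role.inline_policies.action | length > 0

- name: Create combined var if inline policy is not defined or empty.
  ansible.builtin.set_fact:
    _combined_policies: "{{ aws_iam_role.managed_policies }}"
  when: aws_iam_role.inline_policies.action is not defined or aws_iam_role.inline_policies.action | length == 0
# … unchanged: assume-role policy document tasks and the iam_role task …
```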
@@ -12,4 +45,4 @@ - name: Register aws_iam_role results. ansible.builtin.set_fact: - aws_iam_role: "{{ aws_iam_role | combine({'_result': {aws_iam_role.name: _aws_iam_role_result}}) }}" + aws_iam_role: "{{ aws_iam_role | combine({'_result': {aws_iam_role.name: _aws_iam_role_result}}, recursive=True) }}" diff --git a/roles/aws/aws_lambda/defaults/main.yml b/roles/aws/aws_lambda/defaults/main.yml new file mode 100644 index 000000000..6bcf10abf --- /dev/null +++ b/roles/aws/aws_lambda/defaults/main.yml @@ -0,0 +1,10 @@ +aws_lambda: + name: "lambda_function_name" + description: "Description for AWS Lambda function" + timeout: "20" # Maximum number of seconds before function times out + handler: "lambda_handler" # Name of main function + s3_bucket: "ce-{{ _aws_profile }}-lambda-functions" + function_file: "" # template to pass in S3 bucket + runtime: "python3.12" + role: "" + tags: [] diff --git a/roles/aws/aws_lambda/tasks/main.yml b/roles/aws/aws_lambda/tasks/main.yml new file mode 100644 index 000000000..27b692c50 --- /dev/null +++ b/roles/aws/aws_lambda/tasks/main.yml 
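Review bot: `tags: []` defaults a field that `amazon.aws.lambda` takes as a mapping, and the new tasks file passes it straight through (and forwards a literal `[]` to `aws_s3_bucket`, whose task combines it with `{'Name': ...}`), so a caller that does not override `tags` likely gets an argument-type error; `tags: {}` is the safe default. `role: ""` is likewise unusable as-is because the tasks dereference `aws_lambda.role.iam_role.arn`, so the comment should state the contract: `role: ""  # Required: an aws_iam_role._result entry (the iam_role return object), not an ARN string`. `function_file: ""` is described as a "template to pass in S3 bucket" but the tasks write its value as file content, so `# Rendered source text of the function (e.g. lookup('template', ...)), not a path` is the accurate comment, and `timeout: "20"` reads better as the integer `timeout: 20`.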
@@ -0,0 +1,52 @@ +- name: Create S3 bucket for Lambda functions. + ansible.builtin.include_role: + name: aws/aws_s3_bucket + vars: + aws_s3_bucket: + profile: "{{ _aws_profile }}" + region: "{{ _aws_region }}" + name: "{{ aws_lambda.s3_bucket }}" + tags: [] + state: "present" + +- name: Check and clean previous Lambda function. + ansible.builtin.file: + path: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}.py" + state: absent + +- name: Write Lambda function. + ansible.builtin.copy: + content: "{{ aws_lambda.function_file }}" + dest: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}.py" + +- name: Create a zip archive of Lambda function. + community.general.archive: + path: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}.py" + dest: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}.zip" + format: zip + +- name: Place Lambda function in S3 bucket. + amazon.aws.s3_object: + bucket: "{{ aws_lambda.s3_bucket }}" + object: "{{ aws_lambda.name }}.zip" + src: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}.zip" + mode: put + +- name: Create Lambda function. + amazon.aws.lambda: + name: "{{ aws_lambda.name }}" + description: "{{ aws_lambda.description }}" + region: "{{ _aws_region }}" + timeout: "{{ aws_lambda.timeout }}" + s3_bucket: "{{ aws_lambda.s3_bucket }}" + s3_key: "{{ aws_lambda.name }}.zip" + state: present + runtime: "{{ aws_lambda.runtime }}" + role: "{{ aws_lambda.role.iam_role.arn }}" + handler: "{{ aws_lambda.name }}.{{ aws_lambda.handler }}" + tags: "{{ aws_lambda.tags }}" + register: _aws_lambda_result + +- name: Register aws_lambda results. + ansible.builtin.set_fact: + aws_lambda: "{{ aws_lambda | combine({'_result': {aws_lambda.name: _aws_lambda_result}}, recursive=True) }}" diff --git a/roles/aws/aws_s3_bucket/tasks/main.yml b/roles/aws/aws_s3_bucket/tasks/main.yml index 8abcffa76..915b9c09e 100644 --- a/roles/aws/aws_s3_bucket/tasks/main.yml +++ b/roles/aws/aws_s3_bucket/tasks/main.yml 
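Review bot: The deployed code is keyed only on `s3_key`, which is the constant `{{ aws_lambda.name }}.zip`, so after the first run a changed template is re-uploaded to S3 but `amazon.aws.lambda` may not see anything to redeploy — if the module does not compare the S3 object's content, the function keeps its old code; a content hash in the object key, or bucket versioning with `s3_object_version`, makes each change deployable. The `handler` is `{{ aws_lambda.name }}.{{ aws_lambda.handler }}` and the source is written as `{{ aws_lambda.name }}.py`, so `aws_lambda.name` must also be a valid Python module name (no hyphens, no leading digit); a comment on the "Create Lambda function" task such as `# name doubles as the Python module name of the handler` would make that constraint explicit. The clean-up task removes only the `.py` before writing and nothing after upload, so both the `.py` and the `.zip` are left in `_ce_provision_build_dir`.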
@@ -1,15 +1,15 @@ - name: Create an S3 bucket. amazon.aws.s3_bucket: - profile: "{{ aws_s3_bucket.aws_profile }}" + profile: "{{ _aws_profile }}" region: "{{ aws_s3_bucket.region }}" name: "{{ aws_s3_bucket.name }}" tags: "{{ aws_s3_bucket.tags | combine({'Name': aws_s3_bucket.name}) }}" state: present - register: _aws_s3_bucket_bucket + register: _aws_s3_bucket - name: Create a matching policy. amazon.aws.iam_managed_policy: - profile: "{{ aws_s3_bucket.aws_profile }}" + profile: "{{ _aws_profile }}" region: "{{ aws_s3_bucket.region }}" policy_name: "{{ aws_s3_bucket.name }}" policy: @@ -20,8 +20,8 @@ Resource: "arn:aws:s3:::{{ aws_s3_bucket.name }}" make_default: true state: present - register: _aws_s3_bucket_bucket_policy + register: _aws_s3_bucket_policy - name: Register aws_s3_bucket results. ansible.builtin.set_fact: - aws_s3_bucket: "{{ aws_s3_bucket | combine({'_result': {aws_s3_bucket.name: {'bucket': _aws_s3_bucket_bucket, 'policy': _aws_s3_bucket_bucket_policy}}}) }}" + aws_s3_bucket: "{{ aws_s3_bucket | combine({'_result': {aws_s3_bucket.name | replace('-','_'): {'bucket': _aws_s3_bucket, 'policy': _aws_s3_bucket_policy}}}, recursive=True) }}" From ce0f0d62f1a3ca1a35830b8aed9de7da112a5080 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 19 Mar 2025 17:18:26 +0100 Subject: [PATCH 47/47] Updating-defaults --- roles/aws/aws_admin_tools/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/aws/aws_admin_tools/defaults/main.yml b/roles/aws/aws_admin_tools/defaults/main.yml index 56cbc7d01..10c07da2f 100644 --- a/roles/aws/aws_admin_tools/defaults/main.yml +++ b/roles/aws/aws_admin_tools/defaults/main.yml 
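Review bot: `profile:` now comes from the global `_aws_profile` while `aws_s3_bucket.aws_profile` (presumably still in the role's defaults, outside this diff) is no longer read, and the new caller in `aws_lambda/tasks/main.yml` passes a `profile:` key that this task never consumes; pick one contract, e.g. `profile: "{{ aws_s3_bucket.profile | default(_aws_profile) }}"`. The second hunk keys `_result` by `name | replace('-','_')`, unlike `aws_iam_role` and `aws_lambda` which key by the raw name, so consumers need to apply the same normalisation; a comment on the set_fact line, `# Result key is the bucket name with '-' replaced by '_'`, would save a lookup.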
@@ -2,12 +2,12 @@ aws_admin_tools: runtime: "python3.12" timeout: 20 allowed_ips: - - 3.11.82.252/32 # Ip of server with access to API-s + - 192.168.1.1/32 # Ip of server with access to API-s functions: - name: "GetForecastedCosts" type: GET policies: - - "arn:aws:iam::aws:policy/job-function/Billing" + - "arn:aws:iam::{{ _acc_id }}:policy/CEBillingPolicy" # Custom policy - name: "ChangeASGScaling" type: POST policies:
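Review bot: `192.168.1.1/32` is a private-range placeholder that no caller of a public API Gateway will ever present, so the comment should say it must be overridden rather than describe it as the server's IP, e.g. `- 192.168.1.1/32  # Placeholder: override with the public /32 of the host allowed to call the admin APIs`. `{{ _acc_id }}` in a defaults file is only resolved when the value is used, so it depends on the account-ID task at the top of this role's tasks/main.yml having run first (its `register` line is outside the earlier hunk, so that name is inferred); a comment stating that ordering would help. The previous commit placed a real public address here and this one reverts it, so the address remains in history — one more reason to keep deployment-specific values out of shared role defaults.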