From c6f1ae93b0cdb886553c918de3755695143b8f4e Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 26 Mar 2025 11:49:11 +0100 Subject: [PATCH 1/8] Reverting-changes --- roles/_meta/aws_region/meta/main.yml | 18 ++++---- .../aws/aws_backup_validation/tasks/main.yml | 30 +++++++------- roles/aws/aws_iam_role/tasks/main.yml | 41 ++++++++++++++++++- 3 files changed, 63 insertions(+), 26 deletions(-) diff --git a/roles/_meta/aws_region/meta/main.yml b/roles/_meta/aws_region/meta/main.yml index 0c13ab2e9..9fd95f4d9 100644 --- a/roles/_meta/aws_region/meta/main.yml +++ b/roles/_meta/aws_region/meta/main.yml @@ -1,11 +1,11 @@ --- dependencies: - - role: aws/aws_provision_ec2_keypair - - role: aws/aws_vpc - - role: aws/aws_vpc_subnet - - role: aws/aws_iam_role - - role: aws/aws_acl - - role: aws/aws_cloudwatch_log_group - - role: aws/aws_backup - - role: aws/aws_backup_sns -# - role: aws/aws_admin_tools +# - role: aws/aws_provision_ec2_keypair +# - role: aws/aws_vpc +# - role: aws/aws_vpc_subnet +# - role: aws/aws_iam_role +# - role: aws/aws_acl +# - role: aws/aws_cloudwatch_log_group +# - role: aws/aws_backup +# - role: aws/aws_backup_sns + - role: aws/aws_admin_tools diff --git a/roles/aws/aws_backup_validation/tasks/main.yml b/roles/aws/aws_backup_validation/tasks/main.yml index 08b5f17e6..37366f4b2 100644 --- a/roles/aws/aws_backup_validation/tasks/main.yml +++ b/roles/aws/aws_backup_validation/tasks/main.yml 
@@ -34,21 +34,21 @@ # ansible.builtin.set_fact: # aws_lambda: "{{ aws_lambda | ansible.utils.remove_keys(target=['response_metadata', 'function_file']) }}" -#- name: Create an IAM Managed Policy for passing roles and setup IAM role. -# ansible.builtin.include_role: -# name: aws/aws_iam_role -# vars: -# aws_iam_role: -# name: AWSBackupDefaultServiceRole -# aws_profile: "{{ _aws_profile }}" -# inline_policies: -# name: "PassRole" -# resource: "*" -# action: "iam:PassRole" -# policy_document: "{{ lookup('file', 'pass_role_backup.j2') }}" -# managed_policies: -# - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup -# - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores +- name: Create an IAM Managed Policy for passing roles and setup IAM role. + ansible.builtin.include_role: + name: aws/aws_iam_role + vars: + aws_iam_role: + name: AWSBackupDefaultServiceRole + aws_profile: "{{ _aws_profile }}" + inline_policies: + name: "PassRole" + resource: "*" + action: "iam:PassRole" + policy_document: "{{ lookup('file', 'pass_role_backup.j2') }}" + managed_policies: + - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup + - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores # TODO: Not all clients have verified identity #- name: Get verified domain. diff --git a/roles/aws/aws_iam_role/tasks/main.yml b/roles/aws/aws_iam_role/tasks/main.yml index 4dbb3dc60..541b04a64 100644 --- a/roles/aws/aws_iam_role/tasks/main.yml +++ b/roles/aws/aws_iam_role/tasks/main.yml 
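Review bot: The re-enabled inline policy grants `iam:PassRole` on `resource: "*"`, so anything able to assume AWSBackupDefaultServiceRole can hand any role in the account to any service, which is a standard privilege-escalation path. Scope it to the role(s) actually passed, e.g. `resource: "arn:aws:iam::{{ _acc_id }}:role/AWSBackupDefaultServiceRole"` (`_acc_id` appears to be available elsewhere in this repo), and note that the aws_iam_role wrapper emits only Action/Resource, so an `iam:PassedToService` condition cannot be added through this path. Separately, `lookup('file', 'pass_role_backup.j2')` returns the file verbatim without rendering Jinja, so if that template contains expressions `lookup('template', ...)` is needed, and it is worth confirming that a file named for a pass-role policy is really intended as the role's assume-role (trust) document.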
@@ -1,9 +1,46 @@ +- name: Create an IAM Managed Policy if defined. + amazon.aws.iam_managed_policy: + policy_name: "inline_{{ aws_iam_role.name }}_policy" + policy: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Action: "{{ aws_iam_role.inline_policies.action }}" + Resource: "{{ aws_iam_role.inline_policies.resource }}" + state: present + register: _inline_iam_policy + when: inline_policies.action is defined and inline_policies.action > 0 + +- name: Join managed and inline policy. + ansible.builtin.set_fact: + _combined_policies: "{{ aws_iam_role.managed_policies + [_inline_iam_policy.arn] }}" + when: inline_policies.action is defined and inline_policies.action > 0 + +- name: Create combined var if inline policy is not defined or empty. + ansible.builtin.set_fact: + _combined_policies: "{{ aws_iam_role.managed_policies }}" + when: inline_policies.action is not defined or inline_policies.action == 0 + +- name: Check polcy document + ansible.builtin.debug: + msg: "{{ aws_iam_role.policy_document | type_debug }}" + +- name: Create assume role policy document if predefined string is passed. + ansible.builtin.set_fact: + _assume_role_policy: "{{ lookup('file', aws_iam_role.policy_document + '_document_policy.json') }}" + when: aws_iam_role.policy_document | type_debug == 'string' + +- name: Create assume role policy document if template is provided. + ansible.builtin.set_fact: + _assume_role_policy: "{{ aws_iam_role.policy_document }}" + when: aws_iam_role.policy_document | type_debug != 'string' + - name: Create an IAM role. 
amazon.aws.iam_role: profile: "{{ aws_iam_role.aws_profile }}" name: "{{ aws_iam_role.name }}" - assume_role_policy_document: "{{ lookup('file', aws_iam_role.policy_document + '_document_policy.json') }}" - managed_policies: "{{ aws_iam_role.managed_policies }}" + assume_role_policy_document: "{{ _assume_role_policy }}" + managed_policies: "{{ _combined_policies }}" purge_policies: "{{ aws_iam_role.purge_policies }}" tags: "{{ aws_iam_role.tags }}" create_instance_profile: "{% if aws_iam_role.policy_document == 'ec2' %}true{% else %}false{% endif %}" From f2414aa81d2300570021dcbfc92a16e0dd5d9c45 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 26 Mar 2025 12:00:42 +0100 Subject: [PATCH 2/8] Updating-iam-tasks --- roles/_meta/aws_region/meta/main.yml | 2 +- roles/aws/aws_admin_tools/tasks/lambda_iam.yml | 12 ++++++++---- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/roles/_meta/aws_region/meta/main.yml b/roles/_meta/aws_region/meta/main.yml index 9fd95f4d9..207b201a6 100644 --- a/roles/_meta/aws_region/meta/main.yml +++ b/roles/_meta/aws_region/meta/main.yml @@ -6,6 +6,6 @@ dependencies: # - role: aws/aws_iam_role # - role: aws/aws_acl # - role: aws/aws_cloudwatch_log_group -# - role: aws/aws_backup + - role: aws/aws_backup # - role: aws/aws_backup_sns - role: aws/aws_admin_tools diff --git a/roles/aws/aws_admin_tools/tasks/lambda_iam.yml b/roles/aws/aws_admin_tools/tasks/lambda_iam.yml index f5ac58341..5e5e5d400 100644 --- a/roles/aws/aws_admin_tools/tasks/lambda_iam.yml +++ b/roles/aws/aws_admin_tools/tasks/lambda_iam.yml 
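Review bot: The three `when:` conditions test a top-level `inline_policies` variable rather than `aws_iam_role.inline_policies`, so with the dict callers pass under `aws_iam_role` the first two tasks are skipped, the third runs, and the inline policy is silently never created; and `inline_policies.action > 0` would compare a string or list against an int, which Jinja2 on Python 3 rejects. Use `when: aws_iam_role.inline_policies.action is defined and aws_iam_role.inline_policies.action | length > 0` on the first two tasks and `when: aws_iam_role.inline_policies.action is not defined or aws_iam_role.inline_policies.action | length == 0` on the third. The `iam_managed_policy` task also lacks `profile: "{{ aws_iam_role.aws_profile }}"` while the `iam_role` task below sets it, so the policy is created under the default credentials and may land in a different account than the role that attaches it. The `inline_` name prefix is misleading as well, since this creates a customer managed policy, not an inline one.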
@@ -3,7 +3,11 @@ _policies: "{{ item.policies + ['arn:aws:iam::aws:policy/CloudWatchLogsFullAccess'] }}" - name: Create a role and attach policies. - amazon.aws.iam_role: - name: "API_{{ item.name }}" - assume_role_policy_document: "{{ lookup('template', 'trusted_entitites.j2') }}" - managed_policies: "{{ _policies }}" + ansible.builtin.include_role: + name: aws/aws_iam_role + vars: + aws_iam_role: + name: "API_{{ item.name }}" + aws_profile: "{{ _aws_profile }}" + managed_policies: "{{ _policies }}" + policy_document: "{{ lookup('template', 'trusted_entitites.j2') }}" From 45d6d784763218ce24fb1f3776fd5e903a7f6f50 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 26 Mar 2025 12:14:56 +0100 Subject: [PATCH 3/8] Updating-iam-tasks-2 --- roles/aws/aws_iam_role/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/aws/aws_iam_role/tasks/main.yml b/roles/aws/aws_iam_role/tasks/main.yml index 541b04a64..e7a2fda0b 100644 --- a/roles/aws/aws_iam_role/tasks/main.yml +++ b/roles/aws/aws_iam_role/tasks/main.yml @@ -28,12 +28,12 @@ - name: Create assume role policy document if predefined string is passed. ansible.builtin.set_fact: _assume_role_policy: "{{ lookup('file', aws_iam_role.policy_document + '_document_policy.json') }}" - when: aws_iam_role.policy_document | type_debug == 'string' + when: aws_iam_role.policy_document | type_debug == 'AnsibleUnicode' - name: Create assume role policy document if template is provided. ansible.builtin.set_fact: _assume_role_policy: "{{ aws_iam_role.policy_document }}" - when: aws_iam_role.policy_document | type_debug != 'string' + when: aws_iam_role.policy_document | type_debug != 'AnsibleUnicode' - name: Create an IAM role. amazon.aws.iam_role: From 69e1133b2066a742e6b2c1579ea10879d05f321c Mon Sep 17 00:00:00 2001 
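Review bot: The `aws_iam_role` dict passed here omits `purge_policies` and `tags`, which the included role's `iam_role` task reads unconditionally (`purge_policies: "{{ aws_iam_role.purge_policies }}"`, `tags: "{{ aws_iam_role.tags }}"`); because `vars:` supplies the whole dict, any role defaults for those keys are replaced rather than merged under Ansible's default hash behaviour, and the include will fail on an undefined attribute. Add `purge_policies: true` and `tags: {}` alongside `managed_policies`, the former so the role's attachments are reconciled to `_policies` instead of accumulating. This task is part of a loop over `item` whose `loop:` lies outside the hunk, and the replaced direct `iam_role` call ran without a profile, so passing `aws_profile: "{{ _aws_profile }}"` may now target a different account than before — confirm that is intended.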
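Review bot: Switching the discriminator from `'string'` to `'AnsibleUnicode'` makes the choice between "predefined name" and "rendered document" depend on Ansible's internal class names: a literal YAML scalar such as `backup` and the result of a `lookup('file'/'template', ...)` happen to carry different wrapper types, and those names change between Ansible releases, so a document could be treated as a file name (or vice versa) after an upgrade. Discriminate on the content instead: `when: aws_iam_role.policy_document is string and '{' not in aws_iam_role.policy_document` for the file lookup and `when: aws_iam_role.policy_document is not string or '{' in aws_iam_role.policy_document` for the pass-through, since a JSON trust document always contains `{` and a predefined name never does. A comment above the two tasks stating that convention would also help the next maintainer.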
From: Matej Stajduhar Date: Wed, 26 Mar 2025 13:34:01 +0100 Subject: [PATCH 4/8] Updating-iam-tasks-3 --- roles/aws/aws_backup/tasks/resource.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_backup/tasks/resource.yml b/roles/aws/aws_backup/tasks/resource.yml index 5dc3c359a..94e85ff66 100644 --- a/roles/aws/aws_backup/tasks/resource.yml +++ b/roles/aws/aws_backup/tasks/resource.yml @@ -33,7 +33,7 @@ managed_policies: - "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup" - "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores" - policy_document: backup + policy_document: "backup" when: aws_backup.backup.iam_role_arn == "Default" - name: Set IAM role ARN for backups. From 2440aa92b548fdc6cc45e84d6af664e4e661049e Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 26 Mar 2025 13:56:16 +0100 Subject: [PATCH 5/8] Updating-iam-tasks-4 --- roles/aws/aws_backup/tasks/resource.yml | 2 +- roles/aws/aws_backup_validation/tasks/main.yml | 1 + roles/aws/aws_iam_role/tasks/main.yml | 4 ---- 3 files changed, 2 insertions(+), 5 deletions(-) diff --git a/roles/aws/aws_backup/tasks/resource.yml b/roles/aws/aws_backup/tasks/resource.yml index 94e85ff66..5dc3c359a 100644 --- a/roles/aws/aws_backup/tasks/resource.yml +++ b/roles/aws/aws_backup/tasks/resource.yml @@ -33,7 +33,7 @@ managed_policies: - "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup" - "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores" - policy_document: "backup" + policy_document: backup when: aws_backup.backup.iam_role_arn == "Default" - name: Set IAM role ARN for backups. diff --git a/roles/aws/aws_backup_validation/tasks/main.yml b/roles/aws/aws_backup_validation/tasks/main.yml index 37366f4b2..57b7c2cf9 100644 --- a/roles/aws/aws_backup_validation/tasks/main.yml +++ b/roles/aws/aws_backup_validation/tasks/main.yml 
@@ -12,6 +12,7 @@ - arn:aws:iam::aws:policy/AmazonRDSFullAccess - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess - arn:aws:iam::aws:policy/AmazonSSMFullAccess + - arn:aws:iam::aws:policy/AmazonSESFullAccess policy_document: "{{ lookup('file', 'trusted_entitites.j2') }}" - name: Create backup validation Lambda functions. diff --git a/roles/aws/aws_iam_role/tasks/main.yml b/roles/aws/aws_iam_role/tasks/main.yml index e7a2fda0b..79d7e562d 100644 --- a/roles/aws/aws_iam_role/tasks/main.yml +++ b/roles/aws/aws_iam_role/tasks/main.yml @@ -21,10 +21,6 @@ _combined_policies: "{{ aws_iam_role.managed_policies }}" when: inline_policies.action is not defined or inline_policies.action == 0 -- name: Check polcy document - ansible.builtin.debug: - msg: "{{ aws_iam_role.policy_document | type_debug }}" - - name: Create assume role policy document if predefined string is passed. ansible.builtin.set_fact: _assume_role_policy: "{{ lookup('file', aws_iam_role.policy_document + '_document_policy.json') }}" From fe69f1fb0736f0562558c864ff69f483493c7c95 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 26 Mar 2025 13:58:48 +0100 Subject: [PATCH 6/8] Reverting-meta-tasks --- roles/_meta/aws_region/meta/main.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/roles/_meta/aws_region/meta/main.yml b/roles/_meta/aws_region/meta/main.yml index 207b201a6..a11491c0e 100644 --- a/roles/_meta/aws_region/meta/main.yml +++ b/roles/_meta/aws_region/meta/main.yml 
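Review bot: Adding `AmazonSESFullAccess` to the backup-validation Lambda role stacks a fourth AWS-managed `*FullAccess` policy on a function role that already holds RDS, SSM and CloudWatch Logs full access; SES full access permits creating and deleting identities and configuration sets, not just sending mail. If the function only needs to send notifications, grant that through the role's `inline_policies` hook instead, e.g. `action: ["ses:SendEmail", "ses:SendRawEmail"]` with `resource` set to the verified identity ARN (the nearby `TODO` notes that not every client has one, so this may need to be conditional). The task that owns this `managed_policies` list begins above the hunk.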
@@ -1,11 +1,11 @@ --- dependencies: -# - role: aws/aws_provision_ec2_keypair -# - role: aws/aws_vpc -# - role: aws/aws_vpc_subnet -# - role: aws/aws_iam_role -# - role: aws/aws_acl -# - role: aws/aws_cloudwatch_log_group + - role: aws/aws_provision_ec2_keypair + - role: aws/aws_vpc + - role: aws/aws_vpc_subnet + - role: aws/aws_iam_role + - role: aws/aws_acl + - role: aws/aws_cloudwatch_log_group - role: aws/aws_backup -# - role: aws/aws_backup_sns + - role: aws/aws_backup_sns - role: aws/aws_admin_tools From 65ded1bc14c43d881e379b361436dfed9630f315 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 26 Mar 2025 14:16:58 +0100 Subject: [PATCH 7/8] Updating-iam-inline-policy --- roles/aws/aws_admin_tools/defaults/main.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/roles/aws/aws_admin_tools/defaults/main.yml b/roles/aws/aws_admin_tools/defaults/main.yml index 10c07da2f..a08ccd5d8 100644 --- a/roles/aws/aws_admin_tools/defaults/main.yml +++ b/roles/aws/aws_admin_tools/defaults/main.yml @@ -6,8 +6,11 @@ aws_admin_tools: functions: - name: "GetForecastedCosts" type: GET - policies: - - "arn:aws:iam::{{ _acc_id }}:policy/CEBillingPolicy" # Custom policy + inline_policies: + name: "{{ _aws_profile }}Billing" + resource: "*" + acton: + - "ce:*" - name: "ChangeASGScaling" type: POST policies: From 2ce54f8ba84f9478aa38b22e688d222f24ba5d56 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Wed, 26 Mar 2025 14:56:15 +0100 Subject: [PATCH 8/8] Adding-empty-policies --- roles/aws/aws_admin_tools/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/aws/aws_admin_tools/defaults/main.yml b/roles/aws/aws_admin_tools/defaults/main.yml index a08ccd5d8..2ba6159df 100644 --- a/roles/aws/aws_admin_tools/defaults/main.yml +++ b/roles/aws/aws_admin_tools/defaults/main.yml @@ -11,6 +11,7 @@ aws_admin_tools: resource: "*" acton: - "ce:*" + policies: [] - name: "ChangeASGScaling" type: POST policies:
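Review bot: The new key is spelled `acton`, but the aws_iam_role role reads `aws_iam_role.inline_policies.action`, so this grant can never be picked up as written; it should be `action:`. The grant itself, `ce:*` on `"*"`, is also wider than a read-only forecast endpoint needs and covers Cost Explorer write APIs (cost categories, anomaly monitors); a GET handler named GetForecastedCosts should need only `action: ["ce:GetCostForecast", "ce:GetCostAndUsage"]`, to be confirmed against the function's code. The replaced `CEBillingPolicy` is not visible here, so whether this is a net widening cannot be judged from the hunk.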
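Review bot: `policies: []` satisfies the `item.policies + [...]` concatenation in lambda_iam.yml, but the resulting role for GetForecastedCosts then carries only CloudWatchLogsFullAccess: the `inline_policies` block above it is not among the `aws_iam_role` vars that lambda_iam.yml forwards to the aws_iam_role role (it passes `name`, `aws_profile`, `managed_policies` and `policy_document`), so the function is left without any Cost Explorer permission. Forward it from the loop item, e.g. `inline_policies: "{{ item.inline_policies | default({}) }}"` in lambda_iam.yml, otherwise this defaults entry is dead configuration.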