From e94a9d9fbda46f87dfb8ebf7b52ccb8200042538 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Thu, 3 Jul 2025 17:15:36 +0200 Subject: [PATCH 01/12] Adding-tasks-for-cf-function --- .vscode/settings.json | 3 +++ .../defaults/main.yml | 14 +++++++++++ .../tasks/create_function.yml | 24 +++++++++++++++++++ .../tasks/main.yml | 11 +++++++++ .../tasks/proxy_pass.yml | 0 .../templates/config.j2 | 14 +++++++++++ 6 files changed, 66 insertions(+) create mode 100644 .vscode/settings.json create mode 100644 roles/aws/aws_cloudfront_distribution/tasks/create_function.yml create mode 100644 roles/aws/aws_cloudfront_distribution/tasks/proxy_pass.yml create mode 100644 roles/aws/aws_cloudfront_distribution/templates/config.j2 diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 000000000..862b25a26 --- /dev/null +++ b/.vscode/settings.json @@ -0,0 +1,3 @@ +{ + "ansible.python.interpreterPath": "/bin/python3" +} diff --git a/roles/aws/aws_cloudfront_distribution/defaults/main.yml b/roles/aws/aws_cloudfront_distribution/defaults/main.yml index 29687bb52..24fbec0d8 100644 --- a/roles/aws/aws_cloudfront_distribution/defaults/main.yml +++ b/roles/aws/aws_cloudfront_distribution/defaults/main.yml @@ -1,5 +1,19 @@ --- aws_cloudfront_distribution: + functions: + - name: "example-cf-function" + type: "cf" # This can be cf or lambda + description: "This is example function." + runtime: "cloudfront-js-2.0" # Can be either cloudfront-js-2.0 or cloudfront-js-1.0 + kvs: "" # arn of KeyValueStore + code: "function.js" + - name: "example-lambda-edge-function" + type: "lambda" # This can be cf or lambda + description: "This is example lambda function." + timeout: 5 + runtime: "nodejs22.x" # Lambda runtimes are defined here https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html + kvs: "" # arn of KeyValueStore + code: "function.js" aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" tags: {} 
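Review bot: The two `functions` entries added to defaults/main.yml are live role defaults rather than documentation, so a run with no inventory override loops over them in tasks/main.yml and tries to create `example-cf-function` from a `function.js` the role does not ship. The `when: aws_cloudfront_distribution.functions is defined` guard in main.yml cannot prevent this, because the key is always defined once it lives in defaults. Ship `functions: []` as the default and move the example entries into a comment or the README.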
diff --git a/roles/aws/aws_cloudfront_distribution/tasks/create_function.yml b/roles/aws/aws_cloudfront_distribution/tasks/create_function.yml new file mode 100644 index 000000000..c71a5665d --- /dev/null +++ b/roles/aws/aws_cloudfront_distribution/tasks/create_function.yml @@ -0,0 +1,24 @@ +- name: Create config for CloudFront function. + ansible.builtin.template: + src: config.j2 + dest: cf_config + owner: controller + group: controller + mode: 0644 + when: _funct.type == cf + +- name: Create CF function. + ansible.builtin.command: + cmd: "aws cloudfront create-function --function-config file://cf_config --name new-funct --profile dummy --function-code fileb://{{ _ce_provision_base_dir }}/config/hosts/group_vars/_{{ _aws_profile }}/functions/{{ _funct.code }}" + when: _funct.type == cf + register: _cf_function + +- name: Setting previous command output into variable. + ansible.builtin.set_fact: + _cf_function: "{{ _cf_function.stdout | from_json }}" + when: _funct.type == cf + +- name: Register aws_lambda results. + ansible.builtin.set_fact: + _function_results: "{{ _function_results + [_cf_function] }}" + when: _funct.type == cf diff --git a/roles/aws/aws_cloudfront_distribution/tasks/main.yml b/roles/aws/aws_cloudfront_distribution/tasks/main.yml index 34bf41ddb..d2786d9c8 100644 --- a/roles/aws/aws_cloudfront_distribution/tasks/main.yml +++ b/roles/aws/aws_cloudfront_distribution/tasks/main.yml 
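Review bot: `when: _funct.type == cf` compares against an undefined variable `cf` instead of the string `'cf'`, so every task in this file should fail with an undefined-variable error rather than select on type; the same line is carried as context through the hunks of patches 03, 04 and 05. The CLI call also hardcodes `--name new-funct --profile dummy`, so a second entry in the list collides on the function name and the function is created under whatever `dummy` resolves to rather than `aws_cloudfront_distribution.aws_profile`. The minimal fix is `when: _funct.type == 'cf'` on each task and `--name {{ _funct.name }} --profile {{ aws_cloudfront_distribution.aws_profile }}` in the command.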
@@ -29,6 +29,17 @@ include_cookies: false # Set true to add cookies in logs prefix: "cf-logging/" # Prefix for S3 object names +- name: Set empty list for function results. + ansible.builtin.set_fact: + _function_results: [] + +- name: Create CloudFront function if defined. + ansible.builtin.include_tasks: create_function.yml + loop: "{{ aws_cloudfront_distribution.functions }}" + loop_control: + loop_var: _funct + when: aws_cloudfront_distribution.functions is defined + - name: Create a CloudFront distribution. community.aws.cloudfront_distribution: profile: "{{ aws_cloudfront_distribution.aws_profile }}" diff --git a/roles/aws/aws_cloudfront_distribution/tasks/proxy_pass.yml b/roles/aws/aws_cloudfront_distribution/tasks/proxy_pass.yml new file mode 100644 index 000000000..e69de29bb diff --git a/roles/aws/aws_cloudfront_distribution/templates/config.j2 b/roles/aws/aws_cloudfront_distribution/templates/config.j2 new file mode 100644 index 000000000..efbc5b4ae --- /dev/null +++ b/roles/aws/aws_cloudfront_distribution/templates/config.j2 @@ -0,0 +1,14 @@ +{ + "Comment": "{{ _funct.description }}", + "Runtime": "{{ _funct.runtime }}", + {% if _funct.kvs %} + "KeyValueStoreAssociations": { + "Quantity": 1, + "Items": [ + { + "KeyValueStoreARN": {{_funct.kvs }} + } + ] + } + {% endif %} +} From 07d27ccbc27c3e0e398f088dcbbc248b5d5f5b8e Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Thu, 3 Jul 2025 17:17:35 +0200 Subject: [PATCH 02/12] Removing-.vscode-folder --- .vscode/settings.json | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 .vscode/settings.json diff --git a/.vscode/settings.json b/.vscode/settings.json deleted file mode 100644 index 862b25a26..000000000 --- a/.vscode/settings.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "ansible.python.interpreterPath": "/bin/python3" -} From 240f68635920c30011eeb2e0ee8e6b18c0862748 Mon Sep 17 00:00:00 2001 
From: Matej Stajduhar Date: Thu, 3 Jul 2025 17:23:47 +0200 Subject: [PATCH 03/12] Updating-path-to-function-file --- roles/aws/aws_cloudfront_distribution/tasks/create_function.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_cloudfront_distribution/tasks/create_function.yml b/roles/aws/aws_cloudfront_distribution/tasks/create_function.yml index c71a5665d..69bfef34c 100644 --- a/roles/aws/aws_cloudfront_distribution/tasks/create_function.yml +++ b/roles/aws/aws_cloudfront_distribution/tasks/create_function.yml @@ -9,7 +9,7 @@ - name: Create CF function. ansible.builtin.command: - cmd: "aws cloudfront create-function --function-config file://cf_config --name new-funct --profile dummy --function-code fileb://{{ _ce_provision_base_dir }}/config/hosts/group_vars/_{{ _aws_profile }}/functions/{{ _funct.code }}" + cmd: "aws cloudfront create-function --function-config file://cf_config --name new-funct --profile dummy --function-code fileb://{{ _ce_provision_build_dir }}/vars/_global/functions/{{ _funct.code }}" when: _funct.type == cf register: _cf_function From 68f893ee79e9a52f8555f1633060fba43045dfed Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Thu, 3 Jul 2025 17:44:27 +0200 Subject: [PATCH 04/12] Updating-path-to-function-file-2 --- roles/aws/aws_cloudfront_distribution/tasks/create_function.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_cloudfront_distribution/tasks/create_function.yml b/roles/aws/aws_cloudfront_distribution/tasks/create_function.yml index 69bfef34c..0c4eef3af 100644 --- a/roles/aws/aws_cloudfront_distribution/tasks/create_function.yml +++ b/roles/aws/aws_cloudfront_distribution/tasks/create_function.yml 
@@ -9,7 +9,7 @@ - name: Create CF function. ansible.builtin.command: - cmd: "aws cloudfront create-function --function-config file://cf_config --name new-funct --profile dummy --function-code fileb://{{ _ce_provision_build_dir }}/vars/_global/functions/{{ _funct.code }}" + cmd: "aws cloudfront create-function --function-config file://cf_config --name new-funct --profile dummy --function-code fileb://{{ _ce_provision_build_dir }}/vars/_global/files/{{ _funct.code }}" when: _funct.type == cf register: _cf_function From cb1769826fb51b91c7784f07d7c02fb3323353a4 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Thu, 3 Jul 2025 17:54:33 +0200 Subject: [PATCH 05/12] Updating-path-to-function-file-3 --- roles/aws/aws_cloudfront_distribution/tasks/create_function.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_cloudfront_distribution/tasks/create_function.yml b/roles/aws/aws_cloudfront_distribution/tasks/create_function.yml index 0c4eef3af..871615bce 100644 --- a/roles/aws/aws_cloudfront_distribution/tasks/create_function.yml +++ b/roles/aws/aws_cloudfront_distribution/tasks/create_function.yml @@ -9,7 +9,7 @@ - name: Create CF function. ansible.builtin.command: - cmd: "aws cloudfront create-function --function-config file://cf_config --name new-funct --profile dummy --function-code fileb://{{ _ce_provision_build_dir }}/vars/_global/files/{{ _funct.code }}" + cmd: "aws cloudfront create-function --function-config file://cf_config --name new-funct --profile dummy --function-code fileb://{{ _ce_provision_build_dir }}/files/{{ _funct.code }}" when: _funct.type == cf register: _cf_function From 2ddef0e8d53b6fd5573c426c3ca3883831a08b6d Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Mon, 7 Jul 2025 21:14:32 +0200 Subject: [PATCH 06/12] Adding-region-to-lambda --- roles/aws/aws_lambda/defaults/main.yml | 1 + roles/aws/aws_lambda/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) 
diff --git a/roles/aws/aws_lambda/defaults/main.yml b/roles/aws/aws_lambda/defaults/main.yml index 72793abbd..004eb8eaf 100644 --- a/roles/aws/aws_lambda/defaults/main.yml +++ b/roles/aws/aws_lambda/defaults/main.yml @@ -1,6 +1,7 @@ aws_lambda: name: "lambda_function_name" description: "Description for AWS Lambda function" + region: "{{ _aws_region }}" timeout: "20" # Maximum number of seconds before function times out handler: "lambda_handler" # Name of main function s3_bucket: "codeenigma-{{ _aws_profile }}-general-storage-{{ _aws_region }}" diff --git a/roles/aws/aws_lambda/tasks/main.yml b/roles/aws/aws_lambda/tasks/main.yml index f39dd2422..bed05044d 100644 --- a/roles/aws/aws_lambda/tasks/main.yml +++ b/roles/aws/aws_lambda/tasks/main.yml @@ -36,7 +36,7 @@ amazon.aws.lambda: name: "{{ aws_lambda.name }}" description: "{{ aws_lambda.description }}" - region: "{{ _aws_region }}" + region: "{{ aws_lambda.region }}" timeout: "{{ aws_lambda.timeout }}" s3_bucket: "{{ aws_lambda.s3_bucket }}" s3_key: "{{ aws_lambda.s3_bucket_prefix }}/{{ aws_lambda.name }}.zip" From f4fec93d6eace55f09a7eade57b87b7dd638c167 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Tue, 8 Jul 2025 05:41:28 +0200 Subject: [PATCH 07/12] Adding-option-for-adding-zip-file-for-lambda --- roles/aws/aws_lambda/tasks/main.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/roles/aws/aws_lambda/tasks/main.yml b/roles/aws/aws_lambda/tasks/main.yml index bed05044d..1030df27b 100644 --- a/roles/aws/aws_lambda/tasks/main.yml +++ b/roles/aws/aws_lambda/tasks/main.yml 
@@ -9,21 +9,46 @@ tags: [] state: "present" +- name: Check string type using regex + ansible.builtin.set_fact: + string_type: >- + {%- if input_string | regex_search('^https?://') -%} + url + {%- elif input_string | regex_search('\.zip$', ignorecase=True) -%} + zip + {%- else -%} + single + {%- endif -%} + vars: + input_string: "{{ aws_lambda.function_file }}" + - name: Check and clean previous Lambda function. ansible.builtin.file: path: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}.py" state: absent + when: string_type == 'single' - name: Write Lambda function. ansible.builtin.copy: content: "{{ aws_lambda.function_file }}" dest: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}.py" + when: string_type == 'single' - name: Create a zip archive of Lambda function. community.general.archive: path: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}.py" dest: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}.zip" format: zip + when: string_type == 'single' + +- name: Copy a zip archive of Lambda function. + community.general.copy: + src: "{{ aws_lambda.code }}" + dest: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}.zip" + owner: deploy + group: deploy + mode: '0644' + when: string_type == 'zip' - name: Place Lambda function in S3 bucket. amazon.aws.s3_object: From 555cd668fcd4b2c13d563a8c6ab9112b532a11d6 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Tue, 8 Jul 2025 06:01:09 +0200 Subject: [PATCH 08/12] Changing-module-name-for-copy-task --- roles/aws/aws_lambda/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_lambda/tasks/main.yml b/roles/aws/aws_lambda/tasks/main.yml index 1030df27b..be0529e39 100644 --- a/roles/aws/aws_lambda/tasks/main.yml +++ b/roles/aws/aws_lambda/tasks/main.yml 
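Review bot: The first new task can set `string_type` to `url`, but no task in the hunk handles that value, so a URL in `aws_lambda.function_file` writes no zip and the `Place Lambda function in S3 bucket.` task that follows (which, as far as the hunk shows, has no `when`) runs against a file that was never produced. Either add a download step for that branch or reject it up front with `ansible.builtin.assert` and `that: string_type != 'url'`. `string_type` is also stored as a plain host fact with no role prefix, unlike `_ce_provision_build_dir`, and `set_fact` values persist across roles for the rest of the play; `_lambda_string_type` would follow the file's convention and avoid clashes. The `src: "{{ aws_lambda.code }}"` key is not among the defaults shown in patch 06, so the `zip` branch as committed here references an undefined variable.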
@@ -42,7 +42,7 @@ when: string_type == 'single' - name: Copy a zip archive of Lambda function. - community.general.copy: + ansible.builtin.copy: src: "{{ aws_lambda.code }}" dest: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}.zip" owner: deploy From 96d97d6feb2a6542b638678c8bc83741cf4b8b94 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Tue, 8 Jul 2025 06:11:58 +0200 Subject: [PATCH 09/12] Changing-module-name-for-copy-task-2 --- roles/aws/aws_lambda/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_lambda/tasks/main.yml b/roles/aws/aws_lambda/tasks/main.yml index be0529e39..f7cb1945c 100644 --- a/roles/aws/aws_lambda/tasks/main.yml +++ b/roles/aws/aws_lambda/tasks/main.yml @@ -43,7 +43,7 @@ - name: Copy a zip archive of Lambda function. ansible.builtin.copy: - src: "{{ aws_lambda.code }}" + src: "{{ aws_lambda.function_file }}" dest: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}.zip" owner: deploy group: deploy From 6dd7b6631a726ef5d1a3be1a527bb70de78e9f31 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Tue, 8 Jul 2025 06:14:40 +0200 Subject: [PATCH 10/12] Changing-module-name-for-copy-task-3 --- roles/aws/aws_lambda/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/aws/aws_lambda/tasks/main.yml b/roles/aws/aws_lambda/tasks/main.yml index f7cb1945c..c8ebc7376 100644 --- a/roles/aws/aws_lambda/tasks/main.yml +++ b/roles/aws/aws_lambda/tasks/main.yml @@ -45,8 +45,8 @@ ansible.builtin.copy: src: "{{ aws_lambda.function_file }}" dest: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}.zip" - owner: deploy - group: deploy + owner: controller + group: controller mode: '0644' when: string_type == 'zip' From 7cd944a3e3ac72d56da0f321526159e5d7c1a078 Mon Sep 17 00:00:00 2001 
From: Matej Stajduhar Date: Tue, 8 Jul 2025 06:18:45 +0200 Subject: [PATCH 11/12] Changing-module-name-for-copy-task-4 --- roles/aws/aws_lambda/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_lambda/tasks/main.yml b/roles/aws/aws_lambda/tasks/main.yml index c8ebc7376..e8d1fe95c 100644 --- a/roles/aws/aws_lambda/tasks/main.yml +++ b/roles/aws/aws_lambda/tasks/main.yml @@ -4,7 +4,7 @@ vars: aws_s3_bucket: profile: "{{ _aws_profile }}" - region: "{{ _aws_region }}" + region: "{{ aws_lambda.region }}" name: "{{ aws_lambda.s3_bucket }}" tags: [] state: "present" From cc192ba70a2049c820620d87550d411180faa450 Mon Sep 17 00:00:00 2001 
From: Matej Stajduhar Date: Tue, 8 Jul 2025 19:15:24 +0200 Subject: [PATCH 12/12] Finished-lambda-edge-t-cloudfront-function --- .../aws/aws_cloudfront_distribution/README.md | 1 - .../defaults/main.yml | 15 ---- .../tasks/add_function.yml | 16 ++++ .../tasks/check_function.yml | 7 ++ .../tasks/create_cf_function.yml | 48 +++++++++++ .../tasks/create_function.yml | 24 ------ .../tasks/create_lambda_function.yml | 32 +++++++ .../tasks/main.yml | 84 ++++++++++++++++++- .../tasks/process_all_behaviors.yml | 28 +++++++ .../tasks/proxy_pass.yml | 0 .../templates/config.j2 | 5 +- .../templates/lambda_policy.json | 15 ++++ 12 files changed, 228 insertions(+), 47 deletions(-) create mode 100644 roles/aws/aws_cloudfront_distribution/tasks/add_function.yml create mode 100644 roles/aws/aws_cloudfront_distribution/tasks/check_function.yml create mode 100644 roles/aws/aws_cloudfront_distribution/tasks/create_cf_function.yml delete mode 100644 roles/aws/aws_cloudfront_distribution/tasks/create_function.yml create mode 100644 roles/aws/aws_cloudfront_distribution/tasks/create_lambda_function.yml create mode 100644 roles/aws/aws_cloudfront_distribution/tasks/process_all_behaviors.yml delete mode 100644 roles/aws/aws_cloudfront_distribution/tasks/proxy_pass.yml create mode 100644 roles/aws/aws_cloudfront_distribution/templates/lambda_policy.json diff --git a/roles/aws/aws_cloudfront_distribution/README.md b/roles/aws/aws_cloudfront_distribution/README.md index e9baf31f6..f45a01af6 100644 --- a/roles/aws/aws_cloudfront_distribution/README.md +++ b/roles/aws/aws_cloudfront_distribution/README.md @@ -69,7 +69,6 @@ aws_cloudfront_distribution: cache_behaviors: [] # A list of cache behaviors same as default_cache_behavior with additional path_pattern var required. enabled: true purge_existing: true # Set to false to append entries instead of replacing them. - web_acl: false # Set to true to create Web ACL for WAF. ``` 
diff --git a/roles/aws/aws_cloudfront_distribution/defaults/main.yml b/roles/aws/aws_cloudfront_distribution/defaults/main.yml index 24fbec0d8..6a015b54b 100644 --- a/roles/aws/aws_cloudfront_distribution/defaults/main.yml +++ b/roles/aws/aws_cloudfront_distribution/defaults/main.yml @@ -1,19 +1,5 @@ --- aws_cloudfront_distribution: - functions: - - name: "example-cf-function" - type: "cf" # This can be cf or lambda - description: "This is example function." - runtime: "cloudfront-js-2.0" # Can be either cloudfront-js-2.0 or cloudfront-js-1.0 - kvs: "" # arn of KeyValueStore - code: "function.js" - - name: "example-lambda-edge-function" - type: "lambda" # This can be cf or lambda - description: "This is example lambda function." - timeout: 5 - runtime: "nodejs22.x" # Lambda runtimes are defined here https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html - kvs: "" # arn of KeyValueStore - code: "function.js" aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" tags: {} @@ -75,4 +61,3 @@ aws_cloudfront_distribution: cache_behaviors: [] # A list of cache behaviors same as default_cache_behavior with additional path_pattern var required. enabled: true purge_existing: true # Set to false to append entries instead of replacing them. - web_acl: false # Set to true to create Web ACL for WAF. diff --git a/roles/aws/aws_cloudfront_distribution/tasks/add_function.yml b/roles/aws/aws_cloudfront_distribution/tasks/add_function.yml new file mode 100644 index 000000000..ae8132cfa --- /dev/null +++ b/roles/aws/aws_cloudfront_distribution/tasks/add_function.yml 
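Review bot: Removing the `functions` example from defaults leaves the `functions` list and the per-behaviour `lambda_functions` entries (`lambda_name` and `event_type`, consumed in add_function.yml) undocumented anywhere in the role, since the README hunk in this commit only drops `web_acl`. The README should carry the schema this commit depends on: `functions` entries with `name`, `type` (`cf` or `lambda`), `runtime`, `code` and optional `description`/`kvs`, and behaviours with `lambda_functions: [{lambda_name: ..., event_type: ...}]`. Removing the default entry also means `aws_cloudfront_distribution.functions` is undefined unless the inventory sets it, which every expression in tasks/main.yml that reads it must tolerate.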
@@ -0,0 +1,16 @@
+- name: Set empty list.
+ ansible.builtin.set_fact:
+ _lambda_funct_list: []
+
+- name: Create dict.
+ ansible.builtin.set_fact:
+ _lambda_funct_list: "{{ _lambda_funct_list + [{'event_type': item.event_type, 'lambda_function_arn': aws_lambda._result[item.lambda_name].configuration.function_arn}] }}"
+ loop: "{{ _behavior.lambda_functions }}"
+
+- name: Remove lambda_functions and add lambda_function_associations.
+ ansible.builtin.set_fact:
+ _processed_behavior: "{{ (_behavior | dict2items | rejectattr('key', 'equalto', 'lambda_functions') | items2dict) | combine({'lambda_function_associations': _lambda_funct_list}) }}"
+
+- name: Append behaviour to list.
+ ansible.builtin.set_fact:
+ _processed_cache_behaviors: "{{ _processed_cache_behaviors + [_processed_behavior] }}"
diff --git a/roles/aws/aws_cloudfront_distribution/tasks/check_function.yml b/roles/aws/aws_cloudfront_distribution/tasks/check_function.yml
new file mode 100644
index 000000000..8c1e9d151
--- /dev/null
+++ b/roles/aws/aws_cloudfront_distribution/tasks/check_function.yml
@@ -0,0 +1,7 @@
+- name: Create CloudFront function.
+ ansible.builtin.include_tasks: create_cf_function.yml
+ when: _funct.type == 'cf'
+
+- name: Create Lambda function.
+ ansible.builtin.include_tasks: create_lambda_function.yml
+ when: _funct.type == 'lambda'
diff --git a/roles/aws/aws_cloudfront_distribution/tasks/create_cf_function.yml b/roles/aws/aws_cloudfront_distribution/tasks/create_cf_function.yml
new file mode 100644
index 000000000..829ad5f1e
--- /dev/null
+++ b/roles/aws/aws_cloudfront_distribution/tasks/create_cf_function.yml
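Review bot: `'lambda_function_arn': aws_lambda._result[item.lambda_name].configuration.function_arn` in the `Create dict.` task passes whatever ARN the aws_lambda role returns; if `configuration.function_arn` is the unqualified function ARN, CloudFront will reject the association, because Lambda@Edge requires an ARN that names a specific published version, not `$LATEST` or an alias. I cannot see the aws_lambda role's return structure, so confirm which ARN is stored there and, if needed, publish a version and use its qualified ARN here. A comment on that line, such as `# Lambda@Edge associations need a versioned function ARN.`, would document the requirement for the next maintainer.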
@@ -0,0 +1,48 @@
+- name: Check if CF function exists.
+ ansible.builtin.command: "aws cloudfront list-functions --query \"FunctionList.Items[?Name=='{{ _funct.name }}']\""
+ register: _cf_funct_list_result
+
+- name: Get details of CloudFront function
+ ansible.builtin.command: "aws cloudfront get-function --name {{ _funct.name }} /tmp/cf_funct"
+ register: _cf_funct_result
+ when: (_cf_funct_list_result.stdout | from_json) | length > 0
+
+- name: Setting command output into variable.
+ ansible.builtin.set_fact:
+ _cf_funct_result: "{{ _cf_funct_result.stdout | from_json }}"
+ when: (_cf_funct_list_result.stdout | from_json) | length > 0
+
+- name: Create config for CloudFront function.
+ ansible.builtin.template:
+ src: "config.j2"
+ dest: "/tmp/cf_config"
+ owner: controller
+ group: controller
+ mode: 0644
+
+- name: Create CF function.
+ ansible.builtin.command: "aws cloudfront create-function --function-config file:///tmp/cf_config --name {{ _funct.name }} --function-code fileb://{{ _ce_provision_build_dir }}/files/{{ _funct.code }}"
+ register: _cf_function
+ when: (_cf_funct_list_result.stdout | from_json) | length == 0
+
+- name: Setting previous command output into variable.
+ ansible.builtin.set_fact:
+ _cf_function: "{{ _cf_function.stdout | from_json }}"
+ when: (_cf_funct_list_result.stdout | from_json) | length == 0
+
+- name: Update CloudFront function.
+ ansible.builtin.command: "aws cloudfront update-function --name {{ _funct.name }} --if-match {{ _cf_funct_result.ETag }} --function-config file:///tmp/cf_config --function-code fileb://{{ _ce_provision_build_dir }}/files/{{ _funct.code }}"
+ register: _cf_function
+ when: (_cf_funct_list_result.stdout | from_json) | length > 0
+
+- name: Setting previous command output into variable.
+ ansible.builtin.set_fact:
+ _cf_function: "{{ _cf_function.stdout | from_json }}"
+ when: (_cf_funct_list_result.stdout | from_json) | length > 0
+
+- name: Update CloudFront function.
+ ansible.builtin.command: "aws cloudfront publish-function --name {{ _funct.name }} --if-match {{ _cf_function.ETag }}" + +- name: Register aws_lambda results. + ansible.builtin.set_fact: + _function_results: "{{ _function_results + [_cf_function] }}" diff --git a/roles/aws/aws_cloudfront_distribution/tasks/create_function.yml b/roles/aws/aws_cloudfront_distribution/tasks/create_function.yml deleted file mode 100644 index 871615bce..000000000 --- a/roles/aws/aws_cloudfront_distribution/tasks/create_function.yml +++ /dev/null @@ -1,24 +0,0 @@ -- name: Create config for CloudFront function. - ansible.builtin.template: - src: config.j2 - dest: cf_config - owner: controller - group: controller - mode: 0644 - when: _funct.type == cf - -- name: Create CF function. - ansible.builtin.command: - cmd: "aws cloudfront create-function --function-config file://cf_config --name new-funct --profile dummy --function-code fileb://{{ _ce_provision_build_dir }}/files/{{ _funct.code }}" - when: _funct.type == cf - register: _cf_function - -- name: Setting previous command output into variable. - ansible.builtin.set_fact: - _cf_function: "{{ _cf_function.stdout | from_json }}" - when: _funct.type == cf - -- name: Register aws_lambda results. - ansible.builtin.set_fact: - _function_results: "{{ _function_results + [_cf_function] }}" - when: _funct.type == cf diff --git a/roles/aws/aws_cloudfront_distribution/tasks/create_lambda_function.yml b/roles/aws/aws_cloudfront_distribution/tasks/create_lambda_function.yml new file mode 100644 index 000000000..4f7c06275 --- /dev/null +++ b/roles/aws/aws_cloudfront_distribution/tasks/create_lambda_function.yml 
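Review bot: None of the five `aws cloudfront` CLI invocations in this file pass `--profile`, while the distribution that references the functions is created with `profile: "{{ aws_cloudfront_distribution.aws_profile }}"` (the `@@ -49,8 +125,8 @@` hunk of tasks/main.yml); unless the environment exports a profile, which the hunk does not show, the functions are listed, created, updated and published with the controller's ambient credentials and can land in a different account from the distribution. Append `--profile {{ aws_cloudfront_distribution.aws_profile }}` to each command. The `list-functions` and `get-function` calls are read-only and should carry `changed_when: false` so the play does not report a change on every run, and the last task is named `Update CloudFront function.` although it runs `publish-function`; `Publish CloudFront function.` would keep the output readable. `mode: 0644` is an unquoted octal literal here whereas the sibling copy task in aws_lambda uses `mode: '0644'`; pick the quoted form for consistency.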
@@ -0,0 +1,32 @@
+- name: Attach CloudWatch policy.
+ ansible.builtin.set_fact:
+ _policies: "{{ ['arn:aws:iam::aws:policy/AWSLambda_FullAccess'] + ['arn:aws:iam::aws:policy/CloudWatchLogsFullAccess'] }}"
+
+- name: Create a Lambda@Edge role.
+ ansible.builtin.include_role:
+ name: aws/aws_iam_role
+ vars:
+ aws_iam_role:
+ name: "lambda_edge"
+ aws_profile: "{{ _aws_profile }}"
+ managed_policies: "{{ _policies }}"
+ inline_policies:
+ - "lambda:GetFunction"
+ policy_document: "{{ lookup('template', 'lambda_policy.json') }}"
+
+- name: Create Lambda function.
+ ansible.builtin.include_role:
+ name: aws/aws_lambda
+ vars:
+ aws_lambda:
+ name: "{{ _funct.name }}"
+ region: "us-east-1"
+ description: "Lambda function for {{ _funct.name }}"
+ timeout: "5"
+ role: "{{ aws_iam_role._result['lambda_edge'] }}"
+ runtime: "{{ _funct.runtime }}"
+ function_file: "{{ _ce_provision_build_dir }}/files/{{ _funct.code }}"
+ s3_bucket: "codeenigma-{{ _aws_profile }}-general-storage-us-east-1"
+ s3_bucket_prefix: "lambda-functions"
+ tags:
+ Name: "{{ _funct.name }}"
diff --git a/roles/aws/aws_cloudfront_distribution/tasks/main.yml b/roles/aws/aws_cloudfront_distribution/tasks/main.yml
index d2786d9c8..732b8f671 100644
--- a/roles/aws/aws_cloudfront_distribution/tasks/main.yml
+++ b/roles/aws/aws_cloudfront_distribution/tasks/main.yml
@@ -3,7 +3,7 @@
 ansible.builtin.include_role:
 name: aws/aws_acl
 when:
- - aws_cloudfront_distribution.web_acl
+# - aws_cloudfront_distribution.web_acl
 - aws_acl.name is defined
 - aws_acl.scope is defined
 - aws_acl.scope == 'CLOUDFRONT'
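Review bot: The execution role created for every Lambda@Edge function is given `AWSLambda_FullAccess` and `CloudWatchLogsFullAccess`, although the task is named `Attach CloudWatch policy.`; an edge function only needs to write its own logs, so any code running in one of these functions, or anyone able to update its code, gains control over every Lambda function in the account. Replace the `_policies` value with `"{{ ['arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'] }}"` and add broader policies only for a function that demonstrably needs them. `inline_policies:` receives the bare action string `"lambda:GetFunction"` where an IAM policy document would be expected; the aws_iam_role role's schema is not visible here, so confirm it accepts that form. The single shared role name `lambda_edge` is fine for a minimal policy but would have to become per-function before any function-specific permission is added, and `timeout: "5"` drops the `_funct.timeout` field that patch 01 introduced.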
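Review bot: Commenting out `- aws_cloudfront_distribution.web_acl` leaves dead text in the `when:` list and silently changes the contract: WAF association is no longer opt-in per distribution but fires whenever `aws_acl.name` is defined and `aws_acl.scope == 'CLOUDFRONT'` in the inventory. Since this commit also removes `web_acl` from defaults/main.yml and the README, delete the line instead of commenting it and record in the README that defining `aws_acl` with scope `CLOUDFRONT` now attaches the ACL. The enclosing task starts before the hunk.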
@@ -34,12 +34,88 @@ _function_results: [] - name: Create CloudFront function if defined. - ansible.builtin.include_tasks: create_function.yml + ansible.builtin.include_tasks: check_function.yml loop: "{{ aws_cloudfront_distribution.functions }}" loop_control: loop_var: _funct when: aws_cloudfront_distribution.functions is defined +- name: Initialize processed cache behaviors list. + ansible.builtin.set_fact: + _processed_cache_behaviors: [] + +- name: Process default cache behavior if it has lambda functions + ansible.builtin.include_tasks: add_function.yml + vars: + _behavior: "{{ aws_cloudfront_distribution.default_cache_behavior }}" + register: default_result + when: aws_cloudfront_distribution.default_cache_behavior.lambda_functions is defined + +- name: Update default cache behavior + ansible.builtin.set_fact: + _default_cache_string: "{{ _processed_behavior }}" + when: aws_cloudfront_distribution.default_cache_behavior.lambda_functions is defined + +- name: Create dict for default cache behavior + ansible.builtin.set_fact: + _default_cache: "{{ _default_cache_string | from_yaml }}" + when: aws_cloudfront_distribution.default_cache_behavior.lambda_functions is defined + +- name: Create dict for default cache behavior + ansible.builtin.set_fact: + _default_cache: "{{ aws_cloudfront_distribution.default_cache_behavior }}" + when: aws_cloudfront_distribution.default_cache_behavior.lambda_functions is not defined + +- name: Initialize processed cache behaviors list. + ansible.builtin.set_fact: + _processed_cache_behaviors: [] + +- name: Extract the cache behaviors with Lambda function. + ansible.builtin.set_fact: + _cache_behavior_with_lambda: "{{ aws_cloudfront_distribution.cache_behaviors | selectattr('lambda_functions', 'defined') | list }}" + +- name: Extract the cache behaviors with Lambda function. 
+ ansible.builtin.set_fact: + _cache_behavior_without_lambda: "{{ aws_cloudfront_distribution.cache_behaviors | selectattr('lambda_functions', 'undefined') | list }}" + +# Process behaviors with lambda functions +- name: Process behavior with lambda functions + ansible.builtin.include_tasks: add_function.yml + loop: "{{ _cache_behavior_with_lambda | default([]) }}" + loop_control: + loop_var: _behavior + when: _cache_behavior_with_lambda | length > 0 + +# Add each behavior to the final list (processed or original) +- name: Add behavior to final list + ansible.builtin.set_fact: + _processed_cache_behaviors: "{{ _processed_cache_behaviors + _cache_behavior_without_lambda }}" + +- name: Update cache behaviors in aws_cloudfront_distribution + ansible.builtin.set_fact: + _cache_behavior_with_lambda: "{{ {'cache_behaviors': _processed_cache_behaviors} }}" + +- name: Extract the Lambda functios. + ansible.builtin.set_fact: + _lambda_functions: "{{ aws_cloudfront_distribution.functions | selectattr('type', '==', 'lambda') | list }}" + +- name: Wait for Lambda function to be Active. + ansible.builtin.command: > + aws lambda get-function + --function-name {{ item.name }} + --query 'Configuration.[State, LastUpdateStatus]' + --region us-east-1 + register: lambda_status + until: (lambda_status.stdout | from_json)[0] == "Active" + retries: 30 + delay: 10 + changed_when: false + loop: "{{ _lambda_functions }}" + +- name: Wait for 10 seconds. + ansible.builtin.wait_for: + timeout: 10 + - name: Create a CloudFront distribution. community.aws.cloudfront_distribution: profile: "{{ aws_cloudfront_distribution.aws_profile }}" 
@@ -49,8 +125,8 @@ aliases: "{{ aws_cloudfront_distribution.aliases }}" origins: "{{ aws_cloudfront_distribution.origins }}" web_acl_id: "{{ _created_acl.arn | default(omit) }}" - default_cache_behavior: "{{ aws_cloudfront_distribution.default_cache_behavior }}" - cache_behaviors: "{{ aws_cloudfront_distribution.cache_behaviors }}" + default_cache_behavior: "{{ _default_cache }}" + cache_behaviors: "{{ _processed_cache_behaviors }}" validate_certs: "{{ aws_cloudfront_distribution.validate_certs }}" viewer_certificate: "{{ aws_cloudfront_distribution.viewer_certificate }}" purge_origins: "{{ aws_cloudfront_distribution.purge_existing }}" diff --git a/roles/aws/aws_cloudfront_distribution/tasks/process_all_behaviors.yml b/roles/aws/aws_cloudfront_distribution/tasks/process_all_behaviors.yml new file mode 100644 index 000000000..2562efbbb --- /dev/null +++ b/roles/aws/aws_cloudfront_distribution/tasks/process_all_behaviors.yml 
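Review bot: `_lambda_functions: "{{ aws_cloudfront_distribution.functions | selectattr('type', '==', 'lambda') | list }}"` has neither an `is defined` guard nor `default([])`, and this same commit removes `functions` from defaults/main.yml, so any distribution without functions now fails on that line; `loop: "{{ aws_cloudfront_distribution.functions }}"` at the top of the hunk has the same problem because Ansible templates `loop` before it evaluates the per-item `when`. Use `aws_cloudfront_distribution.functions | default([])` in both places. `register: default_result` on an `include_tasks` task has no effect and `default_result` is never read, `_processed_cache_behaviors` is reset twice (the second reset is what drops the default behaviour that add_function.yml appended, which deserves a comment if intentional), and the final `_cache_behavior_with_lambda` reassignment to a one-key dict is not used anywhere in the hunk. The `Wait for Lambda function to be Active.` command hardcodes `--region us-east-1` and passes no `--profile`, so it polls with ambient credentials rather than `aws_cloudfront_distribution.aws_profile`, and it checks only `State`, leaving `LastUpdateStatus` in the query unused.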
@@ -0,0 +1,28 @@
+- name: Process default cache behavior lambda functions.
+ when: aws_cloudfront_distribution.default_cache_behavior.lambda_functions is defined
+ block:
+ - name: Set empty list for default behavior.
+ ansible.builtin.set_fact:
+ _lambda_funct_list: []
+
+ - name: Create lambda function associations for default behavior.
+ ansible.builtin.set_fact:
+ _lambda_funct_list: "{{ _lambda_funct_list + [{'event_type': item.event_type, 'lambda_function_arn': aws_lambda._result[item.lambda_name].configuration.function_arn}] }}"
+ loop: "{{ aws_cloudfront_distribution.default_cache_behavior.lambda_functions }}"
+
+ - name: Update default cache behavior.
+ ansible.builtin.set_fact:
+ aws_cloudfront_distribution: "{{ aws_cloudfront_distribution | combine({'default_cache_behavior': (aws_cloudfront_distribution.default_cache_behavior | dict2items | rejectattr('key', 'equalto', 'lambda_functions') | items2dict) | combine({'lambda_function_associations': _lambda_funct_list})}) }}"
+
+- name: Process cache behaviors lambda functions.
+ ansible.builtin.set_fact:
+ updated_cache_behaviors: "{{ updated_cache_behaviors | default([]) + [processed_behavior] }}"
+ vars:
+ lambda_list: "{{ item.lambda_functions | map('combine', {'lambda_function_arn': aws_lambda._result[item.lambda_name].configuration.function_arn}) | map('dict2items') | map('rejectattr', 'key', 'equalto', 'lambda_name') | map('items2dict') | list if item.lambda_functions is defined else [] }}"
+ processed_behavior: "{{ (item | dict2items | rejectattr('key', 'equalto', 'lambda_functions') | items2dict) | combine({'lambda_function_associations': lambda_list}) if item.lambda_functions is defined else item }}"
+ loop: "{{ aws_cloudfront_distribution.cache_behaviors | default([]) }}"
+
+- name: Update cache behaviors in main structure.
+ ansible.builtin.set_fact: + aws_cloudfront_distribution: "{{ aws_cloudfront_distribution | combine({'cache_behaviors': updated_cache_behaviors}) }}" + when: updated_cache_behaviors is defined diff --git a/roles/aws/aws_cloudfront_distribution/tasks/proxy_pass.yml b/roles/aws/aws_cloudfront_distribution/tasks/proxy_pass.yml deleted file mode 100644 index e69de29bb..000000000 diff --git a/roles/aws/aws_cloudfront_distribution/templates/config.j2 b/roles/aws/aws_cloudfront_distribution/templates/config.j2 index efbc5b4ae..7ddd2a9d0 100644 --- a/roles/aws/aws_cloudfront_distribution/templates/config.j2 +++ b/roles/aws/aws_cloudfront_distribution/templates/config.j2 @@ -1,12 +1,11 @@ { "Comment": "{{ _funct.description }}", - "Runtime": "{{ _funct.runtime }}", - {% if _funct.kvs %} + "Runtime": "{{ _funct.runtime }}"{% if _funct.kvs %}, "KeyValueStoreAssociations": { "Quantity": 1, "Items": [ { - "KeyValueStoreARN": {{_funct.kvs }} + "KeyValueStoreARN": "{{_funct.kvs }}" } ] } diff --git a/roles/aws/aws_cloudfront_distribution/templates/lambda_policy.json b/roles/aws/aws_cloudfront_distribution/templates/lambda_policy.json new file mode 100644 index 000000000..ccb10609a --- /dev/null +++ b/roles/aws/aws_cloudfront_distribution/templates/lambda_policy.json @@ -0,0 +1,15 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com", + "edgelambda.amazonaws.com" + ] + }, + "Action": "sts:AssumeRole" + } + ] + }
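Review bot: process_all_behaviors.yml is added but nothing in this commit includes it (tasks/main.yml wires in add_function.yml for the same job), and it is not a drop-in equivalent: in the `lambda_list` expression `aws_lambda._result[item.lambda_name]` indexes with the behaviour itself (`item` is an element of `cache_behaviors`), which has no `lambda_name` key, and `map('combine', {...})` would stamp one ARN onto every entry. The first block also overwrites `aws_cloudfront_distribution` with `set_fact`, which pins the role's input for the rest of the play and shadows its defaults. Either delete the file or include it and fix the lookup; as committed it is dead code that will mislead the next reader.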
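Review bot: `_funct.description` and `_funct.kvs` are still interpolated into the JSON template as raw text, so a description containing a double quote or backslash produces a `cf_config` that `create-function` rejects; `"Comment": {{ _funct.description | to_json }},` and `"KeyValueStoreARN": {{ _funct.kvs | to_json }}` emit correctly escaped JSON strings and make the manual quoting in this hunk unnecessary. Moving the comma inside `{% if _funct.kvs %}` does fix the trailing-comma problem, but the placement is easy to undo by accident; a one-line template comment such as `{# the comma must stay inside the conditional so the JSON is valid when kvs is empty #}` would protect it.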