diff --git a/.ansible-lint b/.ansible-lint index 02d2d1c31..040449dff 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -14,5 +14,8 @@ skip_list: - template-instead-of-copy # to skip over roles/ssl/tasks/copy.yml errors, temporarily. - name[template] # it doesn't like Jinja templates being in the middle of a task name, which seems silly to me. - name[casing] # sometimes included Galaxy roles break linting rules and cause failures + - args[module] # causing odd issue with ACL role + - jinja[spacing] # pendantic! we get these from GitHub Actions anyway + - latest[git] # Breaks if there is no version control in task exclude_paths: - roles/contrib/ # we don't control these roles diff --git a/roles/aws/aws_admin_tools/defaults/main.yml b/roles/aws/aws_admin_tools/defaults/main.yml index fd0767895..bf156085e 100644 --- a/roles/aws/aws_admin_tools/defaults/main.yml +++ b/roles/aws/aws_admin_tools/defaults/main.yml @@ -7,6 +7,7 @@ aws_admin_tools: - name: "change_asg_scaling" # Name used for creating API Gateway and Lambda functions resource: api # Refers to type of resource for needed function (can be api, schedule and s3) type: POST # Type of HTTP method, can be GET and POST + git_url: "git@codeenigma.net:functions/example_function.git" # If git_url is provided it will be used to download code from gitlab/github policies: [] # List of policies to use for lambda function inline_policies: # Inline policies to allow defining least privilages access name: "change_asg_scaling" # Name of inline policies diff --git a/roles/aws/aws_admin_tools/tasks/lambda_functions.yml b/roles/aws/aws_admin_tools/tasks/lambda_functions.yml index f89141c09..387091112 100644 --- a/roles/aws/aws_admin_tools/tasks/lambda_functions.yml +++ b/roles/aws/aws_admin_tools/tasks/lambda_functions.yml 
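Review bot: Adding `args[module]` to `skip_list` turns off module-argument validation for every role in the repository to work around one ACL role, so a misspelt or invalid module argument anywhere else will now pass lint unnoticed. Scope the exception to the offending task with an inline `# noqa: args[module]` and keep the rule on globally. The same goes for `latest[git]`: it flags precisely the unpinned `ansible.builtin.git` call this commit introduces in `roles/aws/aws_lambda/tasks/handle_url.yml`, which is a signal worth keeping rather than silencing repo-wide.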
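Review bot: The new `git_url` default points at a real-looking repository with no ref, so a deployment that relies on these defaults will clone `example_function.git` at whatever the remote's HEAD is at deploy time and ship that as the Lambda body, which is neither reproducible nor reviewable. Either leave `git_url` unset in defaults and document it as optional, or pair it with a pinned ref key that the clone honours. A comment along the lines of `# Optional. If set, function code is cloned from this repo instead of the local template; pin a tag or commit SHA alongside it.` would make the contract explicit for the next maintainer.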
@@ -3,6 +3,16 @@ name: "{{ item.resource }}_{{ item.name }}" register: _iam_lambda +- name: Set previous command output into variable. + ansible.builtin.set_fact: + _function_file: "{{ lookup('template', item.resource + '_' + item.name + '.py.j2') }}" + when: item.git_url is not defined + +- name: Set previous command output into variable. + ansible.builtin.set_fact: + _function_file: "{{ item.git_url }}" + when: item.git_url is defined + - name: Create Lambda function. ansible.builtin.include_role: name: aws/aws_lambda @@ -13,7 +23,7 @@ timeout: "{{ item.timeout | default(aws_admin_tools.timeout) }}" role: "{{ aws_iam_role._result[item.resource + '_' + item.name] }}" runtime: "{{ aws_admin_tools.runtime }}" - function_file: "{{ lookup('template', item.resource + '_' + item.name + '.py.j2') }}" + function_file: "{{ _function_file }}" s3_bucket: "codeenigma-{{ _aws_profile }}-general-storage-{{ _aws_region }}" s3_bucket_prefix: "lambda-functions" tags: diff --git a/roles/aws/aws_admin_tools/templates/api_change_asg_scaling.py.j2 b/roles/aws/aws_admin_tools/templates/api_change_asg_scaling.py.j2 deleted file mode 100644 index 2cfc32e09..000000000 --- a/roles/aws/aws_admin_tools/templates/api_change_asg_scaling.py.j2 +++ /dev/null @@ -1,30 +0,0 @@ -import json -import boto3 - -asg_cli = boto3.client('autoscaling', region_name="{{ _aws_region }}") - -def lambda_handler(event, context): - - policies = asg_cli.describe_policies( - AutoScalingGroupName=event['asg_name'] - ) - - if policies['ScalingPolicies'][0]['Enabled']: - enable = False - else: - enable = True - - for inst in policies['ScalingPolicies']: - put_result = asg_cli.put_scaling_policy( - AutoScalingGroupName=inst['AutoScalingGroupName'], - PolicyName=inst['PolicyName'], - PolicyType=inst['PolicyType'], - AdjustmentType=inst['AdjustmentType'], - ScalingAdjustment=inst['ScalingAdjustment'], - Enabled=enable - ) - - return { - 'statusCode': 200, - 'body': event - } 
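Review bot: Both new `set_fact` tasks are named "Set previous command output into variable.", which describes neither of them — they select the function source, not capture command output — and two identical names make play output ambiguous. Rename them to `Use local template as Lambda function source.` and `Use git repository as Lambda function source.`. Note also that `_function_file: "{{ item.git_url }}"` hands the aws_lambda role only a URL, so there is no channel for a pinned ref; once the role accepts one, pass `item.git_version` (or similar) alongside it so the deployed code is reproducible.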
diff --git a/roles/aws/aws_admin_tools/templates/api_get_acl_list.py.j2 b/roles/aws/aws_admin_tools/templates/api_get_acl_list.py.j2 deleted file mode 100644 index 6271f2acf..000000000 --- a/roles/aws/aws_admin_tools/templates/api_get_acl_list.py.j2 +++ /dev/null 
@@ -1,63 +0,0 @@ -import json -import boto3 - -waf_regional = boto3.client("wafv2", region_name="{{ _aws_region }}") -waf_cf = boto3.client("wafv2", region_name="us-east-1") -cf_client = boto3.client('cloudfront', region_name="us-east-1") - -def get_rules(waf_client, acl_name, acl_id, scope): - rule_details = waf_client.get_web_acl(Name=acl_name, Scope=scope, Id=acl_id) - return [ - { - 'Name': rule['Name'], - 'Priority': rule['Priority'] - } - for rule in rule_details['WebACL']['Rules'] - ] - -def get_cf_associations(cf_client, web_acl_arn): - dist_list = cf_client.list_distributions_by_web_acl_id(WebACLId=web_acl_arn) - return [item['DomainName'] for item in dist_list.get('DistributionList', {}).get('Items', [])] - -def get_regional_associations(waf_client, web_acl_arn): - associations = [] - for res_type in ['APPLICATION_LOAD_BALANCER', 'API_GATEWAY']: - res_list = waf_client.list_resources_for_web_acl(WebACLArn=web_acl_arn, ResourceType=res_type) - if res_list.get('ResourceArns'): - associations.append({res_type: res_list['ResourceArns']}) - return associations - -def get_web_acls(waf_client, scope, include_cf_associations=False, cf_client=None): - response = waf_client.list_web_acls(Scope=scope) - web_acls = [] - - for acl in response['WebACLs']: - rules = get_rules(waf_client, acl['Name'], acl['Id'], scope) - associations = ( - get_cf_associations(cf_client, acl['ARN']) if include_cf_associations - else get_regional_associations(waf_client, acl['ARN']) - ) - web_acls.append({ - 'Name': acl['Name'], - 'Id': acl['Id'], - 'Rules': rules, - 'Association': associations - }) - return web_acls - -def lambda_handler(event, context): - # CloudFront ACLs (Global Scope) - cf_acls = get_web_acls(waf_cf, scope='CLOUDFRONT', include_cf_associations=True, cf_client=cf_client) - - # Regional ACLs (EU-West-1) - regional_acls = get_web_acls(waf_regional, scope='REGIONAL') - - return { - 'statusCode': 200, - 'ACLs': { - 'CloudFront': cf_acls, - 'Regional': { - "{{ _aws_region 
}}": regional_acls - } - } - } diff --git a/roles/aws/aws_admin_tools/templates/api_get_forecasted_costs.py.j2 b/roles/aws/aws_admin_tools/templates/api_get_forecasted_costs.py.j2 deleted file mode 100644 index 6bed7668b..000000000 --- a/roles/aws/aws_admin_tools/templates/api_get_forecasted_costs.py.j2 +++ /dev/null @@ -1,39 +0,0 @@ -import json -import calendar -from datetime import datetime -import boto3 - -costExpl = boto3.client('ce') - -def lambda_handler(event, context): - currDay=datetime.now().day - currMonth=datetime.now().month - print(currMonth) - currYear=datetime.now().year - print(currYear) - lastDay=calendar.monthrange(currYear, currMonth) - - if currMonth < 10: - currMonth = '0' + str(currMonth) - nextDay = currDay + 1 - if currDay < 10: - currDay = '0' + str(currDay) - if nextDay < 10: - nextDay = '0' + str(nextDay) - - startDate=str(currYear) + '-' + str(currMonth) + '-' + str(currDay) - endDate=str(currYear) + '-' + str(currMonth) + '-' + str(nextDay) - - estimatedCost = costExpl.get_cost_forecast( - TimePeriod={ - 'Start': startDate, - 'End': endDate - }, - Granularity='MONTHLY', - Metric='BLENDED_COST' - ) - return { - 'statusCode': 200, - 'Amount': estimatedCost['Total']['Amount'] + ' ' + estimatedCost['Total']['Unit'], - 'Between': estimatedCost['ForecastResultsByTime'][0]['TimePeriod']['Start'] + ' - ' + estimatedCost['ForecastResultsByTime'][0]['TimePeriod']['End'] - } diff --git a/roles/aws/aws_admin_tools/templates/api_get_ip_set.py.j2 b/roles/aws/aws_admin_tools/templates/api_get_ip_set.py.j2 deleted file mode 100644 index c44843bda..000000000 --- a/roles/aws/aws_admin_tools/templates/api_get_ip_set.py.j2 +++ /dev/null 
@@ -1,21 +0,0 @@ -import json -import boto3 - -waf_cli = boto3.client("wafv2") - -def lambda_handler(event, context): - - print("Gathering instance details.") - ip_set=waf_cli.get_ip_set( - Name=event['set_name'], - Scope='REGIONAL', - Id=event['id'] - ) - - return { - 'statusCode': 200, - 'name': ip_set['IPSet']['Name'], - 'id': ip_set['IPSet']['Id'], - 'addresses': ip_set['IPSet']['Addresses'], - 'lock_token': ip_set['LockToken'], - } diff --git a/roles/aws/aws_admin_tools/templates/api_update_ip_set.py.j2 b/roles/aws/aws_admin_tools/templates/api_update_ip_set.py.j2 deleted file mode 100644 index 08781fb2b..000000000 --- a/roles/aws/aws_admin_tools/templates/api_update_ip_set.py.j2 +++ /dev/null @@ -1,19 +0,0 @@ -import json -import boto3 - -waf_cli = boto3.client("wafv2") - -def lambda_handler(event, context): - - response = waf_cli.update_ip_set( - Name=event['name'], - Scope=event['scope'], - Id=event['id'], - Addresses=event['addresses'], - LockToken=event['lock_token'] -) - - return { - 'statusCode': 200, - 'body': response - } diff --git a/roles/aws/aws_ami/tasks/repack.yml b/roles/aws/aws_ami/tasks/repack.yml index 47ba4904d..9a9c899ca 100644 --- a/roles/aws/aws_ami/tasks/repack.yml +++ b/roles/aws/aws_ami/tasks/repack.yml 
@@ -9,21 +9,25 @@ register: aws_ami_running_instances - name: Create a Security Group to access the controller. - amazon.aws.ec2_security_group: - profile: "{{ aws_ami.aws_profile }}" - region: "{{ aws_ami.region }}" - name: "{{ aws_ami.repack.cluster_name }}-repacker" - tags: "{{ aws_ami.tags }}" - state: present - vpc_id: "{{ aws_ami.repack.vpc_id }}" - description: "Allow controller to access the {{ aws_ami.ami_name }}-repacking instance" - rules: - - proto: tcp - ports: - - 22 - cidr_ip: "{{ aws_ami.repack.controller_cidr }}" - rule_desc: "Allow controller to access the {{ aws_ami.ami_name }}-repacking instance" - rules_egress: [] + ansible.builtin.include_role: + name: aws/aws_vpc + tasks_from: security_group + vars: + aws_vpc: + profile: "{{ aws_ami.aws_profile }}" + region: "{{ aws_ami.region }}" + name: "{{ aws_ami.repack.cluster_name }}-repacker" + tags: "{{ aws_ami.tags }}" + state: present + id: "{{ aws_ami.repack.vpc_id }}" + description: "Allow controller to access the {{ aws_ami.ami_name }}-repacking instance" + rules: + - proto: tcp + ports: + - 22 + cidr_ip: "{{ aws_ami.repack.controller_cidr }}" + rule_desc: "Allow controller to access the {{ aws_ami.ami_name }}-repacking instance" + rules_egress: [] - name: Create an AMI with an existing EC2 instance. amazon.aws.ec2_ami: diff --git a/roles/aws/aws_backup_validation/tasks/testing_resources.yml b/roles/aws/aws_backup_validation/tasks/testing_resources.yml index 56fd50eda..cba6940fc 100644 --- a/roles/aws/aws_backup_validation/tasks/testing_resources.yml +++ b/roles/aws/aws_backup_validation/tasks/testing_resources.yml 
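Review bot: The `aws_vpc` dict passed to the include uses the key `profile`, but the included `security_group.yml` reads `aws_vpc.aws_profile` (visible as unchanged context in that file's hunk), so the profile is undefined inside the include and the task will either fail or fall back to the controller's ambient credentials. Rename the key to `aws_profile: "{{ aws_ami.aws_profile }}"`. Everything else in the rule set, including the empty `rules_egress`, carries over unchanged from the old inline module call.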
@@ -30,26 +30,32 @@ register: _main_subnets_info - name: Create SG for restored instances. - amazon.aws.ec2_security_group: - name: Restore_testing - description: This SG is used to allow SSM and SSH access to the server - region: "{{ _aws_region }}" - vpc_id: "{{ _main_vpc_info.vpcs[0].vpc_id }}" - rules: - - proto: tcp - from_port: 80 - to_port: 80 - cidr_ip: 0.0.0.0/0 - - proto: tcp - from_port: 443 - to_port: 443 - cidr_ip: 0.0.0.0/0 - - proto: tcp - from_port: 22 - to_port: 22 - cidr_ip: 0.0.0.0/0 - rules_egress: [] - register: _restore_testing_sg + ansible.builtin.include_role: + name: aws/aws_vpc + tasks_from: security_group + vars: + aws_vpc: + name: "Restore_testing" + region: "{{ aws_ec2_autoscale_cluster.region }}" + id: "{{ _main_vpc_info.vpcs[0].vpc_id }}" + description: "This SG is used to allow SSM and SSH access to the server" + rules: + - proto: tcp + from_port: 80 + to_port: 80 + cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 443 + to_port: 443 + cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 22 + to_port: 22 + cidr_ip: 0.0.0.0/0 + +- name: Construct AWS instance type dict. + ansible.builtin.set_fact: + _restore_testing_sg: "{{ aws_vpc._result['Restore_testing'] }}" - name: Remove restore testing query file. ansible.builtin.file: diff --git a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml index e8f63de73..67a1b7351 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml +++ b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml 
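Review bot: `region` now comes from `aws_ec2_autoscale_cluster.region`, a variable owned by a different role, where the old task used `_aws_region`; when aws_backup_validation runs without that role's vars loaded the include fails on an undefined variable. Keep `region: "{{ _aws_region }}"` and add an `aws_profile` key, which the included `security_group.yml` reads and this call omits. Separately, the carried-over ingress rules still open port 22 to `0.0.0.0/0` on a group whose description says it exists for SSM access; SSM needs no inbound rule, so restricting 22 to the controller CIDR, or dropping it, is the least-privilege fix. The follow-up `set_fact` is named "Construct AWS instance type dict.", a copy-paste name; `Record restore-testing security group.` matches what it does.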
@@ -30,23 +30,29 @@ when: aws_ec2_autoscale_cluster.vpc_name is not defined or (aws_ec2_autoscale_cluster.vpc_name | length) == 0 - name: Create matching Security Group. - amazon.aws.ec2_security_group: - profile: "{{ aws_ec2_autoscale_cluster.aws_profile }}" - region: "{{ aws_ec2_autoscale_cluster.region }}" - name: "{{ aws_ec2_autoscale_cluster.name }}" - tags: "{{ aws_ec2_autoscale_cluster.tags | combine({'Name': aws_ec2_autoscale_cluster.name}) }}" - state: "{{ aws_ec2_autoscale_cluster.state }}" - vpc_id: "{{ _aws_ec2_autoscale_cluster_vpc_id }}" - description: "Allow internal traffic for cluster {{ aws_ec2_autoscale_cluster.name }}" - rules: - - proto: all - group_name: "{{ aws_ec2_autoscale_cluster.name }}" - rule_desc: "Allow internal traffic for cluster {{ aws_ec2_autoscale_cluster.name }}" + ansible.builtin.include_role: + name: aws/aws_vpc + tasks_from: security_group + vars: + aws_vpc: + name: "{{ aws_ec2_autoscale_cluster.name }}" + profile: "{{ aws_ec2_autoscale_cluster.aws_profile }}" + region: "{{ aws_ec2_autoscale_cluster.region }}" + tags: "{{ aws_ec2_autoscale_cluster.tags | combine({'Name': aws_ec2_autoscale_cluster.name}) }}" + state: "{{ aws_ec2_autoscale_cluster.state }}" + id: "{{ _aws_ec2_autoscale_cluster_vpc_id }}" + description: "Allow internal traffic for cluster {{ aws_ec2_autoscale_cluster.name }}" + rules: + - proto: all + group_name: "{{ aws_ec2_autoscale_cluster.name }}" rules_egress: - proto: all group_name: "{{ aws_ec2_autoscale_cluster.name }}" rule_desc: "Allow internal traffic for cluster {{ aws_ec2_autoscale_cluster.name }}" - register: _aws_ec2_autoscale_cluster_security_group + +- name: Set _aws_ec2_autoscale_cluster_security_group variable. + ansible.builtin.set_fact: + _aws_ec2_autoscale_cluster_security_group: "{{ aws_vpc._result[aws_ec2_autoscale_cluster.name] }}" - name: Reset subnets lists. ansible.builtin.set_fact: 
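Review bot: The `aws_vpc` dict passed into `security_group` uses the key `profile`, whereas `security_group.yml` reads `aws_vpc.aws_profile` (unchanged context in that hunk), so the group is created with an undefined profile or the task errors; rename it `aws_profile: "{{ aws_ec2_autoscale_cluster.aws_profile }}"`. The ingress rule also lost its `rule_desc` in the move while the egress rule kept it, so the two descriptions no longer match in the console. `_aws_ec2_autoscale_cluster_security_group` is now taken from `aws_vpc._result[...]`; where that key is populated is not visible in this diff, and any downstream reader of `.group_id` should be checked against whatever shape `_result` actually holds.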
diff --git a/roles/aws/aws_lambda/tasks/handle_single.yml b/roles/aws/aws_lambda/tasks/handle_single.yml new file mode 100644 index 000000000..45afa3fab --- /dev/null +++ b/roles/aws/aws_lambda/tasks/handle_single.yml @@ -0,0 +1,15 @@ +- name: Check and clean previous Lambda function. + ansible.builtin.file: + path: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}.py" + state: absent + +- name: Write Lambda function. + ansible.builtin.copy: + content: "{{ aws_lambda.function_file }}" + dest: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}.py" + +- name: Create a zip archive of Lambda function. + community.general.archive: + path: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}.py" + dest: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}.zip" + format: zip diff --git a/roles/aws/aws_lambda/tasks/handle_url.yml b/roles/aws/aws_lambda/tasks/handle_url.yml new file mode 100644 index 000000000..fa5ca0202 --- /dev/null +++ b/roles/aws/aws_lambda/tasks/handle_url.yml @@ -0,0 +1,33 @@ +- name: Clone git repo. + ansible.builtin.git: + repo: "{{ aws_lambda.function_file }}" + dest: /tmp/funct + +- name: Find all .j2 template files. + ansible.builtin.find: + paths: "{{ work_dir }}/{{ repo_name }}" + patterns: "*.j2" + recurse: true + register: _j2_files + +- name: Template all .j2 files. + ansible.builtin.template: + src: "{{ item.path }}" + dest: "{{ item.path | regex_replace('\\.j2$', '') }}" + loop: "{{ _j2_files.files }}" + loop_control: + label: "{{ item.path }}" + +- name: Remove original .j2 files after templating. + ansible.builtin.file: + path: "{{ item.path }}" + state: absent + loop: "{{ _j2_files.files }}" + loop_control: + label: "{{ item.path }}" + +- name: Copy a zip archive of Lambda function. + community.general.archive: + path: "/tmp/funct" + dest: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}.zip" + format: zip 
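Review bot: The clone task has no `version`, so every run fetches whatever the remote's default branch points at, and the cloned tree is then run through `ansible.builtin.template` with the controller's full variable context — anyone who can push to that repository can execute Jinja2 on the provisioning controller and read any variable in scope, credentials included. Pin the ref (ideally a commit SHA supplied by the caller) and either drop the templating step or document exactly which variables function authors may reference. The `find` task also searches `{{ work_dir }}/{{ repo_name }}`, neither of which is defined anywhere in this diff, while the clone lands in the fixed path `/tmp/funct`, which is never cleaned between functions and whose `.git` directory ends up in the archive. Cloning into a per-function directory under `_ce_provision_build_dir` after removing it, and pointing `find` and `archive` at that same directory, fixes all three.
```yaml
- name: Clean previous clone of Lambda function.
  ansible.builtin.file:
    path: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}"
    state: absent

- name: Clone git repo.
  ansible.builtin.git:
    repo: "{{ aws_lambda.function_file }}"
    dest: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}"
    version: "{{ aws_lambda.function_version | default('main') }}"  # callers should pin a tag or commit SHA

- name: Find all .j2 template files.
  ansible.builtin.find:
    paths: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}"
    patterns: "*.j2"
    recurse: true
  register: _j2_files

# … unchanged: template and remove .j2 files …

- name: Copy a zip archive of Lambda function.
  community.general.archive:
    path: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}"
    dest: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}.zip"
    format: zip
    exclude_path: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}/.git"
```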
diff --git a/roles/aws/aws_lambda/tasks/handle_zip.yml b/roles/aws/aws_lambda/tasks/handle_zip.yml new file mode 100644 index 000000000..47be33206 --- /dev/null +++ b/roles/aws/aws_lambda/tasks/handle_zip.yml @@ -0,0 +1,7 @@ +- name: Copy a zip archive of Lambda function. + ansible.builtin.copy: + src: "{{ aws_lambda.function_file }}" + dest: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}.zip" + owner: controller + group: controller + mode: '0644' diff --git a/roles/aws/aws_lambda/tasks/main.yml b/roles/aws/aws_lambda/tasks/main.yml index f39dd2422..c6edc8437 100644 --- a/roles/aws/aws_lambda/tasks/main.yml +++ b/roles/aws/aws_lambda/tasks/main.yml @@ -9,21 +9,30 @@ tags: [] state: "present" -- name: Check and clean previous Lambda function. - ansible.builtin.file: - path: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}.py" - state: absent +- name: Check string type using regex + ansible.builtin.set_fact: + _string_type: >- + {%- if input_string | regex_search('^(https?://|git@)') -%} + url + {%- elif input_string | regex_search('\.zip$', ignorecase=True) -%} + zip + {%- else -%} + single + {%- endif -%} + vars: + input_string: "{{ aws_lambda.function_file }}" + +- name: Handle single file. + ansible.builtin.include_tasks: handle_single.yml + when: _string_type == 'single' -- name: Write Lambda function. - ansible.builtin.copy: - content: "{{ aws_lambda.function_file }}" - dest: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}.py" +- name: Handle zip file. + ansible.builtin.include_tasks: handle_zip.yml + when: _string_type == 'zip' -- name: Create a zip archive of Lambda function. - community.general.archive: - path: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}.py" - dest: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}.zip" - format: zip +- name: Handle url. + ansible.builtin.include_tasks: handle_url.yml + when: _string_type == 'url' - name: Place Lambda function in S3 bucket. amazon.aws.s3_object: 
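Review bot: The classifier's URL branch matches only `^(https?://|git@)`, so an `ssh://git@…` or `git://…` repository URL falls through to `single` and the URL string itself is written to `{{ aws_lambda.name }}.py` and deployed as the function body. Extend the pattern to `regex_search('^(https?://|ssh://|git://|git@)')` or, better, make the source kind an explicit `aws_lambda.function_type` key instead of sniffing the string. The task name `Check string type using regex` also lacks the trailing period the rest of the role uses, and `_string_type` would read better as `_aws_lambda_source_type`, matching the `_aws_…` prefix the other registered variables in this diff follow.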
diff --git a/roles/aws/aws_vpc/tasks/main.yml b/roles/aws/aws_vpc/tasks/main.yml index 9901abd85..ad461150c 100644 --- a/roles/aws/aws_vpc/tasks/main.yml +++ b/roles/aws/aws_vpc/tasks/main.yml @@ -10,22 +10,19 @@ register: _aws_vpc_vpc - name: Ensure default Security group is tagged. - amazon.aws.ec2_security_group: - name: "default" - profile: "{{ aws_vpc.aws_profile }}" - region: "{{ aws_vpc.region }}" - tags: "{{ aws_vpc.tags }}" - state: "{{ aws_vpc.state }}" - vpc_id: "{{ _aws_vpc_vpc.vpc.id }}" - description: "default VPC security group" - purge_rules: false + ansible.builtin.include_tasks: "security_group.yml" + vars: + aws_vpc: + name: "default" + id: "{{ _aws_vpc_vpc.vpc.id }}" + description: "default VPC security group" + purge_rules: false - name: Create VPC Security groups. ansible.builtin.include_tasks: "security_group.yml" - with_items: "{{ aws_vpc.security_groups }}" + loop: "{{ aws_vpc.security_groups | list }}" loop_control: - loop_var: security_group - label: "{{ security_group.name }}" + loop_var: _sec_group - name: Create IGW. amazon.aws.ec2_vpc_igw: diff --git a/roles/aws/aws_vpc/tasks/security_group.yml b/roles/aws/aws_vpc/tasks/security_group.yml index 4e737b3cd..9af4121dd 100644 --- a/roles/aws/aws_vpc/tasks/security_group.yml +++ b/roles/aws/aws_vpc/tasks/security_group.yml 
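Review bot: Passing `vars: aws_vpc:` with only `name`, `id`, `description` and `purge_rules` replaces the whole `aws_vpc` dict for the included tasks, so `aws_vpc.aws_profile`, `aws_vpc.region`, `aws_vpc.tags` and `aws_vpc.state` read by `security_group.yml` are undefined there — a task-level var is not merged with the role variable of the same name. Give the include a differently named input (the default-group fields under e.g. `_sec_group`, which `security_group.yml` already handles) so the role dict is never shadowed; self-references like `aws_profile: "{{ aws_vpc.aws_profile }}"` inside a var named `aws_vpc` would be recursive and are not a fix. The loop below also dropped `label:` from `loop_control`, so each iteration now prints the full group dict, rules included; restore `label: "{{ _sec_group.name }}"`.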
@@ -1,14 +1,25 @@ +- name: Configure vars if looping over list. + ansible.builtin.set_fact: + aws_vpc: + name: "{{ _sec_group.name | default('') }}" + tags: "{{ _aws_vpc_vpc.vpc.tags | combine({'Name': _sec_group.name}) }}" + id: "{{ _aws_vpc_vpc.vpc.id }}" + description: "{{ _sec_group.description }}" + rules: "{{ _sec_group.rules | default(omit) }}" + rules_egress: "{{ _sec_group.rules_egress | default(omit) }}" + when: _sec_group is defined + - name: Create Security Group. amazon.aws.ec2_security_group: - name: "{{ security_group.name }}" + name: "{{ aws_vpc.name }}" profile: "{{ aws_vpc.aws_profile }}" region: "{{ aws_vpc.region }}" - tags: "{{ aws_vpc.tags | combine({'Name': security_group.name}) }}" + tags: "{{ aws_vpc.tags }}" state: "{{ aws_vpc.state }}" - vpc_id: "{{ _aws_vpc_vpc.vpc.id }}" - description: "{{ security_group.description | default('') }}" - rules: "{{ security_group.rules | default(omit) }}" - rules_egress: "{{ security_group.rules_egress | default(omit) }}" + vpc_id: "{{ aws_vpc.id }}" + description: "{{ aws_vpc.description | default('') }}" + rules: "{{ aws_vpc.rules | default(omit) }}" + rules_egress: "{{ aws_vpc.rules_egress | default(omit) }}" purge_rules: "{{ aws_vpc.purge_rules | default(omit) }}" register: _aws_vpc_result diff --git a/roles/aws/aws_vpc_subnet/tasks/subnet.yml b/roles/aws/aws_vpc_subnet/tasks/subnet.yml index 3d89ccc5e..52ceaa6af 100644 --- a/roles/aws/aws_vpc_subnet/tasks/subnet.yml +++ b/roles/aws/aws_vpc_subnet/tasks/subnet.yml 
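Review bot: The new `set_fact` overwrites `aws_vpc` itself with a six-key dict, so within the loop the `aws_vpc.aws_profile`, `aws_vpc.region` and `aws_vpc.state` read two tasks down are undefined, and because facts outrank role vars and play vars the truncated dict persists for the rest of the play — later tasks in this role (IGW creation onward) that read `aws_vpc.region` or `aws_vpc.tags` inherit it unless `aws_vpc` comes from extra vars. Store the per-group definition under a separate fact and reference that in the module call, leaving `aws_vpc` untouched. `name: "{{ _sec_group.name | default('') }}"` also tolerates a nameless group while the `tags` expression right below uses `_sec_group.name` unconditionally, so the default only moves the failure; make `name` required. Finally, `rules: "{{ _sec_group.rules | default(omit) }}"` stores the omit placeholder in a fact, which Ansible does not guarantee to honour when the fact is later templated into a module; applying `default(omit)` at the module parameter instead, as below, keeps the original "leave rules alone when unset" behaviour.
```yaml
- name: Build the group definition when looping over aws_vpc.security_groups.
  ansible.builtin.set_fact:
    _aws_vpc_sg: "{{ _sec_group | combine({'id': _aws_vpc_vpc.vpc.id, 'tags': _aws_vpc_vpc.vpc.tags | combine({'Name': _sec_group.name})}) }}"
  when: _sec_group is defined

- name: Use the caller-supplied definition otherwise.
  ansible.builtin.set_fact:
    _aws_vpc_sg: "{{ aws_vpc }}"
  when: _sec_group is not defined

- name: Create Security Group.
  amazon.aws.ec2_security_group:
    name: "{{ _aws_vpc_sg.name }}"
    profile: "{{ aws_vpc.aws_profile }}"
    region: "{{ aws_vpc.region }}"
    tags: "{{ _aws_vpc_sg.tags | default(omit) }}"
    state: "{{ aws_vpc.state }}"
    vpc_id: "{{ _aws_vpc_sg.id }}"
    description: "{{ _aws_vpc_sg.description | default('') }}"
    rules: "{{ _aws_vpc_sg.rules | default(omit) }}"
    rules_egress: "{{ _aws_vpc_sg.rules_egress | default(omit) }}"
    purge_rules: "{{ _aws_vpc_sg.purge_rules | default(omit) }}"
  register: _aws_vpc_result
```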
@@ -23,18 +23,21 @@ when: subnet.nat_ipv4 is defined and subnet.nat_ipv4 - name: Create matching Security Group. - amazon.aws.ec2_security_group: - name: "{{ subnet.name }}" - profile: "{{ aws_vpc_subnet.aws_profile }}" - region: "{{ aws_vpc_subnet.region }}" - tags: "{{ aws_vpc_subnet.tags | combine({'Name': subnet.name}) }}" - state: "{{ aws_vpc_subnet.state }}" - vpc_id: "{{ _aws_vpc_subnet_vpc_id }}" - description: "Allow internal traffic for subnet {{ subnet.name }}" - rules: - - proto: all - group_name: "{{ subnet.name }}" - rule_desc: "Allow internal traffic for subnet {{ subnet.name }}" + ansible.builtin.include_role: + name: aws/aws_vpc + tasks_from: security_group + vars: + aws_vpc: + name: "{{ subnet.name }}" + profile: "{{ aws_vpc_subnet.aws_profile }}" + region: "{{ aws_vpc_subnet.region }}" + tags: "{{ aws_vpc_subnet.tags | combine({'Name': subnet.name}) }}" + state: "{{ aws_vpc_subnet.state }}" + id: "{{ _aws_vpc_subnet_vpc_id }}" + description: "Allow internal traffic for subnet {{ subnet.name }}" + rules: + - proto: all + group_name: "{{ subnet.name }}" rules_egress: - proto: all group_name: "{{ subnet.name }}"