SG-creation-update

.ansible-lint

@@ -14,5 +14,8 @@ skip_list:
   - template-instead-of-copy # to skip over roles/ssl/tasks/copy.yml errors, temporarily.
   - name[template] # it doesn't like Jinja templates being in the middle of a task name, which seems silly to me.
   - name[casing] # sometimes included Galaxy roles break linting rules and cause failures
+  - args[module] # causing odd issue with ACL role
+  - jinja[spacing] # pendantic! we get these from GitHub Actions anyway
+  - latest[git] # Breaks if there is no version control in task
 exclude_paths:
   - roles/contrib/ # we don't control these roles

roles/aws/aws_admin_tools/defaults/main.yml

@@ -7,6 +7,7 @@ aws_admin_tools:
     - name: "change_asg_scaling" # Name used for creating API Gateway and Lambda functions
       resource: api # Refers to type of resource for needed function (can be api, schedule and s3)
       type: POST # Type of HTTP method, can be GET and POST
+      git_url: "git@codeenigma.net:functions/example_function.git" # If git_url is provided it will be used to download code from gitlab/github
       policies: [] # List of policies to use for lambda function
       inline_policies: # Inline policies to allow defining least privilages access
         name: "change_asg_scaling" # Name of inline policies

roles/aws/aws_admin_tools/tasks/lambda_functions.yml

@@ -3,6 +3,16 @@
     name: "{{ item.resource }}_{{ item.name }}"
   register: _iam_lambda
 
+- name: Set previous command output into variable.
+  ansible.builtin.set_fact:
+    _function_file: "{{ lookup('template', item.resource + '_' + item.name + '.py.j2') }}"
+  when: item.git_url is not defined
+
+- name: Set previous command output into variable.
+  ansible.builtin.set_fact:
+    _function_file: "{{ item.git_url }}"
+  when: item.git_url is defined
+
 - name: Create Lambda function.
   ansible.builtin.include_role:
     name: aws/aws_lambda
@@ -13,7 +23,7 @@
       timeout: "{{ item.timeout | default(aws_admin_tools.timeout) }}"
       role: "{{ aws_iam_role._result[item.resource + '_' + item.name] }}"
       runtime: "{{ aws_admin_tools.runtime }}"
-      function_file: "{{ lookup('template', item.resource + '_' + item.name + '.py.j2') }}"
+      function_file: "{{ _function_file }}"
       s3_bucket: "codeenigma-{{ _aws_profile }}-general-storage-{{ _aws_region }}"
       s3_bucket_prefix: "lambda-functions"
       tags:

roles/aws/aws_ami/tasks/repack.yml

@@ -9,21 +9,25 @@
   register: aws_ami_running_instances
 
 - name: Create a Security Group to access the controller.
-  amazon.aws.ec2_security_group:
-    profile: "{{ aws_ami.aws_profile }}"
-    region: "{{ aws_ami.region }}"
-    name: "{{ aws_ami.repack.cluster_name }}-repacker"
-    tags: "{{ aws_ami.tags }}"
-    state: present
-    vpc_id: "{{ aws_ami.repack.vpc_id }}"
-    description: "Allow controller to access the {{ aws_ami.ami_name }}-repacking instance"
-    rules:
-      - proto: tcp
-        ports:
-          - 22
-        cidr_ip: "{{ aws_ami.repack.controller_cidr }}"
-        rule_desc: "Allow controller to access the {{ aws_ami.ami_name }}-repacking instance"
-    rules_egress: []
+  ansible.builtin.include_role:
+    name: aws/aws_vpc
+    tasks_from: security_group
+  vars:
+    aws_vpc:
+      profile: "{{ aws_ami.aws_profile }}"
+      region: "{{ aws_ami.region }}"
+      name: "{{ aws_ami.repack.cluster_name }}-repacker"
+      tags: "{{ aws_ami.tags }}"
+      state: present
+      id: "{{ aws_ami.repack.vpc_id }}"
+      description: "Allow controller to access the {{ aws_ami.ami_name }}-repacking instance"
+      rules:
+        - proto: tcp
+          ports:
+            - 22
+          cidr_ip: "{{ aws_ami.repack.controller_cidr }}"
+          rule_desc: "Allow controller to access the {{ aws_ami.ami_name }}-repacking instance"
+      rules_egress: []
 
 - name: Create an AMI with an existing EC2 instance.
   amazon.aws.ec2_ami:

roles/aws/aws_backup_validation/tasks/testing_resources.yml

@@ -30,26 +30,32 @@
   register: _main_subnets_info
 
 - name: Create SG for restored instances.
-  amazon.aws.ec2_security_group:
-    name: Restore_testing
-    description: This SG is used to allow SSM and SSH access to the server
-    region: "{{ _aws_region }}"
-    vpc_id: "{{ _main_vpc_info.vpcs[0].vpc_id }}"
-    rules:
-      - proto: tcp
-        from_port: 80
-        to_port: 80
-        cidr_ip: 0.0.0.0/0
-      - proto: tcp
-        from_port: 443
-        to_port: 443
-        cidr_ip: 0.0.0.0/0
-      - proto: tcp
-        from_port: 22
-        to_port: 22
-        cidr_ip: 0.0.0.0/0
-    rules_egress: []
-  register: _restore_testing_sg
+  ansible.builtin.include_role:
+    name: aws/aws_vpc
+    tasks_from: security_group
+  vars:
+    aws_vpc:
+      name: "Restore_testing"
+      region: "{{ aws_ec2_autoscale_cluster.region }}"
+      id: "{{ _main_vpc_info.vpcs[0].vpc_id }}"
+      description: "This SG is used to allow SSM and SSH access to the server"
+      rules:
+        - proto: tcp
+          from_port: 80
+          to_port: 80
+          cidr_ip: 0.0.0.0/0
+        - proto: tcp
+          from_port: 443
+          to_port: 443
+          cidr_ip: 0.0.0.0/0
+        - proto: tcp
+          from_port: 22
+          to_port: 22
+          cidr_ip: 0.0.0.0/0
+
+- name: Construct AWS instance type dict.
+  ansible.builtin.set_fact:
+    _restore_testing_sg: "{{ aws_vpc._result['Restore_testing'] }}"
 
 - name: Remove restore testing query file.
   ansible.builtin.file:

roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml

@@ -30,23 +30,29 @@
   when: aws_ec2_autoscale_cluster.vpc_name is not defined or (aws_ec2_autoscale_cluster.vpc_name | length) == 0
 
 - name: Create matching Security Group.
-  amazon.aws.ec2_security_group:
-    profile: "{{ aws_ec2_autoscale_cluster.aws_profile }}"
-    region: "{{ aws_ec2_autoscale_cluster.region }}"
-    name: "{{ aws_ec2_autoscale_cluster.name }}"
-    tags: "{{ aws_ec2_autoscale_cluster.tags | combine({'Name': aws_ec2_autoscale_cluster.name}) }}"
-    state: "{{ aws_ec2_autoscale_cluster.state }}"
-    vpc_id: "{{ _aws_ec2_autoscale_cluster_vpc_id }}"
-    description: "Allow internal traffic for cluster {{ aws_ec2_autoscale_cluster.name }}"
-    rules:
-      - proto: all
-        group_name: "{{ aws_ec2_autoscale_cluster.name }}"
-        rule_desc: "Allow internal traffic for cluster {{ aws_ec2_autoscale_cluster.name }}"
+  ansible.builtin.include_role:
+    name: aws/aws_vpc
+    tasks_from: security_group
+  vars:
+    aws_vpc:
+      name: "{{ aws_ec2_autoscale_cluster.name }}"
+      profile: "{{ aws_ec2_autoscale_cluster.aws_profile }}"
+      region: "{{ aws_ec2_autoscale_cluster.region }}"
+      tags: "{{ aws_ec2_autoscale_cluster.tags | combine({'Name': aws_ec2_autoscale_cluster.name}) }}"
+      state: "{{ aws_ec2_autoscale_cluster.state }}"
+      id: "{{ _aws_ec2_autoscale_cluster_vpc_id }}"
+      description: "Allow internal traffic for cluster {{ aws_ec2_autoscale_cluster.name }}"
+      rules:
+        - proto: all
+          group_name: "{{ aws_ec2_autoscale_cluster.name }}"
     rules_egress:
       - proto: all
         group_name: "{{ aws_ec2_autoscale_cluster.name }}"
         rule_desc: "Allow internal traffic for cluster {{ aws_ec2_autoscale_cluster.name }}"
-  register: _aws_ec2_autoscale_cluster_security_group
+
+- name: Set _aws_ec2_autoscale_cluster_security_group variable.
+  ansible.builtin.set_fact:
+    _aws_ec2_autoscale_cluster_security_group: "{{ aws_vpc._result[aws_ec2_autoscale_cluster.name] }}"
 
 - name: Reset subnets lists.
   ansible.builtin.set_fact:

roles/aws/aws_lambda/tasks/handle_single.yml

@@ -0,0 +1,15 @@
+- name: Check and clean previous Lambda function.
+  ansible.builtin.file:
+    path: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}.py"
+    state: absent
+
+- name: Write Lambda function.
+  ansible.builtin.copy:
+    content: "{{ aws_lambda.function_file }}"
+    dest: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}.py"
+
+- name: Create a zip archive of Lambda function.
+  community.general.archive:
+    path: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}.py"
+    dest: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}.zip"
+    format: zip