Reverting-changes (#2395)

* Reverting-changes

* Updating-iam-tasks

* Updating-iam-tasks-2

* Updating-iam-tasks-3

* Updating-iam-tasks-4

* Reverting-meta-tasks

---------

Co-authored-by: Matej Stajduhar <[email protected]>

Author: matej5

roles/_meta/aws_region/meta/main.yml

@@ -8,4 +8,4 @@ dependencies:
   - role: aws/aws_cloudwatch_log_group
   - role: aws/aws_backup
   - role: aws/aws_backup_sns
-#  - role: aws/aws_admin_tools
+  - role: aws/aws_admin_tools

roles/aws/aws_admin_tools/tasks/lambda_iam.yml

@@ -3,7 +3,11 @@
     _policies: "{{ item.policies + ['arn:aws:iam::aws:policy/CloudWatchLogsFullAccess'] }}"
 
 - name: Create a role and attach policies.
-  amazon.aws.iam_role:
-    name: "API_{{ item.name }}"
-    assume_role_policy_document: "{{ lookup('template', 'trusted_entitites.j2') }}"
-    managed_policies: "{{ _policies }}"
+  ansible.builtin.include_role:
+    name: aws/aws_iam_role
+  vars:
+    aws_iam_role:
+      name: "API_{{ item.name }}"
+      aws_profile: "{{ _aws_profile }}"
+      managed_policies: "{{ _policies }}"
+      policy_document: "{{ lookup('template', 'trusted_entitites.j2') }}"

roles/aws/aws_backup_validation/tasks/main.yml

@@ -12,6 +12,7 @@
         - arn:aws:iam::aws:policy/AmazonRDSFullAccess
         - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
         - arn:aws:iam::aws:policy/AmazonSSMFullAccess
+        - arn:aws:iam::aws:policy/AmazonSESFullAccess
       policy_document: "{{ lookup('file', 'trusted_entitites.j2') }}"
 
 - name: Create backup validation Lambda functions.
@@ -34,21 +35,21 @@
 #  ansible.builtin.set_fact:
 #    aws_lambda: "{{ aws_lambda | ansible.utils.remove_keys(target=['response_metadata', 'function_file']) }}"
 
-#- name: Create an IAM Managed Policy for passing roles and setup IAM role.
-#  ansible.builtin.include_role:
-#    name: aws/aws_iam_role
-#  vars:
-#    aws_iam_role:
-#      name: AWSBackupDefaultServiceRole
-#      aws_profile: "{{ _aws_profile }}"
-#      inline_policies:
-#        name: "PassRole"
-#        resource: "*"
-#        action: "iam:PassRole"
-#      policy_document: "{{ lookup('file', 'pass_role_backup.j2') }}"
-#      managed_policies:
-#        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
-#        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores
+- name: Create an IAM Managed Policy for passing roles and setup IAM role.
+  ansible.builtin.include_role:
+    name: aws/aws_iam_role
+  vars:
+    aws_iam_role:
+      name: AWSBackupDefaultServiceRole
+      aws_profile: "{{ _aws_profile }}"
+      inline_policies:
+        name: "PassRole"
+        resource: "*"
+        action: "iam:PassRole"
+      policy_document: "{{ lookup('file', 'pass_role_backup.j2') }}"
+      managed_policies:
+        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
+        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores
 
 # TODO: Not all clients have verified identity
 #- name: Get verified domain.

roles/aws/aws_iam_role/tasks/main.yml

@@ -1,9 +1,42 @@
+- name: Create an IAM Managed Policy if defined.
+  amazon.aws.iam_managed_policy:
+    policy_name: "inline_{{ aws_iam_role.name }}_policy"
+    policy:
+      Version: "2012-10-17"
+      Statement:
+        - Effect: "Allow"
+          Action: "{{ aws_iam_role.inline_policies.action }}"
+          Resource: "{{ aws_iam_role.inline_policies.resource }}"
+    state: present
+  register: _inline_iam_policy
+  when: inline_policies.action is defined and inline_policies.action > 0
+
+- name: Join managed and inline policy.
+  ansible.builtin.set_fact:
+    _combined_policies: "{{ aws_iam_role.managed_policies + [_inline_iam_policy.arn] }}"
+  when: inline_policies.action is defined and inline_policies.action > 0
+
+- name: Create combined var if inline policy is not defined or empty.
+  ansible.builtin.set_fact:
+    _combined_policies: "{{ aws_iam_role.managed_policies }}"
+  when: inline_policies.action is not defined or inline_policies.action == 0
+
+- name: Create assume role policy document if predefined string is passed.
+  ansible.builtin.set_fact:
+    _assume_role_policy: "{{ lookup('file', aws_iam_role.policy_document + '_document_policy.json') }}"
+  when: aws_iam_role.policy_document | type_debug == 'AnsibleUnicode'
+
+- name: Create assume role policy document if template is provided.
+  ansible.builtin.set_fact:
+    _assume_role_policy: "{{ aws_iam_role.policy_document }}"
+  when: aws_iam_role.policy_document | type_debug != 'AnsibleUnicode'
+
 - name: Create an IAM role.
   amazon.aws.iam_role:
     profile: "{{ aws_iam_role.aws_profile }}"
     name: "{{ aws_iam_role.name }}"
-    assume_role_policy_document: "{{ lookup('file', aws_iam_role.policy_document + '_document_policy.json') }}"
-    managed_policies: "{{ aws_iam_role.managed_policies }}"
+    assume_role_policy_document: "{{ _assume_role_policy }}"
+    managed_policies: "{{ _combined_policies }}"
     purge_policies: "{{ aws_iam_role.purge_policies }}"
     tags: "{{ aws_iam_role.tags }}"
     create_instance_profile: "{% if aws_iam_role.policy_document == 'ec2' %}true{% else %}false{% endif %}"