Fixing aws vpc override pr devel 2.x (#2687)

matej5 · drazenCE · Matej Stajduhar · web-flow · commit 6ef594dc1039 · 2025-09-24T12:33:13.000+02:00
* Fixing-email-title-for-backup-validation (#2657) Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com> * Adding-task-to-create-aurora-cluster (#2659) * Adding-task-to-create-aurora-cluster * Adding-region-profile-and-tags-to-aurora-cluster * Updating-engine-for-aurora-cluster * Updating-parameter-group-engine * Updating-engine-version * Updating-engine-version-2 * Disabling-automated-backups * Disabling-automated-backups-2 * Disabling-automated-backups-3 * Disabling-automated-backups-4 * Skipping-task-if-not-aurora * Adding-subnet-group-to-instances * Adding-subnet-group-to-instances * Updating-SG-return-values * Updating-SG-return-values-2 * Updating-SG-return-values-3 * Updating-SG-return-values-4 * Updating-SG-return-value-debug * Updating-SG-return-value-debug-2 * Updating-SG-return-value-debug-3 * Removing-debug-tasks * Removing-init-var-for-SG-list * Adding-character-set-option --------- Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com> * Fixing truthy variable mistakes. (#2662) * Fixing installer variable bug. * Fixing tests for external PRs. * Testing with a fork. * Adding repo owner's username into installer string. * Refactoring config repo detection to simplify. * No longer permitted to use an integer as a truthy value. * No longer permitted to use existence check as a truthy value. * Can't see a reason why linotp var shouldn't be a boolean. * No longer permitted to use existence check as a truthy value. * Fixing truthy errors in ce_deploy role. * No longer permitted to use an integer as a truthy value. * feat(php): Add FPM slow logrotate (#2625) * feat(php): Support removal of APCU, add FPM slow logrotate * simplify condition * revert apcu installed setting, not needed * r73458-install-php-gmp-by-default2 (#2667) * r73458-install-php-gmp-by-default2 * re-add required packages * Wazuh-mitre-report-setup (#2588) * Wazuh-mitre-report-setup * Wazuh-mitre-shellshock-longurl-block * Fixing-vars * Wazuh-mitre-report-setup-PR-2.x * Wazuh mitre report setup pr 2.x (#2669) * Wazuh-mitre-report-setup * Wazuh-mitre-shellshock-longurl-block * Fixing-vars * Wazuh-mitre-report-setup-PR-2.x * Wazuh-mitre-report-setup-PR-2.x * pin_ansible_version (#2671) * pin_ansible_version * pin_ansible_version * pin_ansible_version * pin_ansible_version * pin_ansible_version_fix_upgrade_timer * pin_ansible_version_fix_upgrade_timer * pin_ansible_version_fix_upgrade_timer * pin_ansible_version_disable_upgrade_timer * pin_ansible_version_disable_upgrade_timer * pin_ansible_version_disable_upgrade_timer * pin_ansible_version_disable_upgrade_timer * Fixing-ce-provision-vars (#2678) * Updating-string (#2507) * Updating-string * Updating-string-3 --------- Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com> * Added-tasks-to-backup-Aurora-and-copy-AMI-to-safe-region (#2682) * Added-tasks-to-backup-Aurora-and-copy-AMI-to-safe-region * Fixing-aurora-backup-tasks * Fixing-aurora-backup-tasks-2 * Fixing-aurora-backup-tasks-3 * Fixing-aurora-backup-tasks-5 * Adding-aurora-template * Updating-aurora-vars * Adding-handler-to-defaults-for-CF --------- Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com> * SG-creation-update (#2605) * SG-creation-update * Updating-lambda-tasks-to-handle-various-file-options * Updating-lambda-tasks-for-url-handling * Updating-aws_admin_tools-for-aws_lambda * Updating-aws_admin_tools-for-aws_lambda * Setting-loop-item * Setting-loop-item-2 * Updating-vpc-sec-group-vars * Removing-extra-vars-for-git-module * Adding-default-for-git_url * Cleaning-up-tasks * Updating-ansible-lint * Updating-ansible-lint * Ommiting-name-if-no-sec_group-name-defined * Removing-loop-var --------- Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com> * Fixing-copy-AMI-to-backup-region (#2684) Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com> * Fixing-ami-copy-task (#2686) Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com> * Fixing-aws_vpc-override * Adding-defaults * Fixing-register-command * Defaulting-tags * Defaulting-tags-2 * Updating-region * Updating-iam_role-vars * Updating-iam_role-vars-2 * Updating-when-statement * Updating-when-statement-for-backups * Updating-when-statement-for-iam-policy * Updating-when-statement-for-iam-policy * Reverting-wazuh-changes * Updating-vars-for-SG-creation * Updating-when-statement-for-iam-role * Updating-handle-git-url * Updating-handle-git-url-2 * Updating-handle-git-url-3 * Updating-handle-git-url-4 * Updating-handle-git-url-5 * Updating-handle-git-url-6 * Updating-handle-git-url-7 * Updating-task * Fixing-tasks --------- Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com> Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com> Co-authored-by: Greg Harvey <greg.harvey@gmail.com> Co-authored-by: Klaus Purer <klaus.purer@protonmail.ch> Co-authored-by: nfawbert <62660788+nfawbert@users.noreply.github.com> Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com>
diff --git a/roles/aws/aws_ami/tasks/repack.yml b/roles/aws/aws_ami/tasks/repack.yml
@@ -13,7 +13,7 @@
     name: aws/aws_vpc
     tasks_from: security_group
   vars:
-    aws_vpc:
+    aws_vpc_sg:
       profile: "{{ aws_ami.aws_profile }}"
       region: "{{ aws_ami.region }}"
       name: "{{ aws_ami.repack.cluster_name }}-repacker"
diff --git a/roles/aws/aws_backup/tasks/main.yml b/roles/aws/aws_backup/tasks/main.yml
@@ -64,7 +64,7 @@
   with_items: "{{ aws_backup.plans }}"
   loop_control:
     loop_var: plan
-  when: aws_backup.plans | length
+  when: aws_backup.plans | length > 0
 
 - name: Include aws backup validation role.
   ansible.builtin.include_role:
diff --git a/roles/aws/aws_backup_validation/tasks/testing_resources.yml b/roles/aws/aws_backup_validation/tasks/testing_resources.yml
@@ -34,7 +34,7 @@
     name: aws/aws_vpc
     tasks_from: security_group
   vars:
-    aws_vpc:
+    aws_vpc_sg:
       name: "Restore_testing"
       region: "{{ aws_ec2_autoscale_cluster.region }}"
       id: "{{ _main_vpc_info.vpcs[0].vpc_id }}"
@@ -55,7 +55,7 @@
 
 - name: Construct AWS instance type dict.
   ansible.builtin.set_fact:
-    _restore_testing_sg: "{{ aws_vpc._result['Restore_testing'] }}"
+    _restore_testing_sg: "{{ aws_vpc_sg._result['Restore_testing'] }}"
 
 - name: Remove restore testing query file.
   ansible.builtin.file:
diff --git a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml
@@ -52,7 +52,7 @@
 
 - name: Set _aws_ec2_autoscale_cluster_security_group variable.
   ansible.builtin.set_fact:
-    _aws_ec2_autoscale_cluster_security_group: "{{ aws_vpc._result[aws_ec2_autoscale_cluster.name] }}"
+    _aws_ec2_autoscale_cluster_security_group: "{{ aws_vpc_sg._result[aws_ec2_autoscale_cluster.name] }}"
 
 - name: Reset subnets lists.
   ansible.builtin.set_fact:
diff --git a/roles/aws/aws_iam_role/tasks/main.yml b/roles/aws/aws_iam_role/tasks/main.yml
@@ -21,24 +21,28 @@
     _combined_policies: "{{ aws_iam_role.managed_policies }}"
   when: aws_iam_role.inline_policies.action is not defined or aws_iam_role.inline_policies.action | length == 0
 
+- name: Create list of strings for predefined policies.
+  ansible.builtin.set_fact:
+    allowed_strings: ["ec2", "ecs", "backup"]
+
 - name: Create assume role policy document if predefined string is passed.
   ansible.builtin.set_fact:
     _assume_role_policy: "{{ lookup('file', aws_iam_role.policy_document + '_document_policy.json') }}"
-  when: aws_iam_role.policy_document | type_debug == 'AnsibleUnicode'
+  when: aws_iam_role.policy_document in allowed_strings
 
 - name: Create assume role policy document if template is provided.
   ansible.builtin.set_fact:
     _assume_role_policy: "{{ aws_iam_role.policy_document }}"
-  when: aws_iam_role.policy_document | type_debug != 'AnsibleUnicode'
+  when: aws_iam_role.policy_document not in allowed_strings
 
 - name: Create an IAM role.
   amazon.aws.iam_role:
     profile: "{{ aws_iam_role.aws_profile }}"
     name: "{{ aws_iam_role.name }}"
     assume_role_policy_document: "{{ _assume_role_policy }}"
     managed_policies: "{{ _combined_policies }}"
-    purge_policies: "{{ aws_iam_role.purge_policies }}"
-    tags: "{{ aws_iam_role.tags }}"
+    purge_policies: "{{ aws_iam_role.purge_policies | default(true) }}"
+    tags: "{{ aws_iam_role.tags | default({}) }}"
     create_instance_profile: "{% if aws_iam_role.policy_document == 'ec2' %}true{% else %}false{% endif %}"
     wait: true
   register: _aws_iam_role_result
diff --git a/roles/aws/aws_lambda/tasks/handle_url.yml b/roles/aws/aws_lambda/tasks/handle_url.yml
@@ -2,10 +2,14 @@
   ansible.builtin.git:
     repo: "{{ aws_lambda.function_file }}"
     dest: /tmp/funct
+    update: true
+    accept_hostkey: true
+  become: true
+  become_user: "{{ ce_provision.username }}"
 
 - name: Find all .j2 template files.
   ansible.builtin.find:
-    paths: "{{ work_dir }}/{{ repo_name }}"
+    paths: "/tmp/funct"
     patterns: "*.j2"
     recurse: true
   register: _j2_files
@@ -28,6 +32,11 @@
 
 - name: Copy a zip archive of Lambda function.
   community.general.archive:
-    path: "/tmp/funct"
+    path: "/tmp/funct/"
     dest: "{{ _ce_provision_build_dir }}/{{ aws_lambda.name }}.zip"
     format: zip
+
+- name: Remove function directory
+  ansible.builtin.file:
+    path: /tmp/funct
+    state: absent
diff --git a/roles/aws/aws_vpc/defaults/main.yml b/roles/aws/aws_vpc/defaults/main.yml
@@ -1,3 +1,9 @@
+aws_vpc_sg:
+  aws_profile: "{{ _aws_profile }}"
+  region: "{{ _aws_region }}"
+  tags: {}
+  state: present
+  description: ""
 aws_vpc:
   aws_profile: "{{ _aws_profile }}"
   region: "{{ _aws_region }}"
diff --git a/roles/aws/aws_vpc/tasks/main.yml b/roles/aws/aws_vpc/tasks/main.yml
@@ -12,7 +12,7 @@
 - name: Ensure default Security group is tagged.
   ansible.builtin.include_tasks: "security_group.yml"
   vars:
-    aws_vpc:
+    aws_vpc_sg:
       name: "default"
       id: "{{ _aws_vpc_vpc.vpc.id }}"
       description: "default VPC security group"
diff --git a/roles/aws/aws_vpc/tasks/security_group.yml b/roles/aws/aws_vpc/tasks/security_group.yml
@@ -1,6 +1,6 @@
 - name: Configure vars if looping over list.
   ansible.builtin.set_fact:
-    aws_vpc:
+    aws_vpc_sg:
       name: "{{ _sec_group.name | default('') }}"
       tags: "{{ _aws_vpc_vpc.vpc.tags | combine({'Name': _sec_group.name}) }}"
       id: "{{ _aws_vpc_vpc.vpc.id }}"
@@ -11,18 +11,18 @@
 
 - name: Create Security Group.
   amazon.aws.ec2_security_group:
-    name: "{{ aws_vpc.name }}"
-    profile: "{{ aws_vpc.aws_profile }}"
-    region: "{{ aws_vpc.region }}"
-    tags: "{{ aws_vpc.tags }}"
-    state: "{{ aws_vpc.state }}"
-    vpc_id: "{{ aws_vpc.id }}"
-    description: "{{ aws_vpc.description | default('') }}"
-    rules: "{{ aws_vpc.rules | default(omit) }}"
-    rules_egress: "{{ aws_vpc.rules_egress | default(omit) }}"
-    purge_rules: "{{ aws_vpc.purge_rules | default(omit) }}"
+    name: "{{ aws_vpc_sg.name }}"
+    profile: "{{ aws_vpc_sg.aws_profile }}"
+    region: "{{ aws_vpc_sg.region }}"
+    tags: "{{ aws_vpc_sg.tags }}"
+    state: "{{ aws_vpc_sg.state }}"
+    vpc_id: "{{ aws_vpc_sg.id }}"
+    description: "{{ aws_vpc_sg.description }}"
+    rules: "{{ aws_vpc_sg.rules | default(omit) }}"
+    rules_egress: "{{ aws_vpc_sg.rules_egress | default(omit) }}"
+    purge_rules: "{{ aws_vpc_sg.purge_rules | default(omit) }}"
   register: _aws_vpc_result
 
 - name: Register aws_vpc SG results.
   ansible.builtin.set_fact:
-    aws_vpc: "{{ aws_vpc | combine({'_result': {aws_vpc.name: _aws_vpc_result}}, recursive=True) }}"
+    aws_vpc_sg: "{{ aws_vpc_sg | combine({'_result': {aws_vpc_sg.name: _aws_vpc_result}}, recursive=True) }}"
diff --git a/roles/aws/aws_vpc_subnet/tasks/subnet.yml b/roles/aws/aws_vpc_subnet/tasks/subnet.yml
@@ -27,7 +27,7 @@
     name: aws/aws_vpc
     tasks_from: security_group
   vars:
-    aws_vpc:
+    aws_vpc_sg:
       name: "{{ subnet.name }}"
       profile: "{{ aws_vpc_subnet.aws_profile }}"
       region: "{{ aws_vpc_subnet.region }}"
