Updating-aws-iam-tasks (#2727)

matej5 · Matej Stajduhar · web-flow · commit 976485a5e6f1 · 2025-10-02T13:16:50.000+02:00
* Updating-aws-iam-tasks

* Updating-aws-backup-defaults

* Adding-profile-to-task

* Changing-when-statements

---------

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;
diff --git a/roles/aws/aws_admin_tools/tasks/create_schedule.yml b/roles/aws/aws_admin_tools/tasks/create_schedule.yml
@@ -6,7 +6,7 @@
     region: "{{ _aws_region }}"
     targets:
       - id: "{{ 'schedule_' + item.name }}"
-        arn: "{{ (aws_lambda._result['schedule_' + item.name].configuration.function_arn.split(':') | map('trim'))[:-1] | join(':') }}" # Remove the version number from ARN
+        arn: "arn:aws:lambda:{{ _aws_region }}:{{ _acc_id }}:function:{{ item.name }}"
   register: _schedule_result
 
 - name: Update Lambda policy.
diff --git a/roles/aws/aws_admin_tools/tasks/lambda_iam.yml b/roles/aws/aws_admin_tools/tasks/lambda_iam.yml
@@ -12,3 +12,7 @@
       managed_policies: "{{ _policies }}"
       inline_policies: "{{ item.inline_policies | default(omit) }}"
       policy_document: "{{ lookup('template', 'trust_lambda.j2') }}"
+
+- name: Wait for 6 seconds for IAM to be ready.
+  ansible.builtin.wait_for:
+    timeout: 6
diff --git a/roles/aws/aws_admin_tools/tasks/main.yml b/roles/aws/aws_admin_tools/tasks/main.yml
@@ -92,6 +92,10 @@
         - "s3:GetObject"
       policy_document: "{{ lookup('template', 'trust_apigateway.j2') }}"
 
+- name: Wait for 6 seconds for IAM to be ready.
+  ansible.builtin.wait_for:
+    timeout: 6
+
 - name: Configure Lambda IAM policies.
   ansible.builtin.include_tasks: lambda_iam.yml
   loop: "{{ _api_without_s3 }}"
diff --git a/roles/aws/aws_backup/tasks/resource.yml b/roles/aws/aws_backup/tasks/resource.yml
@@ -36,6 +36,10 @@
       policy_document: backup
   when: aws_backup.backup.iam_role_arn == "Default"
 
+- name: Wait for 6 seconds for IAM to be ready.
+  ansible.builtin.wait_for:
+    timeout: 6
+
 - name: Set IAM role ARN for backups.
   ansible.builtin.set_fact:
     _iam_role_arn: "{{ _aws_iam_role_result.iam_role.arn }}"
diff --git a/roles/aws/aws_backup_validation/defaults/main.yml b/roles/aws/aws_backup_validation/defaults/main.yml
@@ -2,14 +2,15 @@
 aws_backup_validation:
   s3_bucket: "{{ _general_bucket }}"
   s3_bucket_prefix: "backup-validation" # Prefix used for storing backup validation info
-  name: "RestoreValidation"
   description: "Restore validation is running every Sunday at 00:00AM, and validation reporting is triggered on Monday 00:00AM"
   timeout: 60
   runtime: "python3.12"
+  main_file: "app"
   handler: "lambda_handler"
+  git_url: example.git-url.codeenigma.com # Can be overwritten by git_url in item
   resources:
     - name: ec2_test_instance
-      git_url: true
+      git: true # if true, it will build git url to download repo
       type: EC2
       lambda_policy:
         - "backup:PutRestoreValidationResult"
@@ -18,7 +19,7 @@ aws_backup_validation:
         - "ssm:SendCommand"
         - "ec2:DescribeInstances"
     - name: rds_test_instance
-      git_url: true
+      git: true
       type:  RDS
       lambda_policy:
         - "backup:PutRestoreValidationResult"
@@ -27,12 +28,14 @@ aws_backup_validation:
         - "ec2:DescribeInstances"
         - "rds:DescribeDBInstances"
     - name: aurora_create_instance
-      git_url: true
+      git: true
       type: Aurora
       lambda_policy:
-        - "lambda:InvokeFunction"
+        - "rds:DescribeDbClusters"
+        - "rds:CreateDbInstance"
+        - "rds:AddTagsToResource"
     - name: aurora_test_instance
-      git_url: true
+      git: true
       type: Aurora
       event_pattern: '{ "source": ["aws.rds"], "detail-type": ["RDS DB Instance Event"], "resources": [{ "prefix": "arn:aws:rds:eu-west-1:{{ _acc_id }}:db:restoretest" }], "detail": { "EventID": ["RDS-EVENT-0005"] } }'
       lambda_policy:
@@ -42,7 +45,7 @@ aws_backup_validation:
         - "rds:DescribeDBClusters"
         - "rds:DeleteDBInstance"
     - name: validation_report
-      git_url: true
+      git: true
       type: Schedule
       schedule: "cron(0 0 ? * MON *)"
       lambda_policy:
diff --git a/roles/aws/aws_backup_validation/tasks/main.yml b/roles/aws/aws_backup_validation/tasks/main.yml
@@ -8,15 +8,15 @@
 
 - name: Setting previous command output into variable.
   ansible.builtin.set_fact:
-    _acc_id: "{{ _acc_id.stdout | from_json }}"
+    _acc_id: "{{ _acc_id.stdout }}"
 
 - name: Create a role and attach policies for events.
   ansible.builtin.include_role:
     name: aws/aws_iam_role
   vars:
     aws_iam_role:
       name: "{{ item.name }}_event"
-      source: "{{ item.name}}"
+      source: "{{ item.name }}"
       aws_profile: "{{ _aws_profile }}"
       inline_policies:
         name: "{{ item.name }}_event"
@@ -25,17 +25,14 @@
           - "lambda:InvokeFunction"
       policy_document: "{{ lookup('template', 'event_document_policy.json.j2') }}"
   loop: "{{ aws_backup_validation.resources }}"
-  loop_control:
-    extended: true
-    extended_allitems: false
 
 - name: Create a role and attach policies for Lambda functions.
   ansible.builtin.include_role:
     name: aws/aws_iam_role
   vars:
     aws_iam_role:
       name: "{{ item.name}}_lambda"
-      source: "{{ item.name}}"
+      source: "{{ item.name }}"
       aws_profile: "{{ _aws_profile }}"
       managed_policies:
         - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
@@ -45,9 +42,10 @@
         action: "{{ item.lambda_policy }}"
       policy_document: "{{ lookup('template', 'trusted_entitites.json.j2') }}"
   loop: "{{ aws_backup_validation.resources }}"
-  loop_control:
-    extended: true
-    extended_allitems: false
+
+- name: Wait for 6 seconds for IAM to be ready.
+  ansible.builtin.wait_for:
+    timeout: 6
 
 - name: Get info about newly created restore testing plan.
   ansible.builtin.command: >
@@ -70,7 +68,7 @@
       tags:
         Name: "{{ item.name }}"
   loop: "{{ aws_backup_validation.resources }}"
-  when: item.git_url is not defined
+  when: item.git is not defined
 
 - name: Create Lambda functions from git url.
   ansible.builtin.include_role:
@@ -88,7 +86,7 @@
       tags:
         Name: "{{ item.name }}"
   loop: "{{ aws_backup_validation.resources }}"
-  when: item.git_url is defined
+  when: item.git is defined and item.git
 
 - name: Create an IAM Managed Policy for passing roles and setup IAM role.
   ansible.builtin.include_role:
@@ -107,6 +105,10 @@
         - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
         - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores
 
+- name: Wait for 6 seconds for IAM to be ready.
+  ansible.builtin.wait_for:
+    timeout: 6
+
 # TODO: Not all clients have verified identity
 #- name: Get verified domain.
 #  ansible.builtin.include_tasks: get_valid_email.yml
diff --git a/roles/aws/aws_cloudfront_distribution/tasks/create_lambda_function.yml b/roles/aws/aws_cloudfront_distribution/tasks/create_lambda_function.yml
@@ -14,6 +14,10 @@
         - "lambda:GetFunction"
       policy_document: "{{ lookup('template', 'lambda_policy.json') }}"
 
+- name: Wait for 6 seconds for IAM to be ready.
+  ansible.builtin.wait_for:
+    timeout: 6
+
 - name: Create Lambda function.
   ansible.builtin.include_role:
     name: aws/aws_lambda
diff --git a/roles/aws/aws_iam_role/tasks/main.yml b/roles/aws/aws_iam_role/tasks/main.yml
@@ -1,5 +1,6 @@
 - name: Create an inline IAM Managed Policy if defined.
   amazon.aws.iam_managed_policy:
+    profile: "{{ aws_iam_role.aws_profile }}"
     policy_name: "inline_{{ aws_iam_role.inline_policies.name }}_policy"
     policy:
       Version: "2012-10-17"
@@ -47,11 +48,6 @@
     wait: true
   register: _aws_iam_role_result
 
-- name: Wait for 6 seconds for IAM to be ready.
-  ansible.builtin.wait_for:
-    timeout: 6
-  when: ansible_loop.last is defined and ansible_loop.last
-
 - name: Register aws_iam_role results.
   ansible.builtin.set_fact:
     aws_iam_role: "{{ aws_iam_role | combine({'_result': {aws_iam_role.name: _aws_iam_role_result}}, recursive=True) }}"
