Aurora backup validation pr devel 2.x (#2699)

* Fixing-email-title-for-backup-validation (#2657)

Co-authored-by: Matej Stajduhar <[email protected]>

* Adding-task-to-create-aurora-cluster (#2659)

* Adding-task-to-create-aurora-cluster

* Adding-region-profile-and-tags-to-aurora-cluster

* Updating-engine-for-aurora-cluster

* Updating-parameter-group-engine

* Updating-engine-version

* Updating-engine-version-2

* Disabling-automated-backups

* Disabling-automated-backups-2

* Disabling-automated-backups-3

* Disabling-automated-backups-4

* Skipping-task-if-not-aurora

* Adding-subnet-group-to-instances

* Adding-subnet-group-to-instances

* Updating-SG-return-values

* Updating-SG-return-values-2

* Updating-SG-return-values-3

* Updating-SG-return-values-4

* Updating-SG-return-value-debug

* Updating-SG-return-value-debug-2

* Updating-SG-return-value-debug-3

* Removing-debug-tasks

* Removing-init-var-for-SG-list

* Adding-character-set-option

---------

Co-authored-by: Matej Stajduhar <[email protected]>

* Fixing truthy variable mistakes. (#2662)

* Fixing installer variable bug.

* Fixing tests for external PRs.

* Testing with a fork.

* Adding repo owner's username into installer string.

* Refactoring config repo detection to simplify.

* No longer permitted to use an integer as a truthy value.

* No longer permitted to use existence check as a truthy value.

* Can't see a reason why linotp var shouldn't be a boolean.

* No longer permitted to use existence check as a truthy value.

* Fixing truthy errors in ce_deploy role.

* No longer permitted to use an integer as a truthy value.

* feat(php): Add FPM slow logrotate (#2625)

* feat(php): Support removal of APCU, add FPM slow logrotate

* simplify condition

* revert apcu installed setting, not needed

* r73458-install-php-gmp-by-default2 (#2667)

* r73458-install-php-gmp-by-default2

* re-add required packages

* Wazuh-mitre-report-setup (#2588)

* Wazuh-mitre-report-setup

* Wazuh-mitre-shellshock-longurl-block

* Fixing-vars

* Wazuh-mitre-report-setup-PR-2.x

* Wazuh mitre report setup pr 2.x (#2669)

* Wazuh-mitre-report-setup

* Wazuh-mitre-shellshock-longurl-block

* Fixing-vars

* Wazuh-mitre-report-setup-PR-2.x

* Wazuh-mitre-report-setup-PR-2.x

* pin_ansible_version (#2671)

* pin_ansible_version

* pin_ansible_version

* pin_ansible_version

* pin_ansible_version

* pin_ansible_version_fix_upgrade_timer

* pin_ansible_version_fix_upgrade_timer

* pin_ansible_version_fix_upgrade_timer

* pin_ansible_version_disable_upgrade_timer

* pin_ansible_version_disable_upgrade_timer

* pin_ansible_version_disable_upgrade_timer

* pin_ansible_version_disable_upgrade_timer

* Fixing-ce-provision-vars (#2678)

* Updating-string (#2507)

* Updating-string

* Updating-string-3

---------

Co-authored-by: Matej Stajduhar <[email protected]>

* Added-tasks-to-backup-Aurora-and-copy-AMI-to-safe-region (#2682)

* Added-tasks-to-backup-Aurora-and-copy-AMI-to-safe-region

* Fixing-aurora-backup-tasks

* Fixing-aurora-backup-tasks-2

* Fixing-aurora-backup-tasks-3

* Fixing-aurora-backup-tasks-5

* Adding-aurora-template

* Updating-aurora-vars

* Adding-handler-to-defaults-for-CF

---------

Co-authored-by: Matej Stajduhar <[email protected]>

* SG-creation-update (#2605)

* SG-creation-update

* Updating-lambda-tasks-to-handle-various-file-options

* Updating-lambda-tasks-for-url-handling

* Updating-aws_admin_tools-for-aws_lambda

* Updating-aws_admin_tools-for-aws_lambda

* Setting-loop-item

* Setting-loop-item-2

* Updating-vpc-sec-group-vars

* Removing-extra-vars-for-git-module

* Adding-default-for-git_url

* Cleaning-up-tasks

* Updating-ansible-lint

* Updating-ansible-lint

* Ommiting-name-if-no-sec_group-name-defined

* Removing-loop-var

---------

Co-authored-by: Matej Stajduhar <[email protected]>

* Fixing-copy-AMI-to-backup-region (#2684)

Co-authored-by: Matej Stajduhar <[email protected]>

* Fixing-ami-copy-task (#2686)

Co-authored-by: Matej Stajduhar <[email protected]>

* Bug fixes pr 2.x (#2690)

* Fixing installer variable bug.

* Fixing tests for external PRs.

* Testing with a fork.

* Adding repo owner's username into installer string.

* Refactoring config repo detection to simplify.

* No longer permitted to use an integer as a truthy value.

* No longer permitted to use existence check as a truthy value.

* Can't see a reason why linotp var shouldn't be a boolean.

* No longer permitted to use existence check as a truthy value.

* Fixing truthy errors in ce_deploy role.

* No longer permitted to use an integer as a truthy value.

* Updating clamav command to use flock avoiding duplicate processes running.

* 73569 allowing webp nginx pr 2.x (#2692)

* allowing webp extension

* adding webp mime type

---------

Co-authored-by: filip <[email protected]>

* extending provision.sh to support tags in plays (#2431)

Co-authored-by: filip <[email protected]>

* Adding-option-for-Aurora-RDS-for-backup-validation (#2635)

Co-authored-by: Matej Stajduhar <[email protected]>

* Fixing-aws_vpc-override (#2688)

* Fixing-aws_vpc-override

* Adding-defaults

* Fixing-register-command

* Defaulting-tags

* Defaulting-tags-2

* Updating-region

* Updating-iam_role-vars

* Updating-iam_role-vars-2

* Updating-when-statement

* Updating-when-statement-for-backups

* Updating-when-statement-for-iam-policy

* Updating-when-statement-for-iam-policy

* Updating-vars-for-SG-creation

* Updating-when-statement-for-iam-role

* Updating-handle-git-url

* Updating-handle-git-url-2

* Updating-handle-git-url-3

* Updating-handle-git-url-4

* Updating-handle-git-url-5

* Updating-handle-git-url-6

* Updating-handle-git-url-7

* Fixing-indentation

---------

Co-authored-by: Matej Stajduhar <[email protected]>

* Updating-pam-ldap-condition (#2695)

* Updating-pam-ldap-condition

* Updating-pam-ldap-condition-PR-2.x

* Fixing-when-statement

* Updating-LE-tasks

* Adding-from_json-for-systemd-timers

* Adding-from_json-for-systemd-timers-2

* Removin-from_json-for-systemd-timers

* Updating-pam_ldap-when-statements

* Updating-pam_ldap-when-statements-2

* Updated-Backup-validation-role

* Updated-trusted-entity-file-name

* Updated-event-patterns

* Dropped-default-aurora-retention-to-1

* Bug-fixes

* Moving-iam-policy

* Updating-tasks

* Updating-tasks-2

* Updating-return-value

* Updating-file-names

* Updating-file-names-2

* Updating-file-names-3

* Updating-file-names-4

* Adding-debug

* Adding-debug-2

* Adding-debug-3

* Updating-source-for-iam

* Removing-handle-zip-for-lambda

* Updating-regex-search

* Updating-regex-search

* Updating-lambda-function-handling

* Updating-lambda-function-handling

* Updating-lambda-function-handling-2

* Updating-event-bridge-role-arn

* Moving-functions-to-gitlab

* Updating-event-pattern

* Updating-iam-role

* Updating-defaults

* Reverting-wazuh-changes

* Removing-files

* Adding-LE-vars-for-apache

---------

Co-authored-by: drazenCE <[email protected]>
Co-authored-by: Matej Stajduhar <[email protected]>
Co-authored-by: Greg Harvey <[email protected]>
Co-authored-by: Klaus Purer <[email protected]>
Co-authored-by: nfawbert <[email protected]>
Co-authored-by: tymofiisobchenko <[email protected]>
Co-authored-by: Filip Rupic <[email protected]>
Co-authored-by: filip <[email protected]>

Author: 9 people

roles/aws/aws_admin_tools/templates/api_get_list_of_ec2.py.j2

@@ -8,6 +8,46 @@ aws_backup_validation:
   runtime: "python3.12"
   handler: "lambda_handler"
   resources:
-    - EC2
-    - RDS
+    - name: ec2_test_instance
+      git_url: [email protected]:functions/ec2_test_instance.git
+      type: EC2
+      lambda_policy:
+        - "backup:PutRestoreValidationResult"
+        - "ssm:GetCommandInvocation"
+        - "ssm:GetConnectionStatus"
+        - "ssm:SendCommand"
+        - "ec2:DescribeInstances"
+    - name: rds_test_instance
+      git_url: [email protected]:functions/rds_test_instance.git
+      type:  RDS
+      lambda_policy:
+        - "backup:PutRestoreValidationResult"
+        - "ssm:GetCommandInvocation"
+        - "ssm:SendCommand"
+        - "ec2:DescribeInstances"
+        - "rds:DescribeDBInstances"
+    - name: aurora_create_instance
+      git_url: [email protected]:functions/aurora_create_instance.git
+      type: Aurora
+      lambda_policy:
+        - "lambda:InvokeFunction"
+    - name: aurora_test_instance
+      git_url: [email protected]:functions/aurora_test_instance.git
+      type: Aurora
+      event_pattern: '{ "source": ["aws.rds"], "detail-type": ["RDS DB Instance Event"], "resources": [{ "prefix": "arn:aws:rds:eu-west-1:{{ _acc_id }}:db:restoretest" }], "detail": { "EventID": ["RDS-EVENT-0005"] } }'
+      lambda_policy:
+        - "backup:PutRestoreValidationResult"
+        - "ec2:DescribeInstances"
+        - "rds:DescribeDBInstances"
+        - "rds:DescribeDBClusters"
+        - "rds:DeleteDBInstance"
+    - name: validation_report
+      git_url: [email protected]:functions/validation_report.git
+      type: Schedule
+      schedule: "cron(0 0 ? * MON *)"
+      lambda_policy:
+        - "backup:ListRestoreJobs"
+        - "ses:SendEmail"
+        - "ec2:DescribeImages"
+        - "rds:DescribeDbSnapshots"
     #- EFS

roles/aws/aws_admin_tools/templates/default_s3_object.j2

@@ -1,36 +1,100 @@
 ---
-- name: Create a role and attach policies for Lambda backup validation.
+- name: Get account ID for ARN.
+  ansible.builtin.command: >-
+    aws sts get-caller-identity
+    --query Account
+    --output text
+  register: _acc_id
+
+- name: Setting previous command output into variable.
+  ansible.builtin.set_fact:
+    _acc_id: "{{ _acc_id.stdout | from_json }}"
+
+# Passing Api throug the resource ( triger )
+
+- name: Configure API Gateway if defined.
+  ansible.builtin.include_tasks: create_mock.yml
+  when: _api_index | length == 0
+
+- name: Create a role and attach policies for events.
   ansible.builtin.include_role:
     name: aws/aws_iam_role
   vars:
     aws_iam_role:
-      name: LambdaBackupRestoreRole
+      name: "{{ item.name }}_event"
+      source: "{{ item.name}}"
+      aws_profile: "{{ _aws_profile }}"
+      inline_policies:
+        name: "{{ item.name }}_event"
+        resource: "arn:aws:lambda:{{ _aws_region }}:{{ _acc_id }}:function:{{ item.name }}"
+        action:
+          - "lambda:InvokeFunction"
+      policy_document: "{{ lookup('template', 'event_document_policy.json.j2') }}"
+  loop: "{{ aws_backup_validation.resources }}"
+  loop_control:
+    extended: true
+    extended_allitems: false
+
+- name: Create a role and attach policies for Lambda functions.
+  ansible.builtin.include_role:
+    name: aws/aws_iam_role
+  vars:
+    aws_iam_role:
+      name: "{{ item.name}}_lambda"
+      source: "{{ item.name}}"
       aws_profile: "{{ _aws_profile }}"
       managed_policies:
-        - arn:aws:iam::aws:policy/AmazonEC2FullAccess
-        - arn:aws:iam::aws:policy/AWSBackupFullAccess
-        - arn:aws:iam::aws:policy/AmazonRDSFullAccess
         - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
-        - arn:aws:iam::aws:policy/AmazonSSMFullAccess
-        - arn:aws:iam::aws:policy/AmazonSESFullAccess
-      policy_document: "{{ lookup('file', 'trusted_entitites.j2') }}"
+      inline_policies:
+        name: "{{ item.name }}_lambda"
+        resource: "*"
+        action: "{{ item.lambda_policy }}"
+      policy_document: "{{ lookup('template', 'trusted_entitites.json.j2') }}"
+  loop: "{{ aws_backup_validation.resources }}"
+  loop_control:
+    extended: true
+    extended_allitems: false
+
+- name: Get info about newly created restore testing plan.
+  ansible.builtin.command: >
+    aws backup list-restore-testing-plans --region {{ _aws_region }}
+  register: _testing_plans
+
+- name: Create Lambda functions from templates.
+  ansible.builtin.include_role:
+    name: aws/aws_lambda
+  vars:
+    aws_lambda:
+      name: "{{ item.name }}"
+      description: "Lambda functions for {{ item.type }} validation."
+      timeout: "{{ aws_backup_validation.timeout }}"
+      role: "{{ aws_iam_role._result[item.name + '_lambda'] }}"
+      runtime: "{{ aws_backup_validation.runtime }}"
+      function_file: "{{ lookup('template', item.name + '.py.j2') }}"
+      s3_bucket: "{{ aws_backup_validation.s3_bucket }}"
+      s3_bucket_prefix: "lambda-functions"
+      tags:
+        Name: "{{ item.name }}"
+  loop: "{{ aws_backup_validation.resources }}"
+  when: item.git_url is not defined
 
-- name: Create backup validation Lambda functions.
+- name: Create Lambda functions from git url.
   ansible.builtin.include_role:
     name: aws/aws_lambda
   vars:
     aws_lambda:
-      name: "{{ aws_backup_validation.name }}_{{ item }}"
-      description: "{{ aws_backup_validation.description }}"
+      name: "{{ item.name }}"
+      description: "Lambda functions for {{ item.type }} validation."
       timeout: "{{ aws_backup_validation.timeout }}"
-      role: "{{ aws_iam_role._result['LambdaBackupRestoreRole'] }}"
+      role: "{{ aws_iam_role._result[item.name + '_lambda'] }}"
       runtime: "{{ aws_backup_validation.runtime }}"
-      function_file: "{{ lookup('template', item + '_validation.py.j2') }}"
+      function_file: "{{ item.git_url }}"
       s3_bucket: "{{ aws_backup_validation.s3_bucket }}"
       s3_bucket_prefix: "lambda-functions"
       tags:
-        Name: "{{ item }}_backup_validation"
+        Name: "{{ item.name }}"
   loop: "{{ aws_backup_validation.resources }}"
+  when: item.git_url is defined
 
 - name: Create an IAM Managed Policy for passing roles and setup IAM role.
   ansible.builtin.include_role:
@@ -53,79 +117,52 @@
 #- name: Get verified domain.
 #  ansible.builtin.include_tasks: get_valid_email.yml
 
-- name: Get info about newly created restore testing plan.
-  ansible.builtin.command: >
-    aws backup list-restore-testing-plans --region {{ _aws_region }}
-  register: _testing_plans
-
-- name: Create validation report function.
-  ansible.builtin.include_role:
-    name: aws/aws_lambda
-  vars:
-    aws_lambda:
-      name: "validation_report"
-      description: "{{ aws_backup_validation.description }}"
-      timeout: "30"
-      role: "{{ aws_iam_role._result['LambdaBackupRestoreRole'] }}"
-      runtime: "{{ aws_backup_validation.runtime }}"
-      function_file: "{{ lookup('template', 'validation_report.py.j2') }}"
-      s3_bucket: "{{ aws_backup_validation.s3_bucket }}"
-      s3_bucket_prefix: "lambda-functions"
-      tags:
-        Name: "validation_report"
-
-- name: Get account ID for ARN.
-  ansible.builtin.command: >-
-    aws sts get-caller-identity
-    --query Account
-    --output text
-  register: _acc_id
-
-- name: Setting previous command output into variable.
-  ansible.builtin.set_fact:
-    _acc_id: "{{ _acc_id.stdout | from_json }}"
-
-- name: Create EventBridge for validation functions.
+- name: Create EventBridge with lambda functions.
   amazon.aws.cloudwatchevent_rule:
-    name: "RestoreValidation_{{ item }}"
+    name: "{{ item.name }}"
     description: "{{ aws_backup_validation.description }}"
     state: present
     region: "{{ _aws_region }}"
-    event_pattern: '{ "source": ["aws.backup"], "detail-type": ["Restore Job State Change"], "detail": { "resourceType": ["{{ item }}"], "status": ["COMPLETED"] } }'
+    role_arn: "arn:aws:iam::{{ _acc_id }}:role/{{ item.name }}_event"
+    event_pattern: >-
+      {{ item.event_pattern | default(
+        {
+          "source": ["aws.backup"],
+          "detail-type": ["Restore Job State Change"],
+          "detail": {
+            "resourceType": [ item.type ],
+            "status": ["COMPLETED"]
+          }
+        } | to_json
+      ) }}
     targets:
-      - id: "RestoreValidation_{{ item }}"
-        arn: "arn:aws:lambda:{{ _aws_region }}:{{ _acc_id }}:function:RestoreValidation_{{ item }}"
+      - id: "{{ item.name }}"
+        arn: "arn:aws:lambda:{{ _aws_region }}:{{ _acc_id }}:function:{{ item.name }}"
   loop: "{{ aws_backup_validation.resources }}"
+  when: item.type != "Schedule"
   register: _event_bridges
 
 - name: Create schedule for validation reports.
   amazon.aws.cloudwatchevent_rule:
-    name: validation_report
-    schedule_expression: "cron(0 0 ? * MON *)"
-    description: Run validation reporting
+    name: "{{ item.name }}"
+    schedule_expression: "{{ item.schedule }}"
+    description: "Run validation reporting."
     region: "{{ _aws_region }}"
+    role_arn: "arn:aws:iam::{{ _acc_id }}:role/{{ item.name }}_event"
     targets:
       - id: validation_report
-        arn: "{{ (aws_lambda._result['validation_report'].configuration.function_arn.split(':') | map('trim'))[:-1] | join(':') }}" # Remove the version number from ARN
+        arn: "arn:aws:lambda:{{ _aws_region }}:{{ _acc_id }}:function:{{ item.name }}"
+  loop: "{{ aws_backup_validation.resources }}"
+  when: item.type == "Schedule"
   register: _validation_event
 
-- name: Update Lambda policy.
+- name: Update Lambda policies.
   amazon.aws.lambda_policy:
     state: present
-    function_name: "{{ item.rule.name }}"
-    statement_id: "{{ item.rule.name }}"
+    function_name: "{{ item.name }}"
+    statement_id: "{{ item.name }}"
     action: lambda:InvokeFunction
     principal: events.amazonaws.com
-    source_arn: "{{ item.rule.arn }}"
-    region: "{{ _aws_region }}"
-  loop: "{{ _event_bridges.results }}"
-
-- name: Update lambda validation report policy.
-  amazon.aws.lambda_policy:
-    state: present
-    function_name: "validation_report"
-    statement_id: "validation_report"
-    action: lambda:InvokeFunction
-    principal: events.amazonaws.com
-    source_arn: "{{ _validation_event.rule.arn }}"
+    source_arn:  "arn:aws:events:{{ _aws_region }}:{{ _acc_id }}:rule/{{ item.name }}"
     region: "{{ _aws_region }}"
+  loop: "{{ aws_backup_validation.resources }}"

roles/aws/aws_admin_tools/templates/get_infra_data_from_s3.py.j2

@@ -68,34 +68,26 @@
       instance: "EC2"
       file-system: "EFS"
       db: "RDS"
-      cluster: "AURORA"
+      cluster: "Aurora"
 
 - name: Set instance type for template.
   ansible.builtin.set_fact:
     _instance_type_restore: "{{ instance_type[backup.resource_type] }}"
-    _template_prefix: "{{ instance_type[backup.resource_type] }}"
   when: backup.resource_type != 'file-system'
 
-- name: Set instance type to Aurora if defined.
-  ansible.builtin.set_fact:
-    _instance_type_restore: "Aurora"
-  when:
-    - backup.resource_type == 'db'
-    - "'aurora' in aws_rds.engine"
-
 - name: Create restore testing query file.
   ansible.builtin.template:
-    src: "{{ _template_prefix }}_restore_testing.j2"
+    src: "{{ _instance_type_restore }}_restore_testing.j2"
     dest: /tmp/restore_testing.json
   register: _restore_testing_query
-  when: _template_prefix is defined
+  when: _instance_type_restore is defined
 
 - name: Check if protected reource exist.
   ansible.builtin.command: >
     aws backup list-protected-resources --query "Results[?ResourceArn=='{{ _resource_arn }}']" --region {{ _aws_region }}
   register: _protected_res
 
-- name: Assign {{ _template_prefix }} resource to AWS restore testing plan.
+- name: Assign {{ _instance_type_restore }} resource to AWS restore testing plan.
   ansible.builtin.command: >
     aws backup create-restore-testing-selection --cli-input-json file:///tmp/restore_testing.json --region {{ _aws_region }}
-  when: _template_prefix is defined and _testing_plan_info.stdout != "null" and _testing_selection_exists.stdout | length == 0 and _protected_res.stdout | length != 0
+  when: _instance_type_restore is defined and _testing_plan_info.stdout != "null" and _testing_selection_exists.stdout | length == 0 and _protected_res.stdout | length != 0