Merge pull request #2481 from codeenigma/Updatng-permissions-and-adding-more-functions-PR-devel-2.x

Updatng permissions and adding more functions pr devel 2.x

Author: matej5

roles/aws/aws_admin_tools/defaults/main.yml

@@ -4,19 +4,40 @@ aws_admin_tools:
   allowed_ips:
     - 192.168.1.1/32 # Ip of server with access to API-s
   functions:
-    - name: "GetForecastedCosts"
+    - name: "get_forecasted_costs"
       type: GET
       inline_policies:
         name: "{{ _aws_profile }}Billing"
         resource: "*"
-        acton:
+        action:
           - "ce:*"
       policies: []
-    - name: "ChangeASGScaling"
+    - name: "change_asg_scaling"
       type: POST
       policies:
         - arn:aws:iam::aws:policy/AmazonEC2FullAccess
-    - name: "GetListOfEC2"
+    - name: "get_list_of_ec2"
       type: GET
-      policies:
-        - arn:aws:iam::aws:policy/AmazonEC2FullAccess
+      policies: []
+      inline_policies:
+        name: "list_ec2"
+        resource: "*"
+        action:
+          - "ec2:DescribeAddresses"
+          - "ec2:DescribeInstances"
+    - name: "get_ip_set"
+      type: GET
+      policies: []
+      inline_policies:
+        name: "get_ip_set"
+        resource: "*"
+        action:
+          - "wafv2:GetIPSet"
+    - name: "update_ip_set"
+      type: POST
+      policies: []
+      inline_policies:
+        name: "update_ip_set"
+        resource: "*"
+        action:
+          - "wafv2:UpdateIPSet"

roles/aws/aws_admin_tools/tasks/create.yml

@@ -65,7 +65,7 @@
 - name: Update Lambda triggers.
   ansible.builtin.command: >-
     aws lambda add-permission
-    --function-name "API_{{ item.name }}"
+    --function-name "api_{{ item.name }}"
     --statement-id "{{ item.name }}_{{ _rand_str }}"
     --action "lambda:InvokeFunction"
     --principal apigateway.amazonaws.com

roles/aws/aws_admin_tools/tasks/create_methods.yml

@@ -54,7 +54,7 @@
     --type AWS
     --content-handling CONVERT_TO_TEXT
     --integration-http-method POST
-    --uri "arn:aws:apigateway:{{ _aws_region }}:lambda:path/2015-03-31/functions/arn:aws:lambda:{{ _aws_region }}:{{ _acc_id }}:function:API_{{ item.name }}/invocations"
+    --uri "arn:aws:apigateway:{{ _aws_region }}:lambda:path/2015-03-31/functions/arn:aws:lambda:{{ _aws_region }}:{{ _acc_id }}:function:api_{{ item.name }}/invocations"
     --region {{ _aws_region }}
 
 - name: Add method response.

roles/aws/aws_admin_tools/tasks/lambda_functions.yml

@@ -12,30 +12,30 @@
 
 - name: Write Lambda functions.
   ansible.builtin.template:
-    src: "API_{{ item.name }}.py.j2"
-    dest: "/tmp/API_{{ item.name }}.py"
+    src: "api_{{ item.name }}.py.j2"
+    dest: "/tmp/api_{{ item.name }}.py"
 
 - name: Create a zip archive of Lambda functions.
   community.general.archive:
-    path: "/tmp/API_{{ item.name }}.py"
-    dest: "/tmp/API_{{ item.name }}.zip"
+    path: "/tmp/api_{{ item.name }}.py"
+    dest: "/tmp/api_{{ item.name }}.zip"
     format: zip
 
 - name: Place Lambda functions in S3 bucket.
   amazon.aws.s3_object:
     bucket: "{{ _aws_profile }}-lambda-api-functions"
     object: "lambda-functions/API-{{ item.name }}.zip"
-    src: "/tmp/API_{{ item.name }}.zip"
+    src: "/tmp/api_{{ item.name }}.zip"
     mode: put
 
 - name: Get appropriate IAM role for Lambda.
   amazon.aws.iam_role_info:
-    name: "API_{{ item.name }}"
+    name: "api_{{ item.name }}"
   register: _iam_api_lambda
 
 - name: Create Lambda functions.
   amazon.aws.lambda:
-    name: "API_{{ item.name }}"
+    name: "api_{{ item.name }}"
     description: "Lambda function for {{ item.name }}"
     region: "{{ _aws_region }}"
     timeout: "{{ aws_admin_tools.timeout }}"
@@ -44,6 +44,6 @@
     state: present
     runtime: "{{ aws_admin_tools.runtime }}"
     role: "{{ _iam_api_lambda.iam_roles[0].arn }}"
-    handler: "API_{{ item.name }}.lambda_handler"
+    handler: "api_{{ item.name }}.lambda_handler"
     tags:
-      Name: "API_{{ item.name }}"
+      Name: "api_{{ item.name }}"

roles/aws/aws_admin_tools/tasks/lambda_iam.yml

@@ -7,7 +7,8 @@
     name: aws/aws_iam_role
   vars:
     aws_iam_role:
-      name: "API_{{ item.name }}"
+      name: "api_{{ item.name }}"
       aws_profile: "{{ _aws_profile }}"
       managed_policies: "{{ _policies }}"
+      inline_policies: "{{ item.inline_policies | default(omit) }}"
       policy_document: "{{ lookup('template', 'trusted_entitites.j2') }}"

…ols/templates/API_ChangeASGScaling.py.j2 …s/templates/api_change_asg_scaling.py.j2roles/aws/aws_admin_tools/templates/API_ChangeASGScaling.py.j2 renamed to roles/aws/aws_admin_tools/templates/api_change_asg_scaling.py.j2 roles/aws/aws_admin_tools/templates/API_ChangeASGScaling.py.j2 renamed to roles/aws/aws_admin_tools/templates/api_change_asg_scaling.py.j2

@@ -0,0 +1,21 @@
+import json
+import boto3
+
+waf_cli = boto3.client("wafv2")
+
+def lambda_handler(event, context):
+
+    print("Gathering instance details.")
+    ip_set=waf_cli.get_ip_set(
+        Name=event['ip_set'],
+        Scope='REGIONAL',
+        Id=event['id']
+    )
+
+    return {
+        'statusCode': 200,
+        'name': ip_set['IPSet']['Name'],
+        'id': ip_set['IPSet']['Id'],
+        'addresses': ip_set['IPSet']['Addresses'],
+        'lock_token': ip_set['LockToken'],
+    }