So first I'll point out that we probably aren't using this the standard 
way.  I get that.  But please tell me another way of doing this without as 
much user interaction which gets rid of these deprecation warnings and 
we'll try that too.

We use ansible with cloudformation over multiple accounts.
One of our playbooks is to set up security procedures over all accounts.  In 
the end it will have to be run by security, not by a build server, which 
would have made this easier.  Instead what I did was create a playbook 
which iterates over all of them, using the security role as a trusted 
entity to the account that is running the script.

My playbook:

- hosts: our-security-rules
  roles:
    - buckets
    - zipfile
    - ststoken

group_vars/all.yml:
aws:
  accounts:
    - 123456789101
    - 234567891011
ACCOUNT_ROLE: security

buckets role:
- name: Manage Lambda Bucket CloudFormation Stack
  cloudformation:
    aws_access_key: "{{ assumed_role.sts_creds.access_key }}"
    aws_secret_key: "{{ assumed_role.sts_creds.secret_key }}"
    security_token: "{{ assumed_role.sts_creds.session_token }}"
    ...
  register: buckets_stack_{{ACCOUNT_ID}}

zipfile role (as the example):
main.yml:
- name: prepare the zipfile
  include: zipfile.yml ACCOUNT_ID={{ item }}
  with_items: "{{aws.accounts}}"

zipfile.yml:

- name: Assume the sts role
  sts_assume_role:
    role_arn: "arn:aws:iam::{{ ACCOUNT_ID }}:role/{{ACCOUNT_ROLE}}"
    role_session_name: "stsSessionRole"
    region: "{{ region }}"
  register: assumed_role

- name: find all zip files
  find:
    paths: "./rendered_templates/lambda/"
    patterns: "*.zip"
  register: find_zips

- set_fact: buckets_name="[ 'buckets_stack_', {{ACCOUNT_ID}}, '.stack_outputs.LambdaStorageBucket']"
- set_fact: bn="{{buckets_name[0]}}{{buckets_name[1]}}{{buckets_name[2]}}"
# I'm creating the variable name here as the bucket name comes in the form
# eg: buckets_stack_123456789101.stack_outputs.LambdaStorageBucket

- name: s3 sync the folder to the selected environment
  s3:
    aws_access_key: "{{ assumed_role.sts_creds.access_key }}"
    aws_secret_key: "{{ assumed_role.sts_creds.secret_key }}"
    security_token: "{{ assumed_role.sts_creds.session_token }}"
    bucket: "{{ item[1] }}"
    object: "/{{ item[0].path|basename }}"
    overwrite: different
    src: "{{ item[0].path }}"
    mode: put
  with_nested:
    - "{{find_zips.files}}"
    - "{{bn}}"


So basically what's happening here is I build the variable name into bn 
using set_fact.   Then in the zipfile role, with with_nested, I use the 
variable to pass the variable name into the s3 put to be used as the bucket 
and file name.

This allows me to hand this off to security where they only have to run the 
one playbook and it iterates through all the different accounts setting up 
config rules and lambda functions.  But it gives me this nice big warning:

[DEPRECATION WARNING]: Using bare variables is deprecated. Update your playbooks so that the environment value uses the full variable syntax ('{{buckets_stack_123456789101.stack_outputs.LambdaStorageBucket}}'). This feature will be removed in a future release. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

So now I'm worried that when we upgrade ansible within the next 2 major 
releases this script will stop working.

What should we replace this with?  

(My current backup plan is just to use a shell script to do a for loop over 
the accounts and then call the ansible-playbook multiple times with an 
ACCOUNT_ID variable)

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/f9b4eaed-5717-42c0-8dfa-d64211f99d7b%40googlegroups.com.
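The warning above comes from the loop plugin: `"{{bn}}"` renders to the string `buckets_stack_123456789101.stack_outputs.LambdaStorageBucket`, and the deprecated bare-variable conversion is what turns that string into the bucket name. The reworked zipfile.yml below is an added example, not the poster's code: it resolves the registered result by name through the `vars` dictionary with full `{{ }}` syntax, so nothing is left for the deprecated conversion to do, and it drops the single-element with_nested since there is one bucket per account. It assumes the same variables as the post (ACCOUNT_ID, ACCOUNT_ROLE, region, and a result registered as buckets_stack_<ACCOUNT_ID> by the buckets role); the fact name lambda_bucket is my own.

```yaml
# zipfile.yml, reworked (added example; assumes the variables from the post).

- name: Assume the sts role
  sts_assume_role:
    role_arn: "arn:aws:iam::{{ ACCOUNT_ID }}:role/{{ ACCOUNT_ROLE }}"
    role_session_name: "stsSessionRole"
    region: "{{ region }}"
  register: assumed_role
  # The registered result carries temporary AWS credentials; keep them
  # out of play output and log files.
  no_log: true

- name: find all zip files
  find:
    paths: "./rendered_templates/lambda/"
    patterns: "*.zip"
  register: find_zips

# Deprecated form from the post (shown for contrast):
#   - set_fact: bn="buckets_stack_{{ ACCOUNT_ID }}.stack_outputs.LambdaStorageBucket"
#   with_nested:
#     - "{{ find_zips.files }}"
#     - "{{ bn }}"
# Replacement: build the variable name, look it up in 'vars', and take the
# stack output from the result, all inside one full-syntax expression.
- name: resolve the Lambda bucket registered for this account
  set_fact:
    lambda_bucket: "{{ vars['buckets_stack_' ~ ACCOUNT_ID].stack_outputs.LambdaStorageBucket }}"

- name: s3 sync the folder to the selected environment
  s3:
    aws_access_key: "{{ assumed_role.sts_creds.access_key }}"
    aws_secret_key: "{{ assumed_role.sts_creds.secret_key }}"
    security_token: "{{ assumed_role.sts_creds.session_token }}"
    bucket: "{{ lambda_bucket }}"
    object: "/{{ item.path | basename }}"
    src: "{{ item.path }}"
    overwrite: different
    mode: put
  with_items: "{{ find_zips.files }}"
```

On Ansible 2.5 or later, `lookup('vars', 'buckets_stack_' ~ ACCOUNT_ID)` does the same job as the `vars[...]` index and reads a little more clearly; `hostvars[inventory_hostname][...]` is the older equivalent. `no_log: true` also suppresses the module's error details when the assume-role call fails, so expect to lift it temporarily when debugging a trust-policy problem.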