And the output of "Attach WAF to ALBs"?

Sent from Gmail Mobile

On Fri, 25 Aug 2023 at 06:52, Shivani Arora <shivania...@gmail.com> wrote:

> Hey Dick,
>
> Thanks for responding.
>
> Please find the attached debug output as requested
>
> TASK [Display ALB ARNs] ************************************************************************************
> Thursday 24 August 2023 13:04:34 -0700 (0:00:00.338) 0:00:24.776 *******
> ok: [localhost] => {
>     "alb_map_arns": {
>         "eu-central-1": [
>             "arn:aws:elasticloadbalancing:eu-central-1:<profile>:loadbalancer/app/Web-QAtest/78c12741885fcfbb",
>             "arn:aws:elasticloadbalancing:eu-central-1:<profile>:loadbalancer/app/Service-QAtest/a22b43074f64f9d7",
>             "arn:aws:elasticloadbalancing:eu-central-1:<profile>:loadbalancer/app/ServiceInt-QAtest/2f7fff2fb7d354a7"
>         ],
>         "us-east-1": [
>             "arn:aws:elasticloadbalancing:us-east-1:<profile>:loadbalancer/app/Web-QAtest/c1fba8d4f0526447",
>             "arn:aws:elasticloadbalancing:us-east-1:<profile>:loadbalancer/app/Service-QAtest/1c8cde570dbc2c98",
>             "arn:aws:elasticloadbalancing:us-east-1:<profile>:loadbalancer/app/ServiceInt-QAtest/e8b1dcfb2f17b6e1"
>         ]
>     }
> }
>
> On Friday, August 25, 2023 at 3:06:14 AM UTC+5:30 Dick Visser wrote:
>
>> Hi
>>
>> You left out important information. For instance the output of the
>> "Display ALB ARNs" debug task.
>> That is used in your shell command at " for alb_arn in {{
>> alb_map_arns[item] }}; do", so that is important.
>> Post that debug output.
>> Or, post the output of the "Attach WAF to ALBs" task with -vv.
>>
>>
>> On Thu, 24 Aug 2023 at 21:45, Shivani Arora <shiva...@gmail.com> wrote:
>>
>>> Hi Team,
>>>
>>> I'm trying the below code to attach region-specific WAF to
>>> region-specific ALBs. But the below code doesn't seem to be working for
>>> associating the WAF to ALBs. The last shell module is having issues,
>>> "$alb_arn" value is not getting interpreted and getting the error
>>> mentioned below.
>>>
>>> tasks:
>>>
>>>   - block:
>>>     - name: Get service alb info
>>>       community.aws.elb_application_lb_info:
>>>         profile: "{{ aws_profile_name }}"
>>>         region: "{{ region }}"
>>>         names:
>>>           - "Service-{{ ec2_tag_environment }}"
>>>           - "ServiceInt-{{ ec2_tag_environment }}"
>>>           - "Web-{{ ec2_tag_environment }}"
>>>       register: alb_info
>>>       loop: "{{ aws_cloud_regions }}"
>>>       loop_control:
>>>         loop_var: region
>>>
>>>     - debug:
>>>         var=alb_info
>>>
>>>     - name: Extract ALB ARNs
>>>       set_fact:
>>>         alb_arns: "{{ alb_arns | default([]) + item.load_balancers | map(attribute='load_balancer_arn') | list }}"
>>>       loop: "{{ alb_info.results }}"
>>>
>>>     - name: Extract ALB map ARNs
>>>       set_fact:
>>>         alb_map_arns: "{{ alb_map_arns | default({}) | combine({item.region: item.load_balancers | map(attribute='load_balancer_arn') | list}) }}"
>>>       loop: "{{ alb_info.results }}"
>>>
>>>
>>>     - name: Display ALB ARNs
>>>       debug:
>>>         var: alb_map_arns
>>>
>>>     - name: Get WAF WebACL ARN
>>>       shell: |
>>>         aws wafv2 list-web-acls --scope REGIONAL --profile "{{ aws_profile_name }}" --region "{{ region }}" --query 'WebACLs[?Name==`{{ ec2_tag_environment }}-ALB`].ARN' --output text
>>>       register: waf_acl
>>>       changed_when: false
>>>       loop: "{{ aws_cloud_regions }}"
>>>       loop_control:
>>>         loop_var: region
>>>
>>>     - debug:
>>>         var=waf_acl
>>>
>>>     - name: Print WebACL ARN
>>>       set_fact:
>>>         waf_arn: "{{ waf_arn | default({}) | combine({item.region: item.stdout}) }}"
>>>       loop: "{{ waf_acl.results }}"
>>>
>>>     - debug:
>>>         var=waf_arn
>>>
>>>     - name: Attach WAF to ALBs
>>>       shell: |
>>>         for alb_arn in {{ alb_map_arns[item] }}; do
>>>           aws wafv2 associate-web-acl \
>>>             --web-acl-arn "{{ waf_arn[item] }}" \
>>>             --resource-arn "$alb_arn" \
>>>             --profile "{{ aws_profile_name }}" \
>>>             --region "{{ item }}"
>>>         done
>>>       loop: "{{ waf_arn.keys() | list }}"
>>>       when: item in alb_map_arns
>>>
>>>
>>> below $alb_arn is not getting interpreted
>>>
>>> do\n aws wafv2 associate-web-acl --web-acl-arn \"arn:aws:wafv2:eu-central-1:<profile>:regional/webacl/QAtest-ALB/a6dda4d3-9973-4b88-bc49-a7cbad91a302\" --resource-arn \"$alb_arn\"
>>>
>>> error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: RESOURCE_ARN
>>> An error occurred (WAFNonexistentItemException) when calling the AssociateWebACL operation: AWS WAF couldn’t perform the operation because your resource doesn’t exist

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAF8BbLZ_T8upQiDtt6%3DD_Z-%2BBqku-CmQPqSke4uoR4MBop5RYg%40mail.gmail.com.
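
The "ARN isn't valid" error quoted in the thread is consistent with how the shell parses the rendered `for alb_arn in ...` line. The script below is an added example, not part of the original messages: it assumes the template renders the list in Python list form, and the ARNs, account id and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample ARNs (account 111122223333 and the trailing ids are made up).
A1='arn:aws:elasticloadbalancing:eu-central-1:111122223333:loadbalancer/app/Web-QAtest/0000000000000001'
A2='arn:aws:elasticloadbalancing:eu-central-1:111122223333:loadbalancer/app/Service-QAtest/0000000000000002'

# Assumed rendering of "{{ alb_map_arns[item] }}" inside the script text: a Python-style list.
RENDERED_LIST="['$A1', '$A2']"
# Rendering of "{{ alb_map_arns[item] | join(' ') }}": plain space-separated words.
RENDERED_JOINED="$A1 $A2"

# loop_words TEXT: parse TEXT the way the shell parses the word list of the
# generated "for alb_arn in TEXT; do" line, printing one word per line.
loop_words() {
    eval "for w in $1; do printf '%s\n' \"\$w\"; done"
}

# is_elb_arn WORD: succeed only for a clean load balancer ARN.
is_elb_arn() {
    case "$1" in
        *[!A-Za-z0-9:/_-]*) return 1 ;;   # stray "[", "]" or "," left over from the list
        arn:aws:elasticloadbalancing:*:loadbalancer/*) return 0 ;;
        *) return 1 ;;
    esac
}

# count_valid TEXT: how many loop words would be usable as --resource-arn.
count_valid() {
    n=0
    for word in $(loop_words "$1"); do
        if is_elb_arn "$word"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# first_word TEXT: the value $alb_arn holds on the first iteration.
first_word() { loop_words "$1" | head -n 1; }

echo "list form:   $(count_valid "$RENDERED_LIST") valid, first word: $(first_word "$RENDERED_LIST")"
echo "joined form: $(count_valid "$RENDERED_JOINED") valid, first word: $(first_word "$RENDERED_JOINED")"
```

With the list form the first word starts with `[` and every word carries a stray `,` or `]`, so none of them is a usable resource ARN; the joined form yields the ARNs unchanged.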