Thanks, Todd. I'm majorly facing issues with looping. I want to create
regional_account_rules
for us-east-1 and eu-central-1 and want to make sure correct "acc_statements"
get created for each region with respective blocked accounts. Could you
provide some suggestions how to achieve this?
On Saturday, September 2, 2023 at 2:38:48 AM UTC+5:30 Todd Lewis wrote:
> Your first task is replacing blocked_account_list each time through the
> loop, so you end up with only those blocked accounts listed for the last
> region.
>
> However, you are also registering the results, so you can create a loop
> that retains all the blocked accounts along with their associated region.
>
> - name: Tie region to the blocked accounts
> ansible.builtin.debug:
> msg: "{{ item }}"
> vars:
> ba_query: '[].{region: region, blocked_accounts:
> ansible_facts.blocked_account_list}'
> loop:
> - "{{ blocked_accounts.results | json_query(ba_query) }}"
>
> This result in the following output. (Note, I'm running with
> ANSIBLE_STDOUT_CALLBACK=yaml ansible-playbook …
> and I've inserted the region into the account numbers so I can tell which
> accounts came from which region.):
>
> TASK [Tie region to the blocked accounts]
> ************************************************************************************************************************************
> ok: [localhost] => (item=[{'region': 'us-east-1', 'blocked_accounts':
> ['20ea8d-us-east-1-bfbafa5', 'c7a19f-us-east-1-33e64c5']}, {'region':
> 'eu-central-1', 'blocked_accounts': ['5afabf-eu-central-1-ae02',
> '5c46e3-eu-central-1-1a7c']}]) =>
> msg:
> - blocked_accounts:
> - 20ea8d-us-east-1-bfbafa5
> - c7a19f-us-east-1-33e64c5
> region: us-east-1
> - blocked_accounts:
> - 5afabf-eu-central-1-ae02
> - 5c46e3-eu-central-1-1a7c
> region: eu-central-1
>
> After that, it isn't particularly clear to me how the region is supposed
> to play into the following tasks. But perhaps this will help get past the
> first problem.
> --
> Todd
>
>
> On 9/1/23 2:54 PM, Shivani Arora wrote:
>
> Hi Team,
>
> I'm having issues with looping in Ansible. The background of what I'm
> trying to do is -
> I have 2 regions in aws_cloud_regions and their respective
> waf_blocked_accounts list, which looks like the one below.
>
> I want to create regional_account_rules in waf for both the regions (as in
> us-east-1 blocked_account_list gets attached to regional_account_rules
> for US East and the same for another region) but facing issues while
> looping over regions and blocked_account_list together.
>
>
> Also note, that search_string in "Create statements" accepts a string
> list, so we have to create one outer loop and one inner loop, an outer
> loop for regions, and an inner for adding blocked account lists one by one.
>
>
>
> -bash-4.2$ cat environment/QAtest/us-east-1/waf_blocked_accounts.yml
>
> blocked_account_list:
>
> - 5afabfb36d6c356772d8ae02
>
> - 5c46e33273766a3634f91a7c
>
>
>
> "aws_cloud_regions": [
> "us-east-1",
> "eu-central-1"
> ]
>
>
> The playbook which needs modification, it is not region-specific as of now:
>
> - name: Loop over AWS regions
>
> include_vars:
>
> file: "environment/QAtest/{{ region }}/waf_blocked_accounts.yml"
>
> loop: "{{ aws_cloud_regions }}"
>
> loop_control:
>
> loop_var: region
>
> register: blocked_accounts
>
>
> - name: Create statements
>
> set_fact:
>
> acc_statements: "{{ acc_statements + [loop_statement] }}"
>
> vars:
>
> loop_statement:
>
> byte_match_statement:
>
> search_string: "{{ acc_id }}"
>
> positional_constraint: EXACTLY
>
> field_to_match:
>
> single_header:
>
> name: "accountmoid"
>
> text_transformations:
>
> - type: NONE
>
> priority: 0
>
> loop: "{{ blocked_account_list }}"
>
> loop_control:
>
> loop_var: acc_id
>
>
>
> - set_fact:
>
> regional_account_rules:
>
> - name: "BlockedAccounts"
>
> priority: 3
>
> action:
>
> block: {}
>
> visibility_config:
>
> sampled_requests_enabled: yes
>
> cloud_watch_metrics_enabled: yes
>
> metric_name: "BlockedAccounts"
>
> statement:
>
> or_statement:
>
> statements: "{{ acc_statements }}"
>
> - set_fact:
>
> regional_account_rules: "{{ regional_account_rules | default([]) }}"
>
>
>
> Any help is appreciated. Thanks in advance.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-proje...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/cd18c106-b3c0-4f3b-8e6c-60c52ee3e5e6n%40googlegroups.com
>
> <https://groups.google.com/d/msgid/ansible-project/cd18c106-b3c0-4f3b-8e6c-60c52ee3e5e6n%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
>
> --
> Todd
>
>
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/0a4b1d00-7637-4b12-a226-8a4703e475d4n%40googlegroups.com.
