From 866cb315416bc6ea50a41ebdd1f1d9edba395dfb Mon Sep 17 00:00:00 2001 From: Matej Stajduhar <matej.stajduhar@codeenigma.com> Date: Mon, 20 May 2024 08:04:06 +0200 Subject: [PATCH 1/2] New-version-of-aws-acl-role --- roles/aws/aws_acl/README.md | 68 +++++--- roles/aws/aws_acl/defaults/main.yml | 53 +++--- roles/aws/aws_acl/tasks/bot_control.yml | 21 ++- roles/aws/aws_acl/tasks/create_acl.yml | 160 +++++++----------- roles/aws/aws_acl/tasks/cyber_sec.yml | 113 +++++++++++++ roles/aws/aws_acl/tasks/increase_priority.yml | 11 ++ roles/aws/aws_acl/tasks/ip_sets.yml | 39 +++++ roles/aws/aws_acl/tasks/main.yml | 18 +- roles/aws/aws_acl/tasks/regular_rule.yml | 34 ++++ roles/aws/aws_acl/tasks/set_acl.yml | 6 +- roles/aws/aws_acl/templates/rate_limit.j2 | 1 + 11 files changed, 350 insertions(+), 174 deletions(-) create mode 100644 roles/aws/aws_acl/tasks/cyber_sec.yml create mode 100644 roles/aws/aws_acl/tasks/increase_priority.yml create mode 100644 roles/aws/aws_acl/tasks/ip_sets.yml create mode 100644 roles/aws/aws_acl/tasks/regular_rule.yml create mode 100644 roles/aws/aws_acl/templates/rate_limit.j2 diff --git a/roles/aws/aws_acl/README.md b/roles/aws/aws_acl/README.md index 2fb609ca9..535ab39e4 100644 --- a/roles/aws/aws_acl/README.md +++ b/roles/aws/aws_acl/README.md 
@@ -5,40 +5,52 @@ Creates an ACL to be attached to a CloudFront distribution or an Application Loa <!--ENDTOC--> <!--ROLEVARS--> -## Default variables +## Default variables for creation of ACL (pass it as a list) ```yaml --- +--- aws_acl: - - rate_limit: 0 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking - acl_rules: - name: example_master_acl # Name of the ACL - description: "Master ACL for CF" - scope: CLOUDFRONT # Can be REGIONAL for ALBs - tags: {} - - botControl: false # Set to true to apply bot control - inspection: "COMMON" # or set to TARGETED inspection level - - ip_allow: - name: "Allowed-ips" - list: [] - #- 1.1.1.1/32 # list of ip ranges - #- 2.2.2.2/32 - #- 3.3.3.3/32 - - ip_block: - name: "Blocked-ips" - list: [] - #- 4.4.4.4/32 # list of ip ranges - #- 5.5.5.5/32 - #- 6.6.6.6/32 + - name: example_master_acl + description: "Master ACL for CF" + scope: CLOUDFRONT # Can be REGIONAL for ALBs + region: "us-east-1" + tags: {} + rules: + rate_limit: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking + botControl: "COMMON" # or set to TARGETED inspection level (comment out to avoid addign rule) + + ip_sets: + - name: "Allowed-ips-example" + action: allow + list: [] + #- 1.1.1.1/32 # list of ip ranges + #- 2.2.2.2/32 + #- 3.3.3.3/32 + - name: "Blocked-ips-example" + action: block + list: [] + #- 4.4.4.4/32 # list of ip ranges + #- 5.5.5.5/32 + #- 6.6.6.6/32 cc_block_list: [] - #- BY # Belarus - #- CN # China - #- IR # Iran - #- SA # Saudi Arabia + regular_rules: + - name: allow_panels + action: allow + string: "panels/ajax" + position: "CONTAINS" + +# cyber_sec: #Need to implement task +``` + +## Default variables for assigning ACL to CF or ALB +```yaml +--- +aws_acl: + name: example_master_acl # Name of the ACL to apply + scope: CLOUDFRONT # Can be REGIONAL for ALBs + region: "us-east-1" ``` <!--ENDROLEVARS--> 
diff --git a/roles/aws/aws_acl/defaults/main.yml b/roles/aws/aws_acl/defaults/main.yml index 00bd71412..7808982f8 100644 --- a/roles/aws/aws_acl/defaults/main.yml +++ b/roles/aws/aws_acl/defaults/main.yml @@ -1,31 +1,34 @@ --- aws_acl: - - rate_limit: 0 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking - acl_rules: - name: example_master_acl # Name of the ACL - description: "Master ACL for CF" - scope: CLOUDFRONT # Can be REGIONAL for ALBs - tags: {} + - name: example_master_acl + description: "Master ACL for CF" + scope: CLOUDFRONT # Can be REGIONAL for ALBs + region: "us-east-1" + tags: {} + rules: + rate_limit: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking + botControl: "COMMON" # or set to TARGETED inspection level (comment out to avoid addign rule) - botControl: false # Set to true to apply bot control - inspection: "COMMON" # or set to TARGETED inspection level + ip_sets: + - name: "Allowed-ips-example" + action: allow + list: [] + #- 1.1.1.1/32 # list of ip ranges + #- 2.2.2.2/32 + #- 3.3.3.3/32 + - name: "Blocked-ips-example" + action: block + list: [] + #- 4.4.4.4/32 # list of ip ranges + #- 5.5.5.5/32 + #- 6.6.6.6/32 - ip_allow: - name: "Allowed-ips" - list: [] - #- 1.1.1.1/32 # list of ip ranges - #- 2.2.2.2/32 - #- 3.3.3.3/32 + cc_block_list: [] - ip_block: - name: "Blocked-ips" - list: [] - #- 4.4.4.4/32 # list of ip ranges - #- 5.5.5.5/32 - #- 6.6.6.6/32 + regular_rules: + - name: allow_panels + action: allow + string: "panels/ajax" + position: "CONTAINS" - cc_block_list: [] - #- BY # Belarus - #- CN # China - #- IR # Iran - #- SA # Saudi Arabia +# cyber_sec: #Need to implement task diff --git a/roles/aws/aws_acl/tasks/bot_control.yml b/roles/aws/aws_acl/tasks/bot_control.yml index a3c86dda2..66dca0626 100644 --- a/roles/aws/aws_acl/tasks/bot_control.yml +++ b/roles/aws/aws_acl/tasks/bot_control.yml 
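Review bot: The new `rules.regular_rules` default is a live `allow` rule (`allow_panels`, any URI containing `panels/ajax`) and `botControl: "COMMON"` is enabled, while every other list in the file (`ip_sets[].list`, `cc_block_list`) ships empty with commented examples. Because `aws_acl` is a list, any override replaces it wholesale, so in practice these defaults are the template people copy into group_vars — and an `allow` action is terminating in WAFv2, so a copied `allow_panels` silently exempts those paths from every rule appended after it (today only `cyber_sec`, but that is the slot where a managed OWASP group is meant to go). Safer to ship `regular_rules: []` with the panels entry as a `#` example, and to comment `botControl` out the way the inline note already suggests. The removed `#- BY # Belarus …` examples were the only hint that `cc_block_list` expects ISO 3166 alpha-2 codes and are worth restoring; `addign` in the botControl comment is a typo.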
@@ -1,3 +1,4 @@ +--- - name: Define empty action rule list ansible.builtin.set_fact: _action_rules: [] @@ -59,7 +60,7 @@ action_to_use: block: {} - - name: Define empty action rule list + - name: Attach common action rules to list ansible.builtin.set_fact: _action_rules: "{{ _action_rules | default([]) + _action_rules_common }}" @@ -69,8 +70,8 @@ - a_w_s_managed_rules_bot_control_rule_set: inspection_level: "COMMON" -- name: Define rule actions targeted - when: aws_acl.inspection == "TARGETED" +- name: Define targeted actions rules + when: _acl.rules.botControl == "TARGETED" block: - name: Define targeted actions ansible.builtin.set_fact: @@ -97,7 +98,7 @@ action_to_use: block: {} - - name: Define empty action rule list + - name: Attach targeted action rules to list ansible.builtin.set_fact: _action_rules: "{{ _action_rules | default([]) + _action_rules_tgt }}" @@ -111,8 +112,7 @@ - name: Define Bot Control rule. ansible.builtin.set_fact: bot_control: - - name: bot_control - priority: 4 + name: bot_control # action: # block: {} override_action: @@ -128,6 +128,13 @@ managed_rule_group_configs: "{{ _rule_config }}" rule_action_overrides: "{{ _action_rules }}" +- name: Append priority to rule. + ansible.builtin.set_fact: + bot_control: "{{ bot_control | combine(_priority_dict) }}" + - name: Add rule to list. ansible.builtin.set_fact: - _acl_rules: "{{ _acl_rules + bot_control}}" + _rules: "{{ _rules + [bot_control] }}" + +- name: Increase priority. + ansible.builtin.include_tasks: increase_priority.yml diff --git a/roles/aws/aws_acl/tasks/create_acl.yml b/roles/aws/aws_acl/tasks/create_acl.yml index a4c7b86ff..bba4a4b7d 100644 --- a/roles/aws/aws_acl/tasks/create_acl.yml +++ b/roles/aws/aws_acl/tasks/create_acl.yml 
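Review bot: Only the TARGETED branch's condition is rewritten to `_acl.rules.botControl == "TARGETED"`; the COMMON branch sits above the `@@ -59,7` hunk and is not in the diff, so if it still tests `aws_acl.inspection == "COMMON"` (the pattern the old TARGETED line used) it now evaluates against the list-typed `aws_acl` and will error or never match — please confirm. A value that is neither `COMMON` nor `TARGETED` is also not rejected anywhere visible: both blocks are skipped and the 'Define Bot Control rule.' task still builds a rule from whatever `_action_rules`/`_rule_config` were left behind. A short `ansible.builtin.assert` with `that: _acl.rules.botControl in ['COMMON', 'TARGETED']` at the top of this file would turn that into a clear failure, and then the two near-identical blocks could share `inspection_level: "{{ _acl.rules.botControl }}"`.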
@@ -1,97 +1,35 @@ +--- - name: Define dict for rules. ansible.builtin.set_fact: - _acl_rules: [] + _rules: [] -- name: Define region if scope is REGIONAL. - ansible.builtin.set_fact: - _acl_region: "{{ _aws_region }}" - when: _acl.acl_rules.scope == "REGIONAL" +- name: Set priority counter + set_fact: + _priority: 0 + _priority_dict: {} -- name: Define region if scope is CLOUDFRONT. - ansible.builtin.set_fact: - _acl_region: "us-east-1" - when: _acl.acl_rules.scope == "CLOUDFRONT" +- name: Increase priority and set dict for 1st rule. + ansible.builtin.include_tasks: increase_priority.yml -- name: Set IP block rule. +# Priority is set to 0 here +- name: Create IP set rules. + ansible.builtin.include_tasks: ip_sets.yml when: - - _acl.acl_rules.ip_block is defined - - _acl.acl_rules.ip_block.list | length > 0 - block: - - name: Create IP block set for WAF. - community.aws.wafv2_ip_set: - name: "{{ _acl.acl_rules.ip_block.name }}" - state: present - description: Set of blocked IPs - scope: "{{ _acl.acl_rules.scope }}" - region: "{{ _acl_region }}" - ip_address_version: IPV4 - addresses: "{{ _acl.acl_rules.ip_block.list }}" - register: _ip_set_info - - - name: Create IP block rule. - ansible.builtin.set_fact: - ip_block_rule: - - name: "{{ _acl.acl_rules.ip_block.name }}" - priority: 0 - action: - block: {} - visibility_config: - sampled_requests_enabled: true - cloud_watch_metrics_enabled: true - metric_name: Block_IPs - statement: - ip_set_reference_statement: - arn: "{{ _ip_set_info.arn }}" - - - name: Add rule to list. - ansible.builtin.set_fact: - _acl_rules: "{{ _acl_rules + ip_block_rule }}" - -- name: Set IP allow rule. - when: - - _acl.acl_rules.ip_allow is defined - - _acl.acl_rules.ip_allow.list | length > 0 - block: - - name: Create IP allow set for WAF. 
- community.aws.wafv2_ip_set: - name: "{{ _acl.acl_rules.ip_allow.name }}" - state: present - description: Set of allowed IPs - scope: "{{ _acl.acl_rules.scope }}" - region: "{{ _acl_region }}" - ip_address_version: IPV4 - addresses: "{{ _acl.acl_rules.ip_allow.list }}" - register: _ip_set_info - - - name: Create IP allow rule. - ansible.builtin.set_fact: - ip_allow_rule: - - name: "{{ _acl.acl_rules.ip_allow.name }}" - priority: 1 - action: - allow: {} - visibility_config: - sampled_requests_enabled: true - cloud_watch_metrics_enabled: true - metric_name: Allow_IPs - statement: - ip_set_reference_statement: - arn: "{{ _ip_set_info.arn }}" - - - name: Add rule to list. - ansible.builtin.set_fact: - _acl_rules: "{{ _acl_rules + ip_allow_rule }}" + - _acl.rules.ip_sets is defined + - _acl.rules.ip_sets | length > 0 + loop: "{{ _acl.rules.ip_sets | list }}" + loop_control: + loop_var: _ip_set - name: Set country block rule. when: - - _acl.acl_rules.cc_block_list is defined - - _acl.acl_rules.cc_block_list | length > 0 + - _acl.rules.cc_block_list is defined + - _acl.rules.cc_block_list | length > 0 block: - name: Create country block rule ansible.builtin.set_fact: cc_block_rule: - - name: block_countries - priority: 2 + name: block_countries action: block: {} visibility_config: 
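Review bot: The removed tasks derived `_acl_region` from the scope (`us-east-1` whenever `scope == "CLOUDFRONT"`); the new code trusts `_acl.region` from the caller, so a CLOUDFRONT ACL with any other region is only rejected by AWS at the first API call (the IP set in `ip_sets.yml` or the web ACL) with a generic error instead of a message naming the cause. Add a guard right after the counter is initialised: `ansible.builtin.assert` with `that: _acl.scope != 'CLOUDFRONT' or _acl.region == 'us-east-1'` and `fail_msg: "CLOUDFRONT-scoped ACLs must use region us-east-1"`. The 'Set priority counter' task uses bare `set_fact` where every other task in the file is `ansible.builtin.set_fact`, and the `# Priority is set to 0 here` comment is already stale because `increase_priority.yml` has just been included and bumped the counter to 1.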
@@ -100,17 +38,24 @@ metric_name: block_countries statement: geo_match_statement: # Can't find the actual name, I got this from aws rule JSON formated - country_codes: "{{ _acl.acl_rules.cc_block_list }}" + country_codes: "{{ _acl.rules.cc_block_list }}" + + - name: Append priority to rule. + ansible.builtin.set_fact: + cc_block_rule: "{{ cc_block_rule | combine(_priority_dict) }}" - name: Add rule to list ansible.builtin.set_fact: - _acl_rules: "{{ _acl_rules + cc_block_rule }}" + _rules: "{{ _rules + [cc_block_rule] }}" + + - name: Increase priority. + ansible.builtin.include_tasks: increase_priority.yml # Workaround for rate limit rule in ACL (any variable gets interpreted as string instead of int) - name: Set rate limit variable. when: - - _acl.rate_limit is defined - - _acl.rate_limit > 0 + - _acl.rules.rate_limit is defined + - _acl.rules.rate_limit > 0 block: - name: Set rate based statement from template ansible.builtin.set_fact: @@ -119,8 +64,7 @@ - name: Define rate rule. ansible.builtin.set_fact: rate_rule: - - name: Rate_limit - priority: 3 + name: Rate_limit action: block: {} visibility_config: 
@@ -130,28 +74,48 @@ statement: rate_based_statement: "{{ _rbs }}" + - name: Append priority to rule. + ansible.builtin.set_fact: + rate_rule: "{{ rate_rule | combine(_priority_dict) }}" + - name: Add rule to list. ansible.builtin.set_fact: - _acl_rules: "{{ _acl_rules + rate_rule}}" + _rules: "{{ _rules + [rate_rule] }}" -- name: Include task Bot Control. - when: - - _acl.acl_rules.botControl is defined - - _acl.acl_rules.botControl + - name: Increase priority. + ansible.builtin.include_tasks: increase_priority.yml + +# Priority is set to 4 here +- name: Create Bot Control rule. + when: _acl.rules.botControl is defined ansible.builtin.include_tasks: file: bot_control.yml +# Priority is set to 5 here +- name: Create regular rules. + ansible.builtin.include_tasks: regular_rule.yml + when: + - _acl.rules.regular_rules is defined + - _acl.rules.regular_rules | length > 0 + loop: "{{ _acl.rules.regular_rules | list }}" + loop_control: + loop_var: _reg_rule + +- name: Create CyberSecurityCloudInc rule. + ansible.builtin.include_tasks: cyber_sec.yml + when: _acl.rules.cyber_sec is defined + - name: Create web acl. community.aws.wafv2_web_acl: - name: "{{ _acl.acl_rules.name }}" # Member must satisfy regular expression pattern: ^[\\w\\-]+$ - description: "{{ _acl.acl_rules.description }}" - scope: "{{ _acl.acl_rules.scope }}" - region: "{{ _acl_region }}" + name: "{{ _acl.name }}" # Member must satisfy regular expression pattern: ^[\\w\\-]+$ + description: "{{ _acl.description }}" + scope: "{{ _acl.scope }}" + region: "{{ _acl.region }}" default_action: Allow # or "Block" sampled_requests: false cloudwatch_metrics: true # or "false" to disable metrics metric_name: test-metric-name # not sure about this name, since each rule also has it's own metrics name (maybe log group name) - rules: "{{ _acl_rules }}" + rules: "{{ _rules }}" purge_rules: true - tags: "{{ _acl.acl_rules.tags }}" + tags: "{{ _acl.tags }}" state: present 
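Review bot: `metric_name: test-metric-name` is still a hard-coded placeholder in the `wafv2_web_acl` task, and now that `main.yml` loops `create_acl.yml` over a list of ACLs, every ACL created by this role reports under the same CloudWatch `WebACL` dimension value while the per-rule metrics are already derived from rule names. The ACL name is right there on the line above: `metric_name: "{{ _acl.name }}"`; `default_action: Allow` and `sampled_requests: false` would likewise be better as `_acl` keys with the current values as defaults than fixed in the task. The `# Priority is set to 4 here` / `# Priority is set to 5 here` comments are inaccurate because the IP-set, country, rate-limit and Bot Control rules are all conditional, so the counter value at those points depends on configuration — drop them or reword to "next free priority".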
diff --git a/roles/aws/aws_acl/tasks/cyber_sec.yml b/roles/aws/aws_acl/tasks/cyber_sec.yml new file mode 100644 index 000000000..978213b30 --- /dev/null +++ b/roles/aws/aws_acl/tasks/cyber_sec.yml @@ -0,0 +1,113 @@ +#{ +# "Name": "CyberSecurityCloudInc-CyberSecurityCloud-HighSecurityOWASPSet-", +# "Priority": 7, +# "Statement": { +# "ManagedRuleGroupStatement": { +# "VendorName": "Cyber Security Cloud Inc.", +# "Name": "CyberSecurityCloud-HighSecurityOWASPSet-", +# "ExcludedRules": [ +# { +# "Name": "bad_useragent-header-001" +# }, +# { +# "Name": "cookie-body-001" +# }, +# { +# "Name": "cookie-qs-001" +# }, +# { +# "Name": "drupal-multi-001" +# }, +# { +# "Name": "drupal-multi-002" +# }, +# { +# "Name": "joomla-multi-001" +# }, +# { +# "Name": "ldapi-url-001" +# }, +# { +# "Name": "nosqli-body-001" +# }, +# { +# "Name": "nosqli-qs-001" +# }, +# { +# "Name": "oracle-multi-001" +# }, +# { +# "Name": "oscommandi-body-001" +# }, +# { +# "Name": "oscommandi-qs-001" +# }, +# { +# "Name": "pathtraversal-body-001" +# }, +# { +# "Name": "pathtraversal-qs-001" +# }, +# { +# "Name": "pathtraversal-url-001" +# }, +# { +# "Name": "rails-header-001" +# }, +# { +# "Name": "sqli-body-001" +# }, +# { +# "Name": "sqli-body-002" +# }, +# { +# "Name": "sqli-qs-001" +# }, +# { +# "Name": "sqli-qs-002" +# }, +# { +# "Name": "sqli-url-001" +# }, +# { +# "Name": "ssrf-multi-001" +# }, +# { +# "Name": "struts-multi-001" +# }, +# { +# "Name": "struts-multi-002" +# }, +# { +# "Name": "struts-multi-003" +# }, +# { +# "Name": "suspicious_access-url-001" +# }, +# { +# "Name": "tomcat-multi-001" +# }, +# { +# "Name": "xss-body-001" +# }, +# { +# "Name": "xss-qs-001" +# }, +# { +# "Name": "xxe-ssci-body-001" +# }, +# { +# "Name": "xxe-ssci-qs-001" +# } +# ] +# } +# }, +# "OverrideAction": { +# "None": {} +# }, +# "VisibilityConfig": { +# "SampledRequestsEnabled": true, +# "CloudWatchMetricsEnabled": true, +# "MetricName": "CyberSecurityCloudInc-CyberSecurityCloud-HighSecurityOWASPSet-" +# } +#} 
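Review bot: This task file is entirely comments, yet `create_acl.yml` includes it whenever `_acl.rules.cyber_sec` is defined, so a user who sets that key gets no rule and no warning (a file with no tasks is a silent no-op for `include_tasks`). Until it is implemented, make the gap explicit with one task: `- name: CyberSecurityCloud rule is not implemented yet.` / `  ansible.builtin.fail:` / `    msg: "rules.cyber_sec is not supported by this role version"`. When it is implemented, the captured `ExcludedRules` list should not be carried over verbatim: it excludes essentially every detection in the group (sqli, xss, pathtraversal, oscommandi, ssrf, xxe, …), which leaves the managed rule group doing almost nothing, so exclusions should be an explicit per-site list taken from `rules.cyber_sec` rather than a baked-in default.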
diff --git a/roles/aws/aws_acl/tasks/increase_priority.yml b/roles/aws/aws_acl/tasks/increase_priority.yml new file mode 100644 index 000000000..1d305ab25 --- /dev/null +++ b/roles/aws/aws_acl/tasks/increase_priority.yml @@ -0,0 +1,11 @@ +- name: Increase counter + ansible.builtin.set_fact: + _priority: "{{ _priority | default(0) | int + 1 }}" + +- name: Set dict string + ansible.builtin.set_fact: + _priority_dict_string: "{ priority: {{ _priority }} }" + +- name: Set dict + ansible.builtin.set_fact: + _priority_dict: "{{ _priority_dict_string | from_yaml }}" diff --git a/roles/aws/aws_acl/tasks/ip_sets.yml b/roles/aws/aws_acl/tasks/ip_sets.yml new file mode 100644 index 000000000..d4ba9b345 --- /dev/null +++ b/roles/aws/aws_acl/tasks/ip_sets.yml @@ -0,0 +1,39 @@ +--- +- name: Create IP set for WAF. + community.aws.wafv2_ip_set: + name: "{{ _ip_set.name }}" + state: present + description: Set of blocked IPs + scope: "{{ _acl.scope }}" + region: "{{ _acl.region }}" + ip_address_version: IPV4 + addresses: "{{ _ip_set.list }}" + register: _ip_set_info + +- name: Set action string + ansible.builtin.set_fact: + _action: "{ {{ _ip_set.action }}: {} }" + +- name: Create IP block rule. + ansible.builtin.set_fact: + ip_block_rule: + name: "{{ _ip_set.name }}" + action: "{{ _action | from_yaml }}" + visibility_config: + sampled_requests_enabled: true + cloud_watch_metrics_enabled: true + metric_name: "{{ _ip_set.name }}" + statement: + ip_set_reference_statement: + arn: "{{ _ip_set_info.arn }}" + +- name: Append priority to rule. + ansible.builtin.set_fact: + ip_block_rule: "{{ ip_block_rule | combine(_priority_dict) }}" + +- name: Add rule to list. + ansible.builtin.set_fact: + _rules: "{{ _rules + [ip_block_rule] }}" + +- name: Increase priority. + ansible.builtin.include_tasks: increase_priority.yml diff --git a/roles/aws/aws_acl/tasks/main.yml b/roles/aws/aws_acl/tasks/main.yml index 789765587..d432c1d82 100644 --- a/roles/aws/aws_acl/tasks/main.yml 
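Review bot: The three-task string-then-`from_yaml` dance exists only to get an integer `priority` into a dict; `set_fact` can produce that in one step, `_priority_dict: "{{ {'priority': _priority | int} }}"`, which is the same templated-mapping construct the callers already rely on through `combine(_priority_dict)` and drops `_priority_dict_string` from the fact namespace. `_priority` itself comes back as a string from the first task in the default (non-native) Jinja mode — harmless because every consumer re-casts with `| int`, but a one-line comment saying so would save the next reader the puzzle the rate-limit workaround comment in `create_acl.yml` hints at. The file also lacks the leading `---` that the other new task files in this patch add.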
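Review bot: `description: Set of blocked IPs` was carried over from the old block-only task and is now written to allow sets as well, and the per-set `list | length > 0` guard the old code had is gone, so with the shipped defaults (both example sets have `list: []`) the play will try to create two empty IP sets and two rules that can never match. Restore the guard on the include in `create_acl.yml` (`when: _ip_set.list | length > 0`, the loop var is in scope there) and derive the text: `description: "Set of {{ _ip_set.action }}ed IPs for {{ _acl.name }}"`. `ip_address_version: IPV4` stays fixed, so an IPv6 CIDR in `list` is refused by the API; `ip_address_version: "{{ _ip_set.ip_version | default('IPV4') }}"` would be a cheap extension. `_ip_set.action` is also interpolated unvalidated into a YAML fragment, so a typo such as `alow` only surfaces at ACL creation — an `ansible.builtin.assert` limiting it to `allow`/`block`/`count` fails earlier and clearer.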
+++ b/roles/aws/aws_acl/tasks/main.yml @@ -1,21 +1,11 @@ -- name: Define and set _acl_list to true. - ansible.builtin.set_fact: - _acl_list: true - -- name: Change _acl_list to false if aws_acl is dict. - ansible.builtin.set_fact: - _acl_list: false - when: aws_acl | type_debug == 'dict' - +--- - name: Create ACLs when list is passed. ansible.builtin.include_tasks: create_acl.yml - when: - - _acl_list - loop: "{{ aws_acl }}" + when: aws_acl | type_debug == 'list' + loop: "{{ aws_acl | list }}" loop_control: loop_var: _acl - name: Set ACL to CF/ALB. ansible.builtin.include_tasks: set_acl.yml - when: - - not _acl_list + when: aws_acl | type_debug == 'dict' diff --git a/roles/aws/aws_acl/tasks/regular_rule.yml b/roles/aws/aws_acl/tasks/regular_rule.yml new file mode 100644 index 000000000..f0a4ded0b --- /dev/null +++ b/roles/aws/aws_acl/tasks/regular_rule.yml @@ -0,0 +1,34 @@ +--- +- name: Set action string + ansible.builtin.set_fact: + _action: "{ {{ _reg_rule.action }}: {} }" + +- name: Create regular rule + ansible.builtin.set_fact: + regular_rule: + name: "{{ _reg_rule.name }}" + action: "{{ _action | from_yaml }}" + visibility_config: + sampled_requests_enabled: true + cloud_watch_metrics_enabled: true + metric_name: "{{ _reg_rule.name }}" + statement: + byte_match_statement: + field_to_match: + uri_path: {} + positional_constraint: "{{ _reg_rule.position }}" + search_string: "{{ _reg_rule.string }}" + text_transformations: + - type: "NONE" + priority: 0 + +- name: Append priority to rule. + ansible.builtin.set_fact: + regular_rule: "{{ regular_rule | combine(_priority_dict) }}" + +- name: Add rule to list + ansible.builtin.set_fact: + _rules: "{{ _rules + [regular_rule] }}" + +- name: Increase priority. + ansible.builtin.include_tasks: increase_priority.yml diff --git a/roles/aws/aws_acl/tasks/set_acl.yml b/roles/aws/aws_acl/tasks/set_acl.yml index a00143413..3ea9077b1 100644 --- a/roles/aws/aws_acl/tasks/set_acl.yml +++ b/roles/aws/aws_acl/tasks/set_acl.yml 
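Review bot: When `aws_acl` is unset or of any type other than list or dict, both tasks are skipped and the role finishes silently as if it had succeeded. A leading `ansible.builtin.assert` with `that: aws_acl | type_debug in ['list', 'dict']` and a `fail_msg` spelling out the two accepted shapes (a list creates ACLs, a dict attaches one) turns that into a clear failure and is the only in-code statement of the dual-mode contract, which is otherwise only implied by the task names.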
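Review bot: The `byte_match_statement` is fixed to `text_transformations: [{type: NONE, priority: 0}]` on `uri_path`, so matching is byte-exact on the raw path; that is the safe direction for an `allow` rule, but a `block` rule built through this same task can be sidestepped with URL-encoded or differently-cased variants of the path. Make the transformations configurable with the current behaviour as default, `text_transformations: "{{ _reg_rule.transformations | default([{'type': 'NONE', 'priority': 0}]) }}"`, and note in the README that block rules should use `URL_DECODE`/`LOWERCASE`. As in `ip_sets.yml`, `_reg_rule.action` is interpolated unvalidated into a YAML string, so a short assert on `allow`/`block`/`count` would catch typos before the API does; the accepted `position` values (`EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`) also deserve a comment next to the example in defaults.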
@@ -1,13 +1,15 @@ -- name: Create web acl. +--- +- name: Find created web acl. community.aws.wafv2_web_acl_info: name: "{{ aws_acl.name }}" scope: "{{ aws_acl.scope }}" + region: "{{ aws_acl.region }}" register: _created_acl - name: Add WAF to ALB. community.aws.wafv2_resources: name: "{{ aws_acl.name }}" - scope: REGIONAL + scope: REGIONAL # WAF for ALBs are regional only state: present region: "{{ _aws_region }}" arn: "{{ _aws_ec2_elb.load_balancer_arn }}" diff --git a/roles/aws/aws_acl/templates/rate_limit.j2 b/roles/aws/aws_acl/templates/rate_limit.j2 new file mode 100644 index 000000000..410b0026f --- /dev/null +++ b/roles/aws/aws_acl/templates/rate_limit.j2 @@ -0,0 +1 @@ +{ limit: {{ _acl.rules.rate_limit }}, aggregate_key_type: IP } From 3b0874b3d4eb58328d7815f981e1313d6ed88358 Mon Sep 17 00:00:00 2001 
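Review bot: The lookup now runs in `aws_acl.region`, but the `wafv2_resources` association below it still uses `region: "{{ _aws_region }}"` with a hard-coded `REGIONAL` scope, so the ACL found by 'Find created web acl.' and the one attached to the ALB can differ if the two variables diverge; any `when` on the attach task is outside the hunk. Assert the two regions are equal before associating (a REGIONAL ACL can only be attached to an ALB in its own region), and use `_created_acl` — registered here but not referenced in the visible lines — to fail with a clear message when the ACL does not exist instead of letting `wafv2_resources` error out. The dict-mode contract (REGIONAL for ALBs, CLOUDFRONT for distributions) is better stated once in the README than as the inline `# WAF for ALBs are regional only` comment.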
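Review bot: `aggregate_key_type: IP` aggregates on the source address of the connection WAF sees, so for a REGIONAL ACL on an ALB that sits behind CloudFront or another proxy — a layout this role explicitly supports — all clients share the proxy's address and the limit throttles the proxy rather than the abusive client. Let the caller choose with the current value as default, `{ limit: {{ _acl.rules.rate_limit }}, aggregate_key_type: {{ _acl.rules.rate_limit_key | default('IP') }} }`, and when `FORWARDED_IP` is selected also emit `forwarded_ip_config: { header_name: X-Forwarded-For, fallback_behavior: MATCH }`. AWS also enforces a documented lower bound on `limit`, so a small `rate_limit` only fails at ACL creation; an assert against that minimum next to the `rate_limit > 0` check in `create_acl.yml` would surface it earlier.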
From: Matej Stajduhar <matej.stajduhar@codeenigma.com> Date: Mon, 20 May 2024 11:19:17 +0200 Subject: [PATCH 2/2] Fixing-jinja-linting --- roles/aws/_aws_network_info/tasks/subnet.yml | 2 +- roles/aws/aws_efs/tasks/subnet.yml | 2 +- roles/aws/aws_efs/tasks/target.yml | 2 +- roles/aws/aws_elb/tasks/main.yml | 2 +- roles/aws/aws_elb/tasks/subnet.yml | 2 +- roles/aws/aws_elb/tasks/target_group_instances.yml | 2 +- roles/aws/aws_iam_role/tasks/main.yml | 2 +- roles/aws/aws_rds/tasks/main.yml | 8 ++++---- roles/aws/aws_s3_bucket/tasks/main.yml | 4 ++-- roles/aws/aws_security_groups/tasks/main.yml | 2 +- roles/aws/aws_vpc/tasks/main.yml | 2 +- roles/aws/aws_vpc/tasks/security_group.yml | 2 +- roles/aws/aws_vpc_route/tasks/route.yml | 2 +- roles/aws/aws_vpc_route/tasks/subnet.yml | 4 ++-- roles/aws/aws_vpc_route/tasks/vpc.yml | 4 ++-- roles/aws/aws_vpc_subnet/tasks/gateway.ipv4.nat.yml | 4 ++-- roles/aws/aws_vpc_subnet/tasks/subnet.yml | 4 ++-- roles/debian/ansible/tasks/main.yml | 2 +- roles/debian/apt_repository/tasks/main.yml | 2 +- roles/debian/ce_deploy/tasks/main.yml | 4 ++-- roles/debian/ce_provision/tasks/main.yml | 4 ++-- roles/debian/clamav/tasks/main.yml | 2 +- roles/debian/docker_ce/tasks/main.yml | 2 +- roles/debian/gitlab/tasks/main.yml | 4 ++-- roles/debian/gitlab_runner/tasks/main.yml | 2 +- roles/debian/mysql_server_oracle_ce/tasks/main.yml | 2 +- roles/debian/nginx/defaults/main.yml | 2 +- roles/debian/nodejs/tasks/main.yml | 2 +- roles/debian/php-common/tasks/main.yml | 2 +- roles/debian/python_boto/tasks/main.yml | 2 +- roles/debian/ssl/tasks/letsencrypt.yml | 4 ++-- roles/debian/ssl/tasks/main.yml | 2 +- roles/debian/ssl/tasks/manual.yml | 2 +- roles/debian/ssl/tasks/selfsigned.yml | 2 +- roles/debian/ssl/tasks/unmanaged.yml | 2 +- roles/debian/varnish_config/tasks/main.yml | 4 ++-- 36 files changed, 49 insertions(+), 49 deletions(-) 
diff --git a/roles/aws/_aws_network_info/tasks/subnet.yml b/roles/aws/_aws_network_info/tasks/subnet.yml index beaa03606..68b8a3610 100644 --- a/roles/aws/_aws_network_info/tasks/subnet.yml +++ b/roles/aws/_aws_network_info/tasks/subnet.yml @@ -9,4 +9,4 @@ - name: Add public subnet to the list. ansible.builtin.set_fact: - _aws_ecs_cluster_public_subnets_ids: "{{ _aws_ecs_cluster_public_subnets_ids + [ _aws_ecs_cluster_public_subnet.subnets[0].subnet_id ] }}" + _aws_ecs_cluster_public_subnets_ids: "{{ _aws_ecs_cluster_public_subnets_ids + [_aws_ecs_cluster_public_subnet.subnets[0].subnet_id] }}" diff --git a/roles/aws/aws_efs/tasks/subnet.yml b/roles/aws/aws_efs/tasks/subnet.yml index 5daa24026..ca7eae818 100644 --- a/roles/aws/aws_efs/tasks/subnet.yml +++ b/roles/aws/aws_efs/tasks/subnet.yml @@ -9,4 +9,4 @@ - name: Add subnet id to the ids list. ansible.builtin.set_fact: - _aws_efs_subnets_ids: "{{ _aws_efs_subnets_ids + [ _aws_efs_subnet.subnets[0].subnet_id ] }}" + _aws_efs_subnets_ids: "{{ _aws_efs_subnets_ids + [_aws_efs_subnet.subnets[0].subnet_id] }}" diff --git a/roles/aws/aws_efs/tasks/target.yml b/roles/aws/aws_efs/tasks/target.yml index 117b9161f..5262e1f07 100644 --- a/roles/aws/aws_efs/tasks/target.yml +++ b/roles/aws/aws_efs/tasks/target.yml @@ -2,4 +2,4 @@ # _aws_security_group_list variable populated by the aws_security_groups role. - name: Add subnet to the list of EFS targets. ansible.builtin.set_fact: - _aws_efs_targets: "{{ _aws_efs_targets | combine({target: {'subnet_id': target, 'security_groups': _aws_security_group_list }}) }}" + _aws_efs_targets: "{{ _aws_efs_targets | combine({target: {'subnet_id': target, 'security_groups': _aws_security_group_list}}) }}" diff --git a/roles/aws/aws_elb/tasks/main.yml b/roles/aws/aws_elb/tasks/main.yml index 59443e1b3..39286bf35 100644 --- a/roles/aws/aws_elb/tasks/main.yml +++ b/roles/aws/aws_elb/tasks/main.yml 
@@ -99,7 +99,7 @@ - name: Add HTTPS Listener. ansible.builtin.set_fact: - _aws_ec2_listeners: "{{ [ _aws_ec2_listeners_redirect, _aws_ec2_listeners_https ] }}" + _aws_ec2_listeners: "{{ [_aws_ec2_listeners_redirect, _aws_ec2_listeners_https] }}" when: _ssl_certificate_ARN | length > 1 - name: Add custom Listeners. diff --git a/roles/aws/aws_elb/tasks/subnet.yml b/roles/aws/aws_elb/tasks/subnet.yml index 102a0417a..bc2f0b63b 100644 --- a/roles/aws/aws_elb/tasks/subnet.yml +++ b/roles/aws/aws_elb/tasks/subnet.yml @@ -9,4 +9,4 @@ - name: Add public subnet to the list. ansible.builtin.set_fact: - _aws_ec2_elb_public_subnets_ids: "{{ _aws_ec2_elb_public_subnets_ids + [ _aws_ec2_elb_public_subnet.subnets[0].subnet_id ] }}" + _aws_ec2_elb_public_subnets_ids: "{{ _aws_ec2_elb_public_subnets_ids + [_aws_ec2_elb_public_subnet.subnets[0].subnet_id] }}" diff --git a/roles/aws/aws_elb/tasks/target_group_instances.yml b/roles/aws/aws_elb/tasks/target_group_instances.yml index cf2aed0b1..50e066af8 100644 --- a/roles/aws/aws_elb/tasks/target_group_instances.yml +++ b/roles/aws/aws_elb/tasks/target_group_instances.yml @@ -9,4 +9,4 @@ - name: Add instance to target group list. ansible.builtin.set_fact: - _targets: "{{ _targets + [ {'Id': _aws_ec2_target_group_instance.instances[0].instance_id, 'Port': target_group.targets_port} ] }}" + _targets: "{{ _targets + [{'Id': _aws_ec2_target_group_instance.instances[0].instance_id, 'Port': target_group.targets_port}] }}" diff --git a/roles/aws/aws_iam_role/tasks/main.yml b/roles/aws/aws_iam_role/tasks/main.yml index e82a47acb..2c2973e93 100644 --- a/roles/aws/aws_iam_role/tasks/main.yml +++ b/roles/aws/aws_iam_role/tasks/main.yml @@ -12,4 +12,4 @@ - name: Register aws_iam_role results. ansible.builtin.set_fact: - aws_iam_role: "{{ aws_iam_role | combine( { '_result': { aws_iam_role.name : _aws_iam_role_result } } ) }}" + aws_iam_role: "{{ aws_iam_role | combine({'_result': { aws_iam_role.name : _aws_iam_role_result}}) }}" 
diff --git a/roles/aws/aws_rds/tasks/main.yml b/roles/aws/aws_rds/tasks/main.yml index bac008c02..bf4720f5e 100644 --- a/roles/aws/aws_rds/tasks/main.yml +++ b/roles/aws/aws_rds/tasks/main.yml @@ -34,7 +34,7 @@ copy_tags_to_snapshot: true publicly_accessible: "{{ aws_rds.publicly_accessible }}" profile: "{{ aws_rds.aws_profile }}" - tags: "{{ aws_rds.tags | combine({ 'Name': aws_rds.name + '-' + aws_rds.aurora_suffix }) }}" + tags: "{{ aws_rds.tags | combine({'Name': aws_rds.name + '-' + aws_rds.aurora_suffix}) }}" allow_major_version_upgrade: false apply_immediately: true wait: true @@ -54,7 +54,7 @@ copy_tags_to_snapshot: true publicly_accessible: "{{ aws_rds.publicly_accessible }}" profile: "{{ aws_rds.aws_profile }}" - tags: "{{ aws_rds.tags | combine({ 'Name': aws_rds.name + '-' + aws_rds.aurora_reader_suffix }) }}" + tags: "{{ aws_rds.tags | combine({'Name': aws_rds.name + '-' + aws_rds.aurora_reader_suffix}) }}" allow_major_version_upgrade: false apply_immediately: true wait: true @@ -103,7 +103,7 @@ preferred_maintenance_window: "{{ aws_rds.preferred_maintenance_window | default(omit) }}" allow_major_version_upgrade: "{{ aws_rds.allow_major_version_upgrade }}" auto_minor_version_upgrade: "{{ aws_rds.auto_minor_version_upgrade | default(omit) }}" - tags: "{{ aws_rds.tags | combine({ 'Name': aws_rds.name }) }}" + tags: "{{ aws_rds.tags | combine({'Name': aws_rds.name}) }}" state: "{{ aws_rds.state }}" apply_immediately: true wait: true @@ -199,7 +199,7 @@ - name: Add instance info. ansible.builtin.set_fact: - aws_rds_facts: "{{ aws_rds_facts | combine( {aws_rds.name: _rds_instance_info} ) }}" + aws_rds_facts: "{{ aws_rds_facts | combine({aws_rds.name: _rds_instance_info}) }}" - name: Assign resource to backup plan. ansible.builtin.include_role: diff --git a/roles/aws/aws_s3_bucket/tasks/main.yml b/roles/aws/aws_s3_bucket/tasks/main.yml index d5ae0ce71..8abcffa76 100644 --- a/roles/aws/aws_s3_bucket/tasks/main.yml +++ b/roles/aws/aws_s3_bucket/tasks/main.yml 
@@ -3,7 +3,7 @@ profile: "{{ aws_s3_bucket.aws_profile }}" region: "{{ aws_s3_bucket.region }}" name: "{{ aws_s3_bucket.name }}" - tags: "{{ aws_s3_bucket.tags | combine( { 'Name': aws_s3_bucket.name } ) }}" + tags: "{{ aws_s3_bucket.tags | combine({'Name': aws_s3_bucket.name}) }}" state: present register: _aws_s3_bucket_bucket @@ -24,4 +24,4 @@ - name: Register aws_s3_bucket results. ansible.builtin.set_fact: - aws_s3_bucket: "{{ aws_s3_bucket | combine( { '_result': { aws_s3_bucket.name : { 'bucket': _aws_s3_bucket_bucket, 'policy': _aws_s3_bucket_bucket_policy } } } ) }}" + aws_s3_bucket: "{{ aws_s3_bucket | combine({'_result': {aws_s3_bucket.name: {'bucket': _aws_s3_bucket_bucket, 'policy': _aws_s3_bucket_bucket_policy}}}) }}" diff --git a/roles/aws/aws_security_groups/tasks/main.yml b/roles/aws/aws_security_groups/tasks/main.yml index 1076d586f..c356e05a6 100644 --- a/roles/aws/aws_security_groups/tasks/main.yml +++ b/roles/aws/aws_security_groups/tasks/main.yml @@ -16,7 +16,7 @@ - name: Create list of security group IDs. ansible.builtin.set_fact: - _aws_security_group_ids: "{{ _aws_security_group_ids + [ item.group_id ] }}" + _aws_security_group_ids: "{{ _aws_security_group_ids + [item.group_id] }}" with_items: "{{ _aws_security_groups.security_groups }}" - name: Set return variable to SG names. diff --git a/roles/aws/aws_vpc/tasks/main.yml b/roles/aws/aws_vpc/tasks/main.yml index 40a4b899a..b800f039e 100644 --- a/roles/aws/aws_vpc/tasks/main.yml +++ b/roles/aws/aws_vpc/tasks/main.yml @@ -33,7 +33,7 @@ region: "{{ aws_vpc.region }}" vpc_id: "{{ _aws_vpc_vpc.vpc.id }}" state: present - tags: "{{ aws_vpc.tags | combine({ 'Name': aws_vpc.name }) }}" + tags: "{{ aws_vpc.tags | combine({'Name': aws_vpc.name}) }}" register: _aws_vpc_gateway - name: Update Main route table. diff --git a/roles/aws/aws_vpc/tasks/security_group.yml b/roles/aws/aws_vpc/tasks/security_group.yml index d86ca9463..0c63b1063 100644 --- a/roles/aws/aws_vpc/tasks/security_group.yml 
+++ b/roles/aws/aws_vpc/tasks/security_group.yml @@ -3,7 +3,7 @@ name: "{{ security_group.name }}" profile: "{{ aws_vpc.aws_profile }}" region: "{{ aws_vpc.region }}" - tags: "{{ aws_vpc.tags | combine({ 'Name': security_group.name }) }}" + tags: "{{ aws_vpc.tags | combine({'Name': security_group.name}) }}" state: "{{ aws_vpc.state }}" vpc_id: "{{ _aws_vpc_vpc.vpc.id }}" description: "{{ security_group.description }}" diff --git a/roles/aws/aws_vpc_route/tasks/route.yml b/roles/aws/aws_vpc_route/tasks/route.yml index e353623af..b54349ac7 100644 --- a/roles/aws/aws_vpc_route/tasks/route.yml +++ b/roles/aws/aws_vpc_route/tasks/route.yml @@ -13,5 +13,5 @@ - name: Add route to the list. ansible.builtin.set_fact: - _aws_vpc_route_routes: "{{ _aws_vpc_route_routes | combine( { _aws_vpc_route_route.dest: _aws_vpc_route_route } ) }}" + _aws_vpc_route_routes: "{{ _aws_vpc_route_routes | combine({_aws_vpc_route_route.dest: _aws_vpc_route_route}) }}" when: ( route.gateway_id is undefined or route.gateway_id != 'local' ) diff --git a/roles/aws/aws_vpc_route/tasks/subnet.yml b/roles/aws/aws_vpc_route/tasks/subnet.yml index 051396b1f..c905ae540 100644 --- a/roles/aws/aws_vpc_route/tasks/subnet.yml +++ b/roles/aws/aws_vpc_route/tasks/subnet.yml @@ -21,14 +21,14 @@ - name: Add/replace subnets CIDR block routes. ansible.builtin.set_fact: - _aws_vpc_route_routes: "{{ _aws_vpc_route_routes | combine( { new_route.dest: new_route } ) }}" + _aws_vpc_route_routes: "{{ _aws_vpc_route_routes | combine({new_route.dest: new_route}) }}" with_items: "{{ aws_vpc_route.routes }}" loop_control: loop_var: new_route - name: Construct final routes list. ansible.builtin.set_fact: - _aws_vpc_route_new_routes: "{{ _aws_vpc_route_new_routes + [ item.value ] }}" + _aws_vpc_route_new_routes: "{{ _aws_vpc_route_new_routes + [item.value] }}" with_items: "{{ _aws_vpc_route_routes | dict2items() }}" - name: Create new route table. 
diff --git a/roles/aws/aws_vpc_route/tasks/vpc.yml b/roles/aws/aws_vpc_route/tasks/vpc.yml index c6a1ca8c3..bd14e4d66 100644 --- a/roles/aws/aws_vpc_route/tasks/vpc.yml +++ b/roles/aws/aws_vpc_route/tasks/vpc.yml @@ -20,14 +20,14 @@ - name: Add/replace subnets CIDR block routes. ansible.builtin.set_fact: - _aws_vpc_route_routes: "{{ _aws_vpc_route_routes | combine( { new_route.dest: new_route } ) }}" + _aws_vpc_route_routes: "{{ _aws_vpc_route_routes | combine({new_route.dest: new_route}) }}" with_items: "{{ aws_vpc_route.routes }}" loop_control: loop_var: new_route - name: Construct final routes list. ansible.builtin.set_fact: - _aws_vpc_route_new_routes: "{{ _aws_vpc_route_new_routes + [ item.value ] }}" + _aws_vpc_route_new_routes: "{{ _aws_vpc_route_new_routes + [item.value] }}" with_items: "{{ _aws_vpc_route_routes | dict2items() }}" - name: Add routes to route table. diff --git a/roles/aws/aws_vpc_subnet/tasks/gateway.ipv4.nat.yml b/roles/aws/aws_vpc_subnet/tasks/gateway.ipv4.nat.yml index 651692b68..d00bf8daf 100644 --- a/roles/aws/aws_vpc_subnet/tasks/gateway.ipv4.nat.yml +++ b/roles/aws/aws_vpc_subnet/tasks/gateway.ipv4.nat.yml @@ -12,7 +12,7 @@ amazon.aws.ec2_vpc_nat_gateway: profile: "{{ aws_vpc_subnet.aws_profile }}" region: "{{ aws_vpc_subnet.region }}" - tags: "{{ aws_vpc_subnet.tags | combine({ 'Name': subnet.name }) }}" + tags: "{{ aws_vpc_subnet.tags | combine({'Name': subnet.name}) }}" subnet_id: "{{ _aws_vpc_subnet_subnet.subnet.id }}" wait: true allocation_id: "{{ _aws_vpc_subnet_eip.addresses[0].allocation_id | default(omit) }}" @@ -22,6 +22,6 @@ - name: Ensure EIP is tagged properly. amazon.aws.ec2_tag: resource: "{{ _aws_vpc_subnet_gateway.nat_gateway_addresses[0].allocation_id }}" - tags: "{{ aws_vpc_subnet.tags | combine({ 'Name': subnet.name }) }}" + tags: "{{ aws_vpc_subnet.tags | combine({'Name': subnet.name}) }}" profile: "{{ aws_vpc_subnet.aws_profile }}" region: "{{ aws_vpc_subnet.region }}" 
diff --git a/roles/aws/aws_vpc_subnet/tasks/subnet.yml b/roles/aws/aws_vpc_subnet/tasks/subnet.yml index f486d1f17..53bc94f4b 100644 --- a/roles/aws/aws_vpc_subnet/tasks/subnet.yml +++ b/roles/aws/aws_vpc_subnet/tasks/subnet.yml @@ -22,7 +22,7 @@ cidr: "{{ subnet.cidr_block }}" ipv6_cidr: "{{ _ipv6_subnet_cidr if subnet.ipv6_cidr_block is defined and subnet.ipv6_cidr_block | length > 0 else '' }}" region: "{{ aws_vpc_subnet.region }}" - tags: "{{ aws_vpc_subnet.tags | combine( { 'Name': subnet.name } ) }}" + tags: "{{ aws_vpc_subnet.tags | combine({'Name': subnet.name}) }}" az: "{{ aws_vpc_subnet.region }}{{ subnet.az }}" state: "{{ aws_vpc_subnet.state }}" vpc_id: "{{ _aws_vpc_subnet_vpc_id }}" @@ -38,7 +38,7 @@ name: "{{ subnet.name }}" profile: "{{ aws_vpc_subnet.aws_profile }}" region: "{{ aws_vpc_subnet.region }}" - tags: "{{ aws_vpc_subnet.tags | combine( { 'Name': subnet.name } ) }}" + tags: "{{ aws_vpc_subnet.tags | combine({'Name': subnet.name}) }}" state: "{{ aws_vpc_subnet.state }}" vpc_id: "{{ _aws_vpc_subnet_vpc_id }}" description: "Allow internal traffic for subnet {{ subnet.name }}" diff --git a/roles/debian/ansible/tasks/main.yml b/roles/debian/ansible/tasks/main.yml index 55ddd724d..e94c9eaaf 100644 --- a/roles/debian/ansible/tasks/main.yml +++ b/roles/debian/ansible/tasks/main.yml @@ -68,7 +68,7 @@ - name: Turn the timer string into a dictionary. ansible.builtin.set_fact: - _timer: "{{ _timer.splitlines()|map('from_yaml')|list }}" + _timer: "{{ _timer.splitlines() | map('from_yaml') | list }}" - name: Create systemd timer to upgrade Ansible. ansible.builtin.include_role: diff --git a/roles/debian/apt_repository/tasks/main.yml b/roles/debian/apt_repository/tasks/main.yml index 5d78f0853..df016422b 100644 --- a/roles/debian/apt_repository/tasks/main.yml +++ b/roles/debian/apt_repository/tasks/main.yml 
@@ -81,7 +81,7 @@
 
 - name: Turn the timer string into a dictionary.
   ansible.builtin.set_fact:
-    _apt_repo_timer: "{{ _apt_repo_timer.splitlines()|map('from_yaml')|list }}"
+    _apt_repo_timer: "{{ _apt_repo_timer.splitlines() | map('from_yaml') | list }}"
 
 - name: Set up a systemd timer to refresh APT repository key.
   ansible.builtin.include_role:
diff --git a/roles/debian/ce_deploy/tasks/main.yml b/roles/debian/ce_deploy/tasks/main.yml
index fa94e8eaa..05611bf13 100644
--- a/roles/debian/ce_deploy/tasks/main.yml
+++ b/roles/debian/ce_deploy/tasks/main.yml
@@ -46,7 +46,7 @@
   ansible.builtin.git:
     repo: "{{ ce_deploy.own_repository | default('https://github.com/codeenigma/ce-deploy.git') }}"
     dest: "{{ ce_deploy.local_dir }}"
-    version: "{{ ce_deploy.own_repository_branch | default('master') }}"
+    version: "{{ ce_deploy.own_repository_branch | default('master') }}"
     update: true
     accept_hostkey: true
   become: true
@@ -57,7 +57,7 @@
     repo: "{{ ce_deploy.config_repository }}"
     accept_hostkey: true
     dest: "{{ _ce_provision_build_tmp_dir }}/config"
-    version: "{{ ce_deploy.config_repository_branch | default('master') }}"
+    version: "{{ ce_deploy.config_repository_branch | default('master') }}"
   become: false
   delegate_to: localhost
   when: ce_deploy.config_repository is defined and ce_deploy.config_repository
diff --git a/roles/debian/ce_provision/tasks/main.yml b/roles/debian/ce_provision/tasks/main.yml
index 56c0b59b7..e1d35126e 100644
--- a/roles/debian/ce_provision/tasks/main.yml
+++ b/roles/debian/ce_provision/tasks/main.yml
@@ -84,7 +84,7 @@
   ansible.builtin.git:
     repo: "{{ ce_provision.own_repository | default('https://github.com/codeenigma/ce-provision.git') }}"
     dest: "{{ ce_provision.local_dir }}"
-    version: "{{ ce_provision.own_repository_branch | default('master') }}"
+    version: "{{ ce_provision.own_repository_branch | default('master') }}"
     update: true
     accept_hostkey: true #@todo?
   become: true
@@ -97,7 +97,7 @@
     repo: "{{ ce_provision.config_repository }}"
     accept_hostkey: true
     dest: "{{ ce_provision.local_dir }}/config"
-    version: "{{ ce_provision.config_repository_branch | default('master') }}"
+    version: "{{ ce_provision.config_repository_branch | default('master') }}"
   become: true
   become_user: "{{ ce_provision.username }}"
   when:
diff --git a/roles/debian/clamav/tasks/main.yml b/roles/debian/clamav/tasks/main.yml
index 02e643781..eeaf31013 100644
--- a/roles/debian/clamav/tasks/main.yml
+++ b/roles/debian/clamav/tasks/main.yml
@@ -25,7 +25,7 @@
 
 - name: Build a dictionary of timers for the systemd timers role.
   ansible.builtin.set_fact:
-    _clamav_timers: "{{ _clamav_timers | default({}) | combine( item ) }}"
+    _clamav_timers: "{{ _clamav_timers | default({}) | combine(item) }}"
   with_items: "{{ clamav.timers }}"
   when: clamav.timers | length > 0
 
diff --git a/roles/debian/docker_ce/tasks/main.yml b/roles/debian/docker_ce/tasks/main.yml
index c189679a3..5a661682f 100644
--- a/roles/debian/docker_ce/tasks/main.yml
+++ b/roles/debian/docker_ce/tasks/main.yml
@@ -31,7 +31,7 @@
 
 - name: Add Docker repository to unattended-upgrades origins list.
   ansible.builtin.set_fact:
-    _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [ docker_ce.apt_origin ] }}"
+    _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [docker_ce.apt_origin] }}"
   when:
     - apt_unattended_upgrades.enable is defined
     - apt_unattended_upgrades.enable
diff --git a/roles/debian/gitlab/tasks/main.yml b/roles/debian/gitlab/tasks/main.yml
index 93efbb545..f98820592 100644
--- a/roles/debian/gitlab/tasks/main.yml
+++ b/roles/debian/gitlab/tasks/main.yml
@@ -52,7 +52,7 @@
 
 - name: Add GitLab repository to unattended-upgrades origins list.
   ansible.builtin.set_fact:
-    _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [ gitlab.apt_origin ] }}"
+    _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [gitlab.apt_origin] }}"
   when:
     - apt_unattended_upgrades.enable is defined
     - apt_unattended_upgrades.enable
@@ -75,7 +75,7 @@
     name: debian/ssl
   when: gitlab.ssl.enabled
   vars:
-    ssl: "{{ gitlab.ssl | combine( { 'domain': gitlab.server_name } ) }}"
+    ssl: "{{ gitlab.ssl | combine({'domain': gitlab.server_name}) }}"
 
 - name: Copy Gitlab configuration file.
   ansible.builtin.template:
diff --git a/roles/debian/gitlab_runner/tasks/main.yml b/roles/debian/gitlab_runner/tasks/main.yml
index 7c9c28dc7..745daadc9 100644
--- a/roles/debian/gitlab_runner/tasks/main.yml
+++ b/roles/debian/gitlab_runner/tasks/main.yml
@@ -22,7 +22,7 @@
 
 - name: Add GitLab Runner repository to unattended-upgrades origins list.
   ansible.builtin.set_fact:
-    _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [ gitlab_runner.apt_origin ] }}"
+    _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [gitlab_runner.apt_origin] }}"
   when:
     - apt_unattended_upgrades.enable is defined
     - apt_unattended_upgrades.enable
diff --git a/roles/debian/mysql_server_oracle_ce/tasks/main.yml b/roles/debian/mysql_server_oracle_ce/tasks/main.yml
index 72254acca..b427af88c 100644
--- a/roles/debian/mysql_server_oracle_ce/tasks/main.yml
+++ b/roles/debian/mysql_server_oracle_ce/tasks/main.yml
@@ -33,7 +33,7 @@
 
 - name: Add MySQL repository to unattended-upgrades origins list.
   ansible.builtin.set_fact:
-    _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [ mysql_server.apt_origin ] }}"
+    _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [mysql_server.apt_origin] }}"
   when:
     - apt_unattended_upgrades.enable is defined
     - apt_unattended_upgrades.enable
diff --git a/roles/debian/nginx/defaults/main.yml b/roles/debian/nginx/defaults/main.yml
index 445527bb0..5f6e7c7fe 100644
--- a/roles/debian/nginx/defaults/main.yml
+++ b/roles/debian/nginx/defaults/main.yml
@@ -51,7 +51,7 @@ nginx:
   # Main log stream for nginx (Cloudwatch).
   log_stream_name: example # We can only have one backend, due to the way we use "common" templates, moving this per domain means instead having templates per project type. # See php.fpm.unix_socket, if true use a socket here:
-  php_fastcgi_backend: "127.0.0.1:90{{ php.version[-1] | replace('.','') }}" # for unix socket use "unix:/var/run/php{{ php.version[-1] | replace('.','') }}-fpm.sock"
+  php_fastcgi_backend: "127.0.0.1:90{{ php.version[-1] | replace('.', '') }}" # for unix socket use "unix:/var/run/php{{ php.version[-1] | replace('.','') }}-fpm.sock"
   ratelimitingcrawlers: false
   client_max_body_size: "700M"
   fastcgi_read_timeout: 60
diff --git a/roles/debian/nodejs/tasks/main.yml b/roles/debian/nodejs/tasks/main.yml
index a71b5a6c9..027659df7 100644
--- a/roles/debian/nodejs/tasks/main.yml
+++ b/roles/debian/nodejs/tasks/main.yml
@@ -51,7 +51,7 @@
 
 - name: Add nodejs and yarn repositories to unattended-upgrades origins list.
   ansible.builtin.set_fact:
-    _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [ nodejs.apt_origin_nodejs, nodejs.apt_origin_yarn ] }}"
+    _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [nodejs.apt_origin_nodejs, nodejs.apt_origin_yarn] }}"
   when:
     - apt_unattended_upgrades.enable is defined
     - apt_unattended_upgrades.enable
diff --git a/roles/debian/php-common/tasks/main.yml b/roles/debian/php-common/tasks/main.yml
index f26f21bac..15ff896a6 100644
--- a/roles/debian/php-common/tasks/main.yml
+++ b/roles/debian/php-common/tasks/main.yml
@@ -30,7 +30,7 @@
 
 - name: Add Sury PHP repository to unattended-upgrades origins list.
   ansible.builtin.set_fact:
-    _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [ php.apt_origin ] }}"
+    _apt_unattended_upgrades_default_origins: "{{ _apt_unattended_upgrades_default_origins + [php.apt_origin] }}"
   when: apt_unattended_upgrades.enable
 
 - name: Install the unattended-upgrades config.
diff --git a/roles/debian/python_boto/tasks/main.yml b/roles/debian/python_boto/tasks/main.yml
index efa4d0153..282f8ef4a 100644
--- a/roles/debian/python_boto/tasks/main.yml
+++ b/roles/debian/python_boto/tasks/main.yml
@@ -5,7 +5,7 @@
 
 - name: Set specific boto3 version to install.
   ansible.builtin.set_fact:
-    _boto3_install_package: "boto3=={{ python_boto.boto3_version}}"
+    _boto3_install_package: "boto3=={{ python_boto.boto3_version }}"
   when:
     - python_boto.boto3_version | length > 0
 
diff --git a/roles/debian/ssl/tasks/letsencrypt.yml b/roles/debian/ssl/tasks/letsencrypt.yml
index c40faef68..96d38a867 100644
--- a/roles/debian/ssl/tasks/letsencrypt.yml
+++ b/roles/debian/ssl/tasks/letsencrypt.yml
@@ -7,7 +7,7 @@
 - name: Set LetsEncrypt variables.
   ansible.builtin.set_fact:
     _ssl_web_server: "{{ ssl.web_server | default('standalone') }}"
-    _ssl_services: "{{ ssl.services | default ([]) }}"
+    _ssl_services: "{{ ssl.services | default([]) }}"
 
 # @todo - add support for Route 53 DNS plugin
 - name: "Ensure certbot-{{ _ssl_web_server }} plugin is installed."
@@ -23,7 +23,7 @@
 
 - name: Add key/cert pairs to know paths information.
   ansible.builtin.set_fact:
-    ssl_facts: "{{ ssl_facts | combine({ certificate_domain: { 'domain': certificate_domain, 'certificate': _ssl_base_path + '/' + certificate_domain + '/fullchain.pem', 'key': _ssl_base_path + '/' + certificate_domain + '/privkey.pem' } }) }}"
+    ssl_facts: "{{ ssl_facts | combine({certificate_domain: {'domain': certificate_domain, 'certificate': _ssl_base_path + '/' + certificate_domain + '/fullchain.pem', 'key': _ssl_base_path + '/' + certificate_domain + '/privkey.pem'}}) }}"
   with_items: "{{ _ssl_domains }}"
   loop_control:
     loop_var: certificate_domain
diff --git a/roles/debian/ssl/tasks/main.yml b/roles/debian/ssl/tasks/main.yml
index 2b4f7bcc9..fa2abe07e 100644
--- a/roles/debian/ssl/tasks/main.yml
+++ b/roles/debian/ssl/tasks/main.yml
@@ -9,7 +9,7 @@
 - name: Catch legacy implementations with ssl.domain set. # @todo: this can be removed in a later release
   ansible.builtin.set_fact:
-    _ssl_domains: "{{ [ ssl.domain ] }}"
+    _ssl_domains: "{{ [ssl.domain] }}"
   when: ssl.domain is defined
 
 - name: Generates SSL keys.
diff --git a/roles/debian/ssl/tasks/manual.yml b/roles/debian/ssl/tasks/manual.yml
index 66d610450..aa2bd5f73 100644
--- a/roles/debian/ssl/tasks/manual.yml
+++ b/roles/debian/ssl/tasks/manual.yml
@@ -10,7 +10,7 @@
 
 - name: Add key/cert pairs to know paths information.
   ansible.builtin.set_fact:
-    ssl_facts: "{{ ssl_facts | combine({ certificate_domain: { 'domain': certificate_domain, 'certificate': _ssl_base_path + '/' + certificate_domain + '.cert', 'ca_certificate': _ssl_base_path + '/' + certificate_domain + '.CA.cert', 'key': _ssl_base_path + '/' + certificate_domain + '.key' } }) }}"
+    ssl_facts: "{{ ssl_facts | combine({certificate_domain: {'domain': certificate_domain, 'certificate': _ssl_base_path + '/' + certificate_domain + '.cert', 'ca_certificate': _ssl_base_path + '/' + certificate_domain + '.CA.cert', 'key': _ssl_base_path + '/' + certificate_domain + '.key'}}) }}"
   with_items: "{{ _ssl_domains }}"
   loop_control:
     loop_var: certificate_domain
diff --git a/roles/debian/ssl/tasks/selfsigned.yml b/roles/debian/ssl/tasks/selfsigned.yml
index aee133dd6..28508d0c7 100644
--- a/roles/debian/ssl/tasks/selfsigned.yml
+++ b/roles/debian/ssl/tasks/selfsigned.yml
@@ -10,7 +10,7 @@
 
 - name: Add key/cert pairs to know paths information.
   ansible.builtin.set_fact:
-    ssl_facts: "{{ ssl_facts | combine({ certificate_domain: { 'domain': certificate_domain, 'certificate': _ssl_base_path + '/' + certificate_domain + '.cert', 'key': _ssl_base_path + '/' + certificate_domain + '.key' } }) }}"
+    ssl_facts: "{{ ssl_facts | combine({certificate_domain: {'domain': certificate_domain, 'certificate': _ssl_base_path + '/' + certificate_domain + '.cert', 'key': _ssl_base_path + '/' + certificate_domain + '.key'}}) }}"
   with_items: "{{ _ssl_domains }}"
   loop_control:
     loop_var: certificate_domain
diff --git a/roles/debian/ssl/tasks/unmanaged.yml b/roles/debian/ssl/tasks/unmanaged.yml
index 37c55fb06..bad2a6833 100644
--- a/roles/debian/ssl/tasks/unmanaged.yml
+++ b/roles/debian/ssl/tasks/unmanaged.yml
@@ -1,7 +1,7 @@
 ---
 - name: Add key/cert pairs to know paths information.
   ansible.builtin.set_fact:
-    ssl_facts: "{{ ssl_facts | combine({ certificate_domain:{ 'certificate': ssl.cert, 'key': ssl.key } }) }}"
+    ssl_facts: "{{ ssl_facts | combine({certificate_domain: {'certificate': ssl.cert, 'key': ssl.key}}) }}"
   with_items: "{{ _ssl_domains }}"
   loop_control:
     loop_var: certificate_domain
diff --git a/roles/debian/varnish_config/tasks/main.yml b/roles/debian/varnish_config/tasks/main.yml
index 7f8929355..362d33824 100644
--- a/roles/debian/varnish_config/tasks/main.yml
+++ b/roles/debian/varnish_config/tasks/main.yml
@@ -11,5 +11,5 @@
     - "{{ _ce_provision_base_dir }}/config/files/templates/{{ varnish_config.template_filename }}.j2"
     - "default.vcl.j2"
   notify:
-    - reload systemd
-    - restart varnish
+    - Reload systemd
+    - Restart varnish