diff --git a/roles/_meta/aws_region/meta/main.yml b/roles/_meta/aws_region/meta/main.yml
index a11491c0e..0c13ab2e9 100644
--- a/roles/_meta/aws_region/meta/main.yml
+++ b/roles/_meta/aws_region/meta/main.yml
@@ -8,4 +8,4 @@ dependencies:
- role: aws/aws_cloudwatch_log_group
- role: aws/aws_backup
- role: aws/aws_backup_sns
- - role: aws/aws_admin_tools
+# - role: aws/aws_admin_tools
diff --git a/roles/aws/aws_backup_validation/tasks/main.yml b/roles/aws/aws_backup_validation/tasks/main.yml
index 37366f4b2..08b5f17e6 100644
--- a/roles/aws/aws_backup_validation/tasks/main.yml
+++ b/roles/aws/aws_backup_validation/tasks/main.yml
@@ -34,21 +34,21 @@
# ansible.builtin.set_fact:
# aws_lambda: "{{ aws_lambda | ansible.utils.remove_keys(target=['response_metadata', 'function_file']) }}"
-- name: Create an IAM Managed Policy for passing roles and setup IAM role.
- ansible.builtin.include_role:
- name: aws/aws_iam_role
- vars:
- aws_iam_role:
- name: AWSBackupDefaultServiceRole
- aws_profile: "{{ _aws_profile }}"
- inline_policies:
- name: "PassRole"
- resource: "*"
- action: "iam:PassRole"
- policy_document: "{{ lookup('file', 'pass_role_backup.j2') }}"
- managed_policies:
- - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
- - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores
+#- name: Create an IAM Managed Policy for passing roles and setup IAM role.
+# ansible.builtin.include_role:
+# name: aws/aws_iam_role
+# vars:
+# aws_iam_role:
+# name: AWSBackupDefaultServiceRole
+# aws_profile: "{{ _aws_profile }}"
+# inline_policies:
+# name: "PassRole"
+# resource: "*"
+# action: "iam:PassRole"
+# policy_document: "{{ lookup('file', 'pass_role_backup.j2') }}"
+# managed_policies:
+# - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
+# - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores
# TODO: Not all clients have verified identity
#- name: Get verified domain.
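Review bot: The task that created `AWSBackupDefaultServiceRole` is commented out rather than deleted, so the sixteen dead lines will keep drifting from the `aws/aws_iam_role` role they call into, and any later task in this file (outside the hunk) that still names that role now silently depends on it pre-existing in the account; a short comment in place of the dead block would make that precondition explicit, e.g. `# NOTE: AWSBackupDefaultServiceRole is no longer created here; it must already exist in the target account.`. If the block is ever revived, note that its `inline_policies` granted `action: "iam:PassRole"` on `resource: "*"`, which allows passing any role in the account to AWS Backup; scope `resource` to the concrete service-role ARN(s) the backup plans actually use before re-enabling it.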
diff --git a/roles/aws/aws_iam_role/tasks/main.yml b/roles/aws/aws_iam_role/tasks/main.yml index 27afb6e02..4dbb3dc60 100644 --- a/roles/aws/aws_iam_role/tasks/main.yml +++ b/roles/aws/aws_iam_role/tasks/main.yml 
@@ -1,42 +1,9 @@
-- name: Create an IAM Managed Policy if defined.
- amazon.aws.iam_managed_policy:
- policy_name: "inline_{{ aws_iam_role.name }}_policy"
- policy:
- Version: "2012-10-17"
- Statement:
- - Effect: "Allow"
- Action: "{{ aws_iam_role.inline_policies.action }}"
- Resource: "{{ aws_iam_role.inline_policies.resource }}"
- state: present
- register: _inline_iam_policy
- when: inline_policies.action is defined and inline_policies.action > 0
-
-- name: Join managed and inline policy.
- ansible.builtin.set_fact:
- _combined_policies: "{{ aws_iam_role.managed_policies + [_inline_iam_policy.arn] }}"
- when: inline_policies.action is defined and inline_policies.action > 0
-
-- name: Create combined var if inline policy is not defined or empty.
- ansible.builtin.set_fact:
- _combined_policies: "{{ aws_iam_role.managed_policies }}"
- when: inline_policies.action is not defined or inline_policies.action == 0
-
-- name: Create assume role policy document if predefined string is passed.
- ansible.builtin.set_fact:
- _assume_role_policy: "{{ lookup('file', aws_iam_role.policy_document + '_document_policy.json') }}"
- when: aws_iam_role.policy_document | type_debug == 'string'
-
-- name: Create assume role policy document if template is provided.
- ansible.builtin.set_fact:
- _assume_role_policy: "{{ aws_iam_role.policy_document }}"
- when: aws_iam_role.policy_document | type_debug != 'string'
-
- name: Create an IAM role.
amazon.aws.iam_role:
profile: "{{ aws_iam_role.aws_profile }}"
name: "{{ aws_iam_role.name }}"
- assume_role_policy_document: "{{ _assume_role_policy }}"
- managed_policies: "{{ _combined_policies }}"
+ assume_role_policy_document: "{{ lookup('file', aws_iam_role.policy_document + '_document_policy.json') }}"
+ managed_policies: "{{ aws_iam_role.managed_policies }}"
purge_policies: "{{ aws_iam_role.purge_policies }}"
tags: "{{ aws_iam_role.tags }}"
create_instance_profile: "{% if aws_iam_role.policy_document == 'ec2' %}true{% else %}false{% endif %}"
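Review bot: `assume_role_policy_document` now feeds `aws_iam_role.policy_document` straight into `lookup('file', … + '_document_policy.json')`, so an unexpected value (a typo, or a full policy document as callers previously passed) fails deep inside the lookup with a file-not-found error, and nothing pins the trust policy to the small set of documents this role ships. Add a guard task ahead of this one, `- name: Validate trust policy selector.` / `ansible.builtin.assert:` / `that: aws_iam_role.policy_document in ['ec2', …]`, enumerating the `*_document_policy.json` files in the role's `files/` directory. Separately, the removed `amazon.aws.iam_managed_policy` task created a standalone `inline_{{ aws_iam_role.name }}_policy` with `state: present`; if that path ever ran, those customer-managed policies now remain in the account unreferenced by this role, so a one-off `state: absent` cleanup or a comment recording that is warranted. A minor point of style: `create_instance_profile` reads more plainly as the boolean expression `"{{ aws_iam_role.policy_document == 'ec2' }}"` than as the `{% if %}` string template.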