diff --git a/roles/_meta/aws_region/meta/main.yml b/roles/_meta/aws_region/meta/main.yml
index 0c13ab2e9..a11491c0e 100644
--- a/roles/_meta/aws_region/meta/main.yml
+++ b/roles/_meta/aws_region/meta/main.yml
@@ -8,4 +8,4 @@ dependencies:
 - role: aws/aws_cloudwatch_log_group
 - role: aws/aws_backup
 - role: aws/aws_backup_sns
-# - role: aws/aws_admin_tools
+ - role: aws/aws_admin_tools
diff --git a/roles/aws/aws_admin_tools/tasks/lambda_iam.yml b/roles/aws/aws_admin_tools/tasks/lambda_iam.yml
index f5ac58341..5e5e5d400 100644
--- a/roles/aws/aws_admin_tools/tasks/lambda_iam.yml
+++ b/roles/aws/aws_admin_tools/tasks/lambda_iam.yml
@@ -3,7 +3,11 @@
 _policies: "{{ item.policies + ['arn:aws:iam::aws:policy/CloudWatchLogsFullAccess'] }}"

 - name: Create a role and attach policies.
- amazon.aws.iam_role:
- name: "API_{{ item.name }}"
- assume_role_policy_document: "{{ lookup('template', 'trusted_entitites.j2') }}"
- managed_policies: "{{ _policies }}"
+ ansible.builtin.include_role:
+ name: aws/aws_iam_role
+ vars:
+ aws_iam_role:
+ name: "API_{{ item.name }}"
+ aws_profile: "{{ _aws_profile }}"
+ managed_policies: "{{ _policies }}"
+ policy_document: "{{ lookup('template', 'trusted_entitites.j2') }}"
diff --git a/roles/aws/aws_backup_validation/tasks/main.yml b/roles/aws/aws_backup_validation/tasks/main.yml
index 08b5f17e6..57b7c2cf9 100644
--- a/roles/aws/aws_backup_validation/tasks/main.yml
+++ b/roles/aws/aws_backup_validation/tasks/main.yml
@@ -12,6 +12,7 @@
 - arn:aws:iam::aws:policy/AmazonRDSFullAccess
 - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
 - arn:aws:iam::aws:policy/AmazonSSMFullAccess
+ - arn:aws:iam::aws:policy/AmazonSESFullAccess
 policy_document: "{{ lookup('file', 'trusted_entitites.j2') }}"

 - name: Create backup validation Lambda functions.
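Review bot: The `policy_document` handed to `aws/aws_iam_role` here is the rendered text of `trusted_entitites.j2`, but the included role (its `tasks/main.yml` hunk later in this diff) decides between "predefined name, read `<name>_document_policy.json`" and "literal document" by `type_debug == 'AnsibleUnicode'`; if the lookup result reports as `AnsibleUnicode` the role will try to open a file named after the entire JSON document and the task fails, and which type name a lookup result carries differs between Ansible versions (`AnsibleUnsafeText` is common). Distinguishing the two cases by Python type is fragile; an explicit input such as `policy_document_name: trusted_entitites` versus `policy_document: "{{ lookup('template', 'trusted_entitites.j2') }}"` would make the call site unambiguous. The same applies to `aws_backup_validation/tasks/main.yml`, which passes `lookup('file', 'trusted_entitites.j2')`. `_aws_profile` is referenced but not defined in this hunk, and the replaced direct module call used no profile at all — confirm it is set in this role's scope.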
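Review bot: `AmazonSESFullAccess` grants the backup-validation Lambda role every SES action, including identity, configuration-set and suppression-list management, on top of the `*FullAccess` policies already in this list; if the function only sends mail, a scoped statement limited to `ses:SendEmail`/`ses:SendRawEmail` on the verified identity would cover it. Prefer the narrower grant, or record why full access is required next to the entry. The enclosing `aws_iam_role` var block starts before this hunk.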
@@ -34,21 +35,21 @@
 # ansible.builtin.set_fact:
 # aws_lambda: "{{ aws_lambda | ansible.utils.remove_keys(target=['response_metadata', 'function_file']) }}"

-#- name: Create an IAM Managed Policy for passing roles and setup IAM role.
-# ansible.builtin.include_role:
-# name: aws/aws_iam_role
-# vars:
-# aws_iam_role:
-# name: AWSBackupDefaultServiceRole
-# aws_profile: "{{ _aws_profile }}"
-# inline_policies:
-# name: "PassRole"
-# resource: "*"
-# action: "iam:PassRole"
-# policy_document: "{{ lookup('file', 'pass_role_backup.j2') }}"
-# managed_policies:
-# - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
-# - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores
+- name: Create an IAM Managed Policy for passing roles and setup IAM role.
+ ansible.builtin.include_role:
+ name: aws/aws_iam_role
+ vars:
+ aws_iam_role:
+ name: AWSBackupDefaultServiceRole
+ aws_profile: "{{ _aws_profile }}"
+ inline_policies:
+ name: "PassRole"
+ resource: "*"
+ action: "iam:PassRole"
+ policy_document: "{{ lookup('file', 'pass_role_backup.j2') }}"
+ managed_policies:
+ - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
+ - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores

 # TODO: Not all clients have verified identity
 #- name: Get verified domain.
diff --git a/roles/aws/aws_iam_role/tasks/main.yml b/roles/aws/aws_iam_role/tasks/main.yml
index 4dbb3dc60..79d7e562d 100644
--- a/roles/aws/aws_iam_role/tasks/main.yml
+++ b/roles/aws/aws_iam_role/tasks/main.yml
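Review bot: The re-enabled inline policy grants `iam:PassRole` with `resource: "*"`, so any principal that can assume `AWSBackupDefaultServiceRole` may pass every role in the account to a service; that is the standard least-privilege finding for PassRole and it sits on a role that also carries the broad backup and restore service policies. Restricting `resource` to the roles Backup actually needs to pass, or adding a condition such as `iam:PassedToService: backup.amazonaws.com`, keeps the task's intent without the blanket grant; the included role's `inline_policies` schema has no condition field today, so that would need adding there. Also consider a short comment above `resource: "*"` recording why the wildcard was accepted if it must stay.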
@@ -1,9 +1,42 @@
+- name: Create an IAM Managed Policy if defined.
+ amazon.aws.iam_managed_policy:
+ policy_name: "inline_{{ aws_iam_role.name }}_policy"
+ policy:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: "Allow"
+ Action: "{{ aws_iam_role.inline_policies.action }}"
+ Resource: "{{ aws_iam_role.inline_policies.resource }}"
+ state: present
+ register: _inline_iam_policy
+ when: inline_policies.action is defined and inline_policies.action > 0
+
+- name: Join managed and inline policy.
+ ansible.builtin.set_fact:
+ _combined_policies: "{{ aws_iam_role.managed_policies + [_inline_iam_policy.arn] }}"
+ when: inline_policies.action is defined and inline_policies.action > 0
+
+- name: Create combined var if inline policy is not defined or empty.
+ ansible.builtin.set_fact:
+ _combined_policies: "{{ aws_iam_role.managed_policies }}"
+ when: inline_policies.action is not defined or inline_policies.action == 0
+
+- name: Create assume role policy document if predefined string is passed.
+ ansible.builtin.set_fact:
+ _assume_role_policy: "{{ lookup('file', aws_iam_role.policy_document + '_document_policy.json') }}"
+ when: aws_iam_role.policy_document | type_debug == 'AnsibleUnicode'
+
+- name: Create assume role policy document if template is provided.
+ ansible.builtin.set_fact:
+ _assume_role_policy: "{{ aws_iam_role.policy_document }}"
+ when: aws_iam_role.policy_document | type_debug != 'AnsibleUnicode'
+
 - name: Create an IAM role.
amazon.aws.iam_role:
 profile: "{{ aws_iam_role.aws_profile }}"
 name: "{{ aws_iam_role.name }}"
- assume_role_policy_document: "{{ lookup('file', aws_iam_role.policy_document + '_document_policy.json') }}"
- managed_policies: "{{ aws_iam_role.managed_policies }}"
+ assume_role_policy_document: "{{ _assume_role_policy }}"
+ managed_policies: "{{ _combined_policies }}"
 purge_policies: "{{ aws_iam_role.purge_policies }}"
 tags: "{{ aws_iam_role.tags }}"
 create_instance_profile: "{% if aws_iam_role.policy_document == 'ec2' %}true{% else %}false{% endif %}"
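Review bot: The `when:` guards on the first three new tasks test a bare `inline_policies.action`, while the task bodies read `aws_iam_role.inline_policies.action`; callers in this diff (`aws_backup_validation/tasks/main.yml`) pass the data under `aws_iam_role`, so `inline_policies` is undefined, the managed policy is never created, and `_combined_policies` silently falls back to `managed_policies` alone — and if `inline_policies` were ever defined, `inline_policies.action > 0` compares a string with an integer, which Jinja2 rejects. Replace the guards with `when: aws_iam_role.inline_policies.action is defined and aws_iam_role.inline_policies.action | length > 0` on the first two tasks and its negation on the third. `_inline_iam_policy.arn` also looks wrong: `amazon.aws.iam_managed_policy` documents its result under a `policy` key, so `_inline_iam_policy.policy.arn` is likely what is meant — verify against the collection version in use. The three fallback paths deserve a comment on the `Create combined var` task explaining that an absent or empty `inline_policies` is a supported input rather than an error.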