From 0d5e3117e85950c6f106b177996d07a5fdb81a23 Mon Sep 17 00:00:00 2001
From: Matej Stajduhar
Date: Sat, 3 May 2025 13:07:57 +0200
Subject: [PATCH 1/8] Updatng-permissions-and-adding-more-functions

---
 roles/aws/aws_admin_tools/defaults/main.yml | 31 ++++++++++++++++---
 ...ing.py.j2 => API_Change_ASG_Scaling.py.j2} | 0
 ...s.py.j2 => API_Get_Forecasted_Costs.py.j2} | 0
 .../aws_admin_tools/templates/API_Get_IP_Set | 21 +++++++++++++
 ...tOfEC2.py.j2 => API_Get_List_Of_EC2.py.j2} | 0
 .../templates/API_Update_IP_Set | 19 ++++++++++++
 6 files changed, 66 insertions(+), 5 deletions(-)
 rename roles/aws/aws_admin_tools/templates/{API_ChangeASGScaling.py.j2 => API_Change_ASG_Scaling.py.j2} (100%)
 rename roles/aws/aws_admin_tools/templates/{API_GetForecastedCosts.py.j2 => API_Get_Forecasted_Costs.py.j2} (100%)
 create mode 100644 roles/aws/aws_admin_tools/templates/API_Get_IP_Set
 rename roles/aws/aws_admin_tools/templates/{API_GetListOfEC2.py.j2 => API_Get_List_Of_EC2.py.j2} (100%)
 create mode 100644 roles/aws/aws_admin_tools/templates/API_Update_IP_Set

diff --git a/roles/aws/aws_admin_tools/defaults/main.yml b/roles/aws/aws_admin_tools/defaults/main.yml
index 2ba6159df..50fd57317 100644
--- a/roles/aws/aws_admin_tools/defaults/main.yml
+++ b/roles/aws/aws_admin_tools/defaults/main.yml
@@ -4,7 +4,7 @@ aws_admin_tools:
 allowed_ips:
 - 192.168.1.1/32 # Ip of server with access to API-s
 functions:
- - name: "GetForecastedCosts"
+ - name: "Get_Forecasted_Costs"
 type: GET
 inline_policies:
 name: "{{ _aws_profile }}Billing"
@@ -12,11 +12,32 @@ aws_admin_tools:
 acton:
 - "ce:*"
 policies: []
- - name: "ChangeASGScaling"
+ - name: "Change_ASG_Scaling"
 type: POST
 policies:
 - arn:aws:iam::aws:policy/AmazonEC2FullAccess
- - name: "GetListOfEC2"
+ - name: "Get_List_Of_EC2"
 type: GET
- policies:
- - arn:aws:iam::aws:policy/AmazonEC2FullAccess
+ policies: []
+ inline_policies:
+ name: "ListEc2"
+ resource: "*"
+ acton:
+ - "ec2:DescribeAddresses"
+ - "ec2:DescribeInstances"
+ - name: "Get_IP_Set"
+ type: GET
+ policies: []
+ inline_policies:
+ name: "Get_IP_Set"
+ resource: "*"
+ acton:
+ - "wafv2:GetIPSet"
+ - name: "Update_IP_Set"
+ type: POST
+ policies: []
+ inline_policies:
+ name: "Update_IP_Set"
+ resource: "*"
+ acton:
+ - "wafv2:UpdateIPSet"
diff --git a/roles/aws/aws_admin_tools/templates/API_ChangeASGScaling.py.j2 b/roles/aws/aws_admin_tools/templates/API_Change_ASG_Scaling.py.j2
similarity index 100%
rename from roles/aws/aws_admin_tools/templates/API_ChangeASGScaling.py.j2
rename to roles/aws/aws_admin_tools/templates/API_Change_ASG_Scaling.py.j2
diff --git a/roles/aws/aws_admin_tools/templates/API_GetForecastedCosts.py.j2 b/roles/aws/aws_admin_tools/templates/API_Get_Forecasted_Costs.py.j2
similarity index 100%
rename from roles/aws/aws_admin_tools/templates/API_GetForecastedCosts.py.j2
rename to roles/aws/aws_admin_tools/templates/API_Get_Forecasted_Costs.py.j2
diff --git a/roles/aws/aws_admin_tools/templates/API_Get_IP_Set b/roles/aws/aws_admin_tools/templates/API_Get_IP_Set
new file mode 100644
index 000000000..64a91c0c4
--- /dev/null
+++ b/roles/aws/aws_admin_tools/templates/API_Get_IP_Set
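Review bot: The new `Get_IP_Set` and `Update_IP_Set` inline policies grant `wafv2:GetIPSet` and `wafv2:UpdateIPSet` on `resource: "*"`, so the Lambda reachable through the API can read or rewrite any IP set in the account and region, not only the one this tool manages; since the handler already takes the set's name and `Id` from the event, the policy can be scoped to that set's ARN, `arn:aws:wafv2:<REGION>:<ACCOUNT_ID>:regional/ipset/<NAME>/<ID>` (placeholders), with `resource: "*"` kept only for the `ec2:Describe*` actions, which have no resource-level support. The `Get_Forecasted_Costs` entry kept as context still carries `ce:*`, which includes Cost Explorer write actions; if the template only calls the forecast API (not visible here), `ce:GetCostForecast` is the tighter grant. `Change_ASG_Scaling` is the one function still attached to the managed `AmazonEC2FullAccess` policy rather than an inline policy, which this commit's "updating permissions" title suggests was the intent to replace.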
@@ -0,0 +1,21 @@
+import json
+import boto3
+
+waf_cli = boto3.client("wafv2")
+
+def lambda_handler(event, context):
+
+ print("Gathering instance details.")
+ ip_set=waf_cli.get_ip_set(
+ Name=event['ip_set'],
+ Scope='REGIONAL',
+ Id=event['id']
+ )
+
+ return {
+ 'statusCode': 200,
+ 'name': ip_set['IPSet']['Name'],
+ 'id': ip_set['IPSet']['Id'],
+ 'addresses': ip_set['IPSet']['Addresses'],
+ 'lock_token': ip_set['LockToken'],
+ }
diff --git a/roles/aws/aws_admin_tools/templates/API_GetListOfEC2.py.j2 b/roles/aws/aws_admin_tools/templates/API_Get_List_Of_EC2.py.j2
similarity index 100%
rename from roles/aws/aws_admin_tools/templates/API_GetListOfEC2.py.j2
rename to roles/aws/aws_admin_tools/templates/API_Get_List_Of_EC2.py.j2
diff --git a/roles/aws/aws_admin_tools/templates/API_Update_IP_Set b/roles/aws/aws_admin_tools/templates/API_Update_IP_Set
new file mode 100644
index 000000000..08781fb2b
--- /dev/null
+++ b/roles/aws/aws_admin_tools/templates/API_Update_IP_Set
@@ -0,0 +1,19 @@
+import json
+import boto3
+
+waf_cli = boto3.client("wafv2")
+
+def lambda_handler(event, context):
+
+ response = waf_cli.update_ip_set(
+ Name=event['name'],
+ Scope=event['scope'],
+ Id=event['id'],
+ Addresses=event['addresses'],
+ LockToken=event['lock_token']
+)
+
+ return {
+ 'statusCode': 200,
+ 'body': response
+ }

From 592ea2282dbf8d0eecdbd81c32f60921b801fb47 Mon Sep 17 00:00:00 2001
From: Matej Stajduhar
Date: Sat, 3 May 2025 13:29:28 +0200
Subject: [PATCH 2/8] Updatng-permissions-and-adding-more-functions-2

---
 .../templates/{API_Get_IP_Set => API_Get_IP_Set.py.j2} | 0
 .../templates/{API_Update_IP_Set => API_Update_IP_Set.py.j2} | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 rename roles/aws/aws_admin_tools/templates/{API_Get_IP_Set => API_Get_IP_Set.py.j2} (100%)
 rename roles/aws/aws_admin_tools/templates/{API_Update_IP_Set => API_Update_IP_Set.py.j2} (100%)
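Review bot: `lambda_handler` hard-codes `Scope='REGIONAL'` and reads the set name from `event['ip_set']`, while the companion `API_Update_IP_Set` added in this same commit reads `event['name']` and `event['scope']`, so a caller cannot feed the same request shape to both endpoints and the GET result cannot be round-tripped into the POST without renaming fields; aligning on `Name=event['name']` and `Scope=event.get('scope', 'REGIONAL')` removes that mismatch. A request missing either key raises `KeyError` out of the handler and surfaces as an unexplained 5xx from API Gateway rather than a 400, so a guard such as `if 'id' not in event: return {'statusCode': 400, 'body': 'id is required'}` is worth adding before the call. The log line `print("Gathering instance details.")` looks carried over from the EC2 template and should describe the IP set lookup, and `import json` is unused.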
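Review bot: `update_ip_set` is called with `event['addresses']` and `event['lock_token']` unvalidated, so a malformed CIDR list, a stale lock token or a missing field raises `ClientError` (`WAFInvalidParameterException`, `WAFOptimisticLockException`) or `KeyError` straight out of the handler and the API answers with a generic 5xx that tells the caller nothing about which input was wrong. Catching those and returning 400 (409 for the lock conflict) with the error code keeps the failure diagnosable and keeps the stack trace out of the response; the rewrite below shows the shape, with `ClientError` imported from `botocore.exceptions` at the top of the file. The success path returns the whole boto3 `response`, including `ResponseMetadata`, as `body`, whereas the caller mostly needs `response['NextLockToken']` to chain a further update, and the Get handler already exposes that value as `lock_token`. The closing `)` of the call is at column 0 inside the function body in this hunk; check the rendered file still parses, and `import json` is unused here too.

```python
def lambda_handler(event, context):
    try:
        response = waf_cli.update_ip_set(
            # … unchanged: Name/Scope/Id/Addresses/LockToken keyword arguments …
        )
    except KeyError as missing:
        return {'statusCode': 400, 'body': f'missing field: {missing}'}
    except ClientError as err:  # from botocore.exceptions
        code = err.response['Error']['Code']
        status = 409 if code == 'WAFOptimisticLockException' else 400
        return {'statusCode': status, 'body': code}

    # … unchanged: success return …
```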
diff --git a/roles/aws/aws_admin_tools/templates/API_Get_IP_Set b/roles/aws/aws_admin_tools/templates/API_Get_IP_Set.py.j2
similarity index 100%
rename from roles/aws/aws_admin_tools/templates/API_Get_IP_Set
rename to roles/aws/aws_admin_tools/templates/API_Get_IP_Set.py.j2
diff --git a/roles/aws/aws_admin_tools/templates/API_Update_IP_Set b/roles/aws/aws_admin_tools/templates/API_Update_IP_Set.py.j2
similarity index 100%
rename from roles/aws/aws_admin_tools/templates/API_Update_IP_Set
rename to roles/aws/aws_admin_tools/templates/API_Update_IP_Set.py.j2

From bdc554bb3e3fccb2fa80c2dac74c561ab57fe095 Mon Sep 17 00:00:00 2001
From: Matej Stajduhar
Date: Sat, 3 May 2025 23:35:57 +0200
Subject: [PATCH 3/8] Added-inline-policies-to-aws-admin-tools

---
 roles/aws/aws_admin_tools/tasks/lambda_iam.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/roles/aws/aws_admin_tools/tasks/lambda_iam.yml b/roles/aws/aws_admin_tools/tasks/lambda_iam.yml
index 5e5e5d400..7b6c237fd 100644
--- a/roles/aws/aws_admin_tools/tasks/lambda_iam.yml
+++ b/roles/aws/aws_admin_tools/tasks/lambda_iam.yml
@@ -10,4 +10,5 @@
 name: "API_{{ item.name }}"
 aws_profile: "{{ _aws_profile }}"
 managed_policies: "{{ _policies }}"
+ inline_policies: "{{ item.inline_policies }}"
 policy_document: "{{ lookup('template', 'trusted_entitites.j2') }}"

From e31b519ba5102a799cc07d321a895901214c05f6 Mon Sep 17 00:00:00 2001
From: Matej Stajduhar
Date: Sat, 3 May 2025 23:44:04 +0200
Subject: [PATCH 4/8] omititng-inline-policies-if-not-provided

---
 roles/aws/aws_admin_tools/tasks/lambda_iam.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/aws/aws_admin_tools/tasks/lambda_iam.yml b/roles/aws/aws_admin_tools/tasks/lambda_iam.yml
index 7b6c237fd..c90311deb 100644
--- a/roles/aws/aws_admin_tools/tasks/lambda_iam.yml
+++ b/roles/aws/aws_admin_tools/tasks/lambda_iam.yml
@@ -10,5 +10,5 @@
 name: "API_{{ item.name }}"
 aws_profile: "{{ _aws_profile }}"
 managed_policies: "{{ _policies }}"
- inline_policies: "{{ item.inline_policies }}"
+ inline_policies: "{{ item.inline_policies | default(omit) }}"
 policy_document: "{{ lookup('template', 'trusted_entitites.j2') }}"

From 3f0754023fd661984af8bc88ecf764da12b9bf53 Mon Sep 17 00:00:00 2001
From: Matej Stajduhar
Date: Sun, 4 May 2025 00:56:48 +0200
Subject: [PATCH 5/8] Debugging-inline-policies

---
 roles/aws/aws_admin_tools/tasks/lambda_iam.yml | 4 ++++
 roles/aws/aws_iam_role/tasks/main.yml | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/roles/aws/aws_admin_tools/tasks/lambda_iam.yml b/roles/aws/aws_admin_tools/tasks/lambda_iam.yml
index c90311deb..2adfa640f 100644
--- a/roles/aws/aws_admin_tools/tasks/lambda_iam.yml
+++ b/roles/aws/aws_admin_tools/tasks/lambda_iam.yml
@@ -2,6 +2,10 @@
 ansible.builtin.set_fact:
 _policies: "{{ item.policies + ['arn:aws:iam::aws:policy/CloudWatchLogsFullAccess'] }}"

+- name: Print inline polcies.
+ ansible.builtin.debug:
+ msg: "{{ item.inline_policies }}"
+
 - name: Create a role and attach policies.
 ansible.builtin.include_role:
 name: aws/aws_iam_role
diff --git a/roles/aws/aws_iam_role/tasks/main.yml b/roles/aws/aws_iam_role/tasks/main.yml
index f51b0aecd..151d54e5f 100644
--- a/roles/aws/aws_iam_role/tasks/main.yml
+++ b/roles/aws/aws_iam_role/tasks/main.yml
@@ -1,3 +1,7 @@
+- name: Print inline polcies.
+ ansible.builtin.debug:
+ msg: "{{ aws_iam_role.inline_policies }}"
+
 - name: Create an IAM Managed Policy if defined.
 amazon.aws.iam_managed_policy:
 policy_name: "inline_{{ aws_iam_role.inline_policies.name }}_policy"

From 17f8c19d669385623c26e515088e4974020aa7f5 Mon Sep 17 00:00:00 2001
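Review bot: `default(omit)` here sits on a value nested inside the `aws_iam_role` dictionary passed to `include_role` via `vars:`, and Ansible strips the omit placeholder from module arguments, not from role variables, so the role may well receive `inline_policies` as the placeholder string instead of an absent key; that matters because the role's `Create an IAM Managed Policy if defined.` task (visible as context in the next commit) builds `inline_{{ aws_iam_role.inline_policies.name }}_policy` from it. Worth verifying with a function that has no `inline_policies`, such as `Change_ASG_Scaling`; if the placeholder does leak through, `default({})` together with a `when: aws_iam_role.inline_policies.name is defined` on the role's policy tasks is the dependable form. The `include_role` task starts before this hunk.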
From: Matej Stajduhar
Date: Sun, 4 May 2025 01:13:33 +0200
Subject: [PATCH 6/8] Removed-debug-updated-vars

---
 roles/aws/aws_admin_tools/defaults/main.yml | 8 ++++----
 roles/aws/aws_admin_tools/tasks/lambda_iam.yml | 4 ----
 roles/aws/aws_iam_role/tasks/main.yml | 4 ----
 3 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/roles/aws/aws_admin_tools/defaults/main.yml b/roles/aws/aws_admin_tools/defaults/main.yml
index 50fd57317..bdc79dace 100644
--- a/roles/aws/aws_admin_tools/defaults/main.yml
+++ b/roles/aws/aws_admin_tools/defaults/main.yml
@@ -9,7 +9,7 @@ aws_admin_tools:
 inline_policies:
 name: "{{ _aws_profile }}Billing"
 resource: "*"
- acton:
+ action:
 - "ce:*"
 policies: []
 - name: "Change_ASG_Scaling"
@@ -22,7 +22,7 @@ aws_admin_tools:
 inline_policies:
 name: "ListEc2"
 resource: "*"
- acton:
+ action:
 - "ec2:DescribeAddresses"
 - "ec2:DescribeInstances"
 - name: "Get_IP_Set"
@@ -31,7 +31,7 @@ aws_admin_tools:
 inline_policies:
 name: "Get_IP_Set"
 resource: "*"
- acton:
+ action:
 - "wafv2:GetIPSet"
 - name: "Update_IP_Set"
 type: POST
@@ -39,5 +39,5 @@ aws_admin_tools:
 inline_policies:
 name: "Update_IP_Set"
 resource: "*"
- acton:
+ action:
 - "wafv2:UpdateIPSet"
diff --git a/roles/aws/aws_admin_tools/tasks/lambda_iam.yml b/roles/aws/aws_admin_tools/tasks/lambda_iam.yml
index 2adfa640f..c90311deb 100644
--- a/roles/aws/aws_admin_tools/tasks/lambda_iam.yml
+++ b/roles/aws/aws_admin_tools/tasks/lambda_iam.yml
@@ -2,10 +2,6 @@
 ansible.builtin.set_fact:
 _policies: "{{ item.policies + ['arn:aws:iam::aws:policy/CloudWatchLogsFullAccess'] }}"

-- name: Print inline polcies.
- ansible.builtin.debug:
- msg: "{{ item.inline_policies }}"
-
 - name: Create a role and attach policies.
 ansible.builtin.include_role:
 name: aws/aws_iam_role
diff --git a/roles/aws/aws_iam_role/tasks/main.yml b/roles/aws/aws_iam_role/tasks/main.yml
index 151d54e5f..f51b0aecd 100644
--- a/roles/aws/aws_iam_role/tasks/main.yml
+++ b/roles/aws/aws_iam_role/tasks/main.yml
@@ -1,7 +1,3 @@
-- name: Print inline polcies.
- ansible.builtin.debug:
- msg: "{{ aws_iam_role.inline_policies }}"
-
 - name: Create an IAM Managed Policy if defined.
 amazon.aws.iam_managed_policy:
 policy_name: "inline_{{ aws_iam_role.inline_policies.name }}_policy"

From 7784cc8e0cddfe26c7397a9676f49a3c3c56337f Mon Sep 17 00:00:00 2001
From: Matej Stajduhar
Date: Mon, 5 May 2025 06:37:16 +0200
Subject: [PATCH 7/8] Updating-names-of-functions

---
 roles/aws/aws_admin_tools/tasks/create.yml | 2 +-
 .../aws_admin_tools/tasks/create_methods.yml | 2 +-
 .../aws_admin_tools/tasks/lambda_functions.yml | 18 +++++++++---------
 roles/aws/aws_admin_tools/tasks/lambda_iam.yml | 2 +-
 ...ling.py.j2 => api_change_asg_scaling.py.j2} | 0
 ...ts.py.j2 => api_get_forecasted_costs.py.j2} | 0
 ...I_Get_IP_Set.py.j2 => api_get_ip_set.py.j2} | 0
 ..._Of_EC2.py.j2 => api_get_list_of_ec2.py.j2} | 0
 .../templates/{API_tmp.j2 => api_tmp.j2} | 0
 ...te_IP_Set.py.j2 => api_update_ip_set.py.j2} | 0
 10 files changed, 12 insertions(+), 12 deletions(-)
 rename roles/aws/aws_admin_tools/templates/{API_Change_ASG_Scaling.py.j2 => api_change_asg_scaling.py.j2} (100%)
 rename roles/aws/aws_admin_tools/templates/{API_Get_Forecasted_Costs.py.j2 => api_get_forecasted_costs.py.j2} (100%)
 rename roles/aws/aws_admin_tools/templates/{API_Get_IP_Set.py.j2 => api_get_ip_set.py.j2} (100%)
 rename roles/aws/aws_admin_tools/templates/{API_Get_List_Of_EC2.py.j2 => api_get_list_of_ec2.py.j2} (100%)
 rename roles/aws/aws_admin_tools/templates/{API_tmp.j2 => api_tmp.j2} (100%)
 rename roles/aws/aws_admin_tools/templates/{API_Update_IP_Set.py.j2 => api_update_ip_set.py.j2} (100%)

diff --git a/roles/aws/aws_admin_tools/tasks/create.yml b/roles/aws/aws_admin_tools/tasks/create.yml
index 45b72a3ca..c34889767 100644
--- a/roles/aws/aws_admin_tools/tasks/create.yml
+++ b/roles/aws/aws_admin_tools/tasks/create.yml
@@ -65,7 +65,7 @@
 - name: Update Lambda triggers.
 ansible.builtin.command: >-
 aws lambda add-permission
- --function-name "API_{{ item.name }}"
+ --function-name "api_{{ item.name }}"
 --statement-id "{{ item.name }}_{{ _rand_str }}"
 --action "lambda:InvokeFunction"
 --principal apigateway.amazonaws.com
diff --git a/roles/aws/aws_admin_tools/tasks/create_methods.yml b/roles/aws/aws_admin_tools/tasks/create_methods.yml
index baf864a01..754c12a4b 100644
--- a/roles/aws/aws_admin_tools/tasks/create_methods.yml
+++ b/roles/aws/aws_admin_tools/tasks/create_methods.yml
@@ -54,7 +54,7 @@
 --type AWS
 --content-handling CONVERT_TO_TEXT
 --integration-http-method POST
- --uri "arn:aws:apigateway:{{ _aws_region }}:lambda:path/2015-03-31/functions/arn:aws:lambda:{{ _aws_region }}:{{ _acc_id }}:function:API_{{ item.name }}/invocations"
+ --uri "arn:aws:apigateway:{{ _aws_region }}:lambda:path/2015-03-31/functions/arn:aws:lambda:{{ _aws_region }}:{{ _acc_id }}:function:api_{{ item.name }}/invocations"
 --region {{ _aws_region }}

 - name: Add method response.
diff --git a/roles/aws/aws_admin_tools/tasks/lambda_functions.yml b/roles/aws/aws_admin_tools/tasks/lambda_functions.yml
index d107b82f5..448961888 100644
--- a/roles/aws/aws_admin_tools/tasks/lambda_functions.yml
+++ b/roles/aws/aws_admin_tools/tasks/lambda_functions.yml
@@ -12,30 +12,30 @@

 - name: Write Lambda functions.
 ansible.builtin.template:
- src: "API_{{ item.name }}.py.j2"
- dest: "/tmp/API_{{ item.name }}.py"
+ src: "api_{{ item.name }}.py.j2"
+ dest: "/tmp/api_{{ item.name }}.py"

 - name: Create a zip archive of Lambda functions.
 community.general.archive:
- path: "/tmp/API_{{ item.name }}.py"
- dest: "/tmp/API_{{ item.name }}.zip"
+ path: "/tmp/api_{{ item.name }}.py"
+ dest: "/tmp/api_{{ item.name }}.zip"
 format: zip

 - name: Place Lambda functions in S3 bucket.
 amazon.aws.s3_object:
 bucket: "{{ _aws_profile }}-lambda-api-functions"
 object: "lambda-functions/API-{{ item.name }}.zip"
- src: "/tmp/API_{{ item.name }}.zip"
+ src: "/tmp/api_{{ item.name }}.zip"
 mode: put

 - name: Get appropriate IAM role for Lambda.
 amazon.aws.iam_role_info:
- name: "API_{{ item.name }}"
+ name: "api_{{ item.name }}"
 register: _iam_api_lambda

 - name: Create Lambda functions.
 amazon.aws.lambda:
- name: "API_{{ item.name }}"
+ name: "api_{{ item.name }}"
 description: "Lambda function for {{ item.name }}"
 region: "{{ _aws_region }}"
 timeout: "{{ aws_admin_tools.timeout }}"
@@ -44,6 +44,6 @@
 state: present
 runtime: "{{ aws_admin_tools.runtime }}"
 role: "{{ _iam_api_lambda.iam_roles[0].arn }}"
- handler: "API_{{ item.name }}.lambda_handler"
+ handler: "api_{{ item.name }}.lambda_handler"
 tags:
- Name: "API_{{ item.name }}"
+ Name: "api_{{ item.name }}"
diff --git a/roles/aws/aws_admin_tools/tasks/lambda_iam.yml b/roles/aws/aws_admin_tools/tasks/lambda_iam.yml
index c90311deb..a899e2e04 100644
--- a/roles/aws/aws_admin_tools/tasks/lambda_iam.yml
+++ b/roles/aws/aws_admin_tools/tasks/lambda_iam.yml
@@ -7,7 +7,7 @@
 name: aws/aws_iam_role
 vars:
 aws_iam_role:
- name: "API_{{ item.name }}"
+ name: "api_{{ item.name }}"
 aws_profile: "{{ _aws_profile }}"
 managed_policies: "{{ _policies }}"
 inline_policies: "{{ item.inline_policies | default(omit) }}"
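Review bot: Changing `name:` in the `amazon.aws.lambda` and `amazon.aws.iam_role_info` tasks (and the role name in the lambda_iam.yml hunk of this same commit) makes the next run create fresh `api_*` functions and roles without touching the `API_*` ones already deployed, so the old functions stay invocable with their roles and attached policies, including `AmazonEC2FullAccess`, until someone removes them by hand; a one-off cleanup task, or at least a note in the commit message, would close that gap. The S3 key `lambda-functions/API-{{ item.name }}.zip` on the context line is the one name in this file left on the old prefix. The staged source is written to the predictable path `/tmp/api_{{ item.name }}.py` and zipped from there, so on a controller shared with other local users the file can change between the template and archive tasks and whatever is in that path is what gets uploaded and deployed; `ansible.builtin.tempfile` or a directory inside the playbook's own working tree is the safer staging location. The `Create Lambda functions` task continues past the end of the first hunk.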
diff --git a/roles/aws/aws_admin_tools/templates/API_Change_ASG_Scaling.py.j2 b/roles/aws/aws_admin_tools/templates/api_change_asg_scaling.py.j2
similarity index 100%
rename from roles/aws/aws_admin_tools/templates/API_Change_ASG_Scaling.py.j2
rename to roles/aws/aws_admin_tools/templates/api_change_asg_scaling.py.j2
diff --git a/roles/aws/aws_admin_tools/templates/API_Get_Forecasted_Costs.py.j2 b/roles/aws/aws_admin_tools/templates/api_get_forecasted_costs.py.j2
similarity index 100%
rename from roles/aws/aws_admin_tools/templates/API_Get_Forecasted_Costs.py.j2
rename to roles/aws/aws_admin_tools/templates/api_get_forecasted_costs.py.j2
diff --git a/roles/aws/aws_admin_tools/templates/API_Get_IP_Set.py.j2 b/roles/aws/aws_admin_tools/templates/api_get_ip_set.py.j2
similarity index 100%
rename from roles/aws/aws_admin_tools/templates/API_Get_IP_Set.py.j2
rename to roles/aws/aws_admin_tools/templates/api_get_ip_set.py.j2
diff --git a/roles/aws/aws_admin_tools/templates/API_Get_List_Of_EC2.py.j2 b/roles/aws/aws_admin_tools/templates/api_get_list_of_ec2.py.j2
similarity index 100%
rename from roles/aws/aws_admin_tools/templates/API_Get_List_Of_EC2.py.j2
rename to roles/aws/aws_admin_tools/templates/api_get_list_of_ec2.py.j2
diff --git a/roles/aws/aws_admin_tools/templates/API_tmp.j2 b/roles/aws/aws_admin_tools/templates/api_tmp.j2
similarity index 100%
rename from roles/aws/aws_admin_tools/templates/API_tmp.j2
rename to roles/aws/aws_admin_tools/templates/api_tmp.j2
diff --git a/roles/aws/aws_admin_tools/templates/API_Update_IP_Set.py.j2 b/roles/aws/aws_admin_tools/templates/api_update_ip_set.py.j2
similarity index 100%
rename from roles/aws/aws_admin_tools/templates/API_Update_IP_Set.py.j2
rename to roles/aws/aws_admin_tools/templates/api_update_ip_set.py.j2

From 8a6e1fc6b0d859c96fd29fde13a503e606cddbdf Mon Sep 17 00:00:00 2001
From: Matej Stajduhar
Date: Mon, 5 May 2025 06:38:26 +0200
Subject: [PATCH 8/8] Updating-names-of-functions-2

---
 roles/aws/aws_admin_tools/defaults/main.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/roles/aws/aws_admin_tools/defaults/main.yml b/roles/aws/aws_admin_tools/defaults/main.yml
index bdc79dace..ab8a82f0a 100644
--- a/roles/aws/aws_admin_tools/defaults/main.yml
+++ b/roles/aws/aws_admin_tools/defaults/main.yml
@@ -4,7 +4,7 @@ aws_admin_tools:
 allowed_ips:
 - 192.168.1.1/32 # Ip of server with access to API-s
 functions:
- - name: "Get_Forecasted_Costs"
+ - name: "get_forecasted_costs"
 type: GET
 inline_policies:
 name: "{{ _aws_profile }}Billing"
@@ -12,32 +12,32 @@ aws_admin_tools:
 action:
 - "ce:*"
 policies: []
- - name: "Change_ASG_Scaling"
+ - name: "change_asg_scaling"
 type: POST
 policies:
 - arn:aws:iam::aws:policy/AmazonEC2FullAccess
- - name: "Get_List_Of_EC2"
+ - name: "get_list_of_ec2"
 type: GET
 policies: []
 inline_policies:
- name: "ListEc2"
+ name: "list_ec2"
 resource: "*"
 action:
 - "ec2:DescribeAddresses"
 - "ec2:DescribeInstances"
- - name: "Get_IP_Set"
+ - name: "get_ip_set"
 type: GET
 policies: []
 inline_policies:
- name: "Get_IP_Set"
+ name: "get_ip_set"
 resource: "*"
 action:
 - "wafv2:GetIPSet"
- - name: "Update_IP_Set"
+ - name: "update_ip_set"
 type: POST
 policies: []
 inline_policies:
- name: "Update_IP_Set"
+ name: "update_ip_set"
 resource: "*"
 action:
 - "wafv2:UpdateIPSet"