From 248b6edad7faf1aaf104a8c7e247efc3fd54526c Mon Sep 17 00:00:00 2001 From: Alina Buzachis Date: Wed, 5 Jul 2023 16:02:54 +0200 Subject: [PATCH 01/15] Fix sannity errors Signed-off-by: Alina Buzachis --- plugins/modules/eval_nat_network_acls.py | 40 ++++++++++++------------ tox.ini | 2 +- 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/plugins/modules/eval_nat_network_acls.py b/plugins/modules/eval_nat_network_acls.py index 68b32e5..5ebeca9 100644 --- a/plugins/modules/eval_nat_network_acls.py +++ b/plugins/modules/eval_nat_network_acls.py @@ -195,11 +195,11 @@ def check_egress_towards_dst(acls, dst_ip, dst_port): outbound traffic to destination: \ {self.dst_ip} : {str(dst_port)}" ) - else: - self.fail_json( - msg=f"NatGateway Subnet {self.src_subnet_id} \ - Network Acl Egress Rules do not allow outbound traffic to destination: {self.dst_ip} : {str(dst_port)}" - ) + + self.fail_json( + msg=f"NatGateway Subnet {self.src_subnet_id} \ + Network Acl Egress Rules do not allow outbound traffic to destination: {self.dst_ip} : {str(dst_port)}" + ) def check_ingress_from_dst(acls, src_ip): for item in acls: @@ -228,12 +228,12 @@ def check_ingress_from_dst(acls, src_ip): Network Acl Ingress Rules do not allow \ inbound traffic from destination: {self.dst_ip}" ) - else: - self.fail_json( - msg=f"NatGateway Subnet {self.src_subnet_id} \ - Network Acl Ingress Rules do not allow \ - inbound traffic from destination: {self.dst_ip}" - ) + + self.fail_json( + msg=f"NatGateway Subnet {self.src_subnet_id} \ + Network Acl Ingress Rules do not allow \ + inbound traffic from destination: {self.dst_ip}" + ) def check_ingress_from_src(acls, src_ip, dst_port): for item in acls: 
@@ -259,11 +259,11 @@ def check_ingress_from_src(acls, src_ip, dst_port): Ingress Rules do not allow inbound \ traffic from source: {self.src_ip} towards destination port {str(dst_port)}" ) - else: - self.fail_json( - msg=f"NatGateway Subnet Network Acl Ingress Rules do not allow \ - inbound traffic from source {self.src_ip} towards destination port {str(dst_port)}" - ) + + self.fail_json( + msg=f"NatGateway Subnet Network Acl Ingress Rules do not allow \ + inbound traffic from source {self.src_ip} towards destination port {str(dst_port)}" + ) def check_egress_towards_src(acls, dst_ip): for item in acls: @@ -290,10 +290,10 @@ def check_egress_towards_src(acls, dst_ip): self.fail_json( msg=f"NatGateway Subnet Network Acl Egress Rules do not allow outbound traffic to source: {self.src_ip}" ) - else: - self.fail_json( - msg=f"NatGateway Subnet Network Acl Egress Rules do not allow outbound traffic to source: {self.src_ip}" - ) + + self.fail_json( + msg=f"NatGateway Subnet Network Acl Egress Rules do not allow outbound traffic to source: {self.src_ip}" + ) check_egress_towards_dst(egress_acls, dst_ip, dst_port) check_ingress_from_dst(ingress_acls, dst_ip) diff --git a/tox.ini b/tox.ini index 0c0b026..3640c0a 100644 --- a/tox.ini +++ b/tox.ini @@ -40,6 +40,6 @@ setenv = [flake8] exclude = .git,.tox,tests/output -ignore = E501, W503, W504, E402 +ignore = E501, W503, W504, E402, E501 max-line-length = 160 builtins = _ From d6e2af7bb682a151ec986f0ee81f79909f64ee29 Mon Sep 17 00:00:00 2001 From: Alina Buzachis Date: Wed, 5 Jul 2023 16:29:42 +0200 Subject: [PATCH 02/15] Fix sanity 
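Review bot: Removing the `else:` in front of the trailing `self.fail_json(...)` of check_ingress_from_src makes that failure unconditional after the loop, and the next patch in this series (hunk @@ -255 of eval_nat_network_acls.py) shows this loop leaves via `break` when a rule matches, so a permitted flow would now fall through to the "Ingress Rules do not allow inbound traffic" failure. The same applies to check_egress_towards_src in the @@ -290 hunk below, whose loop also uses `break`. If the removed `else:` was the loop's for/else clause, pylint's useless-else-on-loop only concerns loops without a `break`; for these two functions either keep the for/else or replace the `break` with `return True`, which is what check_egress_acls in eval_network_acls.py does. The @@ -195 and @@ -228 hunks on the previous line are only safe if their loops return rather than break, which this patch does not show.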
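Review bot: The `E501` appended to the flake8 `ignore` list is already its first entry, so the new line `ignore = E501, W503, W504, E402, E501` changes nothing and reads as an accidental edit. flake8 tolerates the duplicate, so sanity will not fail on it, but the next reader will wonder which code was actually meant. If a different check was supposed to be silenced, the code is wrong; otherwise the line should be left as it was.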
Signed-off-by: Alina Buzachis --- plugins/modules/eval_nat_network_acls.py | 42 ++++++++++-------- plugins/modules/eval_network_acls.py | 44 +++++++++++-------- plugins/modules/eval_security_groups.py | 20 ++++----- plugins/modules/eval_src_igw_route.py | 35 ++++++++------- plugins/modules/eval_vpc_peering.py | 12 ++--- plugins/modules/get_connection_next_hop.py | 10 +---- plugins/modules/validate_network_acls.py | 8 +--- plugins/modules/validate_route_tables.py | 22 +++++----- .../modules/validate_security_group_rules.py | 9 +--- 9 files changed, 94 insertions(+), 108 deletions(-) diff --git a/plugins/modules/eval_nat_network_acls.py b/plugins/modules/eval_nat_network_acls.py index 5ebeca9..bba0abe 100644 --- a/plugins/modules/eval_nat_network_acls.py +++ b/plugins/modules/eval_nat_network_acls.py @@ -4,10 +4,6 @@ # Copyright: (c) 2022, Ansible Project # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) -from __future__ import absolute_import, division, print_function - -__metaclass__ = type - DOCUMENTATION = r""" --- @@ -123,7 +119,6 @@ class EvalNatNetworkAcls(AnsibleModule): def __init__(self): - argument_spec = dict( src_ip=dict(type="str", required=True), src_port_range=dict(type="str"), @@ -197,8 +192,9 @@ def check_egress_towards_dst(acls, dst_ip, dst_port): ) self.fail_json( - msg=f"NatGateway Subnet {self.src_subnet_id} \ - Network Acl Egress Rules do not allow outbound traffic to destination: {self.dst_ip} : {str(dst_port)}" + msg="NatGateway Subnet {0} Network Acl Egress Rules do not allow outbound traffic to destination: {1} : {2}".format( + self.src_subnet_id, self.dst_ip, str(dst_port) + ) ) def check_ingress_from_dst(acls, src_ip): 
@@ -230,9 +226,9 @@ def check_ingress_from_dst(acls, src_ip): ) self.fail_json( - msg=f"NatGateway Subnet {self.src_subnet_id} \ - Network Acl Ingress Rules do not allow \ - inbound traffic from destination: {self.dst_ip}" + msg="NatGateway Subnet {0} Network Acl Ingress Rules do not allow inbound traffic from destination: {1}".format( + self.src_subnet_id, self.dst_ip + ) ) def check_ingress_from_src(acls, src_ip, dst_port): @@ -255,14 +251,17 @@ def check_ingress_from_src(acls, src_ip, dst_port): break else: self.fail_json( - msg=f"NatGateway Subnet Network Acl \ + msg="NatGateway Subnet Network Acl \ Ingress Rules do not allow inbound \ - traffic from source: {self.src_ip} towards destination port {str(dst_port)}" + traffic from source: {0} towards destination port {1}".format( + self.src_ip, str(dst_port) + ) ) self.fail_json( - msg=f"NatGateway Subnet Network Acl Ingress Rules do not allow \ - inbound traffic from source {self.src_ip} towards destination port {str(dst_port)}" + msg="NatGateway Subnet Network Acl Ingress Rules do not allow inbound traffic from source {0} towards destination port {1}".format( + self.src_ip, str(dst_port) + ) ) def check_egress_towards_src(acls, dst_ip): @@ -288,11 +287,15 @@ def check_egress_towards_src(acls, dst_ip): break else: self.fail_json( - msg=f"NatGateway Subnet Network Acl Egress Rules do not allow outbound traffic to source: {self.src_ip}" + msg="NatGateway Subnet Network Acl Egress Rules do not allow outbound traffic to source: {0}".format( + self.src_ip + ) ) self.fail_json( - msg=f"NatGateway Subnet Network Acl Egress Rules do not allow outbound traffic to source: {self.src_ip}" + msg=f"NatGateway Subnet Network Acl Egress Rules do not allow outbound traffic to source: {0}".format( + self.src_ip + ) ) check_egress_towards_dst(egress_acls, dst_ip, dst_port) 
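Review bot: In the @@ -288 hunk the second rewritten message keeps its `f` prefix while switching to `.format()`: `msg=f"... outbound traffic to source: {0}".format(self.src_ip)`. As an f-string, `{0}` is evaluated to the literal `0` before `.format` runs, so the module reports `to source: 0` and the source IP never appears in the diagnosis. Drop the prefix: `msg="NatGateway Subnet Network Acl Egress Rules do not allow outbound traffic to source: {0}".format(self.src_ip)`. The same slip is in the @@ -193 hunk of eval_network_acls.py (first fail_json of check_egress_acls), where `{0} : {1}` will render as `0 : 1`. flake8 does not catch this; a test asserting that the failure message contains the address would.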
@@ -332,7 +335,9 @@ def get_nat_next_hop(self): if most_specific >= 0 and "igw-" in str(next_hop): return True self.fail_json( - msg=f"No Internet Gateway route found for destination: {self.dst_ip}" + msg="No Internet Gateway route found for destination: {0}".format( + self.dst_ip + ) ) def execute_module(self): @@ -342,11 +347,10 @@ def execute_module(self): self.get_nat_next_hop() self.exit_json(result="NAT Network ACLs evaluation successful") except Exception as e: - self.fail_json(msg=f"NAT Network ACLs evaluation failed: {e}") + self.fail_json(msg="NAT Network ACLs evaluation failed: {0}".format(e)) def main(): - EvalNatNetworkAcls() diff --git a/plugins/modules/eval_network_acls.py b/plugins/modules/eval_network_acls.py index a52bf26..7888f81 100644 --- a/plugins/modules/eval_network_acls.py +++ b/plugins/modules/eval_network_acls.py @@ -4,10 +4,6 @@ # Copyright: (c) 2022, Ansible Project # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) -from __future__ import absolute_import, division, print_function - -__metaclass__ = type - DOCUMENTATION = r""" --- @@ -129,7 +125,6 @@ class EvalNetworkAcls(AnsibleModule): def __init__(self): - argument_spec = dict( src_ip=dict(type="str", required=True), src_subnet_id=dict(type="str", required=True), 
@@ -193,12 +188,15 @@ def check_egress_acls(acls, dst_ip, dst_port): return True else: self.fail_json( - msg=f"Source Subnet Network Acl Egress Rules \ - do not allow outbound traffic to destination: {self.dst_ip} : {str(dst_port)}" + msg=f"Source Subnet Network Acl Egress Rules do not allow outbound traffic to destination: {0} : {1}".format( + self.dst_ip, str(dst_port) + ) ) self.fail_json( - msg=f"Source Subnet Network Acl Egress Rules do not allow outbound traffic to destination: {self.dst_ip} : {str(dst_port)}" + msg="Source Subnet Network Acl Egress Rules do not allow outbound traffic to destination: {0} : {1}".format( + self.dst_ip, str(dst_port) + ) ) def check_ingress_acls(acls, src_ip): @@ -224,11 +222,15 @@ def check_ingress_acls(acls, src_ip): return True else: self.fail_json( - msg=f"Source Subnet Network Acl Ingress Rules do not allow inbound traffic from destination: {self.dst_ip}" + msg="Source Subnet Network Acl Ingress Rules do not allow inbound traffic from destination: {0}".format( + self.dst_ip + ) ) self.fail_json( - msg=f"Source Subnet Network Acl Ingress Rules do not allow inbound traffic from destination: {self.dst_ip}" + msg="Source Subnet Network Acl Ingress Rules do not allow inbound traffic from destination: {0}".format( + self.dst_ip + ) ) egress_acls = [acl["egress"] for acl in acls if acl["egress"]][0] @@ -264,10 +266,14 @@ def check_egress_acls(acls, dst_ip): break else: self.fail_json( - msg=f"Destination Subnet Network Acl Egress Rules do not allow outbound traffic to source: {self.src_ip}" + msg="Destination Subnet Network Acl Egress Rules do not allow outbound traffic to source: {0}".format( + self.src_ip + ) ) self.fail_json( - msg=f"Destination Subnet Network Acl Egress Rules do not allow outbound traffic to source: {self.src_ip}" + msg="Destination Subnet Network Acl Egress Rules do not allow outbound traffic to source: {0}".format( + self.src_ip + ) ) def check_ingress_acls(acls, src_ip, dst_port): 
@@ -290,14 +296,15 @@ def check_ingress_acls(acls, src_ip, dst_port): return True else: self.fail_json( - msg=f"Destination Subnet Network Acl Ingress Rules \ - do not allow inbound traffic from source: \ - {self.src_ip} towards destination port {str(self.dst_port)}" + msg="Destination Subnet Network Acl Ingress Rules do not allow inbound traffic from source: {0} towards destination port {1}".format( + self.src_ip, str(self.dst_port) + ) ) self.fail_json( - msg=f"Destination Subnet Network Acl Ingress Rules do not allow\ - inbound traffic from source: {self.src_ip} towards destination port {str(self.dst_port)}" + msg="Destination Subnet Network Acl Ingress Rules do not allow inbound traffic from source: {0} towards destination port {1}".format( + self.src_ip, str(self.dst_port) + ) ) egress_acls = [acl["egress"] for acl in acls if acl["egress"]][0] @@ -320,11 +327,10 @@ def execute_module(self): self.eval_nacls() self.exit_json(result="Network ACLs evaluation successful") except Exception as e: - self.fail_json(msg=f"Network ACLs evaluation failed: {e}") + self.fail_json(msg="Network ACLs evaluation failed: {0}".format(e)) def main(): - EvalNetworkAcls() diff --git a/plugins/modules/eval_security_groups.py b/plugins/modules/eval_security_groups.py index bd94011..e9bc915 100644 --- a/plugins/modules/eval_security_groups.py +++ b/plugins/modules/eval_security_groups.py @@ -4,10 +4,6 @@ # Copyright: (c) 2022, Ansible Project # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) -from __future__ import absolute_import, division, print_function - -__metaclass__ = type - DOCUMENTATION = r""" --- @@ -131,7 +127,6 @@ class EvalSecurityGroups(AnsibleModule): def __init__(self): - argument_spec = dict( src_ip=dict(type="str", required=True), src_security_groups=dict(type="list", elements="str", required=True), 
@@ -179,7 +174,9 @@ def eval_src_egress_rules(): ): return True self.fail_json( - msg=f"Egress rules on source do not allow traffic towards destination: {self.dst_ip} : {str(dst_port)}" + msg="Egress rules on source do not allow traffic towards destination: {0} : {1}".format( + self.dst_ip, str(dst_port) + ) ) def eval_dst_ingress_rules(): @@ -208,7 +205,9 @@ def eval_dst_ingress_rules(): ): return True self.fail_json( - msg=f"Ingress rules on destination do not allow traffic from source: {self.src_ip} towards destination port {str(dst_port)}" + msg="Ingress rules on destination do not allow traffic from source: {0} towards destination port {1}".format( + self.src_ip, str(dst_port) + ) ) eval_src_egress_rules() @@ -237,7 +236,9 @@ def check_src_egress_rules(self): if dst_ip in ip_network(cidr["cidr_ip"], strict=False): return True self.fail_json( - msg=f"Egress rules on source do not allow traffic towards destination: {self.dst_ip} : {str(dst_port)}" + msg="Egress rules on source do not allow traffic towards destination: {0} : {1}".format( + self.dst_ip, str(dst_port) + ) ) def execute_module(self): @@ -247,11 +248,10 @@ def execute_module(self): self.eval_sg_rules() self.exit_json(result="Security Groups rules validation successful") except Exception as e: - self.fail_json(msg=f"Security Groups rules validation failed: {e}") + self.fail_json(msg="Security Groups rules validation failed: {0}".format(e)) def main(): - EvalSecurityGroups() diff --git a/plugins/modules/eval_src_igw_route.py b/plugins/modules/eval_src_igw_route.py index a4abffd..71a465a 100644 --- a/plugins/modules/eval_src_igw_route.py +++ b/plugins/modules/eval_src_igw_route.py @@ -4,10 +4,6 @@ # Copyright: (c) 2022, Ansible Project # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) -from __future__ import absolute_import, division, print_function - -__metaclass__ = type - DOCUMENTATION = r""" --- 
@@ -189,7 +185,6 @@ class EvalSrcIgwRoute(AnsibleModule): def __init__(self): - argument_spec = dict( src_ip=dict(type="str", required=True), src_network_interface=dict(type="dict", required=True), @@ -238,7 +233,9 @@ def eval_src_egress_rule(self): if dst_ip in ip_network(cidr["cidr_ip"], strict=False): return True self.fail_json( - msg=f"Egress rules on source do not allow traffic towards destination: {self.dst_ip} : {str(dst_port)}" + msg="Egress rules on source do not allow traffic towards destination: {0} : {1}".format( + self.dst_ip, str(dst_port) + ) ) def eval_src_nacls(self): @@ -262,17 +259,19 @@ def check_egress_acls(acls, dst_ip, dst_port): return True else: self.fail_json( - msg=f"Source Subnet {self.src_subnet_id} \ - Network Acl Egress Rules do not allow \ - outbound traffic to destination: {self.dst_ip} : {str(self.dst_port)}" + msg="Source Subnet {0} Network Acl Egress Rules do not allow outbound traffic to destination: {1} : {2}".format( + self.src_subnet_id, + self.dst_ip, + str(self.dst_port), + ) ) self.fail_json( - msg=f"Source Subnet {self.src_subnet_id} Network Acl Egress \ - Rules do not allow outbound traffic to destination: {self.dst_ip} : {str(self.dst_port)}" + msg="Source Subnet {0} Network Acl Egress Rules do not allow outbound traffic to destination: {1} : {2}".format( + self.src_subnet_id, self.dst_ip, str(self.dst_port) + ) ) def check_ingress_acls(acls, src_ip): - for item in acls: acl = dict(zip(keys, item)) # Check ipv4 acl rule only 
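Review bot: Both rewritten messages in the @@ -262 hunk format `str(self.dst_port)` although check_egress_acls receives `dst_port` as a parameter (see the hunk header), and the same function in eval_nat_network_acls.py formats the parameter; if a caller ever passes a port that differs from `self.dst_port`, the failure text names the wrong one. Use the parameter, `str(dst_port)`, in both `.format(...)` calls, or drop the parameter if it is always `self.dst_port`. The function's earlier lines, where the comparison is made, are outside this hunk, so which value the check actually uses cannot be confirmed from here.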
@@ -295,11 +294,14 @@ def check_ingress_acls(acls, src_ip): return True else: self.fail_json( - msg=f"Source Subnet {self.src_subnet_id} Network Acl \ - Ingress Rules do not allow inbound traffic from destination: {self.dst_ip}" + msg="Source Subnet {0} Network Acl Ingress Rules do not allow inbound traffic from destination: {1}".format( + self.src_subnet_id, self.dst_ip + ) ) self.fail_json( - msg=f"Source Subnet {self.src_subnet_id} Network Acl Ingress Rules do not allow inbound traffic from destination: {self.dst_ip}" + msg="Source Subnet {0} Network Acl Ingress Rules do not allow inbound traffic from destination: {1}".format( + self.src_subnet_id, self.dst_ip + ) ) dst_ip = ip_address(self.dst_ip) @@ -343,11 +345,10 @@ def execute_module(self): self.eval_src_nacls() self.exit_json(result="Source evaluation successful") except Exception as e: - self.fail_json(msg=f"Source evaluation failed: {e}") + self.fail_json(msg="Source evaluation failed: {0}".format(e)) def main(): - EvalSrcIgwRoute() diff --git a/plugins/modules/eval_vpc_peering.py b/plugins/modules/eval_vpc_peering.py index a9bea42..b3bebd6 100644 --- a/plugins/modules/eval_vpc_peering.py +++ b/plugins/modules/eval_vpc_peering.py @@ -4,10 +4,6 @@ # Copyright: (c) 2022, Ansible Project # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) -from __future__ import absolute_import, division, print_function - -__metaclass__ = type - DOCUMENTATION = r""" --- @@ -117,7 +113,6 @@ class EvalVpcPeering(AnsibleModule): def __init__(self): - argument_spec = dict( src_ip=dict(type="str", required=True), dst_vpc=dict(type="str", required=False), @@ -174,7 +169,9 @@ def eval_peer_route_table(self): return True else: self.fail_json( - msg=f"Destination Subnet route table does not contain a valid peering route for source: {self.scr_ip}" + msg="Destination Subnet route table does not contain a valid peering route for source: {0}".format( + self.scr_ip + ) ) def execute_module(self): 
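Review bot: The rewritten failure message in eval_peer_route_table formats `self.scr_ip`, which looks like a typo for `self.src_ip` (the name every other module in this series uses); if no `scr_ip` attribute exists, reaching this branch raises AttributeError instead of reporting the unmatched source. Because execute_module wraps the call in `except Exception`, the operator would then see `VPC peering evaluation failed: ... has no attribute 'scr_ip'` rather than the intended routing diagnosis. Suggested line: `self.src_ip` — confirm against the attributes set in __init__, which are outside this hunk.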
@@ -183,11 +180,10 @@ def execute_module(self): self.eval_peer_route_table() self.exit_json(result="VPC peering evaluation successful") except Exception as e: - self.fail_json(msg=f"VPC peering evaluation failed: {e}") + self.fail_json(msg="VPC peering evaluation failed: {0}".format(e)) def main(): - EvalVpcPeering() diff --git a/plugins/modules/get_connection_next_hop.py b/plugins/modules/get_connection_next_hop.py index eb9d5d6..442459c 100644 --- a/plugins/modules/get_connection_next_hop.py +++ b/plugins/modules/get_connection_next_hop.py @@ -4,10 +4,6 @@ # Copyright: (c) 2022, Ansible Project # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) -from __future__ import absolute_import, division, print_function - -__metaclass__ = type - DOCUMENTATION = r""" --- @@ -70,7 +66,6 @@ class GetConnectionNextHopType(AnsibleModule): def __init__(self): - argument_spec = dict( dst_ip=dict(type="str", required=True), routes=dict(type="list", elements="dict", required=True), @@ -111,7 +106,7 @@ def get_next_hop(self): or next_hop.get("transit_gateway_id") or next_hop.get("vpc_peering_connection_id") ) - self.fail_json(msg=f"No route found for destination: {self.dst_ip}") + self.fail_json(msg="No route found for destination: {0}".format(self.dst_ip)) def execute_module(self): next_hop = None @@ -120,11 +115,10 @@ def execute_module(self): next_hop = self.get_next_hop() self.exit_json(next_hop=next_hop) except Exception as e: - self.fail_json(msg=f"Failed to get connection next hop type: {e}") + self.fail_json(msg="Failed to get connection next hop type: {0}".format(e)) def main(): - GetConnectionNextHopType() diff --git a/plugins/modules/validate_network_acls.py b/plugins/modules/validate_network_acls.py index fee789f..132cd85 100644 --- a/plugins/modules/validate_network_acls.py +++ b/plugins/modules/validate_network_acls.py 
@@ -4,10 +4,6 @@ # Copyright: (c) 2022, Ansible Project # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) -from __future__ import absolute_import, division, print_function - -__metaclass__ = type - DOCUMENTATION = r""" --- @@ -137,7 +133,6 @@ def is_port_in_range(port, from_port, to_port): class ValidateNetworkACL(AnsibleModule): def __init__(self): - argument_spec = dict( dest_subnet_cidrs=dict(type="list", elements="str", required=True), dest_network_acl_rules=dict(type="list", elements="dict", required=True), @@ -216,11 +211,10 @@ def execute_module(self): self.exit_json(result="Network ACL validation successful") except Exception as e: - self.fail_json(msg=f"Network ACL validation failed: {e}") + self.fail_json(msg="Network ACL validation failed: {0}".format(e)) def main(): - ValidateNetworkACL() diff --git a/plugins/modules/validate_route_tables.py b/plugins/modules/validate_route_tables.py index c223312..986eca4 100644 --- a/plugins/modules/validate_route_tables.py +++ b/plugins/modules/validate_route_tables.py @@ -4,10 +4,6 @@ # Copyright: (c) 2022, Ansible Project # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) -from __future__ import absolute_import, division, print_function - -__metaclass__ = type - DOCUMENTATION = r""" --- @@ -270,7 +266,6 @@ class ValidateRouteTables(AnsibleModule): def __init__(self): - argument_spec = dict( dest_subnets=dict(type="list", elements="dict", required=True), dest_route_tables=dict(type="list", elements="dict", required=True), @@ -319,7 +314,9 @@ def validate_route_tables( and not b_check_vpc_rtb_rds ): self.exit_json( - result=f"Source and destination resources are using the same route table(s): {self.ec2_rtb_list}" + result="Source and destination resources are using the same route table(s): {0}".format( + self.ec2_rtb_list + ) ) def validate_route_connection( 
@@ -329,7 +326,6 @@ def validate_route_connection( dest_route_tables, b_check_vpc_rtb_rds, ): - # Third verification: Check wheter route is through a peering connection # Verify whether Destination RTBs contains route to Source network for rtb in dest_route_tables: @@ -371,7 +367,6 @@ def validate_route_to_dest_on_source( dest_subnet_cidrs, b_check_vpc_rtb_ec2, ): - # Verify whether Source RTB contains route to Destination network for rtb in src_route_tables: required_cidrs = copy.deepcopy(dest_subnet_cidrs) @@ -474,22 +469,25 @@ def execute_module(self): if len(self.rds_rtb_list) > 0: self.fail_json( - msg=f"Please review route table(s) {self.rds_rtb_list} for entries matching {src_private_ips} Cidr" + msg="Please review route table(s) {0} for entries matching {1} Cidr".format( + self.rds_rtb_list, src_private_ips + ) ) if len(self.ec2_rtb_list) > 0: self.fail_json( - msg=f"Please review route table(s) {self.ec2_rtb_list} for entries matching {dest_subnet_cidrs} Cidr" + msg="Please review route table(s) {0} for entries matching {1} Cidr".format( + self.ec2_rtb_list, dest_subnet_cidrs + ) ) self.exit_json(result="Route table validation successful") except Exception as e: - self.fail_json(msg=f"Route table validation failed: {e}") + self.fail_json(msg="Route table validation failed: {0}".format(e)) def main(): - ValidateRouteTables() diff --git a/plugins/modules/validate_security_group_rules.py b/plugins/modules/validate_security_group_rules.py index 1665481..4eb48e5 100644 --- a/plugins/modules/validate_security_group_rules.py +++ b/plugins/modules/validate_security_group_rules.py @@ -4,10 +4,6 @@ # Copyright: (c) 2022, Ansible Project # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) -from __future__ import absolute_import, division, print_function - -__metaclass__ = type - DOCUMENTATION = r""" --- 
@@ -127,7 +123,6 @@ class ValidateSecurityGroupRules(AnsibleModule): def __init__(self): - argument_spec = dict( dest_subnet_cidrs=dict(type="list", elements="str", required=True), dest_security_groups=dict(type="list", elements="dict", required=True), @@ -198,7 +193,6 @@ def evaluate_security_group_rules_basedon_ip( ) def execute_module(self): - try: dest_secgroup_ids = [ x["group_id"] for x in self.params.get("dest_security_groups") @@ -245,11 +239,10 @@ def execute_module(self): self.exit_json(result="Security Group validation successful") except Exception as e: - self.fail_json(msg=f"Security Group validation failed: {e}") + self.fail_json(msg="Security Group validation failed: {0}".format(e)) def main(): - ValidateSecurityGroupRules() From f837727932cf5a5eadad0beb7604f1afb44c528e Mon Sep 17 00:00:00 2001 From: Alina Buzachis Date: Wed, 5 Jul 2023 17:46:00 +0200 Subject: [PATCH 03/15] A round of sanity fixes Signed-off-by: Alina Buzachis --- roles/aws_setup_credentials/tasks/main.yml | 2 +- .../tasks/read_option.yml | 18 +++--- roles/connectivity_troubleshooter/README.md | 2 +- .../tasks/main.yml | 14 ++--- .../tasks/main.yml | 14 ++--- .../tasks/main.yml | 58 +++++++++---------- .../tasks/main.yml | 48 +++++++-------- .../tasks/main.yml | 40 ++++++------- .../tasks/main.yml | 54 ++++++++--------- .../tasks/get_ec2_instance_info.yml | 36 ++++++------ .../tasks/get_rds_instance_info.yml | 46 +++++++-------- .../tasks/main.yml | 36 ++++++------ .../test_aws_setup_credentials/tasks/main.yml | 8 +-- 13 files changed, 188 insertions(+), 188 deletions(-) diff --git a/roles/aws_setup_credentials/tasks/main.yml b/roles/aws_setup_credentials/tasks/main.yml index da0ee15..ed017cd 100644 --- a/roles/aws_setup_credentials/tasks/main.yml +++ b/roles/aws_setup_credentials/tasks/main.yml 
@@ -1,7 +1,7 @@ --- - name: Define intial value for credentials ansible.builtin.set_fact: - aws_role_credentials: {} + aws_setup_credentials__aws_role_credentials: {} - name: Create auth credentials ansible.builtin.include_tasks: read_option.yml with_dict: "{{ aws_connection_env }}" diff --git a/roles/aws_setup_credentials/tasks/read_option.yml b/roles/aws_setup_credentials/tasks/read_option.yml index ef2f3e2..4fe5ace 100644 --- a/roles/aws_setup_credentials/tasks/read_option.yml +++ b/roles/aws_setup_credentials/tasks/read_option.yml @@ -1,23 +1,23 @@ --- - name: Set 'option_key' and 'option_value' from Environment ansible.builtin.set_fact: - option_key: "{{ ('dest' in item.value) | ternary(item.value.dest, item.key) }}" - option_value: "{{ lookup('vars', item.key, default='') }}" + aws_setup_credentials__option_key: "{{ ('dest' in item.value) | ternary(item.value.dest, item.key) }}" + aws_setup_credentials__option_value: "{{ lookup('vars', item.key, default='') }}" - name: Combine user-defined variable ansible.builtin.set_fact: - aws_role_credentials: "{{ aws_role_credentials | combine({option_key: option_value}) }}" - when: option_value | length > 0 + aws_setup_credentials__aws_role_credentials: "{{ aws_setup_credentials__aws_role_credentials | combine({aws_setup_credentials__option_key: aws_setup_credentials__option_value}) }}" + when: aws_setup_credentials__option_value | length > 0 - name: Read value from Environment - when: option_value | length == 0 + when: aws_setup_credentials__option_value | length == 0 block: - name: Set 'env_values' variable ansible.builtin.set_fact: - env_values: [] + aws_setup_credentials__env_values: [] - name: Set 'env_values' from Environment ansible.builtin.set_fact: - env_values: "{{ env_values + [current_value] }}" + aws_setup_credentials__env_values: "{{ aws_setup_credentials__env_values + [current_value] }}" with_items: "{{ ('env' in item.value) | ternary(item.value.env, []) }}" when: current_value | length > 0 loop_control: 
@@ -27,5 +27,5 @@ - name: Combine with environment-defined variable ansible.builtin.set_fact: - aws_role_credentials: "{{ aws_role_credentials | combine({option_key: env_values[0]}) }}" - when: env_values | length > 0 + aws_setup_credentials__aws_role_credentials: "{{ aws_setup_credentials__aws_role_credentials | combine({aws_setup_credentials__option_key: aws_setup_credentials__env_values[0]}) }}" + when: aws_setup_credentials__env_values | length > 0 diff --git a/roles/connectivity_troubleshooter/README.md b/roles/connectivity_troubleshooter/README.md index 932ba12..96126b9 100644 --- a/roles/connectivity_troubleshooter/README.md +++ b/roles/connectivity_troubleshooter/README.md @@ -15,7 +15,7 @@ Authentication against AWS is managed by the `aws_setup_credentials` role. It also requires the folllowing roles: - cloud.aws_troubleshooting.connectivity_troubleshooter_validate - cloud.aws_troubleshooting.connectivity_troubleshooter_igw -- cloud.aws_troubleshooting.connectivity_troubleshooter_local +- cloud.aws_troubleshooting.connectivity_troubleshooter_local - cloud.aws_troubleshooting.connectivity_troubleshooter_nat - cloud.aws_troubleshooting.connectivity_troubleshooter_peering diff --git a/roles/connectivity_troubleshooter/tasks/main.yml b/roles/connectivity_troubleshooter/tasks/main.yml index b3882ce..95ec169 100644 --- a/roles/connectivity_troubleshooter/tasks/main.yml +++ b/roles/connectivity_troubleshooter/tasks/main.yml @@ -2,7 +2,7 @@ # tasks file for roles/connectivity_troubleshooter - name: Run 'connectivity_troubleshooter' module_defaults: - group/aws: "{{ aws_role_credentials }}" + group/aws: "{{ aws_setup_credentials__aws_role_credentials }}" block: - name: Include 'connectivity_troubleshooter_validate' role 
@@ -16,8 +16,8 @@ - name: Fail when next hop type is not supported by this role ansible.builtin.fail: - msg: Next hop type '{{ next_hop }}' is not supported by this role - when: next_hop != 'local' and not next_hop.startswith('nat-') and not next_hop.startswith('igw-') and not next_hop.startswith('pcx-') + msg: Next hop type '{{ connectivity_troubleshooter_validate__next_hop }}' is not supported by this role + when: connectivity_troubleshooter_validate__next_hop != 'local' and not connectivity_troubleshooter_validate__next_hop.startswith('nat-') and not connectivity_troubleshooter_validate__next_hop.startswith('igw-') and not connectivity_troubleshooter_validate__next_hop.startswith('pcx-') - name: Include 'connectivity_troubleshooter_local' role ansible.builtin.include_role: @@ -28,7 +28,7 @@ connectivity_troubleshooter_local_source_ip: "{{ connectivity_troubleshooter_source_ip }}" connectivity_troubleshooter_local_destination_vpc: "{{ connectivity_troubleshooter_destination_vpc }}" connectivity_troubleshooter_local_source_port_range: "{{ connectivity_troubleshooter_source_port_range }}" - when: "'local' == next_hop" + when: "'local' == connectivity_troubleshooter_validate__next_hop" - name: Include 'connectivity_troubleshooter_igw' role ansible.builtin.include_role: @@ -40,7 +40,7 @@ connectivity_troubleshooter_igw_destination_vpc: "{{ connectivity_troubleshooter_destination_vpc }}" connectivity_troubleshooter_igw_source_vpc: "{{ connectivity_troubleshooter_source_vpc }}" connectivity_troubleshooter_igw_source_port_range: "{{ connectivity_troubleshooter_source_port_range }}" - when: "'igw-' in next_hop" + when: "'igw-' in connectivity_troubleshooter_validate__next_hop" - name: Include 'connectivity_troubleshooter_nat' role ansible.builtin.include_role: 
@@ -50,7 +50,7 @@ connectivity_troubleshooter_nat_destination_port: "{{ connectivity_troubleshooter_destination_port }}" connectivity_troubleshooter_nat_source_ip: "{{ connectivity_troubleshooter_source_ip }}" connectivity_troubleshooter_nat_source_port_range: "{{ connectivity_troubleshooter_source_port_range }}" - when: "'nat-' in next_hop" + when: "'nat-' in connectivity_troubleshooter_validate__next_hop" - name: Include 'connectivity_troubleshooter_peering' role ansible.builtin.include_role: @@ -61,4 +61,4 @@ connectivity_troubleshooter_peering_source_ip: "{{ connectivity_troubleshooter_source_ip }}" connectivity_troubleshooter_peering_destination_vpc: "{{ connectivity_troubleshooter_destination_vpc }}" connectivity_troubleshooter_peering_source_vpc: "{{ connectivity_troubleshooter_source_vpc }}" - when: "'pcx-' in next_hop" + when: "'pcx-' in connectivity_troubleshooter_validate__next_hop" diff --git a/roles/connectivity_troubleshooter_igw/tasks/main.yml b/roles/connectivity_troubleshooter_igw/tasks/main.yml index 152a33c..7c35e01 100644 --- a/roles/connectivity_troubleshooter_igw/tasks/main.yml +++ b/roles/connectivity_troubleshooter_igw/tasks/main.yml @@ -11,7 +11,7 @@ amazon.aws.ec2_security_group_info: filters: group_id: "{{ item }}" - register: __src_security_groups + register: connectivity_troubleshooter_igw__src_security_groups with_items: "{{ src_security_groups }}" - name: Gather information about Source subnet network ACLs 
@@ -19,19 +19,19 @@ filters: association.subnet-id: - "{{ src_subnet_id }}" - register: __src_subnet_nacls + register: connectivity_troubleshooter_igw__src_subnet_nacls - name: Set 'src_subnet_nacls' variable ansible.legacy.set_fact: src_subnet_nacls: "{{ src_subnet_nacls | d([]) + [dict(_keys | zip(_vals))] }}" - loop: "{{ __src_subnet_nacls.nacls }}" + loop: "{{ connectivity_troubleshooter_igw__src_subnet_nacls.nacls }}" vars: _keys: "{{ ['egress', 'ingress'] }}" _vals: "{{ ['egress', 'ingress'] | map('extract', item) }}" - - name: Set 'src_security_groups_info' variable + - name: Set 'connectivity_troubleshooter_igw__src_security_groups_info' variable ansible.legacy.set_fact: - src_security_groups_info: "{{ __src_security_groups.results | sum(attribute='security_groups', start=[]) }}" + connectivity_troubleshooter_igw__src_security_groups_info: "{{ connectivity_troubleshooter_igw__src_security_groups.results | sum(attribute='security_groups', start=[]) }}" - name: Evaluate ingress and egress netwok ACLs cloud.aws_troubleshooting.eval_src_igw_route: @@ -41,6 +41,6 @@ dst_ip: "{{ connectivity_troubleshooter_igw_destination_ip }}" dst_port: "{{ connectivity_troubleshooter_igw_destination_port }}" src_network_interface: "{{ src_network_interface }}" - src_security_groups_info: "{{ src_security_groups_info }}" + src_security_groups_info: "{{ connectivity_troubleshooter_igw__src_security_groups_info }}" src_network_acls: "{{ src_subnet_nacls }}" - register: __result_eval_src_igw_route + register: connectivity_troubleshooter_igw__result_eval_src_igw_route diff --git a/roles/connectivity_troubleshooter_local/tasks/main.yml b/roles/connectivity_troubleshooter_local/tasks/main.yml index 9e32adb..30aecd8 100644 --- a/roles/connectivity_troubleshooter_local/tasks/main.yml +++ b/roles/connectivity_troubleshooter_local/tasks/main.yml 
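Review bot: The @@ -19 hunk prefixes `__src_subnet_nacls` and `__src_security_groups` with the role name but leaves `src_subnet_nacls` (the set_fact just above the renamed `loop:`), `src_subnet_id` and `src_security_groups` unprefixed, so the var-naming rule this patch addresses will presumably still flag the role and the mixed scheme hides which variables are role-private. The incomplete rename has a concrete consequence in the connectivity_troubleshooter_local hunk that follows (its end lies outside this chunk): the set_fact there becomes `connectivity_troubleshooter_local__dst_security_groups`, but the unchanged `with_items: "{{ dst_security_groups }}"` on the "Gather information about Destination security group" task still reads the old name, which nothing visible defines any more. Rename the readers together with the setter, or leave `dst_security_groups` as it was; `src_security_groups` is not set in these files and may be owned by the validate role, which would explain why it was left alone.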
@@ -5,58 +5,58 @@ block: - name: Fail when next hop type is not supported by this role ansible.builtin.fail: - msg: Next hop type '{{ next_hop }}' is not supported by this role - when: next_hop != 'local' + msg: Next hop type '{{ connectivity_troubleshooter_validate__next_hop }}' is not supported by this role + when: connectivity_troubleshooter_validate__next_hop != 'local' - name: Gather information about Destination ENI amazon.aws.ec2_eni_info: filters: addresses.private-ip-address: "{{ connectivity_troubleshooter_local_destination_ip }}" - register: __describe_dst_eni + register: connectivity_troubleshooter_local__describe_dst_eni - - name: Set 'dst_vpc_id', 'dst_subnet_id' and 'dst_security_groups' variables + - name: Set 'connectivity_troubleshooter_local__dst_vpc_id', 'connectivity_troubleshooter_local__dst_subnet_id' and 'connectivity_troubleshooter_local__dst_security_groups' variables ansible.builtin.set_fact: - dst_vpc_id: "{{ __dst_network_interface_info.vpc_id }}" - dst_subnet_id: "{{ __dst_network_interface_info.subnet_id }}" - dst_security_groups: "{{ __dst_network_interface_info.groups | map(attribute='group_id') | list }}" + connectivity_troubleshooter_local__dst_vpc_id: "{{ __dst_network_interface_info.vpc_id }}" + connectivity_troubleshooter_local__dst_subnet_id: "{{ __dst_network_interface_info.subnet_id }}" + connectivity_troubleshooter_local__dst_security_groups: "{{ __dst_network_interface_info.groups | map(attribute='group_id') | list }}" vars: - __dst_network_interface_info: "{{ __describe_dst_eni.network_interfaces.0 }}" + __dst_network_interface_info: "{{ connectivity_troubleshooter_local__describe_dst_eni.network_interfaces.0 }}" - name: Fail when no network interface found ansible.builtin.fail: msg: Kindly check the connectivity_troubleshooter_local_destination_ip parameter, no network interface found - when: __describe_dst_eni['network_interfaces'] | length == 0 + when: 
connectivity_troubleshooter_local__describe_dst_eni['network_interfaces'] | length == 0 - name: Fail when no route is present towards required destination VPC ansible.builtin.fail: msg: Kindly check the source route table to ensure a more specific route is present towards required destination VPC - when: connectivity_troubleshooter_local_destination_vpc | default('', true) | trim and connectivity_troubleshooter_local_destination_vpc != dst_vpc_id + when: connectivity_troubleshooter_local_destination_vpc | default('', true) | trim and connectivity_troubleshooter_local_destination_vpc != connectivity_troubleshooter_local__dst_vpc_id - name: Gather information about Source security groups amazon.aws.ec2_security_group_info: filters: group_id: "{{ item }}" - register: __src_security_groups_info + register: connectivity_troubleshooter_local__src_security_groups_info with_items: "{{ src_security_groups }}" - name: Gather information about Destination security group amazon.aws.ec2_security_group_info: filters: group_id: "{{ item }}" - register: __dst_security_groups_info + register: connectivity_troubleshooter_local__dst_security_groups_info with_items: "{{ dst_security_groups }}" - name: Set 'src_security_groups_info' and 'dst_security_groups_info' variables ansible.builtin.set_fact: - src_security_groups_info: "{{ __src_security_groups_info.results | sum(attribute='security_groups', start=[]) }}" - dst_security_groups_info: "{{ __dst_security_groups_info.results | sum(attribute='security_groups', start=[]) }}" + src_security_groups_info: "{{ connectivity_troubleshooter_local__src_security_groups_info.results | sum(attribute='security_groups', start=[]) }}" + dst_security_groups_info: "{{ connectivity_troubleshooter_local__dst_security_groups_info.results | sum(attribute='security_groups', start=[]) }}" - name: Set 'security_groups_info' variable ansible.builtin.set_fact: security_groups_info: "{{ security_groups_info | default([]) + item.security_groups }}" with_items: 
- - "{{ __src_security_groups_info.results }}" - - "{{ __dst_security_groups_info.results }}" + - "{{ connectivity_troubleshooter_local__src_security_groups_info.results }}" + - "{{ connectivity_troubleshooter_local__dst_security_groups_info.results }}" - name: Evaluate ingress and egress security group rules cloud.aws_troubleshooting.eval_security_groups: @@ -66,19 +66,19 @@ dst_port: "{{ connectivity_troubleshooter_local_destination_port }}" dst_security_groups: "{{ dst_security_groups }}" security_groups: "{{ security_groups_info }}" - register: __result_eval_security_groups + register: connectivity_troubleshooter_local__result_eval_security_groups - name: Gather information about Source subnet network ACLs community.aws.ec2_vpc_nacl_info: filters: association.subnet-id: - "{{ src_subnet_id }}" - register: __network_acls_info + register: connectivity_troubleshooter_local__network_acls_info - - name: Set 'src_network_acls_info' variable + - name: Set 'connectivity_troubleshooter_local__src_network_acls_info' variable ansible.builtin.set_fact: - src_network_acls_info: "{{ src_network_acls_info | d([]) + [dict(_keys | zip(_vals))] }}" - loop: "{{ __network_acls_info.nacls }}" + connectivity_troubleshooter_local__src_network_acls_info: "{{ connectivity_troubleshooter_local__src_network_acls_info | d([]) + [dict(_keys | zip(_vals))] }}" + loop: "{{ connectivity_troubleshooter_local__network_acls_info.nacls }}" vars: _keys: "{{ ['egress', 'ingress'] }}" _vals: "{{ ['egress', 'ingress'] | map('extract', item) }}" 
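Review bot: `with_items: "{{ dst_security_groups }}"` in the destination security-group lookup still uses the old fact name, but the set_fact earlier in this hunk now publishes it as `connectivity_troubleshooter_local__dst_security_groups`, so the loop variable is undefined after this change. The line should read `with_items: "{{ connectivity_troubleshooter_local__dst_security_groups }}"`, and `dst_security_groups: "{{ dst_security_groups }}"` in the eval_security_groups call of the hunk at @@ -66 has the same problem. `connectivity_troubleshooter_local__dst_vpc_id` and `connectivity_troubleshooter_local__dst_subnet_id` were renamed consistently, so only the security-group consumers appear to have been missed.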
@@ -88,12 +88,12 @@ filters: association.subnet-id: - "{{ dst_subnet_id }}" - register: __network_acls_info + register: connectivity_troubleshooter_local__network_acls_info - name: Set 'dst_network_acls_info' variable ansible.builtin.set_fact: - dst_network_acls_info: "{{ dst_network_acls_info | d([]) + [dict(_keys | zip(_vals))] }}" - loop: "{{ __network_acls_info.nacls }}" + connectivity_troubleshooter_local__dst_network_acls_info: "{{ connectivity_troubleshooter_local__dst_network_acls_info | d([]) + [dict(_keys | zip(_vals))] }}" + loop: "{{ connectivity_troubleshooter_local__network_acls_info.nacls }}" vars: _keys: "{{ ['egress', 'ingress'] }}" _vals: "{{ ['egress', 'ingress'] | map('extract', item) }}" @@ -101,11 +101,11 @@ - name: Evaluate ingress and egress netwok ACLs cloud.aws_troubleshooting.eval_network_acls: src_ip: "{{ connectivity_troubleshooter_local_source_ip }}" - src_subnet_id: "{{ src_subnet_id }}" + src_subnet_id: "{{ connectivity_troubleshooter_local__src_subnet_id }}" src_port_range: "{{ connectivity_troubleshooter_local_source_port_range }}" dst_ip: "{{ connectivity_troubleshooter_local_destination_ip }}" dst_port: "{{ connectivity_troubleshooter_local_destination_port }}" - dst_subnet_id: "{{ dst_subnet_id }}" - src_network_acls: "{{ src_network_acls_info }}" - dst_network_acls: "{{ dst_network_acls_info }}" - register: __result_eval_network_acls + dst_subnet_id: "{{ connectivity_troubleshooter_local__dst_subnet_id }}" + src_network_acls: "{{ connectivity_troubleshooter_local__src_network_acls_info }}" + dst_network_acls: "{{ connectivity_troubleshooter_local__dst_network_acls_info }}" + register: connectivity_troubleshooter_local__result_eval_network_acls diff --git a/roles/connectivity_troubleshooter_nat/tasks/main.yml b/roles/connectivity_troubleshooter_nat/tasks/main.yml index def2ff0..8e9e4cb 100644 --- a/roles/connectivity_troubleshooter_nat/tasks/main.yml +++ b/roles/connectivity_troubleshooter_nat/tasks/main.yml 
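Review bot: `src_subnet_id: "{{ connectivity_troubleshooter_local__src_subnet_id }}"` in the hunk at @@ -101 references a fact that nothing in this role sets — the only producer of the source subnet id in the patch is the validate role, which now publishes `connectivity_troubleshooter_validate__src_subnet_id`. Unless a producer exists outside the diff, this line should be `src_subnet_id: "{{ connectivity_troubleshooter_validate__src_subnet_id }}"`, and the NACL filter `- "{{ src_subnet_id }}"` in the hunk at @@ -66 needs the same name. The destination side (`connectivity_troubleshooter_local__dst_subnet_id`, set in this file) is consistent.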
@@ -5,32 +5,32 @@ block: - name: Fail when next hop type is not supported by this role ansible.builtin.fail: - msg: Next hop type '{{ next_hop }}' is not supported by this role - when: "'nat-' not in next_hop" + msg: Next hop type '{{ connectivity_troubleshooter_validate__next_hop }}' is not supported by this role + when: "'nat-' not in connectivity_troubleshooter_validate__next_hop" - name: Gather information about NAT gateway amazon.aws.ec2_vpc_nat_gateway_info: filters: - nat-gateway-id: "{{ next_hop }}" - register: __describe_nat_gw + nat-gateway-id: "{{ connectivity_troubleshooter_validate__next_hop }}" + register: connectivity_troubleshooter_nat__describe_nat_gw - - name: Set 'nat_subnet_id' and 'nat_vpc_id' variables + - name: Set 'connectivity_troubleshooter_nat__nat_subnet_id' and 'connectivity_troubleshooter_nat__nat_vpc_id' variables ansible.builtin.set_fact: - nat_subnet_id: "{{ __nat_gw_info.subnet_id }}" - nat_vpc_id: "{{ __nat_gw_info.vpc_id }}" + connectivity_troubleshooter_nat__nat_subnet_id: "{{ __nat_gw_info.subnet_id }}" + connectivity_troubleshooter_nat__nat_vpc_id: "{{ __nat_gw_info.vpc_id }}" vars: - __nat_gw_info: "{{ __describe_nat_gw.result.0 }}" + __nat_gw_info: "{{ connectivity_troubleshooter_nat__describe_nat_gw.result.0 }}" - name: Gather information about NAT gateway subnet networks ACLs community.aws.ec2_vpc_nacl_info: filters: - association.subnet-id: "{{ nat_subnet_id }}" - register: __nat_network_acls_info + association.subnet-id: "{{ connectivity_troubleshooter_nat__describe_nat_gwnat_subnet_id }}" + register: connectivity_troubleshooter_nat__nat_network_acls_info - - name: Set 'nat_network_acls' variable + - name: Set 'connectivity_troubleshooter__nat_network_acls' variable ansible.builtin.set_fact: - nat_network_acls: "{{ nat_network_acls | d([]) + [dict(_keys | zip(_vals))] }}" - loop: "{{ __nat_network_acls_info.nacls }}" + connectivity_troubleshooter_nat__nat_network_acls: "{{ 
connectivity_troubleshooter_nat__nat_network_acls | d([]) + [dict(_keys | zip(_vals))] }}" + loop: "{{ connectivity_troubleshooter_nat__nat_network_acls_info.nacls }}" vars: _keys: "{{ ['egress', 'ingress'] }}" _vals: "{{ ['egress', 'ingress'] | map('extract', item) }}" @@ -39,13 +39,13 @@ amazon.aws.ec2_vpc_route_table_info: filters: association.subnet-id: - - "{{ nat_subnet_id }}" - register: __nat_route_table + - "{{ connectivity_troubleshooter_nat__nat_subnet_id }}" + register: connectivity_troubleshooter_nat__nat_route_table - name: Set 'nat_routes' variable ansible.builtin.set_fact: - nat_routes: "{{ __nat_route_table.route_tables.0.routes }}" - when: __nat_route_table.route_tables | length > 0 + connectivity_troubleshooter_nat__nat_routes: "{{ connectivity_troubleshooter_nat__nat_route_table.route_tables.0.routes }}" + when: connectivity_troubleshooter_nat__nat_route_table.route_tables | length > 0 # if RouteTable is not returned, this indicates association of subnet with main route table - name: Gather information about VPC route table using association.main=true 
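Review bot: `association.subnet-id: "{{ connectivity_troubleshooter_nat__describe_nat_gwnat_subnet_id }}"` looks like a paste error — the fact set two tasks earlier is `connectivity_troubleshooter_nat__nat_subnet_id`, and nothing defines a `describe_nat_gwnat_subnet_id` name, so the NAT subnet NACL lookup would fail on an undefined variable. The line should be `association.subnet-id: "{{ connectivity_troubleshooter_nat__nat_subnet_id }}"`. The task name `Set 'connectivity_troubleshooter__nat_network_acls' variable` also omits the `_nat` segment that the fact it sets actually carries, which will confuse anyone tracing play output.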
@@ -55,17 +55,17 @@ amazon.aws.ec2_vpc_route_table_info: filters: association.main: "true" - vpc-id: "{{ nat_vpc_id }}" - register: __nat_route_table_retry + vpc-id: "{{ connectivity_troubleshooter_nat__nat_vpc_id }}" + register: connectivity_troubleshooter_nat__nat_route_table_retry - name: Fail when route table for NAT Gateway is found ansible.builtin.fail: msg: Could not find route table for NAT Gateway - when: __nat_route_table_retry.route_tables | length == 0 + when: connectivity_troubleshooter_nat__nat_route_table_retry.route_tables | length == 0 - name: Set 'nat_routes' variable ansible.builtin.set_fact: - nat_routes: "{{ __nat_route_table_retry.route_tables.0.routes }}" + connectivity_troubleshooter_nat__nat_routes: "{{ connectivity_troubleshooter_nat__nat_route_table_retry.route_tables.0.routes }}" - name: Evaluate ingress and egress NAT netwok ACLs cloud.aws_troubleshooting.eval_nat_network_acls: @@ -74,7 +74,7 @@ src_port_range: "{{ connectivity_troubleshooter_nat_source_port_range }}" dst_ip: "{{ connectivity_troubleshooter_nat_destination_ip }}" dst_port: "{{ connectivity_troubleshooter_nat_destination_port }}" - nat_subnet_id: "{{ nat_subnet_id }}" - nat_network_acls: "{{ nat_network_acls }}" - routes: "{{ nat_routes }}" + nat_subnet_id: "{{ connectivity_troubleshooter__nat_subnet_id }}" + nat_network_acls: "{{ connectivity_troubleshooter__nat_network_acls }}" + routes: "{{ connectivity_troubleshooter__nat_routes }}" register: __result_eval_nat_network_acls diff --git a/roles/connectivity_troubleshooter_peering/tasks/main.yml b/roles/connectivity_troubleshooter_peering/tasks/main.yml index 0762012..0a75038 100644 --- a/roles/connectivity_troubleshooter_peering/tasks/main.yml +++ b/roles/connectivity_troubleshooter_peering/tasks/main.yml 
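Review bot: in the hunk at @@ -74 the three module arguments `connectivity_troubleshooter__nat_subnet_id`, `connectivity_troubleshooter__nat_network_acls` and `connectivity_troubleshooter__nat_routes` drop the `_nat` segment and do not match the facts this file sets (`connectivity_troubleshooter_nat__nat_subnet_id`, `connectivity_troubleshooter_nat__nat_network_acls`, `connectivity_troubleshooter_nat__nat_routes`), so eval_nat_network_acls would receive undefined values. The lines should be `nat_subnet_id: "{{ connectivity_troubleshooter_nat__nat_subnet_id }}"`, `nat_network_acls: "{{ connectivity_troubleshooter_nat__nat_network_acls }}"` and `routes: "{{ connectivity_troubleshooter_nat__nat_routes }}"`. `register: __result_eval_nat_network_acls` is the only register in this file still carrying the old `__` prefix; renaming it to `connectivity_troubleshooter_nat__result_eval_nat_network_acls` would keep the convention uniform.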
@@ -5,65 +5,65 @@ block: - name: Fail when next hop type is not supported by this role ansible.builtin.fail: - msg: Next hop type '{{ next_hop }}' is not supported by this role - when: "'pcx-' not in next_hop" + msg: Next hop type '{{ connectivity_troubleshooter_validate__next_hop }}' is not supported by this role + when: "'pcx-' not in connectivity_troubleshooter_validate__next_hop" - name: Gather information about peering connection community.aws.ec2_vpc_peering_info: filters: vpc-peering-connection-id: - - "{{ next_hop }}" - register: vpc_peering_connection_info + - "{{ connectivity_troubleshooter_validate__next_hop }}" + register: connectivity_troubleshooter_peering__vpc_peering_connection_info - name: Gather information about Network Interface of the Destination peer amazon.aws.ec2_eni_info: filters: addresses.private-ip-address: "{{ connectivity_troubleshooter_peering_destination_ip }}" - register: __dst_peer_eni + register: connectivity_troubleshooter_peering__dst_peer_eni - - name: Set 'dst_peer_vpc_id' and 'dst_peer_subnet_id' variables + - name: Set 'connectivity_troubleshooter_peering__dst_peer_vpc_id' and 'connectivity_troubleshooter_peering__dst_peer_subnet_id' variables ansible.builtin.set_fact: - dst_peer_vpc_id: "{{ __dst_peer_eni_info.vpc_id }}" - dst_peer_subnet_id: "{{ __dst_peer_eni_info.subnet_id }}" + connectivity_troubleshooter_peering__dst_peer_vpc_id: "{{ connectivity_troubleshooter_peering__dst_peer_eni_info.vpc_id }}" + connectivity_troubleshooter_peering__dst_peer_subnet_id: "{{ connectivity_troubleshooter_peering__dst_peer_eni_info.subnet_id }}" vars: - __dst_peer_eni_info: "{{ __dst_peer_eni.network_interfaces.0 }}" + __dst_peer_eni_info: "{{ connectivity_troubleshooter_peering__dst_peer_eni.network_interfaces.0 }}" - name: Gather information about Destination peer subnet amazon.aws.ec2_vpc_route_table_info: filters: association.subnet-id: - - "{{ dst_peer_subnet_id }}" - register: __dst_peer_route_table + - "{{ 
connectivity_troubleshooter_peering__dst_peer_subnet_id }}" + register: connectivity_troubleshooter_peering__dst_peer_route_table - name: Set 'routes' variable ansible.builtin.set_fact: - routes: "{{ __dst_peer_route_table.route_tables.0.routes }}" - when: __dst_peer_route_table.route_tables | length > 0 + routes: "{{ connectivity_troubleshooter_peering__dst_peer_route_table.route_tables.0.routes }}" + when: connectivity_troubleshooter_peering__dst_peer_route_table.route_tables | length > 0 # if RouteTable is not returned, this indicates association of subnet with main route table - name: Gather information about VPC route table using association.main=true - when: __dst_peer_route_table.route_tables | length == 0 + when: connectivity_troubleshooter_peering__dst_peer_route_table.route_tables | length == 0 block: - name: Gather information about Destination peer subnet amazon.aws.ec2_vpc_route_table_info: filters: association.main: "true" - vpc-id: "{{ dst_peer_vpc_id }}" - register: __dst_peer_route_table_retry + vpc-id: "{{ connectivity_troubleshooter_peering__dst_peer_vpc_id }}" + register: connectivity_troubleshooter_peering__dst_peer_route_table_retry - name: Fail when no route table for Destination peer is found ansible.builtin.fail: msg: Could not find route table for Destination peer - when: __dst_peer_route_table_retry.route_tables | length == 0 + when: connectivity_troubleshooter_peering__dst_peer_route_table_retry.route_tables | length == 0 - name: Set 'routes' variable ansible.builtin.set_fact: - routes: "{{ __dst_peer_route_table_retry.route_tables.0.routes }}" + connectivity_troubleshooter_peering__routes: "{{ connectivity_troubleshooter_peering__dst_peer_route_table_retry.route_tables.0.routes }}" - name: Evaluate VPC peering connection cloud.aws_troubleshooting.eval_vpc_peering: src_ip: "{{ connectivity_troubleshooter_peering_source_ip }}" peering_id: "{{ next_hop }}" dst_vpc: "{{ connectivity_troubleshooter_peering_destination_vpc }}" - routes: "{{ 
routes }}" - vpc_peering_connection: "{{ vpc_peering_connection_info.vpc_peering_connections.0 }}" + routes: "{{ connectivity_troubleshooter_peering__routes }}" + vpc_peering_connection: "{{ connectivity_troubleshooter_peering__vpc_peering_connection_info.vpc_peering_connections.0 }}" diff --git a/roles/connectivity_troubleshooter_validate/tasks/main.yml b/roles/connectivity_troubleshooter_validate/tasks/main.yml index 5c6e57e..f06a56c 100644 --- a/roles/connectivity_troubleshooter_validate/tasks/main.yml +++ b/roles/connectivity_troubleshooter_validate/tasks/main.yml 
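Review bot: `connectivity_troubleshooter_peering__dst_peer_vpc_id` and `connectivity_troubleshooter_peering__dst_peer_subnet_id` are computed from `connectivity_troubleshooter_peering__dst_peer_eni_info`, but the task's `vars:` still defines the alias as `__dst_peer_eni_info`, so both lines dereference an undefined variable; the validate role hunk at @@ -23 has the identical mismatch (`connectivity_troubleshooter_validate__src_network_interface_info` read in four set_fact values while `vars:` defines `__src_network_interface_info`) and needs the alias and references brought back in line the same way. In this hunk the first `Set 'routes' variable` task still publishes `routes`, while the retry block publishes `connectivity_troubleshooter_peering__routes` and the eval_vpc_peering call reads only the latter, so `routes:` is undefined whenever the subnet has an explicit route-table association. `peering_id: "{{ next_hop }}"` likewise keeps the old name that the validate role now exposes as `connectivity_troubleshooter_validate__next_hop`. The rewritten lines are below; the alias keeps its short `__dst_peer_eni_info` name so the `vars:` line is unchanged.
```yaml
    - name: Set 'connectivity_troubleshooter_peering__dst_peer_vpc_id' and 'connectivity_troubleshooter_peering__dst_peer_subnet_id' variables
      ansible.builtin.set_fact:
        connectivity_troubleshooter_peering__dst_peer_vpc_id: "{{ __dst_peer_eni_info.vpc_id }}"
        connectivity_troubleshooter_peering__dst_peer_subnet_id: "{{ __dst_peer_eni_info.subnet_id }}"
      vars:
        __dst_peer_eni_info: "{{ connectivity_troubleshooter_peering__dst_peer_eni.network_interfaces.0 }}"
    # … unchanged: destination peer subnet route table lookup …
    - name: Set 'connectivity_troubleshooter_peering__routes' variable
      ansible.builtin.set_fact:
        connectivity_troubleshooter_peering__routes: "{{ connectivity_troubleshooter_peering__dst_peer_route_table.route_tables.0.routes }}"
      when: connectivity_troubleshooter_peering__dst_peer_route_table.route_tables | length > 0
    # … unchanged: main route table retry block …
        peering_id: "{{ connectivity_troubleshooter_validate__next_hop }}"
```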
@@ -23,71 +23,71 @@ msg: connectivity_troubleshooter_validate_source_ip and connectivity_troubleshooter_validate_destination_ip are same, kindly provide different values when: connectivity_troubleshooter_validate_source_ip == connectivity_troubleshooter_validate_destination_ip - - name: Set '__filter_eni' variable + - name: Set 'connectivity_troubleshooter_validate__filter_eni' variable ansible.builtin.set_fact: - __filter_eni: { addresses.private-ip-address: "{{ connectivity_troubleshooter_validate_source_ip }}" } - - name: Set '__filter_eni' variable + connectivity_troubleshooter_validate__filter_eni: { addresses.private-ip-address: "{{ connectivity_troubleshooter_validate_source_ip }}" } + - name: Set 'connectivity_troubleshooter_validate__filter_eni' variable ansible.builtin.set_fact: - __filter_eni: "{{ __filter_eni | combine({'vpc-id': connectivity_troubleshooter_validate_source_vpc}) }}" + connectivity_troubleshooter_validate__filter_eni: "{{ connectivity_troubleshooter_validate__filter_eni | combine({'vpc-id': connectivity_troubleshooter_validate_source_vpc}) }}" when: connectivity_troubleshooter_validate_source_vpc | default('', true) | trim != '' - name: Gather information about Source ENI amazon.aws.ec2_eni_info: - filters: "{{ __filter_eni }}" - register: __describe_src_eni + filters: "{{ connectivity_troubleshooter_validate__filter_eni }}" + register: connectivity_troubleshooter_validate__describe_src_eni - name: Fail when no network interface found ansible.builtin.fail: msg: Kindly check the connectivity_troubleshooter_validate_source_ip and connectivity_troubleshooter_validate_source_vpc parameters, no network interface found - when: __describe_src_eni['network_interfaces'] | length == 0 + when: connectivity_troubleshooter_validate__describe_src_eni['network_interfaces'] | length == 0 - - name: Set 'src_subnet_id', 'src_vpc_id', 'src_security_groups' and 'src_network_interface' variables + - name: Set 
'connectivity_troubleshooter_validate__src_subnet_id', 'connectivity_troubleshooter_validate__src_vpc_id', 'connectivity_troubleshooter_validate__src_security_groups' and 'connectivity_troubleshooter_validate__src_network_interface' variables ansible.builtin.set_fact: - src_subnet_id: "{{ __src_network_interface_info.subnet_id }}" - src_vpc_id: "{{ __src_network_interface_info.vpc_id }}" - src_security_groups: "{{ __src_network_interface_info.groups | map(attribute='group_id') | list }}" - src_network_interface: "{{ __src_network_interface_info }}" + connectivity_troubleshooter_validate__src_subnet_id: "{{ connectivity_troubleshooter_validate__src_network_interface_info.subnet_id }}" + connectivity_troubleshooter_validate__src_vpc_id: "{{ connectivity_troubleshooter_validate__src_network_interface_info.vpc_id }}" + connectivity_troubleshooter_validate__src_security_groups: "{{ connectivity_troubleshooter_validate__src_network_interface_info.groups | map(attribute='group_id') | list }}" + connectivity_troubleshooter_validate__src_network_interface: "{{ connectivity_troubleshooter_validate__src_network_interface_info }}" vars: - __src_network_interface_info: "{{ __describe_src_eni.network_interfaces.0 }}" + __src_network_interface_info: "{{ connectivity_troubleshooter_validate__describe_src_eni.network_interfaces.0 }}" - name: Gather information about Source VPC route table amazon.aws.ec2_vpc_route_table_info: filters: - association.subnet-id: "{{ src_subnet_id }}" - register: __src_route_table + association.subnet-id: "{{ connectivity_troubleshooter_validate__src_subnet_id }}" + register: connectivity_troubleshooter_validate__src_route_table - - name: Set 'routes' variable + - name: Set 'connectivity_troubleshooter_validate__routes' variable ansible.builtin.set_fact: - routes: "{{ __src_route_table.route_tables.0.routes }}" - when: __src_route_table.route_tables | length > 0 + connectivity_troubleshooter_validate__routes: "{{ 
connectivity_troubleshooter_validate__src_route_table.route_tables.0.routes }}" + when: connectivity_troubleshooter_validate__src_route_table.route_tables | length > 0 # if RouteTable is not returned, this indicates association of subnet with main route table - name: Gather information about VPC route table using association.main=true - when: __src_route_table.route_tables | length == 0 + when: connectivity_troubleshooter_validate__src_route_table.route_tables | length == 0 block: - name: Gather information about VPC route table amazon.aws.ec2_vpc_route_table_info: filters: association.main: "true" - vpc-id: "{{ src_vpc_id }}" - register: __src_route_table_retry + vpc-id: "{{ connectivity_troubleshooter_validate__src_vpc_id }}" + register: connectivity_troubleshooter_validate__src_route_table_retry - name: Fail when no route table for connectivity_troubleshooter_validate_source_ip is found ansible.builtin.fail: msg: Could not find route table for connectivity_troubleshooter_validate_source_ip - when: __src_route_table_retry.route_tables | length == 0 + when: connectivity_troubleshooter_validate__src_route_table_retry.route_tables | length == 0 - name: Set 'routes' variable ansible.builtin.set_fact: - routes: "{{ __src_route_table_retry.route_tables.0.routes }}" + connectivity_troubleshooter_validate__routes: "{{ connectivity_troubleshooter_validate__src_route_table_retry.route_tables.0.routes }}" - name: Get connection next hop cloud.aws_troubleshooting.get_connection_next_hop: dst_ip: "{{ connectivity_troubleshooter_validate_destination_ip }}" - routes: "{{ routes }}" - register: __result_next_hop + routes: "{{ connectivity_troubleshooter_validate__routes }}" + register: connectivity_troubleshooter_validate__result_next_hop - - name: Set 'next_hop' variable + - name: Set 'connectivity_troubleshooter_validate__next_hop' variable ansible.builtin.set_fact: - next_hop: "{{ __result_next_hop.next_hop }}" + connectivity_troubleshooter_validate__next_hop: "{{ 
connectivity_troubleshooter_validate__result_next_hop.next_hop }}" diff --git a/roles/troubleshoot_rds_connectivity/tasks/get_ec2_instance_info.yml b/roles/troubleshoot_rds_connectivity/tasks/get_ec2_instance_info.yml index b97698c..c733f29 100644 --- a/roles/troubleshoot_rds_connectivity/tasks/get_ec2_instance_info.yml +++ b/roles/troubleshoot_rds_connectivity/tasks/get_ec2_instance_info.yml 
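Review bot: the task inside the main-route-table retry block is still named `Set 'routes' variable` although it now sets `connectivity_troubleshooter_validate__routes`, while its sibling task two steps earlier was renamed to match the new fact. Task names are what an operator sees in play output when a connectivity check fails, so they should name the fact actually produced: `- name: Set 'connectivity_troubleshooter_validate__routes' variable`. The same stale name is left in the nat role's retry block (`Set 'nat_routes' variable`) and in the peering role (`Set 'routes' variable`).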
@@ -3,49 +3,49 @@ amazon.aws.ec2_instance_info: instance_ids: - "{{ troubleshoot_rds_connectivity_ec2_instance_id }}" - register: result + register: troubleshoot_rds_connectivity__result - name: Fail when no EC2 instance found ansible.builtin.fail: msg: "EC2 instance not found with id: {{ troubleshoot_rds_connectivity_ec2_instance_id }}" - when: result.instances | length == 0 + when: troubleshoot_rds_connectivity__result.instances | length == 0 -- name: Set 'ec2_security_group_ids', 'ec2_subnet_id', 'ec2_vpc_id' and 'ec2_private_ip_addrs' variables +- name: Set 'roubleshoot_rds_connectivity__ec2_security_group_ids', 'roubleshoot_rds_connectivity__ec2_subnet_id', 'roubleshoot_rds_connectivity__ec2_vpc_id' and 'roubleshoot_rds_connectivity__ec2_private_ip_addrs' variables ansible.builtin.set_fact: - ec2_security_group_ids: "{{ ec2_instance_info.security_groups | map(attribute='group_id') | list }}" - ec2_subnet_id: "{{ ec2_instance_info.subnet_id }}" - ec2_vpc_id: "{{ ec2_instance_info.vpc_id }}" - ec2_private_ip_addrs: "{{ ec2_instance_info.network_interfaces | map(attribute='private_ip_addresses') | flatten | map(attribute='private_ip_address') | list\ + troubleshoot_rds_connectivity__ec2_security_group_ids: "{{ ec2_instance_info.security_groups | map(attribute='group_id') | list }}" + troubleshoot_rds_connectivity__ec2_subnet_id: "{{ ec2_instance_info.subnet_id }}" + troubleshoot_rds_connectivity__ec2_vpc_id: "{{ ec2_instance_info.vpc_id }}" + troubleshoot_rds_connectivity__ec2_private_ip_addrs: "{{ ec2_instance_info.network_interfaces | map(attribute='private_ip_addresses') | flatten | map(attribute='private_ip_address') | list\ \ }}" vars: - ec2_instance_info: "{{ result.instances.0 }}" + ec2_instance_info: "{{ troubleshoot_rds_connectivity__result.instances.0 }}" - name: Get EC2 Subnet info amazon.aws.ec2_vpc_subnet_info: - subnet_ids: "{{ ec2_subnet_id }}" - register: ec2_subnets_info + subnet_ids: "{{ troubleshoot_rds_connectivity__ec2_subnet_id }}" + 
register: troubleshoot_rds_connectivity__ec2_subnets_info - name: Get EC2 Network Acl Rules community.aws.ec2_vpc_nacl_info: filters: - association.subnet-id: "{{ ec2_subnet_id }}" - register: ec2_network_acl + association.subnet-id: "{{ troubleshoot_rds_connectivity__ec2_subnet_id }}" + register: troubleshoot_rds_connectivity__ec2_network_acl - name: Get EC2 Security Groups info amazon.aws.ec2_security_group_info: filters: - group-id: "{{ ec2_security_group_ids }}" - register: ec2_security_groups + group-id: "{{ troubleshoot_rds_connectivity__ec2_security_group_ids }}" + register: troubleshoot_rds_connectivity__ec2_security_groups - name: Get EC2 Route Tables amazon.aws.ec2_vpc_route_table_info: filters: - association.subnet-id: "{{ ec2_subnet_id }}" - register: ec2_subnet_route_table + association.subnet-id: "{{ troubleshoot_rds_connectivity__ec2_subnet_id }}" + register: troubleshoot_rds_connectivity__ec2_subnet_route_table - name: Get EC2 Vpc Route Tables amazon.aws.ec2_vpc_route_table_info: filters: association.main: true - vpc-id: "{{ ec2_vpc_id }}" - register: ec2_vpc_route_table + vpc-id: "{{ troubleshoot_rds_connectivity__ec2_vpc_id }}" + register: troubleshoot_rds_connectivity__ec2_vpc_route_table diff --git a/roles/troubleshoot_rds_connectivity/tasks/get_rds_instance_info.yml b/roles/troubleshoot_rds_connectivity/tasks/get_rds_instance_info.yml index 21a9bd2..64ba1bf 100644 --- a/roles/troubleshoot_rds_connectivity/tasks/get_rds_instance_info.yml +++ b/roles/troubleshoot_rds_connectivity/tasks/get_rds_instance_info.yml 
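Review bot: the task name `Set 'roubleshoot_rds_connectivity__ec2_security_group_ids', …` misspells the prefix (missing the leading `t`) in all four quoted names, while the facts it sets use `troubleshoot_rds_connectivity__`. Since these names are what appears in play output when someone is tracing a failed RDS connectivity check, the name should match the facts: `- name: Set 'troubleshoot_rds_connectivity__ec2_security_group_ids', 'troubleshoot_rds_connectivity__ec2_subnet_id', 'troubleshoot_rds_connectivity__ec2_vpc_id' and 'troubleshoot_rds_connectivity__ec2_private_ip_addrs' variables`. The variable renames themselves in this hunk are consistent with their consumers in the main.yml hunk at @@ -28.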
@@ -2,59 +2,59 @@ - name: Get RDS instance properties amazon.aws.rds_instance_info: db_instance_identifier: "{{ troubleshoot_rds_connectivity_db_instance_id }}" - register: rds_info + register: troubleshoot_rds_connectivity__rds_info - name: Assert that DB instance exists ansible.builtin.fail: msg: No DB instance found with identifier '{{ troubleshoot_rds_connectivity_db_instance_id }}' - when: rds_info.instances | length == 0 + when: troubleshoot_rds_connectivity__rds_info.instances | length == 0 - name: Assert that DB Instance status is 'available' ansible.builtin.fail: - msg: Bad DB instance status, expecting 'available', found '{{ rds_info.instances.0.db_instance_status }}' - when: rds_info.instances.0.db_instance_status != "available" + msg: Bad DB instance status, expecting 'available', found '{{ troubleshoot_rds_connectivity__rds_info.instances.0.db_instance_status }}' + when: troubleshoot_rds_connectivity__rds_info.instances.0.db_instance_status != "available" -- name: Set 'rds_instance_endpoint_addr', 'rds_instance_endpoint_port', 'rds_instance_subnets', 'rds_instance_vpc_id' and rds_instance_vpc_security_groups' variables +- name: Set 'troubleshoot_rds_connectivity__rds_instance_endpoint_addr', 'troubleshoot_rds_connectivity__rds_instance_endpoint_port', 'troubleshoot_rds_connectivity__rds_instance_subnets', 'troubleshoot_rds_connectivity__rds_instance_vpc_id' and 'troubleshoot_rds_connectivity__rds_instance_vpc_security_groups' variables ansible.builtin.set_fact: - rds_instance_endpoint_addr: "{{ rds_instance_info.endpoint.address }}" - rds_instance_endpoint_port: "{{ rds_instance_info.endpoint.port }}" + troubleshoot_rds_connectivity__rds_instance_endpoint_addr: "{{ rds_instance_info.endpoint.address }}" + troubleshoot_rds_connectivity__rds_instance_endpoint_port: "{{ rds_instance_info.endpoint.port }}" # rds_instance_publicly_accessible: "{{ rds_instance_info.publicly_accessible }}" - rds_instance_subnets: "{{ rds_instance_info.db_subnet_group.subnets 
| map(attribute='subnet_identifier') | list }}" - rds_instance_vpc_id: "{{ rds_instance_info.db_subnet_group.vpc_id }}" - rds_instance_vpc_security_groups: "{{ rds_instance_info.vpc_security_groups | map(attribute='vpc_security_group_id') | list }}" + troubleshoot_rds_connectivity__rds_instance_subnets: "{{ rds_instance_info.db_subnet_group.subnets | map(attribute='subnet_identifier') | list }}" + troubleshoot_rds_connectivity__rds_instance_vpc_id: "{{ rds_instance_info.db_subnet_group.vpc_id }}" + troubleshoot_rds_connectivity__rds_instance_vpc_security_groups: "{{ rds_instance_info.vpc_security_groups | map(attribute='vpc_security_group_id') | list }}" vars: - rds_instance_info: "{{ rds_info.instances.0 }}" + rds_instance_info: "{{ troubleshoot_rds_connectivity__rds_info.instances.0 }}" - name: Get RDS Network ACL Rules community.aws.ec2_vpc_nacl_info: filters: - association.subnet-id: "{{ rds_instance_subnets }}" - register: rds_network_acl + association.subnet-id: "{{ troubleshoot_rds_connectivity__rds_instance_subnets }}" + register: troubleshoot_rds_connectivity__rds_network_acl - name: Get RDS Subnet info amazon.aws.ec2_vpc_subnet_info: - subnet_ids: "{{ rds_instance_subnets }}" - register: rds_subnets_info + subnet_ids: "{{ troubleshoot_rds_connectivity__rds_instance_subnets }}" + register: troubleshoot_rds_connectivity__rds_subnets_info -- name: Set 'rds_subnets_cidrs' variable +- name: Set 'troubleshoot_rds_connectivity__rds_subnets_cidrs' variable ansible.builtin.set_fact: - rds_subnets_cidrs: "{{ rds_subnets_info.subnets | map(attribute='cidr_block') | list }}" + troubleshoot_rds_connectivity__rds_subnets_cidrs: "{{ troubleshoot_rds_connectivity__rds_subnets_info.subnets | map(attribute='cidr_block') | list }}" - name: Get RDS Security Groups amazon.aws.ec2_security_group_info: filters: - group-id: "{{ rds_instance_vpc_security_groups }}" - register: rds_security_groups + group-id: "{{ troubleshoot_rds_connectivity__rds_instance_vpc_security_groups }}" 
+ register: troubleshoot_rds_connectivity__rds_security_groups - name: Get RDS Route Tables amazon.aws.ec2_vpc_route_table_info: filters: - association.subnet-id: "{{ rds_instance_subnets }}" - register: rds_subnet_route_table + association.subnet-id: "{{ troubleshoot_rds_connectivity__rds_instance_subnets }}" + register: troubleshoot_rds_connectivity__rds_subnet_route_table - name: Get RDS VPC Route Tables amazon.aws.ec2_vpc_route_table_info: filters: association.main: true - vpc-id: "{{ rds_instance_vpc_id }}" - register: rds_vpc_route_table + vpc-id: "{{ troubleshoot_rds_connectivity__rds_instance_vpc_id }}" + register: troubleshoot_rds_connectivity__rds_vpc_route_table diff --git a/roles/troubleshoot_rds_connectivity/tasks/main.yml b/roles/troubleshoot_rds_connectivity/tasks/main.yml index 258cea8..0c523d5 100644 --- a/roles/troubleshoot_rds_connectivity/tasks/main.yml +++ b/roles/troubleshoot_rds_connectivity/tasks/main.yml @@ -16,7 +16,7 @@ - name: Run 'troubleshoot_rds_connectivity' roles module_defaults: - group/aws: "{{ aws_role_credentials }}" + group/aws: "{{ aws_setup_credentials__aws_role_credentials }}" block: - name: Include 'get_rds_instance_info.yml' 
@@ -28,29 +28,29 @@ # Evaluates security group rules. - name: Evaluate Security Group Rules cloud.aws_troubleshooting.validate_security_group_rules: - dest_subnet_cidrs: "{{ rds_subnets_cidrs }}" - dest_security_groups: "{{ rds_security_groups.security_groups }}" - dest_port: "{{ rds_instance_endpoint_port }}" - src_security_groups: "{{ ec2_security_groups.security_groups }}" - src_private_ip: "{{ ec2_private_ip_addrs | first }}" + dest_subnet_cidrs: "{{ troubleshoot_rds_connectivity__rds_subnets_cidrs }}" + dest_security_groups: "{{ troubleshoot_rds_connectivity__rds_security_groups.security_groups }}" + dest_port: "{{ troubleshoot_rds_connectivity__rds_instance_endpoint_port }}" + src_security_groups: "{{ troubleshoot_rds_connectivity__ec2_security_groups.security_groups }}" + src_private_ip: "{{ troubleshoot_rds_connectivity__ec2_private_ip_addrs | first }}" # Evaluates network ACLs. - name: Evaluate network ACLS cloud.aws_troubleshooting.validate_network_acls: - dest_subnet_cidrs: "{{ rds_subnets_cidrs }}" - dest_network_acl_rules: "{{ rds_network_acl.nacls }}" + dest_subnet_cidrs: "{{ troubleshoot_rds_connectivity__rds_subnets_cidrs }}" + dest_network_acl_rules: "{{ troubleshoot_rds_connectivity__rds_network_acl.nacls }}" dest_port: - - "{{ rds_instance_endpoint_port }}" - src_network_acl_rules: "{{ ec2_network_acl.nacls }}" - src_private_ip: "{{ ec2_private_ip_addrs }}" + - "{{ troubleshoot_rds_connectivity__rds_instance_endpoint_port }}" + src_network_acl_rules: "{{ troubleshoot_rds_connectivity__ec2_network_acl.nacls }}" + src_private_ip: "{{ troubleshoot_rds_connectivity__ec2_private_ip_addrs }}" # Evaluates route tables. 
- name: Evaluate route tables cloud.aws_troubleshooting.validate_route_tables: - dest_subnets: "{{ rds_subnets_info.subnets }}" - dest_route_tables: "{{ rds_subnet_route_table.route_tables }}" - dest_vpc_route_tables: "{{ rds_vpc_route_table.route_tables }}" - src_subnets: "{{ ec2_subnets_info.subnets }}" - src_private_ip: "{{ ec2_private_ip_addrs }}" - src_route_tables: "{{ ec2_subnet_route_table.route_tables }}" - src_vpc_route_tables: "{{ ec2_vpc_route_table.route_tables }}" + dest_subnets: "{{ troubleshoot_rds_connectivity__rds_subnets_info.subnets }}" + dest_route_tables: "{{ troubleshoot_rds_connectivity__rds_subnet_route_table.route_tables }}" + dest_vpc_route_tables: "{{ troubleshoot_rds_connectivity__rds_vpc_route_table.route_tables }}" + src_subnets: "{{ troubleshoot_rds_connectivity__ec2_subnets_info.subnets }}" + src_private_ip: "{{ troubleshoot_rds_connectivity__ec2_private_ip_addrs }}" + src_route_tables: "{{ troubleshoot_rds_connectivity__ec2_subnet_route_table.route_tables }}" + src_vpc_route_tables: "{{ troubleshoot_rds_connectivity__ec2_vpc_route_table.route_tables }}" diff --git a/tests/integration/targets/test_aws_setup_credentials/tasks/main.yml b/tests/integration/targets/test_aws_setup_credentials/tasks/main.yml index 5c6d75c..bfd3577 100644 --- a/tests/integration/targets/test_aws_setup_credentials/tasks/main.yml +++ b/tests/integration/targets/test_aws_setup_credentials/tasks/main.yml @@ -8,7 +8,7 @@ - name: Ensure credentials contain only aws_profile key ansible.builtin.assert: that: - - aws_role_credentials is defined - - aws_role_credentials.keys() | length == 1 - - '"aws_profile" in aws_role_credentials' - - aws_role_credentials.aws_profile == 'profile-1' + - aws_setup_credentials__aws_role_credentials is defined + - aws_setup_credentials__aws_role_credentials.keys() | length == 1 + - '"aws_profile" in aws_setup_credentials__aws_role_credentials' + - aws_setup_credentials__aws_role_credentials.aws_profile == 'profile-1' 
From a8026ded51b3a8e0f90f724ccc82630f541d29fc Mon Sep 17 00:00:00 2001 From: Alina Buzachis Date: Wed, 5 Jul 2023 18:55:25 +0200 Subject: [PATCH 04/15] Another round of linting Signed-off-by: Alina Buzachis --- roles/aws_setup_credentials/README.md | 17 ++++++------ .../tasks/read_option.yml | 27 +++++++++---------- .../tasks/main.yml | 2 +- .../tasks/main.yml | 22 +++++++-------- .../tasks/main.yml | 2 +- .../test_aws_setup_credentials/tasks/main.yml | 10 +++---- .../tasks/main.yml | 8 +++++- 7 files changed, 46 insertions(+), 42 deletions(-) diff --git a/roles/aws_setup_credentials/README.md b/roles/aws_setup_credentials/README.md index 642ba99..ed9724a 100644 --- a/roles/aws_setup_credentials/README.md +++ b/roles/aws_setup_credentials/README.md @@ -1,7 +1,6 @@ -aws_setup_credentials -================== +# aws_setup_credentials -A role to define credentials for aws modules. The role defines a variable named **aws_role_credentials** which contains AWS credentials for Amazon modules based on user input. +A role to define credentials for aws modules. The role defines a variable named **aws_setup_credentials\_\_output** which contains AWS credentials for Amazon modules based on user input. Requirements ------------ @@ -19,7 +18,7 @@ Role Variables * **aws_access_key**: - The AWS access key to use. - Mutually exclusive with option aws_profile. - - Environment variable: + - Environment variable: - AWS_ACCESS_KEY_ID - AWS_ACCESS_KEY - EC2_ACCESS_KEY. @@ -33,7 +32,7 @@ Role Variables * **aws_security_token**: - The AWS security token if using temporary access and secret keys. - Mutually exclusive with option aws_profile. - - Environment variable: + - Environment variable: - AWS_SECURITY_TOKEN - EC2_SECURITY_TOKEN * **aws_ca_bundle**: 
@@ -42,7 +41,7 @@ Role Variables - AWS_CA_BUNDLE * **aws_validate_certs**: - When set to "false", SSL certificates will not be validated for communication with the AWS APIs. - - Environment variable: + - Environment variable: - AWS_VALIDATE_CERTS * **aws_profile**: - The AWS profile to use. @@ -54,8 +53,8 @@ Role Variables - A dictionary to modify the botocore configuration. - Parameters can be found at [botocore config](https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config). * **aws_region**: - - The AWS region to use. - - Environment variable: + - The AWS region to use. + - Environment variable: - AWS_REGION - EC2_REGION. @@ -82,7 +81,7 @@ Example Playbook zone-name: eu-east-1 module_defaults: group/aws: - '{{ aws_role_credentials }}' + '{{ aws_setup_credentials__output }}' License ------- diff --git a/roles/aws_setup_credentials/tasks/read_option.yml b/roles/aws_setup_credentials/tasks/read_option.yml index 4fe5ace..ced9c10 100644 --- a/roles/aws_setup_credentials/tasks/read_option.yml +++ b/roles/aws_setup_credentials/tasks/read_option.yml 
@@ -1,31 +1,30 @@ --- -- name: Set 'option_key' and 'option_value' from Environment +- name: Define key and value variables to search into environment ansible.builtin.set_fact: - aws_setup_credentials__option_key: "{{ ('dest' in item.value) | ternary(item.value.dest, item.key) }}" - aws_setup_credentials__option_value: "{{ lookup('vars', item.key, default='') }}" + aws_setup_credentials__item_key: "{{ ('dest' in item.value) | ternary(item.value.dest, item.key) }}" + aws_setup_credentials__item_value: "{{ lookup('vars', item.key, default='') }}" - name: Combine user-defined variable ansible.builtin.set_fact: - aws_setup_credentials__aws_role_credentials: "{{ aws_setup_credentials__aws_role_credentials | combine({aws_setup_credentials__option_key: aws_setup_credentials__option_value}) }}" - when: aws_setup_credentials__option_value | length > 0 + aws_setup_credentials__output: "{{ aws_setup_credentials__output | combine({aws_setup_credentials__item_key: aws_setup_credentials__item_value}) }}" + when: aws_setup_credentials__item_value | length > 0 - name: Read value from Environment - when: aws_setup_credentials__option_value | length == 0 + when: aws_setup_credentials__item_value | length == 0 block: - - name: Set 'env_values' variable + - name: Initialize environment variable list ansible.builtin.set_fact: aws_setup_credentials__env_values: [] - - name: Set 'env_values' from Environment + + - name: Append single environment variable into variables list ansible.builtin.set_fact: - aws_setup_credentials__env_values: "{{ aws_setup_credentials__env_values + [current_value] }}" + aws_setup_credentials__env_values: "{{ aws_setup_credentials__env_values + [lookup('env', aws_setup_credentials__env_key)] }}" with_items: "{{ ('env' in item.value) | ternary(item.value.env, []) }}" - when: current_value | length > 0 + when: lookup('env', aws_setup_credentials__env_key) | length > 0 loop_control: - loop_var: env_var - vars: - current_value: "{{ lookup('env', env_var) }}" + 
loop_var: aws_setup_credentials__env_key - name: Combine with environment-defined variable ansible.builtin.set_fact: - aws_setup_credentials__aws_role_credentials: "{{ aws_setup_credentials__aws_role_credentials | combine({aws_setup_credentials__option_key: aws_setup_credentials__env_values[0]}) }}" + aws_setup_credentials__output: "{{ aws_setup_credentials__output | combine({aws_setup_credentials__item_key: aws_setup_credentials__item_value[0]}) }}" when: aws_setup_credentials__env_values | length > 0 diff --git a/roles/connectivity_troubleshooter/tasks/main.yml b/roles/connectivity_troubleshooter/tasks/main.yml index 95ec169..5e4e4f4 100644 --- a/roles/connectivity_troubleshooter/tasks/main.yml +++ b/roles/connectivity_troubleshooter/tasks/main.yml @@ -2,7 +2,7 @@ # tasks file for roles/connectivity_troubleshooter - name: Run 'connectivity_troubleshooter' module_defaults: - group/aws: "{{ aws_setup_credentials__aws_role_credentials }}" + group/aws: "{{ aws_setup_credentials__output }}" block: - name: Include 'connectivity_troubleshooter_validate' role diff --git a/roles/connectivity_troubleshooter_local/tasks/main.yml b/roles/connectivity_troubleshooter_local/tasks/main.yml index 30aecd8..a2086e0 100644 --- a/roles/connectivity_troubleshooter_local/tasks/main.yml +++ b/roles/connectivity_troubleshooter_local/tasks/main.yml 
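Review bot: The final `Combine with environment-defined variable` task in the new read_option.yml indexes `aws_setup_credentials__item_value[0]`, but the enclosing block only runs when `aws_setup_credentials__item_value | length == 0`, so the value gathered from the environment into `aws_setup_credentials__env_values` is never used and the template fails on an empty string; the combine should read `aws_setup_credentials__env_values[0]`, which is the variable the task's own `when:` already checks. The values flowing through these facts are credentials read via `lookup('env', ...)` (the README on this page lists aws_access_key and aws_security_token among them, and the test target passes aws_secret_key), and set_fact displays assigned values in verbose output, so the set_fact tasks that write `aws_setup_credentials__output` and `aws_setup_credentials__env_values` would warrant `no_log: true`.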
@@ -37,23 +37,23 @@ filters: group_id: "{{ item }}" register: connectivity_troubleshooter_local__src_security_groups_info - with_items: "{{ src_security_groups }}" + with_items: "{{ connectivity_troubleshooter_local__src_security_groups }}" - name: Gather information about Destination security group amazon.aws.ec2_security_group_info: filters: group_id: "{{ item }}" register: connectivity_troubleshooter_local__dst_security_groups_info - with_items: "{{ dst_security_groups }}" + with_items: "{{ connectivity_troubleshooter_local__dst_security_groups }}" - - name: Set 'src_security_groups_info' and 'dst_security_groups_info' variables + - name: Set 'connectivity_troubleshooter_local__src_security_groups_info' and 'connectivity_troubleshooter_local__dst_security_groups_info' variables ansible.builtin.set_fact: - src_security_groups_info: "{{ connectivity_troubleshooter_local__src_security_groups_info.results | sum(attribute='security_groups', start=[]) }}" - dst_security_groups_info: "{{ connectivity_troubleshooter_local__dst_security_groups_info.results | sum(attribute='security_groups', start=[]) }}" + connectivity_troubleshooter_local__src_security_groups_info: "{{ connectivity_troubleshooter_local__src_security_groups_info.results | sum(attribute='security_groups', start=[]) }}" + connectivity_troubleshooter_local__dst_security_groups_info: "{{ connectivity_troubleshooter_local__dst_security_groups_info.results | sum(attribute='security_groups', start=[]) }}" - - name: Set 'security_groups_info' variable + - name: Set 'connectivity_troubleshooter_local__security_groups_info' variable ansible.builtin.set_fact: - security_groups_info: "{{ security_groups_info | default([]) + item.security_groups }}" + connectivity_troubleshooter_local__security_groups_info: "{{ connectivity_troubleshooter_local__security_groups_info | default([]) + item.security_groups }}" with_items: - "{{ connectivity_troubleshooter_local__src_security_groups_info.results }}" - "{{ 
connectivity_troubleshooter_local__dst_security_groups_info.results }}" @@ -61,11 +61,11 @@ - name: Evaluate ingress and egress security group rules cloud.aws_troubleshooting.eval_security_groups: src_ip: "{{ connectivity_troubleshooter_local_source_ip }}" - src_security_groups: "{{ src_security_groups }}" + src_security_groups: "{{ connectivity_troubleshooter_local__src_security_groups }}" dst_ip: "{{ connectivity_troubleshooter_local_destination_ip }}" dst_port: "{{ connectivity_troubleshooter_local_destination_port }}" - dst_security_groups: "{{ dst_security_groups }}" - security_groups: "{{ security_groups_info }}" + dst_security_groups: "{{ connectivity_troubleshooter_local__dst_security_groups }}" + security_groups: "{{ connectivity_troubleshooter_local__security_groups_info }}" register: connectivity_troubleshooter_local__result_eval_security_groups - name: Gather information about Source subnet network ACLs @@ -101,7 +101,7 @@ - name: Evaluate ingress and egress netwok ACLs cloud.aws_troubleshooting.eval_network_acls: src_ip: "{{ connectivity_troubleshooter_local_source_ip }}" - src_subnet_id: "{{ connectivity_troubleshooter_local__src_subnet_id }}" + src_subnet_id: "{{ src_subnet_id }}" src_port_range: "{{ connectivity_troubleshooter_local_source_port_range }}" dst_ip: "{{ connectivity_troubleshooter_local_destination_ip }}" dst_port: "{{ connectivity_troubleshooter_local_destination_port }}" diff --git a/roles/troubleshoot_rds_connectivity/tasks/main.yml b/roles/troubleshoot_rds_connectivity/tasks/main.yml index 0c523d5..5dea63b 100644 --- a/roles/troubleshoot_rds_connectivity/tasks/main.yml +++ b/roles/troubleshoot_rds_connectivity/tasks/main.yml @@ -16,7 +16,7 @@ - name: Run 'troubleshoot_rds_connectivity' roles module_defaults: - group/aws: "{{ aws_setup_credentials__aws_role_credentials }}" + group/aws: "{{ aws_setup_credentials__output }}" block: - name: Include 'get_rds_instance_info.yml' 
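Review bot: Renaming the set_fact targets to `connectivity_troubleshooter_local__src_security_groups_info` and `connectivity_troubleshooter_local__dst_security_groups_info` overwrites the registered results of the two ec2_security_group_info loops with flat lists, yet the following `Set 'connectivity_troubleshooter_local__security_groups_info' variable` task still iterates `connectivity_troubleshooter_local__src_security_groups_info.results` and `connectivity_troubleshooter_local__dst_security_groups_info.results`, which no longer exist once the fact replaces the registered value. The pre-rename names `src_security_groups_info`/`dst_security_groups_info` did not collide, so this is a regression introduced by the prefixing. Since the flattened lists are already computed, the simplest repair is to drop the `.results` loop and set `connectivity_troubleshooter_local__security_groups_info: "{{ connectivity_troubleshooter_local__src_security_groups_info + connectivity_troubleshooter_local__dst_security_groups_info }}"`, or else register the loops under distinct names. The @@ -101 hunk of this file also moves `src_subnet_id` back to the unprefixed name, opposite to the rest of the series; presumably it is shared from the validate role, which deserves a comment if intentional.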
diff --git a/tests/integration/targets/test_aws_setup_credentials/tasks/main.yml b/tests/integration/targets/test_aws_setup_credentials/tasks/main.yml index bfd3577..a08034d 100644 --- a/tests/integration/targets/test_aws_setup_credentials/tasks/main.yml +++ b/tests/integration/targets/test_aws_setup_credentials/tasks/main.yml @@ -3,12 +3,12 @@ ansible.builtin.include_role: name: cloud.aws_troubleshooting.aws_setup_credentials vars: - aws_profile: profile-1 + aws_profile: default - name: Ensure credentials contain only aws_profile key ansible.builtin.assert: that: - - aws_setup_credentials__aws_role_credentials is defined - - aws_setup_credentials__aws_role_credentials.keys() | length == 1 - - '"aws_profile" in aws_setup_credentials__aws_role_credentials' - - aws_setup_credentials__aws_role_credentials.aws_profile == 'profile-1' + - aws_setup_credentials__output is defined + - aws_setup_credentials__output.keys() | length == 1 + - '"aws_profile" in aws_setup_credentials__output' + - aws_setup_credentials__output.aws_profile == 'default' diff --git a/tests/integration/targets/test_connectivity_troubleshooter/tasks/main.yml b/tests/integration/targets/test_connectivity_troubleshooter/tasks/main.yml index 952943f..e386b2e 100644 --- a/tests/integration/targets/test_connectivity_troubleshooter/tasks/main.yml +++ b/tests/integration/targets/test_connectivity_troubleshooter/tasks/main.yml @@ -2,7 +2,13 @@ # tasks file for tests/integration/targets/test_connectivity_troubleshooter - name: Integration test for connectivity_troublershooter role block: - - name: Test 'connectivity_troubleshooter' role + - name: Setup environment for test + module_defaults: + group/aws: + aws_access_key: "{{ aws_access_key }}" + aws_secret_key: "{{ aws_secret_key }}" + security_token: "{{ security_token | default(omit) }}" + region: "{{ aws_region }}" block: - name: Get image ID to for EC2 instance amazon.aws.ec2_ami_info: From ba47f5e68282d255fdce5a31e8229531b3da8caf Mon Sep 17 00:00:00 2001 
From: Alina Buzachis Date: Wed, 5 Jul 2023 19:24:23 +0200 Subject: [PATCH 05/15] Yet another round of lint fixes Signed-off-by: Alina Buzachis --- roles/aws_setup_credentials/tasks/main.yml | 2 +- .../tasks/main.yml | 14 +++++++------- .../tasks/main.yml | 16 ++++++++-------- .../tasks/main.yml | 12 ++++++------ .../tasks/main.yml | 6 +++--- .../tasks/main.yml | 4 ++-- 6 files changed, 27 insertions(+), 27 deletions(-) diff --git a/roles/aws_setup_credentials/tasks/main.yml b/roles/aws_setup_credentials/tasks/main.yml index ed017cd..c005a3f 100644 --- a/roles/aws_setup_credentials/tasks/main.yml +++ b/roles/aws_setup_credentials/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Define intial value for credentials ansible.builtin.set_fact: - aws_setup_credentials__aws_role_credentials: {} + aws_setup_credentials__output: {} - name: Create auth credentials ansible.builtin.include_tasks: read_option.yml with_dict: "{{ aws_connection_env }}" diff --git a/roles/connectivity_troubleshooter_igw/tasks/main.yml b/roles/connectivity_troubleshooter_igw/tasks/main.yml index 7c35e01..729fa0f 100644 --- a/roles/connectivity_troubleshooter_igw/tasks/main.yml +++ b/roles/connectivity_troubleshooter_igw/tasks/main.yml @@ -4,15 +4,15 @@ block: - name: Fail when next hop type is not supported by this role ansible.legacy.fail: - msg: Next hop type '{{ next_hop }}' is not supported by this role - when: "'igw-' not in next_hop" + msg: Next hop type '{{ connectivity_troubleshooter_validate__next_hop }}' is not supported by this role + when: "'igw-' not in connectivity_troubleshooter_validate__next_hop" - name: Gather information about Source security groups amazon.aws.ec2_security_group_info: filters: group_id: "{{ item }}" register: connectivity_troubleshooter_igw__src_security_groups - with_items: "{{ src_security_groups }}" + with_items: "{{ connectivity_troubleshooter_igw__src_security_groups }}" - name: Gather information about Source subnet network ACLs community.aws.ec2_vpc_nacl_info: 
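Review bot: In `Gather information about Source security groups` the loop now iterates `connectivity_troubleshooter_igw__src_security_groups` while the same task registers into `connectivity_troubleshooter_igw__src_security_groups`, so the loop input and the registered result share one name and the registered dict replaces whatever list the caller supplied. Nothing visible in this series defines the input under that name; the pre-rename form read `src_security_groups`, and the validate role's @@ -49 hunk exports the list as `connectivity_troubleshooter_validate__src_security_groups`. Suggest `with_items: "{{ connectivity_troubleshooter_validate__src_security_groups }}"` if that is the variable the caller passes, or at least a name distinct from the register target. The same collision remains as unchanged context in this file's @@ -1,37 +1,39 @@ hunk in PATCH 06.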
@@ -23,11 +23,11 @@ - name: Set 'src_subnet_nacls' variable ansible.legacy.set_fact: - src_subnet_nacls: "{{ src_subnet_nacls | d([]) + [dict(_keys | zip(_vals))] }}" + connectivity_troubleshooter_igw__src_subnet_nacls: "{{ src_subnet_nacls | d([]) + [dict(connectivity_troubleshooter_igw__keys | zip(connectivity_troubleshooter_igw__vals))] }}" loop: "{{ connectivity_troubleshooter_igw__src_subnet_nacls.nacls }}" vars: - _keys: "{{ ['egress', 'ingress'] }}" - _vals: "{{ ['egress', 'ingress'] | map('extract', item) }}" + connectivity_troubleshooter_igw__keys: "{{ ['egress', 'ingress'] }}" + connectivity_troubleshooter_igw__vals: "{{ ['egress', 'ingress'] | map('extract', item) }}" - name: Set 'connectivity_troubleshooter_igw__src_security_groups_info' variable ansible.legacy.set_fact: @@ -42,5 +42,5 @@ dst_port: "{{ connectivity_troubleshooter_igw_destination_port }}" src_network_interface: "{{ src_network_interface }}" src_security_groups_info: "{{ connectivity_troubleshooter_igw__src_security_groups_info }}" - src_network_acls: "{{ src_subnet_nacls }}" + src_network_acls: "{{connectivity_troubleshooter_igw__src_subnet_nacls }}" register: connectivity_troubleshooter_igw__result_eval_src_igw_route diff --git a/roles/connectivity_troubleshooter_local/tasks/main.yml b/roles/connectivity_troubleshooter_local/tasks/main.yml index a2086e0..3267670 100644 --- a/roles/connectivity_troubleshooter_local/tasks/main.yml +++ b/roles/connectivity_troubleshooter_local/tasks/main.yml 
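Review bot: The accumulator in `Set 'src_subnet_nacls' variable` now writes `connectivity_troubleshooter_igw__src_subnet_nacls` but still reads `src_subnet_nacls | d([])`, so every iteration starts from an empty list and only the last NACL survives; the write target is also the registered variable that `loop:` reads, so the ec2_vpc_nacl_info result is gone after the task (the loop source is evaluated before the first iteration, so the loop itself still runs). The nat role in this same patch already uses the right split, with `connectivity_troubleshooter_nat__nat_network_acls_info` as the register and `connectivity_troubleshooter_nat__nat_network_acls` as the accumulated fact. Mirror that here: register the lookup as `connectivity_troubleshooter_igw__src_subnet_nacls_info`, loop over `connectivity_troubleshooter_igw__src_subnet_nacls_info.nacls`, and read `connectivity_troubleshooter_igw__src_subnet_nacls | d([])` on the right-hand side. PATCH 06's @@ -1,37 +1,39 @@ hunk of this file reflows this line but keeps the `src_subnet_nacls | d([])` read, so the defect survives that patch too.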
@@ -16,11 +16,11 @@ - name: Set 'connectivity_troubleshooter_local__dst_vpc_id', 'connectivity_troubleshooter_local__dst_subnet_id' and 'connectivity_troubleshooter_local__dst_security_groups' variables ansible.builtin.set_fact: - connectivity_troubleshooter_local__dst_vpc_id: "{{ __dst_network_interface_info.vpc_id }}" - connectivity_troubleshooter_local__dst_subnet_id: "{{ __dst_network_interface_info.subnet_id }}" - connectivity_troubleshooter_local__dst_security_groups: "{{ __dst_network_interface_info.groups | map(attribute='group_id') | list }}" + connectivity_troubleshooter_local__dst_vpc_id: "{{ connectivity_troubleshooter_local__dst_network_interface_info.vpc_id }}" + connectivity_troubleshooter_local__dst_subnet_id: "{{ connectivity_troubleshooter_local__dst_network_interface_info.subnet_id }}" + connectivity_troubleshooter_local__dst_security_groups: "{{ connectivity_troubleshooter_local__dst_network_interface_info.groups | map(attribute='group_id') | list }}" vars: - __dst_network_interface_info: "{{ connectivity_troubleshooter_local__describe_dst_eni.network_interfaces.0 }}" + connectivity_troubleshooter_local__dst_network_interface_info: "{{ connectivity_troubleshooter_local__describe_dst_eni.network_interfaces.0 }}" - name: Fail when no network interface found ansible.builtin.fail: 
@@ -90,13 +90,13 @@ - "{{ dst_subnet_id }}" register: connectivity_troubleshooter_local__network_acls_info - - name: Set 'dst_network_acls_info' variable + - name: Set 'connectivity_troubleshooter_local__dst_network_acls_info' variable ansible.builtin.set_fact: - connectivity_troubleshooter_local__dst_network_acls_info: "{{ connectivity_troubleshooter_local__dst_network_acls_info | d([]) + [dict(_keys | zip(_vals))] }}" + connectivity_troubleshooter_local__dst_network_acls_info: "{{ connectivity_troubleshooter_local__dst_network_acls_info | d([]) + [dict(connectivity_troubleshooter_local__keys | zip(connectivity_troubleshooter_local__vals))] }}" loop: "{{ connectivity_troubleshooter_local__network_acls_info.nacls }}" vars: - _keys: "{{ ['egress', 'ingress'] }}" - _vals: "{{ ['egress', 'ingress'] | map('extract', item) }}" + connectivity_troubleshooter_local__keys: "{{ ['egress', 'ingress'] }}" + connectivity_troubleshooter_local__vals: "{{ ['egress', 'ingress'] | map('extract', item) }}" - name: Evaluate ingress and egress netwok ACLs cloud.aws_troubleshooting.eval_network_acls: diff --git a/roles/connectivity_troubleshooter_nat/tasks/main.yml b/roles/connectivity_troubleshooter_nat/tasks/main.yml index 8e9e4cb..da08570 100644 --- a/roles/connectivity_troubleshooter_nat/tasks/main.yml +++ b/roles/connectivity_troubleshooter_nat/tasks/main.yml 
@@ -16,10 +16,10 @@ - name: Set 'connectivity_troubleshooter_nat__nat_subnet_id' and 'connectivity_troubleshooter_nat__nat_vpc_id' variables ansible.builtin.set_fact: - connectivity_troubleshooter_nat__nat_subnet_id: "{{ __nat_gw_info.subnet_id }}" - connectivity_troubleshooter_nat__nat_vpc_id: "{{ __nat_gw_info.vpc_id }}" + connectivity_troubleshooter_nat__nat_subnet_id: "{{ connectivity_troubleshooter_nat__nat_gw_info.subnet_id }}" + connectivity_troubleshooter_nat__nat_vpc_id: "{{ connectivity_troubleshooter_nat__nat_gw_info.vpc_id }}" vars: - __nat_gw_info: "{{ connectivity_troubleshooter_nat__describe_nat_gw.result.0 }}" + connectivity_troubleshooter_nat__nat_gw_info: "{{ connectivity_troubleshooter_nat__describe_nat_gw.result.0 }}" - name: Gather information about NAT gateway subnet networks ACLs community.aws.ec2_vpc_nacl_info: @@ -29,11 +29,11 @@ - name: Set 'connectivity_troubleshooter__nat_network_acls' variable ansible.builtin.set_fact: - connectivity_troubleshooter_nat__nat_network_acls: "{{ connectivity_troubleshooter_nat__nat_network_acls | d([]) + [dict(_keys | zip(_vals))] }}" + connectivity_troubleshooter_nat__nat_network_acls: "{{ connectivity_troubleshooter_nat__nat_network_acls | d([]) + [dict(connectivity_troubleshooter_nat__keys | zip(connectivity_troubleshooter_nat__vals))] }}" loop: "{{ connectivity_troubleshooter_nat__nat_network_acls_info.nacls }}" vars: - _keys: "{{ ['egress', 'ingress'] }}" - _vals: "{{ ['egress', 'ingress'] | map('extract', item) }}" + connectivity_troubleshooter_nat__keys: "{{ ['egress', 'ingress'] }}" + connectivity_troubleshooter_nat__vals: "{{ ['egress', 'ingress'] | map('extract', item) }}" - name: Gather information about VPC route table amazon.aws.ec2_vpc_route_table_info: diff --git a/roles/connectivity_troubleshooter_peering/tasks/main.yml b/roles/connectivity_troubleshooter_peering/tasks/main.yml index 0a75038..f6ae78d 100644 --- a/roles/connectivity_troubleshooter_peering/tasks/main.yml 
+++ b/roles/connectivity_troubleshooter_peering/tasks/main.yml @@ -26,7 +26,7 @@ connectivity_troubleshooter_peering__dst_peer_vpc_id: "{{ connectivity_troubleshooter_peering__dst_peer_eni_info.vpc_id }}" connectivity_troubleshooter_peering__dst_peer_subnet_id: "{{ connectivity_troubleshooter_peering__dst_peer_eni_info.subnet_id }}" vars: - __dst_peer_eni_info: "{{ connectivity_troubleshooter_peering__dst_peer_eni.network_interfaces.0 }}" + connectivity_troubleshooter_peering__dst_peer_eni_info: "{{ connectivity_troubleshooter_peering__dst_peer_eni.network_interfaces.0 }}" - name: Gather information about Destination peer subnet amazon.aws.ec2_vpc_route_table_info: @@ -37,7 +37,7 @@ - name: Set 'routes' variable ansible.builtin.set_fact: - routes: "{{ connectivity_troubleshooter_peering__dst_peer_route_table.route_tables.0.routes }}" + connectivity_troubleshooter_validate__routes: "{{ connectivity_troubleshooter_peering__dst_peer_route_table.route_tables.0.routes }}" when: connectivity_troubleshooter_peering__dst_peer_route_table.route_tables | length > 0 # if RouteTable is not returned, this indicates association of subnet with main route table @@ -63,7 +63,7 @@ - name: Evaluate VPC peering connection cloud.aws_troubleshooting.eval_vpc_peering: src_ip: "{{ connectivity_troubleshooter_peering_source_ip }}" - peering_id: "{{ next_hop }}" + peering_id: "{{ connectivity_troubleshooter_validate__next_hop }}" dst_vpc: "{{ connectivity_troubleshooter_peering_destination_vpc }}" routes: "{{ connectivity_troubleshooter_peering__routes }}" vpc_peering_connection: "{{ connectivity_troubleshooter_peering__vpc_peering_connection_info.vpc_peering_connections.0 }}" diff --git a/roles/connectivity_troubleshooter_validate/tasks/main.yml b/roles/connectivity_troubleshooter_validate/tasks/main.yml index f06a56c..2707915 100644 --- a/roles/connectivity_troubleshooter_validate/tasks/main.yml +++ b/roles/connectivity_troubleshooter_validate/tasks/main.yml 
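Review bot: The `Set 'routes' variable` task in the peering role now writes `connectivity_troubleshooter_validate__routes`, a name carrying a different role's prefix, while the consumer in the @@ -63 hunk below still reads `routes: "{{ connectivity_troubleshooter_peering__routes }}"`. The validate role sets `connectivity_troubleshooter_validate__routes` itself (its @@ -78 hunk on this page), so this set_fact would overwrite the source-side route list with the destination peer's routes, and the peering evaluation would still not receive this value. The write should use the role's own prefix, `connectivity_troubleshooter_peering__routes: "{{ connectivity_troubleshooter_peering__dst_peer_route_table.route_tables.0.routes }}"`, unless a task outside this hunk already populates that name for the main-route-table case the comment describes.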
@@ -49,7 +49,7 @@ connectivity_troubleshooter_validate__src_security_groups: "{{ connectivity_troubleshooter_validate__src_network_interface_info.groups | map(attribute='group_id') | list }}" connectivity_troubleshooter_validate__src_network_interface: "{{ connectivity_troubleshooter_validate__src_network_interface_info }}" vars: - __src_network_interface_info: "{{ connectivity_troubleshooter_validate__describe_src_eni.network_interfaces.0 }}" + connectivity_troubleshooter_validate__src_network_interface_info: "{{ connectivity_troubleshooter_validate__describe_src_eni.network_interfaces.0 }}" - name: Gather information about Source VPC route table amazon.aws.ec2_vpc_route_table_info: @@ -78,7 +78,7 @@ msg: Could not find route table for connectivity_troubleshooter_validate_source_ip when: connectivity_troubleshooter_validate__src_route_table_retry.route_tables | length == 0 - - name: Set 'routes' variable + - name: Set 'connectivity_troubleshooter_validate__routes' variable ansible.builtin.set_fact: connectivity_troubleshooter_validate__routes: "{{ connectivity_troubleshooter_validate__src_route_table_retry.route_tables.0.routes }}" From ec4f69eeecc93b7490aad135ec1b9a8bec9ad1a6 Mon Sep 17 00:00:00 2001 From: Alina Buzachis Date: Mon, 14 Aug 2023 14:05:15 +0200 Subject: [PATCH 06/15] Yet another round of fixes Signed-off-by: Alina Buzachis --- roles/aws_setup_credentials/tasks/main.yml | 1 + .../tasks/main.yml | 15 +++---- .../tasks/main.yml | 18 +++++---- .../tasks/main.yml | 40 +++++++++++-------- .../tasks/main.yml | 13 +++--- .../tasks/main.yml | 16 ++++---- .../tasks/main.yml | 24 ++++++----- .../tasks/get_ec2_instance_info.yml | 7 ++-- .../tasks/get_rds_instance_info.yml | 3 +- .../test_aws_setup_credentials/tasks/main.yml | 20 +++++----- .../tasks/setup_classic.yml | 22 +++++----- .../tasks/setup_destination_peering.yml | 14 +++---- tox.ini | 8 ++-- 13 files changed, 108 insertions(+), 93 deletions(-) 
diff --git a/roles/aws_setup_credentials/tasks/main.yml b/roles/aws_setup_credentials/tasks/main.yml index c005a3f..8a6ae74 100644 --- a/roles/aws_setup_credentials/tasks/main.yml +++ b/roles/aws_setup_credentials/tasks/main.yml @@ -2,6 +2,7 @@ - name: Define intial value for credentials ansible.builtin.set_fact: aws_setup_credentials__output: {} + - name: Create auth credentials ansible.builtin.include_tasks: read_option.yml with_dict: "{{ aws_connection_env }}" diff --git a/roles/connectivity_troubleshooter/tasks/main.yml b/roles/connectivity_troubleshooter/tasks/main.yml index 5e4e4f4..cc72943 100644 --- a/roles/connectivity_troubleshooter/tasks/main.yml +++ b/roles/connectivity_troubleshooter/tasks/main.yml @@ -1,11 +1,11 @@ --- # tasks file for roles/connectivity_troubleshooter -- name: Run 'connectivity_troubleshooter' +- name: Run cloud.aws_troubleshooting.connectivity_troubleshooter module_defaults: group/aws: "{{ aws_setup_credentials__output }}" block: - - name: Include 'connectivity_troubleshooter_validate' role + - name: Include cloud.aws_troubleshooting.connectivity_troubleshooter_validate role ansible.builtin.include_role: name: cloud.aws_troubleshooting.connectivity_troubleshooter_validate vars: 
@@ -17,9 +17,10 @@ - name: Fail when next hop type is not supported by this role ansible.builtin.fail: msg: Next hop type '{{ connectivity_troubleshooter_validate__next_hop }}' is not supported by this role - when: connectivity_troubleshooter_validate__next_hop != 'local' and not connectivity_troubleshooter_validate__next_hop.startswith('nat-') and not connectivity_troubleshooter_validate__next_hop.startswith('igw-') and not connectivity_troubleshooter_validate__next_hop.startswith('pcx-') + when: connectivity_troubleshooter_validate__next_hop != 'local' and not connectivity_troubleshooter_validate__next_hop.startswith('nat-') and not connectivity_troubleshooter_validate__next_hop.startswith('igw-') + and not connectivity_troubleshooter_validate__next_hop.startswith('pcx-') - - name: Include 'connectivity_troubleshooter_local' role + - name: Include cloud.aws_troubleshooting.connectivity_troubleshooter_local role ansible.builtin.include_role: name: cloud.aws_troubleshooting.connectivity_troubleshooter_local vars: @@ -30,7 +31,7 @@ connectivity_troubleshooter_local_source_port_range: "{{ connectivity_troubleshooter_source_port_range }}" when: "'local' == connectivity_troubleshooter_validate__next_hop" - - name: Include 'connectivity_troubleshooter_igw' role + - name: Include cloud.aws_troubleshooting.connectivity_troubleshooter_igw role ansible.builtin.include_role: name: cloud.aws_troubleshooting.connectivity_troubleshooter_igw vars: @@ -42,7 +43,7 @@ connectivity_troubleshooter_igw_source_port_range: "{{ connectivity_troubleshooter_source_port_range }}" when: "'igw-' in connectivity_troubleshooter_validate__next_hop" - - name: Include 'connectivity_troubleshooter_nat' role + - name: Include cloud.aws_troubleshooting.connectivity_troubleshooter_nat role ansible.builtin.include_role: name: cloud.aws_troubleshooting.connectivity_troubleshooter_nat vars: 
@@ -52,7 +53,7 @@ connectivity_troubleshooter_nat_source_port_range: "{{ connectivity_troubleshooter_source_port_range }}" when: "'nat-' in connectivity_troubleshooter_validate__next_hop" - - name: Include 'connectivity_troubleshooter_peering' role + - name: Include cloud.aws_troubleshooting.connectivity_troubleshooter_peering role ansible.builtin.include_role: name: cloud.aws_troubleshooting.connectivity_troubleshooter_peering vars: diff --git a/roles/connectivity_troubleshooter_igw/tasks/main.yml b/roles/connectivity_troubleshooter_igw/tasks/main.yml index 729fa0f..1a8a997 100644 --- a/roles/connectivity_troubleshooter_igw/tasks/main.yml +++ b/roles/connectivity_troubleshooter_igw/tasks/main.yml 
@@ -1,37 +1,39 @@ --- # tasks file for roles/connectivity_troubleshooter_igw -- name: Run 'connectivity_troubleshooter_igw' role +- name: Run cloud.aws_troubleshooting.connectivity_troubleshooter_igw role block: - name: Fail when next hop type is not supported by this role ansible.legacy.fail: msg: Next hop type '{{ connectivity_troubleshooter_validate__next_hop }}' is not supported by this role when: "'igw-' not in connectivity_troubleshooter_validate__next_hop" - - name: Gather information about Source security groups + - name: Gather information about source security groups amazon.aws.ec2_security_group_info: filters: group_id: "{{ item }}" register: connectivity_troubleshooter_igw__src_security_groups with_items: "{{ connectivity_troubleshooter_igw__src_security_groups }}" - - name: Gather information about Source subnet network ACLs + - name: Gather information about source subnet network ACLs community.aws.ec2_vpc_nacl_info: filters: association.subnet-id: - "{{ src_subnet_id }}" register: connectivity_troubleshooter_igw__src_subnet_nacls - - name: Set 'src_subnet_nacls' variable + - name: Set source subnet NACLs ansible.legacy.set_fact: - connectivity_troubleshooter_igw__src_subnet_nacls: "{{ src_subnet_nacls | d([]) + [dict(connectivity_troubleshooter_igw__keys | zip(connectivity_troubleshooter_igw__vals))] }}" + connectivity_troubleshooter_igw__src_subnet_nacls: "{{ src_subnet_nacls | d([]) + [dict(connectivity_troubleshooter_igw__keys | zip(connectivity_troubleshooter_igw__vals))] + }}" loop: "{{ connectivity_troubleshooter_igw__src_subnet_nacls.nacls }}" vars: connectivity_troubleshooter_igw__keys: "{{ ['egress', 'ingress'] }}" connectivity_troubleshooter_igw__vals: "{{ ['egress', 'ingress'] | map('extract', item) }}" - - name: Set 'connectivity_troubleshooter_igw__src_security_groups_info' variable + - name: Set source security groups info ansible.legacy.set_fact: - connectivity_troubleshooter_igw__src_security_groups_info: "{{ 
connectivity_troubleshooter_igw__src_security_groups.results | sum(attribute='security_groups', start=[]) }}" + connectivity_troubleshooter_igw__src_security_groups_info: "{{ connectivity_troubleshooter_igw__src_security_groups.results | sum(attribute='security_groups', + start=[]) }}" - name: Evaluate ingress and egress netwok ACLs cloud.aws_troubleshooting.eval_src_igw_route: @@ -42,5 +44,5 @@ dst_port: "{{ connectivity_troubleshooter_igw_destination_port }}" src_network_interface: "{{ src_network_interface }}" src_security_groups_info: "{{ connectivity_troubleshooter_igw__src_security_groups_info }}" - src_network_acls: "{{connectivity_troubleshooter_igw__src_subnet_nacls }}" + src_network_acls: "{{ connectivity_troubleshooter_igw__src_subnet_nacls }}" register: connectivity_troubleshooter_igw__result_eval_src_igw_route diff --git a/roles/connectivity_troubleshooter_local/tasks/main.yml b/roles/connectivity_troubleshooter_local/tasks/main.yml index 3267670..c4a323c 100644 --- a/roles/connectivity_troubleshooter_local/tasks/main.yml +++ b/roles/connectivity_troubleshooter_local/tasks/main.yml 
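Review bot: The accumulator in the `Set source subnet NACLs` task reads `src_subnet_nacls | d([])`, but nothing in this hunk registers or sets `src_subnet_nacls`; the NACL lookup is registered as `connectivity_troubleshooter_igw__src_subnet_nacls`, a result dict that the `set_fact` then overwrites while looping over its own `.nacls`. With the default applied on every iteration, each pass produces a one-element list, so only the last NACL's egress/ingress rules reach the evaluator; a subnet has a single NACL association in AWS, which is presumably why this has not surfaced, but the evaluation silently relies on it. Register the lookup under a distinct name, e.g. `register: connectivity_troubleshooter_igw__src_subnet_nacls_info`, loop over `connectivity_troubleshooter_igw__src_subnet_nacls_info.nacls`, and accumulate into `connectivity_troubleshooter_igw__src_subnet_nacls | d([]) + [...]`, the way the local role keeps `..._network_acls_info` and `..._src_network_acls_info` apart. The enclosing `block:` starts at the top of this hunk and its remaining tasks continue past it.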
@@ -1,24 +1,25 @@ --- # tasks file for roles/connectivity_troubleshooter_local -- name: Run 'connectivity_troubleshooter_local' role +- name: Run cloud.aws_troubleshooting.connectivity_troubleshooter_local role block: - name: Fail when next hop type is not supported by this role ansible.builtin.fail: msg: Next hop type '{{ connectivity_troubleshooter_validate__next_hop }}' is not supported by this role when: connectivity_troubleshooter_validate__next_hop != 'local' - - name: Gather information about Destination ENI + - name: Gather information about destination ENI amazon.aws.ec2_eni_info: filters: addresses.private-ip-address: "{{ connectivity_troubleshooter_local_destination_ip }}" register: connectivity_troubleshooter_local__describe_dst_eni - - name: Set 'connectivity_troubleshooter_local__dst_vpc_id', 'connectivity_troubleshooter_local__dst_subnet_id' and 'connectivity_troubleshooter_local__dst_security_groups' variables + - name: Set destination VPC id, subnet id and security groups ansible.builtin.set_fact: connectivity_troubleshooter_local__dst_vpc_id: "{{ connectivity_troubleshooter_local__dst_network_interface_info.vpc_id }}" connectivity_troubleshooter_local__dst_subnet_id: "{{ connectivity_troubleshooter_local__dst_network_interface_info.subnet_id }}" - connectivity_troubleshooter_local__dst_security_groups: "{{ connectivity_troubleshooter_local__dst_network_interface_info.groups | map(attribute='group_id') | list }}" + connectivity_troubleshooter_local__dst_security_groups: "{{ connectivity_troubleshooter_local__dst_network_interface_info.groups | map(attribute='group_id') + | list }}" vars: connectivity_troubleshooter_local__dst_network_interface_info: "{{ connectivity_troubleshooter_local__describe_dst_eni.network_interfaces.0 }}" 
@@ -32,28 +33,31 @@ msg: Kindly check the source route table to ensure a more specific route is present towards required destination VPC when: connectivity_troubleshooter_local_destination_vpc | default('', true) | trim and connectivity_troubleshooter_local_destination_vpc != connectivity_troubleshooter_local__dst_vpc_id - - name: Gather information about Source security groups + - name: Gather information about source security groups amazon.aws.ec2_security_group_info: filters: group_id: "{{ item }}" register: connectivity_troubleshooter_local__src_security_groups_info with_items: "{{ connectivity_troubleshooter_local__src_security_groups }}" - - name: Gather information about Destination security group + - name: Gather information about destination security group amazon.aws.ec2_security_group_info: filters: group_id: "{{ item }}" register: connectivity_troubleshooter_local__dst_security_groups_info with_items: "{{ connectivity_troubleshooter_local__dst_security_groups }}" - - name: Set 'connectivity_troubleshooter_local__src_security_groups_info' and 'connectivity_troubleshooter_local__dst_security_groups_info' variables + - name: Set source and destination security groups info ansible.builtin.set_fact: - connectivity_troubleshooter_local__src_security_groups_info: "{{ connectivity_troubleshooter_local__src_security_groups_info.results | sum(attribute='security_groups', start=[]) }}" - connectivity_troubleshooter_local__dst_security_groups_info: "{{ connectivity_troubleshooter_local__dst_security_groups_info.results | sum(attribute='security_groups', start=[]) }}" + connectivity_troubleshooter_local__src_security_groups_info: "{{ connectivity_troubleshooter_local__src_security_groups_info.results | sum(attribute='security_groups', + start=[]) }}" + connectivity_troubleshooter_local__dst_security_groups_info: "{{ connectivity_troubleshooter_local__dst_security_groups_info.results | sum(attribute='security_groups', + start=[]) }}" - - name: Set 
'connectivity_troubleshooter_local__security_groups_info' variable + - name: Set security groups info ansible.builtin.set_fact: - connectivity_troubleshooter_local__security_groups_info: "{{ connectivity_troubleshooter_local__security_groups_info | default([]) + item.security_groups }}" + connectivity_troubleshooter_local__security_groups_info: "{{ connectivity_troubleshooter_local__security_groups_info | default([]) + item.security_groups + }}" with_items: - "{{ connectivity_troubleshooter_local__src_security_groups_info.results }}" - "{{ connectivity_troubleshooter_local__dst_security_groups_info.results }}" 
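Review bot: After the `Set source and destination security groups info` task replaces `connectivity_troubleshooter_local__src_security_groups_info` and `connectivity_troubleshooter_local__dst_security_groups_info` with the flattened `sum(attribute='security_groups', start=[])` lists, the next task's `with_items` reads `.results` from those same two names. Registered results and `set_fact` values live at the same precedence level, so by the time the second task runs those names hold lists, which have no `results` attribute; unless something not visible here re-registers them, that task errors (and if it did run, it would only re-flatten what the first task already produced). Registering the two `ec2_security_group_info` lookups under separate names, e.g. `register: connectivity_troubleshooter_local__src_security_groups_result`, and having both `set_fact` tasks read `.results` from those keeps the raw results and the flattened facts apart. The enclosing `block:` starts outside this hunk.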
@@ -68,31 +72,33 @@ security_groups: "{{ connectivity_troubleshooter_local__security_groups_info }}" register: connectivity_troubleshooter_local__result_eval_security_groups - - name: Gather information about Source subnet network ACLs + - name: Gather information about source subnet network ACLs community.aws.ec2_vpc_nacl_info: filters: association.subnet-id: - "{{ src_subnet_id }}" register: connectivity_troubleshooter_local__network_acls_info - - name: Set 'connectivity_troubleshooter_local__src_network_acls_info' variable + - name: Set source NACLs info ansible.builtin.set_fact: - connectivity_troubleshooter_local__src_network_acls_info: "{{ connectivity_troubleshooter_local__src_network_acls_info | d([]) + [dict(_keys | zip(_vals))] }}" + connectivity_troubleshooter_local__src_network_acls_info: "{{ connectivity_troubleshooter_local__src_network_acls_info | d([]) + [dict(_keys | zip(_vals))] + }}" loop: "{{ connectivity_troubleshooter_local__network_acls_info.nacls }}" vars: _keys: "{{ ['egress', 'ingress'] }}" _vals: "{{ ['egress', 'ingress'] | map('extract', item) }}" - - name: Gather information about Destination network ACLs + - name: Gather information about destination network ACLs community.aws.ec2_vpc_nacl_info: filters: association.subnet-id: - "{{ dst_subnet_id }}" register: connectivity_troubleshooter_local__network_acls_info - - name: Set 'connectivity_troubleshooter_local__dst_network_acls_info' variable + - name: Set destination NACLs info ansible.builtin.set_fact: - connectivity_troubleshooter_local__dst_network_acls_info: "{{ connectivity_troubleshooter_local__dst_network_acls_info | d([]) + [dict(connectivity_troubleshooter_local__keys | zip(connectivity_troubleshooter_local__vals))] }}" + connectivity_troubleshooter_local__dst_network_acls_info: "{{ connectivity_troubleshooter_local__dst_network_acls_info | d([]) + [dict(connectivity_troubleshooter_local__keys + | zip(connectivity_troubleshooter_local__vals))] }}" loop: "{{ 
connectivity_troubleshooter_local__network_acls_info.nacls }}" vars: connectivity_troubleshooter_local__keys: "{{ ['egress', 'ingress'] }}" diff --git a/roles/connectivity_troubleshooter_nat/tasks/main.yml b/roles/connectivity_troubleshooter_nat/tasks/main.yml index da08570..a492af9 100644 --- a/roles/connectivity_troubleshooter_nat/tasks/main.yml +++ b/roles/connectivity_troubleshooter_nat/tasks/main.yml @@ -1,7 +1,7 @@ --- # tasks file for roles/connectivity_troubleshooter_nat -- name: Run 'connectivity_troubleshooter_nat' role +- name: Run cloud.aws_troubleshooting.connectivity_troubleshooter_nat role block: - name: Fail when next hop type is not supported by this role ansible.builtin.fail: @@ -14,7 +14,7 @@ nat-gateway-id: "{{ connectivity_troubleshooter_validate__next_hop }}" register: connectivity_troubleshooter_nat__describe_nat_gw - - name: Set 'connectivity_troubleshooter_nat__nat_subnet_id' and 'connectivity_troubleshooter_nat__nat_vpc_id' variables + - name: Set NAT subnet id and NAT VPC id ansible.builtin.set_fact: connectivity_troubleshooter_nat__nat_subnet_id: "{{ connectivity_troubleshooter_nat__nat_gw_info.subnet_id }}" connectivity_troubleshooter_nat__nat_vpc_id: "{{ connectivity_troubleshooter_nat__nat_gw_info.vpc_id }}" 
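Review bot: The source-NACL accumulator in this hunk uses the bare helper vars `_keys`/`_vals`, while the destination-NACL task a few lines below uses `connectivity_troubleshooter_local__keys`/`connectivity_troubleshooter_local__vals` for the same two-element lists. Both tasks build identical `dict(keys | zip(vals))` entries, so naming the source pair `connectivity_troubleshooter_local__keys` and `connectivity_troubleshooter_local__vals` as well keeps the role's variable prefix consistent and makes the two tasks read as the pair they are. Both lookups also register into `connectivity_troubleshooter_local__network_acls_info`; that works because each result is consumed by the `set_fact` directly below it before the name is reused, and a comment such as `# register name reused on purpose; consumed by the set_fact that follows` would spare the next reader from checking the ordering.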
@@ -27,9 +27,10 @@ association.subnet-id: "{{ connectivity_troubleshooter_nat__describe_nat_gwnat_subnet_id }}" register: connectivity_troubleshooter_nat__nat_network_acls_info - - name: Set 'connectivity_troubleshooter__nat_network_acls' variable + - name: Set NAT NACLs ansible.builtin.set_fact: - connectivity_troubleshooter_nat__nat_network_acls: "{{ connectivity_troubleshooter_nat__nat_network_acls | d([]) + [dict(connectivity_troubleshooter_nat__keys | zip(connectivity_troubleshooter_nat__vals))] }}" + connectivity_troubleshooter_nat__nat_network_acls: "{{ connectivity_troubleshooter_nat__nat_network_acls | d([]) + [dict(connectivity_troubleshooter_nat__keys + | zip(connectivity_troubleshooter_nat__vals))] }}" loop: "{{ connectivity_troubleshooter_nat__nat_network_acls_info.nacls }}" vars: connectivity_troubleshooter_nat__keys: "{{ ['egress', 'ingress'] }}" @@ -42,7 +43,7 @@ - "{{ connectivity_troubleshooter_nat__nat_subnet_id }}" register: connectivity_troubleshooter_nat__nat_route_table - - name: Set 'nat_routes' variable + - name: Set NAT routes ansible.builtin.set_fact: connectivity_troubleshooter_nat__nat_routes: "{{ connectivity_troubleshooter_nat__nat_route_table.route_tables.0.routes }}" when: connectivity_troubleshooter_nat__nat_route_table.route_tables | length > 0 @@ -63,7 +64,7 @@ msg: Could not find route table for NAT Gateway when: connectivity_troubleshooter_nat__nat_route_table_retry.route_tables | length == 0 - - name: Set 'nat_routes' variable + - name: Set NAT routest ansible.builtin.set_fact: connectivity_troubleshooter_nat__nat_routes: "{{ connectivity_troubleshooter_nat__nat_route_table_retry.route_tables.0.routes }}" diff --git a/roles/connectivity_troubleshooter_peering/tasks/main.yml b/roles/connectivity_troubleshooter_peering/tasks/main.yml index f6ae78d..35897e6 100644 --- a/roles/connectivity_troubleshooter_peering/tasks/main.yml +++ b/roles/connectivity_troubleshooter_peering/tasks/main.yml 
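Review bot: The NACL lookup filter at the top of this hunk reads `association.subnet-id: "{{ connectivity_troubleshooter_nat__describe_nat_gwnat_subnet_id }}"`, a name that nothing visible defines; the earlier hunk of this file sets `connectivity_troubleshooter_nat__nat_subnet_id`, and the route-table lookup in the `@@ -42,7 +43,7 @@` hunk filters on that name, so this looks like a mangled rename that leaves the variable undefined and the task failing. It should read `association.subnet-id: "{{ connectivity_troubleshooter_nat__nat_subnet_id }}"`. The `@@ -63,7 +64,7 @@` hunk below also renames a task to `Set NAT routest`, a typo for `Set NAT routes`.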
@@ -1,7 +1,7 @@ --- # tasks file for roles/connectivity_troubleshooter_peering_destination -- name: Run 'connectivity_troubleshooter_peering' role +- name: Run cloud.aws_troubleshooting.connectivity_troubleshooter_peering role block: - name: Fail when next hop type is not supported by this role ansible.builtin.fail: 
@@ -15,27 +15,27 @@ - "{{ connectivity_troubleshooter_validate__next_hop }}" register: connectivity_troubleshooter_peering__vpc_peering_connection_info - - name: Gather information about Network Interface of the Destination peer + - name: Gather information about Network Interface of the destination peer amazon.aws.ec2_eni_info: filters: addresses.private-ip-address: "{{ connectivity_troubleshooter_peering_destination_ip }}" register: connectivity_troubleshooter_peering__dst_peer_eni - - name: Set 'connectivity_troubleshooter_peering__dst_peer_vpc_id' and 'connectivity_troubleshooter_peering__dst_peer_subnet_id' variables + - name: Set destination peer VPC id and subnet id ansible.builtin.set_fact: connectivity_troubleshooter_peering__dst_peer_vpc_id: "{{ connectivity_troubleshooter_peering__dst_peer_eni_info.vpc_id }}" connectivity_troubleshooter_peering__dst_peer_subnet_id: "{{ connectivity_troubleshooter_peering__dst_peer_eni_info.subnet_id }}" vars: connectivity_troubleshooter_peering__dst_peer_eni_info: "{{ connectivity_troubleshooter_peering__dst_peer_eni.network_interfaces.0 }}" - - name: Gather information about Destination peer subnet + - name: Gather information about destination peer subnet amazon.aws.ec2_vpc_route_table_info: filters: association.subnet-id: - "{{ connectivity_troubleshooter_peering__dst_peer_subnet_id }}" register: connectivity_troubleshooter_peering__dst_peer_route_table - - name: Set 'routes' variable + - name: Set routes ansible.builtin.set_fact: connectivity_troubleshooter_validate__routes: "{{ connectivity_troubleshooter_peering__dst_peer_route_table.route_tables.0.routes }}" when: connectivity_troubleshooter_peering__dst_peer_route_table.route_tables | length > 0 
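Review bot: The `Set routes` task in this hunk writes the peer's routes to `connectivity_troubleshooter_validate__routes`, while the fallback `Set routes` task in the `@@ -44,19 +44,19 @@` hunk below writes `connectivity_troubleshooter_peering__routes`. Whichever of the two names the later route evaluation reads, one path leaves it unset or stale: if it reads `connectivity_troubleshooter_peering__routes`, the subnet-association path never sets it, and this task instead overwrites the validate role's source routes with the peer's, so the wrong route table can be evaluated without any error. The consumer is not visible here, but this role's prefix convention says the line should be `connectivity_troubleshooter_peering__routes: "{{ connectivity_troubleshooter_peering__dst_peer_route_table.route_tables.0.routes }}"`.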
@@ -44,19 +44,19 @@ - name: Gather information about VPC route table using association.main=true when: connectivity_troubleshooter_peering__dst_peer_route_table.route_tables | length == 0 block: - - name: Gather information about Destination peer subnet + - name: Gather information about destination peer subnet amazon.aws.ec2_vpc_route_table_info: filters: association.main: "true" vpc-id: "{{ connectivity_troubleshooter_peering__dst_peer_vpc_id }}" register: connectivity_troubleshooter_peering__dst_peer_route_table_retry - - name: Fail when no route table for Destination peer is found + - name: Fail when no route table for destination peer is found ansible.builtin.fail: msg: Could not find route table for Destination peer when: connectivity_troubleshooter_peering__dst_peer_route_table_retry.route_tables | length == 0 - - name: Set 'routes' variable + - name: Set routes ansible.builtin.set_fact: connectivity_troubleshooter_peering__routes: "{{ connectivity_troubleshooter_peering__dst_peer_route_table_retry.route_tables.0.routes }}" diff --git a/roles/connectivity_troubleshooter_validate/tasks/main.yml b/roles/connectivity_troubleshooter_validate/tasks/main.yml index 2707915..2d3c7cd 100644 --- a/roles/connectivity_troubleshooter_validate/tasks/main.yml +++ b/roles/connectivity_troubleshooter_validate/tasks/main.yml @@ -1,7 +1,7 @@ --- # tasks file for roles/connectivity_troubleshooter_validate -- name: Run 'connectivity_troubleshooter_validate' role +- name: Run cloud.aws_troubleshooting.connectivity_troubleshooter_validate role block: - name: Fail when the IPv4 address of the resource you want to connect is not defined ansible.builtin.fail: 
@@ -23,15 +23,16 @@ msg: connectivity_troubleshooter_validate_source_ip and connectivity_troubleshooter_validate_destination_ip are same, kindly provide different values when: connectivity_troubleshooter_validate_source_ip == connectivity_troubleshooter_validate_destination_ip - - name: Set 'connectivity_troubleshooter_validate__filter_eni' variable + - name: Set connectivity_troubleshooter_validate__filter_eni variable ansible.builtin.set_fact: connectivity_troubleshooter_validate__filter_eni: { addresses.private-ip-address: "{{ connectivity_troubleshooter_validate_source_ip }}" } - - name: Set 'connectivity_troubleshooter_validate__filter_eni' variable + - name: Set connectivity_troubleshooter_validate__filter_eni variable ansible.builtin.set_fact: - connectivity_troubleshooter_validate__filter_eni: "{{ connectivity_troubleshooter_validate__filter_eni | combine({'vpc-id': connectivity_troubleshooter_validate_source_vpc}) }}" + connectivity_troubleshooter_validate__filter_eni: "{{ connectivity_troubleshooter_validate__filter_eni | combine({'vpc-id': connectivity_troubleshooter_validate_source_vpc}) + }}" when: connectivity_troubleshooter_validate_source_vpc | default('', true) | trim != '' - - name: Gather information about Source ENI + - name: Gather information about source ENI amazon.aws.ec2_eni_info: filters: "{{ connectivity_troubleshooter_validate__filter_eni }}" register: connectivity_troubleshooter_validate__describe_src_eni 
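Review bot: Both `set_fact` tasks in this hunk now carry the same name, `Set connectivity_troubleshooter_validate__filter_eni variable`, so a run log shows the task twice and it is not apparent that the second one conditionally adds the `vpc-id` filter. Naming the second one `- name: Add source VPC id to the ENI filter` describes what it does and keeps task names unique within the role.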
@@ -42,22 +43,23 @@ found when: connectivity_troubleshooter_validate__describe_src_eni['network_interfaces'] | length == 0 - - name: Set 'connectivity_troubleshooter_validate__src_subnet_id', 'connectivity_troubleshooter_validate__src_vpc_id', 'connectivity_troubleshooter_validate__src_security_groups' and 'connectivity_troubleshooter_validate__src_network_interface' variables + - name: Set source subnet id, VPC id, security groups and network interface ansible.builtin.set_fact: connectivity_troubleshooter_validate__src_subnet_id: "{{ connectivity_troubleshooter_validate__src_network_interface_info.subnet_id }}" connectivity_troubleshooter_validate__src_vpc_id: "{{ connectivity_troubleshooter_validate__src_network_interface_info.vpc_id }}" - connectivity_troubleshooter_validate__src_security_groups: "{{ connectivity_troubleshooter_validate__src_network_interface_info.groups | map(attribute='group_id') | list }}" + connectivity_troubleshooter_validate__src_security_groups: "{{ connectivity_troubleshooter_validate__src_network_interface_info.groups | map(attribute='group_id') + | list }}" connectivity_troubleshooter_validate__src_network_interface: "{{ connectivity_troubleshooter_validate__src_network_interface_info }}" vars: connectivity_troubleshooter_validate__src_network_interface_info: "{{ connectivity_troubleshooter_validate__describe_src_eni.network_interfaces.0 }}" - - name: Gather information about Source VPC route table + - name: Gather information about source VPC route table amazon.aws.ec2_vpc_route_table_info: filters: association.subnet-id: "{{ connectivity_troubleshooter_validate__src_subnet_id }}" register: connectivity_troubleshooter_validate__src_route_table - - name: Set 'connectivity_troubleshooter_validate__routes' variable + - name: Set routes ansible.builtin.set_fact: connectivity_troubleshooter_validate__routes: "{{ connectivity_troubleshooter_validate__src_route_table.route_tables.0.routes }}" when: 
connectivity_troubleshooter_validate__src_route_table.route_tables | length > 0 @@ -78,7 +80,7 @@ msg: Could not find route table for connectivity_troubleshooter_validate_source_ip when: connectivity_troubleshooter_validate__src_route_table_retry.route_tables | length == 0 - - name: Set 'connectivity_troubleshooter_validate__routes' variable + - name: Set routes ansible.builtin.set_fact: connectivity_troubleshooter_validate__routes: "{{ connectivity_troubleshooter_validate__src_route_table_retry.route_tables.0.routes }}" @@ -88,6 +90,6 @@ routes: "{{ connectivity_troubleshooter_validate__routes }}" register: connectivity_troubleshooter_validate__result_next_hop - - name: Set 'connectivity_troubleshooter_validate__next_hop' variable + - name: Set next hop ansible.builtin.set_fact: connectivity_troubleshooter_validate__next_hop: "{{ connectivity_troubleshooter_validate__result_next_hop.next_hop }}" diff --git a/roles/troubleshoot_rds_connectivity/tasks/get_ec2_instance_info.yml b/roles/troubleshoot_rds_connectivity/tasks/get_ec2_instance_info.yml index c733f29..9a05285 100644 --- a/roles/troubleshoot_rds_connectivity/tasks/get_ec2_instance_info.yml +++ b/roles/troubleshoot_rds_connectivity/tasks/get_ec2_instance_info.yml 
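Review bot: The `set_fact` in this hunk takes `connectivity_troubleshooter_validate__describe_src_eni.network_interfaces.0` after guarding only the zero-match case (`| length == 0` in the hunk's context), so when the private IP matches more than one network interface the role silently uses the first. Private IPs are unique only within a VPC, and the `vpc-id` filter is added only when `connectivity_troubleshooter_validate_source_vpc` is given (earlier hunk of this file), so in accounts with overlapping address space the rest of the evaluation can run against the wrong interface, subnet and security groups with no signal. A guard for the many-matches case that asks for the source VPC keeps the result trustworthy; the same `.network_interfaces.0` lookup without such a guard appears in the local role (`@@ -1,24 +1,25 @@`) and the peering role (`@@ -15,27 +15,27 @@`) hunks on this page. The enclosing `block:` starts outside this hunk.
```yaml
    # … unchanged: fail when no network interface was found (length == 0) …
    - name: Fail when the source IP matches more than one network interface
      ansible.builtin.fail:
        msg: >-
          {{ connectivity_troubleshooter_validate__describe_src_eni.network_interfaces | length }} network interfaces match
          connectivity_troubleshooter_validate_source_ip; set connectivity_troubleshooter_validate_source_vpc to select one
      when: connectivity_troubleshooter_validate__describe_src_eni.network_interfaces | length > 1
    # … unchanged: set_fact from network_interfaces.0 …
```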
@@ -10,13 +10,14 @@ msg: "EC2 instance not found with id: {{ troubleshoot_rds_connectivity_ec2_instance_id }}" when: troubleshoot_rds_connectivity__result.instances | length == 0 -- name: Set 'roubleshoot_rds_connectivity__ec2_security_group_ids', 'roubleshoot_rds_connectivity__ec2_subnet_id', 'roubleshoot_rds_connectivity__ec2_vpc_id' and 'roubleshoot_rds_connectivity__ec2_private_ip_addrs' variables +- name: Set 'roubleshoot_rds_connectivity__ec2_security_group_ids', 'roubleshoot_rds_connectivity__ec2_subnet_id', 'roubleshoot_rds_connectivity__ec2_vpc_id' and + 'roubleshoot_rds_connectivity__ec2_private_ip_addrs' variables ansible.builtin.set_fact: troubleshoot_rds_connectivity__ec2_security_group_ids: "{{ ec2_instance_info.security_groups | map(attribute='group_id') | list }}" troubleshoot_rds_connectivity__ec2_subnet_id: "{{ ec2_instance_info.subnet_id }}" troubleshoot_rds_connectivity__ec2_vpc_id: "{{ ec2_instance_info.vpc_id }}" - troubleshoot_rds_connectivity__ec2_private_ip_addrs: "{{ ec2_instance_info.network_interfaces | map(attribute='private_ip_addresses') | flatten | map(attribute='private_ip_address') | list\ - \ }}" + troubleshoot_rds_connectivity__ec2_private_ip_addrs: "{{ ec2_instance_info.network_interfaces | map(attribute='private_ip_addresses') | flatten | map(attribute='private_ip_address') + | list }}" vars: ec2_instance_info: "{{ troubleshoot_rds_connectivity__result.instances.0 }}" diff --git a/roles/troubleshoot_rds_connectivity/tasks/get_rds_instance_info.yml b/roles/troubleshoot_rds_connectivity/tasks/get_rds_instance_info.yml index 64ba1bf..4b1693a 100644 --- a/roles/troubleshoot_rds_connectivity/tasks/get_rds_instance_info.yml +++ b/roles/troubleshoot_rds_connectivity/tasks/get_rds_instance_info.yml 
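Review bot: The rewrapped task name in this hunk still lists the variables as `'roubleshoot_rds_connectivity__ec2_security_group_ids'` and so on, missing the leading `t` that the facts set directly below (`troubleshoot_rds_connectivity__ec2_security_group_ids`, `..._ec2_subnet_id`, `..._ec2_vpc_id`, `..._ec2_private_ip_addrs`) carry. Since the line is being touched anyway, correct the four names in the task name so that searching for a fact finds the task that sets it.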
@@ -14,7 +14,8 @@ msg: Bad DB instance status, expecting 'available', found '{{ troubleshoot_rds_connectivity__rds_info.instances.0.db_instance_status }}' when: troubleshoot_rds_connectivity__rds_info.instances.0.db_instance_status != "available" -- name: Set 'troubleshoot_rds_connectivity__rds_instance_endpoint_addr', 'troubleshoot_rds_connectivity__rds_instance_endpoint_port', 'troubleshoot_rds_connectivity__rds_instance_subnets', 'troubleshoot_rds_connectivity__rds_instance_vpc_id' and 'troubleshoot_rds_connectivity__rds_instance_vpc_security_groups' variables +- name: Set 'troubleshoot_rds_connectivity__rds_instance_endpoint_addr', 'troubleshoot_rds_connectivity__rds_instance_endpoint_port', 'troubleshoot_rds_connectivity__rds_instance_subnets', + 'troubleshoot_rds_connectivity__rds_instance_vpc_id' and 'troubleshoot_rds_connectivity__rds_instance_vpc_security_groups' variables ansible.builtin.set_fact: troubleshoot_rds_connectivity__rds_instance_endpoint_addr: "{{ rds_instance_info.endpoint.address }}" troubleshoot_rds_connectivity__rds_instance_endpoint_port: "{{ rds_instance_info.endpoint.port }}" diff --git a/tests/integration/targets/test_aws_setup_credentials/tasks/main.yml b/tests/integration/targets/test_aws_setup_credentials/tasks/main.yml index a08034d..7dc35fe 100644 --- a/tests/integration/targets/test_aws_setup_credentials/tasks/main.yml +++ b/tests/integration/targets/test_aws_setup_credentials/tasks/main.yml 
@@ -1,14 +1,16 @@ --- -- name: Test 'aws_setup_credentials' role +- name: Test cloud.aws_troubleshooting.aws_setup_credentials ansible.builtin.include_role: name: cloud.aws_troubleshooting.aws_setup_credentials vars: - aws_profile: default + aws_security_token: '{{ security_token | default(omit) }}' -- name: Ensure credentials contain only aws_profile key - ansible.builtin.assert: - that: - - aws_setup_credentials__output is defined - - aws_setup_credentials__output.keys() | length == 1 - - '"aws_profile" in aws_setup_credentials__output' - - aws_setup_credentials__output.aws_profile == 'default' +- name: Trying calling module using generating credentials + module_defaults: + group/aws: + "{{ aws_setup_credentials__output }}" + block: + - name: Get instances to be terminated + amazon.aws.ec2_instance_info: + filters: + instance-state-name: 'running' diff --git a/tests/integration/targets/test_connectivity_troubleshooter/tasks/setup_classic.yml b/tests/integration/targets/test_connectivity_troubleshooter/tasks/setup_classic.yml index a0c7c4c..2a9d512 100644 --- a/tests/integration/targets/test_connectivity_troubleshooter/tasks/setup_classic.yml +++ b/tests/integration/targets/test_connectivity_troubleshooter/tasks/setup_classic.yml @@ -38,7 +38,7 @@ subnets: - "{{ __subnet_private_public.results[0].subnet.id }}" routes: - - dest: 0.0.0.0/0 + - dest: "0.0.0.0/0" gateway_id: "{{ __create_igw.gateway_id }}" register: __route_table_public @@ -57,7 +57,7 @@ subnets: - "{{ __subnet_private_public.results[1].subnet.id }}" routes: - - dest: 0.0.0.0/0 + - dest: "0.0.0.0/0" gateway_id: "{{ __create_nat_gw.nat_gateway_id }}" register: __route_table_private 
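Review bot: The replacement test in this hunk drops the four assertions on `aws_setup_credentials__output` and now only checks that an `ec2_instance_info` call under `module_defaults` does not fail, so a role regression that emits a well-formed but wrong credential map is no longer caught as long as the ambient environment can still authenticate. Keeping an `ansible.builtin.assert` with at least `aws_setup_credentials__output is defined` and, when `security_token` is set, that the key the role derives from `aws_security_token` is present would retain a check on the role's own output rather than on the surrounding account. The task name `Get instances to be terminated` is misleading for a read-only describe call; `- name: Call an AWS module with the generated credentials` says what it does.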
@@ -71,24 +71,24 @@ - proto: udp from_port: 12345 to_port: 12345 - cidr_ip: 0.0.0.0/0 + cidr_ip: "0.0.0.0/0" - proto: tcp from_port: 22 to_port: 22 - cidr_ip: 0.0.0.0/0 + cidr_ip: "0.0.0.0/0" - proto: tcp from_port: 443 to_port: 443 - cidr_ip: 0.0.0.0/0 + cidr_ip: "0.0.0.0/0" - proto: tcp from_port: 80 to_port: 80 - cidr_ip: 0.0.0.0/0 + cidr_ip: "0.0.0.0/0" rules_egress: - proto: tcp from_port: 80 to_port: 80 - cidr_ip: 0.0.0.0/0 + cidr_ip: "0.0.0.0/0" register: __security_group_in - name: Create public Security Group @@ -101,19 +101,19 @@ - proto: udp from_port: 12345 to_port: 12345 - cidr_ip: 0.0.0.0/0 + cidr_ip: "0.0.0.0/0" - proto: tcp from_port: 22 to_port: 22 - cidr_ip: 0.0.0.0/0 + cidr_ip: "0.0.0.0/0" - proto: tcp from_port: 443 to_port: 443 - cidr_ip: 0.0.0.0/0 + cidr_ip: "0.0.0.0/0" - proto: tcp from_port: 80 to_port: 80 - cidr_ip: 0.0.0.0/0 + cidr_ip: "0.0.0.0/0" - proto: tcp from_port: 3128 to_port: 3128 diff --git a/tests/integration/targets/test_connectivity_troubleshooter/tasks/setup_destination_peering.yml b/tests/integration/targets/test_connectivity_troubleshooter/tasks/setup_destination_peering.yml index f367e4e..e7fe3e1 100644 --- a/tests/integration/targets/test_connectivity_troubleshooter/tasks/setup_destination_peering.yml +++ b/tests/integration/targets/test_connectivity_troubleshooter/tasks/setup_destination_peering.yml @@ -74,7 +74,7 @@ routes: - dest: "{{ vpc_1_subnet_cidr_1 }}" vpc_peering_connection_id: "{{ __create_vpc_peering.peering_id }}" - - dest: 0.0.0.0/0 + - dest: "0.0.0.0/0" gateway_id: "{{ __create_igw.gateway_id }}" register: __route_table_in @@ -88,15 +88,15 @@ - proto: udp from_port: 12345 to_port: 12345 - cidr_ip: 0.0.0.0/0 + cidr_ip: "0.0.0.0/0" - proto: tcp from_port: 22 to_port: 22 - cidr_ip: 0.0.0.0/0 + cidr_ip: "0.0.0.0/0" - proto: tcp from_port: 443 to_port: 443 - cidr_ip: 0.0.0.0/0 + cidr_ip: "0.0.0.0/0" register: __security_group_in - name: Out Security Group 
@@ -109,15 +109,15 @@ - proto: udp from_port: 12345 to_port: 12345 - cidr_ip: 0.0.0.0/0 + cidr_ip: "0.0.0.0/0" - proto: tcp from_port: 22 to_port: 22 - cidr_ip: 0.0.0.0/0 + cidr_ip: "0.0.0.0/0" - proto: tcp from_port: 443 to_port: 443 - cidr_ip: 0.0.0.0/0 + cidr_ip: "0.0.0.0/0" - proto: tcp from_port: 3128 to_port: 3128 diff --git a/tox.ini b/tox.ini index 3640c0a..f8e4adf 100644 --- a/tox.ini +++ b/tox.ini @@ -6,20 +6,18 @@ skipsdist = True deps = -r{toxinidir}/requirements.txt -r{toxinidir}/test-requirements.txt install_command = pip install {opts} {packages} -setenv = - LC_ALL=C.UTF-8 [testenv:black] deps = - black >= 22.0, < 23.0 + black >= 23.0, < 24.0 commands = black {toxinidir}/plugins {toxinidir}/tests [testenv:ansible-lint] deps = - ansible-lint>=6.7.0 -commands = ansible-lint --profile production --format pep8 --nocolor --strict --write {toxinidir}/roles {toxinidir}/tests + ansible-lint==6.16.0 +commands = ansible-linters [testenv:linters] deps = From d4970c527686cc787a23df62d7b0f52bc37aec78 Mon Sep 17 00:00:00 2001 From: Alina Buzachis Date: Mon, 14 Aug 2023 15:22:00 +0200 Subject: [PATCH 07/15] Exclude python 3.9 testing on devel and milestone Signed-off-by: Alina Buzachis --- .github/workflows/linters.yml | 36 ++++++------------- .github/workflows/sanity.yml | 15 ++++---- requirements.txt | 0 .../tasks/main.yml | 12 +++---- .../tasks/main.yml | 6 ++-- .../tasks/main.yml | 12 +++---- .../tasks/main.yml | 10 +++--- .../tasks/main.yml | 6 ++-- .../tasks/main.yml | 17 ++++----- .../tasks/get_ec2_instance_info.yml | 3 +- .../tasks/get_rds_instance_info.yml | 4 +-- tox.ini | 4 +-- 12 files changed, 56 insertions(+), 69 deletions(-) delete mode 100644 requirements.txt diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml index 31388fc..e71cbdb 100644 --- a/.github/workflows/linters.yml +++ b/.github/workflows/linters.yml 
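Review bot: `commands = ansible-linters` in the `[testenv:ansible-lint]` section does not name an executable that the pinned `ansible-lint==6.16.0` provides (its entry point is `ansible-lint`), so the env presumably fails at its first command; it reads like a truncated edit of the previous invocation. Restoring the explicit call, `commands = ansible-lint --profile production --format pep8 --nocolor --strict {toxinidir}/roles {toxinidir}/tests`, keeps the lint scope, and leaving out the old `--write` flag means a lint run reports problems instead of rewriting role and test files in place, which is the safer behaviour for something CI executes. Removing `setenv = LC_ALL=C.UTF-8` changes the locale for every env that inherited it, if it sat in the base `[testenv]`; if that was deliberate, a line in the commit message saying why would help.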
@@ -1,35 +1,21 @@ --- name: Linters -'on': +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +on: push: - branches: - - main pull_request: - branches: - - main jobs: - linters: + uses: ansible-network/github_actions/.github/workflows/tox-linters.yml@main + ansible-lint: + name: Ansible Lint runs-on: ubuntu-latest - strategy: - matrix: - python_version: ['3.8'] steps: - - name: Check out code - uses: actions/checkout@v2 + - uses: ansible-network/github_actions/.github/actions/checkout_dependency@main - - name: Set up Python ${{ matrix.python_version }} - uses: actions/setup-python@v2 - with: - python-version: ${{ matrix.python_version }} - - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install tox - - name: Test with tox - run: tox -e linters -vv - - ansible-lint: - uses: ansible-network/github_actions/.github/workflows/ansible-lint.yml@main + - name: Run ansible-lint + uses: ansible/ansible-lint@v6.17.2 diff --git a/.github/workflows/sanity.yml b/.github/workflows/sanity.yml index 02af4d6..c82cad5 100644 --- a/.github/workflows/sanity.yml +++ b/.github/workflows/sanity.yml @@ -5,13 +5,6 @@ concurrency: on: pull_request: - types: - - opened - - reopened - - labeled - - unlabeled - - synchronize - - closed branches: - main - stable-* @@ -68,6 +61,10 @@ jobs: "ansible-version": "milestone", "python-version": "3.8" }, + { + "ansible-version": "milestone", + "python-version": "3.9" + }, { "ansible-version": "devel", "python-version": "3.7" @@ -75,6 +72,10 @@ jobs: { "ansible-version": "devel", "python-version": "3.8" + }, + { + "ansible-version": "devel", + "python-version": "3.9" } ] all_green: diff --git a/requirements.txt b/requirements.txt deleted file mode 100644 index e69de29..0000000 diff --git a/roles/connectivity_troubleshooter/tasks/main.yml b/roles/connectivity_troubleshooter/tasks/main.yml index cc72943..775c5a5 100644 --- a/roles/connectivity_troubleshooter/tasks/main.yml 
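Review bot: On the new side, `uses: ansible-network/github_actions/.github/workflows/tox-linters.yml@main` appears directly under `jobs:` with the `linters:` job key removed, and a reusable-workflow `uses` is only valid inside a job, so as printed the workflow would not validate; the intended shape is presumably `linters:` followed by `  uses: ansible-network/github_actions/.github/workflows/tox-linters.yml@main` (indentation is lost in this rendering, so confirm against the file). Separately, both the reusable workflow and the `checkout_dependency` composite action are referenced at `@main`, a moving ref in another repository; anything pushed to that branch runs here with this workflow's token, so pinning them to a full commit SHA is the usual hardening (`ansible/ansible-lint@v6.17.2` at least pins a tag). The workflow also declares no `permissions:`; `permissions: contents: read` at the top level gives the jobs the least the linters need.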
+++ b/roles/connectivity_troubleshooter/tasks/main.yml @@ -1,11 +1,11 @@ --- # tasks file for roles/connectivity_troubleshooter -- name: Run cloud.aws_troubleshooting.connectivity_troubleshooter +- name: Run 'cloud.aws_troubleshooting.connectivity_troubleshooter' role module_defaults: group/aws: "{{ aws_setup_credentials__output }}" block: - - name: Include cloud.aws_troubleshooting.connectivity_troubleshooter_validate role + - name: Include 'cloud.aws_troubleshooting.connectivity_troubleshooter_validate' role ansible.builtin.include_role: name: cloud.aws_troubleshooting.connectivity_troubleshooter_validate vars: @@ -20,7 +20,7 @@ when: connectivity_troubleshooter_validate__next_hop != 'local' and not connectivity_troubleshooter_validate__next_hop.startswith('nat-') and not connectivity_troubleshooter_validate__next_hop.startswith('igw-') and not connectivity_troubleshooter_validate__next_hop.startswith('pcx-') - - name: Include cloud.aws_troubleshooting.connectivity_troubleshooter_local role + - name: Include 'cloud.aws_troubleshooting.connectivity_troubleshooter_local' role ansible.builtin.include_role: name: cloud.aws_troubleshooting.connectivity_troubleshooter_local vars: @@ -31,7 +31,7 @@ connectivity_troubleshooter_local_source_port_range: "{{ connectivity_troubleshooter_source_port_range }}" when: "'local' == connectivity_troubleshooter_validate__next_hop" - - name: Include cloud.aws_troubleshooting.connectivity_troubleshooter_igw role + - name: Include 'cloud.aws_troubleshooting.connectivity_troubleshooter_igw' role ansible.builtin.include_role: name: cloud.aws_troubleshooting.connectivity_troubleshooter_igw vars: 
@@ -43,7 +43,7 @@ connectivity_troubleshooter_igw_source_port_range: "{{ connectivity_troubleshooter_source_port_range }}" when: "'igw-' in connectivity_troubleshooter_validate__next_hop" - - name: Include cloud.aws_troubleshooting.connectivity_troubleshooter_nat role + - name: Include 'cloud.aws_troubleshooting.connectivity_troubleshooter_nat' role ansible.builtin.include_role: name: cloud.aws_troubleshooting.connectivity_troubleshooter_nat vars: @@ -53,7 +53,7 @@ connectivity_troubleshooter_nat_source_port_range: "{{ connectivity_troubleshooter_source_port_range }}" when: "'nat-' in connectivity_troubleshooter_validate__next_hop" - - name: Include cloud.aws_troubleshooting.connectivity_troubleshooter_peering role + - name: Include 'cloud.aws_troubleshooting.connectivity_troubleshooter_peering' role ansible.builtin.include_role: name: cloud.aws_troubleshooting.connectivity_troubleshooter_peering vars: diff --git a/roles/connectivity_troubleshooter_igw/tasks/main.yml b/roles/connectivity_troubleshooter_igw/tasks/main.yml index 1a8a997..5991656 100644 --- a/roles/connectivity_troubleshooter_igw/tasks/main.yml +++ b/roles/connectivity_troubleshooter_igw/tasks/main.yml @@ -1,6 +1,6 @@ --- # tasks file for roles/connectivity_troubleshooter_igw -- name: Run cloud.aws_troubleshooting.connectivity_troubleshooter_igw role +- name: Run 'cloud.aws_troubleshooting.connectivity_troubleshooter_igw' role block: - name: Fail when next hop type is not supported by this role ansible.legacy.fail: 
@@ -21,9 +21,9 @@ - "{{ src_subnet_id }}" register: connectivity_troubleshooter_igw__src_subnet_nacls - - name: Set source subnet NACLs + - name: Set 'connectivity_troubleshooter_igw__src_subnet_nacls' variable ansible.legacy.set_fact: - connectivity_troubleshooter_igw__src_subnet_nacls: "{{ src_subnet_nacls | d([]) + [dict(connectivity_troubleshooter_igw__keys | zip(connectivity_troubleshooter_igw__vals))] + connectivity_troubleshooter_igw__src_subnet_nacls: "{{ connectivity_troubleshooter_igw__src_subnet_nacls | d([]) + [dict(connectivity_troubleshooter_igw__keys | zip(connectivity_troubleshooter_igw__vals))] }}" loop: "{{ connectivity_troubleshooter_igw__src_subnet_nacls.nacls }}" vars: diff --git a/roles/connectivity_troubleshooter_local/tasks/main.yml b/roles/connectivity_troubleshooter_local/tasks/main.yml index c4a323c..32efc4f 100644 --- a/roles/connectivity_troubleshooter_local/tasks/main.yml +++ b/roles/connectivity_troubleshooter_local/tasks/main.yml @@ -1,7 +1,7 @@ --- # tasks file for roles/connectivity_troubleshooter_local -- name: Run cloud.aws_troubleshooting.connectivity_troubleshooter_local role +- name: Run 'cloud.aws_troubleshooting.connectivity_troubleshooter_local' role block: - name: Fail when next hop type is not supported by this role ansible.builtin.fail: @@ -14,7 +14,7 @@ addresses.private-ip-address: "{{ connectivity_troubleshooter_local_destination_ip }}" register: connectivity_troubleshooter_local__describe_dst_eni - - name: Set destination VPC id, subnet id and security groups + - name: Set 'connectivity_troubleshooter_local__dst_vpc_id', 'connectivity_troubleshooter_local__dst_subnet_id' and 'connectivity_troubleshooter_local__dst_security_groups' variables ansible.builtin.set_fact: connectivity_troubleshooter_local__dst_vpc_id: "{{ connectivity_troubleshooter_local__dst_network_interface_info.vpc_id }}" connectivity_troubleshooter_local__dst_subnet_id: "{{ connectivity_troubleshooter_local__dst_network_interface_info.subnet_id }}" 
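Review bot: The `set_fact` accumulator in this hunk, `connectivity_troubleshooter_igw__src_subnet_nacls | d([]) + [...]`, now reads the same name that the preceding `register:` line already filled with the module result, so on the first loop iteration the `d([])` default never applies and the expression adds a list to the registered dict, which will most likely fail the task with a templating type error (the `loop:` value is templated once before iteration, so `.nacls` itself is fine). The local role in this series keeps the two apart (`register: ..._network_acls_info` feeding a separate `..._src_network_acls_info` fact); the same split here would be `register: connectivity_troubleshooter_igw__src_subnet_nacls_info` and `loop: "{{ connectivity_troubleshooter_igw__src_subnet_nacls_info.nacls }}"`, with the fact keeping its current name. The old expression read an unset `src_subnet_nacls`, so the accumulated list was never actually built before either. The task that registers the result starts outside the hunk.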
@@ -47,14 +47,14 @@ register: connectivity_troubleshooter_local__dst_security_groups_info with_items: "{{ connectivity_troubleshooter_local__dst_security_groups }}" - - name: Set source and destination security groups info + - name: Set 'connectivity_troubleshooter_local__src_security_groups_info' and 'connectivity_troubleshooter_local__dst_security_groups_info' variables ansible.builtin.set_fact: connectivity_troubleshooter_local__src_security_groups_info: "{{ connectivity_troubleshooter_local__src_security_groups_info.results | sum(attribute='security_groups', start=[]) }}" connectivity_troubleshooter_local__dst_security_groups_info: "{{ connectivity_troubleshooter_local__dst_security_groups_info.results | sum(attribute='security_groups', start=[]) }}" - - name: Set security groups info + - name: Set 'connectivity_troubleshooter_local__security_groups_info' variable ansible.builtin.set_fact: connectivity_troubleshooter_local__security_groups_info: "{{ connectivity_troubleshooter_local__security_groups_info | default([]) + item.security_groups }}" @@ -79,7 +79,7 @@ - "{{ src_subnet_id }}" register: connectivity_troubleshooter_local__network_acls_info - - name: Set source NACLs info + - name: Set 'connectivity_troubleshooter_local__src_network_acls_info' variable ansible.builtin.set_fact: connectivity_troubleshooter_local__src_network_acls_info: "{{ connectivity_troubleshooter_local__src_network_acls_info | d([]) + [dict(_keys | zip(_vals))] }}" @@ -95,7 +95,7 @@ - "{{ dst_subnet_id }}" register: connectivity_troubleshooter_local__network_acls_info - - name: Set destination NACLs info + - name: Set 'connectivity_troubleshooter_local__dst_network_acls_info' variable ansible.builtin.set_fact: connectivity_troubleshooter_local__dst_network_acls_info: "{{ connectivity_troubleshooter_local__dst_network_acls_info | d([]) + [dict(connectivity_troubleshooter_local__keys | zip(connectivity_troubleshooter_local__vals))] }}" 
diff --git a/roles/connectivity_troubleshooter_nat/tasks/main.yml b/roles/connectivity_troubleshooter_nat/tasks/main.yml index a492af9..a429b40 100644 --- a/roles/connectivity_troubleshooter_nat/tasks/main.yml +++ b/roles/connectivity_troubleshooter_nat/tasks/main.yml @@ -1,7 +1,7 @@ --- # tasks file for roles/connectivity_troubleshooter_nat -- name: Run cloud.aws_troubleshooting.connectivity_troubleshooter_nat role +- name: Run 'cloud.aws_troubleshooting.connectivity_troubleshooter_nat' role block: - name: Fail when next hop type is not supported by this role ansible.builtin.fail: @@ -14,7 +14,7 @@ nat-gateway-id: "{{ connectivity_troubleshooter_validate__next_hop }}" register: connectivity_troubleshooter_nat__describe_nat_gw - - name: Set NAT subnet id and NAT VPC id + - name: Set 'connectivity_troubleshooter_nat__nat_subnet_id' and 'connectivity_troubleshooter_nat__nat_vpc_id' variables ansible.builtin.set_fact: connectivity_troubleshooter_nat__nat_subnet_id: "{{ connectivity_troubleshooter_nat__nat_gw_info.subnet_id }}" connectivity_troubleshooter_nat__nat_vpc_id: "{{ connectivity_troubleshooter_nat__nat_gw_info.vpc_id }}" @@ -27,7 +27,7 @@ association.subnet-id: "{{ connectivity_troubleshooter_nat__describe_nat_gwnat_subnet_id }}" register: connectivity_troubleshooter_nat__nat_network_acls_info - - name: Set NAT NACLs + - name: Set 'connectivity_troubleshooter_nat__nat_network_acls' variable ansible.builtin.set_fact: connectivity_troubleshooter_nat__nat_network_acls: "{{ connectivity_troubleshooter_nat__nat_network_acls | d([]) + [dict(connectivity_troubleshooter_nat__keys | zip(connectivity_troubleshooter_nat__vals))] }}" 
@@ -43,7 +43,7 @@ - "{{ connectivity_troubleshooter_nat__nat_subnet_id }}" register: connectivity_troubleshooter_nat__nat_route_table - - name: Set NAT routes + - name: Set 'connectivity_troubleshooter_nat__nat_routes' variable ansible.builtin.set_fact: connectivity_troubleshooter_nat__nat_routes: "{{ connectivity_troubleshooter_nat__nat_route_table.route_tables.0.routes }}" when: connectivity_troubleshooter_nat__nat_route_table.route_tables | length > 0 @@ -64,7 +64,7 @@ msg: Could not find route table for NAT Gateway when: connectivity_troubleshooter_nat__nat_route_table_retry.route_tables | length == 0 - - name: Set NAT routest + - name: Set 'connectivity_troubleshooter_nat__nat_routes' variable ansible.builtin.set_fact: connectivity_troubleshooter_nat__nat_routes: "{{ connectivity_troubleshooter_nat__nat_route_table_retry.route_tables.0.routes }}" diff --git a/roles/connectivity_troubleshooter_peering/tasks/main.yml b/roles/connectivity_troubleshooter_peering/tasks/main.yml index 35897e6..cded0ca 100644 --- a/roles/connectivity_troubleshooter_peering/tasks/main.yml +++ b/roles/connectivity_troubleshooter_peering/tasks/main.yml @@ -21,7 +21,7 @@ addresses.private-ip-address: "{{ connectivity_troubleshooter_peering_destination_ip }}" register: connectivity_troubleshooter_peering__dst_peer_eni - - name: Set destination peer VPC id and subnet id + - name: Set 'connectivity_troubleshooter_peering__dst_peer_vpc_id' and 'connectivity_troubleshooter_peering__dst_peer_subnet_id' variables ansible.builtin.set_fact: connectivity_troubleshooter_peering__dst_peer_vpc_id: "{{ connectivity_troubleshooter_peering__dst_peer_eni_info.vpc_id }}" connectivity_troubleshooter_peering__dst_peer_subnet_id: "{{ connectivity_troubleshooter_peering__dst_peer_eni_info.subnet_id }}" 
@@ -35,7 +35,7 @@ - "{{ connectivity_troubleshooter_peering__dst_peer_subnet_id }}" register: connectivity_troubleshooter_peering__dst_peer_route_table - - name: Set routes + - name: Set 'connectivity_troubleshooter_validate__routes' variable ansible.builtin.set_fact: connectivity_troubleshooter_validate__routes: "{{ connectivity_troubleshooter_peering__dst_peer_route_table.route_tables.0.routes }}" when: connectivity_troubleshooter_peering__dst_peer_route_table.route_tables | length > 0 @@ -56,7 +56,7 @@ msg: Could not find route table for Destination peer when: connectivity_troubleshooter_peering__dst_peer_route_table_retry.route_tables | length == 0 - - name: Set routes + - name: Set 'connectivity_troubleshooter_peering__routes' variable ansible.builtin.set_fact: connectivity_troubleshooter_peering__routes: "{{ connectivity_troubleshooter_peering__dst_peer_route_table_retry.route_tables.0.routes }}" diff --git a/roles/connectivity_troubleshooter_validate/tasks/main.yml b/roles/connectivity_troubleshooter_validate/tasks/main.yml index 2d3c7cd..7ead125 100644 --- a/roles/connectivity_troubleshooter_validate/tasks/main.yml +++ b/roles/connectivity_troubleshooter_validate/tasks/main.yml @@ -1,7 +1,7 @@ --- # tasks file for roles/connectivity_troubleshooter_validate -- name: Run cloud.aws_troubleshooting.connectivity_troubleshooter_validate role +- name: Run 'cloud.aws_troubleshooting.connectivity_troubleshooter_validate' role block: - name: Fail when the IPv4 address of the resource you want to connect is not defined ansible.builtin.fail: 
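Review bot: The renamed task in the first hunk now states outright that the peering role's primary path writes `connectivity_troubleshooter_validate__routes`, the validate role's own variable, while the retry path in the second hunk writes `connectivity_troubleshooter_peering__routes`; a consumer of the peering routes therefore sees a different variable depending on which branch ran, and the validate role's routes are overwritten in the common case. Unless something outside these hunks depends on that, the first `set_fact` should use the role-prefixed name, `connectivity_troubleshooter_peering__routes: "{{ connectivity_troubleshooter_peering__dst_peer_route_table.route_tables.0.routes }}"`, with the task name updated to match. The tasks that consume the routes are outside the hunk.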
@@ -18,15 +18,16 @@ msg: The private IPv4 address of the AWS resource in your Amazon VPC you want to test connectivity from must be defined as connectivity_troubleshooter_validate_source_ip when: connectivity_troubleshooter_validate_source_ip is not defined - - name: Fail when connectivity_troubleshooter_validate_source_ip and connectivity_troubleshooter_validate_destination_ip coincide + - name: Fail when 'connectivity_troubleshooter_validate_source_ip' and 'connectivity_troubleshooter_validate_destination_ip' coincide ansible.builtin.fail: msg: connectivity_troubleshooter_validate_source_ip and connectivity_troubleshooter_validate_destination_ip are same, kindly provide different values when: connectivity_troubleshooter_validate_source_ip == connectivity_troubleshooter_validate_destination_ip - - name: Set connectivity_troubleshooter_validate__filter_eni variable + - name: Set 'connectivity_troubleshooter_validate__filter_eni' variable ansible.builtin.set_fact: connectivity_troubleshooter_validate__filter_eni: { addresses.private-ip-address: "{{ connectivity_troubleshooter_validate_source_ip }}" } - - name: Set connectivity_troubleshooter_validate__filter_eni variable + + - name: Set 'connectivity_troubleshooter_validate__filter_eni' variable ansible.builtin.set_fact: connectivity_troubleshooter_validate__filter_eni: "{{ connectivity_troubleshooter_validate__filter_eni | combine({'vpc-id': connectivity_troubleshooter_validate_source_vpc}) }}" 
@@ -43,7 +44,7 @@ found when: connectivity_troubleshooter_validate__describe_src_eni['network_interfaces'] | length == 0 - - name: Set source subnet id, VPC id, security groups and network interface + - name: Set 'connectivity_troubleshooter_validate__src_subnet_id', 'connectivity_troubleshooter_validate__src_vpc_id', 'connectivity_troubleshooter_validate__src_security_groups' and 'connectivity_troubleshooter_validate__src_network_interface' variables ansible.builtin.set_fact: connectivity_troubleshooter_validate__src_subnet_id: "{{ connectivity_troubleshooter_validate__src_network_interface_info.subnet_id }}" connectivity_troubleshooter_validate__src_vpc_id: "{{ connectivity_troubleshooter_validate__src_network_interface_info.vpc_id }}" @@ -59,7 +60,7 @@ association.subnet-id: "{{ connectivity_troubleshooter_validate__src_subnet_id }}" register: connectivity_troubleshooter_validate__src_route_table - - name: Set routes + - name: Set 'connectivity_troubleshooter_validate__routes' variable ansible.builtin.set_fact: connectivity_troubleshooter_validate__routes: "{{ connectivity_troubleshooter_validate__src_route_table.route_tables.0.routes }}" when: connectivity_troubleshooter_validate__src_route_table.route_tables | length > 0 @@ -80,7 +81,7 @@ msg: Could not find route table for connectivity_troubleshooter_validate_source_ip when: connectivity_troubleshooter_validate__src_route_table_retry.route_tables | length == 0 - - name: Set routes + - name: Set 'connectivity_troubleshooter_validate__routes' variable ansible.builtin.set_fact: connectivity_troubleshooter_validate__routes: "{{ connectivity_troubleshooter_validate__src_route_table_retry.route_tables.0.routes }}" 
@@ -90,6 +91,6 @@ routes: "{{ connectivity_troubleshooter_validate__routes }}" register: connectivity_troubleshooter_validate__result_next_hop - - name: Set next hop + - name: Set 'connectivity_troubleshooter_validate__next_hop' variable ansible.builtin.set_fact: connectivity_troubleshooter_validate__next_hop: "{{ connectivity_troubleshooter_validate__result_next_hop.next_hop }}" diff --git a/roles/troubleshoot_rds_connectivity/tasks/get_ec2_instance_info.yml b/roles/troubleshoot_rds_connectivity/tasks/get_ec2_instance_info.yml index 9a05285..b1edfe1 100644 --- a/roles/troubleshoot_rds_connectivity/tasks/get_ec2_instance_info.yml +++ b/roles/troubleshoot_rds_connectivity/tasks/get_ec2_instance_info.yml @@ -10,8 +10,7 @@ msg: "EC2 instance not found with id: {{ troubleshoot_rds_connectivity_ec2_instance_id }}" when: troubleshoot_rds_connectivity__result.instances | length == 0 -- name: Set 'roubleshoot_rds_connectivity__ec2_security_group_ids', 'roubleshoot_rds_connectivity__ec2_subnet_id', 'roubleshoot_rds_connectivity__ec2_vpc_id' and - 'roubleshoot_rds_connectivity__ec2_private_ip_addrs' variables +- name: Set EC2 security group ids, EC2 subnetid, EC2 VPC id and EC2 private IPs ansible.builtin.set_fact: troubleshoot_rds_connectivity__ec2_security_group_ids: "{{ ec2_instance_info.security_groups | map(attribute='group_id') | list }}" troubleshoot_rds_connectivity__ec2_subnet_id: "{{ ec2_instance_info.subnet_id }}" diff --git a/roles/troubleshoot_rds_connectivity/tasks/get_rds_instance_info.yml b/roles/troubleshoot_rds_connectivity/tasks/get_rds_instance_info.yml index 4b1693a..3cfb8ed 100644 --- a/roles/troubleshoot_rds_connectivity/tasks/get_rds_instance_info.yml +++ b/roles/troubleshoot_rds_connectivity/tasks/get_rds_instance_info.yml 
@@ -14,7 +14,7 @@ msg: Bad DB instance status, expecting 'available', found '{{ troubleshoot_rds_connectivity__rds_info.instances.0.db_instance_status }}' when: troubleshoot_rds_connectivity__rds_info.instances.0.db_instance_status != "available" -- name: Set 'troubleshoot_rds_connectivity__rds_instance_endpoint_addr', 'troubleshoot_rds_connectivity__rds_instance_endpoint_port', 'troubleshoot_rds_connectivity__rds_instance_subnets', +- name: Set RDS instance endpoint address, RDS instance endpoint port, and RDS instance subnets 'troubleshoot_rds_connectivity__rds_instance_vpc_id' and 'troubleshoot_rds_connectivity__rds_instance_vpc_security_groups' variables ansible.builtin.set_fact: troubleshoot_rds_connectivity__rds_instance_endpoint_addr: "{{ rds_instance_info.endpoint.address }}" @@ -37,7 +37,7 @@ subnet_ids: "{{ troubleshoot_rds_connectivity__rds_instance_subnets }}" register: troubleshoot_rds_connectivity__rds_subnets_info -- name: Set 'troubleshoot_rds_connectivity__rds_subnets_cidrs' variable +- name: Set RDS subnets cidrs ansible.builtin.set_fact: troubleshoot_rds_connectivity__rds_subnets_cidrs: "{{ troubleshoot_rds_connectivity__rds_subnets_info.subnets | map(attribute='cidr_block') | list }}" diff --git a/tox.ini b/tox.ini index f8e4adf..c849b3f 100644 --- a/tox.ini +++ b/tox.ini @@ -16,8 +16,8 @@ commands = [testenv:ansible-lint] deps = - ansible-lint==6.16.0 -commands = ansible-linters + ansible-lint==6.17.2 +commands = ansible-lint --profile production --format pep8 --nocolor --strict --write {toxinidir}/roles {toxinidir}/tests [testenv:linters] deps = From 4bae40876796f680ba7441016028f2c556749f27 Mon Sep 17 00:00:00 2001 From: Alina Buzachis Date: Tue, 15 Aug 2023 15:15:13 +0200 Subject: [PATCH 08/15] Add empty requirements.txt Signed-off-by: Alina Buzachis --- requirements.txt | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 requirements.txt 
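Review bot: The replaced `- name:` line in the first get_rds_instance_info.yml hunk rewrites only the first line of a two-line task name, so the continuation that follows as context still reads `'troubleshoot_rds_connectivity__rds_instance_vpc_id' and 'troubleshoot_rds_connectivity__rds_instance_vpc_security_groups' variables` and the rendered task name mixes both wordings. Either drop the continuation and finish the new wording, e.g. `- name: Set RDS instance endpoint address and port, subnets, VPC id and VPC security groups`, or keep the explicit variable list that the validate and local roles use elsewhere in this series. The get_ec2_instance_info.yml hunk on the previous line replaced both lines, but its new name spells `subnetid`.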
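Review bot: The new `commands =` line in the tox.ini hunk runs ansible-lint with `--write`, which makes the lint environment rewrite files under roles/ and tests/ in place; in CI the modified tree is discarded, and on a developer machine `tox -e ansible-lint` silently edits the working copy. A lint env is expected to report, not modify, so either drop `--write` here and keep an opt-in fixer env, or at least document the behavior with `# --write: auto-fixes in place, review the diff before committing` above the line.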
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..e69de29
From d0554068031a2b4705735058232c89140528119e Mon Sep 17 00:00:00 2001
From: Alina Buzachis
Date: Tue, 15 Aug 2023 16:01:20 +0200
Subject: [PATCH 09/15] add tests/config.yml and split long text line
Signed-off-by: Alina Buzachis
---
plugins/modules/eval_network_acls.py | 3 ++-
requirements.txt | 0
tests/config.yml | 2 ++
3 files changed, 4 insertions(+), 1 deletion(-)
delete mode 100644 requirements.txt
create mode 100644 tests/config.yml
diff --git a/plugins/modules/eval_network_acls.py b/plugins/modules/eval_network_acls.py
index 7888f81..bf6e445 100644
--- a/plugins/modules/eval_network_acls.py
+++ b/plugins/modules/eval_network_acls.py
@@ -296,7 +296,8 @@ def check_ingress_acls(acls, src_ip, dst_port):
 return True
 else:
 self.fail_json(
- msg="Destination Subnet Network Acl Ingress Rules do not allow inbound traffic from source: {0} towards destination port {1}".format(
+ msg="Destination Subnet Network Acl Ingress Rules do not allow inbound traffic from source: {0} \
+ towards destination port {1}".format(
 self.src_ip, str(self.dst_port)
 )
 )
diff --git a/requirements.txt b/requirements.txt
deleted file mode 100644
index e69de29..0000000
diff --git a/tests/config.yml b/tests/config.yml
new file mode 100644
index 0000000..faff92e
--- /dev/null
+++ b/tests/config.yml
@@ -0,0 +1,2 @@
+modules:
+ python_requires: '>=3.6'
From 648a205bb03c2e8f6e424a89b04ffcd99725c10e Mon Sep 17 00:00:00 2001
From: Alina Buzachis
Date: Tue, 15 Aug 2023 16:58:02 +0200
Subject: [PATCH 10/15] Just a test
Signed-off-by: Alina Buzachis
---
.github/workflows/linters.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
index e71cbdb..57d70be 100644
--- a/.github/workflows/linters.yml
+++ b/.github/workflows/linters.yml
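Review bot: The backslash-newline added inside the string literal in the eval_network_acls.py hunk keeps the next line's leading indentation as part of the message, so the error emitted by `self.fail_json` contains a run of spaces between `{0}` and `towards`. Adjacent-literal concatenation satisfies the line-length rule without that artifact: `msg="Destination Subnet Network Acl Ingress Rules do not allow inbound traffic from source: {0} "` followed by `"towards destination port {1}".format(self.src_ip, str(self.dst_port))`. The `else:` after `return True` in the same lines is the shape the first patch of this series flattened in eval_nat_network_acls.py, so the same flattening would keep the two modules consistent. The enclosing `check_ingress_acls` starts outside the hunk.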
@@ -18,4 +18,6 @@ jobs:
 - uses: ansible-network/github_actions/.github/actions/checkout_dependency@main
 - name: Run ansible-lint
- uses: ansible/ansible-lint@v6.17.2
+ uses: ansible/ansible-lint@main
+ with:
+ args: "--profile production"
From 74db396d471a425a1791ba27b17d2f851dcd182e Mon Sep 17 00:00:00 2001
From: Alina Buzachis
Date: Tue, 15 Aug 2023 17:16:07 +0200
Subject: [PATCH 11/15] Revert
Signed-off-by: Alina Buzachis
---
.github/workflows/linters.yml | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
index 57d70be..e71cbdb 100644
--- a/.github/workflows/linters.yml
+++ b/.github/workflows/linters.yml
@@ -18,6 +18,4 @@ jobs:
 - uses: ansible-network/github_actions/.github/actions/checkout_dependency@main
 - name: Run ansible-lint
- uses: ansible/ansible-lint@main
- with:
- args: "--profile production"
+ uses: ansible/ansible-lint@v6.17.2
From 78d95732893ea1054edc65ef582f4d3bc66ee776 Mon Sep 17 00:00:00 2001
From: Alina Buzachis
Date: Wed, 23 Aug 2023 13:28:31 +0200
Subject: [PATCH 12/15] Bump ansible-lint version to 6.18.0 as suggested
---
.github/workflows/linters.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
index e71cbdb..7523de4 100644
--- a/.github/workflows/linters.yml
+++ b/.github/workflows/linters.yml
@@ -18,4 +18,4 @@ jobs:
 - uses: ansible-network/github_actions/.github/actions/checkout_dependency@main
 - name: Run ansible-lint
- uses: ansible/ansible-lint@v6.17.2
+ uses: ansible/ansible-lint@v6.18.0
From 50fa80a6b5efecb3a9405b71f41b3c17e312a19e Mon Sep 17 00:00:00 2001
From: Alina Buzachis
Date: Wed, 23 Aug 2023 13:28:54 +0200
Subject: [PATCH 13/15] Bump ansible-lint version to 6.18.0 as suggested
---
tox.ini | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tox.ini b/tox.ini
index c849b3f..d335446 100644
--- a/tox.ini
+++ b/tox.ini
@@ -16,7 +16,7 @@ commands =
 [testenv:ansible-lint]
 deps =
- ansible-lint==6.17.2
+ ansible-lint==6.18.0
 commands = ansible-lint --profile production --format pep8 --nocolor --strict --write {toxinidir}/roles {toxinidir}/tests
 [testenv:linters]
From d86e852f2d577b0102e1e18ddf3599544b83e4e8 Mon Sep 17 00:00:00 2001
From: Alina Buzachis
Date: Thu, 24 Aug 2023 13:34:46 +0200
Subject: [PATCH 14/15] Add changelog fragment
Signed-off-by: Alina Buzachis
---
changelogs/fragments/ansible_lint_sanity_fixes.yml | 4 ++++
.../targets/test_aws_setup_credentials/tasks/main.yml | 9 +++++----
2 files changed, 9 insertions(+), 4 deletions(-)
create mode 100644 changelogs/fragments/ansible_lint_sanity_fixes.yml
diff --git a/changelogs/fragments/ansible_lint_sanity_fixes.yml b/changelogs/fragments/ansible_lint_sanity_fixes.yml
new file mode 100644
index 0000000..f1a6fa4
--- /dev/null
+++ b/changelogs/fragments/ansible_lint_sanity_fixes.yml
@@ -0,0 +1,4 @@
+breaking_changes:
+ - role/aws_setup_credentials - Due to ansible-lint issue, the AWS generated credentials are now stored into variable `aws_setup_credentials__output` instead of `aws_role_credentials` (https://github.com/redhat-cop/cloud.aws_troubleshooting/pull/24)."
+ - role/connectivity_troubleshooter_validated - Due to ansible-lint issue, the next hop information stored into variable `connectivity_troubleshooter_validate__next_hop` instead of `next_hop` (https://github.com/redhat-cop/cloud.aws_troubleshooting/pull/24)."
+
diff --git a/tests/integration/targets/test_aws_setup_credentials/tasks/main.yml b/tests/integration/targets/test_aws_setup_credentials/tasks/main.yml
index 7dc35fe..7c002d9 100644
--- a/tests/integration/targets/test_aws_setup_credentials/tasks/main.yml
+++ b/tests/integration/targets/test_aws_setup_credentials/tasks/main.yml
@@ -3,14 +3,15 @@
 ansible.builtin.include_role:
 name: cloud.aws_troubleshooting.aws_setup_credentials
 vars:
- aws_security_token: '{{ security_token | default(omit) }}'
+ aws_security_token: "{{ security_token | default(omit) }}"
+ tags:
+ - skip_ansible_lint
 - name: Trying calling module using generating credentials
 module_defaults:
- group/aws:
- "{{ aws_setup_credentials__output }}"
+ group/aws: "{{ aws_setup_credentials__output }}"
 block:
 - name: Get instances to be terminated
 amazon.aws.ec2_instance_info:
 filters:
- instance-state-name: 'running'
+ instance-state-name: running
From 7852fca7c21f4ada6dbde55f4ba328fadae16a4d Mon Sep 17 00:00:00 2001
From: Alina Buzachis
Date: Thu, 24 Aug 2023 14:02:16 +0200
Subject: [PATCH 15/15] Update ansible_lint_sanity_fixes.yml
---
changelogs/fragments/ansible_lint_sanity_fixes.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/changelogs/fragments/ansible_lint_sanity_fixes.yml b/changelogs/fragments/ansible_lint_sanity_fixes.yml
index f1a6fa4..5d9d5cb 100644
--- a/changelogs/fragments/ansible_lint_sanity_fixes.yml
+++ b/changelogs/fragments/ansible_lint_sanity_fixes.yml
@@ -1,4 +1,3 @@
 breaking_changes:
 - role/aws_setup_credentials - Due to ansible-lint issue, the AWS generated credentials are now stored into variable `aws_setup_credentials__output` instead of `aws_role_credentials` (https://github.com/redhat-cop/cloud.aws_troubleshooting/pull/24)."
 - role/connectivity_troubleshooter_validated - Due to ansible-lint issue, the next hop information stored into variable `connectivity_troubleshooter_validate__next_hop` instead of `next_hop` (https://github.com/redhat-cop/cloud.aws_troubleshooting/pull/24)."
-
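Review bot: The `tags: - skip_ansible_lint` added to the `include_role` task in the test_aws_setup_credentials hunk disables every ansible-lint rule for the task that wires AWS credentials into the test, with no indication of which rule it was silencing; a blanket skip on the credentials task is exactly where a future finding (for instance a plaintext secret) would go unreported. Prefer the narrower inline form on the offending line, `aws_security_token: "{{ security_token | default(omit) }}"  # noqa: <rule-id>`, or keep the tag with a comment naming the rule and why it does not apply here. The enclosing task starts outside the hunk.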