Merge pull request #3 from caktus/ansible-upgrade

Set public_access via amazon.aws.s3_bucket module
caktus · Nov 21, 2024 · e817895 · e817895
2 parents bec19ec + 853cf14
commit e817895
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 16 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -2,7 +2,19 @@ caktus.aws-web-stacks
 ======================
 
 
-Changes
--------
+v0.3.0
+------
 
-**Under Development**
+* Set `public_access` via amazon.aws.s3_bucket module
+
+
+v0.2.0
+------
+
+* Upgrade bucket role to reflect Ansible changes
+
+
+v0.1.0
+------
+
+* Initial release
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -9,7 +9,7 @@ cloudformation_stack_name: 'example stack'
 cloudformation_stack_policy: ''
 cloudformation_stack_template_local_path: '{{ playbook_dir + "/files/ec2-nat.yml" }}'
 cloudformation_stack_template_bucket: 'aws-web-stacks-templates'
-cloudformation_stack_template_bucket_path: 'templates/{{ stack_name }}.yml'
+cloudformation_stack_template_bucket_path: 'templates/{{ cloudformation_stack_name }}.yml'
 cloudformation_stack_template: ''
 cloudformation_stack_template_body: ''
 cloudformation_stack_template_url: ''
@@ -18,7 +18,7 @@ cloudformation_stack_tags: {}
 cloudformation_stack_create_changeset: true
 cloudformation_stack_disable_rollback: false
 cloudformation_stack_events_limit: 200
-cloudformation_stack_termination_protection: false
+cloudformation_stack_termination_protection: true
 cloudformation_stack_inventory_path: '{{ inventory_dir }}/aws_ec2.yml'
 cloudformation_stack_role_arn: ''
 

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -16,21 +16,18 @@
     aws_secret_key: '{{ _stack.aws_secret_key|default(omit,true) }}'
     profile: '{{ _stack.profile|default(omit,true) }}'
     region: '{{ _stack.region|default(omit,true) }}'
-  when: >-
-    _stack.state|default('present',true) == "present" and _stack.template_bucket and
-    _stack.template_bucket_path and _stack.template_local_path
-  tags: [bucket]
-
-# not possible to do this via Ansible modules as of 9/2019
-- name: block all public access via PublicAccessBlock configuration
-  command: "aws s3api --profile {{ aws_profile }} put-public-access-block --bucket {{ _stack.template_bucket }} --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
+    public_access:
+      block_public_acls: true
+      block_public_policy: true
+      ignore_public_acls: true
+      restrict_public_buckets: true
   when: >-
     _stack.state|default('present',true) == "present" and _stack.template_bucket and
     _stack.template_bucket_path and _stack.template_local_path
   tags: [bucket]
 
 - name: "upload CF template to {{ _stack.template_bucket }} bucket"
-  aws_s3:
+  amazon.aws.s3_object:
     bucket: "{{ _stack.template_bucket }}"
     object: "{{ _stack.template_bucket_path }}"
     src: "{{ _stack.template_local_path }}"
@@ -56,7 +53,7 @@
   tags: [bucket]
 
 - name: create/update a cloudformation stack
-  cloudformation:
+  amazon.aws.cloudformation:
     aws_access_key: '{{ _stack.aws_access_key|default(omit,true) }}'
     aws_secret_key: '{{ _stack.aws_secret_key|default(omit,true) }}'
     profile: '{{ _stack.profile|default(omit,true) }}'
@@ -86,7 +83,7 @@
   tags: [cloudformation]
 
 - name: remove a cloudformation stack
-  cloudformation:
+  amazon.aws.cloudformation:
     aws_access_key: '{{ _stack.aws_access_key|default(omit,true) }}'
     aws_secret_key: '{{ _stack.aws_secret_key|default(omit,true) }}'
     profile: '{{ _stack.profile|default(omit,true) }}'