From fbc3357f22eedba71d7a6bf760fb947485945a6a Mon Sep 17 00:00:00 2001 From: Helen Bailey Date: Wed, 26 Jul 2023 09:53:45 -0400 Subject: [PATCH 1/4] Fix typos in both backup role READMEs --- roles/backup_create_plan/README.md | 6 ++++-- roles/backup_select_resources/README.md | 10 +++++++--- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/roles/backup_create_plan/README.md b/roles/backup_create_plan/README.md index 84e79404..4f6ab975 100644 --- a/roles/backup_create_plan/README.md +++ b/roles/backup_create_plan/README.md @@ -51,8 +51,10 @@ Example Playbook - hosts: localhost roles: - role: cloud.aws_ops.backup_create_plan - plan_name: my-backup-plan - plan_rules: "{{ daily_backup }}" + vars: + plan_name: my-backup-plan + plan_rules: + - "{{ daily_backup }}" License ------- diff --git a/roles/backup_select_resources/README.md b/roles/backup_select_resources/README.md index 0fe73045..026d27cd 100644 --- a/roles/backup_select_resources/README.md +++ b/roles/backup_select_resources/README.md @@ -24,7 +24,7 @@ Role Variables * **selection_excluded_resources**: List of resources to exclude from backup * **selection_tags**: List of resource tags selected for backup * **selection_conditions**: Conditions for resources to back up -* **backup_role_name**: (Required) The name of an IAM role with permissions to perform all needed backup actions for the selected resources. Alternatively, provide a new for a new IAM role which will be created with the same permissions as the AWSBackupDefaultServiceRole (note: these permissions allow backups and restores for all resources). +* **backup_role_name**: (Required) The name of an IAM role with permissions to perform all needed backup actions for the selected resources. Alternatively, provide a name for a new IAM role which will be created with the same permissions as the AWSBackupDefaultServiceRole (note: these permissions allow backups and restores for all resources). ### Included sample resource selection variables These are included in vars/main.yaml for use as-is or as examples for modification. @@ -52,14 +52,17 @@ Example Playbooks selection_name: s3_buckets selection_resources: - "{{ all_s3_buckets }}" + backup_role_name: my-iam-role ### Create backup plan and select resources - hosts: localhost roles: - role: cloud.aws_ops.backup_create_plan - plan_name: my-backup-plan - plan_rules: "{{ daily_backup }}" + vars: + plan_name: my-backup-plan + plan_rules: + - "{{ daily_backup }}" - hosts: localhost roles: @@ -69,6 +72,7 @@ Example Playbooks selection_name: s3_buckets selection_resources: - "{{ all_s3_buckets }}" + backup_role_name: my-iam-role License ------- From 268d541974656720657121c4ee0df9a9aa71e38b Mon Sep 17 00:00:00 2001 From: Helen Bailey Date: Fri, 4 Aug 2023 09:28:27 -0400 Subject: [PATCH 2/4] Update IAM role to include S3 backup and restore policies --- roles/backup_select_resources/tasks/main.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/backup_select_resources/tasks/main.yaml b/roles/backup_select_resources/tasks/main.yaml index d263b4df..9ccd26cd 100644 --- a/roles/backup_select_resources/tasks/main.yaml +++ b/roles/backup_select_resources/tasks/main.yaml @@ -30,9 +30,9 @@ register: backup_select_resources_role_info - name: Create new role when IAM role does not exist + when: backup_select_resources_role_info.iam_roles | length == 0 block: - name: Create role - when: backup_select_resources_role_info.iam_roles | length == 0 community.aws.iam_role: name: "{{ backup_role_name }}" state: present @@ -41,6 +41,9 @@ description: "AWS Backup Role" managed_policy: - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup + - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores + - arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Backup + - arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Restore wait: true register: backup_select_resources_new_role_info From 35ff2e65fbb041cdfa0d8b7a18ed27de983c54d0 Mon Sep 17 00:00:00 2001 From: Helen Bailey Date: Fri, 4 Aug 2023 09:41:12 -0400 Subject: [PATCH 3/4] Add changelog fragment --- changelogs/fragments/20230804-backup-role-bugfixes.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 changelogs/fragments/20230804-backup-role-bugfixes.yaml diff --git a/changelogs/fragments/20230804-backup-role-bugfixes.yaml b/changelogs/fragments/20230804-backup-role-bugfixes.yaml new file mode 100644 index 00000000..01df22cf --- /dev/null +++ b/changelogs/fragments/20230804-backup-role-bugfixes.yaml @@ -0,0 +1,5 @@ +--- +trivial: + - Update README in backup_create_plan role and backup_select_resources role (https://github.com/redhat-cop/cloud.aws_ops/pull/81). +bugfixes: + - Add all necessary IAM service role policies for backup when creating a new IAM role in backup_select_resources role (https://github.com/redhat-cop/cloud.aws_ops/pull/81). From 8d7d8309aa0313d60d431199739845fbe1b4aec5 Mon Sep 17 00:00:00 2001 From: Helen Bailey Date: Fri, 4 Aug 2023 17:42:21 -0400 Subject: [PATCH 4/4] Update backup_select_resources README --- roles/backup_select_resources/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/backup_select_resources/README.md b/roles/backup_select_resources/README.md index 026d27cd..ea188a80 100644 --- a/roles/backup_select_resources/README.md +++ b/roles/backup_select_resources/README.md @@ -13,6 +13,8 @@ AWS User Account with the following permission: * backup:GetBackupPlan * backup:GetBackupSelection * backup:ListBackupSelections +* iam:AttachRolePolicy +* iam:CreateRole * iam:GetRole Role Variables