From c0088358680c08e196a63dc63c91a56432d156be Mon Sep 17 00:00:00 2001
From: Arsenii Petrovich
Date: Wed, 27 Feb 2019 15:23:26 +0300
Subject: [PATCH] Fixes bugs, also added removal for insecure variables before uploading config to S3
---
.gitignore | 1 +
roles/destroy/tasks/main.yml | 4 +--
roles/dynamodb/tasks/main.yml | 2 +-
roles/main_infra/templates/backend.tfvars.j2 | 4 +--
roles/s3/tasks/main.yml | 27 ++++++++++++++++----
5 files changed, 28 insertions(+), 10 deletions(-)
diff --git a/.gitignore b/.gitignore
index ab28adb..582a5af 100644
--- a/.gitignore
+++ b/.gitignore
@@ -21,3 +21,4 @@
 roles/main_infra/files/terraform.tfvars
 group_vars/*.yml
 *.retry
+*.temp
diff --git a/roles/destroy/tasks/main.yml b/roles/destroy/tasks/main.yml
index 09b506f..feab63f 100644
--- a/roles/destroy/tasks/main.yml
+++ b/roles/destroy/tasks/main.yml
@@ -55,12 +55,12 @@ - name: Destroy S3 bucket s3_bucket: - name: "{{ bucket }}" + name: "{{ prefix }}-{{ bucket }}" state: absent force: yes when: user_answer.user_input|bool == True - dynamodb_table: - name: "{{ dynamodb_table }}" + name: "{{ prefix }}-{{ dynamodb_table }}" state: absent when: user_answer.user_input|bool == True
diff --git a/roles/dynamodb/tasks/main.yml b/roles/dynamodb/tasks/main.yml
index c9e9670..c4324e1 100644
--- a/roles/dynamodb/tasks/main.yml
+++ b/roles/dynamodb/tasks/main.yml
@@ -1,6 +1,6 @@ - name: Create DynamoDB table dynamodb_table: - name: "{{ dynamodb_table }}" + name: "{{ prefix }}-{{ dynamodb_table }}" hash_key_name: LockID hash_key_type: STRING read_capacity: 1
diff --git a/roles/main_infra/templates/backend.tfvars.j2 b/roles/main_infra/templates/backend.tfvars.j2
index e15b1c1..5a3905d 100644
--- a/roles/main_infra/templates/backend.tfvars.j2
+++ b/roles/main_infra/templates/backend.tfvars.j2
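Review bot: The `{{ prefix }}-{{ bucket }}` / `{{ prefix }}-{{ dynamodb_table }}` concatenation introduced in the roles/destroy/tasks/main.yml hunk is retyped verbatim in roles/dynamodb/tasks/main.yml, roles/main_infra/templates/backend.tfvars.j2 and all three roles/s3/tasks/main.yml hunks, so the create, backend and destroy paths can silently drift apart on the next edit; composing the names once (e.g. `bucket_name` / `dynamodb_table_name` variables — constructed names) and referencing those everywhere keeps them in step. Nothing on the page shows where `prefix` is defined or validated: the S3 name is now only valid if `prefix` is non-empty, lowercase and DNS-compatible, and an undefined `prefix` turns the destroy task into a template error, so an `assert` on it at play start seems worth adding. Because the destroy task keeps `force: yes`, a wrong `prefix` value here points the forced deletion at a different bucket, which is a further reason to derive the name from a single variable rather than retyping it.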
@@ -1,4 +1,4 @@
 region = "{{ ansible_env.AWS_REGION }}"
-bucket = "{{ bucket }}"
-dynamodb_table = "{{ dynamodb_table }}"
+bucket = "{{ prefix }}-{{ bucket }}"
+dynamodb_table = "{{ prefix }}-{{ dynamodb_table }}"
 key = "terraform.tfstate"
diff --git a/roles/s3/tasks/main.yml b/roles/s3/tasks/main.yml
index 7ee55b2..88f0ed5 100644
--- a/roles/s3/tasks/main.yml
+++ b/roles/s3/tasks/main.yml
@@ -1,12 +1,12 @@ - name: Create S3 bucket aws_s3: - bucket: "{{ bucket }}" + bucket: "{{ prefix }}-{{ bucket }}" mode: create permission: private - name: Apply tags and versioning to create S3 bucket s3_bucket: - name: "{{ bucket }}" + name: "{{ prefix }}-{{ bucket }}" versioning: yes tags: origin: terraform
@@ -14,7 +14,7 @@ - name: Add lifecycle management policy to created S3 bucket s3_lifecycle: - name: "{{ bucket }}" + name: "{{ prefix }}-{{ bucket }}" rule_id: "expire" noncurrent_version_expiration_days: 90 status: enabled
@@ -26,10 +26,27 @@ register: stat_result when: upload_config_to_s3|bool == True +- name: Copy temporary file to be uploaded + command: "cp {{ playbook_dir }}/group_vars/all.yml {{ playbook_dir }}/group_vars/all.yml.temp" + when: upload_config_to_s3|bool == True + +- name: Remove insecure variables +- lineinfile: + path: "{{ playbook_dir }}/group_vars/all.yml.temp" + regexp: 'aws_.*' + line: '' + when: upload_config_to_s3|bool == True + - name: Upload config to S3 bucket aws_s3: - bucket: "{{ bucket }}" + bucket: "{{ prefix }}-{{ bucket }}" object: all.yml - src: "{{ playbook_dir }}/group_vars/all.yml" + src: "{{ playbook_dir }}/group_vars/all.yml.temp" mode: put when: stat_result.stat.exists == True and upload_config_to_s3|bool == True + +- name: Remove temp file + file: + path: "{{ playbook_dir }}/group_vars/all.yml" + state: absent + when: upload_config_to_s3|bool == True
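Review bot: The scrub step in the `@@ -26,10 +26,27 @@` hunk of roles/s3/tasks/main.yml does not reliably strip credentials before the upload: as printed, `+- lineinfile:` opens a new list item, so `Remove insecure variables` is a task with no module and the edit runs as an anonymous task, and `lineinfile` with `line: ''` rewrites only the last line matching `aws_.*`, leaving every other `aws_*` line in `all.yml.temp` to be put into the bucket. `state: absent` removes all matching lines, and anchoring the pattern (`^\s*aws_`) stops it from blanking unrelated lines that merely contain the substring. The final `Remove temp file` task deletes `group_vars/all.yml`, the operator's real configuration, instead of `all.yml.temp`, so the partially scrubbed copy is what survives on disk. The `cp` via `command` also runs before `stat_result.stat.exists` is consulted (the `stat` task that registers it starts above the hunk), so a missing `all.yml` fails the play instead of skipping the upload; reusing that condition, or the `copy` module with `remote_src`, would be cleaner. Even with these fixes a denylist by key prefix is fragile, and keeping credentials out of `group_vars/all.yml` altogether (environment or vault) would remove the need to scrub at all.
```yaml
- name: Remove insecure variables
  lineinfile:
    path: "{{ playbook_dir }}/group_vars/all.yml.temp"
    regexp: '^\s*aws_'
    state: absent
  when: upload_config_to_s3|bool == True

# … unchanged: Upload config to S3 bucket …

- name: Remove temp file
  file:
    path: "{{ playbook_dir }}/group_vars/all.yml.temp"
    state: absent
  when: upload_config_to_s3|bool == True
```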