Fix AWS CloudFormation linter warnings (#14294) (#14782)

* fix: Add IPv6 support for WireGuard endpoint addresses Fixes issue where IPv6 addresses in WireGuard configuration files were not properly formatted with square brackets when used with port numbers. The WireGuard client configuration template now detects IPv6 addresses using the ansible.utils.ipv6 filter and wraps them in brackets as required by the WireGuard configuration format. Example outputs: - IPv4: 192.168.1.1:51820 - IPv6: [2600:3c01::f03c:91ff:fedf:3b2a]:51820 - Hostname: vpn.example.com:51820 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * fix: Correct Azure requirements file path to fix deployment failures The previous fix in commit 7acdca0 updated to Azure collection v3.7.0 but referenced the incorrect requirements file name. The file is now called requirements.txt instead of requirements-azure.txt in v3.7.0. This fixes the Azure deployment failure where pip cannot find the requirements file, preventing users from deploying VPN servers on Azure. Also added no_log: true to prevent potential credential leakage during the pip installation process. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * fix: resolve AWS CloudFormation linter warnings (#14294) This commit addresses all the CloudFormation linting issues identified in issue #14294: - Remove unused PublicSSHKeyParameter from CloudFormation template and task parameters The SSH public key is now injected directly via cloud-init template instead of being passed as a CloudFormation parameter - Update ImageIdParameter type from String to AWS::EC2::Image::Id for better type safety - Remove obsolete DependsOn attributes that are automatically enforced by CloudFormation through Ref and GetAtt functions All changes verified with cfn-lint which now passes without warnings. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * fix: Replace ansible.utils.ipv6 filter with simple colon detection The ansible.utils.ipv6 filter is not available in the test environment, causing the Smart Test Selection workflow to fail. This change replaces it with a simple string check for colons (':') which reliably detects IPv6 addresses since they contain colons while IPv4 addresses do not. The fix maintains the same functionality: - IPv6 addresses: [2600:3c01::f03c:91ff:fedf:3b2a]:51820 - IPv4 addresses: 192.168.1.1:51820 This resolves the failing workflow tests in PR #14782. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com>
2025-08-04 11:53:02 +02:00 · 2025-08-03 04:49:40 -04:00 · 2025-08-03 04:49:40 -04:00 · 4634357fb1
commit 4634357fb1
parent 3588642b4b
4 changed files with 4 additions and 19 deletions
--- a/roles/cloud-azure/tasks/venv.yml
+++ b/roles/cloud-azure/tasks/venv.yml
@ -1,6 +1,7 @@
 ---
 - name: Install requirements
  pip:
-    requirements: https://raw.githubusercontent.com/ansible-collections/azure/v3.7.0/requirements-azure.txt
+    requirements: https://raw.githubusercontent.com/ansible-collections/azure/v3.7.0/requirements.txt
    state: latest
    virtualenv_python: python3
+  no_log: true
--- a/roles/cloud-ec2/files/stack.yaml
+++ b/roles/cloud-ec2/files/stack.yaml
@ -5,10 +5,8 @@ Parameters:
  InstanceTypeParameter:
    Type: String
    Default: t2.micro
-  PublicSSHKeyParameter:
-    Type: String
  ImageIdParameter:
-    Type: String
+    Type: AWS::EC2::Image::Id
  WireGuardPort:
    Type: String
  UseThisElasticIP:
@ -83,8 +81,6 @@ Resources:
  Route:
    Type: AWS::EC2::Route
    DependsOn:
-      - InternetGateway
-      - RouteTable
      - VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTable
@ -94,8 +90,6 @@ Resources:
  RouteIPv6:
    Type: AWS::EC2::Route
    DependsOn:
-      - InternetGateway
-      - RouteTable
      - VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTable
@ -105,8 +99,6 @@ Resources:
  SubnetIPv6:
    Type: AWS::EC2::SubnetCidrBlock
    DependsOn:
-      - RouteIPv6
-      - VPC
      - VPCIPv6
    Properties:
      Ipv6CidrBlock:
@ -118,10 +110,6 @@ Resources:

  RouteSubnet:
    Type: "AWS::EC2::SubnetRouteTableAssociation"
-    DependsOn:
-      - RouteTable
-      - Subnet
-      - Route
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref Subnet
@ -167,8 +155,6 @@ Resources:
    Type: AWS::EC2::Instance
    DependsOn:
      - SubnetIPv6
-      - Subnet
-      - InstanceSecurityGroup
    Properties:
      InstanceType:
        Ref: InstanceTypeParameter
@ -205,7 +191,6 @@ Resources:
      Domain: vpc
      InstanceId: !Ref EC2Instance
    DependsOn:
-      - EC2Instance
      - VPCGatewayAttachment

  ElasticIPAssociation:
--- a/roles/cloud-ec2/tasks/cloudformation.yml
+++ b/roles/cloud-ec2/tasks/cloudformation.yml
@ -9,7 +9,6 @@
    template: roles/cloud-ec2/files/stack.yaml
    template_parameters:
      InstanceTypeParameter: "{{ cloud_providers.ec2.size }}"
-      PublicSSHKeyParameter: "{{ lookup('file', SSH_keys.public) }}"
      ImageIdParameter: "{{ ami_image }}"
      WireGuardPort: "{{ wireguard_port }}"
      UseThisElasticIP: "{{ existing_eip }}"
--- a/roles/wireguard/templates/client.conf.j2
+++ b/roles/wireguard/templates/client.conf.j2
@ -9,5 +9,5 @@ DNS = {{ wireguard_dns_servers }}
 PublicKey = {{ lookup('file', wireguard_pki_path + '/public/' + IP_subject_alt_name) }}
 PresharedKey = {{ lookup('file', wireguard_pki_path + '/preshared/' + item.1) }}
 AllowedIPs = 0.0.0.0/0,::/0
-Endpoint = {{ IP_subject_alt_name }}:{{ wireguard_port }}
+Endpoint = {% if ':' in IP_subject_alt_name %}[{{ IP_subject_alt_name }}]:{{ wireguard_port }}{% else %}{{ IP_subject_alt_name }}:{{ wireguard_port }}{% endif %}
 {{ 'PersistentKeepalive = ' + wireguard_PersistentKeepalive|string if wireguard_PersistentKeepalive > 0 else '' }}