From 4634357fb12ade5fa5c6736fdd3a287c92785f34 Mon Sep 17 00:00:00 2001 
From: Dan Guido Date: Sun, 3 Aug 2025 04:49:40 -0400 Subject: [PATCH] Fix AWS CloudFormation linter warnings (#14294) (#14782) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix: Add IPv6 support for WireGuard endpoint addresses Fixes issue where IPv6 addresses in WireGuard configuration files were not properly formatted with square brackets when used with port numbers. The WireGuard client configuration template now detects IPv6 addresses using the ansible.utils.ipv6 filter and wraps them in brackets as required by the WireGuard configuration format. Example outputs: - IPv4: 192.168.1.1:51820 - IPv6: [2600:3c01::f03c:91ff:fedf:3b2a]:51820 - Hostname: vpn.example.com:51820 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude * fix: Correct Azure requirements file path to fix deployment failures The previous fix in commit 7acdca0 updated to Azure collection v3.7.0 but referenced the incorrect requirements file name. The file is now called requirements.txt instead of requirements-azure.txt in v3.7.0. This fixes the Azure deployment failure where pip cannot find the requirements file, preventing users from deploying VPN servers on Azure. Also added no_log: true to prevent potential credential leakage during the pip installation process. 
🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude * fix: resolve AWS CloudFormation linter warnings (#14294) This commit addresses all the CloudFormation linting issues identified in issue #14294: - Remove unused PublicSSHKeyParameter from CloudFormation template and task parameters The SSH public key is now injected directly via cloud-init template instead of being passed as a CloudFormation parameter - Update ImageIdParameter type from String to AWS::EC2::Image::Id for better type safety - Remove obsolete DependsOn attributes that are automatically enforced by CloudFormation through Ref and GetAtt functions All changes verified with cfn-lint which now passes without warnings. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude * fix: Replace ansible.utils.ipv6 filter with simple colon detection The ansible.utils.ipv6 filter is not available in the test environment, causing the Smart Test Selection workflow to fail. This change replaces it with a simple string check for colons (':') which reliably detects IPv6 addresses since they contain colons while IPv4 addresses do not. The fix maintains the same functionality: - IPv6 addresses: [2600:3c01::f03c:91ff:fedf:3b2a]:51820 - IPv4 addresses: 192.168.1.1:51820 This resolves the failing workflow tests in PR #14782. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude --------- Co-authored-by: Claude --- roles/cloud-azure/tasks/venv.yml | 3 ++- roles/cloud-ec2/files/stack.yaml | 17 +---------------- roles/cloud-ec2/tasks/cloudformation.yml | 1 - roles/wireguard/templates/client.conf.j2 | 2 +- 4 files changed, 4 insertions(+), 19 deletions(-) diff --git a/roles/cloud-azure/tasks/venv.yml b/roles/cloud-azure/tasks/venv.yml index 411566d..fb35433 100644 --- a/roles/cloud-azure/tasks/venv.yml +++ b/roles/cloud-azure/tasks/venv.yml 
@@ -1,6 +1,7 @@ --- - name: Install requirements pip: - requirements: https://raw.githubusercontent.com/ansible-collections/azure/v3.7.0/requirements-azure.txt + requirements: https://raw.githubusercontent.com/ansible-collections/azure/v3.7.0/requirements.txt state: latest virtualenv_python: python3 + no_log: true diff --git a/roles/cloud-ec2/files/stack.yaml b/roles/cloud-ec2/files/stack.yaml index 90e0cdb..c067175 100644 --- a/roles/cloud-ec2/files/stack.yaml +++ b/roles/cloud-ec2/files/stack.yaml @@ -5,10 +5,8 @@ Parameters: InstanceTypeParameter: Type: String Default: t2.micro - PublicSSHKeyParameter: - Type: String ImageIdParameter: - Type: String + Type: AWS::EC2::Image::Id WireGuardPort: Type: String UseThisElasticIP: @@ -83,8 +81,6 @@ Resources: Route: Type: AWS::EC2::Route DependsOn: - - InternetGateway - - RouteTable - VPCGatewayAttachment Properties: RouteTableId: !Ref RouteTable @@ -94,8 +90,6 @@ Resources: RouteIPv6: Type: AWS::EC2::Route DependsOn: - - InternetGateway - - RouteTable - VPCGatewayAttachment Properties: RouteTableId: !Ref RouteTable @@ -105,8 +99,6 @@ Resources: SubnetIPv6: Type: AWS::EC2::SubnetCidrBlock DependsOn: - - RouteIPv6 - - VPC - VPCIPv6 Properties: Ipv6CidrBlock: @@ -118,10 +110,6 @@ Resources: RouteSubnet: Type: "AWS::EC2::SubnetRouteTableAssociation" - DependsOn: - - RouteTable - - Subnet - - Route Properties: RouteTableId: !Ref RouteTable SubnetId: !Ref Subnet @@ -167,8 +155,6 @@ Resources: Type: AWS::EC2::Instance DependsOn: - SubnetIPv6 - - Subnet - - InstanceSecurityGroup Properties: InstanceType: Ref: InstanceTypeParameter @@ -205,7 +191,6 @@ Resources: Domain: vpc InstanceId: !Ref EC2Instance DependsOn: - - EC2Instance - VPCGatewayAttachment ElasticIPAssociation: diff --git a/roles/cloud-ec2/tasks/cloudformation.yml b/roles/cloud-ec2/tasks/cloudformation.yml index f05ab37..18fe29e 100644 --- a/roles/cloud-ec2/tasks/cloudformation.yml +++ b/roles/cloud-ec2/tasks/cloudformation.yml 
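Review bot: The new `requirements:` URL in the venv.yml hunk still resolves through the tag `v3.7.0`, which can be moved upstream, and the task installs with `state: latest`, so the contents of the virtualenv are decided at deploy time rather than by this repository. Pinning the URL to a full commit hash, `.../ansible-collections/azure/<commit-sha>/requirements.txt`, or vendoring a hash-checked copy of the file into the role would make the install reproducible and reviewable. The added `no_log: true` also suppresses pip's output on failure, which is the kind of error this commit had to diagnose, and no credential is visible in the task's arguments. If the flag stays, a short comment above it naming the secret that could appear in the output would justify the lost diagnostics.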
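Review bot: Two of the `DependsOn` entries removed from stack.yaml do not look implied by a `Ref` or `GetAtt` in the visible properties: `Route` under `RouteSubnet`, whose properties reference only `RouteTable` and `Subnet`, and `RouteIPv6` under `SubnetIPv6`, whose properties are only partly shown in the hunk. `EC2Instance` still waits on `SubnetIPv6`, so dropping `RouteIPv6` there probably removes the only ordering between the instance and the default routes, and the instance could start before outbound routing exists. If first-boot setup on the instance needs network access, keep `- RouteIPv6` next to `- VPCIPv6` under `SubnetIPv6` and `- Route` under `RouteSubnet`. Otherwise a template comment saying the ordering was relaxed on purpose would stop the entries from being reintroduced later.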
@@ -9,7 +9,6 @@ template: roles/cloud-ec2/files/stack.yaml template_parameters: InstanceTypeParameter: "{{ cloud_providers.ec2.size }}" - PublicSSHKeyParameter: "{{ lookup('file', SSH_keys.public) }}" ImageIdParameter: "{{ ami_image }}" WireGuardPort: "{{ wireguard_port }}" UseThisElasticIP: "{{ existing_eip }}" diff --git a/roles/wireguard/templates/client.conf.j2 b/roles/wireguard/templates/client.conf.j2 index 409ec18..a6e48a5 100644 --- a/roles/wireguard/templates/client.conf.j2 +++ b/roles/wireguard/templates/client.conf.j2 @@ -9,5 +9,5 @@ DNS = {{ wireguard_dns_servers }} PublicKey = {{ lookup('file', wireguard_pki_path + '/public/' + IP_subject_alt_name) }} PresharedKey = {{ lookup('file', wireguard_pki_path + '/preshared/' + item.1) }} AllowedIPs = 0.0.0.0/0,::/0 -Endpoint = {{ IP_subject_alt_name }}:{{ wireguard_port }} +Endpoint = {% if ':' in IP_subject_alt_name %}[{{ IP_subject_alt_name }}]:{{ wireguard_port }}{% else %}{{ IP_subject_alt_name }}:{{ wireguard_port }}{% endif %} {{ 'PersistentKeepalive = ' + wireguard_PersistentKeepalive|string if wireguard_PersistentKeepalive > 0 else '' }}
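Review bot: The `':' in IP_subject_alt_name` test on the new `Endpoint` line is a string heuristic rather than an address check, so a value that already carries brackets would presumably render as `[[...]]:port`, and the port suffix is now written once in each branch. A single expression keeps the port in one place and is easier to audit: `Endpoint = {{ '[' ~ IP_subject_alt_name ~ ']' if ':' in IP_subject_alt_name else IP_subject_alt_name }}:{{ wireguard_port }}`. Other client artefacts that build an endpoint from `IP_subject_alt_name` are outside this patch and may need the same bracket handling for IPv6 deployments.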