From 552c77b36d1575eda52857530977433b16636a57 Mon Sep 17 00:00:00 2001
From: Defunct
Date: Sat, 10 Dec 2016 03:22:16 +0000
Subject: [PATCH] refactored ec2 encryption
---
 roles/cloud-ec2/tasks/encrypt_image.yml | 99 ++++++++-----------------
 roles/cloud-ec2/tasks/main.yml | 6 +-
 2 files changed, 34 insertions(+), 71 deletions(-)
diff --git a/roles/cloud-ec2/tasks/encrypt_image.yml b/roles/cloud-ec2/tasks/encrypt_image.yml
index ce4406f1..4590332e 100644
--- a/roles/cloud-ec2/tasks/encrypt_image.yml
+++ b/roles/cloud-ec2/tasks/encrypt_image.yml
@@ -1,72 +1,35 @@
-- name: Locate official Ubuntu 16.04 AMI for region
+- name: Check if the encrypted image already exist
 ec2_ami_find:
- aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
- name: "ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"
- owner: 099720109477
- sort: name
+ aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'))}}"
+ aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'))}}"
+ owner: self
+ sort: creationDate
 sort_order: descending
 sort_end: 1
- region: "{{ region }}"
- register: ami_search
-
-- set_fact:
- source_ami_image: "{{ ami_search.results[0].ami_id }}"
-
-#
-# https://github.com/ansible/ansible-modules-extras/issues/3565
-#
-#- name: Copy to an encrypted image
- #ec2_ami_copy:
- #aws_access_key: "{{ aws_access_key }}"
- #aws_secret_key: "{{ aws_secret_key }}"
- #description: ENC_IMAGE
- #encrypted: yes
- #name: newimage
- #region: "{{ region }}"
- #source_image_id: "{{ source_ami_image }}"
- #source_region: "{{ region }}"
- #register: ec2_ami_copy
- #when: ami_encrypted_tag is not defined or (ami_encrypted_tag is defined and ami_encrypted_tag != true)
-#- debug: var=ec2_ami_copy
-
-
-#
-# https://github.com/ansible/ansible-modules-extras/issues/3565
-#
-- name: Copy to an encrypted image
- shell: >
- aws ec2 copy-image --source-region '{{ region }}' --region '{{ region }}' --encrypted --source-image-id '{{ source_ami_image }}' --name 'ubuntu-xenial-16.04-amd64-server-encrypted'
- environment:
- AWS_ACCESS_KEY_ID: "{{ aws_access_key }}"
- AWS_SECRET_ACCESS_KEY: "{{ aws_secret_key }}"
- register: ec2_ami_copy
-
-- set_fact:
- ami_image_ouput: "{{ ec2_ami_copy.stdout|from_json }}"
-
-- set_fact:
- ami_encrypted_image: "{{ ami_image_ouput['ImageId'] }}"
-
-- name: Add tags to the encrypted image
- ec2_tag:
- aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
- region: "{{ region }}"
- resource: "{{ ami_encrypted_image }}"
- state: present
- tags:
- Name: "ubuntu-xenial-16.04-amd64-server-encrypted"
- Encrypted: "true"
-
-- name: Confirm the encrypted image
- ec2_ami_find:
- aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
- ami_id: "{{ ami_encrypted_image }}"
- region: "{{ region }}"
- owner: self
 state: available
- register: ec2_ami_find_encrypted
- until: ec2_ami_find_encrypted.results|length > 0
- retries: 60
- delay: 10
+ ami_tags:
+ Algo: "encrypted"
+ region: "{{ region }}"
+ register: search_crypt
+
+- set_fact:
+ enc_image: "{{ search_crypt.results[0].image_id }}"
+ when: search_crypt.results
+
+- name: Copy to an encrypted image
+ ec2_ami_copy:
+ aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'))}}"
+ aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'))}}"
+ encrypted: yes
+ name: algo
+ region: "{{ region }}"
+ source_image_id: "{{ image_id }}"
+ source_region: "{{ region }}"
+ tags:
+ Algo: "encrypted"
+ wait: true
+ register: enc_image
+ when: enc_image is not defined
+
+- set_fact:
+ image_id: "{{ enc_image.image_id }}"
diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml
index 6c49a98e..886fd144 100644
--- a/roles/cloud-ec2/tasks/main.yml
+++ b/roles/cloud-ec2/tasks/main.yml
@@ -1,7 +1,7 @@
 - name: Locate official Ubuntu 16.04 AMI for region
 ec2_ami_find:
- aws_access_key: "{{ aws_access_key }}"
- aws_secret_key: "{{ aws_secret_key }}"
+ aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'))}}"
+ aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'))}}"
 name: "ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"
 owner: 099720109477
 sort: creationDate
@@ -11,7 +11,7 @@
 register: ami_search
 - include: encrypt_image.yml
- when: ami_encrypted_tag is not defined or (ami_encrypted_tag is defined and ami_encrypted_tag != "true1")
+ when: encrypted is defined
 - name: Add ssh public key
 ec2_key:
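Review bot: The closing `set_fact: image_id: "{{ enc_image.image_id }}"` cannot work on the reuse path: there `enc_image` is the bare id string set from `search_crypt.results[0].image_id`, and since Ansible registers a skip result for a skipped task, the skipped `ec2_ami_copy` then overwrites it with a dict that has no `image_id`. Registering the copy under its own name, `register: ami_copy`, and choosing the source at the end, `image_id: "{{ enc_image if enc_image is defined else ami_copy.image_id }}"`, keeps the two paths apart (the inline `if` is lazy, so the unused branch is never evaluated). The `aws_access_key`/`aws_secret_key` arguments here, and the same two in the first main.yml hunk, wrap a `lookup('env', ...)` fallback that the ec2 modules already apply on their own when the parameters are omitted, and `default` does not cover an empty `aws_access_key`. The existence check keys only on the `Algo: encrypted` tag, so once an encrypted copy exists it is reused even after the base AMI located in main.yml moves on; recording the source in a second tag, e.g. `Source: "{{ image_id }}"`, and filtering on it as well would keep the encrypted image in step with the Ubuntu image. `encrypted: yes` would read better as `encrypted: true`, matching `wait: true` below it.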
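Review bot: `when: encrypted is defined` gates the include on the variable existing, not on its value, so `encrypted: false` (or a prompt answered "no", if that is where the variable comes from) still runs encrypt_image.yml. `when: encrypted is defined and encrypted | bool` expresses the intent; if the variable is a plain flag that is only ever set or unset, a comment saying so above the include would keep the next reader from "fixing" it. The `- include` line itself is context here, so this condition is the only gate on the encryption tasks.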