From 3ea9a0dcca71fc4445186b53d90c3e485b5605be Mon Sep 17 00:00:00 2001
From: Lee Goolsbee
Date: Tue, 16 Nov 2021 12:52:23 -0600
Subject: [PATCH 1/2] ITPLT-637 use IMDSv2
---
 ansible.cfg | 1 +
 bin/install-ansible | 3 +++
 requirements.yml | 4 ++++
 roles/diy_backup/templates/bitbucket.diy-backup.vars.sh.j2 | 3 ++-
 4 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 requirements.yml
diff --git a/ansible.cfg b/ansible.cfg
index a468d9c..226c188 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -2,3 +2,4 @@
 retry_files_enabled = False
 callback_whitelist = profile_tasks
 conditional_bare_variables = True
+collections_paths = ./
diff --git a/bin/install-ansible b/bin/install-ansible
index 18e3ceb..33b09c3 100755
--- a/bin/install-ansible
+++ b/bin/install-ansible
@@ -30,3 +30,6 @@ PIPENV_NOSPIN=1 PIPENV_HIDE_EMOJIS=1 pipenv sync 2>&1 | iconv -c -f utf-8 -t asc
 if [[ $1 == "--dev" ]]; then
 pipenv sync --dev
 fi
+
+echo "Installing collections from galaxy..."
+pipenv run ansible-galaxy collection install -v -r requirements.yml
diff --git a/requirements.yml b/requirements.yml
new file mode 100644
index 0000000..3b5d258
--- /dev/null
+++ b/requirements.yml
@@ -0,0 +1,4 @@
+---
+collections:
+ - name: amazon.aws
+ version: 3.0.0
diff --git a/roles/diy_backup/templates/bitbucket.diy-backup.vars.sh.j2 b/roles/diy_backup/templates/bitbucket.diy-backup.vars.sh.j2
index 27e29e7..9215193 100644
--- a/roles/diy_backup/templates/bitbucket.diy-backup.vars.sh.j2
+++ b/roles/diy_backup/templates/bitbucket.diy-backup.vars.sh.j2
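Review bot: The added `collections_paths = ./` key uses the plural spelling that newer ansible-core releases report as deprecated in favor of the singular `collections_path`; if the ansible version pinned in the Pipfile accepts it, `collections_path = ./` avoids a deprecation warning on every run. The relative value also makes ansible-galaxy write an `ansible_collections/` tree next to this file, which presumably needs a `.gitignore` entry — the diffstat shows none.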
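Review bot: The added `ansible-galaxy collection install … -r requirements.yml` line resolves `requirements.yml` against the caller's working directory, so it only works when the script is run from the repository root; the pipeline does that, but a direct `bin/install-ansible` from elsewhere would fail or pick up a different requirements file. Unless an earlier part of the script (outside this hunk) sets `set -e` or changes to the repository root, a failed install is also not reported, so something like `pipenv run ansible-galaxy collection install -v -r "$(dirname "$0")/../requirements.yml" || exit 1` is safer. Pinning `amazon.aws` to an exact version is the right supply-chain default; if the pinned ansible-core is recent enough, `--keyring` additionally lets the install verify Galaxy signatures.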
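Review bot: `amazon.aws` 3.0.0 needs `boto3`/`botocore` in the interpreter that runs the playbooks, and this commit's diffstat touches no Pipfile or Pipfile.lock; if they are not already pinned there, the collection's modules will fail at runtime with a missing-library error, so that is worth confirming before merge. A `source:` entry pinning the Galaxy server would also make the install deterministic across environments.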
@@ -2,7 +2,8 @@ INSTANCE_NAME={{ atl_aws_stack_name }}
-AWS_INFO=$(curl -Lsf http://169.254.169.254/latest/dynamic/instance-identity/document)
+IMDSv2_TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
+AWS_INFO=$(curl -H "X-aws-ec2-metadata-token: $IMDSv2_TOKEN" -Lsf http://169.254.169.254/latest/dynamic/instance-identity/document)
 AWS_ACCOUNT_ID=$(echo "${AWS_INFO}" | jq -r .accountId)
 AWS_AVAILABILITY_ZONE=$(echo "${AWS_INFO}" | jq -r .availabilityZone)
 AWS_REGION=$(echo "${AWS_INFO}" | jq -r .region)
From 92689b523a2d5c56bc5664fa153454f6a1cffe27 Mon Sep 17 00:00:00 2001
From: Lee Goolsbee
Date: Mon, 7 Feb 2022 18:16:17 -0600
Subject: [PATCH 2/2] ITPLT-637 bitbucket build dir is world-writable, so ansible-galaxy ignores ansible.cfg unless it's explicitly defined like so
---
 bitbucket-pipelines.yml | 36 +++++++++++++++++++
 .../templates/bitbucket-pipelines.yml.j2 | 1 +
 2 files changed, 37 insertions(+)
diff --git a/bitbucket-pipelines.yml b/bitbucket-pipelines.yml
index f66a9fa..157ca6b 100644
--- a/bitbucket-pipelines.yml
+++ b/bitbucket-pipelines.yml
@@ -38,6 +38,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/aws_common
 - pipenv run molecule test -s cw-disabled
@@ -46,6 +47,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/aws_common
 - pipenv run molecule test -s default
@@ -54,6 +56,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/aws_common
 - pipenv run molecule test -s logs-disabled
@@ -62,6 +65,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/bitbucket_config
 - pipenv run molecule test -s default
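Review bot: The new token request on the first `+` line drops the `-sf` that both the replaced line and the new `AWS_INFO` line carry, so a failed or non-2xx PUT leaves `IMDSv2_TOKEN` empty or holding an error body, the identity request is then rejected and, because `-f` suppresses its output, every following `jq` line assigns an empty string — the backup proceeds with no account id or region. Use the same flags on both calls and fail loudly: `IMDSv2_TOKEN=$(curl -sf -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || { echo "IMDSv2 token request failed" >&2; exit 1; }` plus a matching `|| { echo "instance identity lookup failed" >&2; exit 1; }` on the `AWS_INFO` line. If this vars file is sourced by the backup scripts, `exit` aborts them, which is the safe outcome here. IMDSv2's default PUT hop limit of 1 also means the token request fails from inside a container, so this presumably runs directly on the instance — confirm. The hunk's leading context lines are not visible here.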
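Review bot: `export ANSIBLE_CONFIG=./ansible.cfg` is a relative path that Ansible resolves when each command starts, so it names the repository config for `./bin/install-ansible` but, after `cd roles/aws_common`, points at `roles/aws_common/ansible.cfg` for the molecule run; as far as I can tell a missing `ANSIBLE_CONFIG` target makes Ansible fall back to its other config locations without an error. If the molecule runs are meant to see the same config, export an absolute path instead, e.g. `export ANSIBLE_CONFIG=$PWD/ansible.cfg` (or `$BITBUCKET_CLONE_DIR/ansible.cfg`). Ansible ignores an `ansible.cfg` in a world-writable directory on purpose, so that a file another user could have planted is never loaded; overriding that with `ANSIBLE_CONFIG` is acceptable in an ephemeral CI container, but the reason deserves a comment beside the export, since the commit message is the only place it is recorded. The same line is repeated in every hunk of this file and in `pipeline_generator/templates/bitbucket-pipelines.yml.j2`, where the generator template is the one to fix.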
@@ -70,6 +74,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/bitbucket_config
 - pipenv run molecule test -s iam_elasticsearch
@@ -78,6 +83,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/confluence_config
 - pipenv run molecule test -s aurora
@@ -86,6 +92,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/confluence_config
 - pipenv run molecule test -s default
@@ -94,6 +101,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/confluence_config
 - pipenv run molecule test -s password_char_escaping
@@ -102,6 +110,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/confluence_config
 - pipenv run molecule test -s system_jdk
@@ -110,6 +119,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/diy_backup
 - pipenv run molecule test -s default
@@ -118,6 +128,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/jira_config
 - pipenv run molecule test -s aurora
@@ -126,6 +137,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/jira_config
 - pipenv run molecule test -s default
@@ -134,6 +146,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/jira_config
 - pipenv run molecule test -s jira_config_props
@@ -142,6 +155,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/jira_config
 - pipenv run molecule test -s password_char_escaping
@@ -150,6 +164,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/linux_common
 - pipenv run molecule test -s default
@@ -158,6 +173,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/product_common
 - pipenv run molecule test -s default
@@ -166,6 +182,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/product_common
 - pipenv run molecule test -s system_jdk
@@ -174,6 +191,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/product_install
 - pipenv run molecule test -s bitbucket_latest
@@ -182,6 +200,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/product_install
 - pipenv run molecule test -s confluence_latest
@@ -190,6 +209,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/product_install
 - pipenv run molecule test -s crowd_latest
@@ -198,6 +218,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/product_install
 - pipenv run molecule test -s default
@@ -206,6 +227,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/product_install
 - pipenv run molecule test -s jira_all
@@ -214,6 +236,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/product_install
 - pipenv run molecule test -s jira_cached_with_downgrade
@@ -222,6 +245,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/product_install
 - pipenv run molecule test -s jira_cached_with_upgrade
@@ -230,6 +254,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/product_install
 - pipenv run molecule test -s jira_software_latest
@@ -238,6 +263,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/product_install
 - pipenv run molecule test -s jira_tarball
@@ -246,6 +272,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/product_install
 - pipenv run molecule test -s jira_version_from_file
@@ -254,6 +281,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/product_install
 - pipenv run molecule test -s jira_version_latest
@@ -262,6 +290,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/product_install
 - pipenv run molecule test -s jira_version_override
@@ -270,6 +299,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/product_install
 - pipenv run molecule test -s servicedesk3
@@ -278,6 +308,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/product_install
 - pipenv run molecule test -s servicedesk4
@@ -286,6 +317,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/product_install
 - pipenv run molecule test -s servicedesk_latest
@@ -294,6 +326,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/product_startup
 - pipenv run molecule test -s bitbucket
@@ -302,6 +335,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/product_startup
 - pipenv run molecule test -s default
@@ -310,6 +344,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/product_startup
 - pipenv run molecule test -s startup_restart_false
@@ -318,6 +353,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/product_startup
 - pipenv run molecule test -s synchrony
diff --git a/pipeline_generator/templates/bitbucket-pipelines.yml.j2 b/pipeline_generator/templates/bitbucket-pipelines.yml.j2
index bd05ff8..ac5bdc7 100644
--- a/pipeline_generator/templates/bitbucket-pipelines.yml.j2
+++ b/pipeline_generator/templates/bitbucket-pipelines.yml.j2
@@ -39,6 +39,7 @@ pipelines:
 services:
 - docker
 script:
+ - export ANSIBLE_CONFIG=./ansible.cfg
 - ./bin/install-ansible --dev
 - cd roles/{{ spath.parts[2] }}
 - pipenv run molecule test -s {{ spath.parts[4] }}