Fixing-aws_vpc-role-2-PR-devel-2.x

roles/aws/aws_backup_validation/tasks/main.yml

@@ -25,7 +25,7 @@
       timeout: "{{ aws_backup_validation.timeout }}"
       role: "{{ aws_iam_role._result['LambdaBackupRestoreRole'] }}"
       runtime: "{{ aws_backup_validation.runtime }}"
-      function_file: "{{ lookup('template', item + '_validation.py.j2')  }}"
+      function_file: "{{ lookup('template', item + '_validation.py.j2') }}"
       s3_bucket: "ce-{{ _aws_profile }}-lambda-functions"
       tags:
         Name: "{{ item }}_backup_validation"

roles/aws/aws_elasticache/tasks/main.yml

@@ -38,4 +38,4 @@
     security_group_ids: "{{ _aws_security_group_list }}" # variable populated by the aws_security_groups role
     zone: "{{ aws_elasticache.zone | default(omit) }}"
 
-# @TODO grab the endpoint data for the memcached client role
+# @TODO grab the endpoint data for the memcached client role

roles/aws/aws_iam_role/tasks/main.yml

@@ -1,6 +1,6 @@
 - name: Create an IAM Managed Policy if defined.
   amazon.aws.iam_managed_policy:
-    policy_name: "inline_{{ aws_iam_role.name }}_policy"
+    policy_name: "inline_{{ aws_iam_role.inline_policies.name }}_policy"
     policy:
       Version: "2012-10-17"
       Statement:
@@ -13,7 +13,7 @@
 
 - name: Join managed and inline policy.
   ansible.builtin.set_fact:
-    _combined_policies: "{{ aws_iam_role.managed_policies + [_inline_iam_policy.arn] }}"
+    _combined_policies: "{{ aws_iam_role.managed_policies + [_inline_iam_policy.policy.arn] }}"
   when: aws_iam_role.inline_policies.action is defined and aws_iam_role.inline_policies.action | length > 0
 
 - name: Create combined var if inline policy is not defined or empty.

roles/aws/aws_s3_bucket/tasks/main.yml

@@ -24,4 +24,4 @@
 
 - name: Register aws_s3_bucket results.
   ansible.builtin.set_fact:
-    aws_s3_bucket: "{{ aws_s3_bucket | combine({'_result': {aws_s3_bucket.name | replace('-','_'): {'bucket': _aws_s3_bucket, 'policy': _aws_s3_bucket_policy}}}, recursive=True) }}"
+    aws_s3_bucket: "{{ aws_s3_bucket | combine({'_result': {aws_s3_bucket.name | replace('-', '_'): {'bucket': _aws_s3_bucket, 'policy': _aws_s3_bucket_policy}}}, recursive=True) }}"

roles/aws/aws_vpc/tasks/main.yml

@@ -10,15 +10,13 @@
   register: _aws_vpc_vpc
 
 - name: Ensure default Security group is tagged.
-  amazon.aws.ec2_security_group:
-    name: "default"
-    profile: "{{ aws_vpc.aws_profile }}"
-    region: "{{ aws_vpc.region }}"
-    tags: "{{ aws_vpc.tags }}"
-    state: "{{ aws_vpc.state }}"
-    vpc_id: "{{ _aws_vpc_vpc.vpc.id }}"
-    description: "default VPC security group"
-    purge_rules: false
+  ansible.builtin.include_tasks: "security_group.yml"
+  vars:
+    aws_vpc:
+      name: "default"
+      id: "{{ _aws_vpc_vpc.vpc.id }}"
+      description: "default VPC security group"
+      purge_rules: false
 
 - name: Create VPC Security groups.
   ansible.builtin.include_tasks: "security_group.yml"

roles/aws/aws_vpc/tasks/security_group.yml

@@ -5,7 +5,13 @@
     region: "{{ aws_vpc.region }}"
     tags: "{{ aws_vpc.tags | combine({'Name': security_group.name}) }}"
     state: "{{ aws_vpc.state }}"
-    vpc_id: "{{ _aws_vpc_vpc.vpc.id }}"
+    vpc_id: "{{ aws_vpc.id }}"
     description: "{{ security_group.description }}"
     rules: "{{ security_group.rules | default(omit) }}"
     rules_egress: "{{ security_group.rules_egress | default(omit) }}"
+    purge_rules: "{{ aws_vpc.purge_rules | default(omit) }}"
+  register: _aws_vpc_result
+
+- name: Register aws_vpc SG results.
+  ansible.builtin.set_fact:
+    aws_vpc: "{{ aws_vpc | combine({'_result': {aws_vpc.name: _aws_vpc_result}}, recursive=True) }}"

roles/debian/jenkins/defaults/main.yml

@@ -7,7 +7,7 @@ ldap_client:
   bindpw: ""
 
 jenkins:
-  apt_signed_by: https://pkg.jenkins.io/debian/jenkins.io.key
+  apt_signed_by: https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key
   server_name: "jenkins.{{ _domain_name }}"
   ssl_handling: "ssl_selfsigned"
   listen_http_port: -1

roles/debian/jenkins/tasks/main.yml

@@ -1,17 +1,17 @@
 ---
-- name: Add Jenkins repository and key.
+- name: Add Jenkins repository.
   ansible.builtin.include_role:
     name: debian/apt_repository
   vars:
     apt_repository:
-      legacy_repo: "deb http://pkg.jenkins.io/debian binary/"
+      legacy_repo: "deb http://pkg.jenkins.io/debian-stable binary/"
       format: list # Jenkins repo does not support deb822
-      list_repo_string: "http://pkg.jenkins.io/debian binary/" # override automated repo string generation
+      list_repo_string: "http://pkg.jenkins.io/debian-stable binary/" # override automated repo string generation
       name: jenkins
       types:
         - deb
       uris:
-        - http://pkg.jenkins.io/debian
+        - http://pkg.jenkins.io/debian-stable
       signed_by: "{{ jenkins.apt_signed_by }}"
       state: present
       key_refresh_timer_OnCalendar: "Mon *-*-* 00:00:00"
@@ -100,20 +100,23 @@
     group: "{{ jenkins.user }}"
     mode: 0775
 
-- name: Restart Jenkins.
+- name: Copy jenkins service file with jenkins port number.
+  ansible.builtin.template:
+    src: "jenkins.service.j2"
+    dest: "/usr/lib/systemd/system/jenkins.service"
+    owner: "root"
+    group: "root"
+    mode: 0644
+
+- name: Restart Jenkins and reload daemon.
   ansible.builtin.service:
     name: jenkins
+    daemon_reload: true
     state: restarted
-  when: aptoutput.changed
-
-- name: Paise for 2 minutes.
-  ansible.builtin.pause:
-    minutes: 2
-  when: aptoutput.changed
 
 - name: Download Jenkins CLI.
   ansible.builtin.get_url:
-    url: "https://localhost:{{ jenkins.listen_https_port }}/jnlpJars/jenkins-cli.jar"
+    url: "http://localhost:{{ jenkins.listen_https_port }}/jnlpJars/jenkins-cli.jar"
     validate_certs: false
     dest: /opt/jenkins-cli.jar
 
@@ -135,13 +138,13 @@
         timer_OnCalendar: "{{ jenkins.on_calendar }}"
 
 - name: Install Jenkins Plugins.
-  ansible.builtin.command: "java -jar /opt/jenkins-cli.jar -auth {{ jenkins.adminuser }}:{{ jenkins.adminpass }}  -noCertificateCheck -s https://localhost:{{ jenkins.listen_https_port }}/ install-plugin {{ jenkins.plugins | join(' ') }}"
+  ansible.builtin.command: "java -jar /opt/jenkins-cli.jar -auth {{ jenkins.adminuser }}:{{ jenkins.adminpass }}  -noCertificateCheck -s http://localhost:{{ jenkins.listen_https_port }}/ install-plugin {{ jenkins.plugins | join(' ') }}"
   become: true
   become_user: "{{ jenkins.user }}"
   register: pluginoutput
 
 - name: Safe restart Jenkins.
-  ansible.builtin.command: "java -jar /opt/jenkins-cli.jar -auth {{ jenkins.adminuser }}:{{ jenkins.adminpass }}  -noCertificateCheck -s https://localhost:{{ jenkins.listen_https_port }}/ safe-restart"
+  ansible.builtin.command: "java -jar /opt/jenkins-cli.jar -auth {{ jenkins.adminuser }}:{{ jenkins.adminpass }}  -noCertificateCheck -s http://localhost:{{ jenkins.listen_https_port }}/ safe-restart"
   become: true
   become_user: "{{ jenkins.user }}"
   when: pluginoutput.changed

roles/debian/jenkins/templates/jenkins.service.j2

@@ -0,0 +1,151 @@
+
+# This file is managed by systemd(1). Do NOT edit this file manually!
+# To override these settings, run:
+#
+#     systemctl edit jenkins
+#
+# For more information about drop-in files, see:
+#
+#     https://www.freedesktop.org/software/systemd/man/systemd.unit.html
+#
+
+[Unit]
+Description=Jenkins Continuous Integration Server
+Requires=network.target
+After=network.target
+StartLimitBurst=5
+StartLimitIntervalSec=5m
+
+[Service]
+Type=notify
+NotifyAccess=main
+ExecStart=/usr/bin/jenkins
+Restart=on-failure
+SuccessExitStatus=143
+
+# Configures the time to wait for start-up. If Jenkins does not signal start-up
+# completion within the configured time, the service will be considered failed
+# and will be shut down again. Takes a unit-less value in seconds, or a time span
+# value such as "5min 20s". Pass "infinity" to disable the timeout logic.
+#TimeoutStartSec=90
+
+# Unix account that runs the Jenkins daemon
+# Be careful when you change this, as you need to update the permissions of
+# $JENKINS_HOME, $JENKINS_LOG, and (if you have already run Jenkins)
+# $JENKINS_WEBROOT.
+User=jenkins
+Group=jenkins
+
+# Directory where Jenkins stores its configuration and workspaces
+Environment="JENKINS_HOME=/var/lib/jenkins"
+WorkingDirectory=/var/lib/jenkins
+
+# Location of the Jenkins WAR
+#Environment="JENKINS_WAR=/usr/share/java/jenkins.war"
+
+# Location of the exploded WAR
+Environment="JENKINS_WEBROOT=%C/jenkins/war"
+
+# Location of the Jenkins log. By default, systemd-journald(8) is used.
+#Environment="JENKINS_LOG=%L/jenkins/jenkins.log"
+
+# The Java home directory. When left empty, JENKINS_JAVA_CMD and PATH are consulted.
+#Environment="JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64"
+
+# The Java executable. When left empty, JAVA_HOME and PATH are consulted.
+#Environment="JENKINS_JAVA_CMD=/etc/alternatives/java"
+
+# Arguments for the Jenkins JVM
+Environment="JAVA_OPTS=-Djava.awt.headless=true"
+
+# Unix Domain Socket to listen on for local HTTP requests. Default is disabled.
+#Environment="JENKINS_UNIX_DOMAIN_PATH=/run/jenkins/jenkins.socket"
+
+# IP address to listen on for HTTP requests.
+# The default is to listen on all interfaces (0.0.0.0).
+#Environment="JENKINS_LISTEN_ADDRESS="
+
+# Port to listen on for HTTP requests. Set to -1 to disable.
+# To be able to listen on privileged ports (port numbers less than 1024),
+# add the CAP_NET_BIND_SERVICE capability to the AmbientCapabilities
+# directive below.
+Environment="JENKINS_PORT={{ jenkins.listen_https_port }}"
+
+# IP address to listen on for HTTPS requests. Default is disabled.
+#Environment="JENKINS_HTTPS_LISTEN_ADDRESS="
+
+# Port to listen on for HTTPS requests. Default is disabled.
+# To be able to listen on privileged ports (port numbers less than 1024),
+# add the CAP_NET_BIND_SERVICE capability to the AmbientCapabilities
+# directive below.
+#Environment="JENKINS_HTTPS_PORT=443"
+
+# Path to the keystore in JKS format (as created by the JDK's keytool).
+# Default is disabled.
+#Environment="JENKINS_HTTPS_KEYSTORE=/path/to/keystore.jks"
+
+# Password to access the keystore defined in JENKINS_HTTPS_KEYSTORE.
+# Default is disabled.
+#Environment="JENKINS_HTTPS_KEYSTORE_PASSWORD=s3cR3tPa55w0rD"
+
+# IP address to listen on for HTTP2 requests. Default is disabled.
+#Environment="JENKINS_HTTP2_LISTEN_ADDRESS="
+
+# HTTP2 port to listen on. Default is disabled.
+# To be able to listen on privileged ports (port numbers less than 1024),
+# add the CAP_NET_BIND_SERVICE capability to the AmbientCapabilities
+# directive below.
+#Environment="JENKINS_HTTP2_PORT="
+
+# Controls which capabilities to include in the ambient capability set for the
+# executed process. Takes a whitespace-separated list of capability names, e.g.
+# CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_SYS_PTRACE. Ambient capability sets are
+# useful if you want to execute a process as a non-privileged user but still
+# want to give it some capabilities. For example, add the CAP_NET_BIND_SERVICE
+# capability to be able to listen on privileged ports (port numbers less than
+# 1024).
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+# Debug level for logs. The higher the value, the more verbose. 5 is INFO.
+#Environment="JENKINS_DEBUG_LEVEL=5"
+
+# Set to true to enable logging to /var/log/jenkins/access_log.
+#Environment="JENKINS_ENABLE_ACCESS_LOG=false"
+
+# Servlet context (important if you want to use reverse proxying)
+#Environment="JENKINS_PREFIX=/jenkins"
+
+# Arbitrary additional arguments to pass to Jenkins.
+# Full option list: java -jar jenkins.war --help
+#Environment="JENKINS_OPTS="
+
+# Maximum core file size. If unset, the value from the OS is inherited.
+#LimitCORE=infinity
+
+# Maximum file size. If unset, the value from the OS is inherited.
+#LimitFSIZE=infinity
+
+# File descriptor limit. If unset, the value from the OS is inherited.
+#LimitNOFILE=8192
+
+# Maximum number of processes. If unset, the value from the OS is inherited.
+#LimitNPROC=32768
+
+# Set the umask to control the permission bits of files that Jenkins creates.
+#
+# 0027 makes files read-only for group and inaccessible for others, which some
+# security sensitive users might consider beneficial, especially if Jenkins
+# is running on a server that is used for multiple purposes. Beware that 0027
+# permissions would interfere with sudo scripts that run on the controller
+# (see JENKINS-25065).
+#
+# Note also that the particularly sensitive parts of $JENKINS_HOME (such as
+# credentials) are always written without 'other' access. So the umask values
+# only affect job configuration, build records, etc.
+#
+# If unset, the value from the OS is inherited, which is normally 0022.
+# The default umask comes from pam_umask(8) and /etc/login.defs.
+#UMask=0022
+
+[Install]
+WantedBy=multi-user.target