Hi

You left out important information. For instance the output of the "Display
ALB ARNs" debug task.
That is used in your shell command at " for alb_arn in {{
alb_map_arns[item] }}; do", so that is important.
Post that debug output.
Or, post the output of the "Attach WAF to ALBs" task with -vv.


On Thu, 24 Aug 2023 at 21:45, Shivani Arora <[email protected]> wrote:

> Hi Team,
>
> I'm trying the below code to attach a region-specific WAF to region-specific
> ALBs. But the below code doesn't seem to be working for associating the
> WAF to the ALBs. The last shell module is having issues: the "$alb_arn" value is
> not getting interpreted, and I get the error mentioned below.
>
> tasks:
>
>   - block:
>       - name: Get service alb info
>         community.aws.elb_application_lb_info:
>           profile: "{{ aws_profile_name }}"
>           region: "{{ region }}"
>           names:
>           - "Service-{{ ec2_tag_environment }}"
>           - "ServiceInt-{{ ec2_tag_environment }}"
>           - "Web-{{ ec2_tag_environment }}"
>         register: alb_info
>         loop: "{{ aws_cloud_regions }}"
>         loop_control:
>           loop_var: region
>
>       - debug:
>           var: alb_info
>
>       - name: Extract ALB ARNs
>         set_fact:
>             alb_arns: "{{ alb_arns | default([]) + item.load_balancers | map(attribute='load_balancer_arn') | list }}"
>         loop: "{{ alb_info.results }}"
>
>       - name: Extract ALB map ARNs
>         set_fact:
>             alb_map_arns: "{{ alb_map_arns | default({}) | combine({item.region: item.load_balancers | map(attribute='load_balancer_arn') | list}) }}"
>         loop: "{{ alb_info.results }}"
>
>
>       - name: Display ALB ARNs
>         debug:
>           var: alb_map_arns
>
>       - name: Get WAF WebACL ARN
>         shell: |
>           aws wafv2 list-web-acls --scope REGIONAL --profile "{{ aws_profile_name }}" --region "{{ region }}" --query 'WebACLs[?Name==`{{ ec2_tag_environment }}-ALB`].ARN' --output text
>         register: waf_acl
>         changed_when: false
>         loop: "{{ aws_cloud_regions }}"
>         loop_control:
>           loop_var: region
>
>       - debug:
>           var: waf_acl
>
>       - name: Print WebACL ARN
>         set_fact:
>            waf_arn: "{{ waf_arn | default({}) | combine({item.region: item.stdout}) }}"
>         loop: "{{ waf_acl.results }}"
>
>       - debug:
>           var: waf_arn
>
>       - name: Attach WAF to ALBs
>         shell: |
>           for alb_arn in {{ alb_map_arns[item] }}; do
>             aws wafv2 associate-web-acl \
>               --web-acl-arn "{{ waf_arn[item] }}" \
>               --resource-arn "$alb_arn" \
>               --profile "{{ aws_profile_name }}" \
>               --region "{{ item }}"
>           done
>         loop: "{{ waf_arn.keys() | list }}"
>         when: item in alb_map_arns
>
>
> Below, $alb_arn is not getting interpreted:
>
>  do\n  aws wafv2 associate-web-acl    --web-acl-arn
> \"arn:aws:wafv2:eu-central-1:<profile>:regional/webacl/QAtest-ALB/a6dda4d3-9973-4b88-bc49-a7cbad91a302\"
>    --resource-arn \"$alb_arn\"
>
> error reason: The ARN isn't valid. A valid ARN begins with arn: and
> includes other information separated by colons or slashes., field:
> RESOURCE_ARN
> An error occurred (WAFNonexistentItemException) when calling the
> AssociateWebACL operation: AWS WAF couldn’t perform the operation because
> your resource doesn’t exist
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/72172b94-528b-4828-b586-836160a318a3n%40googlegroups.com
> <https://groups.google.com/d/msgid/ansible-project/72172b94-528b-4828-b586-836160a318a3n%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
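As an added example (not code from the thread or from the poster's playbook): why the shell for-loop in the quoted "Attach WAF to ALBs" task can hand malformed resource ARNs to `aws wafv2 associate-web-acl`. A list value substituted into the middle of a `shell:` string renders as a Python list literal, brackets and quotes included, so the words the loop iterates over are not the ARNs themselves; joining the list with one shell-quoted word per ARN fixes that. The ARNs, account id and load balancer ids below are constructed sample data, and the inference that this is what produced the two errors in the original post is an assumption, not something the thread confirms.

```python
import re
import shlex

# Constructed sample standing in for the alb_map_arns fact built in the quoted
# playbook (one region, two ALBs). Account id and load balancer ids are made up.
ALB_MAP_ARNS = {
    "eu-central-1": [
        "arn:aws:elasticloadbalancing:eu-central-1:123456789012:loadbalancer/app/Service-QAtest/0123456789abcdef",
        "arn:aws:elasticloadbalancing:eu-central-1:123456789012:loadbalancer/app/Web-QAtest/fedcba9876543210",
    ],
}

# Shape of an application load balancer ARN:
#   arn:aws:elasticloadbalancing:<region>:<12-digit account>:loadbalancer/app/<name>/<16 hex chars>
ALB_ARN_RE = re.compile(
    r"^arn:aws:elasticloadbalancing:[a-z0-9-]+:\d{12}:loadbalancer/app/[A-Za-z0-9-]+/[0-9a-f]{16}$"
)


def render_list_as_is(arns):
    """Emulate `for alb_arn in {{ alb_map_arns[item] }}`: a list embedded in a
    string template is stringified with Python's repr, brackets and quotes included."""
    return str(arns)


def render_list_joined(arns):
    """Emulate `{{ alb_map_arns[item] | map('quote') | join(' ') }}`: one
    shell-quoted word per ARN, so the for-loop sees exactly the ARNs and
    nothing coming back from the API response can be reinterpreted by the shell."""
    return " ".join(shlex.quote(a) for a in arns)


def shell_words(rendered):
    """The words a POSIX shell's for-loop would iterate over for this text."""
    return shlex.split(rendered)


def is_valid_alb_arn(word):
    return ALB_ARN_RE.match(word) is not None


def loop_items(arns, renderer):
    """Return (word, valid?) for each word the shell loop would produce."""
    return [(w, is_valid_alb_arn(w)) for w in shell_words(renderer(arns))]


if __name__ == "__main__":
    region_arns = ALB_MAP_ARNS["eu-central-1"]
    print("as-is rendering:", render_list_as_is(region_arns))
    for word, ok in loop_items(region_arns, render_list_as_is):
        print("  ", "OK " if ok else "BAD", word)
    print("joined rendering:", render_list_joined(region_arns))
    for word, ok in loop_items(region_arns, render_list_joined):
        print("  ", "OK " if ok else "BAD", word)
```

With the as-is rendering the first loop word begins with `[` (an ARN that "isn't valid") and the last ends with `]` (a well-formed-looking ARN for a resource that does not exist), which is the pattern of the two errors quoted above. In the playbook the fix corresponds to `for alb_arn in {{ alb_map_arns[item] | map('quote') | join(' ') }}; do`; keeping each value quoted matters because the ARNs come from an API response rather than from the playbook itself, and data should never reach the shell unquoted.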

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CAF8BbLZR9Owhj-GwJb2E7sFn22-HZoiEi0ZMa_ZBDhwzkkXgqg%40mail.gmail.com.
