Your first task is replacing blocked_account_list each time through the
loop, so you end up with only those blocked accounts listed for the last
region.
However, you are also registering the results, so you can create a loop
that retains all the blocked accounts along with their associated region.
- name: Tie region to the blocked accounts
  ansible.builtin.debug:
    msg: "{{ item }}"
  vars:
    ba_query: '[].{region: region, blocked_accounts: ansible_facts.blocked_account_list}'
  loop:
    - "{{ blocked_accounts.results | json_query(ba_query) }}"
This results in the following output. (Note, I'm running with
ANSIBLE_STDOUT_CALLBACK=yaml ansible-playbook …
and I've inserted the region into the account numbers so I can tell
which accounts came from which region.):
TASK [Tie region to the blocked accounts] ************************************************************************************************************************************
ok: [localhost] => (item=[{'region': 'us-east-1', 'blocked_accounts': ['20ea8d-us-east-1-bfbafa5', 'c7a19f-us-east-1-33e64c5']}, {'region': 'eu-central-1', 'blocked_accounts': ['5afabf-eu-central-1-ae02', '5c46e3-eu-central-1-1a7c']}]) =>
  msg:
  - blocked_accounts:
    - 20ea8d-us-east-1-bfbafa5
    - c7a19f-us-east-1-33e64c5
    region: us-east-1
  - blocked_accounts:
    - 5afabf-eu-central-1-ae02
    - 5c46e3-eu-central-1-1a7c
    region: eu-central-1
After that, it isn't particularly clear to me how the region is supposed
to play into the following tasks. But perhaps this will help get past
the first problem.
--
Todd
On 9/1/23 2:54 PM, Shivani Arora wrote:
Hi Team,
I'm having issues with looping in Ansible. The background of what I'm
trying to do is -
I have 2 regions in aws_cloud_regions and their respective
waf_blocked_accounts list, which looks like the one below.
I want to create regional_account_rules in waf for both the regions
(as in us-east-1 blocked_account_list gets attached to
regional_account_rules for US East and the same for another region)
but I'm facing issues while looping over regions and blocked_account_list
together.
Also note that search_string in "Create statements" accepts a string,
not a list, so we have to create one outer loop and one inner loop, an outer
loop for regions, and an inner one for adding blocked account lists one by
one.
-bash-4.2$ cat environment/QAtest/us-east-1/waf_blocked_accounts.yml
blocked_account_list:
  - 5afabfb36d6c356772d8ae02
  - 5c46e33273766a3634f91a7c

"aws_cloud_regions": [
  "us-east-1",
  "eu-central-1"
]
The playbook which needs modification (it is not region-specific as of
now):
# Each iteration of include_vars overwrites blocked_account_list, so after
# the loop the fact holds only the last region's accounts; the registered
# blocked_accounts.results keeps every region's loaded vars.
- name: Loop over AWS regions
  include_vars:
    file: "environment/QAtest/{{ region }}/waf_blocked_accounts.yml"
  loop: "{{ aws_cloud_regions }}"
  loop_control:
    loop_var: region
  register: blocked_accounts

- name: Create statements
  set_fact:
    # default([]) seeds the accumulator on the first iteration
    acc_statements: "{{ (acc_statements | default([])) + [loop_statement] }}"
  vars:
    loop_statement:
      byte_match_statement:
        search_string: "{{ acc_id }}"
        positional_constraint: EXACTLY
        field_to_match:
          single_header:
            name: "accountmoid"
        text_transformations:
          - type: NONE
            priority: 0
  loop: "{{ blocked_account_list }}"
  loop_control:
    loop_var: acc_id

- set_fact:
    regional_account_rules:
      - name: "BlockedAccounts"
        priority: 3
        action:
          block: {}
        visibility_config:
          sampled_requests_enabled: yes
          cloud_watch_metrics_enabled: yes
          metric_name: "BlockedAccounts"
        statement:
          or_statement:
            statements: "{{ acc_statements }}"

- set_fact:
    regional_account_rules: "{{ regional_account_rules | default([]) }}"
Any help is appreciated. Thanks in advance.
--
You received this message because you are subscribed to the Google
Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/cd18c106-b3c0-4f3b-8e6c-60c52ee3e5e6n%40googlegroups.com
--
You received this message because you are subscribed to the Google Groups "Ansible
Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/9b5462d2-4c49-ed72-2654-d0486fd831f1%40gmail.com.
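As an added example (not code from either message in the thread), here is one way to carry Todd's observation through to the original goal: keep the per-region lists from the registered include_vars result, run the outer (region) and inner (account) loops in a single task with the subelements filter, and end up with a separate BlockedAccounts rule for each region. The blocked_accounts variable is constructed inline to mirror the structure that `register: blocked_accounts` produces on the looped include_vars task (results[].region from loop_var, results[].ansible_facts from the loaded file), so the playbook runs offline; in real use that vars block is dropped and the include_vars task from the thread is kept. The facts acc_statements_by_region and the dict-shaped regional_account_rules are names chosen for this example.

```yaml
---
# Added example: build a per-region BlockedAccounts rule from the registered
# include_vars results instead of the (overwritten) blocked_account_list fact.
- name: Build WAF blocked-account rules per region
  hosts: localhost
  gather_facts: false
  vars:
    # CONSTRUCTED stand-in for `register: blocked_accounts` on the looped
    # include_vars task; account ids are the region-tagged samples from the thread.
    blocked_accounts:
      results:
        - region: us-east-1
          ansible_facts:
            blocked_account_list:
              - 20ea8d-us-east-1-bfbafa5
              - c7a19f-us-east-1-33e64c5
        - region: eu-central-1
          ansible_facts:
            blocked_account_list:
              - 5afabf-eu-central-1-ae02
              - 5c46e3-eu-central-1-1a7c
  tasks:
    # subelements() flattens results[] x blocked_account_list[] into
    # (region_result, account_id) pairs: the outer and inner loop in one task.
    # default({}) seeds the dict on the first iteration; each pass appends the
    # new statement to the list belonging to item.0.region.
    - name: One byte_match statement per (region, account) pair
      ansible.builtin.set_fact:
        acc_statements_by_region: >-
          {{ acc_statements_by_region | default({})
             | combine({ item.0.region:
                         ((acc_statements_by_region | default({}))[item.0.region] | default([]))
                         + [loop_statement] }) }}
      vars:
        loop_statement:
          byte_match_statement:
            search_string: "{{ item.1 }}"
            positional_constraint: EXACTLY
            field_to_match:
              single_header:
                name: accountmoid
            text_transformations:
              - type: NONE
                priority: 0
      loop: "{{ blocked_accounts.results | subelements('ansible_facts.blocked_account_list') }}"
      loop_control:
        label: "{{ item.0.region }}: {{ item.1 }}"

    # Wrap each region's statements in its own rule, keyed by region, so a
    # later task can pick regional_account_rules[region] for the matching WAF.
    - name: Assemble regional_account_rules keyed by region
      ansible.builtin.set_fact:
        regional_account_rules: >-
          {{ regional_account_rules | default({}) | combine({ item.key: [region_rule] }) }}
      vars:
        region_rule:
          name: BlockedAccounts
          priority: 3
          action:
            block: {}
          visibility_config:
            sampled_requests_enabled: true
            cloud_watch_metrics_enabled: true
            metric_name: BlockedAccounts
          statement:
            or_statement:
              statements: "{{ item.value }}"
      loop: "{{ acc_statements_by_region | dict2items }}"
      loop_control:
        label: "{{ item.key }}"

    - name: Show which account ids ended up in each region's rule
      ansible.builtin.debug:
        msg: "{{ item.key }} -> {{ item.value[0].statement.or_statement.statements | map(attribute='byte_match_statement.search_string') | list }}"
      loop: "{{ regional_account_rules | dict2items }}"
```

Run it with `ansible-playbook` on the file; the final debug task prints one line per region, with us-east-1 listing only the two us-east-1 ids and eu-central-1 only its two, which is the check that no region's list leaked into another's rule. Keying the result by region (a dict rather than the original flat list) is the design choice that lets the follow-on tasks attach each rule set to the right regional WAF with a plain lookup.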