Thanks, Todd. I'm majorly facing issues with looping. I want to create
regional_account_rules for us-east-1 and eu-central-1 and want to make sure
the correct "acc_statements" get created for each region with the respective
blocked accounts. Could you provide some suggestions on how to achieve this?

On Saturday, September 2, 2023 at 2:38:48 AM UTC+5:30 Todd Lewis wrote:

> Your first task is replacing blocked_account_list each time through the 
> loop, so you end up with only those blocked accounts listed for the last 
> region.
>
> However, you are also registering the results, so you can create a loop 
> that retains all the blocked accounts along with their associated region.
>
>     - name: Tie region to the blocked accounts
>       ansible.builtin.debug:
>         msg: "{{ item }}"
>       vars:
>         ba_query: '[].{region: region, blocked_accounts: ansible_facts.blocked_account_list}'
>       loop:
>         - "{{ blocked_accounts.results | json_query(ba_query) }}"
>
> This results in the following output. (Note, I'm running with
> ANSIBLE_STDOUT_CALLBACK=yaml ansible-playbook …
> and I've inserted the region into the account numbers so I can tell which 
> accounts came from which region.):
>
> TASK [Tie region to the blocked accounts] 
> ************************************************************************************************************************************
> ok: [localhost] => (item=[{'region': 'us-east-1', 'blocked_accounts': 
> ['20ea8d-us-east-1-bfbafa5', 'c7a19f-us-east-1-33e64c5']}, {'region': 
> 'eu-central-1', 'blocked_accounts': ['5afabf-eu-central-1-ae02', 
> '5c46e3-eu-central-1-1a7c']}]) => 
>   msg:
>   - blocked_accounts:
>     - 20ea8d-us-east-1-bfbafa5
>     - c7a19f-us-east-1-33e64c5
>     region: us-east-1
>   - blocked_accounts:
>     - 5afabf-eu-central-1-ae02
>     - 5c46e3-eu-central-1-1a7c
>     region: eu-central-1
>
> After that, it isn't particularly clear to me how the region is supposed 
> to play into the following tasks. But perhaps this will help get past the 
> first problem.
> --
> Todd
>
>
> On 9/1/23 2:54 PM, Shivani Arora wrote:
>
> Hi Team,
>
> I'm having issues with looping in Ansible. The background of what I'm 
> trying to do is - 
> I have 2 regions in aws_cloud_regions and their respective 
> waf_blocked_accounts list, which looks like the one below. 
>
> I want to create regional_account_rules in waf for both the regions (as in 
> us-east-1 blocked_account_list gets attached to regional_account_rules 
> for US East and the same for another region) but facing issues while 
> looping over regions and blocked_account_list together. 
>
>
> Also note, that search_string in "Create statements" accepts a string 
> list, so we have to create one outer loop and one inner loop, an outer 
> loop for regions, and an inner for adding blocked account lists one by one.
>
>  
>
> -bash-4.2$ cat environment/QAtest/us-east-1/waf_blocked_accounts.yml
> blocked_account_list:
>   - 5afabfb36d6c356772d8ae02
>   - 5c46e33273766a3634f91a7c
>
> "aws_cloud_regions": [
>         "us-east-1",
>         "eu-central-1"
>     ]
>
>
> The playbook which needs modification, it is not region-specific as of now:
>
>   - name: Loop over AWS regions
>     include_vars:
>         file: "environment/QAtest/{{ region }}/waf_blocked_accounts.yml"
>     loop: "{{ aws_cloud_regions }}"
>     loop_control:
>         loop_var: region
>     register: blocked_accounts
>
>   - name: Create statements
>     set_fact:
>       acc_statements: "{{ acc_statements + [loop_statement] }}"
>     vars:
>       loop_statement:
>         byte_match_statement:
>           search_string: "{{ acc_id }}"
>           positional_constraint: EXACTLY
>           field_to_match:
>             single_header:
>               name: "accountmoid"
>           text_transformations:
>           - type: NONE
>             priority: 0
>     loop: "{{ blocked_account_list }}"
>     loop_control:
>       loop_var: acc_id
>
>   - set_fact:
>       regional_account_rules:
>       - name: "BlockedAccounts"
>         priority: 3
>         action:
>           block: {}
>         visibility_config:
>           sampled_requests_enabled: yes
>           cloud_watch_metrics_enabled: yes
>           metric_name: "BlockedAccounts"
>         statement:
>           or_statement:
>             statements: "{{ acc_statements }}"
>
>   - set_fact:
>       regional_account_rules: "{{ regional_account_rules | default([]) }}"
>
>
> Any help is appreciated. Thanks in advance.
>
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ansible-project/cd18c106-b3c0-4f3b-8e6c-60c52ee3e5e6n%40googlegroups.com
>  
> <https://groups.google.com/d/msgid/ansible-project/cd18c106-b3c0-4f3b-8e6c-60c52ee3e5e6n%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
>
> -- 
> Todd
>
>

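One way to get a separate rule per region, building on the registered include_vars results shown in the quoted reply (an added example, not code from either poster; `statements_by_region`, the `pair` and `entry` loop variables, and storing `regional_account_rules` as a dict keyed by region are assumptions, and neither fact is assumed to be set elsewhere in the play):

```yaml
# Added example, not from the thread. statements_by_region, the loop_var names
# and keying regional_account_rules by region are assumptions.
- name: Load each region's blocked accounts
  ansible.builtin.include_vars:
    file: "environment/QAtest/{{ region }}/waf_blocked_accounts.yml"
  loop: "{{ aws_cloud_regions }}"
  loop_control:
    loop_var: region
  register: blocked_accounts

# subelements yields one (result, account id) pair per blocked account, so one
# flat loop stands in for the outer (region) and inner (account) loops.
- name: Build byte-match statements grouped by region
  ansible.builtin.set_fact:
    statements_by_region: "{{ statements_by_region | default({}) | combine({pair.0.region: current + [loop_statement]}) }}"
  vars:
    current: "{{ (statements_by_region | default({})).get(pair.0.region, []) }}"
    loop_statement:
      byte_match_statement:
        search_string: "{{ pair.1 }}"
        positional_constraint: EXACTLY
        field_to_match:
          single_header:
            name: accountmoid
        text_transformations:
          - type: NONE
            priority: 0
  loop: "{{ blocked_accounts.results | subelements('ansible_facts.blocked_account_list') }}"
  loop_control:
    loop_var: pair

# or_statement needs at least two nested statements; a region with a single
# blocked account uses its one byte-match statement directly.
- name: Wrap each region's statements in a BlockedAccounts rule
  ansible.builtin.set_fact:
    regional_account_rules: "{{ regional_account_rules | default({}) | combine({entry.key: [rule]}) }}"
  vars:
    rule:
      name: BlockedAccounts
      priority: 3
      action: {block: {}}
      visibility_config:
        sampled_requests_enabled: true
        cloud_watch_metrics_enabled: true
        metric_name: BlockedAccounts
      statement: "{{ entry.value[0] if entry.value | length == 1 else {'or_statement': {'statements': entry.value}} }}"
  loop: "{{ statements_by_region | dict2items }}"
  loop_control:
    loop_var: entry
```

A region whose blocked_account_list is empty produces no pairs and therefore no key, so read the result as `regional_account_rules[region] | default([])` when attaching rules to that region's web ACL.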