ansible scripts to setup http gateways + misc tweaks (#173)

* Adapt ansible scripts for http gateways * Tweaks for ansible scripts * Update README.md
docknetwork · May 15, 2024 · bb73ffb · bb73ffb
1 parent c4368f3
commit bb73ffb
Show file tree

Hide file tree

Showing 6 changed files with 50 additions and 61 deletions.
diff --git a/scripts/ansible/aws/README.md b/scripts/ansible/aws/README.md
@@ -141,7 +141,7 @@ Variables:
 1. `aws_profile` - AWS profile to be used
 2. `aws_region` - AWS region to be used
 3. `name` - to use for the instance
-4. `restricted_cidr_ip` - set of IP addresses to allow `https` connections from. If provided, only port `443` will be open for the supplied IP mask.
+4. `https` - should gateway node use `https` or not. In case if not, its `http` port will be only accessible from within the members of the `http` AWS group.
 
 Variables ([`instance_host`:vars]):
 

diff --git a/scripts/ansible/aws/ec2-run-node.yml b/scripts/ansible/aws/ec2-run-node.yml
@@ -45,6 +45,8 @@
       profile: "{{ aws_profile }}"
       region: "{{ aws_region }}"
       name: "{{ instance_name }}"
+      filters:
+
     register: instances
 
   - name: Existing EC2 instance info

diff --git a/scripts/ansible/aws/ec2-set-volume-size.yml b/scripts/ansible/aws/ec2-set-volume-size.yml
@@ -19,6 +19,7 @@
 
   - name: Modify the volume
     amazon.aws.ec2_vol:
+      instance: "{{ instances['instances'][0].instance_id }}"
       profile: "{{ aws_profile }}"
       region: "{{ aws_region }}"
       name: "{{ instance_name }}"

diff --git a/scripts/ansible/aws/ec2-setup-gateway.yml b/scripts/ansible/aws/ec2-setup-gateway.yml
@@ -3,17 +3,16 @@
   gather_facts: False
   vars:
     instance_name: "{{ name }} (created by ansible)"
-    restricted_https: "{{ restricted_cidr_ip is defined }}"
-    unrestricted_http_and_https: "{{ not(restricted_https) }}"
-    group_name: "{{ 'HTTP & HTTPS (created by ansible)' if unrestricted_http_and_https else 'HTTP (created by ansible)' }}"
+    group_name: "{{ 'HTTP & HTTPS (created by ansible)' if https_bool else 'Restricted HTTP (created by ansible)' }}"
   tasks:
-
+  - set_fact: 
+      https_bool: "{{ https | default('true') | bool }}"
   - name: Create HTTP & HTTPS security group
-    when: unrestricted_http_and_https
+    when: https_bool
     amazon.aws.ec2_security_group:
       region: "{{ aws_region }}"
       profile: "{{ aws_profile }}"
-      name: HTTP & HTTPS (created by ansible)
+      name: "{{ group_name }}"
       description: Allows http and https connection (created by ansible)
       rules:
         - proto: tcp
@@ -24,19 +23,19 @@
           from_port: 443
           to_port: 443
           cidr_ip: 0.0.0.0/0
-  
-  - name: Create HTTP security group
-    when: restricted_https
+
+  - name: Create restricted HTTP security group
+    when: not https_bool
     amazon.aws.ec2_security_group:
       region: "{{ aws_region }}"
       profile: "{{ aws_profile }}"
-      name: HTTP (created by ansible)
+      name: "{{ group_name }}"
       description: Allows http connection (created by ansible)
       rules:
         - proto: tcp
           from_port: 80
           to_port: 80
-          cidr_ip: 0.0.0.0/0
+          group_name: "{{ group_name }}"
 
   - name: Get EC2 instance state
     amazon.aws.ec2_instance:
@@ -49,7 +48,7 @@
     ansible.builtin.debug:
       msg: Existing security groups {{ instances['instances'][0] | json_query('security_groups[*].group_id') }}
 
-  - name: Add HTTP & HTTPS open ports group to the EC2 instance
+  - name: Add {{ group_name }} to the EC2 instance
     amazon.aws.ec2_instance:
       profile: "{{ aws_profile }}"
       region: "{{ aws_region }}"
@@ -64,56 +63,18 @@
 
 - name: Open SSH port
   ansible.builtin.import_playbook: ./ec2-enable-ssh.yml
+
+- name: Setup http nginx
+  when: not hostvars['localhost']['https_bool']
+  ansible.builtin.import_playbook: ../setup-nginx-http.yml
+  vars:
+    overriden_host: "{{ hostvars['localhost']['instances']['instances'][0]['network_interfaces'][0]['association']['public_ip'] }}"
 
-- name: Setup nginx and issue certs
-  ansible.builtin.import_playbook: ../setup-nginx.yml
+- name: Setup https nginx and issue certs
+  when: hostvars['localhost']['https_bool']
+  ansible.builtin.import_playbook: ../setup-nginx-https.yml
   vars:
     overriden_host: "{{ hostvars['localhost']['instances']['instances'][0]['network_interfaces'][0]['association']['public_ip'] }}"
 
 - name: Close SSH port
-  ansible.builtin.import_playbook: ./ec2-disable-ssh.yml
-
-- hosts: localhost
-  connection: local
-  gather_facts: False
-  vars:
-    instance_name: "{{ name }} (created by ansible)"
-    restricted_https: "{{ restricted_cidr_ip is defined }}"
-    unrestricted_http_and_https: "{{ not(restricted_https) }}"
-    group_name: "{{ 'HTTP & HTTPS (created by ansible)' if unrestricted_http_and_https else 'HTTP (created by ansible)' }}"
-    restricted_group_name: "{{ 'Restricted HTTPS (' + restricted_cidr_ip + ') (created by ansible)' }}"
-  tasks:
-
-  - name: Create restricted HTTPS security group
-    when: restricted_https
-    amazon.aws.ec2_security_group:
-      region: "{{ aws_region }}"
-      profile: "{{ aws_profile }}"
-      name: "{{ restricted_group_name }}"
-      description: Allows restricted https connection (created by ansible)
-      rules:
-        - proto: tcp
-          from_port: 443
-          to_port: 443
-          cidr_ip: "{{ restricted_cidr_ip }}"
-
-  - name: Get EC2 instance state
-    when: restricted_https
-    amazon.aws.ec2_instance:
-      profile: "{{ aws_profile }}"
-      region: "{{ aws_region }}"
-      name: "{{ instance_name }}"
-    register: instances
-
-  - name: EC2 instance info
-    when: restricted_https
-    ansible.builtin.debug:
-      msg: Existing security groups {{ instances['instances'][0] | json_query('security_groups[*].group_id') }}
-
-  - name: Add HTTP & HTTPS open ports group to the EC2 instance
-    when: restricted_https
-    amazon.aws.ec2_instance:
-      profile: "{{ aws_profile }}"
-      region: "{{ aws_region }}"
-      name: "{{ instance_name }}"
-      security_groups: "{{ instances['instances'][0] | json_query('security_groups[*].group_id') + [restricted_group_name] | difference([group_name])  }}"
+  ansible.builtin.import_playbook: ./ec2-disable-ssh.yml
diff --git a/scripts/ansible/setup-nginx-http.yml b/scripts/ansible/setup-nginx-http.yml
@@ -0,0 +1,25 @@
+- hosts: "{{ overriden_host | default(host) }}"
+  gather_facts: true
+  become: true
+  name: Setup http nginx
+
+  tasks:
+    - name: Install nginx
+      become: yes
+      become_method: sudo
+      ansible.builtin.apt:
+        name: nginx
+        state: latest
+
+    - name: Copy basic nginx configuration
+      become: yes
+      ansible.builtin.copy:
+        src: "{{ nginx_dir }}"
+        dest: /etc/
+
+    - name: Run nginx
+      become: yes
+      become_method: sudo
+      ansible.builtin.service:
+        name: nginx
+        state: restarted
diff --git a/scripts/ansible/setup-nginx.yml → scripts/ansible/setup-nginx-https.yml b/scripts/ansible/setup-nginx.yml → scripts/ansible/setup-nginx-https.yml