Hi Team,
I'm trying the below code to attach region-specific WAFs to region-specific ALBs, but it doesn't seem to be working for associating the WAF with the ALBs. The last shell task is having issues: the "$alb_arn" value is not getting interpreted, and I get the error mentioned below.
tasks:
  - block:
      - name: Get service alb info
        community.aws.elb_application_lb_info:
          profile: "{{ aws_profile_name }}"
          region: "{{ region }}"
          names:
            - "Service-{{ ec2_tag_environment }}"
            - "ServiceInt-{{ ec2_tag_environment }}"
            - "Web-{{ ec2_tag_environment }}"
        register: alb_info
        loop: "{{ aws_cloud_regions }}"
        loop_control:
          loop_var: region

      - debug:
          var: alb_info

      - name: Extract ALB ARNs
        set_fact:
          alb_arns: "{{ alb_arns | default([]) + item.load_balancers | map(attribute='load_balancer_arn') | list }}"
        loop: "{{ alb_info.results }}"

      - name: Extract ALB map ARNs
        set_fact:
          alb_map_arns: "{{ alb_map_arns | default({}) | combine({item.region: item.load_balancers | map(attribute='load_balancer_arn') | list}) }}"
        loop: "{{ alb_info.results }}"

      - name: Display ALB ARNs
        debug:
          var: alb_map_arns

      - name: Get WAF WebACL ARN
        shell: |
          aws wafv2 list-web-acls --scope REGIONAL --profile "{{ aws_profile_name }}" --region "{{ region }}" --query 'WebACLs[?Name==`{{ ec2_tag_environment }}-ALB`].ARN' --output text
        register: waf_acl
        changed_when: false
        loop: "{{ aws_cloud_regions }}"
        loop_control:
          loop_var: region

      - debug:
          var: waf_acl

      - name: Print WebACL ARN
        set_fact:
          waf_arn: "{{ waf_arn | default({}) | combine({item.region: item.stdout}) }}"
        loop: "{{ waf_acl.results }}"

      - debug:
          var: waf_arn

      - name: Attach WAF to ALBs
        shell: |
          for alb_arn in {{ alb_map_arns[item] }}; do
            aws wafv2 associate-web-acl \
              --web-acl-arn "{{ waf_arn[item] }}" \
              --resource-arn "$alb_arn" \
              --profile "{{ aws_profile_name }}" \
              --region "{{ item }}"
          done
        loop: "{{ waf_arn.keys() | list }}"
        when: item in alb_map_arns
Below, $alb_arn is not getting interpreted:
do\n aws wafv2 associate-web-acl --web-acl-arn "arn:aws:wafv2:eu-central-1::regional/webacl/QAtest-ALB/a6dda4d3-9973-4b88-bc49-a7cbad91a302" --resource-arn "$alb_arn"
error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: RESOURCE_ARN
An error occurred (WAFNonexistentItemException) when calling the AssociateWebACL operation: AWS WAF couldn't perform the operation because your resource doesn't exist
dnmvisser (Dick Visser), August 24, 2023, 9:35pm, #2
Hi
You left out important information. For instance the output of the "Display ALB ARNs" debug task.
That is used in your shell command at "for alb_arn in {{ alb_map_arns[item] }}; do", so that is important.
Post that debug output.
Or, post the output of the "Attach WAF to ALBs" task with -vv.
Hey Dick,
Thanks for responding.
Please find the debug output as requested:
TASK [Display ALB ARNs] ************************************************************************************
Thursday 24 August 2023 13:04:34 -0700 (0:00:00.338) 0:00:24.776 *******
ok: [localhost] => {
    "alb_map_arns": {
        "eu-central-1": [
            "arn:aws:elasticloadbalancing:eu-central-1::loadbalancer/app/Web-QAtest/78c12741885fcfbb",
            "arn:aws:elasticloadbalancing:eu-central-1::loadbalancer/app/Service-QAtest/a22b43074f64f9d7",
            "arn:aws:elasticloadbalancing:eu-central-1::loadbalancer/app/ServiceInt-QAtest/2f7fff2fb7d354a7"
        ],
        "us-east-1": [
            "arn:aws:elasticloadbalancing:us-east-1::loadbalancer/app/Web-QAtest/c1fba8d4f0526447",
            "arn:aws:elasticloadbalancing:us-east-1::loadbalancer/app/Service-QAtest/1c8cde570dbc2c98",
            "arn:aws:elasticloadbalancing:us-east-1::loadbalancer/app/ServiceInt-QAtest/e8b1dcfb2f17b6e1"
        ]
    }
}
dnmvisser (Dick Visser), August 25, 2023, 5:56am, #4
And the output of "Attach WAF to ALBs"?
Output of "Attach WAF to ALBs":
TASK [Attach WAF to ALBs] *********************************************************************************************************
Thursday 24 August 2023 12:34:47 -0700 (0:00:00.305) 0:00:33.257 *******
failed: [localhost] (item=us-east-1) => {“ansible_loop_var”: “item”, “changed”: true, “cmd”: “for alb_arn in [‘arn:aws:elasticloadbalancing:us-east-1:<>:loadbalancer/app/Web-QAtest/c1fba8d4f0526447’, ‘arn:aws:elasticloadbalancing:us-east-1:<>:loadbalancer/app/Service-QAtest/1c8cde570dbc2c98’, ‘arn:aws:elasticloadbalancing:us-east-1:<>:loadbalancer/app/ServiceInt-QAtest/e8b1dcfb2f17b6e1’]; do\n echo "ALB ARN: $alb_arn"\n echo "WAF ARN: arn:aws:wafv2:us-east-1:<>:regional/webacl/QAtest-ALB/11dd2e60-7d87-4827-8be6-6b2660b759ee"\n aws wafv2 associate-web-acl --web-acl-arn "arn:aws:wafv2:us-east-1:<>:regional/webacl/QAtest-ALB/11dd2e60-7d87-4827-8be6-6b2660b759ee" --resource-arn $alb_arn --profile "<>" --region "us-east-1"\ndone\n”, “delta”: “0:00:12.982311”, “end”: “2023-08-24 12:35:01.526408”, “item”: “us-east-1”, “msg”: “non-zero return code”, “rc”: 255, “start”: “2023-08-24 12:34:48.544097”, “stderr”: “\nAn error occurred (WAFInvalidParameterException) when calling the AssociateWebACL operation: Error reason: The ARN isn’t valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: RESOURCE_ARN, parameter: [arn:aws:elasticloadbalancing:us-east-1:<>:loadbalancer/app/Web-QAtest/c1fba8d4f0526447,\n\nAn error occurred (WAFNonexistentItemException) when calling the AssociateWebACL operation: AWS WAF couldn’t perform the operation because your resource doesn’t exist.\n\nAn error occurred (WAFNonexistentItemException) when calling the AssociateWebACL operation: AWS WAF couldn’t perform the operation because your resource doesn’t exist.”, “stderr_lines”: [“”, “An error occurred (WAFInvalidParameterException) when calling the AssociateWebACL operation: Error reason: The ARN isn’t valid. 
A valid ARN begins with arn: and includes other information separated by colons or slashes., field: RESOURCE_ARN, parameter: [arn:aws:elasticloadbalancing:us-east-1:<>:loadbalancer/app/Web-QAtest/c1fba8d4f0526447,”, “”, “An error occurred (WAFNonexistentItemException) when calling the AssociateWebACL operation: AWS WAF couldn’t perform the operation because your resource doesn’t exist.”, “”, “An error occurred (WAFNonexistentItemException) when calling the AssociateWebACL operation: AWS WAF couldn’t perform the operation because your resource doesn’t exist.”], “stdout”: “ALB ARN: [arn:aws:elasticloadbalancing:us-east-1:<>:loadbalancer/app/Web-QAtest/c1fba8d4f0526447,\nWAF ARN: arn:aws:wafv2:us-east-1:<>:regional/webacl/QAtest-ALB/11dd2e60-7d87-4827-8be6-6b2660b759ee\nALB ARN: arn:aws:elasticloadbalancing:us-east-1:<>:loadbalancer/app/Service-QAtest/1c8cde570dbc2c98,\nWAF ARN: arn:aws:wafv2:us-east-1:<>:regional/webacl/QAtest-ALB/11dd2e60-7d87-4827-8be6-6b2660b759ee\nALB ARN: arn:aws:elasticloadbalancing:us-east-1:<>:loadbalancer/app/ServiceInt-QAtest/e8b1dcfb2f17b6e1]\nWAF ARN: arn:aws:wafv2:us-east-1:<>:regional/webacl/QAtest-ALB/11dd2e60-7d87-4827-8be6-6b2660b759ee”, “stdout_lines”: [“ALB ARN: [arn:aws:elasticloadbalancing:us-east-1:<>:loadbalancer/app/Web-QAtest/c1fba8d4f0526447,”, “WAF ARN: arn:aws:wafv2:us-east-1:<>:regional/webacl/QAtest-ALB/11dd2e60-7d87-4827-8be6-6b2660b759ee”, “ALB ARN: arn:aws:elasticloadbalancing:us-east-1:<>:loadbalancer/app/Service-QAtest/1c8cde570dbc2c98,”, “WAF ARN: arn:aws:wafv2:us-east-1:<>:regional/webacl/QAtest-ALB/11dd2e60-7d87-4827-8be6-6b2660b759ee”, “ALB ARN: arn:aws:elasticloadbalancing:us-east-1:<>:loadbalancer/app/ServiceInt-QAtest/e8b1dcfb2f17b6e1]”, “WAF ARN: arn:aws:wafv2:us-east-1:<>:regional/webacl/QAtest-ALB/11dd2e60-7d87-4827-8be6-6b2660b759ee”]}
dnmvisser (Dick Visser), August 25, 2023, 3:16pm, #6
I think the problem is here. You are trying to loop over a YAML list in your shell code, which does not work. I'm guessing you'd need to join that YAML list by a space to make it work in the shell command. That is assuming the items themselves do not contain spaces.
So the first line of your shell command would be:
for alb_arn in {{ alb_map_arns[item] | join(' ') }}; do
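As an added example (not from the thread), the same association step can be written without a shell loop at all: `command` with `argv` hands each ARN to the AWS CLI as a single argument, so nothing depends on shell word splitting or quoting, and one task iteration per (region, ALB) pair keeps each result visible in the play output. It assumes the `alb_map_arns`, `waf_arn` and `aws_profile_name` facts built in the first post.

```yaml
# Added example: iterate over every (region, ALB ARN) pair directly in Ansible
# instead of rendering a Python-style list into a shell "for" loop.
- name: Attach WAF to ALBs (one association per ALB, no shell loop)
  ansible.builtin.command:
    argv:
      - aws
      - wafv2
      - associate-web-acl
      - --web-acl-arn
      - "{{ waf_arn[item.0.key] }}"
      - --resource-arn
      - "{{ item.1 }}"
      - --profile
      - "{{ aws_profile_name }}"
      - --region
      - "{{ item.0.key }}"
  # dict2items turns {region: [arn, ...]} into [{key: region, value: [arn, ...]}],
  # subelements('value') then yields [region_entry, single_arn] pairs.
  loop: "{{ alb_map_arns | dict2items | subelements('value') }}"
  loop_control:
    label: "{{ item.0.key }}: {{ item.1 }}"
  # Skip regions with no WebACL ARN and reject anything that is not an ALB ARN
  # before it reaches the CLI (the trailing comma / bracket tokens from the
  # original output would fail this test).
  when:
    - item.0.key in waf_arn
    - waf_arn[item.0.key] | length > 0
    - item.1 is match('^arn:aws:elasticloadbalancing:')
```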