How to convert the cloudformation template_url parameter to be the Jinja template substitution

Archives Ansible Project
1

Hi All,

The cloudformation template_url parameter requires Amazon S3 URL which is currently working by providing the complete URL of the file. But I wanted to convert that to be the Jinja template substitution.

My playbook below:

  • name: create ps-cross-account-roles changeset
    cloudformation:
    stack_name: “ps-cross-account-roles”
    state: present
    region: “{{ account_config.1 }}”
    aws_access_key: “{{ account_config.0.sts_creds.access_key }}”
    aws_secret_key: “{{ account_config.0.sts_creds.secret_key }}”
    security_token: “{{ account_config.0.sts_creds.session_token }}”
    create_changeset: true
    changeset_name: “{{ cf_changeset_name }}”

Don’t pass the cd-deploy-role to CF due to possible privilege escalation

for anyone able to perform stack updates.

role_arn: “{{ account_config.0.account_config.pass_role_arn }}”

template_url: “https://s3-eu-west-1.amazonaws.com/xxxxxxxxxxx/cloudformation/xxxxxxxxxxxx/ps-cross-account-roles.yaml
template_parameters: “{{ account_config.0.account_config.stacks[‘ps-cross-account-roles’].params }}”
termination_protection: no
tags: “{{ global_tags | combine(account_config.0.account_config.stacks[‘ps-cross-account-roles’].override_tags, recursive=True) }}”

Convert to a list of dicts duplicated per region. See https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#subelements-filter

loop: “{{ assumed_roles_with_account_config.results|subelements(‘account_config.regions’, skip_missing=True) }}”
loop_control:
loop_var: account_config
label: “{{ account_config.0.account_config.account_alias }}:{{ account_config.1 }}”
tags:
rxgt-ps-identity-stack-deploy

build_account:
account_alias: xxxxxxx
sts_role_arn: arn:aws:iam::xxxxxxxxxxx:role/xxxx/xx/cd-deploy-role
pass_role_arn: “”

account_config:
s3_sync:
params:
region: eu-west-1
bucket: xxxxxxxxxxxxxxx
file_root: files/
key_prefix: cloudformation/xxxxxx/
mode: push
file_change_strategy: date_size
permission: private
include: “.yaml,.json”

How to convert the template_url to jinja template substitution?

template_url: “{{ build_account.account_config.s3_sync.params.bucket }}”

Can someone please advise?

Thanks
Kishore

2

Hi all,

This is resolved by using template_url: “https://s3.amazonaws.com/{{ build_account.account_config.s3_sync.params.bucket }}/{{ build_account.account_config.s3_sync.params.key_prefix }}ps-cross-account-iam-roles.yaml”

Regards
Kishore