aws-account-setup.yml

---
- name: Apply configuration to all AWS accounts in an organization
  hosts: localhost
  gather_facts: true

  pre_tasks:
    - name: Block for pre_tasks
      block:
        - name: Test AWS_REGION
          shell: "[[ -n $AWS_REGION ]]"
          register: region
          failed_when: false
          changed_when: false
          check_mode: no
        - name: Test AWS_SECRET_ACCESS_KEY
          shell: "[[ -n $AWS_SECRET_ACCESS_KEY ]]"
          register: secret
          failed_when: false
          changed_when: false
          check_mode: no
        - name: Test AWS_ACCESS_KEY_ID
          shell: "[[ -n $AWS_ACCESS_KEY_ID ]]"
          register: key
          failed_when: false
          changed_when: false
          check_mode: no
        - name: Test if config file exists
          stat:
            path: "{{ config_file }}"
          register: configfile
          failed_when: false
          changed_when: false
          check_mode: no
        - name: Do assertions on configfile and AWS credential envvars
          assert:
            that:
              - "config_file is defined"
              - "key.rc == 0"
              - "secret.rc == 0"
              - "region.rc == 0"
              - "configfile.stat.exists"
        - name: Set global facts
          block:
            - name: Convert organization name to CamelCase
              set_fact:
                cfn_org_name: "{{ organization.name | title }}"
                cfn_tooling_name_prefix: "{{ tooling_account.name | default('NA') | replace('-', ' ') | replace('.', ' ') | title | replace(' ', '') }}"
                tooling_name_prefix_env: "{{ tooling_account.name | default('NA') | replace('-', '') | replace('.', '') }}-{{ tooling_account.environment | default('prd') }}"
                current_time: "{{ lookup('pipe', 'date -u +\"%Y-%m-%dT%H:%M:%SZ\"') }}"

      tags: [ 'always' ]

  vars_files:
    - "{{ config_file }}"
    - "~/.aws-account-config.yml"
  vars:
    - org: "{{ organization.name | default('Unknown') }}"
    - subaccount_limit: "{{ subaccount | default('all') }}"
    - config_basedir: "{{ config_file | dirname }}"

  tasks:
    - name: "Read subaccounts from config_basedir/subaccounts.d"
      include_vars:
        dir: "{{ config_basedir }}/subaccounts.d"
        extensions:
          - 'yml'
          - 'yaml'
        name: subaccounts2
      failed_when: false
      tags:
        - always
    ### Add bastion account to subaccounts list of dicts
    - name: "Create a fact to contain bastion config to be added to subaccounts"
      set_fact:
        bastion_account_local:
          name: "{{ bastion_account.name }}"
          entity: "ixor"
          account_id: "{{ bastion_account.account_id }}"
          email: "{{ bastion_account.email }}"
          environment: "prd"
      tags:
        - always
    - name: "Add bastion account info and subaccounts2 list to subaccounts list"
      set_fact:
        subaccounts_and_bastion: "{{ (subaccounts | default([])) + [ bastion_account_local ] + ((subaccounts2 | default({})).values() | list) }}"
        subaccounts: "{{ (subaccounts | default([])) + ((subaccounts2 | default({})).values() | list) }}"
      tags:
        - always

    - name: "Read user config from config_basedir/aws_users.d"
      include_vars:
        dir: "{{ config_basedir }}/aws_users.d"
        extensions:
          - 'yml'
          - 'yaml'
        name: aws_users2
        ignore_unknown_extensions: true
      tags:
        - always
    - name: "Add aws_users2 to aws_users"
      set_fact:
        aws_users: "{{ (aws_users | default([])) + ((aws_users2 | default({})).values() | list) }}"
      tags:
        - always

    - name: Print all subaccount names
      debug:
        msg: "{{ item.name }}"
      loop: "{{ subaccounts_and_bastion|flatten(levels=1) }}"
      tags: [ 'accountlist' ]
    - name: Import basic account setup tasks
      import_tasks: ansible-includes/aws-account-basic-setup.yml
      tags: [ 'basic', 'userlist' ]
    - name: Import security setup tasks
      import_tasks: ansible-includes/aws-account-security-setup.yml
      tags: [ 'security' ]
      when: security_account is defined
    - name: Import monitoring account setup tasks
      import_tasks: ansible-includes/aws-account-monitoring-setup.yml
      tags: [ 'monitoring' ]
    - name: Import Bastion account setup tasks
      import_tasks: ansible-includes/aws-account-bastion-setup.yml
      tags: [ 'bastion' ]
    - name: Create cached assumerole credentials
      import_tasks: ansible-includes/aws-assumerole-and-save-credentials.yml
      tags: [ 'assumerole', 'never' ]
    - name: Tooling account setup
      import_tasks: ansible-includes/aws-account-tooling-setup.yml
      tags: [ 'tooling' ]
      when: tooling_account is defined
    - name: BB ServiceAccount Variables
      import_tasks: ansible-includes/aws-serviceaccounts-bb-repo-variables.yml
      tags: [ 'bb', 'never' ]
    - name: Update CodeArtifact domain and repository policies
      import_tasks: ansible-includes/aws-set-codeartifact-policies.yml
      tags: [ 'codeartifact' ]