Allow user to restore controllers from snapshots

Author: ppiwowa-csco

roles/aws_controllers/tasks/aws_vbond_ec2_instance.yml

@@ -10,6 +10,25 @@
 # 2 aws_eip
 # 1 ec2 instance
 
+- name: AMI Registration from EBS Snapshot
+  amazon.aws.ec2_ami:
+    name: "{{ aws_tag_creator }}-Validator"
+    region: "{{ aws_region }}"
+    state: present
+    architecture: x86_64
+    virtualization_type: hvm
+    root_device_name: /dev/xvda
+    device_mapping:
+      - device_name: /dev/xvda
+        snapshot_id: "{{ volume_snapshots[0] }}"
+        delete_on_termination: true
+        volume_type: gp2
+    tags:
+      Name: "{{ aws_tag_creator }}-Validator"
+      Creator: "{{ aws_tag_creator }}"
+  when: volume_snapshots
+  register: ami_result
+
 
 # NICs
 - name: Filter required subnets for instance creation. Set aws_mgmt_subnet and aws_transport_subnet facts
@@ -95,7 +114,7 @@
     count: 1
     instance_type: "{{ aws_vbond_instance_type }}"
     image:
-      id: "{{ aws_vbond_ami_id }}"
+      id: "{{ ami_result.image_id if volume_snapshots else aws_vmanage_ami_id }}"
     state: present
     vpc_subnet_id: "{{ aws_mgmt_subnet.id }}"
     region: "{{ aws_region }}"
@@ -121,6 +140,14 @@
           delete_on_termination: true
   register: ec2_vbond
 
+- name: Deregister/Delete AMI (keep associated snapshots)
+  amazon.aws.ec2_ami:
+    image_id: "{{ ami_result.image_id }}"
+    delete_snapshot: false
+    state: absent
+    region: "{{ aws_region }}"
+  when: volume_snapshots
+
 - name: Store vBond instance details for deployment_results
   ansible.builtin.set_fact:
     instance:
@@ -163,15 +190,17 @@
     purge_rules: false
     purge_tags: false
     purge_rules_egress: false
-    rules:
+    rules: "{{ sg_rules_vbond }}"
+    rules_egress: "{{ sg_rules_vbond if aws_sg_block_egress else [] }}"
+  register: allow_traffic
+  retries: 3
+  delay: 3
+  until: allow_traffic is succeeded
+  vars:
+    sg_rules_vbond:
       - proto: all
         cidr_ip: "{{ eip_vbond.results[0].public_ip }}/32"
         rule_desc: "{{ hostname }} - mgmt (VPN 512)"
       - proto: all
         cidr_ip: "{{ eip_vbond.results[1].public_ip }}/32"
         rule_desc: "{{ hostname }} - transport (VPN 0)"
-    rules_egress: []
-  register: allow_traffic
-  retries: 3
-  delay: 3
-  until: allow_traffic is succeeded

roles/aws_controllers/tasks/aws_vmanage_ec2_instance.yml

@@ -9,6 +9,24 @@
 # 2 aws_eip
 # 1 ec2 instance
 
+- name: AMI Registration from EBS Snapshot
+  amazon.aws.ec2_ami:
+    name: "{{ aws_tag_creator }}-Manager"
+    region: "{{ aws_region }}"
+    state: present
+    architecture: x86_64
+    virtualization_type: hvm
+    root_device_name: /dev/xvda
+    device_mapping:
+      - device_name: /dev/xvda
+        snapshot_id: "{{ volume_snapshots[0] }}"
+        delete_on_termination: true
+        volume_type: gp2
+    tags:
+      Name: "{{ aws_tag_creator }}-Manager"
+      Creator: "{{ aws_tag_creator }}"
+  when: volume_snapshots
+  register: ami_result
 
 # NICs
 - name: Filter required subnets for instance creation. Set aws_mgmt_subnet and aws_transport_subnet facts
@@ -115,7 +133,7 @@
     count: 1
     instance_type: "{{ aws_vmanage_instance_type }}"
     image:
-      id: "{{ aws_vmanage_ami_id }}"
+      id: "{{ ami_result.image_id if volume_snapshots else aws_vmanage_ami_id }}"
     state: present
     vpc_subnet_id: "{{ aws_mgmt_subnet.id }}"
     region: "{{ aws_region }}"
@@ -137,8 +155,17 @@
         ebs:
           volume_size: 60
           delete_on_termination: true
+          snapshot_id: "{{ volume_snapshots[1] if volume_snapshots else omit }}"
   register: ec2_vmanage
 
+- name: Deregister/Delete AMI (keep associated snapshots)
+  amazon.aws.ec2_ami:
+    image_id: "{{ ami_result.image_id }}"
+    delete_snapshot: false
+    state: absent
+    region: "{{ aws_region }}"
+  when: volume_snapshots
+
 - name: Store vManage instance details for deployment_results
   ansible.builtin.set_fact:
     instance:
@@ -199,7 +226,7 @@
     purge_tags: false
     purge_rules_egress: false
     rules: "{{ sg_rules }}"
-    rules_egress: []
+    rules_egress: "{{ sg_rules if aws_sg_block_egress else [] }}"
   register: allow_traffic
   retries: 3
   delay: 3

roles/aws_controllers/tasks/aws_vsmart_ec2_instance.yml

@@ -10,6 +10,25 @@
 # 2 aws_eip
 # 1 ec2 instance
 
+- name: AMI Registration from EBS Snapshot
+  amazon.aws.ec2_ami:
+    name: "{{ aws_tag_creator }}-Controller"
+    region: "{{ aws_region }}"
+    state: present
+    architecture: x86_64
+    virtualization_type: hvm
+    root_device_name: /dev/xvda
+    device_mapping:
+      - device_name: /dev/xvda
+        snapshot_id: "{{ volume_snapshots[0] }}"
+        delete_on_termination: true
+        volume_type: gp2
+    tags:
+      Name: "{{ aws_tag_creator }}-Controller"
+      Creator: "{{ aws_tag_creator }}"
+  when: volume_snapshots
+  register: ami_result
+
 
 # NICs
 - name: Filter required subnets for instance creation. Set aws_mgmt_subnet and aws_transport_subnet facts
@@ -91,7 +110,7 @@
     count: 1
     instance_type: "{{ aws_vsmart_instance_type }}"
     image:
-      id: "{{ aws_vsmart_ami_id }}"
+      id: "{{ ami_result.image_id if volume_snapshots else aws_vmanage_ami_id }}"
     state: present
     vpc_subnet_id: "{{ aws_mgmt_subnet.id }}"
     region: "{{ aws_region }}"
@@ -117,6 +136,14 @@
           delete_on_termination: true
   register: ec2_vsmart
 
+- name: Deregister/Delete AMI (keep associated snapshots)
+  amazon.aws.ec2_ami:
+    image_id: "{{ ami_result.image_id }}"
+    delete_snapshot: false
+    state: absent
+    region: "{{ aws_region }}"
+  when: volume_snapshots
+
 # TODO:
 # Note that the variable: ec2_vsmart.instances[0].network_interfaces is returning a list of interfaces
 # but that list can be different than device_index (so mgmt and transport are mixed)
@@ -166,15 +193,17 @@
     purge_rules: false
     purge_tags: false
     purge_rules_egress: false
-    rules:
+    rules: "{{ sg_rules_vsmart }}"
+    rules_egress: "{{ sg_rules_vsmart if aws_sg_block_egress else [] }}"
+  register: allow_traffic
+  retries: 3
+  delay: 3
+  until: allow_traffic is succeeded
+  vars:
+    sg_rules_vsmart:
       - proto: all
         cidr_ip: "{{ eip_vsmart.results[0].public_ip }}/32"
         rule_desc: "{{ hostname }} - mgmt (VPN 512)"
       - proto: all
         cidr_ip: "{{ eip_vsmart.results[1].public_ip }}/32"
         rule_desc: "{{ hostname }} - transport (VPN 0)"
-    rules_egress: []
-  register: allow_traffic
-  retries: 3
-  delay: 3
-  until: allow_traffic is succeeded

roles/aws_controllers/tasks/main.yml

@@ -72,6 +72,7 @@
     hostname: "{{ instance_item.hostname }}"
     system_ip: "{{ instance_item.system_ip }}"
     site_id: "{{ instance_item.site_id }}"
+    volume_snapshots: "{{ instance_item.volume_snapshots | default([]) }}"
   loop: "{{ vbond_instances }}"
   loop_control:
     loop_var: instance_item
@@ -84,6 +85,7 @@
     system_ip: "{{ instance_item.system_ip }}"
     site_id: "{{ instance_item.site_id }}"
     persona: "{{ instance_item.persona }}"
+    volume_snapshots: "{{ instance_item.volume_snapshots | default([]) }}"
   loop: "{{ vmanage_instances }}"
   loop_control:
     loop_var: instance_item
@@ -95,6 +97,7 @@
     hostname: "{{ instance_item.hostname }}"
     system_ip: "{{ instance_item.system_ip }}"
     site_id: "{{ instance_item.site_id }}"
+    volume_snapshots: "{{ instance_item.volume_snapshots | default([]) }}"
   loop: "{{ vsmart_instances }}"
   loop_control:
     loop_var: instance_item

roles/aws_network_infrastructure/defaults/main.yml

@@ -5,6 +5,7 @@
 
 # VPN subnets from which we can connect to AWS EIPs (Security Group config)
 aws_allowed_subnets: null
+aws_sg_block_egress: false
 
 #####################################
 #     General AWS configuration     #

roles/aws_network_infrastructure/tasks/aws_create_network_infrastructure.yml

@@ -156,18 +156,20 @@
         from_port: 8
         to_port: -1
         cidr_ip: "{{ aws_allowed_subnets }}"
-    rules_egress:
-      - proto: -1
-        from_port: 0
-        to_port: 0
-        cidr_ip: 0.0.0.0/0
+    rules_egress: "{{ egress_allow_all if not aws_sg_block_egress else [] }}"
     purge_rules: false
     purge_tags: false
-    purge_rules_egress: false
+    purge_rules_egress: "{{ aws_sg_block_egress and _created_vpc.changed }}"
     tags:
       Name: "{{ aws_security_group_name }}"
       Creator: "{{ aws_tag_creator }}"
   register: _created_security_group
+  vars:
+    egress_allow_all:
+      - proto: -1
+        from_port: 0
+        to_port: 0
+        cidr_ip: 0.0.0.0/0
 
 - name: Copy Security Group resources information to log file
   ansible.builtin.blockinfile:

roles/azure_controllers/tasks/azure_vbond_vm.yml

@@ -136,7 +136,7 @@
     location: "{{ az_location }}"
     os_type: "Linux"
     hyper_v_generation: "V1"
-    source: "{{ az_vbond_image_vhd_source }}"
+    source: "{{ volume_snapshots[0] if volume_snapshots else az_vbond_image_vhd_source }}"
 
 - name: "Create vBond VM: {{ hostname }}"
   azure.azcollection.azure_rm_virtualmachine:

roles/azure_controllers/tasks/azure_vmanage_vm.yml

@@ -212,7 +212,17 @@
     location: "{{ az_location }}"
     os_type: "Linux"
     hyper_v_generation: "V1"
-    source: "{{ az_vmanage_image_vhd_source }}"
+    source: "{{ volume_snapshots[0] if volume_snapshots else az_vmanage_image_vhd_source }}"
+
+- name: "Create an image from a VHD for vManage: {{ hostname }}-image"
+  azure.azcollection.azure_rm_manageddisk:
+    resource_group: "{{ az_resource_group }}"
+    name: "{{ hostname }}-datadisk1"
+    location: "{{ az_location }}"
+    source_uri: "{{ volume_snapshots[1] }}"
+    create_option: copy
+  when: volume_snapshots
+  register: datadisk_info
 
 - name: "Create VM for vmanage: {{ hostname }}"
   azure.azcollection.azure_rm_virtualmachine:
@@ -239,6 +249,7 @@
         disk_size_gb: 100
         managed_disk_type: Premium_LRS
         storage_container_name: "{{ hostname }}-datadisk1"
+        managed_disk_id: "{{ datadisk_info.state.id if volume_snapshots else omit }}"
     tags:
       Name: "{{ hostname }}"
       Creator: "{{ az_tag_creator }}"

roles/azure_controllers/tasks/azure_vsmart_vm.yml

@@ -126,7 +126,7 @@
     location: "{{ az_location }}"
     os_type: "Linux"
     hyper_v_generation: "V1"
-    source: "{{ az_vsmart_image_vhd_source }}"
+    source: "{{ volume_snapshots[0] if volume_snapshots else az_vsmart_image_vhd_source }}"
 
 - name: "Create vSmart VM: {{ hostname }}"
   azure.azcollection.azure_rm_virtualmachine:

roles/azure_controllers/tasks/main.yml

@@ -53,6 +53,7 @@
     hostname: "{{ instance_item.hostname }}"
     system_ip: "{{ instance_item.system_ip }}"
     site_id: "{{ instance_item.site_id }}"
+    volume_snapshots: "{{ instance_item.volume_snapshots | default([]) }}"
   loop: "{{ vbond_instances }}"
   loop_control:
     loop_var: instance_item
@@ -101,6 +102,7 @@
     hostname: "{{ instance_item.hostname }}"
     system_ip: "{{ instance_item.system_ip }}"
     site_id: "{{ instance_item.site_id }}"
+    volume_snapshots: "{{ instance_item.volume_snapshots | default([]) }}"
   loop: "{{ vsmart_instances }}"
   loop_control:
     loop_var: instance_item
@@ -113,6 +115,7 @@
     system_ip: "{{ instance_item.system_ip }}"
     site_id: "{{ instance_item.site_id }}"
     persona: "{{ instance_item.persona }}"
+    volume_snapshots: "{{ instance_item.volume_snapshots | default([]) }}"
   loop: "{{ vmanage_instances }}"
   loop_control:
     loop_var: instance_item