Allow user to restore controllers from snapshots

roles/aws_controllers/defaults/main.yml

@@ -32,6 +32,7 @@ vbond_port: 12346
 default_vbond_ip: 192.168.1.199  # default ips from official Cisco guides
 ipv6_strict_control: true
 # vpn0_interface_color: default
+aws_sg_block_egress: false
 
 
 ###############################

roles/aws_controllers/tasks/aws_vbond_ec2_instance.yml

@@ -10,6 +10,25 @@
 # 2 aws_eip
 # 1 ec2 instance
 
+- name: AMI Registration from EBS Snapshot
+  amazon.aws.ec2_ami:
+    name: "{{ aws_tag_creator }}-Validator"
+    region: "{{ aws_region }}"
+    state: present
+    architecture: x86_64
+    virtualization_type: hvm
+    root_device_name: /dev/xvda
+    device_mapping:
+      - device_name: /dev/xvda
+        snapshot_id: "{{ root_snapshot_id }}"
+        delete_on_termination: true
+        volume_type: gp2
+    tags:
+      Name: "{{ aws_tag_creator }}-Validator"
+      Creator: "{{ aws_tag_creator }}"
+  when: root_snapshot_id
+  register: ami_result
+
 
 # NICs
 - name: Filter required subnets for instance creation. Set aws_mgmt_subnet and aws_transport_subnet facts
@@ -95,7 +114,7 @@
     count: 1
     instance_type: "{{ aws_vbond_instance_type }}"
     image:
-      id: "{{ aws_vbond_ami_id }}"
+      id: "{{ ami_result.image_id if root_snapshot_id else aws_vbond_ami_id }}"
     state: present
     vpc_subnet_id: "{{ aws_mgmt_subnet.id }}"
     region: "{{ aws_region }}"
@@ -121,6 +140,14 @@
           delete_on_termination: true
   register: ec2_vbond
 
+- name: Deregister/Delete AMI (keep associated snapshots)
+  amazon.aws.ec2_ami:
+    image_id: "{{ ami_result.image_id }}"
+    delete_snapshot: false
+    state: absent
+    region: "{{ aws_region }}"
+  when: root_snapshot_id
+
 - name: Store vBond instance details for deployment_results
   ansible.builtin.set_fact:
     instance:
@@ -168,7 +195,10 @@
     purge_rules: false
     purge_tags: false
     purge_rules_egress: false
-    rules:
+    rules: "{{ sg_rules_vbond }}"
+    rules_egress: "{{ sg_rules_vbond if aws_sg_block_egress else [] }}"
+  vars:
+    sg_rules_vbond:
       - proto: all
         cidr_ip: "{{ eip_vbond.results[0].public_ip }}/32"
         rule_desc: "{{ hostname }} - mgmt (VPN 512)"
@@ -181,7 +211,6 @@
       - proto: all
         cidr_ipv6: "{{ instance.transport_public_ipv6 }}/128"
         rule_desc: "{{ hostname }} - transport IPv6 (VPN 0)"
-    rules_egress: []
   register: allow_traffic
   retries: 3
   delay: 3

roles/aws_controllers/tasks/aws_vmanage_ec2_instance.yml

@@ -9,6 +9,24 @@
 # 2 aws_eip
 # 1 ec2 instance
 
+- name: AMI Registration from EBS Snapshot
+  amazon.aws.ec2_ami:
+    name: "{{ aws_tag_creator }}-Manager"
+    region: "{{ aws_region }}"
+    state: present
+    architecture: x86_64
+    virtualization_type: hvm
+    root_device_name: /dev/xvda
+    device_mapping:
+      - device_name: /dev/xvda
+        snapshot_id: "{{ root_snapshot_id }}"
+        delete_on_termination: true
+        volume_type: gp2
+    tags:
+      Name: "{{ aws_tag_creator }}-Manager"
+      Creator: "{{ aws_tag_creator }}"
+  when: root_snapshot_id
+  register: ami_result
 
 # NICs
 - name: Filter required subnets for instance creation. Set aws_mgmt_subnet and aws_transport_subnet facts
@@ -26,6 +44,7 @@
     description: Network interface for SD-WAN Controller
     security_groups: "{{ aws_security_group_config.group_id }}"
     region: "{{ aws_region }}"
+    private_ip_address: "{{ cluster_private_ip if subnet_item.tags.Name | regex_search('cluster') and cluster_private_ip else omit }}"
     tags:
       Name: "nic-{{ subnet_item.tags.Name }}"
       Creator: "{{ aws_tag_creator }}"
@@ -115,7 +134,7 @@
     count: 1
     instance_type: "{{ aws_vmanage_instance_type }}"
     image:
-      id: "{{ aws_vmanage_ami_id }}"
+      id: "{{ ami_result.image_id if root_snapshot_id else aws_vmanage_ami_id }}"
     state: present
     vpc_subnet_id: "{{ aws_mgmt_subnet.id }}"
     region: "{{ aws_region }}"
@@ -137,8 +156,17 @@
         ebs:
           volume_size: 60
           delete_on_termination: true
+          snapshot_id: "{{ data_snapshot_id if data_snapshot_id else omit }}"
   register: ec2_vmanage
 
+- name: Deregister/Delete AMI (keep associated snapshots)
+  amazon.aws.ec2_ami:
+    image_id: "{{ ami_result.image_id }}"
+    delete_snapshot: false
+    state: absent
+    region: "{{ aws_region }}"
+  when: root_snapshot_id
+
 - name: Store vManage instance details for deployment_results
   ansible.builtin.set_fact:
     instance:
@@ -210,7 +238,7 @@
     purge_tags: false
     purge_rules_egress: false
     rules: "{{ sg_rules }}"
-    rules_egress: []
+    rules_egress: "{{ sg_rules if aws_sg_block_egress else [] }}"
   register: allow_traffic
   retries: 3
   delay: 3

roles/aws_controllers/tasks/aws_vsmart_ec2_instance.yml

@@ -10,6 +10,25 @@
 # 2 aws_eip
 # 1 ec2 instance
 
+- name: AMI Registration from EBS Snapshot
+  amazon.aws.ec2_ami:
+    name: "{{ aws_tag_creator }}-Controller"
+    region: "{{ aws_region }}"
+    state: present
+    architecture: x86_64
+    virtualization_type: hvm
+    root_device_name: /dev/xvda
+    device_mapping:
+      - device_name: /dev/xvda
+        snapshot_id: "{{ root_snapshot_id }}"
+        delete_on_termination: true
+        volume_type: gp2
+    tags:
+      Name: "{{ aws_tag_creator }}-Controller"
+      Creator: "{{ aws_tag_creator }}"
+  when: root_snapshot_id
+  register: ami_result
+
 
 # NICs
 - name: Filter required subnets for instance creation. Set aws_mgmt_subnet and aws_transport_subnet facts
@@ -91,7 +110,7 @@
     count: 1
     instance_type: "{{ aws_vsmart_instance_type }}"
     image:
-      id: "{{ aws_vsmart_ami_id }}"
+      id: "{{ ami_result.image_id if root_snapshot_id else aws_vsmart_ami_id }}"
     state: present
     vpc_subnet_id: "{{ aws_mgmt_subnet.id }}"
     region: "{{ aws_region }}"
@@ -117,6 +136,14 @@
           delete_on_termination: true
   register: ec2_vsmart
 
+- name: Deregister/Delete AMI (keep associated snapshots)
+  amazon.aws.ec2_ami:
+    image_id: "{{ ami_result.image_id }}"
+    delete_snapshot: false
+    state: absent
+    region: "{{ aws_region }}"
+  when: root_snapshot_id
+
 # TODO:
 # Note that the variable: ec2_vsmart.instances[0].network_interfaces is returning a list of interfaces
 # but that list can be different than device_index (so mgmt and transport are mixed)
@@ -171,7 +198,10 @@
     purge_rules: false
     purge_tags: false
     purge_rules_egress: false
-    rules:
+    rules: "{{ sg_rules_vsmart }}"
+    rules_egress: "{{ sg_rules_vsmart if aws_sg_block_egress else [] }}"
+  vars:
+    sg_rules_vsmart:
       - proto: all
         cidr_ip: "{{ eip_vsmart.results[0].public_ip }}/32"
         rule_desc: "{{ hostname }} - mgmt (VPN 512)"
@@ -184,7 +214,6 @@
       - proto: all
         cidr_ipv6: "{{ instance.transport_public_ipv6 }}/128"
         rule_desc: "{{ hostname }} - transport IPv6 (VPN 0)"
-    rules_egress: []
   register: allow_traffic
   retries: 3
   delay: 3

roles/aws_controllers/tasks/main.yml

@@ -72,6 +72,7 @@
     hostname: "{{ instance_item.hostname }}"
     system_ip: "{{ instance_item.system_ip }}"
     site_id: "{{ instance_item.site_id }}"
+    root_snapshot_id: "{{ instance_item.root_snapshot_id | default('') }}"
   loop: "{{ vbond_instances }}"
   loop_control:
     loop_var: instance_item
@@ -84,6 +85,9 @@
     system_ip: "{{ instance_item.system_ip }}"
     site_id: "{{ instance_item.site_id }}"
     persona: "{{ instance_item.persona }}"
+    root_snapshot_id: "{{ instance_item.root_snapshot_id | default('') }}"
+    data_snapshot_id: "{{ instance_item.data_snapshot_id | default('') }}"
+    cluster_private_ip: "{{ instance_item.cluster_private_ip | default(omit) }}"
   loop: "{{ vmanage_instances }}"
   loop_control:
     loop_var: instance_item
@@ -95,6 +99,7 @@
     hostname: "{{ instance_item.hostname }}"
     system_ip: "{{ instance_item.system_ip }}"
     site_id: "{{ instance_item.site_id }}"
+    root_snapshot_id: "{{ instance_item.root_snapshot_id | default('') }}"
   loop: "{{ vsmart_instances }}"
   loop_control:
     loop_var: instance_item

roles/aws_network_infrastructure/defaults/main.yml

@@ -5,6 +5,7 @@
 
 # VPN subnets from which we can connect to AWS EIPs (Security Group config)
 aws_allowed_subnets: null
+aws_sg_block_egress: false
 
 #####################################
 #     General AWS configuration     #

roles/aws_network_infrastructure/tasks/aws_create_network_infrastructure.yml

@@ -160,18 +160,20 @@
         from_port: 8
         to_port: -1
         cidr_ip: "{{ aws_allowed_subnets }}"
-    rules_egress:
-      - proto: -1
-        from_port: 0
-        to_port: 0
-        cidr_ip: 0.0.0.0/0
+    rules_egress: "{{ egress_allow_all if not aws_sg_block_egress else [] }}"
     purge_rules: false
     purge_tags: false
-    purge_rules_egress: false
+    purge_rules_egress: "{{ aws_sg_block_egress and _created_vpc.changed }}"
     tags:
       Name: "{{ aws_security_group_name }}"
       Creator: "{{ aws_tag_creator }}"
   register: _created_security_group
+  vars:
+    egress_allow_all:
+      - proto: -1
+        from_port: 0
+        to_port: 0
+        cidr_ip: 0.0.0.0/0
 
 - name: Copy Security Group resources information to log file
   ansible.builtin.blockinfile:

roles/azure_controllers/defaults/main.yml

@@ -55,6 +55,7 @@ az_subnets: |
 
 # Security group
 az_network_security_group: "{{ az_resources_prefix }}-nsg"
+az_nsg_block_egress: false
 
 
 # Private DNS zone

roles/azure_controllers/tasks/azure_vbond_vm.yml

@@ -57,15 +57,7 @@
   azure.azcollection.azure_rm_securitygroup:
     resource_group: "{{ az_resource_group }}"
     name: "{{ az_network_security_group }}"
-    rules:
-      - name: "{{ public_ip_state.state.name }}"
-        protocol: "*"
-        destination_port_range: "*"
-        source_port_range: "*"
-        source_address_prefix: "{{ public_ip_state.state.ip_address }}"
-        access: Allow
-        priority: "{{ 1500 + ((az_res_gr.securitygroups | first).rules | length) + 1 + my_idx }}"
-        direction: Inbound
+    rules: "{{ [inbound_rule, outbound_rule] if az_nsg_block_egress else [inbound_rule] }}"
     tags:
       Name: "{{ az_network_security_group }}"
       Creator: "{{ az_tag_creator }}"
@@ -76,6 +68,25 @@
     index_var: my_idx
     label: public_ip_state.state.name
   when: public_ip_state.state.name not in az_res_gr.securitygroups | map(attribute='rules') | flatten | map(attribute='name') | list
+  vars:
+    inbound_rule:
+      name: "{{ public_ip_state.state.name }}"
+      protocol: "*"
+      destination_port_range: "*"
+      source_port_range: "*"
+      source_address_prefix: "{{ public_ip_state.state.ip_address }}"
+      access: Allow
+      priority: "{{ 1500 + ((az_res_gr.securitygroups | first).rules | length) + 1 + my_idx }}"
+      direction: Inbound
+    outbound_rule:
+      name: "{{ public_ip_state.state.name }}-out"
+      protocol: "*"
+      destination_port_range: "*"
+      source_port_range: "*"
+      destination_address_prefix: "{{ public_ip_state.state.ip_address }}"
+      access: Allow
+      priority: "{{ 1500 + ((az_res_gr.securitygroups | first).rules | length) + 1 + my_idx }}"
+      direction: Outbound
 
 - name: "Create virtual network interface cards"
   azure.azcollection.azure_rm_networkinterface:
@@ -172,7 +183,7 @@
     location: "{{ az_location }}"
     os_type: "Linux"
     hyper_v_generation: "V1"
-    source: "{{ az_vbond_image_vhd_source }}"
+    source: "{{ root_snapshot_id if root_snapshot_id else az_vbond_image_vhd_source }}"
 
 - name: "Create vBond VM: {{ hostname }}"
   azure.azcollection.azure_rm_virtualmachine: