refactored ec2 encryption

roles/cloud-ec2/tasks/encrypt_image.yml

@@ -1,72 +1,35 @@
-- name: Locate official Ubuntu 16.04 AMI for region
+- name: Check if the encrypted image already exist
   ec2_ami_find:
-    aws_access_key: "{{ aws_access_key }}"
-    aws_secret_key: "{{ aws_secret_key }}"
-    name: "ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"
-    owner:  099720109477
-    sort: name
+    aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'))}}"
+    aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'))}}"
+    owner: self
+    sort: creationDate
     sort_order: descending
     sort_end: 1
+    state: available
+    ami_tags:
+      Algo: "encrypted"
     region: "{{ region }}"
-  register: ami_search
+  register: search_crypt
 
 - set_fact:
-    source_ami_image: "{{ ami_search.results[0].ami_id }}"
+    enc_image: "{{ search_crypt.results[0].image_id }}"
+  when: search_crypt.results
 
-#
-# https://github.com/ansible/ansible-modules-extras/issues/3565
-#
-#- name: Copy to an encrypted image
-  #ec2_ami_copy:
-    #aws_access_key: "{{ aws_access_key }}"
-    #aws_secret_key: "{{ aws_secret_key }}"
-    #description: ENC_IMAGE
-    #encrypted: yes
-    #name: newimage
-    #region: "{{ region }}"
-    #source_image_id: "{{ source_ami_image }}"
-    #source_region: "{{ region }}"
-  #register:   ec2_ami_copy
-  #when: ami_encrypted_tag is not defined or (ami_encrypted_tag is defined and ami_encrypted_tag != true)
-#- debug: var=ec2_ami_copy
-
-#
-# https://github.com/ansible/ansible-modules-extras/issues/3565
-#
 - name: Copy to an encrypted image
-  shell: >
-    aws ec2 copy-image --source-region '{{ region }}' --region '{{ region }}' --encrypted --source-image-id '{{ source_ami_image }}' --name 'ubuntu-xenial-16.04-amd64-server-encrypted'
-  environment:
-    AWS_ACCESS_KEY_ID: "{{ aws_access_key }}"
-    AWS_SECRET_ACCESS_KEY: "{{ aws_secret_key }}"
-  register: ec2_ami_copy
-
-- set_fact:
-    ami_image_ouput: "{{ ec2_ami_copy.stdout|from_json }}"
-
-- set_fact:
-    ami_encrypted_image: "{{ ami_image_ouput['ImageId'] }}"
-
-- name: Add tags to the encrypted image
-  ec2_tag:
-    aws_access_key: "{{ aws_access_key }}"
-    aws_secret_key: "{{ aws_secret_key }}"
+  ec2_ami_copy:
+    aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'))}}"
+    aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'))}}"
+    encrypted: yes
+    name: algo
     region: "{{ region }}"
-    resource: "{{ ami_encrypted_image }}"
-    state: present
+    source_image_id: "{{ image_id }}"
+    source_region: "{{ region }}"
     tags:
-      Name: "ubuntu-xenial-16.04-amd64-server-encrypted"
-      Encrypted: "true"
+      Algo: "encrypted"
+    wait: true
+  register: enc_image
+  when: enc_image is not defined
 
-- name: Confirm the encrypted image
-  ec2_ami_find:
-    aws_access_key: "{{ aws_access_key }}"
-    aws_secret_key: "{{ aws_secret_key }}"
-    ami_id: "{{ ami_encrypted_image }}"
-    region: "{{ region }}"
-    owner: self
-    state: available
-  register: ec2_ami_find_encrypted
-  until: ec2_ami_find_encrypted.results|length > 0
-  retries: 60
-  delay: 10
+- set_fact:
+    image_id: "{{ enc_image.image_id }}"

roles/cloud-ec2/tasks/main.yml

@@ -1,7 +1,7 @@
 - name: Locate official Ubuntu 16.04 AMI for region
   ec2_ami_find:
-    aws_access_key: "{{ aws_access_key }}"
-    aws_secret_key: "{{ aws_secret_key }}"
+    aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'))}}"
+    aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'))}}"
     name: "ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"
     owner:  099720109477
     sort: creationDate
@@ -11,7 +11,7 @@
   register: ami_search
 
 - include: encrypt_image.yml
-  when: ami_encrypted_tag is not defined or (ami_encrypted_tag is defined and ami_encrypted_tag != "true1")
+  when: encrypted is defined
 
 - name: Add ssh public key
   ec2_key: