version: 6.10.4

nova/core/galaxy.yml

@@ -1,11 +1,10 @@
 namespace: nova
 name: core
-version: 6.9.9
+version: 6.10.4
 readme: README.md
 authors:
   - https://github.com/novateams
-description:
-  This is a collection of public roles and plugins that are developed by the Nova team.
+description: This is a collection of public roles and plugins that are developed by the Nova team.
   These roles go very well with Catapult https://github.com/ClarifiedSecurity/catapult but can be used separately.
 license:
   - AGPL-3.0-or-later

nova/core/roles/accounts/tasks/opnsense.yml

@@ -93,13 +93,6 @@
         index_var: idx
         label: "{{ item.username }}"
 
-# This is required because sometimes the new configuration will apply on upload and Ansible will try to connect to the host again with invalid credentials
-- name: Restarting {{ inventory_hostname }} to apply configuration in 10 seconds...
-  ansible.builtin.shell: sleep 10 && reboot
-  changed_when: true
-  async: 10
-  poll: 0
-
 - name: Uploading config.xml to {{ inventory_hostname }}...
   ansible.builtin.copy:
     src: /tmp/{{ project_fullname | default('') }}_{{ inventory_hostname }}_opnsense_config.xml
@@ -108,18 +101,25 @@
     owner: root
     group: wheel
 
-- name: Setting correct password for {{ ansible_deployer_username }}...
-  ansible.builtin.set_fact:
-    ansible_deployer_password: "{{ admin_accounts_with_password
-      | selectattr('username', 'equalto', ansible_deployer_username) | map(attribute='password') | first }}"
-
 - name: Removing local config.xml file...
   ansible.builtin.file:
     path: /tmp/{{ project_fullname | default('') }}_{{ inventory_hostname }}_opnsense_config.xml
     state: absent
   delegate_to: localhost
   become: false
 
+# This is required because sometimes the new configuration will apply on upload and Ansible will try to connect to the host again with invalid credentials
+- name: Restarting {{ custom_vm_name | default(vm_name) }} VM...
+  ansible.builtin.include_role:
+    name: nova.core.powerstate
+  vars:
+    restart: true
+
+- name: Setting correct password for {{ ansible_deployer_username }}...
+  ansible.builtin.set_fact:
+    ansible_deployer_password: "{{ admin_accounts_with_password
+      | selectattr('username', 'equalto', ansible_deployer_username) | map(attribute='password') | first }}"
+
 - name: Waiting until ssh is down for {{ inventory_hostname }}...
   ansible.builtin.wait_for:
     host: "{{ ansible_host }}"
@@ -143,6 +143,4 @@
     name: "{{ custom_vm_name | default(vm_name) }}"
   delegate_to: localhost
   become: false
-  when:
-    - infra_env is defined
-    - infra_env == "vsphere" | default('undefined')
+  when: infra_env | default('') == "vsphere"

nova/core/roles/accounts/tasks/pfsense.yml

@@ -92,13 +92,6 @@
         index_var: idx
         label: "{{ item.username }}"
 
-# This is required because sometimes the new configuration will apply on upload and Ansible will try to connect to the host again with invalid credentials
-- name: Restarting {{ inventory_hostname }} to apply configuration in 10 seconds...
-  ansible.builtin.shell: sleep 10 && reboot
-  changed_when: true
-  async: 10
-  poll: 0
-
 - name: Uploading config.xml to {{ inventory_hostname }}...
   ansible.builtin.copy:
     src: /tmp/{{ project_fullname | default('') }}_{{ inventory_hostname }}_pfsense_config.xml
@@ -107,18 +100,25 @@
     owner: root
     group: wheel
 
-- name: Setting correct password for {{ ansible_deployer_username }}...
-  ansible.builtin.set_fact:
-    ansible_deployer_password: "{{ admin_accounts_with_password
-      | selectattr('username', 'equalto', ansible_deployer_username) | map(attribute='password') | first }}"
-
 - name: Removing local config.xml file...
   ansible.builtin.file:
     path: /tmp/{{ project_fullname | default('') }}_{{ inventory_hostname }}_pfsense_config.xml
     state: absent
   delegate_to: localhost
   become: false
 
+# This is required because sometimes the new configuration will apply on upload and Ansible will try to connect to the host again with invalid credentials
+- name: Restarting {{ custom_vm_name | default(vm_name) }} VM...
+  ansible.builtin.include_role:
+    name: nova.core.powerstate
+  vars:
+    restart: true
+
+- name: Setting correct password for {{ ansible_deployer_username }}...
+  ansible.builtin.set_fact:
+    ansible_deployer_password: "{{ admin_accounts_with_password
+      | selectattr('username', 'equalto', ansible_deployer_username) | map(attribute='password') | first }}"
+
 - name: Waiting until ssh is down for {{ inventory_hostname }}...
   ansible.builtin.wait_for:
     host: "{{ ansible_host }}"
@@ -142,6 +142,4 @@
     name: "{{ custom_vm_name | default(vm_name) }}"
   delegate_to: localhost
   become: false
-  when:
-    - infra_env is defined
-    - infra_env == "vsphere" | default('undefined')
+  when: infra_env | default('') == "vsphere"

nova/core/roles/configure_networking/templates/rc.local

@@ -50,8 +50,8 @@
     {% endif %}
 {% endfor %}
 
-echo "This file is re-generated on each startup by /etc/rc.local" > /etc/resolv.conf
 {% if dns_server_combined != [] %}
+echo "This file is re-generated on each startup by /etc/rc.local" > /etc/resolv.conf
 {% for dns_address in dns_server_combined %}
 echo "nameserver {{ dns_address }}" >> /etc/resolv.conf
 {% endfor %}

nova/core/roles/deploy_vars/defaults/main.yml

@@ -144,12 +144,18 @@ vmware_workstation:
 
 aws_defaults:
   region: "{{ aws_region | default('eu-north-1') }}" # Default is Stockholm
-  aws_access_key: "{{ vars[environment_name | default('') ~ '_' ~ project_fullname | default('') ~ '_aws_access_key_id']
-    | default(vars[project_fullname | default('') ~ '_aws_access_key_id'])
+  access_key:
+    "{{ lookup('vars', environment_name | default('') ~ '_' ~ project_fullname | default('') ~ '_aws_access_key_id')
+    | default(lookup('vars', project_fullname | default('') ~ '_aws_access_key_id'))
     | default(aws_access_key_id) | default('') }}"
-  aws_secret_key: "{{ vars[environment_name | default('') ~ '_' ~ project_fullname | default('') ~ '_aws_access_key']
-    | default(vars[project_fullname | default('') ~ '_aws_access_key'])
+  secret_key:
+    "{{ lookup('vars', environment_name | default('') ~ '_' ~ project_fullname | default('') ~ '_aws_access_key')
+    | default(lookup('vars', project_fullname | default('') ~ '_aws_access_key'))
     | default(aws_access_key) | default('') }}"
+  session_token:
+    "{{ lookup('vars', environment_name | default('') ~ '_' ~ project_fullname | default('') ~ '_aws_session_token')
+    | default(lookup('vars', project_fullname | default('') ~ '_aws_session_token'))
+    | default(aws_session_token) | default(omit) }}"
 
 #########
 # Azure #

nova/core/roles/gitlab/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 ### gitlab general
-gitlab_version: 18.6.1-ee.0
+gitlab_version: 18.6.2-ee.0
 gitlab_ssh_port: 10022
 # Increase gitlab ssh MaxAuthTries to avoid connection issues for users with more than 6 keys in their SSH agent set to {} to disable
 gitlab_ssh_max_auth_tries: 20

nova/core/roles/machine_operations/defaults/main.yml

@@ -112,6 +112,15 @@ machine_operations_aws_assign_public_ip: true
 # Set to false when pre-created custom security group is used
 machine_operations_create_aws_security_group: true
 
+# List of existing security group names to use for the instance
+# Mutually exclusive with machine_operations_create_aws_security_group set to true
+machine_operations_aws_security_group_names: []
+
+# By default the subnet ID comes from the interfaces list
+# It can be overridden it here to use the same subnet for all interfaces
+# or custom mapping can be created in host_vars/group_vars to map to specific subnet ID to specific host or group
+machine_operations_aws_subnet_id: {}
+
 # AWS security group rules, default is allow all
 # Use the following link to create custom rules:
 # https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_security_group_module.html

nova/core/roles/machine_operations/tasks/aws/create.yml

@@ -55,9 +55,9 @@
               architecture: x86_64
           register: found_amis
 
-        - name: Sorting images by creation_date...
+        - name: Setting latest found image as instance image...
           ansible.builtin.set_fact:
-            all_images: "{{ found_amis.images | sort(attribute='creation_date') }}"
+            ec2_instance_image: "{{ (found_amis.images | sort(attribute='creation_date'))[-1] }}"
 
         - name: Configuring AWS security group for {{ custom_vm_name | default(vm_name) }}...
           amazon.aws.ec2_security_group:
@@ -67,21 +67,33 @@
             state: present
             vpc_id: "{{ aws_vpc_id | default(omit) }}"
           register: created_security_group
-          when: machine_operations_create_aws_security_group
+          when:
+            - machine_operations_create_aws_security_group
+            - machine_operations_aws_security_group_names == []
 
-        - name: Launching {{ hostname }} EC2 instance...
+        - name: Getting required values from templated aws_interfaces.yml...
+          ansible.builtin.set_fact:
+            aws_interfaces: "{{ (lookup('ansible.builtin.template', 'aws_interfaces.yml') | from_yaml)
+              | map('dict2items') | map('rejectattr', 'key', 'equalto', 'connection_interface') | map('items2dict') | list }}"
+            aws_connection_interface_subnet: "{{ (lookup('ansible.builtin.template', 'aws_interfaces.yml') | from_yaml)
+              | map(attribute='subnet_id') | list | default([]) | first | default('') }}"
+
+        - name: Launching {{ custom_vm_name | default(vm_name) }} EC2 instance...
           amazon.aws.ec2_instance:
             name: "{{ custom_vm_name | default(vm_name) }}"
             key_name: "{{ custom_vm_name | default(vm_name) }}"
-            network_interfaces: "{{ lookup('ansible.builtin.template', 'aws_interfaces.yml') | from_yaml }}"
+            network_interfaces: "{{ aws_interfaces }}"
+            vpc_subnet_id: "{{ omit if aws_connection_interface_subnet == [] else aws_connection_interface_subnet }}"
             instance_type: "{{ aws_vm_size | default('t3.micro') }}"
-            security_group: "{{ aws_security_group_id | default(created_security_group.group_id) }}"
-            image_id: "{{ all_images[-1].image_id }}"
+            security_group: "{{ omit if machine_operations_aws_security_group_names != []
+              else machine_operations_aws_security_group_name | default(created_security_group.group_name) }}"
+            security_groups: "{{ omit if machine_operations_aws_security_group_names == [] else machine_operations_aws_security_group_names }}"
+            image_id: "{{ machine_operations_aws_ec2_image_id | default(ec2_instance_image.image_id) }}"
             user_data: "{{ lookup('ansible.builtin.template', 'Configure-CloudWindows.ps1') if 'os_windows' in group_names and fresh_deploy else omit }}"
             tags:
               inventory_hostname: "{{ inventory_hostname }}"
               project_fullname: "{{ project_fullname | default('undefined_project') }}"
-              image_name: "{{ all_images[-1].name }}"
+              image_name: "{{ ec2_instance_image.name }}"
           register: created_ec2_instance
           when: fresh_deploy
 
@@ -110,7 +122,7 @@
 
 - name: Setting connection address to {{ eip_info.public_ip
     | default(created_ec2_instance.instances[0].public_ip_address)
-    | default(existing_instances[-1].public_ip_address) }}
+    | default(existing_instances[-1].public_ip_address) | default('N/A') }}...
   ansible.builtin.set_fact:
     connection_address: "{{ eip_info.public_ip
       | default(created_ec2_instance.instances[0].public_ip_address)

nova/core/roles/machine_operations/tasks/aws/main.yml

@@ -20,8 +20,8 @@
     required_variables:
       - aws_access_key
       - aws_access_key_id
-  when: aws_defaults.aws_access_key | default(false) is ansible.builtin.falsy
-    or aws_defaults.aws_secret_key | default(false) is ansible.builtin.falsy
+  when: aws_defaults.access_key | default(false) is ansible.builtin.falsy
+    or aws_defaults.secret_key | default(false) is ansible.builtin.falsy
 
 - name: MISSING DEPLOYER SSH KEY
   ansible.builtin.fail:

nova/core/roles/machine_operations/templates/aws_interfaces.yml

@@ -2,9 +2,10 @@
 
 {% if interfaces == [] %}
 - assign_public_ip: false
+  connection_interface: true
 {% endif %}
 {% for iface in interfaces %}
-- subnet_id: "{{ iface.cloud_id }}"
+- subnet_id: "{{ iface.cloud_id if machine_operations_aws_subnet_id == {} else machine_operations_aws_subnet_id }}"
   assign_public_ip: false
   device_index: {{ loop.index0 }}
   delete_on_termination: true
@@ -15,4 +16,4 @@
     - private_ip_address: "{{ ip }}"
       primary: {{ true if loop.first else false }}
     {% endfor %}
-{% endfor %}
+  {% endfor %}

nova/core/roles/powerstate/vsphere/main.yml

@@ -17,14 +17,14 @@
       vmware.vmware.guest_info:
         guest_name: "{{ custom_vm_name | default(vm_name) }}"
       register: vm_tools
-      until: vm_tools.guests[0].guest_tools_status | default(false) == "guestToolsRunning"
+      until: vm_tools.guests[0].guest_tools_status | default('') == "guestToolsRunning"
       retries: "{{ (powerstate_agent_info_timeout if powerstate_agent_info_timeout >= 5 else 5) // 5 }}"
       delay: 5
       when:
         - powerstate_vcenter_vm_info.guests[0].hw_power_status != "poweredOff"
         - powerstate_vcenter_vm_info.guests[0].hw_power_status != "suspended"
-        - not reset and not poweroff
-        - shutdown and powerstate_vcenter_vm_info.guests[0].hw_power_status != "poweredOff"
+        - not reset
+        - not poweroff
 
     - name: Including {{ custom_vm_name | default(vm_name) }} poweroff tasks...
       ansible.builtin.include_tasks: poweroff.yml