Merge pull request #1562 from guardian/aa/aws-cli-v2

feat(aws-tools)!: Update AWS CLI to v2

roles/aws-tools/files/aws.pub

@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBF2Cr7UBEADJZHcgusOJl7ENSyumXh85z0TRV0xJorM2B/JL0kHOyigQluUG
+ZMLhENaG0bYatdrKP+3H91lvK050pXwnO/R7fB/FSTouki4ciIx5OuLlnJZIxSzx
+PqGl0mkxImLNbGWoi6Lto0LYxqHN2iQtzlwTVmq9733zd3XfcXrZ3+LblHAgEt5G
+TfNxEKJ8soPLyWmwDH6HWCnjZ/aIQRBTIQ05uVeEoYxSh6wOai7ss/KveoSNBbYz
+gbdzoqI2Y8cgH2nbfgp3DSasaLZEdCSsIsK1u05CinE7k2qZ7KgKAUIcT/cR/grk
+C6VwsnDU0OUCideXcQ8WeHutqvgZH1JgKDbznoIzeQHJD238GEu+eKhRHcz8/jeG
+94zkcgJOz3KbZGYMiTh277Fvj9zzvZsbMBCedV1BTg3TqgvdX4bdkhf5cH+7NtWO
+lrFj6UwAsGukBTAOxC0l/dnSmZhJ7Z1KmEWilro/gOrjtOxqRQutlIqG22TaqoPG
+fYVN+en3Zwbt97kcgZDwqbuykNt64oZWc4XKCa3mprEGC3IbJTBFqglXmZ7l9ywG
+EEUJYOlb2XrSuPWml39beWdKM8kzr1OjnlOm6+lpTRCBfo0wa9F8YZRhHPAkwKkX
+XDeOGpWRj4ohOx0d2GWkyV5xyN14p2tQOCdOODmz80yUTgRpPVQUtOEhXQARAQAB
+tCFBV1MgQ0xJIFRlYW0gPGF3cy1jbGlAYW1hem9uLmNvbT6JAlQEEwEIAD4CGwMF
+CwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQT7Xbd/1cEYuAURraimMQrMRnJHXAUC
+ZqFYbwUJCv/cOgAKCRCmMQrMRnJHXKYuEAC+wtZ611qQtOl0t5spM9SWZuszbcyA
+0xBAJq2pncnp6wdCOkuAPu4/R3UCIoD2C49MkLj9Y0Yvue8CCF6OIJ8L+fKBv2DI
+yWZGmHL0p9wa/X8NCKQrKxK1gq5PuCzi3f3SqwfbZuZGeK/ubnmtttWXpUtuU/Iz
+VR0u/0sAy3j4uTGKh2cX7XnZbSqgJhUk9H324mIJiSwzvw1Ker6xtH/LwdBeJCck
+bVBdh3LZis4zuD4IZeBO1vRvjot3Oq4xadUv5RSPATg7T1kivrtLCnwvqc6L4LnF
+0OkNysk94L3LQSHyQW2kQS1cVwr+yGUSiSp+VvMbAobAapmMJWP6e/dKyAUGIX6+
+2waLdbBs2U7MXznx/2ayCLPH7qCY9cenbdj5JhG9ibVvFWqqhSo22B/URQE/CMrG
++3xXwtHEBoMyWEATr1tWwn2yyQGbkUGANneSDFiTFeoQvKNyyCFTFO1F2XKCcuDs
+19nj34PE2TJilTG2QRlMr4D0NgwLLAMg2Los1CK6nXWnImYHKuaKS9LVaCoC8vu7
+IRBik1NX6SjrQnftk0M9dY+s0ZbAN1gbdjZ8H3qlbl/4TxMdr87m8LP4FZIIo261
+Eycv34pVkCePZiP+dgamEiQJ7IL4ZArio9mv6HbDGV6mLY45+l6/0EzCwkI5IyIf
+BfWC9s/USgxchg==
+=ptgS
+-----END PGP PUBLIC KEY BLOCK-----

roles/aws-tools/tasks/main.yml

@@ -3,11 +3,84 @@
   set_fact:
     post_focal: "{{ 'post-focal' if ( ansible_distribution_major_version|int >= 20 ) else 'older' }}"
 
-- name: Install pip3
-  apt: name=python3-pip state=present
+- name: Install unzip
+  apt: name=unzip state=present
 
-- name: Install latest AWS CLI
-  command: pip3 install awscli
+- name: Install gpg
+  apt: name=gnupg state=present
+
+# It is not uncommon for this role to be run once in a base image, and again in a recipe.
+# There's no point installing the AWS CLI twice, so check if it's already installed.
+- shell: which aws 2>/dev/null || echo aws_cli_not_installed
+  register: aws_cli_installed
+
+- name: (AWS CLI v2) Create temporary directory
+  file: path=/tmp/awscliv2 state=directory
+  when: aws_cli_installed.stdout == "aws_cli_not_installed"
+
+- name: Generate default GPG key
+  command: gpg --batch --passphrase '' --quick-gen-key AMIgo default default
+  when: aws_cli_installed.stdout == "aws_cli_not_installed"
+
+# The public key was obtained from https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html with the following detail:
+# Key ID:           A6310ACC4672475C
+# Type:             RSA
+# Size:             4096/4096
+# Created:          2019-09-18
+# Expires:          2025-07-24
+# User ID:          AWS CLI Team <aws-cli@amazon.com>
+# Key fingerprint:  FB5DB77FD5C118B80511ADA8A6310ACC4672475C
+- name: Copy AWS GPG key
+  copy: src=aws.pub dest=/tmp/awscliv2/aws.pub mode=0444
+  when: aws_cli_installed.stdout == "aws_cli_not_installed"
+
+- name: Import AWS GPG key
+  command: gpg --import /tmp/awscliv2/aws.pub
+  when: aws_cli_installed.stdout == "aws_cli_not_installed"
+
+- name: Trust AWS GPG key
+  command: gpg --quick-lsign-key FB5DB77FD5C118B80511ADA8A6310ACC4672475C
+  when: aws_cli_installed.stdout == "aws_cli_not_installed"
+
+- name: (AWS CLI v2) Download (aarch64)
+  get_url: url=https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip dest=/tmp/awscliv2/awscliv2.zip
+  when:
+    - ansible_architecture == "aarch64"
+    - aws_cli_installed.stdout == "aws_cli_not_installed"
+
+- name: (AWS CLI v2) Download (x86_64)
+  get_url: url=https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip dest=/tmp/awscliv2/awscliv2.zip
+  when:
+    - ansible_architecture == "x86_64"
+    - aws_cli_installed.stdout == "aws_cli_not_installed"
+
+- name: (AWS CLI v2) Download signature (aarch64)
+  get_url: url=https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip.sig dest=/tmp/awscliv2/awscliv2.zip.sig
+  when:
+    - ansible_architecture == "aarch64"
+    - aws_cli_installed.stdout == "aws_cli_not_installed"
+
+- name: (AWS CLI v2) Download signature (x86_64)
+  get_url: url=https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig dest=/tmp/awscliv2/awscliv2.zip.sig
+  when:
+    - ansible_architecture == "x86_64"
+    - aws_cli_installed.stdout == "aws_cli_not_installed"
+
+- name: (AWS CLI v2) Verify downloaded ZIP file
+  command: gpg --verify /tmp/awscliv2/awscliv2.zip.sig /tmp/awscliv2/awscliv2.zip
+  when: aws_cli_installed.stdout == "aws_cli_not_installed"
+
+- name: (AWS CLI v2) Extract
+  ansible.builtin.unarchive: src=/tmp/awscliv2/awscliv2.zip dest=/tmp/awscliv2 remote_src=yes
+  when: aws_cli_installed.stdout == "aws_cli_not_installed"
+
+- name: (AWS CLI v2) Install
+  command: /tmp/awscliv2/aws/install --bin-dir /usr/local/bin --install-dir /usr/local/aws-cli --update
+  when: aws_cli_installed.stdout == "aws_cli_not_installed"
+
+- name: (AWS CLI v2) Remove temporary directory
+  file: path=/tmp/awscliv2 state=absent
+  when: aws_cli_installed.stdout == "aws_cli_not_installed"
 
 - name: Install cloudformation tools
   include: "{{ item }}"