diff --git a/Makefile b/Makefile
index ae62dd9..805e4e5 100644
--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,6 @@ CLUSTER_NAME ?= ans-$(shell whoami)
-EXTRA_VARS ?= --extra-vars "cluster_name=$(CLUSTER_NAME) rosa_account_roles_prefix=$(CLUSTER_NAME)"
VIRTUALENV ?= "./virtualenv/"
ANSIBLE = $(VIRTUALENV)/bin/ansible-playbook -v $(EXTRA_VARS)
@@ -47,13 +46,16 @@ delete:
$(ANSIBLE) delete-cluster.yaml
create.multiaz:
- $(ANSIBLE) create-cluster.yaml -i ./environment/multi-az/hosts
+ $(ANSIBLE) create-cluster.yaml -i ./environment/multi-az/hosts \
+ --extra-vars "cluster_name=$(CLUSTER_NAME) rosa_account_roles_prefix=$(CLUSTER_NAME)"
create.private:
- $(ANSIBLE) create-cluster.yaml -i ./environment/private-link/hosts
+ $(ANSIBLE) create-cluster.yaml -i ./environment/private-link/hosts \
+ --extra-vars "cluster_name=$(CLUSTER_NAME) rosa_account_roles_prefix=$(CLUSTER_NAME)"
delete.private:
- $(ANSIBLE) delete-cluster.yaml -i ./environment/private-link/hosts
+ $(ANSIBLE) delete-cluster.yaml -i ./environment/private-link/hosts \
+ --extra-vars "cluster_name=$(CLUSTER_NAME) rosa_account_roles_prefix=$(CLUSTER_NAME)"
create.pl: create.private
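Review bot: Dropping the `EXTRA_VARS ?=` default leaves `ANSIBLE = ... $(EXTRA_VARS)` expanding to nothing unless the caller sets it, so the plain `delete` target (visible as context at the top of the next hunk, and presumably its `create` sibling) no longer passes `cluster_name=$(CLUSTER_NAME)` and will act on whatever `cluster_name` the playbooks default to rather than the per-user `ans-$(whoami)` name. For a delete target that is a real operational hazard: the recipe still runs, just against a different cluster than the one this Makefile used to target. Either keep a default for the base targets, `EXTRA_VARS ?= --extra-vars "cluster_name=$(CLUSTER_NAME) rosa_account_roles_prefix=$(CLUSTER_NAME)"`, or make them refuse to run without it, `delete: ; $(if $(strip $(EXTRA_VARS)),,$(error EXTRA_VARS must be set))`. Whether `create` exists and what the playbook default resolves to cannot be confirmed from this diff.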
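Review bot: The identical `--extra-vars "cluster_name=$(CLUSTER_NAME) rosa_account_roles_prefix=$(CLUSTER_NAME)"` string is now pasted into every classic recipe in this hunk and the next, so any change to the variable set has to be repeated per target and one missed copy silently diverges. Define it once near the top, `CLASSIC_EXTRA_VARS := --extra-vars "cluster_name=$(CLUSTER_NAME) rosa_account_roles_prefix=$(CLUSTER_NAME)"`, and write the recipes as `$(ANSIBLE) create-cluster.yaml -i ./environment/multi-az/hosts $(CLASSIC_EXTRA_VARS)`. These targets are commands rather than files; if they are not already listed under `.PHONY` further up (not visible here), a stray file named `delete.private` would make the target appear up to date.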
@@ -61,24 +63,31 @@ delete.pl: delete.private
delete.multiaz:
- $(ANSIBLE) delete-cluster.yaml -i ./environment/multi-az/hosts
+ $(ANSIBLE) delete-cluster.yaml -i ./environment/multi-az/hosts \
+ --extra-vars "cluster_name=$(CLUSTER_NAME) rosa_account_roles_prefix=$(CLUSTER_NAME)"
create.tgw:
- $(ANSIBLE) create-cluster.yaml -i ./environment/transit-gateway-egress/hosts
+ $(ANSIBLE) create-cluster.yaml -i ./environment/transit-gateway-egress/hosts \
+ --extra-vars "cluster_name=$(CLUSTER_NAME) rosa_account_roles_prefix=$(CLUSTER_NAME)"
delete.tgw:
- $(ANSIBLE) delete-cluster.yaml -i ./environment/transit-gateway-egress/hosts
+ $(ANSIBLE) delete-cluster.yaml -i ./environment/transit-gateway-egress/hosts \
+ --extra-vars "cluster_name=$(CLUSTER_NAME) rosa_account_roles_prefix=$(CLUSTER_NAME)"
create.hcp:
- $(ANSIBLE) create-cluster.yaml -i ./environment/hcp/hosts
+ $(ANSIBLE) create-cluster.yaml -i ./environment/hcp/hosts \
+ --extra-vars "cluster_name=$(CLUSTER_NAME) rosa_account_roles_prefix=$(CLUSTER_NAME)-HCP-ROSA"
delete.hcp:
- $(ANSIBLE) delete-cluster.yaml -i ./environment/hcp/hosts
+ $(ANSIBLE) delete-cluster.yaml -i ./environment/hcp/hosts \
+ --extra-vars "cluster_name=$(CLUSTER_NAME) rosa_account_roles_prefix=$(CLUSTER_NAME)-HCP-ROSA"
create.new:
- $(ANSIBLE) install.yml -i ./environment/hcp/hosts
+ $(ANSIBLE) install.yml -i ./environment/hcp/hosts \
+ --extra-vars "cluster_name=$(CLUSTER_NAME) rosa_account_roles_prefix=$(CLUSTER_NAME)-HCP-ROSA"
delete.new:
- $(ANSIBLE) uninstall.yml -i ./environment/hcp/hosts
+ $(ANSIBLE) uninstall.yml -i ./environment/hcp/hosts \
+ --extra-vars "cluster_name=$(CLUSTER_NAME) rosa_account_roles_prefix=$(CLUSTER_NAME)-HCP-ROSA"
docker.create: image
docker run --rm \
diff --git a/install.yml b/install.yml
index 255c37d..63a8636 100644
--- a/install.yml
+++ b/install.yml
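Review bot: The `-HCP-ROSA` suffix that `roles/_vars/tasks/main.yml` now enforces for hosted control plane clusters is hard-coded into four recipes here (`create.hcp`, `delete.hcp`, `create.new`, `delete.new`), so the Makefile and the Ansible check can drift apart with no error until a run fails the `fail` task. Derive it once, `HCP_ROLES_PREFIX ?= $(CLUSTER_NAME)-HCP-ROSA`, and pass `rosa_account_roles_prefix=$(HCP_ROLES_PREFIX)` in those recipes. `create.new`/`delete.new` drive a different playbook pair (`install.yml`/`uninstall.yml`) against the same hcp inventory and prefix as `create.hcp`/`delete.hcp`; a one-line comment on each pair stating which is the supported path, e.g. `## install.yml is the role-based flow; create-cluster.yaml is the legacy path`, would save the next reader guessing — assuming that is the intent.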
@@ -33,7 +33,7 @@
# - vars/main.yaml
roles:
- # - name: roles/_vars
+ - name: roles/_vars
- name: roles/network_math
# - name: roles/tgw_create
# when: rosa_tgw_enabled | bool
@@ -53,3 +53,37 @@
gateway_endpoints: [s3]
interface_endpoints: [sts,ec2,elasticloadbalancing]
when: rosa_subnet_ids | default([]) | length == 0
+
+ - name: roles/rosa_account_roles
+ vars:
+ rosa_account_roles:
+ hosted_cp: "{{ rosa_hosted_cp }}"
+ version: "{{ rosa_account_roles_version }}"
+ prefix: "{{ rosa_account_roles_prefix }}"
+
+ - name: roles/rosa_cluster
+ vars:
+ rosa_cluster:
+ name: "{{ cluster_name }}"
+ aws_account_id: "{{ aws_account_id }}"
+ account_roles_prefix: "{{ rosa_account_roles_prefix }}"
+ region: "{{ rosa_region }}"
+ private_link: "{{ rosa_private_link }}"
+ vpc_cidr: "{{ rosa_vpc_cidr }}"
+ multi_az: "{{ rosa_multi_az }}"
+ version: "{{ rosa_version }}"
+ hosted_cp: "{{ rosa_hosted_cp }}"
+ min_replicas: "{{ rosa_min_replicas }}"
+ max_replicas: "{{ rosa_max_replicas }}"
+ compute_nodes: "{{ rosa_compute_nodes | default(rosa_multi_az | ternary('3', '2')) }}"
+ compute_machine_type: "m5.xlarge"
+ kms_key_arn: "{{ rosa_kms_key_arn }}"
+ tags: "{{ extra_tags }}"
+ http_proxy: "{{ proxy_enabled | bool | ternary('http://'+(proxy_private_ip|default(''))+':3128', omit) }}"
+ https_proxy: "{{ proxy_enabled | bool | ternary('http://'+(proxy_private_ip|default(''))+':3128', omit) }}"
+ additional_trust_bundle_file: "{{ proxy_enabled | bool | ternary('roles/proxy_create/files/squid-ca-cert.pem', omit) }}" # "roles/proxy_create/files/squid-ca-cert.pem"
+ no_proxy: "{{ proxy_enabled | bool | ternary(rosa_no_proxy|default(None), omit) }}"
+
+
+
+
diff --git a/roles/_vars/defaults/main.yml b/roles/_vars/defaults/main.yml
index 15092cd..a3293b0 100644
--- a/roles/_vars/defaults/main.yml
+++ b/roles/_vars/defaults/main.yml
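Review bot: `compute_machine_type: "m5.xlarge"` is hard-coded in the new `rosa_cluster` vars even though `roles/_vars/defaults/main.yml` in this same diff defines `rosa_compute_machine_type: m5.xlarge`, so overriding that variable has no effect on this playbook; use `compute_machine_type: "{{ rosa_compute_machine_type }}"`. The proxy URLs are built as `'http://'+(proxy_private_ip|default(''))+':3128'`, which silently yields `http://:3128` when `proxy_enabled` is true but `proxy_private_ip` is unset — dropping the `default('')` makes an undefined IP fail at templating instead of producing a cluster whose egress proxy can never be reached. `additional_trust_bundle_file` installs `roles/proxy_create/files/squid-ca-cert.pem` as a cluster-wide trust anchor; whether that CA is generated per deployment or checked into the repo (and whether its signing key travels with it) cannot be seen here and is worth confirming, and the trailing `# "roles/proxy_create/files/squid-ca-cert.pem"` comment only repeats the path. The four empty lines appended at the end of the file are noise.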
@@ -26,12 +26,11 @@ rosa_vpc_endpoints_enabled: false
rosa_subnet_ids: []
rosa_machine_cidr: ~
rosa_compute_machine_type: m5.xlarge
-
+rosa_min_replicas:
+rosa_max_replicas:
rosa_hosted_cp: False
rosa_account_roles_version: "4.14"
-rosa_account_roles_prefix: AnsibleROSA
-## leave commented out to use the cluster name as the prefix
-# rosa_operator_roles_prefix: ~
+rosa_account_roles_prefix: Ansible
rosa_custom_domain_enabled: false
diff --git a/roles/_vars/tasks/main.yml b/roles/_vars/tasks/main.yml
index 0b082e0..f5b3293 100644
--- a/roles/_vars/tasks/main.yml
+++ b/roles/_vars/tasks/main.yml
@@ -12,3 +12,11 @@
- set_fact:
aws_account_id: "{{ _aws_caller_info.account }}"
+
+- fail:
+ msg: |
+ rosa_account_roles_prefix must end in "-HCP-ROSA" for Hosted Control Plane Clusters
+ rosa_account_roles_prefix currently set to: "{{ rosa_account_roles_prefix }}"
+ when:
+ - rosa_account_roles_prefix is not search("^.*-HCP-ROSA$")
+ - rosa_hosted_cp | bool
diff --git a/roles/account_roles_create/files/classic/4.12/sts_installer_permission_policy.json b/roles/account_roles_create/files/classic/4.12/sts_installer_permission_policy.json
deleted file mode 100644
index 7b0e8ef..0000000
--- a/roles/account_roles_create/files/classic/4.12/sts_installer_permission_policy.json
+++ /dev/null
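Review bot: Changing the default `rosa_account_roles_prefix` from `AnsibleROSA` to `Ansible` is a silent breaking change for any cluster already created under the old default: a later delete run without an explicit prefix will look for roles under the new name and leave the old account roles orphaned in IAM, and a create will provision a second set. Record that at the definition, e.g. `## default was "AnsibleROSA" before the role-based flow; pass the old prefix explicitly for clusters created with it`. `rosa_min_replicas:`/`rosa_max_replicas:` default to null while `install.yml` passes them unconditionally as `"{{ rosa_min_replicas }}"`, so the `rosa_cluster` role has to tolerate a null or empty value; a short comment stating what null means here (presumably "no autoscaling bounds") makes that contract explicit. `rosa_account_roles_version` stays at `"4.14"` while the `classic/4.14/*` policy files are deleted further down, which is fine only if nothing still reads `roles/account_roles_create/files` — worth confirming against `create-cluster.yaml`, which is not in this diff.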
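Review bot: The `when` list evaluates `rosa_account_roles_prefix is not search("^.*-HCP-ROSA$")` before `rosa_hosted_cp | bool`, so every classic run templates the regex too and, should the prefix ever be undefined, would fail with a templating error instead of skipping the check; put the cheap gate first, `- rosa_hosted_cp | bool`, then `- rosa_account_roles_prefix is not search("-HCP-ROSA$")` (the leading `^.*` is redundant with `search`). This is a precondition, so `assert` with `that:` and `fail_msg:` is the idiomatic module and reads as a validation rather than an unconditional failure. The inverse case — a classic cluster run with a `-HCP-ROSA` prefix — is not rejected; if the naming convention is meaningful for classic roles as well, add the mirror condition.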
@@ -1 +0,0 @@ -{"Version": "2012-10-17", "Statement": [{"Action": ["autoscaling:DescribeAutoScalingGroups", "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:AssociateDhcpOptions", "ec2:AssociateRouteTable", "ec2:AttachInternetGateway", "ec2:AttachNetworkInterface", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CopyImage", "ec2:CreateDhcpOptions", "ec2:CreateInternetGateway", "ec2:CreateNatGateway", "ec2:CreateNetworkInterface", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:CreateSecurityGroup", "ec2:CreateSubnet", "ec2:CreateTags", "ec2:CreateVolume", "ec2:CreateVpc", "ec2:CreateVpcEndpoint", "ec2:DeleteDhcpOptions", "ec2:DeleteInternetGateway", "ec2:DeleteNatGateway", "ec2:DeleteNetworkInterface", "ec2:DeleteRoute", "ec2:DeleteRouteTable", "ec2:DeleteSecurityGroup", "ec2:DeleteSnapshot", "ec2:DeleteSubnet", "ec2:DeleteTags", "ec2:DeleteVolume", "ec2:DeleteVpc", "ec2:DeleteVpcEndpoints", "ec2:DeregisterImage", "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", "ec2:DescribeAvailabilityZones", "ec2:DescribeDhcpOptions", "ec2:DescribeImages", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceCreditSpecifications", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeInstanceTypes", "ec2:DescribeInternetGateways", "ec2:DescribeKeyPairs", "ec2:DescribeNatGateways", "ec2:DescribeNetworkAcls", "ec2:DescribeNetworkInterfaces", "ec2:DescribePrefixLists", "ec2:DescribeRegions", "ec2:DescribeReservedInstancesOfferings", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSecurityGroupRules", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVpcAttribute", "ec2:DescribeVpcClassicLink", "ec2:DescribeVpcClassicLinkDnsSupport", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs", "ec2:DetachInternetGateway", "ec2:DisassociateRouteTable", "ec2:GetConsoleOutput", "ec2:GetEbsDefaultKmsKeyId", "ec2:ModifyInstanceAttribute", 
"ec2:ModifyNetworkInterfaceAttribute", "ec2:ModifySubnetAttribute", "ec2:ModifyVpcAttribute", "ec2:ReleaseAddress", "ec2:ReplaceRouteTableAssociation", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress", "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:ConfigureHealthCheck", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateLoadBalancerListeners", "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteTargetGroup", "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeInstanceHealth", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeTargetGroupAttributes", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyTargetGroup", "elasticloadbalancing:ModifyTargetGroupAttributes", "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", "iam:AddRoleToInstanceProfile", "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile", "iam:GetInstanceProfile", "iam:TagInstanceProfile", "iam:GetRole", "iam:GetRolePolicy", "iam:GetUser", "iam:ListAttachedRolePolicies", "iam:ListInstanceProfiles", "iam:ListInstanceProfilesForRole", "iam:ListRolePolicies", "iam:ListRoles", "iam:ListUserPolicies", "iam:ListUsers", "iam:PassRole", "iam:RemoveRoleFromInstanceProfile", "iam:SimulatePrincipalPolicy", 
"iam:TagRole", "iam:UntagRole", "route53:ChangeResourceRecordSets", "route53:ChangeTagsForResource", "route53:CreateHostedZone", "route53:DeleteHostedZone", "route53:GetAccountLimit", "route53:GetChange", "route53:GetHostedZone", "route53:ListHostedZones", "route53:ListHostedZonesByName", "route53:ListResourceRecordSets", "route53:ListTagsForResource", "route53:UpdateHostedZoneComment", "s3:CreateBucket", "s3:DeleteBucket", "s3:DeleteObject", "s3:GetAccelerateConfiguration", "s3:GetBucketAcl", "s3:GetBucketCORS", "s3:GetBucketLocation", "s3:GetBucketLogging", "s3:GetBucketObjectLockConfiguration", "s3:GetBucketPolicy", "s3:GetBucketReplication", "s3:GetBucketRequestPayment", "s3:GetBucketTagging", "s3:GetBucketVersioning", "s3:GetBucketWebsite", "s3:GetEncryptionConfiguration", "s3:GetLifecycleConfiguration", "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectTagging", "s3:GetObjectVersion", "s3:GetReplicationConfiguration", "s3:ListBucket", "s3:ListBucketVersions", "s3:PutBucketAcl", "s3:PutBucketTagging", "s3:PutEncryptionConfiguration", "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectTagging", "servicequotas:GetServiceQuota", "servicequotas:ListAWSDefaultServiceQuotas", "sts:AssumeRole", "sts:AssumeRoleWithWebIdentity", "sts:GetCallerIdentity", "tag:GetResources", "tag:UntagResources", "ec2:CreateVpcEndpointServiceConfiguration", "ec2:DeleteVpcEndpointServiceConfigurations", "ec2:DescribeVpcEndpointServiceConfigurations", "ec2:DescribeVpcEndpointServicePermissions", "ec2:DescribeVpcEndpointServices", "ec2:ModifyVpcEndpointServicePermissions", "kms:DescribeKey", "cloudwatch:GetMetricData"], "Effect": "Allow", "Resource": "*"}, {"Action": ["secretsmanager:GetSecretValue"], "Effect": "Allow", "Resource": "*", "Condition": {"StringEquals": {"aws:ResourceTag/red-hat-managed": "true"}}}]} \ No newline at end of file 
diff --git a/roles/account_roles_create/files/classic/4.12/sts_support_permission_policy.json b/roles/account_roles_create/files/classic/4.12/sts_support_permission_policy.json
deleted file mode 100644
index c1ecf07..0000000
--- a/roles/account_roles_create/files/classic/4.12/sts_support_permission_policy.json
+++ /dev/null
@@ -1 +0,0 @@ -{"Version": "2012-10-17", "Statement": [{"Action": ["cloudtrail:DescribeTrails", "cloudtrail:LookupEvents", "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "ec2-instance-connect:SendSerialConsoleSSHPublicKey", "ec2:CopySnapshot", "ec2:CreateNetworkInsightsPath", "ec2:CreateSnapshot", "ec2:CreateSnapshots", "ec2:CreateTags", "ec2:DeleteNetworkInsightsAnalysis", "ec2:DeleteNetworkInsightsPath", "ec2:DeleteTags", "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", "ec2:DescribeAddressesAttribute", "ec2:DescribeAggregateIdFormat", "ec2:DescribeAvailabilityZones", "ec2:DescribeByoipCidrs", "ec2:DescribeCapacityReservations", "ec2:DescribeCarrierGateways", "ec2:DescribeClassicLinkInstances", "ec2:DescribeClientVpnAuthorizationRules", "ec2:DescribeClientVpnConnections", "ec2:DescribeClientVpnEndpoints", "ec2:DescribeClientVpnRoutes", "ec2:DescribeClientVpnTargetNetworks", "ec2:DescribeCoipPools", "ec2:DescribeCustomerGateways", "ec2:DescribeDhcpOptions", "ec2:DescribeEgressOnlyInternetGateways", "ec2:DescribeIamInstanceProfileAssociations", "ec2:DescribeIdentityIdFormat", "ec2:DescribeIdFormat", "ec2:DescribeImageAttribute", "ec2:DescribeImages", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeInstanceTypes", "ec2:DescribeInternetGateways", "ec2:DescribeIpv6Pools", "ec2:DescribeKeyPairs", "ec2:DescribeLaunchTemplates", "ec2:DescribeLocalGatewayRouteTables", "ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations", "ec2:DescribeLocalGatewayRouteTableVpcAssociations", "ec2:DescribeLocalGateways", "ec2:DescribeLocalGatewayVirtualInterfaceGroups", "ec2:DescribeLocalGatewayVirtualInterfaces", "ec2:DescribeManagedPrefixLists", "ec2:DescribeNatGateways", "ec2:DescribeNetworkAcls", "ec2:DescribeNetworkInsightsAnalyses", "ec2:DescribeNetworkInsightsPaths", "ec2:DescribeNetworkInterfaces", "ec2:DescribePlacementGroups", 
"ec2:DescribePrefixLists", "ec2:DescribePrincipalIdFormat", "ec2:DescribePublicIpv4Pools", "ec2:DescribeRegions", "ec2:DescribeReservedInstances", "ec2:DescribeRouteTables", "ec2:DescribeScheduledInstances", "ec2:DescribeSecurityGroupReferences", "ec2:DescribeSecurityGroupRules", "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshotAttribute", "ec2:DescribeSnapshots", "ec2:DescribeSpotFleetInstances", "ec2:DescribeStaleSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeTransitGatewayAttachments", "ec2:DescribeTransitGatewayConnectPeers", "ec2:DescribeTransitGatewayConnects", "ec2:DescribeTransitGatewayMulticastDomains", "ec2:DescribeTransitGatewayPeeringAttachments", "ec2:DescribeTransitGatewayRouteTables", "ec2:DescribeTransitGateways", "ec2:DescribeTransitGatewayVpcAttachments", "ec2:DescribeVolumeAttribute", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVolumeStatus", "ec2:DescribeVpcAttribute", "ec2:DescribeVpcClassicLink", "ec2:DescribeVpcClassicLinkDnsSupport", "ec2:DescribeVpcEndpointConnectionNotifications", "ec2:DescribeVpcEndpointConnections", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcEndpointServiceConfigurations", "ec2:DescribeVpcEndpointServicePermissions", "ec2:DescribeVpcEndpointServices", "ec2:DescribeVpcPeeringConnections", "ec2:DescribeVpcs", "ec2:DescribeVpnConnections", "ec2:DescribeVpnGateways", "ec2:GetAssociatedIpv6PoolCidrs", "ec2:GetConsoleOutput", "ec2:GetManagedPrefixListEntries", "ec2:GetSerialConsoleAccessStatus", "ec2:GetTransitGatewayAttachmentPropagations", "ec2:GetTransitGatewayMulticastDomainAssociations", "ec2:GetTransitGatewayPrefixListReferences", "ec2:GetTransitGatewayRouteTableAssociations", "ec2:GetTransitGatewayRouteTablePropagations", "ec2:ModifyInstanceAttribute", "ec2:RebootInstances", "ec2:RunInstances", "ec2:SearchLocalGatewayRoutes", "ec2:SearchTransitGatewayMulticastGroups", "ec2:SearchTransitGatewayRoutes", "ec2:StartInstances", "ec2:StartNetworkInsightsAnalysis", 
"ec2:StopInstances", "ec2:TerminateInstances", "elasticloadbalancing:ConfigureHealthCheck", "elasticloadbalancing:DescribeAccountLimits", "elasticloadbalancing:DescribeInstanceHealth", "elasticloadbalancing:DescribeListenerCertificates", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeLoadBalancerPolicyTypes", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeSSLPolicies", "elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeTargetGroupAttributes", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", "iam:GetRole", "iam:ListRoles", "route53:GetHostedZone", "route53:GetHostedZoneCount", "route53:ListHostedZones", "route53:ListHostedZonesByName", "route53:ListResourceRecordSets", "s3:GetBucketTagging", "s3:GetObjectAcl", "s3:GetObjectTagging", "s3:ListAllMyBuckets", "sts:DecodeAuthorizationMessage", "tiros:CreateQuery", "tiros:GetQueryAnswer", "tiros:GetQueryExplanation"], "Effect": "Allow", "Resource": "*"}, {"Action": ["s3:ListBucket"], "Effect": "Allow", "Resource": ["arn:aws:s3:::managed-velero*", "arn:aws:s3:::*image-registry*"]}, {"Action": ["kms:CreateGrant"], "Effect": "Allow", "Resource": "*", "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}, "StringLike": {"kms:ViaService": "ec2.*.amazonaws.com"}}}]} \ No newline at end of file diff --git a/roles/account_roles_create/files/classic/4.13/sts_installer_permission_policy.json b/roles/account_roles_create/files/classic/4.13/sts_installer_permission_policy.json deleted file mode 100644 index 7b0e8ef..0000000 --- a/roles/account_roles_create/files/classic/4.13/sts_installer_permission_policy.json +++ /dev/null 
@@ -1 +0,0 @@ -{"Version": "2012-10-17", "Statement": [{"Action": ["autoscaling:DescribeAutoScalingGroups", "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:AssociateDhcpOptions", "ec2:AssociateRouteTable", "ec2:AttachInternetGateway", "ec2:AttachNetworkInterface", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CopyImage", "ec2:CreateDhcpOptions", "ec2:CreateInternetGateway", "ec2:CreateNatGateway", "ec2:CreateNetworkInterface", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:CreateSecurityGroup", "ec2:CreateSubnet", "ec2:CreateTags", "ec2:CreateVolume", "ec2:CreateVpc", "ec2:CreateVpcEndpoint", "ec2:DeleteDhcpOptions", "ec2:DeleteInternetGateway", "ec2:DeleteNatGateway", "ec2:DeleteNetworkInterface", "ec2:DeleteRoute", "ec2:DeleteRouteTable", "ec2:DeleteSecurityGroup", "ec2:DeleteSnapshot", "ec2:DeleteSubnet", "ec2:DeleteTags", "ec2:DeleteVolume", "ec2:DeleteVpc", "ec2:DeleteVpcEndpoints", "ec2:DeregisterImage", "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", "ec2:DescribeAvailabilityZones", "ec2:DescribeDhcpOptions", "ec2:DescribeImages", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceCreditSpecifications", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeInstanceTypes", "ec2:DescribeInternetGateways", "ec2:DescribeKeyPairs", "ec2:DescribeNatGateways", "ec2:DescribeNetworkAcls", "ec2:DescribeNetworkInterfaces", "ec2:DescribePrefixLists", "ec2:DescribeRegions", "ec2:DescribeReservedInstancesOfferings", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSecurityGroupRules", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVpcAttribute", "ec2:DescribeVpcClassicLink", "ec2:DescribeVpcClassicLinkDnsSupport", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs", "ec2:DetachInternetGateway", "ec2:DisassociateRouteTable", "ec2:GetConsoleOutput", "ec2:GetEbsDefaultKmsKeyId", "ec2:ModifyInstanceAttribute", 
"ec2:ModifyNetworkInterfaceAttribute", "ec2:ModifySubnetAttribute", "ec2:ModifyVpcAttribute", "ec2:ReleaseAddress", "ec2:ReplaceRouteTableAssociation", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress", "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:ConfigureHealthCheck", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateLoadBalancerListeners", "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteTargetGroup", "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeInstanceHealth", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeTargetGroupAttributes", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyTargetGroup", "elasticloadbalancing:ModifyTargetGroupAttributes", "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", "iam:AddRoleToInstanceProfile", "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile", "iam:GetInstanceProfile", "iam:TagInstanceProfile", "iam:GetRole", "iam:GetRolePolicy", "iam:GetUser", "iam:ListAttachedRolePolicies", "iam:ListInstanceProfiles", "iam:ListInstanceProfilesForRole", "iam:ListRolePolicies", "iam:ListRoles", "iam:ListUserPolicies", "iam:ListUsers", "iam:PassRole", "iam:RemoveRoleFromInstanceProfile", "iam:SimulatePrincipalPolicy", 
"iam:TagRole", "iam:UntagRole", "route53:ChangeResourceRecordSets", "route53:ChangeTagsForResource", "route53:CreateHostedZone", "route53:DeleteHostedZone", "route53:GetAccountLimit", "route53:GetChange", "route53:GetHostedZone", "route53:ListHostedZones", "route53:ListHostedZonesByName", "route53:ListResourceRecordSets", "route53:ListTagsForResource", "route53:UpdateHostedZoneComment", "s3:CreateBucket", "s3:DeleteBucket", "s3:DeleteObject", "s3:GetAccelerateConfiguration", "s3:GetBucketAcl", "s3:GetBucketCORS", "s3:GetBucketLocation", "s3:GetBucketLogging", "s3:GetBucketObjectLockConfiguration", "s3:GetBucketPolicy", "s3:GetBucketReplication", "s3:GetBucketRequestPayment", "s3:GetBucketTagging", "s3:GetBucketVersioning", "s3:GetBucketWebsite", "s3:GetEncryptionConfiguration", "s3:GetLifecycleConfiguration", "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectTagging", "s3:GetObjectVersion", "s3:GetReplicationConfiguration", "s3:ListBucket", "s3:ListBucketVersions", "s3:PutBucketAcl", "s3:PutBucketTagging", "s3:PutEncryptionConfiguration", "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectTagging", "servicequotas:GetServiceQuota", "servicequotas:ListAWSDefaultServiceQuotas", "sts:AssumeRole", "sts:AssumeRoleWithWebIdentity", "sts:GetCallerIdentity", "tag:GetResources", "tag:UntagResources", "ec2:CreateVpcEndpointServiceConfiguration", "ec2:DeleteVpcEndpointServiceConfigurations", "ec2:DescribeVpcEndpointServiceConfigurations", "ec2:DescribeVpcEndpointServicePermissions", "ec2:DescribeVpcEndpointServices", "ec2:ModifyVpcEndpointServicePermissions", "kms:DescribeKey", "cloudwatch:GetMetricData"], "Effect": "Allow", "Resource": "*"}, {"Action": ["secretsmanager:GetSecretValue"], "Effect": "Allow", "Resource": "*", "Condition": {"StringEquals": {"aws:ResourceTag/red-hat-managed": "true"}}}]} \ No newline at end of file 
diff --git a/roles/account_roles_create/files/classic/4.13/sts_instance_controlplane_permission_policy.json b/roles/account_roles_create/files/classic/4.13/sts_instance_controlplane_permission_policy.json deleted file mode 100644 index a334aed..0000000 --- a/roles/account_roles_create/files/classic/4.13/sts_instance_controlplane_permission_policy.json +++ /dev/null @@ -1 +0,0 @@ -{"Version": "2012-10-17", "Statement": [{"Action": ["ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:Describe*", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", "ec2:ModifyVolume", "ec2:RevokeSecurityGroupIngress", "elasticloadbalancing:AddTags", "elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateLoadBalancerPolicy", "elasticloadbalancing:CreateLoadBalancerListeners", "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:ConfigureHealthCheck", "elasticloadbalancing:DeleteListener", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteLoadBalancerListeners", "elasticloadbalancing:DeleteTargetGroup", "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:Describe*", "elasticloadbalancing:DetachLoadBalancerFromSubnets", "elasticloadbalancing:ModifyListener", "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyTargetGroup", "elasticloadbalancing:ModifyTargetGroupAttributes", "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", "kms:DescribeKey"], "Effect": "Allow", "Resource": "*"}]} \ No newline at end of file 
diff --git a/roles/account_roles_create/files/classic/4.13/sts_instance_controlplane_trust_policy.json b/roles/account_roles_create/files/classic/4.13/sts_instance_controlplane_trust_policy.json
deleted file mode 100644
index 721f1a4..0000000
--- a/roles/account_roles_create/files/classic/4.13/sts_instance_controlplane_trust_policy.json
+++ /dev/null
@@ -1 +0,0 @@
-{"Version": "2012-10-17", "Statement": [{"Action": ["sts:AssumeRole"], "Effect": "Allow", "Principal": {"Service": ["ec2.amazonaws.com"]}}]}
\ No newline at end of file
diff --git a/roles/account_roles_create/files/classic/4.13/sts_instance_worker_permission_policy.json b/roles/account_roles_create/files/classic/4.13/sts_instance_worker_permission_policy.json
deleted file mode 100644
index 1da32aa..0000000
--- a/roles/account_roles_create/files/classic/4.13/sts_instance_worker_permission_policy.json
+++ /dev/null
@@ -1 +0,0 @@
-{"Version": "2012-10-17", "Statement": [{"Action": ["ec2:DescribeInstances", "ec2:DescribeRegions"], "Effect": "Allow", "Resource": "*"}]}
\ No newline at end of file
diff --git a/roles/account_roles_create/files/classic/4.13/sts_support_permission_policy.json b/roles/account_roles_create/files/classic/4.13/sts_support_permission_policy.json
deleted file mode 100644
index c1ecf07..0000000
--- a/roles/account_roles_create/files/classic/4.13/sts_support_permission_policy.json
+++ /dev/null
@@ -1 +0,0 @@ -{"Version": "2012-10-17", "Statement": [{"Action": ["cloudtrail:DescribeTrails", "cloudtrail:LookupEvents", "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "ec2-instance-connect:SendSerialConsoleSSHPublicKey", "ec2:CopySnapshot", "ec2:CreateNetworkInsightsPath", "ec2:CreateSnapshot", "ec2:CreateSnapshots", "ec2:CreateTags", "ec2:DeleteNetworkInsightsAnalysis", "ec2:DeleteNetworkInsightsPath", "ec2:DeleteTags", "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", "ec2:DescribeAddressesAttribute", "ec2:DescribeAggregateIdFormat", "ec2:DescribeAvailabilityZones", "ec2:DescribeByoipCidrs", "ec2:DescribeCapacityReservations", "ec2:DescribeCarrierGateways", "ec2:DescribeClassicLinkInstances", "ec2:DescribeClientVpnAuthorizationRules", "ec2:DescribeClientVpnConnections", "ec2:DescribeClientVpnEndpoints", "ec2:DescribeClientVpnRoutes", "ec2:DescribeClientVpnTargetNetworks", "ec2:DescribeCoipPools", "ec2:DescribeCustomerGateways", "ec2:DescribeDhcpOptions", "ec2:DescribeEgressOnlyInternetGateways", "ec2:DescribeIamInstanceProfileAssociations", "ec2:DescribeIdentityIdFormat", "ec2:DescribeIdFormat", "ec2:DescribeImageAttribute", "ec2:DescribeImages", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeInstanceTypes", "ec2:DescribeInternetGateways", "ec2:DescribeIpv6Pools", "ec2:DescribeKeyPairs", "ec2:DescribeLaunchTemplates", "ec2:DescribeLocalGatewayRouteTables", "ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations", "ec2:DescribeLocalGatewayRouteTableVpcAssociations", "ec2:DescribeLocalGateways", "ec2:DescribeLocalGatewayVirtualInterfaceGroups", "ec2:DescribeLocalGatewayVirtualInterfaces", "ec2:DescribeManagedPrefixLists", "ec2:DescribeNatGateways", "ec2:DescribeNetworkAcls", "ec2:DescribeNetworkInsightsAnalyses", "ec2:DescribeNetworkInsightsPaths", "ec2:DescribeNetworkInterfaces", "ec2:DescribePlacementGroups", 
"ec2:DescribePrefixLists", "ec2:DescribePrincipalIdFormat", "ec2:DescribePublicIpv4Pools", "ec2:DescribeRegions", "ec2:DescribeReservedInstances", "ec2:DescribeRouteTables", "ec2:DescribeScheduledInstances", "ec2:DescribeSecurityGroupReferences", "ec2:DescribeSecurityGroupRules", "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshotAttribute", "ec2:DescribeSnapshots", "ec2:DescribeSpotFleetInstances", "ec2:DescribeStaleSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeTransitGatewayAttachments", "ec2:DescribeTransitGatewayConnectPeers", "ec2:DescribeTransitGatewayConnects", "ec2:DescribeTransitGatewayMulticastDomains", "ec2:DescribeTransitGatewayPeeringAttachments", "ec2:DescribeTransitGatewayRouteTables", "ec2:DescribeTransitGateways", "ec2:DescribeTransitGatewayVpcAttachments", "ec2:DescribeVolumeAttribute", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVolumeStatus", "ec2:DescribeVpcAttribute", "ec2:DescribeVpcClassicLink", "ec2:DescribeVpcClassicLinkDnsSupport", "ec2:DescribeVpcEndpointConnectionNotifications", "ec2:DescribeVpcEndpointConnections", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcEndpointServiceConfigurations", "ec2:DescribeVpcEndpointServicePermissions", "ec2:DescribeVpcEndpointServices", "ec2:DescribeVpcPeeringConnections", "ec2:DescribeVpcs", "ec2:DescribeVpnConnections", "ec2:DescribeVpnGateways", "ec2:GetAssociatedIpv6PoolCidrs", "ec2:GetConsoleOutput", "ec2:GetManagedPrefixListEntries", "ec2:GetSerialConsoleAccessStatus", "ec2:GetTransitGatewayAttachmentPropagations", "ec2:GetTransitGatewayMulticastDomainAssociations", "ec2:GetTransitGatewayPrefixListReferences", "ec2:GetTransitGatewayRouteTableAssociations", "ec2:GetTransitGatewayRouteTablePropagations", "ec2:ModifyInstanceAttribute", "ec2:RebootInstances", "ec2:RunInstances", "ec2:SearchLocalGatewayRoutes", "ec2:SearchTransitGatewayMulticastGroups", "ec2:SearchTransitGatewayRoutes", "ec2:StartInstances", "ec2:StartNetworkInsightsAnalysis", 
"ec2:StopInstances", "ec2:TerminateInstances", "elasticloadbalancing:ConfigureHealthCheck", "elasticloadbalancing:DescribeAccountLimits", "elasticloadbalancing:DescribeInstanceHealth", "elasticloadbalancing:DescribeListenerCertificates", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeLoadBalancerPolicyTypes", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeSSLPolicies", "elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeTargetGroupAttributes", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", "iam:GetRole", "iam:ListRoles", "route53:GetHostedZone", "route53:GetHostedZoneCount", "route53:ListHostedZones", "route53:ListHostedZonesByName", "route53:ListResourceRecordSets", "s3:GetBucketTagging", "s3:GetObjectAcl", "s3:GetObjectTagging", "s3:ListAllMyBuckets", "sts:DecodeAuthorizationMessage", "tiros:CreateQuery", "tiros:GetQueryAnswer", "tiros:GetQueryExplanation"], "Effect": "Allow", "Resource": "*"}, {"Action": ["s3:ListBucket"], "Effect": "Allow", "Resource": ["arn:aws:s3:::managed-velero*", "arn:aws:s3:::*image-registry*"]}, {"Action": ["kms:CreateGrant"], "Effect": "Allow", "Resource": "*", "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}, "StringLike": {"kms:ViaService": "ec2.*.amazonaws.com"}}}]} \ No newline at end of file diff --git a/roles/account_roles_create/files/classic/4.14/sts_installer_trust_policy.json b/roles/account_roles_create/files/classic/4.14/sts_installer_trust_policy.json deleted file mode 100644 index afcd8e0..0000000 --- a/roles/account_roles_create/files/classic/4.14/sts_installer_trust_policy.json +++ /dev/null 
@@ -1 +0,0 @@
-{"Version": "2012-10-17", "Statement": [{"Action": ["sts:AssumeRole"], "Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::710019948333:role/RH-Managed-OpenShift-Installer"]}}]}
\ No newline at end of file
diff --git a/roles/account_roles_create/files/classic/4.14/sts_instance_controlplane_permission_policy.json b/roles/account_roles_create/files/classic/4.14/sts_instance_controlplane_permission_policy.json
deleted file mode 100644
index a334aed..0000000
--- a/roles/account_roles_create/files/classic/4.14/sts_instance_controlplane_permission_policy.json
+++ /dev/null
@@ -1 +0,0 @@ -{"Version": "2012-10-17", "Statement": [{"Action": ["ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:Describe*", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", "ec2:ModifyVolume", "ec2:RevokeSecurityGroupIngress", "elasticloadbalancing:AddTags", "elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateLoadBalancerPolicy", "elasticloadbalancing:CreateLoadBalancerListeners", "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:ConfigureHealthCheck", "elasticloadbalancing:DeleteListener", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteLoadBalancerListeners", "elasticloadbalancing:DeleteTargetGroup", "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:Describe*", "elasticloadbalancing:DetachLoadBalancerFromSubnets", "elasticloadbalancing:ModifyListener", "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyTargetGroup", "elasticloadbalancing:ModifyTargetGroupAttributes", "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", "kms:DescribeKey"], "Effect": "Allow", "Resource": "*"}]} \ No newline at end of file diff --git a/roles/account_roles_create/files/classic/4.14/sts_instance_controlplane_trust_policy.json b/roles/account_roles_create/files/classic/4.14/sts_instance_controlplane_trust_policy.json deleted file mode 100644 index 721f1a4..0000000 --- a/roles/account_roles_create/files/classic/4.14/sts_instance_controlplane_trust_policy.json +++ /dev/null 
@@ -1 +0,0 @@
-{"Version": "2012-10-17", "Statement": [{"Action": ["sts:AssumeRole"], "Effect": "Allow", "Principal": {"Service": ["ec2.amazonaws.com"]}}]}
\ No newline at end of file
diff --git a/roles/account_roles_create/files/classic/4.14/sts_instance_worker_permission_policy.json b/roles/account_roles_create/files/classic/4.14/sts_instance_worker_permission_policy.json
deleted file mode 100644
index 1da32aa..0000000
--- a/roles/account_roles_create/files/classic/4.14/sts_instance_worker_permission_policy.json
+++ /dev/null
@@ -1 +0,0 @@
-{"Version": "2012-10-17", "Statement": [{"Action": ["ec2:DescribeInstances", "ec2:DescribeRegions"], "Effect": "Allow", "Resource": "*"}]}
\ No newline at end of file
diff --git a/roles/account_roles_create/files/classic/4.14/sts_instance_worker_trust_policy.json b/roles/account_roles_create/files/classic/4.14/sts_instance_worker_trust_policy.json
deleted file mode 100644
index 721f1a4..0000000
--- a/roles/account_roles_create/files/classic/4.14/sts_instance_worker_trust_policy.json
+++ /dev/null
@@ -1 +0,0 @@
-{"Version": "2012-10-17", "Statement": [{"Action": ["sts:AssumeRole"], "Effect": "Allow", "Principal": {"Service": ["ec2.amazonaws.com"]}}]}
\ No newline at end of file
diff --git a/roles/account_roles_create/files/classic/4.14/sts_support_trust_policy.json b/roles/account_roles_create/files/classic/4.14/sts_support_trust_policy.json
deleted file mode 100644
index e2a26c4..0000000
--- a/roles/account_roles_create/files/classic/4.14/sts_support_trust_policy.json
+++ /dev/null
@@ -1 +0,0 @@
-{"Version": "2012-10-17", "Statement": [{"Action": ["sts:AssumeRole"], "Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::710019948333:role/RH-Technical-Support-Access"]}}]}
\ No newline at end of file
diff --git a/roles/account_roles_create/files/hcp/4.14/sts_installer_trust_policy.json b/roles/account_roles_create/files/hcp/4.14/sts_installer_trust_policy.json
deleted file mode 100644
index afcd8e0..0000000
--- a/roles/account_roles_create/files/hcp/4.14/sts_installer_trust_policy.json
+++ /dev/null
@@ -1 +0,0 @@
-{"Version": "2012-10-17", "Statement": [{"Action": ["sts:AssumeRole"], "Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::710019948333:role/RH-Managed-OpenShift-Installer"]}}]}
\ No newline at end of file
diff --git a/roles/account_roles_create/files/hcp/4.14/sts_instance_worker_trust_policy.json b/roles/account_roles_create/files/hcp/4.14/sts_instance_worker_trust_policy.json
deleted file mode 100644
index 721f1a4..0000000
--- a/roles/account_roles_create/files/hcp/4.14/sts_instance_worker_trust_policy.json
+++ /dev/null
@@ -1 +0,0 @@
-{"Version": "2012-10-17", "Statement": [{"Action": ["sts:AssumeRole"], "Effect": "Allow", "Principal": {"Service": ["ec2.amazonaws.com"]}}]}
\ No newline at end of file
diff --git a/roles/account_roles_create/files/hcp/4.14/sts_support_trust_policy.json b/roles/account_roles_create/files/hcp/4.14/sts_support_trust_policy.json
deleted file mode 100644
index e2a26c4..0000000
--- a/roles/account_roles_create/files/hcp/4.14/sts_support_trust_policy.json
+++ /dev/null
@@ -1 +0,0 @@
-{"Version": "2012-10-17", "Statement": [{"Action": ["sts:AssumeRole"], "Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::710019948333:role/RH-Technical-Support-Access"]}}]}
\ No newline at end of file
diff --git a/roles/account_roles_create/tasks/classic.yml b/roles/account_roles_create/tasks/classic.yml
deleted file mode 100644
index a2374bb..0000000
--- a/roles/account_roles_create/tasks/classic.yml
+++ /dev/null
@@ -1,72 +0,0 @@ ---- -# tasks file for roles/account-roles - -- name: create support role - iam_role: - name: "{{ rosa_account_roles_prefix }}-Support-Role" - assume_role_policy_document: "{{ lookup('file',('classic',rosa_account_roles_version,'sts_support_trust_policy.json')|path_join) }}" - tags: - red-hat-managed: 'true' - rosa_role_type: support - rosa_openshift_version: "{{ rosa_account_roles_version }}" - rosa_role_prefix: "{{ rosa_account_roles_prefix }}" - -- name: create support policy - iam_policy: - iam_type: role - iam_name: "{{ rosa_account_roles_prefix }}-Support-Role" - policy_name: "{{ rosa_account_roles_prefix }}-Support-Role-Policy" - policy_json: "{{ lookup('file',('classic',rosa_account_roles_version,'sts_support_permission_policy.json')|path_join) }}" - -- name: create installer role - iam_role: - name: "{{ rosa_account_roles_prefix }}-Installer-Role" - assume_role_policy_document: "{{ lookup('file',('classic',rosa_account_roles_version,'sts_installer_trust_policy.json')|path_join) }}" - tags: - red-hat-managed: 'true' - rosa_role_type: installer - rosa_openshift_version: "{{ rosa_account_roles_version }}" - rosa_role_prefix: "{{ rosa_account_roles_prefix }}" - -- name: create installer policy - iam_policy: - iam_type: role - iam_name: "{{ rosa_account_roles_prefix }}-Installer-Role" - policy_name: "{{ rosa_account_roles_prefix }}-Installer-Role-Policy" - policy_json: "{{ lookup('file',('classic',rosa_account_roles_version,'sts_installer_permission_policy.json')|path_join) }}" - -- name: create controlplane role - iam_role: - name: "{{ rosa_account_roles_prefix }}-ControlPlane-Role" - assume_role_policy_document: "{{ lookup('file',('classic',rosa_account_roles_version,'sts_instance_controlplane_trust_policy.json')|path_join) }}" - tags: - red-hat-managed: 'true' - rosa_role_type: instance_controlplane - rosa_openshift_version: "{{ rosa_account_roles_version }}" - rosa_role_prefix: "{{ rosa_account_roles_prefix }}" - -- name: create 
controlplane policy - iam_policy: - iam_type: role - iam_name: "{{ rosa_account_roles_prefix }}-ControlPlane-Role" - policy_name: "{{ rosa_account_roles_prefix }}-ControlPlane-Role-Policy" - policy_json: "{{ lookup('file',('classic',rosa_account_roles_version,'sts_instance_controlplane_permission_policy.json')|path_join) }}" - -- name: create worker role - iam_role: - name: "{{ rosa_account_roles_prefix }}-Worker-Role" - assume_role_policy_document: "{{ lookup('file',('classic',rosa_account_roles_version,'sts_instance_worker_trust_policy.json')|path_join) }}" - tags: - red-hat-managed: 'true' - rosa_role_type: instance_worker - rosa_openshift_version: "{{ rosa_account_roles_version }}" - rosa_role_prefix: "{{ rosa_account_roles_prefix }}" - -- name: create worker policy - iam_policy: - iam_type: role - iam_name: "{{ rosa_account_roles_prefix }}-Worker-Role" - policy_name: "{{ rosa_account_roles_prefix }}-Worker-Role-Policy" - policy_json: "{{ lookup('file',('classic',rosa_account_roles_version,'sts_instance_worker_permission_policy.json')|path_join) }}" - -# - fail: diff --git a/roles/account_roles_create/tasks/main.yml b/roles/account_roles_create/tasks/main.yml index ba4f70e..8e53d13 100644 --- a/roles/account_roles_create/tasks/main.yml +++ b/roles/account_roles_create/tasks/main.yml @@ -1,5 +1,15 @@ -- include_tasks: classic.yml - when: not rosa_hosted_cp | default('False') | bool +--- +- pause: + seconds: 5 + prompt: | + the rh_mobb {{ role_name }} role is being deprecated for the + more modular rh_mobb rosa_account_roles role. Consider switching. -- include_tasks: hcp.yml - when: rosa_hosted_cp | default('False') | bool +- include_role: + name: rosa_account_roles + vars: + state: present + rosa_account_roles: + hosted_cp: "{{ rosa_hosted_cp }}" + version: "{{ rosa_account_roles_version }}" + prefix: "{{ rosa_account_roles_prefix }}" 
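Review bot: `hosted_cp: "{{ rosa_hosted_cp }}"` in the new include_role drops the `default('False') | bool` that the removed include_tasks conditions applied, so a play that never defines `rosa_hosted_cp` now aborts on an undefined variable instead of defaulting to classic account roles as before. Restoring the default keeps the old behaviour: `hosted_cp: "{{ rosa_hosted_cp | default(false) | bool }}"`. The `pause` with `seconds: 5` also adds a fixed five-second delay to every non-interactive run of this deprecated wrapper; a `debug` task carrying the same deprecation message would warn without slowing CI.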
diff --git a/roles/account_roles_delete/files/4.12/sts_installer_permission_policy.json b/roles/account_roles_delete/files/4.12/sts_installer_permission_policy.json
deleted file mode 100644
index 7b0e8ef..0000000
--- a/roles/account_roles_delete/files/4.12/sts_installer_permission_policy.json
+++ /dev/null
@@ -1 +0,0 @@ -{"Version": "2012-10-17", "Statement": [{"Action": ["autoscaling:DescribeAutoScalingGroups", "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:AssociateDhcpOptions", "ec2:AssociateRouteTable", "ec2:AttachInternetGateway", "ec2:AttachNetworkInterface", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CopyImage", "ec2:CreateDhcpOptions", "ec2:CreateInternetGateway", "ec2:CreateNatGateway", "ec2:CreateNetworkInterface", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:CreateSecurityGroup", "ec2:CreateSubnet", "ec2:CreateTags", "ec2:CreateVolume", "ec2:CreateVpc", "ec2:CreateVpcEndpoint", "ec2:DeleteDhcpOptions", "ec2:DeleteInternetGateway", "ec2:DeleteNatGateway", "ec2:DeleteNetworkInterface", "ec2:DeleteRoute", "ec2:DeleteRouteTable", "ec2:DeleteSecurityGroup", "ec2:DeleteSnapshot", "ec2:DeleteSubnet", "ec2:DeleteTags", "ec2:DeleteVolume", "ec2:DeleteVpc", "ec2:DeleteVpcEndpoints", "ec2:DeregisterImage", "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", "ec2:DescribeAvailabilityZones", "ec2:DescribeDhcpOptions", "ec2:DescribeImages", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceCreditSpecifications", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeInstanceTypes", "ec2:DescribeInternetGateways", "ec2:DescribeKeyPairs", "ec2:DescribeNatGateways", "ec2:DescribeNetworkAcls", "ec2:DescribeNetworkInterfaces", "ec2:DescribePrefixLists", "ec2:DescribeRegions", "ec2:DescribeReservedInstancesOfferings", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSecurityGroupRules", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVpcAttribute", "ec2:DescribeVpcClassicLink", "ec2:DescribeVpcClassicLinkDnsSupport", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs", "ec2:DetachInternetGateway", "ec2:DisassociateRouteTable", "ec2:GetConsoleOutput", "ec2:GetEbsDefaultKmsKeyId", "ec2:ModifyInstanceAttribute", 
"ec2:ModifyNetworkInterfaceAttribute", "ec2:ModifySubnetAttribute", "ec2:ModifyVpcAttribute", "ec2:ReleaseAddress", "ec2:ReplaceRouteTableAssociation", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress", "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:ConfigureHealthCheck", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateLoadBalancerListeners", "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteTargetGroup", "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeInstanceHealth", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeTargetGroupAttributes", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyTargetGroup", "elasticloadbalancing:ModifyTargetGroupAttributes", "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", "iam:AddRoleToInstanceProfile", "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile", "iam:GetInstanceProfile", "iam:TagInstanceProfile", "iam:GetRole", "iam:GetRolePolicy", "iam:GetUser", "iam:ListAttachedRolePolicies", "iam:ListInstanceProfiles", "iam:ListInstanceProfilesForRole", "iam:ListRolePolicies", "iam:ListRoles", "iam:ListUserPolicies", "iam:ListUsers", "iam:PassRole", "iam:RemoveRoleFromInstanceProfile", "iam:SimulatePrincipalPolicy", 
"iam:TagRole", "iam:UntagRole", "route53:ChangeResourceRecordSets", "route53:ChangeTagsForResource", "route53:CreateHostedZone", "route53:DeleteHostedZone", "route53:GetAccountLimit", "route53:GetChange", "route53:GetHostedZone", "route53:ListHostedZones", "route53:ListHostedZonesByName", "route53:ListResourceRecordSets", "route53:ListTagsForResource", "route53:UpdateHostedZoneComment", "s3:CreateBucket", "s3:DeleteBucket", "s3:DeleteObject", "s3:GetAccelerateConfiguration", "s3:GetBucketAcl", "s3:GetBucketCORS", "s3:GetBucketLocation", "s3:GetBucketLogging", "s3:GetBucketObjectLockConfiguration", "s3:GetBucketPolicy", "s3:GetBucketReplication", "s3:GetBucketRequestPayment", "s3:GetBucketTagging", "s3:GetBucketVersioning", "s3:GetBucketWebsite", "s3:GetEncryptionConfiguration", "s3:GetLifecycleConfiguration", "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectTagging", "s3:GetObjectVersion", "s3:GetReplicationConfiguration", "s3:ListBucket", "s3:ListBucketVersions", "s3:PutBucketAcl", "s3:PutBucketTagging", "s3:PutEncryptionConfiguration", "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectTagging", "servicequotas:GetServiceQuota", "servicequotas:ListAWSDefaultServiceQuotas", "sts:AssumeRole", "sts:AssumeRoleWithWebIdentity", "sts:GetCallerIdentity", "tag:GetResources", "tag:UntagResources", "ec2:CreateVpcEndpointServiceConfiguration", "ec2:DeleteVpcEndpointServiceConfigurations", "ec2:DescribeVpcEndpointServiceConfigurations", "ec2:DescribeVpcEndpointServicePermissions", "ec2:DescribeVpcEndpointServices", "ec2:ModifyVpcEndpointServicePermissions", "kms:DescribeKey", "cloudwatch:GetMetricData"], "Effect": "Allow", "Resource": "*"}, {"Action": ["secretsmanager:GetSecretValue"], "Effect": "Allow", "Resource": "*", "Condition": {"StringEquals": {"aws:ResourceTag/red-hat-managed": "true"}}}]} \ No newline at end of file 
diff --git a/roles/account_roles_delete/files/4.12/sts_installer_trust_policy.json b/roles/account_roles_delete/files/4.12/sts_installer_trust_policy.json
deleted file mode 100644
index afcd8e0..0000000
--- a/roles/account_roles_delete/files/4.12/sts_installer_trust_policy.json
+++ /dev/null
@@ -1 +0,0 @@
-{"Version": "2012-10-17", "Statement": [{"Action": ["sts:AssumeRole"], "Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::710019948333:role/RH-Managed-OpenShift-Installer"]}}]}
\ No newline at end of file
diff --git a/roles/account_roles_delete/files/4.12/sts_instance_controlplane_permission_policy.json b/roles/account_roles_delete/files/4.12/sts_instance_controlplane_permission_policy.json
deleted file mode 100644
index a334aed..0000000
--- a/roles/account_roles_delete/files/4.12/sts_instance_controlplane_permission_policy.json
+++ /dev/null
@@ -1 +0,0 @@ -{"Version": "2012-10-17", "Statement": [{"Action": ["ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:Describe*", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", "ec2:ModifyVolume", "ec2:RevokeSecurityGroupIngress", "elasticloadbalancing:AddTags", "elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateLoadBalancerPolicy", "elasticloadbalancing:CreateLoadBalancerListeners", "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:ConfigureHealthCheck", "elasticloadbalancing:DeleteListener", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteLoadBalancerListeners", "elasticloadbalancing:DeleteTargetGroup", "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:Describe*", "elasticloadbalancing:DetachLoadBalancerFromSubnets", "elasticloadbalancing:ModifyListener", "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyTargetGroup", "elasticloadbalancing:ModifyTargetGroupAttributes", "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", "kms:DescribeKey"], "Effect": "Allow", "Resource": "*"}]} \ No newline at end of file diff --git a/roles/account_roles_delete/files/4.12/sts_instance_controlplane_trust_policy.json b/roles/account_roles_delete/files/4.12/sts_instance_controlplane_trust_policy.json deleted file mode 100644 index 721f1a4..0000000 --- a/roles/account_roles_delete/files/4.12/sts_instance_controlplane_trust_policy.json +++ /dev/null 
@@ -1 +0,0 @@
-{"Version": "2012-10-17", "Statement": [{"Action": ["sts:AssumeRole"], "Effect": "Allow", "Principal": {"Service": ["ec2.amazonaws.com"]}}]}
\ No newline at end of file
diff --git a/roles/account_roles_delete/files/4.12/sts_instance_worker_permission_policy.json b/roles/account_roles_delete/files/4.12/sts_instance_worker_permission_policy.json
deleted file mode 100644
index 1da32aa..0000000
--- a/roles/account_roles_delete/files/4.12/sts_instance_worker_permission_policy.json
+++ /dev/null
@@ -1 +0,0 @@
-{"Version": "2012-10-17", "Statement": [{"Action": ["ec2:DescribeInstances", "ec2:DescribeRegions"], "Effect": "Allow", "Resource": "*"}]}
\ No newline at end of file
diff --git a/roles/account_roles_delete/files/4.12/sts_instance_worker_trust_policy.json b/roles/account_roles_delete/files/4.12/sts_instance_worker_trust_policy.json
deleted file mode 100644
index 721f1a4..0000000
--- a/roles/account_roles_delete/files/4.12/sts_instance_worker_trust_policy.json
+++ /dev/null
@@ -1 +0,0 @@
-{"Version": "2012-10-17", "Statement": [{"Action": ["sts:AssumeRole"], "Effect": "Allow", "Principal": {"Service": ["ec2.amazonaws.com"]}}]}
\ No newline at end of file
diff --git a/roles/account_roles_delete/files/4.12/sts_support_permission_policy.json b/roles/account_roles_delete/files/4.12/sts_support_permission_policy.json
deleted file mode 100644
index c1ecf07..0000000
--- a/roles/account_roles_delete/files/4.12/sts_support_permission_policy.json
+++ /dev/null
@@ -1 +0,0 @@ -{"Version": "2012-10-17", "Statement": [{"Action": ["cloudtrail:DescribeTrails", "cloudtrail:LookupEvents", "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "ec2-instance-connect:SendSerialConsoleSSHPublicKey", "ec2:CopySnapshot", "ec2:CreateNetworkInsightsPath", "ec2:CreateSnapshot", "ec2:CreateSnapshots", "ec2:CreateTags", "ec2:DeleteNetworkInsightsAnalysis", "ec2:DeleteNetworkInsightsPath", "ec2:DeleteTags", "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", "ec2:DescribeAddressesAttribute", "ec2:DescribeAggregateIdFormat", "ec2:DescribeAvailabilityZones", "ec2:DescribeByoipCidrs", "ec2:DescribeCapacityReservations", "ec2:DescribeCarrierGateways", "ec2:DescribeClassicLinkInstances", "ec2:DescribeClientVpnAuthorizationRules", "ec2:DescribeClientVpnConnections", "ec2:DescribeClientVpnEndpoints", "ec2:DescribeClientVpnRoutes", "ec2:DescribeClientVpnTargetNetworks", "ec2:DescribeCoipPools", "ec2:DescribeCustomerGateways", "ec2:DescribeDhcpOptions", "ec2:DescribeEgressOnlyInternetGateways", "ec2:DescribeIamInstanceProfileAssociations", "ec2:DescribeIdentityIdFormat", "ec2:DescribeIdFormat", "ec2:DescribeImageAttribute", "ec2:DescribeImages", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeInstanceTypes", "ec2:DescribeInternetGateways", "ec2:DescribeIpv6Pools", "ec2:DescribeKeyPairs", "ec2:DescribeLaunchTemplates", "ec2:DescribeLocalGatewayRouteTables", "ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations", "ec2:DescribeLocalGatewayRouteTableVpcAssociations", "ec2:DescribeLocalGateways", "ec2:DescribeLocalGatewayVirtualInterfaceGroups", "ec2:DescribeLocalGatewayVirtualInterfaces", "ec2:DescribeManagedPrefixLists", "ec2:DescribeNatGateways", "ec2:DescribeNetworkAcls", "ec2:DescribeNetworkInsightsAnalyses", "ec2:DescribeNetworkInsightsPaths", "ec2:DescribeNetworkInterfaces", "ec2:DescribePlacementGroups", 
"ec2:DescribePrefixLists", "ec2:DescribePrincipalIdFormat", "ec2:DescribePublicIpv4Pools", "ec2:DescribeRegions", "ec2:DescribeReservedInstances", "ec2:DescribeRouteTables", "ec2:DescribeScheduledInstances", "ec2:DescribeSecurityGroupReferences", "ec2:DescribeSecurityGroupRules", "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshotAttribute", "ec2:DescribeSnapshots", "ec2:DescribeSpotFleetInstances", "ec2:DescribeStaleSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeTransitGatewayAttachments", "ec2:DescribeTransitGatewayConnectPeers", "ec2:DescribeTransitGatewayConnects", "ec2:DescribeTransitGatewayMulticastDomains", "ec2:DescribeTransitGatewayPeeringAttachments", "ec2:DescribeTransitGatewayRouteTables", "ec2:DescribeTransitGateways", "ec2:DescribeTransitGatewayVpcAttachments", "ec2:DescribeVolumeAttribute", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVolumeStatus", "ec2:DescribeVpcAttribute", "ec2:DescribeVpcClassicLink", "ec2:DescribeVpcClassicLinkDnsSupport", "ec2:DescribeVpcEndpointConnectionNotifications", "ec2:DescribeVpcEndpointConnections", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcEndpointServiceConfigurations", "ec2:DescribeVpcEndpointServicePermissions", "ec2:DescribeVpcEndpointServices", "ec2:DescribeVpcPeeringConnections", "ec2:DescribeVpcs", "ec2:DescribeVpnConnections", "ec2:DescribeVpnGateways", "ec2:GetAssociatedIpv6PoolCidrs", "ec2:GetConsoleOutput", "ec2:GetManagedPrefixListEntries", "ec2:GetSerialConsoleAccessStatus", "ec2:GetTransitGatewayAttachmentPropagations", "ec2:GetTransitGatewayMulticastDomainAssociations", "ec2:GetTransitGatewayPrefixListReferences", "ec2:GetTransitGatewayRouteTableAssociations", "ec2:GetTransitGatewayRouteTablePropagations", "ec2:ModifyInstanceAttribute", "ec2:RebootInstances", "ec2:RunInstances", "ec2:SearchLocalGatewayRoutes", "ec2:SearchTransitGatewayMulticastGroups", "ec2:SearchTransitGatewayRoutes", "ec2:StartInstances", "ec2:StartNetworkInsightsAnalysis", 
"ec2:StopInstances", "ec2:TerminateInstances", "elasticloadbalancing:ConfigureHealthCheck", "elasticloadbalancing:DescribeAccountLimits", "elasticloadbalancing:DescribeInstanceHealth", "elasticloadbalancing:DescribeListenerCertificates", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeLoadBalancerPolicyTypes", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeSSLPolicies", "elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeTargetGroupAttributes", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", "iam:GetRole", "iam:ListRoles", "route53:GetHostedZone", "route53:GetHostedZoneCount", "route53:ListHostedZones", "route53:ListHostedZonesByName", "route53:ListResourceRecordSets", "s3:GetBucketTagging", "s3:GetObjectAcl", "s3:GetObjectTagging", "s3:ListAllMyBuckets", "sts:DecodeAuthorizationMessage", "tiros:CreateQuery", "tiros:GetQueryAnswer", "tiros:GetQueryExplanation"], "Effect": "Allow", "Resource": "*"}, {"Action": ["s3:ListBucket"], "Effect": "Allow", "Resource": ["arn:aws:s3:::managed-velero*", "arn:aws:s3:::*image-registry*"]}, {"Action": ["kms:CreateGrant"], "Effect": "Allow", "Resource": "*", "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}, "StringLike": {"kms:ViaService": "ec2.*.amazonaws.com"}}}]} \ No newline at end of file diff --git a/roles/account_roles_delete/files/4.12/sts_support_trust_policy.json b/roles/account_roles_delete/files/4.12/sts_support_trust_policy.json deleted file mode 100644 index e2a26c4..0000000 --- a/roles/account_roles_delete/files/4.12/sts_support_trust_policy.json +++ /dev/null 
@@ -1 +0,0 @@ -{"Version": "2012-10-17", "Statement": [{"Action": ["sts:AssumeRole"], "Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::710019948333:role/RH-Technical-Support-Access"]}}]} \ No newline at end of file diff --git a/roles/account_roles_delete/tasks/hcp.yml b/roles/account_roles_delete/tasks/hcp.yml deleted file mode 100644 index 1a47e41..0000000 --- a/roles/account_roles_delete/tasks/hcp.yml +++ /dev/null @@ -1,17 +0,0 @@ -- set_fact: - _rosa_account_roles_prefix: "{{ rosa_account_roles_prefix }}-HCP" - -- name: delete HCP Worker role - iam_role: - name: "{{ _rosa_account_roles_prefix }}-ROSA-Worker-Role" - state: absent - -- name: delete HCP Installer role - iam_role: - name: "{{ _rosa_account_roles_prefix }}-ROSA-Installer-Role" - state: absent - -- name: delete HCP Support role - iam_role: - name: "{{ _rosa_account_roles_prefix }}-ROSA-Support-Role" - state: absent diff --git a/roles/account_roles_delete/tasks/main.yml b/roles/account_roles_delete/tasks/main.yml index 545bc44..dede7ac 100644 --- a/roles/account_roles_delete/tasks/main.yml +++ b/roles/account_roles_delete/tasks/main.yml @@ -1,13 +1,15 @@ --- -# tasks file for roles/account-roles +- pause: + seconds: 5 + prompt: | + the rh_mobb {{ role_name }} role is being deprecated for the + more modular rh_mobb rosa_account_roles role. Consider switching. -- set_fact: - _ocp_version: "{{ rosa_version | regex_search('^[0-9]+\\.[0-9]+') }}" - -- when: rosa_account_roles_prefix != "ManagedOpenShift" - block: - - include_tasks: classic.yml - when: not rosa_hosted_cp | default('False') | bool - - - include_tasks: hcp.yml - when: rosa_hosted_cp | default('False') | bool +- include_role: + name: rosa_account_roles + vars: + state: absent + rosa_account_roles: + hosted_cp: "{{ rosa_hosted_cp }}" + version: "{{ rosa_account_roles_version }}" + prefix: "{{ rosa_account_roles_prefix }}" diff --git a/roles/cluster_create/tasks/main.yml b/roles/cluster_create/tasks/main.yml index 4ba8cd0..9afef19 100644 
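Review bot: The `when: rosa_account_roles_prefix != "ManagedOpenShift"` guard that wrapped the removed classic.yml/hcp.yml includes is not carried over to the new `include_role` with `state: absent`, so a run that leaves the prefix at the ROSA default would now try to delete the account-wide `ManagedOpenShift-*` IAM roles that every other cluster in the AWS account depends on — unless the rosa_account_roles role enforces that check itself, which this diff does not show. Reinstating it on the include keeps the safety net either way: `when: rosa_account_roles_prefix != "ManagedOpenShift"`. As in the create wrapper, `hosted_cp: "{{ rosa_hosted_cp }}"` also lost the `default('False') | bool` the removed conditions applied, and the version now comes from `rosa_account_roles_version` rather than the `_ocp_version` previously derived from `rosa_version`, so callers that only set `rosa_version` should be checked.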
--- a/roles/cluster_create/tasks/main.yml
+++ b/roles/cluster_create/tasks/main.yml
@@ -1,176 +1,214 @@ --- -- name: what cluster am i creating? - debug: - msg: | - *************************************** - Preparing to create {{ cluster_name }}. - This task may take up to an hour. - *************************************** - - verbosity: 0 - -# do this better ... maybe better set during vpc creation and inherited. -- when: rosa_subnet_ids | length == 0 - block: - - name: figure out list of subnets - set_fact: - _private_subnet_ids: "{{ _private_subnets.results | default([]) | json_query('[*].subnet.id') }}" - _public_subnet_ids: "{{ _public_subnets.results | default([]) | json_query('[*].subnet.id') }}" - when: - - _private_subnets is defined or _public_subnets is defined - - name: set subnet_ids when private-link cluster - set_fact: - rosa_subnet_ids: "{{ _private_subnet_ids }}" - when: (rosa_private_link | bool) - - name: set subnet_ids when public or private cluster - set_fact: - rosa_subnet_ids: "{{ _private_subnet_ids + _public_subnet_ids }}" - when: (not rosa_private_link | bool) - -- name: check if cluster exists - ocm_cluster_info: - name: "{{ cluster_name }}" - register: _cluster_info - -- name: configure proxy settings - set_fact: - rosa_http_proxy: "http://{{ proxy_private_ip }}:3128" - rosa_https_proxy: "http://{{ proxy_private_ip }}:3128" - rosa_additional_trust_bundle_file: "roles/proxy_create/files/squid-ca-cert.pem" - rosa_no_proxy: ".s3.{{ rosa_region }}.amazonaws.com" - when: proxy_enabled | bool - -- when: _cluster_info.cluster == {} - block: - # - set_fact: - # _installer_role_arn: "arn:aws:iam::{{ aws_account_id }}:role/{{ rosa_account_roles_prefix }}-Installer-Role" - - - name: create oidc config - ocm_oidc_config: - state: present - register: _oidc_config - when: rosa_hosted_cp | default(False) | bool - - - set_fact: - _oidc_id: "{{ _oidc_config.oidc_config.id }}" - when: rosa_hosted_cp | default(False) | bool - - # HCP roles - - set_fact: - _role_arn: "arn:aws:iam::{{ aws_account_id }}:role/{{ rosa_account_roles_prefix 
}}-HCP-ROSA-Installer-Role" - _support_role_arn: "arn:aws:iam::{{ aws_account_id }}:role/{{ rosa_account_roles_prefix }}-HCP-ROSA-Support-Role" - _worker_iam_role: "arn:aws:iam::{{ aws_account_id }}:role/{{ rosa_account_roles_prefix }}-HCP-ROSA-Worker-Role" - when: rosa_hosted_cp | default(False) | bool - - # Classic roles - - set_fact: - _role_arn: "arn:aws:iam::{{ aws_account_id }}:role/{{ rosa_account_roles_prefix }}-Installer-Role" - _support_role_arn: "arn:aws:iam::{{ aws_account_id }}:role/{{ rosa_account_roles_prefix }}-Support-Role" - _controlplane_iam_role: "arn:aws:iam::{{ aws_account_id }}:role/{{ rosa_account_roles_prefix }}-ControlPlane-Role" - _worker_iam_role: "arn:aws:iam::{{ aws_account_id }}:role/{{ rosa_account_roles_prefix }}-Worker-Role" - when: not rosa_hosted_cp | default(False) | bool - - - name: create cluster - ocm_cluster: - # state: dry-run - name: "{{ cluster_name }}" - region: "{{ rosa_region }}" - private: "{{ rosa_private }}" - private_link: "{{ rosa_private_link }}" - sts: "{{ rosa_sts }}" - aws_account_id: "{{ aws_account_id | default(omit) }}" - machine_cidr: "{{ rosa_vpc_cidr }}" - multi_az: "{{ rosa_multi_az | bool }}" - subnet_ids: "{{ rosa_subnet_ids | join(',') }}" - version: "{{ rosa_version | default(omit) }}" - hosted_cp: "{{ rosa_hosted_cp | default(omit) }}" - oidc_config_id: "{{ _oidc_id | default(omit) }}" - http_proxy: "{{ rosa_http_proxy | default(omit) }}" - https_proxy: "{{ rosa_https_proxy | default(omit) }}" - no_proxy: "{{ rosa_no_proxy | default(omit) }}" - additional_trust_bundle_file: "{{ rosa_additional_trust_bundle_file | default(omit) }}" - disable_workload_monitoring: "{{ rosa_disable_workload_monitoring | bool }}" - min_replicas: "{{ rosa_min_replicas | default(omit) }}" - max_replicas: "{{ rosa_max_replicas | default(omit) }}" - compute_nodes: "{{ rosa_compute_nodes | default(omit) }}" - compute_machine_type: "{{ rosa_compute_machine_type | default(omit) }}" - role_arn: "{{ _role_arn }}" - 
support_role_arn: "{{ _support_role_arn }}" - controlplane_iam_role: "{{ _controlplane_iam_role | default(omit) }}" - worker_iam_role: "{{ _worker_iam_role }}" - operator_roles_prefix: "{{ cluster_name }}" - kms_key_arn: "{{ rosa_kms_key_arn | default(None) }}" - tags: "{{ extra_tags }}" - register: _rosa_cluster - -- debug: - msg: "debug rosa" -- debug: - var: _rosa_cluster - -- name: get info about the cluster - ocm_cluster_info: - name: "{{ cluster_name }}" - register: _cluster_info - -- when: - - rosa_sts | bool - - _cluster_info.cluster.state == 'waiting' - block: - - include_role: - name: operator_roles_create - vars: - cluster_id: "{{ _cluster_info.cluster.id }}" - oidc_endpoint_url: "{{ _cluster_info.cluster.aws.sts.oidc_endpoint_url }}" - oidc_id: "{{ _oidc_id | default(omit) }}" - when: rosa_sts | bool - - - include_role: - name: kms_create - when: - - rosa_kms_key_arn != "" - - rosa_kms_key_arn != None - - rosa_sts | bool - - - debug: - msg: | - ******************************************* - * Waiting for cluster to start installing * - ******************************************* - - - name: waiting for cluster to start installing - ocm_cluster_info: - name: "{{ cluster_name }}" - register: _cluster_info - until: _cluster_info.cluster.state in ["installing","error"] - retries: 10 - delay: 60 - no_log: true - -- when: rosa_wait | bool - block: - - debug: - msg: | - *********************************** - * Waiting for cluster to be ready * - *********************************** - - You can watch progress logs by running: - $ rosa logs -c {{ cluster_name }} install -w - - - name: wait for cluster to be ready - ocm_cluster_info: - name: "{{ cluster_name }}" - register: _cluster_info - until: _cluster_info.cluster.state in ["ready","error"] - retries: 120 - delay: 60 - no_log: true - -- fail: - msg: | - ***************************************** - Cluster Install Failed - {{ _cluster_info.cluster | to_nice_yaml }} - ***************************************** - 
when: _cluster_info.cluster.state == 'error' +- pause: + seconds: 5 + prompt: | + the rh_mobb {{ role_name }} role is being deprecated for the + more modular rh_mobb rosa_cluster role. Consider switching. + +# - set_fact: +# http_proxy: "{{ proxy_enabled | default(False) | bool | ternary('http://'+ (proxy_private_ip|default('')) +':3128', omit) }}" +# https_proxy: "{{ proxy_enabled | default(False) | bool | ternary('http://'+ (proxy_private_ip|default('')) +':3128', omit) }}" +# additional_trust_bundle_file: "{{ proxy_enabled | default(False) | bool | ternary('roles/proxy_create/files/squid-ca-cert.pem', omit) }}" # "roles/proxy_create/files/squid-ca-cert.pem" + +# - fail: + +- include_role: + name: rosa_cluster + vars: + state: present + rosa_cluster: + name: "{{ cluster_name }}" + aws_account_id: "{{ aws_account_id }}" + account_roles_prefix: "{{ rosa_account_roles_prefix }}" + region: "{{ rosa_region }}" + private_link: "{{ rosa_private_link }}" + vpc_cidr: "{{ rosa_vpc_cidr }}" + multi_az: "{{ rosa_multi_az }}" + version: "{{ rosa_version }}" + hosted_cp: "{{ rosa_hosted_cp }}" + min_replicas: "{{ rosa_min_replicas | default(omit) }}" + max_replicas: "{{ rosa_max_replicas | default(omit) }}" + compute_nodes: "{{ rosa_compute_nodes | default(rosa_multi_az | ternary('3', '2')) }}" + compute_machine_type: "{{ rosa_compute_machine_type | default('m5.xlarge') }}" + kms_key_arn: "{{ rosa_kms_key_arn | default(omit) }}" + tags: "{{ extra_tags }}" + http_proxy: "{{ proxy_enabled | default(False) | bool | ternary('http://'+ (proxy_private_ip|default('')) +':3128', omit) }}" + https_proxy: "{{ proxy_enabled | default(False) | bool | ternary('http://'+ (proxy_private_ip|default('')) +':3128', omit) }}" + additional_trust_bundle_file: "{{ proxy_enabled | default(False) | bool | ternary('roles/proxy_create/files/squid-ca-cert.pem', omit) }}" # "roles/proxy_create/files/squid-ca-cert.pem" + no_proxy: "{{ proxy_enabled | default(False) | bool | ternary(rosa_no_proxy,omit) }}" 
+# --- +# - name: what cluster am i creating? +# debug: +# msg: | +# *************************************** +# Preparing to create {{ cluster_name }}. +# This task may take up to an hour. +# *************************************** + +# verbosity: 0 + +# # do this better ... maybe better set during vpc creation and inherited. +# - when: rosa_subnet_ids | length == 0 +# block: +# - name: figure out list of subnets +# set_fact: +# _private_subnet_ids: "{{ _private_subnets.results | default([]) | json_query('[*].subnet.id') }}" +# _public_subnet_ids: "{{ _public_subnets.results | default([]) | json_query('[*].subnet.id') }}" +# when: +# - _private_subnets is defined or _public_subnets is defined +# - name: set subnet_ids when private-link cluster +# set_fact: +# rosa_subnet_ids: "{{ _private_subnet_ids }}" +# when: (rosa_private_link | bool) +# - name: set subnet_ids when public or private cluster +# set_fact: +# rosa_subnet_ids: "{{ _private_subnet_ids + _public_subnet_ids }}" +# when: (not rosa_private_link | bool) + +# - name: check if cluster exists +# ocm_cluster_info: +# name: "{{ cluster_name }}" +# register: _cluster_info + +# - name: configure proxy settings +# set_fact: +# rosa_http_proxy: "http://{{ proxy_private_ip }}:3128" +# rosa_https_proxy: "http://{{ proxy_private_ip }}:3128" +# rosa_additional_trust_bundle_file: "roles/proxy_create/files/squid-ca-cert.pem" +# rosa_no_proxy: ".s3.{{ rosa_region }}.amazonaws.com" +# when: proxy_enabled | bool + +# - when: _cluster_info.cluster == {} +# block: +# # - set_fact: +# # _installer_role_arn: "arn:aws:iam::{{ aws_account_id }}:role/{{ rosa_cluster_prefix }}-Installer-Role" + +# - name: create oidc config +# ocm_oidc_config: +# state: present +# register: _oidc_config +# when: rosa_hosted_cp | default(False) | bool + +# - set_fact: +# _oidc_id: "{{ _oidc_config.oidc_config.id }}" +# when: rosa_hosted_cp | default(False) | bool + +# # HCP roles +# - set_fact: +# _role_arn: "arn:aws:iam::{{ aws_account_id 
}}:role/{{ rosa_cluster_prefix }}-Installer-Role" +# _support_role_arn: "arn:aws:iam::{{ aws_account_id }}:role/{{ rosa_cluster_prefix }}-Support-Role" +# _worker_iam_role: "arn:aws:iam::{{ aws_account_id }}:role/{{ rosa_cluster_prefix }}-Worker-Role" +# when: rosa_hosted_cp | default(False) | bool + +# # Classic roles +# - set_fact: +# _role_arn: "arn:aws:iam::{{ aws_account_id }}:role/{{ rosa_cluster_prefix }}-Installer-Role" +# _support_role_arn: "arn:aws:iam::{{ aws_account_id }}:role/{{ rosa_cluster_prefix }}-Support-Role" +# _controlplane_iam_role: "arn:aws:iam::{{ aws_account_id }}:role/{{ rosa_cluster_prefix }}-ControlPlane-Role" +# _worker_iam_role: "arn:aws:iam::{{ aws_account_id }}:role/{{ rosa_cluster_prefix }}-Worker-Role" +# when: not rosa_hosted_cp | default(False) | bool + +# - name: create cluster +# ocm_cluster: +# # state: dry-run +# name: "{{ cluster_name }}" +# region: "{{ rosa_region }}" +# private: "{{ rosa_private }}" +# private_link: "{{ rosa_private_link }}" +# sts: "{{ rosa_sts }}" +# aws_account_id: "{{ aws_account_id | default(omit) }}" +# machine_cidr: "{{ rosa_vpc_cidr }}" +# multi_az: "{{ rosa_multi_az | bool }}" +# subnet_ids: "{{ rosa_subnet_ids | join(',') }}" +# version: "{{ rosa_version | default(omit) }}" +# hosted_cp: "{{ rosa_hosted_cp | default(omit) }}" +# oidc_config_id: "{{ _oidc_id | default(omit) }}" +# http_proxy: "{{ rosa_http_proxy | default(omit) }}" +# https_proxy: "{{ rosa_https_proxy | default(omit) }}" +# no_proxy: "{{ rosa_no_proxy | default(omit) }}" +# additional_trust_bundle_file: "{{ rosa_additional_trust_bundle_file | default(omit) }}" +# disable_workload_monitoring: "{{ rosa_disable_workload_monitoring | bool }}" +# min_replicas: "{{ rosa_min_replicas | default(omit) }}" +# max_replicas: "{{ rosa_max_replicas | default(omit) }}" +# compute_nodes: "{{ rosa_compute_nodes | default(omit) }}" +# compute_machine_type: "{{ rosa_compute_machine_type | default(omit) }}" +# role_arn: "{{ _role_arn }}" +# 
support_role_arn: "{{ _support_role_arn }}" +# controlplane_iam_role: "{{ _controlplane_iam_role | default(omit) }}" +# worker_iam_role: "{{ _worker_iam_role }}" +# operator_roles_prefix: "{{ cluster_name }}" +# kms_key_arn: "{{ rosa_kms_key_arn | default(None) }}" +# tags: "{{ extra_tags }}" +# register: _rosa_cluster + +# - debug: +# msg: "debug rosa" +# - debug: +# var: _rosa_cluster + +# - name: get info about the cluster +# ocm_cluster_info: +# name: "{{ cluster_name }}" +# register: _cluster_info + +# - when: +# - rosa_sts | bool +# - _cluster_info.cluster.state == 'waiting' +# block: +# - include_role: +# name: operator_roles_create +# vars: +# cluster_id: "{{ _cluster_info.cluster.id }}" +# oidc_endpoint_url: "{{ _cluster_info.cluster.aws.sts.oidc_endpoint_url }}" +# oidc_id: "{{ _oidc_id | default(omit) }}" +# when: rosa_sts | bool + +# - include_role: +# name: kms_create +# when: +# - rosa_kms_key_arn != "" +# - rosa_kms_key_arn != None +# - rosa_sts | bool + +# - debug: +# msg: | +# ******************************************* +# * Waiting for cluster to start installing * +# ******************************************* + +# - name: waiting for cluster to start installing +# ocm_cluster_info: +# name: "{{ cluster_name }}" +# register: _cluster_info +# until: _cluster_info.cluster.state in ["installing","error"] +# retries: 10 +# delay: 60 +# no_log: true + +# - when: rosa_wait | bool +# block: +# - debug: +# msg: | +# *********************************** +# * Waiting for cluster to be ready * +# *********************************** + +# You can watch progress logs by running: +# $ rosa logs -c {{ cluster_name }} install -w + +# - name: wait for cluster to be ready +# ocm_cluster_info: +# name: "{{ cluster_name }}" +# register: _cluster_info +# until: _cluster_info.cluster.state in ["ready","error"] +# retries: 120 +# delay: 60 +# no_log: true + +# - fail: +# msg: | +# ***************************************** +# Cluster Install Failed +# {{ 
_cluster_info.cluster | to_nice_yaml }} +# ***************************************** +# when: _cluster_info.cluster.state == 'error' diff --git a/roles/cluster_delete/tasks/main.yml b/roles/cluster_delete/tasks/main.yml index 2aeed8d..2d1f822 100644 --- a/roles/cluster_delete/tasks/main.yml +++ b/roles/cluster_delete/tasks/main.yml 
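Review bot: The new `rosa_cluster` include drops parameters the removed `ocm_cluster` task passed — `private: "{{ rosa_private }}"`, `sts`, `subnet_ids`, `disable_workload_monitoring` — while keeping `private_link`; unless the rosa_cluster role derives `private` from `private_link` (its code is not in this diff), a cluster that used to be created with a private API endpoint but without PrivateLink now gets the role's default, most likely a public endpoint. Confirm the role covers it or pass `private: "{{ rosa_private }}"` explicitly. The proxy expressions use `proxy_private_ip|default('')`, so with `proxy_enabled` true and no IP set the cluster is configured with `http://:3128` instead of failing as the old `set_fact` would have on the undefined variable — drop the `default('')` (or use `| mandatory`) so a misconfigured egress proxy fails fast; likewise `rosa_no_proxy` is no longer set in this file, so it must now come from elsewhere when the proxy is enabled. The ~150 lines of the old body kept as comments (and the dangling `# "roles/proxy_create/files/squid-ca-cert.pem"`) should be deleted; git history keeps them.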
@@ -1,66 +1,81 @@ --- -- name: what cluster am i deleting? - debug: - msg: | - *************************************** - Preparing to delete {{ cluster_name }}. - This task may take up to an hour. - *************************************** - verbosity: 0 +- pause: + seconds: 5 + prompt: | + the rh_mobb {{ role_name }} role is being deprecated for the + more modular rh_mobb rosa_cluster role. Consider switching. -- name: check if cluster exists - ocm_cluster_info: - name: "{{ cluster_name }}" - register: _cluster_exists +- include_role: + name: rosa_cluster + vars: + state: absent + rosa_cluster: + name: "{{ cluster_name }}" + aws_account_id: "{{ aws_account_id }}" -## Delete the cluster -- when: _cluster_exists.cluster != {} - block: - - set_fact: - _cluster_id: "{{ _cluster_exists.cluster.id }}" - _operator_roles_prefix: "{{ _cluster_exists.cluster.aws.sts.operator_role_prefix }}" - _oidc_endpoint_url: "{{ _cluster_exists.cluster.aws.sts.oidc_endpoint_url }}" +# --- +# - name: what cluster am i deleting? +# debug: +# msg: | +# *************************************** +# Preparing to delete {{ cluster_name }}. +# This task may take up to an hour. 
+# *************************************** +# verbosity: 0 - - name: check for oidc config - set_fact: - _oidc_config_id: "{{ _cluster_exists.cluster.aws.sts.oidc_config.id | default(None) }}" - when: '"oidc_config" in _cluster_exists.cluster.aws.sts.keys()' +# - name: check if cluster exists +# ocm_cluster_info: +# name: "{{ cluster_name }}" +# register: _cluster_exists - - name: delete cluster - ocm_cluster: - name: "{{ cluster_name }}" - state: absent - register: _delete_cluster +# ## Delete the cluster +# - when: _cluster_exists.cluster != {} +# block: +# - set_fact: +# _cluster_id: "{{ _cluster_exists.cluster.id }}" +# _operator_roles_prefix: "{{ _cluster_exists.cluster.aws.sts.operator_role_prefix }}" +# _oidc_endpoint_url: "{{ _cluster_exists.cluster.aws.sts.oidc_endpoint_url }}" - - name: verify the cluster is deleted - ocm_cluster_info: - name: "{{ cluster_name }}" - register: _cluster_deleted - changed_when: false - failed_when: false - until: _cluster_deleted.cluster == {} - retries: 120 - delay: 10 +# - name: check for oidc config +# set_fact: +# _oidc_config_id: "{{ _cluster_exists.cluster.aws.sts.oidc_config.id | default(None) }}" +# when: '"oidc_config" in _cluster_exists.cluster.aws.sts.keys()' - - fail: - msg: "Cluster took too long to delete" - when: _cluster_deleted.cluster != {} +# - name: delete cluster +# ocm_cluster: +# name: "{{ cluster_name }}" +# state: absent +# register: _delete_cluster -# - debug: -# var: _cluster_exists +# - name: verify the cluster is deleted +# ocm_cluster_info: +# name: "{{ cluster_name }}" +# register: _cluster_deleted +# changed_when: false +# failed_when: false +# until: _cluster_deleted.cluster == {} +# retries: 120 +# delay: 10 -- name: delete oidc config - ocm_oidc_config: - id: "{{ _oidc_config_id }}" - state: absent - when: _oidc_config_id | default(None) +# - fail: +# msg: "Cluster took too long to delete" +# when: _cluster_deleted.cluster != {} -- include_role: - name: operator_roles_delete - vars: - 
cluster_id: "{{ _cluster_id }}" - operator_roles_prefix: "{{ _operator_roles_prefix }}" - oidc_endpoint_url: "{{ _oidc_endpoint_url }}" - # when: (_cluster_exists.cluster == {} and _cluster_id is defined) or - # ((_cluster_deleted.cluster is defined) and (_cluster_deleted.cluster == {})) +# # - debug: +# # var: _cluster_exists + +# - name: delete oidc config +# ocm_oidc_config: +# id: "{{ _oidc_config_id }}" +# state: absent +# when: _oidc_config_id | default(None) + +# - include_role: +# name: operator_roles_delete +# vars: +# cluster_id: "{{ _cluster_id }}" +# operator_roles_prefix: "{{ _operator_roles_prefix }}" +# oidc_endpoint_url: "{{ _oidc_endpoint_url }}" +# # when: (_cluster_exists.cluster == {} and _cluster_id is defined) or +# # ((_cluster_deleted.cluster is defined) and (_cluster_deleted.cluster == {})) diff --git a/roles/operator_roles_create/tasks/main.yml b/roles/operator_roles_create/tasks/main.yml index bdef0e3..227bb18 100644 --- a/roles/operator_roles_create/tasks/main.yml +++ b/roles/operator_roles_create/tasks/main.yml @@ -3,14 +3,14 @@ _cluster_type: "{{ rosa_hosted_cp | ternary('hcp','classic') }}" # tasks file for roles/operator-roles -- name: check for cluster - ocm_cluster_info: - name: "{{ cluster_name }}" - register: _cluster_info - no_log: true +# - name: check for cluster +# ocm_cluster_info: +# name: "{{ cluster_name }}" +# register: _cluster_info +# no_log: true # oidc provider -- name: get the cert chain from the host +- name: get the cert chain from the oidc endpoint peer_cert_chain_info: host: "{{ oidc_endpoint_url }}" register: _oidc_endpoint_chain diff --git a/roles/operator_roles_delete/tasks/roles.yml b/roles/operator_roles_delete/tasks/roles.yml index c2db96e..ce776c1 100644 --- a/roles/operator_roles_delete/tasks/roles.yml +++ b/roles/operator_roles_delete/tasks/roles.yml 
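Review bot: The `rosa_cluster` include with `state: absent` passes only `name` and `aws_account_id`, while the removed body also deleted the cluster's OIDC config (`ocm_oidc_config ... state: absent`) and ran `operator_roles_delete` with the operator role prefix and OIDC endpoint read from the live cluster. If the rosa_cluster role does not perform that cleanup itself (not visible here), every delete now leaves IAM roles whose trust policy points at the OIDC provider of a cluster that no longer exists — orphaned assumable roles accumulating in the account — and for HCP clusters it also lacks `hosted_cp`, which the old path needed to pick role names. I'd confirm the role's absent path removes operator roles/policies, the OIDC provider and the OIDC config, and record that above the include, e.g. `# rosa_cluster state=absent also removes operator roles and the oidc config`. The old body kept as ~60 commented lines should be removed rather than left in place.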
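Review bot: Commenting out the `check for cluster` task removes the only `_cluster_info` registration visible in this hunk; if anything later in the role (outside the hunk) still reads `_cluster_info` it now fails on an undefined variable, and if nothing does, the block should be deleted rather than kept as comments. The renamed task fetches the chain live from `oidc_endpoint_url` via `peer_cert_chain_info`; since that chain presumably feeds the OIDC provider thumbprint, a comment stating that the chain is trusted as served at create time (no pinning or cross-check) would make the trust assumption explicit, e.g. `# thumbprint derived from whatever chain the endpoint serves now; verify the issuer if this is ever run against an untrusted network`.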
@@ -1,9 +1,9 @@ - set_fact: _name: "{{ '-'.join([cluster_name,item.namespace,item.name])[:64] }}" - when: _cluster_type == 'classic' -- set_fact: - _name: "{{ '-'.join([cluster_name, 'hcp', item.namespace,item.name])[:64] }}" - when: _cluster_type == 'hcp' +# when: _cluster_type == 'classic' +# - set_fact: +# _name: "{{ '-'.join([cluster_name, 'hcp', item.namespace,item.name])[:64] }}" +# when: _cluster_type == 'hcp' - name: "delete operator policy {{ _name }}" iam_policy: diff --git a/roles/rosa_account_roles/README.md b/roles/rosa_account_roles/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/roles/rosa_account_roles/README.md 
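Review bot: With `when: _cluster_type == 'classic'` commented out and the HCP variant (`'-'.join([cluster_name, 'hcp', ...])`) disabled, `_name` is now built identically for both cluster types, so HCP operator roles are only found if the create side names them without the `hcp` segment too; `_cluster_type` is still computed in operator_roles_create/tasks/main.yml in this same diff, so it is worth confirming both roles agree on the scheme. Because `iam_policy`/`iam_role` with `state: absent` do not error when the name does not exist, a mismatch would not fail the play — it would just leave the operator roles and policies behind. If the HCP naming is gone for good, delete the commented lines rather than leaving two schemes in the file; the `delete operator policy` task continues past the end of this hunk.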
@@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/rosa_account_roles/defaults/main.yml b/roles/rosa_account_roles/defaults/main.yml new file mode 100644 index 0000000..586166e --- /dev/null +++ b/roles/rosa_account_roles/defaults/main.yml @@ -0,0 +1,10 @@ +--- +# defaults file for rosa_account_roles +rosa_account_roles: + hosted_cp: False + version: "4.14" + prefix: ManagedOpenShift + + # set force to true to delete the default account role + # (prefix is ManagedOpenShift or ManagedOpenShift-HCP) + force: False 
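Review bot: The comment on `force` says the default prefixes are `ManagedOpenShift` or `ManagedOpenShift-HCP`, but tasks/main.yml in this same change rejects any HCP prefix that does not end in `-HCP-ROSA`, so `ManagedOpenShift-HCP` can never be an HCP prefix this role accepts; the literal the force guard should protect is presumably `ManagedOpenShift-HCP-ROSA`. Update the comment to the value the role actually validates — `# (prefix is ManagedOpenShift or ManagedOpenShift-HCP-ROSA)` — and keep it in step with the guard in absent/main.yml. Also worth a line here noting that a caller who passes `rosa_account_roles` as a whole dict replaces these defaults (Ansible does not merge dict vars), so `force` and `version` must then be supplied explicitly.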
diff --git a/roles/account_roles_create/files/classic/4.14/sts_installer_permission_policy.json b/roles/rosa_account_roles/files/classic/4.14/sts_installer_permission_policy.json similarity index 100% rename from roles/account_roles_create/files/classic/4.14/sts_installer_permission_policy.json rename to roles/rosa_account_roles/files/classic/4.14/sts_installer_permission_policy.json diff --git a/roles/account_roles_create/files/classic/4.12/sts_installer_trust_policy.json b/roles/rosa_account_roles/files/classic/4.14/sts_installer_trust_policy.json similarity index 100% rename from roles/account_roles_create/files/classic/4.12/sts_installer_trust_policy.json rename to roles/rosa_account_roles/files/classic/4.14/sts_installer_trust_policy.json diff --git a/roles/account_roles_create/files/classic/4.12/sts_instance_controlplane_permission_policy.json b/roles/rosa_account_roles/files/classic/4.14/sts_instance_controlplane_permission_policy.json similarity index 100% rename from roles/account_roles_create/files/classic/4.12/sts_instance_controlplane_permission_policy.json rename to roles/rosa_account_roles/files/classic/4.14/sts_instance_controlplane_permission_policy.json diff --git a/roles/account_roles_create/files/classic/4.12/sts_instance_controlplane_trust_policy.json b/roles/rosa_account_roles/files/classic/4.14/sts_instance_controlplane_trust_policy.json similarity index 100% rename from roles/account_roles_create/files/classic/4.12/sts_instance_controlplane_trust_policy.json rename to roles/rosa_account_roles/files/classic/4.14/sts_instance_controlplane_trust_policy.json 
diff --git a/roles/account_roles_create/files/classic/4.12/sts_instance_worker_permission_policy.json b/roles/rosa_account_roles/files/classic/4.14/sts_instance_worker_permission_policy.json similarity index 100% rename from roles/account_roles_create/files/classic/4.12/sts_instance_worker_permission_policy.json rename to roles/rosa_account_roles/files/classic/4.14/sts_instance_worker_permission_policy.json diff --git a/roles/account_roles_create/files/classic/4.12/sts_instance_worker_trust_policy.json b/roles/rosa_account_roles/files/classic/4.14/sts_instance_worker_trust_policy.json similarity index 100% rename from roles/account_roles_create/files/classic/4.12/sts_instance_worker_trust_policy.json rename to roles/rosa_account_roles/files/classic/4.14/sts_instance_worker_trust_policy.json diff --git a/roles/account_roles_create/files/classic/4.14/sts_support_permission_policy.json b/roles/rosa_account_roles/files/classic/4.14/sts_support_permission_policy.json similarity index 100% rename from roles/account_roles_create/files/classic/4.14/sts_support_permission_policy.json rename to roles/rosa_account_roles/files/classic/4.14/sts_support_permission_policy.json diff --git a/roles/account_roles_create/files/classic/4.12/sts_support_trust_policy.json b/roles/rosa_account_roles/files/classic/4.14/sts_support_trust_policy.json similarity index 100% rename from roles/account_roles_create/files/classic/4.12/sts_support_trust_policy.json rename to roles/rosa_account_roles/files/classic/4.14/sts_support_trust_policy.json diff --git a/roles/account_roles_create/files/classic/4.13/sts_installer_trust_policy.json b/roles/rosa_account_roles/files/hcp/4.14/sts_installer_trust_policy.json similarity index 100% rename from roles/account_roles_create/files/classic/4.13/sts_installer_trust_policy.json rename to roles/rosa_account_roles/files/hcp/4.14/sts_installer_trust_policy.json 
diff --git a/roles/account_roles_create/files/classic/4.13/sts_instance_worker_trust_policy.json b/roles/rosa_account_roles/files/hcp/4.14/sts_instance_worker_trust_policy.json similarity index 100% rename from roles/account_roles_create/files/classic/4.13/sts_instance_worker_trust_policy.json rename to roles/rosa_account_roles/files/hcp/4.14/sts_instance_worker_trust_policy.json diff --git a/roles/account_roles_create/files/classic/4.13/sts_support_trust_policy.json b/roles/rosa_account_roles/files/hcp/4.14/sts_support_trust_policy.json similarity index 100% rename from roles/account_roles_create/files/classic/4.13/sts_support_trust_policy.json rename to roles/rosa_account_roles/files/hcp/4.14/sts_support_trust_policy.json diff --git a/roles/rosa_account_roles/handlers/main.yml b/roles/rosa_account_roles/handlers/main.yml new file mode 100644 index 0000000..c92f980 --- /dev/null +++ b/roles/rosa_account_roles/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for rosa_account_roles diff --git a/roles/rosa_account_roles/meta/main.yml b/roles/rosa_account_roles/meta/main.yml new file mode 100644 index 0000000..c572acc --- /dev/null +++ b/roles/rosa_account_roles/meta/main.yml 
@@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/account_roles_delete/tasks/classic.yml b/roles/rosa_account_roles/tasks/absent/classic.yml similarity index 62% rename from roles/account_roles_delete/tasks/classic.yml rename to roles/rosa_account_roles/tasks/absent/classic.yml index f93185f..ed054fb 100644 --- a/roles/account_roles_delete/tasks/classic.yml 
+++ b/roles/rosa_account_roles/tasks/absent/classic.yml @@ -1,12 +1,13 @@ # Classic Roles - set_fact: - _rosa_account_roles_prefix: "{{ rosa_account_roles_prefix }}" + _rosa_account_roles: + prefix: "{{ rosa_account_roles.prefix }}" - name: delete support policy iam_policy: - policy_name: "{{ _rosa_account_roles_prefix }}-Support-Role-Policy" + policy_name: "{{ _rosa_account_roles.prefix }}-Support-Role-Policy" iam_type: role - iam_name: "{{ _rosa_account_roles_prefix }}-Support-Role" + iam_name: "{{ _rosa_account_roles.prefix }}-Support-Role" state: absent register: _delete failed_when: ('error' in _delete.keys()) and (_delete.error.code != 'NoSuchEntity') @@ -14,14 +15,14 @@ - name: delete support role iam_role: - name: "{{ _rosa_account_roles_prefix }}-Support-Role" + name: "{{ _rosa_account_roles.prefix }}-Support-Role" state: absent - name: delete installer policy iam_policy: - policy_name: "{{ _rosa_account_roles_prefix }}-Installer-Role-Policy" + policy_name: "{{ _rosa_account_roles.prefix }}-Installer-Role-Policy" iam_type: role - iam_name: "{{ _rosa_account_roles_prefix }}-Installer-Role" + iam_name: "{{ _rosa_account_roles.prefix }}-Installer-Role" state: absent register: _delete failed_when: ('error' in _delete.keys()) and (_delete.error.code != 'NoSuchEntity') @@ -29,14 +30,14 @@ - name: delete installer role iam_role: - name: "{{ _rosa_account_roles_prefix }}-Installer-Role" + name: "{{ _rosa_account_roles.prefix }}-Installer-Role" state: absent - name: delete ControlPlane policy iam_policy: - policy_name: "{{ _rosa_account_roles_prefix }}-ControlPlane-Role-Policy" + policy_name: "{{ _rosa_account_roles.prefix }}-ControlPlane-Role-Policy" iam_type: role - iam_name: "{{ _rosa_account_roles_prefix }}-ControlPlane-Role" + iam_name: "{{ _rosa_account_roles.prefix }}-ControlPlane-Role" state: absent register: _delete failed_when: ('error' in _delete.keys()) and (_delete.error.code != 'NoSuchEntity') 
@@ -44,15 +45,15 @@ - name: delete ControlPlane role iam_role: - name: "{{ _rosa_account_roles_prefix }}-ControlPlane-Role" + name: "{{ _rosa_account_roles.prefix }}-ControlPlane-Role" state: absent when: not rosa_hosted_cp | default('False') | bool - name: delete Worker policy iam_policy: - policy_name: "{{ _rosa_account_roles_prefix }}-Worker-Role-Policy" + policy_name: "{{ _rosa_account_roles.prefix }}-Worker-Role-Policy" iam_type: role - iam_name: "{{ _rosa_account_roles_prefix }}-Worker-Role" + iam_name: "{{ _rosa_account_roles.prefix }}-Worker-Role" state: absent register: _delete failed_when: ('error' in _delete.keys()) and (_delete.error.code != 'NoSuchEntity') diff --git a/roles/rosa_account_roles/tasks/absent/hcp.yml b/roles/rosa_account_roles/tasks/absent/hcp.yml new file mode 100644 index 0000000..d5c2cb8 --- /dev/null +++ b/roles/rosa_account_roles/tasks/absent/hcp.yml @@ -0,0 +1,18 @@ +- fail: + msg: "rosa_account_roles.prefix should end in '-HCP-ROSA'" + when: rosa_account_roles.prefix is not search("^.*-HCP-ROSA$") + +- name: delete HCP Worker role + iam_role: + name: "{{ rosa_account_roles.prefix }}-Worker-Role" + state: absent + +- name: delete HCP Installer role + iam_role: + name: "{{ rosa_account_roles.prefix }}-Installer-Role" + state: absent + +- name: delete HCP Support role + iam_role: + name: "{{ rosa_account_roles.prefix }}-Support-Role" + state: absent diff --git a/roles/rosa_account_roles/tasks/absent/main.yml b/roles/rosa_account_roles/tasks/absent/main.yml new file mode 100644 index 0000000..a2e4455 --- /dev/null +++ b/roles/rosa_account_roles/tasks/absent/main.yml 
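Review bot: `when: not rosa_hosted_cp | default('False') | bool` on the ControlPlane role deletion still reads the deprecated top-level variable while the rest of this file was moved to `rosa_account_roles.*`, so a caller that sets only `rosa_account_roles.hosted_cp` never trips it; and since absent/main.yml only includes classic.yml when `hosted_cp` is false, the condition is redundant anyway. Drop it, or make it consistent with the new interface: `when: not rosa_account_roles.hosted_cp | bool`. The `_rosa_account_roles: prefix:` set_fact at the top of the file is a second name for `rosa_account_roles.prefix`; referencing the input directly, as hcp.yml does, would remove the indirection.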
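Review bot: The leading `fail ... when: rosa_account_roles.prefix is not search("^.*-HCP-ROSA$")` duplicates the identical check added to tasks/main.yml in this change, so there are now two copies to keep in sync — keep the one in main.yml, or keep only this one next to the destructive tasks. Unlike classic.yml, this path deletes the three roles only and has no `iam_policy ... state: absent` tasks, which matches the files added under `hcp/4.14/` (trust policies only, no permission policies) but should be stated, e.g. `# HCP account roles carry only AWS managed policies; deleting the role detaches them`. Note that the default-looking prefix `ManagedOpenShift-HCP-ROSA` passes the regex here, so protection of the shared default roles rests entirely on the force guard in absent/main.yml.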
@@ -0,0 +1,21 @@ +--- +# tasks file for roles/account-roles + + # only delete default account roles when force is set +- when: ( + rosa_account_roles.prefix != "ManagedOpenShift" and + rosa_account_roles.prefix != "ManagedOpenShift-HCP" + ) + or + ( rosa_account_roles.force | bool and + ( rosa_account_roles.prefix == "ManagedOpenShift" or + rosa_account_roles.prefix == "ManagedOpenShift-HCP" + ) + ) + + block: + - include_tasks: classic.yml + when: not rosa_account_roles.hosted_cp | bool + + - include_tasks: hcp.yml + when: rosa_account_roles.hosted_cp | bool diff --git a/roles/rosa_account_roles/tasks/main.yml b/roles/rosa_account_roles/tasks/main.yml new file mode 100644 index 0000000..19a8eb7 --- /dev/null +++ b/roles/rosa_account_roles/tasks/main.yml @@ -0,0 +1,19 @@ +--- +# tasks file for rosa_account_roles + +- fail: + msg: | + rosa_account_roles.prefix must end in "-HCP-ROSA" for Hosted Control Plane Clusters + rosa_account_roles.prefix currently set to: "{{ rosa_account_roles.prefix }}" + when: + - rosa_account_roles.prefix is not search("^.*-HCP-ROSA$") + - rosa_account_roles.hosted_cp | bool + + +- name: "run rosa_account_roles present tasks" + import_tasks: present/main.yml + when: state == 'present' + +- name: "run rosa_account_roles absent tasks" + import_tasks: absent/main.yml + when: state == 'absent' diff --git a/roles/rosa_account_roles/tasks/present/classic.yml b/roles/rosa_account_roles/tasks/present/classic.yml new file mode 100644 index 0000000..092bb99 --- /dev/null +++ b/roles/rosa_account_roles/tasks/present/classic.yml 
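Review bot: The force guard in absent/main.yml compares the prefix against `"ManagedOpenShift-HCP"`, but the HCP branch it protects (absent/hcp.yml) refuses any prefix that does not end in `-HCP-ROSA`, so that literal can never reach a deletion, while a prefix such as `ManagedOpenShift-HCP-ROSA` — which, if I read the new naming scheme correctly, is how the default hosted-control-plane account roles would be spelled — passes the guard without `force`. Because account roles are shared by every cluster in the AWS account, the guard should match the HCP default under the new convention, e.g. `when: rosa_account_roles.prefix not in ["ManagedOpenShift", "ManagedOpenShift-HCP-ROSA"] or rosa_account_roles.force | bool`, which also replaces the multi-line parenthesised plain scalar with one readable expression. `rosa_account_roles.force` is not defined anywhere visible in this diff; if defaults/main.yml does not set it, the `or` short-circuit means the undefined-variable error surfaces exactly in the default-prefix case the guard exists for. The header comment `# tasks file for roles/account-roles` names the role this commit replaces and should read `# tasks file for rosa_account_roles`.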
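Review bot: Both dispatch tasks in roles/rosa_account_roles/tasks/main.yml key on a bare global `state`, so a play that sets it to anything other than `present` or `absent` (a typo, or a value wrapped in `default`) turns the role into a silent no-op; the same pattern is in roles/rosa_cluster/tasks/main.yml later in this diff. A leading assertion, `- assert: { that: state in ['present', 'absent'], fail_msg: "state must be 'present' or 'absent'" }`, or reading the value from the role's own dict (`rosa_account_roles.state | default('present')`) would make the contract explicit. The `fail` task at the top is the natural place for it, since it already validates the prefix/hosted_cp combination.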
@@ -0,0 +1,72 @@ +--- +# tasks file for roles/account-roles + +- name: create support role + iam_role: + name: "{{ rosa_account_roles.prefix }}-Support-Role" + assume_role_policy_document: "{{ lookup('file',('classic',rosa_account_roles.version,'sts_support_trust_policy.json')|path_join) }}" + tags: + red-hat-managed: 'true' + rosa_role_type: support + rosa_openshift_version: "{{ rosa_account_roles.version }}" + rosa_role_prefix: "{{ rosa_account_roles.prefix }}" + +- name: create support policy + iam_policy: + iam_type: role + iam_name: "{{ rosa_account_roles.prefix }}-Support-Role" + policy_name: "{{ rosa_account_roles.prefix }}-Support-Role-Policy" + policy_json: "{{ lookup('file',('classic',rosa_account_roles.version,'sts_support_permission_policy.json')|path_join) }}" + +- name: create installer role + iam_role: + name: "{{ rosa_account_roles.prefix }}-Installer-Role" + assume_role_policy_document: "{{ lookup('file',('classic',rosa_account_roles.version,'sts_installer_trust_policy.json')|path_join) }}" + tags: + red-hat-managed: 'true' + rosa_role_type: installer + rosa_openshift_version: "{{ rosa_account_roles.version }}" + rosa_role_prefix: "{{ rosa_account_roles.prefix }}" + +- name: create installer policy + iam_policy: + iam_type: role + iam_name: "{{ rosa_account_roles.prefix }}-Installer-Role" + policy_name: "{{ rosa_account_roles.prefix }}-Installer-Role-Policy" + policy_json: "{{ lookup('file',('classic',rosa_account_roles.version,'sts_installer_permission_policy.json')|path_join) }}" + +- name: create controlplane role + iam_role: + name: "{{ rosa_account_roles.prefix }}-ControlPlane-Role" + assume_role_policy_document: "{{ lookup('file',('classic',rosa_account_roles.version,'sts_instance_controlplane_trust_policy.json')|path_join) }}" + tags: + red-hat-managed: 'true' + rosa_role_type: instance_controlplane + rosa_openshift_version: "{{ rosa_account_roles.version }}" + rosa_role_prefix: "{{ rosa_account_roles.prefix }}" + +- name: create 
controlplane policy + iam_policy: + iam_type: role + iam_name: "{{ rosa_account_roles.prefix }}-ControlPlane-Role" + policy_name: "{{ rosa_account_roles.prefix }}-ControlPlane-Role-Policy" + policy_json: "{{ lookup('file',('classic',rosa_account_roles.version,'sts_instance_controlplane_permission_policy.json')|path_join) }}" + +- name: create worker role + iam_role: + name: "{{ rosa_account_roles.prefix }}-Worker-Role" + assume_role_policy_document: "{{ lookup('file',('classic',rosa_account_roles.version,'sts_instance_worker_trust_policy.json')|path_join) }}" + tags: + red-hat-managed: 'true' + rosa_role_type: instance_worker + rosa_openshift_version: "{{ rosa_account_roles.version }}" + rosa_role_prefix: "{{ rosa_account_roles.prefix }}" + +- name: create worker policy + iam_policy: + iam_type: role + iam_name: "{{ rosa_account_roles.prefix }}-Worker-Role" + policy_name: "{{ rosa_account_roles.prefix }}-Worker-Role-Policy" + policy_json: "{{ lookup('file',('classic',rosa_account_roles.version,'sts_instance_worker_permission_policy.json')|path_join) }}" + +# - fail: diff --git a/roles/account_roles_create/tasks/hcp.yml b/roles/rosa_account_roles/tasks/present/hcp.yml similarity index 56% rename from roles/account_roles_create/tasks/hcp.yml rename to roles/rosa_account_roles/tasks/present/hcp.yml index e549af9..5a19364 100644 --- a/roles/account_roles_create/tasks/hcp.yml +++ b/roles/rosa_account_roles/tasks/present/hcp.yml 
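Review bot: present/classic.yml ends with the dead fragment `# - fail:` and opens with `# tasks file for roles/account-roles`, the name of the role this commit replaces; both should go (`# tasks file for rosa_account_roles`, as in the sibling main.yml), because a commented-out task start reads as a pending TODO to the next maintainer. A one-line comment above the first task, `# trust and permission documents come from the role's files dir: classic/<rosa_account_roles.version>/*.json`, would help, since the `lookup('file', … | path_join)` calls are the only thing tying these IAM role definitions to the pinned version. Style: the five role/policy pairs differ only in the name suffix, the `rosa_role_type` tag and the policy-file stem, so a `loop` over a short list of `{suffix, type, file}` items would keep the lookups in one place; optional.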
@@ -1,38 +1,41 @@ +- fail: + when: rosa_account_roles.prefix is not search("^.*-HCP-ROSA$") + - name: create support role iam_role: - name: "{{ rosa_account_roles_prefix }}-HCP-ROSA-Support-Role" - assume_role_policy_document: "{{ lookup('file',('hcp',rosa_account_roles_version,'sts_support_trust_policy.json')|path_join) }}" + name: "{{ rosa_account_roles.prefix }}-Support-Role" + assume_role_policy_document: "{{ lookup('file',('hcp',rosa_account_roles.version,'sts_support_trust_policy.json')|path_join) }}" managed_policies: ["arn:aws:iam::aws:policy/service-role/ROSASRESupportPolicy"] tags: red-hat-managed: "true" rosa_hcp_policies: "true" rosa_managed_policies: "true" - rosa_openshift_version: "{{ rosa_account_roles_version }}" - rosa_role_prefix: "{{ rosa_account_roles_prefix }}" + rosa_openshift_version: "{{ rosa_account_roles.version }}" + rosa_role_prefix: "{{ rosa_account_roles.prefix }}" rosa_role_type: "support" - name: create installer role iam_role: - name: "{{ rosa_account_roles_prefix }}-HCP-ROSA-Installer-Role" - assume_role_policy_document: "{{ lookup('file',('hcp',rosa_account_roles_version,'sts_installer_trust_policy.json')|path_join) }}" + name: "{{ rosa_account_roles.prefix }}-Installer-Role" + assume_role_policy_document: "{{ lookup('file',('hcp',rosa_account_roles.version,'sts_installer_trust_policy.json')|path_join) }}" managed_policies: ["arn:aws:iam::aws:policy/service-role/ROSAInstallerPolicy"] tags: red-hat-managed: "true" rosa_hcp_policies: "true" rosa_managed_policies: "true" - rosa_openshift_version: "{{ rosa_account_roles_version }}" - rosa_role_prefix: "{{ rosa_account_roles_prefix }}" + rosa_openshift_version: "{{ rosa_account_roles.version }}" + rosa_role_prefix: "{{ rosa_account_roles.prefix }}" rosa_role_type: "installer" - name: create worker role iam_role: - name: "{{ rosa_account_roles_prefix }}-HCP-ROSA-Worker-Role" - assume_role_policy_document: "{{ 
lookup('file',('hcp',rosa_account_roles_version,'sts_instance_worker_trust_policy.json')|path_join) }}" + name: "{{ rosa_account_roles.prefix }}-Worker-Role" + assume_role_policy_document: "{{ lookup('file',('hcp',rosa_account_roles.version,'sts_instance_worker_trust_policy.json')|path_join) }}" managed_policies: ["arn:aws:iam::aws:policy/service-role/ROSAWorkerInstancePolicy"] tags: red-hat-managed: "true" rosa_hcp_policies: "true" rosa_managed_policies: "true" - rosa_openshift_version: "{{ rosa_account_roles_version }}" - rosa_role_prefix: "{{ rosa_account_roles_prefix }}" + rosa_openshift_version: "{{ rosa_account_roles.version }}" + rosa_role_prefix: "{{ rosa_account_roles.prefix }}" rosa_role_type: "instance_worker" diff --git a/roles/rosa_account_roles/tasks/present/main.yml b/roles/rosa_account_roles/tasks/present/main.yml new file mode 100644 index 0000000..73c131c --- /dev/null +++ b/roles/rosa_account_roles/tasks/present/main.yml @@ -0,0 +1,7 @@ +- include_tasks: classic.yml + when: not rosa_account_roles.hosted_cp | bool + +- include_tasks: hcp.yml + when: rosa_account_roles.hosted_cp | bool + + diff --git a/roles/rosa_account_roles/tests/inventory b/roles/rosa_account_roles/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/roles/rosa_account_roles/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/roles/rosa_account_roles/tests/test.yml b/roles/rosa_account_roles/tests/test.yml new file mode 100644 index 0000000..6a2400b --- /dev/null +++ b/roles/rosa_account_roles/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - rosa_account_roles diff --git a/roles/rosa_account_roles/vars/main.yml b/roles/rosa_account_roles/vars/main.yml new file mode 100644 index 0000000..1444b24 --- /dev/null +++ b/roles/rosa_account_roles/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for rosa_account_roles 
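Review bot: The new leading `- fail:` in present/hcp.yml has no `msg`, so when the prefix does not end in `-HCP-ROSA` the run stops with a bare "Failed as requested from task"; the same check in tasks/main.yml already explains the convention, so either drop this copy or give it the same text, `msg: "rosa_account_roles.prefix must end in '-HCP-ROSA' (got {{ rosa_account_roles.prefix }})"`. The naming change is not backward compatible: the previous revision built `<prefix>-HCP-ROSA-Installer-Role` from a prefix without the suffix, so an inventory that still supplies the old prefix now fails the check instead of finding its existing roles, and the commit message should call that out.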
diff --git a/roles/rosa_cluster/README.md b/roles/rosa_cluster/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/roles/rosa_cluster/README.md @@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/rosa_cluster/defaults/main.yml b/roles/rosa_cluster/defaults/main.yml new file mode 100644 index 0000000..20258e7 --- /dev/null +++ b/roles/rosa_cluster/defaults/main.yml 
@@ -0,0 +1,34 @@ +--- +# defaults file for rosa_cluster + +rosa_cluster: + name: rosa-cluster + subnet_ids: [] + # http_proxy: http://{{ proxy_private_ip }}:3128 + # https_proxy: http://{{ proxy_private_ip }}:3128 + # no_proxy: ~ + # additional_trust_bundle_file: "roles/proxy_create/files/squid-ca-cert.pem" + disable_workload_monitoring: false + aws_account_id: ~ + account_roles_prefix: Managed-OpenShift + region: us-east-2 + private_link: false + vpc_cidr: 10.0.0.0/20 + multi_az: false + version: 4.14.6 + hosted_cp: false + autoscaling: false + min_replicas: + max_replicas: + compute_nodes: # 3 for multi-az, 2 for single-az + compute_machine_type: "m5.xlarge" + role_arn: + support_role_arn: + controlplane_iam_role: + worker_iam_role: + operator_roles_prefix: + kms_key_arn: + tags: {} + wait: true + + diff --git a/roles/rosa_cluster/handlers/main.yml b/roles/rosa_cluster/handlers/main.yml new file mode 100644 index 0000000..ff0c1ae --- /dev/null +++ b/roles/rosa_cluster/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for rosa_cluster diff --git a/roles/rosa_cluster/meta/main.yml b/roles/rosa_cluster/meta/main.yml new file mode 100644 index 0000000..c572acc --- /dev/null +++ b/roles/rosa_cluster/meta/main.yml 
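Review bot: `account_roles_prefix: Managed-OpenShift` in rosa_cluster/defaults/main.yml is spelled differently from the default prefix the rest of this diff uses — absent/main.yml of rosa_account_roles guards `"ManagedOpenShift"` (no hyphen) — so with the defaults untouched present/main.yml would build `arn:aws:iam::<account>:role/Managed-OpenShift-Installer-Role`, which only exists if the account-roles prefix was spelled the same way; it should read `account_roles_prefix: ManagedOpenShift`. `aws_account_id: ~` is also a poor default for a value that present/main.yml interpolates unguarded into those ARNs (it renders as `None`); leaving the key absent and validating it in tasks is safer than a null placeholder. `version: 4.14.6` pins a z-stream for every consumer; a comment on why that exact version, or `~` to let OCM choose, would help.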
@@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/rosa_cluster/tasks/absent/main.yml b/roles/rosa_cluster/tasks/absent/main.yml new file mode 100644 index 0000000..2fade69 --- /dev/null +++ b/roles/rosa_cluster/tasks/absent/main.yml 
@@ -0,0 +1,66 @@ +--- +- name: what cluster am i deleting? + debug: + msg: | + *************************************** + Preparing to delete {{ rosa_cluster.name }}. + This task may take up to an hour. + *************************************** + verbosity: 0 + +- name: check if cluster exists + ocm_cluster_info: + name: "{{ rosa_cluster.name }}" + register: _cluster_exists + +## Delete the cluster +- when: _cluster_exists.cluster != {} + block: + - set_fact: + _cluster_id: "{{ _cluster_exists.cluster.id }}" + _operator_roles_prefix: "{{ _cluster_exists.cluster.aws.sts.operator_role_prefix }}" + _oidc_endpoint_url: "{{ _cluster_exists.cluster.aws.sts.oidc_endpoint_url }}" + + - name: check for oidc config + set_fact: + _oidc_config_id: "{{ _cluster_exists.cluster.aws.sts.oidc_config.id | default(None) }}" + when: '"oidc_config" in _cluster_exists.cluster.aws.sts.keys()' + + - name: delete cluster + ocm_cluster: + name: "{{ rosa_cluster.name }}" + state: absent + register: _delete_cluster + + - name: verify the cluster is deleted + ocm_cluster_info: + name: "{{ rosa_cluster.name }}" + register: _cluster_deleted + changed_when: false + failed_when: false + until: _cluster_deleted.cluster == {} + retries: 120 + delay: 10 + + - fail: + msg: "Cluster took too long to delete" + when: _cluster_deleted.cluster != {} + +# - debug: +# var: _cluster_exists + +- name: delete oidc config + ocm_oidc_config: + id: "{{ _oidc_config_id }}" + state: absent + when: _oidc_config_id | default(None) + +- include_role: + name: operator_roles_delete + vars: + cluster_id: "{{ _cluster_id }}" + operator_roles_prefix: "{{ _operator_roles_prefix }}" + oidc_endpoint_url: "{{ _oidc_endpoint_url }}" + # when: (_cluster_exists.cluster == {} and _cluster_id is defined) or + # ((_cluster_deleted.cluster is defined) and (_cluster_deleted.cluster == {})) + diff --git a/roles/rosa_cluster/tasks/main.yml b/roles/rosa_cluster/tasks/main.yml new file mode 100644 index 0000000..93bff41 --- /dev/null 
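Review bot: The `include_role: operator_roles_delete` at the end of rosa_cluster/tasks/absent/main.yml runs unconditionally but passes `_cluster_id`, `_operator_roles_prefix` and `_oidc_endpoint_url`, which are only set inside the `when: _cluster_exists.cluster != {}` block; on a re-run after the cluster is already gone the include fails on an undefined variable instead of finishing idempotently. The commented-out `when:` underneath shows the intended guard — restore it as `when: _cluster_id is defined`, which covers both the "never existed" and "already deleted" cases. Minor: the debug banner promises "up to an hour" while the verify loop allows `retries: 120` × `delay: 10`, twenty minutes, before the `fail`; align one with the other.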
+++ b/roles/rosa_cluster/tasks/main.yml @@ -0,0 +1,10 @@ +--- +# tasks file for rosa_cluster + +- name: "run rosa_cluster present tasks" + import_tasks: present/main.yml + when: state == 'present' + +- name: "run rosa_cluster absent tasks" + import_tasks: absent/main.yml + when: state == 'absent' diff --git a/roles/rosa_cluster/tasks/present/main.yml b/roles/rosa_cluster/tasks/present/main.yml new file mode 100644 index 0000000..9f0c94d --- /dev/null +++ b/roles/rosa_cluster/tasks/present/main.yml 
@@ -0,0 +1,150 @@ +--- +- name: what cluster am i creating? + debug: + msg: | + *************************************** + Preparing to create {{ rosa_cluster.name }}. + This task may take up to an hour. + *************************************** + + verbosity: 0 + +# do this better ... maybe better set during vpc creation and inherited. +- when: rosa_cluster.subnet_ids | length == 0 + block: + - name: figure out list of subnets + set_fact: + _private_subnet_ids: "{{ _private_subnets.results | default([]) | json_query('[*].subnet.id') }}" + _public_subnet_ids: "{{ _public_subnets.results | default([]) | json_query('[*].subnet.id') }}" + when: + - _private_subnets is defined or _public_subnets is defined + - name: set subnet_ids when private-link cluster + set_fact: + rosa_cluster: + subnet_ids: "{{ _private_subnet_ids }}" + when: (rosa_private_link | bool) + - name: set subnet_ids when public or private cluster + set_fact: + rosa_cluster: + subnet_ids: "{{ _private_subnet_ids + _public_subnet_ids }}" + when: (not rosa_private_link | bool) + +- name: check if cluster exists + ocm_cluster_info: + name: "{{ rosa_cluster.name }}" + register: _cluster_info + +- when: _cluster_info.cluster == {} + block: + - name: create oidc config + ocm_oidc_config: + state: present + register: _oidc_config + when: rosa_cluster.hosted_cp | bool + + - set_fact: + _oidc_id: "{{ _oidc_config.oidc_config.id }}" + when: rosa_cluster.hosted_cp | bool + + # HCP roles + - set_fact: + _role_arn: "arn:aws:iam::{{ rosa_cluster.aws_account_id }}:role/{{ rosa_cluster.account_roles_prefix }}-Installer-Role" + _support_role_arn: "arn:aws:iam::{{ rosa_cluster.aws_account_id }}:role/{{ rosa_cluster.account_roles_prefix }}-Support-Role" + _worker_iam_role: "arn:aws:iam::{{ rosa_cluster.aws_account_id }}:role/{{ rosa_cluster.account_roles_prefix }}-Worker-Role" + + # Extra Classic roles + - set_fact: + _controlplane_iam_role: "arn:aws:iam::{{ rosa_cluster.aws_account_id }}:role/{{ 
rosa_cluster.account_roles_prefix }}-ControlPlane-Role" + when: not rosa_cluster.hosted_cp | default(False) | bool + + - name: create cluster + ocm_cluster: + name: "{{ rosa_cluster.name }}" + region: "{{ rosa_cluster.region }}" + private_link: "{{ rosa_private_link }}" + sts: true + aws_account_id: "{{ rosa_cluster.aws_account_id | default(omit) }}" + machine_cidr: "{{ rosa_cluster.vpc_cidr }}" + multi_az: "{{ rosa_cluster.multi_az | bool }}" + subnet_ids: "{{ rosa_cluster.subnet_ids | join(',') }}" + version: "{{ rosa_cluster.version | default(omit) }}" + hosted_cp: "{{ rosa_cluster.hosted_cp | default(omit) }}" + oidc_config_id: "{{ _oidc_id | default(omit) }}" + http_proxy: "{{ rosa_cluster.http_proxy | default(omit) }}" + https_proxy: "{{ rosa_cluster.https_proxy | default(omit) }}" + no_proxy: "{{ rosa_cluster.no_proxy | default(omit) }}" + additional_trust_bundle_file: "{{ rosa_cluster.additional_trust_bundle_file | default(omit) }}" + disable_workload_monitoring: "{{ rosa_cluster.disable_workload_monitoring | bool }}" + min_replicas: "{{ rosa_cluster.min_replicas | default(omit) }}" + max_replicas: "{{ rosa_cluster.max_replicas | default(omit) }}" + compute_nodes: "{{ rosa_cluster.compute_nodes | default(omit) }}" + compute_machine_type: "{{ rosa_cluster.compute_machine_type | default(omit) }}" + role_arn: "{{ _role_arn }}" + support_role_arn: "{{ _support_role_arn }}" + controlplane_iam_role: "{{ _controlplane_iam_role | default(omit) }}" + worker_iam_role: "{{ _worker_iam_role }}" + operator_roles_prefix: "{{ rosa_cluster.name }}" + kms_key_arn: "{{ rosa_cluster.kms_key_arn | default(None) }}" + tags: "{{ rosa_cluster.tags }}" + register: _rosa_cluster + +- name: get info about the cluster + ocm_cluster_info: + name: "{{ rosa_cluster.name }}" + register: _cluster_info + +- when: _cluster_info.cluster.state == 'waiting' + block: + - include_role: + name: operator_roles_create + vars: + cluster_id: "{{ _cluster_info.cluster.id }}" + oidc_endpoint_url: "{{ 
_cluster_info.cluster.aws.sts.oidc_endpoint_url }}" + oidc_id: "{{ _oidc_id | default(omit) }}" + + - include_role: + name: kms_create + when: rosa_cluster.kms_key_arn + + - debug: + msg: | + ******************************************* + * Waiting for cluster to start installing * + ******************************************* + + - name: waiting for cluster to start installing + ocm_cluster_info: + name: "{{ rosa_cluster.name }}" + register: _cluster_info + until: _cluster_info.cluster.state in ["installing","error"] + retries: 10 + delay: 60 + no_log: true + +- when: rosa_cluster.wait | bool + block: + - debug: + msg: | + *********************************** + * Waiting for cluster to be ready * + *********************************** + + You can watch progress logs by running: + $ rosa logs -c {{ rosa_cluster.name }} install -w + + - name: wait for cluster to be ready + ocm_cluster_info: + name: "{{ rosa_cluster.name }}" + register: _cluster_info + until: _cluster_info.cluster.state in ["ready","error"] + retries: 120 + delay: 60 + no_log: true + +- fail: + msg: | + ***************************************** + Cluster Install Failed + {{ _cluster_info.cluster | to_nice_yaml }} + ***************************************** + when: _cluster_info.cluster.state == 'error' diff --git a/roles/rosa_cluster/tests/inventory b/roles/rosa_cluster/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/roles/rosa_cluster/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/roles/rosa_cluster/tests/test.yml b/roles/rosa_cluster/tests/test.yml new file mode 100644 index 0000000..b2db817 --- /dev/null +++ b/roles/rosa_cluster/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - rosa_cluster diff --git a/roles/rosa_cluster/vars/main.yml b/roles/rosa_cluster/vars/main.yml new file mode 100644 index 0000000..f067636 --- /dev/null +++ b/roles/rosa_cluster/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for rosa_cluster 
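Review bot: The two `set_fact: rosa_cluster: subnet_ids: …` tasks in the subnet block replace `rosa_cluster` with a one-key dict — `set_fact` does not merge nested mappings — so every later `rosa_cluster.name`/`.region` read would fail, except that when `rosa_cluster` is supplied as role params (as uninstall.yml does in this diff) the higher-precedence definition masks the fact and the computed subnet list is never applied at all; the `# do this better` comment suggests the author noticed. Store the result in a private fact and read it at the single use site in `ocm_cluster`, as below. Two related points in the same hunk: the `_role_arn`/`_support_role_arn`/`_worker_iam_role` facts interpolate `rosa_cluster.aws_account_id` unguarded (it renders as `None` with the `~` default) while the module call uses `default(omit)`, so an `assert` on `rosa_cluster.aws_account_id` before the ARNs are built would fail early with a clear message rather than at cluster creation; and the block keys on the global `rosa_private_link` while `rosa_cluster.private_link` exists in defaults, presumably meant as the new home for that flag.
```yaml
# … unchanged: debug banner, _private_subnet_ids / _public_subnet_ids fact …
    - name: set subnet_ids when private-link cluster
      set_fact:
        _subnet_ids: "{{ _private_subnet_ids }}"
      when: (rosa_private_link | bool)
    - name: set subnet_ids when public or private cluster
      set_fact:
        _subnet_ids: "{{ _private_subnet_ids + _public_subnet_ids }}"
      when: (not rosa_private_link | bool)
# … unchanged: check if cluster exists, oidc config, role ARN facts …
      subnet_ids: "{{ _subnet_ids | default(rosa_cluster.subnet_ids) | join(',') }}"
# … unchanged: remaining ocm_cluster parameters, operator roles, wait loops …
```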
diff --git a/roles/vpc_create/tasks/main.yml b/roles/vpc_create/tasks/main.yml index 8356d98..ab9eeeb 100644 --- a/roles/vpc_create/tasks/main.yml +++ b/roles/vpc_create/tasks/main.yml @@ -1,6 +1,6 @@ --- - pause: - seconds: 30 + seconds: 5 prompt: | the rh_mobb {{ role_name }} role is being deprecated for the more modular rh_mobb rosa_vpc role. Consider switching. diff --git a/roles/vpc_delete/tasks/main.yml b/roles/vpc_delete/tasks/main.yml index fd2b47b..7e5e3ca 100644 --- a/roles/vpc_delete/tasks/main.yml +++ b/roles/vpc_delete/tasks/main.yml @@ -1,6 +1,6 @@ --- - pause: - seconds: 30 + seconds: 5 prompt: | the rh_mobb {{ role_name }} role is being deprecated for the more modular rh_mobb rosa_vpc role. Consider switching. diff --git a/uninstall.yml b/uninstall.yml index 27ded15..e1f2f70 100644 --- a/uninstall.yml +++ b/uninstall.yml @@ -33,12 +33,26 @@ # - vars/main.yaml roles: - # - name: roles/_vars + - name: roles/_vars # - name: roles/network_math # - name: roles/tgw_create # when: rosa_tgw_enabled | bool # - name: roles/egress_vpc_create # when: rosa_egress_vpc_enabled | bool + + - name: roles/rosa_cluster + vars: + rosa_cluster: + name: "{{ cluster_name }}" + aws_account_id: "{{ aws_account_id }}" + + - name: roles/rosa_account_roles + vars: + rosa_account_roles: + hosted_cp: "{{ rosa_hosted_cp }}" + version: "{{ rosa_account_roles_version }}" + prefix: "{{ rosa_account_roles_prefix }}" + - name: roles/rosa_vpc vars: rosa_vpc: