---
#####
# Instance profiles consist of two parts. The first part is creating a role
# in which the instance has access and will use this role's permissions
# to make API calls on his behalf.  This role requires a trust policy
# which links a service (ec2) to the role.  This states that this role
# has access to make call ec2 API calls.
# See ../files/trustpolicy.json
#
# Currently openshift-node requires
# access to the AWS API to call describeinstances.
# https://bugzilla.redhat.com/show_bug.cgi?id=1510519
#####
- name: Create an iam role
  iam_role:
    name: "{{ l_node_group_config[openshift_aws_node_group.group].iam_role }}"
    assume_role_policy_document: "{{ lookup('file','trustpolicy.json') }}"
    state: "{{ openshift_aws_iam_role_state | default('present') }}"
  when: l_node_group_config[openshift_aws_node_group.group].iam_role is defined

#####
# The second part of this task file is linking the role to a policy
# that specifies which calls the role can make to the ec2 API.
# Currently all that is required is DescribeInstances.
# See ../files/describeinstances.json
#####
- name: create an iam policy
  iam_policy:
    iam_type: role
    iam_name: "{{ l_node_group_config[openshift_aws_node_group.group].iam_role }}"
    policy_json: "{{ l_node_group_config[openshift_aws_node_group.group].policy_json }}"
    policy_name: "{{ l_node_group_config[openshift_aws_node_group.group].policy_name }}"
    state: "{{ openshift_aws_iam_role_state | default('present') }}"
  when: "'iam_role' in l_node_group_config[openshift_aws_node_group.group]"