playbooks/aws/openshift-cluster/build_ami.yml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150

---
- hosts: localhost
  connection: local
  gather_facts: no
  tasks:
  - name: get the necessary vars for ami building
    include_vars: vars.yml

  - name: create a vpc with the name <clusterid>
    include_role:
      name: openshift_aws_vpc
    vars:
      r_openshift_aws_vpc_clusterid: "{{ provision.clusterid }}"
      r_openshift_aws_vpc_cidr: "{{ provision.vpc.cidr }}"
      r_openshift_aws_vpc_subnets: "{{ provision.vpc.subnets }}"
      r_openshift_aws_vpc_region: "{{ provision.region }}"
      r_openshift_aws_vpc_tags: "{{ provision.vpc.tags }}"
      r_openshift_aws_vpc_name: "{{ provision.vpc.name | default(provision.clusterid) }}"

  - name: create aws ssh keypair
    include_role:
      name: openshift_aws_ssh_keys
    vars:
      r_openshift_aws_ssh_keys_users: "{{ provision.instance_users }}"
      r_openshift_aws_ssh_keys_region: "{{ provision.region }}"

  - name: fetch the default subnet id
    ec2_vpc_subnet_facts:
      region: "{{ provision.region }}"
      filters:
        "tag:Name": "{{ provision.vpc.subnets[provision.region][0].az }}"
    register: subnetout

  - name: create instance for ami creation
    ec2:
      assign_public_ip: yes
      region: "{{ provision.region }}"
      key_name: "{{ provision.node_group_config.ssh_key_name }}"
      group: "{{ provision.clusterid }}"
      instance_type: m4.xlarge
      vpc_subnet_id: "{{ subnetout.subnets[0].id }}"
      image: "{{ provision.build.base_image }}"
      volumes:
      - device_name: /dev/sdb
        volume_type: gp2
        volume_size: 100
        delete_on_termination: true
      wait: yes
      exact_count: 1
      count_tag:
        Name: ami_base
      instance_tags:
        Name: ami_base
    register: amibase

  - name: wait for ssh to become available
    wait_for:
      port: 22
      host: "{{ amibase.tagged_instances.0.public_ip }}"
      timeout: 300
      search_regex: OpenSSH

  - name: add host to nodes
    add_host:
      groups: nodes
      name: "{{ amibase.tagged_instances.0.public_dns_name }}"

  - name: set the user to perform installation
    set_fact:
      ansible_ssh_user: root

- name: normalize groups
  include: ../../byo/openshift-cluster/initialize_groups.yml

- name: run the std_include
  include: ../../common/openshift-cluster/evaluate_groups.yml

- name: run the std_include
  include: ../../common/openshift-cluster/initialize_facts.yml

- name: run the std_include
  include: ../../common/openshift-cluster/initialize_openshift_repos.yml

- hosts: nodes
  remote_user: root
  tasks:
  - name: get the necessary vars for ami building
    include_vars: vars.yml

  - set_fact:
      openshift_node_bootstrap: True

  - name: run openshift image preparation
    include_role:
      name: openshift_node

- hosts: localhost
  connection: local
  become: no
  tasks:
  - name: bundle ami
    ec2_ami:
      instance_id: "{{ amibase.tagged_instances.0.id }}"
      region: "{{ provision.region }}"
      state: present
      description: "This was provisioned {{ ansible_date_time.iso8601 }}"
      name: "{{ provision.build.ami_name }}{{ lookup('pipe', 'date +%Y%m%d%H%M')}}"
      tags: "{{ provision.build.openshift_ami_tags }}"
      wait: yes
    register: amioutput

  - debug: var=amioutput

  - when: provision.build.use_encryption | default(False)
    block:
    - name: setup kms key for encryption
      include_role:
        name: openshift_aws_iam_kms
      vars:
        r_openshift_aws_iam_kms_region: "{{ provision.region }}"
        r_openshift_aws_iam_kms_alias: "alias/{{ provision.clusterid }}_kms"

    - name: augment the encrypted ami tags with source-ami
      set_fact:
        source_tag:
          source-ami: "{{ amioutput.image_id }}"

    - name: copy the ami for encrypted disks
      include_role:
        name: openshift_aws_ami_copy
      vars:
        r_openshift_aws_ami_copy_region: "{{ provision.region }}"
        r_openshift_aws_ami_copy_name: "{{ provision.build.ami_name }}{{ lookup('pipe', 'date +%Y%m%d%H%M')}}-encrypted"
        r_openshift_aws_ami_copy_src_ami: "{{ amioutput.image_id }}"
        r_openshift_aws_ami_copy_kms_alias: "alias/{{ provision.clusterid }}_kms"
        r_openshift_aws_ami_copy_tags: "{{ source_tag | combine(provision.build.openshift_ami_tags) }}"
        r_openshift_aws_ami_copy_encrypt: "{{ provision.build.use_encryption }}"
        # this option currently fails due to boto waiters
        # when supported this need to be reapplied
        #r_openshift_aws_ami_copy_wait: True

    - name: Display newly created encrypted ami id
      debug:
        msg: "{{ r_openshift_aws_ami_copy_retval_custom_ami }}"

  - name: terminate temporary instance
    ec2:
      state: absent
      region: "{{ provision.region }}"
      instance_ids: "{{ amibase.tagged_instances.0.id }}"