blob: d9910d93886bd5dde64f0c66834ba8c954bb3791 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
|
---
#####
# Instance profiles consist of two parts. The first part is creating a role
# in which the instance has access and will use this role's permissions
# to make API calls on his behalf. This role requires a trust policy
# which links a service (ec2) to the role. This states that this role
# has access to make call ec2 API calls.
# See ../files/trustpolicy.json
#
# Currently openshift-node requires
# access to the AWS API to call describeinstances.
# https://bugzilla.redhat.com/show_bug.cgi?id=1510519
#####
- name: Create an iam role
iam_role:
name: "{{ item.value.iam_role }}"
assume_role_policy_document: "{{ lookup('file','trustpolicy.json') }}"
state: "{{ openshift_aws_iam_role_state | default('present') }}"
when: item.value.iam_role is defined
with_dict: "{{ l_nodes_to_build }}"
#####
# The second part of this task file is linking the role to a policy
# that specifies which calls the role can make to the ec2 API.
# Currently all that is required is DescribeInstances.
# See ../files/describeinstances.json
#####
- name: create an iam policy
iam_policy:
iam_type: role
iam_name: "{{ item.value.iam_role }}"
policy_json: "{{ item.value.policy_json }}"
policy_name: "{{ item.value.policy_name }}"
state: "{{ openshift_aws_iam_role_state | default('present') }}"
when: item.value.iam_role is defined
with_dict: "{{ l_nodes_to_build }}"
|
