path: root/roles/openshift_aws/tasks/iam_role.yml
---
#####
# Instance profiles consist of two parts. The first part is creating a role
# that the instance will use: API calls made from the node are authorized by
# this role's permissions, acting on the instance's behalf. The role requires
# a trust (assume-role) policy which lets the EC2 service assume it. Note that
# the trust policy only controls WHO may assume the role; it grants no API
# permissions by itself -- those come from the policy attached in the second
# task of this file.
# See ../files/trustpolicy.json
#
# Currently openshift-node requires
# access to the AWS API to call describeinstances.
# https://bugzilla.redhat.com/show_bug.cgi?id=1510519
#####
# Review notes:
# - The role name is read from the node group config (iam_role key). The task
#   is skipped entirely when that key is absent, so such node groups get no
#   role from this file.
# - state defaults to 'present'; setting openshift_aws_iam_role_state to
#   'absent' turns this task into removal of the role.
# - The trust document is read verbatim with lookup('file'), presumably from
#   the role's files/ directory referenced above -- review that file whenever
#   the set of principals allowed to assume the role matters.
- name: Create an iam role
  iam_role:
    name: "{{ l_node_group_config[openshift_aws_node_group.group].iam_role }}"
    assume_role_policy_document: "{{ lookup('file','trustpolicy.json') }}"
    state: "{{ openshift_aws_iam_role_state | default('present') }}"
  when: l_node_group_config[openshift_aws_node_group.group].iam_role is defined

#####
# The second part of this task file is linking the role to a policy
# that specifies which calls the role can make to the ec2 API.
# Currently all that is required is DescribeInstances.
# See ../files/describeinstances.json
#####
# Review notes:
# - policy_json is taken from the node group config and attached as supplied,
#   so whatever the inventory provides becomes the role's permissions. Keep it
#   at the DescribeInstances-only scope described above unless a further
#   requirement is documented.
# - This guard tests for the presence of the iam_role key, whereas the first
#   task uses "is defined" on the same value; both skip when the key is
#   missing. When iam_role IS present, policy_json and policy_name must also
#   be set -- otherwise the task fails on the undefined variable rather than
#   skipping.
# - iam_policy with iam_type role attaches the policy to the named role; the
#   iam_policy module manages inline policies rather than managed policies --
#   TODO confirm against the module version in use.
# - state shares openshift_aws_iam_role_state with the role task, so 'absent'
#   removes role and policy together.
- name: create an iam policy
  iam_policy:
    iam_type: role
    iam_name: "{{ l_node_group_config[openshift_aws_node_group.group].iam_role }}"
    policy_json: "{{ l_node_group_config[openshift_aws_node_group.group].policy_json }}"
    policy_name: "{{ l_node_group_config[openshift_aws_node_group.group].policy_name }}"
    state: "{{ openshift_aws_iam_role_state | default('present') }}"
  when: "'iam_role' in l_node_group_config[openshift_aws_node_group.group]"