#jinja2: lstrip_blocks: True
|
---
|
AWSTemplateFormatVersion: "2010-09-09"
|
Mappings:
|
RegionMapping:
|
us-east-1:
|
{% if osrelease is version_compare('3.9.25', '>=') %}
|
RHELAMI: ami-6871a115
|
{% else %}
|
RHELAMI: ami-c998b6b2
|
{% endif %}
|
us-east-2:
|
{% if osrelease is version_compare('3.9.25', '>=') %}
|
RHELAMI: ami-03291866
|
{% else %}
|
RHELAMI: ami-cfdafaaa
|
{% endif %}
|
us-west-1:
|
{% if osrelease is version_compare('3.9.25', '>=') %}
|
RHELAMI: ami-18726478
|
{% else %}
|
RHELAMI: ami-66eec506
|
{% endif %}
|
us-west-2:
|
{% if osrelease is version_compare('3.9.25', '>=') %}
|
RHELAMI: ami-28e07e50
|
{% else %}
|
RHELAMI: ami-223f945a
|
{% endif %}
|
eu-west-1:
|
{% if osrelease is version_compare('3.9.25', '>=') %}
|
RHELAMI: ami-7c491f05
|
{% else %}
|
RHELAMI: ami-bb9a6bc2
|
{% endif %}
|
eu-central-1:
|
{% if osrelease is version_compare('3.9.25', '>=') %}
|
RHELAMI: ami-c86c3f23
|
{% else %}
|
RHELAMI: ami-d74be5b8
|
{% endif %}
|
ap-northeast-1:
|
{% if osrelease is version_compare('3.9.25', '>=') %}
|
RHELAMI: ami-6b0d5f0d
|
{% else %}
|
RHELAMI: ami-30ef0556
|
{% endif %}
|
ap-northeast-2:
|
{% if osrelease is version_compare('3.9.25', '>=') %}
|
RHELAMI: ami-3eee4150
|
{% else %}
|
RHELAMI: ami-0f5a8361
|
{% endif %}
|
ap-southeast-1:
|
{% if osrelease is version_compare('3.9.25', '>=') %}
|
RHELAMI: ami-76144b0a
|
{% else %}
|
RHELAMI: ami-10bb2373
|
{% endif %}
|
ap-southeast-2:
|
{% if osrelease is version_compare('3.9.25', '>=') %}
|
RHELAMI: ami-67589505
|
{% else %}
|
RHELAMI: ami-ccecf5af
|
{% endif %}
|
ap-south-1:
|
{% if osrelease is version_compare('3.9.25', '>=') %}
|
RHELAMI: ami-5b673c34
|
{% else %}
|
RHELAMI: ami-cdbdd7a2
|
{% endif %}
|
sa-east-1:
|
{% if osrelease is version_compare('3.9.25', '>=') %}
|
RHELAMI: ami-b0b7e3dc
|
{% else %}
|
RHELAMI: ami-a789ffcb
|
{% endif %}
|
DNSMapping:
|
us-east-1:
|
domain: "us-east-1.compute.internal"
|
us-west-1:
|
domain: "us-west-1.compute.internal"
|
us-west-2:
|
domain: "us-west-2.compute.internal"
|
eu-west-1:
|
domain: "eu-west-1.compute.internal"
|
eu-central-1:
|
domain: "eu-central-1.compute.internal"
|
ap-northeast-1:
|
domain: "ap-northeast-1.compute.internal"
|
ap-northeast-2:
|
domain: "ap-northeast-2.compute.internal"
|
ap-southeast-1:
|
domain: "ap-southeast-1.compute.internal"
|
ap-southeast-2:
|
domain: "ap-southeast-2.compute.internal"
|
sa-east-1:
|
domain: "sa-east-1.compute.internal"
|
ap-south-1:
|
domain: "ap-south-1.compute.internal"
|
|
Resources:
|
Vpc:
|
Type: "AWS::EC2::VPC"
|
Properties:
|
CidrBlock: "192.199.0.0/16"
|
EnableDnsSupport: true
|
EnableDnsHostnames: true
|
Tags:
|
- Key: Name
|
Value: "{{vpcid_name_tag}}"
|
- Key: Hostlication
|
Value:
|
Ref: "AWS::StackId"
|
|
VpcInternetGateway:
|
Type: "AWS::EC2::InternetGateway"
|
|
VpcGA:
|
Type: "AWS::EC2::VPCGatewayAttachment"
|
Properties:
|
InternetGatewayId:
|
Ref: VpcInternetGateway
|
VpcId:
|
Ref: Vpc
|
|
VpcRouteTable:
|
Type: "AWS::EC2::RouteTable"
|
Properties:
|
VpcId:
|
Ref: Vpc
|
|
VPCRouteInternetGateway:
|
DependsOn: VpcGA
|
Type: "AWS::EC2::Route"
|
Properties:
|
GatewayId:
|
Ref: VpcInternetGateway
|
DestinationCidrBlock: "0.0.0.0/0"
|
RouteTableId:
|
Ref: VpcRouteTable
|
|
PublicSubnet:
|
Type: "AWS::EC2::Subnet"
|
DependsOn:
|
- Vpc
|
Properties:
|
CidrBlock: "192.199.0.0/24"
|
Tags:
|
- Key: Name
|
Value: "{{project_tag}}"
|
- Key: Hostlication
|
Value:
|
Ref: "AWS::StackId"
|
MapPublicIpOnLaunch: true
|
VpcId:
|
Ref: Vpc
|
|
PublicSubnetRTA:
|
Type: "AWS::EC2::SubnetRouteTableAssociation"
|
Properties:
|
RouteTableId:
|
Ref: VpcRouteTable
|
SubnetId:
|
Ref: PublicSubnet
|
|
HostSG:
|
Type: "AWS::EC2::SecurityGroup"
|
Properties:
|
GroupDescription: Host
|
VpcId:
|
Ref: Vpc
|
Tags:
|
- Key: Name
|
Value: host_sg
|
|
HostUDPPorts:
|
Type: "AWS::EC2::SecurityGroupIngress"
|
Properties:
|
GroupId:
|
Fn::GetAtt:
|
- HostSG
|
- GroupId
|
IpProtocol: udp
|
FromPort: 0
|
ToPort: 65535
|
CidrIp: "0.0.0.0/0"
|
|
HostTCPPorts:
|
Type: "AWS::EC2::SecurityGroupIngress"
|
Properties:
|
GroupId:
|
Fn::GetAtt:
|
- HostSG
|
- GroupId
|
IpProtocol: tcp
|
FromPort: 0
|
ToPort: 65535
|
CidrIp: "0.0.0.0/0"
|
|
zoneinternalidns:
|
Type: "AWS::Route53::HostedZone"
|
Properties:
|
Name: "{{ zone_internal_dns }}"
|
VPCs:
|
- VPCId:
|
Ref: Vpc
|
VPCRegion:
|
Ref: "AWS::Region"
|
HostedZoneConfig:
|
Comment: "Created By ansible agnostic deployer"
|
|
CerttestDNS:
|
Type: AWS::Route53::RecordSetGroup
|
DependsOn:
|
- master1EIP
|
Properties:
|
HostedZoneId: "{{HostedZoneId}}"
|
RecordSets:
|
- Name: "{{certtest_public_dns}}"
|
Type: A
|
TTL: 10
|
ResourceRecords:
|
- Fn::GetAtt:
|
- master1
|
- PublicIp
|
|
CloudDNS:
|
Type: AWS::Route53::RecordSetGroup
|
DependsOn:
|
{% for c in range(1,(infranode_instance_count|int)+1) %}
|
- "infranode{{loop.index}}EIP"
|
{% endfor %}
|
Properties:
|
HostedZoneId: "{{HostedZoneId}}"
|
RecordSets:
|
- Name: "{{cloudapps_dns}}"
|
Type: A
|
TTL: 900
|
ResourceRecords:
|
{% for c in range(1,(infranode_instance_count|int)+1) %}
|
- Fn::GetAtt:
|
- infranode{{loop.index}}
|
- PublicIp
|
{% endfor %}
|
|
{% for instance in instances %}
|
{% if instance['dns_loadbalancer']|d(false)|bool and not instance['unique']|d(false)|bool %}
|
{{instance['name']}}DNSLoadBalancer:
|
Type: "AWS::Route53::RecordSetGroup"
|
DependsOn:
|
{% for c in range(1, (instance['count']|int)+1) %}
|
- {{instance['name']}}{{c}}EIP
|
{% endfor %}
|
Properties:
|
HostedZoneId: {{HostedZoneId}}
|
RecordSets:
|
- Name: "{{instance['name']}}.{{subdomain_base}}."
|
Type: A
|
TTL: 900
|
ResourceRecords:
|
{% for c in range(1,(instance['count'] |int)+1) %}
|
- "Fn::GetAtt":
|
- {{instance['name']}}{{c}}
|
- PublicIp
|
{% endfor %}
|
{% endif %}
|
|
{% for c in range(1,(instance['count'] |int)+1) %}
|
{{instance['name']}}{{loop.index}}:
|
Type: "AWS::EC2::Instance"
|
Properties:
|
{% if (instance_default_image is defined
|
and env_type in instance_default_image
|
and osrelease in instance_default_image[env_type]
|
and aws_region in instance_default_image[env_type][osrelease])
|
%}
|
ImageId: {{ instance_default_image[env_type][osrelease][aws_region] }}
|
{% else %}
|
ImageId:
|
Fn::FindInMap:
|
- RegionMapping
|
- Ref: AWS::Region
|
- {{ instance['image_id'] | default('RHELAMI') }}
|
{% endif %}
|
InstanceType: "{{instance['flavor'][cloud_provider]}}"
|
KeyName: "{{instance['key_name'] | default(key_name)}}"
|
{% if instance['UserData'] is defined %}
|
{{instance['UserData']}}
|
{% endif %}
|
SecurityGroupIds:
|
- "Fn::GetAtt":
|
- HostSG
|
- GroupId
|
SubnetId:
|
Ref: PublicSubnet
|
Tags:
|
{% if instance['unique'] | d(false) | bool %}
|
- Key: Name
|
Value: {{instance['name']}}
|
- Key: internaldns
|
Value: {{instance['name']}}.{{chomped_zone_internal_dns}}
|
{% else %}
|
- Key: Name
|
Value: {{instance['name']}}{{loop.index}}
|
- Key: internaldns
|
Value: {{instance['name']}}{{loop.index}}.{{chomped_zone_internal_dns}}
|
{% endif %}
|
{% if instance['name'] == 'node' %}
|
{% if c > (node_instance_count|int) - (new_node_instance_count|int) %}
|
- Key: newnode
|
Value: true
|
{% endif %}
|
{% endif %}
|
- Key: "owner"
|
Value: "{{ email | default('unknownuser') }}"
|
- Key: "Project"
|
Value: "{{project_tag}}"
|
- Key: "{{project_tag}}"
|
Value: "{{ instance['name'] }}"
|
{% for tag in instance['tags'] %}
|
- Key: {{tag['key']}}
|
Value: {{tag['value']}}
|
{% endfor %}
|
BlockDeviceMappings:
|
- DeviceName: "/dev/sda1"
|
Ebs:
|
VolumeSize: {{ instance['rootfs_size'] | default('50') }}
|
{% for vol in instance['volumes']|default([]) if
|
(vol.purpose|d('') == 'glusterfs' and install_glusterfs|bool)
|
or (vol.purpose|d('') == 'nfs' and install_nfs|bool)
|
or vol.purpose|d('') not in ['glusterfs', 'nfs'] %}
|
- DeviceName: "{{ vol['device_name'] }}"
|
Ebs:
|
VolumeType: "{{ vol['volume_type'] | d('gp2') }}"
|
VolumeSize: "{{ vol['volume_size'] | d('20') }}"
|
{% endfor %}
|
|
{{instance['name']}}{{loop.index}}InternalDNS:
|
Type: "AWS::Route53::RecordSetGroup"
|
Properties:
|
HostedZoneId:
|
Ref: zoneinternalidns
|
RecordSets:
|
{% if instance['unique'] | d(false) | bool %}
|
- Name: "{{instance['name']}}.{{zone_internal_dns}}"
|
{% else %}
|
- Name: "{{instance['name']}}{{loop.index}}.{{zone_internal_dns}}"
|
{% endif %}
|
Type: A
|
TTL: 10
|
ResourceRecords:
|
- "Fn::GetAtt":
|
- {{instance['name']}}{{loop.index}}
|
- PrivateIp
|
|
{% if instance['public_dns'] %}
|
{{instance['name']}}{{loop.index}}EIP:
|
Type: "AWS::EC2::EIP"
|
DependsOn:
|
- VpcGA
|
Properties:
|
InstanceId:
|
Ref: {{instance['name']}}{{loop.index}}
|
|
{{instance['name']}}{{loop.index}}PublicDNS:
|
Type: "AWS::Route53::RecordSetGroup"
|
DependsOn:
|
- {{instance['name']}}{{loop.index}}EIP
|
Properties:
|
HostedZoneId: {{HostedZoneId}}
|
RecordSets:
|
{% if instance['unique'] | d(false) | bool %}
|
- Name: "{{instance['name']}}.{{subdomain_base}}."
|
{% else %}
|
- Name: "{{instance['name']}}{{loop.index}}.{{subdomain_base}}."
|
{% endif %}
|
Type: A
|
TTL: 10
|
ResourceRecords:
|
- "Fn::GetAtt":
|
- {{instance['name']}}{{loop.index}}
|
- PublicIp
|
{% endif %}
|
{% endfor %}
|
{% endfor %}
|
|
|
|
Route53User:
|
Type: AWS::IAM::User
|
Properties:
|
Policies:
|
- PolicyName: Route53Access
|
PolicyDocument:
|
Statement:
|
- Effect: Allow
|
Action: route53domains:*
|
Resource: "*"
|
- Effect: Allow
|
Action: route53:*
|
Resource: "*"
|
|
Route53UserAccessKey:
|
DependsOn: Route53User
|
Type: AWS::IAM::AccessKey
|
Properties:
|
UserName:
|
Ref: Route53User
|
{% if s3bucket | d(false) | bool %}
|
RegistryS3:
|
Type: "AWS::S3::Bucket"
|
Properties:
|
BucketName: "{{ env_type }}-{{ guid }}"
|
Tags:
|
- Key: Name
|
Value: "s3-{{ env_type }}-{{ guid }}"
|
- Key: Project
|
Value: "{{project_tag}}"
|
- Key: owner
|
Value: "{{ email | default('unknown')}}"
|
|
S3User:
|
Type: AWS::IAM::User
|
DependsOn:
|
- RegistryS3
|
Properties:
|
Policies:
|
- PolicyName: S3Access
|
PolicyDocument:
|
Statement:
|
- Effect: Allow
|
Action: s3:ListAllMyBuckets
|
Resource: "*"
|
- Effect: Allow
|
Action: "s3:*"
|
Resource:
|
Fn::Join:
|
- ""
|
- - "arn:aws:s3:::"
|
- Ref: RegistryS3
|
- "/*"
|
|
S3UserAccessKey:
|
Type: AWS::IAM::AccessKey
|
DependsOn:
|
- S3User
|
Properties:
|
UserName:
|
Ref: S3User
|
|
BucketPolicy:
|
Type: AWS::S3::BucketPolicy
|
DependsOn:
|
- RegistryS3
|
Properties:
|
PolicyDocument:
|
Id: Give registry access to user
|
Statement:
|
- Sid: AllAccess
|
Action:
|
- "s3:*"
|
Effect: Allow
|
Resource:
|
Fn::Join:
|
- ""
|
- - "arn:aws:s3:::"
|
- Ref: RegistryS3
|
Principal:
|
AWS:
|
Fn::GetAtt:
|
- S3User
|
- Arn
|
Bucket:
|
Ref: RegistryS3
|
{% endif %}
|
|
|
Outputs:
|
Route53internalzoneOutput:
|
Description: The ID of the internal route 53 zone
|
Value:
|
Ref: zoneinternalidns
|
{% if s3bucket | d(false) | bool %}
|
S3User:
|
Value:
|
Ref: S3User
|
Description: IAM User for RegistryS3
|
S3UserAccessKey:
|
Value:
|
Ref: S3UserAccessKey
|
Description: IAM User for RegistryS3
|
S3UserSecretAccessKey:
|
Value:
|
Fn::GetAtt:
|
- S3UserAccessKey
|
- SecretAccessKey
|
Description: IAM User for RegistryS3
|
{% endif %}
|
|
Route53User:
|
Value:
|
Ref: Route53User
|
Description: IAM User for Route53 (Let's Encrypt)
|
Route53UserAccessKey:
|
Value:
|
Ref: Route53UserAccessKey
|
Description: IAM User for Route53 (Let's Encrypt)
|
Route53UserSecretAccessKey:
|
Value:
|
Fn::GetAtt:
|
- Route53UserAccessKey
|
- SecretAccessKey
|
Description: IAM User for Route53 (Let's Encrypt)
|