Infra role: AWS sandbox accounts (#341)
SUMMARY
This change adds a new role: infra-aws-sandbox.
The role automates the creation of AWS accounts in our organization.
The goal is to have a pool of accounts to deploy labs or demos on. This will prevent future rate-limit and limit issues since they are per-account.
It will also help us create new kinds of labs in which we give students temporary AWS credentials.
A.K.A.:
No more centralised, "bloated" and shared AWS account
Divide to conquer.
ISSUE TYPE: New role Pull Request
COMPONENT NAME: infra-aws-sandbox
Squashed commits:
* Create infra-aws-sandbox role
* Add keypairs, add report.txt
* Add prechecks file
* Retrieve account ID when account already exists (idempotency)
* Fix cloudformation by retrying
* Do not generate ipa commands for creation as it's done by role
* Tune ipa command failed_when and changed_when
* Update readme with another example
* Remove from IPA NS records that are not needed anymore
* Add RESET action
* use alias suffix
* Do not delete the main route53 zone. Parameterize aws_nuke_filters
Use 'combine' filter and a default aws_nuke_filters_default variable.
* Change 'action' to 'operation' since 'action' is a reserved name
Fix [WARNING]
* Create vault password file to encrypt secret access key
* Fix hosted zone id filter
* Add pool management (PoC with dynamodb)
* Add tags and fix names
* Fix ipa-add NS-record when operation=CREATE
* Update DB with account information at creation too
* Add nuke-config jinja2 template
* Unify report, use ansible variable names. Fix 2.6 compat
* Use put-item instead of update-item for RESET operation
We want to cleanup everything and don't want to keep GUID or ENVTYPE
information.
* Do not fail at sudo. If sudo fails, assume aws-nuke is installed.
* Add an option to use kerberos keytab instead of passwords
* Add tags profile
* Fix report variable secret access key
* Create user AFTER reset, not before.
* Do not re-import opentlc backdoor key when operation == RESET
* Make Nuke async task with polling
* Fix templating error due to skipped task
TASK [infra-aws-sandbox : Import OPENTLC backdoor key] ********************************
Friday 08 March 2019 12:45:14 +0100 (0:00:00.071) 0:03:49.662 **********
fatal: [admin-dev.na.shared.opentlc.com]: FAILED! =>
msg: 'Unexpected templating type error occurred on ({{ _regions.stdout | from_json | list }}):
expected string or buffer'
* Fix IPA condition. It was skipped when used with kerberos_keytab
* Add new variable available_after_reset
* Do not get the list of accounts every time, just at the beginning
In case it's used in a loop.
* Add OU tags
* Add account tag
* Don't delete IAM user keys when operation == CREATE
* Remove comments
* Get OU root id only once
* Fix ipa condition: add keytab
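The commits "Do not delete the main route53 zone. Parameterize aws_nuke_filters" and "Add nuke-config jinja2 template" describe a pattern worth spelling out: a role-level default filter set that always protects the account's main hosted zone, merged with caller-supplied filters via the Ansible `combine` filter, then rendered into the aws-nuke configuration. The snippet below is an added illustration of that pattern, not code from the infra-aws-sandbox role itself. Only `aws_nuke_filters` and `aws_nuke_filters_default` are taken from the commit messages; the file layout, `_main_hosted_zone_id`, `master_account_id`, `account_id`, `nuke_config_path` and the template contents are assumptions.

```yaml
# defaults/main.yml (assumed layout)
# Filters that must always reach aws-nuke, so a RESET never destroys the
# account's main Route53 zone. _main_hosted_zone_id is assumed to be a fact
# set earlier in the role (e.g. from a `route53_info` / CLI lookup).
aws_nuke_filters_default:
  Route53HostedZone:
    - property: ID
      value: "{{ _main_hosted_zone_id }}"

# Caller-supplied extras; empty unless the playbook overrides it.
aws_nuke_filters: {}

# tasks/nuke.yml (assumed layout)
# recursive=True merges nested dicts. Lists are NOT merged on Ansible 2.6:
# a caller entry for the same resource type (Route53HostedZone) would
# replace the protective default, so put caller filters under other types
# or re-include the zone filter explicitly.
- name: Merge caller-supplied aws-nuke filters with the protective defaults
  set_fact:
    _aws_nuke_filters: "{{ aws_nuke_filters_default | combine(aws_nuke_filters, recursive=True) }}"

- name: Render the aws-nuke configuration from the merged filters
  template:
    src: nuke-config.yml.j2
    dest: "{{ nuke_config_path }}"
    mode: "0600"   # the file names the target account; keep it owner-readable

# templates/nuke-config.yml.j2 (assumed contents; shown here for reference)
# regions:
#   - global
# {% for region in _regions.stdout | from_json %}
#   - {{ region }}
# {% endfor %}
# account-blacklist:
#   - "{{ master_account_id }}"      # the organization's management account must never be nuked
# accounts:
#   "{{ account_id }}":
#     filters:
#       {{ _aws_nuke_filters | to_nice_yaml | indent(6) }}
```

Two checks are worth keeping when adopting this: assert that the rendered file lists exactly one account under `accounts:` and that the management account is present in the blacklist before invoking aws-nuke, since the nuke run is async with polling and cannot be stopped once the delete calls have started.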