## TODO: What variables can we strip out of here to build complex variables?
## i.e. what can we add into group_vars as opposed to config_vars?
## Example: We don't really need "subdomain_base_short". If we want to use this,
## should just toss in group_vars/all.
### Also, we should probably just create a variable reference in the README.md
### For now, just tagging comments in line with configuration file.
### Vars that can be removed:
# use_satellite: true
# use_subscription_manager: false
# use_own_repos: false
###### VARIABLES YOU SHOULD CONFIGURE FOR YOUR DEPLOYEMNT
###### OR PASS as "-e" args to ansible-playbook command
### Common Host settings
repo_method: file # Other Options are: file, satellite and rhn
windows_password: 'jVMijRwLbI02gFCo2xkjlZ9lxEA7bm7zgg=='
tower_admin_password: 'r3dh4t1!'
# Do you want to run a full yum update
update_packages: false
#If using repo_method: satellite, you must set these values as well.
# satellite_url: https://satellite.example.com
# satellite_org: Sat_org_name
# satellite_activationkey: "rhel7basic"
## guid is the deployment unique identifier, it will be appended to all tags,
## files and anything that identifies this environment from another "just like it"
guid: defaultguid
install_bastion: true
install_common: true
software_to_deploy: none
repo_version: "3.5"
### If you want a Key Pair name created and injected into the hosts,
# set `set_env_authorized_key` to true and set the keyname in `env_authorized_key`
# you can use the key used to create the environment or use your own self generated key
# if you set "use_own_key" to false your PRIVATE key will be copied to the bastion. (This is {{key_name}})
use_own_key: true
env_authorized_key: "{{guid}}key"
ansible_ssh_private_key_file: ~/.ssh/{{key_name}}.pem
set_env_authorized_key: true
vpcid_cidr_block: "192.168.1.0/24"
# Is this running from Red Hat Ansible Tower
tower_run: false
### AWS EC2 Environment settings
### Route 53 Zone ID (AWS)
# This is the Route53 HostedZoneId where you will create your Public DNS entries
# This only needs to be defined if your CF template uses route53
HostedZoneId: Z3IHLWJZOU9SRT
# The region to be used, if not specified by -e in the command line
aws_region: ap-southeast-2
# The key that is used to
key_name: "default_key_name"
## Networking (AWS)
subdomain_base_short: "{{ guid }}"
subdomain_base_suffix: ".example.opentlc.com"
subdomain_base: "{{subdomain_base_short}}{{subdomain_base_suffix}}"
## Environment Sizing
bastion_instance_type: "t2.medium"
tower_instance_count: 3
tower_instance_type: "c4.large"
support_instance_count: 2
support_instance_type: "t2.medium"
frontend_instance_count: 1
frontend_instance_type: "t2.small"
app_instance_count: 2
app_instance_type: "{{frontend_instance_type}}"
appdb_instance_count: 1
appdb_instance_type: "{{frontend_instance_type}}"
activedirectory_instance_count: 1
activedirectory_instance_type: "t2.large"
subnets:
- name: PublicSubnet
cidr: "192.168.1.0/24"
routing_table: true
security_groups:
- name: BastionSG
rules:
- name: BasSSHPublic
description: "SSH public"
from_port: 22
to_port: 22
protocol: tcp
cidr: "0.0.0.0/0"
rule_type: Ingress
- name: TowerSG
rules:
- name: HTTPTower
description: "HTTP public"
from_port: 80
to_port: 80
protocol: tcp
cidr: "0.0.0.0/0"
rule_type: Ingress
- name: HTTPSTower
description: "HTTP public"
from_port: 443
to_port: 443
protocol: tcp
cidr: "0.0.0.0/0"
rule_type: Ingress
- name: BasTowerTcp
description: "ALL from bastion tcp"
from_port: 0
to_port: 65535
protocol: tcp
group: BastionSG
rule_type: Ingress
- name: BasTowerUdp
description: "ALL from bastion udp"
from_port: 0
to_port: 65535
protocol: udp
group: BastionSG
rule_type: Ingress
- name: AllInternaltcp
description: "All other nodes tcp"
from_port: 0
to_port: 65535
protocol: tcp
group: HostSG
rule_type: Ingress
- name: AllInternaludp
description: "All other nodes udp"
from_port: 0
to_port: 65535
protocol: udp
group: HostSG
rule_type: Ingress
- name: AllTowerNodestcp
description: "All tower nodes tcp"
from_port: 0
to_port: 65535
protocol: tcp
group: TowerSG
rule_type: Ingress
- name: AllTowerNodesudp
description: "All tower nodes udp"
from_port: 0
to_port: 65535
protocol: udp
group: TowerSG
rule_type: Ingress
- name: WINSG
rules:
# - name: BasUDPPorts
# description: "Udp from bastion"
# from_port: 0
# to_port: 65535
# protocol: udp
# group: BastionSG
# rule_type: Ingress
# - name: BasTCPPorts
# description: "TCP from bastion"
# from_port: 0
# to_port: 65535
# protocol: tcp
# group: BastionSG
# rule_type: Ingress
# - name: TowUDPPorts
# description: "Udp from tower"
# from_port: 0
# to_port: 65535
# protocol: udp
# group: TowerSG
# rule_type: Ingress
# - name: TowTCPPorts
# description: "TCP from Tower"
# from_port: 0
# to_port: 65535
# protocol: tcp
# group: TowerSG
# rule_type: Ingress
- name: WINPortsTCP
description: "Win tcp"
from_port: 0
to_port: 65535
protocol: tcp
cidr: "0.0.0.0/0"
rule_type: Ingress
- name: WINPortsUdp
description: "Win udp"
from_port: 0
to_port: 65535
protocol: udp
cidr: "0.0.0.0/0"
rule_type: Ingress
- name: HostSG
rules:
- name: HostUDPPorts
description: "Only from Itself udp"
from_port: 0
to_port: 65535
protocol: udp
group: HostSG
rule_type: Ingress
- name: HostTCPPorts
description: "Only from Itself tcp"
from_port: 0
to_port: 65535
protocol: tcp
group: HostSG
rule_type: Ingress
- name: TowerUDPPorts
description: "Only from tower"
from_port: 0
to_port: 65535
protocol: udp
group: TowerSG
rule_type: Ingress
- name: TowerTCPPorts
description: "Only from tower"
from_port: 0
to_port: 65535
protocol: tcp
group: TowerSG
rule_type: Ingress
- name: BastionUDPPorts
description: "Only from bastion"
from_port: 0
to_port: 65535
protocol: udp
group: BastionSG
rule_type: Ingress
- name: BastionTCPPorts
description: "Only from bastion"
from_port: 0
to_port: 65535
protocol: tcp
group: BastionSG
rule_type: Ingress
instances:
- name: "tower"
count: "{{tower_instance_count}}"
security_group: "TowerSG"
public_dns: true
dns_loadbalancer: true
flavor:
"ec2": "{{tower_instance_type}}"
tags:
- key: "AnsibleGroup"
value: "towers"
- key: "ostype"
value: "linux"
- name: "ad"
count: "{{activedirectory_instance_count}}"
public_dns: true
security_group: "WINSG"
flavor:
"ec2": "{{activedirectory_instance_type}}"
image_id: WIN2012R2AMI
UserData: |
UserData:
"Fn::Base64":
"Fn::Join":
- ""
- - "\n"
- "$admin = [adsi]('WinNT://./administrator, user')\n"
- "$admin.PSBase.Invoke('SetPassword', '{{windows_password}}')\n"
- "$scriptPath=((New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1'))\n"
- "Invoke-Command -ScriptBlock ([scriptblock]::Create($scriptPath)) -ArgumentList '-skipNetworkProfileCheck'\n"
- ""
tags:
- key: "AnsibleGroup"
value: "activedirectories,windows"
- key: "ostype"
value: "windows"
- name: "support"
count: "{{support_instance_count}}"
public_dns: true
security_group: "HostSG"
flavor:
"ec2": "{{support_instance_type}}"
tags:
- key: "AnsibleGroup"
value: "support"
- key: "ostype"
value: "rhel"
key_name: "{{key_name}}"
# - name: "frontend"
# count: "{{frontend_instance_count}}"
# public_dns: true
# security_group: "HostSG"
# dns_loadbalancer: true
# flavor:
# "ec2": "{{frontend_instance_type}}"
# tags:
# - key: "AnsibleGroup"
# value: "frontends"
# - key: "ostype"
# value: "linux"
# - name: "app"
# count: "{{app_instance_count}}"
# public_dns: true
# security_group: "HostSG"
# flavor:
# "ec2": "{{app_instance_type}}"
# tags:
# - key: "AnsibleGroup"
# value: "apps"
# - key: "ostype"
# value: "rhel"
# key_name: "{{key_name}}"
# - name: "appdb"
# count: "{{appdb_instance_count}}"
# public_dns: true
# security_group: "HostSG"
# flavor:
# "ec2": "{{appdb_instance_type}}"
# tags:
# - key: "AnsibleGroup"
# value: "appdbs"
# - key: "ostype"
# value: "rhel"
# key_name: "{{key_name}}"
install_win_ssh: true
install_win_ad: true
###### VARIABLES YOU SHOULD ***NOT*** CONFIGURE FOR YOUR DEPLOYEMNT
###### You can, but you usually wouldn't need to.
ansible_ssh_user: ec2-user
remote_user: ec2-user
common_packages:
- python
- unzip
- bash-completion
- tmux
- bind-utils
- wget
- git
- vim-enhanced
- at
- ansible
rhel_repos:
- rhel-7-server-rpms
- rhel-7-server-extras-rpms
- epel-release-latest-7
## Currently there is no NFS created for this Environment - See ocp-workshop for clues.
# ## NFS Server settings
# nfs_vg: nfsvg
# nfs_pvs: /dev/xvdb
# nfs_export_path: /srv/nfs
#
# nfs_shares:
# - es-storage
# - user-vols
# - jenkins
# - nexus
# - nexus2
project_tag: "{{ env_type }}-{{ guid }}"
create_internal_dns_entries: true
zone_internal_dns: "{{guid}}.internal."
chomped_zone_internal_dns: "{{guid}}.internal"
zone_public_dns: "{{subdomain_base}}."
cloudapps_dns: '*.apps.{{subdomain_base}}.'
tower_public_dns: "towerlb.{{subdomain_base}}."
#tower_public_dns: "tower.{{subdomain_base}}."
bastion_public_dns: "bastion.{{subdomain_base}}."
bastion_public_dns_chomped: "bastion.{{subdomain_base}}"
# we don't use this anymore
# activedirectory_public_dns: "ad.{{subdomain_base}}."
# activedirectory_public_dns_chomped: "ad.{{subdomain_base}}"
vpcid_cidr_block: "192.168.0.0/16"
vpcid_name_tag: "{{subdomain_base}}"
az_1_name: "{{ aws_region }}a"
az_2_name: "{{ aws_region }}b"
subnet_private_1_cidr_block: "192.168.2.0/24"
subnet_private_1_az: "{{ az_2_name }}"
subnet_private_1_name_tag: "{{subdomain_base}}-private"
subnet_private_2_cidr_block: "192.168.1.0/24"
subnet_private_2_az: "{{ az_1_name }}"
subnet_private_2_name_tag: "{{subdomain_base}}-private"
subnet_public_1_cidr_block: "192.168.10.0/24"
subnet_public_1_az: "{{ az_1_name }}"
subnet_public_1_name_tag: "{{subdomain_base}}-public"
subnet_public_2_cidr_block: "192.168.20.0/24"
subnet_public_2_az: "{{ az_2_name }}"
subnet_public_2_name_tag: "{{subdomain_base}}-public"
dopt_domain_name: "{{ aws_region }}.compute.internal"
rtb_public_name_tag: "{{subdomain_base}}-public"
rtb_private_name_tag: "{{subdomain_base}}-private"
cf_template_description: "{{ env_type }}-{{ guid }} Ansible Agnostic Deployer "
deploy_tower_demo: false