From 1aa43a2d86c2b0c465eaa0a3a838a340679606a7 Mon Sep 17 00:00:00 2001
From: Justin Wind
Date: Tue, 14 Mar 2017 13:01:58 -0700
Subject: [PATCH] create stacks with more generic role things
---
init_vpcaccess.yml => init_vpcaccess-dev.yml | 4 +-
roles/autoscalinggroup/meta/main.yml | 4 +
roles/autoscalinggroup/tasks/main.yml | 48 ++++++++
roles/common-infrastructure/tasks/main.yml | 20 ++++
roles/launchconfig/meta/main.yml | 3 +
roles/launchconfig/tasks/main.yml | 71 ++++++++++++
roles/launchconfig/templates/userdata.sh.j2 | 4 +
roles/module-aws-stack/meta/main.yml | 4 +
roles/module-aws-stack/tasks/main.yml | 78 +++++++++++++
.../defaults/main.yml | 8 ++
.../files/vpcaccess-policy.json | 0
roles/vpcaccess-infrastructure/tasks/main.yml | 103 ++++-------------
vpcaccess.yml => vpcaccess-d0dev.yml | 2 +-
13 files changed, 266 insertions(+), 83 deletions(-)
rename init_vpcaccess.yml => init_vpcaccess-dev.yml (55%)
create mode 100644 roles/autoscalinggroup/meta/main.yml
create mode 100644 roles/autoscalinggroup/tasks/main.yml
create mode 100644 roles/launchconfig/meta/main.yml
create mode 100644 roles/launchconfig/tasks/main.yml
create mode 100644 roles/launchconfig/templates/userdata.sh.j2
create mode 100644 roles/module-aws-stack/meta/main.yml
create mode 100644 roles/module-aws-stack/tasks/main.yml
create mode 100644 roles/vpcaccess-infrastructure/defaults/main.yml
rename roles/{vpcaccess => vpcaccess-infrastructure}/files/vpcaccess-policy.json (100%)
rename vpcaccess.yml => vpcaccess-d0dev.yml (67%)
diff --git a/init_vpcaccess.yml b/init_vpcaccess-dev.yml
similarity index 55%
rename from init_vpcaccess.yml
rename to init_vpcaccess-dev.yml
index 3b9d624..ec38ac2 100644
--- a/init_vpcaccess.yml
+++ b/init_vpcaccess-dev.yml
@@ -4,4 +4,6 @@
 gather_facts: False
 become: no
 roles:
- - vpcaccess-infrastructure
+ - role: vpcaccess-infrastructure
+ phase: dev
+ version: "0000"
diff --git a/roles/autoscalinggroup/meta/main.yml b/roles/autoscalinggroup/meta/main.yml
new file mode 100644
index 0000000..0995b3c
--- /dev/null
+++ b/roles/autoscalinggroup/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+ - { role: aws-vpc }
+ - { role: aws-management-queues }
diff --git a/roles/autoscalinggroup/tasks/main.yml b/roles/autoscalinggroup/tasks/main.yml
new file mode 100644
index 0000000..d0c1692
--- /dev/null
+++ b/roles/autoscalinggroup/tasks/main.yml
@@ -0,0 +1,48 @@
+---
+- assert:
+ that:
+ - zone in ('pub', 'priv')
+ - module != ''
+ - version != ''
+ - region|default(vpc_region) != ''
+ tags: ['check_vars']
+
+- set_fact:
+ asg_n:
+ - "{{ module }}"
+ - "{{ stack }}"
+ - "{{ country|ternary('c0', '') }}{{ country|default('') }}"
+ - "{{ phase|ternary('d0', '') }}{{ phase|default('') }}"
+
+- name: suss out our subnets
+ ec2_vpc_subnet_facts:
+ region: "{{ vpc_region }}"
+ filters:
+ vpc_id: "{{ vpc.vpc.id }}"
+ "tag:zone": "{{ zone }}"
+ register: partial_subnet_ids
+
+- name: autoscalinggroup
+ ec2_asg:
+ region: "{{ vpc_region }}"
+ name: "{{ asg_n|select|join('-') }}"
+ min_size: "{{ min_size|default(0) }}"
+ max_size: "{{ max_size|default(omit) }}"
+ desired_capacity: "{{ desired_capacity|default(omit) }}"
+ default_cooldown: 10
+ vpc_zone_identifier: "{{ partial_subnet_ids.subnets|default([])|map(attribute='id')|list }}"
+ launch_config_name: "{{ asg_n|select|join('-') }}-{{ version }}"
+ notification_topic: "{{ management_topic.sns_arn }}"
+ load_balancers: "{{ load_balancers|default(omit) }}"
+ tags:
+ - account: "{{ ACCT_NAME }}"
+ propagate_at_launch: yes
+ - module: "{{ module }}"
+ propagate_at_launch: yes
+ - stack: "{{ stack }}"
+ propagate_at_launch: yes
+ - country: "{{ country }}"
+ propagate_at_launch: yes
+ - phase: "{{ phase }}"
+ propagate_at_launch: yes
+
diff --git a/roles/common-infrastructure/tasks/main.yml b/roles/common-infrastructure/tasks/main.yml
index 0d3910b..c3495bc 100644
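Review bot: `asg_n` uses a bare `"{{ stack }}"` while the launchconfig role added in the same commit builds its name lists with `stack|default('')`, so including this role without `stack` set fails on an undefined variable even though the assert at the top does not require it; use `- "{{ stack|default('') }}"` here, and give the `stack`, `country` and `phase` tag values the same `|default('')` so the two roles agree on the ASG name for the same inputs. The assert validates `region|default(vpc_region)`, but the subnet lookup and `ec2_asg` both read `vpc_region` directly, so a caller's `region` override is checked and then ignored; use `region: "{{ region|default(vpc_region) }}"` in both tasks as launchconfig does. `propagate_at_launch: yes` is a YAML 1.1 truthy spelling; write `true`.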
--- a/roles/common-infrastructure/tasks/main.yml
+++ b/roles/common-infrastructure/tasks/main.yml
@@ -18,3 +18,23 @@
 - proto: all
 cidr_ip: 0.0.0.0/0
 register: sg_ssh
+
+- name: sg icmp
+ delegate_to: localhost
+ become: no
+ ec2_group:
+ vpc_id: "{{ vpc.vpc.id }}"
+ region: "{{ vpc_region }}"
+ state: present
+ name: icmp
+ description: "allow icmp from anywhere"
+ purge_rules: false
+ rules:
+ - proto: icmp
+ from_port: -1
+ to_port: -1
+ cidr_ip: 0.0.0.0/0
+ rules_egress:
+ - proto: all
+ cidr_ip: 0.0.0.0/0
+ register: sg_icmp
diff --git a/roles/launchconfig/meta/main.yml b/roles/launchconfig/meta/main.yml
new file mode 100644
index 0000000..96ecf5e
--- /dev/null
+++ b/roles/launchconfig/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - { role: aws-vpc }
\ No newline at end of file
diff --git a/roles/launchconfig/tasks/main.yml b/roles/launchconfig/tasks/main.yml
new file mode 100644
index 0000000..59768fd
--- /dev/null
+++ b/roles/launchconfig/tasks/main.yml
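Review bot: The new `sg icmp` group admits every ICMP type and code (`from_port: -1`, `to_port: -1`) from `0.0.0.0/0`, and module-aws-stack attaches it to every launch configuration next to `sg_ssh`, so instances in the `priv` zone receive it as well. If the purpose is reachability checks, limit the rule to the types actually needed — echo request via `from_port: 8` with `to_port: -1`, plus destination-unreachable (`from_port: 3`) if path MTU discovery matters — rather than the whole protocol. This task also carries `delegate_to: localhost` and `become: no`; the preceding `sg ssh` task starts outside the hunk, so check that both tasks are written the same way or the two groups will be created under different credentials.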
@@ -0,0 +1,71 @@
+---
+- assert:
+ that:
+ - module != ''
+ - version != ''
+ - ami|default(DEFAULT_AMI) != ''
+ - region|default(vpc_region) != ''
+ - security_group_ids != ''
+ - instance_type != ''
+ tags: ['check_vars']
+
+- set_fact:
+ ud_cluster:
+ - "{{ module }}"
+ - "{{ country|ternary('c0', '') }}{{ country|default('') }}"
+ - "{{ phase|ternary('d0', '') }}{{ phase|default('') }}"
+
+- set_fact:
+ ud_asgn:
+ - "{{ module }}"
+ - "{{ stack|default('') }}"
+ - "{{ country|ternary('c0', '') }}{{ country|default('') }}"
+ - "{{ phase|ternary('d0', '') }}{{ phase|default('') }}"
+
+- set_fact:
+ lc_n:
+ - "{{ module }}"
+ - "{{ stack|default('') }}"
+ - "{{ country|ternary('c0', '') }}{{ country|default('') }}"
+ - "{{ phase|ternary('d0', '') }}{{ phase|default('') }}"
+ - "{{ version }}"
+
+- name: assemble user data
+ set_fact:
+ user_data:
+ EC2_REGION: "{{ region|default(vpc_region) }}"
+ CLOUD_COUNTRIES: "{{ country|default() }}"
+ CLOUD_ENVIRONMENT: "{{ ACCT_NAME }}"
+ CLOUD_MONITOR_BUCKET: "{{ module }}"
+ CLOUD_APP: "{{ module }}"
+ CLOUD_STACK: "{{ stack|default('None') }}"
+ CLOUD_DEV_PHASE: "{{ phase|default() }}"
+ CLOUD_CLUSTER: "{{ ud_cluster|select|join('-') }}"
+ CLOUD_AUTO_SCALE_GROUP: "{{ ud_asgn|select|join('-') }}"
+ CLOUD_LAUNCH_CONFIG: "{{ lc_n|select|join('-') }}"
+
+- name: launchconfig
+ ec2_lc:
+ region: "{{ region|default(vpc_region) }}"
+ name: "{{ lc_n|select|join('-') }}"
+ image_id: "{{ ami|default(DEFAULT_AMI) }}"
+ key_name: "{{ MANAGEMENT_KEY_NAME }}"
+ instance_profile_name: "{{ module }}"
+ security_groups: "{{ security_group_ids }}"
+ instance_type: "{{ instance_type}}"
+ volumes:
+# setting the root volume seems to prevent instances from launching
+# - device_name: /dev/sda
+# volume_size: 8
+# volume_type: gp2
+# delete_on_termination: true
+ - device_name: /dev/sdb
+ ephemeral: ephemeral0
+ - device_name: /dev/sdc
+ ephemeral: ephemeral1
+ - device_name: /dev/sdd
+ ephemeral: ephemeral2
+ - device_name: /dev/sde
+ ephemeral: ephemeral3
+ user_data: "{{ lookup('template', 'userdata.sh.j2') }}"
+ register: launchconfig
diff --git a/roles/launchconfig/templates/userdata.sh.j2 b/roles/launchconfig/templates/userdata.sh.j2
new file mode 100644
index 0000000..e8a987e
--- /dev/null
+++ b/roles/launchconfig/templates/userdata.sh.j2
@@ -0,0 +1,4 @@
+{% for k,v in user_data.iteritems() %}
+export {{ k }}={{ v }}
+{% endfor %}
+{{ user_data_extra|default() }}
diff --git a/roles/module-aws-stack/meta/main.yml b/roles/module-aws-stack/meta/main.yml
new file mode 100644
index 0000000..17574a4
--- /dev/null
+++ b/roles/module-aws-stack/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+ - { role: aws-vpc }
+ - { role: common-infrastructure }
diff --git a/roles/module-aws-stack/tasks/main.yml b/roles/module-aws-stack/tasks/main.yml
new file mode 100644
index 0000000..9700328
--- /dev/null
+++ b/roles/module-aws-stack/tasks/main.yml
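Review bot: The assertion `security_group_ids != ''` cannot fail for the value this role is actually given — module-aws-stack passes a three-element list, and a list compared with a string is always unequal — so a missing or empty group list is not caught before `ec2_lc` runs; use `- security_group_ids is defined and security_group_ids|length > 0`. `CLOUD_STACK` falls back to the literal string `'None'` while the other optional keys (`CLOUD_COUNTRIES`, `CLOUD_DEV_PHASE`) fall back to the empty string via `default()`; pick one convention so whatever reads the rendered script does not have to special-case both. Every `user_data` value is later written unquoted into a shell `export` line by `userdata.sh.j2`, so any value containing whitespace or a shell metacharacter changes what the boot script does rather than being stored; the quoting belongs in the template, but this is where the values originate. `instance_type: "{{ instance_type}}"` is missing the space before `}}` — harmless to Jinja, but inconsistent with the rest of the file.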
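Review bot: `user_data.iteritems()` exists only on Python 2 dicts, so this template raises as soon as Ansible runs under Python 3; `user_data.items()` works on both. The values are interpolated unquoted in `export {{ k }}={{ v }}`, and if cloud-init executes the rendered text it runs as root at first boot, so a stack or country name containing whitespace or a shell metacharacter — or anything placed in `user_data_extra` — is interpreted by the shell instead of being stored; write `export {{ k }}={{ v|quote }}` (Ansible's `quote` filter applies shell quoting). The file also has no `#!` interpreter line, which cloud-init needs in order to treat user data as a script; if the AMI instead fetches and sources this from the metadata service, say so in a comment at the top of the template so the missing shebang is not mistaken for a bug.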
@@ -0,0 +1,78 @@
+---
+- assert:
+ that:
+ - module != ''
+ - zone in ('pub', 'priv')
+ - sg_rules is defined
+ - elb_type|default('') in ('', 'internal', 'internet-facing')
+ tags: ['check_vars']
+
+- name: determine subnets for ELB
+ ec2_vpc_subnet_facts:
+ region: "{{ vpc_region }}"
+ filters:
+ vpc_id: "{{ vpc.vpc.id }}"
+ "tag:zone": "{{ zone }}"
+ register: elb_subnet_ids
+
+- name: module IAM role
+ iam:
+ name: "{{ module }}"
+ iam_type: role
+ state: present
+
+- name: module ELB securitygroup
+ when: elb_type is defined
+ ec2_group:
+ vpc_id: "{{ vpc.vpc.id }}"
+ region: "{{ vpc_region }}"
+ state: present
+ name: "{{ module }}-{{ (elb_type == 'internal')|ternary('int', 'ext') }}-elb"
+ description: "sg for {{ (elb_type == 'internal')|ternary('internal', 'external') }} elb for {{ module }}"
+ purge_rules: false
+ rules: "{{ elb_rules }}"
+ rules_egress:
+ - proto: all
+ cidr_ip: 0.0.0.0/0
+
+- name: module securitygroup
+ ec2_group:
+ vpc_id: "{{ vpc.vpc.id }}"
+ region: "{{ vpc_region }}"
+ state: present
+ name: "{{ module }}"
+ description: "{{ module }} rules"
+ purge_rules: false
+ rules: "{{ sg_rules }}"
+ rules_egress:
+ - proto: all
+ cidr_ip: 0.0.0.0/0
+ register: sg_module
+
+- name: module ELB
+ when: elb_type is defined
+ ec2_elb_lb:
+ region: "{{ vpc_region }}"
+ state: present
+ name: "{{ module }}-{{ (elb_type == 'internal')|ternary('int', 'ext') }}-elb"
+ cross_az_load_balancing: yes
+ scheme: "{{ elb_type }}"
+ subnets: "{{ elb_subnet_ids.subnets|default([])|map(attribute='id')|list }}"
+ security_group_names:
+ - "{{ module }}-{{ (elb_type == 'internal')|ternary('int', 'ext') }}-elb"
+ listeners: "{{ elb_listeners }}"
+ health_check: "{{ elb_healthcheck }}"
+ register: loadbalancer
+
+- include_role:
+ name: launchconfig
+ vars:
+ security_group_ids:
+ - "{{ sg_ssh.group_id }}"
+ - "{{ sg_icmp.group_id }}"
+ - "{{ sg_module.group_id }}"
+
+- include_role:
+ name: autoscalinggroup
+ vars:
+ load_balancers: "{{ loadbalancer.elb.name|default(omit) }}"
diff --git a/roles/vpcaccess-infrastructure/defaults/main.yml b/roles/vpcaccess-infrastructure/defaults/main.yml
new file mode 100644
index 0000000..bce0225
--- /dev/null
+++ b/roles/vpcaccess-infrastructure/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+module: vpcaccess
+stack:
+country:
+phase:
+version:
+instance_type: m4.large
+zone: 'pub'
diff --git a/roles/vpcaccess/files/vpcaccess-policy.json b/roles/vpcaccess-infrastructure/files/vpcaccess-policy.json
similarity index 100%
rename from roles/vpcaccess/files/vpcaccess-policy.json
rename to roles/vpcaccess-infrastructure/files/vpcaccess-policy.json
diff --git a/roles/vpcaccess-infrastructure/tasks/main.yml b/roles/vpcaccess-infrastructure/tasks/main.yml
index 3faf612..878402e 100644
--- a/roles/vpcaccess-infrastructure/tasks/main.yml
+++ b/roles/vpcaccess-infrastructure/tasks/main.yml
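Review bot: When `elb_type` is set, the `module ELB securitygroup` and `module ELB` tasks read `elb_rules`, `elb_listeners` and `elb_healthcheck`, but the assert at the top only validates `elb_type` itself, so a caller that omits one of them fails part-way with the ELB security group already created; add `- elb_type is not defined or (elb_rules is defined and elb_listeners is defined and elb_healthcheck is defined)` to the assert. The ELB name expression `{{ module }}-{{ (elb_type == 'internal')|ternary('int', 'ext') }}-elb` is spelled out three times; a single `set_fact` of an `elb_name` before the ELB tasks keeps the security group, the load balancer and its `security_group_names` entry from drifting apart. The `iam` task creates the `{{ module }}` role, but no hunk in this commit attaches a policy to it and the renamed `vpcaccess-policy.json` is not referenced anywhere shown, so a comment on the task should say where the role's permissions are expected to come from. `cross_az_load_balancing: yes` should be `true`.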
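Review bot: `stack:`, `country:`, `phase:` and `version:` are bare values, which YAML loads as null rather than the empty string; the guards downstream compare with `!= ''` (both launchconfig and autoscalinggroup assert `version != ''`), and null is unequal to `''`, so a forgotten `version` sails through the check and then either lands in the launch configuration name as the literal `None` or is dropped by `select`, depending on how the null renders — either way the assert is bypassed. Write `version: ""` (and the same for the other three) so the guards fire, or tighten the asserts to `version|default('')|length > 0`. `zone: 'pub'` is the only quoted plain scalar in the file while `module: vpcaccess` is not; make the quoting consistent.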
@@ -3,91 +3,32 @@
 that:
 tags: ['check_vars']
-- name: vpcaccess iam
- iam:
- name: vpcaccess
- iam_type: role
- state: present
-
-- name: sg vpcaccess
- ec2_group:
- vpc_id: "{{ vpc.vpc.id }}"
- region: "{{ vpc_region }}"
- state: present
- name: vpcaccess
- description: "vpcaccess rules"
- purge_rules: false
- rules:
+- include_role:
+ name: module-aws-stack
+ vars:
+ sg_rules:
 - proto: all
+ from_port: -1
+ to_port: -1
 cidr_ip: "{{ vpc.vpc.cidr_block }}"
- rules_egress:
- - proto: all
+ elb_type: internal
+ elb_rules:
+ - proto: tcp
+ from_port: 22
+ to_port: 22
 cidr_ip: 0.0.0.0/0
- register: sg_vpcaccess
-
-- name: vpcaccess lc
- ec2_lc:
- region: "{{ vpc_region }}"
- name: vpcaccess-0000
- image_id: "{{ DEFAULT_AMI }}"
- key_name: "{{ MANAGEMENT_KEY_NAME }}"
- instance_profile_name: vpcaccess
- security_groups:
- - "{{ sg_vpcaccess.group_id }}"
- - "{{ sg_ssh.group_id }}"
- instance_type: m4.large
- volumes:
-# setting the root volume seems to prevent instances from launching
-# - device_name: /dev/sda1
-# volume_size: 8
-# volume_type: gp2
-# delete_on_termination: true
- - device_name: /dev/sdb
- ephemeral: ephemeral0
- - device_name: /dev/sdc
- ephemeral: ephemeral1
- - device_name: /dev/sdd
- ephemeral: ephemeral2
- - device_name: /dev/sde
- ephemeral: ephemeral3
- register: vpcaccess_lc
-
-- name: suss out our subnets
- ec2_vpc_subnet_facts:
- region: "{{ vpc_region }}"
- filters:
- vpc_id: "{{ vpc.vpc.id }}"
- "tag:zone": pub
- register: public_subnet_ids
-
-- debug:
- var: public_subnet_ids
-
-- name: vpcaccess asg
- ec2_asg:
- region: "{{ vpc_region }}"
- name: vpcaccess
- min_size: 1
+ elb_listeners:
+ - protocol: tcp
+ load_balancer_port: 22
+ instance_port: 22
+ elb_healthcheck:
+ ping_protocol: tcp
+ ping_port: 22
+ response_timeout: 5
+ interval: 30
+ unhealthy_threshold: 2
+ healthy_threshold: 2
 max_size: 1
- desired_capacity: 1
- default_cooldown: 10
- vpc_zone_identifier: "{{ public_subnet_ids.subnets|map(attribute='id')|list }}"
- launch_config_name: "{{ vpcaccess_lc.name|default('checkmode') }}"
- notification_topic: "{{ management_topic.sns_arn }}"
- notification_types:
- - autoscaling:EC2_INSTANCE_LAUNCH
- load_balancers:
- tags:
- - account: "{{ ACCT_NAME }}"
- propagate_at_launch: yes
- - module: vpcaccess
- propagate_at_launch: yes
- - stack: ""
- propagate_at_launch: yes
- - country: ""
- propagate_at_launch: yes
- - phase: dev
- propagate_at_launch: yes
 - name: not implemented yet
 debug:
diff --git a/vpcaccess.yml b/vpcaccess-d0dev.yml
similarity index 67%
rename from vpcaccess.yml
rename to vpcaccess-d0dev.yml
index 1abeed9..f11242e 100644
--- a/vpcaccess.yml
+++ b/vpcaccess-d0dev.yml
@@ -1,5 +1,5 @@
 ---
-- hosts: vpcaccess
+- hosts: vpcaccess-d0dev
 become: true
 roles:
 - common
-- 
2.43.2
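Review bot: The stack's own security group (`sg_rules`) admits `proto: all` from the whole VPC CIDR, so every instance in the VPC can reach any port on the vpcaccess hosts, while the only traffic this stack is wired for is SSH arriving through the internal ELB on port 22 (the listener and health check both use 22); narrow it to `- proto: tcp`, `from_port: 22`, `to_port: 22` with the same `cidr_ip`, and let `sg_ssh` and `sg_icmp` cover the rest. The removed tasks created the ASG with `min_size: 1` and `desired_capacity: 1`, but the include passes only `max_size: 1`, and autoscalinggroup defaults `min_size` to 0 and omits `desired_capacity`, so the dev stack may now come up with no instances — if that is not intended, pass `min_size: 1` here as well. The removed `notification_types` entry (`autoscaling:EC2_INSTANCE_LAUNCH`) is likewise not carried over and the new role has no variable for it, so the module's default notification set applies; worth a comment if that is deliberate. The task list continues past the hunk (`- name: not implemented yet`), so the role's end is outside what is shown.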