Update AWS VPC and subnet ID assignment to support runlevel, then upstream, and finally discovery

wmudge · wmudge · commit ecb90c98e699 · 2021-11-04T12:01:58.000-04:00
Signed-off-by: Webster Mudge &lt;wmudge@cloudera.com&gt;
diff --git a/roles/platform/tasks/initialize_setup_aws.yml b/roles/platform/tasks/initialize_setup_aws.yml
@@ -47,11 +47,11 @@
     plat__aws_xaccount_external_id: "{{ plat__cdp_xaccount_external_id }}"
     plat__aws_xaccount_account_id: "{{ plat__cdp_xaccount_account_id }}"
 
-# TODO - Confirm the two following tasks are the design pattern we want: checking for a set_fact from another role before establishing its own role fact
-- name: Discover AWS VPC
-  when: infra__aws_vpc_id is undefined
+# Runlevel first, upstream second, and discover third
+- name: Discover AWS VPC if not defined or established by Infrastructure
+  when: plat__aws_vpc_id == "" and infra__aws_vpc_id is undefined
   block:
-    - name: Query AWS VPC
+    - name: Query AWS VPC by name
       amazon.aws.ec2_vpc_net_info:
         region: "{{ plat__region }}"
         filters:
@@ -63,49 +63,73 @@
       ansible.builtin.set_fact:
         plat__aws_vpc_id: "{{ __aws_vpc_info.vpcs[0].id }}"
 
-- name: Set fact for AWS VPC ID by assignment
-  when: infra__aws_vpc_id is defined
+- name: Set fact for AWS VPC ID if established by Infrastructure
+  when: plat__aws_vpc_id == "" and infra__aws_vpc_id is defined
   ansible.builtin.set_fact:
     plat__aws_vpc_id: "{{ infra__aws_vpc_id }}"
 
-- name: Discover AWS VPC Subnets
-  when: infra__aws_subnet_ids is undefined
+- name: Handle AWS Subnet IDs if not defined
+  when: not plat__aws_public_subnet_ids or not plat__aws_private_subnet_ids # Defaults are empty lists
   block:
     - name: Query AWS Subnets
       amazon.aws.ec2_vpc_subnet_info:
         region: "{{ plat__region }}"
         filters:
-          "tag:Name": "{{ plat__namespace }}"
+          vpc-id: "{{ plat__aws_vpc_id }}"
       register: __aws_subnets_info
 
-    - name: Set fact for AWS Subnet IDs
-      when: __aws_subnets_info is defined
+    - name: Assert discovered AWS Subnets
+      ansible.builtin.assert:
+        that: __aws_subnets_info.subnets | length > 0
+        fail_msg: "No subnets discovered for AWS VPC"
+        quiet: yes
+
+    - name: Set fact for AWS Public Subnet IDs if established by Infrastructure
+      when: not plat__aws_public_subnet_ids and infra__aws_public_subnet_ids is defined
+      ansible.builtin.set_fact:
+        plat__aws_public_subnet_ids: "{{ infra__aws_public_subnet_ids }}"
+
+    - name: Discover AWS VPC Public Subnets
+      when: not plat__aws_public_subnet_ids and infra__aws_public_subnet_ids is undefined
       ansible.builtin.set_fact:
-        plat__aws_subnet_ids: "{{ plat__aws_subnet_ids | default([]) | union([__aws_subnet_item.subnet.id | default('')]) }}"
+        __aws_public_subnet_ids: "{{ __aws_public_subnet_ids | default([]) | union([__aws_subnet_item.subnet_id | default('')]) }}"
       loop_control:
         loop_var: __aws_subnet_item
-        label: "{{ __aws_subnet_item.subnet.id }}"
-      loop: "{{ __aws_subnets_info.subnets }}"
+        label: "{{ __aws_subnet_item.subnet_id }}"
+      loop: "{{ __aws_subnets_info.subnets | selectattr('map_public_ip_on_launch') }}"
 
-- name: Set fact for AWS Subnet IDs by assignment
-  when: infra__aws_subnet_ids is defined
-  ansible.builtin.set_fact:
-    plat__aws_subnet_ids: "{{ infra__aws_subnet_ids }}"
+    - name: Set fact for AWS Private Subnet IDs if established by Infrastructure
+      when: not plat__aws_private_subnet_ids and infra__aws_private_subnet_ids is defined
+      ansible.builtin.set_fact:
+        plat__aws_private_subnet_ids: "{{ infra__aws_private_subnet_ids }}"
+
+    - name: Discover AWS VPC Private Subnets
+      when: not plat__aws_private_subnet_ids and infra__aws_private_subnet_ids is undefined
+      ansible.builtin.set_fact:
+        __aws_private_subnet_ids: "{{ __aws_private_subnet_ids | default([]) | union([__aws_subnet_item.subnet_id | default('')]) }}"
+      loop_control:
+        loop_var: __aws_subnet_item
+        label: "{{ __aws_subnet_item.subnet_id }}"
+      loop: "{{ __aws_subnets_info.subnets | rejectattr('map_public_ip_on_launch') }}"
+
+    - name: Set fact for AWS VPC Subnets
+      ansible.builtin.set_fact:
+        plat__aws_public_subnet_ids: "{{ __aws_public_subnet_ids | default([]) }}"
+        plat__aws_private_subnet_ids: "{{ __aws_private_subnet_ids | default([]) }}"
 
-# TODO: Discover AWS VPC Public Subnets if infra__ is not present
-- name: Set public subnets for public endpoint access
-  when: plat__public_endpoint_access
+- name: Set fact for AWS Subnet IDs
   ansible.builtin.set_fact:
-    plat__aws_public_subnet_ids: "{{ infra__aws_public_subnet_ids }}"
-    plat__endpoint_access_scheme: "PUBLIC"
+    plat__aws_subnet_ids: "{{ plat__aws_public_subnet_ids | union(plat__aws_private_subnet_ids) }}"
 
+# TODO Collapse the two SG queries together
 - name: Discover AWS Security Group for Knox
   when: infra__aws_security_group_knox_id is undefined
   block:
     - name: Query AWS Security Group for Knox
       amazon.aws.ec2_group_info:
         region: "{{ plat__region }}"
         filters:
+          vpc-id: "{{ plat__aws_vpc_id }}"
           group-name: "{{ plat__security_group_knox_name }}"
       register: __aws_security_group_knox_info
 
@@ -126,6 +150,7 @@
       amazon.aws.ec2_group_info:
         region: "{{ plat__region }}"
         filters:
+          vpc-id: "{{ plat__aws_vpc_id }}"
           group-name: "{{ plat__security_group_default_name }}"
       register: __aws_security_group_default_info
 
