
Append clusterid to default iam role and policy names.

Andrew Butcher 7 years ago
parent
commit
94d5cffd08

+ 2 - 2
roles/openshift_aws/defaults/main.yml

@@ -18,9 +18,9 @@ openshift_aws_iam_cert_name: "{{ openshift_aws_clusterid }}-master-external"
 openshift_aws_iam_cert_path: ''
 openshift_aws_iam_cert_key_path: ''
 
-openshift_aws_iam_role_name: openshift_node_describe_instances
+openshift_aws_iam_role_name: "openshift_node_describe_instances_{{ openshift_aws_clusterid }}"
 openshift_aws_iam_role_policy_json: "{{ lookup('file', 'describeinstances.json') }}"
-openshift_aws_iam_role_policy_name: "describe_instances"
+openshift_aws_iam_role_policy_name: "describe_instances_{{ openshift_aws_clusterid }}"
 
 openshift_aws_iam_kms_alias: "alias/{{ openshift_aws_clusterid }}_kms"
 openshift_aws_ami: ''
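Review bot: The new default on `openshift_aws_iam_role_name` leaves only 30 characters for `openshift_aws_clusterid`, because IAM role names are capped at 64 characters and the fixed prefix `openshift_node_describe_instances_` already uses 34. A longer cluster id would presumably fail at role creation rather than at variable validation. A comment above the default would help, for example `# IAM role names max out at 64 chars; clusterid must be <= 30 chars`. Clusters that already created the role under the old fixed name will end up with a second role unless the old one is cleaned up, which is worth noting in the commit description.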

+ 12 - 2
roles/openshift_aws/templates/launchinstances.json.j2

@@ -2,6 +2,16 @@
     "Version": "2012-10-17",
     "Statement": [
 	{
+	    "Sid": "AllowPassDescribeInstancesRole",
+	    "Effect": "Allow",
+	    "Action": [
+		"iam:PassRole"
+	    ],
+	    "Resource": [
+		"arn:aws:iam::*:role/openshift_node_describe_instances_{{ openshift_aws_clusterid }}"
+	    ]
+	},
+	{
 	    "Sid": "AllowDescribeResources",
 	    "Effect": "Allow",
 	    "Action": [
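Review bot: The `Resource` in the new `AllowPassDescribeInstancesRole` statement repeats the literal `openshift_node_describe_instances_{{ openshift_aws_clusterid }}` instead of using the variable that names the role. If `openshift_aws_iam_role_name` is overridden, the policy will grant `iam:PassRole` on a role that is not the one created. Assuming the role defaults are in scope when this template renders, `"arn:aws:iam::*:role/{{ openshift_aws_iam_role_name }}"` keeps the two in step. The statement also has no condition; if the role is only ever handed to EC2 (not visible here), adding `"Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}` would stop it being passed to any other service. The `Statement` array continues outside the hunk.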
@@ -45,7 +55,7 @@
                 "StringEquals": {
                     "aws:RequestTag/clusterid": "{{ openshift_aws_clusterid }}"
                 },
-                "ForAllValues:StringEquals": {
+                "ForAnyValue:StringEquals": {
                     "aws:TagKeys": [
                         "clusterid"
                     ]
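Review bot: Switching the `aws:TagKeys` condition from `ForAllValues` to `ForAnyValue` stops limiting which tag keys a request may carry, because the statement now matches as soon as one key is `clusterid` and any other tags can ride along. The `aws:RequestTag/clusterid` check just above already requires that tag to be present with the right value, so the new condition looks redundant rather than restrictive. If other policies in the account authorise on tag keys, this principal can now set those keys on resources it creates. If extra tags are genuinely needed, keeping `ForAllValues:StringEquals` and listing the permitted keys (for instance `["clusterid", "Name"]`, a constructed example) preserves the allow-list. The same change is made in the hunk at -78,7, and the enclosing statements start and end outside both hunks.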
@@ -78,7 +88,7 @@
 		"StringEquals": {
 		    "aws:RequestTag/clusterid": "{{ openshift_aws_clusterid }}"
 		},
-		"ForAllValues:StringEquals": {
+		"ForAnyValue:StringEquals": {
 		    "aws:TagKeys": [
 			"clusterid"
 		    ]