Add verification tasks, always tag NAT gateways, and fix typos

README.md

@@ -3,11 +3,11 @@
 This repository contains a set of tools and automation for deploying OpenShift
 4 in various environments.
 
-It is primarily focused on depolyments in situations that would require using
+It is primarily focused on deployments in situations that would require using
 the User-Provisioned Infrastructure (UPI) method to perform the installation.
 This includes environments where you are unable to provide administrator access
 to the installer, are deploying in an air-gapped environment, do not wish to
-have OpenShift 4 integreate with the cloud provider APIs, etc.
+have OpenShift 4 integrate with the cloud provider APIs, etc.
 
 > If you are deploying in an environment where there already exists an
 > Installer-Provisioned Infrastructure (IPI) method of installation and your
@@ -32,7 +32,7 @@ links for the platform you want to use above.
 
 If you used an earlier version of this repository and have a cluster deployed
 that used Terraform to create the infrastructure, a tag was created named
-`terraform` that points to the last commit that contains the Terraform
+[`terraform`][3] that points to the last commit that contains the Terraform
 artifacts. You will need to use this branch to destroy any clusters you have
 deployed that used Terraform. This branch will not be updated with any new
 code, but will be kept around to ensure that existing clusters can easily be
@@ -41,3 +41,4 @@ destroyed if there were created with an earlier version of this repository.
 
 [1]: docs/install/aws_generic.md
 [2]: docs/install/aws_govcloud_generic.md
+[3]: https://github.com/jaredhocutt/openshift4-deploy/releases/tag/terraform

playbooks/roles/infrastructure/defaults/main.yml

@@ -6,7 +6,7 @@ cluster_domain: "{{ cluster_name }}.{{ base_domain }}"
 
 vpc_cidr: 172.31.0.0/16
 vpc_subnet_bits: 24
-route53_hosted_zone_name: "{{ cluster_domain }}"
+route53_hosted_zone_name: "{{ cluster_domain }}"  #TODO: Does this need to have a trailing period?
 destroy_vpc: no
 
 openshift_version_major: "{{ openshift_version.split('.')[0] }}"
@@ -21,7 +21,7 @@ ec2_instance_type_bootstrap: i3.large
 ec2_instance_type_controller: m5.xlarge
 ec2_instance_type_worker: m5.large
 
-root_volume_size_bastion: 100  # +80GB to mirror the OLM images
+root_volume_size_bastion: 20  # 20GB base + 100GB to mirror OperatorHub
 root_volume_size_controller: 120
 root_volume_size_worker: "{{ root_volume_size_controller }}"
 root_volume_size_bootstrap: "{{ root_volume_size_controller }}"

playbooks/roles/infrastructure/tasks/aws/verifications.yml

@@ -0,0 +1,101 @@
+---
+
+# If vpc_id is given, public_subnet_ids and private_subnet_ids are required
+- block:
+  - name: Check if the user-defined vpc_id exists
+    ec2_vpc_net_info:
+      vpc_ids: "{{ vpc_id }}"
+
+  - name: Fail when subnet_ids are undefined
+    fail:
+      msg: |
+        ERROR: When vpc_id is provided a list of public and private subnet_ids
+        must also be provided.  For example:
+          public_subnet_ids:
+            - subnet-0123456789abcdef0
+          private_subnet_ids:
+            - subnet-1234567890abcdef1
+            - subnet-234567890abcdef12
+            - subnet-34567890abcdef123
+    when: (public_subnet_ids is undefined) or (private_subnet_ids is undefined)
+
+  # TODO: Figure out how to make this task faster
+  #       This task will takes ~7 minutes if a non-existent subnet_id is given
+  - name: Check if the user-defined subnets exist
+    ec2_vpc_subnet_info:
+      subnet_ids: "{{ public_subnet_ids + private_subnet_ids }}"
+    register: r_verify_subnet_ids
+
+  - name: Fail when all subnet_ids are not found
+    fail:
+      msg: |
+        ERROR: Unable to find all user-defined subnets.  Please make sure
+        all of these subnet_ids exist.
+          public_subnet_ids: "{{ public_subnet_ids }}"
+          private_subnet_ids: "{{ private_subnet_ids }}"
+    when: r_verify_subnet_ids.subnets | length != public_subnet_ids | length + private_subnet_ids | length
+  when: vpc_id is defined
+
+
+# If rhcos_ami or rhel_ami is given, check that they exist in the region
+- name: Check if the RHCOS AMI exists
+  ec2_ami_info:
+    image_ids: "{{ rhcos_ami }}"
+  when: rhcos_ami is defined
+
+- name: Check if the RHEL AMI exists
+  ec2_ami_info:
+    image_ids: "{{ rhel_ami }}"
+  when: rhel_ami is defined
+
+
+# If keypair_path is given, check that it exists
+- block:
+  - name: Check if bastion's keypair exists locally
+    stat:
+      path: "{{ keypair_path }}"
+    register: r_keypair_path
+
+  - name: Fail when bastion's private key is unavailable
+    fail:
+      msg: |
+        ERROR: A private key (keypair_path) was defined, but not found.  Please
+        make sure that "{{ keypair_path }}" is available, or leave it undefined
+        so that a new keypair can be auto-generated.
+    when: r_keypair_path.stat.exists is false
+  when: keypair_path is defined
+
+
+# If route53_hosted_zone_id is given, check that it exists
+- name: Check if the user-provided Route53 Hosted Zone exists
+  route53_info:
+    hosted_zone_id: "{{ route53_hosted_zone_id }}"
+    hosted_zone_method: details
+    query: hosted_zone
+  when: route53_hosted_zone_id is defined
+
+# If route53_hosted_zone_id is not given AND cloud == "aws"
+#   check that the default-named public Route53 Hosted Zone exists
+- block:
+  - name: Get Route53 Hosted Zone list
+    route53_info:
+      query: hosted_zone
+      max_items: "500"
+    register: r_route53_hosted_zones
+    failed_when: r_route53_hosted_zones.IsTruncated is true  #Too many items to list
+
+  - name: Fail when the default Route53 Hosted Zone (public) can't be found
+    fail:
+      msg: |
+        ERROR:  Unable to find public Route53 Hosted Zone named "{{ route53_hosted_zone_name }}"
+        Please complete the prequisite steps in README.md and try again.
+    when:  r_route53_hosted_zones.HostedZones |
+             selectattr('Name', 'match', route53_hosted_zone_name) |
+             selectattr('Config.PrivateZone', 'match', 'False') |
+             list |
+             length != 1
+  when:
+    - cloud == "aws"
+    - route53_hosted_zone_id is undefined
+
+- debug: msg="All verification checks succeeded!"

playbooks/roles/infrastructure/tasks/aws/vpc.yml

@@ -87,23 +87,26 @@
       OpenShiftCluster: "{{ cluster_domain }}"
       OpenShiftClusterId: "{{ cluster_id }}"
 
-- name: Create NAT gateways
-  ec2_vpc_nat_gateway:
-    subnet_id: "{{ item }}"
-    if_exist_do_not_create: yes
-  loop: "{{ public_subnet_ids }}"
-  register: r_create_nat_gateways
-
-# The ec2_vpc_nat_gateway does not allow you to add tags during creation, so
-# let's tag things after the fact
-- name: Add NAT gateway tags
-  ec2_tag:
-    resource: "{{ item.0.nat_gateway_id }}"
-    tags:
-      Name: "{{ cluster_id }}-{{ item.1 }}"
-      OpenShiftCluster: "{{ cluster_domain }}"
-      OpenShiftClusterId: "{{ cluster_id }}"
-  loop: "{{ r_create_nat_gateways.results | zip(availability_zone_names) | list }}"
+- block:
+  - name: Create NAT gateways
+    ec2_vpc_nat_gateway:
+      subnet_id: "{{ item }}"
+      if_exist_do_not_create: yes
+    loop: "{{ public_subnet_ids }}"
+    register: r_create_nat_gateways
+
+  # The ec2_vpc_nat_gateway doesn't allow you to add tags during creation, so
+  # let's tag things after the fact (even if not all of the NGWs were created)
+  always:
+  - name: Add NAT gateway tags
+    ec2_tag:
+      resource: "{{ item.0.nat_gateway_id }}"
+      tags:
+        Name: "{{ cluster_id }}-{{ item.1 }}"
+        OpenShiftCluster: "{{ cluster_domain }}"
+        OpenShiftClusterId: "{{ cluster_id }}"
+    loop: "{{ r_create_nat_gateways.results | zip(availability_zone_names) | list }}"
+    when: item.0.success
 
 - name: Create private subnets
   ec2_vpc_subnet:

playbooks/roles/infrastructure/tasks/aws_create.yml

@@ -1,16 +1,16 @@
 ---
 
+- import_tasks: aws/verifications.yml
+
 - import_tasks: aws/rhcos_ami_info.yml
   when: rhcos_ami is undefined
 
 - import_tasks: aws/rhel_ami_info.yml
   when: rhel_ami is undefined
 
-# TODO: add logic to check for all required variables if keypair_name is defined
 - import_tasks: aws/keypair.yml
   when: keypair_name is undefined
 
-# TODO: add logic to check for all required veriables if vpc_id is defined
 - import_tasks: aws/vpc.yml
   when: vpc_id is undefined