---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Registers heat and heat-cfn with keystone: catalog entries, roles, the
# stack user domain, the heat project, the service and stack-domain-admin
# users, their role assignments, and finally the endpoints.
#
# Everything is delegated to heat_service_setup_host. When that host is
# localhost we point the python interpreter at the ansible runtime venv so
# the client libraries installed there are available; for any other host
# the system python is assumed to have them.
#
# Every keystone call uses the admin endpoint, and certificate verification
# is derived from keystone_service_adminuri_insecure: when that variable is
# true, `verify` becomes false and the admin URI's certificate is not
# checked. Leave it false unless the deployment knowingly exposes an
# unverified admin endpoint.
- name: Setup the service
  delegate_to: "{{ heat_service_setup_host }}"
  vars:
    ansible_python_interpreter: "{{ heat_service_setup_host_python_interpreter }}"
  block:
    # Each keystone task below retries up to 5 times, 10 seconds apart, until
    # its module reports success. Several tasks register the same variable
    # name (add_service); each `until` reads the value its own task registered.
    - name: Add service to the keystone service catalog
      os_keystone_service:
        cloud: default
        state: present
        name: "{{ item.name }}"
        service_type: "{{ item.service_type }}"
        description: "{{ item.description }}"
        endpoint_type: admin
        verify: "{{ not keystone_service_adminuri_insecure }}"
      register: add_service
      until: add_service is success
      retries: 5
      delay: 10
      with_items:
        - name: "{{ heat_service_name }}"
          service_type: "{{ heat_service_type }}"
          description: "{{ heat_service_description }}"
        - name: "{{ heat_cfn_service_name }}"
          service_type: "{{ heat_cfn_service_type }}"
          description: "{{ heat_cfn_service_description }}"
      loop_control:
        label: "{{ item.name }}"

    # Roles, users and role assignments are only created here when
    # heat_service_in_ldap is false; the domain and project tasks run
    # regardless.
    - name: Add owner/user roles
      os_keystone_role:
        cloud: default
        state: present
        name: "{{ item }}"
        endpoint_type: admin
        verify: "{{ not keystone_service_adminuri_insecure }}"
      when: not heat_service_in_ldap | bool
      register: add_service
      until: add_service is success
      retries: 5
      delay: 10
      with_items:
        - "{{ heat_stack_owner_name }}"
        - heat_stack_user

    - name: Add stack user domain
      os_keystone_domain:
        cloud: default
        state: present
        name: "{{ heat_stack_user_domain_name }}"
        endpoint_type: admin
        verify: "{{ not keystone_service_adminuri_insecure }}"
      register: add_stack_user_domain
      until: add_stack_user_domain is success
      retries: 5
      delay: 10

    # NOTE(review): the module parameter is domain_id but the variable is
    # named as a domain *name*. That is fine when the domain's id equals its
    # name (as it does for the built-in `default` domain); confirm before
    # pointing heat_project_domain_name at any other domain.
    - name: Add heat project
      os_project:
        cloud: default
        state: present
        name: "{{ heat_project_name }}"
        domain_id: "{{ heat_project_domain_name }}"
        endpoint_type: admin
        verify: "{{ not keystone_service_adminuri_insecure }}"
      register: add_project
      until: add_project is success
      retries: 5
      delay: 10

    # Creates the heat service user and the stack domain admin. Both items
    # carry passwords, so no_log stays on for this task: it keeps the loop
    # items and any retry output out of the ansible log.
    - name: Add service/heat user
      os_user:
        cloud: default
        state: present
        name: "{{ item.name }}"
        password: "{{ item.password }}"
        domain: "{{ item.domain }}"
        default_project: "{{ item.default_project }}"
        endpoint_type: admin
        verify: "{{ not keystone_service_adminuri_insecure }}"
      when: not heat_service_in_ldap | bool
      no_log: true
      register: add_service
      until: add_service is success
      retries: 5
      delay: 10
      with_items:
        - name: "{{ heat_service_user_name }}"
          password: "{{ heat_service_password }}"
          domain: default
          default_project: "{{ heat_service_project_name }}"
        - name: "{{ heat_stack_domain_admin }}"
          password: "{{ heat_stack_domain_admin_password }}"
          domain: "{{ heat_stack_user_domain_name }}"
          default_project: "{{ heat_project_name }}"

    - name: Add service user to roles
      os_user_role:
        cloud: default
        state: present
        user: "{{ item.user }}"
        role: "{{ item.role }}"
        project: "{{ item.project }}"
        endpoint_type: admin
        verify: "{{ not keystone_service_adminuri_insecure }}"
      when: not heat_service_in_ldap | bool
      register: add_service
      until: add_service is success
      retries: 5
      delay: 10
      with_items:
        # The service user's own role on the service project.
        - user: "{{ heat_service_user_name }}"
          role: "{{ heat_service_role_name }}"
          project: "{{ heat_service_project_name }}"
        # The keystone role heat uses to delegate to its service user for
        # deferred operations performed via trusts.
        - user: "{{ heat_service_user_name }}"
          role: "{{ heat_stack_owner_name }}"
          project: "{{ heat_service_project_name }}"
        # Any user creating stacks needs the heat_stack_owner role. This
        # grants it to the keystone admin user for testing purposes; note
        # that it is applied on every run of this file, not only in test
        # deployments, so review whether the admin user should keep it.
        - user: "{{ keystone_admin_user_name }}"
          role: "{{ heat_stack_owner_name }}"
          project: "{{ heat_service_project_name }}"
        # The stack domain admin gets the admin role (or keystone_role_name
        # when set) on the heat project; this is a privileged credential,
        # which is why its password is created under no_log above.
        - user: "{{ heat_stack_domain_admin }}"
          role: "{{ keystone_role_name | default('admin') }}"
          project: "{{ heat_project_name }}"

    # Public, internal and admin endpoints for both heat and heat-cfn, all in
    # heat_service_region.
    - name: Add endpoints to keystone endpoint catalog
      os_keystone_endpoint:
        cloud: default
        state: present
        service: "{{ item.service }}"
        endpoint_interface: "{{ item.interface }}"
        url: "{{ item.url }}"
        region: "{{ heat_service_region }}"
        endpoint_type: admin
        verify: "{{ not keystone_service_adminuri_insecure }}"
      register: add_service
      until: add_service is success
      retries: 5
      delay: 10
      with_items:
        - interface: public
          url: "{{ heat_service_publicurl }}"
          service: "{{ heat_service_name }}"
        - interface: internal
          url: "{{ heat_service_internalurl }}"
          service: "{{ heat_service_name }}"
        - interface: admin
          url: "{{ heat_service_adminurl }}"
          service: "{{ heat_service_name }}"
        - interface: public
          url: "{{ heat_cfn_service_publicurl }}"
          service: "{{ heat_cfn_service_name }}"
        - interface: internal
          url: "{{ heat_cfn_service_internalurl }}"
          service: "{{ heat_cfn_service_name }}"
        - interface: admin
          url: "{{ heat_cfn_service_adminurl }}"
          service: "{{ heat_cfn_service_name }}"