[#270] add per enclave bucket policy

legion-platform · Aug 22, 2018 · 87c14ca · 87c14ca
1 parent 058342c
commit 87c14ca
Showing 1 changed file with 25 additions and 8 deletions.
diff --git a/deploy/ansible/roles/legion_core_chart/tasks/main.yml b/deploy/ansible/roles/legion_core_chart/tasks/main.yml
@@ -1,28 +1,42 @@
 ---
 
 # Create Jenkins IAM role for airflow s3 access
-- name: Generate policy documents
+- name: Generate trust policy document
   template:
-    src: "{{ item }}.yaml.j2"
-    dest: "{{ tmp_dir }}/{{ item }}.{{ cluster_name }}.yaml"
-  with_items:
-    - trust_policy
-    - airflow_s3_access_policy
+    src: "trust_policy.yaml.j2"
+    dest: "{{ tmp_dir }}/trust_policy.{{ enclave }}.{{ cluster_name }}.yaml"
+  with_items: "{{ enclaves }}"
+  loop_control:
+    loop_var: enclave
+
+- name: Generate airflow s3 access policy document
+  template:
+    src: "airflow_s3_access_policy.yaml.j2"
+    dest: "{{ tmp_dir }}/airflow_s3_access_policy.{{ enclave }}.{{ cluster_name }}.yaml"
+  with_items: "{{ enclaves }}"
+  loop_control:
+    loop_var: enclave
 
 - name: Create Airflow S3 access role
   iam:
     iam_type: role
     name: "{{ cluster_name }}-jenkins-role"
-    trust_policy_filepath: "{{ tmp_dir }}/trust_policy.{{ cluster_name }}.yaml"
+    trust_policy_filepath: "{{ tmp_dir }}/trust_policy.{{ enclave }}.{{ cluster_name }}.yaml"
     state: present
+  with_items: "{{ enclaves }}"
+  loop_control:
+    loop_var: enclave
 
 - name: Attach Airflow S3 accesse policy to the role
   iam_policy:
     iam_type: role
     iam_name: "{{ cluster_name }}-jenkins-role"
     policy_name: "{{ cluster_name }}-jenkins-airflow-s3-access-policy"
-    policy_document: "{{ tmp_dir }}/airflow_s3_access_policy.{{ cluster_name }}.yaml"
+    policy_document: "{{ tmp_dir }}/airflow_s3_access_policy.{{ enclave }}.{{ cluster_name }}.yaml"
     state: present
+  with_items: "{{ enclaves }}"
+  loop_control:
+    loop_var: enclave
 
 # Install Legion core chart
 - name: Get legion-core chart status
@@ -60,6 +74,9 @@
     mode: 0644
   vars:
     git_secret_name: legion-git-deploy
+  with_items: "{{ enclaves }}"
+  loop_control:
+    loop_var: enclave
 
 - name: Pre run with dumping
   shell: helm --kube-context {{ cluster_name }} install legion-core --name legion-core --debug --dry-run -f  {{ tmp_dir }}/legion-core-values.{{ cluster_name }}.yaml