2018-10-21
So when you've got jiggy with a role and later find that "holy crap! I need to run this role over an array of stuff", you can rig it so that Ansible's inherent hostiness does the looping for you.
We built up the setup_account role to wire in all the stuff we want in a basic account rig (ADFS roles, CloudTrail, CloudWatch alarms etc).
Here's the singular version of the playbook:
```yaml
- hosts: localhost
  connection: local
  gather_facts: no
  vars:
    region: eu-west-1
  roles:
    - name: sts_assume_role
      target_account: "{{aws_accounts[acc]}}"
    - name: setup_account
      roles: "{{commonRoles|union(accRoles[acc])}}"
```
which we run with -e acc=foo to run the setup_account role for one account (acc is the key into the aws_accounts dict, and sts_assume_role gets you into that account before setup_account does its thing).
The need for continuous compliance :D made us want to bulk up: "make it so, Mr Sulu" across all the accounts with just one click,
but without setup_account having to know that it is actually a precious role to rule them all.
Using add_host:
in a new play you add one fake-o host per account to a group called account_hosts, and set the acc variable on each of them from the aws_accounts dict.
Then in the next play you tell Ansible to run the roles for all the "hosts" in the account_hosts group, so every host, i.e. every account, gets its own run of sts_assume_role and setup_account:
```yaml
- hosts: localhost
  connection: local
  gather_facts: no
  vars:
    region: eu-west-1
  tasks:
    - add_host:
        name: "{{item.key}}"
        acc: "{{item.key}}"
        ansible_host: localhost
        ansible_python_interpreter: /usr/local/bin/python
        groups: account_hosts
      with_dict: "{{aws_accounts}}"

- hosts: account_hosts
  connection: local
  gather_facts: no
  vars:
    region: eu-west-1
    account_id: "{{aws_accounts[acc]}}"
  roles:
    - name: sts_assume_role
      target_account: "{{aws_accounts[acc]}}"
    - name: setup_account
      roles: "{{commonRoles|union(accRoles[acc])}}"
```
The ansible_python_interpreter is a quirk of localhost without gather_facts: the added hosts are ordinary inventory entries that just happen to connect to localhost, so they don't get the interpreter the implicit localhost uses, and with gather_facts off nothing is going to work it out for you. Point it at the python that has boto installed (the path above is ours; yours may differ).
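Here is the same pattern as a self-contained playbook you can run as-is, added here as an example rather than the post's own code. The account IDs and role lists are constructed sample data, the name of the IAM role being assumed (AccountSetup) is an assumption, and the post's sts_assume_role and setup_account roles are stood in for by the stock sts_assume_role module plus a debug task, so you can see what each fake host ends up with:

```yaml
# Added example, not the post's own playbook. Account IDs, role lists and the
# AccountSetup role name are made up; sts_assume_role here is the Ansible
# module, not the post's role of the same name.
- hosts: localhost
  connection: local
  gather_facts: no
  vars:
    # constructed sample data standing in for whatever feeds the real playbook
    aws_accounts:
      dev: "111111111111"
      prod: "222222222222"
    commonRoles: [cloudtrail, cloudwatch_alarms]
    accRoles:
      dev: [adfs_developer]
      prod: [adfs_readonly, adfs_admin]
  tasks:
    - name: create one fake host per account
      add_host:
        name: "{{ item.key }}"
        acc: "{{ item.key }}"
        ansible_host: localhost
        # run the fake hosts under the same python as ansible-playbook itself
        # (magic variable, Ansible 2.8+; hardcode a path on older versions)
        ansible_python_interpreter: "{{ ansible_playbook_python }}"
        groups: account_hosts
        # play vars do not follow the fake hosts into the next play, so hand
        # them over as host vars (any extra add_host parameter becomes one)
        aws_accounts: "{{ aws_accounts }}"
        commonRoles: "{{ commonRoles }}"
        accRoles: "{{ accRoles }}"
      with_dict: "{{ aws_accounts }}"

- hosts: account_hosts
  connection: local
  gather_facts: no
  vars:
    region: eu-west-1
  tasks:
    - name: assume the setup role in this host's account
      sts_assume_role:
        region: "{{ region }}"
        role_arn: "arn:aws:iam::{{ aws_accounts[acc] }}:role/AccountSetup"
        role_session_name: "setup-{{ acc }}"
      register: assumed
      no_log: true

    # registered results and set_fact are scoped to the host, so dev's
    # temporary credentials never show up on prod's run, even with forks
    - name: keep the temporary credentials as host-scoped facts
      set_fact:
        aws_access_key: "{{ assumed.sts_creds.access_key }}"
        aws_secret_key: "{{ assumed.sts_creds.secret_key }}"
        security_token: "{{ assumed.sts_creds.session_token }}"
      no_log: true

    # stand-in for the setup_account role: show what it would be handed
    - name: show which roles this account would get
      debug:
        msg: "{{ acc }} ({{ aws_accounts[acc] }}): {{ commonRoles | union(accRoles[acc]) }}"
```

Run it with ansible-playbook against whatever credentials are allowed to assume the target roles; you should get one line per account, e.g. dev with [cloudtrail, cloudwatch_alarms, adfs_developer] and prod with the common roles plus its two ADFS roles. The no_log on the two credential tasks keeps the STS keys out of the console and any log shipping, and because registered results and facts belong to the fake host, not the play, each account's temporary credentials stay with that account's run.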