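---
# Play 1 (runs on the control node): build the IdP node's security group
# rules, create the security group, launch one EC2 instance, register it in
# inventory, publish a private DNS A record and wait until SSH answers.
# Play 2 (runs on the new node): apply the common, swarm and idp roles.
#
# Booleans are written as canonical `true`/`false`; the original used
# yes/no/True/False, which yamllint flags (truthy) and which YAML 1.1 and
# 1.2 parsers do not read identically.
- hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    # One rule per bastion internal IP. The rule list is accumulated in
    # idp_node_rules with `union`, so re-running the play does not add
    # duplicate entries.
    # NOTE(review): cidr_ip is documented as a CIDR; confirm the values in
    # bastion_internal_ip carry a /32 suffix (or that the module adds one).
    - name: Build idp_node_rules security group rules - bastion hosts - SSH tcp/22
      set_fact:
        idp_node_rules: "{{ idp_node_rules | default([]) | union( [{ 'proto': 'tcp' , 'ports': '22', 'cidr_ip': item, 'rule_desc': 'SSH from bastion'}] ) }}"
      loop: "{{ bastion_internal_ip }}"

    # NOTE(review): 192.168.0.0/16 admits every host in that range, which is
    # wider than a single VPC unless the VPC CIDR is exactly that block.
    # Scoping this rule to the VPC's own CIDR, or to the ALB's security
    # group as the source, would limit who can reach port 8080 directly.
    - name: Build idp_node_rules security group rules - ALB port tcp/8080
      set_fact:
        idp_node_rules: "{{ idp_node_rules | default([]) | union( [{ 'proto': 'tcp' , 'ports': '8080', 'cidr_ip': '192.168.0.0/16', 'rule_desc': 'web traffic port 8080'}] ) }}"

    - name: Security group COmanage IdP node
      amazon.aws.ec2_group:
        name: "comanage-idp-node"
        tags:
          Name: "comanage-idp-node"
        description: "COmanage idp node"
        vpc_id: "{{ comanage_training_vpc.vpc.id }}"
        region: "{{ comanage_training_region }}"
        rules: "{{ idp_node_rules }}"
      register: idp_node_sg

    # NOTE(review): amazon.aws.ec2 was removed from the amazon.aws collection
    # in 4.0.0 in favour of amazon.aws.ec2_instance; pin the collection
    # version this playbook was written against or migrate the task.
    - name: Provision COmanage IdP node
      amazon.aws.ec2:
        key_name: "{{ training_node_ssh_key_name }}"
        group_id: "{{ idp_node_sg.group_id }}"
        instance_type: "{{ idp_node_instance_type }}"
        image: "{{ idp_node_ami_id }}"
        region: "{{ comanage_training_region }}"
        # No public IP: the node is reached only via the bastion hosts
        # (SSH rule above) and the private DNS record created below.
        assign_public_ip: false
        instance_initiated_shutdown_behavior: stop
        monitoring: false
        # We only provision into one subnet since we do not need high
        # availability for training.
        vpc_subnet_id: "{{ private_subnet_id_by_az | dictsort | first | last }}"
        volumes:
          - device_name: "{{ idp_node_device_name }}"
            volume_type: "{{ idp_node_volume_type }}"
            volume_size: "{{ idp_node_volume_size }}"
            delete_on_termination: true
        instance_tags:
          Name: "comanage-idp-node"
          private_fqdn: "login-private.{{ r53_dns_domain }}"
          public_fqdn: "login.{{ r53_dns_domain }}"
          # EC2 tag values are strings; quoting keeps the value "True"
          # instead of leaving it to boolean-to-string conversion.
          comanage_training: "True"
          role: idp
        # exact_count + count_tag makes the task idempotent: at most one
        # instance tagged Name=comanage-idp-node exists after the run.
        count_tag:
          Name: "comanage-idp-node"
        exact_count: 1
        wait: true
      register: idp_node

    # The in-memory group is consumed by the second play below.
    - name: Build Ansible inventory host group of IdP node
      add_host:
        name: "{{ idp_node.tagged_instances[0].private_ip }}"
        groups: ssh_idp_node_host

    - name: Create A record entry for IdP node private interface
      community.aws.route53:
        state: present
        zone: "{{ r53_hosted_zone }}"
        record: "{{ idp_node.tagged_instances[0].tags.private_fqdn }}"
        value: "{{ idp_node.tagged_instances[0].private_ip }}"
        type: A
        ttl: 30
        overwrite: true
        wait: false

    # Blocks for up to 300 seconds until the node accepts a connection.
    - name: Wait for SSH to come up on IdP node
      delegate_to: "{{ idp_node.tagged_instances[0].private_ip }}"
      wait_for_connection:
        timeout: 300
      register: idp_node_ssh_connection

    # Extra settle time after SSH is reachable, before configuration starts.
    - name: Pause two minutes for IdP node to come up
      ansible.builtin.pause:
        minutes: 2

- hosts: ssh_idp_node_host
  become: true
  gather_facts: true
  strategy: free
  tasks:
    - import_role:
        name: common
    - import_role:
        name: swarm
    - import_role:
        name: idp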