10 files changed, 170 insertions, 98 deletions

diff --git a/roles/openshift_aws/defaults/main.yml b/roles/openshift_aws/defaults/main.yml
index 8c8227b5e..178e0849c 100644
--- a/roles/openshift_aws/defaults/main.yml
+++ b/roles/openshift_aws/defaults/main.yml
@@ -42,68 +42,93 @@ openshift_aws_ami_tags:
 openshift_aws_s3_mode: create
 openshift_aws_s3_bucket_name: "{{ openshift_aws_clusterid }}-docker-registry"
 
-openshift_aws_elb_health_check:
-  ping_protocol: tcp
-  ping_port: 443
-  response_timeout: 5
-  interval: 30
-  unhealthy_threshold: 2
-  healthy_threshold: 2
-
 openshift_aws_elb_basename: "{{ openshift_aws_clusterid }}"
-openshift_aws_elb_name_dict:
-  master:
-    external: "{{ openshift_aws_elb_basename }}-master-external"
-    internal: "{{ openshift_aws_elb_basename }}-master-internal"
-  infra:
-    external: "{{ openshift_aws_elb_basename }}-infra"
-
-openshift_aws_elb_idle_timout: 400
-openshift_aws_elb_scheme: internet-facing
-openshift_aws_elb_cert_arn: ''
 
 openshift_aws_elb_dict:
   master:
     external:
-    - protocol: tcp
-      load_balancer_port: 80
-      instance_protocol: ssl
-      instance_port: 443
-    - protocol: ssl
-      load_balancer_port: 443
-      instance_protocol: ssl
-      instance_port: 443
-      # ssl certificate required for https or ssl
-      ssl_certificate_id: "{{ openshift_aws_elb_cert_arn }}"
+      cross_az_load_balancing: False
+      health_check:
+        ping_protocol: tcp
+        ping_port: "{{ openshift_master_api_port | default(8443) }}"
+        response_timeout: 5
+        interval: 30
+        unhealthy_threshold: 2
+        healthy_threshold: 2
+      idle_timout: 400
+      listeners:
+      - protocol: tcp
+        load_balancer_port: 80
+        instance_protocol: ssl
+        instance_port: "{{ openshift_master_api_port | default(8443) }}"
+      - protocol: ssl
+        load_balancer_port: "{{ openshift_master_api_port | default(8443) }}"
+        instance_protocol: ssl
+        instance_port: "{{ openshift_master_api_port | default(8443) }}"
+        ssl_certificate_id: ''
+      name: "{{ openshift_aws_elb_basename }}-master-external"
+      tags: "{{ openshift_aws_kube_tags }}"
     internal:
-    - protocol: tcp
-      load_balancer_port: 80
-      instance_protocol: tcp
-      instance_port: 80
-    - protocol: tcp
-      load_balancer_port: 443
-      instance_protocol: tcp
-      instance_port: 443
+      cross_az_load_balancing: False
+      health_check:
+        ping_protocol: tcp
+        ping_port: "{{ openshift_master_api_port | default(8443) }}"
+        response_timeout: 5
+        interval: 30
+        unhealthy_threshold: 2
+        healthy_threshold: 2
+      idle_timout: 400
+      listeners:
+      - protocol: tcp
+        load_balancer_port: 80
+        instance_protocol: tcp
+        instance_port: 80
+      - protocol: tcp
+        load_balancer_port: "{{ openshift_master_api_port | default(8443) }}"
+        instance_protocol: tcp
+        instance_port: "{{ openshift_master_api_port | default(8443) }}"
+      name: "{{ openshift_aws_elb_basename }}-master-internal"
+      tags: "{{ openshift_aws_kube_tags }}"
   infra:
     external:
-    - protocol: tcp
-      load_balancer_port: 80
-      instance_protocol: tcp
-      instance_port: 443
-      proxy_protocol: True
-    - protocol: tcp
-      load_balancer_port: 443
-      instance_protocol: tcp
-      instance_port: 443
-      proxy_protocol: True
+      cross_az_load_balancing: False
+      health_check:
+        ping_protocol: tcp
+        ping_port: 443
+        response_timeout: 5
+        interval: 30
+        unhealthy_threshold: 2
+        healthy_threshold: 2
+      idle_timout: 400
+      listeners:
+      - protocol: tcp
+        load_balancer_port: 80
+        instance_protocol: tcp
+        instance_port: 443
+        proxy_protocol: True
+      - protocol: tcp
+        load_balancer_port: 443
+        instance_protocol: tcp
+        instance_port: 443
+        proxy_protocol: True
+      name: "{{ openshift_aws_elb_basename }}-infra"
+      tags: "{{ openshift_aws_kube_tags }}"
 
 openshift_aws_node_group_config_master_volumes:
+- device_name: /dev/sda1
+  volume_size: 100
+  device_type: gp2
+  delete_on_termination: False
 - device_name: /dev/sdb
   volume_size: 100
   device_type: gp2
   delete_on_termination: False
 
 openshift_aws_node_group_config_node_volumes:
+- device_name: /dev/sda1
+  volume_size: 100
+  device_type: gp2
+  delete_on_termination: True
 - device_name: /dev/sdb
   volume_size: 100
   device_type: gp2
@@ -164,7 +189,7 @@ openshift_aws_master_group_config:
     iam_role: "{{ openshift_aws_iam_role_name }}"
     policy_name: "{{ openshift_aws_iam_role_policy_name }}"
     policy_json: "{{ openshift_aws_iam_role_policy_json }}"
-    elbs: "{{ openshift_aws_elb_name_dict['master'].keys()| map('extract', openshift_aws_elb_name_dict['master']) | list }}"
+    elbs: "{{ openshift_aws_elb_dict | json_query('master.[*][0][*].name') }}"
 
 openshift_aws_node_group_config:
   # The 'compute' key is always required here.
@@ -197,10 +222,7 @@ openshift_aws_node_group_config:
     iam_role: "{{ openshift_aws_iam_role_name }}"
     policy_name: "{{ openshift_aws_iam_role_policy_name }}"
     policy_json: "{{ openshift_aws_iam_role_policy_json }}"
-    elbs: "{{ openshift_aws_elb_name_dict['infra'].keys()| map('extract', openshift_aws_elb_name_dict['infra']) | list }}"
-
-openshift_aws_elb_tags: "{{ openshift_aws_kube_tags }}"
-openshift_aws_elb_az_load_balancing: False
+    elbs: "{{ openshift_aws_elb_dict | json_query('infra.[*][0][*].name') }}"
 
 # build_instance_tags is a custom filter in role lib_utils
 openshift_aws_kube_tags: "{{ openshift_aws_clusterid | build_instance_tags }}"
@@ -245,8 +267,8 @@ openshift_aws_node_security_groups:
       to_port: 80
       cidr_ip: 0.0.0.0/0
     - proto: tcp
-      from_port: 443
-      to_port: 443
+      from_port: "{{ openshift_master_api_port | default(8443) }}"
+      to_port: "{{ openshift_master_api_port | default(8443) }}"
       cidr_ip: 0.0.0.0/0
   compute:
     name: "{{ openshift_aws_clusterid }}_compute"
@@ -260,8 +282,8 @@ openshift_aws_node_security_groups:
       to_port: 80
       cidr_ip: 0.0.0.0/0
     - proto: tcp
-      from_port: 443
-      to_port: 443
+      from_port: "{{ openshift_master_api_port | default(8443) }}"
+      to_port: "{{ openshift_master_api_port | default(8443) }}"
       cidr_ip: 0.0.0.0/0
     - proto: tcp
       from_port: 30000
@@ -274,8 +296,6 @@ openshift_aws_node_security_groups:
 openshift_aws_vpc_tags:
   Name: "{{ openshift_aws_vpc_name }}"
 
-openshift_aws_subnet_az: us-east-1c
-
 openshift_aws_vpc:
   name: "{{ openshift_aws_vpc_name }}"
   cidr: 172.31.0.0/16
@@ -283,13 +303,20 @@ openshift_aws_vpc:
     us-east-1:
     - cidr: 172.31.48.0/20
       az: "us-east-1c"
+      default_az: true
     - cidr: 172.31.32.0/20
       az: "us-east-1e"
     - cidr: 172.31.16.0/20
       az: "us-east-1a"
 
+openshift_aws_subnet_az: "{{ openshift_aws_vpc.subnets[openshift_aws_region] | get_default_az }}"
+
 openshift_aws_node_run_bootstrap_startup: True
 openshift_aws_node_user_data: ''
 openshift_aws_node_config_namespace: openshift-node
 
 openshift_aws_masters_groups: masters,etcd,nodes
+
+# By default, don't delete things like the shared IAM instance
+# profile and uploaded ssh keys
+openshift_aws_enable_uninstall_shared_objects: False
diff --git a/roles/openshift_aws/tasks/accept_nodes.yml b/roles/openshift_aws/tasks/accept_nodes.yml
index c2a2cea30..db30fe5c9 100644
--- a/roles/openshift_aws/tasks/accept_nodes.yml
+++ b/roles/openshift_aws/tasks/accept_nodes.yml
@@ -1,4 +1,6 @@
 ---
+- include_tasks: setup_master_group.yml
+
 - name: fetch masters
   ec2_instance_facts:
     region: "{{ openshift_aws_region | default('us-east-1') }}"
@@ -36,4 +38,4 @@
     nodes: "{{ instancesout.instances|map(attribute='private_dns_name') | list  }}"
     timeout: 60
   register: nodeout
-  delegate_to: "{{ mastersout.instances[0].public_ip_address }}"
+  delegate_to: "{{ groups.masters.0 }}"
diff --git a/roles/openshift_aws/tasks/elb.yml b/roles/openshift_aws/tasks/elb.yml
index 5d371ec7a..d8257cf31 100644
--- a/roles/openshift_aws/tasks/elb.yml
+++ b/roles/openshift_aws/tasks/elb.yml
@@ -5,18 +5,18 @@
 
 - name: "Create ELB {{ l_elb_dict_item.key }}"
   ec2_elb_lb:
-    name: "{{ l_openshift_aws_elb_name_dict[l_elb_dict_item.key][item.key] }}"
+    name: "{{ item.value.name }}"
     state: present
-    cross_az_load_balancing: "{{ openshift_aws_elb_az_load_balancing }}"
+    cross_az_load_balancing: "{{ item.value.cross_az_load_balancing }}"
     security_group_names: "{{ l_elb_security_groups[l_elb_dict_item.key] }}"
-    idle_timeout: "{{ openshift_aws_elb_idle_timout }}"
+    idle_timeout: "{{ item.value.idle_timout }}"
     region: "{{ openshift_aws_region }}"
     subnets:
     - "{{ subnetout.subnets[0].id }}"
-    health_check: "{{ openshift_aws_elb_health_check }}"
-    listeners: "{{ item.value }}"
-    scheme: "{{ openshift_aws_elb_scheme }}"
-    tags: "{{ openshift_aws_elb_tags }}"
+    health_check: "{{ item.value.health_check }}"
+    listeners: "{{ item.value.listeners }}"
+    scheme: "{{ (item.key == 'internal') | ternary('internal','internet-facing') }}"
+    tags: "{{ item.value.tags }}"
     wait: True
   register: new_elb
   with_dict: "{{ l_elb_dict_item.value }}"
diff --git a/roles/openshift_aws/tasks/master_facts.yml b/roles/openshift_aws/tasks/master_facts.yml
index 530b0134d..c2e362acd 100644
--- a/roles/openshift_aws/tasks/master_facts.yml
+++ b/roles/openshift_aws/tasks/master_facts.yml
@@ -3,7 +3,7 @@
   ec2_elb_facts:
     region: "{{ openshift_aws_region }}"
     names:
-    - "{{ openshift_aws_elb_name_dict['master']['internal'] }}"
+    - "{{ openshift_aws_elb_dict['master']['internal']['name'] }}"
   delegate_to: localhost
   register: elbs
 
diff --git a/roles/openshift_aws/tasks/provision.yml b/roles/openshift_aws/tasks/provision.yml
index 786a2e4cf..2b5f317d8 100644
--- a/roles/openshift_aws/tasks/provision.yml
+++ b/roles/openshift_aws/tasks/provision.yml
@@ -1,23 +1,6 @@
 ---
-- when: openshift_aws_create_iam_cert | bool
-  name: create the iam_cert for elb certificate
-  include_tasks: iam_cert.yml
-
-- when: openshift_aws_create_s3 | bool
-  name: create s3 bucket for registry
-  include_tasks: s3.yml
-
 - include_tasks: vpc_and_subnet_id.yml
 
-- name: create elbs
-  include_tasks: elb.yml
-  with_dict: "{{ openshift_aws_elb_dict }}"
-  vars:
-    l_elb_security_groups: "{{ openshift_aws_elb_security_groups }}"
-    l_openshift_aws_elb_name_dict: "{{ openshift_aws_elb_name_dict }}"
-  loop_control:
-    loop_var: l_elb_dict_item
-
 - name: include scale group creation for master
   include_tasks: build_node_group.yml
   with_items: "{{ openshift_aws_master_group }}"
diff --git a/roles/openshift_aws/tasks/provision_elb.yml b/roles/openshift_aws/tasks/provision_elb.yml
new file mode 100644
index 000000000..fcc49c3ea
--- /dev/null
+++ b/roles/openshift_aws/tasks/provision_elb.yml
@@ -0,0 +1,14 @@
+---
+- when: openshift_aws_create_iam_cert | bool
+  name: create the iam_cert for elb certificate
+  include_tasks: iam_cert.yml
+
+- include_tasks: vpc_and_subnet_id.yml
+
+- name: create elbs
+  include_tasks: elb.yml
+  with_dict: "{{ openshift_aws_elb_dict }}"
+  vars:
+    l_elb_security_groups: "{{ openshift_aws_elb_security_groups }}"
+  loop_control:
+    loop_var: l_elb_dict_item
diff --git a/roles/openshift_aws/tasks/provision_nodes.yml b/roles/openshift_aws/tasks/provision_nodes.yml
index d82f18574..9105b5b4c 100644
--- a/roles/openshift_aws/tasks/provision_nodes.yml
+++ b/roles/openshift_aws/tasks/provision_nodes.yml
@@ -2,25 +2,12 @@
 # Get bootstrap config token
 # bootstrap should be created on first master
 # need to fetch it and shove it into cloud data
-- name: fetch master instances
-  ec2_instance_facts:
-    region: "{{ openshift_aws_region }}"
-    filters:
-      "tag:clusterid": "{{ openshift_aws_clusterid }}"
-      "tag:host-type": master
-      instance-state-name: running
-  register: instancesout
-  retries: 20
-  delay: 3
-  until:
-  - "'instances' in instancesout"
-  - instancesout.instances|length > 0
+- include_tasks: setup_master_group.yml
 
 - name: slurp down the bootstrap.kubeconfig
   slurp:
     src: /etc/origin/master/bootstrap.kubeconfig
-  delegate_to: "{{ instancesout.instances[0].public_ip_address }}"
-  remote_user: root
+  delegate_to: "{{ groups.masters.0 }}"
   register: bootstrap
 
 - name: set_fact for kubeconfig token
diff --git a/roles/openshift_aws/tasks/uninstall_security_group.yml b/roles/openshift_aws/tasks/uninstall_security_group.yml
new file mode 100644
index 000000000..55d40e8ec
--- /dev/null
+++ b/roles/openshift_aws/tasks/uninstall_security_group.yml
@@ -0,0 +1,14 @@
+---
+- name: delete the node group sgs
+  oo_ec2_group:
+    state: absent
+    name: "{{ item.value.name}}"
+    region: "{{ openshift_aws_region }}"
+  with_dict: "{{ openshift_aws_node_security_groups }}"
+
+- name: delete the k8s sgs for the node group
+  oo_ec2_group:
+    state: absent
+    name: "{{ item.value.name }}_k8s"
+    region: "{{ openshift_aws_region }}"
+  with_dict: "{{ openshift_aws_node_security_groups }}"
diff --git a/roles/openshift_aws/tasks/uninstall_ssh_keys.yml b/roles/openshift_aws/tasks/uninstall_ssh_keys.yml
new file mode 100644
index 000000000..27e42da53
--- /dev/null
+++ b/roles/openshift_aws/tasks/uninstall_ssh_keys.yml
@@ -0,0 +1,9 @@
+---
+- name: Remove the public keys for the user(s)
+  ec2_key:
+    state: absent
+    name: "{{ item.key_name }}"
+    region: "{{ openshift_aws_region }}"
+  with_items: "{{ openshift_aws_users }}"
+  no_log: True
+  when: openshift_aws_enable_uninstall_shared_objects | bool
diff --git a/roles/openshift_aws/tasks/uninstall_vpc.yml b/roles/openshift_aws/tasks/uninstall_vpc.yml
new file mode 100644
index 000000000..ecf39f694
--- /dev/null
+++ b/roles/openshift_aws/tasks/uninstall_vpc.yml
@@ -0,0 +1,36 @@
+---
+- name: Fetch the VPC for the vpc.id
+  ec2_vpc_net_facts:
+    region: "{{ openshift_aws_region }}"
+    filters:
+      "tag:Name": "{{ openshift_aws_clusterid }}"
+  register: vpcout
+- debug:
+    var: vpcout
+    verbosity: 1
+
+- when: vpcout.vpcs | length > 0
+  block:
+  - name: delete the vpc igw
+    ec2_vpc_igw:
+      state: absent
+      region: "{{ openshift_aws_region }}"
+      vpc_id: "{{ vpcout.vpcs[0].id }}"
+    register: igw
+
+  - name: delete the vpc subnets
+    ec2_vpc_subnet:
+      state: absent
+      region: "{{ openshift_aws_region }}"
+      vpc_id: "{{ vpcout.vpcs[0].id }}"
+      cidr: "{{ item.cidr }}"
+      az: "{{ item.az }}"
+    with_items: "{{ openshift_aws_vpc.subnets[openshift_aws_region] }}"
+
+  - name: Delete AWS VPC
+    ec2_vpc_net:
+      state: absent
+      region: "{{ openshift_aws_region }}"
+      name: "{{ openshift_aws_clusterid }}"
+      cidr_block: "{{ openshift_aws_vpc.cidr }}"
+    register: vpc