Right now, we have a custom infofas.py in https://pagure.io/fedora-infra/ansible which implements just this:
infofas.py
--- ipsilon/info/infofas.py 2020-08-25 15:18:14.576365008 +0200
+++ /home/nils/src/fedora-infra/ansible/roles/ipsilon/files/infofas.py 2020-02-29 19:47:01.911344737 +0100
@@ -37,6 +37,24 @@
 fas_mapper = Policy(fas_mapping)
+aws_idp_arn = 'arn:aws:iam::125523088429:saml-provider/id.fedoraproject.org'
+aws_groups = {
+ 'aws-master': 'arn:aws:iam::125523088429:role/aws-master',
+ 'aws-iam': 'arn:aws:iam::125523088429:role/aws-iam',
+ 'aws-billing': 'arn:aws:iam::125523088429:role/aws-billing',
+ 'aws-atomic': 'arn:aws:iam::125523088429:role/aws-atomic',
+ 'aws-s3-readonly': 'arn:aws:iam::125523088429:role/aws-s3-readonly',
+ 'aws-fedoramirror': 'arn:aws:iam::125523088429:role/aws-fedoramirror',
+ 'aws-s3': 'arn:aws:iam::125523088429:role/aws-s3',
+ 'aws-cloud-poc': 'arn:aws:iam::125523088429:role/aws-cloud-poc',
+ 'aws-infra': 'arn:aws:iam::125523088429:role/aws-infra',
+ 'aws-docs': 'arn:aws:iam::125523088429:role/aws-docs',
+ 'aws-copr': 'arn:aws:iam::125523088429:role/aws-copr',
+ 'aws-centos': 'arn:aws:iam::125523088429:role/aws-centos',
+ 'aws-min': 'arn:aws:iam::125523088429:role/aws-min',
+ 'aws-fedora-ci': 'arn:aws:iam::125523088429:role/aws-fedora-ci',
+}
+
 def fas_make_userdata(fas_data):
 userdata, fas_extra = fas_mapper.map_attributes(fas_data)
@@ -60,6 +78,12 @@
 else:
 userdata['_groups'].append(group['name'])
+ userdata['_extras']['awsroles'] = []
+ for group in userdata['_groups']:
+ if group in aws_groups:
+ userdata['_extras']['awsroles'].append(
+ '%s,%s' % (aws_idp_arn, aws_groups[group]))
+
 return userdata
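Review bot: The `aws_groups` table has no comment saying that each key is a FAS group name and that membership in that group is the only condition checked before the mapped IAM role is handed out (the second hunk tests just `if group in aws_groups:`). That matters most for the `aws-master` and `aws-iam` entries, where control over who can join the FAS group presumably becomes control over the AWS account once the value is released in the SAML assertion. I would add above the dict `# FAS group name -> IAM role ARN. Group membership is the only check before the role is asserted to AWS, so who may approve members of these groups must be restricted accordingly.` As a smaller style point, the account id is repeated in every literal; one prefix constant joined with the role name would keep a single entry from drifting.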
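Review bot: The new loop turns every name in `userdata['_groups']` into a role grant, but the code that fills `_groups` begins outside this hunk (only its `else:` branch is visible), so it cannot be confirmed here that pending or unapproved memberships are excluded before the lookup. A comment at the loop would pin that requirement: `# _groups must hold approved memberships only; every match below becomes an AWS role the user may assume`. The assignment `userdata['_extras']['awsroles'] = []` also assumes `userdata['_extras']` already exists, which the visible lines do not show. fas_make_userdata starts outside the hunk.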
We should find a way to make these customizations configurable rather than replacing source code files wholesale.
Sounds like it would be really easy to provide a JSON config file to be read by fas_make_userdata. If you propose a patch, I'll review it.
Metadata Update from @simo: - Custom field component adjusted to None - Custom field type adjusted to None - Custom field version adjusted to None