puppetlabs-toy-chest / puppetlabs-aws

Puppet module for managing AWS resources to build out infrastructure
Apache License 2.0

Route 53, elastic IP, IAM Instance Profile use case #111

Closed danieldreier closed 9 years ago

danieldreier commented 9 years ago

I'm trying to get new nodes provisioned using this module to get DNS records based on their hostname automatically. The way I'm going about it is by having each node include a profile:

# Registers an A record for this node in the delegated Route 53 zone.
class profile::aws::autodns (
  $ttl = 300
){
  # Only nodes in the delegated subdomain register themselves.
  if $::domain == 'aws.puppetlabs.com' {
    route53_a_record { $::fqdn:
      ensure => present,
      zone   => $::domain,
      ttl    => $ttl,
      values => $::ipaddress,
    }
  }
}

I would prefer to assign this during initial provisioning, but I can't think of a good way to get the node's IP address at that stage. Consequently, this resource will be applied on the node, which does not have AWS credentials by default. I believe the best way to provide that access is via an IAM instance profile, more docs at http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html, with which I can selectively grant access to the aws.puppetlabs.com Route 53 domain (it's a delegated subdomain) so the node can register its own name.

This IAM instance profile will also be useful/necessary in order to allow load balancers to re-assign an elastic IP to themselves for failover. I'm using three haproxy load balancers, one in each AZ, and using unicast keepalived for health checks. Load balancers will use the AWS CLI or a puppet apply using this module to take over the EIP when they get master status via VRRP election.

As a workaround, I'm creating IAM users with the necessary permissions and putting hiera-eyaml-encrypted secret access keys into hiera, to give those nodes access. It would be much more elegant to automatically provide access. All I would need is a way to specify the IAM JSON; I don't necessarily need a lot of DSL abstracting that.
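As an added illustration (not code from this issue or from the module), here is the kind of least-privilege policy document such an instance profile could carry: it lets a node look up the delegated zone and change only A records under aws.puppetlabs.com, and lets the load balancers reassociate one Elastic IP. The hosted zone ID, region, account ID and allocation ID are placeholders, the set of Route 53 calls the provider needs is an assumption, and the route53:ChangeResourceRecordSets* condition keys were added by AWS well after this issue was filed.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LookUpDelegatedZone",
      "Effect": "Allow",
      "Action": ["route53:ListHostedZones", "route53:ListHostedZonesByName"],
      "Resource": "*"
    },
    {
      "Sid": "ReadDelegatedZone",
      "Effect": "Allow",
      "Action": ["route53:GetHostedZone", "route53:ListResourceRecordSets"],
      "Resource": "arn:aws:route53:::hostedzone/HOSTEDZONEID_PLACEHOLDER"
    },
    {
      "Sid": "RegisterOwnARecordOnly",
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/HOSTEDZONEID_PLACEHOLDER",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsRecordTypes": ["A"]
        },
        "ForAllValues:StringLike": {
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": ["*.aws.puppetlabs.com"]
        }
      }
    },
    {
      "Sid": "DescribeElasticIps",
      "Effect": "Allow",
      "Action": "ec2:DescribeAddresses",
      "Resource": "*"
    },
    {
      "Sid": "FailoverOneElasticIp",
      "Effect": "Allow",
      "Action": ["ec2:AssociateAddress", "ec2:DisassociateAddress"],
      "Resource": [
        "arn:aws:ec2:REGION_PLACEHOLDER:ACCOUNTID_PLACEHOLDER:elastic-ip/eipalloc-PLACEHOLDER",
        "arn:aws:ec2:REGION_PLACEHOLDER:ACCOUNTID_PLACEHOLDER:instance/*",
        "arn:aws:ec2:REGION_PLACEHOLDER:ACCOUNTID_PLACEHOLDER:network-interface/*"
      ]
    }
  ]
}
```

Attach this to the role behind the instance profile rather than to per-node IAM users, so no long-lived access keys need to live in hiera; if a provider turns out to need an extra list or describe call, add that call alone rather than widening the change statement.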

garethr commented 9 years ago

I think the PR from @pjfoley supports this: https://github.com/puppetlabs/puppetlabs-aws/pull/59

danieldreier commented 9 years ago

@garethr you're correct - I'd missed that, so I'll close this.