Create a rabbit/user role

playbooks/groups/koji-hub.yml

@@ -79,6 +79,9 @@
     nfs_src_dir: 'fedora_koji'
     when: env == 'staging' and inventory_hostname.startswith('koji')
   - sudo
+  - role: rabbit/user
+    username: "koji{{ env_suffix }}"
+    when: env == 'staging'
 
   tasks:
   - import_tasks: "{{ tasks_path }}/2fa_client.yml"
@@ -110,30 +113,3 @@
 
   handlers:
   - import_tasks: "{{ handlers_path }}/restart_services.yml"
-
-
-# Setup the rabbitmq user so fedora-messaging can send messages
-- name: setup RabbitMQ
-  hosts: rabbitmq-stg[0]
-  #hosts: rabbitmq[0]:rabbitmq-stg[0]
-  user: root
-  gather_facts: False
-
-  vars_files:
-    - /srv/web/infra/ansible/vars/global.yml
-    - "/srv/private/ansible/vars.yml"
-    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
-
-  tasks:
-    - name: Create the RabbitMQ user
-      when: env == 'staging'
-      rabbitmq_user:
-        user: "koji{{ env_suffix }}"
-        vhost: /pubsub
-        read_priv: "^$"
-        write_priv: "amq\\.topic"
-        configure_priv: "^$"
-        state: present
-      tags:
-        - config
-        - fedora-messaging

playbooks/openshift-apps/release-monitoring.yml

@@ -1,26 +1,3 @@
-# Create the RabbitMQ users
-
-- name: setup RabbitMQ
-  hosts: rabbitmq[0]:rabbitmq-stg[0]
-  user: root
-  gather_facts: False
-
-  vars_files:
-    - /srv/web/infra/ansible/vars/global.yml
-    - "/srv/private/ansible/vars.yml"
-    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
-
-  tasks:
-    - name: Create the RabbitMQ user
-      rabbitmq_user:
-        user: "anitya{{ env_suffix }}"
-        vhost: /pubsub
-        read_priv: "^anitya.*$"
-        write_priv: "amq.topic"
-        configure_priv: "^$"
-      tags:
-        - config
-
 # Deploy the app
 
 - name: make the app be real
@@ -34,6 +11,8 @@
     - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
 
   roles:
+  - role: rabbit/user
+    username: "anitya{{ env_suffix }}"
   - role: openshift/project
     app: release-monitoring
     description: release-monitoring

roles/rabbit/user/defaults/main.yml

@@ -0,0 +1,2 @@
+rabbitmq_server: "rabbitmq01{{ env_suffix }}.phx2.fedoraproject.org"
+vhost: /pubsub

roles/rabbit/user/tasks/main.yml

@@ -0,0 +1,25 @@
+---
+
+# Ensure a user exists in RabbitMQ with permissions to only publish.
+# This is intended to be something most applications can use, but if you need
+# more flexibility, just use the rabbitmq_user module directly.
+#
+# Required parameters:
+#
+#   - username (str): the username to create in RabbitMQ, which should match the
+#                     CN of the certificate.
+
+# See https://www.rabbitmq.com/access-control.html#permissions for details on
+# the RabbitMQ permissions configuration.
+- name: Create the user in RabbitMQ
+  delegate_to: "{{ rabbitmq_server }}"
+  rabbitmq_user:
+    user: "{{ username }}"
+    vhost: "{{ vhost }}"
+    read_priv: "^$"  # Publish only, no reading
+    write_priv: "amq\\.topic"
+    configure_priv: "^$"  # No configuration permissions
+    state: present
+  tags:
+    - config
+    - fedora-messaging