agnosticd · wkulhanek · May 23, 2026
@@ -128,9 +128,25 @@
         aws_secret_access_key = {{ aws_secret_access_key }}
 
   - name: Call role to destroy the OpenShift cluster
-    when: bwait is successful
+    when:
+    - bwait is successful
+    - host_ocp4_deploy_installation_method != 'rosa'
     ansible.builtin.include_role:
       name: host_ocp4_destroy
 
+- name: Destroy ROSA cluster
+  hosts: bastions
+  gather_facts: false
+  become: false
+  environment:
+    AWS_ACCESS_KEY_ID: "{{ aws_access_key_id }}"
+    AWS_SECRET_ACCESS_KEY: "{{ aws_secret_access_key }}"
+    AWS_DEFAULT_REGION: "{{ aws_region_final | default(aws_region) }}"
+  tasks:
+  - name: Destroy ROSA cluster
+    when: host_ocp4_deploy_installation_method == 'rosa'
+    ansible.builtin.include_role:
+      name: host_ocp4_rosa_destroy
+
 - name: Import default aws destroy playbook
   ansible.builtin.import_playbook: "../../../cloud_providers/aws/destroy_env.yml"
@@ -119,6 +119,7 @@ cluster_dns_zone: "{{ guid }}.{{ base_domain }}"
 # - openshift_install
 # - openshift_assisted
 # - openshift_hcp_cnv
+# - rosa
 host_ocp4_deploy_installation_method: openshift_install
 
 # Types of Nodes (workers / control_planes) are set in the
@@ -170,3 +171,48 @@ remove_workloads: []
 # Remove mint-mode cloud credentials at end of provision
 # https://docs.redhat.com/en/documentation/openshift_container_platform/4.21/html/authentication_and_authorization/managing-cloud-provider-credentials
 remove_mint_mode_cloud_provider_credentials: true
+
+# -------------------------------------------------
+# ROSA (Red Hat OpenShift Service on AWS)
+# -------------------------------------------------
+
+# Cluster name for ROSA
+rosa_cluster_name: "rosa-{{ guid }}"
+
+# ROSA token - must come from secrets
+# rosa_token: ""
+
+# Version of ROSA to deploy
+# Options: default, latest, latest-upgrade, or specific (e.g. 4.20.3)
+rosa_version: default
+
+# Base version for latest/latest-upgrade resolution
+rosa_version_base: "openshift-v4.20"
+
+# ROSA CLI version and download URL
+rosa_installer_version: latest
+# rosa_installer_version: "1.2.53"
+rosa_installer_url: >-
+  https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/rosa/{{ rosa_installer_version }}/rosa-linux.tar.gz
+
+# Set up cluster-admin user on the cluster
+rosa_setup_cluster_admin: true
+
+# Log cluster-admin into OpenShift on bastion (creates .kube/config)
+rosa_setup_cluster_admin_login: false
+
+# Terraform for ROSA networking
+rosa_terraform_version: "1.15.3"
+rosa_terraform_url: >-
+  https://releases.hashicorp.com/terraform/{{ rosa_terraform_version }}/terraform_{{ rosa_terraform_version }}_linux_amd64.zip
+rosa_terraform_repo: https://github.com/openshift-cs/terraform-vpc-example
+rosa_terraform_repo_branch: main
+
+# AWS billing account ID (required for ROSA, comes from sandbox)
+# aws_billing_account_id: ""
+
+# Networking CIDRs (empty = use ROSA defaults)
+rosa_machine_cidr: ""
+rosa_service_cidr: ""
+rosa_pod_cidr: ""
+rosa_host_prefix: ""
@@ -67,6 +67,8 @@
   gather_facts: false
   tasks:
   - name: Approve CertificateSigningRequests
-    when: hostvars[groups['bastions'][0]]['r_wait'] is successful
+    when:
+    - hostvars[groups['bastions'][0]]['r_wait'] is successful
+    - host_ocp4_deploy_installation_method != 'rosa'
     ansible.builtin.include_role:
       name: ocp4_approve_certificate_signing_requests
@@ -11,7 +11,9 @@
       msg: "Post-Software Steps starting"
 
   - name: Remove AWS Credentials from bastion
-    when: cloud_provider == 'aws'
+    when:
+    - cloud_provider == 'aws'
+    - host_ocp4_deploy_installation_method != 'rosa'
     ansible.builtin.file:
       path: "/home/{{ ansible_user }}/.aws/credentials"
       state: absent
@@ -48,6 +50,16 @@
   environment:
     KUBECONFIG: "{{ hostvars.localhost.output_dir }}/{{ config }}_{{ guid }}_kubeconfig"
   tasks:
+  - name: Wait for OpenShift API to be reachable
+    kubernetes.core.k8s_info:
+      api_version: config.openshift.io/v1
+      kind: Infrastructure
+      name: cluster
+    register: r_api_check
+    retries: 30
+    delay: 10
+    until: r_api_check is success
+
   - name: Setup cluster-admin service account
     when: openshift_cluster_admin_service_account_enable | bool
     ansible.builtin.include_role:
@@ -75,7 +87,9 @@
     KUBECONFIG: "{{ hostvars.localhost.output_dir }}/{{ config }}_{{ guid }}_kubeconfig"
   tasks:
   - name: Remove mint-mode cloud provider credentials
-    when: remove_mint_mode_cloud_provider_credentials | bool
+    when:
+    - remove_mint_mode_cloud_provider_credentials | bool
+    - host_ocp4_deploy_installation_method != 'rosa'
     kubernetes.core.k8s:
       state: absent
       api_version: v1

@@ -9,18 +9,29 @@
     ansible.builtin.debug:
       msg: "Step 000 Pre Infrastructure"
 
-  - name: Ensure variables are set
+  - name: Ensure pull secret is set
+    when: host_ocp4_deploy_installation_method != 'rosa'
     ansible.builtin.assert:
       that: ocp4_pull_secret | default("") | length > 0
       fail_msg: ocp4_pull_secret variable must be defined
       success_msg: ocp4_pull_secret variable is defined
       quiet: true
 
+  - name: Ensure ROSA token is set
+    when: host_ocp4_deploy_installation_method == 'rosa'
+    ansible.builtin.assert:
+      that: rosa_token | default("") | length > 0
+      fail_msg: rosa_token variable must be defined for ROSA deployments
+      success_msg: rosa_token variable is defined
+      quiet: true
+
   - name: AWS Pre Infrastructure tasks
     when: cloud_provider == "aws"
     block:
     - name: Set availability zones for Cloudformation and install-config.yml
-      when: agnosticd_aws_capacity_reservation_results.reservations | default({}) | length > 0
+      when:
+      - agnosticd_aws_capacity_reservation_results.reservations | default({}) | length > 0
+      - host_ocp4_deploy_installation_method != 'rosa'
       block:
       - name: Set availability zone for bastion, control_plane, and worker nodes
         vars:

@@ -0,0 +1,81 @@
+---
+# ===================================================================
+# Mandatory Variables
+# ===================================================================
+cloud_provider: aws
+config: openshift-cluster
+host_ocp4_deploy_installation_method: rosa
+# ===================================================================
+# End Mandatory Variables
+# ===================================================================
+
+# ===================================================================
+# AWS Specific settings
+# ===================================================================
+aws_region: us-east-2
+
+cloud_tags:
+- owner: wkulhane@redhat.com
+- Purpose: development
+- config: "{{ config }}"
+- guid: "{{ guid }}"
+
+# -------------------------------------------------------------------
+# Set authorized keys on all created instances
+# -------------------------------------------------------------------
+host_ssh_authorized_keys:
+- key: https://github.com/wkulhanek.keys
+
+# ===================================================================
+# ROSA settings
+# ===================================================================
+
+# ROSA token from cloud.redhat.com/openshift/token/rosa
+# Must be provided via secrets
+# rosa_token: ""
+
+# AWS billing account ID - required for ROSA
+# Must be provided via secrets or sandbox
+# aws_billing_account_id: ""
+
+# ROSA version: default, latest, latest-upgrade, or specific
+rosa_version: default
+rosa_version_base: "openshift-v4.20"
+
+# Set up cluster-admin and log in on bastion
+rosa_setup_cluster_admin: true
+rosa_setup_cluster_admin_login: true
+
+# -------------------------------------------------------------------
+# Bastion VM settings
+# -------------------------------------------------------------------
+bastion_setup_student_user: true
+bastion_student_user_name: rosa
+
+# ROSA only needs a bastion - no control plane or worker instances
+agnosticd_aws_capacity_reservation_enable: false
+control_plane_instance_count: 0
+worker_instance_count: 0
+
+# Simplified instances list - bastion only
+instances:
+- name: bastion
+  count: 1
+  unique: true
+  public_dns: true
+  image: "{{ bastion_instance_image }}"
+  flavor:
+    ec2: t3a.small
+  tags:
+  - key: AnsibleGroup
+    value: bastions
+  - key: Purpose
+    value: "{{ purpose }}"
+  rootfs_size: 30
+  security_groups:
+  - BastionSG
+
+# -------------------------------------------------------------------
+# Workloads
+# -------------------------------------------------------------------
+workloads: []
@@ -0,0 +1,8 @@
+---
+- name: Install ROSA cluster on bastion
+  delegate_to: "{{ groups['bastions'][0] }}"
+  block:
+  - name: Call role to install ROSA cluster
+    when: host_ocp4_deploy_install_ocp4 | default(true) | bool
+    ansible.builtin.include_role:
+      name: host_ocp4_rosa_install
@@ -0,0 +1,11 @@
+---
+rosa_cluster_name: "rosa-{{ guid }}"
+
+rosa_installer_version: "1.2.53"
+rosa_installer_url: >-
+  https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/rosa/{{ rosa_installer_version }}/rosa-linux.tar.gz
+rosa_binary_path: /usr/local/bin
+
+rosa_terraform_version: "1.11.2"
+rosa_terraform_url: >-
+  https://releases.hashicorp.com/terraform/{{ rosa_terraform_version }}/terraform_{{ rosa_terraform_version }}_linux_amd64.zip
@@ -0,0 +1,36 @@
+---
+- name: Delete ROSA cluster {{ item.name }}
+  ansible.builtin.command: >-
+    {{ rosa_binary_path }}/rosa delete cluster
+    --cluster {{ item.name }}
+    --yes
+  register: r_rosa_delete
+  failed_when: >-
+    r_rosa_delete.rc != 0
+    and 'ERR: There is no cluster with identifier or name' not in r_rosa_delete.stderr
+
+- name: Wait for ROSA cluster {{ item.name }} deletion
+  ansible.builtin.shell: |
+    for i in $(seq 1 30); do
+      {{ rosa_binary_path }}/rosa describe cluster --cluster {{ item.name }} 2>&1
+      if [ $? -ne 0 ]; then
+        echo "Cluster {{ item.name }} has been deleted"
+        exit 0
+      fi
+      echo "Attempt $i: cluster still exists, waiting..."
+      sleep 60
+    done
+    echo "Timed out waiting for cluster deletion"
+    exit 1
+  register: r_rosa_cluster_status
+  changed_when: false
+  async: 2400
+  poll: 30
+
+- name: Force ROSA cluster {{ item.name }} removal
+  when: r_rosa_cluster_status.rc != 0
+  ansible.builtin.command: >-
+    {{ rosa_binary_path }}/rosa delete cluster
+    --cluster {{ item.name }}
+    --yes
+    --best-effort=true
@@ -0,0 +1,42 @@
+---
+- name: Check if terraform archive exists in output dir
+  ansible.builtin.stat:
+    path: "{{ output_dir }}/terraform-vpc.tar.gz"
+  register: r_terraform_archive
+
+- name: Destroy Terraform VPC resources
+  when: r_terraform_archive.stat.exists
+  block:
+  - name: Install Terraform
+    ansible.builtin.unarchive:
+      src: "{{ rosa_terraform_url }}"
+      remote_src: true
+      dest: /tmp
+      mode: u=rwx,go=rx
+
+  - name: Restore terraform-vpc directory from output dir
+    ansible.builtin.unarchive:
+      src: "{{ output_dir }}/terraform-vpc.tar.gz"
+      dest: /tmp/
+      extra_opts:
+      - --no-same-owner
+
+  - name: Run Terraform destroy
+    ansible.builtin.command:
+      cmd: >-
+        /tmp/terraform destroy
+        -var region={{ aws_region }}
+        -var cluster_name={{ rosa_cluster_name }}
+        -auto-approve
+      chdir: /tmp/terraform-vpc/
+    ignore_errors: true
+    register: r_terraform_destroy
+
+  - name: Print Terraform destroy output
+    ansible.builtin.debug:
+      var: r_terraform_destroy
+
+- name: Skip Terraform destroy (no archive found)
+  when: not r_terraform_archive.stat.exists
+  ansible.builtin.debug:
+    msg: "No terraform-vpc.tar.gz found in output_dir, skipping Terraform destroy"
@@ -0,0 +1,21 @@
+---
+- name: Login to ROSA
+  ansible.builtin.command: >-
+    {{ rosa_binary_path }}/rosa login --token {{ rosa_token }}
+
+- name: Get list of ROSA clusters
+  ansible.builtin.command: >-
+    {{ rosa_binary_path }}/rosa list clusters --output json
+  register: r_rosa_list
+  changed_when: false
+
+- name: Print number of clusters to destroy
+  ansible.builtin.debug:
+    msg: "Found {{ r_rosa_list.stdout | from_json | length }} cluster(s) to destroy"
+
+- name: Destroy each ROSA cluster
+  ansible.builtin.include_tasks: destroy_cluster.yml
+  loop: "{{ r_rosa_list.stdout | from_json }}"
+
+- name: Destroy Terraform VPC resources
+  ansible.builtin.include_tasks: destroy_terraform.yml