--- # Create necessary federation pieces # You will need to address the certificates yourself. Right now we are trying # to figure out how to deal with SNI using FreeIPA. So instead we're using a # service account in IPA instead using a password. This isn't ideal and we're # looking into finding a way to address this in an easier manner. # /etc/rabbitmq/pubsub_federation.pem # /etc/rabbitmq/pubsub_federation.key # This public user can write UUID objects and read anything else - name: Create a public access user run_once: true delegate_to: "{{ rabbitmq_cluster_list[0] }}" community.rabbitmq.rabbitmq_user: user: rockypubsub permissions: - vhost: public_pubsub configure_priv: "^(\\w{8}(-\\w{4}){3}-\\w{12})$" write_priv: "^(\\w{8}(-\\w{4}){3}-\\w{12})$" read_priv: ".*" state: present tags: - rabbitmq_cluster - name: Create a federation user run_once: true delegate_to: "{{ rabbitmq_cluster_list[0] }}" community.rabbitmq.rabbitmq_user: user: pubsub_federation permissions: - vhost: pubsub configure_priv: "^federation.*" write_priv: "^federation.*" read_priv: ".*" state: present tags: - rabbitmq_cluster - name: Configure Federation Upstream from pubsub to public run_once: true delegate_to: "{{ rabbitmq_cluster_list[0] }}" community.rabbitmq.rabbitmq_parameter: component: "federation-upstream" name: "pubsub-to-public_pubsub" value: '{"uri": "amqps://pubsub_federation:{{ pubsub_federation_pass }}@{{ rabbitmq_cluster_list[0] }}/%2Fpubsub", "ack-mode": "on-confirm"}' state: present vhost: public_pubsub when: - rabbitmq_enable_public - pubsub_federation_pass is defined - name: Configure a policy to federate the topic exchange to public run_once: true delegate_to: "{{ rabbitmq_cluster_list[0] }}" community.rabbitmq.rabbitmq_policy: apply_to: exchanges name: pubsub-to-public_pubsub state: present pattern: "^(amq|zmq)\\.topic$" tags: federation-upstream: "pubsub-to-public_pubsub" vhost: public_pubsub when: - rabbitmq_enable_public - pubsub_federation_pass is defined