Refactor Exoscale install instructions to work with Exoscale IAM v3

Note that as of writing, the latest `exo` CLI (v1.71.0) doesn't yet
support IAM v3, so we need to fall back to the generated OpenAPI client
(`exo x`) to interact with IAM v3.

docs/modules/ROOT/pages/how-tos/exoscale/install.adoc

@@ -33,9 +33,8 @@ include::partial$install/prerequisites.adoc[]
 * `md5sum`
 * `virt-edit`
 * `cpio`
-//* Clone of the https://github.com/appuio/terraform-openshift4-exoscale[terraform-openshift4-exoscale] repository
-* `exo` >= v1.48.0 https://community.exoscale.com/documentation/tools/exoscale-command-line-interface[Exoscale CLI]
-* An unrestricted Exoscale https://community.exoscale.com/documentation/iam/quick-start/#api-keys[API key]
+* `exo` >= v1.71.0 https://community.exoscale.com/documentation/tools/exoscale-command-line-interface[Exoscale CLI]
+* An Exoscale https://community.exoscale.com/documentation/iam/quick-start/#api-keys[API key] with full permissions
 * https://community.exoscale.com/documentation/dns/quick-start/#subscribing-to-the-service[DNS subscription] activated in the Exoscale organisation
 
 [WARNING]
@@ -56,14 +55,63 @@ include::partial$install/vshn-input.adoc[]
 [#_create_iam_keys]
 === Create restricted Exoscale IAM keys for the LBs and object storage
 
+[NOTE]
+====
+If creating the API key fails, please retry the commands starting from `exoscale_s3_credentials`.
+It may take a second or two for the newly created role to be available to reference for an API key.
+====
+
 . Create restricted API key for Exoscale object storage
 +
 [source,bash]
 ----
-exoscale_s3_credentials=$(exo iam access-key create "${CLUSTER_ID}_object_storage" \
-  --tag sos -O json)
-export EXOSCALE_S3_ACCESSKEY=$(echo "${exoscale_s3_credentials}" | jq -r '.api_key')
-export EXOSCALE_S3_SECRETKEY=$(echo "${exoscale_s3_credentials}" | jq -r '.api_secret')
+# Create SOS IAM role, if it doesn't exist yet in the organization
+sos_iam_role_id=$(exo x list-iam-roles  | jq -r '."iam-roles"[] | select(.name=="sos-full-access") | .id')
+if [ -z "${sos_iam_role_id}" ]; then
+sos_iam_role_id=$(echo '{"name": "sos-full-access", "policy": {"default-service-strategy": "deny", "services": {"sos": {"type": "allow"}}}}' | \
+  exo x  create-iam-role | jq -r '.reference.id')
+fi
+# Create access key
+exoscale_s3_credentials=$(echo '{"name": "'"${CLUSTER_ID}"'_object_storage", "role-id": "'"${sos_iam_role_id}"'"}' | \
+  exo x create-api-key)
+export EXOSCALE_S3_ACCESSKEY=$(echo "${exoscale_s3_credentials}" | jq -r '.key')
+export EXOSCALE_S3_SECRETKEY=$(echo "${exoscale_s3_credentials}" | jq -r '.secret')
+----
+
+. Create restricted API key for Floaty
++
+[source,bash]
+----
+# Create SOS IAM role if it doesn't exist yet in the organization
+floaty_iam_role_id=$(exo x list-iam-roles  | jq -r '."iam-roles"[] | select(.name=="floaty") | .id')
+if [ -z "${floaty_iam_role_id}" ]; then
+cat >floaty-role.json <<EOF
+{
+  "name": "floaty",
+  "policy": {
+    "default-service-strategy": "deny",
+    "services": {
+      "compute-legacy": {
+        "type": "rules",
+        "rules": [
+          {
+            "action": "allow",
+            "expression": "operation in ['compute-add-ip-to-nic', 'compute-list-nics', 'compute-list-resource-details', 'compute-list-virtual-machines', 'compute-query-async-job-result', 'compute-remove-ip-from-nic']"
+          }
+        ]
+      }
+    }
+  }
+}
+EOF
+floaty_iam_role_id=$(cat floaty-role.json | exo x  create-iam-role | jq -r '.reference.id')
+rm floaty-role.json
+fi
+# Create access key
+exoscale_floaty_credentials=$(echo '{"name": "'"${CLUSTER_ID}"'_floaty", "role-id": "'"${floaty_iam_role_id}"'"}' | \
+  exo x create-api-key)
+export TF_VAR_lb_exoscale_api_key=$(echo "${exoscale_floaty_credentials}" | jq -r '.key')
+export TF_VAR_lb_exoscale_api_secret=$(echo "${exoscale_floaty_credentials}" | jq -r '.secret')
 ----
 
 [#_bootstrap_bucket]

docs/modules/ROOT/partials/exoscale/configure-terraform-secrets.adoc

@@ -5,6 +5,8 @@
 cat <<EOF > ./terraform.env
 EXOSCALE_API_KEY
 EXOSCALE_API_SECRET
+TF_VAR_lb_exoscale_api_key
+TF_VAR_lb_exoscale_api_secret
 TF_VAR_control_vshn_net_token
 GIT_AUTHOR_NAME
 GIT_AUTHOR_EMAIL