Merge branch 'main' into feature/update-216

Author: widhalmt

.github/workflows/test_elasticsearch_modules.yml

@@ -0,0 +1,63 @@
+---
+name: Test Elasticsearch modules
+on:
+  workflow_dispatch:
+    inputs:
+      logLevel:
+        description: 'Log level'
+        required: true
+        default: 'warning'
+        type: choice
+        options:
+          - info
+          - warning
+          - debug
+  pull_request:
+    paths:
+      - '.github/workflows/test_elasticsearch_modules.yml'
+      - 'molecule/elasticsearch_test_modules/*'
+
+jobs:
+  molecule_elasticsearch_modules:
+    runs-on: ubuntu-latest
+
+    env:
+      COLLECTION_NAMESPACE: netways
+      COLLECTION_NAME: elasticstack
+
+    strategy:
+      fail-fast: false
+      matrix:
+        distro: [ubuntu2204]
+        scenario:
+          - elasticsearch_test_modules
+        release:
+          - 8
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Set up Python 3.8
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.8
+
+      - name: Install dependencies
+        run: |
+          python3 -m pip install --upgrade pip
+          python3 -m pip install -r requirements-test.txt
+
+      - name: Install collection
+        run: |
+          mkdir -p ~/.ansible/collections/ansible_collections/$COLLECTION_NAMESPACE
+          cp -a ../ansible-collection-$COLLECTION_NAME ~/.ansible/collections/ansible_collections/$COLLECTION_NAMESPACE/$COLLECTION_NAME
+
+      - name: Test with molecule
+        run: |
+          molecule test -s ${{ matrix.scenario }}
+        env:
+          MOLECULE_DISTRO: ${{ matrix.distro }}
+          PY_COLORS: '1'
+          ANSIBLE_FORCE_COLOR: '1'
+          ELASTIC_RELEASE: ${{ matrix.release }}

.gitignore

@@ -1,3 +1,4 @@
 .cache
 *.swp
-__pycache__*
+__pycache__*
+.vscode

README.md

@@ -8,14 +8,19 @@ Every role is documented with all variables, please refer to the documentation f
 
 **Please note**: If you are already using this collection before version `1.0.0`, please note that we had to rename a significant amount of variables due to naming schema changes made by Ansible. Please review the variables you have set in your playbooks and variable files.
 
-## Roles Documentation
+## Roles documentation
 
 * [Beats](docs/role-beats.md)
 * [Elasticsearch](docs/role-elasticsearch.md)
 * [Kibana](docs/role-kibana.md)
 * [Logstash](docs/role-logstash.md)
 * [Repos](docs/role-repos.md)
 
+## Modules documentation
+
+* [elasticsearch_role](docs/module-elasticsearch_role.md)
+* [elasticsearch_user](docs/module-elasticsearch_user.md)
+
 ## Installation
 
 You can easily install the collection with the `ansible-galaxy` command.

docs/module-elasticsearch_role.md

@@ -0,0 +1,68 @@
+Ansible module: elasticsearch_role
+===
+
+This module creates, updates and deletes roles from your Elasticsearch.
+
+Requirements
+---
+
+As this module uses the Elasticsearch API you will need to install the `elasticsearch` Python3 library.
+```
+pip3 install elasticsearch
+```
+
+Module arguments
+---
+
+* *name*: Name of your role (**Required**)
+* *cluster*: List of clusters
+* *indicies*: List of indicies
+  * *names*: List of names (**Required**)
+  * *privileges*: List of privileges (**Required**)
+* *state*: State of the role (Default: `present`)
+* *host*: API endpoint (**Required**)
+* *auth_user*: User to authenticate on the Elasticsearch API (**Required**)
+* *auth_pass*: Password for the given user (**Required**)
+* *verify_certs*: Verify certificates (Default: `true`)
+* *ca_certs*: Verify HTTPS connection by using ca certificate. Path to ca needs to be given
+
+Example usage
+---
+```
+    - name: Create elasticsearch role 'new-role1'
+      netways.elasticstack.elasticsearch_role:
+        name: new-role1
+        cluster:
+          - manage_own_api_key
+          - delegate_pki
+        indicies:
+          - names:
+              - default01
+            privileges:
+              - read
+              - write
+        state: present
+        host: https://localhost:9200
+        auth_user: elastic
+        auth_pass: changeMe123!
+        verify_certs: true
+        ca_certs: /etc/elasticsearch/certs/http_ca.crt
+
+    - name: Create elasticsearch role 'new-role2'
+      netways.elasticstack.elasticsearch_role:
+        name: new-role2
+        cluster:
+          - manage_own_api_key
+          - delegate_pki
+        indicies:
+          - names:
+              - default01
+            privileges:
+              - read
+              - write
+        state: present
+        host: https://localhost:9200
+        auth_user: elastic
+        auth_pass: changeMe123!
+        verify_certs: false
+```

docs/module-elasticsearch_user.md

@@ -0,0 +1,65 @@
+Ansible module: elasticsearch_user
+===
+
+This module creates, updates and deletes users from your Elasticsearch.
+
+Requirements
+---
+
+As this module uses the Elasticsearch API you will need to install the `elasticsearch` Python3 library.
+```
+pip3 install elasticsearch
+```
+
+Module arguments
+---
+
+* *name*: Name of your user (**Required**)
+* *fullname*: Fullname of your user
+* *password*: Password for your user (**Required**)
+* *email*: Email for your user
+* *roles*: List of roles (**Required**)
+* *enabled*: Define wheter this user should be enabled (Default: `true`)
+* *state*: State of the role. `absent` to delete the user (Default: `present`)
+* *host*: API endpoint (**Required**)
+* *auth_user*: User to authenticate on the Elasticsearch API (**Required**)
+* *auth_pass*: Password for the given user (**Required**)
+* *verify_certs*: Verify certificates (Default: `true`)
+* *ca_certs*: Verify HTTPS connection by using ca certificate. Path to ca needs to be given
+
+Example usage
+---
+```
+    - name: Create elasticsearch user 'new-user1'
+      netways.elasticstack.elasticsearch_user:
+        name: new-user1
+        fullname: New User 1
+        password: changeMe321!
+        email: [email protected]
+        roles:
+          - new-role
+          - logstash-writer
+        enabled: true
+        state: present
+        host: https://localhost:9200
+        auth_user: elastic
+        auth_pass: changeMe123!
+        verify_certs: true
+        ca_certs: /etc/elasticsearch/certs/http_ca.crt
+
+    - name: Create elasticsearch user 'new-user2'
+      netways.elasticstack.elasticsearch_user:
+        name: new-user2
+        fullname: New User 2
+        password: changeMe321!
+        email: [email protected]
+        roles:
+          - new-role
+          - logstash-writer
+        enabled: true
+        state: present
+        host: https://localhost:9200
+        auth_user: elastic
+        auth_pass: changeMe123!
+        verify_certs: false
+```

docs/role-elasticsearch.md

@@ -32,7 +32,7 @@ Role Variables
 * *elasticsearch_pamlimits*: Set pam_limits neccessary for Elasticsearch. (Default: `true`)
 * *elasticsearch_check_calculation*: End play in checks (Default: `false`)
 * *elasticsearch_network_host*: You can configure multipe network addresses where the networking is bind to. You can assign IP addresses or interfaces by their names. You can also use elasticsearch internal variabels as it set as default. Example: `"_ens190_,_local_"` (Default: `"_local_,"_site_"`) (Optional; if not defined `default` is used)
-
+* *elasticsearch_api_host*: Hostname or IP elasticsearch is listening on. Only used for connection checks by ansible role. (Default: `localhost`)
 * *elasticsearch_extra_config*: You can set additional configuration in YAML-notation as you would write in the `elasaticsearch.yml`. Example:
 
 ```YAML
@@ -49,6 +49,10 @@ elasticsearch_extra_config:
 This variable activates a workaround to start on systems that have certain hardening measures active. See [Stackoverflow](https://stackoverflow.com/questions/47824643/unable-to-load-jna-native-support-library-elasticsearch-6-x/50371992#50371992) for details and logmessages to look for. **WARNING**: This will change your `/etc/sysconfig/elasticseach`or `/etc/default/elasticsearch` file and overwrite `ES_JAVA_OPTS`. See this [issue](https://github.com/netways/ansible-role-elasticsearch/issues/79) for details.
 
 * *elasticsearch_jna_workaround*: Activate JNA workaround. (default: `false`)
+* *elasticsearch_ssl_verification_mode*: Defines how to verify the certificates presented by another party in the TLS connection
+* *elasticsearch_transport_port*: The port to bind for communication between nodes
+* *elasticsearch_seed_hosts*: Set elasticsearch seed hosts
+* *elasticsearch_security_enrollment*: Controls enrollment (of nodes and Kibana) to a local node that’s been autoconfigured for security.
 
 These variables are identical over all our elastic related roles, hence the different naming schemes.
 

molecule/elasticsearch_test_modules/converge.yml

@@ -0,0 +1,65 @@
+---
+# The workaround for arbitrarily named role directory is important because the git repo has one name and the role within it another
+# Found at: https://github.com/ansible-community/molecule/issues/1567#issuecomment-436876722
+- name: Converge
+  collections:
+    - netways.elasticstack
+  hosts: all
+  vars:
+    elasticstack_full_stack: false
+    elasticsearch_jna_workaround: true
+    elasticsearch_disable_systemcallfilterchecks: true
+    #elasticstack_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}"
+    elasticstack_release: 8
+    elasticsearch_heap: "1"
+    elasticstack_no_log: false
+  tasks:
+    - name: Include Elastics repos role
+      ansible.builtin.include_role:
+        name: repos
+    - name: Include Elasticsearch
+      ansible.builtin.include_role:
+        name: elasticsearch
+
+    - name: Fetch Elastic password # noqa: risky-shell-pipe
+      ansible.builtin.shell: >
+        if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
+        grep "PASSWORD elastic" /usr/share/elasticsearch/initial_passwords |
+        awk {' print $4 '}
+      register: elasticstack_password
+      changed_when: false
+
+    - name: Create elasticsearch role 'new-role'
+      netways.elasticstack.elasticsearch_role:
+        name: new-role1
+        cluster:
+          - manage_own_api_key
+          - delegate_pki
+        indicies:
+          - names:
+              - foobar321
+            privileges:
+              - read
+              - write
+        state: present
+        host: https://localhost:9200
+        auth_user: elastic
+        auth_pass: "{{ elasticstack_password.stdout }}"
+        verify_certs: false
+
+    - name: Create elasticsearch user 'new-user'
+      netways.elasticstack.elasticsearch_user:
+        name: new-user1
+        fullname: New User
+        password: changeMe123!
+        email: [email protected]
+        roles:
+          - new-role1
+          - logstash-writer
+        enabled: true
+        state: present
+        host: https://localhost:9200
+        auth_user: elastic
+        auth_pass: "{{ elasticstack_password.stdout }}"
+        verify_certs: false
+        ca_certs: /etc/elasticsearch/certs/http_ca.crt

molecule/elasticsearch_test_modules/molecule.yml

@@ -0,0 +1,24 @@
+---
+dependency:
+  name: galaxy
+  options:
+    requirements-file: requirements.yml
+driver:
+  name: docker
+platforms:
+  - name: elasticsearch_default
+    groups:
+      - elasticsearch
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian11}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    cgroupns_mode: host
+    privileged: true
+    pre_build_image: true
+provisioner:
+  name: ansible
+  env:
+    ANSIBLE_VERBOSITY: 3
+verifier:
+  name: ansible

molecule/elasticsearch_test_modules/prepare.yml

@@ -0,0 +1,22 @@
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: Install packages for Debian
+      ansible.builtin.apt:
+        name:
+          - gpg
+          - gpg-agent
+          - procps
+          - curl
+          - iproute2
+          - git
+          - openssl
+          - python3
+        update_cache: yes
+
+    - name: Install python module dependencies
+      ansible.builtin.pip:
+        name: "{{ item }}"
+      loop:
+        - elasticsearch

molecule/elasticsearch_test_modules/requirements.yml

@@ -0,0 +1,3 @@
+---
+collections:
+  - community.general

plugins/module_utils/api.py

@@ -0,0 +1,15 @@
+# !/usr/bin/python3
+
+# Copyright (c) 2024, Tobias Bauriedel <[email protected]>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or
+# https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from elasticsearch import Elasticsearch
+import ssl
+
+class Api():
+    def new_client_basic_auth(host, auth_user, auth_pass, ca_certs, verify_certs) -> Elasticsearch:
+        ctx = ssl.create_default_context(cafile=ca_certs)
+        ctx.check_hostname = False
+        ctx.verify_mode = False
+        return Elasticsearch(hosts=[host], basic_auth=(auth_user, auth_pass), ssl_context=ctx, verify_certs=verify_certs)