From e9ec19188640bfbf301928913025251dcd2051db Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Wed, 8 Mar 2023 16:43:20 +0100 Subject: [PATCH 1/7] Add badge to Readme fixes #93 --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index d26dedca..61b044e3 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,7 @@ # Ansible Collection - netways.elasticstack +[![Test ElasticStack](https://github.com/NETWAYS/ansible-collection-elasticstack/actions/workflows/test_full_stack.yml/badge.svg)](https://github.com/NETWAYS/ansible-collection-elasticstack/actions/workflows/test_full_stack.yml) + This collection installs and manages the Elastic Stack. It provides roles every component which is part of the Stack. Furthermore it is possible to differentiate between Enterprise or OSS releases. Every role is documented with all variables, please refer to the documentation found in **[Getting-Started](./docs/getting-started.md)** From 06ffffd951017face18e0ccc62b20bc6690056b3 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Wed, 8 Mar 2023 16:54:44 +0100 Subject: [PATCH 2/7] Add contributing section to README fixes #91 --- README.md | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 61b044e3..de78ac17 100644 --- a/README.md +++ b/README.md @@ -4,8 +4,6 @@ This collection installs and manages the Elastic Stack. It provides roles every component which is part of the Stack. Furthermore it is possible to differentiate between Enterprise or OSS releases. Every role is documented with all variables, please refer to the documentation found in **[Getting-Started](./docs/getting-started.md)** - - ## Roles Documentation * [Beats](docs/role-beats.md) 
@@ -117,3 +115,15 @@ The execution order of the roles is important! (see below) - kibana - beats ``` + +## Contributing + +Every kind of contribution is very welcome. Open [issues](https://github.com/NETWAYS/ansible-collection-elasticstack/issues) or provide [pull requests](https://github.com/NETWAYS/ansible-collection-elasticstack/pulls). + +Please note that we have some actions bound to specific names of branches. So please stick to the following naming scheme: + +* `fix/` as a prefix for every branch that fixes a problem +* `feature/` for every branch that enhances the code with new features +* `doc/` as a prefix for every branch that only changes documentation + +For now we open pull requests against `main`. We are planning to introduce dedicated branches to support older versions without breaking changes. Since we don't need them for now, please check back with this section because when we decided on how to proceed, you will find the information here. For now `main` always has the newest changes and if you want a stable version, please use the newest release. From 368c2ab245633abf39312c51c1734de0e1cf0fbb Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Thu, 9 Mar 2023 12:30:23 +0100 Subject: [PATCH 3/7] Fix some lint --- roles/logstash/tasks/logstash-security.yml | 35 ++++++++++++---------- 1 file changed, 19 insertions(+), 16 deletions(-) diff --git a/roles/logstash/tasks/logstash-security.yml b/roles/logstash/tasks/logstash-security.yml index b463d882..1c9aec8a 100644 --- a/roles/logstash/tasks/logstash-security.yml +++ b/roles/logstash/tasks/logstash-security.yml @@ -26,7 +26,7 @@ path: "{{ logstash_certs_dir }}/{{ ansible_hostname }}-ls.p12" register: logstash_cert_exists -- name: Get the logstash certificate expiration date +- name: Get the logstash certificate expiration date # noqa: risky-shell-pipe shell: >- if test -v BASH; then set -o pipefail; fi; openssl pkcs12 
@@ -46,7 +46,7 @@ - name: Set the logstash certificate expiration date in days set_fact: - logstash_cert_expiration_days: "{{ ((logstash_cert_expiration_date.stdout | to_datetime('%b %d %H:%M:%S %Y %Z')) - ( ansible_date_time.date | to_datetime('%Y-%m-%d'))).days }}" + logstash_cert_expiration_days: "{{ ((logstash_cert_expiration_date.stdout | to_datetime('%b %d %H:%M:%S %Y %Z')) - (ansible_date_time.date | to_datetime('%Y-%m-%d'))).days }}" when: logstash_cert_expiration_date.skipped is not defined - name: Set logstash certificate will expire soon to true @@ -62,6 +62,11 @@ when: logstash_cert_expiration_days is defined and logstash_cert_expiration_days | int <= logstash_expiration_buffer | int - name: Backup logstash certs then remove + when: "'renew_logstash_cert' in ansible_run_tags or 'renew_ca' in ansible_run_tags" + tags: + - renew_ca + - renew_logstash_cert + - never block: - name: Check if cert directory exists on logstash stat: @@ -82,13 +87,14 @@ path: "{{ logstash_certs_dir }}" state: absent when: logstash_move_cert_directory.changed + +- name: Backup logstash certs on elasticsearch_ca host then remove when: "'renew_logstash_cert' in ansible_run_tags or 'renew_ca' in ansible_run_tags" + delegate_to: "{{ elasticsearch_ca }}" tags: - renew_ca - renew_logstash_cert - never - -- name: Backup logstash certs on elasticsearch_ca host then remove block: - name: Check if cert file exists on elasticsearch_ca host stat: @@ -129,14 +135,14 @@ path: "{{ elastic_ca_dir }}/{{ ansible_hostname }}-ls.zip" state: absent when: logstash_move_cert_zip_file_ca_host.changed + +- name: Backup logstash cert on Ansible controler then remove when: "'renew_logstash_cert' in ansible_run_tags or 'renew_ca' in ansible_run_tags" - delegate_to: "{{ elasticsearch_ca }}" + delegate_to: localhost tags: - renew_ca - renew_logstash_cert - never - -- name: Backup logstash cert on Ansible controler then remove block: - name: Check the existance of cert on Ansible controler stat: 
@@ -175,12 +181,6 @@ path: /tmp/{{ ansible_hostname }}-ls.zip state: absent when: logstash_move_cert_zip_ansible_controler.changed - delegate_to: localhost - when: "'renew_logstash_cert' in ansible_run_tags or 'renew_ca' in ansible_run_tags" - tags: - - renew_ca - - renew_logstash_cert - - never - name: Create individual certificates for Logstash command: > @@ -383,8 +383,9 @@ delegate_to: "{{ elasticsearch_ca }}" run_once: true -- name: Fetch Elastic password +- name: Fetch Elastic password # noqa: risky-shell-pipe shell: > + if test -v BASH; then set -o pipefail; fi; grep "PASSWORD elastic" {{ elastic_initial_passwords }} | awk {' print $4 '} register: elastic_password_logstash @@ -395,8 +396,9 @@ - configuration - logstash_configuration -- name: Check for logstash_writer role +- name: Check for logstash_writer role # noqa: risky-shell-pipe shell: > + if test -v BASH; then set -o pipefail; fi; curl --cacert {{ elastic_ca_dir }}/ca.crt -u elastic:{{ elastic_password_logstash.stdout }} https://{{ elasticsearch_ca }}:9200/_security/role/logstash_writer @@ -440,8 +442,9 @@ - logstash_writer_role_present.rc > 0 or logstash_reset_writer_role | bool - elastic_release | int > 7 -- name: Check for logstash_writer user +- name: Check for logstash_writer user # noqa: risky-shell-pipe shell: > + if test -v BASH; then set -o pipefail; fi; curl --cacert {{ elastic_ca_dir }}/ca.crt -u elastic:{{ elastic_password_logstash.stdout }} https://{{ elasticsearch_ca }}:9200/_security/user/{{ logstash_user }} From 30df38e4480a9da719d841f775f872b2b1931506 Mon Sep 17 00:00:00 2001 
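Review bot: The new `if test -v BASH; then set -o pipefail; fi;` prefix in the `Fetch Elastic password`, `Check for logstash_writer role` and `Check for logstash_writer user` hunks only takes effect when the remote shell is bash; where `test` does not know `-v` (dash, for example) the guard fails quietly, the pipeline keeps reporting only the last command's status, and the added `# noqa: risky-shell-pipe` then hides exactly that from ansible-lint. Pinning the interpreter on these tasks, `args:` / `executable: /bin/bash`, would make the check unconditional. Note also that with pipefail active, `grep "PASSWORD elastic" … | awk …` now fails the task when the password line is absent instead of registering an empty `stdout`, presumably intended but worth a comment or `failed_when`. The same prefix is added to `Fetch Beats password` in beats-security.yml and to the keystore tasks in elasticsearch-security.yml. Separately, `elastic_password_logstash.stdout` is interpolated into the `curl -u` argument of both check tasks, so the task result carries the password unless those tasks set `no_log: true` outside the hunk; confirm.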
From: Thomas Widhalm Date: Thu, 9 Mar 2023 15:18:31 +0100 Subject: [PATCH 4/7] Fix a huge load of lint Don't be intimidated by the mass of changes. It's mostly indentation and Jinja spacing --- .github/workflows/test_role_beats.yml | 6 +- .github/workflows/test_role_elasticsearch.yml | 6 +- .github/workflows/test_role_kibana.yml | 6 +- molecule/elasticsearch_cluster/verify.yml | 82 ++++++++-------- molecule/elasticsearch_no-security/verify.yml | 52 +++++----- molecule/kibana_full_stack/verify.yml | 95 ++++++++++--------- .../logstash_specific_version/converge.yml | 28 +++--- molecule/repos_default/prepare.yml | 6 +- molecule/repos_oss/prepare.yml | 6 +- roles/beats/handlers/main.yml | 4 +- roles/beats/meta/main.yml | 20 ++-- roles/beats/tasks/beats-security.yml | 27 +++--- roles/elasticsearch/meta/main.yml | 59 ++---------- .../tasks/elasticsearch-security.yml | 92 ++++++++++-------- roles/kibana/meta/main.yml | 20 ++-- roles/kibana/tasks/kibana-security.yml | 45 +++++---- roles/logstash/meta/main.yml | 20 ++-- roles/logstash/tasks/manage_pipeline.yml | 3 +- roles/repos/meta/main.yml | 20 ++-- 19 files changed, 292 insertions(+), 305 deletions(-) diff --git a/.github/workflows/test_role_beats.yml b/.github/workflows/test_role_beats.yml index fe1ee346..85e599bf 100644 --- a/.github/workflows/test_role_beats.yml +++ b/.github/workflows/test_role_beats.yml @@ -9,9 +9,9 @@ on: default: 'warning' type: choice options: - - info - - warning - - debug + - info + - warning + - debug push: branches: - 'feature/**' diff --git a/.github/workflows/test_role_elasticsearch.yml b/.github/workflows/test_role_elasticsearch.yml index 5cf8e302..f7b4ba5d 100644 --- a/.github/workflows/test_role_elasticsearch.yml +++ b/.github/workflows/test_role_elasticsearch.yml @@ -9,9 +9,9 @@ on: default: 'warning' type: choice options: - - info - - warning - - debug + - info + - warning + - debug push: branches: - 'feature/**' 
diff --git a/.github/workflows/test_role_kibana.yml b/.github/workflows/test_role_kibana.yml index b58ad870..401a71a6 100644 --- a/.github/workflows/test_role_kibana.yml +++ b/.github/workflows/test_role_kibana.yml @@ -9,9 +9,9 @@ on: default: 'warning' type: choice options: - - info - - warning - - debug + - info + - warning + - debug push: branches: - 'feature/**' diff --git a/molecule/elasticsearch_cluster/verify.yml b/molecule/elasticsearch_cluster/verify.yml index dc89792a..0d1f8263 100644 --- a/molecule/elasticsearch_cluster/verify.yml +++ b/molecule/elasticsearch_cluster/verify.yml 
@@ -8,48 +8,48 @@ elastic_elasticsearch_http_port: 9200 tasks: - - name: Set elasticsearch_ca variable if not already done by user - set_fact: - elasticsearch_ca: "{{ groups['elasticsearch'][0] }}" - when: elasticsearch_ca is undefined + - name: Set elasticsearch_ca variable if not already done by user + set_fact: + elasticsearch_ca: "{{ groups['elasticsearch'][0] }}" + when: elasticsearch_ca is undefined - - name: Fetch Elastic password - shell: grep "PASSWORD elastic" {{ elastic_initial_passwords }} | awk {' print $4 '} - register: elastic_password - changed_when: false - delegate_to: "{{ elasticsearch_ca }}" + - name: Fetch Elastic password + shell: grep "PASSWORD elastic" {{ elastic_initial_passwords }} | awk {' print $4 '} + register: elastic_password + changed_when: false + delegate_to: "{{ elasticsearch_ca }}" - - name: Health check - uri: - url: https://localhost:{{ elastic_elasticsearch_http_port }}/_cluster/health - method: GET - force_basic_auth: yes - user: elastic - password: "{{ elastic_password.stdout }}" - return_content: yes - status_code: 200 - validate_certs: false - register: result - until: result.json.status == "green" - retries: 6 - delay: 10 + - name: Health check + uri: + url: https://localhost:{{ elastic_elasticsearch_http_port }}/_cluster/health + method: GET + force_basic_auth: yes + user: elastic + password: "{{ elastic_password.stdout }}" + return_content: yes + status_code: 200 + validate_certs: false + register: result + until: result.json.status == "green" + retries: 6 + delay: 10 - - name: Node check - uri: - url: https://localhost:{{ elastic_elasticsearch_http_port }}/_cat/nodes - method: GET - force_basic_auth: yes - user: elastic - password: "{{ elastic_password.stdout }}" - return_content: yes - status_code: 200 - validate_certs: false - register: nodes + - name: Node check + uri: + url: https://localhost:{{ elastic_elasticsearch_http_port }}/_cat/nodes + method: GET + force_basic_auth: yes + user: elastic + password: "{{ 
elastic_password.stdout }}" + return_content: yes + status_code: 200 + validate_certs: false + register: nodes - - name: Check if all Nodes see each other - ansible.builtin.assert: - that: - - "'{{ item }}' in nodes.content" - fail_msg: "'{{ item }}' was not found in nodes.content" - success_msg: "'{{ item }}' was found in nodes.content" - with_inventory_hostnames: all + - name: Check if all Nodes see each other + ansible.builtin.assert: + that: + - "'{{ item }}' in nodes.content" + fail_msg: "'{{ item }}' was not found in nodes.content" + success_msg: "'{{ item }}' was found in nodes.content" + with_inventory_hostnames: all diff --git a/molecule/elasticsearch_no-security/verify.yml b/molecule/elasticsearch_no-security/verify.yml index 7b216863..cf10833b 100644 --- a/molecule/elasticsearch_no-security/verify.yml +++ b/molecule/elasticsearch_no-security/verify.yml 
@@ -6,31 +6,31 @@ tasks: # Remember, this is the no-security scenario. So no https - - name: Health check - uri: - url: http://localhost:{{ elastic_elasticsearch_http_port }}/_cluster/health - method: GET - return_content: yes - status_code: 200 - validate_certs: false - register: result - until: result.json.status == "green" - retries: 6 - delay: 10 + - name: Health check + uri: + url: http://localhost:{{ elastic_elasticsearch_http_port }}/_cluster/health + method: GET + return_content: yes + status_code: 200 + validate_certs: false + register: result + until: result.json.status == "green" + retries: 6 + delay: 10 - - name: Node check - uri: - url: http://localhost:{{ elastic_elasticsearch_http_port }}/_cat/nodes - method: GET - return_content: yes - status_code: 200 - validate_certs: false - register: nodes + - name: Node check + uri: + url: http://localhost:{{ elastic_elasticsearch_http_port }}/_cat/nodes + method: GET + return_content: yes + status_code: 200 + validate_certs: false + register: nodes - - name: Check if all Nodes see each other - ansible.builtin.assert: - that: - - "'{{ item }}' in nodes.content" - fail_msg: "'{{ item }}' was not found in nodes.content" - success_msg: "'{{ item }}' was found in nodes.content" - with_inventory_hostnames: all + - name: Check if all Nodes see each other + ansible.builtin.assert: + that: + - "'{{ item }}' in nodes.content" + fail_msg: "'{{ item }}' was not found in nodes.content" + success_msg: "'{{ item }}' was found in nodes.content" + with_inventory_hostnames: all diff --git a/molecule/kibana_full_stack/verify.yml b/molecule/kibana_full_stack/verify.yml index 7e4aa632..4e0f6d5e 100644 --- a/molecule/kibana_full_stack/verify.yml +++ b/molecule/kibana_full_stack/verify.yml 
@@ -8,50 +8,51 @@ tasks: - - name: Give some time for all services to connect - wait_for: - timeout: 120 - - - name: Kibana checks - when: "'kibana' in group_names" - block: - - - name: fetch kibana.yml - command: cat /etc/kibana/kibana.yml - register: kibanayml - - - name: Show kibana.yml - debug: - var: kibanayml.stdout_lines - - - name: Check for Kibana port - wait_for: - port: 5601 - timeout: 120 - - - name: fetch Elastic password - shell: grep "PASSWORD elastic " /usr/share/elasticsearch/initial_passwords | awk {' print $4 '} - register: elastic_password - changed_when: false - delegate_to: "{{ groups['elasticsearch'][0] }}" - - - name: Connect to Elasticsearch - command: "curl -s --cacert /etc/kibana/certs/ca.crt -u elastic:{{ elastic_password.stdout }} https://{{ groups['elasticsearch'][0] }}:{{ elastic_elasticsearch_http_port }}/_cat/indices" - - - name: Connect to Kibana - command: "curl -s -u elastic:{{ elastic_password.stdout }} http://{{ ansible_hostname }}:5601/api/status" - register: curl_out - failed_when: - - "'green' not in curl_out.stdout" - - "'Elasticsearch is available' not in curl_out.stdout" - - # The following might be nicer but doesn't work - #- name: Connect to Kibana - # uri: - # url: http://ansible-role-kibana_full_stack:5601/api/status - # user: elastic - # password: "{{ elastic_password.stdout }}" - # return_content: yes - # register: kibana_status - # #failed_when: "'"title": "Green"' not in kibana_status.content" - # failed_when: "'Green' not in kibana_status.content" + - name: Give some time for all services to connect + wait_for: + timeout: 120 + + - name: Kibana checks + when: "'kibana' in group_names" + block: + + - name: fetch kibana.yml + command: cat /etc/kibana/kibana.yml + register: kibanayml + + - name: Show kibana.yml + debug: + var: kibanayml.stdout_lines + + - name: Check for Kibana port + wait_for: + port: 5601 + timeout: 120 + + - name: fetch Elastic password + shell: grep "PASSWORD elastic " 
/usr/share/elasticsearch/initial_passwords | awk {' print $4 '} + register: elastic_password + changed_when: false + delegate_to: "{{ groups['elasticsearch'][0] }}" + + - name: Connect to Elasticsearch + command: "curl -s --cacert /etc/kibana/certs/ca.crt -u elastic:{{ elastic_password.stdout }} https://{{ groups['elasticsearch'][0] }}:{{ elastic_elasticsearch_http_port }}/_cat/indices" + + - name: Connect to Kibana + command: "curl -s -u elastic:{{ elastic_password.stdout }} http://{{ ansible_hostname }}:5601/api/status" + register: curl_out + failed_when: + - "'green' not in curl_out.stdout" + - "'Elasticsearch is available' not in curl_out.stdout" + + # The following might be nicer but doesn't work + # Needs more digging - just failed + #- name: Connect to Kibana + # uri: + # url: http://ansible-role-kibana_full_stack:5601/api/status + # user: elastic + # password: "{{ elastic_password.stdout }}" + # return_content: yes + # register: kibana_status + # #failed_when: "'"title": "Green"' not in kibana_status.content" + # failed_when: "'Green' not in kibana_status.content" diff --git a/molecule/logstash_specific_version/converge.yml b/molecule/logstash_specific_version/converge.yml index a650256b..fde564e6 100644 --- a/molecule/logstash_specific_version/converge.yml +++ b/molecule/logstash_specific_version/converge.yml 
@@ -16,20 +16,20 @@ elastic_stack_full_stack: false tasks: - - name: Set Logstash version on RedHat - set_fact: - logstash_version: "-7.10.1" - when: ansible_os_family == "RedHat" + - name: Set Logstash version on RedHat + set_fact: + logstash_version: "-7.10.1" + when: ansible_os_family == "RedHat" - - name: Set Logstash version on Debian - set_fact: - logstash_version: "=1:7.10.1-1" - when: ansible_os_family == "Debian" + - name: Set Logstash version on Debian + set_fact: + logstash_version: "=1:7.10.1-1" + when: ansible_os_family == "Debian" - - name: "Include Elastics repos role" - include_role: - name: repos + - name: "Include Elastics repos role" + include_role: + name: repos - - name: "Include Logstash" - include_role: - name: logstash + - name: "Include Logstash" + include_role: + name: logstash diff --git a/molecule/repos_default/prepare.yml b/molecule/repos_default/prepare.yml index 0f484d55..74162f3f 100644 --- a/molecule/repos_default/prepare.yml +++ b/molecule/repos_default/prepare.yml @@ -5,13 +5,13 @@ - name: Install requirements for Debian ansible.builtin.apt: name: - - gpg - - apt-transport-https + - gpg + - apt-transport-https update_cache: yes when: ansible_os_family == "Debian" - name: Install requirements for Ubuntu ansible.builtin.apt: name: - - gpg-agent + - gpg-agent update_cache: yes when: ansible_os_family == "Debian" and ansible_distribution == "Ubuntu" diff --git a/molecule/repos_oss/prepare.yml b/molecule/repos_oss/prepare.yml index 0f484d55..74162f3f 100644 --- a/molecule/repos_oss/prepare.yml +++ b/molecule/repos_oss/prepare.yml @@ -5,13 +5,13 @@ - name: Install requirements for Debian ansible.builtin.apt: name: - - gpg - - apt-transport-https + - gpg + - apt-transport-https update_cache: yes when: ansible_os_family == "Debian" - name: Install requirements for Ubuntu ansible.builtin.apt: name: - - gpg-agent + - gpg-agent update_cache: yes when: ansible_os_family == "Debian" and ansible_distribution == "Ubuntu" 
diff --git a/roles/beats/handlers/main.yml b/roles/beats/handlers/main.yml index a6094f43..3f8d70e8 100644 --- a/roles/beats/handlers/main.yml +++ b/roles/beats/handlers/main.yml @@ -22,5 +22,5 @@ name: metricbeat state: restarted when: - - beats_metricbeat | bool - - metricbeat_enable | bool + - beats_metricbeat | bool + - metricbeat_enable | bool diff --git a/roles/beats/meta/main.yml b/roles/beats/meta/main.yml index c1f28be9..7060c661 100644 --- a/roles/beats/meta/main.yml +++ b/roles/beats/meta/main.yml @@ -8,16 +8,16 @@ galaxy_info: license: GPL-3.0-or-later min_ansible_version: "2.4" platforms: - - name: EL - versions: - - "8" - - name: Debian - versions: - - bullseye - - name: Ubuntu - versions: - - focal - - jammy + - name: EL + versions: + - "8" + - name: Debian + versions: + - bullseye + - name: Ubuntu + versions: + - focal + - jammy galaxy_tags: - elk - beats diff --git a/roles/beats/tasks/beats-security.yml b/roles/beats/tasks/beats-security.yml index f04e5d94..7f73d94a 100644 --- a/roles/beats/tasks/beats-security.yml +++ b/roles/beats/tasks/beats-security.yml @@ -13,7 +13,7 @@ path: "/etc/beats/certs/{{ inventory_hostname }}-beats.crt" register: beats_cert_exists -- name: Get the beats certificate expiration date +- name: Get the beats certificate expiration date # noqa: risky-shell-pipe shell: >- if test -v BASH; then set -o pipefail; fi; openssl x509 @@ -28,7 +28,7 @@ - name: Set the beats certificate expiration date in days set_fact: - beats_cert_expiration_days: "{{ ((beats_cert_expiration_date.stdout | to_datetime('%b %d %H:%M:%S %Y %Z')) - ( ansible_date_time.date | to_datetime('%Y-%m-%d'))).days }}" + beats_cert_expiration_days: "{{ ((beats_cert_expiration_date.stdout | to_datetime('%b %d %H:%M:%S %Y %Z')) - (ansible_date_time.date | to_datetime('%Y-%m-%d'))).days }}" when: beats_cert_expiration_date.skipped is not defined - name: Set beats certificate will expire soon to true 
@@ -44,6 +44,10 @@ when: beats_cert_expiration_days is defined and beats_cert_expiration_days | int <= beats_cert_expiration_buffer | int - name: Backup beats certs then remove + when: "'renew_beats_cert' in ansible_run_tags or 'renew_ca' in ansible_run_tags or beats_cert_will_expire_soon | bool" + tags: + - renew_ca + - renew_beats_cert block: - name: Check if cert directory exists stat: @@ -64,12 +68,13 @@ path: /etc/beats/certs state: absent when: beats_move_cert_directory.changed + +- name: Backup beats certs on elasticsearch_ca host then remove when: "'renew_beats_cert' in ansible_run_tags or 'renew_ca' in ansible_run_tags or beats_cert_will_expire_soon | bool" + delegate_to: "{{ elasticsearch_ca }}" tags: - renew_ca - renew_beats_cert - -- name: Backup beats certs on elasticsearch_ca host then remove block: - name: Check if cert file exists stat: @@ -90,13 +95,13 @@ path: "{{ elastic_ca_dir }}/{{ ansible_hostname }}-beats.zip" state: absent when: beats_move_cert_file.changed + +- name: Backup beats zip file on localhost then remove when: "'renew_beats_cert' in ansible_run_tags or 'renew_ca' in ansible_run_tags or beats_cert_will_expire_soon | bool" - delegate_to: "{{ elasticsearch_ca }}" + delegate_to: localhost tags: - renew_ca - renew_beats_cert - -- name: Backup beats zip file on localhost then remove block: - name: Check the existance of cert on localhost stat: @@ -116,11 +121,6 @@ path: /tmp/{{ ansible_hostname }}-beats.zip state: absent when: beats_move_cert_file.changed - delegate_to: localhost - when: "'renew_beats_cert' in ansible_run_tags or 'renew_ca' in ansible_run_tags or beats_cert_will_expire_soon | bool" - tags: - - renew_ca - - renew_beats_cert - name: Create certificate directory file: 
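Review bot: The `elasticsearch_ca`-host block and the localhost block both test `beats_move_cert_file.changed` (visible in the `@@ -90` and `@@ -116` hunks), so the move result registered in the second block shadows the first under the same name; the logstash equivalent keeps them distinct (`logstash_move_cert_zip_file_ca_host`, `logstash_move_cert_zip_ansible_controler`). Renaming the localhost one, e.g. `register: beats_move_cert_zip_localhost` with `when: beats_move_cert_zip_localhost.changed`, keeps the two delegated steps independent. Also, these blocks now run whenever `beats_cert_will_expire_soon | bool` is true and carry no `never` tag, so they move away and delete the live certs during an ordinary run; make sure that fact is always initialised before this point, as the task that sets its default is outside the hunk.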
@@ -237,8 +237,9 @@ - renew_ca - renew_beats_cert -- name: Fetch Beats password +- name: Fetch Beats password # noqa: risky-shell-pipe shell: > + if test -v BASH; then set -o pipefail; fi; grep "PASSWORD elastic" {{ elastic_initial_passwords }} | awk {' print $4 '} register: beats_writer_password diff --git a/roles/elasticsearch/meta/main.yml b/roles/elasticsearch/meta/main.yml index 98999efc..fc06634b 100644 --- a/roles/elasticsearch/meta/main.yml +++ b/roles/elasticsearch/meta/main.yml 
@@ -4,57 +4,18 @@ galaxy_info: role_name: elasticsearch company: Netways GmbH namespace: netways - # If the issue tracker for your role is not on github, uncomment the - # next line and provide a value - # issue_tracker_url: http://example.com/issue/tracker - - # Choose a valid license ID from https://spdx.org - some suggested licenses: - # - BSD-3-Clause (default) - # - MIT - # - GPL-2.0-or-later - # - GPL-3.0-only - # - Apache-2.0 - # - CC-BY-4.0 license: GPL-3.0-or-later - min_ansible_version: "2.4" - - # If this a Container Enabled role, provide the minimum Ansible Container version. - # min_ansible_container_version: - - # - # Provide a list of supported platforms, and for each platform a list of versions. - # If you don't wish to enumerate all versions for a particular platform, use 'all'. - # To view available platforms and versions (or releases), visit: - # https://galaxy.ansible.com/api/v1/platforms/ - # platforms: - - name: EL - versions: - - "8" - - name: Debian - versions: - - bullseye - - name: Ubuntu - versions: - - focal - - jammy - # - 25 - # - name: SomePlatform - # versions: - # - all - # - 1.0 - # - 7 - # - 99.99 - + - name: EL + versions: + - "8" + - name: Debian + versions: + - bullseye + - name: Ubuntu + versions: + - focal + - jammy galaxy_tags: [] - # List tags for your role here, one per line. A tag is a keyword that describes - # and categorizes the role. Users find roles by searching for tags. Be sure to - # remove the '[]' above, if you add tags to this list. - # - # NOTE: A tag is limited to a single word comprised of alphanumeric characters. - # Maximum 20 tags per role. - dependencies: [] - # List your role dependencies here, one per line. Be sure to remove the '[]' above, - # if you add dependencies to this list. diff --git a/roles/elasticsearch/tasks/elasticsearch-security.yml b/roles/elasticsearch/tasks/elasticsearch-security.yml index 3e413f8f..ae3cc7ff 100644 --- a/roles/elasticsearch/tasks/elasticsearch-security.yml 
+++ b/roles/elasticsearch/tasks/elasticsearch-security.yml @@ -15,7 +15,7 @@ register: ca_exists when: inventory_hostname == elasticsearch_ca -- name: Get the ca expiration date +- name: Get the ca expiration date # noqa: risky-shell-pipe shell: >- if test -v BASH; then set -o pipefail; fi; openssl pkcs12 @@ -33,7 +33,7 @@ - name: Set the ca expiration date in days set_fact: - elastic_ca_expiration_days: "{{ ((ca_expiration_date.stdout | to_datetime('%b %d %H:%M:%S %Y %Z')) - ( ansible_date_time.date | to_datetime('%Y-%m-%d'))).days }}" + elastic_ca_expiration_days: "{{ ((ca_expiration_date.stdout | to_datetime('%b %d %H:%M:%S %Y %Z')) - (ansible_date_time.date | to_datetime('%Y-%m-%d'))).days }}" when: inventory_hostname == elasticsearch_ca and ca_expiration_date.skipped is not defined - name: Set ca will expire soon to true @@ -59,6 +59,9 @@ - groups['logstash'] is defined - name: Backup ca directory on elasticsearch ca host then remove + when: (inventory_hostname == elasticsearch_ca) and ('renew_ca' in "ansible_run_tags" or elastic_ca_will_expire_soon | bool) + tags: + - renew_ca block: - name: Check if ca directory exists on elasticsearch ca host stat: @@ -102,16 +105,12 @@ when: elasticsearch_move_ca_file.changed delegate_to: localhost - when: (inventory_hostname == elasticsearch_ca) and ('renew_ca' in "ansible_run_tags" or elastic_ca_will_expire_soon | bool) - tags: - - renew_ca - - name: Ensure elasticsearch certificate exists stat: path: "/etc/elasticsearch/certs/{{ ansible_hostname }}.p12" register: elasticsearch_cert_exists -- name: Get the elasticsearch certificate expiration date +- name: Get the elasticsearch certificate expiration date # noqa: risky-shell-pipe shell: >- if test -v BASH; then set -o pipefail; fi; openssl pkcs12 
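Review bot: The block-level `when:` moved into the `Backup ca directory on elasticsearch ca host then remove` hunk tests `'renew_ca' in "ansible_run_tags"` with the variable name in quotes, so it is a substring check against the literal string `ansible_run_tags` and is always false; the block then only fires via `elastic_ca_will_expire_soon | bool`, and a run with `--tags renew_ca` never backs up and removes the existing CA. The other backup blocks in this file use the unquoted variable, so this should read `when: (inventory_hostname == elasticsearch_ca) and ('renew_ca' in ansible_run_tags or elastic_ca_will_expire_soon | bool)`. The defect is pre-existing, but the lint commit moves the line without correcting it.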
@@ -127,7 +126,7 @@ - name: Set the elasticsearch certificate expiration date in days set_fact: - elasticsearch_cert_expiration_days: "{{ ((elasticsearch_cert_expiration_date.stdout | to_datetime('%b %d %H:%M:%S %Y %Z')) - ( ansible_date_time.date | to_datetime('%Y-%m-%d'))).days }}" + elasticsearch_cert_expiration_days: "{{ ((elasticsearch_cert_expiration_date.stdout | to_datetime('%b %d %H:%M:%S %Y %Z')) - (ansible_date_time.date | to_datetime('%Y-%m-%d'))).days }}" when: elasticsearch_cert_expiration_date.skipped is not defined - name: Set elasticsearch certificate will expire soon to true @@ -143,6 +142,10 @@ when: elasticsearch_cert_expiration_day is defined and elastic_ca_expiration_days | int <= elastic_ca_expiration_buffer | int - name: Backup elasticsearch certs on node then remove + when: "'renew_es_cert' in ansible_run_tags or 'renew_ca' in ansible_run_tags or elasticsearch_cert_will_expire_soon | bool" + tags: + - renew_ca + - renew_es_cert block: - name: Check if cert directory exists on elasticsearch node stat: @@ -163,12 +166,13 @@ path: /etc/elasticsearch/certs state: absent when: elasticsearch_move_cert_directory.changed + +- name: Backup elasticsearch certs on elasticsearch_ca host then remove when: "'renew_es_cert' in ansible_run_tags or 'renew_ca' in ansible_run_tags or elasticsearch_cert_will_expire_soon | bool" + delegate_to: "{{ elasticsearch_ca }}" tags: - renew_ca - renew_es_cert - -- name: Backup elasticsearch certs on elasticsearch_ca host then remove block: - name: Check if cert file exists on elasticsearch_ca host stat: 
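Review bot: The context `when:` at the top of the `@@ -143,6 +142,10 @@` hunk reads `elasticsearch_cert_expiration_day is defined and elastic_ca_expiration_days | int <= elastic_ca_expiration_buffer | int`: the first name lacks the trailing `s` of `elasticsearch_cert_expiration_days` set in the hunk above, so `is defined` is never true and the task it guards (its header is outside the hunk) never runs, and the comparison looks at the CA's remaining days rather than the node certificate's. The beats and logstash counterparts compare the cert's own days against its own buffer, so this probably wants `elasticsearch_cert_expiration_days is defined and elasticsearch_cert_expiration_days | int <= <elasticsearch cert buffer variable> | int`. If that task is the one setting `elasticsearch_cert_will_expire_soon`, the new block-level `when:` just below it can never be satisfied through expiry, only through the `renew_es_cert`/`renew_ca` tags.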
@@ -189,13 +193,13 @@ path: "{{ elastic_ca_dir }}/{{ ansible_hostname }}.p12" state: absent when: elasticsearch_move_cert_file.changed + +- name: Backup elasticsearch cert on localhost then remove when: "'renew_es_cert' in ansible_run_tags or 'renew_ca' in ansible_run_tags or elasticsearch_cert_will_expire_soon | bool" - delegate_to: "{{ elasticsearch_ca }}" + delegate_to: localhost tags: - - renew_ca - renew_es_cert - -- name: Backup elasticsearch cert on localhost then remove + - renew_ca block: - name: Check the existance of cert on Ansible controler stat: @@ -215,11 +219,6 @@ path: /tmp/{{ ansible_hostname }}.p12 state: absent when: elasticsearch_move_cert_file.changed - delegate_to: localhost - when: "'renew_es_cert' in ansible_run_tags or 'renew_ca' in ansible_run_tags or elasticsearch_cert_will_expire_soon | bool" - tags: - - renew_es_cert - - renew_ca - name: Create directory for Elasticsearch CA file: @@ -243,8 +242,9 @@ changed_when: false register: es_keystore -- name: Set bootstrap password +- name: Set bootstrap password # noqa: risky-shell-pipe shell: > + if test -v BASH; then set -o pipefail; fi; echo "{{ elasticsearch_bootstrap_pw }}" | /usr/share/elasticsearch/bin/elasticsearch-keystore add -x 'bootstrap.password' @@ -256,8 +256,9 @@ ignore_errors: "{{ ansible_check_mode }}" -- name: Get xpack.security.http.ssl.keystore.secure_password +- name: Get xpack.security.http.ssl.keystore.secure_password # noqa: risky-shell-pipe shell: > + if test -v BASH; then set -o pipefail; fi; /usr/share/elasticsearch/bin/elasticsearch-keystore show 'xpack.security.http.ssl.keystore.secure_password' when: 
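Review bot: In the `Set bootstrap password` hunk the secret is spliced into a shell line as `echo "{{ elasticsearch_bootstrap_pw }}" | …`, so a value containing `"`, `$` or a backtick alters the command instead of being stored verbatim; `echo {{ elasticsearch_bootstrap_pw | quote }} | …` (Ansible's `quote` filter shell-escapes the value) avoids that. The same applies to the four `Set xpack.security.*.secure_password` tasks in the following hunks, which pipe `{{ elasticsearch_tls_key_passphrase }}` the same way. `no_log: true` appears as context for the keystore `Get` tasks in those hunks but is not visible for `Set bootstrap password` here; without it the command string with the password ends up in the task result and verbose output, so confirm it is set outside the hunk.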
@@ -268,8 +269,9 @@ no_log: true changed_when: false -- name: Set xpack.security.http.ssl.keystore.secure_password +- name: Set xpack.security.http.ssl.keystore.secure_password # noqa: risky-shell-pipe shell: > + if test -v BASH; then set -o pipefail; fi; echo "{{ elasticsearch_tls_key_passphrase }}" | /usr/share/elasticsearch/bin/elasticsearch-keystore add -f -x 'xpack.security.http.ssl.keystore.secure_password' @@ -282,8 +284,9 @@ - Restart Elasticsearch -- name: Remove xpack.security.http.ssl.keystore.secure_password +- name: Remove xpack.security.http.ssl.keystore.secure_password # noqa: risky-shell-pipe shell: > + if test -v BASH; then set -o pipefail; fi; /usr/share/elasticsearch/bin/elasticsearch-keystore remove 'xpack.security.http.ssl.keystore.secure_password' changed_when: false @@ -295,8 +298,9 @@ - Restart Elasticsearch -- name: Get xpack.security.http.ssl.truststore.secure_password +- name: Get xpack.security.http.ssl.truststore.secure_password # noqa: risky-shell-pipe shell: > + if test -v BASH; then set -o pipefail; fi; /usr/share/elasticsearch/bin/elasticsearch-keystore show 'xpack.security.http.ssl.truststore.secure_password' when: @@ -307,8 +311,9 @@ no_log: true changed_when: false -- name: Set xpack.security.http.ssl.truststore.secure_password +- name: Set xpack.security.http.ssl.truststore.secure_password # noqa: risky-shell-pipe shell: > + if test -v BASH; then set -o pipefail; fi; echo "{{ elasticsearch_tls_key_passphrase }}" | /usr/share/elasticsearch/bin/elasticsearch-keystore add -f -x 'xpack.security.http.ssl.truststore.secure_password' @@ -320,8 +325,9 @@ notify: - Restart Elasticsearch -- name: Remove xpack.security.http.ssl.truststore.secure_password +- name: Remove xpack.security.http.ssl.truststore.secure_password # noqa: risky-shell-pipe shell: > + if test -v BASH; then set -o pipefail; fi; /usr/share/elasticsearch/bin/elasticsearch-keystore remove 'xpack.security.http.ssl.truststore.secure_password' changed_when: false 
@@ -332,8 +338,9 @@ notify: - Restart Elasticsearch -- name: Get xpack.security.transport.ssl.keystore.secure_password +- name: Get xpack.security.transport.ssl.keystore.secure_password # noqa: risky-shell-pipe shell: > + if test -v BASH; then set -o pipefail; fi; /usr/share/elasticsearch/bin/elasticsearch-keystore show 'xpack.security.transport.ssl.keystore.secure_password' when: @@ -344,8 +351,9 @@ no_log: true changed_when: false -- name: Set xpack.security.transport.ssl.keystore.secure_password +- name: Set xpack.security.transport.ssl.keystore.secure_password # noqa: risky-shell-pipe shell: > + if test -v BASH; then set -o pipefail; fi; echo "{{ elasticsearch_tls_key_passphrase }}" | /usr/share/elasticsearch/bin/elasticsearch-keystore add -f -x 'xpack.security.transport.ssl.keystore.secure_password' @@ -357,8 +365,9 @@ notify: - Restart Elasticsearch -- name: Remove xpack.security.transport.ssl.keystore.secure_password +- name: Remove xpack.security.transport.ssl.keystore.secure_password # noqa: risky-shell-pipe shell: > + if test -v BASH; then set -o pipefail; fi; /usr/share/elasticsearch/bin/elasticsearch-keystore remove 'xpack.security.transport.ssl.keystore.secure_password' changed_when: false @@ -369,8 +378,9 @@ notify: - Restart Elasticsearch -- name: Get xpack.security.transport.ssl.truststore.secure_password +- name: Get xpack.security.transport.ssl.truststore.secure_password # noqa: risky-shell-pipe shell: > + if test -v BASH; then set -o pipefail; fi; /usr/share/elasticsearch/bin/elasticsearch-keystore show 'xpack.security.transport.ssl.truststore.secure_password' when: 
@@ -381,8 +391,9 @@ no_log: true changed_when: false -- name: Set xpack.security.transport.ssl.truststore.secure_password +- name: Set xpack.security.transport.ssl.truststore.secure_password # noqa: risky-shell-pipe shell: > + if test -v BASH; then set -o pipefail; fi; echo "{{ elasticsearch_tls_key_passphrase }}" | /usr/share/elasticsearch/bin/elasticsearch-keystore add -f -x 'xpack.security.transport.ssl.truststore.secure_password' @@ -394,8 +405,9 @@ notify: - Restart Elasticsearch -- name: Remove xpack.security.transport.ssl.truststore.secure_password +- name: Remove xpack.security.transport.ssl.truststore.secure_password # noqa: risky-shell-pipe shell: > + if test -v BASH; then set -o pipefail; fi; /usr/share/elasticsearch/bin/elasticsearch-keystore remove 'xpack.security.transport.ssl.truststore.secure_password' changed_when: false @@ -550,8 +562,9 @@ elasticsearch_http_protocol: "https" when: elasticsearch_http_security -- name: Check for cluster status with bootstrap password +- name: Check for cluster status with bootstrap password # noqa: risky-shell-pipe shell: > + if test -v BASH; then set -o pipefail; fi; curl -ks {{ elasticsearch_http_protocol }}://elastic:{{ elasticsearch_bootstrap_pw }}@localhost:{{ elastic_elasticsearch_http_port }}/_cluster/health?pretty | grep status | 
@@ -561,16 +574,20 @@ no_log: true when: not elasticsearch_passwords_file.stat.exists | bool -- name: Fetch Elastic password - shell: grep "PASSWORD elastic" {{ elastic_initial_passwords }} | awk {' print $4 '} +- name: Fetch Elastic password # noqa: risky-shell-pipe + shell: > + if test -v BASH; then set -o pipefail; fi; + grep "PASSWORD elastic" {{ elastic_initial_passwords }} | + awk {' print $4 '} register: elastic_password changed_when: false no_log: true delegate_to: "{{ elasticsearch_ca }}" #when: elasticsearch_passwords_file.stat.exists -- name: Check for cluster status with elastic password +- name: Check for cluster status with elastic password # noqa: risky-shell-pipe shell: > + if test -v BASH; then set -o pipefail; fi; curl -ks {{ elasticsearch_http_protocol }}://elastic:{{ elastic_password.stdout }}@localhost:{{ elastic_elasticsearch_http_port }}/_cluster/health?pretty | grep status | @@ -603,8 +620,9 @@ tags: - notest -- name: Create initial passwords +- name: Create initial passwords # noqa: risky-shell-pipe shell: > + if test -v BASH; then set -o pipefail; fi; /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto -b > {{ elastic_initial_passwords }} when: inventory_hostname == elasticsearch_ca diff --git a/roles/kibana/meta/main.yml b/roles/kibana/meta/main.yml index 8be73aa4..3e42337f 100644 --- a/roles/kibana/meta/main.yml +++ b/roles/kibana/meta/main.yml @@ -7,16 +7,16 @@ galaxy_info: min_ansible_version: "2.4" platforms: - - name: EL - versions: - - "8" - - name: Debian - versions: - - bullseye - - name: Ubuntu - versions: - - focal - - jammy + - name: EL + versions: + - "8" + - name: Debian + versions: + - bullseye + - name: Ubuntu + versions: + - focal + - jammy galaxy_tags: [] dependencies: [] # List your role dependencies here, one per line. Be sure to remove the '[]' above, diff --git a/roles/kibana/tasks/kibana-security.yml b/roles/kibana/tasks/kibana-security.yml index df0d0e6b..62d850bc 100644 
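Review bot: `elasticsearch-setup-passwords auto -b > {{ elastic_initial_passwords }}` in 'Create initial passwords' writes every initial superuser password to a file whose mode is whatever the remote umask yields for a shell redirect — typically world-readable — and nothing in the hunk tightens it afterwards. A follow-up `file:` task with `mode: "0600"`, or a `umask 077;` at the start of the command, would keep the file private; the same applies to the `encryption_key` and `savedobjects_encryption_key` redirects in roles/kibana/tasks/kibana-security.yml. Separately, the awk program in 'Fetch Elastic password' is written as `{' print $4 '}`, which only works because the shell glues the three fragments together; `'{ print $4 }'` says the same thing plainly.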
--- a/roles/kibana/tasks/kibana-security.yml +++ b/roles/kibana/tasks/kibana-security.yml @@ -24,7 +24,7 @@ path: "/etc/kibana/certs/{{ ansible_hostname }}-kibana.p12" register: kibana_cert_exists -- name: Get the kibana certificate expiration date +- name: Get the kibana certificate expiration date # noqa: risky-shell-pipe shell: >- if test -v BASH; then set -o pipefail; fi; openssl pkcs12 @@ -41,7 +41,7 @@ - name: Set the kibana certificate expiration date in days set_fact: - kibana_cert_expiration_days: "{{ ((kibana_cert_expiration_date.stdout | to_datetime('%b %d %H:%M:%S %Y %Z')) - ( ansible_date_time.date | to_datetime('%Y-%m-%d'))).days }}" + kibana_cert_expiration_days: "{{ ((kibana_cert_expiration_date.stdout | to_datetime('%b %d %H:%M:%S %Y %Z')) - (ansible_date_time.date | to_datetime('%Y-%m-%d'))).days }}" when: kibana_cert_expiration_date.skipped is not defined - name: Set kibana certificate will expire soon to true @@ -57,6 +57,10 @@ when: kibana_cert_expiration_days is defined and kibana_cert_expiration_days | int <= kibana_cert_expiration_buffer | int - name: Backup kibana certs then remove + when: "'renew_kibana_cert' in ansible_run_tags or 'renew_ca' in ansible_run_tags or kibana_cert_will_expire_soon | bool" + tags: + - renew_ca + - renew_kibana_cert block: - name: Check if cert directory exists stat: @@ -77,12 +81,13 @@ path: /etc/kibana/certs state: absent when: kibana_move_cert_directory.changed + +- name: Backup kibana certs on elasticsearch_ca host then remove when: "'renew_kibana_cert' in ansible_run_tags or 'renew_ca' in ansible_run_tags or kibana_cert_will_expire_soon | bool" + delegate_to: "{{ elasticsearch_ca }}" tags: - renew_ca - renew_kibana_cert - -- name: Backup kibana certs on elasticsearch_ca host then remove block: - name: Check if cert file exists stat: 
@@ -103,13 +108,13 @@ path: "{{ elastic_ca_dir }}/{{ ansible_hostname }}-kibana.p12" state: absent when: kibana_move_cert_file.changed + +- name: Backup kibana cert on localhost then remove + delegate_to: localhost when: "'renew_kibana_cert' in ansible_run_tags or 'renew_ca' in ansible_run_tags or kibana_cert_will_expire_soon | bool" - delegate_to: "{{ elasticsearch_ca }}" tags: - renew_ca - renew_kibana_cert - -- name: Backup kibana cert on localhost then remove block: - name: Check the existance of cert on localhost stat: @@ -129,18 +134,20 @@ path: /tmp/{{ ansible_hostname }}-kibana.p12 state: absent when: kibana_move_cert_file.changed - delegate_to: localhost - when: "'renew_kibana_cert' in ansible_run_tags or 'renew_ca' in ansible_run_tags or kibana_cert_will_expire_soon | bool" - tags: - - renew_ca - - renew_kibana_cert - name: Block for key generation delegate_to: "{{ elasticsearch_ca }}" run_once: true + tags: + - certificates + - renew_ca + - renew_kibana_cert block: - - name: Generate encryption key - shell: openssl rand -base64 36 > {{ elastic_ca_dir }}/encryption_key + - name: Generate encryption key # noqa: risky-shell-pipe + shell: > + if test -v BASH; then set -o pipefail; fi; + openssl rand -base64 36 > + {{ elastic_ca_dir }}/encryption_key changed_when: false args: creates: "{{ elastic_ca_dir }}/encryption_key" @@ -150,8 +157,9 @@ changed_when: false register: kibana_encryption_key - - name: Generate saved objects encryption key + - name: Generate saved objects encryption key # noqa: risky-shell-pipe shell: > + if test -v BASH; then set -o pipefail; fi; openssl rand -base64 36 > {{ elastic_ca_dir }}/savedobjects_encryption_key @@ -163,10 +171,6 @@ command: cat {{ elastic_ca_dir }}/savedobjects_encryption_key changed_when: false register: kibana_savedobjects_encryption_key - tags: - - certificates - - renew_ca - - renew_kibana_cert - name: Create certificate directory file: 
@@ -224,8 +228,9 @@ - renew_ca - renew_kibana_cert -- name: Fetch Kibana password +- name: Fetch Kibana password # noqa: risky-shell-pipe shell: > + if test -v BASH; then set -o pipefail; fi; grep "PASSWORD kibana_system " /usr/share/elasticsearch/initial_passwords | awk {' print $4 '} register: kibana_password diff --git a/roles/logstash/meta/main.yml b/roles/logstash/meta/main.yml index eb06b1e1..3a3cd722 100644 --- a/roles/logstash/meta/main.yml +++ b/roles/logstash/meta/main.yml @@ -7,16 +7,16 @@ galaxy_info: license: license (GPL-3.0-or-later) min_ansible_version: "2.4" platforms: - - name: EL - versions: - - "8" - - name: Debian - versions: - - bullseye - - name: Ubuntu - versions: - - focal - - jammy + - name: EL + versions: + - "8" + - name: Debian + versions: + - bullseye + - name: Ubuntu + versions: + - focal + - jammy galaxy_tags: - elk - logstash diff --git a/roles/logstash/tasks/manage_pipeline.yml b/roles/logstash/tasks/manage_pipeline.yml index 85b64a9a..f4a4a53e 100644 --- a/roles/logstash/tasks/manage_pipeline.yml +++ b/roles/logstash/tasks/manage_pipeline.yml @@ -5,8 +5,9 @@ path: "/etc/logstash/conf.d/{{ pipelinename.name }}" register: "pipeline_stat" -- name: Check who managed pipeline in last run +- name: Check who managed pipeline in last run # noqa: risky-shell-pipe shell: > + if test -v BASH; then set -o pipefail; fi; grep -e '^# source:{{ pipelinename.name }}' /etc/logstash/pipelines.yml | cut -d: -f3 register: "pipeline_manager" diff --git a/roles/repos/meta/main.yml b/roles/repos/meta/main.yml index be33d933..f70736a6 100644 --- a/roles/repos/meta/main.yml +++ b/roles/repos/meta/main.yml 
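Review bot: With pipefail enabled, `grep -e '^# source:{{ pipelinename.name }}' /etc/logstash/pipelines.yml | cut -d: -f3` in 'Check who managed pipeline in last run' now fails the task whenever the pipeline has no `# source:` line yet, because grep exits 1 on no match, whereas before `cut` returned 0 and `pipeline_manager.stdout` was simply empty. If later tasks rely on an empty result to mean "not managed yet", add `failed_when: pipeline_manager.rc > 1` so that only real errors fail the task. Any remaining keys of this task are outside the hunk, so I cannot tell whether such handling already exists.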
@@ -8,16 +8,16 @@ galaxy_info: min_ansible_version: "2.9" platforms: - - name: EL - versions: - - "8" - - name: Debian - versions: - - bullseye - - name: Ubuntu - versions: - - focal - - jammy + - name: EL + versions: + - "8" + - name: Debian + versions: + - bullseye + - name: Ubuntu + versions: + - focal + - jammy galaxy_tags: - logmanagement - elasticstack From 6d5d2d434095a82b3123f790cda8f0f056c3b34e Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Wed, 15 Mar 2023 13:25:47 +0100 Subject: [PATCH 5/7] Remoe, hopefully, last lint --- molecule/beats_peculiar/verify.yml | 36 +++++++++---------- molecule/logstash_specific_version/verify.yml | 31 ++++++++-------- roles/beats/tasks/auditbeat.yml | 12 +++---- roles/beats/tasks/filebeat.yml | 12 +++---- roles/beats/tasks/metricbeat.yml | 11 +++--- roles/elasticsearch/tasks/main.yml | 13 +++---- roles/kibana/tasks/main.yml | 14 ++++---- roles/logstash/tasks/main.yml | 13 +++---- 8 files changed, 72 insertions(+), 70 deletions(-) diff --git a/molecule/beats_peculiar/verify.yml b/molecule/beats_peculiar/verify.yml index b766ed89..f8514512 100644 --- a/molecule/beats_peculiar/verify.yml +++ b/molecule/beats_peculiar/verify.yml 
@@ -5,24 +5,24 @@ vars: elastic_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}" tasks: - - name: fetch Filebeat version - command: "filebeat version | grep ^filebeat" - register: filebeat_version + - name: fetch Filebeat version + command: "filebeat version | grep ^filebeat" + register: filebeat_version - - name: DEBUG show filebeat version output - debug: - var: filebeat_version.stdout + - name: DEBUG show filebeat version output + debug: + var: filebeat_version.stdout - - name: Fail if Filebeat has the wrong version - fail: - msg: "Filebeat has the wrong version" - when: - - filebeat_version.stdout.find('7.17.1') == -1 - - elastic_release == 7 + - name: Fail if Filebeat has the wrong version + fail: + msg: "Filebeat has the wrong version" + when: + - filebeat_version.stdout.find('7.17.1') == -1 + - elastic_release == 7 - - name: Fail if Filebeat has the wrong version - fail: - msg: "Filebeat has the wrong version" - when: - - filebeat_version.stdout.find('8.4.1') == -1 - - elastic_release == 8 + - name: Fail if Filebeat has the wrong version + fail: + msg: "Filebeat has the wrong version" + when: + - filebeat_version.stdout.find('8.4.1') == -1 + - elastic_release == 8 diff --git a/molecule/logstash_specific_version/verify.yml b/molecule/logstash_specific_version/verify.yml index d7351f29..3b38a350 100644 --- a/molecule/logstash_specific_version/verify.yml +++ b/molecule/logstash_specific_version/verify.yml 
@@ -5,21 +5,20 @@ vars: elastic_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}" tasks: - - name: Run syntax check - command: "/usr/share/logstash/bin/logstash --version | grep ^logstash" - register: logstash_version + - name: Run syntax check + command: "/usr/share/logstash/bin/logstash --version | grep ^logstash" + register: logstash_version - - name: Fail if Logstash has the wrong version - fail: - msg: "Logstash has the wrong version" - when: - - logstash_version.stdout.find('7.17.1') == -1 - - elastic_release == 7 - - - name: Fail if Logstash has the wrong version - fail: - msg: "Logstash has the wrong version" - when: - - logstash_version.stdout.find('8.4.1') == -1 - - elastic_release == 8 + - name: Fail if Logstash has the wrong version + fail: + msg: "Logstash has the wrong version" + when: + - logstash_version.stdout.find('7.17.1') == -1 + - elastic_release == 7 + - name: Fail if Logstash has the wrong version + fail: + msg: "Logstash has the wrong version" + when: + - logstash_version.stdout.find('8.4.1') == -1 + - elastic_release == 8 diff --git a/roles/beats/tasks/auditbeat.yml b/roles/beats/tasks/auditbeat.yml index 7b02c46e..750b12fd 100644 --- a/roles/beats/tasks/auditbeat.yml +++ b/roles/beats/tasks/auditbeat.yml @@ -2,14 +2,14 @@ - name: Construct exact name of Auditbeat package set_fact: - auditbeat_package: >- + auditbeat_package: > {{ - 'auditbeat' - + (elastic_versionseparator + elastic_version - | string if elastic_version is defined else '') - | replace(' ','') + 'auditbeat' + + (elastic_versionseparator + + elastic_version | + string if elastic_version is defined else '') | + replace(' ', '') }} - - name: Install Auditbeat - rpm package: name: "{{ auditbeat_package }}" diff --git a/roles/beats/tasks/filebeat.yml b/roles/beats/tasks/filebeat.yml index 10834d7c..68348d6e 100644 --- a/roles/beats/tasks/filebeat.yml +++ b/roles/beats/tasks/filebeat.yml 
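Review bot: Changing the block scalar in 'Construct exact name of Auditbeat package' from `>-` to `>` drops the strip indicator, so the YAML value now ends in a newline; Ansible's templating preserves trailing newlines of the source string, so `auditbeat_package` presumably becomes a value like `auditbeat-8.4.1` followed by a newline, and that is what the package module receives. Nothing about the lint fix needs this — the spacing change inside the Jinja expression is independent — so keep `auditbeat_package: >-`. The same `>-` to `>` change appears in filebeat.yml, metricbeat.yml and in the elasticsearch, kibana and logstash tasks/main.yml hunks of this patch.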
@@ -2,13 +2,13 @@ - name: Construct exact name of Filebeat package set_fact: - filebeat_package: >- + filebeat_package: > {{ - 'filebeat' - + (elastic_versionseparator + elastic_version - | string if elastic_version is defined else '') - | replace(' ','') - }} + 'filebeat' + + (elastic_versionseparator + + elastic_version | + string if elastic_version is defined else '') | + replace(' ', '') }} - name: Install Filebeat - rpm package: diff --git a/roles/beats/tasks/metricbeat.yml b/roles/beats/tasks/metricbeat.yml index 9e6d1412..1748ee6f 100644 --- a/roles/beats/tasks/metricbeat.yml +++ b/roles/beats/tasks/metricbeat.yml @@ -2,12 +2,13 @@ - name: Construct exact name of Metricbeat package set_fact: - metricbeat_package: >- + metricbeat_package: > {{ - 'metricbeat' - + (elastic_versionseparator + elastic_version - | string if elastic_version is defined else '') - | replace(' ','') + 'metricbeat' + + (elastic_versionseparator + + elastic_version | + string if elastic_version is defined else '') | + replace(' ', '') }} - name: Install Metricbeat - rpm diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml index 04914bc5..0cea03a8 100644 --- a/roles/elasticsearch/tasks/main.yml +++ b/roles/elasticsearch/tasks/main.yml @@ -35,13 +35,14 @@ - name: Construct exact name of Elasticsearch package set_fact: - elasticsearch_package: >- + elasticsearch_package: > {{ - 'elasticsearch' - + ('-oss' if elastic_variant == 'oss' else '') - + (elastic_versionseparator + elastic_version - | string if elastic_version is defined else '') - | replace(' ','') + 'elasticsearch' + + ('-oss' if elastic_variant == 'oss' else '') + + (elastic_versionseparator + + elastic_version | + string if elastic_version is defined else '') | + replace(' ', '') }} - name: Install Elasticsearch - rpm diff --git a/roles/kibana/tasks/main.yml b/roles/kibana/tasks/main.yml index 10be289c..217d15b6 100644 --- a/roles/kibana/tasks/main.yml +++ b/roles/kibana/tasks/main.yml 
@@ -29,14 +29,14 @@ - name: Construct exact name of Kibana package set_fact: - kibana_package: >- + kibana_package: > {{ - 'kibana' - + ('-oss' if elastic_variant == 'oss' else '') - + (elastic_versionseparator + elastic_version - | string if elastic_version is defined else '') - | replace(' ','') - }} + 'kibana' + + ('-oss' if elastic_variant == 'oss' else '') + + (elastic_versionseparator + + elastic_version | + string if elastic_version is defined else '') | + replace(' ', '') }} - name: Install Kibana - rpm package: diff --git a/roles/logstash/tasks/main.yml b/roles/logstash/tasks/main.yml index 26aefd06..6940c363 100644 --- a/roles/logstash/tasks/main.yml +++ b/roles/logstash/tasks/main.yml @@ -53,13 +53,14 @@ - name: Construct exact name of Logstas package set_fact: - logstash_package: >- + logstash_package: > {{ - 'logstash' - + ('-oss' if elastic_variant == 'oss' else '') - + (elastic_versionseparator + elastic_version - | string if elastic_version is defined else '') - | replace(' ','') + 'logstash' + + ('-oss' if elastic_variant == 'oss' else '') + + (elastic_versionseparator + + elastic_version | + string if elastic_version is defined else '') | + replace(' ', '') }} - name: Install Logstash - rpm From 00dbdcdd32ecef3b1ae9abbe058d294e5e0a9a68 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Wed, 15 Mar 2023 16:34:05 +0100 Subject: [PATCH 6/7] Remove wrong comment symbol --- roles/elasticsearch/tasks/elasticsearch-security.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/elasticsearch/tasks/elasticsearch-security.yml b/roles/elasticsearch/tasks/elasticsearch-security.yml index a55f7f8e..580dfacf 100644 --- a/roles/elasticsearch/tasks/elasticsearch-security.yml +++ b/roles/elasticsearch/tasks/elasticsearch-security.yml 
@@ -586,7 +586,7 @@ changed_when: false no_log: true delegate_to: "{{ elasticsearch_ca }}" - #when: elasticsearch_passwords_file.stat.exists + when: elasticsearch_passwords_file.stat.exists | bool - name: Check for cluster status with elastic password # noqa: risky-shell-pipe shell: > From 8676b305b6f652bea0a3cb1814b1af110e90d7b3 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Wed, 15 Mar 2023 17:26:09 +0100 Subject: [PATCH 7/7] Missed to set a variable --- molecule/elasticsearch_no-security/verify.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/molecule/elasticsearch_no-security/verify.yml b/molecule/elasticsearch_no-security/verify.yml index cf10833b..d89d4320 100644 --- a/molecule/elasticsearch_no-security/verify.yml +++ b/molecule/elasticsearch_no-security/verify.yml @@ -3,6 +3,8 @@ - name: Verify hosts: all + vars: + elastic_elasticsearch_http_port: 9200 tasks: # Remember, this is the no-security scenario. So no https
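Review bot: Re-enabling `when: elasticsearch_passwords_file.stat.exists | bool` means 'Fetch Elastic password' is now skipped on hosts where the file is absent, and a skipped task registers `elastic_password` without a `stdout` key; the following 'Check for cluster status with elastic password' templates `elastic_password.stdout` into its curl line (visible in an earlier patch of this series), so it needs the same condition or the templating fails on those hosts. Its keys beyond `shell:` are outside the hunk, so I cannot see whether it already has one. Also note the condition is evaluated against the stat registered on the inventory host while the grep runs on `{{ elasticsearch_ca }}` via `delegate_to`; if the stat task is not delegated the same way, the two can disagree.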