NETWAYS · widhalmt · Feb 2, 2023 · Feb 1, 2023 · Feb 1, 2023 · Feb 1, 2023
diff --git a/docs/role-logstash.md b/docs/role-logstash.md
@@ -59,6 +59,13 @@ Aside from `logstash.yml` we can manage Logstashs pipelines.
 * *logstash_tls_key_passphrase*: Passphrase for Logstash certificates (default: `ChangeMe`)
 * *logstash_elasticsearch*: Address of Elasticsearch instance for default output (default: list of Elasticsearch nodes from `elasticsearch` role or `localhost` when used standalone)
 * *logstash_security*: Enable X-Security (No default set, but will be activated when in full stack mode)
+* *logstash_user*: Name of the user to connect to Elasticsearch (Default: `logstash_writer`)
+* *logstash_password*: Password of Elasticsearch user (Default: `password`)
+* *logstash_user_indices*: Indices the user has access to (Default: `'"ecs-logstash*", "logstash*", "logs*"'`)
+* *logstash_reset_writer_role*: Reset user and role with every run: (Default: `true`)
+
+
+
 * *logstash_legacy_monitoring*: Enables legacy monitoring - ignored when `elastic_stack_full_stack` is not set. (default: `true`)
 
 The following variables configure Log4j for Logstash. All default to `true` as this is the default after the installation.

diff --git a/roles/logstash/defaults/main.yml b/roles/logstash/defaults/main.yml
@@ -40,6 +40,8 @@ logstash_beats_tls_encryptkey: true
 # logstash security
 logstash_user: logstash_writer
 logstash_password: password
+logstash_user_indices: '"ecs-logstash*", "logstash*", "logs*"'
+logstash_reset_writer_role: true
 
 logstash_tls_key_passphrase: ChangeMe
 logstash_certs_dir: /etc/logstash/certs

diff --git a/roles/logstash/tasks/logstash-security.yml b/roles/logstash/tasks/logstash-security.yml
@@ -220,15 +220,33 @@
   register: logstash_writer_role_present
   run_once: true
 
-- name: Put logstash_writer role into Elasticsearch
+# we doubled the task and didn't use a more sophisticated way to just change
+# the URI because we expect this task to be removed when ES 7 is out of
+# support
+
+- name: Put logstash_writer role into Elasticsearch < 8
   command: >
     curl -T /root/logstash_writer_role --header 'Content-Type: application/json'
     --cacert {{ elastic_ca_dir }}/ca.crt
     -u elastic:{{ elastic_password_logstash.stdout }}
     https://{{ elasticsearch_ca }}:9200/_xpack/security/role/logstash_writer
   delegate_to: "{{ elasticsearch_ca }}"
   run_once: true
-  when: logstash_writer_role_present.rc > 0
+  when:
+    - logstash_writer_role_present.rc > 0 or logstash_reset_writer_role | bool
+    - elastic_release | int < 8
+
+- name: Put logstash_writer role into Elasticsearch > 7
+  command: >
+    curl -T /root/logstash_writer_role --header 'Content-Type: application/json'
+    --cacert {{ elastic_ca_dir }}/ca.crt
+    -u elastic:{{ elastic_password_logstash.stdout }}
+    https://{{ elasticsearch_ca }}:9200/_security/role/logstash_writer
+  delegate_to: "{{ elasticsearch_ca }}"
+  run_once: true
+  when:
+    - logstash_writer_role_present.rc > 0 or logstash_reset_writer_role | bool
+    - elastic_release | int > 7
 
 - name: Check for logstash_writer user
   shell: >
@@ -242,12 +260,30 @@
   register: logstash_writer_user_present
   run_once: true
 
-- name: Put logstash_writer user into Elasticsearch
+# we doubled the task and didn't use a more sophisticated way to just change
+# the URI because we expect this task to be removed when ES 7 is out of
+# support
+
+- name: Put logstash_writer user into Elasticsearch < 8
   command: >
     curl -T /root/logstash_writer_user --header 'Content-Type: application/json'
     --cacert {{ elastic_ca_dir }}/ca.crt
     -u elastic:{{ elastic_password_logstash.stdout }}
     https://{{ elasticsearch_ca }}:9200/_xpack/security/user/{{ logstash_user }}
   delegate_to: "{{ elasticsearch_ca }}"
   run_once: true
-  when: logstash_writer_user_present.rc > 0
+  when:
+    - logstash_writer_user_present.rc > 0
+    - elastic_release | int < 8
+
+- name: Put logstash_writer user into Elasticsearch > 7
+  command: >
+    curl -T /root/logstash_writer_user --header 'Content-Type: application/json'
+    --cacert {{ elastic_ca_dir }}/ca.crt
+    -u elastic:{{ elastic_password_logstash.stdout }}
+    https://{{ elasticsearch_ca }}:9200/_security/user/{{ logstash_user }}
+  delegate_to: "{{ elasticsearch_ca }}"
+  run_once: true
+  when:
+    - logstash_writer_user_present.rc > 0
+    - elastic_release | int > 7
diff --git a/roles/logstash/templates/logstash_writer_role.j2 b/roles/logstash/templates/logstash_writer_role.j2
@@ -2,11 +2,7 @@
   "cluster": ["manage_index_templates", "monitor", "manage_ilm"], 
   "indices": [
     {
-{% if logstash_global_ecs is defined and logstash_global_ecs != "disabled" %}
-      "names": [ "ecs-logstash*", "logstash*" ],
-{% else %}
-      "names": [ "logstash*" ], 
-{% endif %}
+      "names": [ {{ logstash_user_indices }} ],
       "privileges": ["write","create","delete","create_index","manage","manage_ilm"]  
     }
   ]