From 7837a2f7ab15fe40720d4588cf7bba7e4528511e Mon Sep 17 00:00:00 2001
From: Thomas Widhalm
Date: Fri, 10 Nov 2023 11:46:55 +0100
Subject: [PATCH 1/2] Set passphrase for beats tls key

Side effect: Includes extra changes for listing names of pipelines in task names
fixes #291
---
 roles/logstash/tasks/logstash-security.yml | 2 +-
 roles/logstash/tasks/manage_pipeline.yml | 14 +++++++-------
 roles/logstash/templates/beats-input.conf.j2 | 1 +
 3 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/roles/logstash/tasks/logstash-security.yml b/roles/logstash/tasks/logstash-security.yml
index 2cffd8c1..62174c87 100644
--- a/roles/logstash/tasks/logstash-security.yml
+++ b/roles/logstash/tasks/logstash-security.yml
@@ -304,7 +304,7 @@
 -topk8
 -passin pass:{{ logstash_tls_key_passphrase }}
 -out {{ logstash_certs_dir }}/{{ inventory_hostname }}-pkcs8.key
- -nocrypt
+ -passout pass:{{ logstash_tls_key_passphrase }}
 args:
 creates: "{{ logstash_certs_dir }}/{{ inventory_hostname }}-pkcs8.key"
 no_log: "{{ elasticstack_no_log }}"
diff --git a/roles/logstash/tasks/manage_pipeline.yml b/roles/logstash/tasks/manage_pipeline.yml
index e11f4a2a..8c659cb5 100644
--- a/roles/logstash/tasks/manage_pipeline.yml
+++ b/roles/logstash/tasks/manage_pipeline.yml
@@ -1,11 +1,11 @@
 ---
-- name: Check if Logstash pipeline already exists
+- name: Check if Logstash pipeline {{ pipelinename.name }} already exists
 ansible.builtin.stat:
 path: "/etc/logstash/conf.d/{{ pipelinename.name }}"
 register: "logstash_pipeline_stat"
 
-- name: Check who managed pipeline in last run # noqa: risky-shell-pipe
+- name: Check who managed pipeline {{ pipelinename.name }} in last run # noqa: risky-shell-pipe
 ansible.builtin.shell: >
 if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
 grep -e '^# source:{{ pipelinename.name }}' /etc/logstash/pipelines.yml |
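Review bot: The new `-passout pass:{{ logstash_tls_key_passphrase }}` hands the passphrase to openssl as a command-line argument, so it is readable in the host's process list while the command runs even though `no_log` keeps it out of Ansible's output; the pre-existing `-passin pass:` on the context line above has the same exposure, and both options also accept `env:VARNAME` or `file:PATH` sources, which avoid it. A second concern is the unchanged `creates:` guard below the change: hosts that already generated the unencrypted pkcs8 key keep it, while the beats-input.conf.j2 hunk in this same commit now sets `ssl_key_passphrase` for that key whenever its ssl block is rendered, so it is worth confirming how Logstash treats a passphrase given for an unencrypted key, or adding a regeneration/migration step for existing installs. Dropping `-nocrypt` also leaves the PKCS#8 encryption scheme to the installed OpenSSL version's default; `-v2 aes-256-cbc` would pin it explicitly. The enclosing task begins before this hunk.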
@@ -16,7 +16,7 @@
 - logstash_pipeline_stat.stat.exists | bool
 - logstash_pipeline_stat.stat.isdir | bool
 
-- name: Delete directory if changing manager
+- name: Delete directory if changing manager of pipeline {{ pipelinename.name }}
 ansible.builtin.file:
 path: "/etc/logstash/conf.d/{{ pipelinename.name }}"
 state: absent
@@ -25,7 +25,7 @@
 - logstash_pipeline_manager.stdout == "local"
 - pipelinename.source is defined
 
-- name: Create Logstash pipeline directories
+- name: Create Logstash pipeline {{ pipelinename.name }} directory
 ansible.builtin.file:
 path: "/etc/logstash/conf.d/{{ pipelinename.name }}"
 state: directory
@@ -33,7 +33,7 @@
 group: root
 mode: 0755
 
-- name: Check out pipeline configuration
+- name: Check out pipeline configuration for {{ pipelinename.name }}
 ansible.builtin.git:
 repo: "{{ pipelinename.source }}"
 dest: "/etc/logstash/conf.d/{{ pipelinename.name }}"
@@ -42,7 +42,7 @@
 notify:
 - Restart Logstash noauto
 
-- name: Create simple input
+- name: Create simple input for {{ pipelinename.name }}
 ansible.builtin.template:
 src: simple-input.conf.j2
 dest: "/etc/logstash/conf.d/{{ pipelinename.name }}\
@@ -54,7 +54,7 @@
 notify:
 - Restart Logstash noauto
 
-- name: Create simple output
+- name: Create simple output for {{ pipelinename.name }}
 ansible.builtin.template:
 src: simple-output.conf.j2
 dest: "/etc/logstash/conf.d/{{ pipelinename.name }}\
diff --git a/roles/logstash/templates/beats-input.conf.j2 b/roles/logstash/templates/beats-input.conf.j2
index c37e7211..cd807977 100644
--- a/roles/logstash/templates/beats-input.conf.j2
+++ b/roles/logstash/templates/beats-input.conf.j2
@@ -8,6 +8,7 @@ input {
 ssl_verify_mode => force_peer
 ssl_certificate_authorities => ["{{ logstash_certs_dir }}/ca.crt"]
 ssl_peer_metadata => false
+ ssl_key_passphrase => "{{ logstash_tls_key_passphrase }}"
 {% endif %}
 {% if logstash_beats_timeout is defined %}
 client_inactivity_timeout => "{{ logstash_beats_timeout }}"
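Review bot: The added `ssl_key_passphrase => "{{ logstash_tls_key_passphrase }}"` writes the key passphrase in clear text into the rendered beats input config, so protection of the private key now also depends on the ownership and mode of that rendered file; the template task that writes it is outside this hunk and should be checked to be at least as restrictive as the key file itself. Logstash resolves `${VAR}` references in pipeline configs from its keystore or the environment, so `ssl_key_passphrase => "${LOGSTASH_TLS_KEY_PASSPHRASE}"` (a constructed name) would keep the secret out of the file on disk. The `{% if %}` enclosing the new line opens before this hunk, so it is worth confirming that `logstash_tls_key_passphrase` is defined in every case where that branch renders, otherwise the template task fails on the undefined variable.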
From 99d9621a037191b835cbd4bbb13aea76bffa747e Mon Sep 17 00:00:00 2001
From: Thomas Widhalm
Date: Fri, 10 Nov 2023 11:51:27 +0100
Subject: [PATCH 2/2] Lint

---
 roles/logstash/tasks/manage_pipeline.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/roles/logstash/tasks/manage_pipeline.yml b/roles/logstash/tasks/manage_pipeline.yml
index 8c659cb5..2144040e 100644
--- a/roles/logstash/tasks/manage_pipeline.yml
+++ b/roles/logstash/tasks/manage_pipeline.yml
@@ -1,11 +1,11 @@
 ---
-- name: Check if Logstash pipeline {{ pipelinename.name }} already exists
+- name: Check if Logstash pipeline already exists {{ pipelinename.name }}
 ansible.builtin.stat:
 path: "/etc/logstash/conf.d/{{ pipelinename.name }}"
 register: "logstash_pipeline_stat"
 
-- name: Check who managed pipeline {{ pipelinename.name }} in last run # noqa: risky-shell-pipe
+- name: Check who managed pipeline in last run {{ pipelinename.name }} # noqa: risky-shell-pipe
 ansible.builtin.shell: >
 if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
 grep -e '^# source:{{ pipelinename.name }}' /etc/logstash/pipelines.yml |
@@ -25,7 +25,7 @@
 - logstash_pipeline_manager.stdout == "local"
 - pipelinename.source is defined
 
-- name: Create Logstash pipeline {{ pipelinename.name }} directory
+- name: Create Logstash pipeline directory {{ pipelinename.name }}
 ansible.builtin.file:
 path: "/etc/logstash/conf.d/{{ pipelinename.name }}"
 state: directory