use ssm-parameters role for nomis weblogic creds

ansible/group_vars/environment_name_nomis_development.yml

@@ -7,3 +7,7 @@ dns_search_domains:
   - hmpps-oem.hmpps-development.modernisation-platform.internal
   - azure.noms.root
 PROD_SYSCON_WEB_RELEASE: DB_V11.2.1.1.219
+
+db_configs:
+  qa11r:
+    ssm_parameter_path: "/oracle/database/qa11r"

ansible/group_vars/environment_name_nomis_preproduction.yml

@@ -7,3 +7,7 @@ dns_search_domains:
   - hmpps-oem.hmpps-preproduction.modernisation-platform.internal
   - azure.hmpp.root
 PROD_SYSCON_WEB_RELEASE: DB_V11.2.1.1.219
+
+db_configs:
+  PPCNOM:
+    ssm_parameter_path: "/oracle/database/CNOMPP"

ansible/group_vars/environment_name_nomis_production.yml

@@ -7,3 +7,7 @@ dns_search_domains:
   - hmpps-oem.hmpps-production.modernisation-platform.internal
   - azure.hmpp.root
 PROD_SYSCON_WEB_RELEASE: DB_V11.2.1.1.219
+
+db_configs:
+  PCNOM:
+    ssm_parameter_path: "/oracle/database/CNOMP"

ansible/group_vars/environment_name_nomis_test.yml

@@ -43,6 +43,7 @@ db_configs:
     db_name: T1CNOM
     db_unique_name: T1CNOM
     instance_name: T1CNOM
+    ssm_parameter_path: "/oracle/database/CNOMT1"
     host_name: t1-nomis-db-1-a.nomis.hmpps-test.modernisation-platform.service.justice.gov.uk
     port: 1521
     tns_name: T1CNOM
@@ -112,6 +113,7 @@ db_configs:
     db_name: T2CNOM
     db_unique_name: T2CNOM
     instance_name: T2CNOM
+    ssm_parameter_path: "/oracle/database/CNOMT2"
     host_name: t2-nomis-db-1-a
     port: 1521
     tns_name: T2CNOM
@@ -144,6 +146,8 @@ db_configs:
     asm_disk_groups: DATA
     service:
       - { name: TRDAT_TAF, role: PRIMARY }
+  T3CNOM:
+    ssm_parameter_path: "/oracle/database/CNOMT3"
   # T2CNOMS1:
   #   db_name: T2CNOM
   #   db_unique_name: T2CNOMS1

ansible/roles/nomis-weblogic/defaults/main.yml

@@ -1,12 +1,30 @@
 ---
-ssm_parameters_prefix: "weblogic"
+# Following tags must be set on the ASG
+# nomis-environment: e.g. t1
+# oracle-db-name: T1CNOM
+# oracle-db-hostname-a: t1-nomis-db-1-a.fqdn
+# oracle-db-hostname-b: none
+nomis_environment: "{{ ec2.tags['nomis-environment'] }}"
+weblogic_db_name: "{{ ec2.tags['oracle-db-name'] }}"
+weblogic_db_hostname_a: "{{ ec2.tags['oracle-db-hostname-a'] }}"
+weblogic_db_hostname_b: "{{ ec2.tags['oracle-db-hostname-b'] }}"
+
+# The db_configs map must be defined and have an entry
+# corresponding to oracle-db-name.  Define in group_vars.
+db_configs: {}
+
 weblogic_domain_hostname: "{{ ansible_facts.hostname }}"
 weblogic_servername: "{{ ansible_facts.hostname }}"
 weblogic_cluster: "{{ ansible_facts.hostname }}"
 weblogic_report_servername_long: "RptSvr_{{ ansible_facts.hostname }}_forms_instance"
 weblogic_report_servername: "{{ weblogic_report_servername_long[:30] }}"
 weblogic_db_port: 1521
 weblogic_db_tns_service_name: NOMIS_TAF
+weblogic_admin_username: weblogic
+weblogic_db_username: oms_owner
+weblogic_db_tagsar_username: tagsar
+db_config: "{{ db_configs[weblogic_db_name] }}"
+rms_ssm_parameter: "/oracle/weblogic/{{ nomis_environment }}/rms"
 
 weblogic_additional_form_servers:
   - { name: WLS_FORMS1A, port: 9011, properties_src: WLS_FORMS1X }
@@ -22,3 +40,14 @@ weblogic_other_form_servers:
   - { name: WLS_HOTPAGE }
 
 weblogic_all_form_servers: "{{ weblogic_other_form_servers + weblogic_additional_form_servers }}"
+
+weblogic_ssm_passwords:
+  - key: "weblogic"
+    parameter: "/oracle/weblogic/{{ nomis_environment }}/passwords"
+    users:
+      - weblogic:
+  - key: "db"
+    parameter: "{{ db_config.ssm_parameter_path }}/weblogic-passwords"
+    users:
+      - tagsar:
+      - oms_owner:

ansible/roles/nomis-weblogic/tasks/get-facts.yml

@@ -1,38 +1,23 @@
 ---
-- name: Set SSM parameters path fact from ec2 ssm-parameters-prefix and Name tag
-  set_fact:
-    ssm_parameters_path: '/{{ ssm_parameters_prefix }}/{{ ec2.tags["Name"] }}'
-
-- name: Set SSM parameters weblogic path facts
-  set_fact:
-    ssm_parameters_path_weblogic_admin_username: "{{ ssm_parameters_path }}/admin_username"
-    ssm_parameters_path_weblogic_admin_password: "{{ ssm_parameters_path }}/admin_password"
-    ssm_parameters_path_weblogic_db_username: "{{ ssm_parameters_path }}/db_username"
-    ssm_parameters_path_weblogic_db_password: "{{ ssm_parameters_path }}/db_password"
-    ssm_parameters_path_weblogic_db_tagsar_username: "{{ ssm_parameters_path }}/db_tagsar_username"
-    ssm_parameters_path_weblogic_db_tagsar_password: "{{ ssm_parameters_path }}/db_tagsar_password"
-    ssm_parameters_path_weblogic_rms_hosts: "{{ ssm_parameters_path }}/rms_hosts"
-    ssm_parameters_path_weblogic_rms_key: "{{ ssm_parameters_path }}/rms_key"
-
 - name: Get SSM parameters
-  set_fact:
-    weblogic_admin_username: "{{ lookup('aws_ssm', ssm_parameters_path_weblogic_admin_username, region=ansible_ec2_placement_region) }}"
-    weblogic_admin_password: "{{ lookup('aws_ssm', ssm_parameters_path_weblogic_admin_password, region=ansible_ec2_placement_region) }}"
-    weblogic_db_username: "{{ lookup('aws_ssm', ssm_parameters_path_weblogic_db_username, region=ansible_ec2_placement_region) }}"
-    weblogic_db_password: "{{ lookup('aws_ssm', ssm_parameters_path_weblogic_db_password, region=ansible_ec2_placement_region) }}"
-    weblogic_db_tagsar_username: "{{ lookup('aws_ssm', ssm_parameters_path_weblogic_db_tagsar_username, region=ansible_ec2_placement_region) }}"
-    weblogic_db_tagsar_password: "{{ lookup('aws_ssm', ssm_parameters_path_weblogic_db_tagsar_password, region=ansible_ec2_placement_region) }}"
-    weblogic_rms_hosts: "{{ lookup('aws_ssm', ssm_parameters_path_weblogic_rms_hosts, region=ansible_ec2_placement_region) }}"
-    weblogic_rms_key: "{{ lookup('aws_ssm', ssm_parameters_path_weblogic_rms_key, region=ansible_ec2_placement_region) }}"
+  import_role:
+    name: ssm-passwords
+  vars:
+    ssm_passwords: "{{ weblogic_ssm_passwords }}"
 
-- name: Set db hostname from ec2 oracle-db-hostname tag
+- name: Get SSM parameters
   set_fact:
-    weblogic_db_hostname_a: "{{ ec2.tags['oracle-db-hostname-a'] }}"
-    weblogic_db_hostname_b: "{{ ec2.tags['oracle-db-hostname-b'] }}"
-
-- name: Set db name from ec2 oracle-db-name tag
+    weblogic_admin_password: "{{ ssm_passwords_dict['weblogic'].passwords[weblogic_admin_username] }}"
+    weblogic_db_password: "{{ ssm_passwords_dict['db'].passwords[weblogic_db_username] }}"
+    weblogic_db_tagsar_password: "{{ ssm_passwords_dict['db'].passwords[weblogic_db_tagsar_username] }}"
+    weblogic_rms: "{{ lookup('aws_ssm', rms_ssm_parameter , region='eu-west-2') }}"
+
+# Ensure the secrets are uploaded, e.g.
+# aws ssm put-parameter --name '/oracle/weblogic/t3/rms' --type SecureString --data-type text --value '{"hosts": "notimplemented.azure.noms.root", "key": "notimplemented"}' --profile nomis-test --overwrite
+- name: Set RMS facts
   set_fact:
-    weblogic_db_name: "{{ ec2.tags['oracle-db-name'] }}"
+    weblogic_rms_hosts: "{{ weblogic_rms.hosts }}"
+    weblogic_rms_key: "{{ weblogic_rms.key }}"
 
 - debug:
     msg: "Configuring Oracle DB {{ weblogic_db_name }} on {{ weblogic_db_hostname_a }},{{ weblogic_db_hostname_b }} with username {{ weblogic_db_username }}"