From a0b1fe648b368dab85b7e3e905a414b2673410d6 Mon Sep 17 00:00:00 2001
From: Dominic Robinson
Date: Mon, 25 Sep 2023 17:28:43 +0100
Subject: [PATCH] use ssm-parameters role for nomis weblogic creds

---
 .../environment_name_nomis_development.yml | 4 ++
 .../environment_name_nomis_preproduction.yml | 4 ++
 .../environment_name_nomis_production.yml | 4 ++
 .../environment_name_nomis_test.yml | 4 ++
 .../roles/nomis-weblogic/defaults/main.yml | 31 ++++++++++++-
 .../roles/nomis-weblogic/tasks/get-facts.yml | 45 +++++++------------
 6 files changed, 61 insertions(+), 31 deletions(-)

diff --git a/ansible/group_vars/environment_name_nomis_development.yml b/ansible/group_vars/environment_name_nomis_development.yml
index b8378d46b..6ef1a6172 100644
--- a/ansible/group_vars/environment_name_nomis_development.yml
+++ b/ansible/group_vars/environment_name_nomis_development.yml
@@ -7,3 +7,7 @@ dns_search_domains:
 - hmpps-oem.hmpps-development.modernisation-platform.internal
 - azure.noms.root
 PROD_SYSCON_WEB_RELEASE: DB_V11.2.1.1.219
+
+db_configs:
+ qa11r:
+ ssm_parameter_path: "/oracle/database/qa11r"
diff --git a/ansible/group_vars/environment_name_nomis_preproduction.yml b/ansible/group_vars/environment_name_nomis_preproduction.yml
index 3169dd830..82c78d92c 100644
--- a/ansible/group_vars/environment_name_nomis_preproduction.yml
+++ b/ansible/group_vars/environment_name_nomis_preproduction.yml
@@ -7,3 +7,7 @@ dns_search_domains:
 - hmpps-oem.hmpps-preproduction.modernisation-platform.internal
 - azure.hmpp.root
 PROD_SYSCON_WEB_RELEASE: DB_V11.2.1.1.219
+
+db_configs:
+ PPCNOM:
+ ssm_parameter_path: "/oracle/database/CNOMPP"
diff --git a/ansible/group_vars/environment_name_nomis_production.yml b/ansible/group_vars/environment_name_nomis_production.yml
index 41d6530be..09bce382e 100644
--- a/ansible/group_vars/environment_name_nomis_production.yml
+++ b/ansible/group_vars/environment_name_nomis_production.yml
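Review bot: The `db_configs` key added for development is lower-case `qa11r`, while every other environment in this patch keys the map in upper case and the role defaults document the tag as `oracle-db-name: T1CNOM`. The role resolves the entry with `db_config: "{{ db_configs[weblogic_db_name] }}"`, a case-sensitive lookup on the ASG's `oracle-db-name` tag, so if the development ASG carries `QA11R` the weblogic-passwords parameter path is never found. Either align the key with the tag's exact value or record why this environment differs, e.g. `# key must equal the ASG oracle-db-name tag exactly (case-sensitive)` above the entry.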
@@ -7,3 +7,7 @@ dns_search_domains:
 - hmpps-oem.hmpps-production.modernisation-platform.internal
 - azure.hmpp.root
 PROD_SYSCON_WEB_RELEASE: DB_V11.2.1.1.219
+
+db_configs:
+ PCNOM:
+ ssm_parameter_path: "/oracle/database/CNOMP"
diff --git a/ansible/group_vars/environment_name_nomis_test.yml b/ansible/group_vars/environment_name_nomis_test.yml
index 46901e937..973e5b79e 100644
--- a/ansible/group_vars/environment_name_nomis_test.yml
+++ b/ansible/group_vars/environment_name_nomis_test.yml
@@ -43,6 +43,7 @@ db_configs:
 db_name: T1CNOM
 db_unique_name: T1CNOM
 instance_name: T1CNOM
+ ssm_parameter_path: "/oracle/database/CNOMT1"
 host_name: t1-nomis-db-1-a.nomis.hmpps-test.modernisation-platform.service.justice.gov.uk
 port: 1521
 tns_name: T1CNOM
@@ -112,6 +113,7 @@ db_configs:
 db_name: T2CNOM
 db_unique_name: T2CNOM
 instance_name: T2CNOM
+ ssm_parameter_path: "/oracle/database/CNOMT2"
 host_name: t2-nomis-db-1-a
 port: 1521
 tns_name: T2CNOM
@@ -144,6 +146,8 @@ db_configs:
 asm_disk_groups: DATA
 service:
 - { name: TRDAT_TAF, role: PRIMARY }
+ T3CNOM:
+ ssm_parameter_path: "/oracle/database/CNOMT3"
 # T2CNOMS1:
 # db_name: T2CNOM
 # db_unique_name: T2CNOMS1
diff --git a/ansible/roles/nomis-weblogic/defaults/main.yml b/ansible/roles/nomis-weblogic/defaults/main.yml
index 4f2f95ce6..3627455c1 100644
--- a/ansible/roles/nomis-weblogic/defaults/main.yml
+++ b/ansible/roles/nomis-weblogic/defaults/main.yml
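Review bot: The new `T3CNOM` entry in the third test-environment hunk carries only `ssm_parameter_path`, unlike `T1CNOM` and `T2CNOM`, which also define `db_name`, `db_unique_name`, `instance_name`, `host_name`, `port` and `tns_name`. If anything else iterates over `db_configs` expecting those keys, the stub entry will trip it; a comment above the entry such as `# partial entry: only the SSM password path is used by nomis-weblogic` would make the intent explicit, or the connection details could be filled in to match its siblings. The `db_configs` mapping starts well before this hunk, so its other entries are not visible here.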
@@ -1,5 +1,18 @@
 ---
-ssm_parameters_prefix: "weblogic"
+# Following tags must be set on the ASG
+# nomis-environment: e.g. t1
+# oracle-db-name: T1CNOM
+# oracle-db-hostname-a: t1-nomis-db-1-a.fqdn
+# oracle-db-hostname-b: none
+nomis_environment: "{{ ec2.tags['nomis-environment'] }}"
+weblogic_db_name: "{{ ec2.tags['oracle-db-name'] }}"
+weblogic_db_hostname_a: "{{ ec2.tags['oracle-db-hostname-a'] }}"
+weblogic_db_hostname_b: "{{ ec2.tags['oracle-db-hostname-b'] }}"
+
+# The db_configs map must be defined and have an entry
+# corresponding to oracle-db-name. Define in group_vars.
+db_configs: {}
+
 weblogic_domain_hostname: "{{ ansible_facts.hostname }}"
 weblogic_servername: "{{ ansible_facts.hostname }}"
 weblogic_cluster: "{{ ansible_facts.hostname }}"
@@ -7,6 +20,11 @@ weblogic_report_servername_long: "RptSvr_{{ ansible_facts.hostname }}_forms_inst
 weblogic_report_servername: "{{ weblogic_report_servername_long[:30] }}"
 weblogic_db_port: 1521
 weblogic_db_tns_service_name: NOMIS_TAF
+weblogic_admin_username: weblogic
+weblogic_db_username: oms_owner
+weblogic_db_tagsar_username: tagsar
+db_config: "{{ db_configs[weblogic_db_name] }}"
+rms_ssm_parameter: "/oracle/weblogic/{{ nomis_environment }}/rms"
 weblogic_additional_form_servers:
 - { name: WLS_FORMS1A, port: 9011, properties_src: WLS_FORMS1X }
@@ -22,3 +40,14 @@ weblogic_other_form_servers:
 - { name: WLS_HOTPAGE }
 weblogic_all_form_servers: "{{ weblogic_other_form_servers + weblogic_additional_form_servers }}"
+
+weblogic_ssm_passwords:
+ - key: "weblogic"
+ parameter: "/oracle/weblogic/{{ nomis_environment }}/passwords"
+ users:
+ - weblogic:
+ - key: "db"
+ parameter: "{{ db_config.ssm_parameter_path }}/weblogic-passwords"
+ users:
+ - tagsar:
+ - oms_owner:
diff --git a/ansible/roles/nomis-weblogic/tasks/get-facts.yml b/ansible/roles/nomis-weblogic/tasks/get-facts.yml
index 60af6e6a9..f6c6b2e0b 100644
--- a/ansible/roles/nomis-weblogic/tasks/get-facts.yml
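Review bot: `nomis_environment`, `weblogic_db_name` and the two hostnames are now lazily templated role defaults, so a missing or misspelt ASG tag, or a `db_configs` entry that does not match the tag (second hunk, `db_config: "{{ db_configs[weblogic_db_name] }}"`), only fails at whichever task first expands the variable, with a generic undefined-variable message rather than a statement of the contract the comment describes. An early guard in get-facts would make that contract enforceable, e.g. `- assert: { that: weblogic_db_name in db_configs, fail_msg: "db_configs has no entry for {{ weblogic_db_name }}" }`. The comment line `# oracle-db-hostname-b: none` could also say that the tag presumably must still exist even when unused, since `ec2.tags['oracle-db-hostname-b']` is a plain key access.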
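Review bot: In the `weblogic_ssm_passwords` list of the third hunk the `users` items are written with a trailing colon (`- weblogic:`, `- tagsar:`, `- oms_owner:`), so each item parses as a one-key mapping with a null value rather than a plain username string. If the ssm-passwords role only needs usernames, `- weblogic` is the unambiguous form; if it expects mappings so that per-user options can be attached, a short comment stating that contract would stop the next reader from "fixing" it. The same three usernames are also hard-coded as `weblogic_admin_username`, `weblogic_db_username` and `weblogic_db_tagsar_username` in the second hunk, and get-facts indexes `.passwords[...]` with those variables, so the two lists must stay in step; a comment such as `# usernames must match weblogic_*_username above` would make that coupling visible.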
+++ b/ansible/roles/nomis-weblogic/tasks/get-facts.yml 
@@ -1,38 +1,23 @@
 ---
-- name: Set SSM parameters path fact from ec2 ssm-parameters-prefix and Name tag
- set_fact:
- ssm_parameters_path: '/{{ ssm_parameters_prefix }}/{{ ec2.tags["Name"] }}'
-
-- name: Set SSM parameters weblogic path facts
- set_fact:
- ssm_parameters_path_weblogic_admin_username: "{{ ssm_parameters_path }}/admin_username"
- ssm_parameters_path_weblogic_admin_password: "{{ ssm_parameters_path }}/admin_password"
- ssm_parameters_path_weblogic_db_username: "{{ ssm_parameters_path }}/db_username"
- ssm_parameters_path_weblogic_db_password: "{{ ssm_parameters_path }}/db_password"
- ssm_parameters_path_weblogic_db_tagsar_username: "{{ ssm_parameters_path }}/db_tagsar_username"
- ssm_parameters_path_weblogic_db_tagsar_password: "{{ ssm_parameters_path }}/db_tagsar_password"
- ssm_parameters_path_weblogic_rms_hosts: "{{ ssm_parameters_path }}/rms_hosts"
- ssm_parameters_path_weblogic_rms_key: "{{ ssm_parameters_path }}/rms_key"
-
 - name: Get SSM parameters
- set_fact:
- weblogic_admin_username: "{{ lookup('aws_ssm', ssm_parameters_path_weblogic_admin_username, region=ansible_ec2_placement_region) }}"
- weblogic_admin_password: "{{ lookup('aws_ssm', ssm_parameters_path_weblogic_admin_password, region=ansible_ec2_placement_region) }}"
- weblogic_db_username: "{{ lookup('aws_ssm', ssm_parameters_path_weblogic_db_username, region=ansible_ec2_placement_region) }}"
- weblogic_db_password: "{{ lookup('aws_ssm', ssm_parameters_path_weblogic_db_password, region=ansible_ec2_placement_region) }}"
- weblogic_db_tagsar_username: "{{ lookup('aws_ssm', ssm_parameters_path_weblogic_db_tagsar_username, region=ansible_ec2_placement_region) }}"
- weblogic_db_tagsar_password: "{{ lookup('aws_ssm', ssm_parameters_path_weblogic_db_tagsar_password, region=ansible_ec2_placement_region) }}"
- weblogic_rms_hosts: "{{ lookup('aws_ssm', ssm_parameters_path_weblogic_rms_hosts, region=ansible_ec2_placement_region) }}"
- weblogic_rms_key: "{{ lookup('aws_ssm', ssm_parameters_path_weblogic_rms_key, region=ansible_ec2_placement_region) }}"
+ import_role:
+ name: ssm-passwords
+ vars:
+ ssm_passwords: "{{ weblogic_ssm_passwords }}"
 
-- name: Set db hostname from ec2 oracle-db-hostname tag
+- name: Get SSM parameters
 set_fact:
- weblogic_db_hostname_a: "{{ ec2.tags['oracle-db-hostname-a'] }}"
- weblogic_db_hostname_b: "{{ ec2.tags['oracle-db-hostname-b'] }}"
-
-- name: Set db name from ec2 oracle-db-name tag
+ weblogic_admin_password: "{{ ssm_passwords_dict['weblogic'].passwords[weblogic_admin_username] }}"
+ weblogic_db_password: "{{ ssm_passwords_dict['db'].passwords[weblogic_db_username] }}"
+ weblogic_db_tagsar_password: "{{ ssm_passwords_dict['db'].passwords[weblogic_db_tagsar_username] }}"
+ weblogic_rms: "{{ lookup('aws_ssm', rms_ssm_parameter , region='eu-west-2') }}"
+
+# Ensure the secrets are uploaded, e.g.
+# aws ssm put-parameter --name '/oracle/weblogic/t3/rms' --type SecureString --data-type text --value '{"hosts": "notimplemented.azure.noms.root", "key": "notimplemented"}' --profile nomis-test --overwrite
+- name: Set RMS facts
 set_fact:
- weblogic_db_name: "{{ ec2.tags['oracle-db-name'] }}"
+ weblogic_rms_hosts: "{{ weblogic_rms.hosts }}"
+ weblogic_rms_key: "{{ weblogic_rms.key }}"
 
 - debug:
 msg: "Configuring Oracle DB {{ weblogic_db_name }} on {{ weblogic_db_hostname_a }},{{ weblogic_db_hostname_b }} with username {{ weblogic_db_username }}"
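Review bot: The RMS lookup hard-codes `region='eu-west-2'` while every lookup it replaces used `ansible_ec2_placement_region`; keeping the instance's own region avoids a silent cross-region miss if the role is ever run elsewhere, `weblogic_rms: "{{ lookup('aws_ssm', rms_ssm_parameter, region=ansible_ec2_placement_region) }}"` (this also drops the stray space before the comma). The two set_fact tasks now hold the admin, DB and tagsar passwords and the RMS key as facts without `no_log: true`, so a verbose run (-v) prints them in the task result; add `no_log: true` to both. Both the import_role task and the following set_fact task are named "Get SSM parameters", which makes the play output ambiguous; renaming the first, e.g. `- name: Get SSM passwords via ssm-passwords role`, fixes that. `weblogic_rms.hosts` presumes the SecureString value is turned into a mapping when the lookup result is templated; if it arrives as a string, an explicit `{{ weblogic_rms | from_json }}` step would remove the dependency on that conversion.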