DSOS-2151: asm password new code (#342)

* Use ssm-passwords role

* set default otherwise the entire ansible fails

* fix

* fix

* add ansible-script role

* remove debug

* use new password

* fix

* fix

* naming

* naming

* naming

* naming

* spelling

* fixes

* Readme

* Commit changes made by code formatters

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

ansible/roles/ansible-script/README.md

@@ -0,0 +1 @@
+Copy a script onto target host which will run ansible locally

ansible/roles/ansible-script/files/ansible.sh

@@ -0,0 +1,132 @@
+#!/bin/bash
+# Don't set set -u as ansible activate script fails with it on RHEL6
+set -eo pipefail
+
+branch="main"
+ansible_repo="modernisation-platform-configuration-management"
+ansible_repo_basedir="ansible"
+
+run_ansible() {
+  export PATH=/usr/local/bin:$PATH
+
+  echo "ansible_repo:         ${ansible_repo}"
+  echo "ansible_repo_basedir: ${ansible_repo_basedir}"
+  echo "ansible_args:         $@"
+  echo "branch:               $branch"
+
+  if [[ -z ${ansible_repo} ]]; then
+    echo "ansible_repo not defined, not installing any ansible" >&2
+    exit 0
+  fi
+
+  if ! command -v aws > /dev/null; then
+    echo "aws cli must be installed, not installing any ansible" >&2
+    exit 0
+  fi
+
+  if ! command -v git > /dev/null; then
+    echo "git must be installed, not installing any ansible" >&2
+    exit 0
+  fi
+
+  echo "# Retrieving API Token"
+  token=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+
+  echo "# Retrieving Instance ID"
+  instance_id=$(curl -sS -H "X-aws-ec2-metadata-token: $token" -v http://169.254.169.254/latest/meta-data/instance-id)
+
+  echo "# Retrieving tags using aws cli"
+  IFS=$'\n'
+  tags=($(aws ec2 describe-tags --filters "Name=resource-id,Values=$instance_id" "Name=key,Values=Name,os-type,ami,server-type,environment-name" --output=text))
+  unset IFS
+
+  # clone ansible roles and playbook
+  ansible_dir=/root/ansible
+  cd $ansible_dir
+  if [[ ! -d $ansible_dir/${ansible_repo} ]]; then
+    echo "# Cloning ${ansible_repo} into $ansible_dir using branch=$branch"
+    git clone "https://github.com/ministryofjustice/${ansible_repo}.git"
+    cd $ansible_dir/${ansible_repo}
+    git checkout "$branch"
+  else
+    cd $ansible_dir/${ansible_repo}
+    git pull
+  fi
+  cd $ansible_dir
+
+  # find the group_var yaml files
+  ansible_group_vars=
+  for ((i=0; i<${#tags[@]}; i++)); do
+    tag=(${tags[i]})
+    group=$(echo "${tag[1]}_${tag[4]}" | tr [:upper:] [:lower:] | sed "s/-/_/g")
+    if [[ "${tag[1]}" == "Name" ]]; then
+      ansible_group_vars="$ansible_group_vars --extra-vars ec2_name=${tag[4]}"
+    elif [[ -e $ansible_dir/${ansible_repo}/${ansible_repo_basedir}/group_vars/$group.yml ]]; then
+      ansible_group_vars="$ansible_group_vars --extra-vars @group_vars/$group.yml"
+    elif [[ -e $ansible_dir/${ansible_repo}/${ansible_repo_basedir}/group_vars/$group/ansible.yml ]]; then
+      ansible_group_vars="$ansible_group_vars --extra-vars @group_vars/$group/ansible.yml"
+    else
+      echo "Could not find group_vars $group yml"
+      exit 1
+    fi
+    if [[ "${tag[1]}" == "environment-name" ]]; then
+      aws_environment=$(echo ${tag[4]} | rev | cut -d- -f1 | rev)
+      application=$(echo ${tag[4]} | rev | cut -d- -f2- | rev)
+      ansible_group_vars="$ansible_group_vars --extra-vars aws_environment=$aws_environment --extra-vars application=$application"
+    fi
+  done
+
+  # set python version
+  if [[ $(which python3.9 2> /dev/null) ]]; then
+    python=$(which python3.9)
+  elif [[ $(which python3.6 2> /dev/null) ]]; then
+    python=$(which python3.6)
+  else
+    echo "Python3.9/3.6 not found"
+    exit 1
+  fi
+  echo "# Using python: $python"
+
+  # activate virtual environment
+  update=0
+  if [[ ! -d $ansible_dir/python-venv ]]; then
+    mkdir $ansible_dir/python-venv
+    update=1
+  fi
+  cd $ansible_dir/python-venv
+  $python -m venv ansible
+  source ansible/bin/activate
+  if [[ $update == 1 ]]; then
+    $python -m pip install --upgrade pip
+    if [[ "$python" =~ 3.6 ]]; then
+      $python -m pip install wheel
+      $python -m pip install cryptography==2.3
+      export LC_ALL=en_US.UTF-8
+      $python -m pip install ansible-core==2.11.12
+    else
+      $python -m pip install ansible==6.0.0
+    fi
+
+    # install requirements in virtual env
+    echo "# Installing ansible requirements"
+    cd $ansible_dir/${ansible_repo}/${ansible_repo_basedir}
+    $python -m pip install -r requirements.txt
+    ansible-galaxy role install -r requirements.yml
+    ansible-galaxy collection install -r requirements.yml
+  fi
+
+  # run ansible (comma after localhost deliberate)
+  cd $ansible_dir/${ansible_repo}/${ansible_repo_basedir}
+  echo "# Execute ansible $@ $ansible_group_vars ..."
+  ansible-playbook $@ $ansible_group_vars \
+   --connection=local \
+   --inventory localhost, \
+   --extra-vars "ansible_python_interpreter=$python" \
+   --extra-vars "target=localhost" \
+   --become
+
+  echo "# Deactivate: ansible_dir/${ansible_repo}/${ansible_repo_basedir}"
+  deactivate
+}
+
+run_ansible $@

ansible/roles/ansible-script/tasks/ansible-script.yml

@@ -0,0 +1,11 @@
+---
+- name: Create test ansible directory
+  ansible.builtin.file:
+    path: "~/ansible"
+    state: directory
+
+- name: Copy test ansible script
+  ansible.builtin.copy:
+    src: ansible.sh
+    dest: "~/ansible.sh"
+    mode: "0755"

ansible/roles/ansible-script/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+- import_tasks: ansible-script.yml
+  tags:
+    - ec2provision
+    - ec2patch

ansible/roles/oracle-11g/README.md

@@ -11,3 +11,12 @@ and either use:
 
 - ec2provision tag if the EC2 name has changed.  This will reconfigure oracle
 - ec2patch tag if the EC2 name hasn't change.  This is less disruptive.
+
+### Pre-requisites
+
+An `asm-passwords` placeholder SSM Parameter is created in terraform prior to
+running role.  The parameter name should be
+/ec2/{{ hostname }}/asm-passwords.
+The initial value should contain the word "placeholder". Terraform should
+ignore subsequent changes to the parameter value since this role will auto
+generate a password and store it there.

ansible/roles/oracle-11g/defaults/main.yml

@@ -1,7 +1,6 @@
 ---
 artefacts_s3_bucket_name: mod-platform-image-artefact-bucket20230203091453221500000001
 artefacts_s3_bucket_path: hmpps/oracle-11g-software
-ssm_parameters_prefix: database
 oracle_home: /u01/app/oracle/product/11.2.0.4
 oracle_inventory: /u01/app/oraInventory
 
@@ -26,3 +25,10 @@ database_home: "{{ oracle_home }}/db_1"
 database_env:
   ORACLE_HOME: "{{ database_home }}"
   PATH: "{{ database_home }}/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/oracle/.local/bin:/home/oracle/bin"
+
+db_ssm_passwords:
+  - key: "asm"
+    parameter: "/ec2/{{ ec2_name }}/asm-passwords"
+    users:
+      - ASMSNMP:
+      - SYS:

ansible/roles/oracle-11g/tasks/get-facts.yml

@@ -1,17 +1,14 @@
 ---
-- name: Set SSM parameters path fact from ec2 ssm-parameters-prefix and Name tag
-  set_fact:
-    ssm_parameters_path: '/{{ ssm_parameters_prefix }}/{{ ec2.tags["Name"] }}'
-
-- name: Set SSM parameters weblogic path facts
-  set_fact:
-    ssm_parameters_path_database_asmsys_password: "{{ ssm_parameters_path }}/ASMSYS"
-    ssm_parameters_path_database_asmsnmp_password: "{{ ssm_parameters_path }}/ASMSNMP"
+- name: Get SSM parameters
+  import_role:
+    name: ssm-passwords
+  vars:
+    ssm_passwords: "{{ db_ssm_passwords }}"
 
 - name: Get SSM parameters
   set_fact:
-    database_asmsys_password: "{{ lookup('aws_ssm', ssm_parameters_path_database_asmsys_password, region=ansible_ec2_placement_region) }}"
-    database_asmsnmp_password: "{{ lookup('aws_ssm', ssm_parameters_path_database_asmsnmp_password, region=ansible_ec2_placement_region) }}"
+    database_asmsys_password: "{{ ssm_passwords_dict['asm'].passwords['SYS'] }}"
+    database_asmsnmp_password: "{{ ssm_passwords_dict['asm'].passwords['ASMSNMP'] }}"
 
 - block:
     - name: Get DB instances

ansible/roles/oracle-19c/README.md

@@ -1,5 +1,14 @@
 This role installs Oracle 19c. It assumes the installation disks `\u01` and `\u02` have already been setup (with `disks` role for example).
 
+### Pre-requisites
+
+An `asm-passwords` placeholder SSM Parameter is created in terraform prior to
+running role.  The parameter name should be
+/ec2/{{ hostname }}/asm-passwords.
+The initial value should contain the word "placeholder". Terraform should
+ignore subsequent changes to the parameter value since this role will auto
+generate a password and store it there.
+
 ### Ansible Tags
 
 Some tasks are optional and can be included in the play by adding the appropriate tag at the command line. Currently these are:

ansible/roles/oracle-19c/defaults/main.yml

@@ -35,6 +35,13 @@ grid_install_script: grid_install.sh
 
 password_response_file: grid_pw.rsp
 
+db_ssm_passwords:
+  - key: "asm"
+    parameter: "/ec2/{{ ec2_name }}/asm-passwords"
+    users:
+      - monitor:
+      - SYS:
+
 asmpassword: "{{ lookup('ansible.builtin.password', '/dev/null chars=ascii_letters length=2') }}{{ lookup('ansible.builtin.password', '/dev/null chars=ascii_letters,digits length=12') }}"
 asmmonitorpassword: "{{ lookup('ansible.builtin.password', '/dev/null chars=ascii_letters length=2') }}{{ lookup('ansible.builtin.password', '/dev/null chars=ascii_letters,digits length=12') }}"
 

ansible/roles/oracle-19c/tasks/get_facts.yml

@@ -0,0 +1,11 @@
+---
+- name: Get SSM parameters
+  import_role:
+    name: ssm-passwords
+  vars:
+    ssm_passwords: "{{ db_ssm_passwords }}"
+
+- name: Get SSM parameters
+  set_fact:
+    asmpassword: "{{ ssm_passwords_dict['asm'].passwords['SYS'] }}"
+    asmmonitorpassword: "{{ ssm_passwords_dict['asm'].passwords['monitor'] }}"

ansible/roles/oracle-19c/tasks/main.yml

@@ -10,6 +10,12 @@
     - oracle_19c_download
     - oracle_19c_download_software
 
+- import_tasks: get_facts.yml
+  tags:
+    - ec2provision
+    - oracle_db_get_facts
+    - oracle_19c_install_grid
+
 - import_tasks: pre_install_tasks.yml
   tags:
     - ec2provision

ansible/roles/oracle-db-backup/defaults/main.yml

@@ -1,7 +1,11 @@
 ---
 # scheduled backups go directly to S3
-# rman_backup_script: "" # define elsewhere, e.g. in group vars, e.g. rman_backup.sh
+rman_backup_script: "rman_backup.sh" # override this as necessary in group_vars
 rman_backup_monitoring_script: "rman_backup_monitoring.sh"
+rman_backup_cron:
+  backup_level_0: []
+  backup_level_1: []
+  monitoring: []
 catalog_parameter: ""
 recovery_catalog_defined_check: 0
 

ansible/roles/oracle-oem-agent-setup/defaults/main.yml

@@ -15,15 +15,20 @@ agentpatcher_patch: p33355570_135000_Generic.zip
 agentpatcher_version: 13.9.5.5.0
 agent_home: "{{ oem_agent_base }}/agent_13.5.0.0.0"
 oem_secretsmanager_passwords:
-  - key: "oem_passwords"
+  - key: "oem"
     account_name: "hmpps-oem-{{ aws_environment }}"
     assume_role_name: "EC2OracleEnterpriseManagementSecretsRole"
     secret: "/oracle/oem/passwords"
     users:
       - agentreg:
-  - key: "emrep_passwords"
+  - key: "emrep"
     account_name: "hmpps-oem-{{ aws_environment }}"
     assume_role_name: "EC2OracleEnterpriseManagementSecretsRole"
     secret: "/oracle/database/EMREP/passwords"
     users:
       - sysman:
+oem_ssm_passwords:
+  - key: "asm"
+    parameter: "/ec2/{{ ec2_name }}/asm-passwords"
+    users:
+      - ASMSNMP:

ansible/roles/oracle-oem-agent-setup/tasks/get_facts.yml

@@ -1,23 +1,21 @@
 ---
+- name: Get SSM parameters
+  import_role:
+    name: ssm-passwords
+  vars:
+    ssm_passwords: "{{ oem_ssm_passwords }}"
+
 - name: Get OEM secrets
   import_role:
     name: secretsmanager-passwords
   vars:
     secretsmanager_passwords: "{{ oem_secretsmanager_passwords }}"
 
-- name: Set SSM parameters path fact from ec2 ssm-parameters-prefix and Name tag
-  set_fact:
-    db_ssm_parameters_path: '/database/{{ ec2.tags["Name"] }}'
-
-- name: Set SSM parameters database path facts
-  set_fact:
-    ssm_parameter_path_asmsnmp_password: "{{ db_ssm_parameters_path }}/ASMSNMP"
-
-- name: Get SSM parameters
+- name: Set password facts
   set_fact:
-    oem_sysman_password: "{{ secretsmanager_passwords_dict['emrep_passwords'].passwords['sysman'] }}"
-    oem_agent_password: "{{ secretsmanager_passwords_dict['oem_passwords'].passwords['agentreg'] }}"
-    asmsnmp_password: "{{ lookup('aws_ssm', ssm_parameter_path_asmsnmp_password, region=ansible_ec2_placement_region) }}"
+    oem_sysman_password: "{{ secretsmanager_passwords_dict['emrep'].passwords['sysman'] }}"
+    oem_agent_password: "{{ secretsmanager_passwords_dict['oem'].passwords['agentreg'] }}"
+    asmsnmp_password: "{{ ssm_passwords_dict['asm'].passwords['ASMSNMP'] }}"
 
 - name: Get private ip address of the ec2 instance
   set_fact:
@@ -29,6 +27,7 @@
   when:
     - oem_sysman_password|length > 0
     - oem_agent_password|length > 0
+    - asmsnmp_password|length > 0
 
 - name: Fail if missing parameters
   fail:

ansible/roles/oracle-oms-setup/defaults/main.yml

@@ -1,7 +1,6 @@
 ---
 artefacts_s3_bucket_name: mod-platform-image-artefact-bucket20230203091453221500000001
 artefacts_s3_bucket_path: hmpps/oracle-oem-135
-ssm_parameters_prefix: oem
 artefact_dir: /u02
 app_dir: /u01/app/oracle/product
 oracle_inventory: /u01/app/oraInventory
@@ -45,3 +44,30 @@ oms_env:
 db_env:
   ORACLE_HOME: "{{ database_home }}"
   PATH: "{{ database_home }}/bin:{{ oracle_path }}"
+
+emrepo_db_name: "{{ db_configs[emrepo] }}"
+oms_ssm_passwords:
+  - key: "emrep"
+    parameter: "/oracle/database/{{ emrepo_db_name.emrepo_db_name }}/passwords"
+    users:
+      - sys:
+      - system:
+  - key: "oem"
+    parameter: "/oracle/oem/passwords"
+    users:
+      - weblogic_admin:
+      - nodemanager:
+
+oms_secretsmanager_passwords:
+  - key: "emrep"
+    assume_role_name: ""
+    account_name: "{{ application }}-{{ aws_environment }}"
+    secret: "/oracle/database/{{ emrepo_db_name.emrepo_db_name }}/passwords"
+    users:
+      - sysman:
+  - key: "oem"
+    assume_role_name: ""
+    account_name: "{{ application }}-{{ aws_environment }}"
+    secret: "/oracle/oem/passwords"
+    users:
+      - agentreg: