Update oracle-restore-point to use secrets (#428)

ansible/roles/oracle-restore-point/README.md

@@ -11,11 +11,11 @@ SYS user database Passwords stored in SSM parameter store.
 1. Create Restore point 
 
 ```
-no_proxy="*" ansible-playbook site.yml --limit t1-nomis-db-1-a  -e force_role=oracle-restore-point -e restore_point_name=PRE_ROLE_RUN -e db_tns_list=T1MIS,T1CNMAUD,T1CNOM -e action=create 
+no_proxy="*" ansible-playbook site.yml --limit t1-nomis-db-1-a  -e force_role=oracle-restore-point -e restore_point_name=PRE_ROLE_RUN -e db_tns_list=T1MIS,T1CNMAUD,T1CNOM --tags create_restore_point
 ```
 
 2. Drop restore point 
 
 ```
-no_proxy="*" ansible-playbook site.yml --limit t1-nomis-db-1-a  -e force_role=oracle-restore-point -e restore_point_name=PRE_ROLE_RUN -e db_tns_list=T1MIS,T1CNMAUD,T1CNOM -e action=drop
-```
+no_proxy="*" ansible-playbook site.yml --limit t1-nomis-db-1-a  -e force_role=oracle-restore-point -e restore_point_name=PRE_ROLE_RUN -e db_tns_list=T1MIS,T1CNMAUD,T1CNOM --tags drop_restore_point
+```

ansible/roles/oracle-restore-point/defaults/main.yml

@@ -2,12 +2,6 @@
 stage: /u02/stage
 oracle_install_user: oracle
 oracle_install_group: oinstall
-use_ssm_params: false
-db_secretsmanager_passwords:
-  db:
-    parameter: "/oracle/database/{{ db_name }}/passwords"
-    secret: "/oracle/database/{{ db_name }}/passwords"
-    users:
-      - sys:
 
-db_ssm_passwords: "{{ db_secretsmanager_passwords }}"
+#db_tns_list:   # comma separate listed of db names that must be defined in db_configs. Pass in via cmdline
+db_configs: {}

ansible/roles/oracle-restore-point/tasks/create_restore_point.yml

@@ -1,4 +1,29 @@
 ---
+- name: Set DB facts
+  set_fact:
+    db_sid: "{{ db_configs[ db_name ].instance_name }}"
+    db_passwords_secret: "/oracle/database/{{ db_name }}/passwords"
+
+- name: Get DB secrets {{ db_passwords_secret }}
+  set_fact:
+    db_passwords: "{{ lookup('amazon.aws.aws_secret', db_passwords_secret) }}"
+
+- name: Get DB sys password
+  set_fact:
+    db_sys_password: "{{ db_passwords.sys }}"
+
+- name: Check password is extracted
+  ansible.builtin.set_fact:
+    db_sys_password_set: true
+  when:
+    - db_sys_password |length > 0
+    - db_sid |length > 0
+
+- name: Fail if missing secrets
+  ansible.builtin.fail:
+    msg: Ensure SYS password exists for {{ db_name }} database
+  when: not  db_sys_password_set |default(false)
+
 - name: Copy restore point creation script
   ansible.builtin.template:
     src: "create_restore_point.sql.j2"

ansible/roles/oracle-restore-point/tasks/drop_restore_point.yml

@@ -1,4 +1,31 @@
 ---
+- name: Set DB facts
+  set_fact:
+    db_sid: "{{ db_configs[ db_name ].instance_name }}"
+    db_passwords_secret: "/oracle/database/{{ db_name }}/passwords"
+
+- name: Get DB secrets {{ db_passwords_secret }}
+  set_fact:
+    db_passwords: "{{ lookup('amazon.aws.aws_secret', db_passwords_secret) }}"
+
+- name: Get DB sys password
+  set_fact:
+    db_sys_password: "{{ db_passwords.sys }}"
+
+- name: Check password is extracted
+  ansible.builtin.set_fact:
+    db_sys_password_set: true
+  when:
+    - db_sys_password |length > 0
+    - db_sid |length > 0
+
+- name: Fail if missing secrets
+  ansible.builtin.fail:
+    msg: Ensure SYS password exists for {{ db_name }} database
+  when: not  db_sys_password_set |default(false)
+- set_fact:
+    db_passwords_secret: "/oracle/database/{{ db_name }}/passwords"
+
 - name: Copy drop restore point script
   ansible.builtin.template:
     src: "drop_restore_point.sql.j2"

ansible/roles/oracle-restore-point/tasks/main.yml

@@ -1,27 +1,30 @@
 ---
-- name: Get facts for playbook execution
-  ansible.builtin.import_tasks: get_facts.yml
-  tags:
-    - always
-
 - name: Create restore point on databases specified by TNS
   ansible.builtin.include_tasks:
     file: create_restore_point.yml
     apply:
       tags:
         - create_restore_point
+        - never
   loop_control:
     loop_var: db_name
   loop: "{{ db_tns_list.split(',') }}"
-  when: db_server_file.stat.exists and db_tns_list is defined and restore_point_name is defined and action == "create"
+  tags:
+    - create_restore_point
+    - never
+  when: db_tns_list is defined and restore_point_name is defined
 
 - name: Drop restore point from databases specified by TNS
   ansible.builtin.include_tasks:
     file: drop_restore_point.yml
     apply:
       tags:
         - drop_restore_point
+        - never
   loop_control:
     loop_var: db_name
   loop: "{{ db_tns_list.split(',') }}"
-  when: db_server_file.stat.exists and db_tns_list is defined and restore_point_name is defined and action == "drop"
+  tags:
+    - drop_restore_point
+    - never
+  when: db_tns_list is defined and restore_point_name is defined