From f65dc727aa8cb16a24598507f51f5268e782453e Mon Sep 17 00:00:00 2001
From: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com>
Date: Thu, 30 Nov 2023 11:28:02 +0000
Subject: [PATCH] Update oracle-restore-point to use secrets (#428)

---
 ansible/roles/oracle-restore-point/README.md  |  6 +-
 .../oracle-restore-point/defaults/main.yml    | 10 +--
 .../tasks/create_restore_point.yml            | 25 +++++++
 .../tasks/drop_restore_point.yml              | 27 ++++++++
 .../oracle-restore-point/tasks/get_facts.yml  | 65 -------------------
 .../roles/oracle-restore-point/tasks/main.yml | 17 +++--
 6 files changed, 67 insertions(+), 83 deletions(-)
 delete mode 100644 ansible/roles/oracle-restore-point/tasks/get_facts.yml

diff --git a/ansible/roles/oracle-restore-point/README.md b/ansible/roles/oracle-restore-point/README.md
index e17abec68..03c8f7ba1 100644
--- a/ansible/roles/oracle-restore-point/README.md
+++ b/ansible/roles/oracle-restore-point/README.md
@@ -11,11 +11,11 @@ SYS user database Passwords stored in SSM parameter store.
 1. Create Restore point 
 
 ```
-no_proxy="*" ansible-playbook site.yml --limit t1-nomis-db-1-a  -e force_role=oracle-restore-point -e restore_point_name=PRE_ROLE_RUN -e db_tns_list=T1MIS,T1CNMAUD,T1CNOM -e action=create 
+no_proxy="*" ansible-playbook site.yml --limit t1-nomis-db-1-a  -e force_role=oracle-restore-point -e restore_point_name=PRE_ROLE_RUN -e db_tns_list=T1MIS,T1CNMAUD,T1CNOM --tags create_restore_point
 ```
 
 2. Drop restore point 
 
 ```
-no_proxy="*" ansible-playbook site.yml --limit t1-nomis-db-1-a  -e force_role=oracle-restore-point -e restore_point_name=PRE_ROLE_RUN -e db_tns_list=T1MIS,T1CNMAUD,T1CNOM -e action=drop
-```
\ No newline at end of file
+no_proxy="*" ansible-playbook site.yml --limit t1-nomis-db-1-a  -e force_role=oracle-restore-point -e restore_point_name=PRE_ROLE_RUN -e db_tns_list=T1MIS,T1CNMAUD,T1CNOM --tags drop_restore_point
+```
diff --git a/ansible/roles/oracle-restore-point/defaults/main.yml b/ansible/roles/oracle-restore-point/defaults/main.yml
index 5670623d5..e0ba5a454 100644
--- a/ansible/roles/oracle-restore-point/defaults/main.yml
+++ b/ansible/roles/oracle-restore-point/defaults/main.yml
@@ -2,12 +2,6 @@
 stage: /u02/stage
 oracle_install_user: oracle
 oracle_install_group: oinstall
-use_ssm_params: false
-db_secretsmanager_passwords:
-  db:
-    parameter: "/oracle/database/{{ db_name }}/passwords"
-    secret: "/oracle/database/{{ db_name }}/passwords"
-    users:
-      - sys:
 
-db_ssm_passwords: "{{ db_secretsmanager_passwords }}"
+#db_tns_list:   # comma separate listed of db names that must be defined in db_configs. Pass in via cmdline
+db_configs: {}
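Review bot: The new `db_configs: {}` default means a host without an overriding `db_configs` fails inside the task files with a Jinja undefined-variable error on `db_configs[ db_name ].instance_name` rather than with a clear message; consider guarding the lookup, e.g. `- ansible.builtin.assert: { that: db_name in db_configs, fail_msg: "db_name {{ db_name }} missing from db_configs" }` before the facts are set. The commented-out key is also written `#db_tns_list:` with no space after the hash and the wording "comma separate listed of db names" reads oddly; `# db_tns_list:  # comma-separated list of db names that must be keys of db_configs; pass in via cmdline` would follow the yamllint comment style.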
diff --git a/ansible/roles/oracle-restore-point/tasks/create_restore_point.yml b/ansible/roles/oracle-restore-point/tasks/create_restore_point.yml
index e2acf83ae..e7fd22dd5 100644
--- a/ansible/roles/oracle-restore-point/tasks/create_restore_point.yml
+++ b/ansible/roles/oracle-restore-point/tasks/create_restore_point.yml
@@ -1,4 +1,29 @@
 ---
+- name: Set DB facts
+  set_fact:
+    db_sid: "{{ db_configs[ db_name ].instance_name }}"
+    db_passwords_secret: "/oracle/database/{{ db_name }}/passwords"
+
+- name: Get DB secrets {{ db_passwords_secret }}
+  set_fact:
+    db_passwords: "{{ lookup('amazon.aws.aws_secret', db_passwords_secret) }}"
+
+- name: Get DB sys password
+  set_fact:
+    db_sys_password: "{{ db_passwords.sys }}"
+
+- name: Check password is extracted
+  ansible.builtin.set_fact:
+    db_sys_password_set: true
+  when:
+    - db_sys_password |length > 0
+    - db_sid |length > 0
+
+- name: Fail if missing secrets
+  ansible.builtin.fail:
+    msg: Ensure SYS password exists for {{ db_name }} database
+  when: not  db_sys_password_set |default(false)
+
 - name: Copy restore point creation script
   ansible.builtin.template:
     src: "create_restore_point.sql.j2"
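Review bot: The new `Get DB secrets` and `Get DB sys password` tasks carry no `no_log: true`, so the full secret payload and the SYS password are shown in verbose task output and passed to any result callback; add `no_log: true` to both set_fact tasks (the same applies to the identical block in the drop_restore_point.yml hunk). Separately, `db_passwords.sys` raises an undefined-variable error when the secret has no `sys` key, so the `Fail if missing secrets` task and its message are never reached for that case; `db_sys_password: "{{ db_passwords.sys | default('') }}"` lets the existing length check take effect. The five fact-gathering tasks are duplicated byte-for-byte between create_restore_point.yml and drop_restore_point.yml and would be better as one shared task file included by both. The remainder of create_restore_point.yml is outside the hunk.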
diff --git a/ansible/roles/oracle-restore-point/tasks/drop_restore_point.yml b/ansible/roles/oracle-restore-point/tasks/drop_restore_point.yml
index bb073a09e..d175a93bb 100644
--- a/ansible/roles/oracle-restore-point/tasks/drop_restore_point.yml
+++ b/ansible/roles/oracle-restore-point/tasks/drop_restore_point.yml
@@ -1,4 +1,31 @@
 ---
+- name: Set DB facts
+  set_fact:
+    db_sid: "{{ db_configs[ db_name ].instance_name }}"
+    db_passwords_secret: "/oracle/database/{{ db_name }}/passwords"
+
+- name: Get DB secrets {{ db_passwords_secret }}
+  set_fact:
+    db_passwords: "{{ lookup('amazon.aws.aws_secret', db_passwords_secret) }}"
+
+- name: Get DB sys password
+  set_fact:
+    db_sys_password: "{{ db_passwords.sys }}"
+
+- name: Check password is extracted
+  ansible.builtin.set_fact:
+    db_sys_password_set: true
+  when:
+    - db_sys_password |length > 0
+    - db_sid |length > 0
+
+- name: Fail if missing secrets
+  ansible.builtin.fail:
+    msg: Ensure SYS password exists for {{ db_name }} database
+  when: not  db_sys_password_set |default(false)
+- set_fact:
+    db_passwords_secret: "/oracle/database/{{ db_name }}/passwords"
+
 - name: Copy drop restore point script
   ansible.builtin.template:
     src: "drop_restore_point.sql.j2"
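Review bot: The unnamed `set_fact` at the end of the new block re-assigns `db_passwords_secret` to exactly the value already set in `Set DB facts`, and it is jammed against `Fail if missing secrets` without a blank line; it looks like a leftover and should be dropped. If it is kept, give it a `name:` like the surrounding tasks so it is identifiable in the play output. The rest of drop_restore_point.yml is outside the hunk.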
diff --git a/ansible/roles/oracle-restore-point/tasks/get_facts.yml b/ansible/roles/oracle-restore-point/tasks/get_facts.yml
deleted file mode 100644
index 952b5faac..000000000
--- a/ansible/roles/oracle-restore-point/tasks/get_facts.yml
+++ /dev/null
@@ -1,65 +0,0 @@
----
-- name: Check server has DB components
-  ansible.builtin.stat:
-    path: /etc/oratab
-  register: db_server_file
-
-- name: If database server , get DB from running process
-  ansible.builtin.shell: ps -ef | grep pmon | grep -v ASM|  grep -v grep | head -1 | awk -F_ '{ print $3 }'
-  register: db_instance_name
-  when: db_server_file.stat.exists
-
-- name: Set db name from ec2 oracle-db-name tag
-  set_fact:
-    db_sid: "{{ db_instance_name.stdout }}"
-  when: db_server_file.stat.exists
-
-- name: Check all SSM parameters and tags are set
-  set_fact:
-    db_all_variables_set: true
-  when:
-    - db_sid |length > 0
-
-- name: Fail if missing SSM parameters or tags
-  fail:
-    msg: Ensure all required SSM parameters and tags are set
-  when: not db_all_variables_set |default(false)
-
-- name: Get secretsmanager passwords
-  block:
-    - name: secretsmanager passwords
-      import_role:
-        name: secretsmanager-passwords
-      vars:
-        secretsmanager_passwords: "{{ db_secretsmanager_passwords }}"
-
-    - name: secretsmanager passwords
-      set_fact:
-        db_sys_password: "{{ secretsmanager_passwords_dict['db'].passwords['sys'] }}"
-      when: secretsmanager_passwords_dict is defined
-  when: not use_ssm_params
-
-- name: Get SSM params
-  block:
-    - name: Get SSM parameters
-      import_role:
-        name: ssm-passwords
-      vars:
-        ssm_passwords: "{{ db_ssm_passwords }}"
-
-    - name: Get SSM parameters
-      set_fact:
-        db_sys_password: "{{ ssm_passwords_dict['db'].passwords['sys'] }}"
-      when: ssm_passwords_dict is defined
-  when: use_ssm_params
-
-- name: Check password is extracted
-  ansible.builtin.set_fact:
-    db_sys_password_set: true
-  when:
-    - db_sys_password |length > 0
-
-- name: Fail if missing secrets
-  ansible.builtin.fail:
-    msg: Ensure SYS password exists for {{ db_name }} database
-  when: not  db_sys_password_set |default(false)
diff --git a/ansible/roles/oracle-restore-point/tasks/main.yml b/ansible/roles/oracle-restore-point/tasks/main.yml
index 4ad63f80b..a35c0579d 100644
--- a/ansible/roles/oracle-restore-point/tasks/main.yml
+++ b/ansible/roles/oracle-restore-point/tasks/main.yml
@@ -1,19 +1,18 @@
 ---
-- name: Get facts for playbook execution
-  ansible.builtin.import_tasks: get_facts.yml
-  tags:
-    - always
-
 - name: Create restore point on databases specified by TNS
   ansible.builtin.include_tasks:
     file: create_restore_point.yml
     apply:
       tags:
         - create_restore_point
+        - never
   loop_control:
     loop_var: db_name
   loop: "{{ db_tns_list.split(',') }}"
-  when: db_server_file.stat.exists and db_tns_list is defined and restore_point_name is defined and action == "create"
+  tags:
+    - create_restore_point
+    - never
+  when: db_tns_list is defined and restore_point_name is defined
 
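Review bot: The rewritten `when: db_tns_list is defined and restore_point_name is defined` does not protect the `loop: "{{ db_tns_list.split(',') }}"` above it, because for a looped task Ansible evaluates the loop expression first and applies `when` per item; an undefined `db_tns_list` therefore still fails with an undefined-variable error rather than skipping. `loop: "{{ (db_tns_list | default('')).split(',') }}"` makes the guard effective, and the same applies to the second main.yml hunk for the drop task. Also note that with get_facts.yml deleted, the former `db_server_file.stat.exists` check on `/etc/oratab` is gone, so the include now runs on any host matched by `--limit`; if that guard is still wanted it should be restored here, since nothing in the new task files checks it.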
 - name: Drop restore point from databases specified by TNS
   ansible.builtin.include_tasks:
@@ -21,7 +20,11 @@
     apply:
       tags:
         - drop_restore_point
+        - never
   loop_control:
     loop_var: db_name
   loop: "{{ db_tns_list.split(',') }}"
-  when: db_server_file.stat.exists and db_tns_list is defined and restore_point_name is defined and action == "drop"
+  tags:
+    - drop_restore_point
+    - never
+  when: db_tns_list is defined and restore_point_name is defined