From f65dc727aa8cb16a24598507f51f5268e782453e Mon Sep 17 00:00:00 2001 From: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com> Date: Thu, 30 Nov 2023 11:28:02 +0000 Subject: [PATCH] Update oracle-restore-point to use secrets (#428) --- ansible/roles/oracle-restore-point/README.md | 6 +- .../oracle-restore-point/defaults/main.yml | 10 +-- .../tasks/create_restore_point.yml | 25 +++++++ .../tasks/drop_restore_point.yml | 27 ++++++++ .../oracle-restore-point/tasks/get_facts.yml | 65 ------------------- .../roles/oracle-restore-point/tasks/main.yml | 17 +++-- 6 files changed, 67 insertions(+), 83 deletions(-) delete mode 100644 ansible/roles/oracle-restore-point/tasks/get_facts.yml diff --git a/ansible/roles/oracle-restore-point/README.md b/ansible/roles/oracle-restore-point/README.md index e17abec68..03c8f7ba1 100644 --- a/ansible/roles/oracle-restore-point/README.md +++ b/ansible/roles/oracle-restore-point/README.md @@ -11,11 +11,11 @@ SYS user database Passwords stored in SSM parameter store. 1. Create Restore point ``` -no_proxy="*" ansible-playbook site.yml --limit t1-nomis-db-1-a -e force_role=oracle-restore-point -e restore_point_name=PRE_ROLE_RUN -e db_tns_list=T1MIS,T1CNMAUD,T1CNOM -e action=create +no_proxy="*" ansible-playbook site.yml --limit t1-nomis-db-1-a -e force_role=oracle-restore-point -e restore_point_name=PRE_ROLE_RUN -e db_tns_list=T1MIS,T1CNMAUD,T1CNOM --tags create_restore_point ``` 2. Drop restore point ``` -no_proxy="*" ansible-playbook site.yml --limit t1-nomis-db-1-a -e force_role=oracle-restore-point -e restore_point_name=PRE_ROLE_RUN -e db_tns_list=T1MIS,T1CNMAUD,T1CNOM -e action=drop -``` \ No newline at end of file +no_proxy="*" ansible-playbook site.yml --limit t1-nomis-db-1-a -e force_role=oracle-restore-point -e restore_point_name=PRE_ROLE_RUN -e db_tns_list=T1MIS,T1CNMAUD,T1CNOM --tags drop_restore_point +``` 
diff --git a/ansible/roles/oracle-restore-point/defaults/main.yml b/ansible/roles/oracle-restore-point/defaults/main.yml index 5670623d5..e0ba5a454 100644 --- a/ansible/roles/oracle-restore-point/defaults/main.yml +++ b/ansible/roles/oracle-restore-point/defaults/main.yml @@ -2,12 +2,6 @@ stage: /u02/stage oracle_install_user: oracle oracle_install_group: oinstall -use_ssm_params: false -db_secretsmanager_passwords: - db: - parameter: "/oracle/database/{{ db_name }}/passwords" - secret: "/oracle/database/{{ db_name }}/passwords" - users: - - sys: -db_ssm_passwords: "{{ db_secretsmanager_passwords }}" +#db_tns_list: # comma separate listed of db names that must be defined in db_configs. Pass in via cmdline +db_configs: {} diff --git a/ansible/roles/oracle-restore-point/tasks/create_restore_point.yml b/ansible/roles/oracle-restore-point/tasks/create_restore_point.yml index e2acf83ae..e7fd22dd5 100644 --- a/ansible/roles/oracle-restore-point/tasks/create_restore_point.yml +++ b/ansible/roles/oracle-restore-point/tasks/create_restore_point.yml @@ -1,4 +1,29 @@ --- +- name: Set DB facts + set_fact: + db_sid: "{{ db_configs[ db_name ].instance_name }}" + db_passwords_secret: "/oracle/database/{{ db_name }}/passwords" + +- name: Get DB secrets {{ db_passwords_secret }} + set_fact: + db_passwords: "{{ lookup('amazon.aws.aws_secret', db_passwords_secret) }}" + +- name: Get DB sys password + set_fact: + db_sys_password: "{{ db_passwords.sys }}" + +- name: Check password is extracted + ansible.builtin.set_fact: + db_sys_password_set: true + when: + - db_sys_password |length > 0 + - db_sid |length > 0 + +- name: Fail if missing secrets + ansible.builtin.fail: + msg: Ensure SYS password exists for {{ db_name }} database + when: not db_sys_password_set |default(false) + - name: Copy restore point creation script ansible.builtin.template: src: "create_restore_point.sql.j2" 
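Review bot: `db_configs: {}` is now the role default, but the new task files index it as `db_configs[ db_name ].instance_name`, so a host whose inventory does not supply `db_configs` fails in the first `Set DB facts` task with an undefined-attribute error instead of reaching the role's own `Fail if missing secrets` message; the default is fine, but its expected shape should be documented next to it. The commented-out `db_tns_list` line also reads "comma separate listed". Suggested replacement for the two added lines: `# db_tns_list: comma-separated list of DB names; each must be a key in db_configs. Pass in via the command line.` and `db_configs: {}  # map of db_name -> { instance_name: <SID> }; presumably supplied by inventory vars`.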
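Review bot: The `Get DB secrets` and `Get DB sys password` tasks store the full secret payload and the SYS password in facts without `no_log`, so a verbose run (`-v`) echoes the `set_fact` result and with it every password held in the `/oracle/database/{{ db_name }}/passwords` secret; the identical tasks added to drop_restore_point.yml have the same gap. Add `no_log: true` to both of those `set_fact` tasks. Separately, `db_passwords.sys` makes the `Get DB sys password` task itself fail with an undefined-attribute error when the secret has no `sys` key, so the `Check password is extracted` / `Fail if missing secrets` pair below never sees that case; `db_sys_password: "{{ db_passwords.sys | default('') }}"` would let the role's own failure message fire. The `Copy restore point creation script` task at the end of the hunk continues past it.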
diff --git a/ansible/roles/oracle-restore-point/tasks/drop_restore_point.yml b/ansible/roles/oracle-restore-point/tasks/drop_restore_point.yml index bb073a09e..d175a93bb 100644 --- a/ansible/roles/oracle-restore-point/tasks/drop_restore_point.yml +++ b/ansible/roles/oracle-restore-point/tasks/drop_restore_point.yml @@ -1,4 +1,31 @@ --- +- name: Set DB facts + set_fact: + db_sid: "{{ db_configs[ db_name ].instance_name }}" + db_passwords_secret: "/oracle/database/{{ db_name }}/passwords" + +- name: Get DB secrets {{ db_passwords_secret }} + set_fact: + db_passwords: "{{ lookup('amazon.aws.aws_secret', db_passwords_secret) }}" + +- name: Get DB sys password + set_fact: + db_sys_password: "{{ db_passwords.sys }}" + +- name: Check password is extracted + ansible.builtin.set_fact: + db_sys_password_set: true + when: + - db_sys_password |length > 0 + - db_sid |length > 0 + +- name: Fail if missing secrets + ansible.builtin.fail: + msg: Ensure SYS password exists for {{ db_name }} database + when: not db_sys_password_set |default(false) +- set_fact: + db_passwords_secret: "/oracle/database/{{ db_name }}/passwords" + - name: Copy drop restore point script ansible.builtin.template: src: "drop_restore_point.sql.j2" diff --git a/ansible/roles/oracle-restore-point/tasks/get_facts.yml b/ansible/roles/oracle-restore-point/tasks/get_facts.yml deleted file mode 100644 index 952b5faac..000000000 --- a/ansible/roles/oracle-restore-point/tasks/get_facts.yml +++ /dev/null 
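Review bot: The bare `- set_fact:` block just before `Copy drop restore point script` re-assigns `db_passwords_secret` to the same value the `Set DB facts` task set a few lines earlier, so it looks like a leftover that should be deleted (it also lacks the `name:` and blank-line separation the rest of the file uses). Beyond that, the five tasks added here are a verbatim copy of the ones added to create_restore_point.yml; they would fit better in a single shared tasks file (for example a trimmed-down `get_facts.yml`) that both the create and drop files include at the top, so a fix such as adding `no_log` lands once. The `Copy drop restore point script` task continues past the end of the hunk.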
@@ -1,65 +0,0 @@ ---- -- name: Check server has DB components - ansible.builtin.stat: - path: /etc/oratab - register: db_server_file - -- name: If database server , get DB from running process - ansible.builtin.shell: ps -ef | grep pmon | grep -v ASM| grep -v grep | head -1 | awk -F_ '{ print $3 }' - register: db_instance_name - when: db_server_file.stat.exists - -- name: Set db name from ec2 oracle-db-name tag - set_fact: - db_sid: "{{ db_instance_name.stdout }}" - when: db_server_file.stat.exists - -- name: Check all SSM parameters and tags are set - set_fact: - db_all_variables_set: true - when: - - db_sid |length > 0 - -- name: Fail if missing SSM parameters or tags - fail: - msg: Ensure all required SSM parameters and tags are set - when: not db_all_variables_set |default(false) - -- name: Get secretsmanager passwords - block: - - name: secretsmanager passwords - import_role: - name: secretsmanager-passwords - vars: - secretsmanager_passwords: "{{ db_secretsmanager_passwords }}" - - - name: secretsmanager passwords - set_fact: - db_sys_password: "{{ secretsmanager_passwords_dict['db'].passwords['sys'] }}" - when: secretsmanager_passwords_dict is defined - when: not use_ssm_params - -- name: Get SSM params - block: - - name: Get SSM parameters - import_role: - name: ssm-passwords - vars: - ssm_passwords: "{{ db_ssm_passwords }}" - - - name: Get SSM parameters - set_fact: - db_sys_password: "{{ ssm_passwords_dict['db'].passwords['sys'] }}" - when: ssm_passwords_dict is defined - when: use_ssm_params - -- name: Check password is extracted - ansible.builtin.set_fact: - db_sys_password_set: true - when: - - db_sys_password |length > 0 - -- name: Fail if missing secrets - ansible.builtin.fail: - msg: Ensure SYS password exists for {{ db_name }} database - when: not db_sys_password_set |default(false) diff --git a/ansible/roles/oracle-restore-point/tasks/main.yml b/ansible/roles/oracle-restore-point/tasks/main.yml index 4ad63f80b..a35c0579d 100644 
--- a/ansible/roles/oracle-restore-point/tasks/main.yml +++ b/ansible/roles/oracle-restore-point/tasks/main.yml @@ -1,19 +1,18 @@ --- -- name: Get facts for playbook execution - ansible.builtin.import_tasks: get_facts.yml - tags: - - always - - name: Create restore point on databases specified by TNS ansible.builtin.include_tasks: file: create_restore_point.yml apply: tags: - create_restore_point + - never loop_control: loop_var: db_name loop: "{{ db_tns_list.split(',') }}" - when: db_server_file.stat.exists and db_tns_list is defined and restore_point_name is defined and action == "create" + tags: + - create_restore_point + - never + when: db_tns_list is defined and restore_point_name is defined - name: Drop restore point from databases specified by TNS ansible.builtin.include_tasks: @@ -21,7 +20,11 @@ apply: tags: - drop_restore_point + - never loop_control: loop_var: db_name loop: "{{ db_tns_list.split(',') }}" - when: db_server_file.stat.exists and db_tns_list is defined and restore_point_name is defined and action == "drop" + tags: + - drop_restore_point + - never + when: db_tns_list is defined and restore_point_name is defined
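Review bot: The `when: db_tns_list is defined and restore_point_name is defined` guard cannot protect the `loop: "{{ db_tns_list.split(',') }}"` line above it: as far as I know Ansible templates the loop before it evaluates `when` per item, so `--tags create_restore_point` without `-e db_tns_list=...` aborts with an undefined-variable error rather than skipping the task; the second hunk (`Drop restore point`) has the same pattern. Making the loop tolerant, `loop: "{{ (db_tns_list | default('')).split(',') }}"`, lets the existing `when` do its job. The old `db_server_file.stat.exists` check disappeared with get_facts.yml, so nothing now confirms the target is a database host before the SQL steps run; if that is intended, a one-line comment on each task saying so would help the next reader. The `never` tag appearing both under `apply` and on the `include_tasks` task is correct for tag selection, but deserves a comment such as `# never: only runs when the tag is requested explicitly` since the README is the only place that explains it.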