ministryofjustice · wullub · Nov 8, 2023 · Oct 19, 2023 · Oct 19, 2023 · Nov 3, 2023
@@ -71,3 +71,5 @@ disks_mount:
   - ebs_device_name: /dev/sds
     dir: swap
     fstype: swap
+
+use_ssm_params: true
@@ -58,3 +58,5 @@ ami_roles_list:
 
 # the below vars are defined in multiple groups.  Keep the values the same to avoid unexpected behaviour
 roles_list: "{{ (ami_roles_list | default([]) | difference(server_type_roles_list | default([]))) + (server_type_roles_list | default([])) }}"
+
+use_ssm_params: true
@@ -63,3 +63,5 @@ oracle_install_group: oinstall
 oracle_inventory: /u01/app/oraInventory
 database_home: /u01/app/oracle/product/19c/db_1
 grid_home: /u01/app/oracle/product/19c/gridhome_1
+
+use_ssm_params: true
@@ -69,3 +69,5 @@ disks_mount:
   - ebs_device_name: /dev/sds
     dir: swap
     fstype: swap
+
+use_ssm_params: true
@@ -68,3 +68,5 @@ collectd_monitored_services_servertype:
 
 # the below vars are defined in multiple groups.  Keep the values the same to avoid unexpected behaviour
 roles_list: "{{ (ami_roles_list | default([]) | difference(server_type_roles_list | default([]))) + (server_type_roles_list | default([])) }}"
+
+use_ssm_params: true
@@ -110,3 +110,5 @@ tns_entries:
       host_list:
         - t1-ncr-db-1-a.nomis-combined-reporting.hmpps-test.modernisation-platform.internal
       service_name: T1BIPAUD
+
+use_ssm_params: true
@@ -113,3 +113,5 @@ tns_entries:
       host_list:
         - t1-ncr-db-1-a.nomis-combined-reporting.hmpps-test.modernisation-platform.internal
       service_name: BIPAUD_TAF
+
+use_ssm_params: true
@@ -74,3 +74,5 @@ oracle_inventory: /u01/app/oraInventory
 database_home: /u01/app/oracle/product/19c/db_1
 oracle_home: "{{ database_home }}"
 grid_home: /u01/app/oracle/product/19c/gridhome_1
+
+use_ssm_params: true
@@ -78,3 +78,5 @@ oracle_install_group: oinstall
 oracle_inventory: /u01/app/oraInventory
 database_home: /u01/app/oracle/product/19c/db_1
 grid_home: /u01/app/oracle/product/19c/gridhome_1
+
+assume_ec2_role_name_prefix: ec2-database-role
@@ -35,13 +35,17 @@ grid_install_script: grid_install.sh
 
 password_response_file: grid_pw.rsp
 
-db_ssm_passwords:
+use_ssm_params: false
+db_secretsmanager_passwords:
   asm:
     parameter: "/ec2/{{ ec2_name }}/asm-passwords"
+    secret: "/ec2/{{ ec2_name }}/asm-passwords"
     users:
       - ASMSNMP: auto
       - ASMSYS: auto
 
+db_ssm_passwords: "{{ db_secretsmanager_passwords }}"
+
 grid_env:
   ORACLE_HOME: "{{ grid_home }}"
   PATH: "{{ grid_home }}/bin:{{ oracle_path }}"

@@ -1,19 +1,38 @@
 ---
-- name: Get SSM parameters
-  import_role:
-    name: ssm-passwords
-  vars:
-    ssm_passwords: "{{ db_ssm_passwords }}"
-  when: ec2.tags.application is defined and ec2.tags.application != 'delius-core'
+- name: Get secretsmanager passwords
+  block:
+    - name: secretsmanager passwords
+      import_role:
+        name: secretsmanager-passwords
+      vars:
+        secretsmanager_passwords: "{{ db_secretsmanager_passwords }}"
 
-- name: Get SSM parameters
-  set_fact:
-    asmpassword: "{{ ssm_passwords_dict['asm'].passwords['ASMSYS'] }}"
-    asmmonitorpassword: "{{ ssm_passwords_dict['asm'].passwords['ASMSNMP'] }}"
-  when: ssm_passwords_dict is defined
+    - name: secretsmanager passwords
+      set_fact:
+        asmpassword: "{{ secretsmanager_passwords_dict['asm'].passwords['ASMSYS'] }}"
+        asmmonitorpassword: "{{ secretsmanager_passwords_dict['asm'].passwords['ASMSNMP'] }}"
 
-- name: Set Random Password Specifically For Delius
-  set_fact:
-    asmpassword: "{{ lookup('password','/dev/null chars=ascii_lowercase,ascii_uppercase,digits length=16') }}"
-    asmmonitorpassword: "{{ lookup('password','/dev/null chars=ascii_lowercase,ascii_uppercase,digits length=16')}}"
-  when: ssm_passwords_dict is not defined
+  when: not use_ssm_params
+
+- name: Get SSM params
+  block:
+    - name: Get SSM parameters
+      import_role:
+        name: ssm-passwords
+      vars:
+        ssm_passwords: "{{ db_ssm_passwords }}"
+      when: ec2.tags.application is defined and ec2.tags.application != 'delius-core'
+
+    - name: Get SSM parameters
+      set_fact:
+        asmpassword: "{{ ssm_passwords_dict['asm'].passwords['ASMSYS'] }}"
+        asmmonitorpassword: "{{ ssm_passwords_dict['asm'].passwords['ASMSNMP'] }}"
+      when: ssm_passwords_dict is defined
+
+    - name: Set Random Password Specifically For Delius
+      set_fact:
+        asmpassword: "{{ lookup('password','/dev/null chars=ascii_lowercase,ascii_uppercase,digits length=16') }}"
+        asmmonitorpassword: "{{ lookup('password','/dev/null chars=ascii_lowercase,ascii_uppercase,digits length=16')}}"
+      when: ssm_passwords_dict is not defined
+
+  when: use_ssm_params
@@ -16,3 +16,5 @@ secretsmanager_passwords:
 
 secretsmanager_passwords_force_rotate: ""
 # include the secret key and username to force rotation, e.g. "unique_key_for_ansible_dictionary1:myuser1"
+
+assume_ec2_role_name_prefix: ""
@@ -21,9 +21,18 @@
     PATH=$PATH:/usr/local/bin
     set -e
     account_id=$(aws sts get-caller-identity --query Account --output text)
+    {% if item.value.account_name is defined %}
     secret_account_id="{{ account_ids[item.value.account_name] }}"
+    {% else %}
+    secret_account_id=$account_id
+    {% endif %}
     if [[ $account_id != $secret_account_id ]]; then
+      # this could be improved to look up role dynamically, would require permissions for ec2s to look at iam roles and instance profile 
+    {% if item.value.assume_role_name is defined %}
       role_arn="arn:aws:iam::${account_id}:role/{{ item.value.assume_role_name }}"
+    {% else %}
+      role_arn="arn:aws:iam::${account_id}:role/{{ assume_ec2_role_name_prefix }}-{{ ec2.tags['Name'] }}"
+    {% endif %}
       session="{{ item.key }}-ansible"
       creds=$(aws sts assume-role --role-arn "${role_arn}" --role-session-name "${session}"  --output text --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]")
       export AWS_ACCESS_KEY_ID=$(echo "${creds}" | tail -1 | cut -f1)
@@ -135,7 +144,11 @@
     PATH=$PATH:/usr/local/bin
     set -e
     account_id=$(aws sts get-caller-identity --query Account --output text)
-    secret_account_id="{{ account_ids[item.value.config.account_name] }}"
+    {% if item.value.config.account_name is defined %}
+      secret_account_id="{{ account_ids[item.value.config.account_name] }}"
+    {% else %}
+      secret_account_id="{{ account_ids[ec2.tags['Name']] }}"
+    {% endif %}
     if [[ $account_id != $secret_account_id ]]; then
       echo "ERROR: cannot update secret in other account" >&2
       exit 1
Original file line number	Diff line number	Diff line change
Expand Up		@@ -58,3 +58,5 @@ ami_roles_list:

		# the below vars are defined in multiple groups. Keep the values the same to avoid unexpected behaviour
		roles_list: "{{ (ami_roles_list \| default([]) \| difference(server_type_roles_list \| default([]))) + (server_type_roles_list \| default([])) }}"

		use_ssm_params: true
Original file line number	Diff line number	Diff line change
Expand Up		@@ -68,3 +68,5 @@ collectd_monitored_services_servertype:

		# the below vars are defined in multiple groups. Keep the values the same to avoid unexpected behaviour
		roles_list: "{{ (ami_roles_list \| default([]) \| difference(server_type_roles_list \| default([]))) + (server_type_roles_list \| default([])) }}"

		use_ssm_params: true
Original file line number	Diff line number	Diff line change
Expand Up		@@ -16,3 +16,5 @@ secretsmanager_passwords:

		secretsmanager_passwords_force_rotate: ""
		# include the secret key and username to force rotation, e.g. "unique_key_for_ansible_dictionary1:myuser1"

		assume_ec2_role_name_prefix: ""