ministryofjustice · wullub · Nov 20, 2023 · Nov 20, 2023 · Nov 20, 2023
@@ -6,3 +6,5 @@ ami_roles_list:
 
 # the below vars are defined in multiple groups.  Keep the values the same to avoid unexpected behaviour
 roles_list: "{{ (ami_roles_list | default([]) | difference(server_type_roles_list | default([]))) + (server_type_roles_list | default([])) }}"
+
+use_ssm_params: true
@@ -5,3 +5,5 @@ server_type_roles_list:
   - join-devtest-ad-linux
 
 roles_list: "{{ (ami_roles_list | default([]) | difference(server_type_roles_list | default([]))) + (server_type_roles_list | default([])) }}"
+
+use_ssm_params: true
@@ -1,9 +1,13 @@
 ---
-service_account_ssm_passwords:
+use_ssm_params: false
+service_account_secretsmanager_passwords:
   service_account:
     parameter: "/join_domain_linux_service_account/passwords"
+    secret: "/join_domain_linux_service_account/passwords"
     users:
       - username: auto
       - password: auto
 
+service_account_ssm_passwords: "{{ service_account_secretsmanager_passwords }}"
+
 ad_domain: AZURE.NOMS.ROOT
@@ -1,23 +1,43 @@
 ---
-- name: Get linux service account details
-  import_role:
-    name: ssm-passwords
-  vars:
-    ssm_passwords: "{{ service_account_ssm_passwords }}"
+- name: Get secretsmanager passwords
+  block:
+    - name: secretsmanager passwords
+      import_role:
+        name: secretsmanager-passwords
+      vars:
+        secretsmanager_passwords: "{{ service_account_secretsmanager_passwords }}"
 
-- name: Set linux service account variables
-  set_fact:
-    join_domain_linux_service_account_username: "{{ ssm_passwords_dict['service_account'].passwords['username'] }}"
-    join_domain_linux_service_account_password: "{{ ssm_passwords_dict['service_account'].passwords['password'] }}"
+    - name: secretsmanager passwords
+      set_fact:
+        join_domain_linux_service_account_username: "{{ secretsmanager_passwords_dict['service_account'].passwords['username'] }}"
+        join_domain_linux_service_account_password: "{{ secretsmanager_passwords_dict['service_account'].passwords['password'] }}"
+
+  when: not use_ssm_params
+
+- name: Get SSM params
+  block:
+    - name: Get SSM parameters
+      import_role:
+        name: ssm-passwords
+      vars:
+        ssm_passwords: "{{ service_account_ssm_passwords }}"
+
+    - name: Get SSM parameters
+      set_fact:
+        join_domain_linux_service_account_username: "{{ ssm_passwords_dict['service_account'].passwords['username'] }}"
+        join_domain_linux_service_account_password: "{{ ssm_passwords_dict['service_account'].passwords['password'] }}"
+      when: ssm_passwords_dict is defined
+
+  when: use_ssm_params
 
-- name: Check parameters
+- name: Check secrets
   set_fact:
     all_variables_set: true
   when:
     - join_domain_linux_service_account_username|length > 0
     - join_domain_linux_service_account_password|length > 0
 
-- name: Fail if missing parameters
+- name: Fail if missing secrets
   fail:
     msg: Ensure all required parameters are set
   when: not all_variables_set|default(false)
@@ -11,11 +11,15 @@ misload_monitoring_cron:
     job: "su oracle -c '/home/oracle/admin/misload_scripts/{{ misload_monitoring_script }}' | logger -p local3.info -t misload"
 
 misload_dbname: "{{ ec2.tags['misload-dbname'] }}"
-misload_ssm_parameter: "/oracle/database/{{ misload_dbname }}/misload-config"
-misload_ssm_passwords:
+misload_secret_parameter: "/oracle/database/{{ misload_dbname }}/misload-config"
+use_ssm_params: false
+misload_secretsmanager_passwords:
   misload:
-    parameter: "{{ misload_ssm_parameter }}"
+    parameter: "{{ misload_secret_parameter }}"
+    secret: "{{ misload_secret_parameter }}"
     users:
       - target:
       - username:
       - password:
+
+misload_ssm_passwords: "{{ misload_secretsmanager_passwords }}"
@@ -1,4 +1,45 @@
 ---
+# needs testing
+# - name: Get secretsmanager passwords
+#   block:
+#     - name: secretsmanager passwords
+#       import_role:
+#         name: secretsmanager-passwords
+#       vars:
+#         secretsmanager_passwords: "{{ misload_secretsmanager_passwords }}"
+#       tags:
+#         - always
+#       when: ec2.tags['misload-dbname'] is defined and ansible_facts['distribution'] == "RedHat"
+
+#     - name: secretsmanager passwords
+#       set_fact:
+#         misload_target: "{{ secretsmanager_passwords_dict['misload'].passwords['target'] }}"
+#         misload_username: "{{ secretsmanager_passwords_dict['misload'].passwords['username'] }}"
+#         misload_password: "{{ secretsmanager_passwords_dict['misload'].passwords['password'] }}"
+#       when: secretsmanager_passwords_dict is defined
+
+#   when: not use_ssm_params
+
+# - name: Get SSM params
+#   block:
+#     - name: Get SSM parameters
+#       import_role:
+#         name: ssm-passwords
+#       vars:
+#         ssm_passwords: "{{ misload_ssm_passwords }}"
+#       tags:
+#         - always
+#       when: ec2.tags['misload-dbname'] is defined and ansible_facts['distribution'] == "RedHat"
+
+#     - name: Get SSM parameters
+#       set_fact:
+#         misload_target: "{{ ssm_passwords_dict['misload'].passwords['target'] }}"
+#         misload_username: "{{ ssm_passwords_dict['misload'].passwords['username'] }}"
+#         misload_password: "{{ ssm_passwords_dict['misload'].passwords['password'] }}"
+#       when: ssm_passwords_dict is defined
+
+#   when: use_ssm_params
+
 - name: Get misload config
   import_role:
     name: ssm-passwords

@@ -2,8 +2,8 @@
 
 export PATH=$PATH:/usr/local/bin
 
-target=$(aws ssm get-parameter --name "{{ misload_ssm_parameter }}" --query Parameter.Value --with-decryption --output text | jq -r .target)
-username=$(aws ssm get-parameter --name "{{ misload_ssm_parameter }}" --query Parameter.Value --with-decryption --output text | jq -r .username)
-password=$(aws ssm get-parameter --name "{{ misload_ssm_parameter }}" --query Parameter.Value --with-decryption --output text | jq -r .password)
+target=$(aws ssm get-parameter --name "{{ misload_secret_parameter }}" --query Parameter.Value --with-decryption --output text | jq -r .target)
+username=$(aws ssm get-parameter --name "{{ misload_secret_parameter }}" --query Parameter.Value --with-decryption --output text | jq -r .username)
+password=$(aws ssm get-parameter --name "{{ misload_secret_parameter }}" --query Parameter.Value --with-decryption --output text | jq -r .password)
 
 {{ ansible_python_interpreter }} /usr/local/share/winrm_connection_check.py -u "$username" -p "$password" -t "$target"
@@ -2,14 +2,14 @@
 
 export PATH=$PATH:/usr/local/bin
 
-target=$(aws ssm get-parameter --name "{{ misload_ssm_parameter }}" --query Parameter.Value --with-decryption --output text | jq -r .target)
-username=$(aws ssm get-parameter --name "{{ misload_ssm_parameter }}" --query Parameter.Value --with-decryption --output text | jq -r .username)
-password=$(aws ssm get-parameter --name "{{ misload_ssm_parameter }}" --query Parameter.Value --with-decryption --output text | jq -r .password)
+target=$(aws ssm get-parameter --name "{{ misload_secret_parameter }}" --query Parameter.Value --with-decryption --output text | jq -r .target)
+username=$(aws ssm get-parameter --name "{{ misload_secret_parameter }}" --query Parameter.Value --with-decryption --output text | jq -r .username)
+password=$(aws ssm get-parameter --name "{{ misload_secret_parameter }}" --query Parameter.Value --with-decryption --output text | jq -r .password)
 
 if [[ -z $target || $target == "null" || $target == "None" ||
       -z $username || $username == "null" || $username == "None" ||
       -z $password || $password == "null" || $password == "None" ]]; then
-  echo "Could not retrieve config from {{ misload_ssm_parameter }}"
+  echo "Could not retrieve config from {{ misload_secret_parameter }}"
   echo "misload_status 1" > /opt/textfile_monitoring/misload_status.prom
   exit 1
 fi

@@ -12,12 +12,16 @@ app_db_name: "{{ ec2.tags['oracle-db-name'] }}"
 db_configs: {}
 db_config: "{{ db_configs[app_db_name] }}"
 
-app_ssm_passwords:
+use_ssm_params: false
+app_secretsmanager_passwords:
   db:
     parameter: "/oracle/database/{{ db_config.db_name }}/weblogic-passwords"
+    secret: "/oracle/database/{{ db_config.db_name }}/weblogic-passwords"
     users:
       - oms_owner:
 
+app_ssm_passwords: "{{ app_secretsmanager_passwords }}"
+
 nomis_releases:
   # - { name: DB_V11.2.1.1.203.1, web_config_files: 0, db_patch_updated: 0 }
   # - { name: DB_V11.2.1.1.204, web_config_files: 0, db_patch_updated: 1 }

@@ -24,17 +24,36 @@
   # block
   when: db_server_file.stat.exists
 
-- name: Get SSM parameters
-  import_role:
-    name: ssm-passwords
-  vars:
-    ssm_passwords: "{{ app_ssm_passwords }}"
+- name: Get secretsmanager passwords
+  block:
+    - name: secretsmanager passwords
+      import_role:
+        name: secretsmanager-passwords
+      vars:
+        secretsmanager_passwords: "{{ app_secretsmanager_passwords }}"
 
-- name: Get SSM parameters
-  set_fact:
-    app_db_password: "{{ ssm_passwords_dict['db'].passwords[app_db_username] }}"
+    - name: secretsmanager passwords
+      set_fact:
+        app_db_password: "{{ secretsmanager_passwords_dict['db'].passwords[app_db_username] }}"
+
+  when: not use_ssm_params
+
+- name: Get SSM params
+  block:
+    - name: Get SSM parameters
+      import_role:
+        name: ssm-passwords
+      vars:
+        ssm_passwords: "{{ app_ssm_passwords }}"
+
+    - name: Get SSM parameters
+      set_fact:
+        app_db_password: "{{ ssm_passwords_dict['db'].passwords[app_db_username] }}"
+      when: ssm_passwords_dict is defined
+
+  when: use_ssm_params
 
-- name: Check all SSM parameters and tags are set
+- name: Check all secrets and tags are set
   set_fact:
     app_all_variables_set: true
   when:

@@ -13,9 +13,12 @@ db_standby_name: None
 db_primary: "{{ db_configs[ db_primary_name ] }}"
 db_standby: "{{ db_configs[ db_standby_name ] }}"
 
-# ensure sys password is defined in the standby DB passwords SSM parameter
-db_ssm_passwords:
+use_ssm_params: false
+db_secretsmanager_passwords:
   db:
     parameter: "/oracle/database/{{ db_standby.db_name }}/passwords"
+    secret: "/oracle/database/{{ db_standby.db_name }}/passwords"
     users:
       - sys:
+
+db_ssm_passwords: "{{ db_secretsmanager_passwords }}"
@@ -22,15 +22,32 @@
     msg: Cannot have both storage_account_name and s3_bucket defined in the primary db_config
   when: db_primary.storage_account_name is defined and db_primary.s3_bucket is defined
 
-- name: Get DB passwords
-  import_role:
-    name: ssm-passwords
-  vars:
-    ssm_passwords: "{{ db_ssm_passwords }}"
+- name: Get secretsmanager passwords
+  block:
+    - name: secretsmanager passwords
+      import_role:
+        name: secretsmanager-passwords
+      vars:
+        secretsmanager_passwords: "{{ db_secretsmanager_passwords }}"
 
-- name: Set sys password fact
-  set_fact:
-    db_sys_password: "{{ ssm_passwords_dict['db'].passwords['sys'] }}"
+    - name: secretsmanager passwords
+      set_fact:
+        db_sys_password: "{{ secretsmanager_passwords_dict['db'].passwords['sys'] }}"
+  when: not use_ssm_params
+
+- name: Get SSM params
+  block:
+    - name: Get SSM parameters
+      import_role:
+        name: ssm-passwords
+      vars:
+        ssm_passwords: "{{ db_ssm_passwords }}"
+
+    - name: Get SSM parameters
+      set_fact:
+        db_sys_password: "{{ ssm_passwords_dict['db'].passwords['sys'] }}"
+      when: ssm_passwords_dict is defined
+  when: use_ssm_params
 
 - block:
     - name: Get Egress Ip

@@ -2,8 +2,12 @@
 stage: /u02/stage
 oracle_install_user: oracle
 oracle_install_group: oinstall
-db_ssm_passwords:
+use_ssm_params: false
+db_secretsmanager_passwords:
   db:
     parameter: "/oracle/database/{{ db_name }}/passwords"
+    secret: "/oracle/database/{{ db_name }}/passwords"
     users:
       - sys:
+
+db_ssm_passwords: "{{ db_secretsmanager_passwords }}"
@@ -7,27 +7,6 @@
     owner: "{{ oracle_install_user }}"
     group: "{{ oracle_install_group }}"
 
-- name: Get SSM parameters
-  import_role:
-    name: ssm-passwords
-  vars:
-    ssm_passwords: "{{ db_ssm_passwords }}"
-
-- name: Get SSM parameters
-  set_fact:
-    db_sys_password: "{{ ssm_passwords_dict['db'].passwords['sys'] }}"
-
-- name: Check password is extracted from SSM
-  ansible.builtin.set_fact:
-    db_sys_password_set: true
-  when:
-    - db_sys_password |length > 0
-
-- name: Fail if missing SSM parameters
-  ansible.builtin.fail:
-    msg: Ensure SYS password is in SSM for {{ db_name }} database
-  when: not  db_sys_password_set |default(false)
-
 - name: Create restore point in database {{ db_name }}
   become_user: "{{ oracle_install_user }}"
   ansible.builtin.shell: |

@@ -7,27 +7,6 @@
     owner: "{{ oracle_install_user }}"
     group: "{{ oracle_install_group }}"
 
-- name: Get SSM parameters
-  import_role:
-    name: ssm-passwords
-  vars:
-    ssm_passwords: "{{ db_ssm_passwords }}"
-
-- name: Get SSM parameters
-  set_fact:
-    db_sys_password: "{{ ssm_passwords_dict['db'].passwords['sys'] }}"
-
-- name: Check password is extracted from SSM
-  ansible.builtin.set_fact:
-    db_sys_password_set: true
-  when:
-    - db_sys_password |length > 0
-
-- name: Fail if missing SSM parameters
-  ansible.builtin.fail:
-    msg: Ensure SYS password is in SSM for {{ db_name }} database
-  when: not  db_sys_password_set |default(false)
-
 - name: Drop restore point in database {{ db_name }}
   become_user: "{{ oracle_install_user }}"
   ansible.builtin.shell: |
Original file line number	Diff line number	Diff line change
Expand Up		@@ -6,3 +6,5 @@ ami_roles_list:

		# the below vars are defined in multiple groups. Keep the values the same to avoid unexpected behaviour
		roles_list: "{{ (ami_roles_list \| default([]) \| difference(server_type_roles_list \| default([]))) + (server_type_roles_list \| default([])) }}"

		use_ssm_params: true
Original file line number	Diff line number	Diff line change
Expand Up		@@ -5,3 +5,5 @@ server_type_roles_list:
		- join-devtest-ad-linux

		roles_list: "{{ (ami_roles_list \| default([]) \| difference(server_type_roles_list \| default([]))) + (server_type_roles_list \| default([])) }}"

		use_ssm_params: true