Move 'api_pass' variable in a separate var file so it's possibile to encrypt it with ansible-vault

Improve the task tags
2018-03-29 20:27:05 +02:00 · 2018-03-29 20:27:05 +02:00 · cea70a3fbd
commit cea70a3fbd
parent 6cb6d3bda8
5 changed files with 20 additions and 7 deletions
--- a/ansible-wazuh-agent/defaults/main.yml
+++ b/ansible-wazuh-agent/defaults/main.yml
@ -4,9 +4,8 @@ wazuh_managers:
    port: 1514
    protocol: tcp
    api_port: 55000
-    api_proto: 'https'
+    api_proto: 'http'
    api_user: null
-    api_password: null
 wazuh_profile: null
 wazuh_auto_restart: 'yes'
 wazuh_agent_authd:
--- a/ansible-wazuh-agent/tasks/Linux.yml
+++ b/ansible-wazuh-agent/tasks/Linux.yml
@ -23,6 +23,7 @@
      include_vars: authd_pass.yml
      tags:
        - config
+        - authd

    - name: Copy CA, SSL key and cert for authd
      copy:
@ -35,6 +36,7 @@
        - "{{ wazuh_agent_authd.ssl_agent_key }}"
      tags:
        - config
+        - authd
      when:
        - wazuh_agent_authd.ssl_agent_ca is not none

@ -56,6 +58,7 @@
        - wazuh_managers.0.address is not none
      tags:
        - config
+        - authd

    - name: Linux | Verify agent registration
      shell: echo {{ agent_auth_output }} | grep "Valid key created"
@ -64,12 +67,19 @@
        - wazuh_managers.0.address is not none
      tags:
        - config
+        - authd

  when: wazuh_agent_authd.enable == true

 - name: Linux | Agent registration via rest-API
  block:

+    - name: Retrieving authd Credentials
+      include_vars: authd_pass.yml
+      tags:
+        - config
+        - api
+
    - name: Linux | Create the agent key via rest-API
      uri:
        url: "{{ wazuh_managers.0.api_proto }}://{{ wazuh_managers.0.address }}:{{ wazuh_managers.0.api_port }}/agents/"
@ -81,7 +91,7 @@
        headers:
          Content-Type: "application/json"
        user: "{{ wazuh_managers.0.api_user }}"
-        password: "{{ wazuh_managers.0.api_password }}"
+        password: "{{ api_pass }}"
      register: newagent_api
      changed_when: newagent_api.json.error == 0
      when:
@ -100,7 +110,7 @@
        method: GET
        return_content: yes
        user: "{{ wazuh_managers.0.api_user }}"
-        password: "{{ wazuh_managers.0.api_password }}"
+        password: "{{ api_pass }}"
      when:
        - check_keys.stat.size == 0
        - wazuh_managers.0.address is not none
@ -128,9 +138,10 @@
        - newagent_api.changed
      tags:
        - config
+        - api
      notify: restart wazuh-agent

-  when: wazuh_agent_authd.enable == false
+  when: wazuh_agent_authd.enable == false and ( wazuh_managers.0.api_user is defined and api_pass is defined )

 - name: Linux | Vuls integration deploy (runs in background, can take a while)
  command: /var/ossec/wodles/vuls/deploy_vuls.sh {{ ansible_distribution|lower }} {{ ansible_distribution_major_version|int }}
--- a/ansible-wazuh-agent/vars/api_pass.yml
+++ b/ansible-wazuh-agent/vars/api_pass.yml
@ -0,0 +1,3 @@
+---
+# We recommend the use of Ansible Vault to protect Wazuh, api, agentless and authd credentials.
+#api_pass: 'changeme'
--- a/ansible-wazuh-agent/vars/authd_pass.yml
+++ b/ansible-wazuh-agent/vars/authd_pass.yml
@ -1,2 +1,3 @@
 ---
+# We recommend the use of Ansible Vault to protect Wazuh, api, agentless and authd credentials.
 #authd_pass: 'foobar'
--- a/wazuh-agent.yml
+++ b/wazuh-agent.yml
@ -7,9 +7,8 @@
        port: 1514
        protocol: udp
        api_port: 55000
-        api_proto: 'https'
+        api_proto: 'http'
        api_user: ansible
-        api_password: changeme
    wazuh_agent_authd:
      enable: true
      port: 1515