From f8bda2f7c7c58e9559101c8b5fd224391913ed0f Mon Sep 17 00:00:00 2001
From: Jose M <jm.garcia@wazuh.com>
Date: Mon, 5 Aug 2019 12:34:42 +0200
Subject: [PATCH] Move xpack_security tasks from main.yml to xpack_security.yml

---
 .../ansible-elasticsearch/tasks/main.yml      | 137 +-----------------
 .../tasks/xpack_security.yml                  | 126 ++++++++++++++++
 2 files changed, 128 insertions(+), 135 deletions(-)
 create mode 100644 roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml

diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml
index def0b46d..85706199 100644
--- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml
+++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml
@@ -10,16 +10,6 @@
   when:
     - ansible_service_mgr == "systemd"
 
-- name: Install unzip dependency.
-  package:
-    name: unzip
-    state: present
-  delegate_to: "127.0.0.1"
-  when:
-    - node_certs_generator
-    - elasticsearch_xpack_security
-    
-
 - name: Configure Elasticsearch System Resources.
   template:
     src: elasticsearch_systemd.conf.j2
@@ -73,126 +63,10 @@
 - import_tasks: "RMRedHat.yml"
   when: ansible_os_family == "RedHat"
 
-- name: Check if certificate exists locally
-  stat:
-    path: "{{ node_certs_destination }}/{{ elasticsearch_node_name }}.crt"
-  register: certificate_file_exists
+- import_tasks: "xpack_security.yml"
   when:
     - elasticsearch_xpack_security
 
-- name: Write the instances.yml file in the selected node (force = no)
-  template:
-    src: instances.yml.j2
-    dest: "{{ node_certs_source }}/instances.yml"
-    force: no
-  register: instances_file_exists
-  tags:
-    - config
-    - xpack-security
-  when:
-    - node_certs_generator
-    - elasticsearch_xpack_security
-    - not certificate_file_exists.stat.exists
-
-- name: Update instances.yml status after generation
-  stat:
-    path: "{{ node_certs_source }}/instances.yml"
-  register: instances_file_exists
-  when:
-    - node_certs_generator
-    - elasticsearch_xpack_security
-
-- name: Check if the certificates ZIP file exists
-  stat:
-    path: "{{ node_certs_source }}/certs.zip"
-  register: xpack_certs_zip
-  when:
-    - node_certs_generator
-    - elasticsearch_xpack_security
-
-- name: Generating certificates for Elasticsearch security
-  shell: >-
-    /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in 
-    {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip
-  when:
-    - node_certs_generator
-    - elasticsearch_xpack_security
-    - not xpack_certs_zip.stat.exists
-  register: certs_file_generated
-  tags: xpack-security
-
-- name: Create the certificates directory
-  file:
-    path: "{{master_certs_destination}}"
-    state: directory
-    mode: '0700'
-  delegate_to: "127.0.0.1"
-  when: 
-    - node_certs_generator
-    - elasticsearch_xpack_security
-
-- name: Copying certificates to Ansible master
-  fetch:
-    src: "{{node_certs_source}}/certs.zip"
-    dest: "{{master_certs_destination}}/"
-    flat: yes
-    mode: 0700
-  when: 
-    - node_certs_generator
-    - elasticsearch_xpack_security
-  tags: xpack-security
-
-- name: Delete certs.zip in Generator node
-  file:
-    state: absent
-    path: "{{ node_certs_source }}/certs.zip"
-  when: 
-    - node_certs_generator
-    - elasticsearch_xpack_security
-
-- name: Unzip generated certs.zip
-  unarchive:
-    src: "{{master_certs_destination}}/certs.zip"
-    dest: "{{master_certs_destination}}/"
-  become: true
-  delegate_to: "127.0.0.1"
-  when: 
-    - node_certs_generator
-    - elasticsearch_xpack_security
-  tags: xpack-security
-
-- name: Ensuring certificates folder owner
-  file:
-    path: "{{ node_certs_destination }}/"
-    state: directory
-    recurse: yes
-    owner: elasticsearch
-    group: elasticsearch
-  when:
-    - elasticsearch_xpack_security
-  tags: xpack-security
-
-- name: Ensuring certificates folder owner
-  file:
-    path: "{{ node_certs_destination }}/"
-    mode: '0770'
-    recurse: yes
-  when:
-    - elasticsearch_xpack_security
-  tags: xpack-security
-
-- name: Copying node's certificate from master
-  copy:
-    src: "{{item}}"
-    dest: "{{node_certs_destination}}/"
-  with_items: 
-    - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key" 
-    - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt"
-    - "{{master_certs_destination}}/ca/ca.crt"
-  when:
-    - elasticsearch_xpack_security
-  tags: xpack-security
-
 - name: Configure Elasticsearch.
   template:
     src: elasticsearch.yml.j2
@@ -202,14 +76,7 @@
     mode: 0660
   notify: restart elasticsearch
   tags: configure
-
-- name: Set elasticsearch bootstrap password
-  shell: >-
-     echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password
-  when:
-    - node_certs_generator
-    - elasticsearch_xpack_security
-    
+  
 - name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.conf
   lineinfile:
     path: /etc/security/limits.conf
diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml
new file mode 100644
index 00000000..3d9f3f7d
--- /dev/null
+++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml
@@ -0,0 +1,126 @@
+
+- name: Install unzip dependency.
+  package:
+    name: unzip
+    state: present
+  delegate_to: "127.0.0.1"
+  when:
+    - node_certs_generator
+
+- name: Check if certificate exists locally
+  stat:
+    path: "{{ node_certs_destination }}/{{ elasticsearch_node_name }}.crt"
+  register: certificate_file_exists
+
+- name: Write the instances.yml file in the selected node (force = no)
+  template:
+    src: instances.yml.j2
+    dest: "{{ node_certs_source }}/instances.yml"
+    force: no
+  register: instances_file_exists
+  tags:
+    - config
+    - xpack-security
+  when:
+    - node_certs_generator
+    - not certificate_file_exists.stat.exists
+
+- name: Update instances.yml status after generation
+  stat:
+    path: "{{ node_certs_source }}/instances.yml"
+  register: instances_file_exists
+  when:
+    - node_certs_generator
+
+- name: Check if the certificates ZIP file exists
+  stat:
+    path: "{{ node_certs_source }}/certs.zip"
+  register: xpack_certs_zip
+  when:
+    - node_certs_generator
+
+- name: Generating certificates for Elasticsearch security (generating CA)
+  shell: >-
+    /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in 
+    {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip
+  when:
+    - node_certs_generator
+    - not xpack_certs_zip.stat.exists
+  tags: xpack-security
+
+- name: Generating certificates for Elasticsearch security (using provided CA)
+  shell: /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-key /usr/share/elasticsearch/myCA.key --ca-cert /usr/share/elasticsearch/myCA.pem --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip
+  when:
+    - node_certs_generator
+    - not xpack_certs_zip.stat.exists
+  tags: xpack-security 
+
+- name: Create the certificates directory
+  file:
+    path: "{{master_certs_destination}}"
+    state: directory
+    mode: '0700'
+  delegate_to: "127.0.0.1"
+  when: 
+    - node_certs_generator
+
+- name: Copying certificates to Ansible master
+  fetch:
+    src: "{{node_certs_source}}/certs.zip"
+    dest: "{{master_certs_destination}}/"
+    flat: yes
+    mode: 0700
+  when: 
+    - node_certs_generator
+  tags: xpack-security
+
+- name: Delete certs.zip in Generator node
+  file:
+    state: absent
+    path: "{{ node_certs_source }}/certs.zip"
+  when: 
+    - node_certs_generator
+    
+
+- name: Unzip generated certs.zip
+  unarchive:
+    src: "{{master_certs_destination}}/certs.zip"
+    dest: "{{master_certs_destination}}/"
+  become: true
+  delegate_to: "127.0.0.1"
+  when: 
+    - node_certs_generator
+  tags: xpack-security
+
+- name: Ensuring certificates folder owner
+  file:
+    path: "{{ node_certs_destination }}/"
+    state: directory
+    recurse: yes
+    owner: elasticsearch
+    group: elasticsearch
+  tags: xpack-security
+
+- name: Ensuring certificates folder owner
+  file:
+    path: "{{ node_certs_destination }}/"
+    mode: '0770'
+    recurse: yes
+  tags: xpack-security
+
+- name: Copying node's certificate from master
+  copy:
+    src: "{{item}}"
+    dest: "{{node_certs_destination}}/"
+  with_items: 
+    - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key" 
+    - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt"
+    - "{{master_certs_destination}}/ca/ca.crt"
+  tags: xpack-security
+
+- name: Set elasticsearch bootstrap password
+  shell: >-
+     echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password
+  when:
+    - node_certs_generator
+    
\ No newline at end of file