afmarulanda/wazuh-ansible-4.8.1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1e8cc831cf
wazuh-ansible-4.8.1/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml
Manuel Gutierrez 1e8cc831cf Remove become from local task
2019-10-09 16:47:41 +02:00

212 lines
6.0 KiB
YAML
Raw Blame History

- name: Check if certificate exists locally
stat:
path: "{{ node_certs_destination }}/{{ elasticsearch_node_name }}.crt"
register: certificate_file_exists
- name: Write the instances.yml file in the selected node (force = no)
template:
src: instances.yml.j2
dest: "{{ node_certs_source }}/instances.yml"
force: no
register: instances_file_exists
tags:
- config
- xpack-security
when:
- node_certs_generator
- not certificate_file_exists.stat.exists
- name: Update instances.yml status after generation
stat:
path: "{{ node_certs_source }}/instances.yml"
register: instances_file_exists
when:
- node_certs_generator
- name: Check if the certificates ZIP file exists
stat:
path: "{{ node_certs_source }}/certs.zip"
register: xpack_certs_zip
when:
- node_certs_generator
- name: Importing custom CA key
copy:
src: "{{ master_certs_path }}/ca/{{ ca_key_name }}"
dest: "{{ node_certs_source }}/{{ ca_key_name }}"
mode: '0664'
when:
- not generate_CA
- node_certs_generator
tags: xpack-security
- name: Importing custom CA cert
copy:
src: "{{ master_certs_path }}/ca/{{ ca_cert_name }}"
dest: "{{ node_certs_source }}/{{ ca_cert_name }}"
mode: '0664'
when:
- not generate_CA
- node_certs_generator
tags: xpack-security
- name: Generating certificates for Elasticsearch security (generating CA)
command: >-
/usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem
--in {{ node_certs_source }}/instances.yml
--out {{ node_certs_source }}/certs.zip
when:
- node_certs_generator
- not xpack_certs_zip.stat.exists
- generate_CA
tags:
- xpack-security
- molecule-idempotence-notest
- name: Generating certificates for Elasticsearch security (using provided CA | Without CA Password)
command: >-
/usr/share/elasticsearch/bin/elasticsearch-certutil cert
--ca-key {{ node_certs_source }}/{{ ca_key_name }}
--ca-cert {{ node_certs_source }}/{{ ca_cert_name }}
--pem --in {{ node_certs_source }}/instances.yml
--out {{ node_certs_source }}/certs.zip
when:
- node_certs_generator
- not xpack_certs_zip.stat.exists
- not generate_CA
- ca_password | length == 0
tags:
- xpack-security
- molecule-idempotence-notest
- name: Generating certificates for Elasticsearch security (using provided CA | Using CA Password)
command: >-
/usr/share/elasticsearch/bin/elasticsearch-certutil cert
--ca-key {{ node_certs_source }}/{{ ca_key_name }}
--ca-cert {{ node_certs_source }}/{{ ca_cert_name }}
--pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip
--ca-pass {{ ca_password }}
when:
- node_certs_generator
- not xpack_certs_zip.stat.exists
- not generate_CA
- ca_password | length > 0
tags:
- xpack-security
- molecule-idempotence-notest
- name: Verify the Elastic certificates directory
file:
path: "{{ master_certs_path }}"
state: directory
mode: '0700'
delegate_to: "127.0.0.1"
when:
- node_certs_generator
- name: Verify the Certificates Authority directory
file:
path: "{{ master_certs_path }}/ca/"
state: directory
mode: '0700'
delegate_to: "127.0.0.1"
when:
- node_certs_generator
- name: Copying certificates to Ansible master
fetch:
src: "{{ node_certs_source }}/certs.zip"
dest: "{{ master_certs_path }}/"
flat: yes
mode: 0700
when:
- node_certs_generator
tags:
- xpack-security
- molecule-idempotence-notest
- name: Delete certs.zip in Generator node
file:
state: absent
path: "{{ node_certs_source }}/certs.zip"
when:
- node_certs_generator
tags: molecule-idempotence-notest
- name: Unzip generated certs.zip
unarchive:
src: "{{ master_certs_path }}/certs.zip"
dest: "{{ master_certs_path }}/"
delegate_to: "127.0.0.1"
when:
- node_certs_generator
tags:
- xpack-security
- molecule-idempotence-notest
- name: Copying node's certificate from master
copy:
src: "{{ item }}"
dest: "{{ node_certs_destination }}/"
with_items:
- "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key"
- "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt"
- "{{ master_certs_path }}/ca/ca.crt"
when:
- generate_CA
tags:
- xpack-security
- molecule-idempotence-notest
- name: Copying node's certificate from master (Custom CA)
copy:
src: "{{ item }}"
dest: "{{ node_certs_destination }}/"
with_items:
- "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key"
- "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt"
- "{{ master_certs_path }}/ca/{{ ca_cert_name }}"
when:
- not generate_CA
tags:
- xpack-security
- molecule-idempotence-notest
- name: Ensuring folder permissions
file:
path: "{{ node_certs_destination }}/"
mode: '0774'
state: directory
recurse: yes
when:
- elasticsearch_xpack_security
- generate_CA
tags: xpack-security
- name: Set elasticsearch bootstrap password
shell: |
set -o pipefail
echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password
args:
executable: /bin/bash
when:
- node_certs_generator
tags: molecule-idempotence-notest
- name: Create elasticsearch users
uri:
url: "https://{{ elasticsearch_reachable_host }}:9200/_security/user/{{ item.key }}"
method: POST
body_format: json
user: "{{ elasticsearch_xpack_security_user }}"
password: "{{ elasticsearch_xpack_security_password }}"
body: '{ "password" : "{{ item.value["password"] }}", "roles" : {{ item.value["roles"] }} }'
validate_certs: no
loop: "{{ elasticsearch_xpack_users|default({})|dict2items }}"
register: http_response
failed_when: http_response.status != 200
when:
- elasticsearch_xpack_users is defined
- node_certs_generator
Reference in New Issue View Git Blame Copy Permalink