add possibility to disable user/role creation in logstash

docs/role-logstash.md

@@ -69,10 +69,12 @@ Aside from `logstash.yml` we can manage Logstashs pipelines.
 * *logstash_cert_will_expire_soon*: Set it to true to renew logstash certificate (default: `false`), Or run the playbook with `--tags renew_logstash_cert` to do that.
 * *logstash_elasticsearch*: Address of Elasticsearch instance for default output (default: list of Elasticsearch nodes from `elasticsearch` role or `localhost` when used standalone)
 * *logstash_security*: Enable X-Security (No default set, but will be activated when in full stack mode)
-* *logstash_user*: Name of the user to connect to Elasticsearch (Default: `logstash_writer`)
-* *logstash_user_email*: email-address that is linked with the logstash_user (Default: `""`)
-* *logstash_user_fullname*: fullname that is linked with the logstash_user (Default: `Internal Logstash User`)
-* *logstash_user_password*: Password of `logstash_user` in Elasticsearch. It must be at least 6 characters long (default: `password`)
+* *logstash_create_user*: Enables creation `logstash_user_name` (Default: `true`)
+* *logstash_user_name*: Name of the user to connect to Elasticsearch (Default: `logstash_writer`)
+* *logstash_user_email*: email-address that is linked with the logstash_user_name (Default: `""`)
+* *logstash_user_fullname*: fullname that is linked with the logstash_user_name (Default: `Internal Logstash User`)
+* *logstash_user_password*: Password of `logstash_user_name` in Elasticsearch. It must be at least 6 characters long (default: `password`)
+* *logstash_create_role*: Enables creation `logstash_role_name` (Default: `true`)
 * *logstash_role_name*: Name of the logstash role that is getting created (Default: `logstash_writer`)
 * *logstash_role_cluster_privileges*: Cluster privileges the role has access to (default: `"manage_index_templates", "monitor", "manage_ilm"`)
 * *logstash_role_indicies_names*: Indices the role has access to (default: `"ecs-logstash*", "logstash*", "logs*"`)

roles/logstash/defaults/main.yml

@@ -44,7 +44,9 @@ logstash_forwarder_queue_type: memory
 logstash_forwarder_queue_max_bytes: 1gb
 logstash_sniffing: false
 
-# logstash security
+# logstash role / user
+logstash_create_role: true
+logstash_role_name: logstash_writer
 logstash_role_cluster_privileges:
   - manage_index_templates
   - monitor
@@ -60,13 +62,14 @@ logstash_role_indicies_privileges:
   - create_index
   - manage
   - manage_ilm
-logstash_role_name: logstash_writer
-logstash_user: logstash_writer
+logstash_create_user: true
+logstash_user_name: logstash_writer
 logstash_user_password: password
 logstash_user_email: ""
 logstash_user_fullname: "Internal Logstash User"
 logstash_reset_writer_role: true
 
+# logstash security
 logstash_tls_key_passphrase: LogstashChangeMe
 logstash_certs_dir: /etc/logstash/certs
 logstash_cert_validity_period: 1095

roles/logstash/tasks/logstash-security.yml

@@ -376,10 +376,11 @@
     auth_pass: "{{ logstash_elasticstack_password.stdout }}"
     verify_certs: true
     ca_certs: "{{ logstash_certs_dir }}/ca.crt"
+  when: logstash_create_role | bool
 
-- name: Create logstash user {{ logstash_user }}
+- name: Create logstash user {{ logstash_user_name }}
   netways.elasticstack.elasticsearch_user:
-    name: "{{ logstash_user }}"
+    name: "{{ logstash_user_name }}"
     fullname: "{{ logstash_user_fullname }}"
     password: "{{ logstash_user_password }}"
     email: "{{ logstash_user_email }}"
@@ -392,3 +393,4 @@
     auth_pass: "{{ logstash_elasticstack_password.stdout }}"
     verify_certs: false
     ca_certs: "{{ logstash_certs_dir }}/ca.crt"
+  when: logstash_create_user | bool

roles/logstash/templates/elasticsearch-output.conf.j2

@@ -36,7 +36,7 @@ output {
     keystore_password => "{{ logstash_tls_key_passphrase }}"
     cacert => "{{ logstash_certs_dir }}/ca.crt"
     ssl => true
-    user => "{{ logstash_user }}"
+    user => "{{ logstash_user_name }}"
     password => "{{ logstash_user_password }}"
 {% endif %}
   }