diff --git a/README.md b/README.md index 5b14ab27..63f4c98e 100644 --- a/README.md +++ b/README.md @@ -2,6 +2,9 @@ ![Test ElasticStack](https://github.com/NETWAYS/ansible-collection-elasticstack/actions/workflows/test_full_stack.yml/badge.svg) +> [!CAUTION] +> The current main branch has some breaking changes. Be careful using it! Everything after commit 3d6673f6d526afeb0fd7ba382d067d76bd10bbd6 is affected! + This collection installs and manages the Elastic Stack. It provides roles for every component of the Stack. Furthermore, it is possible to differentiate between Enterprise or OSS releases. Every role is documented with all variables, please refer to the documentation found in **[Getting-Started](./docs/getting-started.md)** @@ -10,6 +13,9 @@ Every role is documented with all variables, please refer to the documentation f ## Roles documentation +> [!NOTE] +> Some roles have fixed requirements that you must observe. Please have a look at the [requirements](docs/01-requirements.md) before using the collection. (There is a high probability that some of them will be refactored soon) + * [Beats](docs/role-beats.md) * [Elasticsearch](docs/role-elasticsearch.md) * [Kibana](docs/role-kibana.md) diff --git a/docs/01-requirements.md b/docs/01-requirements.md new file mode 100644 index 00000000..9e78c5c2 --- /dev/null +++ b/docs/01-requirements.md @@ -0,0 +1,11 @@ +# Requirements + +There are some requirements that the user have to fulfill while using the collection. Some of them will be refactored and disappear from the list soon. + +**Inventory names** + +The collection provides roles for several tools (elasticsearch, kibana, ...). In some tasks hosts from the specific inventory group are fetched. The group names are customizable via variables. But using different inventory names than provided inside the variables will result in errors. + +**elasticstack_ca_host** + +This is a mandatory variable. It is used to define the host that will be used as "CA host". Per default it is already defined (first host inside the group `elasticstack_elasticsearch_group_name`). In case you are using different group names, this variable wont be set with a defualt value. \ No newline at end of file diff --git a/docs/role-elasticsearch.md b/docs/role-elasticsearch.md index 693dac09..fa7f5620 100644 --- a/docs/role-elasticsearch.md +++ b/docs/role-elasticsearch.md @@ -60,7 +60,7 @@ The following variable was only integrated to speed up upgrades of non-productio These variables are identical over all our elastic related roles, hence the different naming schemes. -* *elasticstack_ca*: Set to the inventory hostname of the host that should house the CA for certificates for inter-node communication. (default: First node in the `elasticsearch` host group) +* *elasticstack_ca_host*: Set to the inventory hostname of the host that should house the CA for certificates for inter-node communication. (default: First node in the `elasticsearch` host group) * *elasticstack_ca_name*: Distinguished name of the CA. (default: `CN=Elastic Certificate Tool Autogenerated CA`) * *elasticstack_ca_pass*: Password for Elasticsearch CA (default: `PleaseChangeMe`) * *elasticstack_ca_validity_period*: number of days that the generated CA are valid (default: 1095). diff --git a/docs/role-kibana.md b/docs/role-kibana.md index 0581b9ff..f1df2640 100644 --- a/docs/role-kibana.md +++ b/docs/role-kibana.md @@ -32,7 +32,7 @@ These variables are identical over all our elastic related roles, hence the diff * *kibana_cert_will_expire_soon*: Set it to true to renew kibana certificate (default: `false`), Or run the playbook with `--tags renew_kibana_cert` to do that. * *elasticstack_kibana_host*: Hostname users use to connect to Kibana (default: FQDN of the host the role is executed on) * *elasticstack_kibana_port*: Port Kibana webinterface is listening on (default: `5601`) -* *elasticstack_ca*: Set to the inventory hostname of the host that should house the CA for certificates for inter-node communication. (default: First node in the `elasticsearch` host group) +* *elasticstack_ca_host*: Set to the inventory hostname of the host that should house the CA for certificates for inter-node communication. (default: First node in the `elasticsearch` host group) * *elasticstack_ca_dir*: Directory where on the Elasticsearch CA host certificates are stored. This is only useful in connection with out other Elastic Stack related roles. (default: `/opt/es-ca`) * *elasticstack_ca_pass*: Password for Elasticsearch CA (default: `PleaseChangeMe`) * *elasticstack_initial_passwords*: Path to file with initical elasticsearch passwords (default: `/usr/share/elasticsearch/initial_passwords`) diff --git a/roles/beats/tasks/beats-security.yml b/roles/beats/tasks/beats-security.yml index 768babd1..c2191c32 100644 --- a/roles/beats/tasks/beats-security.yml +++ b/roles/beats/tasks/beats-security.yml @@ -1,5 +1,4 @@ --- - - name: Ensure beats certificate exists ansible.builtin.stat: path: "/etc/beats/certs/{{ inventory_hostname }}-beats.crt" @@ -53,9 +52,9 @@ state: absent when: beats_move_cert_directory.changed -- name: Backup beats certs on elasticstack_ca host then remove +- name: Backup beats certs on elasticstack_ca_host then remove when: "'renew_beats_cert' in ansible_run_tags or 'renew_ca' in ansible_run_tags or beats_cert_will_expire_soon | bool" - delegate_to: "{{ elasticstack_ca }}" + delegate_to: "{{ elasticstack_ca_host }}" tags: - renew_ca - renew_beats_cert @@ -134,7 +133,7 @@ --pass {{ beats_tls_key_passphrase }} --pem --out {{ elasticstack_ca_dir }}/{{ ansible_hostname }}-beats.zip - delegate_to: "{{ elasticstack_ca }}" + delegate_to: "{{ elasticstack_ca_host }}" args: creates: "{{ elasticstack_ca_dir }}/{{ ansible_hostname }}-beats.zip" tags: @@ -147,7 +146,7 @@ src: "{{ elasticstack_ca_dir }}/{{ ansible_hostname }}-beats.zip" dest: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}-beats.zip" flat: yes - delegate_to: "{{ elasticstack_ca }}" + delegate_to: "{{ elasticstack_ca_host }}" tags: - certificates - renew_ca @@ -204,7 +203,7 @@ src: "{{ elasticstack_ca_dir }}/ca.crt" dest: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/ca.crt" flat: yes - delegate_to: "{{ elasticstack_ca }}" + delegate_to: "{{ elasticstack_ca_host }}" tags: - certificates - renew_ca @@ -234,4 +233,4 @@ register: beats_writer_password changed_when: false no_log: "{{ elasticstack_no_log }}" - delegate_to: "{{ elasticstack_ca }}" + delegate_to: "{{ elasticstack_ca_host }}" diff --git a/roles/beats/tasks/main.yml b/roles/beats/tasks/main.yml index 319c9eb8..7739e7e5 100644 --- a/roles/beats/tasks/main.yml +++ b/roles/beats/tasks/main.yml @@ -3,6 +3,7 @@ - name: Include global role ansible.builtin.import_role: name: netways.elasticstack.elasticstack + when: not hostvars[inventory_hostname]._elasticstack_role_imported | default(false) - name: Update apt cache. ansible.builtin.apt: diff --git a/roles/elasticsearch/tasks/elasticsearch-security.yml b/roles/elasticsearch/tasks/elasticsearch-security.yml index 3f5fcc75..d1fd178a 100644 --- a/roles/elasticsearch/tasks/elasticsearch-security.yml +++ b/roles/elasticsearch/tasks/elasticsearch-security.yml @@ -4,25 +4,25 @@ ansible.builtin.stat: path: "{{ elasticstack_ca_dir }}/elastic-stack-ca.p12" register: elasticstack_ca_exists - when: inventory_hostname == elasticstack_ca + when: inventory_hostname == elasticstack_ca_host - name: Get CA informations cert_info: path: "{{ elasticstack_ca_dir }}/elastic-stack-ca.p12" passphrase: "{{ elasticstack_ca_pass | default(omit, true) }}" register: elasticstack_ca_infos - when: inventory_hostname == elasticstack_ca and elasticstack_ca_exists.stat.exists | bool + when: inventory_hostname == elasticstack_ca_host and elasticstack_ca_exists.stat.exists | bool - name: Set the ca expiration date in days ansible.builtin.set_fact: elasticstack_ca_expiration_days: "{{ ((elasticstack_ca_infos.not_valid_after | to_datetime()) - (ansible_date_time.date | to_datetime('%Y-%m-%d'))).days }}" - when: inventory_hostname == elasticstack_ca and elasticstack_ca_infos.skipped is not defined + when: inventory_hostname == elasticstack_ca_host and elasticstack_ca_infos.skipped is not defined - name: Set ca will expire soon to true ansible.builtin.set_fact: elasticstack_ca_will_expire_soon: true when: > - inventory_hostname == elasticstack_ca and + inventory_hostname == elasticstack_ca_host and elasticstack_ca_expiration_days is defined and elasticstack_ca_expiration_days | int <= elasticstack_ca_expiration_buffer | int @@ -32,7 +32,7 @@ Your ca will expire in {{ elasticstack_ca_expiration_days }} days. Ansible will renew it and all elastic stack certificates when: > - inventory_hostname == elasticstack_ca and + inventory_hostname == elasticstack_ca_host and elasticstack_ca_expiration_days is defined and elasticstack_ca_expiration_days | int <= elasticstack_ca_expiration_buffer | int @@ -48,7 +48,7 @@ - groups[elasticstack_logstash_group_name] is defined - name: Backup ca directory on elasticsearch ca host then remove - when: (inventory_hostname == elasticstack_ca) and ('renew_ca' in "ansible_run_tags" or elasticstack_ca_will_expire_soon | bool) + when: (inventory_hostname == elasticstack_ca_host) and ('renew_ca' in "ansible_run_tags" or elasticstack_ca_will_expire_soon | bool) tags: - renew_ca block: @@ -149,19 +149,19 @@ state: absent when: elasticsearch_move_cert_directory.changed -- name: Backup elasticsearch certs on elasticstack_ca host then remove +- name: Backup elasticsearch certs on elasticstack_ca_host host then remove when: "'renew_es_cert' in ansible_run_tags or 'renew_ca' in ansible_run_tags or elasticsearch_cert_will_expire_soon | bool" - delegate_to: "{{ elasticstack_ca }}" + delegate_to: "{{ elasticstack_ca_host }}" tags: - renew_ca - renew_es_cert block: - - name: Check if cert file exists on elasticstack_ca host + - name: Check if cert file exists on elasticstack_ca_host host ansible.builtin.stat: path: "{{ elasticstack_ca_dir }}/{{ ansible_hostname }}.p12" register: elasticsearch_check_cert_file - - name: Move cert file on elasticstack_ca host + - name: Move cert file on elasticstack_ca_host ansible.builtin.copy: src: "{{ elasticstack_ca_dir }}/{{ ansible_hostname }}.p12" dest: "{{ elasticstack_ca_dir }}/{{ ansible_hostname }}.p12_{{ ansible_date_time.iso8601_micro }}" @@ -170,7 +170,7 @@ when: elasticsearch_check_cert_file.stat.exists register: elasticsearch_move_cert_file - - name: Remove cert file on elasticstack_ca host + - name: Remove cert file on elasticstack_ca_host ansible.builtin.file: path: "{{ elasticstack_ca_dir }}/{{ ansible_hostname }}.p12" state: absent @@ -217,14 +217,14 @@ - name: Import Tasks elasticsearch-keystore.yml ansible.builtin.import_tasks: elasticsearch-keystore.yml -- name: Create ca and certificates on elasticstack_ca host - when: inventory_hostname == elasticstack_ca +- name: Create ca and certificates on elasticstack_ca_host + when: inventory_hostname == elasticstack_ca_host tags: - certificates - renew_ca - renew_es_cert block: - - name: Configure ca on elasticstack_ca host + - name: Configure ca on elasticstack_ca_host ansible.builtin.command: > /usr/share/elasticsearch/bin/elasticsearch-certutil ca --ca-dn {{ elasticstack_ca_name }} @@ -236,7 +236,7 @@ creates: "{{ elasticstack_ca_dir }}/elastic-stack-ca.p12" no_log: "{{ elasticstack_no_log }}" - - name: Create node certificates on elasticstack_ca host + - name: Create node certificates on elasticstack_ca_host ansible.builtin.command: > /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca {{ elasticstack_ca_dir }}/elastic-stack-ca.p12 @@ -266,7 +266,7 @@ src: "{{ elasticstack_ca_dir }}/ca.crt" dest: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/ca.crt" flat: yes - when: inventory_hostname == elasticstack_ca + when: inventory_hostname == elasticstack_ca_host tags: - certificates - renew_ca @@ -277,7 +277,7 @@ src: "{{ elasticstack_ca_dir }}/{{ ansible_hostname }}.p12" dest: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}.p12" flat: yes - delegate_to: "{{ elasticstack_ca }}" + delegate_to: "{{ elasticstack_ca_host }}" tags: - certificates - renew_ca @@ -361,7 +361,7 @@ - name: Check for passwords being set ansible.builtin.stat: path: "{{ elasticstack_initial_passwords }}" - delegate_to: "{{ elasticstack_ca }}" + delegate_to: "{{ elasticstack_ca_host }}" register: elasticsearch_passwords_file - name: Setting elasticsearch_http_protocol @@ -412,7 +412,7 @@ register: elasticstack_password changed_when: false no_log: "{{ elasticstack_no_log }}" - delegate_to: "{{ elasticstack_ca }}" + delegate_to: "{{ elasticstack_ca_host }}" when: elasticsearch_passwords_file.stat.exists | bool - name: Check for API availability with elastic password @@ -499,7 +499,7 @@ if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi; /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto -b > {{ elasticstack_initial_passwords }} - when: inventory_hostname == elasticstack_ca + when: inventory_hostname == elasticstack_ca_host no_log: "{{ elasticstack_no_log }}" args: creates: "{{ elasticstack_initial_passwords }}" @@ -512,6 +512,6 @@ owner: root group: root mode: 0600 - when: inventory_hostname == elasticstack_ca + when: inventory_hostname == elasticstack_ca_host # Maybe make sure that Elasticsearch is using the right protocol http(s) to connect, even in newly setup clusters diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml index 1516e983..7537197b 100644 --- a/roles/elasticsearch/tasks/main.yml +++ b/roles/elasticsearch/tasks/main.yml @@ -10,6 +10,7 @@ - name: Include global role ansible.builtin.import_role: name: netways.elasticstack.elasticstack + when: not hostvars[inventory_hostname]._elasticstack_role_imported | default(false) - name: Update apt cache. ansible.builtin.apt: @@ -314,8 +315,8 @@ - name: Show hint about passwords ansible.builtin.debug: - msg: "Remember, your temporary passwords can be found on {{ elasticstack_ca }} in {{ elasticstack_initial_passwords }}" + msg: "Remember, your temporary passwords can be found on {{ elasticstack_ca_host }} in {{ elasticstack_initial_passwords }}" when: - elasticsearch_security | bool - elasticstack_variant == "elastic" - - inventory_hostname == elasticstack_ca + - inventory_hostname == elasticstack_ca_host diff --git a/roles/elasticstack/defaults/main.yml b/roles/elasticstack/defaults/main.yml index 4e754120..ee14ca30 100644 --- a/roles/elasticstack/defaults/main.yml +++ b/roles/elasticstack/defaults/main.yml @@ -5,6 +5,7 @@ elasticstack_logstash_group_name: logstash elasticstack_kibana_group_name: kibana elasticstack_beats_port: 5044 +elasticstack_ca_host: "{{ groups[elasticstack_elasticsearch_group_name][0] }}" elasticstack_ca_dir: /opt/es-ca elasticstack_ca_expiration_buffer: 30 elasticstack_ca_name: "CN=Elastic Certificate Tool Autogenerated CA" diff --git a/roles/elasticstack/tasks/elasticstack-passwords.yml b/roles/elasticstack/tasks/elasticstack-passwords.yml index 1f2bc2a1..9a285685 100644 --- a/roles/elasticstack/tasks/elasticstack-passwords.yml +++ b/roles/elasticstack/tasks/elasticstack-passwords.yml @@ -3,7 +3,7 @@ - name: Check for passwords being set ansible.builtin.stat: path: "{{ elasticstack_initial_passwords }}" - delegate_to: "{{ elasticstack_ca }}" + delegate_to: "{{ elasticstack_ca_host }}" register: elasticsearch_passwords_file - name: Fetch Elastic password # noqa: risky-shell-pipe @@ -14,5 +14,5 @@ register: elasticstack_password changed_when: false no_log: "{{ elasticstack_no_log }}" - delegate_to: "{{ elasticstack_ca }}" + delegate_to: "{{ elasticstack_ca_host }}" when: elasticsearch_passwords_file.stat.exists | bool diff --git a/roles/elasticstack/tasks/elasticstack-versions.yml b/roles/elasticstack/tasks/elasticstack-versions.yml index 0f5421f8..c135ac56 100644 --- a/roles/elasticstack/tasks/elasticstack-versions.yml +++ b/roles/elasticstack/tasks/elasticstack-versions.yml @@ -7,7 +7,7 @@ - name: Set target version to Elasticsearch on CA host ansible.builtin.set_fact: elasticstack_version: "{{ ansible_facts.packages['elasticsearch'][0].version }}" - delegate_to: "{{ elasticstack_ca }}" + delegate_to: "{{ elasticstack_ca_host }}" when: - ansible_facts.packages['elasticsearch'][0].version is defined - elasticstack_version is undefined diff --git a/roles/elasticstack/tasks/main.yml b/roles/elasticstack/tasks/main.yml index e8797325..66861b8b 100644 --- a/roles/elasticstack/tasks/main.yml +++ b/roles/elasticstack/tasks/main.yml @@ -1,34 +1,40 @@ --- +- name: Include elasticstack role + when: not hostvars[inventory_hostname]._elasticstack_role_imported | default(false) # Ensure the global meta role is only called once for each host + block: + - name: Include OS specific vars + ansible.builtin.include_vars: '{{ item }}' + with_first_found: + - '{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml' + - '{{ ansible_os_family }}.yml' -- name: Include OS specific vars - ansible.builtin.include_vars: '{{ item }}' - with_first_found: - - '{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml' - - '{{ ansible_os_family }}.yml' + - name: Set elasticstack_ca_host variable if not already done by user + ansible.builtin.set_fact: + elasticstack_ca: "{{ groups[elasticstack_elasticsearch_group_name][0] }}" + when: + - elasticstack_ca_host is undefined + - groups[elasticstack_elasticsearch_group_name][0] is defined -- name: Set elasticstack_ca variable if not already done by user - ansible.builtin.set_fact: - elasticstack_ca: "{{ groups[elasticstack_elasticsearch_group_name][0] }}" - when: - - elasticstack_ca is undefined - - groups[elasticstack_elasticsearch_group_name][0] is defined + - name: Set elasticstack_ca_host variable if not already set to Elasticsearch server + ansible.builtin.set_fact: + elasticstack_ca_host: "{{ groups[elasticstack_logstash_group_name][0] }}" + when: + - elasticstack_ca_host is undefined + - groups[elasticstack_logstash_group_name][0] is defined -- name: Set elasticstack_ca variable if not already set to Elasticsearch server - ansible.builtin.set_fact: - elasticstack_ca: "{{ groups[elasticstack_logstash_group_name][0] }}" - when: - - elasticstack_ca is undefined - - groups[elasticstack_logstash_group_name][0] is defined + - name: Set versions for components + ansible.builtin.import_tasks: elasticstack-versions.yml -- name: Set versions for components - ansible.builtin.import_tasks: elasticstack-versions.yml + - name: Fetch passwords if passwords are initialized + ansible.builtin.import_tasks: elasticstack-passwords.yml -- name: Fetch passwords if passwords are initialized - ansible.builtin.import_tasks: elasticstack-passwords.yml + - name: Set elasticstack_globals_set for other roles to skip this role + ansible.builtin.set_fact: + elasticstack_globals_set: true -- name: Set elasticstack_globals_set for other roles to skip this role - ansible.builtin.set_fact: - elasticstack_globals_set: true + - name: Install common packages and dependencies + ansible.builtin.import_tasks: packages.yml -- name: Install common packages and dependencies - ansible.builtin.import_tasks: packages.yml + - name: Register elasticstack role has run for that host + ansible.builtin.set_fact: + _elasticstack_role_imported: true diff --git a/roles/kibana/tasks/kibana-security.yml b/roles/kibana/tasks/kibana-security.yml index 57fb463f..db4479ed 100644 --- a/roles/kibana/tasks/kibana-security.yml +++ b/roles/kibana/tasks/kibana-security.yml @@ -57,9 +57,9 @@ state: absent when: kibana_move_cert_directory.changed -- name: Backup kibana certs on elasticstack_ca host then remove +- name: Backup kibana certs on elasticstack_ca_host then remove when: "'renew_kibana_cert' in ansible_run_tags or 'renew_ca' in ansible_run_tags or kibana_cert_will_expire_soon | bool" - delegate_to: "{{ elasticstack_ca }}" + delegate_to: "{{ elasticstack_ca_host }}" tags: - renew_ca - renew_kibana_cert @@ -115,7 +115,7 @@ when: kibana_move_cert_file.changed - name: Block for key generation - delegate_to: "{{ elasticstack_ca }}" + delegate_to: "{{ elasticstack_ca_host }}" run_once: true tags: - certificates @@ -174,7 +174,7 @@ --dns {{ ansible_hostname }},{{ ansible_fqdn }},{{ inventory_hostname }} --pass {{ kibana_tls_key_passphrase }} --out {{ elasticstack_ca_dir }}/{{ ansible_hostname }}-kibana.p12 - delegate_to: "{{ elasticstack_ca }}" + delegate_to: "{{ elasticstack_ca_host }}" no_log: "{{ elasticstack_no_log }}" args: creates: "{{ elasticstack_ca_dir }}/{{ ansible_hostname }}-kibana.p12" @@ -188,7 +188,7 @@ src: "{{ elasticstack_ca_dir }}/{{ ansible_hostname }}-kibana.p12" dest: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}-kibana.p12" flat: yes - delegate_to: "{{ elasticstack_ca }}" + delegate_to: "{{ elasticstack_ca_host }}" tags: - certificates - renew_ca @@ -216,14 +216,14 @@ register: kibana_password changed_when: false no_log: "{{ elasticstack_no_log }}" - delegate_to: "{{ elasticstack_ca }}" + delegate_to: "{{ elasticstack_ca_host }}" - name: Fetch ca certificate from ca host to master ansible.builtin.fetch: src: "{{ elasticstack_ca_dir }}/ca.crt" dest: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/ca.crt" flat: yes - delegate_to: "{{ elasticstack_ca }}" + delegate_to: "{{ elasticstack_ca_host }}" tags: - certificates - renew_ca diff --git a/roles/kibana/tasks/main.yml b/roles/kibana/tasks/main.yml index 7d2c56cc..194f8344 100644 --- a/roles/kibana/tasks/main.yml +++ b/roles/kibana/tasks/main.yml @@ -10,6 +10,7 @@ - name: Include global role ansible.builtin.import_role: name: netways.elasticstack.elasticstack + when: not hostvars[inventory_hostname]._elasticstack_role_imported | default(false) - name: Update apt cache. ansible.builtin.apt: diff --git a/roles/logstash/tasks/logstash-security.yml b/roles/logstash/tasks/logstash-security.yml index 2cffd8c1..4e8e1901 100644 --- a/roles/logstash/tasks/logstash-security.yml +++ b/roles/logstash/tasks/logstash-security.yml @@ -56,20 +56,20 @@ state: absent when: logstash_move_cert_directory.changed -- name: Backup logstash certs on elasticstack_ca host then remove +- name: Backup logstash certs on elasticstack_ca_host then remove when: "'renew_logstash_cert' in ansible_run_tags or 'renew_ca' in ansible_run_tags" - delegate_to: "{{ elasticstack_ca }}" + delegate_to: "{{ elasticstack_ca_host }}" tags: - renew_ca - renew_logstash_cert - never block: - - name: Check if cert file exists on elasticstack_ca host + - name: Check if cert file exists on elasticstack_ca_host ansible.builtin.stat: path: "{{ elasticstack_ca_dir }}/{{ ansible_hostname }}-ls.p12" register: logstash_check_cert_file_ca_host - - name: Move cert file on elasticstack_ca host + - name: Move cert file on elasticstack_ca_host host ansible.builtin.copy: src: "{{ elasticstack_ca_dir }}/{{ ansible_hostname }}-ls.p12" dest: "{{ elasticstack_ca_dir }}/{{ ansible_hostname }}-ls.p12_{{ ansible_date_time.iso8601_micro }}" @@ -80,18 +80,18 @@ when: logstash_check_cert_file_ca_host.stat.exists register: logstash_move_cert_file_ca_host - - name: Remove cert file on elasticstack_ca host + - name: Remove cert file on elasticstack_ca_host ansible.builtin.file: path: "{{ elasticstack_ca_dir }}/{{ ansible_hostname }}-ls.p12" state: absent when: logstash_move_cert_file_ca_host.changed - - name: Check if cert zip file exists on elasticstack_ca host + - name: Check if cert zip file exists on elasticstack_ca_host ansible.builtin.stat: path: "{{ elasticstack_ca_dir }}/{{ ansible_hostname }}-ls.zip" register: logstash_check_cert_zip_file_ca_host - - name: Move cert zip file on elasticstack_ca host + - name: Move cert zip file on elasticstack_ca_host host ansible.builtin.copy: src: "{{ elasticstack_ca_dir }}/{{ ansible_hostname }}-ls.zip" dest: "{{ elasticstack_ca_dir }}/{{ ansible_hostname }}-ls.zip_{{ ansible_date_time.iso8601_micro }}" @@ -102,7 +102,7 @@ when: logstash_check_cert_zip_file_ca_host.stat.exists register: logstash_move_cert_zip_file_ca_host - - name: Remove cert zip file on elasticstack_ca host + - name: Remove cert zip file on elasticstack_ca_host ansible.builtin.file: path: "{{ elasticstack_ca_dir }}/{{ ansible_hostname }}-ls.zip" state: absent @@ -165,7 +165,7 @@ --dns {{ ansible_hostname }},{{ ansible_fqdn }},{{ inventory_hostname }} --pass {{ logstash_tls_key_passphrase }} --out {{ elasticstack_ca_dir }}/{{ ansible_hostname }}-ls.p12 - delegate_to: "{{ elasticstack_ca }}" + delegate_to: "{{ elasticstack_ca_host }}" no_log: "{{ elasticstack_no_log }}" args: creates: "{{ elasticstack_ca_dir }}/{{ ansible_hostname }}-ls.p12" @@ -179,7 +179,7 @@ src: "{{ elasticstack_ca_dir }}/{{ ansible_hostname }}-ls.p12" dest: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}-ls.p12" flat: yes - delegate_to: "{{ elasticstack_ca }}" + delegate_to: "{{ elasticstack_ca_host }}" tags: - certificates - renew_ca @@ -235,7 +235,7 @@ --pass {{ logstash_tls_key_passphrase }} --pem --out {{ elasticstack_ca_dir }}/{{ ansible_hostname }}-ls.zip - delegate_to: "{{ elasticstack_ca }}" + delegate_to: "{{ elasticstack_ca_host }}" no_log: "{{ elasticstack_no_log }}" args: creates: "{{ elasticstack_ca_dir }}/{{ ansible_hostname }}-ls.zip" @@ -249,7 +249,7 @@ src: "{{ elasticstack_ca_dir }}/{{ ansible_hostname }}-ls.zip" dest: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/{{ ansible_hostname }}-ls.zip" flat: yes - delegate_to: "{{ elasticstack_ca }}" + delegate_to: "{{ elasticstack_ca_host }}" tags: - certificates - renew_ca @@ -329,7 +329,7 @@ src: "{{ elasticstack_ca_dir }}/ca.crt" dest: "{{ lookup('config', 'DEFAULT_LOCAL_TMP') | dirname }}/ca.crt" flat: yes - delegate_to: "{{ elasticstack_ca }}" + delegate_to: "{{ elasticstack_ca_host }}" tags: - certificates - renew_ca @@ -361,7 +361,7 @@ awk {' print $4 '} register: logstash_elasticstack_password changed_when: false - delegate_to: "{{ elasticstack_ca }}" + delegate_to: "{{ elasticstack_ca_host }}" no_log: "{{ elasticstack_no_log }}" tags: - configuration @@ -375,7 +375,7 @@ - names: "{{ logstash_role_indicies_names }}" privileges: "{{ logstash_role_indicies_privileges }}" state: present - host: "https://{{ hostvars[elasticstack_ca].ansible_default_ipv4.address }}:{{ elasticstack_elasticsearch_http_port }}" + host: "https://{{ hostvars[elasticstack_ca_host].ansible_default_ipv4.address }}:{{ elasticstack_elasticsearch_http_port }}" auth_user: elastic auth_pass: "{{ logstash_elasticstack_password.stdout }}" verify_certs: true @@ -392,7 +392,7 @@ - "{{ logstash_role_name }}" enabled: true state: present - host: "https://{{ hostvars[elasticstack_ca].ansible_default_ipv4.address }}:{{ elasticstack_elasticsearch_http_port }}" + host: "https://{{ hostvars[elasticstack_ca_host].ansible_default_ipv4.address }}:{{ elasticstack_elasticsearch_http_port }}" auth_user: elastic auth_pass: "{{ logstash_elasticstack_password.stdout }}" verify_certs: false diff --git a/roles/logstash/tasks/main.yml b/roles/logstash/tasks/main.yml index cb6981c2..4a1ab279 100644 --- a/roles/logstash/tasks/main.yml +++ b/roles/logstash/tasks/main.yml @@ -3,6 +3,7 @@ - name: Include global role ansible.builtin.import_role: name: netways.elasticstack.elasticstack + when: not hostvars[inventory_hostname]._elasticstack_role_imported | default(false) - name: Update apt cache. ansible.builtin.apt: diff --git a/roles/repos/tasks/main.yml b/roles/repos/tasks/main.yml index bb37db9d..d3390966 100644 --- a/roles/repos/tasks/main.yml +++ b/roles/repos/tasks/main.yml @@ -3,6 +3,7 @@ - name: Include global role ansible.builtin.import_role: name: netways.elasticstack.elasticstack + when: not hostvars[inventory_hostname]._elasticstack_role_imported | default(false) - name: Import RedHat tasks ansible.builtin.import_tasks: redhat.yml