diff --git a/roles/aws/aws_backup_validation/tasks/main.yml b/roles/aws/aws_backup_validation/tasks/main.yml
index d8e7b1ef4..703e4ccb5 100644
--- a/roles/aws/aws_backup_validation/tasks/main.yml
+++ b/roles/aws/aws_backup_validation/tasks/main.yml
@@ -25,7 +25,7 @@
 timeout: "{{ aws_backup_validation.timeout }}"
 role: "{{ aws_iam_role._result['LambdaBackupRestoreRole'] }}"
 runtime: "{{ aws_backup_validation.runtime }}"
- function_file: "{{ lookup('template', item + '_validation.py.j2') }}"
+ function_file: "{{ lookup('template', item + '_validation.py.j2') }}"
 s3_bucket: "ce-{{ _aws_profile }}-lambda-functions"
 tags:
 Name: "{{ item }}_backup_validation"
diff --git a/roles/aws/aws_elasticache/tasks/main.yml b/roles/aws/aws_elasticache/tasks/main.yml
index 7c75d36eb..a393d6528 100644
--- a/roles/aws/aws_elasticache/tasks/main.yml
+++ b/roles/aws/aws_elasticache/tasks/main.yml
@@ -38,4 +38,4 @@
 security_group_ids: "{{ _aws_security_group_list }}" # variable populated by the aws_security_groups role
 zone: "{{ aws_elasticache.zone | default(omit) }}"
-# @TODO grab the endpoint data for the memcached client role
\ No newline at end of file
+# @TODO grab the endpoint data for the memcached client role
diff --git a/roles/aws/aws_iam_role/tasks/main.yml b/roles/aws/aws_iam_role/tasks/main.yml
index 8f67e33c8..f51b0aecd 100644
--- a/roles/aws/aws_iam_role/tasks/main.yml
+++ b/roles/aws/aws_iam_role/tasks/main.yml
@@ -1,6 +1,6 @@
 - name: Create an IAM Managed Policy if defined.
 amazon.aws.iam_managed_policy:
- policy_name: "inline_{{ aws_iam_role.name }}_policy"
+ policy_name: "inline_{{ aws_iam_role.inline_policies.name }}_policy"
 policy:
 Version: "2012-10-17"
 Statement:
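Review bot: Changing `policy_name` from `inline_{{ aws_iam_role.name }}_policy` to `inline_{{ aws_iam_role.inline_policies.name }}_policy` means `amazon.aws.iam_managed_policy` will create a policy under the new name on roles that were already provisioned, and the old `inline_<role>_policy` stays in the account; if it is still attached to the role, its permissions remain in effect alongside the new policy. Either a one-off cleanup of the old name (`state: absent` after detaching it) or a comment on this task explaining that existing policies are intentionally left behind would keep the rename from silently widening what the role can do. The task's `when:` is outside this hunk; the condition visible in the next hunk only checks `aws_iam_role.inline_policies.action`, so if this task is gated the same way it now also requires `inline_policies.name` to be set whenever it runs.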
@@ -13,7 +13,7 @@
 - name: Join managed and inline policy.
 ansible.builtin.set_fact:
- _combined_policies: "{{ aws_iam_role.managed_policies + [_inline_iam_policy.arn] }}"
+ _combined_policies: "{{ aws_iam_role.managed_policies + [_inline_iam_policy.policy.arn] }}"
 when: aws_iam_role.inline_policies.action is defined and aws_iam_role.inline_policies.action | length > 0
 - name: Create combined var if inline policy is not defined or empty.
diff --git a/roles/aws/aws_s3_bucket/tasks/main.yml b/roles/aws/aws_s3_bucket/tasks/main.yml
index 915b9c09e..303c56519 100644
--- a/roles/aws/aws_s3_bucket/tasks/main.yml
+++ b/roles/aws/aws_s3_bucket/tasks/main.yml
@@ -24,4 +24,4 @@
 - name: Register aws_s3_bucket results.
 ansible.builtin.set_fact:
- aws_s3_bucket: "{{ aws_s3_bucket | combine({'_result': {aws_s3_bucket.name | replace('-','_'): {'bucket': _aws_s3_bucket, 'policy': _aws_s3_bucket_policy}}}, recursive=True) }}"
+ aws_s3_bucket: "{{ aws_s3_bucket | combine({'_result': {aws_s3_bucket.name | replace('-', '_'): {'bucket': _aws_s3_bucket, 'policy': _aws_s3_bucket_policy}}}, recursive=True) }}"
diff --git a/roles/aws/aws_vpc/tasks/main.yml b/roles/aws/aws_vpc/tasks/main.yml
index 9901abd85..22ef2638f 100644
--- a/roles/aws/aws_vpc/tasks/main.yml
+++ b/roles/aws/aws_vpc/tasks/main.yml
@@ -10,15 +10,13 @@
 register: _aws_vpc_vpc
 - name: Ensure default Security group is tagged.
- amazon.aws.ec2_security_group:
- name: "default"
- profile: "{{ aws_vpc.aws_profile }}"
- region: "{{ aws_vpc.region }}"
- tags: "{{ aws_vpc.tags }}"
- state: "{{ aws_vpc.state }}"
- vpc_id: "{{ _aws_vpc_vpc.vpc.id }}"
- description: "default VPC security group"
- purge_rules: false
+ ansible.builtin.include_tasks: "security_group.yml"
+ vars:
+ aws_vpc:
+ name: "default"
+ id: "{{ _aws_vpc_vpc.vpc.id }}"
+ description: "default VPC security group"
+ purge_rules: false
 - name: Create VPC Security groups.
 ansible.builtin.include_tasks: "security_group.yml"
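Review bot: Passing the overrides as `vars: aws_vpc:` replaces the role's whole `aws_vpc` mapping for the included tasks instead of merging into it (Ansible does not merge mappings across precedence levels), so `aws_vpc.aws_profile`, `aws_vpc.region`, `aws_vpc.tags` and `aws_vpc.state`, which security_group.yml still reads, are undefined inside this include, and `security_group.description`, which it also reads, is not supplied at all. The `set_fact` at the end of security_group.yml then stores this four-key mapping plus `_result` as a host fact named `aws_vpc`, which, depending on how `aws_vpc` reaches the role, can mask the real configuration for every task that follows. Keeping `aws_vpc` untouched and passing the per-group values under a separate variable — `vars:` / `security_group:` with `name: "default"`, `description: "default VPC security group"` and `purge_rules: false` — avoids both problems, with security_group.yml reading `security_group.*` and `_aws_vpc_vpc.vpc.id` as it did before. The `Create VPC Security groups` task continues past the end of the hunk, so what it passes as `security_group` or `aws_vpc` is not visible here.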
diff --git a/roles/aws/aws_vpc/tasks/security_group.yml b/roles/aws/aws_vpc/tasks/security_group.yml
index 0c63b1063..6c0bfe8b6 100644
--- a/roles/aws/aws_vpc/tasks/security_group.yml
+++ b/roles/aws/aws_vpc/tasks/security_group.yml
@@ -1,11 +1,17 @@
 - name: Create Security Group.
 amazon.aws.ec2_security_group:
- name: "{{ security_group.name }}"
+ name: "{{ aws_vpc.name }}"
 profile: "{{ aws_vpc.aws_profile }}"
 region: "{{ aws_vpc.region }}"
- tags: "{{ aws_vpc.tags | combine({'Name': security_group.name}) }}"
+ tags: "{{ aws_vpc.tags | combine({'Name': aws_vpc.name}) }}"
 state: "{{ aws_vpc.state }}"
- vpc_id: "{{ _aws_vpc_vpc.vpc.id }}"
+ vpc_id: "{{ aws_vpc.id }}"
 description: "{{ security_group.description }}"
 rules: "{{ security_group.rules | default(omit) }}"
 rules_egress: "{{ security_group.rules_egress | default(omit) }}"
+ purge_rules: "{{ aws_vpc.purge_rules | default(omit) }}"
+ register: _aws_vpc_result
+
+- name: Register aws_vpc SG results.
+ ansible.builtin.set_fact:
+ aws_vpc: "{{ aws_vpc | combine({'_result': {aws_vpc.name: _aws_vpc_result}}, recursive=True) }}"
diff --git a/roles/debian/jenkins/defaults/main.yml b/roles/debian/jenkins/defaults/main.yml
index 39c1a1c64..1af47f075 100644
--- a/roles/debian/jenkins/defaults/main.yml
+++ b/roles/debian/jenkins/defaults/main.yml
@@ -7,7 +7,7 @@ ldap_client:
 bindpw: ""
 jenkins:
- apt_signed_by: https://pkg.jenkins.io/debian/jenkins.io.key
+ apt_signed_by: https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key
 server_name: "jenkins.{{ _domain_name }}"
 ssl_handling: "ssl_selfsigned"
 listen_http_port: -1
diff --git a/roles/debian/jenkins/tasks/main.yml b/roles/debian/jenkins/tasks/main.yml
index 3c8413203..b14e236fe 100644
--- a/roles/debian/jenkins/tasks/main.yml
+++ b/roles/debian/jenkins/tasks/main.yml
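Review bot: The task now takes `name` and `vpc_id` from `aws_vpc.*` while `description`, `rules` and `rules_egress` still come from `security_group.*`, so every caller has to supply both mappings; for the looped `Create VPC Security groups` include in main.yml (its vars and loop are outside the hunks) each group would be created with the name `aws_vpc.name` and a `vpc_id` of `aws_vpc.id`, and nothing on this page shows the role's own `aws_vpc` mapping carrying an `id` key. Reading all per-group values from one `security_group` mapping — `name: "{{ security_group.name }}"`, `vpc_id: "{{ security_group.id | default(_aws_vpc_vpc.vpc.id) }}"`, `purge_rules: "{{ security_group.purge_rules | default(omit) }}"` — keeps the file correct for both the default-group call and the loop. Leaving `purge_rules` to `omit` keeps the module's purge behaviour for every group that does not set it, which is worth a one-line comment above that key since it decides whether rules added outside Ansible survive a run.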
@@ -1,17 +1,17 @@
 ---
-- name: Add Jenkins repository and key.
+- name: Add Jenkins repository.
 ansible.builtin.include_role:
 name: debian/apt_repository
 vars:
 apt_repository:
- legacy_repo: "deb http://pkg.jenkins.io/debian binary/"
+ legacy_repo: "deb http://pkg.jenkins.io/debian-stable binary/"
 format: list # Jenkins repo does not support deb822
- list_repo_string: "http://pkg.jenkins.io/debian binary/" # override automated repo string generation
+ list_repo_string: "http://pkg.jenkins.io/debian-stable binary/" # override automated repo string generation
 name: jenkins
 types:
 - deb
 uris:
- - http://pkg.jenkins.io/debian
+ - http://pkg.jenkins.io/debian-stable
 signed_by: "{{ jenkins.apt_signed_by }}"
 state: present
 key_refresh_timer_OnCalendar: "Mon *-*-* 00:00:00"
@@ -100,20 +100,23 @@
 group: "{{ jenkins.user }}"
 mode: 0775
-- name: Restart Jenkins.
+- name: Copy jenkins service file with jenkins port number.
+ ansible.builtin.template:
+ src: "jenkins.service.j2"
+ dest: "/usr/lib/systemd/system/jenkins.service"
+ owner: "root"
+ group: "root"
+ mode: 0644
+
+- name: Restart Jenkins and reload daemon.
 ansible.builtin.service:
 name: jenkins
+ daemon_reload: true
 state: restarted
- when: aptoutput.changed
-
-- name: Paise for 2 minutes.
- ansible.builtin.pause:
- minutes: 2
- when: aptoutput.changed
 - name: Download Jenkins CLI.
 ansible.builtin.get_url:
- url: "https://localhost:{{ jenkins.listen_https_port }}/jnlpJars/jenkins-cli.jar"
+ url: "http://localhost:{{ jenkins.listen_https_port }}/jnlpJars/jenkins-cli.jar"
 validate_certs: false
 dest: /opt/jenkins-cli.jar
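Review bot: The changed `legacy_repo`, `list_repo_string` and `uris` lines keep fetching the repository over plain `http://`, although the same host is already used over https for the signing key (`apt_signed_by` in defaults/main.yml). APT's signature check on the indexes covers package integrity, but fetching them over https additionally keeps the package list private and removes a plaintext channel from the install path; `deb https://pkg.jenkins.io/debian-stable binary/` with the matching `list_repo_string` and `uris` entries is three one-token changes in this hunk.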
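Review bot: `Restart Jenkins and reload daemon` lost its `when: aptoutput.changed` and the new template task has neither `register` nor `notify`, so Jenkins is restarted on every run of the role rather than only when the package or the unit file changed. Registering the template result (`register: _jenkins_unit`) and gating the restart with `when: aptoutput.changed or _jenkins_unit.changed` restores idempotence; a handler would do the same. The template is written over `/usr/lib/systemd/system/jenkins.service`, the package's own unit, which the next package upgrade is likely to overwrite (the template's header itself points to `systemctl edit jenkins`); installing it as a drop-in under `/etc/systemd/system/jenkins.service.d/` keeps the port override across upgrades. Smaller points in the same hunk: `mode: 0644` is an unquoted octal (`mode: "0644"` is what ansible-lint expects), and `validate_certs: false` on the CLI download is now moot with the http URL.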
@@ -135,13 +138,13 @@
 timer_OnCalendar: "{{ jenkins.on_calendar }}"
 - name: Install Jenkins Plugins.
- ansible.builtin.command: "java -jar /opt/jenkins-cli.jar -auth {{ jenkins.adminuser }}:{{ jenkins.adminpass }} -noCertificateCheck -s https://localhost:{{ jenkins.listen_https_port }}/ install-plugin {{ jenkins.plugins | join(' ') }}"
+ ansible.builtin.command: "java -jar /opt/jenkins-cli.jar -auth {{ jenkins.adminuser }}:{{ jenkins.adminpass }} -noCertificateCheck -s http://localhost:{{ jenkins.listen_https_port }}/ install-plugin {{ jenkins.plugins | join(' ') }}"
 become: true
 become_user: "{{ jenkins.user }}"
 register: pluginoutput
 - name: Safe restart Jenkins.
- ansible.builtin.command: "java -jar /opt/jenkins-cli.jar -auth {{ jenkins.adminuser }}:{{ jenkins.adminpass }} -noCertificateCheck -s https://localhost:{{ jenkins.listen_https_port }}/ safe-restart"
+ ansible.builtin.command: "java -jar /opt/jenkins-cli.jar -auth {{ jenkins.adminuser }}:{{ jenkins.adminpass }} -noCertificateCheck -s http://localhost:{{ jenkins.listen_https_port }}/ safe-restart"
 become: true
 become_user: "{{ jenkins.user }}"
 when: pluginoutput.changed
diff --git a/roles/debian/jenkins/templates/jenkins.service.j2 b/roles/debian/jenkins/templates/jenkins.service.j2
new file mode 100644
index 000000000..3c94e482e
--- /dev/null
+++ b/roles/debian/jenkins/templates/jenkins.service.j2
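Review bot: Both changed `ansible.builtin.command` lines still pass `{{ jenkins.adminpass }}` on the command line without `no_log: true`, so the admin password is printed in the Ansible output and any log of the run, and is visible in the host's process list while the CLI executes; `no_log: true` on both tasks is the minimum fix, and the CLI's `-auth @/path/to/file` form with a root-only credentials file would keep it out of the command line as well. `-noCertificateCheck` is kept although the URL is now plain `http://`, where it does nothing, so it can be dropped from both commands. The port is still read from `jenkins.listen_https_port` while the endpoint is http, which invites the next reader to put https back; either rename the variable or add a comment on the first task stating where TLS is now terminated instead of at this port.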
@@ -0,0 +1,151 @@
+
+# This file is managed by systemd(1). Do NOT edit this file manually!
+# To override these settings, run:
+#
+# systemctl edit jenkins
+#
+# For more information about drop-in files, see:
+#
+# https://www.freedesktop.org/software/systemd/man/systemd.unit.html
+#
+
+[Unit]
+Description=Jenkins Continuous Integration Server
+Requires=network.target
+After=network.target
+StartLimitBurst=5
+StartLimitIntervalSec=5m
+
+[Service]
+Type=notify
+NotifyAccess=main
+ExecStart=/usr/bin/jenkins
+Restart=on-failure
+SuccessExitStatus=143
+
+# Configures the time to wait for start-up. If Jenkins does not signal start-up
+# completion within the configured time, the service will be considered failed
+# and will be shut down again. Takes a unit-less value in seconds, or a time span
+# value such as "5min 20s". Pass "infinity" to disable the timeout logic.
+#TimeoutStartSec=90
+
+# Unix account that runs the Jenkins daemon
+# Be careful when you change this, as you need to update the permissions of
+# $JENKINS_HOME, $JENKINS_LOG, and (if you have already run Jenkins)
+# $JENKINS_WEBROOT.
+User=jenkins
+Group=jenkins
+
+# Directory where Jenkins stores its configuration and workspaces
+Environment="JENKINS_HOME=/var/lib/jenkins"
+WorkingDirectory=/var/lib/jenkins
+
+# Location of the Jenkins WAR
+#Environment="JENKINS_WAR=/usr/share/java/jenkins.war"
+
+# Location of the exploded WAR
+Environment="JENKINS_WEBROOT=%C/jenkins/war"
+
+# Location of the Jenkins log. By default, systemd-journald(8) is used.
+#Environment="JENKINS_LOG=%L/jenkins/jenkins.log"
+
+# The Java home directory. When left empty, JENKINS_JAVA_CMD and PATH are consulted.
+#Environment="JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64"
+
+# The Java executable. When left empty, JAVA_HOME and PATH are consulted.
+#Environment="JENKINS_JAVA_CMD=/etc/alternatives/java"
+
+# Arguments for the Jenkins JVM
+Environment="JAVA_OPTS=-Djava.awt.headless=true"
+
+# Unix Domain Socket to listen on for local HTTP requests. Default is disabled.
+#Environment="JENKINS_UNIX_DOMAIN_PATH=/run/jenkins/jenkins.socket"
+
+# IP address to listen on for HTTP requests.
+# The default is to listen on all interfaces (0.0.0.0).
+#Environment="JENKINS_LISTEN_ADDRESS="
+
+# Port to listen on for HTTP requests. Set to -1 to disable.
+# To be able to listen on privileged ports (port numbers less than 1024),
+# add the CAP_NET_BIND_SERVICE capability to the AmbientCapabilities
+# directive below.
+Environment="JENKINS_PORT={{ jenkins.listen_https_port }}"
+
+# IP address to listen on for HTTPS requests. Default is disabled.
+#Environment="JENKINS_HTTPS_LISTEN_ADDRESS="
+
+# Port to listen on for HTTPS requests. Default is disabled.
+# To be able to listen on privileged ports (port numbers less than 1024),
+# add the CAP_NET_BIND_SERVICE capability to the AmbientCapabilities
+# directive below.
+#Environment="JENKINS_HTTPS_PORT=443"
+
+# Path to the keystore in JKS format (as created by the JDK's keytool).
+# Default is disabled.
+#Environment="JENKINS_HTTPS_KEYSTORE=/path/to/keystore.jks"
+
+# Password to access the keystore defined in JENKINS_HTTPS_KEYSTORE.
+# Default is disabled.
+#Environment="JENKINS_HTTPS_KEYSTORE_PASSWORD=s3cR3tPa55w0rD"
+
+# IP address to listen on for HTTP2 requests. Default is disabled.
+#Environment="JENKINS_HTTP2_LISTEN_ADDRESS="
+
+# HTTP2 port to listen on. Default is disabled.
+# To be able to listen on privileged ports (port numbers less than 1024),
+# add the CAP_NET_BIND_SERVICE capability to the AmbientCapabilities
+# directive below.
+#Environment="JENKINS_HTTP2_PORT="
+
+# Controls which capabilities to include in the ambient capability set for the
+# executed process. Takes a whitespace-separated list of capability names, e.g.
+# CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_SYS_PTRACE. Ambient capability sets are
+# useful if you want to execute a process as a non-privileged user but still
+# want to give it some capabilities. For example, add the CAP_NET_BIND_SERVICE
+# capability to be able to listen on privileged ports (port numbers less than
+# 1024).
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+# Debug level for logs. The higher the value, the more verbose. 5 is INFO.
+#Environment="JENKINS_DEBUG_LEVEL=5"
+
+# Set to true to enable logging to /var/log/jenkins/access_log.
+#Environment="JENKINS_ENABLE_ACCESS_LOG=false"
+
+# Servlet context (important if you want to use reverse proxying)
+#Environment="JENKINS_PREFIX=/jenkins"
+
+# Arbitrary additional arguments to pass to Jenkins.
+# Full option list: java -jar jenkins.war --help
+#Environment="JENKINS_OPTS="
+
+# Maximum core file size. If unset, the value from the OS is inherited.
+#LimitCORE=infinity
+
+# Maximum file size. If unset, the value from the OS is inherited.
+#LimitFSIZE=infinity
+
+# File descriptor limit. If unset, the value from the OS is inherited.
+#LimitNOFILE=8192
+
+# Maximum number of processes. If unset, the value from the OS is inherited.
+#LimitNPROC=32768
+
+# Set the umask to control the permission bits of files that Jenkins creates.
+#
+# 0027 makes files read-only for group and inaccessible for others, which some
+# security sensitive users might consider beneficial, especially if Jenkins
+# is running on a server that is used for multiple purposes. Beware that 0027
+# permissions would interfere with sudo scripts that run on the controller
+# (see JENKINS-25065).
+#
+# Note also that the particularly sensitive parts of $JENKINS_HOME (such as
+# credentials) are always written without 'other' access. So the umask values
+# only affect job configuration, build records, etc.
+#
+# If unset, the value from the OS is inherited, which is normally 0022.
+# The default umask comes from pam_umask(8) and /etc/login.defs.
+#UMask=0022
+
+[Install]
+WantedBy=multi-user.target
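Review bot: `Environment="JENKINS_PORT={{ jenkins.listen_https_port }}"` turns on the plain-HTTP listener while `JENKINS_HTTPS_PORT` stays commented out, and `JENKINS_LISTEN_ADDRESS` is also left commented, which by the template's own comment means the port is bound on all interfaces (0.0.0.0). If TLS is meant to be terminated by a front-end on the same host (defaults/main.yml carries `ssl_handling`), set `Environment="JENKINS_LISTEN_ADDRESS=127.0.0.1"` so the unencrypted port is only reachable locally, and add a template comment above the port line saying that `listen_https_port` now feeds the HTTP listener and where TLS ends. The only other difference from the vendor unit appears to be the empty first line before the header comment; dropping it keeps the diff against the package file down to the port.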