oradb_manage_wallet: New role for managing Oracle Wallets

changelogs/fragments/wallet.yml

@@ -0,0 +1,3 @@
+---
+minor_changes:
+  - "oradb_manage_wallet: New role for managing Oracle Wallets ()"

extensions/molecule/shared_config/inventory/group_vars/all/oracle_db.yml

@@ -160,3 +160,32 @@ tnsnames_installed:
   - tnsname: "{{ oracle_pdbs[0]['pdb_name'] }}"
     home: db19-si-ee
     state: present
+
+sqlnet_config:
+  sqlnetalias1:
+    - {name: "ADR_BASE", value: "/u01/app/oracle/"}
+    - {name: "SQLNET.ALLOWED_LOGON_VERSION_CLIENT", value: 12}
+    - {name: "SQLNET.WALLET_OVERRIDE", value: 'TRUE'}
+    - name: WALLET_LOCATION
+      value: |-
+        (
+          SOURCE =
+            (METHOD = FILE)(METHOD_DATA = (DIRECTORY=/u01/app/oracle/wallet))
+          )
+
+sqlnet_installed:
+  - home: db19-si-ee
+    sqlnet: sqlnetalias1
+    state: present
+
+oracle_wallet_config:
+  - name: wallet1
+    home: db19-si-ee
+    path: /u01/app/oracle/wallet
+    state: present
+    # mode: g+rx
+    dbcredentials:
+      - tns_name: oracle_pdbs[0]['pdb_name']
+        db_name: oracle_pdbs[0]['pdb_name']
+        db_user: system
+        state: present

extensions/molecule/shared_config/inventory/group_vars/all/password.yml

@@ -0,0 +1,3 @@
+---
+oracle_wallet_password:
+  wallet1: "aA_{{ ansible_machine_id }}"

playbooks/manage_db.yml

@@ -4,6 +4,7 @@
   become: true
   any_errors_fatal: true
   roles:
+    - opitzconsulting.ansible_oracle.oradb_manage_wallet
     - opitzconsulting.ansible_oracle.oradb_manage_db
     - opitzconsulting.ansible_oracle.oradb_manage_pdb
     - opitzconsulting.ansible_oracle.oradb_manage_parameters

playbooks/manage_wallet.yml

@@ -0,0 +1,6 @@
+---
+- name: Manage Oracle wallet
+  hosts: "{{ hostgroup | default('all') }}"
+  any_errors_fatal: true
+  roles:
+    - opitzconsulting.ansible_oracle.oradb_manage_wallet

roles/oradb_manage_wallet/.ansibledoctor.yml

@@ -0,0 +1,5 @@
+---
+logging:
+  level: warning
+template: readme
+force_overwrite: true

roles/oradb_manage_wallet/README.md

@@ -1,8 +1,17 @@
 # oradb_manage_wallet
 
+Manage Wallets for Oracle with `mkstore`.
+
+Multiple wallets with different locations are possivle.
+Define a password for the wallet in `oracle_wallet_password`.
+
 ## Table of content
 
 - [Requirements](#requirements)
+- [Default Variables](#default-variables)
+  - [oracle_wallet_config](#oracle_wallet_config)
+  - [oracle_wallet_password](#oracle_wallet_password)
+- [Discovered Tags](#discovered-tags)
 - [Dependencies](#dependencies)
 - [License](#license)
 - [Author](#author)
@@ -11,11 +20,62 @@
 
 ## Requirements
 
-None.
+- Minimum Ansible version: `2.15.0`
+
+## Default Variables
+
+### oracle_wallet_config
+
+#### Default value
+
+```YAML
+oracle_wallet_config: []
+```
+
+#### Example usage
+
+```YAML
+oracle_wallet_config:
+  - name: wallet1
+    home: 19300_base
+    path: /u01/app/oracle/wallet
+    state: present
+    dbcredential:
+      - tns_name: db1
+        db_name: db1
+        db_user: user1
+        state: present
+```
+
+### oracle_wallet_password
 
+#### Default value
 
+```YAML
+oracle_wallet_password: {}
+```
+
+#### Example usage
+
+```YAML
+oracle_wallet_password:
+  wallet1: <password>
+  wallet2: <password>
+```
+
+## Discovered Tags
+
+**_always_**
 
 
 ## Dependencies
 
-None.
+- orasw_meta
+
+## License
+
+license (MIT)
+
+## Author
+
+[Thorsten Bruhns]

roles/oradb_manage_wallet/defaults/main.yml

@@ -0,0 +1,45 @@
+---
+# @var oracle_wallet_password:description: >
+# @end
+oracle_wallet_password: {}
+# @var oracle_wallet_password:example: >
+# oracle_wallet_password:
+#   wallet1: <password>
+#   wallet2: <password>
+# @end
+
+# @var oracle_wallet_config:description: >
+oracle_wallet_config: []
+
+# See below example for more details.
+# oracle_wallet_config:
+#   - name: <name for password entry>
+#     home: <dict key from db_homes_config>
+#     path: <target directory for wallet>
+#     owner: <OS-Owner - default oracle_owner>
+#     group: <OS-Group | default(omit)>
+#     mode: <chmod auf path | default(omit)>
+#     state: present/absent
+#     certificates: <optional>
+#       - type: ca
+#         cert: <certificate>
+#         state: present/absent
+#     dbcredential: <optional>
+#       - tns_name: <tns-alias from
+#         db_name: <db_name for dbpasswords[db_name]>
+#         db_user: <database user>
+#         state: present/absent
+# @end
+#
+# @var oracle_wallet_config:example: >
+# oracle_wallet_config:
+#   - name: wallet1
+#     home: 19300_base
+#     path: /u01/app/oracle/wallet
+#     state: present
+#     dbcredential:
+#       - tns_name: db1
+#         db_name: db1
+#         db_user: user1
+#         state: present
+# @end

roles/oradb_manage_wallet/meta/main.yml

@@ -0,0 +1,40 @@
+---
+# @meta description: >
+# Manage Wallets for Oracle with `mkstore`.
+#
+# Multiple wallets with different locations are possivle.
+# Define a password for the wallet in `oracle_wallet_password`.
+
+# The following credentials could be managed by this role:
+#
+# `database credentials:`
+#
+# We need the `db_name` as attribute for finding the password in `dbpasswords`.
+# Be aware that `tns_name` could be different to the `db_name`.
+# @end
+# @meta author: [Thorsten Bruhns]
+galaxy_info:
+  role_name: oradb_manage_wallet
+  author: Thorsten Bruhns
+  description: Manage Wallets for Oracle
+  company: Thorsten Bruhns
+
+  license: license (MIT)
+
+  min_ansible_version: 2.15.0
+
+  platforms:
+    - name: EL
+      versions:
+        - "6"
+        - "7"
+        - "8"
+        - "9"
+
+  galaxy_tags:
+    - database
+    - oracle
+    - wallet
+
+dependencies:
+  - role: orasw_meta

roles/oradb_manage_wallet/tasks/assert.yml

@@ -0,0 +1,49 @@
+---
+- name: assert | assert wallet
+  when:
+    - oracle_wallet_config is defined
+  block:
+    - name: assert | assert oracle_wallet_config
+      ansible.builtin.assert:
+        quiet: true
+        that:
+          - owc.state is defined
+          - owc.state in ('present', 'absent')
+          - owc.name is defined
+          - owc.path is defined
+          - owc.home is defined
+          - db_homes_config[owc.home] is defined
+          - oracle_wallet_password[owc.name] is defined
+      with_items:
+        - "{{ oracle_wallet_config }}"
+      loop_control:
+        label: >-
+          {{ owc.name | default('') }}
+          {{ owc.path | default('') }}
+          {{ owc.state | default('') }}
+        loop_var: owc
+
+    # owc_dbc due to with_subelements instead of dbc_d!
+    - name: assert | assert dbcredential in oracle_wallet_config
+      ansible.builtin.assert:
+        quiet: true
+        that:
+          - owc_dbc.1.tns_name is defined
+          - owc_dbc.1.db_name is defined
+          - owc_dbc.1.db_user is defined
+          - owc_dbc.1.state in ('present', 'absent')
+        fail_msg: attribute missing or duplicate tns_name in wallet
+      with_subelements:
+        - "{{ oracle_wallet_config }}"
+        - dbcredentials
+        - flags:
+          skip_missing: true
+      loop_control:
+        label: >-
+          {{ owc_dbc.0.name | default('') }}
+          {{ owc_dbc.1.tns_name | default('') }}
+          {{ owc_dbc.1.state | default('') }}
+        loop_var: owc_dbc
+      when:
+        - owc_dbc.0.state == 'present'
+        - owc_dbc.1 is defined

roles/oradb_manage_wallet/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+# tasks file for manage_db
+- name: oradb_manage_wallet | assert
+  ansible.builtin.include_tasks: assert.yml
+  tags:
+    always
+
+- name: oradb_manage_wallet | Loop over oracle_wallet_config
+  ansible.builtin.include_tasks: wallet_config.yml
+  with_items:
+    - "{{ oracle_wallet_config }}"
+  loop_control:
+    label: >-
+      {{ owc.name | default('') }}
+      {{ owc.path | default('') }}
+      {{ owc.state | default('present') }}
+    loop_var: owc
+  vars:
+    # set odb loop_var for usage of _oracle_home_db
+    odb: "{{ owc }}"
+  tags:
+    always

roles/oradb_manage_wallet/tasks/wallet_config.yml

@@ -0,0 +1,38 @@
+---
+- name: wallet_config | Wallet present
+  when:
+    - owc.state | default('present') == 'present'
+  block:
+    - name: wallet_config | Wallet create
+      ansible.builtin.shell:
+        cmd: |
+          set -eu
+          set -o pipefail
+          echo -e "$stdin" | "${ORACLE_HOME}/bin/mkstore" -create -nologo -wrl "${wrl}"
+        creates: "{{ owc.path }}/ewallet.p12"
+      become: true
+      become_user: "{{ osc.owner | default(oracle_user) }}"
+      environment:
+        stdin: "{{ _oradb_manage_wallet_password }}\n{{ _oradb_manage_wallet_password }}"
+        wrl: "{{ owc.path }}"
+        ORACLE_HOME: "{{ _oracle_home_db }}"
+
+    - name: wallet_config | include wallet_manage_dbcredential.yml
+      ansible.builtin.include_tasks: wallet_manage_dbcredential.yml
+
+    - name: wallet_config | chmod over wallet directory
+      ansible.builtin.file:
+        path: "{{ owc.path }}"
+        group: "{{ owc.group | default(omit) }}"
+        mode: "{{ owc.mode | default(omit) }}"
+        recurse: true
+
+- name: wallet_config | Remove wallet
+  when:
+    - owc.state | default('present') == 'absent'
+  ansible.builtin.file:
+    path: "{{ owc.path }}"
+    state: absent
+    recurse: true
+  become: true
+  become_user: "{{ osc.owner | default(oracle_user) }}"