Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -3,3 +3,4 @@
__pycache__*
.vscode
.venv
.fuse_hidden*
2 changes: 2 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -94,6 +94,8 @@ The variable `elasticstack_no_log` can be set to `false` if you want to see the

*elasticstack_version*: Version number of tools to install. Only set if you don't want the latest on new setups. (default: none). If you already have an installation of Elastic Stack, this collection will query the version of Elasticsearch on the CA host and use it for all further installations in the same setup. (Only if you run the `elasticsearch` role before all others) Example: `7.17.2`

All packages are installed with `state: present`. When `elasticstack_version` is set to a version number (e.g. `7.17.2`), that exact version is installed and pinned. When it is left unset, the package is installed without a version, so a new setup gets the newest available version and existing installations are not upgraded automatically on later runs.

*elasticstack_release*: Major release version of Elastic stack to configure. (default: `7`) Make sure it corresponds to `elasticstack_version` if you set both.

For OSS version see `elasticstack_variant` below.
Expand Down
2 changes: 1 addition & 1 deletion docs/role-beats.md
Original file line number Diff line number Diff line change
Expand Up @@ -95,7 +95,7 @@ The following variables only apply if you use this role together with our other
* *elasticstack_ca_dir*: Directory where on the Elasticsearch CA host certificates are stored. This is only useful in connection with out other Elastic Stack related roles. (default: `/opt/es-ca`)
* *elasticstack_ca_pass*: Password for Elasticsearch CA (default: `PleaseChangeMe`)
* *elasticstack_initial_passwords*: Path to file with initical elasticsearch passwords (default: `/usr/share/elasticsearch/initial_passwords`)
* *elasticstack_version*: Install specific version (Default: none. Possible values: e.g. `7.10.1` or `latest`)
* *elasticstack_version*: Install a (update to) specific version; leave unset to install the latest available. (Default: none. Example: `7.10.1`)

If you want to use this role with your own TLS certificates, use these variables.

Expand Down
43 changes: 3 additions & 40 deletions roles/beats/tasks/auditbeat.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
- name: Install Auditbeat - rpm - full stack
ansible.builtin.package:
name: "{{ beats_auditbeat_package }}"
state: present
enablerepo:
- 'elastic-{{ elasticstack_release }}.x'
notify:
Expand All @@ -25,6 +26,7 @@
- name: Install Auditbeat - rpm - standalone
ansible.builtin.package:
name: "{{ beats_auditbeat_package }}"
state: present
notify:
- Restart Auditbeat
when:
Expand All @@ -34,51 +36,12 @@
- name: Install Auditbeat - deb
ansible.builtin.package:
name: "{{ beats_auditbeat_package }}"
state: present
notify:
- Restart Auditbeat
when:
- ansible_os_family == "Debian"

# KICS complains about "latest" package but this is a dedicated update task

- name: Install Auditbeat latest version - rpm - full stack
ansible.builtin.package:
name: auditbeat
# kics-scan ignore-line
state: latest
enablerepo:
- "elastic-{{ elasticstack_release }}.x"
notify:
- Restart Auditbeat
when:
- elasticstack_version is defined
- elasticstack_version == "latest"
- ansible_os_family == "RedHat"
- elasticstack_full_stack | bool

- name: Install Auditbeat latest version - rpm - standalone
ansible.builtin.package:
name: auditbeat
state: latest
notify:
- Restart Auditbeat
when:
- elasticstack_version is defined
- elasticstack_version == "latest"
- ansible_os_family == "RedHat"
- not elasticstack_full_stack | bool

- name: Install Auditbeat latest version - deb
ansible.builtin.package:
name: auditbeat
state: latest
notify:
- Restart Auditbeat
when:
- elasticstack_version is defined
- elasticstack_version == "latest"
- ansible_os_family == "Debian"

- name: Configure Auditbeat
ansible.builtin.template:
src: auditbeat.yml.j2
Expand Down
40 changes: 3 additions & 37 deletions roles/beats/tasks/filebeat.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@
- name: Install Filebeat - rpm - full stack
ansible.builtin.package:
name: "{{ beats_filebeat_package }}"
state: present
enablerepo:
- 'elastic-{{ elasticstack_release }}.x'
notify:
Expand All @@ -24,6 +25,7 @@
- name: Install Filebeat - rpm - standalone
ansible.builtin.package:
name: "{{ beats_filebeat_package }}"
state: present
notify:
- Restart Filebeat
when:
Expand All @@ -33,48 +35,12 @@
- name: Install Filebeat - deb
ansible.builtin.package:
name: "{{ beats_filebeat_package }}"
state: present
notify:
- Restart Filebeat
when:
- ansible_os_family == "Debian"

- name: Install Filebeat latest version - rpm - full stack
ansible.builtin.package:
name: filebeat
state: latest
enablerepo:
- "elastic-{{ elasticstack_release }}.x"
notify:
- Restart Filebeat
when:
- elasticstack_version is defined
- elasticstack_version == "latest"
- ansible_os_family == "RedHat"
- elasticstack_full_stack | bool

- name: Install Filebeat latest version - rpm - standalone
ansible.builtin.package:
name: filebeat
state: latest
notify:
- Restart Filebeat
when:
- elasticstack_version is defined
- elasticstack_version == "latest"
- ansible_os_family == "RedHat"
- not elasticstack_full_stack | bool

- name: Install Filebeat latest version - deb
ansible.builtin.package:
name: filebeat
state: latest
notify:
- Restart Filebeat
when:
- elasticstack_version is defined
- elasticstack_version == "latest"
- ansible_os_family == "Debian"

- name: Configure Filebeat
ansible.builtin.template:
src: filebeat.yml.j2
Expand Down
41 changes: 3 additions & 38 deletions roles/beats/tasks/metricbeat.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
- name: Install Metricbeat - rpm - full stack
ansible.builtin.package:
name: "{{ beats_metricbeat_package }}"
state: present
enablerepo:
- 'elastic-{{ elasticstack_release }}.x'
notify:
Expand All @@ -25,6 +26,7 @@
- name: Install Metricbeat - rpm - standalone
ansible.builtin.package:
name: "{{ beats_metricbeat_package }}"
state: present
notify:
- Restart Metricbeat
when:
Expand All @@ -34,49 +36,12 @@
- name: Install Metricbeat - deb
ansible.builtin.package:
name: "{{ beats_metricbeat_package }}"
state: present
notify:
- Restart Metricbeat
when:
- ansible_os_family == "Debian"

- name: Install Metricbeat latest version - rpm - full stack
ansible.builtin.package:
name: metricbeat
state: latest
enablerepo:
- "elastic-{{ elasticstack_release }}.x"
notify:
- Restart Metricbeat
when:
- elasticstack_version is defined
- elasticstack_version == "latest"
- ansible_os_family == "RedHat"
- elasticstack_full_stack | bool

- name: Install Metricbeat latest version - rpm - standalone
ansible.builtin.package:
name: metricbeat
state: latest
notify:
- Restart Metricbeat
when:
- elasticstack_version is defined
- elasticstack_version == "latest"
- ansible_os_family == "RedHat"
- not elasticstack_full_stack | bool


- name: Install Metricbeat latest version - deb
ansible.builtin.package:
name: metricbeat
state: latest
notify:
- Restart Metricbeat
when:
- elasticstack_version is defined
- elasticstack_version == "latest"
- ansible_os_family == "Debian"

- name: Configure Metricbeat
ansible.builtin.template:
src: metricbeat.yml.j2
Expand Down
3 changes: 3 additions & 0 deletions roles/elasticsearch/tasks/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -141,6 +141,7 @@
- name: Install Elasticsearch - rpm - full stack
ansible.builtin.package:
name: "{{ elasticsearch_package }}"
state: present
enablerepo:
- 'elastic-{% if elasticstack_variant == "oss" %}oss-{% endif %}{{ elasticstack_release }}.x'
when:
Expand All @@ -150,13 +151,15 @@
- name: Install Elasticsearch - rpm - standalone
ansible.builtin.package:
name: "{{ elasticsearch_package }}"
state: present
when:
- ansible_os_family == "RedHat"
- not elasticstack_full_stack | bool

- name: Install Elasticsearch - deb
ansible.builtin.package:
name: "{{ elasticsearch_package }}"
state: present
when:
- ansible_os_family == "Debian"

Expand Down Expand Up @@ -265,7 +268,7 @@
- name: Check for cluster status without security
ansible.builtin.uri:
# kics-scan ignore-line
url: "http://{{ elasticsearch_api_host }}:{{ elasticstack_elasticsearch_http_port }}/_cluster/health?pretty"

Check warning on line 271 in roles/elasticsearch/tasks/main.yml

View workflow job for this annotation

GitHub Actions / security_scan

[MEDIUM] Communication Over HTTP

Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks
register: elasticsearch_cluster_status
ignore_errors: "{{ ansible_check_mode }}"
until: elasticsearch_cluster_status.json.status == "green"
Expand Down
3 changes: 3 additions & 0 deletions roles/kibana/tasks/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,7 @@
- name: Install Kibana - rpm - full stack
ansible.builtin.package:
name: "{{ kibana_package }}"
state: present
enablerepo:
- 'elastic-{% if elasticstack_variant == "oss" %}oss-{% endif %}{{ elasticstack_release }}.x'
notify:
Expand All @@ -65,6 +66,7 @@
- name: Install Kibana - rpm - standalone
ansible.builtin.package:
name: "{{ kibana_package }}"
state: present
notify:
- Restart Kibana
when:
Expand All @@ -74,6 +76,7 @@
- name: Install Kibana - deb
ansible.builtin.package:
name: "{{ kibana_package }}"
state: present
notify:
- Restart Kibana
when:
Expand Down
3 changes: 3 additions & 0 deletions roles/logstash/tasks/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,7 @@
- name: Install Logstash - rpm - full stack
ansible.builtin.package:
name: "{{ logstash_package }}"
state: present
enablerepo:
- 'elastic-{% if elasticstack_variant == "oss" %}oss-{% endif %}{{ elasticstack_release }}.x'
notify:
Expand All @@ -98,6 +99,7 @@
- name: Install Logstash - rpm - standalone
ansible.builtin.package:
name: "{{ logstash_package }}"
state: present
notify:
- Restart Logstash
when:
Expand All @@ -107,6 +109,7 @@
- name: Install Logstash - deb
ansible.builtin.package:
name: "{{ logstash_package }}"
state: present
notify:
- Restart Logstash
when:
Expand Down
Loading