diff --git a/ibm/mas_devops/plugins/modules/cis_dns_entries.py b/ibm/mas_devops/plugins/modules/cis_dns_entries.py index 67689603ec..ff1ce9c20f 100644 --- a/ibm/mas_devops/plugins/modules/cis_dns_entries.py +++ b/ibm/mas_devops/plugins/modules/cis_dns_entries.py @@ -71,10 +71,6 @@ def main(): delete_wildcards = dict( type = 'bool' ), - edge_certificate_routes = dict( - type = 'list', - required = False - ), cis_proxy = dict( type = 'bool', required = False @@ -98,7 +94,6 @@ def main(): updateDNS = module.params['update_dns'] delete_wildcards = module.params['delete_wildcards'] cis_waf = module.params['cis_waf'] - edgeCertRoutes = module.params['edge_certificate_routes'] cisProxy = module.params['cis_proxy'] diff --git a/ibm/mas_devops/plugins/modules/cis_edge_cert_entries.py b/ibm/mas_devops/plugins/modules/cis_edge_cert_entries.py new file mode 100644 index 0000000000..6e63711125 --- /dev/null +++ b/ibm/mas_devops/plugins/modules/cis_edge_cert_entries.py 
@@ -0,0 +1,167 @@
+# coding: utf-8 -*-
+# # (C) Copyright IBM Corp. 2025 All Rights Reserved.
+# Eclipse Public License 2.0 (see https://spdx.org/licenses/EPL-2.0.html)
+
+ANSIBLE_METADATA = {
+ 'metadata_version': '1.0',
+ 'status': ['preview'],
+ 'supported_by': 'community'
+}
+
+DOCUMENTATION = r'''
+---
+module: cis_edge_cert_entries
+
+short_description: Manage MAS CIS Edge Cert entries
+
+version_added: "1.0.0"
+
+description: Manage MAS Edge Certs using IBM Cloud Internet Services.
+
+author:
+ - Andrew Whitfield (@whitfiea)
+'''
+
+import requests
+from requests.exceptions import HTTPError
+from ansible.module_utils.basic import AnsibleModule
+
+def main():
+
+ fields = dict(
+
+ edge_cert_entries = dict(
+ type = "list",
+ required = True,
+ ),
+ cis_crn = dict(
+ type = "str",
+ required = True,
+ ),
+ ibmcloud_apikey = dict(
+ type = "str",
+ required = True,
+ no_log = True,
+ ),
+ mas_instance_id = dict(
+ type = "str",
+ required = True,
+ ),
+ dns_zone = dict(
+ type = "str",
+ ),
+ )
+ module = AnsibleModule(
+ argument_spec=fields,
+ supports_check_mode = True,
+ )
+
+ if any(v == "" for v in [module.params['edge_cert_entries'], module.params['cis_crn'], module.params['ibmcloud_apikey'], module.params['mas_instance_id']]):
+ module.fail_json(msg = f"Required parameters: [edge_cert_entries, cis_crn, ibmcloud_apikey, mas_instance_id] cannot be empty")
+
+ crn = module.params['cis_crn']
+ ibmCloudApiKey = module.params['ibmcloud_apikey']
+ masInstanceId = module.params['mas_instance_id']
+ edgeCertEntries = module.params['edge_cert_entries']
+
+ # User may want to select an specific zone
+ dnsZone = module.params['dns_zone']
+
+ url = "https://iam.cloud.ibm.com/oidc/token"
+
+ payload='apikey=' + ibmCloudApiKey + '&response_type=cloud_iam&grant_type=urn%3Aibm%3Aparams%3Aoauth%3Agrant-type%3Aapikey'
+ headers = {
+ 'Accept': 'application/json',
+ 'Content-Type': 'application/x-www-form-urlencoded'
+ }
+
+ try:
+ response = requests.request("POST", url, 
headers=headers, data=payload)
+
+ # If the response was successful, no Exception will be raised
+
+ if response.status_code != 200:
+ module.fail_json(msg = f"Could not get IBM Cloud Token based on the provided API: {response.content}")
+
+ json_response = response.json()
+ access_token = json_response['access_token']
+
+ # Getting zones
+
+ url = f"https://api.cis.cloud.ibm.com/v1/{crn}/zones"
+
+ payload={}
+ headers = {
+ 'Content-Type': 'application/json',
+ 'Accept': 'application/json',
+ 'X-Auth-User-Token': access_token
+ }
+
+ response = requests.request("GET", url, headers=headers, data=payload)
+ json_response = response.json()
+
+ if response.status_code != 200:
+ module.fail_json(msg = f"Could not get Zones using provided CRN: {response.content}")
+
+ zones = json_response['result']
+
+ # Looking for available zones
+
+ for zone in zones:
+ if(dnsZone and dnsZone == zone['id']):
+ currentZone = zone
+ elif(not dnsZone):
+ currentZone = zone
+
+ zoneName = currentZone['name']
+ zoneId = currentZone['id']
+
+ if len(zones) > 1 and not dnsZone:
+ module.fail_json(msg = f"More than one zone found please choose one and export DNS_ZONE_ID env var.")
+ elif len(zones) == 0:
+ module.fail_json(msg = f"No DNS zones found, aborting...")
+
+ url = f"https://api.cis.cloud.ibm.com/v1/{crn}/zones/{zoneId}/ssl/certificate_packs?per_page=500"
+
+ payload={}
+ headers = {
+ 'Content-Type': 'application/json',
+ 'Accept': 'application/json',
+ 'X-Auth-User-Token': access_token
+ }
+
+ response = requests.request("GET", url, headers=headers, data=payload)
+ json_response = response.json()
+
+ if response.status_code != 200:
+ module.fail_json(msg = f"Could not get SSL Certificates using provided CRN and Zone: {response.content}")
+
+ results = json_response['result']
+
+ msg = ""
+ existingCertHosts = []
+ for certs in results:
+ if certs['type'] == "advanced":
+ for host in certs['hosts']:
+ if masInstanceId in host:
+ existingCertHosts.append(host)
+
+ 
exitingCertHostsFound = len(existingCertHosts)
+
+ entryMissing = False
+ for entryName in edgeCertEntries:
+ if not any(entryName == host for host in existingCertHosts):
+ entryMissing = True
+ msg = msg + f"{entryName} not in exisitng hosts. \n "
+
+ if not entryMissing:
+ msg = "All expected edge cert hosts present in existing edge certificates"
+
+ except requests.exceptions.RequestException as e: # This is the correct syntax
+ module.fail_json(msg = f"Error {e} calling : {url}")
+
+ result = {"changed": False, "reorder": entryMissing, "msg": msg, "exitingCertHostsFound": exitingCertHostsFound}
+ module.exit_json(**result)
+
+if __name__ == '__main__':
+ main()
\ No newline at end of file
diff --git a/ibm/mas_devops/roles/aws_documentdb_user/tasks/main.yml b/ibm/mas_devops/roles/aws_documentdb_user/tasks/main.yml
index 00a312f6b9..77c3e89564 100644
--- a/ibm/mas_devops/roles/aws_documentdb_user/tasks/main.yml
+++ b/ibm/mas_devops/roles/aws_documentdb_user/tasks/main.yml
@@ -45,10 +45,18 @@ docdb_instance_password: "{{ lookup('password', '/dev/null length=20 chars=ascii_lowercase,ascii_uppercase,digits') }}" when: docdb_instance_password is undefined or docdb_instance_password == "" -- name: "Download Amazon DocumentDB public key" +- name: "Download Amazon DocumentDB public CA certs" shell: | wget https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem -O /tmp/global-bundle.pem +- name: "Download Amazon DocumentDB public govcloud CA certs" + shell: | + wget https://truststore.pki.us-gov-west-1.rds.amazonaws.com/global/global-bundle.pem -O /tmp/global-bundle-govcloud.pem + +- name: "Concatenate PRM files" + shell: | + cat /tmp/global-bundle.pem /tmp/global-bundle-govcloud.pem > /tmp/global-bundle-complete.pem + - name: create js file from template template: src: create_user.js.j2 
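Review bot: `currentZone` is read at `zoneName = currentZone['name']` before the `len(zones) == 0` check that follows it, so an account with no zones, or a `dns_zone` id that matches none of them, dies with an UnboundLocalError instead of the intended `fail_json` message; the zone checks belong before the lookup, with an explicit failure when nothing matched. None of the three `requests.request` calls pass a `timeout`, so a stalled IAM or CIS endpoint hangs the play indefinitely; `timeout=30` (a constructed value) on each would bound it. `masInstanceId in host` is a substring test, so if instance ids can be prefixes of one another (say `mas1` and `mas10`) the other instance's hosts are counted as existing; matching the id as a whole label would avoid that. The `HTTPError` import is unused and the key `exitingCertHostsFound` in the returned result looks like a typo for `existingCertHostsFound`, but callers would need updating together with it.
```python
zones = json_response['result']

# Fail before indexing so an empty result or an unmatched dns_zone
# yields the intended message rather than an UnboundLocalError.
if len(zones) == 0:
    module.fail_json(msg = f"No DNS zones found, aborting...")
elif len(zones) > 1 and not dnsZone:
    module.fail_json(msg = f"More than one zone found please choose one and export DNS_ZONE_ID env var.")

currentZone = next((zone for zone in zones if not dnsZone or dnsZone == zone['id']), None)
if currentZone is None:
    module.fail_json(msg = f"DNS zone {dnsZone} not found in the provided CRN")

zoneName = currentZone['name']
zoneId = currentZone['id']
# … unchanged: certificate_packs lookup and host comparison …
```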
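Review bot: The two bundles that become the TLS trust anchor for every later `mongosh --tlsCAFile` call are fetched with `wget` inside `shell` and written to fixed, predictable paths under `/tmp`, with no integrity check and no idempotence; `ansible.builtin.get_url` with `dest` (and a `checksum:` where the deployment can tolerate pinning AWS's bundle) makes the download verified and skip-on-unchanged, and a directory from `ansible.builtin.tempfile` avoids sharing a world-writable path with other users of the controller. The concatenation step has the same shape and could be `ansible.builtin.assemble` or a single `get_url` loop writing into that directory. The task name `Concatenate PRM files` looks like a typo for `PEM`.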
@@ -66,20 +74,20 @@ - name: Create docdb user for MAS instance shell: | - mongosh --tls --host {{ docdb_hosts }} --tlsCAFile /tmp/global-bundle.pem --username {{ docdb_master_username }} --password {{ docdb_master_password }} /tmp/create_user.js + mongosh --tls --host {{ docdb_hosts }} --tlsCAFile /tmp/global-bundle-complete.pem --username {{ docdb_master_username }} --password {{ docdb_master_password }} /tmp/create_user.js register: creating_user_output when: user_action == 'add' failed_when: creating_user_output.rc not in [0] and ('User already exists' not in creating_user_output.stderr ) - name: Change docdb user password for MAS instance shell: | - mongosh --tls --host {{ docdb_hosts }} --tlsCAFile /tmp/global-bundle.pem --username {{ docdb_master_username }} --password {{ docdb_master_password }} /tmp/change_user_password.js + mongosh --tls --host {{ docdb_hosts }} --tlsCAFile /tmp/global-bundle-complete.pem --username {{ docdb_master_username }} --password {{ docdb_master_password }} /tmp/change_user_password.js register: change_user_password_output when: user_action == 'add' and creating_user_output.rc not in [0] and ('User already exists' in creating_user_output.stderr ) - name: Drop docdb user of MAS instance shell: | - mongosh --tls --host {{ docdb_hosts }} --tlsCAFile /tmp/global-bundle.pem --username {{ docdb_master_username }} --password {{ docdb_master_password }} /tmp/drop_user.js + mongosh --tls --host {{ docdb_hosts }} --tlsCAFile /tmp/global-bundle-complete.pem --username {{ docdb_master_username }} --password {{ docdb_master_password }} /tmp/drop_user.js register: drop_user_password_output when: user_action == 'remove' diff --git a/ibm/mas_devops/roles/ocp_provision/tasks/main.yml b/ibm/mas_devops/roles/ocp_provision/tasks/main.yml index b5df6a3dba..ba0a6c9de1 100644 --- a/ibm/mas_devops/roles/ocp_provision/tasks/main.yml +++ b/ibm/mas_devops/roles/ocp_provision/tasks/main.yml 
@@ -29,12 +29,12 @@ ocp_version: "{{ rotate_ocp_version[ansible_date_time['weekday']] ~ ('_openshift' if cluster_type == 'roks' else '') }}" vars: rotate_ocp_version: - Monday: 4.17 - Tuesday: 4.15 - Wednesday: 4.14 - Thursday: 4.16 - Friday: 4.15 - Saturday: 4.17 + Monday: 4.18 + Tuesday: 4.17 + Wednesday: 4.16 + Thursday: 4.15 + Friday: 4.14 + Saturday: 4.18 Sunday: 4.16 - name: "Set default OCP version" diff --git a/ibm/mas_devops/roles/ocp_provision/tasks/providers/fyre/provision_fyre.yml b/ibm/mas_devops/roles/ocp_provision/tasks/providers/fyre/provision_fyre.yml index 9a98dc6209..8b813ad1ca 100644 --- a/ibm/mas_devops/roles/ocp_provision/tasks/providers/fyre/provision_fyre.yml +++ b/ibm/mas_devops/roles/ocp_provision/tasks/providers/fyre/provision_fyre.yml @@ -55,11 +55,7 @@ force_basic_auth: yes validate_certs: false register: _cluster_exist - failed_when: _cluster_exist.status == 403 - -- name: "fyre : Debug cluster lookup" - debug: - var: _cluster_exist + failed_when: _cluster_exist.status in [403, 401] # Forbidden, Unauthorized # 4. Deploy the OCP+ cluster diff --git a/ibm/mas_devops/roles/suite_certs/tasks/cis.yml b/ibm/mas_devops/roles/suite_certs/tasks/cis.yml index 538a65574f..e2a783bdd1 100644 --- a/ibm/mas_devops/roles/suite_certs/tasks/cis.yml +++ b/ibm/mas_devops/roles/suite_certs/tasks/cis.yml @@ -52,7 +52,6 @@ ibmcloud_apikey: "{{ cis_apikey }}" dns_entries: "{{ dns_entries['nowildcard'] }}" cis_waf: null - edge_certificate_routes: null cis_proxy: "{{ cis_proxy }}" register: dnsoutput diff --git a/ibm/mas_devops/roles/suite_db2_setup_for_facilities/tasks/db2/preparedb.yml b/ibm/mas_devops/roles/suite_db2_setup_for_facilities/tasks/db2/preparedb.yml index 88bbfacfc2..aff48acdac 100644 --- a/ibm/mas_devops/roles/suite_db2_setup_for_facilities/tasks/db2/preparedb.yml +++ b/ibm/mas_devops/roles/suite_db2_setup_for_facilities/tasks/db2/preparedb.yml 
@@ -39,29 +39,47 @@ ansible.builtin.shell: | oc exec -n {{ db2_namespace }} -ti {{ db2_pod_name }} -- sudo chmod 777 /tmp/prepare_db_files/create-tablespaces.sql /tmp/prepare_db_files/create-schema.sql /tmp/prepare_db_files/db2configdb.sh register: shell_status + until: shell_status.rc == 0 + retries: 5 + delay: 60 # seconds - name: Disable HA for maintanance ansible.builtin.shell: | oc exec -n {{ db2_namespace }} -ti {{ db2_pod_name }} -- sudo wvcli system disable -m "Disable HA before Db2 maintenance" register: shell_status + until: shell_status.rc == 0 + retries: 5 + delay: 60 # seconds - name: Executing db2configdb.sh ansible.builtin.shell: | oc exec -n {{ db2_namespace }} -ti {{ db2_pod_name }} -- su - db2inst1 -c "sh /tmp/prepare_db_files/db2configdb.sh " register: shell_status + until: shell_status.rc == 0 + retries: 5 + delay: 60 # seconds - name: Executing create-tablespaces.sql ansible.builtin.shell: | oc exec -n {{ db2_namespace }} -ti {{ db2_pod_name }} -- su - db2inst1 -c "db2 -tvf /tmp/prepare_db_files/create-tablespaces.sql " register: shell_status + until: shell_status.rc == 0 + retries: 5 + delay: 60 # seconds - name: Executing create-schema.sql when: db2_schema is defined ansible.builtin.shell: | oc exec -n {{ db2_namespace }} -ti {{ db2_pod_name }} -- su - db2inst1 -c "db2 -tvf /tmp/prepare_db_files/create-schema.sql " register: shell_status + until: shell_status.rc == 0 + retries: 5 + delay: 60 # seconds - name: Enable HA after maintenance ansible.builtin.shell: | oc exec -n {{ db2_namespace }} -ti {{ db2_pod_name }} -- sudo wvcli system enable -m "Enable HA after Db2 maintenance" register: shell_status + until: shell_status.rc == 0 + retries: 5 + delay: 60 # seconds diff --git a/ibm/mas_devops/roles/suite_db2_setup_for_facilities/tasks/main.yml b/ibm/mas_devops/roles/suite_db2_setup_for_facilities/tasks/main.yml index 93fa97fdd7..5156aab761 100644 --- a/ibm/mas_devops/roles/suite_db2_setup_for_facilities/tasks/main.yml 
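Review bot: The same `until: shell_status.rc == 0` / `retries: 5` / `delay: 60` triple is pasted onto all six tasks in this hunk; pulling the two numbers into role defaults (e.g. `db2_prepare_retries` and `db2_prepare_delay`, names constructed here) keeps them tunable in one place. Each retry re-runs `db2configdb.sh` and the `db2 -tvf` scripts from the top, so a retry after a partial first run relies on those scripts being safe to repeat; if that has been checked, a one-line comment on the `until:` saying so would save the next reader the question. The `# seconds` comment on every `delay` is redundant, since Ansible's `delay` is always in seconds.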
+++ b/ibm/mas_devops/roles/suite_db2_setup_for_facilities/tasks/main.yml @@ -70,23 +70,11 @@ - "Db2 database name ...................... {{ db2_dbname }}" - "Db2 Schema name ........................ {{ db2_schema }}" -# 4. Determine if the schema has been created -# ----------------------------------------------------------------------------- -- name: Checking if schema is already created - kubernetes.core.k8s_exec: - namespace: "{{ db2_namespace }}" - pod: "{{ db2_pod_name }}" - container: db2u - command: su - db2inst1 -c "db2 connect to {{ db2_dbname }} >/dev/null && db2 'select schemaname from syscat.schemata' | grep '{{ db2_schema }}' | tr -d ' ' " > /tmp/ts_numd.txt - register: db2_output - retries: 10 - delay: 60 -# 5. Execute DB2 config enforcement +# 4. Execute DB2 config enforcement # ----------------------------------------------------------------------------- -- include_tasks: tasks/apply-db2-dbconfig.yml - when: ( db2_output.stdout_lines | length ) == 0 +- name: apply Real Estate and Facilities configurations for db2 + include_tasks: tasks/apply-db2-dbconfig.yml - name: run prepare DB scripts include_tasks: db2/preparedb.yml - when: ( db2_output.stdout_lines | length ) == 0 diff --git a/ibm/mas_devops/roles/suite_dns/README.md b/ibm/mas_devops/roles/suite_dns/README.md index 6de84df2f8..ce2230f975 100644 --- a/ibm/mas_devops/roles/suite_dns/README.md +++ b/ibm/mas_devops/roles/suite_dns/README.md 
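Review bot: Dropping the `syscat.schemata` check means `apply-db2-dbconfig.yml` and `db2/preparedb.yml` now run on every invocation rather than only when the schema is absent; unless `create-tablespaces.sql` and `create-schema.sql` tolerate existing objects, a second run of the role fails (and, with the retries added to preparedb.yml in this commit, fails slowly). If unconditional re-application is the intent, say so in the renumbered section comment, e.g. `# 4. Execute DB2 config enforcement (always re-applied; scripts are expected to be idempotent)`; otherwise keep a cheaper existence check as the `when:` guard on both include tasks.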
@@ -209,15 +209,26 @@ Location to output the edge-routes-{mas_instance_id}.txt - Environment Variable: `OUTPUT_DIR` - Default: `.` (which will set the directory file in ibm/mas_devops) -### saas_mode -If true: - - saas_edge_certificate_routes.yml.j2 template will be used instead of edge_certificate_routes.yml.j2 - This template omits routes that will not be present in SaaS envs to reduce the hostname count to under 50 so only a single edge route certificate is required - - Ensures that the default edge certificates configured by CIS are excluded from checks, even when the CIS domain includes the MAS instance ID. +### cis_entries_to_add +Comma seperated list of entries to add for edge certificates. These are broken down into functional areas of MAS. The options are: + + - `all` to include all entries (this is the default behaviour) + - `core` to include the MAS Core edge certificates + - `health` to include the MAS Health App edge certificates + - `iot` to include the MAS IoT app edge certificates + - `manage` to include the MAS Manage app edge certificates + - `monitor` to include the MAS Monitor app edge certificates + - `predict` to include the MAS Predict app edge certificates + - `visualinspection` to include the MAS VisualInspection app edge certificates + - `optimizer` to include the MAS Optimizer app edge certificates + - `assist` to include the MAS Assist app edge certificates + - `arcgis` to include the MAS Arcgis edge certificates + - `reportdb` to include the MAS ReportDB edge certificates + - `facilities` to include the MAS Facilities app edge certificates - Optional -- Environment Variable: `SAAS_MODE` -- Default: false +- Environment Variable: `CIS_ENTRIES_TO_ADD` +- Default: `all` Role Variables - AWS Route 53 ------------------------------------------------------------ diff --git a/ibm/mas_devops/roles/suite_dns/defaults/main.yaml b/ibm/mas_devops/roles/suite_dns/defaults/main.yaml index a09c97e70b..4f12faa16f 100644 
--- a/ibm/mas_devops/roles/suite_dns/defaults/main.yaml +++ b/ibm/mas_devops/roles/suite_dns/defaults/main.yaml @@ -65,11 +65,7 @@ delete_wildcards: "{{ lookup('env', 'DELETE_WILDCARDS') | default('false', true) # Override and delete any existing edge certificates in cis instance override_edge_certs: "{{ lookup('env', 'OVERRIDE_EDGE_CERTS') | default('true', true) | bool }}" -# If true: -# - saas_edge_certificate_routes.yml.j2 template will be used instead of edge_certificate_routes.yml.j2 -# This template omits routes that will not be present in SaaS envs to reduce the hostname count to under 50 so only a single edge route certificate is required -# - Ensures that the default edge certificates configured by CIS are excluded from checks, even when the CIS domain includes the MAS instance ID. -saas_mode: "{{ lookup('env', 'SAAS_MODE') | default('false', true) | bool }}" +cis_entries_to_add: "{{ lookup('env', 'CIS_ENTRIES_TO_ADD') | default('all', true) }}" cis_apiservice: group_name: acme.cis.ibm.com diff --git a/ibm/mas_devops/roles/suite_dns/tasks/main.yml b/ibm/mas_devops/roles/suite_dns/tasks/main.yml index 0f184d75b6..911ddb78e6 100644 --- a/ibm/mas_devops/roles/suite_dns/tasks/main.yml +++ b/ibm/mas_devops/roles/suite_dns/tasks/main.yml 
@@ -11,9 +11,19 @@ assert: that: - dns_provider is in supported_dns_providers + fail_msg: "'{{ dns_provider }}' is not a valid value for 'dns_provider' property! Supported DNS providers: {{ supported_dns_providers }}" + +- name: "Check required properties" + assert: + that: - mas_instance_id is defined and mas_instance_id != "" + fail_msg: "MAS_INSTANCE_ID is not set" + +- name: "Check required properties" + assert: + that: - mas_workspace_id is defined and mas_workspace_id != "" - fail_msg: "'{{ dns_provider }}' is not a valid value for 'dns_provider' property! Supported DNS providers: {{ supported_dns_providers }}" + fail_msg: "MAS_WORKSPACE_ID is not set" - name: Debug manual certificate installation when: mas_manual_cert_mgmt != "" and mas_manual_cert_mgmt diff --git a/ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_dns_mgmt.yml b/ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_dns_mgmt.yml index f18aaf8673..0cce7b556d 100644 --- a/ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_dns_mgmt.yml +++ b/ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_dns_mgmt.yml @@ -32,22 +32,6 @@ dns_entries: "{{ lookup('ansible.builtin.template', 'dnsentries.yml.j2') | from_yaml }}" -- name: "cis : Read Edge Certificate Routes" - set_fact: - list_edge_cert_routes: "{{ lookup('ansible.builtin.template', 'edge_certificate_routes.yml.j2') | from_yaml }}" - when: - - not saas_mode - -- name: "cis : Read Edge Certificate Routes (SaaS)" - set_fact: - list_edge_cert_routes: "{{ lookup('ansible.builtin.template', 'saas_edge_certificate_routes.yml.j2') | from_yaml }}" - when: - - saas_mode - -- name: "cis : Define Edge Certificate Routes" - set_fact: - edge_cert_routes: "{{ list_edge_cert_routes['edge_cert_routes'] }}" - - name: "cis : Debug information" debug: msg: 
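Review bot: Two consecutive tasks in this hunk carry the identical name `Check required properties`, which makes play output and `--start-at-task` ambiguous; name them for what they check, e.g. `- name: "Check mas_instance_id is set"` and `- name: "Check mas_workspace_id is set"`, or fold both conditions into one `assert` whose `fail_msg` names the missing variable. Splitting the original three-condition assert is otherwise the right move, since the old `fail_msg` blamed `dns_provider` for every failure.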
@@ -73,7 +57,6 @@ delete_wildcards: "{{ delete_wildcards }}" dns_entries: "{{ dns_entries['nowildcard'] }}" cis_waf: "{{ cis_waf }}" - edge_certificate_routes: "{{ edge_cert_routes }}" cis_proxy: "{{ cis_proxy }}" register: dnsoutput 
@@ -81,6 +64,47 @@ debug: msg: '{{ dnsoutput }}' +- name: "cis : Set edge_certs variables" + set_fact: + edge_certs_all: "{{ (cis_entries_to_add|split(',')) | select('search', 'all') | length > 0 }}" + edge_certs_core: "{{ (cis_entries_to_add|split(',')) | select('search', 'core') | length > 0 }}" + edge_certs_health: "{{ (cis_entries_to_add|split(',')) | select('search', 'health') | length > 0 }}" + edge_certs_iot: "{{ (cis_entries_to_add|split(',')) | select('search', 'ioy') | length > 0 }}" + edge_certs_manage: "{{ (cis_entries_to_add|split(',')) | select('search', 'manage') | length > 0 }}" + edge_certs_monitor: "{{ (cis_entries_to_add|split(',')) | select('search', 'monitor') | length > 0 }}" + edge_certs_predict: "{{ (cis_entries_to_add|split(',')) | select('search', 'predict') | length > 0 }}" + edge_certs_visualinspection: "{{ (cis_entries_to_add|split(',')) | select('search', 'visualinspection') | length > 0 }}" + edge_certs_optimizer: "{{ (cis_entries_to_add|split(',')) | select('search', 'optimizer') | length > 0 }}" + edge_certs_assist: "{{ (cis_entries_to_add|split(',')) | select('search', 'assist') | length > 0 }}" + edge_certs_arcgis: "{{ (cis_entries_to_add|split(',')) | select('search', 'arcgis') | length > 0 }}" + edge_certs_reportdb: "{{ (cis_entries_to_add|split(',')) | select('search', 'reportdb') | length > 0 }}" + edge_certs_facilities: "{{ (cis_entries_to_add|split(',')) | select('search', 'facilities') | length > 0 }}" + +- name: "cis : Debug edge_certs variables" + debug: + msg: + - "edge_certs_all is {{ edge_certs_all }}" + - "edge_certs_core is {{ edge_certs_core }}" + - "edge_certs_health is {{ edge_certs_health }}" + - "edge_certs_iot is {{ edge_certs_iot }}" + - "edge_certs_manage is {{ edge_certs_manage }}" + - "edge_certs_monitor is {{ edge_certs_monitor }}" + - "edge_certs_predict is {{ edge_certs_predict }}" + - "edge_certs_visualinspection is {{ edge_certs_visualinspection }}" + - "edge_certs_optimizer is {{ edge_certs_optimizer 
}}" + - "edge_certs_assist is {{ edge_certs_assist }}" + - "edge_certs_arcgis is {{ edge_certs_arcgis }}" + - "edge_certs_reportdb is {{ edge_certs_reportdb }}" + - "edge_certs_facilities is {{ edge_certs_facilities }}" + +- name: "cis : Read Edge Certificate Routes" + set_fact: + list_edge_cert_routes: "{{ lookup('ansible.builtin.template', 'edge_certificate_routes.yml.j2') | from_yaml }}" + +- name: "cis : Define Edge Certificate Routes" + set_fact: + edge_cert_routes: "{{ list_edge_cert_routes['edge_cert_routes'] }}" + - name: "cis : Show Edge Routes to create the Certificate" debug: msg: diff --git a/ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_edge_certificate.yml b/ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_edge_certificate.yml index 250af99131..71db7224d7 100644 --- a/ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_edge_certificate.yml +++ b/ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_edge_certificate.yml @@ -50,15 +50,9 @@ set_fact: dedicated_list: "{{ _cis_certificates.stdout | from_json | selectattr('hosts','search',mas_instance_id) }}" -# In SaaS, the default edge cert created by CIS already includes mas_instance_id in its hostname, -# so we add an additional check to ensure this default cert is excluded from our search for the dedicated cert. -# Specifically, we look for type: "advanced" (certs ordered by this role will always have this - the default cert has type: "universal"). -# This specialised check is gated behind the saas_mode flag to protect against unintentionally impacting other existing users of this role -- name: "cis : exclude universal certs (SaaS)" +- name: "cis : exclude certs non advanced certificates" set_fact: dedicated_list: "{{ dedicated_list | selectattr('type', 'equalto', 'advanced') }}" - when: - - saas_mode - name: "cis : Verify if is there a dedicated certificate already" set_fact: 
@@ -80,17 +74,32 @@ pause: minutes: 2 -- name: "cis : Delete Existent Advanced Edge Certificate" +- name: "cis : Check if we need to re-order certificates due to install change" + when: not override_edge_certs and hasDedicated + block: + - name: "cis : run cis_edge_cert_entries module to determine if we need to reorder due to entries not present" + ibm.mas_devops.cis_edge_cert_entries: + cis_crn: "{{ cis_crn }}" + ibmcloud_apikey: "{{ cis_apikey }}" + edge_cert_entries: "{{ edge_cert_routes }}" + mas_instance_id: "{{ mas_instance_id }}" + register: edge_cert_output + + - name: "cis : dump output" + debug: + msg: '{{ edge_cert_output }}' + +- name: "cis : Delete Existent Advanced Edge Certificate, if set to override or we need to reorder" ansible.builtin.shell: | ibmcloud cis certificate-delete {{ _cis_domain_id }} {{ dedicatedId }} -i {{ cis_service_name }} -f - when: hasDedicated and override_edge_certs + when: hasDedicated and (override_edge_certs or (edge_cert_output is defined and edge_cert_output["reorder"])) register: _deleted_certificate - name: "Pause for 2 minutes before continuing..." pause: minutes: 2 -- name: "cis : Order certificate if there no dedicated yet" +- name: "cis : Order certificate if there no dedicated yet or we just deleted them" ansible.builtin.shell: | ibmcloud cis certificate-order {{ _cis_domain_id }} --hostnames {{ item|join(',') }} -i {{ cis_service_name }} loop: "{{ edge_cert_routes | batch(50) | list }}" diff --git a/ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_suitedns_basic.yml b/ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_suitedns_basic.yml index 6afbd133c1..b25423864b 100644 --- a/ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_suitedns_basic.yml +++ b/ibm/mas_devops/roles/suite_dns/tasks/providers/cis/cis_suitedns_basic.yml 
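Review bot: `cis_edge_cert_entries` only reports `reorder` when an expected hostname is absent from the existing advanced certificates (its `entryMissing` loop checks one direction), so shrinking `cis_entries_to_add` never triggers a re-order and the previously ordered, larger certificate stays in place; if that is intended, say so in the block name, otherwise the comparison needs to run both ways. The `cis : dump output` debug runs unconditionally; a `verbosity: 1` on it keeps normal runs quiet since the decision is already captured in `reorder`. The delete task's `when:` could shrink to `hasDedicated and (override_edge_certs or (edge_cert_output.reorder | default(false)))`, since `default` handles the undefined case.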
@@ -52,7 +52,6 @@ ibmcloud_apikey: "{{ cis_apikey }}" dns_entries: "{{ dns_entries['wildcard'] }}" cis_waf: null - edge_certificate_routes: null cis_proxy: "{{ cis_proxy }}" register: dnsoutput diff --git a/ibm/mas_devops/roles/suite_dns/templates/edge_certificate_routes.yml.j2 b/ibm/mas_devops/roles/suite_dns/templates/edge_certificate_routes.yml.j2 index e1b3125149..7f50fbeccc 100644 --- a/ibm/mas_devops/roles/suite_dns/templates/edge_certificate_routes.yml.j2 +++ b/ibm/mas_devops/roles/suite_dns/templates/edge_certificate_routes.yml.j2 @@ -1,4 +1,6 @@ +--- edge_cert_routes: +{% if edge_certs_core or edge_certs_all %} - "{{mas_domain}}" - sls.{{mas_domain}} - admin.{{mas_domain}} @@ -6,6 +8,8 @@ edge_cert_routes: - auth.{{mas_domain}} - home.{{mas_domain}} - {{ mas_workspace_id }}.home.{{mas_domain}} +{% endif %} +{% if edge_certs_health | bool or edge_certs_all | bool %} - health.{{mas_domain}} - {{ mas_workspace_id }}.health.{{mas_domain}} - {{ mas_workspace_id }}-all.health.{{mas_domain}} @@ -15,6 +19,8 @@ edge_cert_routes: - {{ mas_workspace_id }}-cron.health.{{mas_domain}} - {{ mas_workspace_id }}-jms.health.{{mas_domain}} - maxinst.health.{{mas_domain}} +{% endif %} +{% if edge_certs_iot | bool or edge_certs_all | bool %} - iot.{{mas_domain}} - {{ mas_workspace_id }}.iot.{{mas_domain}} - messaging.iot.{{mas_domain}} @@ -23,6 +29,8 @@ edge_cert_routes: - {{ mas_workspace_id }}.edgeconfig.iot.{{mas_domain}} - edgeconfigapi.iot.{{mas_domain}} - {{ mas_workspace_id }}.edgeconfigapi.iot.{{mas_domain}} +{% endif %} +{% if edge_certs_manage | bool or edge_certs_all | bool %} - manage.{{mas_domain}} - {{ mas_workspace_id }}.manage.{{mas_domain}} - {{ mas_workspace_id }}-all.manage.{{mas_domain}} 
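Review bot: The first guard added to edge_certificate_routes.yml.j2, `{% if edge_certs_core or edge_certs_all %}`, is the only one without `| bool`; every later guard in this file (`health`, `iot`, `manage`, and the groups in the `-32,21` hunk) applies it. If the facts reach the template as strings rather than booleans, `"False"` is truthy and the core block is always emitted regardless of `cis_entries_to_add`, so make it `{% if edge_certs_core | bool or edge_certs_all | bool %}` for consistency. A short header comment in the template naming the `edge_certs_*` facts it expects from cis_dns_mgmt.yml would also help, since the template is now unusable without them.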
@@ -32,21 +40,57 @@ edge_cert_routes: - {{ mas_workspace_id }}-cron.manage.{{mas_domain}} - {{ mas_workspace_id }}-jms.manage.{{mas_domain}} - maxinst.manage.{{mas_domain}} +{% endif %} +{% if edge_certs_monitor | bool or edge_certs_all | bool %} - monitor.{{mas_domain}} - {{ mas_workspace_id }}.monitor.{{mas_domain}} - admin.monitor.{{mas_domain}} - api.monitor.{{mas_domain}} - {{ mas_workspace_id }}.api.monitor.{{mas_domain}} +{% endif %} +{% if edge_certs_predict | bool or edge_certs_all | bool %} - predict.{{mas_domain}} - {{ mas_workspace_id }}.predict.{{mas_domain}} +{% endif %} +{% if edge_certs_visualinspection | bool or edge_certs_all | bool %} - visualinspection.{{mas_domain}} - {{ mas_workspace_id }}.visualinspection.{{mas_domain}} +{% endif %} +{% if edge_certs_optimizer | bool or edge_certs_all | bool %} - optimizer.{{mas_domain}} - {{ mas_workspace_id }}.optimizer.{{mas_domain}} - api.optimizer.{{mas_domain}} - {{ mas_workspace_id }}.api.optimizer.{{mas_domain}} +{% endif %} +{% if edge_certs_assist | bool or edge_certs_all | bool %} - assist.{{mas_domain}} - {{ mas_workspace_id }}.assist.{{mas_domain}} +{% endif %} +{% if edge_certs_arcgis | bool or edge_certs_all | bool %} - arcgis.{{mas_domain}} - {{ mas_workspace_id }}.argis.{{mas_domain}} +{% endif %} +{% if edge_certs_reportdb | bool or edge_certs_all | bool %} - reportdb.{{mas_domain}} +{% endif %} +{% if edge_certs_facilities | bool or edge_certs_all | bool %} + - facilities.{{mas_domain}} + - {{ mas_workspace_id }}.facilities.{{mas_domain}} + - pod-0.{{ mas_workspace_id }}.facilities.{{mas_domain}} + - pod-1.{{ mas_workspace_id }}.facilities.{{mas_domain}} + - multiagents.{{ mas_workspace_id }}.facilities.{{mas_domain}} + - dataconnectagent.{{ mas_workspace_id }}.facilities.{{mas_domain}} + - dataimportagent.{{ mas_workspace_id }}.facilities.{{mas_domain}} + - extendedformulaagent.{{ mas_workspace_id }}.facilities.{{mas_domain}} + - formularecalcagent.{{ mas_workspace_id 
}}.facilities.{{mas_domain}} + - incomingmailagent.{{ mas_workspace_id }}.facilities.{{mas_domain}} + - objectmigrationagent.{{ mas_workspace_id }}.facilities.{{mas_domain}} + - objectpublishagent.{{ mas_workspace_id }}.facilities.{{mas_domain}} + - maintenanceagent.{{ mas_workspace_id }}.facilities.{{mas_domain}} + - reportqueueagent.{{ mas_workspace_id }}.facilities.{{mas_domain}} + - reservesmtpagent.{{ mas_workspace_id }}.facilities.{{mas_domain}} + - snmpagent.{{ mas_workspace_id }}.facilities.{{mas_domain}} + - wfagent.{{ mas_workspace_id }}.facilities.{{mas_domain}} + - wffutureagent.{{ mas_workspace_id }}.facilities.{{mas_domain}} + - wfnotificationagent.{{ mas_workspace_id }}.facilities.{{mas_domain}} +{% endif %} diff --git a/ibm/mas_devops/roles/suite_dns/templates/saas_edge_certificate_routes.yml.j2 b/ibm/mas_devops/roles/suite_dns/templates/saas_edge_certificate_routes.yml.j2 deleted file mode 100644 index 9424e90c46..0000000000 --- a/ibm/mas_devops/roles/suite_dns/templates/saas_edge_certificate_routes.yml.j2 +++ /dev/null 
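Review bot: The context line `- {{ mas_workspace_id }}.argis.{{mas_domain}}` now sits inside the new `edge_certs_arcgis` guard and looks like a typo for `arcgis`, which would leave the real workspace ArcGIS hostname off the ordered certificate while adding one that is never routed; it predates this commit but the guard now makes it the only workspace entry for that group, so it is worth fixing here: `- {{ mas_workspace_id }}.arcgis.{{mas_domain}}`. The nineteen facilities hostnames in the new block would also be a natural candidate for a loop over an agent-name list, keeping the template shorter and the list easier to audit.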
@@ -1,50 +0,0 @@ -edge_cert_routes: - - "{{mas_domain}}" - - sls.{{mas_domain}} - - admin.{{mas_domain}} - - api.{{mas_domain}} - - auth.{{mas_domain}} - - home.{{mas_domain}} - - {{ mas_workspace_id }}.home.{{mas_domain}} - - health.{{mas_domain}} - - {{ mas_workspace_id }}.health.{{mas_domain}} - - {{ mas_workspace_id }}-all.health.{{mas_domain}} - - {{ mas_workspace_id }}-ui.health.{{mas_domain}} - - {{ mas_workspace_id }}-mea.health.{{mas_domain}} - - {{ mas_workspace_id }}-rpt.health.{{mas_domain}} - - {{ mas_workspace_id }}-cron.health.{{mas_domain}} - - {{ mas_workspace_id }}-jms.health.{{mas_domain}} - - maxinst.health.{{mas_domain}} - - iot.{{mas_domain}} - - {{ mas_workspace_id }}.iot.{{mas_domain}} - - messaging.iot.{{mas_domain}} - - {{ mas_workspace_id }}.messaging.iot.{{mas_domain}} - - edgeconfig.iot.{{mas_domain}} - - {{ mas_workspace_id }}.edgeconfig.iot.{{mas_domain}} - - edgeconfigapi.iot.{{mas_domain}} - - {{ mas_workspace_id }}.edgeconfigapi.iot.{{mas_domain}} - - manage.{{mas_domain}} - - {{ mas_workspace_id }}.manage.{{mas_domain}} - - {{ mas_workspace_id }}-all.manage.{{mas_domain}} - - {{ mas_workspace_id }}-ui.manage.{{mas_domain}} - - {{ mas_workspace_id }}-mea.manage.{{mas_domain}} - - {{ mas_workspace_id }}-rpt.manage.{{mas_domain}} - - {{ mas_workspace_id }}-cron.manage.{{mas_domain}} - - {{ mas_workspace_id }}-jms.manage.{{mas_domain}} - - maxinst.manage.{{mas_domain}} - - monitor.{{mas_domain}} - - {{ mas_workspace_id }}.monitor.{{mas_domain}} - - admin.monitor.{{mas_domain}} - - api.monitor.{{mas_domain}} - - {{ mas_workspace_id }}.api.monitor.{{mas_domain}} - - predict.{{mas_domain}} - - {{ mas_workspace_id }}.predict.{{mas_domain}} - - visualinspection.{{mas_domain}} - - {{ mas_workspace_id }}.visualinspection.{{mas_domain}} - - optimizer.{{mas_domain}} - - {{ mas_workspace_id }}.optimizer.{{mas_domain}} - - api.optimizer.{{mas_domain}} - - {{ mas_workspace_id }}.api.optimizer.{{mas_domain}} - - assist.{{mas_domain}} - - {{ 
mas_workspace_id }}.assist.{{mas_domain}} - - reportdb.{{mas_domain}}