diff --git a/tasks/elasticsearch-Debian.yml b/tasks/elasticsearch-Debian.yml index 48a979b3..ebaaa617 100644 --- a/tasks/elasticsearch-Debian.yml +++ b/tasks/elasticsearch-Debian.yml @@ -1,8 +1,10 @@ --- -- set_fact: force_install=no +- name: set fact force_install to no + set_fact: force_install=no -- set_fact: force_install=yes +- name: set fact force_install to yes + set_fact: force_install=yes when: es_allow_downgrades - name: Debian - Install apt-transport-https to support https APT downloads diff --git a/tasks/elasticsearch-parameters.yml b/tasks/elasticsearch-parameters.yml index 1ac92ffb..13c6472a 100644 --- a/tasks/elasticsearch-parameters.yml +++ b/tasks/elasticsearch-parameters.yml 
@@ -1,39 +1,52 @@ # Check for mandatory parameters -- fail: msg="es_instance_name must be specified and cannot be blank" +- name: fail when es_instance is not defined + fail: msg="es_instance_name must be specified and cannot be blank" when: es_instance_name is not defined or es_instance_name == '' -- fail: msg="es_proxy_port must be specified and cannot be blank when es_proxy_host is defined" +- name: fail when es_proxy_port is not defined or is blank + fail: msg="es_proxy_port must be specified and cannot be blank when es_proxy_host is defined" when: (es_proxy_port is not defined or es_proxy_port == '') and (es_proxy_host is defined and es_proxy_host != '') -- debug: msg="WARNING - It is recommended you specify the parameter 'http.port'" +- name: debug message + debug: msg="WARNING - It is recommended you specify the parameter 'http.port'" when: es_config['http.port'] is not defined -- debug: msg="WARNING - It is recommended you specify the parameter 'transport.tcp.port'" +- name: debug message + debug: msg="WARNING - It is recommended you specify the parameter 'transport.tcp.port'" when: es_config['transport.tcp.port'] is not defined -- debug: msg="WARNING - It is recommended you specify the parameter 'discovery.zen.ping.unicast.hosts'" +- name: debug message + debug: msg="WARNING - It is recommended you specify the parameter 'discovery.zen.ping.unicast.hosts'" when: es_config['discovery.zen.ping.unicast.hosts'] is not defined #If the user attempts to lock memory they must specify a heap size -- fail: msg="If locking memory with bootstrap.memory_lock a heap size must be specified" +- name: fail when heap size is not specified when using memory lock + fail: msg="If locking memory with bootstrap.memory_lock a heap size must be specified" when: es_config['bootstrap.memory_lock'] is defined and es_config['bootstrap.memory_lock'] == True and es_heap_size is not defined #Check if working with security we have an es_api_basic_auth_username and 
es_api_basic_auth_username - otherwise any http calls wont work -- fail: msg="Enabling security requires an es_api_basic_auth_username and es_api_basic_auth_password to be provided to allow cluster operations" +- name: fail when api credentials are not declared when using security + fail: msg="Enabling security requires an es_api_basic_auth_username and es_api_basic_auth_password to be provided to allow cluster operations" when: es_enable_xpack and ("security" in es_xpack_features) and es_api_basic_auth_username is not defined and es_api_basic_auth_password is not defined -- set_fact: file_reserved_users={{ es_users.file.keys() | intersect (reserved_xpack_users) }} +- name: set fact file_reserved_users + set_fact: file_reserved_users={{ es_users.file.keys() | intersect (reserved_xpack_users) }} when: es_users is defined and es_users.file is defined and (es_users.file.keys() | length > 0) and (es_users.file.keys() | intersect (reserved_xpack_users) | length > 0) -- fail: +- name: fail when changing users through file realm + fail: msg: "ERROR: INVALID CONFIG - YOU CANNOT CHANGE RESERVED USERS THROUGH THE FILE REALM. THE FOLLOWING CANNOT BE CHANGED: {{file_reserved_users}}. USE THE NATIVE REALM." 
when: file_reserved_users | default([]) | length > 0 -- set_fact: instance_default_file={{default_file | dirname}}/{{es_instance_name}}_{{default_file | basename}} -- set_fact: instance_init_script={{init_script | dirname }}/{{es_instance_name}}_{{init_script | basename}} -- set_fact: conf_dir={{ es_conf_dir }}/{{es_instance_name}} -- set_fact: m_lock_enabled={{ es_config['bootstrap.memory_lock'] is defined and es_config['bootstrap.memory_lock'] == True }} +- name: set fact instance_default_file + set_fact: instance_default_file={{default_file | dirname}}/{{es_instance_name}}_{{default_file | basename}} +- name: set fact instance_init_script + set_fact: instance_init_script={{init_script | dirname }}/{{es_instance_name}}_{{init_script | basename}} +- name: set fact conf_dir + set_fact: conf_dir={{ es_conf_dir }}/{{es_instance_name}} +- name: set fact m_lock_enabled + set_fact: m_lock_enabled={{ es_config['bootstrap.memory_lock'] is defined and es_config['bootstrap.memory_lock'] == True }} #TODO - if transport.host is not local maybe error on boostrap checks 
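Review bot: The security pre-check in this hunk fails only when both `es_api_basic_auth_username` and `es_api_basic_auth_password` are undefined, because the two `is not defined` tests are joined with `and`; a run that supplies just one of them passes the guard although the message says both are required. Joining them as `(es_api_basic_auth_username is not defined or es_api_basic_auth_password is not defined)` would match the message. Among the new names, `fail when es_instance is not defined` mentions a variable the task does not test (it checks `es_instance_name`, including the blank case). The three `debug message` tasks would be easier to find in play output if each named its parameter, e.g. `warn when http.port is not set`; the same generic name recurs in the security-native hunks.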
@@ -44,13 +57,19 @@ #Centos 7 and up #Relies on elasticsearch distribution installing a serviced script to determine whether one should be copied. -- set_fact: use_system_d={{(ansible_distribution == 'Debian' and ansible_distribution_version | version_compare('8', '>=')) or (ansible_distribution in ['RedHat','CentOS'] and ansible_distribution_version | version_compare('7', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_version | version_compare('15', '>=')) }} +- name: set fact use_system_d + set_fact: use_system_d={{(ansible_distribution == 'Debian' and ansible_distribution_version | version_compare('8', '>=')) or (ansible_distribution in ['RedHat','CentOS'] and ansible_distribution_version | version_compare('7', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_version | version_compare('15', '>=')) }} -- set_fact: instance_sysd_script={{sysd_script | dirname }}/{{es_instance_name}}_{{sysd_script | basename}} +- name: set fact instance_sysd_script + set_fact: instance_sysd_script={{sysd_script | dirname }}/{{es_instance_name}}_{{sysd_script | basename}} when: use_system_d #For directories we also use the {{inventory_hostname}}-{{ es_instance_name }} - this helps if we have a shared SAN. -- set_fact: instance_suffix={{inventory_hostname}}-{{ es_instance_name }} -- set_fact: pid_dir={{ es_pid_dir }}/{{instance_suffix}} -- set_fact: log_dir={{ es_log_dir }}/{{instance_suffix}} -- set_fact: data_dirs={{ es_data_dirs | append_to_list('/'+instance_suffix) }} +- name: set fact instance_suffix + set_fact: instance_suffix={{inventory_hostname}}-{{ es_instance_name }} +- name: set fact pid_dir + set_fact: pid_dir={{ es_pid_dir }}/{{instance_suffix}} +- name: set fact log_dir + set_fact: log_dir={{ es_log_dir }}/{{instance_suffix}} +- name: set fact log_dir + set_fact: data_dirs={{ es_data_dirs | append_to_list('/'+instance_suffix) }} 
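Review bot: The last task added in this hunk is named `set fact log_dir` but assigns `data_dirs`, so play output shows two consecutive `log_dir` tasks and none for the data directories. Rename it to `- name: set fact data_dirs`.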
diff --git a/tasks/elasticsearch-plugins.yml b/tasks/elasticsearch-plugins.yml index 01c275e7..5d4e2d81 100644 --- a/tasks/elasticsearch-plugins.yml +++ b/tasks/elasticsearch-plugins.yml @@ -2,12 +2,15 @@ # es_plugins_reinstall will be set to true if elasticsearch_install_from_repo.changed or elasticsearch_install_from_package.changed # i.e. we have changed ES version(or we have clean installation of ES), or if no plugins listed. Otherwise it is false and requires explicitly setting. -- set_fact: es_plugins_reinstall=true +- name: set fact es_plugins_reinstall to true + set_fact: es_plugins_reinstall=true when: (((debian_elasticsearch_install_from_repo is defined and debian_elasticsearch_install_from_repo.changed) or (redhat_elasticsearch_install_from_repo is defined and redhat_elasticsearch_install_from_repo.changed)) or (elasticsearch_install_from_package is defined and elasticsearch_install_from_package.changed)) or es_plugins is not defined or es_plugins is none -- set_fact: list_command="" +- name: set fact list_command + set_fact: list_command="" #If we are reinstalling all plugins, e.g. to a version change, we need to remove all plugins (inc. x-pack) to install any plugins. Otherwise we don't consider x-pack so the role stays idempotent. -- set_fact: list_command="| grep -vE 'x-pack'" +- name: set fact list_command check for x-pack + set_fact: list_command="| grep -vE 'x-pack'" when: not es_plugins_reinstall #List currently installed plugins. We have to list the directories as the list commmand fails if the ES version is different than the plugin version. 
@@ -23,19 +26,23 @@ ES_INCLUDE: "{{ instance_default_file }}" #if es_plugins_reinstall is set to true we remove ALL plugins -- set_fact: plugins_to_remove="{{ installed_plugins.stdout_lines | default([]) }}" +- name: set fact plugins_to_remove to install_plugins.stdout_lines + set_fact: plugins_to_remove="{{ installed_plugins.stdout_lines | default([]) }}" when: es_plugins_reinstall #if the plugins listed are different than those requested, we remove those installed but not listed in the config -- set_fact: plugins_to_remove="{{ installed_plugins.stdout_lines | difference(es_plugins | json_query('[*].plugin')) | default([]) }}" +- name: set fact plugins_to_remove to delete plugins installed but not listed in es_plugins + set_fact: plugins_to_remove="{{ installed_plugins.stdout_lines | difference(es_plugins | json_query('[*].plugin')) | default([]) }}" when: not es_plugins_reinstall #if es_plugins_reinstall is set to true we (re)install ALL plugins -- set_fact: plugins_to_install="{{ es_plugins | json_query('[*].plugin') | default([]) }}" +- name: set fact plugins_to_install to es_plugins + set_fact: plugins_to_install="{{ es_plugins | json_query('[*].plugin') | default([]) }}" when: es_plugins_reinstall #if the plugins listed are different than those requested, we install those not installed but listed in the config -- set_fact: plugins_to_install="{{ es_plugins | json_query('[*].plugin') | difference(installed_plugins.stdout_lines) | default([]) }}" +- name: set fact to plugins_to_install to those in es_config but not installed + set_fact: plugins_to_install="{{ es_plugins | json_query('[*].plugin') | difference(installed_plugins.stdout_lines) | default([]) }}" when: not es_plugins_reinstall # This removes any currently installed plugins (to prevent errors when reinstalling) diff --git a/tasks/elasticsearch-scripts.yml b/tasks/elasticsearch-scripts.yml index 91708f9b..e38c3b4c 100644 --- a/tasks/elasticsearch-scripts.yml +++ b/tasks/elasticsearch-scripts.yml 
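Review bot: Two of the new task names in this hunk point at variables the tasks do not use. `set fact plugins_to_remove to install_plugins.stdout_lines` reads `installed_plugins.stdout_lines`, and `set fact to plugins_to_install to those in es_config but not installed` works from `es_plugins`, not `es_config`. Names that match the expressions, e.g. `set fact plugins_to_remove to installed_plugins.stdout_lines` and `set fact plugins_to_install to those in es_plugins but not installed`, avoid sending someone reading a failed run to the wrong variable.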
@@ -1,10 +1,12 @@ --- -- set_fact: es_script_dir={{ es_conf_dir }}/{{es_instance_name}} +- name: set fact es_script_dir + set_fact: es_script_dir={{ es_conf_dir }}/{{es_instance_name}} tags: - always -- set_fact: es_script_dir={{es_config['path.scripts']}} +- name: set fact es_script_dir when path.scripts + set_fact: es_script_dir={{es_config['path.scripts']}} when: es_config['path.scripts'] is defined tags: - always diff --git a/tasks/elasticsearch-template.yml b/tasks/elasticsearch-template.yml index 08a97d10..febe3383 100644 --- a/tasks/elasticsearch-template.yml +++ b/tasks/elasticsearch-template.yml @@ -1,6 +1,11 @@ --- -- file: path=/etc/elasticsearch/templates state=directory owner={{ es_user }} group={{ es_group }} +- name: ensure templates dir is created + file: + path: /etc/elasticsearch/templates + state: directory + owner: "{{ es_user }}" + group: "{{ es_group }}" - name: Copy templates to elasticsearch copy: src={{ item }} dest=/etc/elasticsearch/templates owner={{ es_user }} group={{ es_group }} diff --git a/tasks/java.yml b/tasks/java.yml index a95b7bdc..a4ecac04 100644 --- a/tasks/java.yml +++ b/tasks/java.yml @@ -1,8 +1,10 @@ --- -- set_fact: java_state="present" +- name: set fact java_state to present + set_fact: java_state="present" -- set_fact: java_state="latest" +- name: set fact java_state to latest + set_fact: java_state="latest" when: update_java == true - name: RedHat - Ensure Java is installed @@ -35,7 +37,8 @@ apt: name={{ java }} state={{java_state}} when: ansible_os_family == 'Debian' -- shell: java -version 2>&1 | grep OpenJDK +- name: register open_jdk version + shell: java -version 2>&1 | grep OpenJDK register: open_jdk ignore_errors: yes changed_when: false diff --git a/tasks/main.yml b/tasks/main.yml index 245c9ea2..459b40e9 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
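Review bot: The rewritten `file` task in the tasks/elasticsearch-template.yml hunk sets owner and group for /etc/elasticsearch/templates but no `mode`, so a newly created directory gets whatever the remote umask yields and an existing one keeps its current permissions. Since the task is being converted to block form anyway, state the mode explicitly as a quoted string, e.g. `mode: "0755"` (the value is a suggestion; use what the role intends). The `copy` task that follows, only partly visible in the hunk, still uses the key=value form and has the same gap.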
@@ -9,35 +9,42 @@ tags: - always -- include: java.yml +- name: include java.yml + include: java.yml when: es_java_install tags: - java -- include: elasticsearch.yml +- name: include elasticsearch.yml + include: elasticsearch.yml tags: - install -- include: elasticsearch-config.yml +- name: include elasticsearch-config.yml + include: elasticsearch-config.yml tags: - config -- include: elasticsearch-scripts.yml +- name: include elasticsearch-scripts.yml + include: elasticsearch-scripts.yml when: es_scripts tags: - scripts -- include: elasticsearch-plugins.yml +- name: include elasticsearch-plugins.yml + include: elasticsearch-plugins.yml when: es_plugins is defined or es_plugins_reinstall tags: - plugins #We always execute xpack as we may need to remove features -- include: xpack/elasticsearch-xpack.yml +- name: include xpack/elasticsearch-xpack.yml + include: xpack/elasticsearch-xpack.yml tags: - xpack -- meta: flush_handlers +- name: flush handlers + meta: flush_handlers - name: Make sure elasticsearch is started service: name={{instance_init_script | basename}} state=started enabled=yes @@ -47,9 +54,11 @@ wait_for: host={{es_api_host}} port={{es_api_port}} delay=5 connect_timeout=1 when: es_restarted is defined and es_restarted.changed and es_start_service -- set_fact: manage_native_realm=false +- name: set fact manage_native_realm to false + set_fact: manage_native_realm=false -- set_fact: manage_native_realm=true +- name: set fact manage_native_realm to true + set_fact: manage_native_realm=true when: es_start_service and (es_enable_xpack and "security" in es_xpack_features) and ((es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined)) # If playbook runs too fast, Native commands could fail as the Native Realm is not yet up 
@@ -62,12 +71,14 @@ when: es_start_service and es_enable_xpack and es_xpack_license is defined and es_xpack_license != '' #perform security actions here now elasticsearch is started -- include: ./xpack/security/elasticsearch-security-native.yml +- name: include xpack/security/elasticsearch-security-native.yml + include: ./xpack/security/elasticsearch-security-native.yml when: manage_native_realm #Templates done after restart - handled by flushing the handlers. e.g. suppose user removes security on a running node and doesn't specify es_api_basic_auth_username and es_api_basic_auth_password. The templates will subsequently not be removed if we don't wait for the node to restart. #We also do after the native realm to ensure any changes are applied here first and its denf up. -- include: elasticsearch-template.yml +- name: include elasticsearch-template.yml + include: elasticsearch-template.yml when: es_templates tags: - - templates \ No newline at end of file + - templates diff --git a/tasks/xpack/elasticsearch-xpack-install.yml b/tasks/xpack/elasticsearch-xpack-install.yml index eba38444..522f8161 100644 --- a/tasks/xpack/elasticsearch-xpack-install.yml +++ b/tasks/xpack/elasticsearch-xpack-install.yml @@ -1,7 +1,8 @@ --- #Test if feature is installed -- shell: "{{es_home}}/bin/elasticsearch-plugin list | grep x-pack" +- name: Test if x-pack is installed + shell: "{{es_home}}/bin/elasticsearch-plugin list | grep x-pack" become: yes register: x_pack_installed changed_when: False diff --git a/tasks/xpack/elasticsearch-xpack.yml b/tasks/xpack/elasticsearch-xpack.yml index 8478a6bc..ec82a68a 100644 --- a/tasks/xpack/elasticsearch-xpack.yml +++ b/tasks/xpack/elasticsearch-xpack.yml 
@@ -1,11 +1,14 @@ --- -- set_fact: es_version_changed={{ ((elasticsearch_install_from_package is defined and (debian_elasticsearch_install_from_repo.changed or redhat_elasticsearch_install_from_repo.changed)) or (elasticsearch_install_from_package is defined and elasticsearch_install_from_package.changed)) }} +- name: set fact es_version_changed + set_fact: es_version_changed={{ ((elasticsearch_install_from_package is defined and (debian_elasticsearch_install_from_repo.changed or redhat_elasticsearch_install_from_repo.changed)) or (elasticsearch_install_from_package is defined and elasticsearch_install_from_package.changed)) }} -- include: elasticsearch-xpack-install.yml +- name: include elasticsearch-xpack-install.yml + include: elasticsearch-xpack-install.yml #Security configuration -- include: security/elasticsearch-security.yml +- name: include security/elasticsearch-security.yml + include: security/elasticsearch-security.yml #Add any feature specific configuration here - name: Set Plugin Directory Permissions diff --git a/tasks/xpack/security/elasticsearch-security-file.yml b/tasks/xpack/security/elasticsearch-security-file.yml index 3bc96680..8d6f8789 100644 --- a/tasks/xpack/security/elasticsearch-security-file.yml +++ b/tasks/xpack/security/elasticsearch-security-file.yml @@ -1,5 +1,6 @@ --- -- set_fact: manage_file_users=es_users is defined and es_users.file is defined and es_users.file.keys() | length > 0 +- name: set fact manage_file_users + set_fact: manage_file_users=es_users is defined and es_users.file is defined and es_users.file.keys() | length > 0 #List current users - name: List Users @@ -9,7 +10,8 @@ when: manage_file_users changed_when: False -- set_fact: users_to_remove={{ current_file_users.stdout_lines | difference (es_users.file.keys()) }} +- name: set fact users_to_remove + set_fact: users_to_remove={{ current_file_users.stdout_lines | difference (es_users.file.keys()) }} when: manage_file_users #Remove users 
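Review bot: The `es_version_changed` expression in the tasks/xpack/elasticsearch-xpack.yml hunk dereferences `debian_elasticsearch_install_from_repo.changed` and `redhat_elasticsearch_install_from_repo.changed` behind a guard that tests `elasticsearch_install_from_package is defined`, so the guard does not cover the variables actually read. The equivalent condition in tasks/elasticsearch-plugins.yml tests each register with its own `is defined` first. If either register can be unset on a host, this task would stop on an undefined variable; guarding each term, e.g. `(debian_elasticsearch_install_from_repo is defined and debian_elasticsearch_install_from_repo.changed)`, would bring the two files into line.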
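Review bot: In the first tasks/xpack/security/elasticsearch-security-file.yml hunk, `manage_file_users` is assigned an expression with no `{{ }}` around it, unlike the other expression-valued facts in this commit such as `m_lock_enabled`, so nothing evaluates it when the fact is set and the fact appears to hold text, not a boolean. Every later `when: manage_file_users`, which gates listing, removing and adding file-realm users, then depends on how the conditional treats that text. Wrapping it makes the intent explicit: `set_fact: manage_file_users={{ es_users is defined and es_users.file is defined and es_users.file.keys() | length > 0 }}`.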
@@ -24,7 +26,8 @@ ES_PATH_CONF: "{{ conf_dir }}" ES_HOME: "{{es_home}}" -- set_fact: users_to_add={{ es_users.file.keys() | difference (current_file_users.stdout_lines) }} +- name: set fact users_to_add + set_fact: users_to_add={{ es_users.file.keys() | difference (current_file_users.stdout_lines) }} when: manage_file_users #Add users @@ -55,7 +58,8 @@ ES_PATH_CONF: "{{ conf_dir }}" ES_HOME: "{{es_home}}" -- set_fact: users_roles={{es_users.file | extract_role_users () }} +- name: set fact users_roles + set_fact: users_roles={{es_users.file | extract_role_users () }} when: manage_file_users #Copy Roles files diff --git a/tasks/xpack/security/elasticsearch-security-native.yml b/tasks/xpack/security/elasticsearch-security-native.yml index c748d386..63024fad 100644 --- a/tasks/xpack/security/elasticsearch-security-native.yml +++ b/tasks/xpack/security/elasticsearch-security-native.yml @@ -1,14 +1,19 @@ --- -- set_fact: change_api_password=false +- name: set fact change_api_password to false + set_fact: change_api_password=false -- set_fact: manage_native_users=false +- name: set fact manage_native_users to false + set_fact: manage_native_users=false -- set_fact: manage_native_users=true +- name: set fact manage_native_users to true + set_fact: manage_native_users=true when: es_users is defined and es_users.native is defined and es_users.native.keys() | length > 0 -- set_fact: manage_native_roles=false +- name: set fact manage_native_role to false + set_fact: manage_native_roles=false -- set_fact: manage_native_roles=true +- name: set fact manange_native_roles to true + set_fact: manage_native_roles=true when: es_roles is defined and es_roles.native is defined and es_roles.native.keys() | length > 0 #If the node has just has security installed it maybe either stopped or started 1. if stopped, we need to start to load native realms 2. if started, we need to restart to load 
@@ -25,18 +30,22 @@ register: user_list_response when: manage_native_users -- set_fact: reserved_users={{ user_list_response.json | filter_reserved }} +- name: set fact reserved_users equals user_list_response.json + set_fact: reserved_users={{ user_list_response.json | filter_reserved }} when: manage_native_users #Current users not inc. those reserved -- set_fact: current_users={{ user_list_response.json.keys() | difference (reserved_users) }} +- name: set fact current_users equals user_list_response.json.keys not including reserved + set_fact: current_users={{ user_list_response.json.keys() | difference (reserved_users) }} when: manage_native_users #We are changing the es_api_basic_auth_username password, so we need to do it first and update the param -- set_fact: native_users={{ es_users.native }} +- name: set fact native_users + set_fact: native_users={{ es_users.native }} when: manage_native_users -- set_fact: change_api_password=true +- name: set fact change_api_password to true + set_fact: change_api_password=true when: manage_native_users and es_api_basic_auth_username in native_users and native_users[es_api_basic_auth_username].password is defined - name: Update API User Password @@ -51,11 +60,13 @@ force_basic_auth: yes when: change_api_password -- set_fact: es_api_basic_auth_password={{native_users[es_api_basic_auth_username].password}} +- name: set fact es_api_basic_auth_password + set_fact: es_api_basic_auth_password={{native_users[es_api_basic_auth_username].password}} when: change_api_password #Identify users that are present in ES but not declared and thus should be removed -- set_fact: users_to_remove={{ current_users | difference ( native_users.keys() ) }} +- name: set fact users_to_remove + set_fact: users_to_remove={{ current_users | difference ( native_users.keys() ) }} when: manage_native_users #Delete all non required users NOT inc. reserved 
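Review bot: Two `set_fact` tasks here store credentials without `no_log`: `native_users` copies `es_users.native`, whose entries carry a `password`, and `set fact es_api_basic_auth_password` in the `@@ -51,11 +60,13 @@` hunk stores the API password directly. A `set_fact` result includes the facts it set, so both values are printed when the play runs with `-v`. Other tasks in this file already carry `no_log: True`; adding `no_log: True` to these two keeps the passwords out of console and callback logs. The name `set fact reserved_users equals user_list_response.json` is also slightly off, since the value is passed through `filter_reserved`.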
@@ -70,10 +81,12 @@ when: manage_native_users with_items: "{{ users_to_remove | default([]) }}" -- set_fact: users_to_ignore={{ native_users.keys() | intersect (reserved_users) }} +- name: set fact users_to_ignore + set_fact: users_to_ignore={{ native_users.keys() | intersect (reserved_users) }} when: manage_native_users -- debug: +- name: debug message + debug: msg: "WARNING: YOU CAN ONLY CHANGE THE PASSWORD FOR RESERVED USERS IN THE NATIVE REALM. ANY ROLE CHANGES WILL BE IGNORED: {{users_to_ignore}}" when: manage_native_users and users_to_ignore | length > 0 @@ -92,7 +105,8 @@ no_log: True with_items: "{{ users_to_ignore | default([]) }}" -- set_fact: users_to_modify={{ native_users.keys() | difference (reserved_users) }} +- name: set fact users_to_modify + set_fact: users_to_modify={{ native_users.keys() | difference (reserved_users) }} when: manage_native_users #Overwrite all other users NOT inc. those reserved 
@@ -125,20 +139,25 @@ register: role_list_response when: manage_native_roles -- set_fact: reserved_roles={{ role_list_response.json | filter_reserved }} +- name: set fact reserved roles + set_fact: reserved_roles={{ role_list_response.json | filter_reserved }} when: manage_native_roles -- set_fact: current_roles={{ role_list_response.json.keys() | difference (reserved_roles) }} +- name: set fact current roles + set_fact: current_roles={{ role_list_response.json.keys() | difference (reserved_roles) }} when: manage_native_roles -- set_fact: roles_to_ignore={{ es_roles.native.keys() | intersect (reserved_roles) | default([]) }} +- name: set fact roles to ignore + set_fact: roles_to_ignore={{ es_roles.native.keys() | intersect (reserved_roles) | default([]) }} when: manage_native_roles -- debug: +- name: debug message + debug: msg: "WARNING: YOU CANNOT CHANGE RESERVED ROLES. THE FOLLOWING WILL BE IGNORED: {{roles_to_ignore}}" when: manage_native_roles and roles_to_ignore | length > 0 -- set_fact: roles_to_remove={{ current_roles | difference ( es_roles.native.keys() ) }} +- name: set fact roles_to_remove + set_fact: roles_to_remove={{ current_roles | difference ( es_roles.native.keys() ) }} when: manage_native_roles #Delete all non required roles NOT inc. reserved @@ -153,7 +172,8 @@ when: manage_native_roles with_items: "{{roles_to_remove | default([]) }}" -- set_fact: roles_to_modify={{ es_roles.native.keys() | difference (reserved_roles) }} +- name: set fact roles_to_modify + set_fact: roles_to_modify={{ es_roles.native.keys() | difference (reserved_roles) }} when: manage_native_roles #Update other roles - NOT inc. reserved roles @@ -168,4 +188,4 @@ password: "{{es_api_basic_auth_password}}" force_basic_auth: yes when: manage_native_roles - with_items: "{{ roles_to_modify | default([]) }}" \ No newline at end of file + with_items: "{{ roles_to_modify | default([]) }}"