Commit a013469f authored by Anders Harrisson's avatar Anders Harrisson

Merge branch 'icshwi_8516_create_awx_data' into 'master'

ICSHWI-8516: Create AWX data

See merge request ics-ansible-galaxy/ics-ans-ccce!15
parents 8e44c6db ae81fb59
exclude_paths:
- molecule/default/create.yml
- molecule/default/prepare.yml
skip_list:
- '602'
- '204'
......
......@@ -7,3 +7,4 @@ __pycache__
*.pyc
playbook.retry
.vault_pass
.vscode
......@@ -2,6 +2,21 @@
Ansible playbook to install CCCE.
## Usage
This playbook will set up a host in order to run the CCCE deployment tool. This will further set up the necessary
infrastructure in the appropriate AWX instance that is needed for the deployment tool to run correctly. There is
a small amount of setup work that needs to be in place first, however:
* You must add a machine credential to the appropriate AWX instance to allow it to log into the hosts that you
would like it to deploy to
* You must create a technical user on the AWX instance that is used by the deployment tool to trigger AWX jobs
* You must create a token for the technical user to allow it access to the AWX instance
* That token should be stored in `ccce_awx_token` (it should, of course, be vaulted.)
Once this is done, you should be able to run this playbook on your desired host, and have a working CCCE
deployment tool.
## License
BSD 2-clause
......@@ -79,3 +79,24 @@ gitlab_allowed_group_id: 698
ccce_openapi_server: "{{ ccce_server_address }}"
ccce_openapi_dev_server: "{{ ccce_server_address }}"
ccce_awx_suffix: ""
ccce_ioc_deploy_playbook_branch: "1.0.0-rc3"
ccce_default_nonvolatile_server: nonvolatile-tn-01.tn.esss.lu.se
ccce_awx_job_template_name: ccce-deploy-ioc
ccce_awx_notification_token: ccce
ccce_awx_technical_user_username: ccce
ccce_awx_validate_certs: true
ccce_awx_project_scm_type: git
ccce_awx_project_scm_update_on_launch: true
ccce_awx_project_name: ics-ans-lab-ioc-deploy-master
ccce_awx_project_scm_url: https://gitlab.esss.lu.se/ccce/dev/ics-ans-lab-ioc-deploy.git
ccce_awx_admin_username: ccce-admin
ccce_awx_admin_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
35333230356631323230396332316631643765643733396465396236343866383466356634353733
3834346132613039623761623761366535623263613336310a323565656432346133663739646164
63353034383538323531313030343032626162636237313664623835346434386165336566336438
3335383434323339630a326530643734303665393963336136376432363230626365353039363635
3531
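Review bot: `ccce_awx_notification_token: ccce` is the shared secret that the playbook's notification templates send as the `CCCE-TOKEN` header on every AWX webhook callback, yet it is committed in clear text with a value equal to the technical username, while the neighbouring `ccce_awx_admin_password` and (in the host vars) `ccce_awx_token` are vaulted. Anyone with read access to this repository can therefore present valid-looking AWX callbacks to the CCCE API. Replace the value with a randomly generated string stored as `ccce_awx_notification_token: !vault |` next to the other secrets, and add `# Shared secret the CCCE backend uses to authenticate AWX webhook callbacks; keep vaulted` above it. The matching value on the CCCE backend side is not visible in this hunk and presumably needs the same update.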
......@@ -17,3 +17,5 @@ ccce_awx_token: !vault |
65303833653430326537653839666463623861353533376564396131663761666462323838666535
3538313537363532380a366663643530346631646233633039653366353932383732393563393637
37396430333961353064323436366364363866616334386564613664393631663663
ccce_awx_inventory: csentry
ccce_awx_machine_credential: ioc-deploy-prod-key
......@@ -7,6 +7,21 @@ ccce_database_password: !vault |
3935633639316364620a653731373630393761373264353538643664343263653035646535653036
38313437313533396539383136383261646438663032613865383261663334653164
ccce_awx_job_template_name: ccce-ioc-deployment-demo
ccce_awx_host: https://awx-lab-01.cslab.esss.lu.se
gitlab_allowed_group_id: 611
ccce_rbac_server_address: https://rbac.esss.lu.se/service/
ccce_web_environment_title: DEMO
ccce_awx_suffix: -demo
ccce_ioc_deploy_playbook_branch: master
ccce_default_nonvolatile_server: nonvolatile-ccce-01.cslab.esss.lu.se
ccce_awx_inventory: csentry-from-torn
ccce_awx_machine_credential: ioc-deploy-test
ccce_awx_validate_certs: false
ccce_awx_admin_username: ccce-admin
ccce_awx_admin_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
62646434633539663335663032376431326334623838376531303837393737363063396136333166
3732643636363165656464656564306238386435663736610a333831613765306535316632653332
39393738663963613738373933616235666632363035343035323363323531383033346562376635
6438343563393334660a323362333661313431393362376564363839303162373534633935363061
3137
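Review bot: `ccce_awx_validate_certs: false` on the demo host (and again in the test host vars that follow) disables certificate verification towards `ccce_awx_host: https://awx-lab-01.cslab.esss.lu.se`, so the vaulted `ccce_awx_admin_password` is submitted to whichever endpoint answers for that name. The group default in this same commit sets `ccce_awx_validate_certs: true`; if the lab AWX presents a certificate from an internal CA, trusting that CA on the controller host keeps verification on, and `false` can stay limited to the Molecule scenario. At minimum record why the exception exists inline, e.g. `ccce_awx_validate_certs: false  # lab AWX certificate not trusted by the controller yet; TODO trust the lab CA and remove`.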
---
ccce_awx_job_template_name: ccce-ioc-deployment-test
ccce_awx_host: https://awx-lab-01.cslab.esss.lu.se
gitlab_allowed_group_id: 611
ccce_backend_container_image_tag: master
ccce_frontend_container_image_tag: ICSHWI-8059_Confirm_for_start-stop
ccce_backend_container_image_tag: develop
ccce_frontend_container_image_tag: develop
ccce_rbac_server_address: https://icsvs-app01.esss.lu.se/rbac/service/
ccce_web_environment_title: TEST
ccce_awx_suffix: -test
ccce_ioc_deploy_playbook_branch: master
ccce_default_nonvolatile_server: nonvolatile-ccce-01.cslab.esss.lu.se
ccce_awx_inventory: csentry-from-torn
ccce_awx_machine_credential: ioc-deploy-test
ccce_awx_validate_certs: false
ccce_awx_admin_username: ccce-admin
ccce_awx_admin_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
62646434633539663335663032376431326334623838376531303837393737363063396136333166
3732643636363165656464656564306238386435663736610a333831613765306535316632653332
39393738663963613738373933616235666632363035343035323363323531383033346562376635
6438343563393334660a323362333661313431393362376564363839303162373534633935363061
3137
......@@ -3,10 +3,12 @@ dependency:
name: galaxy
options:
role-file: roles/requirements.yml
requirements-file: roles/requirements.yml
lint: |
set -e
yamllint .
ansible-lint
# Workaround to find collections installed by Molecule
ANSIBLE_COLLECTIONS_PATHS=${MOLECULE_EPHEMERAL_DIRECTORY}/collections ansible-lint
flake8
provisioner:
name: ansible
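Review bot: The addition count suggests the bare `ansible-lint` line is kept above the new workaround, so under `set -e` it still runs first: if it cannot resolve the `awx.awx` collection the lint step exits before the `ANSIBLE_COLLECTIONS_PATHS=…` invocation is reached, and if it succeeds the workaround is redundant. Drop the bare `ansible-lint` line and keep only `ANSIBLE_COLLECTIONS_PATHS=${MOLECULE_EPHEMERAL_DIRECTORY}/collections ansible-lint`. Whether the plain invocation actually fails depends on where Molecule installs the collection, which this hunk does not show.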
......@@ -18,12 +20,27 @@ provisioner:
inventory:
host_vars:
ccce-default:
ccce_awx_host: ccce-awx-default
ccce_awx_admin_username: admin
ccce_awx_admin_password: password
ccce_awx_validate_certs: false
ccce_awx_token: 'awx-token'
ccce_csentry_token: 'csentry-token'
ccce_gitlab_client_app_id: 'gitlab-client-app-id'
ccce_gitlab_client_app_secret: 'gitlab-client-app-secret'
ccce_gitlab_technical_user_token: 'gitlab-technical-user-token'
ccce_graylog_token: 'graylog-token'
ccce_awx_project_scm_type: manual
ccce_awx_project_local_path: project
ccce_awx_project_scm_update_on_launch: false
ccce-awx-default:
ccce_awx_host: ccce-awx-default
ccce_awx_admin_username: admin
ccce_awx_admin_password: password
ccce_awx_validate_certs: false
ccce_awx_technical_user_username: ccce
ccce_awx_technical_user_password: ccce
verifier:
name: testinfra
driver:
......@@ -35,7 +52,23 @@ platforms:
box: centos/7
memory: 2048
cpus: 1
interfaces:
- network_name: private_network
type: dhcp
auto_config: true
instance_raw_config_args:
- "vbguest.auto_update = false"
groups:
- ccce
- name: ccce-awx-default
box: centos/7
memory: 2048
cpus: 1
interfaces:
- network_name: private_network
type: dhcp
auto_config: true
instance_raw_config_args:
- "vbguest.auto_update = false"
groups:
- awx
---
- name: Prepare
hosts: all
gather_facts: false
become: true
gather_facts: true
tasks:
- name: Install python for Ansible
raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal)
become: true
changed_when: false
- name: Update /etc/hosts
lineinfile:
dest: /etc/hosts
regexp: '.*\b{{ item }}$'
line: '{{ hostvars[item]["ansible_eth1"]["ipv4"]["address"] }} {{ item }}'
mode: 0644
loop: "{{ ansible_play_hosts }}"
- name: Prepare AWX test instance
hosts: awx
become: true
gather_facts: true
roles:
- ics-ans-role-awx
tasks:
- name: Add playbook project for Molecule
command: "docker exec awx_web bash -c 'mkdir -p /var/lib/awx/projects/project && echo -e \"---\n- hosts: all\n tasks: []\" > /var/lib/awx/projects/project/playbook.yml'"
- name: Create AWX technical user
awx.awx.tower_user:
tower_host: "{{ ccce_awx_host }}"
tower_username: "{{ ccce_awx_admin_username }}"
tower_password: "{{ ccce_awx_admin_password }}"
validate_certs: "{{ ccce_awx_validate_certs }}"
username: "{{ ccce_awx_technical_user_username }}"
password: "{{ ccce_awx_technical_user_password }}"
update_secrets: false
state: present
......@@ -3,7 +3,125 @@
become: true
roles:
- ics-ans-role-traefik
collections:
- awx.awx
tasks:
- name: Create deployment notification template
awx.awx.tower_notification_template:
name: ccce-ioc-deployment-notifications{{ ccce_awx_suffix }}
tower_host: "{{ ccce_awx_host }}"
tower_username: "{{ ccce_awx_admin_username }}"
tower_password: "{{ ccce_awx_admin_password }}"
validate_certs: "{{ ccce_awx_validate_certs }}"
organization: "{{ ccce_organization | default('Default') }}"
notification_type: webhook
notification_configuration:
url: "{{ inventory_hostname }}/api/v1/awx/jobs"
headers:
CCCE-TOKEN: "{{ ccce_awx_notification_token }}"
- name: Create command notification template
awx.awx.tower_notification_template:
name: ccce-ioc-command-notifications{{ ccce_awx_suffix }}
tower_host: "{{ ccce_awx_host }}"
tower_username: "{{ ccce_awx_admin_username }}"
tower_password: "{{ ccce_awx_admin_password }}"
validate_certs: "{{ ccce_awx_validate_certs }}"
organization: "{{ ccce_organization | default('Default') }}"
notification_type: webhook
notification_configuration:
url: "{{ inventory_hostname }}/api/v1/awx/commands"
headers:
CCCE-TOKEN: "{{ ccce_awx_notification_token }}"
- name: Create AWX Project
awx.awx.tower_project:
name: "{{ ccce_awx_project_name }}"
tower_host: "{{ ccce_awx_host }}"
tower_username: "{{ ccce_awx_admin_username }}"
tower_password: "{{ ccce_awx_admin_password }}"
validate_certs: "{{ ccce_awx_validate_certs }}"
organization: "{{ ccce_organization | default('Default') }}"
scm_type: "{{ ccce_awx_project_scm_type | default(omit) }}"
scm_url: "{{ ccce_awx_project_scm_url | default(omit) }}"
scm_branch: "{{ ccce_ioc_deploy_playbook_branch | default(omit) }}"
scm_update_on_launch: "{{ ccce_awx_project_scm_update_on_launch | default(omit) }}"
local_path: "{{ ccce_awx_project_local_path | default(omit) }}"
- name: Create AWX inventory
awx.awx.tower_inventory:
name: default_inventory
tower_host: "{{ ccce_awx_host }}"
tower_username: "{{ ccce_awx_admin_username }}"
tower_password: "{{ ccce_awx_admin_password }}"
validate_certs: "{{ ccce_awx_validate_certs }}"
organization: "{{ ccce_organization | default('Default') }}"
when: ccce_awx_inventory is undefined
- name: Create AWX Job template
awx.awx.tower_job_template:
name: "{{ ccce_awx_job_template_name }}"
tower_host: "{{ ccce_awx_host }}"
tower_username: "{{ ccce_awx_admin_username }}"
tower_password: "{{ ccce_awx_admin_password }}"
validate_certs: "{{ ccce_awx_validate_certs }}"
description: "Deploy IOCs from CCCE"
organization: "{{ ccce_organization | default('Default') }}"
job_type: run
inventory: "{{ ccce_awx_inventory | default ('default_inventory') }}"
project: "{{ ccce_awx_project_name }}"
playbook: playbook.yml
credentials: "{{ ccce_awx_machine_credential | default(omit) }}"
extra_vars:
ioc_nonvolatile_server: "{{ ccce_default_nonvolatile_server }}"
use_fact_cache: true
notification_templates_error: ["ccce-ioc-deployment-notifications{{ ccce_awx_suffix }}"]
notification_templates_started: ["ccce-ioc-deployment-notifications{{ ccce_awx_suffix }}"]
notification_templates_success: ["ccce-ioc-deployment-notifications{{ ccce_awx_suffix }}"]
- name: Create AWX roles (job template)
awx.awx.tower_role:
tower_host: "{{ ccce_awx_host }}"
tower_username: "{{ ccce_awx_admin_username }}"
tower_password: "{{ ccce_awx_admin_password }}"
validate_certs: "{{ ccce_awx_validate_certs }}"
user: "{{ ccce_awx_technical_user_username }}"
job_templates:
- "{{ ccce_awx_job_template_name }}"
role: "{{ item }}"
loop:
- read
- execute
- name: Create AWX roles (inventory)
awx.awx.tower_role:
tower_host: "{{ ccce_awx_host }}"
tower_username: "{{ ccce_awx_admin_username }}"
tower_password: "{{ ccce_awx_admin_password }}"
validate_certs: "{{ ccce_awx_validate_certs }}"
user: "{{ ccce_awx_technical_user_username }}"
inventories:
- "{{ ccce_awx_inventory | default('default_inventory') }}"
role: "{{ item }}"
loop:
- adhoc
- read
- use
- name: Create AWX roles (project)
awx.awx.tower_role:
tower_host: "{{ ccce_awx_host }}"
tower_username: "{{ ccce_awx_admin_username }}"
tower_password: "{{ ccce_awx_admin_password }}"
validate_certs: "{{ ccce_awx_validate_certs }}"
user: "{{ ccce_awx_technical_user_username }}"
projects:
- "{{ ccce_awx_project_name }}"
role: "{{ item }}"
loop:
- read
- use
- name: Create container network
docker_network:
name: ccce
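Review bot: The `Create AWX roles (inventory)` task grants the technical user the `adhoc` role on `ccce_awx_inventory` (the production `csentry` inventory in the host vars of this commit), which permits ad-hoc command runs against every host in that inventory, while the only action the rest of this play sets up for that user is launching `ccce_awx_job_template_name`. Unless the deployment tool issues ad-hoc commands, keep the loop to `read` and `use` so the technical user's token covers job-template launches only. Separately, both notification templates build `url: "{{ inventory_hostname }}/api/v1/awx/jobs"` without a scheme; unless `inventory_hostname` already carries one, AWX will be unable to deliver the webhook, and `"{{ ccce_server_address }}/api/v1/awx/jobs"` (the variable already used for the OpenAPI server address) looks like the intended base if it includes the scheme. The play header of this playbook starts before the hunk.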
......
---
- src: git+https://gitlab.esss.lu.se/ics-ansible-galaxy/ics-ans-role-docker.git
version: v1.5.0
- src: git+https://gitlab.esss.lu.se/ics-ansible-galaxy/ics-ans-role-traefik.git
version: v1.0.1
- src: git+https://gitlab.esss.lu.se/ics-ansible-galaxy/ics-ans-role-certificate.git
version: v0.5.2
roles:
- src: git+https://gitlab.esss.lu.se/ics-ansible-galaxy/ics-ans-role-docker.git
version: v1.5.0
- src: git+https://gitlab.esss.lu.se/ics-ansible-galaxy/ics-ans-role-traefik.git
version: v1.0.1
- src: git+https://gitlab.esss.lu.se/ics-ansible-galaxy/ics-ans-role-certificate.git
version: v0.5.2
- src: git+https://gitlab.esss.lu.se/ics-ansible-galaxy/ics-ans-role-awx.git
version: v0.5.0
collections:
- name: awx.awx
version: 17.0.1