Merge branch 'icshwi_8516_create_awx_data' into 'master'

ICSHWI-8516: Create AWX data See merge request ics-ansible-galaxy/ics-ans-ccce!15

Merge branch 'icshwi_8516_create_awx_data' into 'master'
ICSHWI-8516: Create AWX data See merge request ics-ansible-galaxy/ics-ans-ccce!15
a013469f · Anders Harrisson · 8e44c6db · ae81fb59 · a013469f · a013469f
Commit a013469f authored Feb 08, 2022 by Anders Harrisson
--- a/.ansible-lint
+++ b/.ansible-lint
 exclude_paths:
  - molecule/default/create.yml
+  - molecule/default/prepare.yml
 skip_list:
  - '602'
  - '204'

--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@ __pycache__
 *.pyc
 playbook.retry
 .vault_pass
+.vscode
--- a/README.md
+++ b/README.md
@@ -2,6 +2,21 @@

 Ansible playbook to install CCCE.

+## Usage
+
+This playbook will set up a host in order to run the CCCE deployment tool. This will further set up the necessary
+infrastructure in the appropriate AWX instance that is needed for the deployment tool to run correctly. There is
+a small amount of setup work that needs to be in place first, however:
+* You must add a machine credential to the appropriate AWX instance to allow it to log into the hosts that you
+  would like it to deploy to
+* You must create a technical user on the AWX instance that is used by the deployment tool to trigger AWX jobs
+* You must create a token for the technical user to allow it access to the AWX instance
+* That token should be stored in `ccce_awx_token` (it should, of course, be vaulted.)
+
+Once this is done, you should be able to run this playbook on your desired host, and have a working CCCE
+deployment tool.
+
 ## License

 BSD 2-clause
+
--- a/group_vars/ccce.yml
+++ b/group_vars/ccce.yml
@@ -79,3 +79,24 @@ gitlab_allowed_group_id: 698

 ccce_openapi_server: "{{ ccce_server_address }}"
 ccce_openapi_dev_server: "{{ ccce_server_address }}"
+
+ccce_awx_suffix: ""
+ccce_ioc_deploy_playbook_branch: "1.0.0-rc3"
+ccce_default_nonvolatile_server: nonvolatile-tn-01.tn.esss.lu.se
+ccce_awx_job_template_name: ccce-deploy-ioc
+ccce_awx_notification_token: ccce
+ccce_awx_technical_user_username: ccce
+ccce_awx_validate_certs: true
+ccce_awx_project_scm_type: git
+ccce_awx_project_scm_update_on_launch: true
+ccce_awx_project_name: ics-ans-lab-ioc-deploy-master
+ccce_awx_project_scm_url: https://gitlab.esss.lu.se/ccce/dev/ics-ans-lab-ioc-deploy.git
+
+ccce_awx_admin_username: ccce-admin
+ccce_awx_admin_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          35333230356631323230396332316631643765643733396465396236343866383466356634353733
+          3834346132613039623761623761366535623263613336310a323565656432346133663739646164
+          63353034383538323531313030343032626162636237313664623835346434386165336566336438
+          3335383434323339630a326530643734303665393963336136376432363230626365353039363635
+          3531
--- a/host_vars/ccce-01.esss.lu.se.yaml
+++ b/host_vars/ccce-01.esss.lu.se.yaml
@@ -17,3 +17,5 @@ ccce_awx_token: !vault |
          65303833653430326537653839666463623861353533376564396131663761666462323838666535
          3538313537363532380a366663643530346631646233633039653366353932383732393563393637
          37396430333961353064323436366364363866616334386564613664393631663663
+ccce_awx_inventory: csentry
+ccce_awx_machine_credential: ioc-deploy-prod-key
--- a/host_vars/ccce-demo.cslab.esss.lu.se.yaml
+++ b/host_vars/ccce-demo.cslab.esss.lu.se.yaml
@@ -7,6 +7,21 @@ ccce_database_password: !vault |
          3935633639316364620a653731373630393761373264353538643664343263653035646535653036
          38313437313533396539383136383261646438663032613865383261663334653164
 ccce_awx_job_template_name: ccce-ioc-deployment-demo
+ccce_awx_host: https://awx-lab-01.cslab.esss.lu.se
 gitlab_allowed_group_id: 611
 ccce_rbac_server_address: https://rbac.esss.lu.se/service/
 ccce_web_environment_title: DEMO
+ccce_awx_suffix: -demo
+ccce_ioc_deploy_playbook_branch: master
+ccce_default_nonvolatile_server: nonvolatile-ccce-01.cslab.esss.lu.se
+ccce_awx_inventory: csentry-from-torn
+ccce_awx_machine_credential: ioc-deploy-test
+ccce_awx_validate_certs: false
+ccce_awx_admin_username: ccce-admin
+ccce_awx_admin_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          62646434633539663335663032376431326334623838376531303837393737363063396136333166
+          3732643636363165656464656564306238386435663736610a333831613765306535316632653332
+          39393738663963613738373933616235666632363035343035323363323531383033346562376635
+          6438343563393334660a323362333661313431393362376564363839303162373534633935363061
+          3137
--- a/host_vars/ccce-test.cslab.esss.lu.se.yaml
+++ b/host_vars/ccce-test.cslab.esss.lu.se.yaml
 ---
 ccce_awx_job_template_name: ccce-ioc-deployment-test
+ccce_awx_host: https://awx-lab-01.cslab.esss.lu.se
 gitlab_allowed_group_id: 611
-ccce_backend_container_image_tag: master
-ccce_frontend_container_image_tag: ICSHWI-8059_Confirm_for_start-stop
+ccce_backend_container_image_tag: develop
+ccce_frontend_container_image_tag: develop
 ccce_rbac_server_address: https://icsvs-app01.esss.lu.se/rbac/service/
 ccce_web_environment_title: TEST
+ccce_awx_suffix: -test
+ccce_ioc_deploy_playbook_branch: master
+ccce_default_nonvolatile_server: nonvolatile-ccce-01.cslab.esss.lu.se
+ccce_awx_inventory: csentry-from-torn
+ccce_awx_machine_credential: ioc-deploy-test
+ccce_awx_validate_certs: false
+ccce_awx_admin_username: ccce-admin
+ccce_awx_admin_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          62646434633539663335663032376431326334623838376531303837393737363063396136333166
+          3732643636363165656464656564306238386435663736610a333831613765306535316632653332
+          39393738663963613738373933616235666632363035343035323363323531383033346562376635
+          6438343563393334660a323362333661313431393362376564363839303162373534633935363061
+          3137
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -3,10 +3,12 @@ dependency:
  name: galaxy
  options:
    role-file: roles/requirements.yml
+    requirements-file: roles/requirements.yml
 lint: |
  set -e
  yamllint .
-  ansible-lint
+  # Workaround to find collections installed by Molecule
+  ANSIBLE_COLLECTIONS_PATHS=${MOLECULE_EPHEMERAL_DIRECTORY}/collections ansible-lint
  flake8
 provisioner:
  name: ansible
@@ -18,12 +20,27 @@ provisioner:
  inventory:
    host_vars:
      ccce-default:
+        ccce_awx_host: ccce-awx-default
+        ccce_awx_admin_username: admin
+        ccce_awx_admin_password: password
+        ccce_awx_validate_certs: false
        ccce_awx_token: 'awx-token'
        ccce_csentry_token: 'csentry-token'
        ccce_gitlab_client_app_id: 'gitlab-client-app-id'
        ccce_gitlab_client_app_secret: 'gitlab-client-app-secret'
        ccce_gitlab_technical_user_token: 'gitlab-technical-user-token'
        ccce_graylog_token: 'graylog-token'
+        ccce_awx_project_scm_type: manual
+        ccce_awx_project_local_path: project
+        ccce_awx_project_scm_update_on_launch: false
+      ccce-awx-default:
+        ccce_awx_host: ccce-awx-default
+        ccce_awx_admin_username: admin
+        ccce_awx_admin_password: password
+        ccce_awx_validate_certs: false
+        ccce_awx_technical_user_username: ccce
+        ccce_awx_technical_user_password: ccce
+
 verifier:
  name: testinfra
 driver:
@@ -35,7 +52,23 @@ platforms:
    box: centos/7
    memory: 2048
    cpus: 1
+    interfaces:
+      - network_name: private_network
+        type: dhcp
+        auto_config: true
    instance_raw_config_args:
      - "vbguest.auto_update = false"
    groups:
      - ccce
+  - name: ccce-awx-default
+    box: centos/7
+    memory: 2048
+    cpus: 1
+    interfaces:
+      - network_name: private_network
+        type: dhcp
+        auto_config: true
+    instance_raw_config_args:
+      - "vbguest.auto_update = false"
+    groups:
+      - awx
--- a/molecule/default/prepare.yml
+++ b/molecule/default/prepare.yml
 ---
 - name: Prepare
  hosts: all
-  gather_facts: false
+  become: true
+  gather_facts: true
  tasks:
    - name: Install python for Ansible
      raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal)
      become: true
      changed_when: false
+
+    - name: Update /etc/hosts
+      lineinfile:
+        dest: /etc/hosts
+        regexp: '.*\b{{ item }}$'
+        line: '{{ hostvars[item]["ansible_eth1"]["ipv4"]["address"] }} {{ item }}'
+        mode: 0644
+      loop: "{{ ansible_play_hosts }}"
+
+- name: Prepare AWX test instance
+  hosts: awx
+  become: true
+  gather_facts: true
+  roles:
+    - ics-ans-role-awx
+  tasks:
+    - name: Add playbook project for Molecule
+      command: "docker exec awx_web bash -c 'mkdir -p /var/lib/awx/projects/project && echo -e \"---\n- hosts: all\n  tasks: []\" > /var/lib/awx/projects/project/playbook.yml'"
+
+    - name: Create AWX technical user
+      awx.awx.tower_user:
+        tower_host: "{{ ccce_awx_host }}"
+        tower_username: "{{ ccce_awx_admin_username }}"
+        tower_password: "{{ ccce_awx_admin_password }}"
+        validate_certs: "{{ ccce_awx_validate_certs }}"
+        username: "{{ ccce_awx_technical_user_username }}"
+        password: "{{ ccce_awx_technical_user_password }}"
+        update_secrets: false
+        state: present
--- a/playbook.yml
+++ b/playbook.yml
@@ -3,7 +3,125 @@
  become: true
  roles:
    - ics-ans-role-traefik
+  collections:
+    - awx.awx
  tasks:
+    - name: Create deployment notification template
+      awx.awx.tower_notification_template:
+        name: ccce-ioc-deployment-notifications{{ ccce_awx_suffix }}
+        tower_host: "{{ ccce_awx_host }}"
+        tower_username: "{{ ccce_awx_admin_username }}"
+        tower_password: "{{ ccce_awx_admin_password }}"
+        validate_certs: "{{ ccce_awx_validate_certs }}"
+        organization: "{{ ccce_organization | default('Default') }}"
+        notification_type: webhook
+        notification_configuration:
+          url: "{{ inventory_hostname }}/api/v1/awx/jobs"
+          headers:
+            CCCE-TOKEN: "{{ ccce_awx_notification_token }}"
+
+    - name: Create command notification template
+      awx.awx.tower_notification_template:
+        name: ccce-ioc-command-notifications{{ ccce_awx_suffix }}
+        tower_host: "{{ ccce_awx_host }}"
+        tower_username: "{{ ccce_awx_admin_username }}"
+        tower_password: "{{ ccce_awx_admin_password }}"
+        validate_certs: "{{ ccce_awx_validate_certs }}"
+        organization: "{{ ccce_organization | default('Default') }}"
+        notification_type: webhook
+        notification_configuration:
+          url: "{{ inventory_hostname }}/api/v1/awx/commands"
+          headers:
+            CCCE-TOKEN: "{{ ccce_awx_notification_token }}"
+
+    - name: Create AWX Project
+      awx.awx.tower_project:
+        name: "{{ ccce_awx_project_name }}"
+        tower_host: "{{ ccce_awx_host }}"
+        tower_username: "{{ ccce_awx_admin_username }}"
+        tower_password: "{{ ccce_awx_admin_password }}"
+        validate_certs: "{{ ccce_awx_validate_certs }}"
+        organization: "{{ ccce_organization | default('Default') }}"
+        scm_type: "{{ ccce_awx_project_scm_type | default(omit) }}"
+        scm_url: "{{ ccce_awx_project_scm_url | default(omit) }}"
+        scm_branch: "{{ ccce_ioc_deploy_playbook_branch | default(omit) }}"
+        scm_update_on_launch: "{{ ccce_awx_project_scm_update_on_launch | default(omit) }}"
+        local_path: "{{ ccce_awx_project_local_path | default(omit) }}"
+
+    - name: Create AWX inventory
+      awx.awx.tower_inventory:
+        name: default_inventory
+        tower_host: "{{ ccce_awx_host }}"
+        tower_username: "{{ ccce_awx_admin_username }}"
+        tower_password: "{{ ccce_awx_admin_password }}"
+        validate_certs: "{{ ccce_awx_validate_certs }}"
+        organization: "{{ ccce_organization | default('Default') }}"
+      when: ccce_awx_inventory is undefined
+
+    - name: Create AWX Job template
+      awx.awx.tower_job_template:
+        name: "{{ ccce_awx_job_template_name }}"
+        tower_host: "{{ ccce_awx_host }}"
+        tower_username: "{{ ccce_awx_admin_username }}"
+        tower_password: "{{ ccce_awx_admin_password }}"
+        validate_certs: "{{ ccce_awx_validate_certs }}"
+        description: "Deploy IOCs from CCCE"
+        organization: "{{ ccce_organization | default('Default') }}"
+        job_type: run
+        inventory: "{{ ccce_awx_inventory | default ('default_inventory') }}"
+        project: "{{ ccce_awx_project_name }}"
+        playbook: playbook.yml
+        credentials: "{{ ccce_awx_machine_credential | default(omit) }}"
+        extra_vars:
+          ioc_nonvolatile_server: "{{ ccce_default_nonvolatile_server }}"
+        use_fact_cache: true
+        notification_templates_error: ["ccce-ioc-deployment-notifications{{ ccce_awx_suffix }}"]
+        notification_templates_started: ["ccce-ioc-deployment-notifications{{ ccce_awx_suffix }}"]
+        notification_templates_success: ["ccce-ioc-deployment-notifications{{ ccce_awx_suffix }}"]
+
+    - name: Create AWX roles (job template)
+      awx.awx.tower_role:
+        tower_host: "{{ ccce_awx_host }}"
+        tower_username: "{{ ccce_awx_admin_username }}"
+        tower_password: "{{ ccce_awx_admin_password }}"
+        validate_certs: "{{ ccce_awx_validate_certs }}"
+        user: "{{ ccce_awx_technical_user_username }}"
+        job_templates:
+          - "{{ ccce_awx_job_template_name }}"
+        role: "{{ item }}"
+      loop:
+        - read
+        - execute
+
+    - name: Create AWX roles (inventory)
+      awx.awx.tower_role:
+        tower_host: "{{ ccce_awx_host }}"
+        tower_username: "{{ ccce_awx_admin_username }}"
+        tower_password: "{{ ccce_awx_admin_password }}"
+        validate_certs: "{{ ccce_awx_validate_certs }}"
+        user: "{{ ccce_awx_technical_user_username }}"
+        inventories:
+          - "{{ ccce_awx_inventory | default('default_inventory') }}"
+        role: "{{ item }}"
+      loop:
+        - adhoc
+        - read
+        - use
+
+    - name: Create AWX roles (project)
+      awx.awx.tower_role:
+        tower_host: "{{ ccce_awx_host }}"
+        tower_username: "{{ ccce_awx_admin_username }}"
+        tower_password: "{{ ccce_awx_admin_password }}"
+        validate_certs: "{{ ccce_awx_validate_certs }}"
+        user: "{{ ccce_awx_technical_user_username }}"
+        projects:
+          - "{{ ccce_awx_project_name }}"
+        role: "{{ item }}"
+      loop:
+        - read
+        - use
+
    - name: Create container network
      docker_network:
        name: ccce

--- a/roles/requirements.yml
+++ b/roles/requirements.yml
 ---
- src: git+https://gitlab.esss.lu.se/ics-ansible-galaxy/ics-ans-role-docker.git
-  version: v1.5.0
- src: git+https://gitlab.esss.lu.se/ics-ansible-galaxy/ics-ans-role-traefik.git
-  version: v1.0.1
- src: git+https://gitlab.esss.lu.se/ics-ansible-galaxy/ics-ans-role-certificate.git
-  version: v0.5.2
+roles:
+  - src: git+https://gitlab.esss.lu.se/ics-ansible-galaxy/ics-ans-role-docker.git
+    version: v1.5.0
+  - src: git+https://gitlab.esss.lu.se/ics-ansible-galaxy/ics-ans-role-traefik.git
+    version: v1.0.1
+  - src: git+https://gitlab.esss.lu.se/ics-ansible-galaxy/ics-ans-role-certificate.git
+    version: v0.5.2
+  - src: git+https://gitlab.esss.lu.se/ics-ansible-galaxy/ics-ans-role-awx.git
+    version: v0.5.0
+
+collections:
+  - name: awx.awx
+    version: 17.0.1