diff --git a/.ansible-lint b/.ansible-lint new file mode 100644 index 0000000..9ea6d9b --- /dev/null +++ b/.ansible-lint @@ -0,0 +1,7 @@ +exclude_paths: + - .*/ +parseable: true +quiet: true +use_default_rules: true +verbosity: 1 +skip_list: diff --git a/.gitignore b/.gitignore index 39debfa..d96d0fd 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,6 @@ # ignore all retries files *.retry +.idea/* # ignore components symlink roles/cpm diff --git a/.yamllint b/.yamllint index 97ccb57..2b0e4cc 100644 --- a/.yamllint +++ b/.yamllint @@ -1,6 +1,7 @@ --- ignore: | .*/ + tests/playbooks rules: braces: @@ -54,4 +55,4 @@ rules: new-lines: type: unix trailing-spaces: enable - truthy: disable \ No newline at end of file + truthy: disable diff --git a/Jenkinsfile b/Jenkinsfile new file mode 100644 index 0000000..7c3bfe3 --- /dev/null +++ b/Jenkinsfile 
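Review bot: `skip_list:` at the end of the new .ansible-lint is a bare key, which YAML loads as null rather than an empty list; write `skip_list: []` so the option is an explicit empty sequence and does not depend on how ansible-lint treats a null. The file is also not exercised by this commit: the new Jenkinsfile has yamllint, galaxy-install and playbook stages but no ansible-lint stage, while the deleted tests/Jenkinsfile was the one that ran `ansible-lint pas-orchestrator.yml`, so the linting this file configures silently stops running. Either restore an `ansible-lint` step next to the yamllint stage or say in the commit message that the lint was dropped on purpose.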
@@ -0,0 +1,179 @@ +pipeline { + agent { + node { + label 'ansible' + } + } + environment { + AWS_REGION = sh(script: 'curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | python -c "import json,sys;obj=json.load(sys.stdin);print obj[\'region\']"', returnStdout: true).trim() + // shortCommit = sh(script: "git log -n 1 --pretty=format:'%h'", returnStdout: true).trim() + CYBERARK_VERSION = "v11.1" + ENV_TIMESTAMP = sh(script: "date +%s", returnStdout: true).trim() + } + stages { + stage('Install virtual environment') { + steps { + sh ''' + python -m pip install --user virtualenv + python -m virtualenv --no-site-packages .testenv + source .testenv/bin/activate + pip install -r requirements.txt + pip install -r tests/requirements.txt + ''' + } + } + stage('yamllint validation') { + steps { + sh ''' + source .testenv/bin/activate + yamllint . + ''' + } + } + stage('Install ansible roles') { + steps { + sh ''' + source .testenv/bin/activate + ansible-galaxy install -r requirements.yml + ''' + } + } + stage('Download packages') { + steps { + withCredentials([ + string(credentialsId: 'default_packages_bucket', variable: 'default_packages_bucket') + ]) { + dir ('/tmp/packages') { + s3Download(file:'/tmp/packages/psm.zip', bucket:"$default_packages_bucket", path:"Packages/${env.CYBERARK_VERSION}/Privileged Session Manager-Rls-${env.CYBERARK_VERSION}.zip", pathStyleAccessEnabled: true, force:true) + s3Download(file:'/tmp/packages/cpm.zip', bucket:"$default_packages_bucket", path:"Packages/${env.CYBERARK_VERSION}/Central Policy Manager-Rls-${env.CYBERARK_VERSION}.zip", pathStyleAccessEnabled: true, force:true) + s3Download(file:'/tmp/packages/pvwa.zip', bucket:"$default_packages_bucket", path:"Packages/${env.CYBERARK_VERSION}/Password Vault Web Access-Rls-${env.CYBERARK_VERSION}.zip", pathStyleAccessEnabled: true, force:true) + } + } + } + } + stage('Deploy Vaults') { + parallel { + stage('Deploy Vault for in-domain environment') { + steps { + 
withCredentials([ + usernamePassword(credentialsId: 'default_vault_credentials', passwordVariable: 'ansible_password', usernameVariable: 'ansible_user'), + string(credentialsId: 'default_keypair', variable: 'default_keypair'), + string(credentialsId: 'default_s3_bucket', variable: 'default_s3_bucket') + ]) { + sh ''' + source .testenv/bin/activate + ansible-playbook tests/playbooks/deploy_vault.yml -v -e "keypair=$default_keypair bucket=$default_s3_bucket ansible_user=$ansible_user ansible_password=$ansible_password domain=yes env_timestamp=$ENV_TIMESTAMP" + ''' + } + } + } + stage('Deploy Vault for out-of-domain environment') { + steps { + sleep 10 + withCredentials([ + usernamePassword(credentialsId: 'default_vault_credentials', passwordVariable: 'ansible_password', usernameVariable: 'ansible_user'), + string(credentialsId: 'default_keypair', variable: 'default_keypair'), + string(credentialsId: 'default_s3_bucket', variable: 'default_s3_bucket') + ]) { + sh ''' + source .testenv/bin/activate + ansible-playbook tests/playbooks/deploy_vault.yml -v -e "keypair=$default_keypair bucket=$default_s3_bucket ansible_user=$ansible_user ansible_password=$ansible_password domain=no env_timestamp=$ENV_TIMESTAMP" + ''' + } + } + } + } + } + stage('Provision testing environments') { + parallel { + stage('Provision in-domain testing environment') { + steps { + withCredentials([ + usernamePassword(credentialsId: 'default_vault_credentials', passwordVariable: 'ansible_password', usernameVariable: 'ansible_user'), + string(credentialsId: 'default_keypair', variable: 'default_keypair') + ]) { + sh ''' + source .testenv/bin/activate + ansible-playbook tests/playbooks/pas-infrastructure/ec2-infrastructure.yml -e "aws_region=$AWS_REGION keypair=$default_keypair ec2_instance_type=m4.large public_ip=no pas_count=1 indomain=yes ansible_user=$ansible_user ansible_password=$ansible_password env_timestamp=$ENV_TIMESTAMP" + ''' + } + } + } + stage('Provision out-of-domain testing 
environment') { + steps { + sleep 10 + withCredentials([ + usernamePassword(credentialsId: 'default_vault_credentials', passwordVariable: 'ansible_password', usernameVariable: 'ansible_user'), + string(credentialsId: 'default_keypair', variable: 'default_keypair') + ]) { + sh ''' + source .testenv/bin/activate + ansible-playbook tests/playbooks/pas-infrastructure/ec2-infrastructure.yml -e "aws_region=$AWS_REGION keypair=$default_keypair ec2_instance_type=m4.large public_ip=no pas_count=1 indomain=no ansible_user=$ansible_user ansible_password=$ansible_password env_timestamp=$ENV_TIMESTAMP" + ''' + } + } + } + } + } + stage('Run pas-orchestrator') { + parallel { + stage('Run pas-orchestrator in-domain') { + steps { + withCredentials([usernamePassword(credentialsId: 'default_vault_credentials', passwordVariable: 'ansible_password', usernameVariable: 'ansible_user')]) { + sh ''' + source .testenv/bin/activate + VAULT_IP=$(cat /tmp/vault_ip_domain_yes.txt) + cp -r tests/playbooks/pas-infrastructure/outputs/hosts_domain_yes.yml inventories/staging/hosts_domain_yes.yml + ansible-playbook pas-orchestrator.yml -i inventories/staging/hosts_domain_yes.yml -v -e "accept_eula=yes vault_ip=$VAULT_IP vault_password=$ansible_password cpm_zip_file_path=/tmp/packages/cpm.zip psm_zip_file_path=/tmp/packages/psm.zip pvwa_zip_file_path=/tmp/packages/pvwa.zip connect_with_rdp=yes ansible_user='cyberark.com\\\\$ansible_user' ansible_password=$ansible_password" + ''' + } + } + } + stage('Run pas-orchestrator out-of-domain') { + steps { + withCredentials([usernamePassword(credentialsId: 'default_vault_credentials', passwordVariable: 'ansible_password', usernameVariable: 'ansible_user')]) { + sh ''' + source .testenv/bin/activate + VAULT_IP=$(cat /tmp/vault_ip_domain_no.txt) + cp -r tests/playbooks/pas-infrastructure/outputs/hosts_domain_no.yml inventories/staging/hosts_domain_no.yml + ansible-playbook pas-orchestrator.yml -i inventories/staging/hosts_domain_no.yml -v -e "accept_eula=yes 
vault_ip=$VAULT_IP vault_password=$ansible_password {psm_out_of_domain:true} cpm_zip_file_path=/tmp/packages/cpm.zip psm_zip_file_path=/tmp/packages/psm.zip pvwa_zip_file_path=/tmp/packages/pvwa.zip connect_with_rdp=yes ansible_user='$ansible_user' ansible_password=$ansible_password" + ''' + } + } + } + } + } + } + post('Archiving artifacts and Cleanup') { + always { + archiveArtifacts artifacts: 'logs/**/*.log', fingerprint: true + archiveArtifacts artifacts: 'logs/ansible.log', fingerprint: true + } + cleanup { + sh ''' + source .testenv/bin/activate + + # Terminate EC2 instances + instance_ids=$(aws ec2 describe-instances --region $AWS_REGION --query 'Reservations[].Instances[].InstanceId' --filters "Name=tag:Timestamp,Values=$ENV_TIMESTAMP" --output text) + aws ec2 terminate-instances --region $AWS_REGION --instance-ids $instance_ids + aws ec2 wait instance-terminated --region $AWS_REGION --instance-ids $instance_ids + + instance_ids=$(aws ec2 describe-instances --region $AWS_REGION --query 'Reservations[].Instances[].InstanceId' --filters "Name=tag:aws:cloudformation:stack-name,Values=$(cat /tmp/cf_vault_domain_yes.txt)" --output text) + aws ec2 terminate-instances --region $AWS_REGION --instance-ids $instance_ids + aws ec2 wait instance-terminated --region $AWS_REGION --instance-ids $instance_ids + + instance_ids=$(aws ec2 describe-instances --region $AWS_REGION --query 'Reservations[].Instances[].InstanceId' --filters "Name=tag:aws:cloudformation:stack-name,Values=$(cat /tmp/cf_vault_domain_no.txt)" --output text) + aws ec2 terminate-instances --region $AWS_REGION --instance-ids $instance_ids + aws ec2 wait instance-terminated --region $AWS_REGION --instance-ids $instance_ids + + # Delete security groups + sleep 60 + aws ec2 describe-security-groups --region $AWS_REGION --query 'SecurityGroups[*].{ID:GroupId}' --filters "Name=tag:Timestamp,Values=$ENV_TIMESTAMP" --output text | awk '{print $1}' | while read line; do aws ec2 delete-security-group --region 
$AWS_REGION --group-id $line; done + + # Delete Vault Cloudformations + aws cloudformation delete-stack --region $AWS_REGION --stack-name $(cat /tmp/cf_vault_domain_yes.txt) + aws cloudformation delete-stack --region $AWS_REGION --stack-name $(cat /tmp/cf_vault_domain_no.txt) + ''' + } + } +} diff --git a/README.md b/README.md index 810af9a..da0d29c 100644 --- a/README.md +++ b/README.md 
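Review bot: Every `ansible-playbook` call in the Deploy Vault, Provision and Run pas-orchestrator stages passes `ansible_password=$ansible_password` (and `vault_password=$ansible_password`) as a `-e` command-line argument, so the secret is readable by any other process on the agent through the process list for the whole run, and anything that reaches `logs/ansible.log` is archived unmasked, since Jenkins credential masking only covers the console. Prefer writing the extra vars to a mode-0600 temporary file and passing `-e @"$vars_file"`, or reading them inside the playbooks with `lookup('env', ...)`. The `cleanup` block runs under the `sh` step's default `-e` and calls `terminate-instances` with `$instance_ids` unguarded, so if an earlier stage failed before `/tmp/cf_vault_domain_*.txt` existed, or a filter matches nothing, the first failing command aborts the script and the remaining instances, security groups and stacks are never deleted; each lookup should be checked for emptiness and the stack deletions made independent of the instance steps, as sketched below.
```groovy
cleanup {
    sh '''
        source .testenv/bin/activate

        # Terminate the instances matching an EC2 filter; skip cleanly when nothing matches
        terminate_by_filter() {
            ids=$(aws ec2 describe-instances --region "$AWS_REGION" --query 'Reservations[].Instances[].InstanceId' --filters "$1" --output text)
            if [ -n "$ids" ]; then
                aws ec2 terminate-instances --region "$AWS_REGION" --instance-ids $ids
                aws ec2 wait instance-terminated --region "$AWS_REGION" --instance-ids $ids
            fi
        }

        terminate_by_filter "Name=tag:Timestamp,Values=$ENV_TIMESTAMP"
        for stack_file in /tmp/cf_vault_domain_yes.txt /tmp/cf_vault_domain_no.txt; do
            [ -s "$stack_file" ] || continue
            terminate_by_filter "Name=tag:aws:cloudformation:stack-name,Values=$(cat "$stack_file")"
        done

        # … unchanged: security-group deletion loop …

        # Delete Vault CloudFormation stacks, tolerating a stack that was never created
        for stack_file in /tmp/cf_vault_domain_yes.txt /tmp/cf_vault_domain_no.txt; do
            [ -s "$stack_file" ] || continue
            aws cloudformation delete-stack --region "$AWS_REGION" --stack-name "$(cat "$stack_file")"
        done
    '''
}
```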
@@ -1,14 +1,14 @@ - # PAS-Orchestrator +# PAS-Orchestrator - In today’s modern infrastructure, organizations are moving towards hybrid environments, which consist of multiple public clouds, private clouds and on-premises platforms. +In today’s modern infrastructure, organizations are moving towards hybrid environments, which consist of multiple public clouds, private clouds and on-premises platforms. CyberArk has created a tailored installation and deployment method for each platform to enable easy implementation. For example, CloudFormation templates enable easy deployment on AWS, while Azure Resource Manager (ARM) templates enable easy deployment on Azure. However, it is difficult to combine the different methods to orchestrate and automate a hybrid deployment. - PAS Orchestrator is a set of Ansible roles which provides a holistic solution to deploying CyberArk Core PAS components simultaneously in multiple environments, regardless of the environment’s location. +PAS Orchestrator is a set of Ansible roles which provides a holistic solution to deploying CyberArk Core PAS components simultaneously in multiple environments, regardless of the environment’s location. - The Ansible roles are responsible for the entire deployment process, and can be integrated with the organization’s CI/CD pipeline. +The Ansible roles are responsible for the entire deployment process, and can be integrated with the organization’s CI/CD pipeline. - Each PAS component’s Ansible role is responsible for the component end-2-end deployment, which includes the following stages for each component: +Each PAS component’s Ansible role is responsible for the component end-2-end deployment, which includes the following stages for each component: - Copy the installation package to the target server - Installing prerequisites - Silent installation of the component 
@@ -20,41 +20,38 @@ Ansible Roles for PVWA, CPM and PSM can be found in the following links: - CPM: [https://github.com/cyberark/cpm](https://github.com/cyberark/cpm) - PVWA: [https://github.com/cyberark/pvwa](https://github.com/cyberark/pvwa) -The PAS Orchestrator role is an example of how to use the component roles -demonstrating paralel installation on multiple remote servers +The PAS Orchestrator role is an example of how to use the component roles +demonstrating paralel installation on multiple remote servers - ## Requirements ------------- +## Requirements - IP addresses / hosts to execute the playbook against with Windows 2016 installed on the remote hosts -- WinRM open on port 5986 (**not 5985**) on the remote host +- WinRM open on port 5986 (**not 5985**) on the remote host - Pywinrm is installed on the workstation running the playbook - The workstation running the playbook must have network connectivity to the remote host - The remote host must have Network connectivity to the CyberArk vault and the repository server - 443 port outbound - 443 port outbound (for PVWA only) - - 1858 port outbound -- Administrator access to the remote host -- CyberArk components CD image on the workstation running the playbook - - ## Environment setup ------------- -- Get the PAS Orchestrator Role - ``` - git clone https://github.com/cyberark/pas-orchestrator.git - ``` -- Install Ansible - ``` - pip install ansible pywinrm pywinrm[credssp] requests-credssp --user + - 1858 port outbound +- Administrator access to the remote host +- CyberArk components CD image on the workstation running the playbook + +## Environment setup + +- Get the PAS Orchestrator Playbook ``` -- Get the components roles - ``` + git clone https://github.com/cyberark/pas-orchestrator.git cd pas-orchestrator + ``` +- Install Python requirements + ``` + pip install -r requirements.txt + ``` +- Get the components roles + ``` ansible-galaxy install --roles-path ./roles --role-file requirements.yml ``` -- 
Update the inventories hosts file with the remote hosts IPs - - +- Update the inventories hosts file with the remote hosts IPs ## Role Variables @@ -74,7 +71,6 @@ These are the variables used in this playbook | pvwa_zip_file_path | yes | None | Path to zipped PVWA image | | psm_zip_file_path | yes | None | Path to zipped PSM image | - Variables related to the components can be found on the Components README ## Usage 
@@ -134,32 +130,29 @@ Prior to running pas-orchestrator hosts file should be "updated" [https://github cpm psm - ## Running the playbook: To run the above playbook, execute the following command example : ansible-playbook -i ./inventories/production pas-orchestrator.yml -e "vault_ip=VAULT_IP ansible_user=DOMAIN\USER cpm_zip_file_path=/tmp/pas_packages/cpm.zip pvwa_zip_file_path=/tmp/pas_packages/pvwa.zip psm_zip_file_path=/tmp/pas_packages/psm.zip connect_with_rdp=Yes accept_eula=Yes" - - + Command example for out of Domain , no hardening deployment in drive D: ansible-playbook -i ./inventories/production pas-orchestrator.yml -e "vault_ip=VAULT_IP ansible_user=DOMAIN\USER cpm_zip_file_path=/tmp/pas_packages/cpm.zip pvwa_zip_file_path=/tmp/pas_packages/pvwa.zip psm_zip_file_path=/tmp/pas_packages/psm.zip {psm_out_of_domain:true} connect_with_rdp=Yes accept_eula=Yes psm_installation_drive=D: cpm_installation_drive=D: pvwa_installation_drive=D: {psm_hardening:false} {cpm_hardening:false} {pvwa_hardening:false}" - - ** *Vault and remote host passwords are entered via Prompt* + ** *Vault and remote host passwords are entered via Prompt* ## Troubleshooting - In case of a failure, a Log folder with be created on the Ansible workstation with the relevant logs copied from the remote host machine. - The logs are available under - pas-orchestrator/tasks/logs +In case of a failure, a Log folder with be created on the Ansible workstation with the relevant logs copied from the remote host machine. +The logs are available under - pas-orchestrator/tasks/logs ## Idempotence - Every stage in the roles contains validation and can be run multiple times without error. +Every stage in the roles contains validation and can be run multiple times without error. 
-## Limitations -- Only single component per server is supported -- There is a check sum verification to the CD image zip file , it must be the original cyberArk release +## Limitations +- Only single component per server is supported +- There is a check sum verification to the CD image zip file , it must be the original CyberArk release ## License diff --git a/ansible.cfg b/ansible.cfg index b64c62f..ae56408 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,9 +1,9 @@ [defaults] # Default path to roles directory -roles_path = ./roles +roles_path = ./roles # Adds timestamp to each task and add a recap on the end of the playbook callback_whitelist = profile_tasks -log_path=tasks/logs/ansible.log +log_path = ./logs/ansible.log ; host_key_checking = False \ No newline at end of file diff --git a/roles/README.md b/logs/ansible.log similarity index 100% rename from roles/README.md rename to logs/ansible.log diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..54ba3be --- /dev/null +++ b/requirements.txt @@ -0,0 +1,30 @@ +ansible==2.8.6 +boto==2.49.0 +boto3==1.10.5 +botocore==1.13.5 +certifi==2019.9.11 +cffi==1.13.1 +chardet==3.0.4 +cryptography==2.8 +docutils==0.15.2 +enum34==1.1.6 +futures==3.3.0 +idna==2.8 +ipaddress==1.0.23 +Jinja2==2.10.3 +jmespath==0.9.4 +MarkupSafe==1.1.1 +ntlm-auth==1.4.0 +pyasn1==0.4.7 +pycparser==2.19 +pyOpenSSL==19.0.0 +python-dateutil==2.8.0 +pywinrm==0.3.0 +PyYAML==5.1.2 +requests==2.22.0 +requests-credssp==1.1.0 +requests-ntlm==1.1.0 +s3transfer==0.2.1 +six==1.12.0 +urllib3==1.25.6 +xmltodict==0.12.0 \ No newline at end of file diff --git a/requirements.yml b/requirements.yml index e88cc8d..0f11f2e 100644 --- a/requirements.yml +++ b/requirements.yml 
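Review bot: `log_path = ./logs/ansible.log` now points at a file this same commit puts under version control (the rename of roles/README.md to logs/ansible.log), so every playbook run rewrites a tracked file and the full task output — including whatever `-v` prints about hosts and credentials — shows up as a pending change that is easy to commit by accident. Add `logs/` to .gitignore and keep the directory with an empty `logs/.gitkeep` instead of a tracked log file. The `roles_path` change looks whitespace-only; if it adds a trailing space, drop it rather than commit it.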
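Review bot: The pin set includes `enum34`, `futures` and `ipaddress`, which are Python 2 backports, and the Jenkinsfile's AWS_REGION lookup uses a Python 2 `print` statement, so the pipeline is tied to a Python 2 interpreter without saying so anywhere. A header comment such as `# Runtime: Python 2.7 on the 'ansible' Jenkins agent — pins are exact; regenerate with pip freeze when bumping ansible` would record the target interpreter for whoever next bumps `ansible==2.8.6`. Exact pins without `--hash` entries also do not protect the agent from a re-published release, so consider `pip-compile --generate-hashes` or an equivalent if the build host can tolerate it.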
@@ -3,14 +3,14 @@ # pvwa git repo - src: https://github.com/cyberark/pvwa.git scm: git - version: v10.7 + version: v11.1 # cpm git repo - src: https://github.com/cyberark/cpm.git scm: git - version: v10.7 + version: v11.1 # psm git repo - src: https://github.com/cyberark/psm.git scm: git - version: v10.7 + version: v11.1 diff --git a/tasks/cpm.yml b/tasks/cpm.yml index bfb2db4..c4ec44d 100644 --- a/tasks/cpm.yml +++ b/tasks/cpm.yml @@ -9,3 +9,4 @@ - cpm_postinstall: true - cpm_hardening: true - cpm_registration: false + - cpm_official: false diff --git a/tasks/main.yml b/tasks/main.yml index 0eff256..aca4931 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -71,6 +71,4 @@ - include_tasks: register_cpm.yml when: "'cpm' in group_names" - include_tasks: register_psm.yml - vars: - pvwa_ip: "{{ groups['pvwa'][0] }}" when: "'psm' in group_names" diff --git a/tasks/psm.yml b/tasks/psm.yml index 19e5c54..47815fc 100644 --- a/tasks/psm.yml +++ b/tasks/psm.yml @@ -9,3 +9,4 @@ - psm_postinstall: true - psm_hardening: true - psm_registration: false + - psm_official: false diff --git a/tasks/pvwa.yml b/tasks/pvwa.yml index 656f1eb..a33fb04 100644 --- a/tasks/pvwa.yml +++ b/tasks/pvwa.yml @@ -1,11 +1,28 @@ --- -- include_role: - name: pvwa - vars: - - pvwa_extract: true - - pvwa_prerequisites: true - - pvwa_install: true - - pvwa_postinstall: true - - pvwa_hardening: true - - pvwa_registration: false +- name: PVWA Role Block + block: + + - include_role: + name: pvwa + vars: + - pvwa_extract: true + - pvwa_prerequisites: true + - pvwa_install: true + - pvwa_postinstall: true + - pvwa_hardening: true + - pvwa_registration: false + - pvwa_official: true + + rescue: + + - include_role: + name: pvwa + vars: + - pvwa_extract: true + - pvwa_prerequisites: true + - pvwa_install: true + - pvwa_postinstall: true + - pvwa_hardening: true + - pvwa_registration: false + - pvwa_official: true diff --git a/tests/Jenkinsfile b/tests/Jenkinsfile deleted file mode 100644 index df956fb..0000000 
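Review bot: Removing the `pvwa_ip: "{{ groups['pvwa'][0] }}"` var from the `register_psm.yml` include in tasks/main.yml only works if register_psm.yml no longer references `pvwa_ip`; that file is not in the diff, so if it still does, PSM registration fails with an undefined variable on in-domain runs. If the role now derives the PVWA address itself, a one-line comment above the include such as `# pvwa_ip is resolved inside register_psm.yml` would spare the next reader the same check.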
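Review bot: The `rescue:` branch in tasks/pvwa.yml repeats the same `include_role: pvwa` with identical vars, so a deterministic installation failure simply runs twice, a transient one is retried exactly once, and the error that triggered the rescue is only reachable via `ansible_failed_result` inside the rescue — nothing in the file says which of these is intended. `pvwa_official: true` here also differs from `cpm_official: false` and `psm_official: false` added to tasks/cpm.yml and tasks/psm.yml in this commit, which looks unintended. If the retry is deliberate, document it above `rescue:` with a comment along the lines of `# retry the PVWA role once; first-run failures are expected to be transient — TODO confirm cause`, and surface the original error with a `debug` of `ansible_failed_result` before the second include.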
--- a/tests/Jenkinsfile +++ /dev/null @@ -1,33 +0,0 @@ -pipeline { - agent { - node { - label 'ansible' - } - } - stages { - stage('Install virtual environment') { - steps { - script { - sh(script: 'python -m pip install --user virtualenv') - sh(script: 'python -m virtualenv --no-site-packages .testenv') - sh(script: 'source ./.testenv/bin/activate') - sh(script: '.testenv/bin/pip install -r tests/requirements.txt --no-cache-dir') - } - } - } - stage('ansible-lint validation') { - steps { - script { - sh(script: ".testenv/bin/ansible-lint pas-orchestrator.yml", returnStdout: true) - } - } - } - stage('yamllint validation') { - steps { - script { - sh(script: ".testenv/bin/yamllint .", returnStdout: true) - } - } - } - } -} diff --git a/tests/playbooks/deploy_vault.yml b/tests/playbooks/deploy_vault.yml new file mode 100644 index 0000000..2f23704 --- /dev/null +++ b/tests/playbooks/deploy_vault.yml 
@@ -0,0 +1,81 @@ +--- + +- hosts: localhost + gather_facts: no + tasks: + + - name: Get current region + shell: | + echo $AWS_REGION + register: my_region + + - name: Get current vpc id + shell: | + INTERFACE=$(curl --silent http://169.254.169.254/latest/meta-data/network/interfaces/macs/) + VPC_ID=$(curl --silent http://169.254.169.254/latest/meta-data/network/interfaces/macs/${INTERFACE}/vpc-id) + echo $VPC_ID + register: my_vpc + + - name: Get current subnet id + shell: | + INTERFACE=$(curl --silent http://169.254.169.254/latest/meta-data/network/interfaces/macs/) + SUBNET_ID=$(curl --silent http://169.254.169.254/latest/meta-data/network/interfaces/macs/${INTERFACE}/subnet-id) + echo $SUBNET_ID + register: my_subnet + + - name: Create security group for Vault + ec2_group: + name: "PAS-Orchestrator-Vault-{{ env_timestamp }}" + description: Security Group for PAS Orchestrator Vault + vpc_id: "{{ my_vpc.stdout }}" + rules: + - proto: tcp + ports: + - 1858 + cidr_ip: 0.0.0.0/0 + rule_desc: Allow all traffic on port 1858 + tags: + Timestamp: "{{ env_timestamp }}" + register: my_sg + + - name: Deploy Vault + include_role: + name: cf_deploy + vars: + - deploy_bucket: cloud-initiatives-pipeline-bucket + - cf_template_url: https://raw.githubusercontent.com/cyberark/pas-on-cloud/master/aws/Vault-Single-Deployment.json + - cf_template_parameters: + EULA: Accept + KeyName: "{{ keypair }}" + VaultFilesBucket: "{{ bucket }}" + LicenseFile: license.xml + RecoveryPublicKey: recpub.key + VaultAdminPassword: "{{ ansible_password }}" + RetypeAdminPassword: "{{ ansible_password }}" + VaultMasterPassword: "{{ ansible_password }}" + RetypeMasterPassword: "{{ ansible_password }}" + VaultInstanceName: "[PAS-Orchestrator] Vault" + VaultHostName: vault + VaultInstanceType: m4.large + VaultInstanceSecurityGroups: "{{ my_sg.group_id }}" + VaultInstanceSubnetId: "{{ my_subnet.stdout }}" + - aws_region: "{{ my_region.stdout }}" + + - name: Get Vault machine details from CloudFormation + 
ec2_instance_facts: + region: "{{ my_region.stdout }}" + instance_ids: + - "{{ cf_output | json_query('[?logical_resource_id == `VaultMachine` ] | [0].physical_resource_id') }}" + register: vault_machine + + - name: Save Vault ip address in text file + copy: + dest: "/tmp/vault_ip_domain_{{ domain }}.txt" + content: | + {{ vault_machine.instances[0].private_ip_address }} + + - name: Save cloudformation id for later cleanup + copy: + dest: "/tmp/cf_vault_domain_{{ domain }}.txt" + content: | + {{ cloudformation_stack_id }} \ No newline at end of file diff --git a/tests/playbooks/pas-infrastructure/README.md b/tests/playbooks/pas-infrastructure/README.md new file mode 100644 index 0000000..c425130 --- /dev/null +++ b/tests/playbooks/pas-infrastructure/README.md 
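Review bot: The Vault security group allows TCP 1858 from `cidr_ip: 0.0.0.0/0`; the instances are created without public IPs today, but a group that wide outlives that assumption, and the VPC CIDR is available from the same metadata endpoint the play already queries (`.../macs/${INTERFACE}/vpc-ipv4-cidr-block`), so the rule can be scoped to the VPC. The `Deploy Vault` task feeds `ansible_password` into four CloudFormation parameters with no `no_log: true`; the `cf_deploy` role is not in the diff, so it is unclear whether its output echoes the parameters under `-v`, and marking the task `no_log` is the cheap way to stop guessing. `shell: echo $AWS_REGION` can be replaced by `set_fact: my_region: "{{ lookup('env', 'AWS_REGION') }}"` with a matching `.stdout` removal, avoiding a shell just to read an environment variable.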
@@ -0,0 +1,46 @@ +# EC2-PAS-Infrastructure + +This Playbook provisions an infrastructure on AWS to prepare a DC environment and Domain machines for PAS-Orchestrator + +Requirements +------------ + +- Security Group on the Target VPC with all the neccesary ports open for Domain Controller and WinRM. +- Pip libraries: `jq`, `yq`, `json2yaml`: + `pip install jq yq json2yaml --user` + +## Role Variables + +A list of vaiables the playbook is using + +| Variable | Comments | +|----------------------|--------------------| +| aws_region | AWS Region | +| keypair | KeyPair | +| ec2_instance_type | Instance Type | +| public_ip | Public Ip Yes/No | +| subnet_id | Subnet ID | +| security_group | Security Group ID | +| win2012_ami_id | AMI for DC | +| win2016_ami_id | AMI for PAS EC2 | +| pas_count | Number of Machines | +| ansible_user | Ansible User | +| ansible_password | Ansible Password | +| indomain | Yes/No | +| comp_sg | sg-xxxxxx | +| dc_sg | sg-xxxxxx | + +## Running the playbook: + +To run the above playbook: + + ansible-playbook ec2-infrastructure.yml -e "aws_region=my-region keypair=My-KP ec2_instance_type=t2.size public_ip=yes/no subnet_id=subnet-xxxxxx security_group=sg-xxxxxx win2012_ami_id=ami-xxxxxx win2016_ami_id=ami-xxxxxx dc_sg=sg-xxxxxx comp_sg=sg-xxxxxx pas_count=10 ansible_user=Administrator ansible_password=nopass when: indomain=yes" + +## Outputs: + +You will get a hosts file in `outputs/hosts.yml` you can use for the PAS-Orchestrator. +When using PAS-Orchestrator, you will see the relevant host groups on: `tag_Type_pvwa`, `tag_Type_cpm`, `tag_Type_psm`. + +## License + + **TBD** diff --git a/tests/playbooks/pas-infrastructure/ansible.cfg b/tests/playbooks/pas-infrastructure/ansible.cfg new file mode 100644 index 0000000..957a104 --- /dev/null +++ b/tests/playbooks/pas-infrastructure/ansible.cfg 
@@ -0,0 +1,5 @@ +[defaults] +# Adds timestamp to each task and add a recap on the end of the playbook +callback_whitelist = profile_tasks +# Disalbe host key checking +host_key_checking = False \ No newline at end of file diff --git a/tests/playbooks/pas-infrastructure/create_ec2_batch.yml b/tests/playbooks/pas-infrastructure/create_ec2_batch.yml new file mode 100644 index 0000000..7050c7c --- /dev/null +++ b/tests/playbooks/pas-infrastructure/create_ec2_batch.yml @@ -0,0 +1,27 @@ +--- + +- name: Generate EC2 Batch Machines + ec2: + aws_access_key: "{{ aws_access_key | default(omit) }}" + aws_secret_key: "{{ aws_secret_key | default(omit) }}" + security_token: "{{ aws_security_token | default(omit) }}" + key_name: "{{ keypair }}" + instance_type: "{{ ec2_instance_type }}" + image: "{{ ami_id }}" + wait: yes + group_id: "{{ security_group }}" + count: "{{ count }}" + vpc_subnet_id: "{{ subnet_id }}" + assign_public_ip: "{{ public_ip }}" + region: "{{ aws_region }}" + instance_tags: + Name: "{{ component_name }}-Machine-{{ lookup('pipe','date +%Y-%m-%d-%H-%M-%S') }}" + Type: "{{ component_name }}" + Domain: "{{ indomain }}" + Timestamp: "{{ env_timestamp }}" + user_data: "{{ ansible_user_data }}" + instance_profile_name: "{{ instance_profile | default('') }}" + register: ec2_instances + +- set_fact: + ec2_machines: "{{ ec2_instances }}" \ No newline at end of file diff --git a/tests/playbooks/pas-infrastructure/ec2-infrastructure.yml b/tests/playbooks/pas-infrastructure/ec2-infrastructure.yml new file mode 100644 index 0000000..303c637 --- /dev/null +++ b/tests/playbooks/pas-infrastructure/ec2-infrastructure.yml 
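Review bot: The `ec2` task in create_ec2_batch.yml receives `user_data: "{{ ansible_user_data }}"`, which in this commit's ec2-infrastructure.yml contains the administrator password, and it carries no `no_log: true`; at higher verbosity Ansible prints module arguments, so the password can reach the Jenkins console and the archived log. Add `no_log: true` to the task — the registered `ec2_instances` result and the following `set_fact` are unaffected. The `pas-infrastructure/ansible.cfg` comment `# Disalbe host key checking` is misspelled.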
@@ -0,0 +1,269 @@ +--- + +- hosts: localhost + gather_facts: no + vars: + ansible_user_data: | + + # Change Password + $admin = [adsi]("WinNT://./administrator, user") + $admin.PSBase.Invoke("SetPassword", "{{ ansible_password }}") + + # Configure machine for ansible remoting + $url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1" + $file = "$env:temp\ConfigureRemotingForAnsible.ps1" + (New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file) + powershell.exe -ExecutionPolicy ByPass -File $file -EnableCredSSP + + + tasks: + + - name: Get current vpc id + shell: | + INTERFACE=$(curl --silent http://169.254.169.254/latest/meta-data/network/interfaces/macs/) + VPC_ID=$(curl --silent http://169.254.169.254/latest/meta-data/network/interfaces/macs/${INTERFACE}/vpc-id) + echo $VPC_ID + register: my_vpc + + - name: Get current subnet id + shell: | + INTERFACE=$(curl --silent http://169.254.169.254/latest/meta-data/network/interfaces/macs/) + SUBNET_ID=$(curl --silent http://169.254.169.254/latest/meta-data/network/interfaces/macs/${INTERFACE}/subnet-id) + echo $SUBNET_ID + register: my_subnet + + - set_fact: + subnet_id: "{{ my_subnet.stdout }}" + + - name: Create security group for DC + ec2_group: + name: "PAS-Orchestrator-DC-{{ env_timestamp }}" + description: Security Group for PAS Orchestrator Domain Controller + vpc_id: "{{ my_vpc.stdout }}" + rules: + - proto: all + cidr_ip: 0.0.0.0/0 + tags: + Timestamp: "{{ env_timestamp }}" + register: dc_sg + + - name: Create security group for Components + ec2_group: + name: "PAS-Orchestrator-Components-{{ env_timestamp }}" + description: Security Group for PAS Orchestrator Components + vpc_id: "{{ my_vpc.stdout }}" + rules: + - proto: tcp + from_port: 1 + to_port: 65535 + cidr_ip: 0.0.0.0/0 + tags: + Timestamp: "{{ env_timestamp }}" + register: comp_sg + + - name: Get latest windows 2012 ami + ec2_ami_facts: + owners: 801119661308 + filters: + name: 
"Windows_Server-2012-R2_RTM-English-64Bit-Base-*" + register: ami_find_2012 + + - name: Get latest windows 2016 ami + ec2_ami_facts: + owners: 801119661308 + filters: + name: "Windows_Server-2016-English-Full-Base-*" + register: ami_find_2016 + + - name: Create Domain Controller + include_tasks: create_ec2_batch.yml + vars: + - component_name: dc + - count: 1 + - ami_id: "{{ ami_find_2012.images[0].image_id }}" + - security_group: "{{ dc_sg.group_id }}" + when: indomain == "yes" + + - name: Add DC Machine to Host Group + add_host: + name: "{{ ec2_machines.instances[0].private_ip }}" + group: dc + when: indomain == "yes" + + - name: Save domain controller ip address + set_fact: + dc_ip: "{{ ec2_machines.instances[0].private_ip }}" + when: indomain == "yes" + + - name: Create PVWA Machines + include_tasks: create_ec2_batch.yml + vars: + - component_name: pvwa + - count: "{{ pas_count }}" + - ami_id: "{{ ami_find_2016.images[0].image_id }}" + - security_group: "{{ comp_sg.group_id }}" + + - name: Add PVWA Machines to Host Group + add_host: + name: "{{ item.private_ip }}" + group: pvwa + with_items: "{{ ec2_machines.instances }}" + + - name: Create CPM Machines + include_tasks: create_ec2_batch.yml + vars: + - component_name: cpm + - count: "{{ pas_count }}" + - ami_id: "{{ ami_find_2016.images[0].image_id }}" + - security_group: "{{ comp_sg.group_id }}" + + - name: Add CPM to Host Group + add_host: + name: "{{ item.private_ip }}" + group: cpm + with_items: "{{ ec2_machines.instances }}" + + - name: Create PSM Machines + include_tasks: create_ec2_batch.yml + vars: + - component_name: psm + - count: "{{ pas_count }}" + - ami_id: "{{ ami_find_2016.images[0].image_id }}" + - security_group: "{{ comp_sg.group_id }}" + + - name: Add PSM to Host Group + add_host: + name: "{{ item.private_ip }}" + group: psm + with_items: "{{ ec2_machines.instances }}" + +- hosts: dc + gather_facts: no + vars: + ansible_connection: winrm + ansible_winrm_server_cert_validation: ignore + 
ansible_winrm_transport: basic + ansible_port: 5986 + domain: cyberark.com + + tasks: + + - name: Wait for DC to Respond + wait_for_connection: + timeout: 600 + when: indomain == "yes" + + - name: Install Active Directory Feature + win_feature: + name: AD-Domain-Services + include_management_tools: yes + include_sub_features: yes + state: present + when: indomain == "yes" + + - name: Install Domain on Active Directory + win_domain: + dns_domain_name: "{{ domain }}" + safe_mode_password: "{{ ansible_password }}" + register: ad + when: indomain == "yes" + + - name: Reboot Domain Controller + win_reboot: + msg: "Installing AD. Rebooting..." + pre_reboot_delay: 15 + reboot_timeout: 300 + when: + - ad.changed + - indomain == "yes" + +- hosts: pvwa:cpm:psm + gather_facts: no + vars: + ansible_connection: winrm + ansible_winrm_server_cert_validation: ignore + ansible_winrm_transport: basic + ansible_port: 5986 + domain: cyberark.com + + tasks: + + - name: Wait for PAS Machines to Respond + wait_for_connection: + timeout: 600 + + - name: Set DNS on IPV4 Adapter to DC + win_dns_client: + adapter_names: '*' + ipv4_addresses: + - "{{ hostvars['localhost']['dc_ip'] }}" + - "8.8.8.8" + log_path: C:\dns_log.txt + when: indomain == "yes" + + - name: Flush DNS Cache + win_shell: | + Clear-DnsClientCache + Register-DnsClient + when: indomain == "yes" + + - name: Join PAS Machines to the Domain + win_domain_membership: + dns_domain_name: "{{ domain }}" + domain_admin_user: "{{ domain }}\\{{ ansible_user }}" + domain_admin_password: "{{ ansible_password }}" + state: domain + register: domain_state + when: indomain == "yes" + + - name: Reboot PAS Machines to Apply Changes + win_reboot: + reboot_timeout: 300 + when: domain_state.reboot_required + when: indomain == "yes" + +- hosts: localhost + gather_facts: no + connection: local + tasks: + + - name: Copy EC2 py files to Outputs Fodler + copy: + src: "inventory/{{ item }}" + dest: "outputs/{{ item }}" + remote_src: yes + with_items: + 
- ec2.py + - ec2.ini + + - name: Make ec2.py executable + file: + path: outputs/ec2.py + mode: "+x" + + - name: Change the domain placeholder on ec2.ini + shell: | + sed -i -- 's/domain_placeholder/{{ indomain }}/g' outputs/ec2.ini + + - name: Get Dynamic Inventory + shell: | + ansible-inventory -i outputs/ec2.py --list --export -y | yq '.all.children | with_entries( select(.key|contains("tag_Type") ) )' | jq -s '{windows:{children:.[]}}' >> outputs/hosts.json + register: inventory + + - name: Convert Inventory JSON to YAML + command: "json2yaml outputs/hosts.json outputs/hosts_domain_{{ indomain }}.yml" + + - name: Remove Empty Objects + command: "sed -i -- 's/ {}//g' outputs/hosts_domain_{{ indomain }}.yml" + + - name: Remove tag_Type_ string + command: "sed -i -- 's/tag_Type_//g' outputs/hosts_domain_{{ indomain }}.yml" + + - name: Remove Leftovers from Outputs Folder + file: + path: "{{ item }}" + state: absent + with_items: + - outputs/hosts.json + - outputs/ec2.py + - outputs/ec2.ini diff --git a/tests/playbooks/pas-infrastructure/inventory/ec2.ini b/tests/playbooks/pas-infrastructure/inventory/ec2.ini new file mode 100644 index 0000000..7cd81e9 --- /dev/null +++ b/tests/playbooks/pas-infrastructure/inventory/ec2.ini 
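Review bot: The `Reboot PAS Machines to Apply Changes` task at the end of the `pvwa:cpm:psm` play has two `when:` keys; YAML keeps only the last one (Ansible warns about the duplicate), so the `domain_state.reboot_required` condition is dropped and every in-domain machine reboots unconditionally — merge them into one list: `when:` / `  - indomain == "yes"` / `  - domain_state.reboot_required | default(false)`. The `ansible_user_data` script embeds `{{ ansible_password }}` in plain text, and EC2 user data is readable by any process on the instance through the metadata service and by anyone holding `ec2:DescribeInstanceAttribute`, so the administrator password persists well beyond bootstrap; use a bootstrap-only password that is rotated after WinRM is configured, or at minimum keep it out of task output with `no_log` where it is consumed. The same script downloads `ConfigureRemotingForAnsible.ps1` from the `devel` branch at run time, so each provisioning run executes whatever that branch currently holds as an elevated script; pin the URL to a commit or tag, or vendor the script into the repository. The DC and components security groups open every port (`proto: all` and `tcp` 1–65535) to `0.0.0.0/0`; scoping `cidr_ip` to the VPC CIDR keeps the environment reachable from the agent without exposing it should a public IP ever be assigned.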
@@ -0,0 +1,220 @@
+# Ansible EC2 external inventory script settings
+#
+
+[ec2]
+
+# to talk to a private eucalyptus instance uncomment these lines
+# and edit edit eucalyptus_host to be the host name of your cloud controller
+#eucalyptus = True
+#eucalyptus_host = clc.cloud.domain.org
+
+# AWS regions to make calls to. Set this to 'all' to make request to all regions
+# in AWS and merge the results together. Alternatively, set this to a comma
+# separated list of regions. E.g. 'us-east-1,us-west-1,us-west-2' and do not
+# provide the 'regions_exclude' option. If this is set to 'auto', AWS_REGION or
+# AWS_DEFAULT_REGION environment variable will be read to determine the region.
+regions = auto
+# regions_exclude = us-gov-west-1, cn-north-1
+
+# When generating inventory, Ansible needs to know how to address a server.
+# Each EC2 instance has a lot of variables associated with it. Here is the list:
+# http://docs.pythonboto.org/en/latest/ref/ec2.html#module-boto.ec2.instance
+# Below are 2 variables that are used as the address of a server:
+# - destination_variable
+# - vpc_destination_variable
+
+# This is the normal destination variable to use. If you are running Ansible
+# from outside EC2, then 'public_dns_name' makes the most sense. If you are
+# running Ansible from within EC2, then perhaps you want to use the internal
+# address, and should set this to 'private_dns_name'. The key of an EC2 tag
+# may optionally be used; however the boto instance variables hold precedence
+# in the event of a collision.
+#it can
+destination_variable = public_dns_name
+
+# This allows you to override the inventory_name with an ec2 variable, instead
+# of using the destination_variable above. Addressing (aka ansible_ssh_host)
+# will still use destination_variable. Tags should be written as 'tag_TAGNAME'.
+#hostname_variable = tag_Name
+
+# For server inside a VPC, using DNS names may not make sense. When an instance
+# has 'subnet_id' set, this variable is used. If the subnet is public, setting
+# this to 'ip_address' will return the public IP address. For instances in a
+# private subnet, this should be set to 'private_ip_address', and Ansible must
+# be run from within EC2. The key of an EC2 tag may optionally be used; however
+# the boto instance variables hold precedence in the event of a collision.
+# WARNING: - instances that are in the private vpc, _without_ public ip address
+# will not be listed in the inventory until You set:
+# vpc_destination_variable = private_ip_address
+vpc_destination_variable = private_ip_address
+
+# The following two settings allow flexible ansible host naming based on a
+# python format string and a comma-separated list of ec2 tags. Note that:
+#
+# 1) If the tags referenced are not present for some instances, empty strings
+# will be substituted in the format string.
+# 2) This overrides both destination_variable and vpc_destination_variable.
+#
+#destination_format = {0}.{1}.example.com
+#destination_format_tags = Name,environment
+
+# To tag instances on EC2 with the resource records that point to them from
+# Route53, set 'route53' to True.
+route53 = False
+
+# To use Route53 records as the inventory hostnames, uncomment and set
+# to equal the domain name you wish to use. You must also have 'route53' (above)
+# set to True.
+# route53_hostnames = .example.com
+
+# To exclude RDS instances from the inventory, uncomment and set to False.
+#rds = False
+
+# To exclude ElastiCache instances from the inventory, uncomment and set to False.
+elasticache = False
+
+# Additionally, you can specify the list of zones to exclude looking up in
+# 'route53_excluded_zones' as a comma-separated list.
+# route53_excluded_zones = samplezone1.com, samplezone2.com
+
+# By default, only EC2 instances in the 'running' state are returned. Set
+# 'all_instances' to True to return all instances regardless of state.
+all_instances = False
+
+# By default, only EC2 instances in the 'running' state are returned. Specify
+# EC2 instance states to return as a comma-separated list. This
+# option is overridden when 'all_instances' is True.
+# instance_states = pending, running, shutting-down, terminated, stopping, stopped
+
+# By default, only RDS instances in the 'available' state are returned. Set
+# 'all_rds_instances' to True return all RDS instances regardless of state.
+all_rds_instances = False
+
+# Include RDS cluster information (Aurora etc.)
+include_rds_clusters = False
+
+# By default, only ElastiCache clusters and nodes in the 'available' state
+# are returned. Set 'all_elasticache_clusters' and/or 'all_elastic_nodes'
+# to True return all ElastiCache clusters and nodes, regardless of state.
+#
+# Note that all_elasticache_nodes only applies to listed clusters. That means
+# if you set all_elastic_clusters to false, no node will be return from
+# unavailable clusters, regardless of the state and to what you set for
+# all_elasticache_nodes.
+all_elasticache_replication_groups = False
+all_elasticache_clusters = False
+all_elasticache_nodes = False
+
+# API calls to EC2 are slow. For this reason, we cache the results of an API
+# call. Set this to the path you want cache files to be written to. Two files
+# will be written to this directory:
+# - ansible-ec2.cache
+# - ansible-ec2.index
+cache_path = ~/.ansible/tmp
+
+# The number of seconds a cache file is considered valid. After this many
+# seconds, a new API call will be made, and the cache file will be updated.
+# To disable the cache, set this value to 0
+cache_max_age = 0
+
+# Organize groups into a nested/hierarchy instead of a flat namespace.
+nested_groups = False
+
+# Replace - tags when creating groups to avoid issues with ansible
+replace_dash_in_groups = True
+
+# If set to true, any tag of the form "a,b,c" is expanded into a list
+# and the results are used to create additional tag_* inventory groups.
+expand_csv_tags = False
+
+# The EC2 inventory output can become very large. To manage its size,
+# configure which groups should be created.
+group_by_instance_id = False
+group_by_region = False
+group_by_availability_zone = False
+group_by_aws_account = False
+group_by_ami_id = False
+group_by_instance_type = False
+group_by_instance_state = False
+group_by_platform = False
+group_by_key_pair = False
+group_by_vpc_id = False
+group_by_security_group = False
+group_by_tag_keys = True
+group_by_tag_none = False
+group_by_route53_names = False
+group_by_rds_engine = False
+group_by_rds_parameter_group = False
+group_by_elasticache_engine = False
+group_by_elasticache_cluster = False
+group_by_elasticache_parameter_group = False
+group_by_elasticache_replication_group = False
+
+# If you only want to include hosts that match a certain regular expression
+# pattern_include = staging-*
+
+# If you want to exclude any hosts that match a certain regular expression
+# pattern_exclude = staging-*
+
+# Instance filters can be used to control which instances are retrieved for
+# inventory. For the full list of possible filters, please read the EC2 API
+# docs: http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ApiReference-query-DescribeInstances.html#query-DescribeInstances-filters
+# Filters are key/value pairs separated by '=', to list multiple filters use
+# a list separated by commas. To "AND" criteria together, use "&". Note that
+# the "AND" is not useful along with stack_filters and so such usage is not allowed.
+# See examples below.
+
+# If you want to apply multiple filters simultaneously, set stack_filters to
+# True. Default behaviour is to combine the results of all filters. Stacking
+# allows the use of multiple conditions to filter down, for example by
+# environment and type of host.
+stack_filters = False
+
+# Retrieve only instances with (key=value) env=staging tag
+# instance_filters = tag:env=staging
+
+# Retrieve only instances with role=webservers OR role=dbservers tag
+instance_filters = tag:Type=pvwa&tag:Domain=domain_placeholder,tag:Type=cpm&tag:Domain=domain_placeholder,tag:Type=psm&tag:Domain=domain_placeholder
+
+# Retrieve only t1.micro instances OR instances with tag env=staging
+# instance_filters = instance-type=t1.micro,tag:env=staging
+
+# You can use wildcards in filter values also. Below will list instances which
+# tag Name value matches webservers1*
+# (ex. webservers15, webservers1a, webservers123 etc)
+# instance_filters = tag:Name=webservers1*
+
+# Retrieve only instances of type t1.micro that also have tag env=stage
+# instance_filters = instance-type=t1.micro&tag:env=stage
+
+# Retrieve instances of type t1.micro AND tag env=stage, as well as any instance
+# that are of type m3.large, regardless of env tag
+# instance_filters = instance-type=t1.micro&tag:env=stage,instance-type=m3.large
+
+# An IAM role can be assumed, so all requests are run as that role.
+# This can be useful for connecting across different accounts, or to limit user
+# access
+# iam_role = role-arn
+
+# A boto configuration profile may be used to separate out credentials
+# see http://boto.readthedocs.org/en/latest/boto_config_tut.html
+# boto_profile = some-boto-profile-name
+
+
+[credentials]
+
+# The AWS credentials can optionally be specified here. Credentials specified
+# here are ignored if the environment variable AWS_ACCESS_KEY_ID or
+# AWS_PROFILE is set, or if the boto_profile property above is set.
+#
+# Supplying AWS credentials here is not recommended, as it introduces
+# non-trivial security concerns. When going down this route, please make sure
+# to set access permissions for this file correctly, e.g. handle it the same
+# way as you would a private SSH key.
+#
+# Unlike the boto and AWS configure files, this section does not support
+# profiles.
+#
+# aws_access_key_id = AXXXXXXXXXXXXXX
+# aws_secret_access_key = XXXXXXXXXXXXXXXXXXX
+# aws_security_token = XXXXXXXXXXXXXXXXXXXXXXXXXXXX
diff --git a/tests/playbooks/pas-infrastructure/inventory/ec2.py b/tests/playbooks/pas-infrastructure/inventory/ec2.py
new file mode 100644
index 0000000..7ba6142
--- /dev/null
+++ b/tests/playbooks/pas-infrastructure/inventory/ec2.py
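Review bot: The comment directly above `instance_filters` still reads `# Retrieve only instances with role=webservers OR role=dbservers tag`, which is the upstream example and no longer describes the value beneath it, which selects the pvwa/cpm/psm machines by `tag:Type` together with a `tag:Domain=domain_placeholder` token that the playbook hunk above rewrites with sed at run time; replace it with `# Retrieve PAS instances (pvwa, cpm, psm) whose Domain tag matches domain_placeholder, which the pas-infrastructure playbook substitutes with the indomain value before the inventory runs`. With `cache_max_age = 0` the script still writes `ansible-ec2*.cache`/`.index` under `cache_path = ~/.ansible/tmp` after every API call (see `do_api_calls_update_cache` in the ec2.py hunk), so a full copy of the inventory, including every ec2_* hostvar of the matched instances, accumulates in the agent's home directory and is not removed by the playbook's "Remove Leftovers from Outputs Folder" task, which only deletes the three files under outputs/. Consider pointing `cache_path` at a workspace-relative directory that the cleanup task also removes, or at least documenting the leftover in a comment above `cache_path`.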
@@ -0,0 +1,1709 @@ +#!/usr/bin/env python + +''' +EC2 external inventory script +================================= + +Generates inventory that Ansible can understand by making API request to +AWS EC2 using the Boto library. + +NOTE: This script assumes Ansible is being executed where the environment +variables needed for Boto have already been set: + export AWS_ACCESS_KEY_ID='AK123' + export AWS_SECRET_ACCESS_KEY='abc123' + +Optional region environment variable if region is 'auto' + +This script also assumes that there is an ec2.ini file alongside it. To specify a +different path to ec2.ini, define the EC2_INI_PATH environment variable: + + export EC2_INI_PATH=/path/to/my_ec2.ini + +If you're using eucalyptus you need to set the above variables and +you need to define: + + export EC2_URL=http://hostname_of_your_cc:port/services/Eucalyptus + +If you're using boto profiles (requires boto>=2.24.0) you can choose a profile +using the --boto-profile command line argument (e.g. ec2.py --boto-profile prod) or using +the AWS_PROFILE variable: + + AWS_PROFILE=prod ansible-playbook -i ec2.py myplaybook.yml + +For more details, see: http://docs.pythonboto.org/en/latest/boto_config_tut.html + +You can filter for specific EC2 instances by creating an environment variable +named EC2_INSTANCE_FILTERS, which has the same format as the instance_filters +entry documented in ec2.ini. 
For example, to find all hosts whose name begins +with 'webserver', one might use: + + export EC2_INSTANCE_FILTERS='tag:Name=webserver*' + +When run against a specific host, this script returns the following variables: + - ec2_ami_launch_index + - ec2_architecture + - ec2_association + - ec2_attachTime + - ec2_attachment + - ec2_attachmentId + - ec2_block_devices + - ec2_client_token + - ec2_deleteOnTermination + - ec2_description + - ec2_deviceIndex + - ec2_dns_name + - ec2_eventsSet + - ec2_group_name + - ec2_hypervisor + - ec2_id + - ec2_image_id + - ec2_instanceState + - ec2_instance_type + - ec2_ipOwnerId + - ec2_ip_address + - ec2_item + - ec2_kernel + - ec2_key_name + - ec2_launch_time + - ec2_monitored + - ec2_monitoring + - ec2_networkInterfaceId + - ec2_ownerId + - ec2_persistent + - ec2_placement + - ec2_platform + - ec2_previous_state + - ec2_private_dns_name + - ec2_private_ip_address + - ec2_publicIp + - ec2_public_dns_name + - ec2_ramdisk + - ec2_reason + - ec2_region + - ec2_requester_id + - ec2_root_device_name + - ec2_root_device_type + - ec2_security_group_ids + - ec2_security_group_names + - ec2_shutdown_state + - ec2_sourceDestCheck + - ec2_spot_instance_request_id + - ec2_state + - ec2_state_code + - ec2_state_reason + - ec2_status + - ec2_subnet_id + - ec2_tenancy + - ec2_virtualization_type + - ec2_vpc_id + +These variables are pulled out of a boto.ec2.instance object. There is a lack of +consistency with variable spellings (camelCase and underscores) since this +just loops through all variables the object exposes. It is preferred to use the +ones with underscores when multiple exist. + +In addition, if an instance has AWS tags associated with it, each tag is a new +variable named: + - ec2_tag_[Key] = [Value] + +Security groups are comma-separated in 'ec2_security_group_ids' and +'ec2_security_group_names'. 
+ +When destination_format and destination_format_tags are specified +the destination_format can be built from the instance tags and attributes. +The behavior will first check the user defined tags, then proceed to +check instance attributes, and finally if neither are found 'nil' will +be used instead. + +'my_instance': { + 'region': 'us-east-1', # attribute + 'availability_zone': 'us-east-1a', # attribute + 'private_dns_name': '172.31.0.1', # attribute + 'ec2_tag_deployment': 'blue', # tag + 'ec2_tag_clusterid': 'ansible', # tag + 'ec2_tag_Name': 'webserver', # tag + ... +} + +Inside of the ec2.ini file the following settings are specified: +... +destination_format: {0}-{1}-{2}-{3} +destination_format_tags: Name,clusterid,deployment,private_dns_name +... + +These settings would produce a destination_format as the following: +'webserver-ansible-blue-172.31.0.1' +''' + +# (c) 2012, Peter Sankauskas +# +# This file is part of Ansible, +# +# Ansible is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Ansible is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Ansible. If not, see . 
+ +###################################################################### + +import sys +import os +import argparse +import re +from time import time +from copy import deepcopy +import boto +from boto import ec2 +from boto import rds +from boto import elasticache +from boto import route53 +from boto import sts +import six + +from ansible.module_utils import ec2 as ec2_utils + +HAS_BOTO3 = False +try: + import boto3 # noqa + HAS_BOTO3 = True +except ImportError: + pass + +from six.moves import configparser +from collections import defaultdict + +import json + +DEFAULTS = { + 'all_elasticache_clusters': 'False', + 'all_elasticache_nodes': 'False', + 'all_elasticache_replication_groups': 'False', + 'all_instances': 'False', + 'all_rds_instances': 'False', + 'aws_access_key_id': '', + 'aws_secret_access_key': '', + 'aws_security_token': '', + 'boto_profile': '', + 'cache_max_age': '300', + 'cache_path': '~/.ansible/tmp', + 'destination_variable': 'public_dns_name', + 'elasticache': 'True', + 'eucalyptus': 'False', + 'eucalyptus_host': '', + 'expand_csv_tags': 'False', + 'group_by_ami_id': 'True', + 'group_by_availability_zone': 'True', + 'group_by_aws_account': 'False', + 'group_by_elasticache_cluster': 'True', + 'group_by_elasticache_engine': 'True', + 'group_by_elasticache_parameter_group': 'True', + 'group_by_elasticache_replication_group': 'True', + 'group_by_instance_id': 'True', + 'group_by_instance_state': 'False', + 'group_by_instance_type': 'True', + 'group_by_key_pair': 'True', + 'group_by_platform': 'True', + 'group_by_rds_engine': 'True', + 'group_by_rds_parameter_group': 'True', + 'group_by_region': 'True', + 'group_by_route53_names': 'True', + 'group_by_security_group': 'True', + 'group_by_tag_keys': 'True', + 'group_by_tag_none': 'True', + 'group_by_vpc_id': 'True', + 'hostname_variable': '', + 'iam_role': '', + 'include_rds_clusters': 'False', + 'nested_groups': 'False', + 'pattern_exclude': '', + 'pattern_include': '', + 'rds': 'False', + 'regions': 
'all', + 'regions_exclude': 'us-gov-west-1, cn-north-1', + 'replace_dash_in_groups': 'True', + 'route53': 'False', + 'route53_excluded_zones': '', + 'route53_hostnames': '', + 'stack_filters': 'False', + 'vpc_destination_variable': 'ip_address' +} + + +class Ec2Inventory(object): + + def _empty_inventory(self): + return {"_meta": {"hostvars": {}}} + + def __init__(self): + ''' Main execution path ''' + + # Inventory grouped by instance IDs, tags, security groups, regions, + # and availability zones + self.inventory = self._empty_inventory() + + self.aws_account_id = None + + # Index of hostname (address) to instance ID + self.index = {} + + # Boto profile to use (if any) + self.boto_profile = None + + # AWS credentials. + self.credentials = {} + + # Read settings and parse CLI arguments + self.parse_cli_args() + self.read_settings() + + # Make sure that profile_name is not passed at all if not set + # as pre 2.24 boto will fall over otherwise + if self.boto_profile: + if not hasattr(boto.ec2.EC2Connection, 'profile_name'): + self.fail_with_error("boto version must be >= 2.24 to use profile") + + # Cache + if self.args.refresh_cache: + self.do_api_calls_update_cache() + elif not self.is_cache_valid(): + self.do_api_calls_update_cache() + + # Data to print + if self.args.host: + data_to_print = self.get_host_info() + + elif self.args.list: + # Display list of instances for inventory + if self.inventory == self._empty_inventory(): + data_to_print = self.get_inventory_from_cache() + else: + data_to_print = self.json_format_dict(self.inventory, True) + + print(data_to_print) + + def is_cache_valid(self): + ''' Determines if the cache files have expired, or if it is still valid ''' + + if os.path.isfile(self.cache_path_cache): + mod_time = os.path.getmtime(self.cache_path_cache) + current_time = time() + if (mod_time + self.cache_max_age) > current_time: + if os.path.isfile(self.cache_path_index): + return True + + return False + + def read_settings(self): + ''' Reads 
the settings from the ec2.ini file ''' + + scriptbasename = __file__ + scriptbasename = os.path.basename(scriptbasename) + scriptbasename = scriptbasename.replace('.py', '') + + defaults = { + 'ec2': { + 'ini_fallback': os.path.join(os.path.dirname(__file__), 'ec2.ini'), + 'ini_path': os.path.join(os.path.dirname(__file__), '%s.ini' % scriptbasename) + } + } + + if six.PY3: + config = configparser.ConfigParser(DEFAULTS) + else: + config = configparser.SafeConfigParser(DEFAULTS) + ec2_ini_path = os.environ.get('EC2_INI_PATH', defaults['ec2']['ini_path']) + ec2_ini_path = os.path.expanduser(os.path.expandvars(ec2_ini_path)) + + if not os.path.isfile(ec2_ini_path): + ec2_ini_path = os.path.expanduser(defaults['ec2']['ini_fallback']) + + if os.path.isfile(ec2_ini_path): + config.read(ec2_ini_path) + + # Add empty sections if they don't exist + try: + config.add_section('ec2') + except configparser.DuplicateSectionError: + pass + + try: + config.add_section('credentials') + except configparser.DuplicateSectionError: + pass + + # is eucalyptus? 
+ self.eucalyptus = config.getboolean('ec2', 'eucalyptus') + self.eucalyptus_host = config.get('ec2', 'eucalyptus_host') + + # Regions + self.regions = [] + config_regions = config.get('ec2', 'regions') + if (config_regions == 'all'): + if self.eucalyptus_host: + self.regions.append(boto.connect_euca(host=self.eucalyptus_host).region.name, **self.credentials) + else: + config_regions_exclude = config.get('ec2', 'regions_exclude') + + for region_info in ec2.regions(): + if region_info.name not in config_regions_exclude: + self.regions.append(region_info.name) + else: + self.regions = config_regions.split(",") + if 'auto' in self.regions: + env_region = os.environ.get('AWS_REGION') + if env_region is None: + env_region = os.environ.get('AWS_DEFAULT_REGION') + self.regions = [env_region] + + # Destination addresses + self.destination_variable = config.get('ec2', 'destination_variable') + self.vpc_destination_variable = config.get('ec2', 'vpc_destination_variable') + self.hostname_variable = config.get('ec2', 'hostname_variable') + + if config.has_option('ec2', 'destination_format') and \ + config.has_option('ec2', 'destination_format_tags'): + self.destination_format = config.get('ec2', 'destination_format') + self.destination_format_tags = config.get('ec2', 'destination_format_tags').split(',') + else: + self.destination_format = None + self.destination_format_tags = None + + # Route53 + self.route53_enabled = config.getboolean('ec2', 'route53') + self.route53_hostnames = config.get('ec2', 'route53_hostnames') + + self.route53_excluded_zones = [] + self.route53_excluded_zones = [a for a in config.get('ec2', 'route53_excluded_zones').split(',') if a] + + # Include RDS instances? + self.rds_enabled = config.getboolean('ec2', 'rds') + + # Include RDS cluster instances? + self.include_rds_clusters = config.getboolean('ec2', 'include_rds_clusters') + + # Include ElastiCache instances? 
+ self.elasticache_enabled = config.getboolean('ec2', 'elasticache') + + # Return all EC2 instances? + self.all_instances = config.getboolean('ec2', 'all_instances') + + # Instance states to be gathered in inventory. Default is 'running'. + # Setting 'all_instances' to 'yes' overrides this option. + ec2_valid_instance_states = [ + 'pending', + 'running', + 'shutting-down', + 'terminated', + 'stopping', + 'stopped' + ] + self.ec2_instance_states = [] + if self.all_instances: + self.ec2_instance_states = ec2_valid_instance_states + elif config.has_option('ec2', 'instance_states'): + for instance_state in config.get('ec2', 'instance_states').split(','): + instance_state = instance_state.strip() + if instance_state not in ec2_valid_instance_states: + continue + self.ec2_instance_states.append(instance_state) + else: + self.ec2_instance_states = ['running'] + + # Return all RDS instances? (if RDS is enabled) + self.all_rds_instances = config.getboolean('ec2', 'all_rds_instances') + + # Return all ElastiCache replication groups? (if ElastiCache is enabled) + self.all_elasticache_replication_groups = config.getboolean('ec2', 'all_elasticache_replication_groups') + + # Return all ElastiCache clusters? (if ElastiCache is enabled) + self.all_elasticache_clusters = config.getboolean('ec2', 'all_elasticache_clusters') + + # Return all ElastiCache nodes? 
(if ElastiCache is enabled) + self.all_elasticache_nodes = config.getboolean('ec2', 'all_elasticache_nodes') + + # boto configuration profile (prefer CLI argument then environment variables then config file) + self.boto_profile = self.args.boto_profile or \ + os.environ.get('AWS_PROFILE') or \ + config.get('ec2', 'boto_profile') + + # AWS credentials (prefer environment variables) + if not (self.boto_profile or os.environ.get('AWS_ACCESS_KEY_ID') or + os.environ.get('AWS_PROFILE')): + + aws_access_key_id = config.get('credentials', 'aws_access_key_id') + aws_secret_access_key = config.get('credentials', 'aws_secret_access_key') + aws_security_token = config.get('credentials', 'aws_security_token') + + if aws_access_key_id: + self.credentials = { + 'aws_access_key_id': aws_access_key_id, + 'aws_secret_access_key': aws_secret_access_key + } + if aws_security_token: + self.credentials['security_token'] = aws_security_token + + # Cache related + cache_dir = os.path.expanduser(config.get('ec2', 'cache_path')) + if self.boto_profile: + cache_dir = os.path.join(cache_dir, 'profile_' + self.boto_profile) + if not os.path.exists(cache_dir): + os.makedirs(cache_dir) + + cache_name = 'ansible-ec2' + cache_id = self.boto_profile or os.environ.get('AWS_ACCESS_KEY_ID', self.credentials.get('aws_access_key_id')) + if cache_id: + cache_name = '%s-%s' % (cache_name, cache_id) + cache_name += '-' + str(abs(hash(__file__)))[1:7] + self.cache_path_cache = os.path.join(cache_dir, "%s.cache" % cache_name) + self.cache_path_index = os.path.join(cache_dir, "%s.index" % cache_name) + self.cache_max_age = config.getint('ec2', 'cache_max_age') + + self.expand_csv_tags = config.getboolean('ec2', 'expand_csv_tags') + + # Configure nested groups instead of flat namespace. 
+ self.nested_groups = config.getboolean('ec2', 'nested_groups') + + # Replace dash or not in group names + self.replace_dash_in_groups = config.getboolean('ec2', 'replace_dash_in_groups') + + # IAM role to assume for connection + self.iam_role = config.get('ec2', 'iam_role') + + # Configure which groups should be created. + + group_by_options = [a for a in DEFAULTS if a.startswith('group_by')] + for option in group_by_options: + setattr(self, option, config.getboolean('ec2', option)) + + # Do we need to just include hosts that match a pattern? + self.pattern_include = config.get('ec2', 'pattern_include') + if self.pattern_include: + self.pattern_include = re.compile(self.pattern_include) + + # Do we need to exclude hosts that match a pattern? + self.pattern_exclude = config.get('ec2', 'pattern_exclude') + if self.pattern_exclude: + self.pattern_exclude = re.compile(self.pattern_exclude) + + # Do we want to stack multiple filters? + self.stack_filters = config.getboolean('ec2', 'stack_filters') + + # Instance filters (see boto and EC2 API docs). Ignore invalid filters. 
+ self.ec2_instance_filters = [] + + if config.has_option('ec2', 'instance_filters') or 'EC2_INSTANCE_FILTERS' in os.environ: + filters = os.getenv('EC2_INSTANCE_FILTERS', config.get('ec2', 'instance_filters') if config.has_option('ec2', 'instance_filters') else '') + + if self.stack_filters and '&' in filters: + self.fail_with_error("AND filters along with stack_filter enabled is not supported.\n") + + filter_sets = [f for f in filters.split(',') if f] + + for filter_set in filter_sets: + filters = {} + filter_set = filter_set.strip() + for instance_filter in filter_set.split("&"): + instance_filter = instance_filter.strip() + if not instance_filter or '=' not in instance_filter: + continue + filter_key, filter_value = [x.strip() for x in instance_filter.split('=', 1)] + if not filter_key: + continue + filters[filter_key] = filter_value + self.ec2_instance_filters.append(filters.copy()) + + def parse_cli_args(self): + ''' Command line argument processing ''' + + parser = argparse.ArgumentParser(description='Produce an Ansible Inventory file based on EC2') + parser.add_argument('--list', action='store_true', default=True, + help='List instances (default: True)') + parser.add_argument('--host', action='store', + help='Get all the variables about a specific instance') + parser.add_argument('--refresh-cache', action='store_true', default=False, + help='Force refresh of cache by making API requests to EC2 (default: False - use cache files)') + parser.add_argument('--profile', '--boto-profile', action='store', dest='boto_profile', + help='Use boto profile for connections to EC2') + self.args = parser.parse_args() + + def do_api_calls_update_cache(self): + ''' Do API calls to each region, and save data in cache files ''' + + if self.route53_enabled: + self.get_route53_records() + + for region in self.regions: + self.get_instances_by_region(region) + if self.rds_enabled: + self.get_rds_instances_by_region(region) + if self.elasticache_enabled: + 
self.get_elasticache_clusters_by_region(region) + self.get_elasticache_replication_groups_by_region(region) + if self.include_rds_clusters: + self.include_rds_clusters_by_region(region) + + self.write_to_cache(self.inventory, self.cache_path_cache) + self.write_to_cache(self.index, self.cache_path_index) + + def connect(self, region): + ''' create connection to api server''' + if self.eucalyptus: + conn = boto.connect_euca(host=self.eucalyptus_host, **self.credentials) + conn.APIVersion = '2010-08-31' + else: + conn = self.connect_to_aws(ec2, region) + return conn + + def boto_fix_security_token_in_profile(self, connect_args): + ''' monkey patch for boto issue boto/boto#2100 ''' + profile = 'profile ' + self.boto_profile + if boto.config.has_option(profile, 'aws_security_token'): + connect_args['security_token'] = boto.config.get(profile, 'aws_security_token') + return connect_args + + def connect_to_aws(self, module, region): + connect_args = deepcopy(self.credentials) + + # only pass the profile name if it's set (as it is not supported by older boto versions) + if self.boto_profile: + connect_args['profile_name'] = self.boto_profile + self.boto_fix_security_token_in_profile(connect_args) + + if self.iam_role: + sts_conn = sts.connect_to_region(region, **connect_args) + role = sts_conn.assume_role(self.iam_role, 'ansible_dynamic_inventory') + connect_args['aws_access_key_id'] = role.credentials.access_key + connect_args['aws_secret_access_key'] = role.credentials.secret_key + connect_args['security_token'] = role.credentials.session_token + + conn = module.connect_to_region(region, **connect_args) + # connect_to_region will fail "silently" by returning None if the region name is wrong or not supported + if conn is None: + self.fail_with_error("region name: %s likely not supported, or AWS is down. connection to region failed." 
% region) + return conn + + def get_instances_by_region(self, region): + ''' Makes an AWS EC2 API call to the list of instances in a particular + region ''' + + try: + conn = self.connect(region) + reservations = [] + if self.ec2_instance_filters: + if self.stack_filters: + filters_dict = {} + for filters in self.ec2_instance_filters: + filters_dict.update(filters) + reservations.extend(conn.get_all_instances(filters=filters_dict)) + else: + for filters in self.ec2_instance_filters: + reservations.extend(conn.get_all_instances(filters=filters)) + else: + reservations = conn.get_all_instances() + + # Pull the tags back in a second step + # AWS are on record as saying that the tags fetched in the first `get_all_instances` request are not + # reliable and may be missing, and the only way to guarantee they are there is by calling `get_all_tags` + instance_ids = [] + for reservation in reservations: + instance_ids.extend([instance.id for instance in reservation.instances]) + + max_filter_value = 199 + tags = [] + for i in range(0, len(instance_ids), max_filter_value): + tags.extend(conn.get_all_tags(filters={'resource-type': 'instance', 'resource-id': instance_ids[i:i + max_filter_value]})) + + tags_by_instance_id = defaultdict(dict) + for tag in tags: + tags_by_instance_id[tag.res_id][tag.name] = tag.value + + if (not self.aws_account_id) and reservations: + self.aws_account_id = reservations[0].owner_id + + for reservation in reservations: + for instance in reservation.instances: + instance.tags = tags_by_instance_id[instance.id] + self.add_instance(instance, region) + + except boto.exception.BotoServerError as e: + if e.error_code == 'AuthFailure': + error = self.get_auth_error_message() + else: + backend = 'Eucalyptus' if self.eucalyptus else 'AWS' + error = "Error connecting to %s backend.\n%s" % (backend, e.message) + self.fail_with_error(error, 'getting EC2 instances') + + def tags_match_filters(self, tags): + ''' return True if given tags match configured 
filters ''' + if not self.ec2_instance_filters: + return True + + for filters in self.ec2_instance_filters: + for filter_name, filter_value in filters.items(): + if filter_name[:4] != 'tag:': + continue + filter_name = filter_name[4:] + if filter_name not in tags: + if self.stack_filters: + return False + continue + if isinstance(filter_value, list): + if self.stack_filters and tags[filter_name] not in filter_value: + return False + if not self.stack_filters and tags[filter_name] in filter_value: + return True + if isinstance(filter_value, six.string_types): + if self.stack_filters and tags[filter_name] != filter_value: + return False + if not self.stack_filters and tags[filter_name] == filter_value: + return True + + return self.stack_filters + + def get_rds_instances_by_region(self, region): + ''' Makes an AWS API call to the list of RDS instances in a particular + region ''' + + if not HAS_BOTO3: + self.fail_with_error("Working with RDS instances requires boto3 - please install boto3 and try again", + "getting RDS instances") + + client = ec2_utils.boto3_inventory_conn('client', 'rds', region, **self.credentials) + db_instances = client.describe_db_instances() + + try: + conn = self.connect_to_aws(rds, region) + if conn: + marker = None + while True: + instances = conn.get_all_dbinstances(marker=marker) + marker = instances.marker + for index, instance in enumerate(instances): + # Add tags to instances. 
+ instance.arn = db_instances['DBInstances'][index]['DBInstanceArn'] + tags = client.list_tags_for_resource(ResourceName=instance.arn)['TagList'] + instance.tags = {} + for tag in tags: + instance.tags[tag['Key']] = tag['Value'] + if self.tags_match_filters(instance.tags): + self.add_rds_instance(instance, region) + if not marker: + break + except boto.exception.BotoServerError as e: + error = e.reason + + if e.error_code == 'AuthFailure': + error = self.get_auth_error_message() + elif e.error_code == "OptInRequired": + error = "RDS hasn't been enabled for this account yet. " \ + "You must either log in to the RDS service through the AWS console to enable it, " \ + "or set 'rds = False' in ec2.ini" + elif not e.reason == "Forbidden": + error = "Looks like AWS RDS is down:\n%s" % e.message + self.fail_with_error(error, 'getting RDS instances') + + def include_rds_clusters_by_region(self, region): + if not HAS_BOTO3: + self.fail_with_error("Working with RDS clusters requires boto3 - please install boto3 and try again", + "getting RDS clusters") + + client = ec2_utils.boto3_inventory_conn('client', 'rds', region, **self.credentials) + + marker, clusters = '', [] + while marker is not None: + resp = client.describe_db_clusters(Marker=marker) + clusters.extend(resp["DBClusters"]) + marker = resp.get('Marker', None) + + account_id = boto.connect_iam().get_user().arn.split(':')[4] + c_dict = {} + for c in clusters: + # remove these datetime objects as there is no serialisation to json + # currently in place and we don't need the data yet + if 'EarliestRestorableTime' in c: + del c['EarliestRestorableTime'] + if 'LatestRestorableTime' in c: + del c['LatestRestorableTime'] + + if not self.ec2_instance_filters: + matches_filter = True + else: + matches_filter = False + + try: + # arn:aws:rds:::: + tags = client.list_tags_for_resource( + ResourceName='arn:aws:rds:' + region + ':' + account_id + ':cluster:' + c['DBClusterIdentifier']) + c['Tags'] = tags['TagList'] + + if 
self.ec2_instance_filters: + for filters in self.ec2_instance_filters: + for filter_key, filter_values in filters.items(): + # get AWS tag key e.g. tag:env will be 'env' + tag_name = filter_key.split(":", 1)[1] + # Filter values is a list (if you put multiple values for the same tag name) + matches_filter = any(d['Key'] == tag_name and d['Value'] in filter_values for d in c['Tags']) + + if matches_filter: + # it matches a filter, so stop looking for further matches + break + + if matches_filter: + break + + except Exception as e: + if e.message.find('DBInstanceNotFound') >= 0: + # AWS RDS bug (2016-01-06) means deletion does not fully complete and leave an 'empty' cluster. + # Ignore errors when trying to find tags for these + pass + + # ignore empty clusters caused by AWS bug + if len(c['DBClusterMembers']) == 0: + continue + elif matches_filter: + c_dict[c['DBClusterIdentifier']] = c + + self.inventory['db_clusters'] = c_dict + + def get_elasticache_clusters_by_region(self, region): + ''' Makes an AWS API call to the list of ElastiCache clusters (with + nodes' info) in a particular region.''' + + # ElastiCache boto module doesn't provide a get_all_instances method, + # that's why we need to call describe directly (it would be called by + # the shorthand method anyway...) + clusters = [] + try: + conn = self.connect_to_aws(elasticache, region) + if conn: + # show_cache_node_info = True + # because we also want nodes' information + _marker = 1 + while _marker: + if _marker == 1: + _marker = None + response = conn.describe_cache_clusters(None, None, _marker, True) + _marker = response['DescribeCacheClustersResponse']['DescribeCacheClustersResult']['Marker'] + try: + # Boto also doesn't provide wrapper classes to CacheClusters or + # CacheNodes. Because of that we can't make use of the get_list + # method in the AWSQueryConnection. 
Let's do the work manually + clusters = clusters + response['DescribeCacheClustersResponse']['DescribeCacheClustersResult']['CacheClusters'] + except KeyError as e: + error = "ElastiCache query to AWS failed (unexpected format)." + self.fail_with_error(error, 'getting ElastiCache clusters') + except boto.exception.BotoServerError as e: + error = e.reason + + if e.error_code == 'AuthFailure': + error = self.get_auth_error_message() + elif e.error_code == "OptInRequired": + error = "ElastiCache hasn't been enabled for this account yet. " \ + "You must either log in to the ElastiCache service through the AWS console to enable it, " \ + "or set 'elasticache = False' in ec2.ini" + elif not e.reason == "Forbidden": + error = "Looks like AWS ElastiCache is down:\n%s" % e.message + self.fail_with_error(error, 'getting ElastiCache clusters') + + for cluster in clusters: + self.add_elasticache_cluster(cluster, region) + + def get_elasticache_replication_groups_by_region(self, region): + ''' Makes an AWS API call to the list of ElastiCache replication groups + in a particular region.''' + + # ElastiCache boto module doesn't provide a get_all_instances method, + # that's why we need to call describe directly (it would be called by + # the shorthand method anyway...) + try: + conn = self.connect_to_aws(elasticache, region) + if conn: + response = conn.describe_replication_groups() + + except boto.exception.BotoServerError as e: + error = e.reason + + if e.error_code == 'AuthFailure': + error = self.get_auth_error_message() + if not e.reason == "Forbidden": + error = "Looks like AWS ElastiCache [Replication Groups] is down:\n%s" % e.message + self.fail_with_error(error, 'getting ElastiCache clusters') + + try: + # Boto also doesn't provide wrapper classes to ReplicationGroups + # Because of that we can't make use of the get_list method in the + # AWSQueryConnection. 
Let's do the work manually + replication_groups = response['DescribeReplicationGroupsResponse']['DescribeReplicationGroupsResult']['ReplicationGroups'] + + except KeyError as e: + error = "ElastiCache [Replication Groups] query to AWS failed (unexpected format)." + self.fail_with_error(error, 'getting ElastiCache clusters') + + for replication_group in replication_groups: + self.add_elasticache_replication_group(replication_group, region) + + def get_auth_error_message(self): + ''' create an informative error message if there is an issue authenticating''' + errors = ["Authentication error retrieving ec2 inventory."] + if None in [os.environ.get('AWS_ACCESS_KEY_ID'), os.environ.get('AWS_SECRET_ACCESS_KEY')]: + errors.append(' - No AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY environment vars found') + else: + errors.append(' - AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment vars found but may not be correct') + + boto_paths = ['/etc/boto.cfg', '~/.boto', '~/.aws/credentials'] + boto_config_found = [p for p in boto_paths if os.path.isfile(os.path.expanduser(p))] + if len(boto_config_found) > 0: + errors.append(" - Boto configs found at '%s', but the credentials contained may not be correct" % ', '.join(boto_config_found)) + else: + errors.append(" - No Boto config found at any expected location '%s'" % ', '.join(boto_paths)) + + return '\n'.join(errors) + + def fail_with_error(self, err_msg, err_operation=None): + '''log an error to std err for ansible-playbook to consume and exit''' + if err_operation: + err_msg = 'ERROR: "{err_msg}", while: {err_operation}'.format( + err_msg=err_msg, err_operation=err_operation) + sys.stderr.write(err_msg) + sys.exit(1) + + def get_instance(self, region, instance_id): + conn = self.connect(region) + + reservations = conn.get_all_instances([instance_id]) + for reservation in reservations: + for instance in reservation.instances: + return instance + + def add_instance(self, instance, region): + ''' Adds an instance to the 
inventory and index, as long as it is + addressable ''' + + # Only return instances with desired instance states + if instance.state not in self.ec2_instance_states: + return + + # Select the best destination address + # When destination_format and destination_format_tags are specified + # the following code will attempt to find the instance tags first, + # then the instance attributes next, and finally if neither are found + # assign nil for the desired destination format attribute. + if self.destination_format and self.destination_format_tags: + dest_vars = [] + inst_tags = getattr(instance, 'tags') + for tag in self.destination_format_tags: + if tag in inst_tags: + dest_vars.append(inst_tags[tag]) + elif hasattr(instance, tag): + dest_vars.append(getattr(instance, tag)) + else: + dest_vars.append('nil') + + dest = self.destination_format.format(*dest_vars) + elif instance.subnet_id: + dest = getattr(instance, self.vpc_destination_variable, None) + if dest is None: + dest = getattr(instance, 'tags').get(self.vpc_destination_variable, None) + else: + dest = getattr(instance, self.destination_variable, None) + if dest is None: + dest = getattr(instance, 'tags').get(self.destination_variable, None) + + if not dest: + # Skip instances we cannot address (e.g. 
private VPC subnet) + return + + # Set the inventory name + hostname = None + if self.hostname_variable: + if self.hostname_variable.startswith('tag_'): + hostname = instance.tags.get(self.hostname_variable[4:], None) + else: + hostname = getattr(instance, self.hostname_variable) + + # set the hostname from route53 + if self.route53_enabled and self.route53_hostnames: + route53_names = self.get_instance_route53_names(instance) + for name in route53_names: + if name.endswith(self.route53_hostnames): + hostname = name + + # If we can't get a nice hostname, use the destination address + if not hostname: + hostname = dest + # to_safe strips hostname characters like dots, so don't strip route53 hostnames + elif self.route53_enabled and self.route53_hostnames and hostname.endswith(self.route53_hostnames): + hostname = hostname.lower() + else: + hostname = self.to_safe(hostname).lower() + + # if we only want to include hosts that match a pattern, skip those that don't + if self.pattern_include and not self.pattern_include.match(hostname): + return + + # if we need to exclude hosts that match a pattern, skip those + if self.pattern_exclude and self.pattern_exclude.match(hostname): + return + + # Add to index + self.index[hostname] = [region, instance.id] + + # Inventory: Group by instance ID (always a group of 1) + if self.group_by_instance_id: + self.inventory[instance.id] = [hostname] + if self.nested_groups: + self.push_group(self.inventory, 'instances', instance.id) + + # Inventory: Group by region + if self.group_by_region: + self.push(self.inventory, region, hostname) + if self.nested_groups: + self.push_group(self.inventory, 'regions', region) + + # Inventory: Group by availability zone + if self.group_by_availability_zone: + self.push(self.inventory, instance.placement, hostname) + if self.nested_groups: + if self.group_by_region: + self.push_group(self.inventory, region, instance.placement) + self.push_group(self.inventory, 'zones', instance.placement) + + # 
Inventory: Group by Amazon Machine Image (AMI) ID + if self.group_by_ami_id: + ami_id = self.to_safe(instance.image_id) + self.push(self.inventory, ami_id, hostname) + if self.nested_groups: + self.push_group(self.inventory, 'images', ami_id) + + # Inventory: Group by instance type + if self.group_by_instance_type: + type_name = self.to_safe('type_' + instance.instance_type) + self.push(self.inventory, type_name, hostname) + if self.nested_groups: + self.push_group(self.inventory, 'types', type_name) + + # Inventory: Group by instance state + if self.group_by_instance_state: + state_name = self.to_safe('instance_state_' + instance.state) + self.push(self.inventory, state_name, hostname) + if self.nested_groups: + self.push_group(self.inventory, 'instance_states', state_name) + + # Inventory: Group by platform + if self.group_by_platform: + if instance.platform: + platform = self.to_safe('platform_' + instance.platform) + else: + platform = self.to_safe('platform_undefined') + self.push(self.inventory, platform, hostname) + if self.nested_groups: + self.push_group(self.inventory, 'platforms', platform) + + # Inventory: Group by key pair + if self.group_by_key_pair and instance.key_name: + key_name = self.to_safe('key_' + instance.key_name) + self.push(self.inventory, key_name, hostname) + if self.nested_groups: + self.push_group(self.inventory, 'keys', key_name) + + # Inventory: Group by VPC + if self.group_by_vpc_id and instance.vpc_id: + vpc_id_name = self.to_safe('vpc_id_' + instance.vpc_id) + self.push(self.inventory, vpc_id_name, hostname) + if self.nested_groups: + self.push_group(self.inventory, 'vpcs', vpc_id_name) + + # Inventory: Group by security group + if self.group_by_security_group: + try: + for group in instance.groups: + key = self.to_safe("security_group_" + group.name) + self.push(self.inventory, key, hostname) + if self.nested_groups: + self.push_group(self.inventory, 'security_groups', key) + except AttributeError: + 
self.fail_with_error('\n'.join(['Package boto seems a bit older.', + 'Please upgrade boto >= 2.3.0.'])) + + # Inventory: Group by AWS account ID + if self.group_by_aws_account: + self.push(self.inventory, self.aws_account_id, hostname) + if self.nested_groups: + self.push_group(self.inventory, 'accounts', self.aws_account_id) + + # Inventory: Group by tag keys + if self.group_by_tag_keys: + for k, v in instance.tags.items(): + if self.expand_csv_tags and v and ',' in v: + values = map(lambda x: x.strip(), v.split(',')) + else: + values = [v] + + for v in values: + if v: + key = self.to_safe("tag_" + k + "=" + v) + else: + key = self.to_safe("tag_" + k) + self.push(self.inventory, key, hostname) + if self.nested_groups: + self.push_group(self.inventory, 'tags', self.to_safe("tag_" + k)) + if v: + self.push_group(self.inventory, self.to_safe("tag_" + k), key) + + # Inventory: Group by Route53 domain names if enabled + if self.route53_enabled and self.group_by_route53_names: + route53_names = self.get_instance_route53_names(instance) + for name in route53_names: + self.push(self.inventory, name, hostname) + if self.nested_groups: + self.push_group(self.inventory, 'route53', name) + + # Global Tag: instances without tags + if self.group_by_tag_none and len(instance.tags) == 0: + self.push(self.inventory, 'tag_none', hostname) + if self.nested_groups: + self.push_group(self.inventory, 'tags', 'tag_none') + + # Global Tag: tag all EC2 instances + self.push(self.inventory, 'ec2', hostname) + + self.inventory["_meta"]["hostvars"][hostname] = self.get_host_info_dict_from_instance(instance) + self.inventory["_meta"]["hostvars"][hostname]['ansible_host'] = dest + + def add_rds_instance(self, instance, region): + ''' Adds an RDS instance to the inventory and index, as long as it is + addressable ''' + + # Only want available instances unless all_rds_instances is True + if not self.all_rds_instances and instance.status != 'available': + return + + # Select the best destination 
address + dest = instance.endpoint[0] + + if not dest: + # Skip instances we cannot address (e.g. private VPC subnet) + return + + # Set the inventory name + hostname = None + if self.hostname_variable: + if self.hostname_variable.startswith('tag_'): + hostname = instance.tags.get(self.hostname_variable[4:], None) + else: + hostname = getattr(instance, self.hostname_variable) + + # If we can't get a nice hostname, use the destination address + if not hostname: + hostname = dest + + hostname = self.to_safe(hostname).lower() + + # Add to index + self.index[hostname] = [region, instance.id] + + # Inventory: Group by instance ID (always a group of 1) + if self.group_by_instance_id: + self.inventory[instance.id] = [hostname] + if self.nested_groups: + self.push_group(self.inventory, 'instances', instance.id) + + # Inventory: Group by region + if self.group_by_region: + self.push(self.inventory, region, hostname) + if self.nested_groups: + self.push_group(self.inventory, 'regions', region) + + # Inventory: Group by availability zone + if self.group_by_availability_zone: + self.push(self.inventory, instance.availability_zone, hostname) + if self.nested_groups: + if self.group_by_region: + self.push_group(self.inventory, region, instance.availability_zone) + self.push_group(self.inventory, 'zones', instance.availability_zone) + + # Inventory: Group by instance type + if self.group_by_instance_type: + type_name = self.to_safe('type_' + instance.instance_class) + self.push(self.inventory, type_name, hostname) + if self.nested_groups: + self.push_group(self.inventory, 'types', type_name) + + # Inventory: Group by VPC + if self.group_by_vpc_id and instance.subnet_group and instance.subnet_group.vpc_id: + vpc_id_name = self.to_safe('vpc_id_' + instance.subnet_group.vpc_id) + self.push(self.inventory, vpc_id_name, hostname) + if self.nested_groups: + self.push_group(self.inventory, 'vpcs', vpc_id_name) + + # Inventory: Group by security group + if self.group_by_security_group: + 
try: + if instance.security_group: + key = self.to_safe("security_group_" + instance.security_group.name) + self.push(self.inventory, key, hostname) + if self.nested_groups: + self.push_group(self.inventory, 'security_groups', key) + + except AttributeError: + self.fail_with_error('\n'.join(['Package boto seems a bit older.', + 'Please upgrade boto >= 2.3.0.'])) + # Inventory: Group by tag keys + if self.group_by_tag_keys: + for k, v in instance.tags.items(): + if self.expand_csv_tags and v and ',' in v: + values = map(lambda x: x.strip(), v.split(',')) + else: + values = [v] + + for v in values: + if v: + key = self.to_safe("tag_" + k + "=" + v) + else: + key = self.to_safe("tag_" + k) + self.push(self.inventory, key, hostname) + if self.nested_groups: + self.push_group(self.inventory, 'tags', self.to_safe("tag_" + k)) + if v: + self.push_group(self.inventory, self.to_safe("tag_" + k), key) + + # Inventory: Group by engine + if self.group_by_rds_engine: + self.push(self.inventory, self.to_safe("rds_" + instance.engine), hostname) + if self.nested_groups: + self.push_group(self.inventory, 'rds_engines', self.to_safe("rds_" + instance.engine)) + + # Inventory: Group by parameter group + if self.group_by_rds_parameter_group: + self.push(self.inventory, self.to_safe("rds_parameter_group_" + instance.parameter_group.name), hostname) + if self.nested_groups: + self.push_group(self.inventory, 'rds_parameter_groups', self.to_safe("rds_parameter_group_" + instance.parameter_group.name)) + + # Global Tag: instances without tags + if self.group_by_tag_none and len(instance.tags) == 0: + self.push(self.inventory, 'tag_none', hostname) + if self.nested_groups: + self.push_group(self.inventory, 'tags', 'tag_none') + + # Global Tag: all RDS instances + self.push(self.inventory, 'rds', hostname) + + self.inventory["_meta"]["hostvars"][hostname] = self.get_host_info_dict_from_instance(instance) + self.inventory["_meta"]["hostvars"][hostname]['ansible_host'] = dest + + def 
add_elasticache_cluster(self, cluster, region): + ''' Adds an ElastiCache cluster to the inventory and index, as long as + it's nodes are addressable ''' + + # Only want available clusters unless all_elasticache_clusters is True + if not self.all_elasticache_clusters and cluster['CacheClusterStatus'] != 'available': + return + + # Select the best destination address + if 'ConfigurationEndpoint' in cluster and cluster['ConfigurationEndpoint']: + # Memcached cluster + dest = cluster['ConfigurationEndpoint']['Address'] + is_redis = False + else: + # Redis sigle node cluster + # Because all Redis clusters are single nodes, we'll merge the + # info from the cluster with info about the node + dest = cluster['CacheNodes'][0]['Endpoint']['Address'] + is_redis = True + + if not dest: + # Skip clusters we cannot address (e.g. private VPC subnet) + return + + # Add to index + self.index[dest] = [region, cluster['CacheClusterId']] + + # Inventory: Group by instance ID (always a group of 1) + if self.group_by_instance_id: + self.inventory[cluster['CacheClusterId']] = [dest] + if self.nested_groups: + self.push_group(self.inventory, 'instances', cluster['CacheClusterId']) + + # Inventory: Group by region + if self.group_by_region and not is_redis: + self.push(self.inventory, region, dest) + if self.nested_groups: + self.push_group(self.inventory, 'regions', region) + + # Inventory: Group by availability zone + if self.group_by_availability_zone and not is_redis: + self.push(self.inventory, cluster['PreferredAvailabilityZone'], dest) + if self.nested_groups: + if self.group_by_region: + self.push_group(self.inventory, region, cluster['PreferredAvailabilityZone']) + self.push_group(self.inventory, 'zones', cluster['PreferredAvailabilityZone']) + + # Inventory: Group by node type + if self.group_by_instance_type and not is_redis: + type_name = self.to_safe('type_' + cluster['CacheNodeType']) + self.push(self.inventory, type_name, dest) + if self.nested_groups: + 
self.push_group(self.inventory, 'types', type_name) + + # Inventory: Group by VPC (information not available in the current + # AWS API version for ElastiCache) + + # Inventory: Group by security group + if self.group_by_security_group and not is_redis: + + # Check for the existence of the 'SecurityGroups' key and also if + # this key has some value. When the cluster is not placed in a SG + # the query can return None here and cause an error. + if 'SecurityGroups' in cluster and cluster['SecurityGroups'] is not None: + for security_group in cluster['SecurityGroups']: + key = self.to_safe("security_group_" + security_group['SecurityGroupId']) + self.push(self.inventory, key, dest) + if self.nested_groups: + self.push_group(self.inventory, 'security_groups', key) + + # Inventory: Group by engine + if self.group_by_elasticache_engine and not is_redis: + self.push(self.inventory, self.to_safe("elasticache_" + cluster['Engine']), dest) + if self.nested_groups: + self.push_group(self.inventory, 'elasticache_engines', self.to_safe(cluster['Engine'])) + + # Inventory: Group by parameter group + if self.group_by_elasticache_parameter_group: + self.push(self.inventory, self.to_safe("elasticache_parameter_group_" + cluster['CacheParameterGroup']['CacheParameterGroupName']), dest) + if self.nested_groups: + self.push_group(self.inventory, 'elasticache_parameter_groups', self.to_safe(cluster['CacheParameterGroup']['CacheParameterGroupName'])) + + # Inventory: Group by replication group + if self.group_by_elasticache_replication_group and 'ReplicationGroupId' in cluster and cluster['ReplicationGroupId']: + self.push(self.inventory, self.to_safe("elasticache_replication_group_" + cluster['ReplicationGroupId']), dest) + if self.nested_groups: + self.push_group(self.inventory, 'elasticache_replication_groups', self.to_safe(cluster['ReplicationGroupId'])) + + # Global Tag: all ElastiCache clusters + self.push(self.inventory, 'elasticache_clusters', cluster['CacheClusterId']) + + 
host_info = self.get_host_info_dict_from_describe_dict(cluster) + + self.inventory["_meta"]["hostvars"][dest] = host_info + + # Add the nodes + for node in cluster['CacheNodes']: + self.add_elasticache_node(node, cluster, region) + + def add_elasticache_node(self, node, cluster, region): + ''' Adds an ElastiCache node to the inventory and index, as long as + it is addressable ''' + + # Only want available nodes unless all_elasticache_nodes is True + if not self.all_elasticache_nodes and node['CacheNodeStatus'] != 'available': + return + + # Select the best destination address + dest = node['Endpoint']['Address'] + + if not dest: + # Skip nodes we cannot address (e.g. private VPC subnet) + return + + node_id = self.to_safe(cluster['CacheClusterId'] + '_' + node['CacheNodeId']) + + # Add to index + self.index[dest] = [region, node_id] + + # Inventory: Group by node ID (always a group of 1) + if self.group_by_instance_id: + self.inventory[node_id] = [dest] + if self.nested_groups: + self.push_group(self.inventory, 'instances', node_id) + + # Inventory: Group by region + if self.group_by_region: + self.push(self.inventory, region, dest) + if self.nested_groups: + self.push_group(self.inventory, 'regions', region) + + # Inventory: Group by availability zone + if self.group_by_availability_zone: + self.push(self.inventory, cluster['PreferredAvailabilityZone'], dest) + if self.nested_groups: + if self.group_by_region: + self.push_group(self.inventory, region, cluster['PreferredAvailabilityZone']) + self.push_group(self.inventory, 'zones', cluster['PreferredAvailabilityZone']) + + # Inventory: Group by node type + if self.group_by_instance_type: + type_name = self.to_safe('type_' + cluster['CacheNodeType']) + self.push(self.inventory, type_name, dest) + if self.nested_groups: + self.push_group(self.inventory, 'types', type_name) + + # Inventory: Group by VPC (information not available in the current + # AWS API version for ElastiCache) + + # Inventory: Group by security 
group + if self.group_by_security_group: + + # Check for the existence of the 'SecurityGroups' key and also if + # this key has some value. When the cluster is not placed in a SG + # the query can return None here and cause an error. + if 'SecurityGroups' in cluster and cluster['SecurityGroups'] is not None: + for security_group in cluster['SecurityGroups']: + key = self.to_safe("security_group_" + security_group['SecurityGroupId']) + self.push(self.inventory, key, dest) + if self.nested_groups: + self.push_group(self.inventory, 'security_groups', key) + + # Inventory: Group by engine + if self.group_by_elasticache_engine: + self.push(self.inventory, self.to_safe("elasticache_" + cluster['Engine']), dest) + if self.nested_groups: + self.push_group(self.inventory, 'elasticache_engines', self.to_safe("elasticache_" + cluster['Engine'])) + + # Inventory: Group by parameter group (done at cluster level) + + # Inventory: Group by replication group (done at cluster level) + + # Inventory: Group by ElastiCache Cluster + if self.group_by_elasticache_cluster: + self.push(self.inventory, self.to_safe("elasticache_cluster_" + cluster['CacheClusterId']), dest) + + # Global Tag: all ElastiCache nodes + self.push(self.inventory, 'elasticache_nodes', dest) + + host_info = self.get_host_info_dict_from_describe_dict(node) + + if dest in self.inventory["_meta"]["hostvars"]: + self.inventory["_meta"]["hostvars"][dest].update(host_info) + else: + self.inventory["_meta"]["hostvars"][dest] = host_info + + def add_elasticache_replication_group(self, replication_group, region): + ''' Adds an ElastiCache replication group to the inventory and index ''' + + # Only want available clusters unless all_elasticache_replication_groups is True + if not self.all_elasticache_replication_groups and replication_group['Status'] != 'available': + return + + # Skip clusters we cannot address (e.g. 
private VPC subnet or clustered redis) + if replication_group['NodeGroups'][0]['PrimaryEndpoint'] is None or \ + replication_group['NodeGroups'][0]['PrimaryEndpoint']['Address'] is None: + return + + # Select the best destination address (PrimaryEndpoint) + dest = replication_group['NodeGroups'][0]['PrimaryEndpoint']['Address'] + + # Add to index + self.index[dest] = [region, replication_group['ReplicationGroupId']] + + # Inventory: Group by ID (always a group of 1) + if self.group_by_instance_id: + self.inventory[replication_group['ReplicationGroupId']] = [dest] + if self.nested_groups: + self.push_group(self.inventory, 'instances', replication_group['ReplicationGroupId']) + + # Inventory: Group by region + if self.group_by_region: + self.push(self.inventory, region, dest) + if self.nested_groups: + self.push_group(self.inventory, 'regions', region) + + # Inventory: Group by availability zone (doesn't apply to replication groups) + + # Inventory: Group by node type (doesn't apply to replication groups) + + # Inventory: Group by VPC (information not available in the current + # AWS API version for replication groups + + # Inventory: Group by security group (doesn't apply to replication groups) + # Check this value in cluster level + + # Inventory: Group by engine (replication groups are always Redis) + if self.group_by_elasticache_engine: + self.push(self.inventory, 'elasticache_redis', dest) + if self.nested_groups: + self.push_group(self.inventory, 'elasticache_engines', 'redis') + + # Global Tag: all ElastiCache clusters + self.push(self.inventory, 'elasticache_replication_groups', replication_group['ReplicationGroupId']) + + host_info = self.get_host_info_dict_from_describe_dict(replication_group) + + self.inventory["_meta"]["hostvars"][dest] = host_info + + def get_route53_records(self): + ''' Get and store the map of resource records to domain names that + point to them. 
''' + + if self.boto_profile: + r53_conn = route53.Route53Connection(profile_name=self.boto_profile) + else: + r53_conn = route53.Route53Connection() + all_zones = r53_conn.get_zones() + + route53_zones = [zone for zone in all_zones if zone.name[:-1] not in self.route53_excluded_zones] + + self.route53_records = {} + + for zone in route53_zones: + rrsets = r53_conn.get_all_rrsets(zone.id) + + for record_set in rrsets: + record_name = record_set.name + + if record_name.endswith('.'): + record_name = record_name[:-1] + + for resource in record_set.resource_records: + self.route53_records.setdefault(resource, set()) + self.route53_records[resource].add(record_name) + + def get_instance_route53_names(self, instance): + ''' Check if an instance is referenced in the records we have from + Route53. If it is, return the list of domain names pointing to said + instance. If nothing points to it, return an empty list. ''' + + instance_attributes = ['public_dns_name', 'private_dns_name', + 'ip_address', 'private_ip_address'] + + name_list = set() + + for attrib in instance_attributes: + try: + value = getattr(instance, attrib) + except AttributeError: + continue + + if value in self.route53_records: + name_list.update(self.route53_records[value]) + + return list(name_list) + + def get_host_info_dict_from_instance(self, instance): + instance_vars = {} + for key in vars(instance): + value = getattr(instance, key) + key = self.to_safe('ec2_' + key) + + # Handle complex types + # state/previous_state changed to properties in boto in https://github.com/boto/boto/commit/a23c379837f698212252720d2af8dec0325c9518 + if key == 'ec2__state': + instance_vars['ec2_state'] = instance.state or '' + instance_vars['ec2_state_code'] = instance.state_code + elif key == 'ec2__previous_state': + instance_vars['ec2_previous_state'] = instance.previous_state or '' + instance_vars['ec2_previous_state_code'] = instance.previous_state_code + elif isinstance(value, (int, bool)): + instance_vars[key] = 
value + elif isinstance(value, six.string_types): + instance_vars[key] = value.strip() + elif value is None: + instance_vars[key] = '' + elif key == 'ec2_region': + instance_vars[key] = value.name + elif key == 'ec2__placement': + instance_vars['ec2_placement'] = value.zone + elif key == 'ec2_tags': + for k, v in value.items(): + if self.expand_csv_tags and ',' in v: + v = list(map(lambda x: x.strip(), v.split(','))) + key = self.to_safe('ec2_tag_' + k) + instance_vars[key] = v + elif key == 'ec2_groups': + group_ids = [] + group_names = [] + for group in value: + group_ids.append(group.id) + group_names.append(group.name) + instance_vars["ec2_security_group_ids"] = ','.join([str(i) for i in group_ids]) + instance_vars["ec2_security_group_names"] = ','.join([str(i) for i in group_names]) + elif key == 'ec2_block_device_mapping': + instance_vars["ec2_block_devices"] = {} + for k, v in value.items(): + instance_vars["ec2_block_devices"][os.path.basename(k)] = v.volume_id + else: + pass + # TODO Product codes if someone finds them useful + # print key + # print type(value) + # print value + + instance_vars[self.to_safe('ec2_account_id')] = self.aws_account_id + + return instance_vars + + def get_host_info_dict_from_describe_dict(self, describe_dict): + ''' Parses the dictionary returned by the API call into a flat list + of parameters. This method should be used only when 'describe' is + used directly because Boto doesn't provide specific classes. ''' + + # I really don't agree with prefixing everything with 'ec2' + # because EC2, RDS and ElastiCache are different services. + # I'm just following the pattern used until now to not break any + # compatibility. 
+ + host_info = {} + for key in describe_dict: + value = describe_dict[key] + key = self.to_safe('ec2_' + self.uncammelize(key)) + + # Handle complex types + + # Target: Memcached Cache Clusters + if key == 'ec2_configuration_endpoint' and value: + host_info['ec2_configuration_endpoint_address'] = value['Address'] + host_info['ec2_configuration_endpoint_port'] = value['Port'] + + # Target: Cache Nodes and Redis Cache Clusters (single node) + if key == 'ec2_endpoint' and value: + host_info['ec2_endpoint_address'] = value['Address'] + host_info['ec2_endpoint_port'] = value['Port'] + + # Target: Redis Replication Groups + if key == 'ec2_node_groups' and value: + host_info['ec2_endpoint_address'] = value[0]['PrimaryEndpoint']['Address'] + host_info['ec2_endpoint_port'] = value[0]['PrimaryEndpoint']['Port'] + replica_count = 0 + for node in value[0]['NodeGroupMembers']: + if node['CurrentRole'] == 'primary': + host_info['ec2_primary_cluster_address'] = node['ReadEndpoint']['Address'] + host_info['ec2_primary_cluster_port'] = node['ReadEndpoint']['Port'] + host_info['ec2_primary_cluster_id'] = node['CacheClusterId'] + elif node['CurrentRole'] == 'replica': + host_info['ec2_replica_cluster_address_' + str(replica_count)] = node['ReadEndpoint']['Address'] + host_info['ec2_replica_cluster_port_' + str(replica_count)] = node['ReadEndpoint']['Port'] + host_info['ec2_replica_cluster_id_' + str(replica_count)] = node['CacheClusterId'] + replica_count += 1 + + # Target: Redis Replication Groups + if key == 'ec2_member_clusters' and value: + host_info['ec2_member_clusters'] = ','.join([str(i) for i in value]) + + # Target: All Cache Clusters + elif key == 'ec2_cache_parameter_group': + host_info["ec2_cache_node_ids_to_reboot"] = ','.join([str(i) for i in value['CacheNodeIdsToReboot']]) + host_info['ec2_cache_parameter_group_name'] = value['CacheParameterGroupName'] + host_info['ec2_cache_parameter_apply_status'] = value['ParameterApplyStatus'] + + # Target: Almost everything + 
elif key == 'ec2_security_groups': + + # Skip if SecurityGroups is None + # (it is possible to have the key defined but no value in it). + if value is not None: + sg_ids = [] + for sg in value: + sg_ids.append(sg['SecurityGroupId']) + host_info["ec2_security_group_ids"] = ','.join([str(i) for i in sg_ids]) + + # Target: Everything + # Preserve booleans and integers + elif isinstance(value, (int, bool)): + host_info[key] = value + + # Target: Everything + # Sanitize string values + elif isinstance(value, six.string_types): + host_info[key] = value.strip() + + # Target: Everything + # Replace None by an empty string + elif value is None: + host_info[key] = '' + + else: + # Remove non-processed complex types + pass + + return host_info + + def get_host_info(self): + ''' Get variables about a specific host ''' + + if len(self.index) == 0: + # Need to load index from cache + self.load_index_from_cache() + + if self.args.host not in self.index: + # try updating the cache + self.do_api_calls_update_cache() + if self.args.host not in self.index: + # host might not exist anymore + return self.json_format_dict({}, True) + + (region, instance_id) = self.index[self.args.host] + + instance = self.get_instance(region, instance_id) + return self.json_format_dict(self.get_host_info_dict_from_instance(instance), True) + + def push(self, my_dict, key, element): + ''' Push an element onto an array that may not have been defined in + the dict ''' + group_info = my_dict.setdefault(key, []) + if isinstance(group_info, dict): + host_list = group_info.setdefault('hosts', []) + host_list.append(element) + else: + group_info.append(element) + + def push_group(self, my_dict, key, element): + ''' Push a group as a child of another group. 
'''
+ parent_group = my_dict.setdefault(key, {})
+ if not isinstance(parent_group, dict):
+ parent_group = my_dict[key] = {'hosts': parent_group}
+ child_groups = parent_group.setdefault('children', [])
+ if element not in child_groups:
+ child_groups.append(element)
+
+ def get_inventory_from_cache(self):
+ ''' Reads the inventory from the cache file and returns it as a JSON
+ object '''
+
+ with open(self.cache_path_cache, 'r') as f:
+ json_inventory = f.read()
+ return json_inventory
+
+ def load_index_from_cache(self):
+ ''' Reads the index from the cache file sets self.index '''
+
+ with open(self.cache_path_index, 'rb') as f:
+ self.index = json.load(f)
+
+ def write_to_cache(self, data, filename):
+ ''' Writes data in JSON format to a file '''
+
+ json_data = self.json_format_dict(data, True)
+ with open(filename, 'w') as f:
+ f.write(json_data)
+
+ def uncammelize(self, key):
+ temp = re.sub('(.)([A-Z][a-z]+)', r'\1_\2', key)
+ return re.sub('([a-z0-9])([A-Z])', r'\1_\2', temp).lower()
+
+ def to_safe(self, word):
+ ''' Converts 'bad' characters in a string to underscores so they can be used as Ansible groups '''
+ regex = r"[^A-Za-z0-9\_"
+ if not self.replace_dash_in_groups:
+ regex += r"\-"
+ return re.sub(regex + "]", "_", word)
+
+ def json_format_dict(self, data, pretty=False):
+ ''' Converts a dict to a JSON object and dumps it as a formatted
+ string '''
+
+ if pretty:
+ return json.dumps(data, sort_keys=True, indent=2)
+ else:
+ return json.dumps(data)
+
+
+if __name__ == '__main__':
+ # Run the script
+ Ec2Inventory()
diff --git a/tests/playbooks/pas-infrastructure/outputs/hosts.yml b/tests/playbooks/pas-infrastructure/outputs/hosts.yml
new file mode 100644
index 0000000..e69de29
diff --git a/tests/playbooks/roles/cf_deploy/.gitignore b/tests/playbooks/roles/cf_deploy/.gitignore
new file mode 100644
index 0000000..f56f5b5
--- /dev/null
+++ b/tests/playbooks/roles/cf_deploy/.gitignore
@@ -0,0 +1,3 @@
+*.retry
+*/__pycache__
+*.pyc
diff --git a/tests/playbooks/roles/cf_deploy/README.md b/tests/playbooks/roles/cf_deploy/README.md
new file mode 100644
index 0000000..31b4978
--- /dev/null
+++ b/tests/playbooks/roles/cf_deploy/README.md
@@ -0,0 +1,61 @@
+
+cf_deploy
+=========
+This role deploys cloudformation to aws
+
+Role Tasks
+--------------
+- **main** - Deploys the cloudformation
+
+Role Variables
+--------------
+
+### General variables
+
+- **deploy_bucket** - The S3 bucket used to upload the cloudformation before deploying
+- **cf_template_url** - The URL to fetch the cloudformation before uploading it to the deployment bucket
+- **cf_template_parameters** - The parameters passed to the cloudformation
+- **aws_region** - The AWS Region that the cloudformation is going to be deployed to
+
+Outputs
+------------
+- **cf_output** - The JSON output with all the cloudformation stack resources
+
+Dependencies
+------------
+
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+ - hosts: localhost
+ connection: local
+ gather_facts: no
+ tasks:
+ - include_role:
+ name: cf_deploy
+ vars:
+ - bucket: mybucket
+ - cf_template_url: https://raw.githubusercontent.com/organization/repository/cloudformation.template
+ - cf_template_parameters:
+ Parameter1: Value1
+ Parameter2: Value2
+ - aws_region: us-east-1
+
+Todo
+-------
+
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+Avishay Bar,
+Cloud Initiatives team,
+CyberArk 2018
diff --git a/tests/playbooks/roles/cf_deploy/defaults/main.yml b/tests/playbooks/roles/cf_deploy/defaults/main.yml
new file mode 100644
index 0000000..681ff0a
--- /dev/null
+++ b/tests/playbooks/roles/cf_deploy/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+# defaults file for cf_deploy
diff --git a/tests/playbooks/roles/cf_deploy/handlers/main.yml b/tests/playbooks/roles/cf_deploy/handlers/main.yml
new file mode 100644
index 0000000..05731fc
--- /dev/null
+++ b/tests/playbooks/roles/cf_deploy/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for cf_deploy
diff --git a/tests/playbooks/roles/cf_deploy/meta/.galaxy_install_info b/tests/playbooks/roles/cf_deploy/meta/.galaxy_install_info
new file mode 100644
index 0000000..5dba0e3
--- /dev/null
+++ b/tests/playbooks/roles/cf_deploy/meta/.galaxy_install_info
@@ -0,0 +1 @@
+{install_date: 'Sun Dec 30 11:01:47 2018', version: master}
diff --git a/tests/playbooks/roles/cf_deploy/meta/main.yml b/tests/playbooks/roles/cf_deploy/meta/main.yml
new file mode 100644
index 0000000..19c62fd
--- /dev/null
+++ b/tests/playbooks/roles/cf_deploy/meta/main.yml
@@ -0,0 +1,60 @@
+galaxy_info:
+ author: your name
+ description: your description
+ company: your company (optional)
+
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+
+ # Some suggested licenses:
+ # - BSD (default)
+ # - MIT
+ # - GPLv2
+ # - GPLv3
+ # - Apache
+ # - CC-BY
+ license: license (GPLv2, CC-BY, etc)
+
+ min_ansible_version: 2.4
+
+ # If this a Container Enabled role, provide the minimum Ansible Container version.
+ # min_ansible_container_version:
+
+ # Optionally specify the branch Galaxy will use when accessing the GitHub
+ # repo for this role. During role install, if no tags are available,
+ # Galaxy will use this branch. During import Galaxy will access files on
+ # this branch. If Travis integration is configured, only notifications for this
+ # branch will be accepted. Otherwise, in all cases, the repo's default branch
+ # (usually master) will be used.
+ #github_branch:
+
+ #
+ # Provide a list of supported platforms, and for each platform a list of versions.
+ # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+ # To view available platforms and versions (or releases), visit:
+ # https://galaxy.ansible.com/api/v1/platforms/
+ #
+ # platforms:
+ # - name: Fedora
+ # versions:
+ # - all
+ # - 25
+ # - name: SomePlatform
+ # versions:
+ # - all
+ # - 1.0
+ # - 7
+ # - 99.99
+
+ galaxy_tags: []
+ # List tags for your role here, one per line. A tag is a keyword that describes
+ # and categorizes the role. Users find roles by searching for tags. Be sure to
+ # remove the '[]' above, if you add tags to this list.
+ #
+ # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+ # Maximum 20 tags per role.
+
+dependencies: []
+ # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+ # if you add dependencies to this list.
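Review bot: `author: your name`, `description: your description`, `company: your company (optional)` and `license: license (GPLv2, CC-BY, etc)` look like untouched role-scaffold placeholders, while the role's README in this commit states the license as BSD and names the author; fill these in so the metadata agrees with the README and the role does not publish bogus values. `min_ansible_version: 2.4` is an unquoted float, so a future value such as 2.10 would silently lose its trailing zero; `min_ansible_version: "2.4"` is the safer spelling.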
diff --git a/tests/playbooks/roles/cf_deploy/tasks/main.yml b/tests/playbooks/roles/cf_deploy/tasks/main.yml
new file mode 100644
index 0000000..05234ad
--- /dev/null
+++ b/tests/playbooks/roles/cf_deploy/tasks/main.yml
@@ -0,0 +1,54 @@
+---
+# tasks file for cf_deploy
+
+- name: Get Timestamp and Store it in a variable
+ set_fact: "timestamp={{ lookup('pipe','date +%Y-%m-%d-%H-%M-%S') }}"
+
+- name: Set String for CloudFormation Stack ID
+ set_fact:
+ cloudformation_stack_id: "ansible-cloudformation-{{ lookup('pipe','date +%Y-%m-%d-%H-%M-%S') }}"
+
+- name: Create workspace directory on temp folder
+ file:
+ path: "/tmp/tmp-{{ timestamp }}"
+ state: directory
+ register: workspace
+
+- set_fact:
+ tmp_path: "{{ workspace.path }}"
+
+- name: Get CloudFormation Template from Git
+ get_url:
+ url: "{{ cf_template_url }}"
+ dest: "{{ tmp_path }}/cf.json"
+
+- name: Manipulate CloudFormation
+ shell: "{{ manipulation_commands }}"
+ when: manipulation_commands != ""
+
+- name: Out file when manipulate cloudFormation is empty
+ shell: "cat {{ tmp_path }}/cf.json > {{ tmp_path }}/cf-out.json"
+ when: manipulation_commands == ""
+
+- name: Upload CloudFormation Template to S3
+ aws_s3:
+ bucket: "{{ deploy_bucket }}"
+ object: "{{ tmp_path }}/cf.json"
+ src: "{{ tmp_path }}/cf-out.json"
+ mode: put
+
+- name: Create CloudFormation Stack
+ cloudformation:
+ stack_name: "{{ cloudformation_stack_id }}"
+ state: "present"
+ region: "{{ aws_region }}"
+ disable_rollback: true
+ template_url: "https://s3.amazonaws.com/{{ deploy_bucket }}{{ tmp_path }}/cf.json"
+ template_parameters: "{{ cf_template_parameters }}"
+ tags:
+ Stack: "ansible-cloudformation"
+ register: cf
+
+- name: Register Output to ansible fact
+ set_fact:
+ cf_output: "{{ cf.stack_resources }}"
diff --git a/tests/playbooks/roles/cf_deploy/vars/main.yml b/tests/playbooks/roles/cf_deploy/vars/main.yml
new file mode 100644
index 0000000..4145957
--- /dev/null
+++ b/tests/playbooks/roles/cf_deploy/vars/main.yml
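Review bot: The "Set String for CloudFormation Stack ID" task runs `date` a second time instead of reusing the `timestamp` fact set one task earlier, so across a second boundary the stack name and the `/tmp/tmp-{{ timestamp }}` workspace stop agreeing; `cloudformation_stack_id: "ansible-cloudformation-{{ timestamp }}"` fixes that. `shell: "{{ manipulation_commands }}"` executes whatever string the caller supplies, verbatim and without a working directory, and its contract (it must leave `{{ tmp_path }}/cf-out.json` behind for the upload task) is written nowhere — the README added in this commit does not list the variable at all and calls the bucket `bucket` rather than `deploy_bucket`; add `args:` with `chdir: "{{ tmp_path }}"` and a task comment stating that contract. Its empty-string default lives in `vars/main.yml`, which outranks inventory and play vars, so callers can only override it through `include_role` vars or extra-vars; `defaults/main.yml` (empty in this commit) is where a user-overridable default belongs. `get_url` fetches the template with no `checksum:` and `disable_rollback: true` leaves a failed stack and its resources standing, both of which deserve at least a comment saying they are deliberate for a test role; whether the leading `/` in the S3 object key `{{ tmp_path }}/cf.json` produces the key that the `template_url` built from it expects should be verified against the `aws_s3` module rather than assumed.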
@@ -0,0 +1,4 @@
+---
+# vars file for cf_deploy
+
+manipulation_commands: ""
diff --git a/tests/requirements.txt b/tests/requirements.txt
index 1d56083..fb813a8 100644
--- a/tests/requirements.txt
+++ b/tests/requirements.txt
@@ -1,2 +1,21 @@
-ansible-lint==3.4.23
-yamllint==1.11.1
\ No newline at end of file
+awscli==1.16.269
+botocore==1.13.5
+colorama==0.4.1
+docopt==0.6.2
+docutils==0.15.2
+futures==3.3.0
+jmespath==0.9.4
+jq==0.1.6
+json2yaml==1.1.1
+pathspec==0.6.0
+pyaml==19.4.1
+pyasn1==0.4.7
+python-dateutil==2.8.0
+PyYAML==5.1.2
+rsa==3.4.2
+s3transfer==0.2.1
+six==1.12.0
+urllib3==1.25.6
+xmltodict==0.12.0
+yamllint==1.18.0
+yq==2.8.1
\ No newline at end of file
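Review bot: `ansible-lint==3.4.23` is removed from tests/requirements.txt and nothing in the new pin list replaces it, so any lint stage that expects the tool will fail to find it; if dropping it is intentional the commit message should say so, otherwise re-add a pinned `ansible-lint==` line. The new file also still ends without a trailing newline (`\ No newline at end of file`), which the rewrite was an easy chance to fix.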