OPSEXP-2880 Add audit-storage role (#996)

.envrc

@@ -4,7 +4,7 @@ export AWS_REGION=eu-west-1
 export MOLECULE_IT_AWS_VPC_SUBNET_ID=subnet-6bdd4223
 export BRANCH_NAME=local
 export BUILD_NUMBER=1
-export DTAS_VERSION=v1.5.3
+export DTAS_VERSION=v1.6.0
 export MOLECULE_IT_ID=$(echo "$LOGNAME" | sha256sum | cut -c1-6)
 ANSIBLE_VAULT_PASSWORD_FILE=$(expand_path ./.vault_pass.txt)
 export ANSIBLE_VAULT_PASSWORD_FILE

.github/workflows/enteprise.yml

@@ -19,7 +19,7 @@ on:
   workflow_dispatch:
 
 env:
-  DTAS_VERSION: v1.5.5
+  DTAS_VERSION: v1.6.0
   BUILD_NUMBER: ${{ github.run_id }}
   PY_COLORS: 1
   PYTHONUNBUFFERED: 1
@@ -70,6 +70,7 @@ jobs:
           - name: sfs
           - name: sync
           - name: trouter
+          - name: audit_storage
     steps:
       - name: Share var with further reusable workflows
         id: jobvars
@@ -164,6 +165,12 @@ jobs:
       fail-fast: false
       matrix:
         molecule_scenario:
+          - name: default
+            vars: vars-ubuntu20-72.yml
+            desc: EC2 ACS 7.2 (Ubuntu 20.04)
+          - name: default
+            vars: vars-ubuntu20-73.yml
+            desc: EC2 ACS 7.3 (Ubuntu 20.04)
           - name: default
             vars: vars-rocky8.yml
             desc: EC2 ACS 7.4 (Rocky Linux 8.9)

7.2.N-extra-vars.yml

@@ -27,7 +27,7 @@ search_enterprise:
 search:
   artifact_name: alfresco-search-services
   repository: "{{ nexus_repository.releases }}"
-  version: 2.0.13
+  version: 2.0.12 # ACS-9048
 transform:
   artifact_name: alfresco-transform-core-aio
   repository: "{{ nexus_repository.releases }}"

7.3.N-extra-vars.yml

@@ -27,7 +27,7 @@ search_enterprise:
 search:
   artifact_name: alfresco-search-services
   repository: "{{ nexus_repository.releases }}"
-  version: 2.0.13
+  version: 2.0.12 # ACS-9048
 transform:
   artifact_name: alfresco-transform-core-aio
   repository: "{{ nexus_repository.releases }}"

README.md

@@ -194,8 +194,7 @@ Follow this quick checklist:
 
 * review currently open dependabot/renovate and merge them
 * copy the versions inside the group_vars/all.yml to a new XX.N-extra-vars.yml (in case of a new ACS major version)
-* run [updatecli workflow](https://github.com/Alfresco/alfresco-ansible-deployment/actions/workflows/updatecli.yml)
-* run [enterprise-extended](https://github.com/Alfresco/alfresco-ansible-deployment/actions/workflows/enterprise-extended.yml) and make sure it is green
+* bump versions constraints in scripts/updatecli/updatecli_acs*.yml (workflow will take care of the rest)
 * ensure that the [versions table in the main readme](docs/overview.md#versioning) has been updated
 * ensure that docker images and AMI id for the root molecule tests are
   reflecting any minor OS release (e.g. [default suite](../molecule/default/))

group_vars/all.yml

@@ -46,6 +46,10 @@ api_explorer:
   artifact_name: api-explorer
   repository: "{{ nexus_repository.releases }}"
   version: 23.4.0
+audit_storage:
+  artifact_name: alfresco-audit-storage-distribution
+  repository: "{{ nexus_repository.enterprise_releases }}"
+  version: 1.0.0
 search_enterprise:
   artifact_name: alfresco-elasticsearch-connector-distribution
   repository: "{{ nexus_repository.enterprise_releases }}"
@@ -122,6 +126,10 @@ downloads:
     {{ adw.repository }}/{{ adw.artifact_name }}/{{ adw.version }}/{{ adw.artifact_name }}-{{ adw.version }}.zip
   adw_zip_sha1_checksum_url: >-
     {{ adw.repository }}/{{ adw.artifact_name }}/{{ adw.version }}/{{ adw.artifact_name }}-{{ adw.version }}.zip.sha1
+  audit_storage_zip_url: >-
+    {{ audit_storage.repository }}/{{ audit_storage.artifact_name }}/{{ audit_storage.version }}/{{ audit_storage.artifact_name }}-{{ audit_storage.version }}.zip
+  audit_storage_zip_sha1_checksum_url: >-
+    {{ audit_storage.repository }}/{{ audit_storage.artifact_name }}/{{ audit_storage.version }}/{{ audit_storage.artifact_name }}-{{ audit_storage.version }}.zip.sha1
   search_enterprise_zip_url: >-
     {{ search_enterprise.repository }}/{{ search_enterprise.artifact_name }}/{{ search_enterprise.version }}/{{ search_enterprise.artifact_name }}-{{ search_enterprise.version }}.zip
   search_enterprise_zip_sha1_url: >-

inventory_ha.yml

@@ -67,6 +67,10 @@ all:
       hosts:
         sync.infra.local:
 
+    audit_storage:
+      hosts:
+        audit.infra.local:
+
     other_repo_clients:
       hosts:
 

inventory_local.yml

@@ -55,6 +55,10 @@ all:
       children:
         repository:
 
+    audit_storage:
+      children:
+        repository:
+
     other_repo_clients:
       hosts:
 

inventory_ssh.yml

@@ -72,6 +72,11 @@ all:
         syncservice_1:
           ansible_host: targetIP
 
+    audit_storage:
+      hosts:
+        audit_storage_1:
+          ansible_host: targetIP
+
     other_repo_clients:
       hosts:
 

molecule/docker_enterprise/molecule.yml

@@ -27,8 +27,11 @@ platforms:
       - acc
       - adw
       - nginx
+      - audit_storage
     published_ports:
       - 0.0.0.0:443:443/tcp
+      - 0.0.0.0:8083:8083/tcp
+      - 0.0.0.0:9200:9200/tcp
 
 provisioner:
   name: ansible
@@ -47,3 +50,5 @@ provisioner:
     verify: ../default/verify.yml
 verifier:
   name: ansible
+  env:
+    MOLECULE_IT_TEST_CONFIG: tests/test-config-aas.json

molecule/elasticsearch/molecule.yml

@@ -29,6 +29,7 @@ platforms:
       - sfs
       - syncservice
       - transformers
+      - audit_storage
       - trusted_resource_consumers
 provisioner:
   name: ansible
@@ -47,6 +48,6 @@ provisioner:
   playbooks:
     prepare: ../default/prepare.yml
     converge: ../../playbooks/acs.yml
-    verify: ../multimachine/verify.yml
+    verify: ../default/verify.yml
 verifier:
   name: ansible

playbooks/acs.yml

@@ -479,3 +479,44 @@
         mode: "0755"
   tags:
     - sync
+
+- name: Audit Storage Role
+  hosts: audit_storage
+  gather_facts: false
+  vars:
+    acs_version_requirement: "{{ acs.version is version('23.4', 'ge') }}"
+  pre_tasks:
+    - name: Assert that the required version is met
+      ansible.builtin.fail:
+        msg: "Audit Storage requires ACS 23.4 or later"
+      when: not acs_version_requirement
+  roles:
+    - role: "../roles/audit_storage"
+      when: acs.edition == "Enterprise" and acs_version_requirement
+      audit_storage_version: "{{ audit_storage.version }}"
+      audit_storage_zip_url: "{{ downloads.audit_storage_zip_url }}"
+      audit_storage_zip_sha1_url: "{{ downloads.audit_storage_zip_sha1_checksum_url }}"
+      audit_storage_username: "{{ username }}"
+      audit_storage_group_name: "{{ group_name }}"
+      audit_storage_broker_url: "failover:({{ activemq_transport }}://{{ activemq_host }}:{{ ports_cfg.activemq[activemq_protocol] }})"
+      audit_storage_broker_username: "{{ activemq_username }}"
+      audit_storage_broker_password: "{{ activemq_password }}"
+      audit_storage_opensearch_url: "{{ elasticsearch_protocol }}://{{ elasticsearch_host }}:{{ ports_cfg.elasticsearch.http }}"
+      audit_storage_opensearch_username: "{{ elasticsearch_username }}"
+      audit_storage_opensearch_password: "{{ elasticsearch_password }}"
+  post_tasks:
+    - name: Update installation status file with Audit Storage
+      when: acs.edition == "Enterprise" and acs_version_requirement
+      become: true
+      vars:
+        audit_storage_components:
+          audit_storage: "{{ audit_storage }}"
+      ansible.builtin.blockinfile:
+        block: "{{ audit_storage_components | to_nice_yaml(indent=2) }}"
+        create: true
+        path: "{{ ansible_installation_status_file }}"
+        marker_begin: AUDIT_STORAGE_BEGIN
+        marker_end: AUDIT_STORAGE_END
+        mode: "0755"
+  tags:
+    - audit_storage

roles/audit_storage/defaults/main.yml

@@ -0,0 +1,48 @@
+---
+# defaults file for audit_storage
+audit_storage_version: "1.0.0"
+audit_storage_zip_url: https://nexus.alfresco.com/nexus/repository/enterprise-releases/org/alfresco/alfresco-audit-storage-distribution/{{ audit_storage_version }}/alfresco-audit-storage-distribution-{{ audit_storage_version }}.zip
+audit_storage_zip_sha1_url: https://nexus.alfresco.com/nexus/repository/enterprise-releases/org/alfresco/alfresco-audit-storage-distribution/{{ audit_storage_version }}/alfresco-audit-storage-distribution-{{ audit_storage_version }}.zip.sha1
+
+audit_storage_artifact_name: alfresco-audit-storage-app
+
+audit_storage_username: alfresco
+audit_storage_group_name: alfresco
+
+audit_storage_server_port: 8083
+
+audit_storage_broker_url: failover:(nio://localhost:61616)?timeout=3000
+audit_storage_broker_username: ''
+audit_storage_broker_password: ''
+audit_storage_opensearch_url: http://localhost:9200
+audit_storage_opensearch_username: ''
+audit_storage_opensearch_password: ''
+
+audit_storage_default_environment:
+  SERVER_PORT: "{{ audit_storage_server_port }}"
+  SPRING_ACTIVEMQ_BROKERURL: "{{ audit_storage_broker_url }}"
+  SPRING_ACTIVEMQ_USER: "{{ audit_storage_broker_username }}"
+  SPRING_ACTIVEMQ_PASSWORD: "{{ audit_storage_broker_password }}"
+  AUDIT_ENTRYSTORAGE_OPENSEARCH_CONNECTOR_URI: "{{ audit_storage_opensearch_url }}"
+  AUDIT_ENTRYSTORAGE_OPENSEARCH_CONNECTOR_USERNAME: "{{ audit_storage_opensearch_username }}"
+  AUDIT_ENTRYSTORAGE_OPENSEARCH_CONNECTOR_PASSWORD: "{{ audit_storage_opensearch_password }}"
+  AUDIT_EVENTINGESTION_URI: activemq:topic:alfresco.repo.event2
+audit_storage_environment: {}
+
+audit_storage_java_bin_path: /opt/openjdk-17.0.11/bin/java
+
+audit_storage_binaries_dir: "/opt/alfresco/audit-storage-{{ audit_storage_version }}"
+audit_storage_config_dir: "/etc/alfresco/audit-storage"
+
+audit_storage_systemd_service_unit_name: "alfresco-audit-storage"
+audit_storage_systemd_service_unit_description: "Alfresco Audit Storage"
+audit_storage_systemd_service_exec_start: "{{ audit_storage_java_bin_path }} -jar {{ audit_storage_artifact_path }}"
+audit_storage_systemd_service_user: "{{ audit_storage_username }}"
+
+audit_storage_systemd_service_unit_after: syslog.target network.target local-fs.target remote-fs.target nss-lookup.target
+audit_storage_systemd_service_type: simple
+audit_storage_systemd_service_exec_stop: kill -15 $MAINPID
+audit_storage_systemd_service_working_directory: /tmp
+audit_storage_systemd_service_additional_options: {}
+audit_storage_systemd_service_state: started
+audit_storage_systemd_service_enabled: true

roles/audit_storage/handlers/main.yml

@@ -0,0 +1,13 @@
+---
+# handlers file for audit_storage
+- name: Reload systemd
+  become: true
+  ansible.builtin.systemd:
+    daemon_reload: true
+
+- name: Restart {{ audit_storage_systemd_service_unit_name }}
+  become: true
+  ansible.builtin.systemd:
+    name: "{{ audit_storage_systemd_service_unit_name }}"
+    state: restarted
+  when: audit_storage_systemd_service_state == 'started'

roles/audit_storage/meta/main.yml

@@ -0,0 +1,33 @@
+galaxy_info:
+  author: Alfresco Ops Readiness
+  description: This role installs and configures the audit storage for Alfresco
+  company: Hyland Software
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  license: Apache-2.0
+
+  min_ansible_version: "2.12"
+
+  platforms:
+    - name: Ubuntu
+      versions:
+        - bionic
+        - focal
+    - name: EL
+      versions:
+        - "8"
+        - "9"
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies:
+  - role: java

roles/audit_storage/molecule/default/converge.yml

@@ -0,0 +1,7 @@
+---
+- name: Converge
+  hosts: all
+  roles:
+    - role: activemq
+    - role: elasticsearch
+    - role: audit_storage

roles/audit_storage/molecule/default/host_vars/instance.yml

@@ -0,0 +1 @@
+ansible_user: ansible

roles/audit_storage/molecule/default/molecule.yml

@@ -0,0 +1,32 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: $MOLECULE_ROLE_IMAGE
+    dockerfile: ../../../../tests/molecule/Dockerfile-noprivs.j2
+    command: "/lib/systemd/systemd"
+    privileged: true
+    tmpfs:
+      - /run
+      - /run/lock
+      - /tmp
+    volume_mounts:
+      - "/sys/fs/cgroup:/sys/fs/cgroup:ro"
+    groups:
+      - audit_storage
+      - activemq
+      - elasticsearch
+provisioner:
+  name: ansible
+  ansible_args:
+    - -e
+    - "@../../../../tests/molecule/secrets.yml"
+  inventory:
+    links:
+      group_vars: ../../../../group_vars
+      host_vars: host_vars
+verifier:
+  name: ansible