OPSEXP-2880 Add audit-storage role #996

Merged
merged 15 commits into from
Dec 3, 2024
2 changes: 1 addition & 1 deletion .envrc
Expand Up @@ -4,7 +4,7 @@ export AWS_REGION=eu-west-1
export MOLECULE_IT_AWS_VPC_SUBNET_ID=subnet-6bdd4223
export BRANCH_NAME=local
export BUILD_NUMBER=1
export DTAS_VERSION=v1.5.3
export DTAS_VERSION=v1.6.0
export MOLECULE_IT_ID=$(echo "$LOGNAME" | sha256sum | cut -c1-6)
ANSIBLE_VAULT_PASSWORD_FILE=$(expand_path ./.vault_pass.txt)
export ANSIBLE_VAULT_PASSWORD_FILE
9 changes: 8 additions & 1 deletion .github/workflows/enteprise.yml
Expand Up @@ -19,7 +19,7 @@ on:
workflow_dispatch:

env:
DTAS_VERSION: v1.5.5
DTAS_VERSION: v1.6.0
BUILD_NUMBER: ${{ github.run_id }}
PY_COLORS: 1
PYTHONUNBUFFERED: 1
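Review bot: DTAS_VERSION is maintained by hand in two places, here under `env:` and in `.envrc`, and the values being replaced show they had already drifted apart (v1.5.5 here, v1.5.3 in `.envrc`). Consider reading the value from a single source, or adding both files to whatever bumps versions automatically, so that local Molecule runs and CI test against the same DTAS release.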
Expand Down Expand Up @@ -64,6 +64,7 @@ jobs:
- name: sfs
- name: sync
- name: trouter
- name: audit_storage
steps:
- name: Share var with further reusable workflows
id: jobvars
Expand Down Expand Up @@ -154,6 +155,12 @@ jobs:
fail-fast: false
matrix:
molecule_scenario:
- name: default
vars: vars-ubuntu20-72.yml
desc: EC2 ACS 7.2 (Ubuntu 20.04)
- name: default
vars: vars-ubuntu20-73.yml
desc: EC2 ACS 7.3 (Ubuntu 20.04)
- name: default
vars: vars-rocky8.yml
desc: EC2 ACS 7.4 (Rocky Linux 8.9)
51 changes: 0 additions & 51 deletions .github/workflows/enterprise-extended.yml

This file was deleted.

2 changes: 1 addition & 1 deletion 7.2.N-extra-vars.yml
Expand Up @@ -27,7 +27,7 @@ search_enterprise:
search:
artifact_name: alfresco-search-services
repository: "{{ nexus_repository.releases }}"
version: 2.0.13
version: 2.0.12 # ACS-9048
transform:
artifact_name: alfresco-transform-core-aio
repository: "{{ nexus_repository.releases }}"
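Review bot: the downgrade of the search `version` to 2.0.12 is justified only by the ticket id in the trailing comment `# ACS-9048`, so a reader without tracker access cannot tell why 2.0.13 is unsuitable or when the pin can be lifted. Add a short reason to the comment, and check that the updatecli constraints mentioned in the README checklist will not raise the value back to 2.0.13 on the next automated run. The same applies to the identical line in 7.3.N-extra-vars.yml.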
2 changes: 1 addition & 1 deletion 7.3.N-extra-vars.yml
Expand Up @@ -27,7 +27,7 @@ search_enterprise:
search:
artifact_name: alfresco-search-services
repository: "{{ nexus_repository.releases }}"
version: 2.0.13
version: 2.0.12 # ACS-9048
transform:
artifact_name: alfresco-transform-core-aio
repository: "{{ nexus_repository.releases }}"
3 changes: 1 addition & 2 deletions README.md
Expand Up @@ -194,8 +194,7 @@ Follow this quick checklist:

* review currently open dependabot/renovate and merge them
* copy the versions inside the group_vars/all.yml to a new XX.N-extra-vars.yml (in case of a new ACS major version)
* run [updatecli workflow](https://github.com/Alfresco/alfresco-ansible-deployment/actions/workflows/updatecli.yml)
* run [enterprise-extended](https://github.com/Alfresco/alfresco-ansible-deployment/actions/workflows/enterprise-extended.yml) and make sure it is green
* bump versions constraints in scripts/updatecli/updatecli_acs*.yml (workflow will take care of the rest)
* ensure that the [versions table in the main readme](docs/overview.md#versioning) has been updated
* ensure that docker images and AMI id for the root molecule tests are
reflecting any minor OS release (e.g. [default suite](../molecule/default/))
8 changes: 8 additions & 0 deletions group_vars/all.yml
Expand Up @@ -46,6 +46,10 @@ api_explorer:
artifact_name: api-explorer
repository: "{{ nexus_repository.releases }}"
version: 23.4.0
audit_storage:
artifact_name: alfresco-audit-storage-distribution
repository: "{{ nexus_repository.enterprise_releases }}"
version: 1.0.0
search_enterprise:
artifact_name: alfresco-elasticsearch-connector-distribution
repository: "{{ nexus_repository.enterprise_releases }}"
Expand Down Expand Up @@ -122,6 +126,10 @@ downloads:
{{ adw.repository }}/{{ adw.artifact_name }}/{{ adw.version }}/{{ adw.artifact_name }}-{{ adw.version }}.zip
adw_zip_sha1_checksum_url: >-
{{ adw.repository }}/{{ adw.artifact_name }}/{{ adw.version }}/{{ adw.artifact_name }}-{{ adw.version }}.zip.sha1
audit_storage_zip_url: >-
{{ audit_storage.repository }}/{{ audit_storage.artifact_name }}/{{ audit_storage.version }}/{{ audit_storage.artifact_name }}-{{ audit_storage.version }}.zip
audit_storage_zip_sha1_checksum_url: >-
{{ audit_storage.repository }}/{{ audit_storage.artifact_name }}/{{ audit_storage.version }}/{{ audit_storage.artifact_name }}-{{ audit_storage.version }}.zip.sha1
search_enterprise_zip_url: >-
{{ search_enterprise.repository }}/{{ search_enterprise.artifact_name }}/{{ search_enterprise.version }}/{{ search_enterprise.artifact_name }}-{{ search_enterprise.version }}.zip
search_enterprise_zip_sha1_url: >-
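Review bot: the new `audit_storage_zip_sha1_checksum_url` points at a `.zip.sha1` file served from the same repository path as the zip itself, so any verification done with it catches a corrupted download but not a replaced artifact, since whoever can change the zip can change the checksum beside it. If protection against tampering is intended, pin the expected digest (preferably SHA-256) in group_vars next to `version: 1.0.0`. Minor: the key follows `adw_zip_sha1_checksum_url`, but the role variable it feeds in playbooks/acs.yml is `audit_storage_zip_sha1_url` and the neighbouring search key is `search_enterprise_zip_sha1_url`; settling on one suffix would make the mapping easier to follow.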
4 changes: 4 additions & 0 deletions inventory_ha.yml
Expand Up @@ -67,6 +67,10 @@ all:
hosts:
sync.infra.local:

audit_storage:
hosts:
audit.infra.local:

other_repo_clients:
hosts:

4 changes: 4 additions & 0 deletions inventory_local.yml
Expand Up @@ -55,6 +55,10 @@ all:
children:
repository:

audit_storage:
children:
repository:

other_repo_clients:
hosts:

5 changes: 5 additions & 0 deletions inventory_ssh.yml
Expand Up @@ -72,6 +72,11 @@ all:
syncservice_1:
ansible_host: targetIP

audit_storage:
hosts:
audit_storage_1:
ansible_host: targetIP

other_repo_clients:
hosts:

5 changes: 5 additions & 0 deletions molecule/docker_enterprise/molecule.yml
Expand Up @@ -27,8 +27,11 @@ platforms:
- acc
- adw
- nginx
- audit_storage
published_ports:
- 0.0.0.0:443:443/tcp
- 0.0.0.0:8083:8083/tcp
- 0.0.0.0:9200:9200/tcp

provisioner:
name: ansible
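Review bot: the two added `published_ports` entries bind 8083 and 9200 on `0.0.0.0`, which publishes the audit storage port and the search HTTP port on every interface of the machine running Molecule. On a developer workstation that is more exposure than the verify step needs, and the role defaults added in this PR leave the OpenSearch and broker credentials empty unless the scenario overrides them. If the tests connect from the same host, `127.0.0.1:8083:8083/tcp` and `127.0.0.1:9200:9200/tcp` are sufficient.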
Expand All @@ -47,3 +50,5 @@ provisioner:
verify: ../default/verify.yml
verifier:
name: ansible
env:
MOLECULE_IT_TEST_CONFIG: tests/test-config-aas.json
3 changes: 2 additions & 1 deletion molecule/elasticsearch/molecule.yml
Expand Up @@ -29,6 +29,7 @@ platforms:
- sfs
- syncservice
- transformers
- audit_storage
- trusted_resource_consumers
provisioner:
name: ansible
Expand All @@ -47,6 +48,6 @@ provisioner:
playbooks:
prepare: ../default/prepare.yml
converge: ../../playbooks/acs.yml
verify: ../multimachine/verify.yml
verify: ../default/verify.yml
verifier:
name: ansible
41 changes: 41 additions & 0 deletions playbooks/acs.yml
Expand Up @@ -479,3 +479,44 @@
mode: "0755"
tags:
- sync

- name: Audit Storage Role
hosts: audit_storage
gather_facts: false
vars:
acs_version_requirement: "{{ acs.version is version('23.4', 'ge') }}"
pre_tasks:
- name: Assert that the required version is met
ansible.builtin.fail:
msg: "Audit Storage requires ACS 23.4 or later"
when: not acs_version_requirement
roles:
- role: "../roles/audit_storage"
when: acs.edition == "Enterprise" and acs_version_requirement
audit_storage_version: "{{ audit_storage.version }}"
audit_storage_zip_url: "{{ downloads.audit_storage_zip_url }}"
audit_storage_zip_sha1_url: "{{ downloads.audit_storage_zip_sha1_checksum_url }}"
audit_storage_username: "{{ username }}"
audit_storage_group_name: "{{ group_name }}"
audit_storage_broker_url: "failover:({{ activemq_transport }}://{{ activemq_host }}:{{ ports_cfg.activemq[activemq_protocol] }})"
audit_storage_broker_username: "{{ activemq_username }}"
audit_storage_broker_password: "{{ activemq_password }}"
audit_storage_opensearch_url: "{{ elasticsearch_protocol }}://{{ elasticsearch_host }}:{{ ports_cfg.elasticsearch.http }}"
audit_storage_opensearch_username: "{{ elasticsearch_username }}"
audit_storage_opensearch_password: "{{ elasticsearch_password }}"
post_tasks:
- name: Update installation status file with Audit Storage
when: acs.edition == "Enterprise" and acs_version_requirement
become: true
vars:
audit_storage_components:
audit_storage: "{{ audit_storage }}"
ansible.builtin.blockinfile:
block: "{{ audit_storage_components | to_nice_yaml(indent=2) }}"
create: true
path: "{{ ansible_installation_status_file }}"
marker_begin: AUDIT_STORAGE_BEGIN
marker_end: AUDIT_STORAGE_END
mode: "0755"
tags:
- audit_storage
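Review bot: the `pre_tasks` step fails the play for every host in `audit_storage` when `acs.version` is below 23.4, which makes the `and acs_version_requirement` part of the two later `when:` conditions unreachable and turns a version mismatch into a hard stop rather than a skip. Because inventory_local.yml in this PR puts `repository` into `audit_storage` by default, a local run against an older ACS version would stop here unless the user edits the inventory first. Either skip the play when the requirement is not met (drop the `fail` task and keep the `when:` conditions), or keep the `fail`, restrict it to the Enterprise edition and remove the redundant conditions. Separately, `mode: "0755"` on the installation status file sets the execute bit on a YAML file; it matches the sync block above, but `0644` would be enough.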
48 changes: 48 additions & 0 deletions roles/audit_storage/defaults/main.yml
@@ -0,0 +1,48 @@
---
# defaults file for audit_storage
audit_storage_version: "1.0.0"
audit_storage_zip_url: https://nexus.alfresco.com/nexus/repository/enterprise-releases/org/alfresco/alfresco-audit-storage-distribution/{{ audit_storage_version }}/alfresco-audit-storage-distribution-{{ audit_storage_version }}.zip
audit_storage_zip_sha1_url: https://nexus.alfresco.com/nexus/repository/enterprise-releases/org/alfresco/alfresco-audit-storage-distribution/{{ audit_storage_version }}/alfresco-audit-storage-distribution-{{ audit_storage_version }}.zip.sha1

audit_storage_artifact_name: alfresco-audit-storage-app

audit_storage_username: alfresco
audit_storage_group_name: alfresco

audit_storage_server_port: 8083

audit_storage_broker_url: failover:(nio://localhost:61616)?timeout=3000
audit_storage_broker_username: ''
audit_storage_broker_password: ''
audit_storage_opensearch_url: http://localhost:9200
audit_storage_opensearch_username: ''
audit_storage_opensearch_password: ''

audit_storage_default_environment:
SERVER_PORT: "{{ audit_storage_server_port }}"
SPRING_ACTIVEMQ_BROKERURL: "{{ audit_storage_broker_url }}"
SPRING_ACTIVEMQ_USER: "{{ audit_storage_broker_username }}"
SPRING_ACTIVEMQ_PASSWORD: "{{ audit_storage_broker_password }}"
AUDIT_ENTRYSTORAGE_OPENSEARCH_CONNECTOR_URI: "{{ audit_storage_opensearch_url }}"
AUDIT_ENTRYSTORAGE_OPENSEARCH_CONNECTOR_USERNAME: "{{ audit_storage_opensearch_username }}"
AUDIT_ENTRYSTORAGE_OPENSEARCH_CONNECTOR_PASSWORD: "{{ audit_storage_opensearch_password }}"
AUDIT_EVENTINGESTION_URI: activemq:topic:alfresco.repo.event2
audit_storage_environment: {}

audit_storage_java_bin_path: /opt/openjdk-17.0.11/bin/java

audit_storage_binaries_dir: "/opt/alfresco/audit-storage-{{ audit_storage_version }}"
audit_storage_config_dir: "/etc/alfresco/audit-storage"

audit_storage_systemd_service_unit_name: "alfresco-audit-storage"
audit_storage_systemd_service_unit_description: "Alfresco Audit Storage"
audit_storage_systemd_service_exec_start: "{{ audit_storage_java_bin_path }} -jar {{ audit_storage_artifact_path }}"
audit_storage_systemd_service_user: "{{ audit_storage_username }}"

audit_storage_systemd_service_unit_after: syslog.target network.target local-fs.target remote-fs.target nss-lookup.target
audit_storage_systemd_service_type: simple
audit_storage_systemd_service_exec_stop: kill -15 $MAINPID
audit_storage_systemd_service_working_directory: /tmp
audit_storage_systemd_service_additional_options: {}
audit_storage_systemd_service_state: started
audit_storage_systemd_service_enabled: true
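Review bot: `audit_storage_java_bin_path` hardcodes `/opt/openjdk-17.0.11/bin/java`, so the unit's ExecStart breaks as soon as the `java` role this role depends on installs a different patch release; derive the path from whatever the java role exposes instead of repeating the version here. In the same file, `audit_storage_systemd_service_exec_start` uses `audit_storage_artifact_path`, which is not defined in these defaults, and `audit_storage_systemd_service_working_directory: /tmp` runs the service from a world-writable directory where `audit_storage_binaries_dir` or a dedicated directory would be safer. The broker and OpenSearch credentials default to empty strings and the OpenSearch URL to plain `http://`; a comment stating that these must be overridden outside a single-host test setup would help.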
13 changes: 13 additions & 0 deletions roles/audit_storage/handlers/main.yml
@@ -0,0 +1,13 @@
---
# handlers file for audit_storage
- name: Reload systemd
become: true
ansible.builtin.systemd:
daemon_reload: true

- name: Restart {{ audit_storage_systemd_service_unit_name }}
become: true
ansible.builtin.systemd:
name: "{{ audit_storage_systemd_service_unit_name }}"
state: restarted
when: audit_storage_systemd_service_state == 'started'
33 changes: 33 additions & 0 deletions roles/audit_storage/meta/main.yml
@@ -0,0 +1,33 @@
galaxy_info:
author: Alfresco Ops Readiness
description: This role installs and configures the audit storage for Alfresco
company: Hyland Software

# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker

license: Apache-2.0

min_ansible_version: "2.12"

platforms:
- name: Ubuntu
versions:
- bionic
- focal
- name: EL
versions:
- "8"
- "9"

galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.

dependencies:
- role: java
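Review bot: `platforms` lists Ubuntu `bionic` alongside `focal`, but the only Ubuntu scenarios visible in this PR's workflow matrix are 20.04, so the bionic claim is not backed by a test shown here; drop it or add a scenario. The commented `issue_tracker_url` block and the explanatory text under `galaxy_tags: []` are leftovers from the role skeleton and can be removed.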
7 changes: 7 additions & 0 deletions roles/audit_storage/molecule/default/converge.yml
@@ -0,0 +1,7 @@
---
- name: Converge
hosts: all
roles:
- role: activemq
- role: elasticsearch
- role: audit_storage
@@ -0,0 +1 @@
ansible_user: ansible
32 changes: 32 additions & 0 deletions roles/audit_storage/molecule/default/molecule.yml
@@ -0,0 +1,32 @@
---
dependency:
name: galaxy
driver:
name: docker
platforms:
- name: instance
image: $MOLECULE_ROLE_IMAGE
dockerfile: ../../../../tests/molecule/Dockerfile-noprivs.j2
command: "/lib/systemd/systemd"
privileged: true
tmpfs:
- /run
- /run/lock
- /tmp
volume_mounts:
- "/sys/fs/cgroup:/sys/fs/cgroup:ro"
groups:
- audit_storage
- activemq
- elasticsearch
provisioner:
name: ansible
ansible_args:
- -e
- "@../../../../tests/molecule/secrets.yml"
inventory:
links:
group_vars: ../../../../group_vars
host_vars: host_vars
verifier:
name: ansible
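Review bot: `privileged: true` on the `instance` platform gives the test container full access to the host's devices and capabilities, and it sits oddly beside a Dockerfile named `Dockerfile-noprivs.j2`. The hunk already mounts `/sys/fs/cgroup` read-only and places `/run`, `/run/lock` and `/tmp` on tmpfs, which is often enough to run systemd in a container; check whether the scenario converges without the flag, and if it does not, add a comment saying why it is required.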