Dba 791

playbooks/oracle_password_rotation/all_password_rotation/tasks/update_oem_targets.yml

@@ -1,32 +1,6 @@
-- name: Get SYSMAN Password
-  include_tasks: "{{ playbook_dir }}/../../common/tasks/get_facts.yml"
-
-- name: Synchronize OEM Monitoring Credentials
-  block:
-    - name: Emcli Setup
-      when: not target_environment_name is search('hmpps-oem')
-      block:
-        - name: Copy EMCLI Login scripts
-          template:
-            src: "{{ playbook_dir }}/../../common/templates/emcli_login.sh.j2"
-            dest: "{{ stage }}/emcli_login.sh"
-            mode: "0700"
-
-        - name: Set Emcli Login Script Variable
-          set_fact:
-            emcli_login: ". {{ stage }}/emcli_login.sh > /dev/null 2>&1"
-
-    - name: Include Set Monitoring Password Task From Oem Password Rotation Role
-      include_role:
-        name: "{{ playbook_dir }}/oem_password_rotation"
-        tasks_from: set_monitoring_passwords
-      vars:
-        sysman_password: "{{ oem_sysman_password }}"
-        target_environment_name: "{{ environment_name }}"
-
-  always:
-    - name: Remove Temporary Files from Stage Area
-      file:
-        path: "{{ stage }}/emcli_login.sh"
-        state: absent
-      when: not target_environment_name is search('hmpps-oem')
+- name: Include Set Monitoring Password Task From Oem Password Rotation Role
+  include_role:
+    name: "{{ playbook_dir }}/oem_password_rotation"
+    tasks_from: set_monitoring_passwords
+  vars:
+    target_environment_name: "{{ environment_name }}"

playbooks/oracle_password_rotation/oem_password_rotation/defaults/main.yml

@@ -23,3 +23,5 @@ agent_secretsmanager_passwords:
       - agentreg:
 
 asm_monitoring_secret_name: "/ec2/{{ ec2_name }}/asm-passwords"
+
+stage: /u02/stage

playbooks/oracle_password_rotation/oem_password_rotation/tasks/main.yml

@@ -23,13 +23,36 @@
       poll: 0
       register: lock_notification_polling
 
+    - name: Set Emctl & Emcli Script Variables
+      set_fact:
+        emctl_script: "{{ stage }}/emctl_script.sh"
+        emcli_script: "{{ stage }}/emcli_script.sh"
+
+    - name: Copy Emctl & Emcli scripts
+      template:
+        src: "{{ item }}"
+        dest: "{{ stage }}/{{ item.split('.')[:-1] | join('.') }}"
+        mode: "0700"
+      with_items:
+        - emctl_script.sh.j2
+        - emcli_script.sh.j2
+
     - name: Rotate OEM Passwords
       include_tasks: rotate_oem_passwords.yml
 
     # If we are rotating the OEM passwords then we should also rotate the Agent Registration Passwords
     - name: Rotate Agent Registration Password
       include_tasks: rotate_agent_registration_password.yml
 
+  always:
+    - name: Remove Temporary Files from Stage Area
+      file:
+        path: "{{ stage }}/{{ item }}"
+        state: absent
+      with_items:
+        - emctl_script.sh
+        - emcli_script.sh
+
 - name: Ensure OEM Target Passwords are in Sync with Secrets
   include_tasks: sync_monitoring_passwords.yml
   when: sync_monitoring_passwords | default(false) | bool

playbooks/oracle_password_rotation/oem_password_rotation/tasks/rotate_agent_registration_password.yml

@@ -11,16 +11,12 @@
   vars:
     secretsmanager_passwords: "{{ agent_secretsmanager_passwords }}"
 
-- name: Get Existing SYSMAN Password
-  shell: |
-    export PATH=$PATH:/usr/local/bin
-    aws secretsmanager get-secret-value --secret-id "{{ oem_secretsmanager_passwords['oem']['secret'] }}" --query SecretString --output text| jq -r .sysman
-  changed_when: false
-  register: "getsysmanpassword"
-  no_log: true
-
 - name: Set Agent Registration Password
-  shell: "{{ emctl_oem }} secure setpwd ${SYSMAN_PASSWORD} ${AGENT_REGISTRATION_PASSWORD}"
+  ansible.builtin.command: >
+    {{ emctl_script }}
   environment:
-    SYSMAN_PASSWORD: "{{ getsysmanpassword.stdout }}"
-    AGENT_REGISTRATION_PASSWORD: "{{ new_password }}"
+    ROTATE: AGENT
+  register: agent_registration
+  failed_when:
+    - agent_registration.rc > 0
+    - not agent_registration.stdout is search('Registration Password added successfully')

playbooks/oracle_password_rotation/oem_password_rotation/tasks/rotate_oem_passwords.yml

@@ -1,18 +1,3 @@
-- name: Set SYS Secret Name
-  set_fact:
-    secret_name: "{{ oemdb_secretsmanager_passwords['oemdb']['secret'] }}"
-  no_log: true
-
-- name: Get Existing SYS Password
-  import_role:
-    name: secretsmanager-passwords
-  vars:
-    secretsmanager_passwords: "{{ oemdb_secretsmanager_passwords }}"
-
-- name: Set Variable For SYS Password
-  set_fact:
-    sys_password: "{{ secretsmanager_passwords_dict['oemdb'].passwords['sys'] }}"
-
 - name: Check if the SYS Password Works
   script: get_sys_remote_lock.sh
   register: get_sys_primary_remote_lock
@@ -58,18 +43,19 @@
     # Always use this approach in case previous reset of the SYSMAN password has failed.
     # (Note non-standard successful return code of 1)
     - name: Change SYSMAN Password
-      shell: "{{ emctl_oem }} config oms -change_repos_pwd -use_sys_pwd -sys_pwd ${SYS_PASSWORD} -new_pwd ${NEW_PASSWORD}"
+      ansible.builtin.command: >
+        {{ emctl_script }}
+      environment:
+        ROTATE: OMS
       register: change_sysman_password
       failed_when: change_sysman_password.rc > 1
-      environment:
-        SYS_PASSWORD: "{{ sys_password }}"
-        NEW_PASSWORD: "{{ new_password }}"
 
     # We do not currently use the Management View user so the password can be set randomly
     - name: Change MGMT_VIEW Password
-      shell: "{{ emctl_oem }} config oms -change_view_user_pwd -sysman_pwd ${SYSMAN_PASSWORD} -auto_generate"
+      ansible.builtin.command: >
+        {{ emctl_script }}
       environment:
-        SYSMAN_PASSWORD: "{{ new_password }}"
+        ROTATE: MGMT_VIEW
 
     - name: Check Admin Server Status
       shell: '{{ emctl_oem }} status oms | grep "WebTier" | awk ''{print $NF}'''
@@ -94,12 +80,10 @@
         ansible_aws_ssm_timeout: 900
 
     - name: Update OEM_DB Named Credential
-      shell: |
-        . ~/.bash_profile
-        {{ emcli }} sync 1>/dev/null 2>&1 || ( {{ emcli }} login -username=sysman -password=${SYSMAN_PASSWORD} -force && {{ emcli }} sync ) 1>/dev/null 2>&1
-        {{ emcli }} modify_named_credential -cred_name=OEM_DB -cred_type=DBCreds -test -attributes="DBUserName:sysman;DBRole:Normal;DBPassword:${SYSMAN_PASSWORD}"
+      ansible.builtin.command: >
+        {{ emcli_script }}
       environment:
-        SYSMAN_PASSWORD: "{{ new_password }}"
+        EMCTL_COMMANDS: '{{ emcli }} modify_named_credential -cred_name=OEM_DB -cred_type=DBCreds -test -attributes="DBUserName:sysman;DBRole:Normal;DBPassword:${SYSMAN_PASSWORD}"'
       register: update_name_credential
       failed_when: update_name_credential.rc != 0
 # - name: Create New Password for Nodemanager

playbooks/oracle_password_rotation/oem_password_rotation/tasks/set_monitoring_password.yml

@@ -1,54 +1,13 @@
-- name: Initialise Secrets Dictionary
+- name: Set Emcli Monitoring Credential Command
   set_fact:
-    secretsmanager_passwords_dict: {}
+    emcli_commands: |
+      {{ emcli }} modify_target -name="{{ monitor_item }}" -type="{{ monitor_type }}" -credentials="UserName:{{ db_username }};password:${PASSWORD};Role:{{ monitor_role }}" -on_agent;
 
-- name: Setup Temporary Secrets Dictionary
-  set_fact:
-    secret_password_dict:
-      account:
-        secret: "{{ secret_name }}"
-  when: (not sync_monitoring_passwords | default(false) | bool) or ((sync_monitoring_passwords | default(false) | bool) and (target_environment_name is search('hmpps-oem')))
-
-- name: Special Case To Setup Secrets Dictionary Syncing Monitoring Passwords From OEM For None OEM Target Environment
-  when:
-    - sync_monitoring_passwords | default(false) | bool
-    - not target_environment_name is search('hmpps-oem')
-  block:
-    - name: Get EC2 Metadata Facts
-      amazon.aws.ec2_metadata_facts:
-
-    - name: Set Target Account Name For Secrets
-      set_fact:
-        target_account_name: "{{ target_environment_name.split('-')[:2] | join('-') + '-' + aws_environment }}"
-
-    - name: Setup Secrets Dictionary Syncing Monitoring Passwords From OEM
-      set_fact:
-        secret_password_dict:
-          account:
-            account_name: "{{ target_account_name }}"
-            assume_role_name: "EC2OracleEnterpriseManagementSecretsRole"
-            secret: "{{ secret_name }}"
-
-- name: Combine {{ db_username }} User To Secrets Dictionary
-  set_fact:
-    secret_password_dict: "{{ secret_password_dict |  combine({ 'account': { 'users': [{db_username: None}] }}, recursive=true) }}"
-
-- name: Get Password From Secrets
-  import_role:
-    name: secretsmanager-passwords
-  vars:
-    secretsmanager_passwords: "{{ secret_password_dict }}"
-
-- name: Set Variable {{ db_username }} Password
-  set_fact:
-    password: "{{ secretsmanager_passwords_dict['account'].passwords[db_username] }}"
-
-- name: Set the Monitoring Credential for {{ monitor_item }}
-  shell: |
-    . ~/.bash_profile
-    {{ emcli_login | default() }}
-    {{ emcli }} sync 1>/dev/null 2>&1 || ( {{ emcli }} login -username=sysman -password=${SYSMAN_PASSWORD} -force && {{ emcli }} sync ) 1>/dev/null 2>&1
-    {{ emcli }} modify_target -name="{{ monitor_item }}" -type="{{ monitor_type }}" -credentials="UserName:{{ db_username }};password:${PASSWORD};Role:{{ monitor_role }}" -on_agent
+- name: Set the Monitoring Credential For {{ monitor_item }}
+  ansible.builtin.command: >
+    {{ emcli_script }}
   environment:
-    SYSMAN_PASSWORD: "{{ sysman_password }}"
-    PASSWORD: "{{ password }}"
+    SECRET_NAME: "{{ secret_name}}"
+    ACCOUNT_NAME: "{{ target_account_name }}"
+    DB_USERNAME: "{{ db_username }}"
+    EMCLI_COMMANDS: "{{ emcli_commands }}"

playbooks/oracle_password_rotation/oem_password_rotation/tasks/set_monitoring_passwords.yml

@@ -1,23 +1,37 @@
 - name: Sync SYS Password Parameter in the {{ target_environment_name }}
   block:
+    - name: Set Emcli Script Variable
+      set_fact:
+        emcli_script: "{{ stage }}/emcli_script.sh"
+
+    - name: Copy Emcli script
+      template:
+        src: emcli_script.sh.j2
+        dest: "{{ emcli_script }}"
+        mode: "0700"
+
     - name: Set Host Match
       set_fact:
         host_match: "{{ target_environment_name if (not target_environment_name is search('hmpps-oem')) else inventory_hostname }}"
+        target_account_name: "{{ target_environment_name.split('-')[:2] | join('-') + '-' + aws_environment if (not target_environment_name is search('hmpps-oem')) else target_environment_name }}"
 
     - name: Initialise Monitor List
       set_fact:
         monitor_list: []
 
-    - name: Get All Physical Standby Databases in this Environment (Delius)
-      shell: |
-        . ~/.bash_profile
-        {{ emcli_login | default() }}
-        {{ emcli }} sync 1>/dev/null 2>&1 || ( {{ emcli }} login -username=sysman -password=${SYSMAN_PASSWORD} -force && {{ emcli }} sync ) 1>/dev/null 2>&1
-        {{ emcli }} get_targets -script -targets="%{{ host_match }}%:host;" -noheader | awk '{print $NF}' | xargs -i {{ emcli }} list -resource="Targets" -search="HOST_NAME='{}'" -search="TARGET_TYPE='oracle_database'" -search="TYPE_QUALIFIER4='Physical Standby'" -script -columns="TARGET_NAME,HOST_NAME" -noheader | sed 's/^\([a-zA-Z0-9_\.-]*\)[[:space:]]*\([a-zA-Z0-9_\.]*\)-\([a-zA-Z0-9_\.]*\)-.*$/\1 \2 \3/'
-        {{ emcli }} get_targets -script -targets="%{{ host_match }}%:host;" -noheader | awk '{print $NF}' | xargs -i {{ emcli }} list -resource="Targets" -search="HOST_NAME='{}'" -search="TARGET_TYPE='oracle_database'" -search="TYPE_QUALIFIER4='Snapshot Standby'" -script -columns="TARGET_NAME,HOST_NAME" -noheader | sed 's/^\([a-zA-Z0-9_\.-]*\)[[:space:]]*\([a-zA-Z0-9_\.]*\)-\([a-zA-Z0-9_\.]*\)-.*$/\1 \2 \3/'
-      register: physical_standby
+    - name: Set Emcli Physical Standby Databases Command
+      set_fact:
+        emcli_commands: |
+          {{ emcli }} get_targets -script -targets="%{{ host_match }}%:host;" -noheader | awk '{print $NF}' | xargs -i {{ emcli }} list -resource="Targets" -search="HOST_NAME='{}'" -search="TARGET_TYPE='oracle_database'" -search="TYPE_QUALIFIER4='Physical Standby'" -script -columns="TARGET_NAME,HOST_NAME" -noheader | sed 's/^\([a-zA-Z0-9_\.-]*\)[[:space:]]*\([a-zA-Z0-9_\.]*\)-\([a-zA-Z0-9_\.]*\)-.*$/\1 \2 \3/';
+          {{ emcli }} get_targets -script -targets="%{{ host_match }}%:host;" -noheader | awk '{print $NF}' | xargs -i {{ emcli }} list -resource="Targets" -search="HOST_NAME='{}'" -search="TARGET_TYPE='oracle_database'" -search="TYPE_QUALIFIER4='Snapshot Standby'" -script -columns="TARGET_NAME,HOST_NAME" -noheader | sed 's/^\([a-zA-Z0-9_\.-]*\)[[:space:]]*\([a-zA-Z0-9_\.]*\)-\([a-zA-Z0-9_\.]*\)-.*$/\1 \2 \3/';
+
+    - name: Get All Physical Standby Databases in this Environment
+      ansible.builtin.command: >
+        {{ emcli_script }}
       environment:
-        SYSMAN_PASSWORD: "{{ sysman_password }}"
+        ACCOUNT_NAME: "{{ target_account_name }}"
+        EMCLI_COMMANDS: "{{ emcli_commands }}"
+      register: physical_standby
       changed_when: false
 
     - block:
@@ -50,17 +64,20 @@
     # In OEM, in a Data Guard Configuration the database type (TYPE_QUALIFIER4) is "Primary".   In a non-Data Guard Configuration TYPE_QUALIFIER4 is set to a single space character.  Handle both cases.
     # (This cannot be done within SEARCH as multiple conditions will be AND'ed together rather than OR'ed.  Therefore call the same function with both possibilities)
 
-    - name: Get All Primary Databases in this Environment (Delius)
-      shell: |
-        . ~/.bash_profile
-        {{ emcli_login | default() }}
-        {{ emcli }} sync 1>/dev/null 2>&1 || ( {{ emcli }} login -username=sysman -password=${SYSMAN_PASSWORD} -force && {{ emcli }} sync ) 1>/dev/null 2>&1
-        {{ emcli }} get_targets -script -targets="%{{ host_match }}%:host;" -noheader | awk '{print $NF}' | xargs -i {{ emcli }} list -resource="Targets" -search="HOST_NAME='{}'" -search="TARGET_TYPE='oracle_database'" -search="TYPE_QUALIFIER4='Primary'" -script -columns="TARGET_NAME,HOST_NAME" -noheader | sed 's/^\([a-zA-Z0-9_\.-]*\)[[:space:]]*\([a-zA-Z0-9_\.]*\)-\([a-zA-Z0-9_\.]*\)-.*$/\1 \2 \3/'
-        {{ emcli }} get_targets -script -targets="%{{ host_match }}%:host;" -noheader | awk '{print $NF}' | xargs -i {{ emcli }} list -resource="Targets" -search="HOST_NAME='{}'" -search="TARGET_TYPE='oracle_database'" -search="TYPE_QUALIFIER4='None'" -script -columns="TARGET_NAME,HOST_NAME" -noheader | sed 's/^\([a-zA-Z0-9_\.-]*\)[[:space:]]*\([a-zA-Z0-9_\.]*\)-\([a-zA-Z0-9_\.]*\)-.*$/\1 \2 \3/'
-        {{ emcli }} get_targets -script -targets="%{{ host_match }}%:host;" -noheader | awk '{print $NF}' | xargs -i {{ emcli }} list -resource="Targets" -search="HOST_NAME='{}'" -search="TARGET_TYPE='oracle_database'" -search="TYPE_QUALIFIER4=' '" -script -columns="TARGET_NAME,HOST_NAME" -noheader | sed 's/^\([a-zA-Z0-9_\.-]*\)[[:space:]]*\([a-zA-Z0-9_\.]*\)-\([a-zA-Z0-9_\.]*\)-.*$/\1 \2 \3/'
-      register: primary
+    - name: Set Emcli Primary Databases Command
+      set_fact:
+        emcli_commands: |
+          {{ emcli }} get_targets -script -targets="%{{ host_match }}%:host;" -noheader | awk '{print $NF}' | xargs -i {{ emcli }} list -resource="Targets" -search="HOST_NAME='{}'" -search="TARGET_TYPE='oracle_database'" -search="TYPE_QUALIFIER4='Primary'" -script -columns="TARGET_NAME,HOST_NAME" -noheader | sed 's/^\([a-zA-Z0-9_\.-]*\)[[:space:]]*\([a-zA-Z0-9_\.]*\)-\([a-zA-Z0-9_\.]*\)-.*$/\1 \2 \3/';
+          {{ emcli }} get_targets -script -targets="%{{ host_match }}%:host;" -noheader | awk '{print $NF}' | xargs -i {{ emcli }} list -resource="Targets" -search="HOST_NAME='{}'" -search="TARGET_TYPE='oracle_database'" -search="TYPE_QUALIFIER4='None'" -script -columns="TARGET_NAME,HOST_NAME" -noheader | sed 's/^\([a-zA-Z0-9_\.-]*\)[[:space:]]*\([a-zA-Z0-9_\.]*\)-\([a-zA-Z0-9_\.]*\)-.*$/\1 \2 \3/';
+          {{ emcli }} get_targets -script -targets="%{{ host_match }}%:host;" -noheader | awk '{print $NF}' | xargs -i {{ emcli }} list -resource="Targets" -search="HOST_NAME='{}'" -search="TARGET_TYPE='oracle_database'" -search="TYPE_QUALIFIER4=' '" -script -columns="TARGET_NAME,HOST_NAME" -noheader | sed 's/^\([a-zA-Z0-9_\.-]*\)[[:space:]]*\([a-zA-Z0-9_\.]*\)-\([a-zA-Z0-9_\.]*\)-.*$/\1 \2 \3/';
+
+    - name: Get All Primary Databases in this Environment
+      ansible.builtin.command: >
+        {{ emcli_script }}
       environment:
-        SYSMAN_PASSWORD: "{{ sysman_password }}"
+        ACCOUNT_NAME: "{{ target_account_name }}"
+        EMCLI_COMMANDS: "{{ emcli_commands }}"
+      register: primary
       changed_when: false
 
     - name: Create Lists For Primary Databases
@@ -93,16 +110,19 @@
       set_fact:
         monitor_list: []
 
+    - name: Set Emcli ASM Instances Command
+      set_fact:
+        emcli_commands: |
+          {{ emcli }} get_targets -script -targets="%{{ host_match }}%:host;" -noheader | awk '{print $NF}' | xargs -i {{ emcli }} list -resource="Targets" -search="HOST_NAME='{}'" -search="TARGET_TYPE='osm_instance'" -script -columns="TARGET_NAME" -noheader | awk -F[_-] '{printf("%s %s %s\n",$0,$2,$3)}';
+
     # ASMSNMP is Used for ASM Instance Monitoring
     - name: Get All ASM Instances in this Environment
-      shell: |
-        . ~/.bash_profile
-        {{ emcli_login | default() }}
-        {{ emcli }} sync 1>/dev/null 2>&1 || ( {{ emcli }} login -username=sysman -password=${SYSMAN_PASSWORD} -force && {{ emcli }} sync ) 1>/dev/null 2>&1
-        {{ emcli }} get_targets -script -targets="%{{ host_match }}%:host;" -noheader | awk '{print $NF}' | xargs -i {{ emcli }} list -resource="Targets" -search="HOST_NAME='{}'" -search="TARGET_TYPE='osm_instance'" -script -columns="TARGET_NAME" -noheader | awk -F[_-] '{printf("%s %s %s\n",$0,$2,$3)}'
-      register: osm_instance
+      ansible.builtin.command: >
+        {{ emcli_script }}
       environment:
-        SYSMAN_PASSWORD: "{{ sysman_password }}"
+        ACCOUNT_NAME: "{{ target_account_name }}"
+        EMCLI_COMMANDS: "{{ emcli_commands }}"
+      register: osm_instance
       changed_when: false
 
     - name: Create Lists For ASM
@@ -130,3 +150,9 @@
       loop: "{{ monitor_list }}"
       loop_control:
         loop_var: target_env
+
+  always:
+    - name: Remove Temporary Files from Stage Area
+      file:
+        path: "{{ emcli_script }}"
+        state: absent

playbooks/oracle_password_rotation/oem_password_rotation/tasks/sync_monitoring_passwords.yml

@@ -1,12 +1,2 @@
-- name: Get OEM secrets
-  import_role:
-    name: secretsmanager-passwords
-  vars:
-    secretsmanager_passwords: "{{ oem_secretsmanager_passwords }}"
-
-- name: Set Variable For SYSMAN Password
-  set_fact:
-    sysman_password: "{{ secretsmanager_passwords_dict['oem'].passwords['sysman'] }}"
-
 - name: Update the OEM Targets to Match the Secrets
   include_tasks: set_monitoring_passwords.yml