add possibility to disable user/role creation in logstash (#328)

Tobias Bauriedel · widhalmt · web-flow · commit 47976997469c · 2024-06-10T13:58:09.000Z
* Add possibility to disable user/role creation in logstash * I have also renamed the var `logstash_user` to `logstash_user_name` to have the same schema as for `logstash_role_name` Implemented for #320 --------- Co-authored-by: Thomas Widhalm <thomas.widhalm@netways.de>
diff --git a/docs/role-logstash.md b/docs/role-logstash.md
@@ -69,10 +69,12 @@ Aside from `logstash.yml` we can manage Logstashs pipelines.
 * *logstash_cert_will_expire_soon*: Set it to true to renew logstash certificate (default: `false`), Or run the playbook with `--tags renew_logstash_cert` to do that.
 * *logstash_elasticsearch*: Address of Elasticsearch instance for default output (default: list of Elasticsearch nodes from `elasticsearch` role or `localhost` when used standalone)
 * *logstash_security*: Enable X-Security (No default set, but will be activated when in full stack mode)
-* *logstash_user*: Name of the user to connect to Elasticsearch (Default: `logstash_writer`)
-* *logstash_user_email*: email-address that is linked with the logstash_user (Default: `""`)
-* *logstash_user_fullname*: fullname that is linked with the logstash_user (Default: `Internal Logstash User`)
-* *logstash_user_password*: Password of `logstash_user` in Elasticsearch. It must be at least 6 characters long (default: `password`)
+* *logstash_create_user*: Enables creation `logstash_user_name` (Default: `true`)
+* *logstash_user_name*: Name of the user to connect to Elasticsearch (Default: `logstash_writer`)
+* *logstash_user_email*: email-address that is linked with the logstash_user_name (Default: `""`)
+* *logstash_user_fullname*: fullname that is linked with the logstash_user_name (Default: `Internal Logstash User`)
+* *logstash_user_password*: Password of `logstash_user_name` in Elasticsearch. It must be at least 6 characters long (default: `password`)
+* *logstash_create_role*: Enables creation `logstash_role_name` (Default: `true`)
 * *logstash_role_name*: Name of the logstash role that is getting created (Default: `logstash_writer`)
 * *logstash_role_cluster_privileges*: Cluster privileges the role has access to (default: `"manage_index_templates", "monitor", "manage_ilm"`)
 * *logstash_role_indicies_names*: Indices the role has access to (default: `"ecs-logstash*", "logstash*", "logs*"`)
diff --git a/roles/logstash/defaults/main.yml b/roles/logstash/defaults/main.yml
@@ -44,7 +44,9 @@ logstash_forwarder_queue_type: memory
 logstash_forwarder_queue_max_bytes: 1gb
 logstash_sniffing: false
 
-# logstash security
+# logstash role / user
+logstash_create_role: true
+logstash_role_name: logstash_writer
 logstash_role_cluster_privileges:
   - manage_index_templates
   - monitor
@@ -60,13 +62,14 @@ logstash_role_indicies_privileges:
   - create_index
   - manage
   - manage_ilm
-logstash_role_name: logstash_writer
-logstash_user: logstash_writer
+logstash_create_user: true
+logstash_user_name: logstash_writer
 logstash_user_password: password
 logstash_user_email: ""
 logstash_user_fullname: "Internal Logstash User"
 logstash_reset_writer_role: true
 
+# logstash security
 logstash_tls_key_passphrase: LogstashChangeMe
 logstash_certs_dir: /etc/logstash/certs
 logstash_cert_validity_period: 1095
diff --git a/roles/logstash/tasks/logstash-security.yml b/roles/logstash/tasks/logstash-security.yml
@@ -376,10 +376,11 @@
     auth_pass: "{{ logstash_elasticstack_password.stdout }}"
     verify_certs: true
     ca_certs: "{{ logstash_certs_dir }}/ca.crt"
+  when: logstash_create_role | bool
 
-- name: Create logstash user {{ logstash_user }}
+- name: Create logstash user {{ logstash_user_name }}
   netways.elasticstack.elasticsearch_user:
-    name: "{{ logstash_user }}"
+    name: "{{ logstash_user_name }}"
     fullname: "{{ logstash_user_fullname }}"
     password: "{{ logstash_user_password }}"
     email: "{{ logstash_user_email }}"
@@ -392,3 +393,4 @@
     auth_pass: "{{ logstash_elasticstack_password.stdout }}"
     verify_certs: false
     ca_certs: "{{ logstash_certs_dir }}/ca.crt"
+  when: logstash_create_user | bool
diff --git a/roles/logstash/templates/elasticsearch-output.conf.j2 b/roles/logstash/templates/elasticsearch-output.conf.j2
@@ -36,7 +36,7 @@ output {
     keystore_password => "{{ logstash_tls_key_passphrase }}"
     cacert => "{{ logstash_certs_dir }}/ca.crt"
     ssl => true
-    user => "{{ logstash_user }}"
+    user => "{{ logstash_user_name }}"
     password => "{{ logstash_user_password }}"
 {% endif %}
   }

Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ output {`
`36`	`36`	`keystore_password => "{{ logstash_tls_key_passphrase }}"`
`37`	`37`	`cacert => "{{ logstash_certs_dir }}/ca.crt"`
`38`	`38`	`ssl => true`
`39`		`- user => "{{ logstash_user }}"`
	`39`	`+ user => "{{ logstash_user_name }}"`
`40`	`40`	`password => "{{ logstash_user_password }}"`
`41`	`41`	`{% endif %}`
`42`	`42`	`}`