Add elasticsearch_role module

Author: Tobias Bauriedel

molecule/elasticsearch_test_modules/converge.yml

@@ -0,0 +1,50 @@
+---
+# The workaround for arbitrarily named role directory is important because the git repo has one name and the role within it another
+# Found at: https://github.com/ansible-community/molecule/issues/1567#issuecomment-436876722
+- name: Converge
+  collections:
+    - netways.elasticstack
+  hosts: all
+  vars:
+    #elasticsearch_security: true # needed for tests of > 7 releases
+    elasticstack_full_stack: false
+    elasticsearch_jna_workaround: true
+    elasticsearch_disable_systemcallfilterchecks: true
+    elasticstack_release: 8
+    elasticsearch_heap: "1"
+    elasticstack_no_log: false
+  tasks:
+    - name: Include Elastics repos role
+      ansible.builtin.include_role:
+        name: repos
+    - name: Include Elasticsearch
+      ansible.builtin.include_role:
+        name: elasticsearch
+
+    - name: Fetch Elastic password # noqa: risky-shell-pipe
+      ansible.builtin.shell: >
+        if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
+        grep "PASSWORD elastic" /usr/share/elasticsearch/initial_passwords |
+        awk {' print $4 '}
+      register: elasticstack_password
+      changed_when: false
+
+    - name: Create role
+      netways.elasticstack.elasticsearch_role:
+        name: new-role3
+        cluster:
+          - manage_own_api_key
+          - delegate_pki
+        indicies:
+          - names:
+              - foobar321
+              - barfoo123
+            privileges:
+              - read
+              - write
+        state: present
+        host: https://localhost:9200
+        auth_user: elastic
+        auth_pass: "{{ elasticstack_password.stdout }}"
+        verify_certs: false
+        ca_certs: /etc/elasticsearch/certs/http_ca.crt

molecule/elasticsearch_test_modules/molecule.yml

@@ -0,0 +1,34 @@
+---
+dependency:
+  name: galaxy
+  options:
+    requirements-file: requirements.yml
+driver:
+  name: docker
+platforms:
+  - name: elasticsearch_default1
+    groups:
+      - elasticsearch
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian11}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    cgroupns_mode: host
+    privileged: true
+    pre_build_image: true
+  #- name: elasticsearch_default2
+  #  groups:
+  #    - elasticsearch
+  #  image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian11}-ansible:latest"
+  #  command: ${MOLECULE_DOCKER_COMMAND:-""}
+  #  volumes:
+  #    - /sys/fs/cgroup:/sys/fs/cgroup:rw
+  #  cgroupns_mode: host
+  #  privileged: true
+  #  pre_build_image: true
+provisioner:
+  name: ansible
+  env:
+    ANSIBLE_VERBOSITY: 3
+verifier:
+  name: ansible

molecule/elasticsearch_test_modules/prepare.yml

@@ -0,0 +1,23 @@
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: Install packages for Debian
+      ansible.builtin.apt:
+        name:
+          - gpg
+          - gpg-agent
+          - procps
+          - curl
+          - iproute2
+          - git
+          - openssl
+          - python3
+        update_cache: yes
+
+    - name: Install python module dependencies
+      ansible.builtin.pip:
+        name: "{{ item }}"
+      loop:
+        - elasticsearch
+        - certifi

molecule/elasticsearch_test_modules/requirements.yml

@@ -0,0 +1,3 @@
+---
+collections:
+  - community.general

plugins/module_utils/api.py

@@ -0,0 +1,74 @@
+# !/usr/bin/python3
+
+# Copyright (c) 2024, Tobias Bauriedel <tobias.bauriedel@netways.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or
+# https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from asyncio.constants import SENDFILE_FALLBACK_READBUFFER_SIZE
+from elasticsearch import Elasticsearch
+import ssl
+
+def new_client_basic_auth(host, auth_user, auth_pass, ca_certs, verify_certs) -> Elasticsearch:
+    ctx = ssl.create_default_context(cafile=ca_certs)
+    ctx.check_hostname = False
+    ctx.verify_mode = False
+    return Elasticsearch(hosts=[host], basic_auth=(auth_user, auth_pass), ssl_context=ctx, verify_certs=verify_certs)
+
+
+class Role():
+    def __init__(self, result, role_name, cluster, indicies, state, host, auth_user, auth_pass, verify_certs, ca_certs):
+        self.role_name = role_name
+        self.cluster = cluster
+        self.indicies = indicies
+        self.state = state
+        self.result = result
+
+        if auth_user == "" or auth_pass == "":
+            result['stderr'] = "'basic_auth' for authentication defined but 'auth_user' or auth_pass' is empty"
+            return
+        self.client = new_client_basic_auth(host=host, auth_user=auth_user, auth_pass=auth_pass, verify_certs=verify_certs, ca_certs=ca_certs)
+
+        self.handle()
+
+
+    def return_result(self) -> dict:
+        return self.result
+  
+
+    def handle(self):
+        if self.state == 'absent':
+            res = self.delete()
+            if res['found'] == True:
+                self.result['changed'] = True
+                self.result['msg'] = self.role_name + " has been deleted."
+            return
+
+        elif self.state == 'present':
+            pre_role = self.get()
+            self.result['foo1'] = pre_role.raw
+            res = self.put()
+
+            if res.raw['role']['created'] == True:
+                self.result['changed'] = True
+                self.result['msg'] = self.role_name + " has been created."
+                return
+
+            self.result['foo2'] = self.get().raw
+            if pre_role.raw != self.get().raw:
+                self.result['changed'] = True
+                self.result['msg'] = self.role_name + " has been updated"
+                return
+        
+        return
+        
+
+    def get(self):
+        return self.client.security.get_role(name=self.role_name)
+
+
+    def put(self):                
+        return self.client.security.put_role(name=self.role_name, cluster=self.cluster, indices=self.indicies)
+
+    
+    def delete(self):
+        return self.client.security.delete_role(name=self.role_name)

plugins/modules/elasticsearch_role.py

@@ -0,0 +1,80 @@
+#!/usr/bin/python
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible_collections.netways.elasticstack.plugins.module_utils.api import (
+    Role
+)
+
+def run_module():
+    '''
+    Elasticsearch user management.
+
+    ```
+    netways.elasticstack.elasticsearch_role:
+        name: new-role
+        cluster:
+          - manage_own_api_key
+          - delegate_pki
+        indicies:
+          - names:
+              - foobar
+            privileges:
+              - read
+              - write
+        state: present
+        host: https://localhost:9200
+        auth_user: elastic
+        auth_pass: changeMe123!
+        verify_certs: false
+        ca_certs: /etc/elasticsearch/certs/http_ca.crt
+    ```
+    '''
+
+    # get role
+    # https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-get-role.html
+
+    # create or update role
+    # https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-put-role.html
+
+    module = AnsibleModule(
+        argument_spec=dict(
+            name=dict(type=str, required=True),
+            cluster=dict(type=list, required=False),
+            indicies=dict(type=list, required=False), # indicies.{n}.name, indicies.{n}.privileges
+            state=dict(type=str, required=False, default='present'),
+            host=dict(type=str, required=True),
+            auth_user=dict(type=str, required=True),
+            auth_pass=dict(type=str, required=True),
+            ca_certs=dict(type=str, required=False),
+            verify_certs=dict(type=bool, required=False, default=True)
+        )
+    )
+
+    result = dict(
+        failed=False,
+        changed=False
+    )
+
+    role = Role(
+        result=result, 
+        role_name=module.params['name'], 
+        cluster=module.params['cluster'],
+        indicies=module.params['indicies'],
+        state=module.params['state'],
+        host=module.params['host'],
+        auth_user=module.params['auth_user'],
+        auth_pass=module.params['auth_pass'],
+        ca_certs=module.params['ca_certs'],
+        verify_certs=module.params['verify_certs'],
+    )
+
+    result = role.return_result()
+
+    module.exit_json(**result)
+
+
+if __name__ == "__main__":
+    run_module()

plugins/modules/elasticsearch_user.py

@@ -0,0 +1,80 @@
+#!/usr/bin/python
+
+# Copyright (c) 2024, Tobias Bauriedel <tobias.bauriedel@netways.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or
+# https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible_collections.netways.elasticstack.plugins.module_utils.elasticsearch_api import (
+    UserObject,
+)
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+
+def run_module():
+    '''
+    Elasticsearch user management.
+    '''
+
+    # https://github.com/NETWAYS/ansible-collection-elasticstack/blob/main/roles/logstash/tasks/logstash-security.yml#L405-L472
+
+    # get user
+    # https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-get-user.html
+
+    # create or update user
+    # https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-put-user.html
+
+    # delete user
+    # https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-delete-user.html
+
+    # enable user
+    # https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-enable-user.html
+
+    # disable user
+    # https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-disable-user.html
+
+    module = AnsibleModule(
+        argument_spec=dict(
+            name=dict(type=str, required=True),
+            fullname=dict(type=str, required=False),
+            password=dict(type=str, required=True),
+            email=dict(type=str, required=False),
+            roles=dict(type=list, required=True),
+            metadata=dict(type=dict, required=False),
+            state=dict(type=str, required=False, default="present"), # 'present' or 'absent'
+            enabled=dict(type=bool, required=False, default=True), # True=enabled & False=disabled
+            endpoint=dict(type=str, required=False, default="https://localhost:9200"),
+            ca=dict(type=str, required=True), # Path to ca to authenticate API requests
+            es_version=dict(type=int, required=False, default=8), # Elasticsearch version
+        )
+    )
+
+    # Check if provided state is valid
+    valid_states = list("present", "absent")
+    if module.params['state'] not in valid_states:
+        module.exit_json(
+            failed=True,
+            changed=False,
+            stderr="Invalid state provided. Use 'present' or 'absent."
+        )
+
+    user = UserObject(module)
+
+    module.exit_json(
+        debug=user
+    )
+
+    # Block 1
+        # if (current state == configured state) && (current properties == configured properties) -> exit
+
+        # if (current enabled != configured enable) -> change
+
+        # if current state != configured state -> create or delete (based on configured state)
+
+        # if (current state == configured state) && (current properties != configured properties) -> update user properties
+
+    # Block 2
+
+if __name__ == "__main__":
+    run_module()