From 5c2ee70efa8f61a0059806eac3b8fe78c6f4d132 Mon Sep 17 00:00:00 2001
From: Klaus Zerwes
Date: Mon, 22 Jan 2024 11:33:48 +0100
Subject: [PATCH 1/6] make elasticsearch group name configurable
---
README.md | 2 +-
molecule/elasticsearch_no-security/verify.yml | 7 ++++---
molecule/elasticstack_default/verify.yml | 17 +++++++++--------
molecule/logstash_full_stack-oss/verify.yml | 8 ++++----
roles/beats/defaults/main.yml | 2 ++
roles/beats/tasks/main.yml | 4 ++--
roles/beats/templates/auditbeat.yml.j2 | 4 ++--
roles/beats/templates/filebeat.yml.j2 | 4 ++--
roles/beats/templates/metricbeat.yml.j2 | 4 ++--
roles/elasticsearch/defaults/main.yml | 2 ++
.../tasks/elasticsearch-security.yml | 16 ++++++++--------
.../templates/elasticsearch.yml.j2 | 10 +++++-----
roles/elasticsearch/templates/instances.j2 | 2 +-
roles/kibana/defaults/main.yml | 2 ++
roles/kibana/tasks/kibana-security.yml | 4 ++--
roles/kibana/tasks/main.yml | 6 +++---
roles/logstash/defaults/main.yml | 2 ++
roles/logstash/tasks/logstash-security.yml | 4 ++--
roles/logstash/tasks/main.yml | 6 +++---
roles/repos/defaults/main.yml | 2 ++
20 files changed, 60 insertions(+), 48 deletions(-)
diff --git a/README.md b/README.md
index b401cb14..3749e216 100644
--- a/README.md
+++ b/README.md
@@ -120,7 +120,7 @@ There are some comments in the Playbook. Either fill them with the correct value ### Inventory -_Note_: The roles rely on hardcoded group names for placing services on hosts. Please make sure you have groups named `elasticsearch`, `logstash` and `kibana` in your Ansible inventory. Hosts in these groups will get the respective services. Just restricting your plays to the appropriate hosts will not work because the roles interact with hosts from other groups e.g. for certificate generation. +_Note_: The roles rely on hardcoded group names for placing services on hosts. Please make sure you have groups named `elasticsearch` (or define your desired group name using the var `elasticsearch_group_name`), `logstash` and `kibana` in your Ansible inventory. Hosts in these groups will get the respective services. Just restricting your plays to the appropriate hosts will not work because the roles interact with hosts from other groups e.g. for certificate generation. The execution order of the roles is important! (see below) diff --git a/molecule/elasticsearch_no-security/verify.yml b/molecule/elasticsearch_no-security/verify.yml index 90cdacae..1018f56e 100644 --- a/molecule/elasticsearch_no-security/verify.yml +++ b/molecule/elasticsearch_no-security/verify.yml @@ -5,6 +5,7 @@ hosts: all vars: elasticstack_elasticsearch_http_port: 9200 + elasticsearch_group_name: elasticsearch tasks: # Remember, this is the no-security scenario. So no https @@ -19,7 +20,7 @@ until: result.json.status == "green" retries: 6 delay: 10 - when: groups['elasticsearch'] | length > 1 + when: groups[elasticsearch_group_name] | length > 1 - name: Node check ansible.builtin.uri: @@ -29,7 +30,7 @@ status_code: 200 validate_certs: false register: nodes - when: groups['elasticsearch'] | length > 1 + when: groups[elasticsearch_group_name] | length > 1 - name: Check if all Nodes see each other ansible.builtin.assert: 
@@ -38,4 +39,4 @@ fail_msg: "'{{ item }}' was not found in nodes.content" success_msg: "'{{ item }}' was found in nodes.content" with_inventory_hostnames: all - when: groups['elasticsearch'] | length > 1 + when: groups[elasticsearch_group_name] | length > 1 diff --git a/molecule/elasticstack_default/verify.yml b/molecule/elasticstack_default/verify.yml index 110673d4..d5158d3b 100644 --- a/molecule/elasticstack_default/verify.yml +++ b/molecule/elasticstack_default/verify.yml @@ -5,6 +5,7 @@ vars: elasticstack_elasticsearch_http_port: 9200 elasticstack_initial_passwords: /usr/share/elasticsearch/initial_passwords + elasticsearch_group_name: elasticsearch tasks: - name: Run Logstash syntax check @@ -22,7 +23,7 @@ - name: Set elasticsearch_ca variable if not already done by user ansible.builtin.set_fact: - elasticsearch_ca: "{{ groups['elasticsearch'][0] }}" + elasticsearch_ca: "{{ groups[elasticsearch_group_name][0] }}" when: elasticsearch_ca is undefined - name: fetch Elastic password 
@@ -42,22 +43,22 @@ sort -n | tail -1 register: logstash_count - when: "'elasticsearch' in group_names" + when: "elasticsearch_group_name is defined and elasticsearch_group_name in group_names" - name: Show full output ansible.builtin.debug: var: logstash_count - when: "'elasticsearch' in group_names" + when: "elasticsearch_group_name is defined and elasticsearch_group_name in group_names" - name: Fail when logstash index is empty ansible.builtin.fail: msg: "Logstash Index is empty" - when: "'elasticsearch' in group_names and logstash_count.stdout == 0" + when: "elasticsearch_group_name is defined and elasticsearch_group_name in group_names and logstash_count.stdout == 0" - name: Show number of received events ansible.builtin.debug: msg: "Elasticsearch received {{ logstash_count.stdout }} events so far" - when: "'elasticsearch' in group_names" + when: "elasticsearch_group_name is defined and elasticsearch_group_name in group_names" - name: Run Kibana checks when: "'kibana' in group_names" @@ -112,7 +113,7 @@ until: result.json.status == "green" retries: 6 delay: 10 - when: groups['elasticsearch'] | length > 1 + when: groups[elasticsearch_group_name] | length > 1 - name: Elasticsearch Node check ansible.builtin.uri: @@ -125,7 +126,7 @@ status_code: 200 validate_certs: false register: nodes - when: groups['elasticsearch'] | length > 1 + when: groups[elasticsearch_group_name] | length > 1 - name: Check if all Nodes see each other ansible.builtin.assert: @@ -134,5 +135,5 @@ fail_msg: "'{{ item }}' was not found in nodes.content" success_msg: "'{{ item }}' was found in nodes.content" with_inventory_hostnames: all - when: groups['elasticsearch'] | length > 1 + when: groups[elasticsearch_group_name] | length > 1 diff --git a/molecule/logstash_full_stack-oss/verify.yml b/molecule/logstash_full_stack-oss/verify.yml index 557b63b9..37a150f2 100644 --- a/molecule/logstash_full_stack-oss/verify.yml +++ b/molecule/logstash_full_stack-oss/verify.yml 
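Review bot: In the `Fail when logstash index is empty` task the rewritten condition still ends in `logstash_count.stdout == 0`, which compares the registered stdout string with an integer and is therefore never true, so the task cannot fail even when no events arrived. Casting first makes the check effective: `logstash_count.stdout | int == 0`. The same comparison is carried over in the molecule/logstash_full_stack-oss/verify.yml hunk. The command task that registers `logstash_count` begins above this hunk, so its output is assumed to be a bare number.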
@@ -25,16 +25,16 @@ sort -n | tail -1 register: logstash_count - when: "'elasticsearch' in group_names" + when: "elasticsearch_group_name is defined and elasticsearch_group_name in group_names" - name: Show full output ansible.builtin.debug: var: logstash_count - when: "'elasticsearch' in group_names" + when: "elasticsearch_group_name is defined and elasticsearch_group_name in group_names" - name: Fail when logstash is empty ansible.builtin.fail: msg: "Logstash Index is empty" - when: "'elasticsearch' in group_names and logstash_count.stdout == 0" + when: "elasticsearch_group_name is defined and elasticsearch_group_name in group_names and logstash_count.stdout == 0" - name: Show number of received events ansible.builtin.debug: msg: "Elasticsearch received {{ logstash_count.stdout }} events so far" - when: "'elasticsearch' in group_names" + when: "elasticsearch_group_name is defined and elasticsearch_group_name in group_names" diff --git a/roles/beats/defaults/main.yml b/roles/beats/defaults/main.yml index 5708617b..8cadf881 100644 --- a/roles/beats/defaults/main.yml +++ b/roles/beats/defaults/main.yml @@ -63,6 +63,8 @@ elasticstack_full_stack: true elasticstack_variant: elastic elasticstack_security: true +elasticsearch_group_name: elasticsearch + elasticstack_ca_dir: /opt/es-ca elasticstack_ca_pass: PleaseChangeMe elasticstack_initial_passwords: /usr/share/elasticsearch/initial_passwords diff --git a/roles/beats/tasks/main.yml b/roles/beats/tasks/main.yml index cce08b9e..2e23f17e 100644 --- a/roles/beats/tasks/main.yml +++ b/roles/beats/tasks/main.yml @@ -27,11 +27,11 @@ - name: Set elasticstack_ca variable if not already done by user ansible.builtin.set_fact: - elasticstack_ca: "{{ groups['elasticsearch'][0] }}" + elasticstack_ca: "{{ groups[elasticsearch_group_name][0] }}" when: - beats_security | bool - elasticstack_ca is undefined - - groups['elasticsearch'] is defined + - groups[elasticsearch_group_name] is defined tags: - certificates - renew_ca 
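Review bot: The `elasticsearch_group_name is defined and …` guard on all four tasks turns an unset variable into skipped checks rather than a failure, and this file's hunk adds no `elasticsearch_group_name` entry under the play's `vars:` the way the other two verify playbooks do. Unless the scenario supplies the variable elsewhere (not visible here), the event-count verification is skipped and the scenario still passes. Either add `elasticsearch_group_name: elasticsearch` to the play vars, or replace the guard with `elasticsearch_group_name | default('elasticsearch') in group_names`.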
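Review bot: `elasticsearch_group_name` in roles/beats/defaults/main.yml is added without a comment, and the same default is repeated in the elasticsearch, kibana, logstash and repos role defaults. Each role resolves the CA host and the Elasticsearch host list from this name, so an override passed to only one role would leave the others on `elasticsearch`. A comment above the variable would help, e.g. `# Inventory group holding the Elasticsearch nodes; override at inventory or play level so every role sees the same value`.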
diff --git a/roles/beats/templates/auditbeat.yml.j2 b/roles/beats/templates/auditbeat.yml.j2 index 3a72c505..46a15a93 100644 --- a/roles/beats/templates/auditbeat.yml.j2 +++ b/roles/beats/templates/auditbeat.yml.j2 @@ -33,7 +33,7 @@ setup.kibana: output.elasticsearch: {% if elasticsearch_http_security | bool %} {% if elasticstack_full_stack | bool %} - hosts: [ {% for host in groups['elasticsearch'] %}"https://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] + hosts: [ {% for host in groups[elasticsearch_group_name] %}"https://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% else %} hosts: [ {% for host in beats_target_hosts %}"https://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% endif %} @@ -44,7 +44,7 @@ output.elasticsearch: ssl.certificate_authorities: ["/etc/beats/certs/ca.crt"] {% else %} {% if elasticstack_full_stack | bool %} - hosts: [ {% for host in groups['elasticsearch'] %}"http://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] + hosts: [ {% for host in groups[elasticsearch_group_name] %}"http://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% else %} hosts: [ {% for host in beats_target_hosts %}"http://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% endif %} diff --git a/roles/beats/templates/filebeat.yml.j2 b/roles/beats/templates/filebeat.yml.j2 index 96bfebbe..166ed5a3 100644 --- a/roles/beats/templates/filebeat.yml.j2 +++ b/roles/beats/templates/filebeat.yml.j2 
@@ -108,7 +108,7 @@ setup.kibana: output.elasticsearch: {% if beats_security | bool %} {% if elasticstack_full_stack | bool %} - hosts: [ {% for host in groups['elasticsearch'] %}"https://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] + hosts: [ {% for host in groups[elasticsearch_group_name] %}"https://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% else %} hosts: [ {% for host in beats_target_hosts %}"https://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% endif %} @@ -119,7 +119,7 @@ output.elasticsearch: ssl.certificate_authorities: ["/etc/beats/certs/ca.crt"] {% else %} {% if elasticstack_full_stack | bool %} - hosts: [ {% for host in groups['elasticsearch'] %}"http://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] + hosts: [ {% for host in groups[elasticsearch_group_name] %}"http://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% else %} hosts: [ {% for host in beats_target_hosts %}"http://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% endif %} diff --git a/roles/beats/templates/metricbeat.yml.j2 b/roles/beats/templates/metricbeat.yml.j2 index 86186f35..10edc51e 100644 --- a/roles/beats/templates/metricbeat.yml.j2 +++ b/roles/beats/templates/metricbeat.yml.j2 
@@ -10,7 +10,7 @@ setup.kibana: output.elasticsearch: {% if elasticsearch_http_security | bool %} {% if elasticstack_full_stack | bool %} - hosts: [ {% for host in groups['elasticsearch'] %}"https://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] + hosts: [ {% for host in groups[elasticsearch_group_name] %}"https://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% else %} hosts: [ {% for host in beats_target_hosts %}"https://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% endif %} @@ -21,7 +21,7 @@ output.elasticsearch: ssl.certificate_authorities: ["/etc/beats/certs/ca.crt"] {% else %} {% if elasticstack_full_stack | bool %} - hosts: [ {% for host in groups['elasticsearch'] %}"http://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] + hosts: [ {% for host in groups[elasticsearch_group_name] %}"http://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% else %} hosts: [ {% for host in beats_target_hosts %}"http://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% endif %} diff --git a/roles/elasticsearch/defaults/main.yml b/roles/elasticsearch/defaults/main.yml index 3f531606..a0ba0829 100644 --- a/roles/elasticsearch/defaults/main.yml +++ b/roles/elasticsearch/defaults/main.yml @@ -61,3 +61,5 @@ elasticstack_full_stack: true elasticstack_variant: elastic elasticstack_elasticsearch_http_port: 9200 elasticstack_no_log: true + +elasticsearch_group_name: elasticsearch diff --git a/roles/elasticsearch/tasks/elasticsearch-security.yml b/roles/elasticsearch/tasks/elasticsearch-security.yml index 48bcb2aa..babdfe40 100644 --- a/roles/elasticsearch/tasks/elasticsearch-security.yml +++ b/roles/elasticsearch/tasks/elasticsearch-security.yml 
@@ -14,7 +14,7 @@ - name: Set elasticstack_ca variable if not already done by user ansible.builtin.set_fact: - elasticstack_ca: "{{ groups['elasticsearch'][0] }}" + elasticstack_ca: "{{ groups[elasticsearch_group_name][0] }}" when: elasticstack_ca is undefined tags: - certificates @@ -267,7 +267,7 @@ --dns {{ hostvars[item].ansible_hostname }},{{ hostvars[item].ansible_fqdn }},{{ hostvars[item].inventory_hostname }} --pass {{ elasticsearch_tls_key_passphrase }} --out {{ elasticstack_ca_dir }}/{{ hostvars[item].ansible_hostname }}.p12 - loop: "{{ groups['elasticsearch'] }}" + loop: "{{ groups[elasticsearch_group_name] }}" no_log: "{{ elasticstack_no_log }}" args: creates: "{{ elasticstack_ca_dir }}/{{ hostvars[item].ansible_hostname }}.p12" @@ -356,7 +356,7 @@ - name: Wait for all instances to start ansible.builtin.include_tasks: wait_for_instance.yml - loop: "{{ groups['elasticsearch'] }}" + loop: "{{ groups[elasticsearch_group_name] }}" - name: Restart if Elasticsearch was already running when: @@ -372,7 +372,7 @@ - name: Wait for all instances to start ansible.builtin.include_tasks: wait_for_instance.yml - loop: "{{ groups['elasticsearch'] }}" + loop: "{{ groups[elasticsearch_group_name] }}" tags: - certificates - renew_ca @@ -400,7 +400,7 @@ no_log: "{{ elasticstack_no_log }}" when: - not elasticsearch_passwords_file.stat.exists | bool - - groups['elasticsearch'] | length > 1 + - groups[elasticsearch_group_name] | length > 1 until: elasticsearch_api_status_bootstrap.json.cluster_name is defined retries: 5 delay: 10 @@ -419,7 +419,7 @@ no_log: "{{ elasticstack_no_log }}" when: - not elasticsearch_passwords_file.stat.exists | bool - - groups['elasticsearch'] | length > 1 + - groups[elasticsearch_group_name] | length > 1 until: elasticsearch_cluster_status_bootstrap.json.status == "green" retries: 5 delay: 10 
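Review bot: `groups[elasticsearch_group_name][0]` in the first hunk is guarded only by `elasticstack_ca is undefined`, so a group name that is missing from the inventory, or an empty group, surfaces as a templating error at the point where the CA host is chosen. Now that the name is user-supplied, an explicit check ahead of this task would give a clear message; the certificate and wait loops in the later hunks of this file depend on the same lookup. The task file begins before this hunk, so the position of the check is assumed rather than visible.

```yaml
- name: Check that the Elasticsearch inventory group exists
  ansible.builtin.assert:
    that:
      - elasticsearch_group_name in groups
      - groups[elasticsearch_group_name] | length > 0
    fail_msg: "Inventory group '{{ elasticsearch_group_name }}' is missing or empty"

- name: Set elasticstack_ca variable if not already done by user
  # … unchanged: set_fact, when, tags …
```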
@@ -446,7 +446,7 @@ no_log: "{{ elasticstack_no_log }}" when: - elasticsearch_passwords_file.stat.exists | bool - - groups['elasticsearch'] | length > 1 + - groups[elasticsearch_group_name] | length > 1 until: elasticsearch_api_status.json.cluster_name is defined retries: 20 delay: 10 @@ -497,7 +497,7 @@ no_log: "{{ elasticstack_no_log }}" when: - elasticsearch_passwords_file.stat.exists | bool - - groups['elasticsearch'] | length > 1 + - groups[elasticsearch_group_name] | length > 1 until: elasticsearch_cluster_status.json.status == "green" retries: 20 delay: 10 diff --git a/roles/elasticsearch/templates/elasticsearch.yml.j2 b/roles/elasticsearch/templates/elasticsearch.yml.j2 index 1ae60acb..64361b84 100644 --- a/roles/elasticsearch/templates/elasticsearch.yml.j2 +++ b/roles/elasticsearch/templates/elasticsearch.yml.j2 
@@ -18,23 +18,23 @@ http.publish_port: {{ elasticsearch_http_publish_port }} node.roles: [ {% for type in elasticsearch_node_types %}{{ type }}{% if not loop.last %}, {% endif %}{% endfor %} ] {% endif %} -{% if elasticstack_release | int > 7 and groups['elasticsearch'] | length == 1 %} +{% if elasticstack_release | int > 7 and groups[elasticsearch_group_name] | length == 1 %} discovery.type: single-node {% endif %} -{% if elasticstack_release | int < 8 or groups['elasticsearch'] | length > 1 %} -discovery.seed_hosts: [ {% for host in groups['elasticsearch'] %} +{% if elasticstack_release | int < 8 or groups[elasticsearch_group_name] | length > 1 %} +discovery.seed_hosts: [ {% for host in groups[elasticsearch_group_name] %} "{{ hostvars[host].ansible_default_ipv4.address | default(hostvars[host].ansible_all_ipv4_addresses[0]) }}"{% if not loop.last %},{% endif %} {% endfor %} ] {% endif %} -{% if not elaticsearch_cluster_set_up | bool and groups['elasticsearch'] | length > 1 %} +{% if not elaticsearch_cluster_set_up | bool and groups[elasticsearch_group_name] | length > 1 %} {% if elasticsearch_node_types is defined %} cluster.initial_master_nodes: [ {% for host in groups['elasticsearch_role_master'] %} "{{ hostvars[host].ansible_hostname }}"{% if not loop.last %},{% endif %} {% endfor %} ] {% else %} -cluster.initial_master_nodes: [ {% for host in groups['elasticsearch'] %} +cluster.initial_master_nodes: [ {% for host in groups[elasticsearch_group_name] %} "{{ hostvars[host].ansible_hostname }}"{% if not loop.last %},{% endif %} {% endfor %} ] {% endif %} diff --git a/roles/elasticsearch/templates/instances.j2 b/roles/elasticsearch/templates/instances.j2 index bf7718d1..57be7b9a 100644 --- a/roles/elasticsearch/templates/instances.j2 +++ b/roles/elasticsearch/templates/instances.j2 
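Review bot: `cluster.initial_master_nodes` still iterates `groups['elasticsearch_role_master']` when `elasticsearch_node_types` is defined, so that branch keeps a fixed group name while every other lookup in this hunk follows `elasticsearch_group_name`. How that group is populated is not visible in this diff; if it comes from the inventory, a deployment with a custom group name still has to provide `elasticsearch_role_master` under the old prefix. A template comment such as `{# role groups keep the fixed elasticsearch_role_ prefix, independent of elasticsearch_group_name #}`, or a sentence in the README, would make that explicit.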
@@ -1,5 +1,5 @@ instances: -{% for host in groups['elasticsearch'] %} +{% for host in groups[elasticsearch_group_name] %} - name: "{{ host }}" ip: - "{{ hostvars[host].ansible_default_ipv4.address | default(hostvars[host].ansible_all_ipv4_addresses[0]) }}" diff --git a/roles/kibana/defaults/main.yml b/roles/kibana/defaults/main.yml index 7aa06f7b..50e30f77 100644 --- a/roles/kibana/defaults/main.yml +++ b/roles/kibana/defaults/main.yml @@ -28,3 +28,5 @@ elasticstack_variant: elastic elasticstack_elasticsearch_http_port: 9200 elasticstack_kibana_port: 5601 elasticstack_no_log: true + +elasticsearch_group_name: elasticsearch diff --git a/roles/kibana/tasks/kibana-security.yml b/roles/kibana/tasks/kibana-security.yml index 4bb14fbd..3a29a6e2 100644 --- a/roles/kibana/tasks/kibana-security.yml +++ b/roles/kibana/tasks/kibana-security.yml @@ -13,10 +13,10 @@ - name: Set elasticstack_ca variable if not already done by user ansible.builtin.set_fact: - elasticstack_ca: "{{ groups['elasticsearch'][0] }}" + elasticstack_ca: "{{ groups[elasticsearch_group_name][0] }}" when: - elasticstack_ca is undefined - - groups['elasticsearch'] is defined + - groups[elasticsearch_group_name] is defined tags: - certificates - renew_ca diff --git a/roles/kibana/tasks/main.yml b/roles/kibana/tasks/main.yml index 87638d4d..9f336839 100644 --- a/roles/kibana/tasks/main.yml +++ b/roles/kibana/tasks/main.yml @@ -21,10 +21,10 @@ - name: Set Elasticsearch hosts if used with other roles ansible.builtin.set_fact: - kibana_elasticsearch_hosts: "{{ groups['elasticsearch'] }}" + kibana_elasticsearch_hosts: "{{ groups[elasticsearch_group_name] }}" when: - kibana_elasticsearch_hosts is undefined - - groups['elasticsearch'] is defined + - groups[elasticsearch_group_name] is defined - name: Set Elasticsearch hosts to localhost if no other info is available ansible.builtin.set_fact: 
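Review bot: In roles/kibana/tasks/main.yml the `groups[elasticsearch_group_name] is defined` test cannot tell an inventory without an Elasticsearch group from a variable that names a group which does not exist, and in the second case the fallback task in the following hunk sets `kibana_elasticsearch_hosts` to `localhost`. With a configurable name, a typo therefore quietly points Kibana at the wrong endpoint instead of failing. roles/logstash/tasks/main.yml has the same pair of tasks for `logstash_elasticsearch`. A comment on the fallback task, `# also reached when elasticsearch_group_name matches no inventory group`, or a debug message there, would make the case visible.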
@@ -32,7 +32,7 @@ - localhost when: - kibana_elasticsearch_hosts is undefined - - groups['elasticsearch'] is undefined + - groups[elasticsearch_group_name] is undefined - name: Construct exact name of Kibana package ansible.builtin.set_fact: diff --git a/roles/logstash/defaults/main.yml b/roles/logstash/defaults/main.yml index 1941e792..3b015241 100644 --- a/roles/logstash/defaults/main.yml +++ b/roles/logstash/defaults/main.yml @@ -91,6 +91,8 @@ elasticstack_security: true elasticstack_elasticsearch_http_port: 9200 elasticstack_beats_port: 5044 +elasticsearch_group_name: elasticsearch + # Variables for debugging and development elasticstack_override_beats_tls: false diff --git a/roles/logstash/tasks/logstash-security.yml b/roles/logstash/tasks/logstash-security.yml index 5a93e9d9..8115cee8 100644 --- a/roles/logstash/tasks/logstash-security.yml +++ b/roles/logstash/tasks/logstash-security.yml @@ -13,10 +13,10 @@ - name: Set elasticstack_ca variable if not already done by user ansible.builtin.set_fact: - elasticstack_ca: "{{ groups['elasticsearch'][0] }}" + elasticstack_ca: "{{ groups[elasticsearch_group_name][0] }}" when: - elasticstack_ca is undefined - - groups['elasticsearch'] is defined + - groups[elasticsearch_group_name] is defined tags: - certificates - configuration diff --git a/roles/logstash/tasks/main.yml b/roles/logstash/tasks/main.yml index 488926b6..5b208f07 100644 --- a/roles/logstash/tasks/main.yml +++ b/roles/logstash/tasks/main.yml @@ -20,10 +20,10 @@ - name: Set Elasticsearch hosts if used with other roles ansible.builtin.set_fact: - logstash_elasticsearch: "{{ groups['elasticsearch'] }}" + logstash_elasticsearch: "{{ groups[elasticsearch_group_name] }}" when: - logstash_elasticsearch is undefined - - groups['elasticsearch'] is defined + - groups[elasticsearch_group_name] is defined tags: - configuration - logstash_configuration 
@@ -41,7 +41,7 @@ - localhost when: - logstash_elasticsearch is undefined - - groups['elasticsearch'] is undefined + - groups[elasticsearch_group_name] is undefined tags: - configuration - logstash_configuration diff --git a/roles/repos/defaults/main.yml b/roles/repos/defaults/main.yml index 0b74c5d7..d2973c56 100644 --- a/roles/repos/defaults/main.yml +++ b/roles/repos/defaults/main.yml @@ -8,3 +8,5 @@ elasticstack_rpm_workaround: false elasticstack_enable_repos: true elasticstack_no_log: true + +elasticsearch_group_name: elasticsearch From 7648992aef2b9d8373bb93e6ca0a36651a3407c9 Mon Sep 17 00:00:00 2001 From: Klaus Zerwes Date: Sat, 27 Jan 2024 11:23:11 +0100 Subject: [PATCH 2/6] renamed var: elasticsearch_group_name -> elasticstack_elasticsearch_group_name --- README.md | 2 +- molecule/elasticsearch_no-security/verify.yml | 8 ++++---- molecule/elasticstack_default/verify.yml | 18 +++++++++--------- molecule/logstash_full_stack-oss/verify.yml | 8 ++++---- roles/beats/defaults/main.yml | 2 +- roles/beats/tasks/main.yml | 4 ++-- roles/beats/templates/auditbeat.yml.j2 | 4 ++-- roles/beats/templates/filebeat.yml.j2 | 4 ++-- roles/beats/templates/metricbeat.yml.j2 | 4 ++-- roles/elasticsearch/defaults/main.yml | 2 +- .../tasks/elasticsearch-security.yml | 16 ++++++++-------- .../templates/elasticsearch.yml.j2 | 10 +++++----- roles/elasticsearch/templates/instances.j2 | 2 +- roles/kibana/defaults/main.yml | 2 +- roles/kibana/tasks/kibana-security.yml | 4 ++-- roles/kibana/tasks/main.yml | 6 +++--- roles/logstash/defaults/main.yml | 2 +- roles/logstash/tasks/logstash-security.yml | 4 ++-- roles/logstash/tasks/main.yml | 6 +++--- roles/repos/defaults/main.yml | 2 +- 20 files changed, 55 insertions(+), 55 deletions(-) diff --git a/README.md b/README.md index 3749e216..0ab1b6b0 100644 --- a/README.md +++ b/README.md 
@@ -120,7 +120,7 @@ There are some comments in the Playbook. Either fill them with the correct value ### Inventory -_Note_: The roles rely on hardcoded group names for placing services on hosts. Please make sure you have groups named `elasticsearch` (or define your desired group name using the var `elasticsearch_group_name`), `logstash` and `kibana` in your Ansible inventory. Hosts in these groups will get the respective services. Just restricting your plays to the appropriate hosts will not work because the roles interact with hosts from other groups e.g. for certificate generation. +_Note_: The roles rely on hardcoded group names for placing services on hosts. Please make sure you have groups named `elasticsearch` (or define your desired group name using the var `elasticstack_elasticsearch_group_name`), `logstash` and `kibana` in your Ansible inventory. Hosts in these groups will get the respective services. Just restricting your plays to the appropriate hosts will not work because the roles interact with hosts from other groups e.g. for certificate generation. The execution order of the roles is important! (see below) diff --git a/molecule/elasticsearch_no-security/verify.yml b/molecule/elasticsearch_no-security/verify.yml index 1018f56e..627c06b0 100644 --- a/molecule/elasticsearch_no-security/verify.yml +++ b/molecule/elasticsearch_no-security/verify.yml @@ -5,7 +5,7 @@ hosts: all vars: elasticstack_elasticsearch_http_port: 9200 - elasticsearch_group_name: elasticsearch + elasticstack_elasticsearch_group_name: elasticsearch tasks: # Remember, this is the no-security scenario. So no https @@ -20,7 +20,7 @@ until: result.json.status == "green" retries: 6 delay: 10 - when: groups[elasticsearch_group_name] | length > 1 + when: groups[elasticstack_elasticsearch_group_name] | length > 1 - name: Node check ansible.builtin.uri: 
@@ -30,7 +30,7 @@ status_code: 200 validate_certs: false register: nodes - when: groups[elasticsearch_group_name] | length > 1 + when: groups[elasticstack_elasticsearch_group_name] | length > 1 - name: Check if all Nodes see each other ansible.builtin.assert: @@ -39,4 +39,4 @@ fail_msg: "'{{ item }}' was not found in nodes.content" success_msg: "'{{ item }}' was found in nodes.content" with_inventory_hostnames: all - when: groups[elasticsearch_group_name] | length > 1 + when: groups[elasticstack_elasticsearch_group_name] | length > 1 diff --git a/molecule/elasticstack_default/verify.yml b/molecule/elasticstack_default/verify.yml index d5158d3b..7c2b570b 100644 --- a/molecule/elasticstack_default/verify.yml +++ b/molecule/elasticstack_default/verify.yml @@ -5,7 +5,7 @@ vars: elasticstack_elasticsearch_http_port: 9200 elasticstack_initial_passwords: /usr/share/elasticsearch/initial_passwords - elasticsearch_group_name: elasticsearch + elasticstack_elasticsearch_group_name: elasticsearch tasks: - name: Run Logstash syntax check @@ -23,7 +23,7 @@ - name: Set elasticsearch_ca variable if not already done by user ansible.builtin.set_fact: - elasticsearch_ca: "{{ groups[elasticsearch_group_name][0] }}" + elasticsearch_ca: "{{ groups[elasticstack_elasticsearch_group_name][0] }}" when: elasticsearch_ca is undefined - name: fetch Elastic password 
@@ -43,22 +43,22 @@ sort -n | tail -1 register: logstash_count - when: "elasticsearch_group_name is defined and elasticsearch_group_name in group_names" + when: "elasticstack_elasticsearch_group_name is defined and elasticstack_elasticsearch_group_name in group_names" - name: Show full output ansible.builtin.debug: var: logstash_count - when: "elasticsearch_group_name is defined and elasticsearch_group_name in group_names" + when: "elasticstack_elasticsearch_group_name is defined and elasticstack_elasticsearch_group_name in group_names" - name: Fail when logstash index is empty ansible.builtin.fail: msg: "Logstash Index is empty" - when: "elasticsearch_group_name is defined and elasticsearch_group_name in group_names and logstash_count.stdout == 0" + when: "elasticstack_elasticsearch_group_name is defined and elasticstack_elasticsearch_group_name in group_names and logstash_count.stdout == 0" - name: Show number of received events ansible.builtin.debug: msg: "Elasticsearch received {{ logstash_count.stdout }} events so far" - when: "elasticsearch_group_name is defined and elasticsearch_group_name in group_names" + when: "elasticstack_elasticsearch_group_name is defined and elasticstack_elasticsearch_group_name in group_names" - name: Run Kibana checks when: "'kibana' in group_names" @@ -113,7 +113,7 @@ until: result.json.status == "green" retries: 6 delay: 10 - when: groups[elasticsearch_group_name] | length > 1 + when: groups[elasticstack_elasticsearch_group_name] | length > 1 - name: Elasticsearch Node check ansible.builtin.uri: @@ -126,7 +126,7 @@ status_code: 200 validate_certs: false register: nodes - when: groups[elasticsearch_group_name] | length > 1 + when: groups[elasticstack_elasticsearch_group_name] | length > 1 - name: Check if all Nodes see each other ansible.builtin.assert: 
@@ -135,5 +135,5 @@ fail_msg: "'{{ item }}' was not found in nodes.content" success_msg: "'{{ item }}' was found in nodes.content" with_inventory_hostnames: all - when: groups[elasticsearch_group_name] | length > 1 + when: groups[elasticstack_elasticsearch_group_name] | length > 1 diff --git a/molecule/logstash_full_stack-oss/verify.yml b/molecule/logstash_full_stack-oss/verify.yml index 37a150f2..f4888fa6 100644 --- a/molecule/logstash_full_stack-oss/verify.yml +++ b/molecule/logstash_full_stack-oss/verify.yml @@ -25,16 +25,16 @@ sort -n | tail -1 register: logstash_count - when: "elasticsearch_group_name is defined and elasticsearch_group_name in group_names" + when: "elasticstack_elasticsearch_group_name is defined and elasticstack_elasticsearch_group_name in group_names" - name: Show full output ansible.builtin.debug: var: logstash_count - when: "elasticsearch_group_name is defined and elasticsearch_group_name in group_names" + when: "elasticstack_elasticsearch_group_name is defined and elasticstack_elasticsearch_group_name in group_names" - name: Fail when logstash is empty ansible.builtin.fail: msg: "Logstash Index is empty" - when: "elasticsearch_group_name is defined and elasticsearch_group_name in group_names and logstash_count.stdout == 0" + when: "elasticstack_elasticsearch_group_name is defined and elasticstack_elasticsearch_group_name in group_names and logstash_count.stdout == 0" - name: Show number of received events ansible.builtin.debug: msg: "Elasticsearch received {{ logstash_count.stdout }} events so far" - when: "elasticsearch_group_name is defined and elasticsearch_group_name in group_names" + when: "elasticstack_elasticsearch_group_name is defined and elasticstack_elasticsearch_group_name in group_names" diff --git a/roles/beats/defaults/main.yml b/roles/beats/defaults/main.yml index 8cadf881..37ec79a6 100644 --- a/roles/beats/defaults/main.yml +++ b/roles/beats/defaults/main.yml 
@@ -63,7 +63,7 @@ elasticstack_full_stack: true elasticstack_variant: elastic elasticstack_security: true -elasticsearch_group_name: elasticsearch +elasticstack_elasticsearch_group_name: elasticsearch elasticstack_ca_dir: /opt/es-ca elasticstack_ca_pass: PleaseChangeMe diff --git a/roles/beats/tasks/main.yml b/roles/beats/tasks/main.yml index 2e23f17e..1a5d1c6d 100644 --- a/roles/beats/tasks/main.yml +++ b/roles/beats/tasks/main.yml @@ -27,11 +27,11 @@ - name: Set elasticstack_ca variable if not already done by user ansible.builtin.set_fact: - elasticstack_ca: "{{ groups[elasticsearch_group_name][0] }}" + elasticstack_ca: "{{ groups[elasticstack_elasticsearch_group_name][0] }}" when: - beats_security | bool - elasticstack_ca is undefined - - groups[elasticsearch_group_name] is defined + - groups[elasticstack_elasticsearch_group_name] is defined tags: - certificates - renew_ca diff --git a/roles/beats/templates/auditbeat.yml.j2 b/roles/beats/templates/auditbeat.yml.j2 index 46a15a93..08d8451e 100644 --- a/roles/beats/templates/auditbeat.yml.j2 +++ b/roles/beats/templates/auditbeat.yml.j2 @@ -33,7 +33,7 @@ setup.kibana: output.elasticsearch: {% if elasticsearch_http_security | bool %} {% if elasticstack_full_stack | bool %} - hosts: [ {% for host in groups[elasticsearch_group_name] %}"https://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] + hosts: [ {% for host in groups[elasticstack_elasticsearch_group_name] %}"https://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% else %} hosts: [ {% for host in beats_target_hosts %}"https://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% endif %} 
@@ -44,7 +44,7 @@ output.elasticsearch: ssl.certificate_authorities: ["/etc/beats/certs/ca.crt"] {% else %} {% if elasticstack_full_stack | bool %} - hosts: [ {% for host in groups[elasticsearch_group_name] %}"http://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] + hosts: [ {% for host in groups[elasticstack_elasticsearch_group_name] %}"http://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% else %} hosts: [ {% for host in beats_target_hosts %}"http://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% endif %} diff --git a/roles/beats/templates/filebeat.yml.j2 b/roles/beats/templates/filebeat.yml.j2 index 166ed5a3..d5a6ce5f 100644 --- a/roles/beats/templates/filebeat.yml.j2 +++ b/roles/beats/templates/filebeat.yml.j2 @@ -108,7 +108,7 @@ setup.kibana: output.elasticsearch: {% if beats_security | bool %} {% if elasticstack_full_stack | bool %} - hosts: [ {% for host in groups[elasticsearch_group_name] %}"https://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] + hosts: [ {% for host in groups[elasticstack_elasticsearch_group_name] %}"https://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% else %} hosts: [ {% for host in beats_target_hosts %}"https://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% endif %} 
@@ -119,7 +119,7 @@ output.elasticsearch: ssl.certificate_authorities: ["/etc/beats/certs/ca.crt"] {% else %} {% if elasticstack_full_stack | bool %} - hosts: [ {% for host in groups[elasticsearch_group_name] %}"http://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] + hosts: [ {% for host in groups[elasticstack_elasticsearch_group_name] %}"http://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% else %} hosts: [ {% for host in beats_target_hosts %}"http://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% endif %} diff --git a/roles/beats/templates/metricbeat.yml.j2 b/roles/beats/templates/metricbeat.yml.j2 index 10edc51e..a8f06421 100644 --- a/roles/beats/templates/metricbeat.yml.j2 +++ b/roles/beats/templates/metricbeat.yml.j2 @@ -10,7 +10,7 @@ setup.kibana: output.elasticsearch: {% if elasticsearch_http_security | bool %} {% if elasticstack_full_stack | bool %} - hosts: [ {% for host in groups[elasticsearch_group_name] %}"https://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] + hosts: [ {% for host in groups[elasticstack_elasticsearch_group_name] %}"https://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% else %} hosts: [ {% for host in beats_target_hosts %}"https://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% endif %} 
@@ -21,7 +21,7 @@ output.elasticsearch: ssl.certificate_authorities: ["/etc/beats/certs/ca.crt"] {% else %} {% if elasticstack_full_stack | bool %} - hosts: [ {% for host in groups[elasticsearch_group_name] %}"http://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] + hosts: [ {% for host in groups[elasticstack_elasticsearch_group_name] %}"http://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% else %} hosts: [ {% for host in beats_target_hosts %}"http://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% endif %} diff --git a/roles/elasticsearch/defaults/main.yml b/roles/elasticsearch/defaults/main.yml index a0ba0829..9c3f72d5 100644 --- a/roles/elasticsearch/defaults/main.yml +++ b/roles/elasticsearch/defaults/main.yml @@ -62,4 +62,4 @@ elasticstack_variant: elastic elasticstack_elasticsearch_http_port: 9200 elasticstack_no_log: true -elasticsearch_group_name: elasticsearch +elasticstack_elasticsearch_group_name: elasticsearch diff --git a/roles/elasticsearch/tasks/elasticsearch-security.yml b/roles/elasticsearch/tasks/elasticsearch-security.yml index babdfe40..26c99c7c 100644 --- a/roles/elasticsearch/tasks/elasticsearch-security.yml +++ b/roles/elasticsearch/tasks/elasticsearch-security.yml @@ -14,7 +14,7 @@ - name: Set elasticstack_ca variable if not already done by user ansible.builtin.set_fact: - elasticstack_ca: "{{ groups[elasticsearch_group_name][0] }}" + elasticstack_ca: "{{ groups[elasticstack_elasticsearch_group_name][0] }}" when: elasticstack_ca is undefined tags: - certificates 
@@ -267,7 +267,7 @@ --dns {{ hostvars[item].ansible_hostname }},{{ hostvars[item].ansible_fqdn }},{{ hostvars[item].inventory_hostname }} --pass {{ elasticsearch_tls_key_passphrase }} --out {{ elasticstack_ca_dir }}/{{ hostvars[item].ansible_hostname }}.p12 - loop: "{{ groups[elasticsearch_group_name] }}" + loop: "{{ groups[elasticstack_elasticsearch_group_name] }}" no_log: "{{ elasticstack_no_log }}" args: creates: "{{ elasticstack_ca_dir }}/{{ hostvars[item].ansible_hostname }}.p12" @@ -356,7 +356,7 @@ - name: Wait for all instances to start ansible.builtin.include_tasks: wait_for_instance.yml - loop: "{{ groups[elasticsearch_group_name] }}" + loop: "{{ groups[elasticstack_elasticsearch_group_name] }}" - name: Restart if Elasticsearch was already running when: @@ -372,7 +372,7 @@ - name: Wait for all instances to start ansible.builtin.include_tasks: wait_for_instance.yml - loop: "{{ groups[elasticsearch_group_name] }}" + loop: "{{ groups[elasticstack_elasticsearch_group_name] }}" tags: - certificates - renew_ca @@ -400,7 +400,7 @@ no_log: "{{ elasticstack_no_log }}" when: - not elasticsearch_passwords_file.stat.exists | bool - - groups[elasticsearch_group_name] | length > 1 + - groups[elasticstack_elasticsearch_group_name] | length > 1 until: elasticsearch_api_status_bootstrap.json.cluster_name is defined retries: 5 delay: 10 @@ -419,7 +419,7 @@ no_log: "{{ elasticstack_no_log }}" when: - not elasticsearch_passwords_file.stat.exists | bool - - groups[elasticsearch_group_name] | length > 1 + - groups[elasticstack_elasticsearch_group_name] | length > 1 until: elasticsearch_cluster_status_bootstrap.json.status == "green" retries: 5 delay: 10 @@ -446,7 +446,7 @@ no_log: "{{ elasticstack_no_log }}" when: - elasticsearch_passwords_file.stat.exists | bool - - groups[elasticsearch_group_name] | length > 1 + - groups[elasticstack_elasticsearch_group_name] | length > 1 until: elasticsearch_api_status.json.cluster_name is defined retries: 20 delay: 10 
@@ -497,7 +497,7 @@ no_log: "{{ elasticstack_no_log }}" when: - elasticsearch_passwords_file.stat.exists | bool - - groups[elasticsearch_group_name] | length > 1 + - groups[elasticstack_elasticsearch_group_name] | length > 1 until: elasticsearch_cluster_status.json.status == "green" retries: 20 delay: 10 diff --git a/roles/elasticsearch/templates/elasticsearch.yml.j2 b/roles/elasticsearch/templates/elasticsearch.yml.j2 index 64361b84..72e94af8 100644 --- a/roles/elasticsearch/templates/elasticsearch.yml.j2 +++ b/roles/elasticsearch/templates/elasticsearch.yml.j2 
@@ -18,23 +18,23 @@ http.publish_port: {{ elasticsearch_http_publish_port }} node.roles: [ {% for type in elasticsearch_node_types %}{{ type }}{% if not loop.last %}, {% endif %}{% endfor %} ] {% endif %} -{% if elasticstack_release | int > 7 and groups[elasticsearch_group_name] | length == 1 %} +{% if elasticstack_release | int > 7 and groups[elasticstack_elasticsearch_group_name] | length == 1 %} discovery.type: single-node {% endif %} -{% if elasticstack_release | int < 8 or groups[elasticsearch_group_name] | length > 1 %} -discovery.seed_hosts: [ {% for host in groups[elasticsearch_group_name] %} +{% if elasticstack_release | int < 8 or groups[elasticstack_elasticsearch_group_name] | length > 1 %} +discovery.seed_hosts: [ {% for host in groups[elasticstack_elasticsearch_group_name] %} "{{ hostvars[host].ansible_default_ipv4.address | default(hostvars[host].ansible_all_ipv4_addresses[0]) }}"{% if not loop.last %},{% endif %} {% endfor %} ] {% endif %} -{% if not elaticsearch_cluster_set_up | bool and groups[elasticsearch_group_name] | length > 1 %} +{% if not elaticsearch_cluster_set_up | bool and groups[elasticstack_elasticsearch_group_name] | length > 1 %} {% if elasticsearch_node_types is defined %} cluster.initial_master_nodes: [ {% for host in groups['elasticsearch_role_master'] %} "{{ hostvars[host].ansible_hostname }}"{% if not loop.last %},{% endif %} {% endfor %} ] {% else %} -cluster.initial_master_nodes: [ {% for host in groups[elasticsearch_group_name] %} +cluster.initial_master_nodes: [ {% for host in groups[elasticstack_elasticsearch_group_name] %} "{{ hostvars[host].ansible_hostname }}"{% if not loop.last %},{% endif %} {% endfor %} ] {% endif %} diff --git a/roles/elasticsearch/templates/instances.j2 b/roles/elasticsearch/templates/instances.j2 index 57be7b9a..226f81a4 100644 --- a/roles/elasticsearch/templates/instances.j2 +++ b/roles/elasticsearch/templates/instances.j2 
@@ -1,5 +1,5 @@ instances: -{% for host in groups[elasticsearch_group_name] %} +{% for host in groups[elasticstack_elasticsearch_group_name] %} - name: "{{ host }}" ip: - "{{ hostvars[host].ansible_default_ipv4.address | default(hostvars[host].ansible_all_ipv4_addresses[0]) }}" diff --git a/roles/kibana/defaults/main.yml b/roles/kibana/defaults/main.yml index 50e30f77..b29b707a 100644 --- a/roles/kibana/defaults/main.yml +++ b/roles/kibana/defaults/main.yml @@ -29,4 +29,4 @@ elasticstack_elasticsearch_http_port: 9200 elasticstack_kibana_port: 5601 elasticstack_no_log: true -elasticsearch_group_name: elasticsearch +elasticstack_elasticsearch_group_name: elasticsearch diff --git a/roles/kibana/tasks/kibana-security.yml b/roles/kibana/tasks/kibana-security.yml index 3a29a6e2..77f53bdb 100644 --- a/roles/kibana/tasks/kibana-security.yml +++ b/roles/kibana/tasks/kibana-security.yml @@ -13,10 +13,10 @@ - name: Set elasticstack_ca variable if not already done by user ansible.builtin.set_fact: - elasticstack_ca: "{{ groups[elasticsearch_group_name][0] }}" + elasticstack_ca: "{{ groups[elasticstack_elasticsearch_group_name][0] }}" when: - elasticstack_ca is undefined - - groups[elasticsearch_group_name] is defined + - groups[elasticstack_elasticsearch_group_name] is defined tags: - certificates - renew_ca diff --git a/roles/kibana/tasks/main.yml b/roles/kibana/tasks/main.yml index 9f336839..d9bc8276 100644 --- a/roles/kibana/tasks/main.yml +++ b/roles/kibana/tasks/main.yml 
@@ -21,10 +21,10 @@ - name: Set Elasticsearch hosts if used with other roles ansible.builtin.set_fact: - kibana_elasticsearch_hosts: "{{ groups[elasticsearch_group_name] }}" + kibana_elasticsearch_hosts: "{{ groups[elasticstack_elasticsearch_group_name] }}" when: - kibana_elasticsearch_hosts is undefined - - groups[elasticsearch_group_name] is defined + - groups[elasticstack_elasticsearch_group_name] is defined - name: Set Elasticsearch hosts to localhost if no other info is available ansible.builtin.set_fact: @@ -32,7 +32,7 @@ - localhost when: - kibana_elasticsearch_hosts is undefined - - groups[elasticsearch_group_name] is undefined + - groups[elasticstack_elasticsearch_group_name] is undefined - name: Construct exact name of Kibana package ansible.builtin.set_fact: diff --git a/roles/logstash/defaults/main.yml b/roles/logstash/defaults/main.yml index 3b015241..f510d5b4 100644 --- a/roles/logstash/defaults/main.yml +++ b/roles/logstash/defaults/main.yml @@ -91,7 +91,7 @@ elasticstack_security: true elasticstack_elasticsearch_http_port: 9200 elasticstack_beats_port: 5044 -elasticsearch_group_name: elasticsearch +elasticstack_elasticsearch_group_name: elasticsearch # Variables for debugging and development diff --git a/roles/logstash/tasks/logstash-security.yml b/roles/logstash/tasks/logstash-security.yml index 8115cee8..777f18bc 100644 --- a/roles/logstash/tasks/logstash-security.yml +++ b/roles/logstash/tasks/logstash-security.yml @@ -13,10 +13,10 @@ - name: Set elasticstack_ca variable if not already done by user ansible.builtin.set_fact: - elasticstack_ca: "{{ groups[elasticsearch_group_name][0] }}" + elasticstack_ca: "{{ groups[elasticstack_elasticsearch_group_name][0] }}" when: - elasticstack_ca is undefined - - groups[elasticsearch_group_name] is defined + - groups[elasticstack_elasticsearch_group_name] is defined tags: - certificates - configuration diff --git a/roles/logstash/tasks/main.yml b/roles/logstash/tasks/main.yml index 5b208f07..bfef8462 100644 
--- a/roles/logstash/tasks/main.yml +++ b/roles/logstash/tasks/main.yml @@ -20,10 +20,10 @@ - name: Set Elasticsearch hosts if used with other roles ansible.builtin.set_fact: - logstash_elasticsearch: "{{ groups[elasticsearch_group_name] }}" + logstash_elasticsearch: "{{ groups[elasticstack_elasticsearch_group_name] }}" when: - logstash_elasticsearch is undefined - - groups[elasticsearch_group_name] is defined + - groups[elasticstack_elasticsearch_group_name] is defined tags: - configuration - logstash_configuration @@ -41,7 +41,7 @@ - localhost when: - logstash_elasticsearch is undefined - - groups[elasticsearch_group_name] is undefined + - groups[elasticstack_elasticsearch_group_name] is undefined tags: - configuration - logstash_configuration diff --git a/roles/repos/defaults/main.yml b/roles/repos/defaults/main.yml index d2973c56..da512522 100644 --- a/roles/repos/defaults/main.yml +++ b/roles/repos/defaults/main.yml @@ -9,4 +9,4 @@ elasticstack_rpm_workaround: false elasticstack_enable_repos: true elasticstack_no_log: true -elasticsearch_group_name: elasticsearch +elasticstack_elasticsearch_group_name: elasticsearch From 808ed67363c3fdc8bf729c6325d044ede1a4c1a5 Mon Sep 17 00:00:00 2001 From: Klaus Zerwes Date: Sun, 28 Jan 2024 05:32:44 +0100 Subject: [PATCH 3/6] test elasticsearch_no-security with new group name --- molecule/elasticsearch_no-security/converge.yml | 1 + molecule/elasticsearch_no-security/molecule.yml | 4 ++-- molecule/elasticsearch_no-security/verify.yml | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/molecule/elasticsearch_no-security/converge.yml b/molecule/elasticsearch_no-security/converge.yml index 379a32e9..b8fd37cc 100644 --- a/molecule/elasticsearch_no-security/converge.yml +++ b/molecule/elasticsearch_no-security/converge.yml 
@@ -13,6 +13,7 @@ elasticsearch_heap: "1" elasticstack_release: 7 elasticstack_no_log: false + elasticstack_elasticsearch_group_name: elasticsearchXYZ tasks: - name: Include Elastics repos role ansible.builtin.include_role: diff --git a/molecule/elasticsearch_no-security/molecule.yml b/molecule/elasticsearch_no-security/molecule.yml index 8b08e708..d36a077a 100644 --- a/molecule/elasticsearch_no-security/molecule.yml +++ b/molecule/elasticsearch_no-security/molecule.yml @@ -8,7 +8,7 @@ driver: platforms: - name: elasticsearch-nosecurity1 groups: - - elasticsearch + - elasticsearchXYZ image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian11}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-""} volumes: @@ -18,7 +18,7 @@ platforms: pre_build_image: true - name: elasticsearch-nosecurity2 groups: - - elasticsearch + - elasticsearchXYZ image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian11}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-""} volumes: diff --git a/molecule/elasticsearch_no-security/verify.yml b/molecule/elasticsearch_no-security/verify.yml index 627c06b0..601be29f 100644 --- a/molecule/elasticsearch_no-security/verify.yml +++ b/molecule/elasticsearch_no-security/verify.yml @@ -5,7 +5,7 @@ hosts: all vars: elasticstack_elasticsearch_http_port: 9200 - elasticstack_elasticsearch_group_name: elasticsearch + elasticstack_elasticsearch_group_name: elasticsearchXYZ tasks: # Remember, this is the no-security scenario. So no https From 7c16d0a7e2ea40e73eff6c36025ebd0a082d77bb Mon Sep 17 00:00:00 2001 From: Klaus Zerwes Date: Sun, 4 Feb 2024 10:47:34 +0100 Subject: [PATCH 4/6] implemented elasticstack_logstash_group_name --- roles/beats/defaults/main.yml | 1 + roles/beats/templates/auditbeat.yml.j2 | 2 +- roles/beats/templates/filebeat.yml.j2 | 2 +- roles/beats/templates/metricbeat.yml.j2 | 2 +- roles/elasticsearch/defaults/main.yml | 1 + roles/elasticsearch/tasks/elasticsearch-security.yml | 5 +++-- 6 files changed, 8 insertions(+), 5 deletions(-) 
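Review bot: The non-default group name `elasticsearchXYZ` is exercised only in the no-security scenario, so the security paths this series rewired are presumably still tested only with the default name. Those paths are the CA host selection via `groups[elasticstack_elasticsearch_group_name][0]` and the certificate loops in `elasticsearch-security.yml`. Setting the same override in one security-enabled scenario would cover them. The value now has to agree in three files (converge.yml, the `groups:` entries in molecule.yml, and verify.yml), so a comment next to the variable such as `# must match the platform groups in molecule.yml` would help keep them in step.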
diff --git a/roles/beats/defaults/main.yml b/roles/beats/defaults/main.yml index 37ec79a6..490eb610 100644 --- a/roles/beats/defaults/main.yml +++ b/roles/beats/defaults/main.yml @@ -64,6 +64,7 @@ elasticstack_variant: elastic elasticstack_security: true elasticstack_elasticsearch_group_name: elasticsearch +elasticstack_logstash_group_name: logstash elasticstack_ca_dir: /opt/es-ca elasticstack_ca_pass: PleaseChangeMe diff --git a/roles/beats/templates/auditbeat.yml.j2 b/roles/beats/templates/auditbeat.yml.j2 index 08d8451e..3cf82f22 100644 --- a/roles/beats/templates/auditbeat.yml.j2 +++ b/roles/beats/templates/auditbeat.yml.j2 @@ -53,7 +53,7 @@ output.elasticsearch: {% if beats_auditbeat_output == "logstash" %} output.logstash: {% if elasticstack_full_stack | bool %} - hosts: [ {% for host in groups['logstash'] %}"{{ host }}:{{ elasticstack_beats_port }}"{% if not loop.last %},{% endif %}{% endfor %}] + hosts: [ {% for host in groups[elasticstack_logstash_group_name] %}"{{ host }}:{{ elasticstack_beats_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% else %} hosts: [ {% for host in beats_target_hosts %}"{{ host }}:{{ elasticstack_beats_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% endif %} diff --git a/roles/beats/templates/filebeat.yml.j2 b/roles/beats/templates/filebeat.yml.j2 index d5a6ce5f..f7457cf4 100644 --- a/roles/beats/templates/filebeat.yml.j2 +++ b/roles/beats/templates/filebeat.yml.j2 
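Review bot: The new `elasticstack_logstash_group_name` default in `roles/beats/defaults/main.yml` has no comment saying where an override must be set, and the same variable is declared again in other roles' defaults. An override given to only one role leaves the other roles on the default name. For the Elasticsearch group the kibana and logstash tasks then take the `groups[...] is undefined` branch and point at `localhost` instead of failing. I would add a comment above the group-name defaults, for example `# Inventory group names; override once for all roles (inventory or group_vars/all), never per role`.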
@@ -128,7 +128,7 @@ output.elasticsearch: {% if beats_filebeat_output == "logstash" %} output.logstash: {% if elasticstack_full_stack | bool %} - hosts: [ {% for host in groups['logstash'] %}"{{ host }}:{{ elasticstack_beats_port }}"{% if not loop.last %},{% endif %}{% endfor %}] + hosts: [ {% for host in groups[elasticstack_logstash_group_name] %}"{{ host }}:{{ elasticstack_beats_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% else %} hosts: [ {% for host in beats_target_hosts %}"{{ host }}:{{ elasticstack_beats_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% endif %} diff --git a/roles/beats/templates/metricbeat.yml.j2 b/roles/beats/templates/metricbeat.yml.j2 index a8f06421..138eecf7 100644 --- a/roles/beats/templates/metricbeat.yml.j2 +++ b/roles/beats/templates/metricbeat.yml.j2 @@ -30,7 +30,7 @@ output.elasticsearch: {% if beats_metricbeat_output == "logstash" %} output.logstash: {% if elasticstack_full_stack | bool %} - hosts: [ {% for host in groups['logstash'] %}"{{ host }}:{{ elasticstack_beats_port }}"{% if not loop.last %},{% endif %}{% endfor %}] + hosts: [ {% for host in groups[elasticstack_logstash_group_name] %}"{{ host }}:{{ elasticstack_beats_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% else %} hosts: [ {% for host in beats_target_hosts %}"{{ host }}:{{ elasticstack_beats_port }}"{% if not loop.last %},{% endif %}{% endfor %}] {% endif %} diff --git a/roles/elasticsearch/defaults/main.yml b/roles/elasticsearch/defaults/main.yml index 9c3f72d5..410a2574 100644 --- a/roles/elasticsearch/defaults/main.yml +++ b/roles/elasticsearch/defaults/main.yml @@ -63,3 +63,4 @@ elasticstack_elasticsearch_http_port: 9200 elasticstack_no_log: true elasticstack_elasticsearch_group_name: elasticsearch +elasticstack_logstash_group_name: logstash diff --git a/roles/elasticsearch/tasks/elasticsearch-security.yml b/roles/elasticsearch/tasks/elasticsearch-security.yml index 26c99c7c..256e6591 100644 
--- a/roles/elasticsearch/tasks/elasticsearch-security.yml +++ b/roles/elasticsearch/tasks/elasticsearch-security.yml @@ -61,11 +61,12 @@ ansible.builtin.service: name: logstash state: stopped - with_items: "{{ groups['logstash'] }}" + with_items: "{{ groups[elasticstack_logstash_group_name] }}" delegate_to: "{{ item }}" when: - "'renew_ca' in ansible_run_tags or elasticstack_ca_will_expire_soon | bool" - - groups['logstash'] is defined + - elasticstack_logstash_group_name is defined + - groups[elasticstack_logstash_group_name] is defined - name: Backup ca directory on elasticsearch ca host then remove when: (inventory_hostname == elasticstack_ca) and ('renew_ca' in "ansible_run_tags" or elasticstack_ca_will_expire_soon | bool) From bf6339df1f42b96a5c85e9f66ef31d825f2b3682 Mon Sep 17 00:00:00 2001 From: Klaus Zerwes Date: Sun, 4 Feb 2024 10:55:15 +0100 Subject: [PATCH 5/6] implemented elasticstack_kibana_group_name --- roles/elasticsearch/defaults/main.yml | 1 + roles/elasticsearch/handlers/main.yml | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/elasticsearch/defaults/main.yml b/roles/elasticsearch/defaults/main.yml index 410a2574..4fa7c743 100644 --- a/roles/elasticsearch/defaults/main.yml +++ b/roles/elasticsearch/defaults/main.yml @@ -64,3 +64,4 @@ elasticstack_no_log: true elasticstack_elasticsearch_group_name: elasticsearch elasticstack_logstash_group_name: logstash +elasticstack_kibana_group_name: kibana diff --git a/roles/elasticsearch/handlers/main.yml b/roles/elasticsearch/handlers/main.yml index ff3b5ab5..78169736 100644 --- a/roles/elasticsearch/handlers/main.yml +++ b/roles/elasticsearch/handlers/main.yml 
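Review bot: The context line for `Backup ca directory on elasticsearch ca host then remove` tests `'renew_ca' in "ansible_run_tags"`, where the right-hand side is a quoted string literal rather than the variable, so that half of the condition is never true. The logstash stop task just above uses the unquoted form, so a run with the `renew_ca` tag stops logstash, but this block appears to run only when `elasticstack_ca_will_expire_soon` is set. The commit does not touch the line; the fix is `when: (inventory_hostname == elasticstack_ca) and ('renew_ca' in ansible_run_tags or elasticstack_ca_will_expire_soon | bool)`. The block's body continues outside the hunk.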
@@ -12,9 +12,10 @@ - name: Restart kibana if available for elasticsearch certificates ansible.builtin.include_tasks: handlers/restart_kibana.yml - with_items: "{{ groups['kibana'] }}" + with_items: "{{ groups[elasticstack_kibana_group_name] }}" when: - elasticstack_full_stack: true - "not 'renew_ca' in ansible_run_tags" - "not elasticstack_ca_will_expire_soon | bool" - - groups['kibana'] is defined + - elasticstack_kibana_group_name is defined + - groups[elasticstack_kibana_group_name] is defined From 561ea5dd0541a977129c32e6b2368a00aa73801c Mon Sep 17 00:00:00 2001 From: Klaus Zerwes Date: Sun, 4 Feb 2024 12:20:58 +0100 Subject: [PATCH 6/6] updated README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0ab1b6b0..23f7f9be 100644 --- a/README.md +++ b/README.md 
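Review bot: In the `when:` list of `Restart kibana if available for elasticsearch certificates`, the entry `- elasticstack_full_stack: true` is a one-key mapping, not an expression, so it does not test the variable's value. Depending on the Ansible version it is either treated as always true or rejected as an invalid conditional. The commit edits the neighbouring entries but leaves this one; it should read `- elasticstack_full_stack | bool`. The added `elasticstack_kibana_group_name is defined` guard is harmless but is always satisfied once the role default exists, so `groups[elasticstack_kibana_group_name] is defined` is the check that actually decides whether the handler runs.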
@@ -120,7 +120,7 @@ There are some comments in the Playbook. Either fill them with the correct value ### Inventory -_Note_: The roles rely on hardcoded group names for placing services on hosts. Please make sure you have groups named `elasticsearch` (or define your desired group name using the var `elasticstack_elasticsearch_group_name`), `logstash` and `kibana` in your Ansible inventory. Hosts in these groups will get the respective services. Just restricting your plays to the appropriate hosts will not work because the roles interact with hosts from other groups e.g. for certificate generation. +_Note_: The roles rely on group names for placing services on hosts. Please make sure you have group names defined: `elasticstack_elasticsearch_group_name` (default: `elasticsearch`), `elasticstack_logstash_group_name` (default: `logstash`) and `elasticstack_kibana_group_name` (default: `kibana`) that will match your desired setup in your Ansible inventory. Hosts in these groups will get the respective services. Just restricting your plays to the appropriate hosts will not work because the roles interact with hosts from other groups e.g. for certificate generation. The execution order of the roles is important! (see below)