diff --git a/roles/platform/tasks/create-properties-file.yml b/roles/platform/tasks/create-properties-file.yml index 7a284b7..8305ab9 100644 --- a/roles/platform/tasks/create-properties-file.yml +++ b/roles/platform/tasks/create-properties-file.yml @@ -4,46 +4,6 @@ # TODO: Do we still need to support the primary/secondary concept? -# Note: Platform's encrypt.js script does not take command line arguments. -# Instead, it prompts the user for input, reads it from stdin, and prints the key on the last line. -# This necessitates the use of the workaround below. -- name: Encrypt default passwords - when: not (platform_configure_vault | bool) - tags: encrypt_default_passwords - no_log: true - block: - - name: Generate encrypted passwords - ansible.builtin.shell: > - set -o pipefail && - (echo "{{ item.plaintext }}"; sleep 2; echo "{{ platform_encryption_key }}") | - node {{ platform_server_dir }}/utils/encrypt.js 2>&1 | - tail -n 1 - args: - executable: /bin/bash - loop: - - name: platform_redis_password_encrypted - plaintext: "{{ platform_redis_password }}" - - name: platform_redis_sentinel_password_encrypted - plaintext: "{{ platform_redis_sentinel_password }}" - - name: platform_mongo_password_encrypted - plaintext: "{{ platform_mongo_password }}" - - name: platform_default_user_password_encrypted - plaintext: "{{ platform_default_user_password }}" - register: encrypt_results - changed_when: false - failed_when: > - encrypt_results.rc != 0 or - encrypt_results.stdout == "" or - not encrypt_results.stdout.startswith("$ENC") or - (encrypt_results.stdout.split(':') | last | length) != 32 - - - name: Set encrypted passwords - ansible.builtin.set_fact: - "{{ item.item.name }}": "{{ item.stdout }}" - loop: "{{ encrypt_results.results }}" - loop_control: - label: "{{ item.item.name }}" - - name: Create the platform.properties file ansible.builtin.template: src: "{{ item }}" 
diff --git a/roles/platform/tasks/encrypt-passwords.yml b/roles/platform/tasks/encrypt-passwords.yml
new file mode 100644
index 0000000..31863ad
--- /dev/null
+++ b/roles/platform/tasks/encrypt-passwords.yml
@@ -0,0 +1,47 @@
+# Copyright (c) 2024, Itential, Inc
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+---
+# Note: Platform's encrypt.js script does not take command line arguments.
+# Instead, it prompts the user for input, reads it from stdin, and prints the key on the last line.
+# This necessitates the use of the workaround below.
+- name: Encrypt default passwords
+ when: not (platform_configure_vault | bool)
+ tags: encrypt_default_passwords
+ no_log: true
+ notify: Enable and Start Platform
+ block:
+ - name: Generate encrypted passwords
+ ansible.builtin.shell: >
+ set -o pipefail &&
+ (echo "{{ item.plaintext }}"; sleep 2; echo "{{ platform_encryption_key }}") |
+ node {{ platform_server_dir }}/utils/encrypt.js 2>&1 |
+ tail -n 1
+ args:
+ executable: /bin/bash
+ loop:
+ - name: platform_redis_password_encrypted
+ plaintext: "{{ platform_redis_password }}"
+ - name: platform_redis_sentinel_password_encrypted
+ plaintext: "{{ platform_redis_sentinel_password }}"
+ - name: platform_mongo_password_encrypted
+ plaintext: "{{ platform_mongo_password }}"
+ - name: platform_default_user_password_encrypted
+ plaintext: "{{ platform_default_user_password }}"
+ register: platform_encrypt_results
+ changed_when: false
+ failed_when: >
+ platform_encrypt_results.rc != 0 or
+ platform_encrypt_results.stdout == "" or
+ not platform_encrypt_results.stdout.startswith("$ENC") or
+ (platform_encrypt_results.stdout.split(':') | last | length) != 32
+
+ - name: Set encrypted passwords
+ ansible.builtin.set_fact:
+ "{{ item.item.name }}": "{{ item.stdout }}"
+ loop: "{{ platform_encrypt_results.results }}"
+ loop_control:
+ label: "{{ item.item.name }}"
+
+ - name: Create properties.json file
+ ansible.builtin.include_tasks:
+ file: create-properties-file.yml
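Review bot: The shell task under `Generate encrypted passwords` expands `{{ item.plaintext }}` and `{{ platform_encryption_key }}` straight into a double-quoted bash `echo`, so a password containing `"`, `$`, a backtick or a backslash is altered by the shell or breaks the pipeline, and both secrets sit in the `bash -c` argument string, which on most Linux hosts any local user can read from the process list while the task runs; `no_log: true` only hides them from Ansible's own output. Passing the two values through the task-level `environment:` keyword and printing the variables with `printf '%s\n'` keeps the command line free of secrets and removes the quoting problem without changing the pipeline, the loop or the `failed_when` checks (the variable names below are illustrative). Separately, `notify: Enable and Start Platform` on the block can only fire through the included tasks, since the generate task is `changed_when: false` and `set_fact` does not report a change; worth confirming that is the intent, and that gating the include behind `when: not (platform_configure_vault | bool)` does not leave the properties file uncreated when vault is configured.
```yaml
    - name: Generate encrypted passwords
      ansible.builtin.shell: >
        set -o pipefail &&
        (printf '%s\n' "$PLATFORM_ENCRYPT_PLAINTEXT"; sleep 2; printf '%s\n' "$PLATFORM_ENCRYPT_KEY") |
        node {{ platform_server_dir }}/utils/encrypt.js 2>&1 |
        tail -n 1
      environment:
        PLATFORM_ENCRYPT_PLAINTEXT: "{{ item.plaintext }}"
        PLATFORM_ENCRYPT_KEY: "{{ platform_encryption_key }}"
      # … unchanged: args, loop, register, changed_when, failed_when …
```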