From beba2692e82c4b82289bc998934813ab98296648 Mon Sep 17 00:00:00 2001 From: Olivier Navas Date: Sun, 11 Aug 2024 20:47:04 +0200 Subject: [PATCH] Gestion token --- configure-awx.yml | 364 ++++++++++++++++++++++++---------------------- 1 file changed, 187 insertions(+), 177 deletions(-) diff --git a/configure-awx.yml b/configure-awx.yml index 6fe5e4f..57e9c90 100644 --- a/configure-awx.yml +++ b/configure-awx.yml 
@@ -19,197 +19,207 @@ controller_username: "{{ awx_controller_username }}" controller_password: "{{ awx_controller_password }}" - - name: Définition des organisations de base - awx.awx.organization: - controller_host: "{{ awx_controller_host }}" - controller_oauthtoken: "{{ controller_token }}" - name: "{{ awx_organization }}" - state: "{{ _state }}" - galaxy_credentials: - - "Ansible Galaxy" + - name: Block avec token + block: + - name: Définition des organisations de base + awx.awx.organization: + controller_host: "{{ awx_controller_host }}" + controller_oauthtoken: "{{ controller_token }}" + name: "{{ awx_organization }}" + state: "{{ _state }}" + galaxy_credentials: + - "Ansible Galaxy" - - name: Définition du secret pour récuperer les projets depuis git - awx.awx.credential: - controller_host: "{{ awx_controller_host }}" - controller_oauthtoken: "{{ controller_token }}" - name: "{{ item.name }}" - organization: "{{ awx_organization }}" - credential_type: "Source Control" - description: "Secret d'accès d'AWX au repo git" - inputs: - username: "{{ item.username }}" - password: "{{ item.password }}" - with_items: "{{ awx_git_credentials }}" - no_log: true - when: _state == "present" + - name: Définition du secret pour récuperer les projets depuis git + awx.awx.credential: + controller_host: "{{ awx_controller_host }}" + controller_oauthtoken: "{{ controller_token }}" + name: "{{ item.name }}" + organization: "{{ awx_organization }}" + credential_type: "Source Control" + description: "Secret d'accès d'AWX au repo git" + inputs: + username: "{{ item.username }}" + password: "{{ item.password }}" + with_items: "{{ awx_git_credentials }}" + no_log: true + when: _state == "present" - - name: Définition du secret ansible-vault utilisé dans les projets git - awx.awx.credential: - controller_host: "{{ awx_controller_host }}" - controller_oauthtoken: "{{ controller_token }}" - name: "{{ item.name }}" - organization: "{{ awx_organization }}" - credential_type: "Vault" - 
description: "Secret du ansible-vault pour le chiffrement dans les projets git" - inputs: - vault_password: "{{ item.password }}" - with_items: "{{ awx_vault_credentials }}" - no_log: true - when: _state == "present" + - name: Définition du secret ansible-vault utilisé dans les projets git + awx.awx.credential: + controller_host: "{{ awx_controller_host }}" + controller_oauthtoken: "{{ controller_token }}" + name: "{{ item.name }}" + organization: "{{ awx_organization }}" + credential_type: "Vault" + description: "Secret du ansible-vault pour le chiffrement dans les projets git" + inputs: + vault_password: "{{ item.password }}" + with_items: "{{ awx_vault_credentials }}" + no_log: true + when: _state == "present" - - name: Définition du secret de connexion aux machines - awx.awx.credential: - controller_host: "{{ awx_controller_host }}" - controller_oauthtoken: "{{ controller_token }}" - name: "{{ item.name }}" - description: "Clé d'accès pour se connecter aux machines" - organization: "{{ awx_organization }}" - credential_type: "Machine" - inputs: - username: "{{ item.username }}" - ssh_key_data: "{{ item.ssh_key_data }}" - with_items: "{{ awx_machine_credentials }}" - no_log: true - when: _state == "present" + - name: Définition du secret de connexion aux machines + awx.awx.credential: + controller_host: "{{ awx_controller_host }}" + controller_oauthtoken: "{{ controller_token }}" + name: "{{ item.name }}" + description: "Clé d'accès pour se connecter aux machines" + organization: "{{ awx_organization }}" + credential_type: "Machine" + inputs: + username: "{{ item.username }}" + ssh_key_data: "{{ item.ssh_key_data }}" + with_items: "{{ awx_machine_credentials }}" + no_log: true + when: _state == "present" - - name: Définition du type de secret aap_ressources - awx.awx.credential_type: - controller_host: "{{ awx_controller_host }}" - controller_oauthtoken: "{{ controller_token }}" - name: "aap_ressources" - description: "Secrets pour se connecter à un serveur de 
ressources ansible" - state: "{{ _state }}" - kind: net - inputs: "{{ lookup('file', 'files/aap_ressources_credential_type_inputs.json') }}" - injectors: "{{ lookup('file', 'files/aap_ressources_credential_type_injectors.json') }}" + - name: Définition du type de secret aap_ressources + awx.awx.credential_type: + controller_host: "{{ awx_controller_host }}" + controller_oauthtoken: "{{ controller_token }}" + name: "aap_ressources" + description: "Secrets pour se connecter à un serveur de ressources ansible" + state: "{{ _state }}" + kind: net + inputs: "{{ lookup('file', 'files/aap_ressources_credential_type_inputs.json') }}" + injectors: "{{ lookup('file', 'files/aap_ressources_credential_type_injectors.json') }}" - - name: Définition du secret de connexion au serveur de ressources Ansible - awx.awx.credential: - controller_host: "{{ awx_controller_host }}" - controller_oauthtoken: "{{ controller_token }}" - name: "{{ awx_aap_ressources_credential_name }}" - description: "Secrets pour se connecter au serveur de ressources ansible" - organization: "{{ awx_organization }}" - credential_type: "aap_ressources" - inputs: - url: "{{ awx_aap_ressources_url }}" - username: "{{ awx_aap_ressources_username }}" - password: "{{ awx_aap_ressources_password }}" - no_log: true - when: _state == "present" + - name: Définition du secret de connexion au serveur de ressources Ansible + awx.awx.credential: + controller_host: "{{ awx_controller_host }}" + controller_oauthtoken: "{{ controller_token }}" + name: "{{ awx_aap_ressources_credential_name }}" + description: "Secrets pour se connecter au serveur de ressources ansible" + organization: "{{ awx_organization }}" + credential_type: "aap_ressources" + inputs: + url: "{{ awx_aap_ressources_url }}" + username: "{{ awx_aap_ressources_username }}" + password: "{{ awx_aap_ressources_password }}" + no_log: true + when: _state == "present" - - name: Définition des environnements d'exécution - awx.awx.execution_environment: - 
controller_host: "{{ awx_controller_host }}" - controller_oauthtoken: "{{ controller_token }}" - name: "{{ awx_ee }}" - image: "{{ awx_ee_image }}:{{ awx_ee_version }}" - state: "{{ _state }}" + - name: Définition des environnements d'exécution + awx.awx.execution_environment: + controller_host: "{{ awx_controller_host }}" + controller_oauthtoken: "{{ controller_token }}" + name: "{{ awx_ee }}" + image: "{{ awx_ee_image }}:{{ awx_ee_version }}" + state: "{{ _state }}" - - name: Creation des équipes pour application des droits - awx.awx.team: - controller_host: "{{ awx_controller_host }}" - controller_oauthtoken: "{{ controller_token }}" - name: "{{ item.team }}" - organization: "{{ item.organization }}" - with_items: - - "{{ awx_team_list }}" - when: _state == "present" + - name: Creation des équipes pour application des droits + awx.awx.team: + controller_host: "{{ awx_controller_host }}" + controller_oauthtoken: "{{ controller_token }}" + name: "{{ item.team }}" + organization: "{{ item.organization }}" + with_items: + - "{{ awx_team_list }}" + when: _state == "present" - - name: Affectation des droits aux équipes - awx.awx.role: - controller_host: "{{ awx_controller_host }}" - controller_oauthtoken: "{{ controller_token }}" - organizations: "{{ item.organization }}" - teams: "{{ item.team }}" - role: "{{ item.role }}" - with_items: - - "{{ awx_team_roles_list }}" - when: _state == "present" + - name: Affectation des droits aux équipes + awx.awx.role: + controller_host: "{{ awx_controller_host }}" + controller_oauthtoken: "{{ controller_token }}" + organizations: "{{ item.organization }}" + teams: "{{ item.team }}" + role: "{{ item.role }}" + with_items: + - "{{ awx_team_roles_list }}" + when: _state == "present" - # on vérifie ici car no_log de la tâche qui utilise empêche d'avoir une explication en cas d'oubli - - name: Vérifie que awx_custom_settings est défini (besoin que l'environnement soit précisé) - ansible.builtin.assert: - that: - - awx_custom_settings 
is defined + # on vérifie ici car no_log de la tâche qui utilise empêche d'avoir une explication en cas d'oubli + - name: Vérifie que awx_custom_settings est défini (besoin que l'environnement soit précisé) + ansible.builtin.assert: + that: + - awx_custom_settings is defined - - name: Définition de paramètres spécifiques - awx.awx.settings: - controller_host: "{{ awx_controller_host }}" - controller_oauthtoken: "{{ controller_token }}" - settings: "{{ awx_custom_settings }}" - no_log: true + - name: Définition de paramètres spécifiques + awx.awx.settings: + controller_host: "{{ awx_controller_host }}" + controller_oauthtoken: "{{ controller_token }}" + settings: "{{ awx_custom_settings }}" + no_log: true - # Configuration d'awx - projet + # Configuration d'awx - projet - - name: Définition du projet - awx.awx.project: - controller_host: "{{ awx_controller_host }}" - controller_oauthtoken: "{{ controller_token }}" - name: "{{ awx_project_name }}" - scm_type: git - scm_url: "{{ awx_project_url }}" - scm_update_on_launch: true - scm_update_cache_timeout: 60 - scm_credential: "{{ awx_git_credential_name }}" - state: "{{ _state }}" - allow_override: true - organization: "{{ awx_organization }}" - default_environment: "{{ awx_ee }}" + - name: Définition du projet + awx.awx.project: + controller_host: "{{ awx_controller_host }}" + controller_oauthtoken: "{{ controller_token }}" + name: "{{ awx_project_name }}" + scm_type: git + scm_url: "{{ awx_project_url }}" + scm_update_on_launch: true + scm_update_cache_timeout: 60 + scm_credential: "{{ awx_git_credential_name }}" + state: "{{ _state }}" + allow_override: true + organization: "{{ awx_organization }}" + default_environment: "{{ awx_ee }}" - - name: Définition de l'inventaire - awx.awx.inventory: - controller_host: "{{ awx_controller_host }}" - controller_oauthtoken: "{{ controller_token }}" - name: "{{ awx_project_name }}_{{ environnement }}" - state: "{{ _state }}" - organization: "{{ awx_organization }}" + - name: 
Définition de l'inventaire + awx.awx.inventory: + controller_host: "{{ awx_controller_host }}" + controller_oauthtoken: "{{ controller_token }}" + name: "{{ awx_project_name }}_{{ environnement }}" + state: "{{ _state }}" + organization: "{{ awx_organization }}" - - name: Définition de la source d'inventaire - awx.awx.inventory_source: - controller_host: "{{ awx_controller_host }}" - controller_oauthtoken: "{{ controller_token }}" - name: "{{ awx_project_name }}_{{ environnement }}" - inventory: "{{ awx_project_name }}_{{ environnement }}" - state: "{{ _state }}" - organization: "{{ awx_organization }}" - source: scm - source_project: "{{ awx_project_name }}" - source_path: "inventory/{{ environnement }}/hosts" - overwrite: true - update_on_launch: true - # les sources disparaissent avec l'inventaire qui les contient - when: _state == "present" + - name: Définition de la source d'inventaire + awx.awx.inventory_source: + controller_host: "{{ awx_controller_host }}" + controller_oauthtoken: "{{ controller_token }}" + name: "{{ awx_project_name }}_{{ environnement }}" + inventory: "{{ awx_project_name }}_{{ environnement }}" + state: "{{ _state }}" + organization: "{{ awx_organization }}" + source: scm + source_project: "{{ awx_project_name }}" + source_path: "inventory/{{ environnement }}/hosts" + overwrite: true + update_on_launch: true + # les sources disparaissent avec l'inventaire qui les contient + when: _state == "present" - - name: Définition du playbook setup-env - awx.awx.job_template: - controller_host: "{{ awx_controller_host }}" - controller_oauthtoken: "{{ controller_token }}" - name: "{{ awx_project_name }}_{{ environnement }}_{{ item }}" - project: "{{ awx_project_name }}" - inventory: "{{ awx_project_name }}_{{ environnement }}" - state: "{{ _state }}" - organization: "{{ awx_organization }}" - job_type: run - ask_job_type_on_launch: true - playbook: "{{ item }}" - become_enabled: true - credentials: - - "{{ awx_vault_credential_name }}" - - "{{ 
awx_machine_credential_name }}" - - "{{ awx_aap_ressources_credential_name }}" - with_items: - - setup-env.yml + - name: Définition du playbook setup-env + awx.awx.job_template: + controller_host: "{{ awx_controller_host }}" + controller_oauthtoken: "{{ controller_token }}" + name: "{{ awx_project_name }}_{{ environnement }}_{{ item }}" + project: "{{ awx_project_name }}" + inventory: "{{ awx_project_name }}_{{ environnement }}" + state: "{{ _state }}" + organization: "{{ awx_organization }}" + job_type: run + ask_job_type_on_launch: true + playbook: "{{ item }}" + become_enabled: true + credentials: + - "{{ awx_vault_credential_name }}" + - "{{ awx_machine_credential_name }}" + - "{{ awx_aap_ressources_credential_name }}" + with_items: + - setup-env.yml - - name: Planification remise en conformité régulière - awx.awx.schedule: - controller_host: "{{ awx_controller_host }}" - controller_oauthtoken: "{{ controller_token }}" - name: "{{ awx_project_name }}_{{ environnement }}_{{ item }}-schedule-daily" - unified_job_template: "{{ awx_project_name }}_{{ environnement }}_{{ item }}" - rrule: "{{ query('awx.awx.schedule_rrule', 'day', start_date='2024-01-01 12:30:00', timezone='Europe/Paris') }}" - enabled: false # TODO: corriger un souci avec les variables quand exécution depuis awx - with_items: - - setup-env.yml - when: _state == "present" + - name: Planification remise en conformité régulière + awx.awx.schedule: + controller_host: "{{ awx_controller_host }}" + controller_oauthtoken: "{{ controller_token }}" + name: "{{ awx_project_name }}_{{ environnement }}_{{ item }}-schedule-daily" + unified_job_template: "{{ awx_project_name }}_{{ environnement }}_{{ item }}" + rrule: "{{ query('awx.awx.schedule_rrule', 'day', start_date='2024-01-01 12:30:00', timezone='Europe/Paris') }}" + enabled: false # TODO: corriger un souci avec les variables quand exécution depuis awx + with_items: + - setup-env.yml + when: _state == "present" + + always: + - name: Destruction du token + 
awx.awx.token: + controller_host: "{{ awx_controller_host }}" + controller_oauthtoken: "{{ controller_token }}" + existing_token: "{{ controller_token }}" + state: absent
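Review bot: The `Destruction du token` task in the new `always:` section runs even when the block failed because `controller_token` was never set (the task that creates it is above this hunk, next to the `controller_username`/`controller_password` context lines), so a failure there would be replaced by a less useful "undefined variable" error from the cleanup step; a guard such as `when: controller_token is defined` keeps the original error visible. The task is also the only one here that handles a secret without `no_log: true`, and on failure Ansible can echo the module arguments, which would include `existing_token`, unless the module masks that field itself — I could not confirm that from this file, so adding `no_log: true` to the task is the safe default. Revocation is authenticated with the very token being revoked (`controller_oauthtoken` and `existing_token` are both `{{ controller_token }}`), so if the token has already been invalidated or expired the cleanup will fail; if that path must be tolerated, a `failed_when` or `ignore_errors: true` on this task is worth considering rather than letting the play end in error after the real work succeeded.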