RONCC
/
Dell-Omnia-Clusters-HPC-AI


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176
							# Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---

# Include telemetry_login_vars.yml
- name: Check telemetry_login_vars file is encrypted
  command: cat {{ login_vars_file }}
  changed_when: false
  register: config_content
  no_log: true

- name: Decrpyt telemetry_login_vars.yml
  command: >-
    ansible-vault decrypt {{ login_vars_file }}
    --vault-password-file {{ vault_filename }}
  changed_when: false
  when: "'$ANSIBLE_VAULT;' in config_content.stdout"

- name: Include variable file telemetry_login_vars.yml
  include_vars: "{{ login_vars_file }}"
  no_log: true

- name: Assert usernames and passwords in telemetry_login_vars.yml
  block:
  - name: Assert timescaledb user name
    assert:
      that:
        - timescaledb_user | length > 1
        - '"-" not in timescaledb_user '
        - '"\\" not in timescaledb_user '
        - '"\"" not in timescaledb_user '
        - " \"'\" not in timescaledb_user "
    no_log: true

  - name: Assert timescaledb user password
    assert:
      that:
        - timescaledb_password | length > 1
        - '"-" not in timescaledb_password '
        - '"\\" not in timescaledb_password '
        - '"\"" not in timescaledb_password '
        - " \"'\" not in timescaledb_password "
        - '"@" not in timescaledb_password '
    no_log: true

  - name: Assert mysqldb user name
    assert:
      that:
        - mysqldb_user | length > 1
        - '"-" not in mysqldb_user '
        - '"\\" not in mysqldb_user '
        - '"\"" not in mysqldb_user '
        - " \"'\" not in mysqldb_user "
    no_log: true

  - name: Assert mysqldb user password
    assert:
      that:
        - mysqldb_password | length > 1
        - '"-" not in mysqldb_password '
        - '"\\" not in mysqldb_password '
        - '"\"" not in mysqldb_password '
        - " \"'\" not in mysqldb_password "
    no_log: true

  - name: Assert mysqldb root user password
    assert:
      that:
        - mysqldb_root_password | length > 1
        - '"-" not in mysqldb_root_password '
        - '"\\" not in mysqldb_root_password '
        - '"\"" not in mysqldb_root_password '
        - " \"'\" not in mysqldb_root_password "
    no_log: true

  rescue:
    - name: Validation issue in telemetry_login_vars.yml
      fail:
        msg: "{{ login_vars_fail_msg }}"

- name: Create ansible vault key
  set_fact:
    vault_key: "{{ lookup('password', '/dev/null chars=ascii_letters') }}"
  when: "'$ANSIBLE_VAULT;' not in config_content.stdout"

- name: Save vault key
  copy:
    dest: "{{ vault_filename }}"
    content: |
      {{ vault_key }}
    owner: root
    force: yes
    mode: "{{ vault_file_perm }}"
  when: "'$ANSIBLE_VAULT;' not in config_content.stdout"

- name: Encrypt input config file
  command: >-
    ansible-vault encrypt {{ login_vars_file }}
    --vault-password-file {{ vault_filename }}
  changed_when: false

# Include control_plane/login_vars.yml
- name: Check login_vars file is encrypted
  command: cat {{ ctrl_plane_login_vars_filename }}
  changed_when: false
  register: config_content
  no_log: true

- name: Decrpyt login_vars.yml
  command: >-
    ansible-vault decrypt {{ ctrl_plane_login_vars_filename }}
    --vault-password-file {{ ctrl_plane_login_vault_filename }}
  changed_when: false
  when: "'$ANSIBLE_VAULT;' in config_content.stdout"

- name: Include variable file control_plane/login_vars.yml
  include_vars: "{{ ctrl_plane_login_vars_filename }}"
  no_log: true

- name: Assert grafana credentials
  block:
    - name: Assert grafana_username and grafana_username
      assert:
        that:
          - grafana_username | length >= min_length_grafana
          - grafana_username | length <= max_length
          - '"-" not in grafana_username '
          - '"\\" not in grafana_username '
          - '"\"" not in grafana_username '
          - " \"'\" not in grafana_username "
          - grafana_password | length >= min_length_grafana
          - grafana_password | length <= max_length
          - not grafana_password == 'admin'
          - '"-" not in grafana_password '
          - '"\\" not in grafana_password '
          - '"\"" not in grafana_password '
          - " \"'\" not in grafana_password "
      no_log: true

  rescue:
    - name: Validation issue in control_plane/login_vars.yml
      fail:
        msg: "{{ ctrl_plane_login_vars_fail_msg }}"

- name: Create ansible vault key
  set_fact:
    vault_key: "{{ lookup('password', '/dev/null chars=ascii_letters') }}"
  when: "'$ANSIBLE_VAULT;' not in config_content.stdout"

- name: Save vault key
  copy:
    dest: "{{ ctrl_plane_login_vault_filename }}"
    content: |
      {{ vault_key }}
    owner: root
    force: yes
    mode: "{{ vault_file_perm }}"
  when: "'$ANSIBLE_VAULT;' not in config_content.stdout"

- name: Encrypt input config file
  command: >-
    ansible-vault encrypt {{ ctrl_plane_login_vars_filename }}
    --vault-password-file {{ ctrl_plane_login_vault_filename }}
  changed_when: false