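---
# Play 1: configure the Tower instance reached on https://localhost with the
# credentials, inventory, projects and job templates the AOT demo needs.
# Every task below is delegated to localhost with run_once, so the `all`
# host pattern only supplies the inventory context; nothing is executed on
# the managed nodes in this play.
- name: Setup AOT Demo Tower
  hosts: all
  become: true
  gather_facts: false
  tasks:
    # - name: Create Ansible Vault Password file
    #   template:
    #     src: ./vaultpass.j2
    #     dest: ./vaultpass
    #   run_once: true
    #   delegate_to: localhost
    #   tags:
    #     - license
    # - name: Decrypt Ansible Tower license file and save it as another file
    #   command: ansible-vault decrypt --vault-password-file=vaultpass tower.lic --output mytower.lic
    #   run_once: true
    #   delegate_to: localhost
    #   tags:
    #     - license
    # - name: Ensure EULA is accepted
    #   lineinfile:
    #     path: "./mytower.lic"
    #     line: ' "eula_accepted": true,'
    #     insertbefore: '"company_name"'
    #     state: present
    #   delegate_to: localhost
    #   run_once: true
    #   become: no
    #   tags:
    #     - addlicense
    # - name: Post license key
    #   uri:
    #     url: https://localhost/api/v2/config/
    #     method: POST
    #     user: "{{ towuser }}"
    #     password: "{{ towpass }}"
    #     body: "{{ lookup('file','./mytower.lic') }}"
    #     body_format: json
    #     validate_certs: False
    #     force_basic_auth: yes
    #   delegate_to: localhost
    #   run_once: true
    #   become: no
    #   tags:
    #     - addlicense

    # validate_certs is false on every tower_* task because the API is only
    # ever reached on the loopback address (presumably with the self-signed
    # certificate Tower ships with — confirm); do not reuse these settings
    # with a remote tower_host.
    - name: Add Insights SCM Credential to Tower
      tower_credential:
        name: Insights SCM Credential
        organization: Default
        kind: insights
        username: "{{ rhnuser }}"
        password: "{{ rhnpass }}"
        state: present
        tower_username: "{{ towuser }}"
        tower_password: "{{ towpass }}"
        tower_host: https://localhost
        validate_certs: false
      run_once: true
      delegate_to: localhost
      tags:
        - credential

    - name: Add Demo Machines SSH Credentials to Tower
      tower_credential:
        name: Machine SSH Credential
        organization: Default
        kind: ssh
        username: "{{ machinesshuser }}"
        password: "{{ machinesshpass }}"
        state: present
        tower_username: "{{ towuser }}"
        tower_password: "{{ towpass }}"
        tower_host: https://localhost
        validate_certs: false
      run_once: true
      delegate_to: localhost
      tags:
        - credential

    - name: Create Tower Inventory
      tower_inventory:
        name: "AOT Demo Inventory"
        organization: "Default"
        state: present
        tower_username: "{{ towuser }}"
        tower_password: "{{ towpass }}"
        tower_host: https://localhost
        validate_certs: false
      run_once: true
      delegate_to: localhost
      tags:
        - inventory

    - name: Import Hosts into Tower Inventory
      # A folded scalar (>-) joins the lines with single spaces. A plain
      # scalar ending each line in "\" keeps the backslash in the command
      # string, where the command module's shell-style splitting turns
      # "\ " into an escaped space and corrupts the argument boundaries.
      command: >-
        awx-manage inventory_import
        --source="/home/{{ studentid }}/lab_inventory/hosts"
        --inventory-name="AOT Demo Inventory"
      run_once: true
      delegate_to: localhost
      tags:
        - inventory

    - name: Create Insights Project in Tower
      # Using tower-cli because tower module does not have insights scm-type
      # command: tower-cli project create -n "Insights Project" \
      # use absolute path for run tower-cli to avoid errors
      command: >-
        /usr/local/bin/tower-cli project create -n "Insights Project"
        --organization "Default"
        --scm-type "insights"
        --scm-credential "Insights SCM Credential"
        --insecure
        -u "{{ towuser }}"
        -p "{{ towpass }}"
      # The Tower password travels as a command-line argument, so the
      # rendered command would otherwise be printed in the play output and
      # in any retry/log file; no_log keeps it out of both (it is still
      # visible in the controller's process list for the duration of the
      # call). Remove temporarily when debugging a failure of this task.
      no_log: true
      run_once: true
      delegate_to: localhost
      tags:
        - project

    - name: Create AOT Demo Project in Tower
      tower_project:
        name: "AOT Demo Project"
        organization: "Default"
        scm_type: "git"
        scm_url: "https://github.com/nicholas-chia/aotdemo2019.git"
        # scm_credential: "gitlab"
        state: present
        tower_username: "{{ towuser }}"
        tower_password: "{{ towpass }}"
        tower_host: https://localhost
        validate_certs: false
      run_once: true
      delegate_to: localhost
      tags:
        - project

    - name: Sleep for 15 seconds and continue with play
      # To avoid template creation error in the next task (the project has
      # to exist before a job template can reference it).
      wait_for:
        timeout: 15
      run_once: true
      delegate_to: localhost

    - name: Create Upload Insights Data Template
      tower_job_template:
        name: "Upload Insights Data"
        job_type: "run"
        inventory: "AOT Demo Inventory"
        project: "AOT Demo Project"
        playbook: "upload-insights-data.yml"
        credential: "Machine SSH Credential"
        state: "present"
        tower_username: "{{ towuser }}"
        tower_password: "{{ towpass }}"
        tower_host: https://localhost
        validate_certs: false
      run_once: true
      delegate_to: localhost
      tags:
        - template

    - name: Create OpenSCAP Scan and Upload Template
      tower_job_template:
        name: "OpenSCAP Scan and Upload"
        job_type: "run"
        inventory: "AOT Demo Inventory"
        project: "AOT Demo Project"
        playbook: "oscap-scan-and-upload.yml"
        credential: "Machine SSH Credential"
        state: "present"
        tower_username: "{{ towuser }}"
        tower_password: "{{ towpass }}"
        tower_host: https://localhost
        validate_certs: false
      run_once: true
      delegate_to: localhost
      tags:
        - template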
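# Play 2: prepare the managed nodes in the `web` group — subscribe them,
# install and register insights-client, and install the OpenSCAP packages.
# The commented-out tasks at the end are earlier variants of the scan and
# remediation steps and are kept for reference only.
- name: Setup AOT Demo Managed Nodes
  hosts: web
  become: true
  gather_facts: false
  # vars:
  #   oscap_profile: xccdf_org.ssgproject.content_profile_standard
  #   oscap_policy: ssg-rhel7-ds
  #   scan_results: /tmp/scan.xml
  tasks:
    - name: Register as user with password and subscribe
      redhat_subscription:
        state: present
        pool: '^Red Hat Enterprise Linux Server$'
        username: "{{ rhnuser }}"
        password: "{{ rhnpass }}"
        # force_register re-registers a node that is already subscribed,
        # which is what makes this task safe to rerun on a reused demo host.
        force_register: true
        # auto_attach: true
      tags:
        - subscribe

    - name: Install Insights Client to Managed Nodes
      # state: latest also upgrades an already-installed client on every run;
      # use state: present if a fixed version is wanted.
      yum:
        name: insights-client
        state: latest
      tags:
        - insights

    - name: Register Insights Client(s) to cloud.redhat.com
      # The command module reports "changed" on every run, so this task is
      # not idempotent as written; the registration itself is expected to be
      # a no-op for an already registered node — confirm.
      command: insights-client --register --display-name="{{ country }}_{{ inventory_hostname_short }}"
      tags:
        - insights

    - name: Install OpenSCAP Packages to Managed Nodes
      # The yum module takes a list of package names directly; looping the
      # module with with_items/"{{ item }}" runs a transaction per package
      # and is the deprecated "squash_actions" pattern.
      yum:
        name:
          - openscap-scanner
          - scap-security-guide
        state: latest
      tags:
        - oscap

    # - name: Clean up any previous scan results
    #   file:
    #     name: /tmp/scan.xml
    #     state: absent
    #   tags:
    #     - oscap
    # - name: Run Insights OpenSCAP scan and upload report to cloud.redhat.com
    #   command: insights-client --compliance
    #   ignore_errors: yes
    #   tags:
    #     - oscap
    # - name: Run OpenSCAP scan and remediation
    #   command: oscap xccdf eval \
    #     --remediate \
    #     --profile {{ oscap_profile }} \
    #     --results {{ scan_results }} \
    #     /usr/share/xml/scap/ssg/content/{{ oscap_policy }}.xml
    #   ignore_errors: yes
    #   tags:
    #     - oscap
    # - name: Upload scan results to cloud.redhat.com
    #   command: insights-client \
    #     --verbose --payload {{ scan_results }} \
    #     --content-type application/vnd.redhat.compliance.something+tgz
    #   tags:
    #     - oscap
    # - name: Create Remediation Template
    #   tower_job_template:
    #     name: "Remediation with Red Hat Management Solutions"
    #     job_type: "check"
    #     inventory: "AOT Demo Inventory"
    #     project: "Insights Project"
    #     playbook: "aotdemoplaybook-b6960902-acd5-46b0-b32c-f1b84fa34d1f.yml"
    #     credential: "Machine SSH Credential"
    #     state: "present"
    #     tower_username: "{{ towuser }}"
    #     tower_password: "{{ towpass }}"
    #     tower_host: https://localhost
    #     validate_certs: no
    #   when: "{{ rhnuser }}" == "destinasia"
    #   run_once: true
    #   delegate_to: localhost
    #   tags:
    #     - template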