Resolve linting failures for install/elk.yml
Resolves linting issues: * [ANSIBLE0006] curl used in place of get_url or uri module * [ANSIBLE0013] Use shell only when shell functionality is required * [ANSIBLE0012] Commands should not change things if nothing needs doing * [ANSIBLE0010] Package installs should not use latest Executed via: ansible-lint ansible/install/elk.yml Change-Id: I0cfff457fa1e2aa770f532d761452279ee2bd10c
parent
8a052006f8
commit
127f342e97
@ -103,6 +103,10 @@
|
||||
shell: systemctl restart iptables.service
|
||||
ignore_errors: true
|
||||
when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and es_listen_external
|
||||
tags:
|
||||
# Skip ANSIBLE0013 Use shell only when shell functionality is required
|
||||
# No systemctl module available in current stable release (Ansible 2.1)
|
||||
- skip_ansible_lint
|
||||
|
||||
# Firewalld
|
||||
- name: Determine if firewalld is in use
|
||||
|
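Review bot: The `skip_ansible_lint` tag added to the iptables restart task turns off every lint rule for that task, not only ANSIBLE0013, so any later regression in it will go unreported. The restart does not need a shell at all: `service: name=iptables state=restarted` should do the same job and pass the rule without a skip. The same tag is added to the read-only probe tasks in the later sections for ANSIBLE0012, where `changed_when: false` would satisfy the rule directly and keep the change report accurate. The hunk ends inside the following "Determine if firewalld is in use" task, which continues outside it.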
@ -13,7 +13,8 @@
|
||||
become: true
|
||||
|
||||
- name: Import fluentd GPG Key
|
||||
rpm_key: key=https://packages.treasuredata.com/GPG-KEY-td-agent
|
||||
rpm_key:
|
||||
key=https://packages.treasuredata.com/GPG-KEY-td-agent
|
||||
state=present
|
||||
|
||||
- name: Install fluentd
|
||||
@ -44,18 +45,30 @@
|
||||
ignore_errors: true
|
||||
register: firewalld_in_use
|
||||
no_log: true
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
# Actually need to determine if firewalld is in use.
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: Determine if firewalld is active
|
||||
shell: systemctl is-active firewalld.service | grep -vq inactive
|
||||
ignore_errors: true
|
||||
register: firewalld_is_active
|
||||
no_log: true
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
# Need to know if firewalld is active.
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: Determine if TCP/{{fluentd_syslog_port}} is already active
|
||||
shell: firewall-cmd --list-ports | egrep -q "^{{fluentd_syslog_port}}/tcp"
|
||||
ignore_errors: true
|
||||
register: firewalld_tcp42185_exists
|
||||
no_log: true
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
# Need to determine is port already in use.
|
||||
- skip_ansible_lint
|
||||
|
||||
# add firewall rule via firewall-cmd
|
||||
- name: Add firewall rule for TCP/{{fluentd_syslog_port}} (firewalld)
|
||||
@ -74,6 +87,10 @@
|
||||
register: iptables_tcp42185_exists
|
||||
failed_when: iptables_tcp42185_exists == 127
|
||||
no_log: true
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
# Need to check firewall rules.
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: Add firewall rule for TCP/{{fluentd_syslog_port}} (iptables-services)
|
||||
lineinfile:
|
||||
@ -89,25 +106,20 @@
|
||||
shell: systemctl restart iptables.service
|
||||
ignore_errors: true
|
||||
when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
|
||||
|
||||
# Firewalld
|
||||
- name: Determine if firewalld is in use
|
||||
shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
|
||||
ignore_errors: true
|
||||
register: firewalld_in_use
|
||||
no_log: true
|
||||
|
||||
- name: Determine if firewalld is active
|
||||
shell: systemctl is-active firewalld.service | grep -vq inactive
|
||||
ignore_errors: true
|
||||
register: firewalld_is_active
|
||||
no_log: true
|
||||
tags:
|
||||
# Skip ANSIBLE0013 Use shell only when shell functionality is required
|
||||
# No systemctl module available in current stable release (Ansible 2.1)
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: Determine if TCP/{{fluentd_http_port}} is already active
|
||||
shell: firewall-cmd --list-ports | egrep -q "^{{fluentd_http_port}}/tcp"
|
||||
ignore_errors: true
|
||||
register: firewalld_tcp9919_exists
|
||||
no_log: true
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
# Need to check if port is already active
|
||||
- skip_ansible_lint
|
||||
|
||||
# add firewall rule via firewall-cmd
|
||||
- name: Add firewall rule for TCP/{{fluentd_http_port}} (firewalld)
|
||||
@ -126,6 +138,10 @@
|
||||
register: iptables_tcp9919_exists
|
||||
failed_when: iptables_tcp9919_exists == 127
|
||||
no_log: true
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
# Need to check if port is already active
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: Add firewall rule for TCP/{{fluentd_http_port}} (iptables-services)
|
||||
lineinfile:
|
||||
@ -141,13 +157,17 @@
|
||||
shell: systemctl restart iptables.service
|
||||
ignore_errors: true
|
||||
when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
|
||||
tags:
|
||||
# Skip ANSIBLE0013 Use shell only when shell functionality is required
|
||||
# No systemctl module available in current stable release (Ansible 2.1)
|
||||
- skip_ansible_lint
|
||||
|
||||
### end firewall settings ###
|
||||
|
||||
- name: Install fluentd elasticsearch plugin
|
||||
gem:
|
||||
name=fluent-plugin-elasticsearch
|
||||
state=latest
|
||||
state=present
|
||||
include_dependencies=yes
|
||||
user_install=no
|
||||
executable=/usr/sbin/td-agent-gem
|
||||
@ -157,27 +177,19 @@
|
||||
- name: Install fluentd beats plugin
|
||||
gem:
|
||||
name=fluent-plugin-beats
|
||||
state=latest
|
||||
state=present
|
||||
include_dependencies=yes
|
||||
user_install=no
|
||||
executable=/usr/sbin/td-agent-gem
|
||||
become: true
|
||||
ignore_errors: false
|
||||
|
||||
- name: Stage filebeat JSON index template
|
||||
copy:
|
||||
src=filebeat-index-template.json
|
||||
dest=/tmp/filebeat-index-template.json
|
||||
owner=root
|
||||
group=root
|
||||
mode=0644
|
||||
become: true
|
||||
|
||||
# note: we can't currently use the Ansible uri module here, curl is a workaround
|
||||
# https://github.com/ansible/ansible-modules-core/issues/265
|
||||
# http://stackoverflow.com/questions/28997007/translate-curl-put-into-ansible-uri-module
|
||||
- name: Load filebeat JSON index template
|
||||
command: curl -XPOST 'http://localhost:9200/_template/filebeat?pretty' -d@/tmp/filebeat-index-template.json
|
||||
uri:
|
||||
url: http://localhost:9200/_template/filebeat?pretty
|
||||
method: POST
|
||||
body: "{{ lookup('file', 'filebeat-index-template.json') }}"
|
||||
body_format: json
|
||||
ignore_errors: true
|
||||
become: true
|
||||
|
||||
|
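Review bot: Switching the two `gem` tasks from `state=latest` to `state=present` silences ANSIBLE0010 but leaves the plugin versions unpinned. The first run installs whatever is current on the gem source and later runs keep it, so hosts built at different times can end up with different plugin code. Adding an explicit `version=<PINNED_VERSION>` (placeholder) to `fluent-plugin-elasticsearch` and `fluent-plugin-beats` would make the install reproducible and reviewable. Separately, the new `uri` task keeps `ignore_errors: true`, apparently inherited from the curl version, so a failed template load will not stop the play; consider registering the result and checking the returned status instead.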
@ -73,9 +73,20 @@
|
||||
ignore_errors: true
|
||||
when: kibana_dashboards_present != 0
|
||||
|
||||
- name: Validate kibana load.sh script is available for use
|
||||
stat:
|
||||
path: /tmp/beats-dashboards-master/load.sh
|
||||
ignore_errors: true
|
||||
register: kibana_dashboards_load_sh_present
|
||||
|
||||
- name: Configure kibana filebeat dashboards
|
||||
shell: sh /tmp/beats-dashboards-master/load.sh -url "http://localhost:9200" -user "admin:admin"
|
||||
ignore_errors: true
|
||||
when: kibana_dashboards_load_sh_present != 0
|
||||
tags:
|
||||
# Skip ANSIBLE0013 Use shell only when shell functionality is required
|
||||
# Shell required here during script execution
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: Check kibana users
|
||||
stat: path=/etc/nginx/htpasswd.users
|
||||
|
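Review bot: The new guard `when: kibana_dashboards_load_sh_present != 0` compares the whole registered `stat` result with 0, which is always true, so the load task still runs when the script is missing. Test the field the module returns instead: `when: kibana_dashboards_load_sh_present.stat.exists`. The guard matters here because the guarded task executes a script from `/tmp` and passes `admin:admin` on the command line. That task is context in this hunk, but a `no_log: true` on it and a non-default credential taken from a variable are worth adding while the task is being touched.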
@ -64,15 +64,6 @@
|
||||
mode=0644
|
||||
become: true
|
||||
|
||||
- name: Stage filebeat JSON index template
|
||||
copy:
|
||||
src=filebeat-index-template.json
|
||||
dest=/tmp/filebeat-index-template.json
|
||||
owner=root
|
||||
group=root
|
||||
mode=0644
|
||||
become: true
|
||||
|
||||
- name: Load OpenSSL CA Extended Configuration
|
||||
template:
|
||||
src=openssl_extras.cnf.j2
|
||||
@ -86,6 +77,10 @@
|
||||
shell: grep "{{ ansible_default_ipv4.address }}" /etc/pki/tls/openssl.cnf | wc -l
|
||||
ignore_errors: true
|
||||
register: subjectAltName_exists
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
# Need to understand if an entry exists
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: Add OpenSSL SANs (SubjectAltName) entry for CA
|
||||
lineinfile:
|
||||
@ -96,11 +91,12 @@
|
||||
backup: yes
|
||||
when: subjectAltName_exists.stdout|int == 0
|
||||
|
||||
# note: we can't currently use the Ansible uri module here, curl is a workaround
|
||||
# https://github.com/ansible/ansible-modules-core/issues/265
|
||||
# http://stackoverflow.com/questions/28997007/translate-curl-put-into-ansible-uri-module
|
||||
- name: Load filebeat JSON index template
|
||||
command: curl -XPOST 'http://localhost:9200/_template/filebeat?pretty' -d@/tmp/filebeat-index-template.json
|
||||
uri:
|
||||
url: http://localhost:9200/_template/filebeat?pretty
|
||||
method: post
|
||||
body: "{{ lookups('file', 'filebeat-index-template.json') }}"
|
||||
body_format: json
|
||||
ignore_errors: true
|
||||
become: true
|
||||
|
||||
@ -118,16 +114,28 @@
|
||||
shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
|
||||
ignore_errors: true
|
||||
register: firewalld_in_use
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
# Check if firewall is enabled
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: Determine if firewalld is active
|
||||
shell: systemctl is-active firewalld.service | grep -vq inactive
|
||||
ignore_errors: true
|
||||
register: firewalld_is_active
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
# Check if firewall is active
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: Determine if TCP/{{logstash_syslog_port}} is already active
|
||||
shell: firewall-cmd --list-ports | egrep -q "^{{logstash_syslog_port}}/tcp"
|
||||
ignore_errors: true
|
||||
register: firewalld_tcp{{logstash_syslog_port}}_exists
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
# Need to validate if port already configured
|
||||
- skip_ansible_lint
|
||||
|
||||
# add firewall rule via firewall-cmd
|
||||
- name: Add firewall rule for TCP/{{logstash_syslog_port}} (firewalld)
|
||||
@ -145,6 +153,10 @@
|
||||
ignore_errors: true
|
||||
register: iptables_tcp5044_exists
|
||||
failed_when: iptables_tcp{{logstash_syslog_port}}_exists == 127
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
# Need to validate if port already configured
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: Add firewall rule for TCP/{{logstash_syslog_port}} (iptables-services)
|
||||
lineinfile:
|
||||
@ -160,3 +172,7 @@
|
||||
shell: systemctl restart iptables.service
|
||||
ignore_errors: true
|
||||
when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
|
||||
tags:
|
||||
# Skip ANSIBLE0013 Use shell only when shell functionality is required
|
||||
# No systemctl module available in current stable release (Ansible 2.1)
|
||||
- skip_ansible_lint
|
||||
|
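Review bot: In the new `uri` task the body is written as `lookups('file', ...)`, which is not an Ansible lookup call, so templating the task should fail. Because the task carries `ignore_errors: true`, that failure would most likely be reported and skipped rather than stopping the play, leaving the filebeat index template unloaded. Use the spelling from the fluentd section: `body: "{{ lookup('file', 'filebeat-index-template.json') }}"`. `method: post` is also lowercase here while the fluentd copy uses `POST`; the uppercase form is the safer choice. The context lines `register: firewalld_tcp{{logstash_syslog_port}}_exists` and `failed_when: iptables_tcp{{logstash_syslog_port}}_exists == 127` template a variable name, which does not look like it can resolve to the registered `iptables_tcp5044_exists`, and would be worth a follow-up.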
@ -49,9 +49,19 @@
|
||||
ignore_errors: true
|
||||
when: nginx_needs_restart != 0
|
||||
|
||||
- name: Check if nginx is in use
|
||||
shell: systemctl is-enabled nginx.service | egrep -qv 'masked|disabled'
|
||||
register: nginx_in_use
|
||||
ignore_errors: yes
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
# Determine if nginx is enabled
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: Set nginx to start on boot
|
||||
command: systemctl enable nginx.service
|
||||
ignore_errors: true
|
||||
when: nginx_in_use.rc != 0
|
||||
|
||||
# we need TCP/80 and TCP/8080 open
|
||||
# determine firewall status and take action
|
||||
@ -64,18 +74,30 @@
|
||||
ignore_errors: true
|
||||
register: firewalld_in_use
|
||||
no_log: true
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
# Need to check if firewall is active
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: Determine if firewalld is active
|
||||
shell: systemctl is-active firewalld.service | grep -vq inactive
|
||||
ignore_errors: true
|
||||
register: firewalld_is_active
|
||||
no_log: true
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
# Need to check if firewall is active
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: Determine if TCP/{{nginx_kibana_port}} is already active
|
||||
shell: firewall-cmd --list-ports | egrep -q "^{{nginx_kibana_port}}/tcp"
|
||||
ignore_errors: true
|
||||
register: firewalld_tcp80_exists
|
||||
no_log: true
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
# Need to check if firewall rule already exists
|
||||
- skip_ansible_lint
|
||||
|
||||
# add firewall rule via firewall-cmd
|
||||
- name: Add firewall rule for TCP/{{nginx_kibana_port}} (firewalld)
|
||||
@ -94,6 +116,10 @@
|
||||
register: iptables_tcp80_exists
|
||||
failed_when: iptables_tcp80_exists == 127
|
||||
no_log: true
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
# Need to check if firewall rule already exists
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: Add firewall rule for TCP/{{nginx_kibana_port}} (iptables-services)
|
||||
lineinfile:
|
||||
@ -109,6 +135,10 @@
|
||||
shell: systemctl restart iptables.service
|
||||
ignore_errors: true
|
||||
when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
|
||||
tags:
|
||||
# Skip ANSIBLE0013 Use shell only when shell functionality is required
|
||||
# No systemctl module available in current stable release (Ansible 2.1)
|
||||
- skip_ansible_lint
|
||||
|
||||
# Firewalld
|
||||
- name: Determine if firewalld is in use
|
||||
@ -116,18 +146,30 @@
|
||||
ignore_errors: true
|
||||
register: firewalld_in_use
|
||||
no_log: true
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
# Need to check if firewall is active
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: Determine if firewalld is active
|
||||
shell: systemctl is-active firewalld.service | grep -vq inactive
|
||||
ignore_errors: true
|
||||
register: firewalld_is_active
|
||||
no_log: true
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
# Need to check if firewall is active
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: Determine if TCP/{{elk_server_ssl_cert_port}} is already active
|
||||
shell: firewall-cmd --list-ports | egrep -q "^{{elk_server_ssl_cert_port}}/tcp"
|
||||
ignore_errors: true
|
||||
register: firewalld_tcp8080_exists
|
||||
no_log: true
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
# Need to check if firewall rule already exists
|
||||
- skip_ansible_lint
|
||||
|
||||
# add firewall rule via firewall-cmd
|
||||
- name: Add firewall rule for TCP/{{elk_server_ssl_cert_port}} (firewalld)
|
||||
@ -146,6 +188,10 @@
|
||||
register: iptables_tcp8080_exists
|
||||
failed_when: iptables_tcp8080_exists == 127
|
||||
no_log: true
|
||||
tags:
|
||||
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
||||
# Need to check if firewall rule already exists
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: Add firewall rule for TCP/{{elk_server_ssl_cert_port}} (iptables-services)
|
||||
lineinfile:
|
||||
@ -161,4 +207,7 @@
|
||||
shell: systemctl restart iptables.service
|
||||
ignore_errors: true
|
||||
when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
|
||||
|
||||
tags:
|
||||
# Skip ANSIBLE0013 Use shell only when shell functionality is required
|
||||
# No systemctl module available in current stable release (Ansible 2.1)
|
||||
- skip_ansible_lint
|
||||
|
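Review bot: The new "Check if nginx is in use" probe and `when: nginx_in_use.rc != 0` exist only to make `command: systemctl enable nginx.service` conditional. `service: name=nginx enabled=yes` is idempotent on its own and would remove the shell probe, the lint skip and both `ignore_errors` lines. As written, the registered `rc` is that of `egrep` at the end of the pipe, so a failure of `systemctl` itself (for example the unit not being installed) cannot be told apart from a disabled unit. The probe also writes `ignore_errors: yes` where the surrounding tasks use `true`.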