Updates for upcoming training

Change AMI to use Debian; abstracted domain handling, abstracted login key for initial user

README.md

@@ -63,7 +63,7 @@ To set up the environment for ansible the first time:
 
 ```
 git clone https://github.internet2.edu/skoranda/comanage-registry-training-ansible.git
-cd comanage-registry-training-deployment
+cd comanage-registry-training-ansible
 python3 -m venv .
 source bin/activate
 pip install --upgrade pip

group_vars/all.yml

@@ -5,11 +5,11 @@
 # ansible-vault encrypt_string 'THE_PASSWORD' --name 'comanage_training_password'
 comanage_training_password: !vault |
           $ANSIBLE_VAULT;1.1;AES256
-          31636362373339666232313164373435343362373936613838393035663732623533616238373564
-          3637653337636564616131663831346531363033396266330a613162666636666235333135383631
-          64633832633837363263653462306361636338643964326531393133643063353738626165613132
-          6462336164333237340a393062353239306564303838366264636230643136393033623064343661
-          6431
+          32313732343132636531663538353439663964333130616633663761313336636663323938396566
+          6539353462616330626235646530626662333630613635340a323230333133326232326630396263
+          64383336316234656364666630396362313563346364383735303131323266326465623531373637
+          3138373937323761360a323138383436353439633031306438373766303763643630643263356530
+          3638
 
 # It should not be necessary to change the password salt.
 comanage_training_password_salt: !vault |
@@ -22,12 +22,15 @@ comanage_training_password_salt: !vault |
 
 comanage_training_region: "us-west-2"
 
-r53_hosted_zone: incommon.training
+r53_hosted_zone: scgvm.org
 r53_dns_domain: "comanage.{{ r53_hosted_zone }}"
 
+# key for ssh-ing into training nodes
+training_node_ssh_key_name: "AWS_oregon_SCG_training"
+
 # The full ARN for an X.509 wildcard certificate provisioned by the
 # AWS Certificate Manager for domain *.comanage.incommong.training
-aws_cert_manager_cert_arn: "arn:aws:acm:us-west-2:626413038627:certificate/162508f9-f5e4-479d-bdb8-f614d8a7ccb0"
+aws_cert_manager_cert_arn: "arn:aws:acm:us-west-2:886593122405:certificate/317c209f-5552-453a-bb8b-764d65456623"
 
 vpc_cidr_block: 192.168.0.0/16
 
@@ -46,34 +49,34 @@ vpc_availability_zone:
         bastion_hostname: ssh-b
 
 ssh_bastion_instance_type: t2.nano
-# Most current CentOS 7 x86_64, see https://wiki.centos.org/Cloud/AWS#Finding_AMI_ids
-ssh_bastion_ami_id: ami-0a4497cbe959da512
-ssh_bastion_user: centos
-ssh_bastion_device_name: /dev/sda1
+# Most current Debian AMD x86_64, see https://wiki.debian.org/Cloud/AmazonEC2Image/
+ssh_bastion_ami_id: ami-07fd151b9eb3b7264
+ssh_bastion_user: admin
+ssh_bastion_device_name: /dev/xvda
 ssh_bastion_volume_type: gp2
 ssh_bastion_volume_size: 10
 
 idp_node_instance_type: t2.small
-# Most current CentOS 7 x86_64, see https://wiki.centos.org/Cloud/AWS#Finding_AMI_ids
-idp_node_ami_id: ami-0a4497cbe959da512
-idp_node_user: centos
-idp_node_device_name: /dev/sda1
+# Most current Debian AMD x86_64, see https://wiki.debian.org/Cloud/AmazonEC2Image/
+idp_node_ami_id: ami-07fd151b9eb3b7264
+idp_node_user: admin
+idp_node_device_name: /dev/xvda
 idp_node_volume_type: gp2
 idp_node_volume_size: 20
 
 training_node_count: 2
 
 training_node_instance_type: t2.small
-# Most current CentOS 7 x86_64, see https://wiki.centos.org/Cloud/AWS#Finding_AMI_ids
-training_node_ami_id: ami-0a4497cbe959da512
-training_node_user: centos
-training_node_device_name: /dev/sda1
+# Most current Debian AMD x86_64, see https://wiki.debian.org/Cloud/AmazonEC2Image/
+training_node_ami_id: ami-07fd151b9eb3b7264 
+training_node_user: admin
+training_node_device_name: /dev/xvda
 training_node_volume_type: gp2
 training_node_volume_size: 20
 
 # Docker version
-docker_ce_package_version: "5:20.10.5~3-0~debian-buster"
-docker_ce_cli_package_version: "5:20.10.5~3-0~debian-buster"
-containerd_io_package_version: "1.4.3-1"
+docker_ce_package_version: "5:20.10.8~3-0~debian-bullseye"
+docker_ce_cli_package_version: "5:20.10.8~3-0~debian-bullseye"
+containerd_io_package_version: "1.4.9-1"
 
 

idp_node.yml

@@ -27,7 +27,7 @@
 
     - name: Provision COmanage IdP node
       amazon.aws.ec2:
-        key_name: AWS-Trng-1
+        key_name: "{{ training_node_ssh_key_name }}"
         group_id: "{{ idp_node_sg.group_id }}"
         instance_type: "{{ idp_node_instance_type }}"
         image: "{{ idp_node_ami_id }}"

roles/common/tasks/users.yml

@@ -33,7 +33,7 @@
       shell: /bin/bash
       group: trainers
       append: yes
-      groups: wheel
+      groups: sudo
 
   - name: Scott Koranda authorized ssh key
     authorized_key:
@@ -50,7 +50,7 @@
       shell: /bin/bash
       group: trainers
       append: yes
-      groups: wheel
+      groups: sudo
 
   - name: Shayna Atkinson authorized ssh key
     authorized_key:
@@ -67,7 +67,7 @@
       shell: /bin/bash
       group: trainers
       append: yes
-      groups: wheel
+      groups: sudo
 
   - name: Laura Paglione authorized ssh key
     authorized_key:

roles/idp/templates/registry-metadata.xml

@@ -60,7 +60,7 @@ E+M/1FURO5+w6Q0wIjoraFRnfrBrIKCozNssAvbClcwHuiFuNX8hUmGBnbs7i6KX
 {% for myindex in range(1, lookup('vars', 'training_node_count') + 1, 1) | list %}
             <AssertionConsumerService 
                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
-                Location="https://registry{{ myindex }}.comanage.incommon.training/Shibboleth.sso/SAML2/POST" 
+		Location="https://registry{{ myindex }}.{{ r53_dns_domain }}/Shibboleth.sso/SAML2/POST" 
                 index="{{ myindex }}"/>
 {% endfor %}
 

roles/swarm/tasks/main.yml

@@ -9,6 +9,11 @@
     notify:
       - reload systemd-journald
 
+  - name: Install gnupg2
+    apt:
+      name: gnupg2
+      update_cache: yes
+
   - name: Add Docker CE repository key
     apt_key:
       url: https://download.docker.com/linux/debian/gpg

roles/training/files/comanage-registry-stack.yml

@@ -21,7 +21,7 @@ services:
                 tag: "mariadb-{{.Name}}"
 
     registry:
-        image: i2incommon/comanage-registry:3.3.2-20210313
+        image: i2incommon/comanage-registry:3.3.4-20210712
         volumes:
             - /srv/docker/srv/comanage-registry/local:/srv/comanage-registry/local
             - /srv/docker/etc/shibboleth/shibboleth2.xml:/etc/shibboleth/shibboleth2.xml
@@ -66,7 +66,7 @@ services:
                 tag: "registry_{{.Name}}"
 
     cron:
-        image: i2incommon/comanage-registry-cron:3.3.2-20210309
+        image: i2incommon/comanage-registry-cron:3.3.4-20210712
         volumes:
             - /srv/docker/srv/comanage-registry/local:/srv/comanage-registry/local
         environment:
@@ -80,7 +80,7 @@ services:
                 tag: "cron_{{.Name}}"
 
     ldap:
-        image: sphericalcowgroup/comanage-registry-slapd:4
+        image: sphericalcowgroup/comanage-registry-slapd:5
         command: ["slapd", "-d", "256", "-h", "ldapi:/// ldap:///", "-u", "openldap", "-g", "openldap"]
         volumes:
             - /srv/docker/var/lib/ldap:/var/lib/ldap

roles/training/tasks/main.yml

@@ -136,7 +136,14 @@
     loop:
       - shibboleth2.xml
       - attribute-map.xml
-      - idp-metadata.xml
+
+  - name: Copy Shibboleth SP metadata file
+    template:
+      src: idp-metadata.xml
+      dest: "/srv/docker/etc/shibboleth/idp-metadata.xml"
+      owner: root
+      group: root
+      mode: '0644'
 
   - name: Copy Apache configuration file
     template:

roles/training/files/idp-metadata.xml → roles/training/templates/idp-metadata.xml

@@ -52,7 +52,7 @@ tWc0EHubiXGtYVs77EhA7wLWh8S6rv2dHCF3PZiYmRjT
 
         <SingleSignOnService
                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-                Location="https://login.comanage.incommon.training/idp/profile/SAML2/Redirect/SSO"/>
+		Location="https://login.{{ r53_dns_domain }}/idp/profile/SAML2/Redirect/SSO"/>
     </IDPSSODescriptor>
 
     <Organization>

ssh_bastion.yml

@@ -24,7 +24,7 @@
     # For each public subnet, build a bastion host
     - name: Provision SSH bastion hosts
       amazon.aws.ec2:
-        key_name: AWS-Trng-1
+        key_name: "{{ training_node_ssh_key_name }}"
         group_id: "{{ bastion_ssh_security_group.group_id }}"
         instance_type: "{{ ssh_bastion_instance_type }}"
         image: "{{ ssh_bastion_ami_id }}"

training_nodes.yml

@@ -31,7 +31,7 @@
 
     - name: Provision COmanage training nodes
       ec2:
-        key_name: AWS-Trng-1
+        key_name: "{{ training_node_ssh_key_name }}"
         group_id: "{{ training_node_sg.group_id }}"
         instance_type: "{{ training_node_instance_type }}"
         image: "{{ training_node_ami_id }}"

vpc.yml

@@ -71,15 +71,18 @@
           - dest: 0.0.0.0/0
             gateway_id: igw
 
-    - name: NAT gateway for public subnet
+    - name: NAT gateway for public subnet A
       community.aws.ec2_vpc_nat_gateway:
         region: "{{ comanage_training_region }}"
         state: present
         subnet_id: "{{ item.subnet.id }}"
+        eip_address:  "{{ (subnet_index == 0) | ternary( '18.236.23.61', '34.211.214.32') }}"
         if_exist_do_not_create: yes
         wait: yes
       register: nat_gateway
       loop: "{{ subnet_public.results }}"
+      loop_control:
+         index_var: subnet_index
 
     - name: List NAT GW information
       debug: