diff --git a/README.md b/README.md
index 30d670d..12ee327 100644
--- a/README.md
+++ b/README.md
@@ -63,7 +63,7 @@ To set up the environment for ansible the first time:
```
git clone https://github.internet2.edu/skoranda/comanage-registry-training-ansible.git
-cd comanage-registry-training-deployment
+cd comanage-registry-training-ansible
python3 -m venv .
source bin/activate
pip install --upgrade pip
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 5fd76b0..9652239 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -5,11 +5,11 @@
# ansible-vault encrypt_string 'THE_PASSWORD' --name 'comanage_training_password'
comanage_training_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
- 31636362373339666232313164373435343362373936613838393035663732623533616238373564
- 3637653337636564616131663831346531363033396266330a613162666636666235333135383631
- 64633832633837363263653462306361636338643964326531393133643063353738626165613132
- 6462336164333237340a393062353239306564303838366264636230643136393033623064343661
- 6431
+ 32313732343132636531663538353439663964333130616633663761313336636663323938396566
+ 6539353462616330626235646530626662333630613635340a323230333133326232326630396263
+ 64383336316234656364666630396362313563346364383735303131323266326465623531373637
+ 3138373937323761360a323138383436353439633031306438373766303763643630643263356530
+ 3638
# It should not be necessary to change the password salt.
comanage_training_password_salt: !vault |
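Review bot: The recipe in the comment at the top of this hunk, `ansible-vault encrypt_string 'THE_PASSWORD' --name 'comanage_training_password'`, puts the plaintext password into the shell history of whoever rotates it, which is presumably how the new ciphertext below was produced. Prefer `# ansible-vault encrypt_string --stdin-name 'comanage_training_password'` and type or pipe the password in, so no plaintext lands in history or `ps` output. Note also that the replaced ciphertext stays in git history and is decryptable by anyone holding the same vault password, so this rotation only helps if the old training password is actually retired on the running nodes and the vault password itself is not the thing that leaked.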
@@ -22,12 +22,15 @@ comanage_training_password_salt: !vault |
comanage_training_region: "us-west-2"
-r53_hosted_zone: incommon.training
+r53_hosted_zone: scgvm.org
r53_dns_domain: "comanage.{{ r53_hosted_zone }}"
+# key for ssh-ing into training nodes
+training_node_ssh_key_name: "AWS_oregon_SCG_training"
+
# The full ARN for an X.509 wildcard certificate provisioned by the
# AWS Certificate Manager for domain *.comanage.incommong.training
-aws_cert_manager_cert_arn: "arn:aws:acm:us-west-2:626413038627:certificate/162508f9-f5e4-479d-bdb8-f614d8a7ccb0"
+aws_cert_manager_cert_arn: "arn:aws:acm:us-west-2:886593122405:certificate/317c209f-5552-453a-bb8b-764d65456623"
vpc_cidr_block: 192.168.0.0/16
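Review bot: The comment above `aws_cert_manager_cert_arn` still reads `for domain *.comanage.incommong.training` while this hunk moves the hosted zone to `scgvm.org` and the certificate ARN to a different AWS account, so the comment now documents neither the domain nor the account the ARN belongs to (and keeps the `incommong` typo). I would change it to `# provisioned by the AWS Certificate Manager for domain *.{{ r53_dns_domain }}` so it tracks the variable instead of a literal. The new `training_node_ssh_key_name` comment says the key is for the training nodes, but the same commit feeds it to the bastion and IdP provisioning as well (`ssh_bastion.yml`, `idp_node.yml`); `# EC2 key pair used for the bastion, IdP and training nodes` would be accurate, and sharing one key pair across the internet-facing bastion and the internal tiers deserves a deliberate note rather than an incidental one.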
@@ -46,34 +49,34 @@ vpc_availability_zone:
bastion_hostname: ssh-b
ssh_bastion_instance_type: t2.nano
-# Most current CentOS 7 x86_64, see https://wiki.centos.org/Cloud/AWS#Finding_AMI_ids
-ssh_bastion_ami_id: ami-0a4497cbe959da512
-ssh_bastion_user: centos
-ssh_bastion_device_name: /dev/sda1
+# Most current Debian AMD x86_64, see https://wiki.debian.org/Cloud/AmazonEC2Image/
+ssh_bastion_ami_id: ami-07fd151b9eb3b7264
+ssh_bastion_user: admin
+ssh_bastion_device_name: /dev/xvda
ssh_bastion_volume_type: gp2
ssh_bastion_volume_size: 10
idp_node_instance_type: t2.small
-# Most current CentOS 7 x86_64, see https://wiki.centos.org/Cloud/AWS#Finding_AMI_ids
-idp_node_ami_id: ami-0a4497cbe959da512
-idp_node_user: centos
-idp_node_device_name: /dev/sda1
+# Most current Debian AMD x86_64, see https://wiki.debian.org/Cloud/AmazonEC2Image/
+idp_node_ami_id: ami-07fd151b9eb3b7264
+idp_node_user: admin
+idp_node_device_name: /dev/xvda
idp_node_volume_type: gp2
idp_node_volume_size: 20
training_node_count: 2
training_node_instance_type: t2.small
-# Most current CentOS 7 x86_64, see https://wiki.centos.org/Cloud/AWS#Finding_AMI_ids
-training_node_ami_id: ami-0a4497cbe959da512
-training_node_user: centos
-training_node_device_name: /dev/sda1
+# Most current Debian AMD x86_64, see https://wiki.debian.org/Cloud/AmazonEC2Image/
+training_node_ami_id: ami-07fd151b9eb3b7264
+training_node_user: admin
+training_node_device_name: /dev/xvda
training_node_volume_type: gp2
training_node_volume_size: 20
# Docker version
-docker_ce_package_version: "5:20.10.5~3-0~debian-buster"
-docker_ce_cli_package_version: "5:20.10.5~3-0~debian-buster"
-containerd_io_package_version: "1.4.3-1"
+docker_ce_package_version: "5:20.10.8~3-0~debian-bullseye"
+docker_ce_cli_package_version: "5:20.10.8~3-0~debian-bullseye"
+containerd_io_package_version: "1.4.9-1"
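Review bot: The three `*_ami_id` values are one and the same bare AMI ID, commented only as `Most current Debian`, while the Docker package pins on the last lines are built for `debian-bullseye`; nothing in the file records which Debian release the AMI is, so a future AMI refresh can silently mismatch the apt suite. State the release in the comment, e.g. `# Debian 11 (bullseye) amd64; must match the debian-bullseye Docker package pins below`, and consider a single `debian_ami_id` that the three role variables reference so they cannot drift apart. A bare AMI ID also proves nothing about provenance; resolving it at run time with `amazon.aws.ec2_ami_info` filtered on the Debian project's owner account, or at least recording the owner account next to the ID, would make the image trust explicit.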
diff --git a/idp_node.yml b/idp_node.yml
index 4fa0509..ec9b4f3 100644
--- a/idp_node.yml
+++ b/idp_node.yml
@@ -27,7 +27,7 @@
- name: Provision COmanage IdP node
amazon.aws.ec2:
- key_name: AWS-Trng-1
+ key_name: "{{ training_node_ssh_key_name }}"
group_id: "{{ idp_node_sg.group_id }}"
instance_type: "{{ idp_node_instance_type }}"
image: "{{ idp_node_ami_id }}"
diff --git a/roles/common/tasks/users.yml b/roles/common/tasks/users.yml
index 2526c20..18d5283 100644
--- a/roles/common/tasks/users.yml
+++ b/roles/common/tasks/users.yml
@@ -33,7 +33,7 @@
shell: /bin/bash
group: trainers
append: yes
- groups: wheel
+ groups: sudo
- name: Scott Koranda authorized ssh key
authorized_key:
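Review bot: Switching the supplementary group from `wheel` to `sudo` is the right group name for Debian, but the Debian default sudoers rule for `%sudo` prompts for the account's password, whereas the cloud image's `admin` user gets passwordless sudo; if these trainer accounts are created with SSH keys only and no `password` (the `user:` task starts above this hunk, so I cannot see it), sudo will fail for them at the prompt. Either set a password or ship a sudoers drop-in for the `trainers` group, and document the choice with a comment such as `# Debian: members of 'sudo' get root via /etc/sudoers; trainer accounts need a password or a NOPASSWD drop-in`. The group name is now Debian-specific as well; a `sudo_group` variable in group_vars would keep the role portable if the AMI changes again.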
@@ -50,7 +50,7 @@
shell: /bin/bash
group: trainers
append: yes
- groups: wheel
+ groups: sudo
- name: Shayna Atkinson authorized ssh key
authorized_key:
@@ -67,7 +67,7 @@
shell: /bin/bash
group: trainers
append: yes
- groups: wheel
+ groups: sudo
- name: Laura Paglione authorized ssh key
authorized_key:
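Review bot: This is the third near-identical user task in the file that carries the same hard-coded `groups: sudo` (the other two are changed in the hunks above), so the CentOS-to-Debian switch had to be applied three times and any future change to trainer privileges will too. Replacing the three `user:`/`authorized_key:` pairs with one task looping over a `trainers` list of `{name, key}` entries, with the group read from a single variable such as `groups: "{{ sudo_group }}"`, would make the privilege grant visible in one place. The enclosing task for Laura Paglione continues past the hunk.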
diff --git a/roles/idp/templates/registry-metadata.xml b/roles/idp/templates/registry-metadata.xml
index 705ab46..8352796 100644
--- a/roles/idp/templates/registry-metadata.xml
+++ b/roles/idp/templates/registry-metadata.xml
@@ -60,7 +60,7 @@ E+M/1FURO5+w6Q0wIjoraFRnfrBrIKCozNssAvbClcwHuiFuNX8hUmGBnbs7i6KX
{% for myindex in range(1, lookup('vars', 'training_node_count') + 1, 1) | list %}
{% endfor %}
diff --git a/roles/swarm/tasks/main.yml b/roles/swarm/tasks/main.yml
index a421dba..c071fb9 100644
--- a/roles/swarm/tasks/main.yml
+++ b/roles/swarm/tasks/main.yml
@@ -9,6 +9,11 @@
notify:
- reload systemd-journald
+ - name: Install gnupg2
+ apt:
+ name: gnupg2
+ update_cache: yes
+
- name: Add Docker CE repository key
apt_key:
url: https://download.docker.com/linux/debian/gpg
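Review bot: `apt_key` with `url:` imports whatever key the download returns into the host-wide trusted keyring, with no fingerprint check visible in the hunk, and that keyring then vouches for every repository on the host (the task may continue past the hunk's last line). At minimum add the `id:` parameter with Docker's published key fingerprint so a substituted key is rejected; on bullseye `apt-key` is deprecated, so the better fix is to fetch the key into `/etc/apt/keyrings/docker.gpg` with `get_url` and reference it from the repository entry via `signed-by=`. The new `gnupg2` install exists only to support `apt-key` and disappears with that change; if it stays, use `update_cache: true` rather than `yes`.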
diff --git a/roles/training/files/comanage-registry-stack.yml b/roles/training/files/comanage-registry-stack.yml
index 56bcc67..1b4d5f0 100644
--- a/roles/training/files/comanage-registry-stack.yml
+++ b/roles/training/files/comanage-registry-stack.yml
@@ -21,7 +21,7 @@ services:
tag: "mariadb-{{.Name}}"
registry:
- image: i2incommon/comanage-registry:3.3.2-20210313
+ image: i2incommon/comanage-registry:3.3.4-20210712
volumes:
- /srv/docker/srv/comanage-registry/local:/srv/comanage-registry/local
- /srv/docker/etc/shibboleth/shibboleth2.xml:/etc/shibboleth/shibboleth2.xml
@@ -66,7 +66,7 @@ services:
tag: "registry_{{.Name}}"
cron:
- image: i2incommon/comanage-registry-cron:3.3.2-20210309
+ image: i2incommon/comanage-registry-cron:3.3.4-20210712
volumes:
- /srv/docker/srv/comanage-registry/local:/srv/comanage-registry/local
environment:
@@ -80,7 +80,7 @@ services:
tag: "cron_{{.Name}}"
ldap:
- image: sphericalcowgroup/comanage-registry-slapd:4
+ image: sphericalcowgroup/comanage-registry-slapd:5
command: ["slapd", "-d", "256", "-h", "ldapi:/// ldap:///", "-u", "openldap", "-g", "openldap"]
volumes:
- /srv/docker/var/lib/ldap:/var/lib/ldap
diff --git a/roles/training/tasks/main.yml b/roles/training/tasks/main.yml
index 1054a98..9248c0e 100644
--- a/roles/training/tasks/main.yml
+++ b/roles/training/tasks/main.yml
@@ -136,7 +136,14 @@
loop:
- shibboleth2.xml
- attribute-map.xml
- - idp-metadata.xml
+
+ - name: Copy Shibboleth SP metadata file
+ template:
+ src: idp-metadata.xml
+ dest: "/srv/docker/etc/shibboleth/idp-metadata.xml"
+ owner: root
+ group: root
+ mode: '0644'
- name: Copy Apache configuration file
template:
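Review bot: The new task is named `Copy Shibboleth SP metadata file`, but the file it renders is `idp-metadata.xml`, which in this commit carries the IdP's `SAML2/Redirect/SSO` endpoint, i.e. the IdP metadata that the SP consumes; rename it to `Template Shibboleth IdP metadata file`. Since this local file is presumably loaded by the SP without signature validation, `r53_dns_domain` now decides which host the SP sends users to for authentication, which is worth stating on the task: `# IdP metadata is rendered from group_vars and trusted as-is by the SP; r53_dns_domain must resolve to the real IdP`. The following Apache task begins on the hunk's last line and is cut off.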
diff --git a/roles/training/files/idp-metadata.xml b/roles/training/templates/idp-metadata.xml
similarity index 97%
rename from roles/training/files/idp-metadata.xml
rename to roles/training/templates/idp-metadata.xml
index ac4e87d..93a60af 100644
--- a/roles/training/files/idp-metadata.xml
+++ b/roles/training/templates/idp-metadata.xml
@@ -52,7 +52,7 @@ tWc0EHubiXGtYVs77EhA7wLWh8S6rv2dHCF3PZiYmRjT
+ Location="https://login.{{ r53_dns_domain }}/idp/profile/SAML2/Redirect/SSO"/>
diff --git a/ssh_bastion.yml b/ssh_bastion.yml
index 3f41d2f..536795e 100644
--- a/ssh_bastion.yml
+++ b/ssh_bastion.yml
@@ -24,7 +24,7 @@
# For each public subnet, build a bastion host
- name: Provision SSH bastion hosts
amazon.aws.ec2:
- key_name: AWS-Trng-1
+ key_name: "{{ training_node_ssh_key_name }}"
group_id: "{{ bastion_ssh_security_group.group_id }}"
instance_type: "{{ ssh_bastion_instance_type }}"
image: "{{ ssh_bastion_ami_id }}"
diff --git a/training_nodes.yml b/training_nodes.yml
index b56a7fd..50e71f5 100644
--- a/training_nodes.yml
+++ b/training_nodes.yml
@@ -31,7 +31,7 @@
- name: Provision COmanage training nodes
ec2:
- key_name: AWS-Trng-1
+ key_name: "{{ training_node_ssh_key_name }}"
group_id: "{{ training_node_sg.group_id }}"
instance_type: "{{ training_node_instance_type }}"
image: "{{ training_node_ami_id }}"
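Review bot: This task still uses the short `ec2:` module name while the sibling provisioning tasks touched by the same commit use `amazon.aws.ec2` (`idp_node.yml`, `ssh_bastion.yml`); the legacy `ec2` module is deprecated in the amazon.aws collection and slated for removal, so this is the play that will break first on a collection upgrade. Change it to `amazon.aws.ec2:` to match, or move all three to `amazon.aws.ec2_instance`. The task's remaining parameters continue past the hunk.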
diff --git a/vpc.yml b/vpc.yml
index 39228f4..3605b28 100644
--- a/vpc.yml
+++ b/vpc.yml
@@ -71,15 +71,18 @@
- dest: 0.0.0.0/0
gateway_id: igw
- - name: NAT gateway for public subnet
+ - name: NAT gateway for public subnet A
community.aws.ec2_vpc_nat_gateway:
region: "{{ comanage_training_region }}"
state: present
subnet_id: "{{ item.subnet.id }}"
+ eip_address: "{{ (subnet_index == 0) | ternary( '18.236.23.61', '34.211.214.32') }}"
if_exist_do_not_create: yes
wait: yes
register: nat_gateway
loop: "{{ subnet_public.results }}"
+ loop_control:
+ index_var: subnet_index
- name: List NAT GW information
debug:
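Review bot: The `eip_address` ternary hard-codes two public IPs and maps every `subnet_index` other than 0 to the second one, so a third public subnet in `subnet_public.results` would try to attach the same EIP twice, and the literals bind the play to one AWS account (the same commit moves the ACM certificate to a new account, which is exactly when such values go stale). Move them to a list in group_vars and index it, e.g. `eip_address: "{{ nat_gateway_eip_addresses[subnet_index] }}"`, preceded by an `assert` that the list is at least as long as the public subnet list. The task name was changed to `... public subnet A` although the loop still creates one gateway per public subnet, so the new name under-describes what runs.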