From 96f415e4a439aa47a6d7c2ee2147cff618c8ad6f Mon Sep 17 00:00:00 2001
From: Shayna Atkinson
Date: Tue, 21 Sep 2021 19:12:47 +0000
Subject: [PATCH] Updates for upcoming training
Change AMI to use Debian; abstracted domain handling, abstracted login key for initial user
---
 README.md | 2 +-
 group_vars/all.yml | 47 ++++++++++---------
 idp_node.yml | 2 +-
 roles/common/tasks/users.yml | 6 +-
 roles/idp/templates/registry-metadata.xml | 2 +-
 roles/swarm/tasks/main.yml | 5 ++
 .../files/comanage-registry-stack.yml | 6 +-
 roles/training/tasks/main.yml | 9 +++-
 .../{files => templates}/idp-metadata.xml | 2 +-
 ssh_bastion.yml | 2 +-
 training_nodes.yml | 2 +-
 vpc.yml | 5 +-
 12 files changed, 54 insertions(+), 36 deletions(-)
 rename roles/training/{files => templates}/idp-metadata.xml (97%)
diff --git a/README.md b/README.md
index 30d670d..12ee327 100644
--- a/README.md
+++ b/README.md
@@ -63,7 +63,7 @@ To set up the environment for ansible the first time:
 ```
 git clone https://github.internet2.edu/skoranda/comanage-registry-training-ansible.git
-cd comanage-registry-training-deployment
+cd comanage-registry-training-ansible
 python3 -m venv .
 source bin/activate
 pip install --upgrade pip
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 5fd76b0..9652239 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -5,11 +5,11 @@
 # ansible-vault encrypt_string 'THE_PASSWORD' --name 'comanage_training_password'
 comanage_training_password: !vault |
 $ANSIBLE_VAULT;1.1;AES256
- 31636362373339666232313164373435343362373936613838393035663732623533616238373564
- 3637653337636564616131663831346531363033396266330a613162666636666235333135383631
- 64633832633837363263653462306361636338643964326531393133643063353738626165613132
- 6462336164333237340a393062353239306564303838366264636230643136393033623064343661
- 6431
+ 32313732343132636531663538353439663964333130616633663761313336636663323938396566
+ 6539353462616330626235646530626662333630613635340a323230333133326232326630396263
+ 64383336316234656364666630396362313563346364383735303131323266326465623531373637
+ 3138373937323761360a323138383436353439633031306438373766303763643630643263356530
+ 3638
 # It should not be necessary to change the password salt.
 comanage_training_password_salt: !vault |
@@ -22,12 +22,15 @@ comanage_training_password_salt: !vault |
 comanage_training_region: "us-west-2"
-r53_hosted_zone: incommon.training
+r53_hosted_zone: scgvm.org
 r53_dns_domain: "comanage.{{ r53_hosted_zone }}"
+# key for ssh-ing into training nodes
+training_node_ssh_key_name: "AWS_oregon_SCG_training"
+
 # The full ARN for an X.509 wildcard certificate provisioned by the
 # AWS Certificate Manager for domain *.comanage.incommong.training
-aws_cert_manager_cert_arn: "arn:aws:acm:us-west-2:626413038627:certificate/162508f9-f5e4-479d-bdb8-f614d8a7ccb0"
+aws_cert_manager_cert_arn: "arn:aws:acm:us-west-2:886593122405:certificate/317c209f-5552-453a-bb8b-764d65456623"
 vpc_cidr_block: 192.168.0.0/16
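Review bot: The comment above `aws_cert_manager_cert_arn` still names the old domain (`*.comanage.incommong.training`, also misspelled) while `r53_hosted_zone` two lines up now reads `scgvm.org`, so the second hunk leaves the certificate's documentation contradicting the variable it sits beside. The ARN is bound to one account, region and certificate and has to be re-issued whenever the hosted zone changes, which the comment should say instead of hard-coding a hostname: `# AWS Certificate Manager for the wildcard of r53_dns_domain (currently *.comanage.scgvm.org);` `# re-issue the certificate and update this ARN whenever r53_hosted_zone changes.` The new `training_node_ssh_key_name` comment would likewise be more useful naming the key's role, e.g. `# EC2 key pair used for the AMI's initial login user on every provisioned node` — inferred from the `key_name:` hunks in idp_node.yml, ssh_bastion.yml and training_nodes.yml, so confirm that is the only use.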
@@ -46,34 +49,34 @@ vpc_availability_zone:
 bastion_hostname: ssh-b
 ssh_bastion_instance_type: t2.nano
-# Most current CentOS 7 x86_64, see https://wiki.centos.org/Cloud/AWS#Finding_AMI_ids
-ssh_bastion_ami_id: ami-0a4497cbe959da512
-ssh_bastion_user: centos
-ssh_bastion_device_name: /dev/sda1
+# Most current Debian AMD x86_64, see https://wiki.debian.org/Cloud/AmazonEC2Image/
+ssh_bastion_ami_id: ami-07fd151b9eb3b7264
+ssh_bastion_user: admin
+ssh_bastion_device_name: /dev/xvda
 ssh_bastion_volume_type: gp2
 ssh_bastion_volume_size: 10
 idp_node_instance_type: t2.small
-# Most current CentOS 7 x86_64, see https://wiki.centos.org/Cloud/AWS#Finding_AMI_ids
-idp_node_ami_id: ami-0a4497cbe959da512
-idp_node_user: centos
-idp_node_device_name: /dev/sda1
+# Most current Debian AMD x86_64, see https://wiki.debian.org/Cloud/AmazonEC2Image/
+idp_node_ami_id: ami-07fd151b9eb3b7264
+idp_node_user: admin
+idp_node_device_name: /dev/xvda
 idp_node_volume_type: gp2
 idp_node_volume_size: 20
 training_node_count: 2
 training_node_instance_type: t2.small
-# Most current CentOS 7 x86_64, see https://wiki.centos.org/Cloud/AWS#Finding_AMI_ids
-training_node_ami_id: ami-0a4497cbe959da512
-training_node_user: centos
-training_node_device_name: /dev/sda1
+# Most current Debian AMD x86_64, see https://wiki.debian.org/Cloud/AmazonEC2Image/
+training_node_ami_id: ami-07fd151b9eb3b7264
+training_node_user: admin
+training_node_device_name: /dev/xvda
 training_node_volume_type: gp2
 training_node_volume_size: 20
 # Docker version
-docker_ce_package_version: "5:20.10.5~3-0~debian-buster"
-docker_ce_cli_package_version: "5:20.10.5~3-0~debian-buster"
-containerd_io_package_version: "1.4.3-1"
+docker_ce_package_version: "5:20.10.8~3-0~debian-bullseye"
+docker_ce_cli_package_version: "5:20.10.8~3-0~debian-bullseye"
+containerd_io_package_version: "1.4.9-1"
diff --git a/idp_node.yml b/idp_node.yml
index 4fa0509..ec9b4f3 100644
--- a/idp_node.yml
+++ b/idp_node.yml
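Review bot: The three `# Most current Debian AMD x86_64` comments never record which Debian release `ami-07fd151b9eb3b7264` is, yet the Docker pins at the end of the same hunk (`~debian-bullseye`) only resolve on Debian 11, and an AMI id is valid in a single region (`comanage_training_region` is us-west-2), so a later "refresh to the most current AMI" can silently break the package pins. Suggest `# Debian 11 (bullseye) amd64 AMI for us-west-2; must match the ~debian-bullseye Docker pins below` in place of the URL-only comment. Since the same AMI id, `admin` user and `/dev/xvda` device are repeated verbatim for the bastion, IdP node and training nodes, one `debian_ami_id` (plus a user and device variable) referenced by the three `*_ami_id` entries would let a future refresh touch one line instead of three.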
@@ -27,7 +27,7 @@
 - name: Provision COmanage IdP node
 amazon.aws.ec2:
- key_name: AWS-Trng-1
+ key_name: "{{ training_node_ssh_key_name }}"
 group_id: "{{ idp_node_sg.group_id }}"
 instance_type: "{{ idp_node_instance_type }}"
 image: "{{ idp_node_ami_id }}"
diff --git a/roles/common/tasks/users.yml b/roles/common/tasks/users.yml
index 2526c20..18d5283 100644
--- a/roles/common/tasks/users.yml
+++ b/roles/common/tasks/users.yml
@@ -33,7 +33,7 @@
 shell: /bin/bash
 group: trainers
 append: yes
- groups: wheel
+ groups: sudo
 - name: Scott Koranda authorized ssh key
 authorized_key:
@@ -50,7 +50,7 @@
 shell: /bin/bash
 group: trainers
 append: yes
- groups: wheel
+ groups: sudo
 - name: Shayna Atkinson authorized ssh key
 authorized_key:
@@ -67,7 +67,7 @@
 shell: /bin/bash
 group: trainers
 append: yes
- groups: wheel
+ groups: sudo
 - name: Laura Paglione authorized ssh key
 authorized_key:
diff --git a/roles/idp/templates/registry-metadata.xml b/roles/idp/templates/registry-metadata.xml
index 705ab46..8352796 100644
--- a/roles/idp/templates/registry-metadata.xml
+++ b/roles/idp/templates/registry-metadata.xml
@@ -60,7 +60,7 @@ E+M/1FURO5+w6Q0wIjoraFRnfrBrIKCozNssAvbClcwHuiFuNX8hUmGBnbs7i6KX {% for myindex in range(1, lookup('vars', 'training_node_count') + 1, 1) | list %} {% endfor %}
diff --git a/roles/swarm/tasks/main.yml b/roles/swarm/tasks/main.yml
index a421dba..c071fb9 100644
--- a/roles/swarm/tasks/main.yml
+++ b/roles/swarm/tasks/main.yml
@@ -9,6 +9,11 @@
 notify:
 - reload systemd-journald
+ - name: Install gnupg2
+ apt:
+ name: gnupg2
+ update_cache: yes
+
 - name: Add Docker CE repository key
 apt_key:
 url: https://download.docker.com/linux/debian/gpg
diff --git a/roles/training/files/comanage-registry-stack.yml b/roles/training/files/comanage-registry-stack.yml
index 56bcc67..1b4d5f0 100644
--- a/roles/training/files/comanage-registry-stack.yml
+++ b/roles/training/files/comanage-registry-stack.yml
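Review bot: The new `Install gnupg2` task in roles/swarm/tasks/main.yml spells its flag as `update_cache: yes`, a YAML 1.1 truthy word that yamllint's `truthy` rule flags, and it leaves `state` to the module default; writing `state: present` and `update_cache: true` makes the intent explicit in new code. The task also does not say why it exists — presumably the `apt_key` task that follows needs a gpg binary to import the Docker repository key, which is worth a comment such as `# apt_key below needs gpg to import the Docker repository signing key` so nobody later "cleans up" the task. The same `yes` spelling sits on the `append: yes` lines beside the `groups: sudo` changes in roles/common/tasks/users.yml, but those are context lines rather than this change.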
@@ -21,7 +21,7 @@ services:
 tag: "mariadb-{{.Name}}"
 registry:
- image: i2incommon/comanage-registry:3.3.2-20210313
+ image: i2incommon/comanage-registry:3.3.4-20210712
 volumes:
 - /srv/docker/srv/comanage-registry/local:/srv/comanage-registry/local
 - /srv/docker/etc/shibboleth/shibboleth2.xml:/etc/shibboleth/shibboleth2.xml
@@ -66,7 +66,7 @@ services:
 tag: "registry_{{.Name}}"
 cron:
- image: i2incommon/comanage-registry-cron:3.3.2-20210309
+ image: i2incommon/comanage-registry-cron:3.3.4-20210712
 volumes:
 - /srv/docker/srv/comanage-registry/local:/srv/comanage-registry/local
 environment:
@@ -80,7 +80,7 @@ services:
 tag: "cron_{{.Name}}"
 ldap:
- image: sphericalcowgroup/comanage-registry-slapd:4
+ image: sphericalcowgroup/comanage-registry-slapd:5
 command: ["slapd", "-d", "256", "-h", "ldapi:/// ldap:///", "-u", "openldap", "-g", "openldap"]
 volumes:
 - /srv/docker/var/lib/ldap:/var/lib/ldap
diff --git a/roles/training/tasks/main.yml b/roles/training/tasks/main.yml
index 1054a98..9248c0e 100644
--- a/roles/training/tasks/main.yml
+++ b/roles/training/tasks/main.yml
@@ -136,7 +136,14 @@
 loop:
 - shibboleth2.xml
 - attribute-map.xml
- - idp-metadata.xml
+
+ - name: Copy Shibboleth SP metadata file
+ template:
+ src: idp-metadata.xml
+ dest: "/srv/docker/etc/shibboleth/idp-metadata.xml"
+ owner: root
+ group: root
+ mode: '0644'
 - name: Copy Apache configuration file
 template:
diff --git a/roles/training/files/idp-metadata.xml b/roles/training/templates/idp-metadata.xml
similarity index 97%
rename from roles/training/files/idp-metadata.xml
rename to roles/training/templates/idp-metadata.xml
index ac4e87d..93a60af 100644
--- a/roles/training/files/idp-metadata.xml
+++ b/roles/training/templates/idp-metadata.xml
@@ -52,7 +52,7 @@ tWc0EHubiXGtYVs77EhA7wLWh8S6rv2dHCF3PZiYmRjT
+ Location="https://login.{{ r53_dns_domain }}/idp/profile/SAML2/Redirect/SSO"/>
diff --git a/ssh_bastion.yml b/ssh_bastion.yml
index 3f41d2f..536795e 100644
--- a/ssh_bastion.yml
+++ b/ssh_bastion.yml
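Review bot: The new task name in roles/training/tasks/main.yml, `Copy Shibboleth SP metadata file`, describes the wrong thing: the file is `idp-metadata.xml`, the IdP's metadata that the SP consumes, and the task now templates rather than copies it. Suggest `- name: Template IdP metadata file for the Shibboleth SP`, and a line explaining why the file left the `copy` loop above it, `# templated rather than copied because the IdP SSO endpoint embeds r53_dns_domain`. The `owner`/`group`/`mode` values now duplicate whatever the loop task sets for the two remaining files; that task's head is outside the hunk, so confirm the two agree.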
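Review bot: In roles/training/templates/idp-metadata.xml only the Redirect SSO `Location` is templated on `r53_dns_domain`; the 97% similarity and single-line hunk suggest the rest of the file is untouched, so if the `entityID`, any other binding `Location`, or the signing certificate in this metadata still embed the previous hosted zone's hostname, the SP would be configured to trust an IdP that no longer matches the one it is sent to. The surrounding lines are outside this hunk; worth checking that every hostname in the renamed template is expressed the same way, and if the old hostname is gone, a template header comment `{# all endpoints derive from r53_dns_domain; keep in step with the IdP role #}` records the invariant.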
@@ -24,7 +24,7 @@
 # For each public subnet, build a bastion host
 - name: Provision SSH bastion hosts
 amazon.aws.ec2:
- key_name: AWS-Trng-1
+ key_name: "{{ training_node_ssh_key_name }}"
 group_id: "{{ bastion_ssh_security_group.group_id }}"
 instance_type: "{{ ssh_bastion_instance_type }}"
 image: "{{ ssh_bastion_ami_id }}"
diff --git a/training_nodes.yml b/training_nodes.yml
index b56a7fd..50e71f5 100644
--- a/training_nodes.yml
+++ b/training_nodes.yml
@@ -31,7 +31,7 @@
 - name: Provision COmanage training nodes
 ec2:
- key_name: AWS-Trng-1
+ key_name: "{{ training_node_ssh_key_name }}"
 group_id: "{{ training_node_sg.group_id }}"
 instance_type: "{{ training_node_instance_type }}"
 image: "{{ training_node_ami_id }}"
diff --git a/vpc.yml b/vpc.yml
index 39228f4..3605b28 100644
--- a/vpc.yml
+++ b/vpc.yml
@@ -71,15 +71,18 @@
 - dest: 0.0.0.0/0
 gateway_id: igw
- - name: NAT gateway for public subnet
+ - name: NAT gateway for public subnet A
 community.aws.ec2_vpc_nat_gateway:
 region: "{{ comanage_training_region }}"
 state: present
 subnet_id: "{{ item.subnet.id }}"
+ eip_address: "{{ (subnet_index == 0) | ternary( '18.236.23.61', '34.211.214.32') }}"
 if_exist_do_not_create: yes
 wait: yes
 register: nat_gateway
 loop: "{{ subnet_public.results }}"
+ loop_control:
+ index_var: subnet_index
 - name: List NAT GW information
 debug:
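Review bot: The new `eip_address` line in vpc.yml hard-codes two Elastic IPs (`'18.236.23.61'`, `'34.211.214.32'`) in the playbook through a ternary on `subnet_index`, which cuts against this commit's own move of account-specific values (`r53_hosted_zone`, `training_node_ssh_key_name`) into group_vars, and any third public subnet would silently be handed the second address again rather than failing. Suggest a list in group_vars/all.yml, e.g. `nat_gateway_eip_addresses: ["18.236.23.61", "34.211.214.32"]` (built from the values in this hunk), with `eip_address: "{{ nat_gateway_eip_addresses[subnet_index] }}"` here, so an index with no pre-allocated address errors out instead of reusing one. The renamed task, `NAT gateway for public subnet A`, still loops over every entry of `subnet_public.results`, so `NAT gateway for each public subnet` describes it accurately.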