Updates for the March 2021 training session.

Updates for the March 2021 training session.

.gitignore

@@ -2,6 +2,7 @@ AWS-Trng-1.pem
 bin
 include
 lib
+lib64
 share
 ssh_config
 ssh_mux*

README.md

@@ -64,12 +64,15 @@ To set up the environment for ansible the first time:
 ```
 git clone https://github.com/cilogon/comanage-registry-ansible.git
 cd comanage-registry-training-deployment
-virtualenv -p python3.7 ./
+python3 -m venv .
 source bin/activate
 pip install --upgrade pip
-pip install ansible==2.10.1
+pip install ansible==2.10.7
 pip install boto
 pip install boto3
+ansible-galaxy collection install amazon.aws
+ansible-galaxy collection install community.aws
+ansible-galaxy collection install community.docker
 cp /path/to/AWS-Trng-1.pem .
 ```
 
@@ -83,7 +86,7 @@ Create a file to hold the vault password, e.g.
 touch ./.vault_pass.txt
 chmod 600 ./.vault_pass.txt
 ```
-Find the vault password from and enter it into the file you just created.
+Find the vault password and enter it into the file you just created.
 
 ## Initialization Before Running Playbooks
 
@@ -112,35 +115,23 @@ Most of the configurable details, including the number of training nodes to
 deploy, are set in the file
 
 ```
-vars/global.yml
+group_vars/all.yml
 ```
 
 Review that file before running the playbook.
 
 ## Changing Training Password
 
 The password used by trainees for SSH, authenticating to the IdP,
-and for the LDAP users, needs to be set in three (3) places:
+and for configuring the COmanage LDAP Provisioner is also set in the file
+`group_vars/all.yml`.
 
-1. The file `roles/common/tasks/users.yml`. Use the `mkpasswd` Linux utility to hash the
-password:
-    ```
-    mkpasswd --method=sha-512
-    ```
+Once you have determined the password, use the following command to
+generate the encrypted version to paste into that file:
 
-1. The LDIF files `roles/idp/files/config-always-01.ldif` and
-`roles/training/files/config-always-01.ldif`. Use the `slappasswd` Linux utilty to
-hash the password and then edit the file using `ansible-vault edit`:
-
-    ```
-    /usr/sbin/slappasswd -c '$6$rounds=5000$%.86s'
-    ```
-
-1. The file `roles/training/vars/main.yml`. To encrypt the file use
-
-    ```
-    ansible-vault encrypt_string 'PASSWORD' --name olc_root_dn_password
-    ```
+```
+ansible-vault encrypt_string 'PASSWORD' --name comanage_training_password
+```
 
 ## Provision the COmanage Training Infrastructure
 
@@ -182,6 +173,15 @@ ansible-playbook \
     -e force_update_stack_file=yes
 ```
 
+To force an update of the LDIF used by training node LDAP:
+
+```
+ansible-playbook \
+    training_nodes.yml \
+    --tags update_structure_ldif_file \
+    -e force_update_structure_ldif_file=yes
+```
+
 ## SSH Access
 
 Trainers may use their provisioned SSH keys to access all nodes. Each trainer

comanage_registry_training.yml

@@ -3,12 +3,6 @@
   connection: local
   gather_facts: False
 
-  tasks:
-    - name: import global variables
-      include_vars:
-        file: "vars/global.yml"
-
-# Combine multiple playbooks
 - name: configure COmanage training VPC
   import_playbook: vpc.yml
 

group_vars/all.yml

@@ -0,0 +1,72 @@
+---
+
+# This encrypted version of the training password is created by running
+#
+# ansible-vault encrypt_string 'THE_PASSWORD' --name 'comanage_training_password'
+comanage_training_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          31636362373339666232313164373435343362373936613838393035663732623533616238373564
+          3637653337636564616131663831346531363033396266330a613162666636666235333135383631
+          64633832633837363263653462306361636338643964326531393133643063353738626165613132
+          6462336164333237340a393062353239306564303838366264636230643136393033623064343661
+          6431
+
+# It should not be necessary to change the password salt.
+comanage_training_password_salt: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          39623864653434666530376532373536616136303833383862663631333439393833656436353661
+          3765313563653037623737373563326235646439633635640a643165313437343966376661373862
+          61363564353632383964393439656565326161326338323131373464313736373761666164633837
+          3062623335653037650a383538633936386537333865306230323162656434326634323139396461
+          64663664306265623839363736343361313635313638633863363131323635333466
+
+comanage_training_region: "us-west-2"
+
+r53_hosted_zone: incommon.training
+r53_dns_domain: "comanage.{{ r53_hosted_zone }}"
+
+# The full ARN for an X.509 wildcard certificate provisioned by the
+# AWS Certificate Manager for domain *.comanage.incommong.training
+aws_cert_manager_cert_arn: "arn:aws:acm:us-west-2:626413038627:certificate/162508f9-f5e4-479d-bdb8-f614d8a7ccb0"
+
+vpc_cidr_block: 192.168.0.0/16
+
+# We need to have at least two private subnets across two availability
+# zones. The application load balancer requires it.
+vpc_availability_zone:
+    a:
+        public_subnet: 192.168.10.0/24
+        private_subnet: 192.168.110.0/24
+        bastion_ip: 192.168.10.10
+        bastion_hostname: ssh
+    b:
+        public_subnet: 192.168.11.0/24
+        private_subnet: 192.168.111.0/24
+        bastion_ip: 192.168.11.10
+        bastion_hostname: ssh-b
+
+ssh_bastion_instance_type: t2.nano
+# Most current CentOS 7 x86_64, see https://wiki.centos.org/Cloud/AWS#Finding_AMI_ids
+ssh_bastion_ami_id: ami-0a4497cbe959da512
+ssh_bastion_user: centos
+ssh_bastion_device_name: /dev/sda1
+ssh_bastion_volume_type: gp2
+ssh_bastion_volume_size: 10
+
+idp_node_instance_type: t2.small
+# Most current CentOS 7 x86_64, see https://wiki.centos.org/Cloud/AWS#Finding_AMI_ids
+idp_node_ami_id: ami-0a4497cbe959da512
+idp_node_user: centos
+idp_node_device_name: /dev/sda1
+idp_node_volume_type: gp2
+idp_node_volume_size: 20
+
+training_node_count: 2
+
+training_node_instance_type: t2.small
+# Most current CentOS 7 x86_64, see https://wiki.centos.org/Cloud/AWS#Finding_AMI_ids
+training_node_ami_id: ami-0a4497cbe959da512
+training_node_user: centos
+training_node_device_name: /dev/sda1
+training_node_volume_type: gp2
+training_node_volume_size: 20

idp_node.yml

@@ -15,7 +15,7 @@
         idp_node_rules: "{{ idp_node_rules | default([]) | union( [{ 'proto': 'tcp' , 'ports': '8080', 'cidr_ip': '192.168.0.0/16', 'rule_desc': 'web traffic port 8080'}] ) }}"
 
     - name: Security group COmanage IdP node
-      ec2_group:
+      amazon.aws.ec2_group:
         name: "comanage-idp-node"
         tags:
           Name: "comanage-idp-node"
@@ -26,7 +26,7 @@
       register: idp_node_sg
 
     - name: Provision COmanage IdP node
-      ec2:
+      amazon.aws.ec2:
         key_name: AWS-Trng-1
         group_id: "{{ idp_node_sg.group_id }}"
         instance_type: "{{ idp_node_instance_type }}"
@@ -61,7 +61,7 @@
         groups: ssh_idp_node_host
 
     - name: Create A record entry for IdP node private interface
-      route53:
+      community.aws.route53:
         state: present
         zone: "{{ r53_hosted_zone }}"
         record: "{{ idp_node.tagged_instances[0].tags.private_fqdn }}"

roles/common/tasks/users.yml

@@ -40,22 +40,22 @@
       user: skoranda
       key: "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAr9amUAycDrDj2f2kLkK6b5X5DYr+4kmRcYfjcOQG9capsUDh44E8C1KKKRtVZNCM4QAXjHHuIQhb7/YysH6XpjUypzHciDNyJ6f3H0Phrcu9X5HSXlPNuyHlq1rtxtuXnd/UPmrZlSuy1Kt4bjjk5EYI6XMXQjlZMet9mT8y0kB1NALGqfLm1LesjShEmKCqP97fj//jRakm661TDdphjKR7e/O6wB80BHZAUznd+4XqYoQ8wPMWFKk21ZtwNWEpgooPhwC956BmsGRXHzySct/LISNAwbQdNaxTKeWdLGvsD6uivBsbBe2egrkCB0UKzcyXTuQv3W4cElAzDFROEQ== skoranda@oregano.local"
 
-  - name: Paul Caskey
+  - name: Shayna Atkinson
     user:
-      name: pcaskey
-      comment: Paul Caskey
-      uid: 1011
-      home: /home/pcaskey
+      name: satkinson
+      comment: Shayna Atkinson
+      uid: 1012
+      home: /home/satkinson
       password: "*"
       shell: /bin/bash
       group: trainers
       append: yes
       groups: wheel
 
-  - name: Paul Caskey authorized ssh key
+  - name: Shayna Atkinson authorized ssh key
     authorized_key:
-      user: pcaskey
-      key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ3+4TSLAruT/RLBHL9aGTDeP4I0XxuqICWj1Ag8H+JVdwrRtW7uGFiFrTbqqfCsBKFIgl64C3ioRixzA4RW8SxeGQj33xJAR+B9EdJg1neIaCwPAdm0snv7A0sRU/0PltHInd2Dcm6EzjIfzyMMPc+t78p9kgyisIKxOTKTjT+Ucty3HoxL2g4Vs3o3T61aM+k1mBGPYIoJxpRkNKho/VviTkJiooemKl4w5sXAzxY7FNpJ18Ir/iUo4hk1Z2766EDObaM1CECSXrEAfo0LA6LbV9ns4BJ1xq9HS4DWxJ6rp1YJcsmihX6nBjnvkM4h+ihjZgxi4iYVWxmAX7OjLV"
+      user: satkinson
+      key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RfhrA38OgbAECtlav8sRSF/v61xzmfmVBRWti9YYnW+Ik0vkJgC2pwT2dVnFYn334KQan9o2y7enCOuw0N2od/gUdtHeeUzYggS5azqHRDvOH5Q5Xx73YBdt6Vf3MGOCTS1+Beroja5Ni1+wN6HLNwN4AalLMxJbLEdCjndLmaLNHPYRN8HwLch/0M8fNHr6MEMhV1wW5tRg1s1NgNGjoBJBHJ1TLWokTFgnPlTwUaEC2jt32dOfrcKVWN6H9zfROnUM0PFsIAWnwVjsUlvesTqwVCFHVj+5nCxrmqE/zSgdFKiHxPiUtNxHBlwTFgtw3390kTI7rz1/fno177Vp"
 
   - name: Training unix group
     group:
@@ -68,11 +68,7 @@
       comment: COmanage Training User
       uid: 2000
       home: /home/training
-      # The password chosen can be hashed using mkpasswd command found on most Linux deployments
-      #
-      # mkpasswd --method=sha-512
-      password: "$6$k72rMBqah9omQW$ii9NcQTJHJtlESDq1PyX0Xc7bqwcogk0qwZtDsSjKi9gLRirHvSTDOIUP.x3IuVsIp1jc2MQyjvRtSulYWDDq."
+      password: "{{ comanage_training_password | string | password_hash('sha512', comanage_training_password_salt) }}"
       shell: /bin/bash
       group: training
       append: yes
-