You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
897 lines
42 KiB
897 lines
42 KiB
#!/usr/bin/env python
|
|
# Copyright 2018-2020 Splunk
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
from __future__ import absolute_import
|
|
from __future__ import print_function
|
|
|
|
import os
|
|
import platform
|
|
import json
|
|
import argparse
|
|
import re
|
|
import random
|
|
import string
|
|
from time import sleep
|
|
try:
|
|
from urllib.parse import urlparse
|
|
except ImportError:
|
|
from urlparse import urlparse
|
|
import socket
|
|
import requests
|
|
import urllib3
|
|
import yaml
|
|
|
|
urllib3.disable_warnings()
|
|
|
|
HERE = os.path.dirname(os.path.normpath(__file__))
|
|
_PLATFORM = platform.platform().lower()
|
|
PLATFORM = "windows" if ("windows" in _PLATFORM or "cygwin" in _PLATFORM) else "linux"
|
|
HOSTNAME = os.uname()[1]
|
|
JAVA_VERSION_WHITELIST = frozenset(("oracle:8", "openjdk:8", "openjdk:9", "openjdk:11"))
|
|
|
|
roleNames = [
|
|
'splunk_cluster_master', # (if it exists, set up indexer clustering)
|
|
'splunk_deployer',
|
|
'splunk_heavy_forwarder',
|
|
'splunk_standalone',
|
|
'splunk_search_head',
|
|
'splunk_indexer',
|
|
'splunk_license_master', # (if it exists, run adding license with a license master)
|
|
'splunk_search_head_captain', # TODO: remove this as we deprecate this role
|
|
'splunk_universal_forwarder',
|
|
'splunk_deployment_server',
|
|
'splunk_monitor'
|
|
]
|
|
|
|
varPrefix = "SPLUNK_VAR_"
|
|
reVarPrefix = r"${varPrefix}(.*)"
|
|
envPrefix = "SPLUNK_ROLE_"
|
|
reNamePattern = r"${envPrefix}(.*)"
|
|
udsSocketFilename = "/opt/splunkforwarder/var/run/splunk/cli.socket"
|
|
|
|
inventory = {
|
|
"_meta": {
|
|
"hostvars": {}
|
|
},
|
|
"all": {
|
|
"hosts": [],
|
|
"children": ["ungrouped"]
|
|
},
|
|
"ungrouped": {
|
|
"hosts": []
|
|
}
|
|
}
|
|
|
|
def getVars(rePattern):
|
|
"""
|
|
Return a mapping of environment keys::values if they match a given regex
|
|
"""
|
|
return {re.match(rePattern, k).group(1).lower():os.environ[k] for k in os.environ
|
|
if re.match(rePattern, k)}
|
|
|
|
def getSplunkInventory(inventory, reName=r"(.*)_URL"):
|
|
"""
|
|
Build an inventory of hosts based on a regex that defines host-groupings
|
|
"""
|
|
group_information = getVars(reName)
|
|
for group_name in group_information:
|
|
if group_name.lower() in roleNames:
|
|
inventory[group_name] = {}
|
|
hosts = [host.strip() for host in group_information[group_name].split(',')]
|
|
inventory[group_name] = {
|
|
'hosts': list([host.split(':')[0] for host in hosts])
|
|
}
|
|
inventory["all"]["vars"] = getDefaultVars()
|
|
inventory["all"]["vars"]["docker"] = False
|
|
|
|
if inventory["all"]["vars"]["splunk"]["splunk_http_enabled"] == "true":
|
|
if not os.path.exists(udsSocketFilename) or os.stat(udsSocketFilename).st_size == 0:
|
|
inventory["all"]["vars"]["splunk"]["splunk_http_enabled"] = "false"
|
|
|
|
if os.path.isfile("/.dockerenv") or os.path.isfile("/run/.containerenv") or os.path.isdir("/var/run/secrets/kubernetes.io") or os.environ.get("KUBERNETES_SERVICE_HOST"):
|
|
inventory["all"]["vars"]["docker"] = True
|
|
if "localhost" not in inventory["all"]["children"]:
|
|
inventory["all"]["hosts"].append("localhost")
|
|
inventory["_meta"]["hostvars"]["localhost"] = inventory["all"]["vars"]
|
|
inventory["_meta"]["hostvars"]["localhost"]["ansible_connection"] = "local"
|
|
|
|
def getDefaultVars():
|
|
"""
|
|
Load all splunk-ansible defaults and perform overwrites based on
|
|
environment variables to return a consolidated inventory object
|
|
"""
|
|
defaultVars = loadDefaults()
|
|
defaultVars["splunk"]["role"] = os.environ.get('SPLUNK_ROLE', defaultVars["splunk"].get("role") or "splunk_standalone")
|
|
overrideEnvironmentVars(defaultVars)
|
|
getAnsibleContext(defaultVars)
|
|
getASan(defaultVars)
|
|
getDisablePopups(defaultVars)
|
|
getHEC(defaultVars)
|
|
getSecrets(defaultVars)
|
|
getSplunkPaths(defaultVars)
|
|
getIndexerClustering(defaultVars)
|
|
getSearchHeadClustering(defaultVars)
|
|
# getMultisite() must be called after getIndexerClustering() + getSearchHeadClustering()
|
|
# in order to rectify multisite replication and search factors
|
|
getMultisite(defaultVars)
|
|
getSplunkWebSSL(defaultVars)
|
|
getSplunkdSSL(defaultVars)
|
|
getDistributedTopology(defaultVars)
|
|
getLicenses(defaultVars)
|
|
# Determine DMC settings
|
|
defaultVars["dmc_forwarder_monitoring"] = os.environ.get('DMC_FORWARDER_MONITORING', False)
|
|
defaultVars["dmc_asset_interval"] = os.environ.get('DMC_ASSET_INTERVAL', '3,18,33,48 * * * *')
|
|
# Determine SPLUNK_HOME owner
|
|
defaultVars["splunk_home_ownership_enforcement"] = True
|
|
if os.environ.get("SPLUNK_HOME_OWNERSHIP_ENFORCEMENT", "").lower() == "false":
|
|
defaultVars["splunk_home_ownership_enforcement"] = False
|
|
# Determine password visibility
|
|
if os.environ.get("HIDE_PASSWORD", "").lower() == "true":
|
|
defaultVars["hide_password"] = True
|
|
# Determine SHC preferred captaincy
|
|
defaultVars["splunk"]["preferred_captaincy"] = True
|
|
if os.environ.get("SPLUNK_PREFERRED_CAPTAINCY", "").lower() == "false":
|
|
defaultVars["splunk"]["preferred_captaincy"] = False
|
|
defaultVars["splunk"]["hostname"] = os.environ.get('SPLUNK_HOSTNAME', socket.getfqdn())
|
|
|
|
getJava(defaultVars)
|
|
getSplunkBuild(defaultVars)
|
|
getSplunkbaseToken(defaultVars)
|
|
getSplunkBuildAuth(defaultVars)
|
|
getSplunkApps(defaultVars)
|
|
getSplunkAppsLocal(defaultVars)
|
|
getLaunchConf(defaultVars)
|
|
getDFS(defaultVars)
|
|
getUFSplunkVariables(defaultVars)
|
|
getESSplunkVariables(defaultVars)
|
|
getDSP(defaultVars)
|
|
return defaultVars
|
|
|
|
def getSplunkPaths(vars_scope):
|
|
"""
|
|
Normalize the paths used by Splunk for downstream plays
|
|
"""
|
|
# TODO: Handle changes to SPLUNK_HOME that impact other paths (ex splunk.app_paths.*)
|
|
splunk_vars = vars_scope["splunk"]
|
|
splunk_vars["opt"] = os.environ.get("SPLUNK_OPT", splunk_vars.get("opt"))
|
|
splunk_vars["home"] = os.environ.get("SPLUNK_HOME", splunk_vars.get("home"))
|
|
# Not sure if we should expose this - exec is fixed relative to SPLUNK_HOME
|
|
splunk_vars["exec"] = os.environ.get("SPLUNK_EXEC", splunk_vars.get("exec"))
|
|
# Not sure if we should expose this - pid is fixed relative to SPLUNK_HOME
|
|
splunk_vars["pid"] = os.environ.get("SPLUNK_PID", splunk_vars.get("pid"))
|
|
|
|
def getIndexerClustering(vars_scope):
|
|
"""
|
|
Parse and set parameters to configure indexer clustering
|
|
"""
|
|
if "idxc" not in vars_scope["splunk"]:
|
|
vars_scope["splunk"]["idxc"] = {}
|
|
idxc_vars = vars_scope["splunk"]["idxc"]
|
|
idxc_vars["label"] = os.environ.get("SPLUNK_IDXC_LABEL", idxc_vars.get("label"))
|
|
idxc_vars["secret"] = os.environ.get("SPLUNK_IDXC_SECRET", idxc_vars.get("secret"))
|
|
idxc_vars["pass4SymmKey"] = os.environ.get("SPLUNK_IDXC_PASS4SYMMKEY", idxc_vars.get("pass4SymmKey")) # Control flow for issue #316 backwards-compatibility
|
|
if idxc_vars["pass4SymmKey"]:
|
|
idxc_vars["secret"] = idxc_vars["pass4SymmKey"]
|
|
else:
|
|
idxc_vars["secret"] = os.environ.get("SPLUNK_IDXC_SECRET", idxc_vars.get("secret"))
|
|
idxc_vars["pass4SymmKey"] = idxc_vars["secret"]
|
|
# Support separate pass4SymmKey for indexer discovery
|
|
idxc_vars["discoveryPass4SymmKey"] = os.environ.get("SPLUNK_IDXC_DISCOVERYPASS4SYMMKEY", idxc_vars.get("discoveryPass4SymmKey"))
|
|
if not idxc_vars["discoveryPass4SymmKey"]:
|
|
idxc_vars["discoveryPass4SymmKey"] = idxc_vars["pass4SymmKey"]
|
|
# Rectify replication factor (https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Thereplicationfactor)
|
|
# Make sure default repl/search factor>0 else Splunk doesn't start unless user-defined
|
|
if inventory.get("splunk_indexer"):
|
|
# If there are indexers, we need to make sure the replication factor is <= number of indexers
|
|
indexer_count = len(inventory["splunk_indexer"].get("hosts", []))
|
|
else:
|
|
# Only occurs during create-defaults generation or topologies without indexers
|
|
indexer_count = idxc_vars.get("replication_factor", 1)
|
|
replf = os.environ.get("SPLUNK_IDXC_REPLICATION_FACTOR", idxc_vars.get("replication_factor", 1))
|
|
idxc_vars["replication_factor"] = min(indexer_count, int(replf))
|
|
# Rectify search factor (https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Thesearchfactor)
|
|
searchf = os.environ.get("SPLUNK_IDXC_SEARCH_FACTOR", idxc_vars.get("search_factor", 1))
|
|
idxc_vars["search_factor"] = min(idxc_vars["replication_factor"], int(searchf))
|
|
|
|
def getSearchHeadClustering(vars_scope):
|
|
"""
|
|
Parse and set parameters to configure search head clustering
|
|
"""
|
|
if "shc" not in vars_scope["splunk"]:
|
|
vars_scope["splunk"]["shc"] = {}
|
|
shc_vars = vars_scope["splunk"]["shc"]
|
|
shc_vars["label"] = os.environ.get("SPLUNK_SHC_LABEL", shc_vars.get("label"))
|
|
shc_vars["pass4SymmKey"] = os.environ.get("SPLUNK_SHC_PASS4SYMMKEY", shc_vars.get("pass4SymmKey")) # Control flow for issue #316 backwards-compatibility
|
|
if shc_vars["pass4SymmKey"]:
|
|
shc_vars["secret"] = shc_vars["pass4SymmKey"]
|
|
else:
|
|
shc_vars["secret"] = os.environ.get("SPLUNK_SHC_SECRET", shc_vars.get("secret"))
|
|
shc_vars["pass4SymmKey"] = shc_vars["secret"]
|
|
# Rectify search factor (https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Thesearchfactor)
|
|
# Make sure default repl factor>0 else Splunk doesn't start unless user-defined
|
|
if inventory.get("splunk_search_head"):
|
|
# If there are indexers, we need to make sure the replication factor is <= number of search heads
|
|
shcount = len(inventory["splunk_search_head"].get("hosts", []))
|
|
else:
|
|
# Only occurs during create-defaults generation or topologies without search heads
|
|
shcount = shc_vars.get("replication_factor", 1)
|
|
replf = os.environ.get("SPLUNK_SHC_REPLICATION_FACTOR", shc_vars.get("replication_factor", 1))
|
|
shc_vars["replication_factor"] = min(shcount, int(replf))
|
|
|
|
def getMultisite(vars_scope):
|
|
"""
|
|
Parse and set parameters to configure multisite
|
|
"""
|
|
splunk_vars = vars_scope["splunk"]
|
|
if "SPLUNK_SITE" in os.environ or splunk_vars.get("site"):
|
|
splunk_vars["site"] = os.environ.get("SPLUNK_SITE", splunk_vars.get("site"))
|
|
|
|
all_sites = os.environ.get("SPLUNK_ALL_SITES", splunk_vars.get("all_sites"))
|
|
if all_sites:
|
|
splunk_vars["all_sites"] = all_sites
|
|
|
|
multisite_master = os.environ.get("SPLUNK_MULTISITE_MASTER", splunk_vars.get("multisite_master"))
|
|
if multisite_master:
|
|
splunk_vars["multisite_master"] = multisite_master
|
|
# TODO: Split this into its own splunk.multisite.* section
|
|
splunk_vars["multisite_master_port"] = int(os.environ.get("SPLUNK_MULTISITE_MASTER_PORT", splunk_vars.get("multisite_master_port", 8089)))
|
|
splunk_vars["multisite_replication_factor_origin"] = int(os.environ.get("SPLUNK_MULTISITE_REPLICATION_FACTOR_ORIGIN", splunk_vars.get("multisite_replication_factor_origin", 1)))
|
|
splunk_vars["multisite_replication_factor_total"] = int(os.environ.get("SPLUNK_MULTISITE_REPLICATION_FACTOR_TOTAL", splunk_vars.get("multisite_replication_factor_total", 1)))
|
|
splunk_vars["multisite_replication_factor_total"] = max(splunk_vars["multisite_replication_factor_total"], splunk_vars["idxc"]["replication_factor"])
|
|
splunk_vars["multisite_search_factor_origin"] = int(os.environ.get("SPLUNK_MULTISITE_SEARCH_FACTOR_ORIGIN", splunk_vars.get("multisite_search_factor_origin", 1)))
|
|
splunk_vars["multisite_search_factor_total"] = int(os.environ.get("SPLUNK_MULTISITE_SEARCH_FACTOR_TOTAL", splunk_vars.get("multisite_search_factor_total", 1)))
|
|
splunk_vars["multisite_search_factor_total"] = max(splunk_vars["multisite_search_factor_total"], splunk_vars["idxc"]["search_factor"])
|
|
|
|
def getSplunkWebSSL(vars_scope):
|
|
"""
|
|
Parse and set parameters to define Splunk Web accessibility
|
|
"""
|
|
# TODO: Split this into its own splunk.http.* section
|
|
splunk_vars = vars_scope["splunk"]
|
|
splunk_vars["http_enableSSL"] = os.environ.get('SPLUNK_HTTP_ENABLESSL', splunk_vars.get("http_enableSSL"))
|
|
splunk_vars["http_enableSSL_cert"] = os.environ.get('SPLUNK_HTTP_ENABLESSL_CERT', splunk_vars.get("http_enableSSL_cert"))
|
|
splunk_vars["http_enableSSL_privKey"] = os.environ.get('SPLUNK_HTTP_ENABLESSL_PRIVKEY', splunk_vars.get("http_enableSSL_privKey"))
|
|
splunk_vars["http_enableSSL_privKey_password"] = os.environ.get('SPLUNK_HTTP_ENABLESSL_PRIVKEY_PASSWORD', splunk_vars.get("http_enableSSL_privKey_password"))
|
|
splunk_vars["http_port"] = int(os.environ.get('SPLUNK_HTTP_PORT', splunk_vars.get("http_port")))
|
|
|
|
def getSplunkdSSL(vars_scope):
|
|
"""
|
|
Parse and set parameters to define Splunkd
|
|
"""
|
|
if "ssl" not in vars_scope["splunk"]:
|
|
vars_scope["splunk"]["ssl"] = {}
|
|
ssl_vars = vars_scope["splunk"]["ssl"]
|
|
ssl_vars["cert"] = os.environ.get("SPLUNKD_SSL_CERT", ssl_vars.get("cert"))
|
|
ssl_vars["ca"] = os.environ.get("SPLUNKD_SSL_CA", ssl_vars.get("ca"))
|
|
ssl_vars["password"] = os.environ.get("SPLUNKD_SSL_PASSWORD", ssl_vars.get("password"))
|
|
ssl_vars["enable"] = ssl_vars.get("enable", True)
|
|
enable = os.environ.get("SPLUNKD_SSL_ENABLE", "")
|
|
if enable.lower() == "false":
|
|
ssl_vars["enable"] = False
|
|
vars_scope["cert_prefix"] = "http"
|
|
|
|
|
|
def getDistributedTopology(vars_scope):
|
|
"""
|
|
Parse and set parameters to define topology if this is a distributed environment
|
|
"""
|
|
license_master_url = os.environ.get("SPLUNK_LICENSE_MASTER_URL", vars_scope["splunk"].get("license_master_url", ""))
|
|
vars_scope["splunk"]["license_master_url"] = parseUrl(license_master_url, vars_scope)
|
|
vars_scope["splunk"]["deployer_url"] = os.environ.get("SPLUNK_DEPLOYER_URL", vars_scope["splunk"].get("deployer_url", ""))
|
|
vars_scope["splunk"]["cluster_master_url"] = os.environ.get("SPLUNK_CLUSTER_MASTER_URL", vars_scope["splunk"].get("cluster_master_url", ""))
|
|
vars_scope["splunk"]["search_head_captain_url"] = os.environ.get("SPLUNK_SEARCH_HEAD_CAPTAIN_URL", vars_scope["splunk"].get("search_head_captain_url", ""))
|
|
if not vars_scope["splunk"]["search_head_captain_url"] and "search_head_cluster_url" in vars_scope["splunk"]:
|
|
vars_scope["splunk"]["search_head_captain_url"] = vars_scope["splunk"]["search_head_cluster_url"]
|
|
|
|
def getLicenses(vars_scope):
|
|
"""
|
|
Determine the location of Splunk licenses to install at start-up time
|
|
"""
|
|
# Need to provide some file value (does not have to exist). The task will automatically skip over if the file is not found. Otherwise, will throw an error if no file is specified.
|
|
vars_scope["splunk"]["license_uri"] = os.environ.get("SPLUNK_LICENSE_URI", vars_scope["splunk"].get("license_uri") or "splunk.lic")
|
|
vars_scope["splunk"]["wildcard_license"] = False
|
|
if vars_scope["splunk"]["license_uri"] and '*' in vars_scope["splunk"]["license_uri"]:
|
|
vars_scope["splunk"]["wildcard_license"] = True
|
|
vars_scope["splunk"]["ignore_license"] = False
|
|
if os.environ.get("SPLUNK_IGNORE_LICENSE", "").lower() == "true":
|
|
vars_scope["splunk"]["ignore_license"] = True
|
|
vars_scope["splunk"]["license_download_dest"] = os.environ.get("SPLUNK_LICENSE_INSTALL_PATH", vars_scope["splunk"].get("license_download_dest") or "/tmp/splunk.lic")
|
|
|
|
def getJava(vars_scope):
|
|
"""
|
|
Parse and set Java installation parameters
|
|
"""
|
|
vars_scope["java_version"] = vars_scope.get("java_version")
|
|
vars_scope["java_download_url"] = vars_scope.get("java_download_url")
|
|
vars_scope["java_update_version"] = vars_scope.get("java_update_version")
|
|
java_version = os.environ.get("JAVA_VERSION")
|
|
if not java_version:
|
|
return
|
|
java_version = java_version.lower()
|
|
if java_version not in JAVA_VERSION_WHITELIST:
|
|
raise Exception("Invalid Java version supplied, supported versions are: {}".format(JAVA_VERSION_WHITELIST))
|
|
vars_scope["java_version"] = java_version
|
|
# TODO: We can probably DRY this up
|
|
if java_version == "oracle:8":
|
|
vars_scope["java_download_url"] = os.environ.get("JAVA_DOWNLOAD_URL", "https://download.oracle.com/otn-pub/java/jdk/8u141-b15/336fa29ff2bb4ef291e347e091f7f4a7/jdk-8u141-linux-x64.tar.gz")
|
|
try:
|
|
vars_scope["java_update_version"] = re.search(r"jdk-8u(\d+)-linux-x64.tar.gz", vars_scope["java_download_url"]).group(1)
|
|
except:
|
|
raise Exception("Invalid Java download URL format")
|
|
elif java_version == "openjdk:11":
|
|
vars_scope["java_download_url"] = os.environ.get("JAVA_DOWNLOAD_URL", "https://download.java.net/java/GA/jdk11/9/GPL/openjdk-11.0.2_linux-x64_bin.tar.gz")
|
|
try:
|
|
vars_scope["java_update_version"] = re.search(r"openjdk-(\d+\.\d+\.\d+)_linux-x64_bin.tar.gz", vars_scope["java_download_url"]).group(1)
|
|
except:
|
|
raise Exception("Invalid Java download URL format")
|
|
|
|
def getSplunkBuild(vars_scope):
|
|
"""
|
|
Determine the location of the Splunk build
|
|
"""
|
|
vars_scope["splunk"]["build_url_bearer_token"] = os.environ.get("SPLUNK_BUILD_URL_BEARER_TOKEN", vars_scope["splunk"].get("build_url_bearer_token"))
|
|
vars_scope["splunk"]["build_location"] = os.environ.get("SPLUNK_BUILD_URL", vars_scope["splunk"].get("build_location"))
|
|
|
|
def getSplunkbaseToken(vars_scope):
|
|
"""
|
|
Authenticate to SplunkBase and modify the variable scope in-place to utilize temporary session token
|
|
"""
|
|
vars_scope["splunkbase_token"] = None
|
|
vars_scope["splunkbase_username"] = os.environ.get("SPLUNKBASE_USERNAME", vars_scope.get("splunkbase_username"))
|
|
vars_scope["splunkbase_password"] = os.environ.get("SPLUNKBASE_PASSWORD", vars_scope.get("splunkbase_password"))
|
|
if vars_scope["splunkbase_username"] and vars_scope["splunkbase_password"]:
|
|
resp = requests.post("https://splunkbase.splunk.com/api/account:login/",
|
|
data={"username": vars_scope["splunkbase_username"], "password": vars_scope["splunkbase_password"]})
|
|
if resp.status_code != 200:
|
|
raise Exception("Invalid Splunkbase credentials - will not download apps from Splunkbase")
|
|
output = resp.content
|
|
if isinstance(output, bytes):
|
|
output = output.decode("utf-8", "ignore")
|
|
splunkbase_token = re.search("<id>(.*)</id>", output, re.IGNORECASE)
|
|
vars_scope["splunkbase_token"] = splunkbase_token.group(1) if splunkbase_token else None
|
|
|
|
def getSplunkBuildAuth(vars_scope):
|
|
"""
|
|
Load username and password to be used in basic auth when fetching splunk build or apps
|
|
"""
|
|
vars_scope["splunk"]["artifact_auth_user"] = os.environ.get("ARTIFACTORY_USER", vars_scope["splunk"].get("artifact_auth_user"))
|
|
vars_scope["splunk"]["artifact_auth_pass"] = os.environ.get("ARTIFACTORY_TOKEN", vars_scope["splunk"].get("artifact_auth_pass"))
|
|
|
|
def getSplunkApps(vars_scope):
|
|
"""
|
|
Determine the set of Splunk apps to install as union of defaults.yml and environment variables
|
|
"""
|
|
appList = []
|
|
if not "apps_location" in vars_scope["splunk"]:
|
|
vars_scope["splunk"]["apps_location"] = []
|
|
# From default.yml
|
|
elif type(vars_scope["splunk"]["apps_location"]) == str:
|
|
appList = vars_scope["splunk"]["apps_location"].split(",")
|
|
elif type(vars_scope["splunk"]["apps_location"]) == list:
|
|
appList = vars_scope["splunk"]["apps_location"]
|
|
# From environment variables
|
|
apps = os.environ.get("SPLUNK_APPS_URL")
|
|
if apps:
|
|
apps = apps.split(",")
|
|
for app in apps:
|
|
if app not in appList:
|
|
appList.append(app)
|
|
vars_scope["splunk"]["apps_location"] = appList
|
|
|
|
def getSplunkAppsLocal(vars_scope):
|
|
"""
|
|
Determine the set of Splunk apps to install locally only as union of defaults.yml and environment variables
|
|
"""
|
|
# Check if theres a local apps list for CM/Deployer roles
|
|
appListLocal = []
|
|
if not "apps_location_local" in vars_scope["splunk"]:
|
|
vars_scope["splunk"]["apps_location_local"] = []
|
|
# From default.yml
|
|
elif type(vars_scope["splunk"]["apps_location_local"]) == str:
|
|
appListLocal = vars_scope["splunk"]["apps_location_local"].split(",")
|
|
elif type(vars_scope["splunk"]["apps_location_local"]) == list:
|
|
appListLocal = vars_scope["splunk"]["apps_location_local"]
|
|
# From environment variables
|
|
apps = os.environ.get("SPLUNK_APPS_URL_LOCAL")
|
|
if apps:
|
|
apps = apps.split(",")
|
|
for app in apps:
|
|
if app not in appListLocal:
|
|
appListLocal.append(app)
|
|
vars_scope["splunk"]["apps_location_local"] = appListLocal
|
|
|
|
def getSplunkAppPathInstall(vars_scope):
|
|
"""
|
|
Determine the set of Splunk apps to install at which location as a
|
|
union of defaults.yml. The actual path to install to is determined by
|
|
the splunk.app_paths.* variable
|
|
"""
|
|
appPaths = ["shc", "idxc", "default", "deployment"]
|
|
if not "app_paths_install" in vars_scope["splunk"]:
|
|
vars_scope["splunk"]["app_paths_install"] = {}
|
|
for path in appPaths:
|
|
vars_scope["splunk"]["app_paths_install"][path] = []
|
|
else:
|
|
for path in appPaths:
|
|
appList = []
|
|
if path in vars_scope["splunk"]["app_paths_install"]:
|
|
# From default.yml
|
|
if type(vars_scope["splunk"]["app_paths_install"][path]) == str:
|
|
appList = vars_scope["splunk"]["app_paths_install"][path].split(",")
|
|
elif type(vars_scope["splunk"]["app_paths_install"][path]) == list:
|
|
appList = vars_scope["splunk"]["app_paths_install"][path]
|
|
|
|
vars_scope["splunk"]["app_paths_install"][path] = appList
|
|
|
|
def getSecrets(vars_scope):
|
|
"""
|
|
Parse sensitive passphrases
|
|
"""
|
|
vars_scope["splunk"]["password"] = os.environ.get("SPLUNK_PASSWORD", vars_scope["splunk"].get("password"))
|
|
if not vars_scope["splunk"]["password"]:
|
|
raise Exception("Splunk password must be supplied!")
|
|
if os.path.isfile(vars_scope["splunk"]["password"]):
|
|
with open(vars_scope["splunk"]["password"], "r") as f:
|
|
vars_scope["splunk"]["password"] = f.read().strip()
|
|
if not vars_scope["splunk"]["password"]:
|
|
raise Exception("Splunk password supplied is empty/null")
|
|
dpw = os.environ.get("SPLUNK_DECLARATIVE_ADMIN_PASSWORD", "")
|
|
if dpw.lower() == "true":
|
|
vars_scope["splunk"]["declarative_admin_password"] = True
|
|
else:
|
|
vars_scope["splunk"]["declarative_admin_password"] = bool(vars_scope["splunk"].get("declarative_admin_password"))
|
|
vars_scope["splunk"]["pass4SymmKey"] = os.environ.get('SPLUNK_PASS4SYMMKEY', vars_scope["splunk"].get("pass4SymmKey"))
|
|
vars_scope["splunk"]["secret"] = os.environ.get('SPLUNK_SECRET', vars_scope["splunk"].get("secret"))
|
|
|
|
def getLaunchConf(vars_scope):
|
|
"""
|
|
Parse key/value pairs to set in splunk-launch.conf
|
|
"""
|
|
launch = {}
|
|
if not "launch" in vars_scope["splunk"]:
|
|
vars_scope["splunk"]["launch"] = {}
|
|
# From default.yml
|
|
if type(vars_scope["splunk"]["launch"]) == dict:
|
|
launch.update(vars_scope["splunk"]["launch"])
|
|
# From environment variables
|
|
settings = os.environ.get("SPLUNK_LAUNCH_CONF")
|
|
if settings:
|
|
launch.update({k:v for k,v in [x.split("=", 1) for x in settings.split(",")]})
|
|
vars_scope["splunk"]["launch"] = launch
|
|
|
|
def ensureListValue(value, separator):
|
|
if isinstance(value, list):
|
|
return value
|
|
elif (not value) or (not value.strip()):
|
|
return []
|
|
else:
|
|
return splitAndStrip(value, separator)
|
|
|
|
def splitAndStrip(value, separator):
|
|
if not value:
|
|
return []
|
|
return [x.strip() for x in value.split(separator)]
|
|
|
|
def transformEnvironmentVariable(environmentVariableName, transform, default):
|
|
if environmentVariableName in os.environ:
|
|
return transform(os.environ.get(environmentVariableName))
|
|
else:
|
|
return default
|
|
|
|
def getAnsibleContext(vars_scope):
|
|
"""
|
|
Parse parameters that influence Ansible execution
|
|
"""
|
|
stringSeparator = ","
|
|
vars_scope["ansible_pre_tasks"] = transformEnvironmentVariable("SPLUNK_ANSIBLE_PRE_TASKS", lambda v: splitAndStrip(v, stringSeparator), ensureListValue(vars_scope.get("ansible_pre_tasks"), stringSeparator))
|
|
vars_scope["ansible_post_tasks"] = transformEnvironmentVariable("SPLUNK_ANSIBLE_POST_TASKS", lambda v: splitAndStrip(v, stringSeparator), ensureListValue(vars_scope.get("ansible_post_tasks"), stringSeparator))
|
|
vars_scope["ansible_environment"] = vars_scope.get("ansible_environment") or {}
|
|
env = os.environ.get("SPLUNK_ANSIBLE_ENV")
|
|
if env:
|
|
vars_scope["ansible_environment"].update({k:v for k,v in [x.split("=", 1) for x in env.split(",")]})
|
|
|
|
def getASan(vars_scope):
|
|
"""
|
|
Enable ASan debug builds
|
|
"""
|
|
vars_scope["splunk"]["asan"] = bool(os.environ.get("SPLUNK_ENABLE_ASAN", vars_scope["splunk"].get("asan")))
|
|
if vars_scope["splunk"]["asan"]:
|
|
vars_scope["ansible_environment"].update({"ASAN_OPTIONS": "detect_leaks=0"})
|
|
|
|
def getDisablePopups(vars_scope):
|
|
"""
|
|
Configure pop-up settings
|
|
"""
|
|
vars_scope["splunk"]["disable_popups"] = bool(vars_scope["splunk"].get("disable_popups"))
|
|
popups_disabled = os.environ.get("SPLUNK_DISABLE_POPUPS", "")
|
|
if popups_disabled.lower() == "true":
|
|
vars_scope["splunk"]["disable_popups"] = True
|
|
elif popups_disabled.lower() == "false":
|
|
vars_scope["splunk"]["disable_popups"] = False
|
|
|
|
def getHEC(vars_scope):
|
|
"""
|
|
Configure HEC settings
|
|
"""
|
|
if not "hec" in vars_scope["splunk"]:
|
|
vars_scope["splunk"]["hec"] = {}
|
|
vars_scope["splunk"]["hec"]["token"] = os.environ.get("SPLUNK_HEC_TOKEN", vars_scope["splunk"]["hec"].get("token"))
|
|
vars_scope["splunk"]["hec"]["port"] = int(os.environ.get("SPLUNK_HEC_PORT", vars_scope["splunk"]["hec"].get("port")))
|
|
ssl = os.environ.get("SPLUNK_HEC_SSL", "")
|
|
if ssl.lower() == "false":
|
|
vars_scope["splunk"]["hec"]["ssl"] = False
|
|
else:
|
|
vars_scope["splunk"]["hec"]["ssl"] = bool(vars_scope["splunk"]["hec"].get("ssl"))
|
|
|
|
def getDSP(vars_scope):
|
|
"""
|
|
Configure DSP settings
|
|
"""
|
|
if not "dsp" in vars_scope["splunk"]:
|
|
vars_scope["splunk"]["dsp"] = {}
|
|
vars_scope["splunk"]["dsp"]["server"] = os.environ.get("SPLUNK_DSP_SERVER", vars_scope["splunk"]["dsp"].get("server"))
|
|
vars_scope["splunk"]["dsp"]["cert"] = os.environ.get("SPLUNK_DSP_CERT", vars_scope["splunk"]["dsp"].get("cert"))
|
|
vars_scope["splunk"]["dsp"]["verify"] = bool(vars_scope["splunk"]["dsp"].get("verify"))
|
|
verify = os.environ.get("SPLUNK_DSP_VERIFY", "")
|
|
if verify.lower() == "true":
|
|
vars_scope["splunk"]["dsp"]["verify"] = True
|
|
vars_scope["splunk"]["dsp"]["enable"] = bool(vars_scope["splunk"]["dsp"].get("enable"))
|
|
enable = os.environ.get("SPLUNK_DSP_ENABLE", "")
|
|
if enable.lower() == "true":
|
|
vars_scope["splunk"]["dsp"]["enable"] = True
|
|
vars_scope["splunk"]["dsp"]["pipeline_name"] = os.environ.get("SPLUNK_DSP_PIPELINE_NAME", vars_scope["splunk"]["dsp"].get("pipeline_name"))
|
|
vars_scope["splunk"]["dsp"]["pipeline_desc"] = os.environ.get("SPLUNK_DSP_PIPELINE_DESC", vars_scope["splunk"]["dsp"].get("pipeline_desc"))
|
|
vars_scope["splunk"]["dsp"]["pipeline_spec"] = os.environ.get("SPLUNK_DSP_PIPELINE_SPEC", vars_scope["splunk"]["dsp"].get("pipeline_spec"))
|
|
|
|
def getESSplunkVariables(vars_scope):
|
|
"""
|
|
Get any special Enterprise Security configuration variables
|
|
"""
|
|
ssl_enablement_env = os.environ.get("SPLUNK_ES_SSL_ENABLEMENT")
|
|
if not ssl_enablement_env and (not "es" in vars_scope["splunk"] or not "ssl_enablement" in vars_scope["splunk"]["es"]):
|
|
# This feature is only for specific versions of ES.
|
|
# if it is missing, don't pass any value in.
|
|
vars_scope["es_ssl_enablement"] = ""
|
|
else:
|
|
# Use the environment variable unless the ssl enablement value is present
|
|
ssl_enablement = ssl_enablement_env or vars_scope["splunk"]["es"]["ssl_enablement"]
|
|
# Build the flag in it's entirety here
|
|
if ssl_enablement not in ["auto", "strict", "ignore"]:
|
|
raise Exception("Invalid ssl_enablement flag {0}".format(ssl_enablement))
|
|
vars_scope["es_ssl_enablement"] = "--ssl_enablement {0}".format(ssl_enablement)
|
|
|
|
def overrideEnvironmentVars(vars_scope):
|
|
vars_scope["splunk"]["user"] = os.environ.get("SPLUNK_USER", vars_scope["splunk"]["user"])
|
|
vars_scope["splunk"]["group"] = os.environ.get("SPLUNK_GROUP", vars_scope["splunk"]["group"])
|
|
vars_scope["cert_prefix"] = os.environ.get("SPLUNK_CERT_PREFIX", vars_scope.get("cert_prefix", "https"))
|
|
vars_scope["splunk"]["root_endpoint"] = os.environ.get('SPLUNK_ROOT_ENDPOINT', vars_scope["splunk"]["root_endpoint"])
|
|
vars_scope["splunk"]["svc_port"] = os.environ.get('SPLUNK_SVC_PORT', vars_scope["splunk"]["svc_port"])
|
|
vars_scope["splunk"]["splunk_http_enabled"] = os.environ.get('ENABLE_TCP_MODE', vars_scope["splunk"]["enable_tcp_mode"])
|
|
vars_scope["splunk"]["s2s"]["port"] = int(os.environ.get('SPLUNK_S2S_PORT', vars_scope["splunk"]["s2s"]["port"]))
|
|
vars_scope["splunk"]["enable_service"] = os.environ.get('SPLUNK_ENABLE_SERVICE', vars_scope["splunk"]["enable_service"])
|
|
vars_scope["splunk"]["service_name"] = os.environ.get('SPLUNK_SERVICE_NAME', vars_scope["splunk"]["service_name"])
|
|
vars_scope["splunk"]["allow_upgrade"] = os.environ.get('SPLUNK_ALLOW_UPGRADE', vars_scope["splunk"]["allow_upgrade"])
|
|
vars_scope["splunk"]["appserver"]["port"] = os.environ.get('SPLUNK_APPSERVER_PORT', vars_scope["splunk"]["appserver"]["port"])
|
|
vars_scope["splunk"]["kvstore"]["port"] = os.environ.get('SPLUNK_KVSTORE_PORT', vars_scope["splunk"]["kvstore"]["port"])
|
|
vars_scope["splunk"]["connection_timeout"] = int(os.environ.get('SPLUNK_CONNECTION_TIMEOUT', vars_scope["splunk"]["connection_timeout"]))
|
|
|
|
if vars_scope["splunk"]["splunk_http_enabled"] == "false" and "forwarder" not in vars_scope["splunk"]["role"].lower():
|
|
vars_scope["splunk"]["splunk_http_enabled"] = "true"
|
|
# Set set_search_peers to False to disable peering to indexers when creating multisite topology
|
|
if os.environ.get("SPLUNK_SET_SEARCH_PEERS", "").lower() == "false":
|
|
vars_scope["splunk"]["set_search_peers"] = False
|
|
|
|
def getDFS(vars_scope):
|
|
"""
|
|
Parse and set parameters to configure Data Fabric Search
|
|
"""
|
|
if "dfs" not in vars_scope["splunk"]:
|
|
vars_scope["splunk"]["dfs"] = {}
|
|
dfs_vars = vars_scope["splunk"]["dfs"]
|
|
dfs_vars["enable"] = bool(os.environ.get("SPLUNK_ENABLE_DFS", dfs_vars.get("enable")))
|
|
dfs_vars["dfw_num_slots"] = int(os.environ.get("SPLUNK_DFW_NUM_SLOTS", dfs_vars.get("dfw_num_slots", 10)))
|
|
dfs_vars["dfc_num_slots"] = int(os.environ.get("SPLUNK_DFC_NUM_SLOTS", dfs_vars.get("dfc_num_slots", 4)))
|
|
dfs_vars["dfw_num_slots_enabled"] = bool(os.environ.get('SPLUNK_DFW_NUM_SLOTS_ENABLED', dfs_vars.get("dfw_num_slots_enabled")))
|
|
dfs_vars["spark_master_host"] = os.environ.get("SPARK_MASTER_HOST", dfs_vars.get("spark_master_host", "127.0.0.1"))
|
|
dfs_vars["spark_master_webui_port"] = int(os.environ.get("SPARK_MASTER_WEBUI_PORT", dfs_vars.get("spark_master_webui_port", 8080)))
|
|
|
|
def getUFSplunkVariables(vars_scope):
|
|
"""
|
|
Set or override specific environment variables for universal forwarders
|
|
"""
|
|
if os.environ.get("SPLUNK_DEPLOYMENT_SERVER"):
|
|
vars_scope["splunk"]["deployment_server"] = os.environ.get("SPLUNK_DEPLOYMENT_SERVER")
|
|
if os.environ.get("SPLUNK_ADD"):
|
|
vars_scope["splunk"]["add"] = os.environ.get("SPLUNK_ADD").split(",")
|
|
if os.environ.get("SPLUNK_BEFORE_START_CMD"):
|
|
vars_scope["splunk"]["before_start_cmd"] = os.environ.get("SPLUNK_BEFORE_START_CMD").split(",")
|
|
if os.environ.get("SPLUNK_CMD"):
|
|
vars_scope["splunk"]["cmd"] = os.environ.get("SPLUNK_CMD").split(",")
|
|
if os.environ.get("SPLUNK_DEPLOYMENT_CLIENT_NAME"):
|
|
vars_scope["splunk"]["deployment_client"] = {
|
|
"name": os.environ.get("SPLUNK_DEPLOYMENT_CLIENT_NAME")
|
|
}
|
|
|
|
def getRandomString():
|
|
"""
|
|
Generate a random string consisting of characters + digits
|
|
"""
|
|
char_set = string.ascii_uppercase + string.digits
|
|
return ''.join(random.sample(char_set * 6, 6))
|
|
|
|
def parseUrl(url, vars_scope):
|
|
"""
|
|
Parses role URL to handle non-default schemes, ports, etc.
|
|
"""
|
|
if not url:
|
|
return ""
|
|
scheme = vars_scope.get("cert_prefix", "https")
|
|
port = vars_scope["splunk"].get("svc_port", 8089)
|
|
parsed = urlparse(url)
|
|
# If netloc exists, we should consider the url provided well-formatted w/ scheme provided
|
|
if parsed.netloc:
|
|
# Strip auth info, if it exists
|
|
netloc = parsed.netloc.split("@", 1)[-1]
|
|
if ":" not in netloc:
|
|
return "{}://{}:{}".format(parsed.scheme, netloc, port)
|
|
return "{}://{}".format(parsed.scheme, netloc)
|
|
# Strip auth info, if it exists
|
|
parsed = url.split("@", 1)[-1]
|
|
# Strip path, if it exists
|
|
parsed = parsed.split("/", 1)[0]
|
|
# Extract hostname and port
|
|
parsed = parsed.split(":", 1)
|
|
hostname = parsed[0]
|
|
if len(parsed) == 2:
|
|
port = parsed[1]
|
|
return "{}://{}:{}".format(scheme, hostname, port)
|
|
|
|
def merge_dict(dict1, dict2, path=None):
|
|
"""
|
|
Merge two dictionaries such that all the keys in dict2 overwrite those in dict1
|
|
"""
|
|
if path is None: path = []
|
|
for key in dict2:
|
|
if key in dict1:
|
|
if isinstance(dict1[key], dict) and isinstance(dict2[key], dict):
|
|
merge_dict(dict1[key], dict2[key], path + [str(key)])
|
|
elif isinstance(dict1[key], list) and isinstance(dict2[key], list):
|
|
dict1[key] += dict2[key]
|
|
else:
|
|
dict1[key] = dict2[key]
|
|
else:
|
|
dict1[key] = dict2[key]
|
|
return dict1
|
|
|
|
def mergeDefaults(vars_scope, key, src):
|
|
"""
|
|
Helper method to fetch defaults from various sources/other methods
|
|
"""
|
|
if not src or not src.strip():
|
|
return vars_scope
|
|
src = src.strip().lower()
|
|
if src.startswith("file://"):
|
|
src = src[7:]
|
|
if src.startswith(("http://", "https://")):
|
|
headers = None
|
|
verify = False
|
|
if vars_scope.get("config") and vars_scope["config"].get(key):
|
|
headers = vars_scope["config"][key].get("headers")
|
|
verify = bool(vars_scope["config"][key].get("verify"))
|
|
vars_scope = mergeDefaultsFromURL(vars_scope, src, headers, verify)
|
|
else:
|
|
vars_scope = mergeDefaultsFromFile(vars_scope, src)
|
|
return vars_scope
|
|
|
|
def mergeDefaultsFromURL(vars_scope, url, headers=None, verify=False):
|
|
"""
|
|
Fetch defaults from a URL and merge them into a single dict
|
|
"""
|
|
if not url:
|
|
return vars_scope
|
|
if not headers:
|
|
headers = {}
|
|
max_retries = int(os.environ.get("SPLUNK_DEFAULTS_HTTP_MAX_RETRIES", vars_scope["config"].get("max_retries")))
|
|
max_delay = int(os.environ.get("SPLUNK_DEFAULTS_HTTP_MAX_DELAY", vars_scope["config"].get("max_delay")))
|
|
max_timeout = int(os.environ.get("SPLUNK_DEFAULTS_HTTP_MAX_TIMEOUT", vars_scope["config"].get("max_timeout")))
|
|
auth = os.environ.get("SPLUNK_DEFAULTS_HTTP_AUTH_HEADER")
|
|
if auth:
|
|
headers["Authorization"] = auth
|
|
unlimited_retries = (max_retries == -1)
|
|
current_retry = 0
|
|
while True:
|
|
try:
|
|
resp = requests.get(url.format(hostname=HOSTNAME, platform=PLATFORM),
|
|
headers=headers, timeout=max_timeout, verify=verify)
|
|
resp.raise_for_status()
|
|
output = resp.content
|
|
if isinstance(output, bytes):
|
|
output = output.decode("utf-8", "ignore")
|
|
vars_scope = merge_dict(vars_scope, yaml.load(output, Loader=yaml.Loader))
|
|
break
|
|
except Exception as err:
|
|
if unlimited_retries or current_retry < max_retries:
|
|
current_retry += 1
|
|
print('URL request #{0} failed, sleeping {1} seconds and retrying'.format(current_retry, max_delay))
|
|
sleep(max_delay)
|
|
continue
|
|
raise err
|
|
return vars_scope
|
|
|
|
def mergeDefaultsFromFile(vars_scope, file):
|
|
"""
|
|
Fetch defaults from a file and merge them into a single dict
|
|
"""
|
|
if not file:
|
|
return vars_scope
|
|
if os.path.exists(file):
|
|
with open(file, "r") as f:
|
|
vars_scope = merge_dict(vars_scope, yaml.load(f.read(), Loader=yaml.Loader))
|
|
return vars_scope
|
|
|
|
def loadDefaults():
|
|
"""
|
|
Generate a consolidated map containing variables used to drive Ansible functionality.
|
|
Defaults are loaded in a particular order such that latter overrides former.
|
|
"""
|
|
# Load base defaults from splunk-ansible repository
|
|
base = loadBaseDefaults()
|
|
if not base.get("config"):
|
|
return base
|
|
# Add "baked" files to array
|
|
for yml in loadBakedDefaults(base.get("config")):
|
|
base = mergeDefaults(base, yml["key"], yml["src"])
|
|
# Add "env" files to array
|
|
for yml in loadEnvDefaults(base.get("config")):
|
|
base = mergeDefaults(base, yml["key"], yml["src"])
|
|
# Add "host" files to array
|
|
for yml in loadHostDefaults(base.get("config")):
|
|
base = mergeDefaults(base, yml["key"], yml["src"])
|
|
return base
|
|
|
|
def loadBaseDefaults():
|
|
"""
|
|
Load the base defaults shipped in splunk-ansible
|
|
"""
|
|
yml = {}
|
|
filename = "splunk_defaults_{}.yml".format(PLATFORM)
|
|
if os.environ.get("SPLUNK_ROLE") == "splunk_universal_forwarder":
|
|
filename = "splunkforwarder_defaults_{}.yml".format(PLATFORM)
|
|
with open(os.path.join(HERE, filename), "r") as yaml_file:
|
|
yml = yaml.load(yaml_file, Loader=yaml.Loader)
|
|
return yml
|
|
|
|
def loadBakedDefaults(config):
|
|
"""
|
|
Load the defaults in "baked" key of the configuration.
|
|
"""
|
|
if not config or not config.get("baked"):
|
|
return []
|
|
files = config["baked"].split(",")
|
|
default_dir = config.get("defaults_dir", "")
|
|
return [{"key": "baked", "src": os.path.join(default_dir, f.strip())} for f in files]
|
|
|
|
def loadEnvDefaults(config):
|
|
"""
|
|
Load the defaults in "env" key of the configuration.
|
|
"""
|
|
if not config or not config.get("env") or not config["env"].get("var"):
|
|
return []
|
|
urls = os.environ.get(config["env"]["var"], "")
|
|
if not urls:
|
|
return []
|
|
return [{"key": "env", "src": url} for url in urls.split(",")]
|
|
|
|
def loadHostDefaults(config):
|
|
"""
|
|
Load the defaults in "host" key of the configuration.
|
|
"""
|
|
if not config or not config.get("host") or not config["host"].get("url"):
|
|
return []
|
|
urls = config["host"]["url"].split(",")
|
|
return [{"key": "host", "src": url} for url in urls]
|
|
|
|
def obfuscate_vars(inventory):
|
|
"""
|
|
Remove sensitive variables when dumping inventory out to stdout or file
|
|
"""
|
|
stars = "*"*14
|
|
splunkVars = inventory.get("all", {}).get("vars", {}).get("splunk", {})
|
|
if splunkVars.get("password"):
|
|
splunkVars["password"] = stars
|
|
if splunkVars.get("pass4SymmKey"):
|
|
splunkVars["pass4SymmKey"] = stars
|
|
if splunkVars.get("shc") and splunkVars["shc"].get("secret"):
|
|
splunkVars["shc"]["secret"] = stars
|
|
if splunkVars.get("shc") and splunkVars["shc"].get("pass4SymmKey"):
|
|
splunkVars["shc"]["pass4SymmKey"] = stars
|
|
if splunkVars.get("idxc") and splunkVars["idxc"].get("secret"):
|
|
splunkVars["idxc"]["secret"] = stars
|
|
if splunkVars.get("idxc") and splunkVars["idxc"].get("pass4SymmKey"):
|
|
splunkVars["idxc"]["pass4SymmKey"] = stars
|
|
if splunkVars.get("smartstore") and splunkVars["smartstore"].get("index"):
|
|
splunkIndexes = splunkVars["smartstore"]["index"]
|
|
for idx in range(0, len(splunkIndexes)):
|
|
if splunkIndexes[idx].get("s3"):
|
|
if splunkIndexes[idx]["s3"].get("access_key"):
|
|
splunkIndexes[idx]["s3"]["access_key"] = stars
|
|
if splunkIndexes[idx]["s3"].get("secret_key"):
|
|
splunkIndexes[idx]["s3"]["secret_key"] = stars
|
|
return inventory
|
|
|
|
def create_parser():
|
|
"""
|
|
Create an argparser to control dynamic inventory execution
|
|
"""
|
|
parser = argparse.ArgumentParser(description='Return Ansible inventory defined in the environment.')
|
|
parser.add_argument('--list', action='store_true', default=True, help='List all hosts (default: True)')
|
|
parser.add_argument('--host', action='store', help='Only get information for a specific host.')
|
|
parser.add_argument('--write-to-file', action='store_true', default=False, help='Write to file for debugging')
|
|
parser.add_argument('--write-to-stdout', action='store_true', default=False, help='create a default.yml file shown on stdout from current vars')
|
|
return parser
|
|
|
|
def prep_for_yaml_out(inventory):
|
|
"""
|
|
Prune the inventory by removing select keys before printing/writing to file
|
|
"""
|
|
inventory_to_dump = inventory["all"]["vars"]
|
|
|
|
keys_to_del = ["ansible_ssh_user",
|
|
"apps_location",
|
|
"build_location",
|
|
"hostname",
|
|
"role",
|
|
"preferred_captaincy",
|
|
"license_uri"]
|
|
for key in keys_to_del:
|
|
if key in inventory_to_dump:
|
|
del inventory_to_dump[key]
|
|
if key in inventory_to_dump["splunk"]:
|
|
del inventory_to_dump["splunk"][key]
|
|
if key in inventory_to_dump["splunk"]["app_paths"]:
|
|
del inventory_to_dump["splunk"]["app_paths"][key]
|
|
if key in inventory_to_dump["splunk"]["shc"]:
|
|
del inventory_to_dump["splunk"]["shc"][key]
|
|
if key in inventory_to_dump["splunk"]["idxc"]:
|
|
del inventory_to_dump["splunk"]["idxc"][key]
|
|
#remove extra stuff when we know it's the forwarder
|
|
if inventory_to_dump["splunk"]["home"] == "/opt/splunkforwarder":
|
|
del inventory_to_dump["splunk"]["idxc"]
|
|
del inventory_to_dump["splunk"]["shc"]
|
|
return inventory_to_dump
|
|
|
|
def main():
|
|
"""
|
|
Primary entrypoint to dynamic inventory script
|
|
"""
|
|
parser = create_parser()
|
|
args = parser.parse_args()
|
|
|
|
getSplunkInventory(inventory)
|
|
if args.write_to_file:
|
|
with open(os.path.join("/opt/container_artifact", "ansible_inventory.json"), "w") as outfile:
|
|
json.dump(obfuscate_vars(inventory), outfile, sort_keys=True, indent=4, ensure_ascii=False)
|
|
elif args.write_to_stdout:
|
|
#remove keys we don't want to print
|
|
inventory_to_dump = prep_for_yaml_out(inventory)
|
|
print("---")
|
|
print(yaml.dump(inventory_to_dump, default_flow_style=False))
|
|
else:
|
|
print(json.dumps(inventory))
|
|
|
|
|
|
if __name__ == "__main__":
|
|
main()
|