From 4b6163b46b26057d321b5a334dd16dad19d59060 Mon Sep 17 00:00:00 2001
From: Emlyn Kinzett
Date: Mon, 23 May 2022 11:28:31 +0100
Subject: [PATCH 1/4] Attempt to fix static credentials handling when deploying to an ASG.
---
 .../database_backup-mysql/defaults/main.yml | 3 +++
 .../database_backup-mysql/tasks/deploy.yml | 11 ++++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/roles/database_backup/database_backup-mysql/defaults/main.yml b/roles/database_backup/database_backup-mysql/defaults/main.yml
index f7e070e9..820a6216 100644
--- a/roles/database_backup/database_backup-mysql/defaults/main.yml
+++ b/roles/database_backup/database_backup-mysql/defaults/main.yml
@@ -16,6 +16,9 @@ mysql_backup:
 # Uses the same user/pwd pair than the one found in the database.credentials_file.
 # This is useful for locked-down setups where you do not have GRANT permissions.
 credentials_handling: rotate
+ # If you're deploying to an ASG and you're using `static` for credentials_handling,
+ # you can set asg_deployment to `true` to ensure the database user password remains the same, always.
+ asg_deployment: false
 databases:
 - database: "{{ project_name }}_{{ build_type }}"
 user: "{{ project_name }}_{{ build_type }}"
diff --git a/roles/database_backup/database_backup-mysql/tasks/deploy.yml b/roles/database_backup/database_backup-mysql/tasks/deploy.yml
index a67d240e..b2d8c507 100644
--- a/roles/database_backup/database_backup-mysql/tasks/deploy.yml
+++ b/roles/database_backup/database_backup-mysql/tasks/deploy.yml
@@ -26,7 +26,16 @@
 when: mysql_backup.credentials_handling == 'static'
 - set_fact:
 _mysql_build_password: "{{ lookup('password', '{{ _ce_deploy_data_dir }}/{{ inventory_hostname }}/mysql/{{ _mysql_host }}/{{ database.database }}') }}"
- when: mysql_backup.credentials_handling == 'static'
+ when:
+ - mysql_backup.credentials_handling == 'static'
+ - mysql_backup.asg_deployment is not defined or not mysql_backup.asg_deployment
+- set_fact:
+ _mysql_build_password: "{{ lookup('password', '{{ _ce_deploy_data_dir }}/{{ project_name }}_asg/mysql/{{ _mysql_host }}/{{ database.database }}') }}"
+ when:
+ - mysql_backup.credentials_handling == 'static'
+ - mysql_backup.asg_deployment is defined
+ - mysql_backup.asg_deployment
+ run_once: true
 # Rotate: create user/pwd on each build.
 - set_fact:
 _mysql_build_user_name: "{{ database.user }}_{{ build_number }}"
From fcb974e8b0073095c8e166ca9080def166a25238 Mon Sep 17 00:00:00 2001
From: Emlyn Kinzett
Date: Mon, 23 May 2022 11:33:21 +0100
Subject: [PATCH 2/4] Include build_type in static password file location.
---
 roles/database_backup/database_backup-mysql/tasks/deploy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/database_backup/database_backup-mysql/tasks/deploy.yml b/roles/database_backup/database_backup-mysql/tasks/deploy.yml
index b2d8c507..b25aa432 100644
--- a/roles/database_backup/database_backup-mysql/tasks/deploy.yml
+++ b/roles/database_backup/database_backup-mysql/tasks/deploy.yml
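Review bot: The ASG switch is spelled as `mysql_backup.asg_deployment is not defined or not mysql_backup.asg_deployment` on the first `set_fact` and as the pair `is defined` plus the bare value on the second; `not (mysql_backup.asg_deployment | default(false))` and `mysql_backup.asg_deployment | default(false)` express the same split in one line each and still cope with a full override of `mysql_backup` that drops the key. The `run_once: true` on the shared-path lookup is what a later reader will trip over, since nothing in the task says why it is there; a comment such as `# run_once: generate the shared password file once rather than once per host` would cover it, reworded if the intent differs.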
@@ -30,7 +30,7 @@
 - mysql_backup.credentials_handling == 'static'
 - mysql_backup.asg_deployment is not defined or not mysql_backup.asg_deployment
 - set_fact:
- _mysql_build_password: "{{ lookup('password', '{{ _ce_deploy_data_dir }}/{{ project_name }}_asg/mysql/{{ _mysql_host }}/{{ database.database }}') }}"
+ _mysql_build_password: "{{ lookup('password', '{{ _ce_deploy_data_dir }}/{{ project_name }}_{{ build_type }}_asg/mysql/{{ _mysql_host }}/{{ database.database }}') }}"
 when:
 - mysql_backup.credentials_handling == 'static'
 - mysql_backup.asg_deployment is defined
From 6f89da1bdd2757f43c650e1cce8838e56d5836d6 Mon Sep 17 00:00:00 2001
From: Emlyn Kinzett
Date: Mon, 23 May 2022 13:11:17 +0100
Subject: [PATCH 3/4] Move to using new location for static credentials handling, but try to catch any legacy stuff too, for now.
---
 .../database_backup-mysql/defaults/main.yml | 3 --
 .../database_backup-mysql/tasks/deploy.yml | 52 ++++++++++++++++---
 2 files changed, 44 insertions(+), 11 deletions(-)
diff --git a/roles/database_backup/database_backup-mysql/defaults/main.yml b/roles/database_backup/database_backup-mysql/defaults/main.yml
index 820a6216..f7e070e9 100644
--- a/roles/database_backup/database_backup-mysql/defaults/main.yml
+++ b/roles/database_backup/database_backup-mysql/defaults/main.yml
@@ -16,9 +16,6 @@ mysql_backup:
 # Uses the same user/pwd pair than the one found in the database.credentials_file.
 # This is useful for locked-down setups where you do not have GRANT permissions.
 credentials_handling: rotate
- # If you're deploying to an ASG and you're using `static` for credentials_handling,
- # you can set asg_deployment to `true` to ensure the database user password remains the same, always.
- asg_deployment: false
 databases:
 - database: "{{ project_name }}_{{ build_type }}"
 user: "{{ project_name }}_{{ build_type }}"
diff --git a/roles/database_backup/database_backup-mysql/tasks/deploy.yml b/roles/database_backup/database_backup-mysql/tasks/deploy.yml
index b25aa432..282ea034 100644
--- a/roles/database_backup/database_backup-mysql/tasks/deploy.yml
+++ b/roles/database_backup/database_backup-mysql/tasks/deploy.yml
@@ -24,18 +24,54 @@
 - set_fact:
 _mysql_build_user_name: "{{ database.user }}"
 when: mysql_backup.credentials_handling == 'static'
-- set_fact:
- _mysql_build_password: "{{ lookup('password', '{{ _ce_deploy_data_dir }}/{{ inventory_hostname }}/mysql/{{ _mysql_host }}/{{ database.database }}') }}"
+
+- name: Catch legacy static password handling.
+ ansible.builtin.stat:
+ path: "{{ _ce_deploy_data_dir }}/{{ inventory_hostname }}/mysql/{{ _mysql_host }}/{{ database.database }}"
+ register: _legacy_static_creds
+ delegate_to: localhost
+ run_once: true
+ when: mysql_backup.credentials_handling == 'static'
+
+- name: Create new static password location if it doesn't exist.
+ ansible.builtin.file:
+ path: "{{ _ce_deploy_data_dir }}/{{ project_name }}_{{ build_type }}/mysql/{{ _mysql_host }}"
+ state: directory
+ owner: "{{ deploy_user }}"
+ group: "{{ deploy_user }}"
+ mode: 0755
+ delegate_to: localhost
+ run_once: true
+ when: mysql_backup.credentials_handling == 'static'
+
+- name: Copy legacy static password to new location.
+ ansible.builtin.copy:
+ src: "{{ _ce_deploy_data_dir }}/{{ inventory_hostname }}/mysql/{{ _mysql_host }}/{{ database.database }}"
+ dest: "{{ _ce_deploy_data_dir }}/{{ project_name }}_{{ build_type }}/mysql/{{ _mysql_host }}/{{ database.database }}"
+ owner: "{{ deploy_user }}"
+ group: "{{ deploy_user }}"
+ mode: 0644
+ delegate_to: localhost
+ run_once: true
 when:
 - mysql_backup.credentials_handling == 'static'
- - mysql_backup.asg_deployment is not defined or not mysql_backup.asg_deployment
-- set_fact:
- _mysql_build_password: "{{ lookup('password', '{{ _ce_deploy_data_dir }}/{{ project_name }}_{{ build_type }}_asg/mysql/{{ _mysql_host }}/{{ database.database }}') }}"
+ - _legacy_static_creds is defined
+ - _legacy_static_creds.stat.exists
+
+- name: Delete legacy static password file if it exists.
+ ansible.builtin.file:
+ path: "{{ _ce_deploy_data_dir }}/{{ inventory_hostname }}/mysql/{{ _mysql_host }}/{{ database.database }}"
+ state: absent
+ delegate_to: localhost
+ run_once: true
 when:
 - mysql_backup.credentials_handling == 'static'
- - mysql_backup.asg_deployment is defined
- - mysql_backup.asg_deployment
- run_once: true
+ - _legacy_static_creds is defined
+ - _legacy_static_creds.stat.exists
+
+- set_fact:
+ _mysql_build_password: "{{ lookup('password', '{{ _ce_deploy_data_dir }}/{{ project_name }}_{{ build_type }}/mysql/{{ _mysql_host }}/{{ database.database }}') }}"
+ when: mysql_backup.credentials_handling == 'static'
 # Rotate: create user/pwd on each build.
 - set_fact:
 _mysql_build_user_name: "{{ database.user }}_{{ build_number }}"
From cd2967abb4dca425b6ef512e54cea29267545403 Mon Sep 17 00:00:00 2001
From: Emlyn Kinzett
Date: Mon, 23 May 2022 14:08:05 +0100
Subject: [PATCH 4/4] Add a couple of comments to legacy handling of static credentials.
---
 roles/database_backup/database_backup-mysql/tasks/deploy.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/roles/database_backup/database_backup-mysql/tasks/deploy.yml b/roles/database_backup/database_backup-mysql/tasks/deploy.yml
index 282ea034..dbb39de7 100644
--- a/roles/database_backup/database_backup-mysql/tasks/deploy.yml
+++ b/roles/database_backup/database_backup-mysql/tasks/deploy.yml
@@ -25,6 +25,7 @@
 _mysql_build_user_name: "{{ database.user }}"
 when: mysql_backup.credentials_handling == 'static'
+### Start of legacy handling. Can remove in a few months.
 - name: Catch legacy static password handling.
 ansible.builtin.stat:
 path: "{{ _ce_deploy_data_dir }}/{{ inventory_hostname }}/mysql/{{ _mysql_host }}/{{ database.database }}"
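Review bot: The migrated static database password ends up readable by every local account on the deploy host: the copy task sets `mode: 0644` on the password file and the directory task sets `mode: 0755`, whereas a file the password lookup creates itself is owner-only; change them to `mode: "0600"` and `mode: "0700"`, quoted so the leading-zero octal does not depend on YAML 1.1 integer parsing. The stat, copy and delete tasks all run with `run_once: true` yet build the legacy path from `inventory_hostname`, so only the first host's legacy file is migrated and removed while any other host's file under its old path stays on the controller; either loop the legacy tasks over `ansible_play_hosts` or drop `run_once` on the stat/delete pair. The final `set_fact` on the shared `{{ project_name }}_{{ build_type }}` path no longer carries the `run_once: true` that the ASG variant it replaces had, so every host templates the lookup itself; if that relies on the password lookup's own file locking, say so in a comment, otherwise put `run_once: true` back.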
@@ -68,6 +69,7 @@
 - mysql_backup.credentials_handling == 'static'
 - _legacy_static_creds is defined
 - _legacy_static_creds.stat.exists
+### End of legacy handling.
 - set_fact:
 _mysql_build_password: "{{ lookup('password', '{{ _ce_deploy_data_dir }}/{{ project_name }}_{{ build_type }}/mysql/{{ _mysql_host }}/{{ database.database }}') }}"