Merge pull request #30 from splunk/updates_022321

Mason Morales · web-flow · commit c3efc0d8cf2c · 2021-02-23T14:39:27.000-08:00
Multiple updates
diff --git a/README.md b/README.md
@@ -99,7 +99,6 @@ You may also override the auto-configured `splunk_app_deploy_path` at the reposi
 
 **Configure local splunk admin password at install**
 ```
-splunk_user_seed: true
 splunk_admin_username: youradminusername (optional, defaults to admin)
 splunk_admin_password: yourpassword
 ```
diff --git a/roles/splunk/defaults/main.yml b/roles/splunk/defaults/main.yml
@@ -19,8 +19,8 @@ splunk_uri_ds: undefined # e.g. mydeploymentserver.mydomain.com:8089 ; Note that
 clientName: undefined
 splunk_admin_username: admin
 splunk_admin_password: undefined # Use ansible-vault encrypt_string, e.g. ansible-vault encrypt_string --ask-vault-pass 'var_value_to_encrypt' --name 'var_name'
-splunk_user_seed: false # Requires splunk_admin_password var to be set
 splunk_configure_secret: false # If set to true, you need to update files/splunk.secret
+splunk_secret_file: splunk.secret # Used to specify your splunk.secret filename(s), files should be placed in the "files" folder of the role
 # Although there are tasks for the following Splunk configurations in this role, they are not included in any tasks by default. You can add them to your install_splunk.yml if you would like to have Ansible manage any of these files
 splunk_configure_authentication: false
 ad_bind_password: undefined # Use ansible-vault encrypt_string, e.g. ansible-vault encrypt_string --ask-vault-pass 'var_value_to_encrypt' --name 'var_name'
@@ -32,6 +32,10 @@ git_key: undefined # Path to SSH key for cloning repositories - Note that this m
 git_project: undefined
 git_version: master # Configure default version to clone, overridable inside the git_apps dictionary within host_vars
 splunk_app_deploy_path: undefined # Path under $SPLUNK_HOME/ to deploy apps to - Note that this may be set in group_vars, host_vars, playbook vars, or inside the git_apps dictionary within host_vars
+splunk_apply_cluster_bundle_retries: 3 # How many times to retry indexer cluster bundle apply if it fails
+splunk_apply_cluster_bundle_delay: 60 # Delay in seconds between retries to apply indexer cluster bundle
+splunk_apply_shcluster_bundle_retries: 3 # How many times to retry SHC bundle apply if it fails
+splunk_apply_shcluster_bundle_delay: 60 #  Delay in seconds between retries to apply SHC bundle
 # SHC Vars
 splunk_shc_key: mypass4symmkey
 splunk_shc_label: myshc
diff --git a/roles/splunk/handlers/main.yml b/roles/splunk/handlers/main.yml
@@ -41,9 +41,14 @@
   become: yes
 
 - name: apply indexer cluster bundle
-  shell: "{{ splunk_home }}/bin/splunk apply cluster-bundle --answer-yes --skip-validation -auth {{ splunk_auth }}"
+  command: "{{ splunk_home }}/bin/splunk apply cluster-bundle --answer-yes --skip-validation -auth {{ splunk_auth }}"
   become: yes
   become_user: "{{ splunk_nix_user }}"
+  register: apply_cluster_bundle_result
+  changed_when: apply_cluster_bundle_result.rc == 0
+  failed_when: apply_cluster_bundle_result.rc != 0
+  retries: "{{ splunk_apply_cluster_bundle_retries }}"
+  delay: "{{ splunk_apply_cluster_bundle_delay }}"
   no_log: true
   when: "'clustermaster' in group_names"
 
@@ -55,9 +60,14 @@
   when: "'deploymentserver' in group_names"
 
 - name: apply shcluster-bundle
-  shell: "{{ splunk_home }}/bin/splunk apply shcluster-bundle -preserve-lookups true --answer-yes -auth {{ splunk_auth }} -target {{ deploy_target }}"
+  command: "{{ splunk_home }}/bin/splunk apply shcluster-bundle -preserve-lookups true --answer-yes -auth {{ splunk_auth }} -target {{ deploy_target }}"
   become: yes
   become_user: "{{ splunk_nix_user }}"
+  register: apply_shcluster_bundle_result
+  changed_when: apply_shcluster_bundle_result.rc == 0
+  failed_when: apply_shcluster_bundle_result.rc != 0 
+  retries: "{{ splunk_apply_shcluster_bundle_retries }}"
+  delay: "{{ splunk_apply_shcluster_bundle_delay }}"
   no_log: true
   when: "'shdeployer' in group_names and deploy_target is defined"
 
diff --git a/roles/splunk/tasks/check_splunk.yml b/roles/splunk/tasks/check_splunk.yml
@@ -17,38 +17,35 @@
 
 - name: Execute this block only if splunk is already installed
   block:
- # If Splunk is installed, get the current version
-  - name: Run splunk version command to check currently installed version
-    shell: "{{ splunk_home }}/bin/splunk version --answer-yes --auto-ports --no-prompt --accept-license"
-    register: current_version
-    become: yes
-    become_user: "{{ splunk_nix_user }}"
-    changed_when: false
-
-  - name: "Checkpoint: Version" ##########################
-    debug:
-      msg: "The value of splunk_version is: {{ splunk_version }} and the current_version is: {{ current_version.stdout }}"
-
-  - name: "Checkpoint: Package"
-    debug:
-      msg: "We will download the latest release from {{ splunk_package_url }}"
-    when: current_version.stdout != splunk_version
-
-  - name: Check if Splunk needs to be stopped if we are not at the expected version
-    shell: "{{ splunk_home }}/bin/splunk status"
-    register: splunk_status
-    become: yes
-    become_user: "{{ splunk_nix_user }}"
-    when: current_version.stdout != splunk_version
-    changed_when: false
-    ignore_errors: true
-
-  - name: Stop Splunk if not at expected version and not currently stopped
-    include_tasks: splunk_stop.yml
-    when: current_version.stdout != splunk_version and splunk_status.stdout != 'splunkd is not running.'
-
-  - name: Upgrade Splunk if not at expected version
-    include_tasks: upgrade_splunk.yml
-    when: current_version.stdout != splunk_version
+
+    - name: Run splunk version command to check currently installed version
+      shell: "{{ splunk_home }}/bin/splunk version --answer-yes --auto-ports --no-prompt --accept-license"
+      register: current_version
+      become: yes
+      become_user: "{{ splunk_nix_user }}"
+      changed_when: false
+
+    - name: "Checkpoint: Version" ##########################
+      debug:
+        msg: "The value of splunk_version is: {{ splunk_version }} and the current_version is: {{ current_version.stdout }}"
+
+    - name: Execute this block only if the current version does not match the expected version
+      block:
+        - name: "Checkpoint: Package"
+          debug:
+            msg: "We will download the latest release from {{ splunk_package_url }}"
+
+        - name: Check if Splunk needs to be stopped if we are not at the expected version
+          include_tasks: check_splunk_status.yml
+          changed_when: false
+
+        - name: Stop Splunk if not at expected version and splunk is currently running
+          include_tasks: splunk_stop.yml
+          when: splunk_status.rc == 0
+
+        - name: Upgrade Splunk if not at expected version
+          include_tasks: upgrade_splunk.yml
+# Conditional for version mismatch block
+      when: current_version.stdout != splunk_version
 # Conditional for this block
   when: splunkd_path.stat.exists == true
diff --git a/roles/splunk/tasks/check_splunk_status.yml b/roles/splunk/tasks/check_splunk_status.yml
@@ -0,0 +1,7 @@
+---
+- name: Check if Splunk is currently running or stopped
+  command: "{{ splunk_home }}/bin/splunk status"
+  register: splunk_status
+  become: yes
+  become_user: "{{ splunk_nix_user }}"
+  changed_when: false
diff --git a/roles/splunk/tasks/configure_splunk_boot.yml b/roles/splunk/tasks/configure_splunk_boot.yml
@@ -4,12 +4,8 @@
   block:
     
   - name: Check if Splunk needs to be stopped if boot-start isn't configured as Ansible expects (or boot-start is not configured at all)
-    command: "{{ splunk_home }}/bin/splunk status"
-    register: splunk_status
-    become: yes
-    become_user: "{{ splunk_nix_user }}"
+    include_tasks: check_splunk_status.yml
     changed_when: false
-    failed_when: false
     when: >
       ((systemd_boot and splunk_use_initd) or
       (initd_boot.stat.exists and not splunk_use_initd) or
@@ -34,7 +30,7 @@
           - "'uf' in group_names"
     when:
       - systemd_boot and splunk_use_initd
-      - splunk_status.stdout != 'splunkd is not running.'
+      - splunk_status.rc == 0
 
   - name: Stop Splunk via init.d to prepare for conversion to systemd
     service:
@@ -43,7 +39,7 @@
     become: yes
     when:
       - initd_boot.stat.exists and not splunk_use_initd
-      - splunk_status.stdout != 'splunkd is not running.'
+      - splunk_status.rc == 0
 
   - name: Stop Splunk via command if boot-start is not configured at all and systemd is configured in Ansible
     command: "{{ splunk_home }}/bin/splunk stop"
@@ -52,7 +48,7 @@
       - not systemd_boot
       - not initd_boot.stat.exists
       - not splunk_use_initd
-      - splunk_status.stdout != 'splunkd is not running.'
+      - splunk_status.rc == 0
 
   - name: Disable boot-start if current configuration does not matched expected configuration
     shell: "{{ splunk_home }}/bin/splunk disable boot-start"
diff --git a/roles/splunk/tasks/configure_splunk_secret.yml b/roles/splunk/tasks/configure_splunk_secret.yml
@@ -1,6 +1,6 @@
 - name: Install splunk.secret
   copy:
-    src: splunk.secret
+    src: "{{ splunk_secret_file }}"
     dest: "{{ splunk_home }}/etc/auth/splunk.secret"
     owner: "{{ splunk_nix_user }}"
     group: "{{ splunk_nix_group }}"
diff --git a/roles/splunk/tasks/configure_user-seed.yml b/roles/splunk/tasks/configure_user-seed.yml
@@ -1,20 +1,20 @@
 ---
-- name: "Check for existing {{ splunk_home }}/etc/passwd"
-  stat:
-    path: "{{ splunk_home }}/etc/passwd"
-  register: splunk_etc_passwd
-  become: yes
-  become_user: "{{ splunk_nix_user }}"
+- name: Execute this block only when splunk_admin_password has been configured
+  block:
+    - name: "Check for existing {{ splunk_home }}/etc/passwd"
+      stat:
+        path: "{{ splunk_home }}/etc/passwd"
+      register: splunk_etc_passwd
+      become: yes
+      become_user: "{{ splunk_nix_user }}"
 
-- name: Create user-seed.conf file with splunk_admin_username and splunk_admin_password
-  template:
-    src: user-seed.conf.j2
-    dest: "{{ splunk_home }}/etc/system/local/user-seed.conf"
-    owner: "{{ splunk_nix_user }}"
-    group: "{{ splunk_nix_group }}"
-  notify: restart splunk
-  become: yes
+    - name: Create user-seed.conf file with splunk_admin_username and splunk_admin_password
+      template:
+        src: user-seed.conf.j2
+        dest: "{{ splunk_home }}/etc/system/local/user-seed.conf"
+        owner: "{{ splunk_nix_user }}"
+        group: "{{ splunk_nix_group }}"
+      become: yes
+      when: not splunk_etc_passwd.stat.exists
   when:
-    - not splunk_etc_passwd.stat.exists
-    - splunk_user_seed
     - splunk_admin_password != 'undefined'
diff --git a/roles/splunk/tasks/install_splunk.yml b/roles/splunk/tasks/install_splunk.yml
@@ -44,7 +44,6 @@
 - name: Include configure user-seed task
   include_tasks: configure_user-seed.yml
   when: 
-    - splunk_user_seed
     - splunk_admin_password != 'undefined'
 
 - name: Include configure default authentication.conf for AD authentication and admin role mapping
diff --git a/roles/splunk/tasks/remove_splunk.yml b/roles/splunk/tasks/remove_splunk.yml
@@ -0,0 +1,14 @@
+---
+- include_tasks: splunk_stop.yml
+
+- name: Disable boot-start
+  shell: "{{ splunk_home }}/bin/splunk disable boot-start"
+  become: yes
+
+- name: Remove splunk folder
+  file:
+    path: "{{ splunk_home }}"
+    state: absent
+  become: yes
+
+# Todo: Remove user, group, THP/ulimit files, check for cron jobs/scripts and remove those if present
