OPSEXP-2880 Add audit-storage role

.envrc

@@ -4,7 +4,7 @@ export AWS_REGION=eu-west-1
 export MOLECULE_IT_AWS_VPC_SUBNET_ID=subnet-6bdd4223
 export BRANCH_NAME=local
 export BUILD_NUMBER=1
-export DTAS_VERSION=v1.5.3
+export DTAS_VERSION=v1.6.0
 export MOLECULE_IT_ID=$(echo "$LOGNAME" | sha256sum | cut -c1-6)
 ANSIBLE_VAULT_PASSWORD_FILE=$(expand_path ./.vault_pass.txt)
 export ANSIBLE_VAULT_PASSWORD_FILE

.github/workflows/enteprise.yml

@@ -19,7 +19,7 @@ on:
   workflow_dispatch:
 
 env:
-  DTAS_VERSION: v1.5.5
+  DTAS_VERSION: v1.6.0
   BUILD_NUMBER: ${{ github.run_id }}
   PY_COLORS: 1
   PYTHONUNBUFFERED: 1
@@ -64,6 +64,7 @@ jobs:
           - name: sfs
           - name: sync
           - name: trouter
+          - name: audit_storage
     steps:
       - name: Share var with further reusable workflows
         id: jobvars
@@ -154,6 +155,12 @@ jobs:
       fail-fast: false
       matrix:
         molecule_scenario:
+          - name: default
+            vars: vars-ubuntu20-72.yml
+            desc: EC2 ACS 7.2 (Ubuntu 20.04)
+          - name: default
+            vars: vars-ubuntu20-73.yml
+            desc: EC2 ACS 7.3 (Ubuntu 20.04)
           - name: default
             vars: vars-rocky8.yml
             desc: EC2 ACS 7.4 (Rocky Linux 8.9)

README.md

@@ -194,8 +194,7 @@ Follow this quick checklist:
 
 * review currently open dependabot/renovate and merge them
 * copy the versions inside the group_vars/all.yml to a new XX.N-extra-vars.yml (in case of a new ACS major version)
-* run [updatecli workflow](https://github.com/Alfresco/alfresco-ansible-deployment/actions/workflows/updatecli.yml)
-* run [enterprise-extended](https://github.com/Alfresco/alfresco-ansible-deployment/actions/workflows/enterprise-extended.yml) and make sure it is green
+* bump versions constraints in scripts/updatecli/updatecli_acs*.yml (workflow will take care of the rest)
 * ensure that the [versions table in the main readme](docs/overview.md#versioning) has been updated
 * ensure that docker images and AMI id for the root molecule tests are
   reflecting any minor OS release (e.g. [default suite](../molecule/default/))

group_vars/all.yml

@@ -46,6 +46,10 @@ api_explorer:
   artifact_name: api-explorer
   repository: "{{ nexus_repository.releases }}"
   version: 23.4.0
+audit_storage:
+  artifact_name: alfresco-audit-storage-distribution
+  repository: "{{ nexus_repository.enterprise_releases }}"
+  version: 1.0.0
 search_enterprise:
   artifact_name: alfresco-elasticsearch-connector-distribution
   repository: "{{ nexus_repository.enterprise_releases }}"
@@ -122,6 +126,10 @@ downloads:
     {{ adw.repository }}/{{ adw.artifact_name }}/{{ adw.version }}/{{ adw.artifact_name }}-{{ adw.version }}.zip
   adw_zip_sha1_checksum_url: >-
     {{ adw.repository }}/{{ adw.artifact_name }}/{{ adw.version }}/{{ adw.artifact_name }}-{{ adw.version }}.zip.sha1
+  audit_storage_zip_url: >-
+    {{ audit_storage.repository }}/{{ audit_storage.artifact_name }}/{{ audit_storage.version }}/{{ audit_storage.artifact_name }}-{{ audit_storage.version }}.zip
+  audit_storage_zip_sha1_checksum_url: >-
+    {{ audit_storage.repository }}/{{ audit_storage.artifact_name }}/{{ audit_storage.version }}/{{ audit_storage.artifact_name }}-{{ audit_storage.version }}.zip.sha1
   search_enterprise_zip_url: >-
     {{ search_enterprise.repository }}/{{ search_enterprise.artifact_name }}/{{ search_enterprise.version }}/{{ search_enterprise.artifact_name }}-{{ search_enterprise.version }}.zip
   search_enterprise_zip_sha1_url: >-

inventory_ha.yml

@@ -67,6 +67,10 @@ all:
       hosts:
         sync.infra.local:
 
+    audit_storage:
+      hosts:
+        audit.infra.local:
+
     other_repo_clients:
       hosts:
 

inventory_local.yml

@@ -55,6 +55,10 @@ all:
       children:
         repository:
 
+    audit_storage:
+      children:
+        repository:
+
     other_repo_clients:
       hosts:
 

inventory_ssh.yml

@@ -72,6 +72,11 @@ all:
         syncservice_1:
           ansible_host: targetIP
 
+    audit_storage:
+      hosts:
+        audit_storage_1:
+          ansible_host: targetIP
+
     other_repo_clients:
       hosts:
 

molecule/docker_enterprise/molecule.yml

@@ -27,8 +27,11 @@ platforms:
       - acc
       - adw
       - nginx
+      - audit_storage
     published_ports:
       - 0.0.0.0:443:443/tcp
+      - 0.0.0.0:8083:8083/tcp
+      - 0.0.0.0:9200:9200/tcp
 
 provisioner:
   name: ansible
@@ -47,3 +50,5 @@ provisioner:
     verify: ../default/verify.yml
 verifier:
   name: ansible
+  env:
+    MOLECULE_IT_TEST_CONFIG: tests/test-config-aas.json

molecule/elasticsearch/molecule.yml

@@ -29,6 +29,7 @@ platforms:
       - sfs
       - syncservice
       - transformers
+      - audit_storage
       - trusted_resource_consumers
 provisioner:
   name: ansible
@@ -47,6 +48,6 @@ provisioner:
   playbooks:
     prepare: ../default/prepare.yml
     converge: ../../playbooks/acs.yml
-    verify: ../multimachine/verify.yml
+    verify: ../default/verify.yml
 verifier:
   name: ansible

playbooks/acs.yml

@@ -479,3 +479,44 @@
         mode: "0755"
   tags:
     - sync
+
+- name: Audit Storage Role
+  hosts: audit_storage
+  gather_facts: false
+  vars:
+    acs_version_requirement: "{{ acs.version is version('23.4', 'ge') }}"
+  pre_tasks:
+    - name: Assert that the required version is met
+      ansible.builtin.fail:
+        msg: "Audit Storage requires ACS 23.4 or later"
+      when: not acs_version_requirement
+  roles:
+    - role: "../roles/audit_storage"
+      when: acs.edition == "Enterprise" and acs_version_requirement
+      audit_storage_version: "{{ audit_storage.version }}"
+      audit_storage_zip_url: "{{ downloads.audit_storage_zip_url }}"
+      audit_storage_zip_sha1_url: "{{ downloads.audit_storage_zip_sha1_checksum_url }}"
+      audit_storage_username: "{{ username }}"
+      audit_storage_group_name: "{{ group_name }}"
+      audit_storage_broker_url: "failover:({{ activemq_transport }}://{{ activemq_host }}:{{ ports_cfg.activemq[activemq_protocol] }})"
+      audit_storage_broker_username: "{{ activemq_username }}"
+      audit_storage_broker_password: "{{ activemq_password }}"
+      audit_storage_opensearch_url: "{{ elasticsearch_protocol }}://{{ elasticsearch_host }}:{{ ports_cfg.elasticsearch.http }}"
+      audit_storage_opensearch_username: "{{ elasticsearch_username }}"
+      audit_storage_opensearch_password: "{{ elasticsearch_password }}"
+  post_tasks:
+    - name: Update installation status file with Audit Storage
+      when: acs.edition == "Enterprise" and acs_version_requirement
+      become: true
+      vars:
+        audit_storage_components:
+          audit_storage: "{{ audit_storage }}"
+      ansible.builtin.blockinfile:
+        block: "{{ audit_storage_components | to_nice_yaml(indent=2) }}"
+        create: true
+        path: "{{ ansible_installation_status_file }}"
+        marker_begin: AUDIT_STORAGE_BEGIN
+        marker_end: AUDIT_STORAGE_END
+        mode: "0755"
+  tags:
+    - audit_storage

roles/audit_storage/README.md

@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

roles/audit_storage/defaults/main.yml

@@ -0,0 +1,48 @@
+---
+# defaults file for audit_storage
+audit_storage_version: "1.0.0"
+audit_storage_zip_url: https://nexus.alfresco.com/nexus/repository/enterprise-releases/org/alfresco/alfresco-audit-storage-distribution/{{ audit_storage_version }}/alfresco-audit-storage-distribution-{{ audit_storage_version }}.zip
+audit_storage_zip_sha1_url: https://nexus.alfresco.com/nexus/repository/enterprise-releases/org/alfresco/alfresco-audit-storage-distribution/{{ audit_storage_version }}/alfresco-audit-storage-distribution-{{ audit_storage_version }}.zip.sha1
+
+audit_storage_artifact_name: alfresco-audit-storage-app
+
+audit_storage_username: alfresco
+audit_storage_group_name: alfresco
+
+audit_storage_server_port: 8083
+
+audit_storage_broker_url: failover:(nio://localhost:61616)?timeout=3000
+audit_storage_broker_username: admin
+audit_storage_broker_password: admin
+audit_storage_opensearch_url: http://localhost:9200
+audit_storage_opensearch_username: ''
+audit_storage_opensearch_password: ''
+
+audit_storage_default_environment:
+  SERVER_PORT: "{{ audit_storage_server_port }}"
+  SPRING_ACTIVEMQ_BROKERURL: "{{ audit_storage_broker_url }}"
+  SPRING_ACTIVEMQ_USER: "{{ audit_storage_broker_username }}"
+  SPRING_ACTIVEMQ_PASSWORD: "{{ audit_storage_broker_password }}"
+  AUDIT_ENTRYSTORAGE_OPENSEARCH_CONNECTOR_URI: "{{ audit_storage_opensearch_url }}"
+  AUDIT_ENTRYSTORAGE_OPENSEARCH_CONNECTOR_USERNAME: "{{ audit_storage_opensearch_username }}"
+  AUDIT_ENTRYSTORAGE_OPENSEARCH_CONNECTOR_PASSWORD: "{{ audit_storage_opensearch_password }}"
+  AUDIT_EVENTINGESTION_URI: activemq:topic:alfresco.repo.event2
+audit_storage_environment: {}
+
+audit_storage_java_bin_path: /opt/openjdk-17.0.11/bin/java
+
+audit_storage_binaries_dir: "/opt/alfresco/audit-storage-{{ audit_storage_version }}"
+audit_storage_config_dir: "/etc/alfresco/audit-storage"
+
+audit_storage_systemd_service_unit_name: "alfresco-audit-storage"
+audit_storage_systemd_service_unit_description: "Alfresco Audit Storage"
+audit_storage_systemd_service_exec_start: "{{ audit_storage_java_bin_path }} -jar {{ audit_storage_artifact_path }}"
+audit_storage_systemd_service_user: "{{ audit_storage_username }}"
+
+audit_storage_systemd_service_unit_after: syslog.target network.target local-fs.target remote-fs.target nss-lookup.target
+audit_storage_systemd_service_type: simple
+audit_storage_systemd_service_exec_stop: kill -15 $MAINPID
+audit_storage_systemd_service_working_directory: /tmp
+audit_storage_systemd_service_additional_options: {}
+audit_storage_systemd_service_state: started
+audit_storage_systemd_service_enabled: true

roles/audit_storage/handlers/main.yml

@@ -0,0 +1,13 @@
+---
+# handlers file for audit_storage
+- name: Reload systemd
+  become: true
+  ansible.builtin.systemd:
+    daemon_reload: true
+
+- name: Restart {{ audit_storage_systemd_service_unit_name }}
+  become: true
+  ansible.builtin.systemd:
+    name: "{{ audit_storage_systemd_service_unit_name }}"
+    state: restarted
+  when: audit_storage_systemd_service_state == 'started'

roles/audit_storage/meta/main.yml

@@ -0,0 +1,33 @@
+galaxy_info:
+  author: Alfresco Ops Readiness
+  description: This role installs and configures the audit storage for Alfresco
+  company: Hyland Software
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  license: Apache-2.0
+
+  min_ansible_version: "2.12"
+
+  platforms:
+    - name: Ubuntu
+      versions:
+        - bionic
+        - focal
+    - name: EL
+      versions:
+        - "8"
+        - "9"
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies:
+  - role: java

roles/audit_storage/molecule/default/converge.yml

@@ -0,0 +1,7 @@
+---
+- name: Converge
+  hosts: all
+  roles:
+    - role: activemq
+    - role: elasticsearch
+    - role: audit_storage

roles/audit_storage/molecule/default/host_vars/instance.yml

@@ -0,0 +1 @@
+ansible_user: ansible