---
- name: Create cyhy-feeds config
  # Write the extract script's configuration file from the cyhy_feeds_config
  # variable. The file is owned by cyhy and read-only for everyone.
  # NOTE(review): this is the only file written by this task list that stays
  # world-readable (o=r); the AWS config and the MongoDB credential files are
  # written with o=. If cyhy_feeds_config carries anything sensitive it should
  # match them -- confirm against the variable's contents.
  ansible.builtin.copy:
    content: '{{ cyhy_feeds_config }}'
    dest: /var/cyhy/scripts/cyhy-feeds/cyhy-data-extract.cfg
    owner: cyhy
    group: cyhy
    mode: u=r,g=r,o=r
#
# Create the AWS config
#
- name: Create the AWS config
  # Render the AWS config file that the nightly cron job exports as
  # AWS_CONFIG_FILE. Readable by the cyhy user and group only.
  ansible.builtin.template:
    src: aws_config.j2
    dest: /var/cyhy/scripts/cyhy-feeds/aws_config
    owner: cyhy
    group: cyhy
    mode: u=r,g=r,o=
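#
# Create yml files for db access
#
- name: Create files with MongoDB credentials
  # One credentials file per database role the extract script connects with
  # (reporter, scan-reader, assessment-reader). Readable and writable by the
  # cyhy user and group only.
  # NOTE(review): write access (u=rw,g=rw) is kept as the role had it; if the
  # script only ever reads these files, u=r,g=r,o= would do -- confirm.
  ansible.builtin.template:
    dest: "/var/cyhy/scripts/cyhy-feeds/{{ item.filename }}"
    group: cyhy
    mode: u=rw,g=rw,o=
    owner: cyhy
    src: mongodb_credentials.yml.j2
  loop:
    # reporter
    - database: "{{ cyhy_feeds_reporter_db }}"
      filename: cyhy.yml
      username: "{{ cyhy_feeds_reporter_user }}"
      password: "{{ cyhy_feeds_reporter_pw }}"
    # scan-reader
    - database: "{{ cyhy_feeds_scan_reader_db }}"
      filename: scan_reader.yml
      username: "{{ cyhy_feeds_scan_reader_user }}"
      password: "{{ cyhy_feeds_scan_reader_pw }}"
    # assessment-reader
    - database: "{{ cyhy_feeds_assessment_read_db }}"
      filename: assessment_reader.yml
      username: "{{ cyhy_feeds_assessment_read_user }}"
      password: "{{ cyhy_feeds_assessment_read_pw }}"
  loop_control:
    # Keep the password out of the per-item line of the task summary.
    label: "{{ item.filename }}"
  # The label only covers the summary line: when an item fails, the default
  # callback dumps the full result, item (and therefore password) included.
  # no_log hides that output; the task still reports ok/changed/failed.
  no_log: true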
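#
# Import keys and trust
#
# Note we disable the no-changed-when check for ansible-lint because a
# provisioner rerun should update GPG key information.
#
# The --batch flag makes sure that gpg2 doesn't attempt to do anything
# interactive.
#
# The key material (one of the four keys is the private key) is handed to
# gpg2 on stdin rather than interpolated into a shell command line. With the
# earlier `echo {{ item | quote }} | gpg2 ...` form the whole command, key
# included, was the argument of `bash -c` and so sat in that process's argv,
# readable by any local user for as long as the import ran. gpg2 reads the
# key from stdin when no file is given, so no shell is needed at all;
# stdin_add_newline (default true) supplies the trailing newline that echo
# used to add.
- name: Import gpg keys
  ansible.builtin.command:
    cmd: gpg2 --trustdb-name /var/cyhy/.gnupg/trustdb.gpg --import --batch
    stdin: "{{ item }}"
  become: true
  become_user: cyhy
  # gpg2 reports on stderr; its "imported: 1" summary line marks a key that
  # was new to the keyring, as opposed to "unchanged".
  changed_when: "'imported: 1' in cyhy_feeds_import_gpg_key.stderr"
  loop:
    - "{{ cyhy_feeds_ncps_ae_public_gpg_key }}"
    - "{{ cyhy_feeds_nsd_public_gpg_key }}"
    - "{{ cyhy_feeds_private_gpg_key }}"
    - "{{ cyhy_feeds_public_gpg_key }}"
  loop_control:
    # Keep the key out of the per-item line of the task summary.
    label: "<key redacted>"
  # The label only covers the summary line: a failed item is dumped in full
  # (item included) by the default callback. no_log hides that output; the
  # registered result is unaffected, so changed_when keeps working.
  no_log: true
  register: cyhy_feeds_import_gpg_key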
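- name: Import gpg trust
  # The value stored in the Parameter Store has a newline so we trim the value
  # before handing it to gpg2: an extra newline caused the ownertrust import
  # to fail when the value was echoed through a shell. stdin_add_newline
  # (default true) then adds exactly one trailing newline, the same bytes the
  # echo pipeline produced.
  # The ownertrust data goes in on stdin rather than on the command line, so
  # there is nothing to shell-quote and no shell is needed; gpg2 reads
  # --import-ownertrust from stdin when no file is given.
  ansible.builtin.command:
    cmd: gpg2 --import-ownertrust --batch
    stdin: "{{ cyhy_feeds_gpg_trust | trim }}"
  become: true
  become_user: cyhy
  # gpg2 reports on stderr; "inserting ownertrust" only shows for new entries.
  changed_when: "'inserting ownertrust' in cyhy_feeds_import_gpg_ownertrust.stderr"
  register: cyhy_feeds_import_gpg_ownertrust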
#
# Create a cron job to run the extract script nightly at 0000 (UTC) as cyhy
# NOTE:
# We run at this time to reduce the odds of having documents, specifically
# tickets, get missed in successive daily extracts. The previous time of 08:15
# left an eight hour gap between the close of the query window for the script
# and the start of the extract process. Since we are continuously scanning this
# resulted in documents being updated and their modification time being updated
# to fall past the end of the query cutoff. Changes were made to the script in
# relation to this issue, and more information can be found in the pull request at
# https://github.com/cisagov/cyhy-feeds/pull/37
#
- name: Set up nightly cron job to sync NSD data for MOE extract
  # Installed only in a production workspace. The job is a folded scalar so
  # it reads as a pipeline; it is still one line in the crontab entry.
  ansible.builtin.cron:
    name: Nightly cyhy extract
    user: cyhy
    # Quoted so the schedule fields stay strings rather than integers.
    minute: '0'
    hour: '0'
    job: >-
      cd /var/cyhy/scripts/cyhy-feeds
      && export AWS_CONFIG_FILE=/var/cyhy/scripts/cyhy-feeds/aws_config;
      python3 /var/cyhy/scripts/cyhy-feeds/cyhy-data-extract.py
      --cyhy-config /var/cyhy/scripts/cyhy-feeds/cyhy.yml
      --scan-config /var/cyhy/scripts/cyhy-feeds/scan_reader.yml
      --assessment-config /var/cyhy/scripts/cyhy-feeds/assessment_reader.yml
      --aws --cleanup-aws
      --config /var/cyhy/scripts/cyhy-feeds/cyhy-data-extract.cfg
      2>&1 | /usr/bin/logger --tag cyhy-feeds
  when: production_workspace | bool