---
#
# orchestrator secrets
#
# Directory that holds the rendered MongoDB credential files and the AWS
# config written by the tasks in this file.
# NOTE(review): o=rx leaves the directory listable by every local account.
# The files placed in it are created with o= (no access for others), so only
# the file names are exposed - confirm whether "other" needs any access here.
- name: Create the secrets directory
  ansible.builtin.file:
    path: /var/cyhy/orchestrator/secrets
    state: directory
    owner: cyhy
    group: cyhy
    mode: "u=rwx,g=rx,o=rx"
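# Render one MongoDB credentials file per account (reporter, scan-reader,
# scan-writer) from mongodb_credentials.yml.j2 into the secrets directory.
# Each file is read-only for the cyhy owner and group, with no access for
# others.
- name: Create files with MongoDB credentials
  ansible.builtin.template:
    src: mongodb_credentials.yml.j2
    dest: "/var/cyhy/orchestrator/secrets/{{ item.filename }}"
    owner: cyhy
    group: cyhy
    mode: "u=r,g=r,o="
  loop:
    # reporter
    - database: "{{ orchestrator_reporter_db }}"
      filename: cyhy_read_creds.yml
      username: "{{ orchestrator_reporter_user }}"
      password: "{{ orchestrator_reporter_pw }}"
    # scan-reader
    - database: "{{ orchestrator_scan_reader_db }}"
      filename: scan_read_creds.yml
      username: "{{ orchestrator_scan_reader_user }}"
      password: "{{ orchestrator_scan_reader_pw }}"
    # scan-writer
    - database: "{{ orchestrator_scan_writer_db }}"
      filename: scan_write_creds.yml
      username: "{{ orchestrator_scan_writer_user }}"
      password: "{{ orchestrator_scan_writer_pw }}"
  loop_control:
    # The label only shortens the per-item console line; it is a readability
    # aid and does not keep the loop data out of task results.
    label: "{{ item.filename }}"
  # Every loop item carries a password. Verbose runs, callback plugins and
  # --diff can otherwise expose the full item or the rendered file, so the
  # task result is censored. Trade-off: failure details are censored too;
  # disable this temporarily when debugging in a non-production workspace.
  no_log: true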
# Render aws_config.j2 into the secrets directory, read-only for the cyhy
# owner and group and inaccessible to others.
# NOTE(review): the template is not visible here. If it renders key material
# rather than only profile settings, this task should also set no_log: true
# so the rendered content cannot appear in --diff output - confirm.
- name: Create the AWS config
  ansible.builtin.template:
    src: aws_config.j2
    dest: /var/cyhy/orchestrator/secrets/aws_config
    owner: cyhy
    group: cyhy
    mode: "u=r,g=r,o="
#
# Create a cron job for scanning
#
# Both cron entries are installed in the cyhy user's crontab, and only when
# production_workspace evaluates to true.
- name: Create the cron job
  when: production_workspace | bool
  block:
    # env: true writes an environment line (PATH=...) into the crontab
    # instead of a scheduled job, so the docker binary resolves at run time.
    - name: Add /usr/local/bin to cron's path
      ansible.builtin.cron:
        name: PATH
        user: cyhy
        env: true
        value: /usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin

    # This cron job runs at noon UTC on Friday, so it
    # should be done by noon UTC on Sunday.
    - name: Create a cron job for BOD 18-01 scanning
      ansible.builtin.cron:
        name: "BOD 18-01 scanning"
        user: cyhy
        weekday: "5"
        hour: "12"
        minute: "0"
        # TODO: Remove the docker compose down when possible. See
        # #668 for more details.
        #
        # The folded scalar below yields the same single-line command as
        # before. The pipe binds tighter than &&, so only the output of
        # `docker compose up` reaches logger; output and errors from `cd`
        # and `docker compose down` are left to cron's own handling and do
        # not appear under the orchestrator syslog tag.
        job: >-
          cd /var/cyhy/orchestrator &&
          docker compose down &&
          docker compose up --detach 2>&1 |
          /usr/bin/logger --tag orchestrator