ibm-mas · tomklapiscak · May 27, 2025 · Jun 3, 2025
@@ -71,10 +71,6 @@ def main():
         delete_wildcards = dict(
             type = 'bool'
         ),
-        edge_certificate_routes = dict(
-            type = 'list',
-            required = False
-        ),
         cis_proxy = dict(
             type = 'bool',
             required = False
@@ -98,7 +94,6 @@ def main():
     updateDNS = module.params['update_dns']
     delete_wildcards = module.params['delete_wildcards']
     cis_waf = module.params['cis_waf']
-    edgeCertRoutes = module.params['edge_certificate_routes']
     cisProxy = module.params['cis_proxy']
 
 

@@ -0,0 +1,167 @@
+# coding: utf-8 -*-
+# # (C) Copyright IBM Corp. 2025 All Rights Reserved.
+# Eclipse Public License 2.0 (see https://spdx.org/licenses/EPL-2.0.html)
+
+ANSIBLE_METADATA = {
+    'metadata_version': '1.0',
+    'status': ['preview'],
+    'supported_by': 'community'
+}
+
+DOCUMENTATION = r'''
+---
+module: cis_edge_cert_entries
+
+short_description: Manage MAS CIS Edge Cert entries
+
+version_added: "1.0.0"
+
+description: Manage MAS Edge Certs using IBM Cloud Internet Services.
+
+author:
+    - Andrew Whitfield (@whitfiea)
+'''
+
+import requests
+from requests.exceptions import HTTPError
+from ansible.module_utils.basic import AnsibleModule
+
+def main():
+
+    fields = dict(
+
+        edge_cert_entries = dict(
+            type = "list",
+            required = True,
+        ),
+        cis_crn = dict(
+            type = "str",
+            required = True,
+        ),
+        ibmcloud_apikey = dict(
+            type = "str",
+            required = True,
+            no_log = True,
+        ),
+        mas_instance_id = dict(
+            type = "str",
+            required = True,
+        ),
+        dns_zone = dict(
+            type = "str",
+        ),
+    )
+    module = AnsibleModule(
+        argument_spec=fields,
+        supports_check_mode = True,
+    )
+
+    if any(v == "" for v in [module.params['edge_cert_entries'], module.params['cis_crn'], module.params['ibmcloud_apikey'], module.params['mas_instance_id']]):
+        module.fail_json(msg = f"Required parameters: [edge_cert_entries, cis_crn, ibmcloud_apikey, mas_instance_id] cannot be empty")
+
+    crn = module.params['cis_crn']
+    ibmCloudApiKey = module.params['ibmcloud_apikey']
+    masInstanceId = module.params['mas_instance_id']
+    edgeCertEntries = module.params['edge_cert_entries']
+
+    # User may want to select an specific zone
+    dnsZone = module.params['dns_zone']
+
+    url = "https://iam.cloud.ibm.com/oidc/token"
+
+    payload='apikey=' + ibmCloudApiKey + '&response_type=cloud_iam&grant_type=urn%3Aibm%3Aparams%3Aoauth%3Agrant-type%3Aapikey'
+    headers = {
+        'Accept': 'application/json',
+        'Content-Type': 'application/x-www-form-urlencoded'
+    }
+
+    try:
+        response = requests.request("POST", url, headers=headers, data=payload)
+
+        # If the response was successful, no Exception will be raised
+
+        if response.status_code != 200:
+            module.fail_json(msg = f"Could not get IBM Cloud Token based on the provided API: {response.content}")
+
+        json_response = response.json()
+        access_token = json_response['access_token']
+
+        # Getting zones
+
+        url = f"https://api.cis.cloud.ibm.com/v1/{crn}/zones"
+
+        payload={}
+        headers = {
+            'Content-Type': 'application/json',
+            'Accept': 'application/json',
+            'X-Auth-User-Token': access_token
+        }
+
+        response = requests.request("GET", url, headers=headers, data=payload)
+        json_response = response.json()
+
+        if response.status_code != 200:
+            module.fail_json(msg = f"Could not get Zones using provided CRN: {response.content}")
+
+        zones = json_response['result']
+
+        # Looking for available zones
+
+        for zone in zones:
+            if(dnsZone and dnsZone == zone['id']):
+                currentZone = zone
+            elif(not dnsZone):
+                currentZone = zone
+
+        zoneName = currentZone['name']
+        zoneId = currentZone['id']
+
+        if len(zones) > 1 and not dnsZone:
+            module.fail_json(msg = f"More than one zone found please choose one and export DNS_ZONE_ID env var.")
+        elif len(zones) == 0:
+            module.fail_json(msg = f"No DNS zones found, aborting...")
+
+        url = f"https://api.cis.cloud.ibm.com/v1/{crn}/zones/{zoneId}/ssl/certificate_packs?per_page=500"
+
+        payload={}
+        headers = {
+            'Content-Type': 'application/json',
+            'Accept': 'application/json',
+            'X-Auth-User-Token': access_token
+        }
+
+        response = requests.request("GET", url, headers=headers, data=payload)
+        json_response = response.json()
+
+        if response.status_code != 200:
+            module.fail_json(msg = f"Could not get SSL Certificates using provided CRN and Zone: {response.content}")
+
+        results = json_response['result']
+
+        msg = ""
+        existingCertHosts = []
+        for certs in results:
+            if certs['type'] == "advanced":
+                for host in certs['hosts']:
+                    if masInstanceId in host:
+                        existingCertHosts.append(host)
+
+        exitingCertHostsFound = len(existingCertHosts)
+
+        entryMissing = False
+        for entryName in edgeCertEntries:
+            if not any(entryName == host for host in existingCertHosts):
+                entryMissing = True
+                msg = msg + f"{entryName} not in exisitng hosts. \n "
+
+        if not entryMissing:
+            msg = "All expected edge cert hosts present in existing edge certificates"
+
+    except requests.exceptions.RequestException as e:  # This is the correct syntax
+        module.fail_json(msg = f"Error {e} calling : {url}")
+
+    result = {"changed": False, "reorder": entryMissing, "msg": msg, "exitingCertHostsFound": exitingCertHostsFound}
+    module.exit_json(**result)
+
+if __name__ == '__main__':
+    main()
@@ -45,10 +45,18 @@
     docdb_instance_password: "{{ lookup('password', '/dev/null length=20 chars=ascii_lowercase,ascii_uppercase,digits') }}"
   when: docdb_instance_password is undefined or docdb_instance_password == ""
 
-- name: "Download Amazon DocumentDB public key"
+- name: "Download Amazon DocumentDB public CA certs"
   shell: |
     wget https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem -O /tmp/global-bundle.pem
 
+- name: "Download Amazon DocumentDB public govcloud CA certs"
+  shell: |
+    wget https://truststore.pki.us-gov-west-1.rds.amazonaws.com/global/global-bundle.pem -O /tmp/global-bundle-govcloud.pem
+
+- name: "Concatenate PRM files"
+  shell: |
+    cat /tmp/global-bundle.pem /tmp/global-bundle-govcloud.pem > /tmp/global-bundle-complete.pem
+
 - name: create js file from template
   template:
     src: create_user.js.j2
@@ -66,20 +74,20 @@
 
 - name: Create docdb user for MAS instance
   shell: |
-    mongosh --tls --host {{ docdb_hosts }} --tlsCAFile /tmp/global-bundle.pem --username {{ docdb_master_username }}  --password {{ docdb_master_password }} /tmp/create_user.js
+    mongosh --tls --host {{ docdb_hosts }} --tlsCAFile /tmp/global-bundle-complete.pem --username {{ docdb_master_username }}  --password {{ docdb_master_password }} /tmp/create_user.js
   register: creating_user_output
   when: user_action == 'add'
   failed_when: creating_user_output.rc not in [0] and ('User already exists' not in creating_user_output.stderr )
 
 - name: Change docdb user password for MAS instance
   shell: |
-    mongosh --tls --host {{ docdb_hosts }} --tlsCAFile /tmp/global-bundle.pem --username {{ docdb_master_username }}  --password {{ docdb_master_password }} /tmp/change_user_password.js
+    mongosh --tls --host {{ docdb_hosts }} --tlsCAFile /tmp/global-bundle-complete.pem --username {{ docdb_master_username }}  --password {{ docdb_master_password }} /tmp/change_user_password.js
   register: change_user_password_output
   when: user_action == 'add' and creating_user_output.rc not in [0] and ('User already exists' in creating_user_output.stderr )
 
 - name: Drop docdb user of MAS instance
   shell: |
-    mongosh --tls --host {{ docdb_hosts }} --tlsCAFile /tmp/global-bundle.pem --username {{ docdb_master_username }}  --password {{ docdb_master_password }} /tmp/drop_user.js
+    mongosh --tls --host {{ docdb_hosts }} --tlsCAFile /tmp/global-bundle-complete.pem --username {{ docdb_master_username }}  --password {{ docdb_master_password }} /tmp/drop_user.js
   register: drop_user_password_output
   when: user_action == 'remove'
 

@@ -29,12 +29,12 @@
     ocp_version: "{{ rotate_ocp_version[ansible_date_time['weekday']] ~ ('_openshift' if cluster_type == 'roks' else '') }}"
   vars:
     rotate_ocp_version:
-      Monday: 4.17
-      Tuesday: 4.15
-      Wednesday: 4.14
-      Thursday: 4.16
-      Friday: 4.15
-      Saturday: 4.17
+      Monday: 4.18
+      Tuesday: 4.17
+      Wednesday: 4.16
+      Thursday: 4.15
+      Friday: 4.14
+      Saturday: 4.18
       Sunday: 4.16
 
 - name: "Set default OCP version"

@@ -55,11 +55,7 @@
     force_basic_auth: yes
     validate_certs: false
   register: _cluster_exist
-  failed_when: _cluster_exist.status == 403
-
-- name: "fyre : Debug cluster lookup"
-  debug:
-    var: _cluster_exist
+  failed_when: _cluster_exist.status in [403, 401]  # Forbidden, Unauthorized
 
 
 # 4. Deploy the OCP+ cluster

@@ -52,7 +52,6 @@
     ibmcloud_apikey: "{{ cis_apikey }}"
     dns_entries: "{{ dns_entries['nowildcard'] }}"
     cis_waf: null
-    edge_certificate_routes: null
     cis_proxy: "{{ cis_proxy }}"
   register: dnsoutput
 

@@ -39,29 +39,47 @@
   ansible.builtin.shell: |
     oc exec -n {{ db2_namespace }} -ti {{ db2_pod_name }} -- sudo chmod 777 /tmp/prepare_db_files/create-tablespaces.sql /tmp/prepare_db_files/create-schema.sql /tmp/prepare_db_files/db2configdb.sh
   register: shell_status
+  until: shell_status.rc == 0
+  retries: 5
+  delay: 60 # seconds
 
 - name: Disable HA for maintanance
   ansible.builtin.shell: |
     oc exec -n {{ db2_namespace }} -ti {{ db2_pod_name }} -- sudo wvcli system disable -m "Disable HA before Db2 maintenance"
   register: shell_status
+  until: shell_status.rc == 0
+  retries: 5
+  delay: 60 # seconds
 
 - name: Executing db2configdb.sh
   ansible.builtin.shell: |
     oc exec -n {{ db2_namespace }} -ti {{ db2_pod_name }} -- su - db2inst1 -c "sh /tmp/prepare_db_files/db2configdb.sh "
   register: shell_status
+  until: shell_status.rc == 0
+  retries: 5
+  delay: 60 # seconds
 
 - name: Executing create-tablespaces.sql
   ansible.builtin.shell: |
     oc exec -n {{ db2_namespace }} -ti {{ db2_pod_name }} -- su - db2inst1 -c "db2 -tvf /tmp/prepare_db_files/create-tablespaces.sql "
   register: shell_status
+  until: shell_status.rc == 0
+  retries: 5
+  delay: 60 # seconds
 
 - name: Executing create-schema.sql
   when: db2_schema is defined
   ansible.builtin.shell: |
     oc exec -n {{ db2_namespace }} -ti {{ db2_pod_name }} -- su - db2inst1 -c "db2 -tvf /tmp/prepare_db_files/create-schema.sql "
   register: shell_status
+  until: shell_status.rc == 0
+  retries: 5
+  delay: 60 # seconds
 
 - name: Enable HA after maintenance
   ansible.builtin.shell: |
     oc exec -n {{ db2_namespace }} -ti {{ db2_pod_name }} -- sudo wvcli system enable -m "Enable HA after Db2 maintenance"
   register: shell_status
+  until: shell_status.rc == 0
+  retries: 5
+  delay: 60 # seconds
@@ -70,23 +70,11 @@
       - "Db2 database name ...................... {{ db2_dbname }}"
       - "Db2 Schema name ........................ {{ db2_schema }}"
 
-# 4. Determine if the schema has been created
-# -----------------------------------------------------------------------------
-- name: Checking if schema is already created
-  kubernetes.core.k8s_exec:
-    namespace: "{{ db2_namespace }}"
-    pod: "{{ db2_pod_name }}"
-    container: db2u
-    command: su - db2inst1 -c "db2 connect to {{ db2_dbname }} >/dev/null && db2 'select schemaname from syscat.schemata' | grep '{{ db2_schema }}' | tr -d ' ' " > /tmp/ts_numd.txt
-  register: db2_output
-  retries: 10
-  delay: 60
 
-# 5. Execute DB2 config enforcement
+# 4. Execute DB2 config enforcement
 # -----------------------------------------------------------------------------
-- include_tasks: tasks/apply-db2-dbconfig.yml
-  when: ( db2_output.stdout_lines | length ) == 0
+- name: apply Real Estate and Facilities configurations for db2
+  include_tasks: tasks/apply-db2-dbconfig.yml
 
 - name: run prepare DB scripts
   include_tasks: db2/preparedb.yml
-  when: ( db2_output.stdout_lines | length ) == 0
@@ -209,15 +209,26 @@ Location to output the edge-routes-{mas_instance_id}.txt
 - Environment Variable: `OUTPUT_DIR`
 - Default: `.` (which will set the directory file in ibm/mas_devops)
 
-### saas_mode
-If true:
- - saas_edge_certificate_routes.yml.j2 template will be used instead of edge_certificate_routes.yml.j2
-   This template omits routes that will not be present in SaaS envs to reduce the hostname count to under 50 so only a single edge route certificate is required
- - Ensures that the default edge certificates configured by CIS are excluded from checks, even when the CIS domain includes the MAS instance ID.
+### cis_entries_to_add
+Comma seperated list of entries to add for edge certificates. These are broken down into functional areas of MAS. The options are:
+
+  - `all` to include all entries (this is the default behaviour)
+  - `core` to include the MAS Core edge certificates
+  - `health` to include the MAS Health App edge certificates
+  - `iot` to include the MAS IoT app edge certificates
+  - `manage` to include the MAS Manage app edge certificates
+  - `monitor` to include the MAS Monitor app edge certificates
+  - `predict` to include the MAS Predict app edge certificates
+  - `visualinspection` to include the MAS VisualInspection app edge certificates
+  - `optimizer` to include the MAS Optimizer app edge certificates
+  - `assist` to include the MAS Assist app edge certificates
+  - `arcgis` to include the MAS Arcgis edge certificates
+  - `reportdb` to include the MAS ReportDB edge certificates
+  - `facilities` to include the MAS Facilities app edge certificates
 
 - Optional
-- Environment Variable: `SAAS_MODE`
-- Default: false
+- Environment Variable: `CIS_ENTRIES_TO_ADD`
+- Default: `all`
 
 Role Variables - AWS Route 53
 ------------------------------------------------------------

@@ -65,11 +65,7 @@ delete_wildcards: "{{ lookup('env', 'DELETE_WILDCARDS') | default('false', true)
 # Override and delete any existing edge certificates in cis instance
 override_edge_certs: "{{ lookup('env', 'OVERRIDE_EDGE_CERTS') | default('true', true) | bool }}"
 
-# If true:
-#  - saas_edge_certificate_routes.yml.j2 template will be used instead of edge_certificate_routes.yml.j2
-#    This template omits routes that will not be present in SaaS envs to reduce the hostname count to under 50 so only a single edge route certificate is required
-#  - Ensures that the default edge certificates configured by CIS are excluded from checks, even when the CIS domain includes the MAS instance ID.
-saas_mode: "{{ lookup('env', 'SAAS_MODE') | default('false', true) | bool }}"
+cis_entries_to_add: "{{ lookup('env', 'CIS_ENTRIES_TO_ADD') | default('all', true) }}"
 
 cis_apiservice:
   group_name: acme.cis.ibm.com