diff --git a/roles/aws/aws_iam_role/tasks/main.yml b/roles/aws/aws_iam_role/tasks/main.yml
index 27afb6e02..f74f6da29 100644
--- a/roles/aws/aws_iam_role/tasks/main.yml
+++ b/roles/aws/aws_iam_role/tasks/main.yml
@@ -21,16 +21,34 @@
 _combined_policies: "{{ aws_iam_role.managed_policies }}"
 when: inline_policies.action is not defined or inline_policies.action == 0
+- name: Check if policy document file exists.
+ ansible.builtin.stat:
+ path: "{{ playbook_dir }}/files/{{ aws_iam_role.policy_document + '_document_policy.json' }}"
+ register: policy_file_stat
+
+- name: Fail if the assume role policy document file does not exist.
+ ansible.builtin.fail:
+ msg: "The assume role policy document file '{{ aws_iam_role.policy_document + '_document_policy.json' }}' does not exist."
+ when: not policy_file_stat.stat.exists
+
+- name: Debug file content before setting the fact
+ ansible.builtin.debug:
+ msg: "{{ lookup('file', 'files/' + aws_iam_role.policy_document + '_document_policy.json') }}"
+
 - name: Create assume role policy document if predefined string is passed.
 ansible.builtin.set_fact:
 _assume_role_policy: "{{ lookup('file', aws_iam_role.policy_document + '_document_policy.json') }}"
- when: aws_iam_role.policy_document | type_debug == 'string'
+ when: aws_iam_role.policy_document | type_debug == 'string' and policy_file_stat.stat.exists
 - name: Create assume role policy document if template is provided.
 ansible.builtin.set_fact:
 _assume_role_policy: "{{ aws_iam_role.policy_document }}"
 when: aws_iam_role.policy_document | type_debug != 'string'
+- name: Debug assume role policy content
+ ansible.builtin.debug:
+ var: _assume_role_policy
+
 - name: Create an IAM role.
 amazon.aws.iam_role:
 profile: "{{ aws_iam_role.aws_profile }}"
diff --git a/roles/debian/varnish_config/tasks/main.yml b/roles/debian/varnish_config/tasks/main.yml
index ace30d274..3e9c69011 100644
--- a/roles/debian/varnish_config/tasks/main.yml
+++ b/roles/debian/varnish_config/tasks/main.yml
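Review bot: The three new tasks (`Check if policy document file exists.`, `Fail if the assume role policy document file does not exist.`, `Debug file content before setting the fact`) run unconditionally, so when `aws_iam_role.policy_document` is a template rather than a string (the `type_debug != 'string'` branch this hunk keeps) the expression `aws_iam_role.policy_document + '_document_policy.json'` is evaluated on a non-string and the play errors out before the template branch is reached. Add `when: aws_iam_role.policy_document | type_debug == 'string'` to each of the three tasks; once the fail task is gated that way, the `and policy_file_stat.stat.exists` appended to the set_fact condition is redundant, because a missing file has already aborted the play. The guard also checks a different location than the lookup it protects: `ansible.builtin.stat` resolves `{{ playbook_dir }}/files/...` on the managed host, while `lookup('file', ...)` runs on the controller and searches the role's and play's `files/` directories, so the two can disagree unless this role only ever runs with a local connection — use one path expression and, if remote hosts are targeted, add `delegate_to: localhost` to the stat task. Both `ansible.builtin.debug` tasks print the full trust policy into the job log on every run and read like leftover troubleshooting; drop them or at least add `verbosity: 1` so they only appear with `-v`.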
@@ -20,5 +20,4 @@
 notify:
 - reload systemd
 - restart varnish
- # TO DO: add varnish to unattended upgrades
diff --git a/roles/debian/wazuh/defaults/main.yml b/roles/debian/wazuh/defaults/main.yml
index c98a57e03..c1468b95e 100644
--- a/roles/debian/wazuh/defaults/main.yml
+++ b/roles/debian/wazuh/defaults/main.yml
@@ -102,6 +102,7 @@ wazuh:
 timeout: 3600
 authd:
 enabled: false
+ use_password: false
 wazuh_manager_globals:
 - '1.1.1.1'
 agent_groups: [] # maps to `groups` string in agent config above
diff --git a/roles/debian/wazuh/tasks/main.yml b/roles/debian/wazuh/tasks/main.yml
index 59a3711b7..52997ccc9 100644
--- a/roles/debian/wazuh/tasks/main.yml
+++ b/roles/debian/wazuh/tasks/main.yml
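Review bot: `use_password: false` is added under `wazuh.authd`, but nothing in this commit reads `wazuh.authd.use_password` — the new authd.pass tasks in roles/debian/wazuh/tasks/main.yml are conditioned only on which wazuh unit is installed, so the default is a no-op unless it is consumed somewhere outside the diff. If the flag is meant to control whether the password file is managed, gate those tasks with `when: wazuh.authd.use_password | bool` and describe the key where it is declared, e.g. `use_password: false  # when true, write /var/ossec/etc/authd.pass for authd enrolment`. A default that is never read is easy to flip in inventory with a false sense of having changed something.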
@@ -132,3 +132,44 @@
 name: filebeat
 state: restarted
 when: filebeat_exists
+
+- name: Check if wazuh-manager service exists
+ ansible.builtin.command: systemctl list-unit-files --type=service --no-pager
+ register: wazuh_service
+ ignore_errors: true
+ changed_when: false
+
+- name: Generate random password
+ ansible.builtin.set_fact:
+ authd_password: "{{ lookup('password', '/dev/null length=32') }}"
+ when: "'wazuh-manager.service' in wazuh_service.stdout"
+
+- name: Check if wazuh-manager service exists
+ ansible.builtin.command: systemctl list-unit-files --type=service --no-pager
+ register: wazuh_service
+ ignore_errors: true
+ changed_when: false
+
+- name: Write the password to /var/ossec/etc/authd.pass
+ ansible.builtin.copy:
+ dest: /var/ossec/etc/authd.pass
+ content: "{{ _wazuh_authd }}"
+ mode: '0640'
+ owner: root
+ group: wazuh
+ when: "'wazuh-manager.service' in wazuh_service.stdout or 'wazuh-agent.service' in wazuh_service.stdout"
+
+- name: Write the password to /var/ossec/etc/authd.pass
+ ansible.builtin.copy:
+ dest: /var/ossec/etc/authd.pass
+ content: "{{ authd_password }}"
+ mode: '0640'
+ owner: root
+ group: wazuh
+ when: "'wazuh-manager.service' in wazuh_service.stdout"
+
+- name: Restart wazuh-manager to apply changes
+ ansible.builtin.systemd:
+ name: wazuh-manager
+ state: restarted
+ when: "'wazuh-manager.service' in wazuh_service.stdout"
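Review bot: On a host where wazuh-manager.service exists both `Write the password to /var/ossec/etc/authd.pass` tasks match, so the file is first written with `_wazuh_authd` and then overwritten with `authd_password`, and because `lookup('password', '/dev/null length=32')` yields a fresh value on every run the manager ends up with a different enrolment password and an unconditional restart on each play, while agents only ever receive `_wazuh_authd` and are never handed the random value. If a per-manager random secret is intended it has to be persisted and distributed (e.g. `lookup('password', '<path> length=32')` on the controller, or a registered fact the agent tasks consume); otherwise drop the `Generate random password` task and the second copy and let `_wazuh_authd` (defined outside this hunk, presumably from the role's vars) be the single source. The secret also leaks into verbose output as it stands: add `no_log: true` to the set_fact and to both copy tasks. The second `Check if wazuh-manager service exists` task is a verbatim duplicate of the first and can be removed, and none of the new tasks honour the `wazuh.authd.use_password` default introduced in the same commit — gate them with `when: wazuh.authd.use_password | bool` if that is its purpose.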