Dba 791 backups (#473)

* Simply variable reference

* Refactor to use template script

* Template shell script

* Use shell script for checking catalog connection

* Extra condition to copy script

* Commit changes made by code formatters

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Author: ranbeersingh1

playbooks/oracle_backup/backup.yml

@@ -162,8 +162,8 @@
           async: "{{ allowable_duration|default(28800) }}"
           poll: 0
           environment:
-            ASSUME_ROLE_NAME: "{{ secretsmanager_passwords['catalog'].assume_role_name | default() }}"
-            SECRET_ACCOUNT_ID: "{{ account_ids[secretsmanager_passwords['catalog'].account_name] | default() }}"
+            ASSUME_ROLE_NAME: "{{ assume_role_name | default() }}"
+            SECRET_ACCOUNT_ID: "{{ account_ids[account_name] | default() }}"
             SECRET: "{{ secretsmanager_passwords['catalog'].secret | default() }}"
           register: backup_cmd_output
 

playbooks/oracle_backup/check_defunct_backups.yml

@@ -37,8 +37,8 @@
 
 - name: Set Environment Variables Required For Shell And Script Modules
   set_fact:
-    assume_role_name: "{{ secretsmanager_passwords['catalog'].assume_role_name }}"
-    secret_account_id: "{{ account_ids[secretsmanager_passwords['catalog'].account_name] }}"
+    assume_role_name: "{{ assume_role_name }}"
+    secret_account_id: "{{ account_ids[account_name] }}"
     secret: "{{ secretsmanager_passwords['catalog'].secret }}"
 
 # As we do not have a tnsnames.ora file on the standby we pick up the tnsnames definition for the catalog from the primary

playbooks/oracle_backup/get_facts.yml

@@ -1,15 +1,13 @@
 - name: Set Secrets Dictionary
   set_fact:
+    account_name: "hmpps-oem-{{ aws_environment }}"
+    assume_role_name: "EC2OracleEnterpriseManagementSecretsRole"
     secretsmanager_passwords:
       emrep:
-        account_name: "hmpps-oem-{{ aws_environment }}"
-        assume_role_name: "EC2OracleEnterpriseManagementSecretsRole"
         secret: "/oracle/database/EMREP/shared-passwords"
         users:
           - sysman:
       catalog:
-        account_name: "hmpps-oem-{{ aws_environment }}"
-        assume_role_name: "EC2OracleEnterpriseManagementSecretsRole"
         secret: "/oracle/database/{{ catalog }}/shared-passwords"
         users:
           - rcvcatowner:
@@ -18,50 +16,58 @@
   set_fact:
     account_ids: "{{ lookup('aws_ssm', 'account_ids', region='eu-west-2') }}"
 
-- name: Get OEM secrets
-  import_role:
-    name: secretsmanager-passwords
-  vars:
-    secretsmanager_passwords: "{{ secretsmanager_passwords }}"
+- name: Copy Get Facts Script On Conditions
+  when: (tnsnames_entry_exists is defined and not tnsnames_entry_exists) or (get_slack_channel is defined) or (copy_script | default(false) | bool)
+  block:
+    - name: Copy Get Facts Script
+      template:
+        src: get_facts_script.sh.j2
+        dest: /u02/stage/get_facts_script.sh
+        mode: "0700"
 
-- name: Set password facts
-  set_fact:
-    sysman_password: "{{ secretsmanager_passwords_dict['emrep'].passwords['sysman'] }}"
-    rcvcatowner_password: "{{ secretsmanager_passwords_dict['catalog'].passwords['rcvcatowner'] }}"
-    getslacktoken: "{{ secretsmanager_passwords_dict['emrep'].passwords['slack_token'] }}"
+    - name: Catalog Host Name
+      when:
+        - tnsnames_entry_exists is defined
+        - not tnsnames_entry_exists
+      block:
+        - name: Set Emcli Catalog Host Name Command
+          set_fact:
+            emcli_commands: |
+              {{ emcli }} get_targets -noheader -targets="%:oracle_oms" | awk '{print $NF}' | cut -d: -f1
 
-- name: Catalog Host Name
-  when:
-    - tnsnames_entry_exists is defined
-    - not tnsnames_entry_exists
-  block:
-    - name: Get Catalog Host Name
-      shell: |
-        . ~/.bash_profile
-        export PATH=$PATH:/u01/app/oracle/product/oem-agent/agent_{{ OEM_AGENT_VERSION }}/oracle_common/jdk/jre/bin
-        {{ emcli }} sync 1>/dev/null 2>&1 || ( {{ emcli }} login -username=sysman -password=${SYSMAN_PASSWORD} -force && {{ emcli }} sync ) 1>/dev/null 2>&1
-        {{ emcli }} get_targets -noheader -targets="%:oracle_oms" | awk '{print $NF}' | cut -d: -f1
-      environment:
-        SYSMAN_PASSWORD: "{{ sysman_password }}"
-      register: getcataloghostname
+        - name: Get Catalog Host Name
+          ansible.builtin.command: >
+            /u02/stage/get_facts_script.sh
+          environment:
+            ACCOUNT_NAME: "{{ account_name }}"
+            ASSUME_ROLE_NAME: "{{ assume_role_name }}"
+            EMCLI_COMMANDS: "{{ emcli_commands }}"
+          register: getcataloghostname
+          changed_when: false
 
-    - name: Set Catalog Host Name
-      set_fact:
-        catalog_hostname: "{{ getcataloghostname.stdout }}"
+        - name: Set Catalog Host Name
+          set_fact:
+            catalog_hostname: "{{ getcataloghostname.stdout }}"
 
-- name: Slack Channel
-  when: get_slack_channel is defined
-  block:
-    - name: Get Slack Channel
-      shell: |
-        . ~/.bash_profile
-        export PATH=$PATH:/u01/app/oracle/product/oem-agent/agent_{{ OEM_AGENT_VERSION }}/oracle_common/jdk/jre/bin
-        {{ emcli }} sync 1>/dev/null 2>&1 || ( {{ emcli }} login -username=sysman -password=${SYSMAN_PASSWORD} -force && {{ emcli }} sync ) 1>/dev/null 2>&1
-        {{ emcli }} list -resource=TargetProperties -search="TARGET_NAME='{{ database_sid }}'"  -search="PROPERTY_NAME='orcl_gtp_contact'" -columns="PROPERTY_VALUE" -colsize="PROPERTY_VALUE:30" -noheader -format="name:script"
-      environment:
-        SYSMAN_PASSWORD: "{{ sysman_password }}"
-      register: getslackchannel
+    - name: Slack Channel
+      when: get_slack_channel is defined
+      block:
+        - name: Set Emcli Slack Channel Command
+          set_fact:
+            emcli_commands: |
+              {{ emcli }} list -resource=TargetProperties -search="TARGET_NAME='{{ database_sid }}'"  -search="PROPERTY_NAME='orcl_gtp_contact'" -columns="PROPERTY_VALUE" -colsize="PROPERTY_VALUE:30" -noheader -format="name:script"
+
+        - name: Get Slack Channel
+          ansible.builtin.command: >
+            /u02/stage/get_facts_script.sh
+          environment:
+            ACCOUNT_NAME: "{{ account_name }}"
+            ASSUME_ROLE_NAME: "{{ assume_role_name }}"
+            CATALOG_SECRET: "{{ secretsmanager_passwords['catalog'].secret }}"
+            EMCLI_COMMANDS: "{{ emcli_commands }}"
+          register: getslackchannel
+          changed_when: false
 
-    - name: Setup Slack Configuration
-      set_fact:
-        slack_channel: "{{ getslackchannel.stdout }}"
+        - name: Setup Slack Configuration
+          set_fact:
+            slack_channel: "{{ getslackchannel.stdout }}"

playbooks/oracle_backup/setup-catalog-tnsnames.yml

@@ -26,6 +26,8 @@
 
 - name: Get Passwords
   include_tasks: get_facts.yml
+  vars:
+    copy_script: true
 
 - name: Add catalog connect identifier to {{ oracle_home.stdout }}/network/admin/tnsnames.ora
   blockinfile:
@@ -51,16 +53,15 @@
   when: not tnsnames_entry_exists
 
 - name: Attempt to connect to the catalog as rman
-  shell:
-    cmd: |
-      . ~/.bash_profile
-      sqlplus -s /nolog<< EOF
-      whenever sqlerror exit failure
-      connect rcvcatowner/{{ rcvcatowner_password }}@{{ catalog }}
-      EOF
-  changed_when: false
+  ansible.builtin.command: >
+    /u02/stage/get_facts_script.sh
+  environment:
+    STEP: CONNECT_CATALOG
+    ACCOUNT_NAME: "{{ account_name }}"
+    ASSUME_ROLE_NAME: "{{ assume_role_name }}"
+    CATALOG_SECRET: "{{ secretsmanager_passwords['catalog'].secret }}"
   register: rman_connect
-  no_log: true
+  changed_when: false
 
 - name: Display connection result
   debug:

playbooks/oracle_backup/templates/get_facts_script.sh.j2

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+. ~/.bash_profile
+
+OEM_ACCOUNT_ID=$(aws ssm get-parameters --with-decryption --name account_ids |  jq --arg ACCOUNT_NAME ${ACCOUNT_NAME} -r 'with_entries(if (.key|test($ACCOUNT_NAME)) then ( {key: .key, value: .value}) else empty end)' | jq -r 'to_entries|.[0].value')
+OEM_SECRET_ARN="arn:aws:secretsmanager:eu-west-2:${OEM_ACCOUNT_ID}:secret:${OEM_SECRET}"
+ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+OEM_ROLE_ARN="arn:aws:iam::${ACCOUNT_ID}:role/${ASSUME_ROLE_NAME}"
+CREDS=$(aws sts assume-role --role-arn "${OEM_ROLE_ARN}" --role-session-name "from-ansible"  --output text --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]")
+export AWS_ACCESS_KEY_ID=$(echo "${CREDS}" | tail -1 | cut -f1)
+export AWS_SECRET_ACCESS_KEY=$(echo "${CREDS}" | tail -1 | cut -f2)
+export AWS_SESSION_TOKEN=$(echo "${CREDS}" | tail -1 | cut -f3)
+
+SYSMAN_PASSWORD=$(aws secretsmanager get-secret-value --secret-id "${OEM_SECRET_ARN}" --query SecretString --output text | jq -r .sysman)
+export PATH=$PATH:/u01/app/oracle/product/oem-agent/agent_{{ OEM_AGENT_VERSION }}/oracle_common/jdk/jre/bin
+{{ emcli }} sync 1>/dev/null 2>&1 || ( {{ emcli }} login -username=sysman -password=${SYSMAN_PASSWORD} -force && {{ emcli }} sync ) 1>/dev/null 2>&1
+
+[[ ! -z "${EMCLI_COMMANDS}" ]] && eval ${EMCLI_COMMANDS}
+if [[ "${STEP}" == "CONNECT_CATALOG" ]]
+then
+  RCVCATOWNER_PASSWORD=$(aws secretsmanager get-secret-value --secret-id "arn:aws:secretsmanager:eu-west-2:${OEM_ACCOUNT_ID}:secret:${CATALOG_SECRET}" --query SecretString --output text | jq -r .rcvcatowner) 
+  sqlplus -s /nolog << EOF
+  whenever sqlerror exit failure
+  connect rcvcatowner/${RCVCATOWNER_PASSWORD}@{{ catalog }}
+EOF
+fi

playbooks/oracle_backup/validate_backup.yml

@@ -20,8 +20,8 @@
 
     - name: Set Environment Variables Required For Shell And Script Modules
       set_fact:
-        assume_role_name: "{{ secretsmanager_passwords['catalog'].assume_role_name }}"
-        secret_account_id: "{{ account_ids[secretsmanager_passwords['catalog'].account_name] }}"
+        assume_role_name: "{{ assume_role_name }}"
+        secret_account_id: "{{ account_ids[account_name] }}"
         secret: "{{ secretsmanager_passwords['catalog'].secret }}"
 
     # As we do not have a tnsnames.ora file on the standby we pick up the tnsnames definition for the catalog from the primary

playbooks/oracle_backup/validate_chunks.yml

@@ -48,8 +48,8 @@
 
 - name: Set Environment Variables Required For Shell And Script Modules
   set_fact:
-    assume_role_name: "{{ secretsmanager_passwords['catalog'].assume_role_name }}"
-    secret_account_id: "{{ account_ids[secretsmanager_passwords['catalog'].account_name] }}"
+    assume_role_name: "{{ assume_role_name }}"
+    secret_account_id: "{{ account_ids[account_name] }}"
     secret: "{{ secretsmanager_passwords['catalog'].secret }}"
 
 - name: Get DBID