Merge pull request #180 from ministryofjustice/DBA-640

Use RMAN Catalog

Author: ranbeersingh1

playbooks/oracle_backup/backup.yml

@@ -143,6 +143,10 @@
           shell: "{{ rman_command }}"
           async: "{{ allowable_duration|default(28800) }}"
           poll: 60
+          environment:
+            ASSUME_ROLE_NAME: "{{ secretsmanager_passwords['catalog'].assume_role_name }}"
+            SECRET_ACCOUNT_ID: "{{ account_ids[secretsmanager_passwords['catalog'].account_name] }}"
+            SECRET: "{{ secretsmanager_passwords['catalog'].secret }}"
           register: backup_cmd_output
 
       rescue:

playbooks/oracle_backup/get_facts.yml

@@ -0,0 +1,47 @@
+- name: Set Secrets Dictionary
+  set_fact:
+    secretsmanager_passwords:
+      emrep:
+        account_name: "hmpps-oem-{{ aws_environment }}"
+        assume_role_name: "EC2OracleEnterpriseManagementSecretsRole"
+        secret: "/oracle/database/EMREP/shared-passwords"
+        users:
+          - sysman:
+      catalog:
+        account_name: "hmpps-oem-{{ aws_environment }}"
+        assume_role_name: "EC2OracleEnterpriseManagementSecretsRole"
+        secret: "/oracle/database/{{ catalog }}/shared-passwords"
+        users:
+          - rcvcatowner:
+
+- name: Get Account Ids
+  set_fact:
+    account_ids: "{{ lookup('aws_ssm', 'account_ids', region='eu-west-2') }}"
+
+- name: Get OEM secrets
+  import_role:
+    name: secretsmanager-passwords
+  vars:
+    secretsmanager_passwords: "{{ secretsmanager_passwords }}"
+
+- name: Set password facts
+  set_fact:
+    sysman_password: "{{ secretsmanager_passwords_dict['emrep'].passwords['sysman'] }}"
+    rcvcatowner_password: "{{ secretsmanager_passwords_dict['catalog'].passwords['rcvcatowner'] }}"
+
+- name: Catalog Host Name
+  when: not tnsnames_entry_exists
+  block:
+    - name: Get Catalog Host Name
+      shell: |
+        . ~/.bash_profile
+        export PATH=$PATH:/u01/app/oracle/product/oem-agent/agent_{{ OEM_AGENT_VERSION }}/oracle_common/jdk/jre/bin
+        {{ emcli }} sync 1>/dev/null 2>&1 || ( {{ emcli }} login -username=sysman -password=${SYSMAN_PASSWORD} -force && {{ emcli }} sync ) 1>/dev/null 2>&1
+        {{ emcli }} get_targets -noheader -targets="%:oracle_oms" | awk '{print $NF}' | cut -d: -f1
+      environment:
+        SYSMAN_PASSWORD: "{{ sysman_password }}"
+      register: getcataloghostname
+
+    - name: Set Catalog Host Name
+      set_fact:
+        catalog_hostname: "{{ getcataloghostname.stdout }}"

playbooks/oracle_backup/rman_backup.sh

@@ -99,6 +99,18 @@ set_ora_env () {
   export NLS_DATE_FORMAT=YYMMDDHH24MI
 }
 
+get_rman_password () {
+  ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+  ROLE_ARN="arn:aws:iam::${ACCOUNT_ID}:role/${ASSUME_ROLE_NAME}"
+  SESSION="catalog-ansible"
+  CREDS=$(aws sts assume-role --role-arn "${ROLE_ARN}" --role-session-name "${SESSION}"  --output text --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]")
+  export AWS_ACCESS_KEY_ID=$(echo "${CREDS}" | tail -1 | cut -f1)
+  export AWS_SECRET_ACCESS_KEY=$(echo "${CREDS}" | tail -1 | cut -f2)
+  export AWS_SESSION_TOKEN=$(echo "${CREDS}" | tail -1 | cut -f3)
+  SECRET_ARN="arn:aws:secretsmanager:eu-west-2:${SECRET_ACCOUNT_ID}:secret:${SECRET}"
+  RMANPASS=$(aws secretsmanager get-secret-value --secret-id "${SECRET_ARN}" --query SecretString --output text | jq -r .rcvcatowner)
+}
+
 validate () {
   ACTION=$1
   case "$ACTION" in
@@ -199,13 +211,9 @@ validate () {
                        then
                          error "Catalog mode is $CATALOGMODE, specify catalog db"
                        else
-                          INSTANCEID=$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id)
-                          ENVIRONMENT_NAME=$(aws ec2 describe-tags --filters "Name=resource-id,Values=${INSTANCEID}" "Name=key,Values=environment-name"  --query "Tags[].Value" --output text)
-                          DELIUS_ENVIRONMENT=$(aws ec2 describe-tags --filters "Name=resource-id,Values=${INSTANCEID}" "Name=key,Values=delius-environment"  --query "Tags[].Value" --output text)
-                          APPLICATION=$(aws ec2 describe-tags --filters "Name=resource-id,Values=${INSTANCEID}" "Name=key,Values=application"  --query "Tags[].Value" --output text | sed 's/-core//')
-                          RMANPASS=$(aws secretsmanager get-secret-value --secret-id ${ENVIRONMENT_NAME}-${DELIUS_ENVIRONMENT}-${APPLICATION}-dba-passwords --region eu-west-2 --query SecretString --output text| jq -r .rman)
-                         [ -z ${RMANPASS} ] && error "Password for rman in aws secret ${ENVIRONMENT_NAME}-${DELIUS_ENVIRONMENT}-${APPLICATION}-dba-passwords does not exist"
-                         CATALOG_CONNECT=rman19c/${RMANPASS}@$CATALOG_DB
+                         get_rman_password
+                         [ -z ${RMANPASS} ] && error "Password for RMAN catalog user ${RMANPASS} does not exist"
+                         CATALOG_CONNECT=rcvcatowner/${RMANPASS}@$CATALOG_DB
                        fi
                      fi
                      ;;

playbooks/oracle_backup/setup-catalog-tnsnames.yml

@@ -24,6 +24,9 @@
   debug:
     msg: "{{ catalog }} exists in tnsnames: {{ tnsnames_entry_exists }}"
 
+- name: Get Passwords
+  include_tasks: get_facts.yml
+
 - name: Add catalog connect identifier to {{ oracle_home.stdout }}/network/admin/tnsnames.ora
   blockinfile:
     backup:
@@ -38,43 +41,28 @@
           (CONNECT_TIMEOUT=10)
           (RETRY_COUNT=3)
           (ADDRESS_LIST=
-            (ADDRESS = (PROTOCOL = TCP)(HOST={{ hostvars[groups['rman_primarydb'][0]]['inventory_hostname'] }})(PORT = 1521))
+            (ADDRESS = (PROTOCOL = TCP)(HOST={{ catalog_hostname }})(PORT = 1521))
           )
-          (CONNECT_DATA=(SERVICE_NAME={{ catalog }}_TAF))
+          (CONNECT_DATA=(SERVICE_NAME=RCV_TAF))
         )
 
     owner: "oracle"
     marker: "# {mark} {{ marker_name }}"
   when: not tnsnames_entry_exists
 
-- name: Check we can connect to the catalog
-  block:
-    - name: Get catalog rman password
-      shell: |
-        export PATH=$PATH:/usr/local/bin
-        INSTANCEID=$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id)
-        ENVIRONMENT_NAME=$(aws ec2 describe-tags --filters "Name=resource-id,Values=${INSTANCEID}" "Name=key,Values=environment-name"  --query "Tags[].Value" --output text)
-        DELIUS_ENVIRONMENT=$(aws ec2 describe-tags --filters "Name=resource-id,Values=${INSTANCEID}" "Name=key,Values=delius-environment"  --query "Tags[].Value" --output text)
-        APPLICATION=$(aws ec2 describe-tags --filters "Name=resource-id,Values=${INSTANCEID}" "Name=key,Values=application"  --query "Tags[].Value" --output text | sed 's/-core//')
-        aws secretsmanager get-secret-value --secret-id ${ENVIRONMENT_NAME}-${DELIUS_ENVIRONMENT}-${APPLICATION}-dba-passwords --region {{ region }} --query SecretString --output text| jq -r .rman
-      changed_when: false
-      register: rman_password
-      no_log: true
-
-    - name: Attempt to connect to the catalog as rman
-      shell:
-        cmd: |
-          . ~/.bash_profile
-          sqlplus -s /nolog<< EOF
-          whenever sqlerror exit failure
-          connect rman19c/{{ rman_password.stdout }}@{{ catalog }} 
-          EOF
-      become_user: oracle
-      changed_when: false
-      register: rman_connect
-      no_log: true
+- name: Attempt to connect to the catalog as rman
+  shell:
+    cmd: |
+      . ~/.bash_profile
+      sqlplus -s /nolog<< EOF
+      whenever sqlerror exit failure
+      connect rcvcatowner/{{ rcvcatowner_password }}@{{ catalog }}
+      EOF
+  changed_when: false
+  register: rman_connect
+  no_log: true
 
-    - name: Display connection result
-      debug:
-        msg: "Catalog connection good"
-      when: rman_connect.rc == 0
+- name: Display connection result
+  debug:
+    msg: "Catalog connection good"
+  when: rman_connect.rc == 0