
Commit ffcf7c4

Merge pull request #180 from ministryofjustice/DBA-640
Use RMAN Catalog
2 parents 130d5ce + 370bb1e commit ffcf7c4


4 files changed

+86
-39
lines changed


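--- a/playbooks/oracle_backup/backup.yml
+++ b/playbooks/oracle_backup/backup.yml
@@ -143,6 +143,10 @@
 shell: "{{ rman_command }}"
 async: "{{ allowable_duration|default(28800) }}"
 poll: 60
+environment:
+ASSUME_ROLE_NAME: "{{ secretsmanager_passwords['catalog'].assume_role_name }}"
+SECRET_ACCOUNT_ID: "{{ account_ids[secretsmanager_passwords['catalog'].account_name] }}"
+SECRET: "{{ secretsmanager_passwords['catalog'].secret }}"
 register: backup_cmd_output
 
 rescue: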
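Review bot: The three `environment:` values added at new lines 146-149 reference `secretsmanager_passwords` and `account_ids`, which elsewhere in this commit are only set by `get_facts.yml`; nothing in this hunk shows backup.yml including that file, so the dependency is implicit and the task will fail on an undefined variable whenever the facts have not been gathered first. A comment above `environment:` such as `# requires secretsmanager_passwords and account_ids from get_facts.yml` would make that visible, or the include could be added to this playbook. These values are also rendered unconditionally, so presumably a run that does not use a catalog still needs the `catalog` entry to exist — worth confirming. The enclosing task starts before the hunk and its `rescue:` section continues past it.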

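--- a/playbooks/oracle_backup/get_facts.yml
+++ b/playbooks/oracle_backup/get_facts.yml
@@ -0,0 +1,47 @@
+- name: Set Secrets Dictionary
+set_fact:
+secretsmanager_passwords:
+emrep:
+account_name: "hmpps-oem-{{ aws_environment }}"
+assume_role_name: "EC2OracleEnterpriseManagementSecretsRole"
+secret: "/oracle/database/EMREP/shared-passwords"
+users:
+- sysman:
+catalog:
+account_name: "hmpps-oem-{{ aws_environment }}"
+assume_role_name: "EC2OracleEnterpriseManagementSecretsRole"
+secret: "/oracle/database/{{ catalog }}/shared-passwords"
+users:
+- rcvcatowner:
+
+- name: Get Account Ids
+set_fact:
+account_ids: "{{ lookup('aws_ssm', 'account_ids', region='eu-west-2') }}"
+
+- name: Get OEM secrets
+import_role:
+name: secretsmanager-passwords
+vars:
+secretsmanager_passwords: "{{ secretsmanager_passwords }}"
+
+- name: Set password facts
+set_fact:
+sysman_password: "{{ secretsmanager_passwords_dict['emrep'].passwords['sysman'] }}"
+rcvcatowner_password: "{{ secretsmanager_passwords_dict['catalog'].passwords['rcvcatowner'] }}"
+
+- name: Catalog Host Name
+when: not tnsnames_entry_exists
+block:
+- name: Get Catalog Host Name
+shell: |
+. ~/.bash_profile
+export PATH=$PATH:/u01/app/oracle/product/oem-agent/agent_{{ OEM_AGENT_VERSION }}/oracle_common/jdk/jre/bin
+{{ emcli }} sync 1>/dev/null 2>&1 || ( {{ emcli }} login -username=sysman -password=${SYSMAN_PASSWORD} -force && {{ emcli }} sync ) 1>/dev/null 2>&1
+{{ emcli }} get_targets -noheader -targets="%:oracle_oms" | awk '{print $NF}' | cut -d: -f1
+environment:
+SYSMAN_PASSWORD: "{{ sysman_password }}"
+register: getcataloghostname
+
+- name: Set Catalog Host Name
+set_fact:
+catalog_hostname: "{{ getcataloghostname.stdout }}"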
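Review bot: The `Set password facts` task at new lines 27-30 stores `sysman_password` and `rcvcatowner_password` with `set_fact` but has no `no_log: true`, so the fact values appear in the task result whenever the play runs with `-v`; add `no_log: true` to that task. The `Get Catalog Host Name` shell task at lines 35-43 only queries OEM yet lacks `changed_when: false`, and if `get_targets` returns more than one OMS target `catalog_hostname` will hold a multi-line string — using `getcataloghostname.stdout_lines[0]` or asserting a single line would make the expectation explicit. Passing the password through `SYSMAN_PASSWORD` in `environment:` rather than into the command text is the right shape; whether the `secretsmanager-passwords` role marks its own output as no_log cannot be seen from here.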

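--- a/playbooks/oracle_backup/rman_backup.sh
+++ b/playbooks/oracle_backup/rman_backup.sh
@@ -99,6 +99,18 @@ set_ora_env () {
 export NLS_DATE_FORMAT=YYMMDDHH24MI
 }
 
+get_rman_password () {
+ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+ROLE_ARN="arn:aws:iam::${ACCOUNT_ID}:role/${ASSUME_ROLE_NAME}"
+SESSION="catalog-ansible"
+CREDS=$(aws sts assume-role --role-arn "${ROLE_ARN}" --role-session-name "${SESSION}" --output text --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]")
+export AWS_ACCESS_KEY_ID=$(echo "${CREDS}" | tail -1 | cut -f1)
+export AWS_SECRET_ACCESS_KEY=$(echo "${CREDS}" | tail -1 | cut -f2)
+export AWS_SESSION_TOKEN=$(echo "${CREDS}" | tail -1 | cut -f3)
+SECRET_ARN="arn:aws:secretsmanager:eu-west-2:${SECRET_ACCOUNT_ID}:secret:${SECRET}"
+RMANPASS=$(aws secretsmanager get-secret-value --secret-id "${SECRET_ARN}" --query SecretString --output text | jq -r .rcvcatowner)
+}
+
 validate () {
 ACTION=$1
 case "$ACTION" in
@@ -199,13 +211,9 @@ validate () {
 then
 error "Catalog mode is $CATALOGMODE, specify catalog db"
 else
-INSTANCEID=$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id)
-ENVIRONMENT_NAME=$(aws ec2 describe-tags --filters "Name=resource-id,Values=${INSTANCEID}" "Name=key,Values=environment-name" --query "Tags[].Value" --output text)
-DELIUS_ENVIRONMENT=$(aws ec2 describe-tags --filters "Name=resource-id,Values=${INSTANCEID}" "Name=key,Values=delius-environment" --query "Tags[].Value" --output text)
-APPLICATION=$(aws ec2 describe-tags --filters "Name=resource-id,Values=${INSTANCEID}" "Name=key,Values=application" --query "Tags[].Value" --output text | sed 's/-core//')
-RMANPASS=$(aws secretsmanager get-secret-value --secret-id ${ENVIRONMENT_NAME}-${DELIUS_ENVIRONMENT}-${APPLICATION}-dba-passwords --region eu-west-2 --query SecretString --output text| jq -r .rman)
-[ -z ${RMANPASS} ] && error "Password for rman in aws secret ${ENVIRONMENT_NAME}-${DELIUS_ENVIRONMENT}-${APPLICATION}-dba-passwords does not exist"
-CATALOG_CONNECT=rman19c/${RMANPASS}@$CATALOG_DB
+get_rman_password
+[ -z ${RMANPASS} ] && error "Password for RMAN catalog user ${RMANPASS} does not exist"
+CATALOG_CONNECT=rcvcatowner/${RMANPASS}@$CATALOG_DB
 fi
 fi
 ;;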
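Review bot: The new check at line 215 interpolates `${RMANPASS}` into its own error message, which on that path is always empty (and would print the password if it were not); name the user and secret instead, e.g. `[ -z "${RMANPASS}" ] && error "Password for RMAN catalog user rcvcatowner in secret ${SECRET} does not exist"`, which also quotes the test operand. In `get_rman_password` (lines 102-112) the assumed-role credentials are exported into the script's environment and never cleared, so any later `aws` call in the script would presumably run as the assumed role rather than the instance role; `unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN` after the `get-secret-value` call would scope them to this function. Note also that `jq -r .rcvcatowner` yields the literal string `null` when the key is absent, which the `-z` test does not catch, and that a failed `assume-role` leaves `CREDS` empty with no error reported. The `validate` function starts and ends outside the hunk.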

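--- a/playbooks/oracle_backup/setup-catalog-tnsnames.yml
+++ b/playbooks/oracle_backup/setup-catalog-tnsnames.yml
@@ -24,6 +24,9 @@
 debug:
 msg: "{{ catalog }} exists in tnsnames: {{ tnsnames_entry_exists }}"
 
+- name: Get Passwords
+include_tasks: get_facts.yml
+
 - name: Add catalog connect identifier to {{ oracle_home.stdout }}/network/admin/tnsnames.ora
 blockinfile:
 backup:
@@ -38,43 +41,28 @@
 (CONNECT_TIMEOUT=10)
 (RETRY_COUNT=3)
 (ADDRESS_LIST=
-(ADDRESS = (PROTOCOL = TCP)(HOST={{ hostvars[groups['rman_primarydb'][0]]['inventory_hostname'] }})(PORT = 1521))
+(ADDRESS = (PROTOCOL = TCP)(HOST={{ catalog_hostname }})(PORT = 1521))
 )
-(CONNECT_DATA=(SERVICE_NAME={{ catalog }}_TAF))
+(CONNECT_DATA=(SERVICE_NAME=RCV_TAF))
 )
 
 owner: "oracle"
 marker: "# {mark} {{ marker_name }}"
 when: not tnsnames_entry_exists
 
-- name: Check we can connect to the catalog
-block:
-- name: Get catalog rman password
-shell: |
-export PATH=$PATH:/usr/local/bin
-INSTANCEID=$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id)
-ENVIRONMENT_NAME=$(aws ec2 describe-tags --filters "Name=resource-id,Values=${INSTANCEID}" "Name=key,Values=environment-name" --query "Tags[].Value" --output text)
-DELIUS_ENVIRONMENT=$(aws ec2 describe-tags --filters "Name=resource-id,Values=${INSTANCEID}" "Name=key,Values=delius-environment" --query "Tags[].Value" --output text)
-APPLICATION=$(aws ec2 describe-tags --filters "Name=resource-id,Values=${INSTANCEID}" "Name=key,Values=application" --query "Tags[].Value" --output text | sed 's/-core//')
-aws secretsmanager get-secret-value --secret-id ${ENVIRONMENT_NAME}-${DELIUS_ENVIRONMENT}-${APPLICATION}-dba-passwords --region {{ region }} --query SecretString --output text| jq -r .rman
-changed_when: false
-register: rman_password
-no_log: true
-
-- name: Attempt to connect to the catalog as rman
-shell:
-cmd: |
-. ~/.bash_profile
-sqlplus -s /nolog<< EOF
-whenever sqlerror exit failure
-connect rman19c/{{ rman_password.stdout }}@{{ catalog }}
-EOF
-become_user: oracle
-changed_when: false
-register: rman_connect
-no_log: true
+- name: Attempt to connect to the catalog as rman
+shell:
+cmd: |
+. ~/.bash_profile
+sqlplus -s /nolog<< EOF
+whenever sqlerror exit failure
+connect rcvcatowner/{{ rcvcatowner_password }}@{{ catalog }}
+EOF
+changed_when: false
+register: rman_connect
+no_log: true
 
-- name: Display connection result
-debug:
-msg: "Catalog connection good"
-when: rman_connect.rc == 0
+- name: Display connection result
+debug:
+msg: "Catalog connection good"
+when: rman_connect.rc == 0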
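Review bot: The rewritten `Attempt to connect to the catalog as rman` task (new lines 53-63) drops the `become_user: oracle` that the removed version carried at old line 72, while still sourcing `~/.bash_profile` and running `sqlplus`; unless the play already runs as oracle this changes whose profile and binaries are used, so either restore `become_user: oracle` or record why it is no longer needed. The service name at new line 46 is now the fixed `RCV_TAF` where the old line derived it from `{{ catalog }}`, which is fine for a single catalog but deserves a comment such as `# catalog service is always RCV_TAF regardless of the catalog DB name`. The `connect` line at line 59 still embeds the password in the heredoc and relies on `no_log: true`, which the task keeps.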
