Second commit

.gitignore

@@ -0,0 +1,2 @@
+*.pyc
+*__pycache__/

.yamllint

@@ -0,0 +1,33 @@
+---
+# Based on ansible-lint config
+extends: default
+
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  colons:
+    max-spaces-after: -1
+    level: error
+  commas:
+    max-spaces-after: -1
+    level: error
+  comments: disable
+  comments-indentation: disable
+  document-start: disable
+  empty-lines:
+    max: 3
+    level: error
+  hyphens:
+    level: error
+  indentation: disable
+  key-duplicates: enable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  new-lines:
+    type: unix
+  trailing-spaces: disable
+  truthy: disable

README.md

@@ -0,0 +1,46 @@
+ansible-role-openpolicyagent
+============================
+
+The `ansible-role-openpolicyagent` ansible role installs and configures `Open Policy Agent <https://www.openpolicyagent.org/>`_.
+
+Requirements
+------------
+
+The role doesn't require any extra python requiremnets to use.
+
+To run `molecule` on the other hand, you might need to do the following.
+
+```
+$ pip install -r molecule/requirements.txt
+```
+
+Role Variables
+--------------
+
+| Variable                                                | Default                                                                                      | Description                                      |
+|:--------------------------------------------------------|:--------------------------------------------------------------------------------------------:|:-------------------------------------------------|
+| `openpolicyagent_version`                               | `v0.14.2`                                                                                    | OPA version                                      |
+| `openpolicyagent_home`                                  | `/opt/opa`                                                                                   | OPA home directory                               |
+| `openpolicyagent_bin`                                   | `/opt/opa/bin`                                                                               | OPA binary path                                  |
+| `openpolicyagent_name`                                  | `opa`                                                                                        | OPA name of file to download                     |
+| `openpolicyagent_user`                                  | `opa`                                                                                        | OPA user to create and use                       |
+| `openpolicyagent_group`                                 | `opa`                                                                                        | OPA group to create and use                      |
+| `openpolicyagent_base_url`                              | `Link <https://github.com/open-policy-agent/opa/releases/download>`_                         | OPA download base URL                            |
+| `openpolicyagent_url`                                   | `Link <https://github.com/open-policy-agent/opa/releases/download/v0.14.2/opa_linux_amd64>`_ | OPA download URL                                 |
+| `openpolicyagent_config_path`                           | `/etc/opa`                                                                                   | OPA configuration base path                      |
+| `openpolicyagent_config_d_path`                         | `/etc/opa/opa.d/`                                                                            | OPA config.d path                                |
+| `openpolicyagent_config_file`                           | `/etc/opa/config.yml`                                                                        | OPA configuration file path                      |
+| `*_openpolicyagent_services`                            | `[]`                                                                                         | OPA Services                                     |
+| `*_openpolicyagent_labels`                              | `{}`                                                                                         | OPA Labels                                       |
+| `*_openpolicyagent_bundles`                             | `[]`                                                                                         | OPA Bundles                                      |
+| `*_openpolicyagent_plugins`                             | `{}`                                                                                         | OPA Plugins                                      |
+| `openpolicyagent_config_default_decision`               | `/system/main`                                                                               | OPA Default Decision configuration               |
+| `openpolicyagent_config_default_authorization_decision` | `/system/authz/allow`                                                                        | OPA Default Authorization Decision configuration |
+| `openpolicyagent_config_decision_logs`                  | `{}`                                                                                         | OPA Decision Logs configuration                  |
+| `openpolicyagent_config_status`                         | `{}`                                                                                         | OPA Status configuration                         |
+| `openpolicyagent_config_discovery`                      | `{}`                                                                                         | OPA Discovery configuration                      |
+
+License
+-------
+
+BSD 2 Clause

action_plugins/openpolicyagent_config_generate.py

@@ -0,0 +1,19 @@
+#!/usr/bin/env python
+
+from ansible.plugins.action import ActionBase
+
+
+class ActionModule(ActionBase):
+    def run(self, tmp=None, task_vars=None):
+        config = self._task.args.get('config')
+        varname = self._task.args.get('var_name')
+        _config = {}
+
+        for config_item in config:
+            if config[config_item]:
+                _config[config_item] = self._templar.template(config[config_item])
+
+        return dict(
+            ansible_facts={varname: self._templar.template(_config)},
+            changed=False
+        )

action_plugins/openpolicyagent_merge.py

@@ -0,0 +1,20 @@
+#!/usr/bin/env python
+
+from ansible.plugins.action import ActionBase
+
+
+class ActionModule(ActionBase):
+    def run(self, tmp=None, task_vars=None):
+        suffix = self._task.args.get('suffix')
+        varname = self._task.args.get('var_name')
+        mergetype = self._task.args.get('type', 'dict')
+
+        merged = {} if mergetype == 'dict' else []
+        mergefunc = merged.update if mergetype == 'dict' else merged.extend
+        for var in (v for v in sorted(task_vars.keys()) if v.endswith(suffix)):
+            mergefunc(self._templar.template(task_vars[var]))
+
+        return dict(
+            ansible_facts={varname: self._templar.template(merged)},
+            changed=False
+        )

defaults/main.yml

@@ -0,0 +1,33 @@
+---
+openpolicyagent_version: v0.14.2
+
+openpolicyagent_home: /opt/opa
+openpolicyagent_bin: "{{ openpolicyagent_home }}/bin"
+openpolicyagent_name: opa
+
+openpolicyagent_user: opa
+openpolicyagent_group: opa
+
+openpolicyagent_base_url: https://github.com/open-policy-agent/opa/releases/download
+openpolicyagent_url: "{{ openpolicyagent_base_url }}/{{ openpolicyagent_version }}/opa_linux_amd64"
+
+openpolicyagent_config_path: /etc/opa
+openpolicyagent_config_d_path: /etc/opa/opa.d/
+openpolicyagent_config_file: "{{ openpolicyagent_config_path }}/config.yml"
+
+openpolicyagent_config:
+  services: "{{ openpolicyagent_services_merged }}"
+  labels: "{{ openpolicyagent_labels_merged }}"
+  bundles: "{{ openpolicyagent_bundles_merged }}"
+  status: "{{ openpolicyagent_config_status }}"
+  decision_logs: "{{ openpolicyagent_config_decision_logs }}"
+  discovery: "{{ openpolicyagent_config_discovery }}"
+  default_decision: "{{ openpolicyagent_config_default_decision }}"
+  default_authorization_decision: "{{ openpolicyagent_config_default_authorization_decision }}"
+  plugins: "{{ openpolicyagent_plugins_merged }}"
+
+openpolicyagent_config_default_decision: /system/main
+openpolicyagent_config_default_authorization_decision: /system/authz/allow
+openpolicyagent_config_decision_logs: {}
+openpolicyagent_config_status: {}
+openpolicyagent_config_discovery: {}

handlers/main.yml

@@ -0,0 +1,9 @@
+---
+- name: Reload systemctl
+  command: systemctl daemon-reload
+
+- name: Restart OPA
+  systemd:
+    name: opa
+    state: restarted
+

meta/main.yml

@@ -0,0 +1,23 @@
+---
+galaxy_info:
+  author: Elia El Lazkani
+  description: Ansible role to deploy and configure Open Policy Agent
+  license: BSD 2-Clause
+  min_ansible_version: 2.7
+  platforms:
+    - name: CentOS
+      version:
+        - 7
+        - 8
+    - name: Ubuntu
+      version:
+        - 16.04
+        - 16.10
+        - 17.04
+        - 17.10
+        - 18.04
+        - 18.10
+        - 19.04
+
+  galaxy_tags: []
+dependencies: []

molecule/default/Dockerfile.j2

@@ -0,0 +1,22 @@
+# Molecule managed
+
+{% if item.registry is defined %}
+FROM {{ item.registry.url }}/{{ item.image }}
+{% else %}
+FROM {{ item.image }}
+{% endif %}
+
+{% if item.env is defined %}
+{% for var, value in item.env.items() %}
+{% if value %}
+ENV {{ var }} {{ value }}
+{% endif %}
+{% endfor %}
+{% endif %}
+
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates iproute2 && apt-get clean; \
+    elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash iproute && dnf clean all; \
+    elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash iproute && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
+    elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml iproute2 && zypper clean -a; \
+    elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \
+    elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates iproute2 && xbps-remove -O; fi

molecule/default/INSTALL.rst

@@ -0,0 +1,22 @@
+*******
+Docker driver installation guide
+*******
+
+Requirements
+============
+
+* Docker Engine
+
+Install
+=======
+
+Please refer to the `Virtual environment`_ documentation for installation best
+practices. If not using a virtual environment, please consider passing the
+widely recommended `'--user' flag`_ when invoking ``pip``.
+
+.. _Virtual environment: https://virtualenv.pypa.io/en/latest/
+.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
+
+.. code-block:: bash
+
+    $ pip install 'molecule[docker]'

molecule/default/molecule.yml

@@ -0,0 +1,28 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+lint:
+  name: yamllint
+platforms:
+  - name: opa-xenial
+    image: geerlingguy/docker-ubuntu1604-ansible
+    command: /lib/systemd/systemd
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: yes
+  - name: opa-centos7
+    image: geerlingguy/docker-centos7-ansible
+    command: /usr/lib/systemd/systemd
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: yes
+provisioner:
+  name: ansible
+  lint:
+    name: ansible-lint
+verifier:
+  name: testinfra
+  lint:
+    name: flake8

molecule/default/playbook.yml

@@ -0,0 +1,33 @@
+---
+- name: Converge
+  hosts: all
+  post_tasks:
+    - name: Copy example_conf
+      copy:
+        src: example_conf/
+        dest: "{{ openpolicyagent_config_d_path }}"
+        owner: "{{ openpolicyagent_user }}"
+        group: "{{ openpolicyagent_group }}"
+
+  roles:
+    - role: ansible-role-openpolicyagent
+  vars:
+    local__openpolicyagent_services:
+      - name: "{{ ansible_hostname }}"
+        url: "http://{{ ansible_fqdn }}"
+      - name: "OPA"
+        url: "http://{{ ansible_fqdn }}/OPA"
+
+    local__openpolicyagent_labels:
+      host: "{{ ansible_fqdn }}"
+      service: "OPA"
+      app: "OPA"
+      environment: "molecule"
+
+    openpolicyagent_config_decision_logs:
+        service: "OPA"
+        reporting:
+            min_delay_seconds: 300
+            max_delay_seconds: 600
+
+      

molecule/default/tests/test_default.py

@@ -0,0 +1,15 @@
+import os
+
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ['MOLECULE_INVENTORY_FILE']
+).get_hosts('all')
+
+
+def test_hosts_file(host):
+    f = host.file('/etc/hosts')
+
+    assert f.exists
+    assert f.user == 'root'
+    assert f.group == 'root'

molecule/requirements.txt

@@ -0,0 +1,3 @@
+molecule==2.22
+ansible==2.8.5
+docker==4.1.0

tasks/configuration.yml

@@ -0,0 +1,48 @@
+---
+- name: Create OPA configuration directory
+  file:
+    path: "{{ openpolicyagent_config_path }}"
+    state: directory
+    owner: "{{ openpolicyagent_user }}"
+    group: "{{ openpolicyagent_group }}"
+    mode: "0755"
+
+- name: Create OPA config.d directory
+  file:
+    path: "{{ openpolicyagent_config_d_path }}"
+    state: directory
+    owner: "{{ openpolicyagent_user }}"
+    group: "{{ openpolicyagent_group }}"
+    mode: "0755"
+
+- name: Merge OPA dictionary configuration
+  openpolicyagent_merge:
+    suffix: _openpolicyagent_{{ item }}
+    var_name: openpolicyagent_{{ item }}_merged
+    type: list
+  loop:
+    - services
+    - bundles
+
+- name: Merge OPA dictionary configuration
+  openpolicyagent_merge:
+    suffix: _openpolicyagent_{{ item }}
+    var_name: openpolicyagent_{{ item }}_merged
+  loop:
+    - labels
+    - plugins
+
+- name: Generate final configuration
+  openpolicyagent_config_generate:
+    config: "{{ openpolicyagent_config }}"
+    var_name: openpolicyagent_config
+
+- name: Deploy generated configuration
+  copy:
+    content: "{{ openpolicyagent_config | to_nice_yaml(indent=2) }}"
+    dest: "{{ openpolicyagent_config_file }}"
+    owner: "{{ openpolicyagent_user }}"
+    group: "{{ openpolicyagent_group }}"
+    mode: "0600"
+    validate: "{{ openpolicyagent_bin }}/opa run --addr :8182 --shutdown-grace-period 1 --config-file '%s'"
+  notify: Restart OPA

tasks/install.yml

@@ -0,0 +1,26 @@
+---
+- name: Download OPA binaries
+  get_url:
+    url: "{{ openpolicyagent_url }}"
+    dest: "{{ openpolicyagent_bin }}/{{ openpolicyagent_name }}_{{ openpolicyagent_version }}"
+    mode: '0755'
+    owner: "{{ openpolicyagent_user }}"
+    group: "{{ openpolicyagent_group }}"
+    checksum: "{{ vars_openpolicyagent_checksum[openpolicyagent_version] }}"
+
+- name: Symlink the binary to the current version
+  file:
+    src: "{{ openpolicyagent_bin}}/{{ openpolicyagent_name}}_{{ openpolicyagent_version }}"
+    dest: "{{ openpolicyagent_bin }}/{{ openpolicyagent_name }}"
+    state: link
+
+- name: Deploy systemctl environment configuration
+  template:
+    src: templates/opa.env.j2
+    dest: "{{ vars_openpolicyagent_env_var_path }}/opa"
+
+- name: Deploy systemctl service configuration
+  template:
+    src: templates/opa.service.j2
+    dest: "{{ vars_openpolicyagent_service_path }}/opa.service"
+  notify: Reload systemctl

tasks/main.yml

@@ -0,0 +1,17 @@
+---
+- name: Gather variables for each operating system
+  include_vars: "{{ item }}"
+  tags:
+    - configuration
+  with_first_found:
+    - "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml"
+    - "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
+    - "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
+    - "{{ ansible_distribution | lower }}.yml"
+    - "{{ ansible_os_family | lower }}.yml"
+
+- include_tasks: prepare.yml
+- include_tasks: install.yml
+- include_tasks: configuration.yml
+  tags:
+    - configuration

tasks/prepare.yml

@@ -0,0 +1,23 @@
+---
+- name: Create OPA group
+  group:
+    name: "{{ openpolicyagent_group }}"
+    state: present
+
+- name: Create OPA user
+  user:
+    name: "{{ openpolicyagent_user }}"
+    comment: "Open Policy Agent user"
+    group: "{{ openpolicyagent_group }}"
+    shell: /bin/nologin
+    create_home: yes
+    home: "{{ openpolicyagent_home }}"
+    state: present
+
+- name: Create OPA bin directory
+  file:
+    path: "{{ openpolicyagent_bin }}"
+    owner: "{{ openpolicyagent_user }}"
+    group: "{{ openpolicyagent_group }}"
+    mode: "0755"
+    state: directory

templates/opa.service.j2

@@ -0,0 +1,11 @@
+[Unit]
+Description=Open Policy Agent Daemon
+Requires=network.target
+After=syslog.target network.target
+[Service]
+Type=simple
+User={{ openpolicyagent_user }}
+EnvironmentFile={{ vars_openpolicyagent_env_var_path }}/opa
+ExecStart={{ openpolicyagent_bin }}/opa run --server --config-file {{ openpolicyagent_config_file }} --watch {{ openpolicyagent_config_d_path }}
+[Install]
+WantedBy=multi-user.target

vars/debian.yml

@@ -0,0 +1,3 @@
+---
+vars_openpolicyagent_env_var_path: /etc/default
+vars_openpolicyagent_service_path: /etc/systemd/system

vars/main.yml

@@ -0,0 +1,3 @@
+---
+vars_openpolicyagent_checksum:
+  v0.14.2: sha512:6d07aa4cfdf7c40d894bb99811db117f5e9ccc891711859210864f319f1c01aca59c9c0943db914b7637e8b70e64b0581523e5c03da58603caaa245b486d4fe3

vars/redhat.yml

@@ -0,0 +1,3 @@
+---
+vars_openpolicyagent_env_var_path: /etc/sysconfig
+vars_openpolicyagent_service_path: /etc/systemd/system