Merge pull request #267 from gingerwizard/master

Fixes and tests for idempotent behavour

.kitchen.yml

@@ -12,6 +12,7 @@ provisioner:
   http_proxy: <%= ENV['HTTP_PROXY'] %>
   https_proxy: <%= ENV['HTTPS_PROXY'] %>
   no_proxy: localhost,127.0.0.1
+  idempotency_test: true
 
 platforms:
   - name: ubuntu-14.04

handlers/main.yml

@@ -6,10 +6,6 @@
   service: name={{instance_init_script | basename}} state=restarted enabled=yes
   when: es_restart_on_change and es_start_service and ((plugin_installed is defined and plugin_installed.changed) or (config_updated is defined and config_updated.changed) or (xpack_state.changed) or (debian_elasticsearch_install_from_repo.changed or redhat_elasticsearch_install_from_repo.changed or elasticsearch_install_from_package.changed))
 
-# All security specific actions should go in here
-- name: activate-security
-  include: ./handlers/security/elasticsearch-security.yml
-
 #Templates are a handler as they need to come after a restart e.g. suppose user removes security on a running node and doesn't
 #specify es_api_basic_auth_username and es_api_basic_auth_password.  The templates will subsequently not be removed if we don't wait for the node to restart.
 #Templates done after restart therefore - as a handler.

handlers/security/elasticsearch-security.yml

@@ -1,14 +0,0 @@
----
-- name: Ensure elasticsearch is started
-  service: name={{instance_init_script | basename}} state=started enabled=yes
-
-- name: Wait for elasticsearch to startup
-  wait_for: host={{es_api_host}} port={{es_api_port}} delay=10
-  
-- name: activate-license
-  include: ./handlers/security/elasticsearch-xpack-activation.yml
-  when: es_enable_xpack and es_xpack_license is defined and es_xpack_license != ''
-
-- name: load-native-realms
-  include: ./handlers/security/elasticsearch-security-native.yml
-  when: (es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined)

tasks/java.yml

@@ -8,15 +8,22 @@
 - name: RedHat - Ensure Java is installed
   yum: name={{ java }} state={{java_state}}
   when: ansible_os_family == 'RedHat'
-  
+
+- name: Refresh java repo
+  apt: update_cache=yes
+  changed_when: false
+  when: ansible_os_family == 'Debian'
+
 - name: Debian - Ensure Java is installed
-  apt: name={{ java }} state={{java_state}} update_cache=yes force=yes
+  apt: name={{ java }} state={{java_state}}
   when: ansible_os_family == 'Debian'
 
 - command: java -version 2>&1 | grep OpenJDK
   register: open_jdk
   changed_when: false
 
+#https://github.com/docker-library/openjdk/issues/19 - ensures tests pass due to java 8 broken certs
 - name: refresh the java ca-certificates
   command: /var/lib/dpkg/info/ca-certificates-java.postinst configure
-  when: ansible_distribution == 'Ubuntu' and open_jdk.rc == 0
+  when: ansible_distribution == 'Ubuntu' and open_jdk.rc == 0
+  changed_when: false

tasks/main.yml

@@ -45,4 +45,12 @@
 - meta: flush_handlers
 
 - name: Wait for elasticsearch to startup
-  wait_for: host={{es_api_host}} port={{es_api_port}} delay=5 connect_timeout=1
+  wait_for: host={{es_api_host}} port={{es_api_port}} delay=5 connect_timeout=1
+
+- name: activate-license
+  include: ./xpack/security/elasticsearch-xpack-activation.yml
+  when: es_enable_xpack and es_xpack_license is defined and es_xpack_license != ''
+
+#perform security actions here now elasticsearch is started
+- include: ./xpack/security/elasticsearch-security-native.yml
+  when: (es_enable_xpack and '"security" in es_xpack_features') and ((es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined))

tasks/xpack/security/elasticsearch-security-file.yml

@@ -21,8 +21,8 @@
 - name: Remove Users
   command: >
     {{es_home}}/bin/x-pack/users userdel {{item}}
-  when: manage_file_users and (users_to_remove | length > 0)
   with_items: "{{users_to_remove | default([])}}"
+  when: manage_file_users and (users_to_remove | length > 0)
   environment:
     CONF_DIR: "{{ conf_dir }}"
     ES_HOME: "{{es_home}}"

tasks/xpack/security/elasticsearch-security-native.yml

@@ -46,7 +46,10 @@
     password: "{{es_api_basic_auth_password}}"
     force_basic_auth: yes
   when: manage_native_users and users_to_remove | length > 0
-  with_items: "{{users_to_remove}}"
+  with_items: "{{users_to_remove | default([]) }}"
+
+- set_fact: native_users={{ es_users.native }}
+  when: manage_native_users and es_users.native.keys() > 0
 
 #Overwrite all other users
 - name: Update Native Users
@@ -59,9 +62,9 @@
     user: "{{es_api_basic_auth_username}}"
     password: "{{es_api_basic_auth_password}}"
     force_basic_auth: yes
-  when: manage_native_users and es_users.native.keys() > 0
+  when: manage_native_users and native_users.keys() > 0
   no_log: True
-  with_dict: "{{es_users.native}}"
+  with_dict: "{{native_users | default({}) }}"
 
 #List current roles not. inc those reserved
 - name: List Native Roles
@@ -94,9 +97,12 @@
     password: "{{es_api_basic_auth_password}}"
     force_basic_auth: yes
   when: manage_native_roles and roles_to_remove | length > 0
-  with_items: "{{roles_to_remove}}"
+  with_items: "{{roles_to_remove | default([]) }}"
 
 
+- set_fact: native_roles={{ es_roles.native }}
+  when: manage_native_roles and es_roles.native.keys() > 0
+
 #Update other roles
 - name: Update Native Roles
   uri:
@@ -108,5 +114,5 @@
     user: "{{es_api_basic_auth_username}}"
     password: "{{es_api_basic_auth_password}}"
     force_basic_auth: yes
-  when: manage_native_roles and es_roles.native.keys() > 0
-  with_dict: "{{es_roles.native}}"
+  when: manage_native_roles and native_roles.keys() > 0
+  with_dict: "{{ native_roles | default({})}}"

tasks/xpack/security/elasticsearch-security.yml

@@ -8,12 +8,6 @@
 - include: elasticsearch-security-file.yml
   when: (es_enable_xpack and '"security" in es_xpack_features') and ((es_users is defined and es_users.file) or (es_roles is defined and es_roles.file is defined))
 
-#-----------------------------NATIVE BASED REALM----------------------------------------
-# The native realm requires the node to be started so we do as a handler
-- command: /bin/true
-  notify: activate-security
-  when: (es_enable_xpack and '"security" in es_xpack_features') and ((es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined))
-
 #-----------------------------ROLE MAPPING ----------------------------------------
 
 #Copy Roles files