Setup BWC repos, Install BWC and Setup RBAC

roles/bwc/defaults/main.yml

@@ -0,0 +1,8 @@
+---
+bwc_pkg_repo: "enterprise"
+# 'latest' to get latest version or numeric like '2.1.1'
+bwc_version: latest
+# used only if 'bwc_version' is numeric
+bwc_revision: 1
+
+st2_config_file_path: /etc/st2/st2.conf

roles/bwc/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+
+- name: reload bwc_rbac
+  become: yes
+  command: st2-apply-rbac-definitions --config-file {{ st2_config_file_path }}

roles/bwc/meta/main.yml

@@ -0,0 +1,27 @@
+---
+galaxy_info:
+  description: Install BWC Entperprise components, setup RBAC and LDAP
+  author: lakshmi-kannan
+  company: StackStorm
+  license: Apache 2.0
+  min_ansible_version: 2.2
+  platforms:
+    - name: Ubuntu
+      versions:
+        - trusty
+        - xenial
+    - name: EL
+      versions:
+        - 6
+        - 7
+  categories:
+    - stackstorm
+    - BWC
+    - Brocade Workflow Composer
+    - repositories
+    - packagecloud
+  dependencies:
+    - role: st2repos
+    - role: st2
+    - role: st2web
+    - role: bwc_repos

roles/bwc/tasks/ldap.yml

@@ -0,0 +1,22 @@
+---
+
+- name: Setup st2.conf auth backend to LDAP
+  become: yes
+  ini_file:
+    dest: "{{ st2_config_file_path }}"
+    section: auth
+    option: backend
+    value: ldap
+    backup: yes
+
+- name: Setup st2.conf auth backend_kwargs for LDAP
+  become: yes
+  ini_file:
+    dest: "{{ st2_config_file_path }}"
+    section: auth
+    option: backend_kwargs
+    value: "{{ ldap.config | to_nice_json }}"
+    backup: yes
+  notify:
+    - restart st2api
+    - restart st2stream

roles/bwc/tasks/main.yml

@@ -0,0 +1,29 @@
+---
+
+- name: Install latest bwc-enterprise package
+  become: yes
+  package:
+    name: bwc-enterprise
+    state: latest
+  when: bwc_version == "latest"
+  tags:
+    - bwc
+    - st2 enterprise
+
+- name: Install pinned bwc-enterprise package
+  become: yes
+  package:
+    name: bwc-enterprise={{ bwc_version }}-{{ bwc_revision }}
+    state: present
+  when: bwc_version != "latest"
+  tags:
+    - bwc
+    - st2 enterprise
+
+- name: Setup RBAC and setup roles and assignments if enable_rbac is defined
+  include: "rbac.yml"
+  when: rbac is defined
+
+- name: Setup LDAP and set up LDAP configuration
+  include: "ldap.yml"
+  when: ldap is defined

roles/bwc/tasks/rbac.yml

@@ -0,0 +1,47 @@
+---
+
+  - name: Create BWC RBAC directories
+    become: yes
+    file:
+      path: "{{ item }}"
+      mode: "u+rw,g-wx,o-rwx"
+      owner: st2
+      group: st2
+      state: directory
+    with_items:
+      - /opt/stackstorm/rbac/assignments
+      - /opt/stackstorm/rbac/roles
+
+  - name: Copy RBAC roles to /opt/stackstorm/rbac/roles directory
+    become: yes
+    template:
+      src: rbac_roles/roles.yml.j2
+      dest: /opt/stackstorm/rbac/roles/{{ item.name }}.yaml
+      owner: st2
+      group: st2
+    with_items: "{{ rbac.roles }}"
+    when: rbac_roles is defined
+
+  - name: Copy RBAC assignments to /opt/stackstorm/rbac/assignments directory
+    become: yes
+    template:
+      src: rbac_assignments/assignments.yml.j2
+      dest: /opt/stackstorm/rbac/assignments/{{ item.name }}.yaml
+      owner: st2
+      group: st2
+    with_items: "{{ rbac.assignments }}"
+    when: rbac_assignments is defined
+
+  - name: Enable RBAC in st2 configuration
+    become: yes
+    ini_file:
+      dest: /etc/st2/st2.conf
+      section: auth
+      option: enable
+      value: True
+      backup: yes
+    notify:
+      - restart st2
+      - reload bwc_rbac
+      - restart st2api
+

roles/bwc/templates/rbac_assignments/assignments.yml.j2

@@ -0,0 +1,4 @@
+---
+
+  username: {{ item.name }}
+  roles: {{ item.roles | to_nice_yaml }}

roles/bwc/templates/rbac_roles/roles.yml.j2

@@ -0,0 +1,5 @@
+---
+
+name: {{ item.name }}
+description: {{ item.description }}
+permission_grants: {{ item.permission_grants | to_nice_yaml }}

roles/bwc_repos/defaults/main.yml

@@ -0,0 +1,19 @@
+---
+# BWC PackageCloud repository to install: enterprise, enterprise-unstable, staging-enterprise, staging-enterprise-unstable.
+bwc_pkg_repo: enterprise
+
+deb_os: "{{ ansible_distribution|lower }}"
+deb_os_version: "{{ ansible_distribution_release|lower }}"
+
+rpm_os: "el"
+rpm_os_version: "{{ ansible_distribution_major_version }}"
+
+master_token: "{{ license }}"
+
+deb_gpg_key_url: "https://{{ master_token }}:@packagecloud.io/install/repositories/StackStorm/enterprise/gpg_key_url.list?os={{ deb_os }}&dist={{ deb_os_version }}&name={{ ansible_nodename }}"
+
+deb_config_file_url: "https://{{ master_token }}:@packagecloud.io/install/repositories/StackStorm/{{ bwc_pkg_repo }}/config_file.list?os={{ deb_os }}&dist={{ deb_os_version }}&name={{ ansible_nodename }}"
+deb_config_file_location: "/etc/apt/sources.list.d/packagecloud_io_StackStorm_{{ bwc_pkg_repo }}.list"
+
+rpm_config_file_url: "https://{{ master_token }}:@packagecloud.io/install/repositories/StackStorm/{{ bwc_pkg_repo }}/config_file.repo?os={{ rpm_os }}&dist={{ rpm_os_version }}&name={{ ansible_nodename }}"
+rpm_config_file_location: "/etc/yum.repos.d/packagecloud_io_StackStorm_{{ bwc_pkg_repo }}.repo"

roles/bwc_repos/meta/main.yml

@@ -0,0 +1,22 @@
+---
+galaxy_info:
+  description: Install BWC PackageCloud repository
+  author: lakshmi-kannan
+  company: StackStorm
+  license: Apache 2.0
+  min_ansible_version: 2.2
+  platforms:
+    - name: Ubuntu
+      versions:
+        - trusty
+        - xenial
+    - name: EL
+      versions:
+        - 6
+        - 7
+  categories:
+    - stackstorm
+    - BWC
+    - Brocade Workflow Composer
+    - repositories
+    - packagecloud

roles/bwc_repos/tasks/bwc_repos_apt.yml

@@ -0,0 +1,40 @@
+---
+
+- name: Assert that master_token is specified
+  fail: msg="License key must be supplied for BWC enterprise installation."
+  when: license is not defined
+
+- name: Install prereqs (Debian)
+  become: yes
+  apt:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - debian-archive-keyring
+    - apt-transport-https
+
+- name: Get GPG key URL for private repo
+  become: yes
+  shell: 'curl "{{ deb_gpg_key_url }}"'
+  register: deb_gpg_key
+
+# This is the exact key as the open source repo but this behavior might change. So just
+# following what's in packagecloud docs for private repos.
+- name: Add GPG key to keyring
+  become: yes
+  shell: 'curl -L "{{ deb_gpg_key.stdout }}" | apt-key add -'
+  when: ansible_os_family == "Debian" and license is defined
+
+- name: "Adding packagecloud.io repository: StackStorm/{{ bwc_pkg_repo }} with generated read token"
+  become: yes
+  shell: 'curl "{{ deb_config_file_url }}" > {{ deb_config_file_location }}'
+  args:
+   creates: "{{ deb_config_file_location }}"
+  register: added_bwc_deb_repository
+  when: ansible_os_family == "Debian" and license is defined
+
+- name: Update APT package cache
+  become: yes
+  apt:
+    update_cache: true
+  when: ansible_os_family == "Debian" and added_bwc_deb_repository|success

roles/bwc_repos/tasks/bwc_repos_yum.yml

@@ -0,0 +1,43 @@
+---
+
+- name: Assert that master_token is specified
+  fail: msg="License key must be supplied for BWC enterprise installation."
+  when: license is not defined
+
+# Fixes "Failure talking to yum: Cannot retrieve repository metadata (repomd.xml) for repository: StackStorm_stable. Please verify its path and try again" when installing st2
+- name: Update ca-certificates package
+  become: yes
+  yum:
+    name: ca-certificates
+    state: latest
+  tags: skip_ansible_lint
+
+# See: https://github.com/docker-library/docs/tree/master/centos#package-documentation
+# We ship `nginx.conf` via `st2` package doc files, for example
+- name: Enable shipping package documentation files for EL
+  become: yes
+  ini_file:
+    dest: /etc/yum.conf
+    section: main
+    option: tsflags
+    value: nodocs
+    state: absent
+  when: ansible_os_family == "RedHat"
+
+- name: Add BWC enterprise repo
+  become: yes
+  shell: 'curl "{{ rpm_config_file_url }}" > {{ rpm_config_file_location }}'
+  args:
+    creates: "{{ rpm_config_file_location }}"
+  register: added_bwc_rpm_repository
+  when: ansible_os_family == "RedHat" and license is defined
+
+- name: Update yum package cache
+  become: yes
+  shell: yum -q makecache -y --disablerepo='*' --enablerepo='StackStorm_{{ bwc_pkg_repo|replace("/", "_") }}'
+  when: ansible_os_family == "RedHat" and added_bwc_rpm_repository|success
+
+- name: Update yum package cache BWC enterprise source repo
+  become: yes
+  shell: yum -q makecache -y --disablerepo='*' --enablerepo='StackStorm_{{ bwc_pkg_repo|replace("/", "_") }}-source'
+  when: ansible_os_family == "RedHat" and added_bwc_rpm_repository|success

roles/bwc_repos/tasks/main.yml

@@ -0,0 +1,6 @@
+---
+- name: Add BWC enterprise repos on {{ ansible_distribution }}
+  include: bwc_repos_{{ ansible_pkg_mgr }}.yml
+  tags:
+    - BWC repos
+    - StackStorm enterprise