Extend configure license task (#182)

* Extend configure license task

* Added check_decrypted_secret task desc to README

Author: schneewe

README.md

@@ -132,6 +132,7 @@ Note: Any task with an **adhoc** prefix means that it can be used independently
 - **adhoc_fix_server_certificate.yml** - Use to delete an expired server.pem and generate a new one (default certs). Useful if your server.pem certificate has expired and you are using Splunk's default certificate for splunkd. Note that default certificates present a security risk and that their use should be avoided, if possible.
 - **adhoc_kill_splunkd.yml** - Some releases of Splunk have a "feature" that leaves zombie splunkd processes after a 'splunk stop'. Use this task after a 'splunk stop' to make sure that it's really stopped. Useful for upgrades on some of the 7.x releases, and automatically called by the upgrade_splunk.yml task.
 - **check_splunk.yml** - Check if Splunk is installed. If Splunk is not installed, it will be installed on the host. If Splunk is already installed, the task will execute a "splunk version" command on the host, and then compare the version and build number of Splunk to the version and build number of the expected version of Splunk. Note that the expected version of Splunk does not need to be statically defined; The expected Splunk version and build are automatically extracted from the value of splunk_package_url_full or splunk_package_url_uf using Jinja regex filters. This task will work for both the Universal Forwarder and full Splunk Enterprise packages. You define which host uses what package by organizing it under the appropriate group ('full' or 'uf') in your Ansible inventory.
+- **check_decrypted_secret.yml** - Check the decrypted value of a given `pass4SymmKey`. This can be called by a task to compare the desired value with the currently configured value to see if they match. This pervents unnessecary changes to be applied.
 - **configure_apps.yml** - This task should be called directly from a playbook in order to deploy apps or configurations (from git repositories) to Splunk hosts. Tip: Add a this task to a playbook after the check_splunk.yml play. Doing so will perform a "install (or upgrade) and deploy apps" run, all in one playbook.
 - **configure_authentication.yml** - Uses the template identified by the `splunk_authenticationconf` variable to install an authentication.conf file to $SPLUNK_HOME/etc/system/local/authentication.conf. We are including this task here since Ansible is able to securely deploy an authentication.conf configuration by using ansible-vault to encrypt sensitive values such as the value of the `ad_bind_password` variable. Note: If you are using a common splunk.secret file, you can omit this task and instead use configure_apps.yml to deploy an authentication.conf file from a Git repository containing an authentication.conf app with pre-hashed credentials.
 - **configure_bash.yml** - Configures bashrc and bash_profile files for the splunk user. Please note that the templates included with this role will overwrite any existing files for the splunk user (if they exist). The templates will define a custom PS1 at the bash prompt, configure the $SPLUNK_HOME environment variable so that you can issue "splunk <command>" without specifying the full path to the Splunk binary, and will enable auto-completion of Splunk CLI commands in bash.

roles/splunk/tasks/configure_license.yml

@@ -16,7 +16,7 @@
       mode: "0700"
       owner: "{{ splunk_nix_user }}"
       group: "{{ splunk_nix_group }}"
-    become: yes
+    become: true
     when:
       - splunk_license_group=="Enterprise"
   - name: Copy license file
@@ -27,19 +27,21 @@
       group: "{{ splunk_nix_group }}"
       mode: "0600"
     loop: "{{ splunk_license_file }}"
-    become: yes
+    become: true
     when:
       - splunk_license_group=="Enterprise"
-  - name: "Remove {{ mode_option }} when using local license"
+  - name: "Remove license manager uri when using local license"
     ini_file:
       path: "{{ splunk_home }}/etc/system/local/server.conf"
       section: license
-      option: "{{ mode_option }}"
-      value: "{{ splunk_uri_lm }}"
+      option: "{{ item }}"
       owner: "{{ splunk_nix_user }}"
       group: "{{ splunk_nix_group }}"
       state: absent
-    become: yes
+    with_items: 
+      - manager_uri
+      - master_uri
+    become: true
   - name: Configure License Group
     ini_file:
       path: "{{ splunk_home }}/etc/system/local/server.conf"
@@ -48,7 +50,7 @@
       value: "{{ splunk_license_group }}"
       owner: "{{ splunk_nix_user }}"
       group: "{{ splunk_nix_group }}"
-    become: yes
+    become: true
     notify: restart splunk
   when:
     - not splunk_license_group=="Peer"
@@ -64,7 +66,14 @@
       value: "{{ splunk_uri_lm }}"
       owner: "{{ splunk_nix_user }}"
       group: "{{ splunk_nix_group }}"
-    become: yes
+    become: true
+
+  - name: Extract encrypted value
+    include_tasks: check_decrypted_secret.yml
+    vars:
+      req_secret_conf: server
+      req_secret_section: general
+      req_secret_option: pass4SymmKey
 
   - name: Set pass4SymmKey to match LM
     ini_file:
@@ -74,8 +83,11 @@
       value: "{{ splunk_general_key }}"
       owner: "{{ splunk_nix_user }}"
       group: "{{ splunk_nix_group }}"
-    become: yes
+    become: true
     notify: restart splunk
+    when:
+      - splunk_general_key != "undefined"
+      - encrypted_secret_value.stdout == "" or (splunk_general_key != decrypted_secret_value.stdout | default(''))
     no_log: true
   when:
     - splunk_license_group=="Peer"