add possibility to check a decrypted value, before setting a password value again

Author: schneewe

roles/splunk/tasks/check_decrypted_secret.yml

@@ -0,0 +1,17 @@
+---
+- name: "Extract encrypted {{ req_secret_option }} of {{ req_secret_conf }}.conf [{{ req_secret_section }}]"
+  shell: "{{ splunk_home }}/bin/splunk btool {{ req_secret_conf }} list {{ req_secret_section }} | grep '{{ req_secret_option }} = ' | awk -F ' = ' '{print $2}'"
+  register: encrypted_secret_value
+  become: true
+  become_user: "{{ splunk_nix_user }}"
+  changed_when: false
+  no_log: true
+
+- name: "Decrypt {{ req_secret_option }} of {{ req_secret_conf }}.conf [{{ req_secret_section }}]"
+  shell: "{{ splunk_home }}/bin/splunk show-decrypted --value '{{ encrypted_secret_value.stdout }}'"
+  register: decrypted_secret_value
+  become: true
+  no_log: true
+  changed_when: false
+  when:
+    - encrypted_secret_value.rc == 0 and encrypted_secret_value.stdout != ""

roles/splunk/tasks/configure_deploymentclient.yml

@@ -38,6 +38,13 @@
   notify: restart splunk
   when: phoneHomeIntervalInSecs != 'undefined'
 
+- name: Extract encrypted value
+  include_tasks: check_decrypted_secret.yml
+  vars:
+    req_secret_conf: server
+    req_secret_section: deployment
+    req_secret_option: pass4SymmKey
+
 - name: Configure deployment server pass4SymmKey in server.conf
   ini_file:
     path: "{{ splunk_home }}/etc/system/local/server.conf"
@@ -49,4 +56,6 @@
     mode: 0644
   become: true
   notify: restart splunk
-  when: splunk_ds_key != 'undefined'
+  when: 
+    - splunk_ds_key != 'undefined'
+    - encrypted_secret_value.stdout == "" or (splunk_ds_key != decrypted_secret_value.stdout | default(''))