OPSEXP-3222 Add audit_storage role

.envrc

@@ -0,0 +1,5 @@
+# Required environment variables to launch molecule tests locally
+# On travis they are available from settings
+
+source_env_if_exists .env.credentials
+env_vars_required NEXUS_USERNAME NEXUS_PASSWORD

.github/workflows/build.yml

@@ -96,6 +96,7 @@ jobs:
           - role_name: java
           - role_name: systemd_service
           - role_name: hxi_connector
+          - role_name: audit_storage
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -111,6 +112,8 @@ jobs:
       - name: Run molecule
         env:
           ANSIBLE_DIFF_ALWAYS: "true"
+          NEXUS_USERNAME: ${{ secrets.NEXUS_USERNAME }}
+          NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
         working-directory: roles/${{ matrix.roles.role_name }}
         run: |
           uv run molecule test

.gitignore

@@ -6,3 +6,5 @@
 
 # https://ansible.readthedocs.io/projects/antsibull-changelog/changelogs/
 changelogs/.plugin-cache.yaml
+
+.env.credentials

changelogs/fragments/audit_storage-role.yaml

@@ -0,0 +1,2 @@
+major_changes:
+  - Add audit_storage service role

roles/audit_storage/README.md

@@ -0,0 +1,82 @@
+# audit_storage
+
+Install and configure Alfresco Audit Storage
+
+## Requirements
+
+For this role to function as intended, the following prerequisites must be met:
+
+* An **ActiveMQ instance** must be running and accessible by the target host
+  where the audit storage service will be deployed.
+* An **Elasticsearch (or OpenSearch) instance** must be running and accessible
+  by the target host for both read & **write** index operations.
+* Access to [Alfresco's artifacts repository](https://nexus.alfresco.com/nexus)
+  (or other artifact repository) to pull Alfresco Audit Storage application artifacts from.
+
+## Dependencies
+
+This role requires an openjdk installation to be present on the target system
+and provided as `audit_storage_java_home_path` variable.
+
+The role `alfresco.platform.java` is recommended to install the openjdk.
+
+You also need user and group created on host
+
+## Example Playbook
+
+```yaml
+- name: Converge Audit Storage Hosts
+  hosts: audit_storage
+  vars:
+    username: alfresco
+    group_name: alfresco
+  tasks:
+    - name: Add an application group
+      become: true
+      ansible.builtin.group:
+        name: "{{ group_name }}"
+        system: true
+
+    - name: Add an application user
+      become: true
+      ansible.builtin.user:
+        name: "{{ username }}"
+        system: true
+        group: "{{ group_name }}"
+
+    - name: Include java role
+      ansible.builtin.include_role:
+        name: alfresco.platform.java
+      vars:
+        java_version: 17.0.14+7
+
+    - name: Include main role
+      ansible.builtin.include_role:
+        name: alfresco.platform.audit_storage
+      vars:
+        audit_storage_java_home_path: "/opt/openjdk-17.0.14"
+        audit_storage_nexus_username: "{{ lookup('env', 'NEXUS_USERNAME') }}"
+        audit_storage_nexus_password: "{{ lookup('env', 'NEXUS_PASSWORD') }}"
+        audit_storage_username: "{{ username }}"
+        audit_storage_group_name: "{{ group_name }}"
+        audit_storage_broker_url: failover:(tcp://activemq:61616)
+        audit_storage_broker_username: admin
+        audit_storage_broker_password: admin
+        audit_storage_opensearch_url: http://elasticsearch:9200
+        audit_storage_opensearch_username: admin
+        audit_storage_opensearch_password: admin
+
+```
+
+> **Note:** While this component can run independently, an operational
+> **Alfresco Content Services (ACS) instance** is required for it to function
+> meaningfully. Without ACS, no audit events will be produced, and therefore
+> nothing will be indexed into the Elasticsearch instance.
+
+## License
+
+Apache-2.0
+
+## Author
+
+Alfresco Ops Readiness

roles/audit_storage/defaults/main.yml

@@ -0,0 +1,56 @@
+---
+# defaults file for audit_storage
+audit_storage_version: 1.1.0
+audit_storage_zip_url: https://nexus.alfresco.com/nexus/repository/enterprise-releases/org/alfresco/alfresco-audit-storage-distribution/{{ audit_storage_version }}/alfresco-audit-storage-distribution-{{ audit_storage_version }}.zip # noqa yaml[line-length]
+audit_storage_zip_checksum: sha1:{{ audit_storage_zip_url }}.sha1
+
+audit_storage_download_location: /tmp
+
+audit_storage_download_artifact_name: alfresco-audit-storage-app
+audit_storage_nexus_username: ''
+audit_storage_nexus_password: ''
+
+audit_storage_username: alfresco
+audit_storage_group_name: alfresco
+
+audit_storage_server_port: 8083
+
+audit_storage_broker_url: failover:(nio://localhost:61616)?timeout=3000
+audit_storage_broker_username: ''
+audit_storage_broker_password: ''
+audit_storage_opensearch_url: http://localhost:9200
+audit_storage_opensearch_username: ''
+audit_storage_opensearch_password: ''
+
+audit_storage_default_environment:
+  SERVER_PORT: "{{ audit_storage_server_port }}"
+  SPRING_ACTIVEMQ_BROKERURL: "{{ audit_storage_broker_url }}"
+  SPRING_ACTIVEMQ_USER: "{{ audit_storage_broker_username }}"
+  SPRING_ACTIVEMQ_PASSWORD: "{{ audit_storage_broker_password }}"
+  AUDIT_ENTRYSTORAGE_OPENSEARCH_CONNECTOR_URI: "{{ audit_storage_opensearch_url }}"
+  AUDIT_ENTRYSTORAGE_OPENSEARCH_CONNECTOR_USERNAME: "{{ audit_storage_opensearch_username }}"
+  AUDIT_ENTRYSTORAGE_OPENSEARCH_CONNECTOR_PASSWORD: "{{ audit_storage_opensearch_password }}"
+  AUDIT_EVENTINGESTION_URI: activemq:topic:alfresco.repo.event2
+audit_storage_environment: {}
+
+audit_storage_java_home_path: /opt/openjdk-17.0.15
+audit_storage_java_bin_path: "{{ audit_storage_java_home_path }}/bin/java"
+
+audit_storage_binaries_dir: "/opt/alfresco/audit-storage-{{ audit_storage_version }}"
+audit_storage_config_dir: "/etc/alfresco/audit-storage"
+
+audit_storage_packages:
+  - unzip
+
+audit_storage_systemd_service_unit_name: "alfresco-audit-storage"
+audit_storage_systemd_service_unit_description: "Alfresco Audit Storage"
+audit_storage_systemd_service_exec_start: "{{ audit_storage_java_bin_path }} -jar {{ audit_storage_artifact_path }}"
+audit_storage_systemd_service_user: "{{ audit_storage_username }}"
+
+audit_storage_systemd_service_unit_after: syslog.target network.target local-fs.target remote-fs.target nss-lookup.target
+audit_storage_systemd_service_type: simple
+audit_storage_systemd_service_exec_stop: kill -15 $MAINPID
+audit_storage_systemd_service_working_directory: /tmp
+audit_storage_systemd_service_additional_options: {}
+audit_storage_systemd_service_state: started
+audit_storage_systemd_service_enabled: true

roles/audit_storage/meta/argument_specs.yml

@@ -0,0 +1,103 @@
+argument_specs:
+  main:
+    short_description: Install a Alfresco Audit Storage
+    description: |
+      This role installs Alfresco Audit Storage and starts it.
+    options:
+      audit_storage_version:
+        type: str
+        description: Version of the Audit Storage to install
+      audit_storage_zip_url:
+        type: str
+        description: URL to download the Audit Storage distribution zip file
+      audit_storage_zip_checksum:
+        type: str
+        description: Checksum for the Audit Storage distribution zip file
+      audit_storage_download_location:
+        type: str
+        description: Location to download the Audit Storage distribution zip file
+      audit_storage_download_artifact_name:
+        type: str
+        description: Name of the Audit Storage artifact to download
+      audit_storage_nexus_username:
+        type: str
+        description: Username for the Nexus repository to download the Audit Storage artifact
+        required: true
+      audit_storage_nexus_password:
+        type: str
+        description: Password for the Nexus repository to download the Audit Storage artifact
+        required: true
+      audit_storage_username:
+        type: str
+        description: Username for the Audit Storage service
+        required: true
+      audit_storage_group_name:
+        type: str
+        description: Group name for the Audit Storage service
+        required: true
+      audit_storage_server_port:
+        type: int
+        description: Port for the Audit Storage service
+        default: 8083
+      audit_storage_broker_url:
+        type: str
+        description: URL for the message broker used by Audit Storage
+        required: true
+      audit_storage_broker_username:
+        type: str
+        description: Username for the message broker used by Audit Storage
+      audit_storage_broker_password:
+        type: str
+        description: Password for the message broker used by Audit Storage
+      audit_storage_opensearch_url:
+        type: str
+        description: URL for the OpenSearch instance used by Audit Storage
+        required: true
+      audit_storage_opensearch_username:
+        type: str
+        description: Username for the OpenSearch instance used by Audit Storage
+      audit_storage_opensearch_password:
+        type: str
+        description: Password for the OpenSearch instance used by Audit Storage
+      audit_storage_environment:
+        type: dict
+        description: Additional environment variables for the Audit Storage service
+      audit_storage_java_home_path:
+        type: str
+        description: Path to the Java home directory for the Audit Storage service
+        default: /opt/java
+      audit_storage_java_bin_path:
+        type: str
+        description: Path to the Java binary for the Audit Storage service
+        default: /opt/java/bin/java
+      audit_storage_binaries_dir:
+        type: str
+        description: Directory where the Audit Storage binaries will be installed
+      audit_storage_config_dir:
+        type: str
+        description: Directory where the Audit Storage configuration files will be stored
+  download:
+    short_description: Download the Audit Storage distribution
+    description: |
+      This task downloads the Audit Storage distribution zip file.
+    options:
+      audit_storage_zip_url:
+        type: str
+        description: URL to download the Audit Storage distribution zip file
+      audit_storage_zip_checksum:
+        type: str
+        description: Checksum for the Audit Storage distribution zip file
+      audit_storage_download_location:
+        type: str
+        description: Location to download the Audit Storage distribution zip file
+      audit_storage_download_artifact_name:
+        type: str
+        description: Name of the Audit Storage artifact to download
+      audit_storage_nexus_username:
+        type: str
+        description: Username for the Nexus repository to download the Audit Storage artifact
+        required: true
+      audit_storage_nexus_password:
+        type: str
+        description: Password for the Nexus repository to download the Audit Storage artifact
+        required: true

roles/audit_storage/meta/main.yml

@@ -0,0 +1,25 @@
+galaxy_info:
+  author: Alfresco Ops Readiness
+  namespace: alfresco
+  description: Install Alfresco Audit Storage
+  company: Hyland Software
+
+  license: Apache-2.0
+
+  min_ansible_version: "2.16"
+
+  platforms:
+    - name: Ubuntu
+      versions:
+        - focal
+        - jammy
+        - noble
+    - name: EL
+      versions:
+        - "8"
+        - "9"
+
+  galaxy_tags:
+    - alfresco
+
+dependencies: []

roles/audit_storage/molecule/default/converge.yml

@@ -0,0 +1,15 @@
+---
+- name: Converge
+  hosts: instance
+  tasks:
+    - name: Include java role
+      ansible.builtin.include_role:
+        name: alfresco.platform.java
+    - name: Include main role
+      ansible.builtin.include_role:
+        name: alfresco.platform.audit_storage
+      vars:
+        audit_storage_nexus_username: "{{ lookup('env', 'NEXUS_USERNAME') }}"
+        audit_storage_nexus_password: "{{ lookup('env', 'NEXUS_PASSWORD') }}"
+        audit_storage_broker_url: failover:(tcp://activemq-instance:61616)
+        audit_storage_opensearch_url: http://elasticsearch-instance:9200

roles/audit_storage/molecule/default/host_vars/instance.yml

@@ -0,0 +1 @@
+ansible_user: ansible

roles/audit_storage/molecule/default/molecule.yml

@@ -0,0 +1,56 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: elasticsearch-instance
+    image: elasticsearch:8.17.3
+    pre_build_image: true
+    env:
+      xpack.security.enabled: "false"
+      discovery.type: "single-node"
+    command: "eswrapper"
+    cap_add:
+      - IPC_LOCK
+    exposed_ports:
+      - 9200
+    networks:
+      - name: molecule_default
+
+  - name: activemq-instance
+    image: alfresco/alfresco-activemq:5.18-jre17-rockylinux8
+    pre_build_image: true
+    mem_limit: "1g"
+    command: "./init.sh /opt/activemq"
+    exposed_ports:
+      - 61616
+    networks:
+      - name: molecule_default
+
+  - name: instance
+    image: ${MOLECULE_ROLE_IMAGE:-rockylinux:9}
+    dockerfile: ../../../../tests/molecule/Dockerfile-noprivs.j2
+    command: "/lib/systemd/systemd"
+    privileged: true
+    tmpfs:
+      - /run
+      - /run/lock
+      - /tmp
+    volume_mounts:
+      - "/sys/fs/cgroup:/sys/fs/cgroup:ro"
+    groups:
+      - audit_storage
+    networks:
+      - name: molecule_default
+        links:
+          - elasticsearch-instance
+          - activemq-instance
+
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      pipelining: true
+  inventory:
+    host_vars:
+      instance:
+        ansible_user: ansible

roles/audit_storage/molecule/default/prepare.yml

@@ -0,0 +1,14 @@
+---
+- name: Prepare
+  hosts: instance
+  become: true
+  tasks:
+    - name: Add an application group
+      ansible.builtin.group:
+        name: alfresco
+        system: true
+    - name: Add an application user
+      ansible.builtin.user:
+        name: alfresco
+        system: true
+        group: alfresco