Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

draft of a quarantine playbook for EDA #5477

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion group_vars/vsphere/production.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,4 +5,4 @@ vcenter_cluster: "VMCluster"
vcenter_username: "vmansible"
vcenter_password: "{{ vault_vcenter_password }}"
vm_delete_me_folder: "/Library/vm/ToBeDeleted"

vm_quarantine_folder: "/Library/vm/Quarantine"
1 change: 1 addition & 0 deletions group_vars/vsphere/staging.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,3 +5,4 @@ vcenter_cluster: "VMCluster"
vcenter_username: "vmansible"
vcenter_password: "{{ vault_vcenter_password }}"
vm_delete_me_folder: "/Library-Dev/vm/ToBeDeleted"
vm_quarantine_folder: "/Library-Dev/vm/Quarantine"
202 changes: 202 additions & 0 deletions playbooks/utils/isolate_vm_host.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,202 @@
---
# This playbook responds if we have a security incident on a VM,
# powers down and quarantines the VM and replaces it from a vSphere template.
#
- name: quarantine and replace the {{ replacement_vm }} VM on the {{ runtime_env | default('staging') }} vSphere
hosts: localhost
remote_user: pulsys
become: true

vars:
slack_alerts_channel: "#infrastructure"

vars_files:
- ../../group_vars/all/vault.yml
- ../../group_vars/vsphere/vault.yml
- ../../group_vars/vsphere/{{ runtime_env | default('staging') }}.yml

tasks:
- name: Gather info on VM to replace
community.vmware.vmware_vm_info:
hostname: "{{ vcenter_hostname }}"
username: "{{ vcenter_username }}"
password: "{{ vcenter_password }}"
validate_certs: false
show_allocated: true
show_folder: true
show_datacenter: true
show_mac_address: true
vm_name: "{{ replacement_vm }}"
register: old_vm_info

- name: set the vm network to the private network if the IP starts with 172.20
ansible.builtin.set_fact:
vm_network: "VM Network - ip4-library-servers"
when: old_vm_info.virtual_machines[0].ip_address is match("172.20.*")

- name: set the vm network to the public network if the IP starts with 128.112
ansible.builtin.set_fact:
vm_network: "Virtual Machine Network"
when: old_vm_info.virtual_machines[0].ip_address is match("128.112.*")

- name: Power off old VM using UUID
community.vmware.vmware_guest_powerstate:
hostname: "{{ vcenter_hostname }}"
username: "{{ vcenter_username }}"
password: "{{ vcenter_password }}"
validate_certs: false
datacenter: "{{ vcenter_datacenter }}"
uuid: "{{ old_vm_info.virtual_machines[0].uuid }}"
state: powered-off

- name: Move old VM to the Quarantine folder
community.vmware.vmware_guest_move:
hostname: "{{ vcenter_hostname }}"
username: "{{ vcenter_username }}"
password: "{{ vcenter_password }}"
validate_certs: false
datacenter: "{{ vcenter_datacenter }}"
dest_folder: "{{ vm_quarantine_folder }}"
uuid: "{{ old_vm_info.virtual_machines[0].uuid }}"

- name: Create a new virtual machine from a template
community.vmware.vmware_guest:
hostname: "{{ vcenter_hostname }}"
username: "{{ vcenter_username }}"
password: "{{ vcenter_password }}"
validate_certs: false
datacenter: "{{ vcenter_datacenter }}"
cluster: "{{ vcenter_cluster }}"
folder: "{{ old_vm_info.virtual_machines[0].folder }}"
name: "{{ replacement_vm }}"
state: present
template: "{{ vm_template | default('template_jammy_spring_2024')}}"
disk:
- size: "{{ (old_vm_info.virtual_machines[0].allocated.storage / 1024) | int }}kb"
# we are not able to use 'type: thin' with our fall 2024 templates
# type: thin
datastore: "{{ old_vm_info.virtual_machines[0].datastore_url }}"
# TODO: Add another disk from an existing VMDK
hardware:
memory_mb: "{{ old_vm_info.virtual_machines[0].allocated.memory | int | default('16384') }}"
num_cpus: "{{ old_vm_info.virtual_machines[0].allocated.cpu | int | default('2') }}"
num_cpu_cores_per_socket: "{{ vm_cpu_cores | default('1') }}"
scsi: paravirtual
version: latest # Hardware version of virtual machine
boot_firmware: "efi"
cdrom:
- controller_number: 0
unit_number: 0
state: present
networks:
- name: "{{ vm_network }}"
wait_for_ip_address: true
register: new_vm_deets

- name: view new VM details
ansible.builtin.debug:
var: new_vm_deets

- name: power down the VM so we can mess with the network settings
community.vmware.vmware_guest_powerstate:
hostname: "{{ vcenter_hostname }}"
username: "{{ vcenter_username }}"
password: "{{ vcenter_password }}"
validate_certs: false
datacenter: "{{ vcenter_datacenter }}"
# new VM var does not include UUID; use moid, which is unique in each vCenter instance
moid: "{{ new_vm_deets.instance.moid }}"
state: powered-off

- name: delete NIC with automatic mac address
community.vmware.vmware_guest_network:
hostname: "{{ vcenter_hostname }}"
username: "{{ vcenter_username }}"
password: "{{ vcenter_password }}"
validate_certs: false
datacenter: "{{ vcenter_datacenter }}"
# new VM var does not include UUID; use moid, which is unique in each vCenter instance
moid: "{{ new_vm_deets.instance.moid }}"
network_name: "{{ vm_network }}"
state: absent
mac_address: "{{ new_vm_deets.instance.hw_eth0.macaddress }}"

- name: add NIC with custom mac address
community.vmware.vmware_guest_network:
hostname: "{{ vcenter_hostname }}"
username: "{{ vcenter_username }}"
password: "{{ vcenter_password }}"
validate_certs: false
datacenter: "{{ vcenter_datacenter }}"
# new VM var does not include UUID; use moid, which is unique in each vCenter instance
moid: "{{ new_vm_deets.instance.moid }}"
folder: "{{ old_vm_info.virtual_machines[0].folder }}"
network_name: "{{ vm_network }}"
device_type: "vmxnet3"
connected: true
mac_address: "{{ old_vm_info.virtual_machines[0].mac_address[0] }}"

- name: Power the new VM on
community.vmware.vmware_guest_powerstate:
hostname: "{{ vcenter_hostname }}"
username: "{{ vcenter_username }}"
password: "{{ vcenter_password }}"
validate_certs: false
datacenter: "{{ vcenter_datacenter }}"
folder: "{{ old_vm_info.virtual_machines[0].folder }}"
# new VM var does not include UUID; use moid, which is unique in each vCenter instance
moid: "{{ new_vm_deets.instance.moid }}"
state: powered-on

- name: Gather details on new VM
community.vmware.vmware_vm_info:
hostname: "{{ vcenter_hostname }}"
username: "{{ vcenter_username }}"
password: "{{ vcenter_password }}"
validate_certs: false
show_datacenter: true
show_mac_address: true
show_allocated: true
show_folder: true
vm_name: "{{ replacement_vm }}"
register: new_vm_info

- name: Print out relevant details of old VM
vars:
msg: |
The VM you replaced had
an UUID of {{ old_vm_info.virtual_machines[0].uuid }}
a mac address of {{ old_vm_info.virtual_machines[0].mac_address[0] }}
in the {{ vm_network }} network
{{ old_vm_info.virtual_machines[0].allocated.cpu }} CPUs
{{ (old_vm_info.virtual_machines[0].allocated.memory | int / 1024) }} GB of memory
{{ old_vm_info.virtual_machines[0].allocated.storage | human_readable }} of disk allocated
ansible.builtin.debug:
msg: "{{ msg.split('\n') }}"

- name: Print out relevant details of new VM
vars:
msg: |
The VM you just created has
an UUID of {{ new_vm_info.virtual_machines[0].uuid }}
a mac address of {{ new_vm_info.virtual_machines[0].mac_address[0] }}
in the {{ vm_network }} network
{{ new_vm_info.virtual_machines[0].allocated.cpu }} CPUs
{{ (new_vm_info.virtual_machines[0].allocated.memory | int / 1024) }} GB of memory
{{ new_vm_info.virtual_machines[0].allocated.storage | human_readable }} of disk allocated
ansible.builtin.debug:
msg: "{{ msg.split('\n') }}"

- name: Remove old host from TowerDeploy1 known hosts
ansible.builtin.known_hosts:
path: /home/deploy/.ssh/known_hosts
name: "{{ replacement_vm }}.princeton.edu"
state: "absent"
delegate_to: towerdeploy1.princeton.edu
become: true
become_user: deploy

post_tasks:
- name: send information to slack
ansible.builtin.include_tasks:
file: slack_tasks_end_of_playbook.yml
Loading