Puppet Plan: complyadm::migrate

Defined in:
plans/migrate.pp

Summary

Install Security Compliance Management 3.x and migrate data from 2.x.

Overview

Use this plan to migrate data from Security Compliance Management 2.x. The plan installs a fresh instance of Security Compliance Management 3.x and allows you to migrate any 2.x data to the new install. For complete instructions on how to use this plan to migrate from 2.x to 3.x, see www.puppet.com/docs/comply/3.x/comply_bolt_migrate.

Parameters:

  • ignore_failing_preflights (Optional[Boolean]) (defaults to: false)

    Setting to true will ignore failed preflight checks.

  • upload_images (Optional[Boolean]) (defaults to: true)

    Setting to true will download the images to the local machine (using curl) from a public GCS bucket and then upload them to the install target. Setting to false will pull the images directly from the registry onto the install target.



# File 'plans/migrate.pp', line 9

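plan complyadm::migrate(
  Optional[Boolean] $ignore_failing_preflights = false,
  Optional[Boolean] $upload_images = true
) {
  # Flow: check the Bolt version, print the entitlement banner, bootstrap the
  # 2.x target, make sure the PE and Comply certificate values exist, install
  # 3.x from config, migrate the 2.x database, restart services, then copy the
  # pepper and PAT salt from the 2.x cluster to the 3.x backend.
  run_plan('complyadm::check_bolt_version')

  $message = @("MESSAGE")

===================================================================================================

  Puppet Enterprise customers are entitled to use the full Puppet Enterprise Suite:
  - Puppet Enterprise
  - Security Compliance Management
  - Continuous Delivery

  At the end of this Security Compliance Management installation process, you'll have the option
  to separately install Continuous Delivery.

  See https://www.puppet.com/docs/comply/3.x/comply.html for more information.

===================================================================================================

    | MESSAGE

  out::message($message)

  # The value returned here is reused below: its name is handed to the database
  # migration plan, and the kubectl secret lookup runs against it.
  $comply_2_target = run_plan('complyadm::install::from_2x::bootstrap')

  #TODO: Decide on min version we need to upgrade from and update below preflight
  #  $migration_version_check_result = run_plan('complyadm::preflight::migration_version_check', {
  #      comply_2_target => $comply_2_target,
  #  })
  #  
  #  out::message(complyadm::checks::format_results('migration_version_check: Checking for minimum Comply version needed #for migration', $migration_version_check_result))
  #  if(length($migration_version_check_result[failed]) > 0) {
  #      fail_plan('One or more preflight checks did not pass', 'comply/error')
  #  }

  # If any of the PE mTLS values is still empty in data/common.yaml, run the
  # plan that configures them.
  $tls_crt = complyadm::get_yaml_key_value('tls_crt', 'data/common.yaml')
  $tls_key = complyadm::get_yaml_key_value('tls_key', 'data/common.yaml')
  $ca_crt = complyadm::get_yaml_key_value('ca_crt', 'data/common.yaml')
  if $tls_crt == '' or $tls_key == '' or $ca_crt == '' {
    run_plan('complyadm::configure_pe_certs')
  }

  # If any of the Comply TLS values is still empty, run the plan that
  # configures them. All three values read here are checked, mirroring the PE
  # check above; previously $private_key was tested twice and $crl was read but
  # never examined, so a missing CRL went unnoticed.
  # NOTE(review): assumes an empty crl should also trigger configuration -
  # confirm against complyadm::configure_comply_certs.
  $cert_chain = complyadm::get_yaml_key_value('cert_chain', 'data/common.yaml')
  $private_key = complyadm::get_yaml_key_value('private_key', 'data/common.yaml')
  $crl = complyadm::get_yaml_key_value('crl', 'data/common.yaml')
  if $cert_chain == '' or $private_key == '' or $crl == '' {
    run_plan('complyadm::configure_comply_certs')
  }

  # Both plan parameters are forwarded unchanged, so ignore_failing_preflights
  # takes effect inside complyadm::install_from_config, not in this plan.
  run_plan('complyadm::install_from_config', {
      'ignore_failing_preflights' => $ignore_failing_preflights,
      'upload_images' => $upload_images
  })

  out::message('Migrating data from 2.x database.')
  run_plan('complyadm::install::from_2x::migrate_database', { comply_2_target_name => $comply_2_target.name, })

  out::message('Restarting Services.')
  run_plan('complyadm::ctl', { 'service' => 'all', 'action' => 'restart' })

  $kubernetes_conf = '/etc/kubernetes/admin.conf'

  $config = complyadm::config()

  # Read the comply-scarpy Kubernetes secret on the 2.x target, using the admin
  # kubeconfig, and parse the JSON that kubectl prints. The 'pepper' and
  # 'pat_salt' entries are base64-decoded before use.
  # NOTE(review): the command output and the decoded values are secret material
  # held as plain plan data - confirm that Bolt logging at the verbosity used
  # for migrations does not record them.
  $comply_scarpy_secret = run_command('kubectl get secret comply-scarpy -o jsonpath=\'{.data}\'', $comply_2_target, _env_vars => { 'KUBECONFIG' => $kubernetes_conf })[0].value['stdout'].parsejson
  $pepper = base64('decode', $comply_scarpy_secret['pepper'])
  $pat_salt = base64('decode', $comply_scarpy_secret['pat_salt'])

  # Only the first backend target listed in the config receives the secrets.
  $target = $config['roles']['backend']['targets'][0]

  # The task runs as root and receives the salt and pepper as ordinary task
  # parameters.
  # NOTE(review): confirm the task metadata marks 'salt' and 'pepper' as
  # sensitive so Bolt redacts them from its output.
  $result = run_task(
    'complyadm::migrate_secrets',
    $target,
    {
      'runtime' => $config['runtime'],
      'salt' => $pat_salt,
      'pepper' => $pepper,
      '_run_as' => 'root',
    },
  )
  # Abort the plan when the first result does not report success.
  if(!$result[0]['successful']) {
    fail_plan('Failed to migrate salt and pepper. Please consider removing and readding your PE.')
  }
}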