Summary
It would be useful if the role could manage custom Elasticsearch security roles via role variables, similar to how it manages other Elasticsearch configuration.
Current situation
Users need to write individual ansible.builtin.uri tasks for each custom ES role:
```yaml
- name: Create logstash_writer role
  ansible.builtin.uri:
    url: "https://{{ inventory_hostname }}:9200/_security/role/logstash_writer"
    method: PUT
    # ... auth boilerplate ...
    body:
      cluster: [manage_index_templates, monitor, manage_ilm]
      indices:
        - names: ["*"]
          privileges: [write, delete, create_index, manage, manage_ilm]
    body_format: json
```
Proposed solution
Add a role variable like:
```yaml
elasticsearch_security_roles:
  - name: logstash_writer
    cluster: [manage_index_templates, monitor, manage_ilm]
    indices:
      - names: ["*"]
        privileges: [write, delete, create_index, manage, manage_ilm]
  - name: sensu_user
    cluster: [monitor]
    indices:
      - names: ["filebeat-*", "metricbeat-*"]
        privileges: [all]
```
The role would loop over this list and create the roles via the _security/role API. Combined with #65 (user management) and #66 (role mappings), this would allow full declarative security configuration via role variables.
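One way the proposed loop over `elasticsearch_security_roles` could be written, as an added example that is not code from the role or from the issue author. The variables `elasticsearch_api_user`, `elasticsearch_api_password` and `elasticsearch_ca_cert` are assumed names, and the role-name pattern is a deliberately strict choice made for this example.

```yaml
# Added example (hypothetical tasks file; not part of the role).
# Assumed variables: elasticsearch_api_user, elasticsearch_api_password
# (keep it in Ansible Vault) and elasticsearch_ca_cert (path to the CA bundle).

- name: Validate custom security role definitions
  ansible.builtin.assert:
    that:
      - item.name is defined
      # Assumption: restrict names to a URL-safe set, because the name
      # is interpolated into the request path below.
      - item.name is match('^[A-Za-z0-9_.-]+$')
      - item.cluster is defined or item.indices is defined
    fail_msg: "Invalid entry in elasticsearch_security_roles: {{ item }}"
    quiet: true
  loop: "{{ elasticsearch_security_roles | default([]) }}"
  loop_control:
    label: "{{ item.name | default('unnamed') }}"

- name: Create or update custom security roles
  ansible.builtin.uri:
    url: "https://{{ inventory_hostname }}:9200/_security/role/{{ item.name | urlencode }}"
    method: PUT
    user: "{{ elasticsearch_api_user }}"
    password: "{{ elasticsearch_api_password }}"
    force_basic_auth: true
    validate_certs: true
    ca_path: "{{ elasticsearch_ca_cert }}"
    # Send every key of the entry except "name" as the role definition.
    body: "{{ item | dict2items | rejectattr('key', 'equalto', 'name') | items2dict }}"
    body_format: json
    status_code: 200
  register: es_role_put
  # The API reports only whether the role was newly created, so an update
  # to an existing role shows as "ok" rather than "changed".
  changed_when: es_role_put.json.role.created | default(false)
  loop: "{{ elasticsearch_security_roles | default([]) }}"
  loop_control:
    label: "{{ item.name }}"
```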