From cf2906ff33034eee1cb0b8c6f5fc33d757691d4b Mon Sep 17 00:00:00 2001 From: Piotr Rogowski Date: Wed, 10 Apr 2024 14:38:23 +0200 Subject: [PATCH] Implement rds ssl requirement This enables required ssl connection to magento enforces ssl connection for rds uses secure connection for provisioning actions Keep in mind this does not do certificate verification --- group_vars/all.yml | 19 +- requirements-python.txt | 11 +- .../defaults/main/app-etc.yml | 61 +++--- .../tasks/000-prepare-runtime-config.yml | 102 +++++----- .../tasks/080-core-config.yml | 8 +- .../tasks/action/configure-env.yml | 188 +++++++++--------- 6 files changed, 214 insertions(+), 175 deletions(-) diff --git a/group_vars/all.yml b/group_vars/all.yml index 9cd1b7307..72140b09f 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -492,13 +492,21 @@ aws_rds_encryption_key_name: "{{ mageops_app_name }}-db" # Default configuration tunes for MySQL aws_rds_param_group_params_default: - log_bin_trust_function_creators: 1 - max_heap_table_size: 67108864 - tmp_table_size: 67108864 - explicit_defaults_for_timestamp: 1 + log_bin_trust_function_creators: 1 + max_heap_table_size: 67108864 + tmp_table_size: 67108864 + explicit_defaults_for_timestamp: 1 + +aws_rds_param_group_params_require_ssl: + require_secure_transport: 1 + +aws_rds_param_group_params_tpl: +- "{{ aws_rds_param_group_params_default }}" +- "{{ mageops_mysql_require_ssl | ternary(aws_rds_param_group_params_require_ssl, {}) }}" +- "{{ aws_rds_param_group_params_extra | default({}) }}" # Parameters to tune MySQL configuration -aws_rds_param_group_params: "{{ aws_rds_param_group_params_default | combine(aws_rds_param_group_params_extra | default({}), recursive=True) }}" +aws_rds_param_group_params: "{{ aws_rds_param_group_params_tpl | combine }}" # Storage encryption aws_rds_storage_encrypt: "{{ mageops_encryption }}" 
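Review bot: `aws_rds_param_group_params` now merges the list with a bare `combine` and drops the `recursive=True` the replaced line used, so nested keys in `aws_rds_param_group_params_extra` would be overwritten rather than merged; RDS parameter groups are flat so this is probably harmless, but `combine(recursive=True)` would keep the old contract unchanged. `require_secure_transport` also only exists on MySQL 5.7.8+ / 8.0 engines, so applying this parameter group to an older engine version would fail, and once applied the server rejects every non-TLS client, not only the ones this commit updates. I would document that on the new dict: `# Server rejects plaintext connections (MySQL >= 5.7.8); every DB consumer must be TLS-capable before this is enabled`.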
@@ -674,6 +682,7 @@ php_opcache_prewarm_dirs: # MySQL instance shall be provisioned? (or provide host) mageops_mysql_create: yes mageops_mysql_host: +mageops_mysql_require_ssl: no # Root DB password, not used directly by the application, needed for managing app dbs and users mageops_mysql_root_user: root diff --git a/requirements-python.txt b/requirements-python.txt index a6deb79fb..b335fa82a 100644 --- a/requirements-python.txt +++ b/requirements-python.txt @@ -16,7 +16,16 @@ netaddr # needed for managing databases (e.g. creating project db in infra step) # mysql -PyMySQL +# We are using a fork of PyMySQL that has SSL enabled by default +# Ansible ansible_util does not allow setting ssl parameter without setting ca_cert at the same time +# This could be workarounded by using config_file parameter but this only works when implementation +# uses real mysql client and not PyMySQL +# PyMySQL implementation also loads the config file but it does not support setting ssl parameter +# while it makes inpossible to enable ssl without providing certificate, implementation supports such scenario +# in later code. This is why we are using forked version of PyMySQL that enables ssl by default +# when it's not explicitly disabled. This should be always safe, because if ssl is not enabled on server +# implementation will fallback to non-ssl connection. +git+https://github.com/mageops/PyMySQL.git@dev-ssl-by-default#egg=PyMySQL # needed for running docker (e.g. building aws lambda artifacts) docker-py diff --git a/roles/cs.magento-configure/defaults/main/app-etc.yml b/roles/cs.magento-configure/defaults/main/app-etc.yml index 7c4680958..394da4c10 100644 --- a/roles/cs.magento-configure/defaults/main/app-etc.yml +++ b/roles/cs.magento-configure/defaults/main/app-etc.yml 
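Review bot: `mageops_mysql_require_ssl: no` is added without a comment although it gates three independent things in this commit (the RDS `require_secure_transport` parameter, the `--ssl` flag on the provisioning `mysql` call, and the `driver_options` injected into env.php), and none of them verifies the server certificate. A one-line comment would stop the next reader from assuming verification: `# Require TLS for all DB connections (RDS parameter, provisioning client, Magento env.php); server certificate is NOT verified`. The surrounding variable block continues outside the hunk.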
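Review bot: The new PyMySQL requirement points at a mutable branch (`@dev-ssl-by-default`) of a fork, with no commit pin, so whatever is pushed to that branch next is what the provisioning tooling executes with the root DB credentials; pin it to a reviewed commit, `git+https://github.com/mageops/PyMySQL.git@<commit sha>#egg=PyMySQL`, or vendor the patch. The comment's safety argument ("will fallback to non-ssl connection") is also exactly the downgrade an on-path attacker wants: with no CA configured, a stripped server capability flag yields a silent plaintext session, so the fallback is only acceptable where `require_secure_transport` is enforced server-side. I would state that caveat in the comment instead of calling the fallback always safe.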
@@ -78,11 +78,20 @@ magento_app_etc_config: install: date: "Tue, 11 Nov 2016 11:11:00 +0000" +magento_mysql_ssl_required: + db: + connection: + default: + # Because we need to serialize and deserialize configuration, we cannot use php constants directly + # Therefore we need here to use the actual value of the constant as keys + driver_options: + 1014: false # \PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT + 1009: /dev/null # \PDO::MYSQL_ATTR_SSL_CA magento_app_etc_config_http_cache: http_cache_hosts: - - host: "{{ magento_varnish_host }}" - port: "{{ magento_varnish_port }}" + - host: "{{ magento_varnish_host }}" + port: "{{ magento_varnish_port }}" # Optional elasticsuite config magento_app_etc_config_elasticsuite: 
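Review bot: `magento_mysql_ssl_required` turns on TLS for the Magento PDO connection but pins `MYSQL_ATTR_SSL_CA` to `/dev/null` and `MYSQL_ATTR_SSL_VERIFY_SERVER_CERT` to `false`, so the application encrypts to whoever answers on the DB host without checking its identity; this matches the commit message, but it belongs at the definition as a comment, e.g. `# Forces TLS without server certificate verification; point 1009 at a CA bundle and set 1014 to true to verify`. A small generalisation would let operators opt into verification without editing the role: `1009: "{{ mageops_mysql_ssl_ca | default('/dev/null') }}"` and `1014: "{{ mageops_mysql_ssl_verify | default(false) }}"` (assuming native Jinja types so the value stays a boolean). The integer keys presumably survive the `to_json` round trip only because PHP normalises numeric string keys back to integers, which is worth a note next to the existing one about constants.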
@@ -112,30 +121,30 @@ magento_app_etc_config_cache_default_redis: magento_app_etc_config_cache_default_redis_l2: cache: - frontend: - default: - backend: \Magento\Framework\Cache\Backend\RemoteSynchronizedCache - backend_options: - remote_backend: "{{ magento_redis_cache_backend_fqcn }}" - remote_backend_options: - persistent: 0 - server: "{{ mageops_redis_host }}" - database: "0" - port: "{{ mageops_redis_port }}" - password: "" - preload_keys: - - EAV_ENTITY_TYPES:hash - - GLOBAL_PLUGIN_LIST:hash - - DB_IS_UP_TO_DATE:hash - - SYSTEM_DEFAULT:hash - local_backend: Cm_Cache_Backend_File - local_backend_options: - cache_dir: "{{ magento_redis_cache_l2_dir }}" - frontend_options: - write_control: false - type: - default: - frontend: default + frontend: + default: + backend: \Magento\Framework\Cache\Backend\RemoteSynchronizedCache + backend_options: + remote_backend: "{{ magento_redis_cache_backend_fqcn }}" + remote_backend_options: + persistent: 0 + server: "{{ mageops_redis_host }}" + database: "0" + port: "{{ mageops_redis_port }}" + password: "" + preload_keys: + - EAV_ENTITY_TYPES:hash + - GLOBAL_PLUGIN_LIST:hash + - DB_IS_UP_TO_DATE:hash + - SYSTEM_DEFAULT:hash + local_backend: Cm_Cache_Backend_File + local_backend_options: + cache_dir: "{{ magento_redis_cache_l2_dir }}" + frontend_options: + write_control: false + type: + default: + frontend: default magento_app_etc_config_cache_page_redis: cache: diff --git a/roles/cs.magento-configure/tasks/000-prepare-runtime-config.yml b/roles/cs.magento-configure/tasks/000-prepare-runtime-config.yml index 1d9bc1605..4e07648f2 100644 --- a/roles/cs.magento-configure/tasks/000-prepare-runtime-config.yml +++ b/roles/cs.magento-configure/tasks/000-prepare-runtime-config.yml 
@@ -2,65 +2,65 @@ # that should be ready for the next ones. - name: Configure magepack JS bundling task hook block: - - name: Configure deploy for bundling - block: - - name: Create bundling configs - set_fact: - magento_magepack_js_bundling_task: - name: "magesuite-magepack-bundle" - image: "mageops/magesuite-magepack" - workdir: "{{ magento_release_dir }}" - commandline: "" - container_workdir: "/workdir" - user: "{{ magento_uid }}:{{ magento_gid }}" - # If magepack fails, it should keep magento in working condition - # we want to continue deployment even if magepack couldn't succeed - ignore_error: yes + - name: Configure deploy for bundling + block: + - name: Create bundling configs + set_fact: + magento_magepack_js_bundling_task: + name: "magesuite-magepack-bundle" + image: "mageops/magesuite-magepack" + workdir: "{{ magento_release_dir }}" + commandline: "" + container_workdir: "/workdir" + user: "{{ magento_uid }}:{{ magento_gid }}" + # If magepack fails, it should keep magento in working condition + # we want to continue deployment even if magepack couldn't succeed + ignore_error: yes - - name: Append the bundling task config to the task list - set_fact: - magento_scd_containerized_tasks: "{{ magento_scd_containerized_tasks + [magento_magepack_js_bundling_task] }}" + - name: Append the bundling task config to the task list + set_fact: + magento_scd_containerized_tasks: "{{ magento_scd_containerized_tasks + [magento_magepack_js_bundling_task] }}" when: magento_scd_advanced_js_bundling and magento_scd_advanced_js_bundling_strategy == 'magepack' - name: Configure baler JS bundling task hook block: - - name: Configure deploy for bundling - block: - - name: Create bundling configs - set_fact: - magento_baler_js_bundling_task: - name: "magesuite-baler-bundle" - image: "mageops/magesuite-baler:v0.1.1" - workdir: "{{ magento_release_dir }}" - commandline: "" - container_workdir: "/workdir" - user: "{{ magento_uid }}:{{ magento_gid }}" + - name: Configure deploy for 
bundling + block: + - name: Create bundling configs + set_fact: + magento_baler_js_bundling_task: + name: "magesuite-baler-bundle" + image: "mageops/magesuite-baler:v0.1.1" + workdir: "{{ magento_release_dir }}" + commandline: "" + container_workdir: "/workdir" + user: "{{ magento_uid }}:{{ magento_gid }}" - magento_baler_js_bundling_core_config: - - name: Enable baler bundling - path: "dev/js/enable_baler_js_bundling" - value: "1" - - name: Disable JS merging (because baler bundling is enabled) - path: "dev/js/merge_files" - value: "0" - - name: Disable JS minification (because baler bundling is enabled) - path: "dev/js/minify_files" - value: "0" - - name: Disable JS bundling (baler bundling is enabled) - path: "dev/js/enable_js_bundling" - value: "0" - - name: Disable MageSuite JavaScript defer. - path: "deferjs/general/active" - value: "0" + magento_baler_js_bundling_core_config: + - name: Enable baler bundling + path: "dev/js/enable_baler_js_bundling" + value: "1" + - name: Disable JS merging (because baler bundling is enabled) + path: "dev/js/merge_files" + value: "0" + - name: Disable JS minification (because baler bundling is enabled) + path: "dev/js/minify_files" + value: "0" + - name: Disable JS bundling (baler bundling is enabled) + path: "dev/js/enable_js_bundling" + value: "0" + - name: Disable MageSuite JavaScript defer. 
+ path: "deferjs/general/active" + value: "0" - - name: Append the bundling task config to the task list - set_fact: - magento_scd_containerized_tasks: "{{ magento_scd_containerized_tasks + [magento_baler_js_bundling_task] }}" + - name: Append the bundling task config to the task list + set_fact: + magento_scd_containerized_tasks: "{{ magento_scd_containerized_tasks + [magento_baler_js_bundling_task] }}" - - name: Ensure that Magento's js minification, merging and bundling is disabled - set_fact: - magento_core_config_settings: "{{ magento_core_config_settings + magento_baler_js_bundling_core_config }}" + - name: Ensure that Magento's js minification, merging and bundling is disabled + set_fact: + magento_core_config_settings: "{{ magento_core_config_settings + magento_baler_js_bundling_core_config }}" when: magento_scd_advanced_js_bundling and magento_scd_advanced_js_bundling_strategy == 'baler' - name: Install required python modules @@ -70,7 +70,7 @@ state: present - name: Check if database is initialized - command: mysql -N --batch -u {{ mageops_app_mysql_user|quote }} -p{{ mageops_app_mysql_pass|quote }} -h {{ mageops_mysql_host|quote }} -e "SHOW TABLES FROM `{{ mageops_app_mysql_db }}` LIKE 'admin_user';" + command: mysql {{ mageops_mysql_require_ssl | ternary("--ssl", "") }} -N --batch -u {{ mageops_app_mysql_user|quote }} -p{{ mageops_app_mysql_pass|quote }} -h {{ mageops_mysql_host|quote }} -e "SHOW TABLES FROM `{{ mageops_app_mysql_db }}` LIKE 'admin_user';" changed_when: false register: admins diff --git a/roles/cs.magento-configure/tasks/080-core-config.yml b/roles/cs.magento-configure/tasks/080-core-config.yml index 2bfe10b11..d626edf10 100644 --- a/roles/cs.magento-configure/tasks/080-core-config.yml +++ b/roles/cs.magento-configure/tasks/080-core-config.yml 
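Review bot: The `--ssl` switch added to the `mysql` probe is not portable across the clients the target host may carry: the MySQL 8.0 client removed `--ssl` (`--ssl-mode=REQUIRED` replaces it), and on older MySQL and some MariaDB clients `--ssl` alone has meant "prefer" rather than "require", so the task can either fail with an unknown option or quietly connect in plaintext depending on the installed package; which client is present is not visible in the hunk. Pinning the semantics with `--ssl-mode=REQUIRED` (MySQL) or `--ssl --ssl-verify-server-cert` plus a CA (MariaDB) is safer. This probe also still runs on the target host while the `mysql_query` tasks in the same commit are delegated to the controller, so the two paths exercise different clients and different TLS defaults. The password in argv (`-p...`) predates this change but remains visible in process listings.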
@@ -9,7 +9,9 @@ magento_core_config_settings: "{{ magento_core_config_settings + _extra_items }}" when: magento_varnish_host | default(false, true) -- name: Ensure core config database settings' values +- name: Ensure core config database settings values + delegate_to: localhost + become: no mysql_query: name: "{{ mageops_app_mysql_db }}" table: core_config_data @@ -29,6 +31,8 @@ loop_var: magento_db_setting - name: Ensure core config database default values (no update if exists) + delegate_to: localhost + become: no mysql_query: name: "{{ mageops_app_mysql_db }}" table: core_config_data @@ -47,6 +51,8 @@ loop_var: magento_db_setting - name: Ensure core config database settings are absent (defaults are used) + delegate_to: localhost + become: no mysql_query: state: absent name: "{{ mageops_app_mysql_db }}" diff --git a/roles/cs.magento-configure/tasks/action/configure-env.yml b/roles/cs.magento-configure/tasks/action/configure-env.yml index b896c54e6..995a57856 100644 --- a/roles/cs.magento-configure/tasks/action/configure-env.yml +++ b/roles/cs.magento-configure/tasks/action/configure-env.yml 
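Review bot: Delegating the three `mysql_query` tasks to `localhost` moves the core_config_data writes from the target host to the Ansible controller, which now needs network reachability to the DB host (RDS security group) and the forked PyMySQL from requirements-python.txt in its interpreter; neither is checked here, and if the controller's interpreter carries stock PyMySQL the connection quietly goes plaintext unless the server enforces `require_secure_transport`. A why-comment on each delegated task would keep that visible, e.g. `# Runs on the controller: relies on the SSL-by-default PyMySQL fork from requirements-python.txt; controller must reach the DB host`. `mysql_query` also accepts `ca_cert` (and newer community.mysql releases `check_hostname`), so a variable for the CA bundle would make verification possible without the fork. The module arguments of each task continue outside the hunk.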
@@ -1,107 +1,113 @@ - name: Configure Magento environment (env.php) block: - - name: Enable HTTP cache - when: magento_http_cache_enable - set_fact: - magento_app_etc_config: >- - {{ magento_app_etc_config - | combine(magento_app_etc_config_http_cache, recursive=true) }} + - name: Enable HTTP cache + when: magento_http_cache_enable + set_fact: + magento_app_etc_config: >- + {{ magento_app_etc_config + | combine(magento_app_etc_config_http_cache, recursive=true) }} - - name: Enable ElasticSuite configuration - when: elasticsuite_version | default(false, true) - set_fact: - magento_app_etc_config: >- - {{ magento_app_etc_config - | combine(magento_app_etc_config_elasticsuite, recursive=true) }} - - - name: Configure Redis caching - when: magento_redis_cache - block: - - name: Enable default Redis cache - when: not magento_redis_cache_l2 - set_fact: - magento_app_etc_config: >- - {{ magento_app_etc_config - | combine(magento_app_etc_config_cache_default_redis, recursive=true) }} - - - name: Enable 2-level default Redis cache - when: magento_redis_cache_l2 - set_fact: - magento_app_etc_config: >- - {{ magento_app_etc_config - | combine(magento_app_etc_config_cache_default_redis_l2, recursive=true) }} - - - name: Configure Redis page cache - set_fact: - magento_app_etc_config: >- - {{ magento_app_etc_config - | combine(magento_app_etc_config_cache_page_redis, recursive=true) }} - - - name: Enable RabbitMQ queue configuration - when: magento_rabbitmq_queue - set_fact: - magento_app_etc_config: >- - {{ magento_app_etc_config - | combine(magento_app_etc_config_queue_rabbitmq, recursive=true) }} + - name: Enable ElasticSuite configuration + when: elasticsuite_version | default(false, true) + set_fact: + magento_app_etc_config: >- + {{ magento_app_etc_config + | combine(magento_app_etc_config_elasticsuite, recursive=true) }} - - name: Adjust configuration for consumer workers - when: magento_consumer_workers_enable + - name: Configure Redis caching + when: 
magento_redis_cache + block: + - name: Enable default Redis cache + when: not magento_redis_cache_l2 set_fact: magento_app_etc_config: >- {{ magento_app_etc_config - | combine(magento_app_etc_config_consumer_workers, recursive=true) }} + | combine(magento_app_etc_config_cache_default_redis, recursive=true) }} - - name: Adjust configuration for cron consumers - when: magento_cron_consumers_enable + - name: Enable 2-level default Redis cache + when: magento_redis_cache_l2 set_fact: magento_app_etc_config: >- {{ magento_app_etc_config - | combine(magento_app_etc_config_cron_consumers, recursive=true) }} + | combine(magento_app_etc_config_cache_default_redis_l2, recursive=true) }} - - name: Configure X-Magento-Vary cookie signing - when: magento_vary_sign + - name: Configure Redis page cache set_fact: magento_app_etc_config: >- {{ magento_app_etc_config - | combine(magento_app_etc_config_cookie_sign, recursive=true) }} + | combine(magento_app_etc_config_cache_page_redis, recursive=true) }} - - name: Set extra options - set_fact: - magento_app_etc_config: >- - {{ magento_app_etc_config - | combine(magento_app_etc_config_extra, recursive=true) }} - - - name: Export configuration as PHP code - command: - stdin: "{{ magento_app_etc_config | to_json }}" - argv: - - php - - -r - - >- - echo "- + {{ magento_app_etc_config + | combine(magento_app_etc_config_queue_rabbitmq, recursive=true) }} + + - name: Adjust configuration for consumer workers + when: magento_consumer_workers_enable + set_fact: + magento_app_etc_config: >- + {{ magento_app_etc_config + | combine(magento_app_etc_config_consumer_workers, recursive=true) }} + + - name: Adjust configuration for cron consumers + when: magento_cron_consumers_enable + set_fact: + magento_app_etc_config: >- + {{ magento_app_etc_config + | combine(magento_app_etc_config_cron_consumers, recursive=true) }} + + - name: Configure X-Magento-Vary cookie signing + when: magento_vary_sign + set_fact: + magento_app_etc_config: >- + {{ 
magento_app_etc_config + | combine(magento_app_etc_config_cookie_sign, recursive=true) }} + + - name: Enable mysql ssl requirement + when: mageops_mysql_require_ssl + set_fact: + magento_app_etc_config: >- + {{ magento_app_etc_config + | combine(magento_mysql_ssl_required, recursive=true) }} + + - name: Set extra options + set_fact: + magento_app_etc_config: >- + {{ magento_app_etc_config + | combine(magento_app_etc_config_extra, recursive=true) }} + + - name: Export configuration as PHP code + command: + stdin: "{{ magento_app_etc_config | to_json }}" + argv: + - php + - -r + - >- + echo "