infamousjoeg.provisioning

Provisioning

This is an Ansible role that helps simplify the process of adding accounts to CyberArk's Core Privileged Access Security (PAS) using CyberArk's Management API.

Available on Ansible Galaxy

Requirements

You need Ansible version 2.5 or higher.

Role Variables

| Variable | Description | Required? |
|---|---|---|
| cyberark_api_base_url | The main URL for the CyberArk Management API (e.g., https://pvwa.cyberark.com) | Yes |
| cyberark_auth_type | The method of authentication (CyberArk/LDAP/Radius/Windows) | Yes |
| cyberark_validate_certs | Whether to validate SSL certificates (yes/no) | No |
| cyberark_username | The username allowed to use the API | Yes |
| cyberark_password | The password for the API username | Yes |
| cyberark_acct_name | The unique "Name" for the credential object from PVWA | Yes |
| cyberark_acct_address | The address for the credential object from PVWA | No |
| cyberark_acct_username | The username for the credential object from PVWA | No |
| cyberark_acct_password | The password for the credential object from PVWA | No |
| cyberark_acct_platformId | The platform for managing the credential object | Yes |
| cyberark_acct_safeName | The safe to store the credential object | Yes |
| cyberark_acct_secretType | The type of secret being added (password/key) | Yes |
| cyberark_acct_autoManagement | Whether to enable or disable automatic management of the credential object (yes/no) | No |
| cyberark_acct_manualReason | Reason for disabling automatic management | No |

Example Playbook

Here is an example of setting up a LAMP stack and onboarding the MySQL database administrator created during MySQL initialization.

---
- hosts: localhost

  pre_tasks:
    - name: Install Apache & PHP
      yum:
        name: ['httpd', 'php', 'php-mysql']
        state: present

    - name: Install Necessary Dependencies
      yum:
        name: ['git', 'wget', 'curl', 'jq', 'libsemanage-python']
        state: present

    - name: Start Apache
      service:
        name: httpd
        state: started
        enabled: yes

    - name: Configure SELinux for Database Connectivity
      seboolean:
        name: httpd_can_network_connect_db
        state: true
        persistent: yes

    - name: Create index.php Start Page
      copy:
        dest: "/var/www/html/index.php"
        content: |
          <?php echo "Hello World!"; ?>

    - name: Install MariaDB
      yum:
        name: ['mariadb-server', 'MySQL-python']
        state: present

    - name: Configure SELinux for MySQL
      seboolean:
        name: mysql_connect_any
        state: true
        persistent: yes

    - name: Start MySQL Service
      service:
        name: mariadb
        state: started
        enabled: yes

    - name: Create a New Database
      mysql_db:
        name: demo
        state: present
        collation: utf8_general_ci

    - name: Set Current Remote Machine Hostname
      set_fact:
        mysql_address: "{{ inventory_hostname }}"

    - name: Set MySQL Database Username
      set_fact:
        mysql_username: demo

    - name: Set Randomized MySQL User Password
      set_fact:
        mysql_password: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters') }}"
      no_log: yes

    - name: Create a Database User
      mysql_user:
        name: "{{ mysql_username }}"
        password: "{{ mysql_password }}"
        priv: "*.*:ALL"
        host: localhost
        state: present

    - name: Copy Sample Data to Temporary Location
      copy:
        src: files/dump.sql
        dest: /tmp/dump.sql

    - name: Insert Sample Data into MySQL
      # The password is passed on the mysql command line, so it is visible in the
      # process list while the import runs and in Ansible's task output; outside a
      # demo, prefer the mysql_db module (state: import, target: /tmp/dump.sql)
      # and set no_log: yes on the task.
      shell: "mysql -u {{ mysql_username }} -p{{ mysql_password }} demo < /tmp/dump.sql"

    - name: Restart Apache
      service:
        name: httpd
        state: restarted

    - name: Install Database Connection PHP Script
      copy:
        src: files/db.php
        dest: /var/www/html/db.php

  roles:
    - role: infamousjoeg.provisioning
      cyberark_api_base_url: https://components.cyberarkdemo.example
      cyberark_auth_type: LDAP
      # Disables verification of the PVWA TLS certificate; acceptable only in a lab
      cyberark_validate_certs: no
      cyberark_username: Svc_ProvTest_Fedora
      # Demo value; in real use keep the API password out of the playbook
      # (ansible-vault or a credential lookup)
      cyberark_password: Cyberark1
      cyberark_acct_name: TEST-AUTO-ONBOARD-{{ mysql_address }}-{{ mysql_username }}
      cyberark_acct_address: "{{ mysql_address }}"
      cyberark_acct_username: "{{ mysql_username }}"
      cyberark_acct_password: "{{ mysql_password }}"
      cyberark_acct_platformId: MySQL
      cyberark_acct_safeName: TEST-AUTO-ONBOARD
      cyberark_acct_secretType: password
      cyberark_acct_autoManagement: no
      cyberark_acct_manualReason: For demo purposes
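The role variables above are, in effect, the inputs to two PVWA REST calls: a Logon that returns a session token, then an Add Account that creates the credential object in the safe. The following Python is an added example and is not code from the role or from CyberArk; it assumes the role targets the public PAS REST API (POST /PasswordVault/API/auth/<type>/Logon and POST /PasswordVault/api/Accounts, with the field names of that API). It builds both requests offline from a role-variable dictionary, checks the "Required?" column, carries the cyberark_validate_certs choice through as a TLS-verification flag, and masks secrets before a request is printed. EXAMPLE_VARS is constructed from the role block of the playbook above with the Jinja-templated values filled in by hand.

```python
import copy
import json

# Variables the role table marks "Required?: Yes".
REQUIRED = (
    "cyberark_api_base_url", "cyberark_auth_type", "cyberark_username",
    "cyberark_password", "cyberark_acct_name", "cyberark_acct_platformId",
    "cyberark_acct_safeName", "cyberark_acct_secretType",
)
# Logon endpoint segment for each accepted auth type (input matched case-insensitively).
AUTH_TYPES = {"cyberark": "CyberArk", "ldap": "LDAP", "radius": "RADIUS", "windows": "Windows"}
SECRET_BODY_KEYS = ("password", "secret")

# Constructed sample input (values filled in by hand, not real credentials).
EXAMPLE_VARS = {
    "cyberark_api_base_url": "https://components.cyberarkdemo.example",
    "cyberark_auth_type": "LDAP",
    "cyberark_validate_certs": "no",
    "cyberark_username": "Svc_ProvTest_Fedora",
    "cyberark_password": "Cyberark1",
    "cyberark_acct_name": "TEST-AUTO-ONBOARD-db1.example.test-demo",
    "cyberark_acct_address": "db1.example.test",
    "cyberark_acct_username": "demo",
    "cyberark_acct_password": "demo-db-password",
    "cyberark_acct_platformId": "MySQL",
    "cyberark_acct_safeName": "TEST-AUTO-ONBOARD",
    "cyberark_acct_secretType": "password",
    "cyberark_acct_autoManagement": "no",
    "cyberark_acct_manualReason": "For demo purposes",
}


def to_bool(value, default):
    """Interpret Ansible-style yes/no values; None means the variable was not set."""
    if value is None:
        return default
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("yes", "true", "on", "1")


def validate(role_vars):
    """Return a list of problems with the variables (empty when they are usable)."""
    problems = [f"missing required variable {k}" for k in REQUIRED if not role_vars.get(k)]
    if problems:
        return problems
    if str(role_vars["cyberark_auth_type"]).lower() not in AUTH_TYPES:
        problems.append(f"unsupported cyberark_auth_type {role_vars['cyberark_auth_type']!r}")
    if role_vars["cyberark_acct_secretType"] not in ("password", "key"):
        problems.append("cyberark_acct_secretType must be 'password' or 'key'")
    return problems


def _base_url(role_vars):
    problems = validate(role_vars)
    if problems:
        raise ValueError("; ".join(problems))
    return role_vars["cyberark_api_base_url"].rstrip("/")


def logon_request(role_vars):
    """First call: authenticate; the response body is the session token."""
    base = _base_url(role_vars)
    auth = AUTH_TYPES[str(role_vars["cyberark_auth_type"]).lower()]
    return {
        "method": "POST",
        "url": f"{base}/PasswordVault/API/auth/{auth}/Logon",
        "verify_tls": to_bool(role_vars.get("cyberark_validate_certs"), True),
        "body": {"username": role_vars["cyberark_username"],
                 "password": role_vars["cyberark_password"]},
    }


def add_account_request(role_vars, session_token):
    """Second call: create the credential object in the named safe."""
    base = _base_url(role_vars)
    body = {
        "name": role_vars["cyberark_acct_name"],
        "platformId": role_vars["cyberark_acct_platformId"],
        "safeName": role_vars["cyberark_acct_safeName"],
        "secretType": role_vars["cyberark_acct_secretType"],
    }
    # Optional object fields are sent only when the role variable is set.
    for src, dst in (("cyberark_acct_address", "address"),
                     ("cyberark_acct_username", "userName"),
                     ("cyberark_acct_password", "secret")):
        if role_vars.get(src):
            body[dst] = role_vars[src]
    auto = to_bool(role_vars.get("cyberark_acct_autoManagement"), True)
    body["secretManagement"] = {"automaticManagementEnabled": auto}
    if not auto and role_vars.get("cyberark_acct_manualReason"):
        body["secretManagement"]["manualManagementReason"] = role_vars["cyberark_acct_manualReason"]
    return {
        "method": "POST",
        "url": f"{base}/PasswordVault/api/Accounts",
        "verify_tls": to_bool(role_vars.get("cyberark_validate_certs"), True),
        "headers": {"Authorization": session_token, "Content-Type": "application/json"},
        "body": body,
    }


def redacted(request):
    """Deep copy of a request with secret material masked, safe to print or log
    (the same idea as no_log: yes in the playbook)."""
    out = copy.deepcopy(request)
    for key in SECRET_BODY_KEYS:
        if key in out["body"]:
            out["body"][key] = "***"
    if "Authorization" in out.get("headers", {}):
        out["headers"]["Authorization"] = "***"
    return out


if __name__ == "__main__":
    print(json.dumps(redacted(logon_request(EXAMPLE_VARS)), indent=2))
    print(json.dumps(redacted(add_account_request(EXAMPLE_VARS, "session-token")), indent=2))
```

Two points worth noticing when reading the output: cyberark_validate_certs: no turns into verify_tls: False on both calls, which means the API username and password in the Logon body travel to whatever answers at the base URL, so it belongs in a lab only; and the account password never appears in anything printed, which is the property the playbook's no_log: yes provides for the mysql_password fact.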


Test

Requirements

  • Python 2.7.x
  • Docker CE
  • Ansible version 2.5 or higher
  • Run pip install --user molecule
  • Run pip install molecule[docker]

Usage

To test using Ansible Molecule, run:

molecule test

License

MIT

About the project

Onboarding and offboarding of credential objects in CyberArk's Privileged Access Security (PAS) Core solution

Install
ansible-galaxy install infamousjoeg.provisioning

License
mit

Downloads
213

Owner
Sr. DevOps Security Engineer for @cyberark