NETWAYS · widhalmt · Apr 17, 2024 · Jan 22, 2024 · Jan 27, 2024 · Jan 28, 2024
diff --git a/README.md b/README.md
@@ -125,7 +125,7 @@ There are some comments in the Playbook. Either fill them with the correct value
 
 ### Inventory
 
-_Note_: The roles rely on hardcoded group names for placing services on hosts. Please make sure you have groups named `elasticsearch`, `logstash` and `kibana` in your Ansible inventory. Hosts in these groups will get the respective services. Just restricting your plays to the appropriate hosts will not work because the roles interact with hosts from other groups e.g. for certificate generation.
+_Note_: The roles rely on group names for placing services on hosts. Please make sure you have group names defined: `elasticstack_elasticsearch_group_name` (default: `elasticsearch`), `elasticstack_logstash_group_name` (default: `logstash`) and `elasticstack_kibana_group_name` (default: `kibana`) that will match your desired setup in your Ansible inventory. Hosts in these groups will get the respective services. Just restricting your plays to the appropriate hosts will not work because the roles interact with hosts from other groups e.g. for certificate generation.
 
 The execution order of the roles is important! (see below)
 

diff --git a/molecule/elasticsearch_no-security/converge.yml b/molecule/elasticsearch_no-security/converge.yml
@@ -13,6 +13,7 @@
     elasticsearch_heap: "1"
     elasticstack_release: 7
     elasticstack_no_log: false
+    elasticstack_elasticsearch_group_name: elasticsearchXYZ
   tasks:
     - name: Include Elastics repos role
       ansible.builtin.include_role:

diff --git a/molecule/elasticsearch_no-security/molecule.yml b/molecule/elasticsearch_no-security/molecule.yml
@@ -8,7 +8,7 @@ driver:
 platforms:
   - name: elasticsearch-nosecurity1
     groups:
-      - elasticsearch
+      - elasticsearchXYZ
     image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian11}-ansible:latest"
     command: ${MOLECULE_DOCKER_COMMAND:-""}
     volumes:
@@ -18,7 +18,7 @@ platforms:
     pre_build_image: true
   - name: elasticsearch-nosecurity2
     groups:
-      - elasticsearch
+      - elasticsearchXYZ
     image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian11}-ansible:latest"
     command: ${MOLECULE_DOCKER_COMMAND:-""}
     volumes:

diff --git a/molecule/elasticsearch_no-security/verify.yml b/molecule/elasticsearch_no-security/verify.yml
@@ -5,6 +5,7 @@
   hosts: all
   vars:
     elasticstack_elasticsearch_http_port: 9200
+    elasticstack_elasticsearch_group_name: elasticsearchXYZ
   tasks:
 
 # Remember, this is the no-security scenario. So no https
@@ -19,7 +20,7 @@
       until: result.json.status == "green"
       retries: 6
       delay: 10
-      when: groups['elasticsearch'] | length > 1
+      when: groups[elasticstack_elasticsearch_group_name] | length > 1
 
     - name: Node check
       ansible.builtin.uri:
@@ -29,7 +30,7 @@
         status_code: 200
         validate_certs: false
       register: nodes
-      when: groups['elasticsearch'] | length > 1
+      when: groups[elasticstack_elasticsearch_group_name] | length > 1
 
     - name: Check if all Nodes see each other
       ansible.builtin.assert:
@@ -38,4 +39,4 @@
         fail_msg: "'{{ item }}' was not found in nodes.content"
         success_msg: "'{{ item }}' was found in nodes.content"
       with_inventory_hostnames: all
-      when: groups['elasticsearch'] | length > 1
+      when: groups[elasticstack_elasticsearch_group_name] | length > 1
diff --git a/molecule/elasticstack_default/verify.yml b/molecule/elasticstack_default/verify.yml
@@ -5,6 +5,7 @@
   vars:
     elasticstack_elasticsearch_http_port: 9200
     elasticstack_initial_passwords: /usr/share/elasticsearch/initial_passwords
+    elasticstack_elasticsearch_group_name: elasticsearch
   tasks:
 
     - name: Run Logstash syntax check
@@ -22,7 +23,7 @@
 
     - name: Set elasticsearch_ca variable if not already done by user
       ansible.builtin.set_fact:
-        elasticsearch_ca: "{{ groups['elasticsearch'][0] }}"
+        elasticsearch_ca: "{{ groups[elasticstack_elasticsearch_group_name][0] }}"
       when: elasticsearch_ca is undefined
 
     - name: fetch Elastic password
@@ -42,22 +43,22 @@
         sort -n |
         tail -1
       register: logstash_count
-      when: "'elasticsearch' in group_names"
+      when: "elasticstack_elasticsearch_group_name is defined and elasticstack_elasticsearch_group_name in group_names"
 
     - name: Show full output
       ansible.builtin.debug:
         var: logstash_count
-      when: "'elasticsearch' in group_names"
+      when: "elasticstack_elasticsearch_group_name is defined and elasticstack_elasticsearch_group_name in group_names"
 
     - name: Fail when logstash index is empty
       ansible.builtin.fail:
         msg: "Logstash Index is empty"
-      when: "'elasticsearch' in group_names and logstash_count.stdout == 0"
+      when: "elasticstack_elasticsearch_group_name is defined and elasticstack_elasticsearch_group_name in group_names and logstash_count.stdout == 0"
 
     - name: Show number of received events
       ansible.builtin.debug:
         msg: "Elasticsearch received {{ logstash_count.stdout }} events so far"
-      when: "'elasticsearch' in group_names"
+      when: "elasticstack_elasticsearch_group_name is defined and elasticstack_elasticsearch_group_name in group_names"
 
     - name: Run Kibana checks
       when: "'kibana' in group_names"
@@ -112,7 +113,7 @@
       until: result.json.status == "green"
       retries: 6
       delay: 10
-      when: groups['elasticsearch'] | length > 1
+      when: groups[elasticstack_elasticsearch_group_name] | length > 1
 
     - name: Elasticsearch Node check
       ansible.builtin.uri:
@@ -125,7 +126,7 @@
         status_code: 200
         validate_certs: false
       register: nodes
-      when: groups['elasticsearch'] | length > 1
+      when: groups[elasticstack_elasticsearch_group_name] | length > 1
 
     - name: Check if all Nodes see each other
       ansible.builtin.assert:
@@ -134,5 +135,5 @@
         fail_msg: "'{{ item }}' was not found in nodes.content"
         success_msg: "'{{ item }}' was found in nodes.content"
       with_inventory_hostnames: all
-      when: groups['elasticsearch'] | length > 1
+      when: groups[elasticstack_elasticsearch_group_name] | length > 1
 
diff --git a/molecule/logstash_full_stack-oss/verify.yml b/molecule/logstash_full_stack-oss/verify.yml
@@ -25,16 +25,16 @@
       sort -n |
       tail -1
     register: logstash_count
-    when: "'elasticsearch' in group_names"
+    when: "elasticstack_elasticsearch_group_name is defined and elasticstack_elasticsearch_group_name in group_names"
   - name: Show full output
     ansible.builtin.debug:
       var: logstash_count
-    when: "'elasticsearch' in group_names"
+    when: "elasticstack_elasticsearch_group_name is defined and elasticstack_elasticsearch_group_name in group_names"
   - name: Fail when logstash is empty
     ansible.builtin.fail:
       msg: "Logstash Index is empty"
-    when: "'elasticsearch' in group_names and logstash_count.stdout == 0"
+    when: "elasticstack_elasticsearch_group_name is defined and elasticstack_elasticsearch_group_name in group_names and logstash_count.stdout == 0"
   - name: Show number of received events
     ansible.builtin.debug:
       msg: "Elasticsearch received {{ logstash_count.stdout }} events so far"
-    when: "'elasticsearch' in group_names"
+    when: "elasticstack_elasticsearch_group_name is defined and elasticstack_elasticsearch_group_name in group_names"
diff --git a/roles/beats/defaults/main.yml b/roles/beats/defaults/main.yml
@@ -63,6 +63,9 @@ elasticstack_full_stack: true
 elasticstack_variant: elastic
 elasticstack_security: true
 
+elasticstack_elasticsearch_group_name: elasticsearch
+elasticstack_logstash_group_name: logstash
+
 elasticstack_ca_dir: /opt/es-ca
 elasticstack_ca_pass: PleaseChangeMe
 elasticstack_initial_passwords: /usr/share/elasticsearch/initial_passwords

diff --git a/roles/beats/tasks/main.yml b/roles/beats/tasks/main.yml
@@ -27,11 +27,11 @@
 
     - name: Set elasticstack_ca variable if not already done by user
       ansible.builtin.set_fact:
-        elasticstack_ca: "{{ groups['elasticsearch'][0] }}"
+        elasticstack_ca: "{{ groups[elasticstack_elasticsearch_group_name][0] }}"
       when:
         - beats_security | bool
         - elasticstack_ca is undefined
-        - groups['elasticsearch'] is defined
+        - groups[elasticstack_elasticsearch_group_name] is defined
       tags:
         - certificates
         - renew_ca

diff --git a/roles/beats/templates/auditbeat.yml.j2 b/roles/beats/templates/auditbeat.yml.j2
@@ -33,7 +33,7 @@ setup.kibana:
 output.elasticsearch:
 {% if elasticsearch_http_security | bool %}
 {% if elasticstack_full_stack | bool %}
-  hosts: [ {% for host in groups['elasticsearch'] %}"https://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}]
+  hosts: [ {% for host in groups[elasticstack_elasticsearch_group_name] %}"https://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}]
 {% else %}
   hosts: [ {% for host in beats_target_hosts %}"https://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}]
 {% endif %}
@@ -44,7 +44,7 @@ output.elasticsearch:
   ssl.certificate_authorities: ["/etc/beats/certs/ca.crt"]
 {% else %}
 {% if elasticstack_full_stack | bool %}
-  hosts: [ {% for host in groups['elasticsearch'] %}"http://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}]
+  hosts: [ {% for host in groups[elasticstack_elasticsearch_group_name] %}"http://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}]
 {% else %}
   hosts: [ {% for host in beats_target_hosts %}"http://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}]
 {% endif %}
@@ -53,7 +53,7 @@ output.elasticsearch:
 {% if beats_auditbeat_output == "logstash" %}
 output.logstash:
 {% if elasticstack_full_stack | bool %}
-  hosts: [ {% for host in groups['logstash'] %}"{{ host }}:{{ elasticstack_beats_port }}"{% if not loop.last %},{% endif %}{% endfor %}]
+  hosts: [ {% for host in groups[elasticstack_logstash_group_name] %}"{{ host }}:{{ elasticstack_beats_port }}"{% if not loop.last %},{% endif %}{% endfor %}]
 {% else %}
   hosts: [ {% for host in beats_target_hosts %}"{{ host }}:{{ elasticstack_beats_port }}"{% if not loop.last %},{% endif %}{% endfor %}]
 {% endif %}

diff --git a/roles/beats/templates/filebeat.yml.j2 b/roles/beats/templates/filebeat.yml.j2
@@ -108,7 +108,7 @@ setup.kibana:
 output.elasticsearch:
 {% if beats_security | bool %}
 {% if elasticstack_full_stack | bool %}
-  hosts: [ {% for host in groups['elasticsearch'] %}"https://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}]
+  hosts: [ {% for host in groups[elasticstack_elasticsearch_group_name] %}"https://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}]
 {% else %}
   hosts: [ {% for host in beats_target_hosts %}"https://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}]
 {% endif %}
@@ -119,7 +119,7 @@ output.elasticsearch:
   ssl.certificate_authorities: ["/etc/beats/certs/ca.crt"]
 {% else %}
 {% if elasticstack_full_stack | bool %}
-  hosts: [ {% for host in groups['elasticsearch'] %}"http://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}]
+  hosts: [ {% for host in groups[elasticstack_elasticsearch_group_name] %}"http://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}]
 {% else %}
   hosts: [ {% for host in beats_target_hosts %}"http://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}]
 {% endif %}
@@ -128,7 +128,7 @@ output.elasticsearch:
 {% if beats_filebeat_output == "logstash" %}
 output.logstash:
 {% if elasticstack_full_stack | bool %}
-  hosts: [ {% for host in groups['logstash'] %}"{{ host }}:{{ elasticstack_beats_port }}"{% if not loop.last %},{% endif %}{% endfor %}]
+  hosts: [ {% for host in groups[elasticstack_logstash_group_name] %}"{{ host }}:{{ elasticstack_beats_port }}"{% if not loop.last %},{% endif %}{% endfor %}]
 {% else %}
   hosts: [ {% for host in beats_target_hosts %}"{{ host }}:{{ elasticstack_beats_port }}"{% if not loop.last %},{% endif %}{% endfor %}]
 {% endif %}

diff --git a/roles/beats/templates/metricbeat.yml.j2 b/roles/beats/templates/metricbeat.yml.j2
@@ -10,7 +10,7 @@ setup.kibana:
 output.elasticsearch:
 {% if elasticsearch_http_security | bool %}
 {% if elasticstack_full_stack | bool %}
-  hosts: [ {% for host in groups['elasticsearch'] %}"https://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}]
+  hosts: [ {% for host in groups[elasticstack_elasticsearch_group_name] %}"https://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}]
 {% else %}
   hosts: [ {% for host in beats_target_hosts %}"https://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}]
 {% endif %}
@@ -21,7 +21,7 @@ output.elasticsearch:
   ssl.certificate_authorities: ["/etc/beats/certs/ca.crt"]
 {% else %}
 {% if elasticstack_full_stack | bool %}
-  hosts: [ {% for host in groups['elasticsearch'] %}"http://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}]
+  hosts: [ {% for host in groups[elasticstack_elasticsearch_group_name] %}"http://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}]
 {% else %}
   hosts: [ {% for host in beats_target_hosts %}"http://{{ host }}:{{ elasticstack_elasticsearch_http_port }}"{% if not loop.last %},{% endif %}{% endfor %}]
 {% endif %}
@@ -30,7 +30,7 @@ output.elasticsearch:
 {% if beats_metricbeat_output == "logstash" %}
 output.logstash:
 {% if elasticstack_full_stack | bool %}
-  hosts: [ {% for host in groups['logstash'] %}"{{ host }}:{{ elasticstack_beats_port }}"{% if not loop.last %},{% endif %}{% endfor %}]
+  hosts: [ {% for host in groups[elasticstack_logstash_group_name] %}"{{ host }}:{{ elasticstack_beats_port }}"{% if not loop.last %},{% endif %}{% endfor %}]
 {% else %}
   hosts: [ {% for host in beats_target_hosts %}"{{ host }}:{{ elasticstack_beats_port }}"{% if not loop.last %},{% endif %}{% endfor %}]
 {% endif %}

diff --git a/roles/elasticsearch/defaults/main.yml b/roles/elasticsearch/defaults/main.yml
@@ -63,3 +63,7 @@ elasticstack_full_stack: true
 elasticstack_variant: elastic
 elasticstack_elasticsearch_http_port: 9200
 elasticstack_no_log: true
+
+elasticstack_elasticsearch_group_name: elasticsearch
+elasticstack_logstash_group_name: logstash
+elasticstack_kibana_group_name: kibana
diff --git a/roles/elasticsearch/handlers/main.yml b/roles/elasticsearch/handlers/main.yml
@@ -12,9 +12,10 @@
 
 - name: Restart kibana if available for elasticsearch certificates
   ansible.builtin.include_tasks: handlers/restart_kibana.yml
-  with_items: "{{ groups['kibana'] }}"
+  with_items: "{{ groups[elasticstack_kibana_group_name] }}"
   when:
     - elasticstack_full_stack: true
     - "not 'renew_ca' in ansible_run_tags"
     - "not elasticstack_ca_will_expire_soon | bool"
-    - groups['kibana'] is defined
+    - elasticstack_kibana_group_name is defined
+    - groups[elasticstack_kibana_group_name] is defined
diff --git a/roles/elasticsearch/tasks/elasticsearch-security.yml b/roles/elasticsearch/tasks/elasticsearch-security.yml
@@ -14,7 +14,7 @@
 
 - name: Set elasticstack_ca variable if not already done by user
   ansible.builtin.set_fact:
-    elasticstack_ca: "{{ groups['elasticsearch'][0] }}"
+    elasticstack_ca: "{{ groups[elasticstack_elasticsearch_group_name][0] }}"
   when: elasticstack_ca is undefined
   tags:
     - certificates
@@ -61,11 +61,12 @@
   ansible.builtin.service:
     name: logstash
     state: stopped
-  with_items: "{{ groups['logstash'] }}"
+  with_items: "{{ groups[elasticstack_logstash_group_name] }}"
   delegate_to: "{{ item }}"
   when:
     - "'renew_ca' in ansible_run_tags or elasticstack_ca_will_expire_soon | bool"
-    - groups['logstash'] is defined
+    - elasticstack_logstash_group_name is defined
+    - groups[elasticstack_logstash_group_name] is defined
 
 - name: Backup ca directory on elasticsearch ca host then remove
   when: (inventory_hostname == elasticstack_ca) and ('renew_ca' in "ansible_run_tags" or elasticstack_ca_will_expire_soon | bool)
@@ -267,7 +268,7 @@
         --dns {{ hostvars[item].ansible_hostname }},{{ hostvars[item].ansible_fqdn }},{{ hostvars[item].inventory_hostname }}
         --pass {{ elasticsearch_tls_key_passphrase }}
         --out {{ elasticstack_ca_dir }}/{{ hostvars[item].ansible_hostname }}.p12
-      loop: "{{ groups['elasticsearch'] }}"
+      loop: "{{ groups[elasticstack_elasticsearch_group_name] }}"
       no_log: "{{ elasticstack_no_log }}"
       args:
         creates: "{{ elasticstack_ca_dir }}/{{ hostvars[item].ansible_hostname }}.p12"
@@ -356,7 +357,7 @@
 
 - name: Wait for all instances to start
   ansible.builtin.include_tasks: wait_for_instance.yml
-  loop: "{{ groups['elasticsearch'] }}"
+  loop: "{{ groups[elasticstack_elasticsearch_group_name] }}"
 
 - name: Restart if Elasticsearch was already running
   when:
@@ -372,7 +373,7 @@
 
     - name: Wait for all instances to start
       ansible.builtin.include_tasks: wait_for_instance.yml
-      loop: "{{ groups['elasticsearch'] }}"
+      loop: "{{ groups[elasticstack_elasticsearch_group_name] }}"
       tags:
         - certificates
         - renew_ca
@@ -400,7 +401,7 @@
   no_log: "{{ elasticstack_no_log }}"
   when:
     - not elasticsearch_passwords_file.stat.exists | bool
-    - groups['elasticsearch'] | length > 1
+    - groups[elasticstack_elasticsearch_group_name] | length > 1
   until: elasticsearch_api_status_bootstrap.json.cluster_name is defined
   retries: 5
   delay: 10
@@ -419,7 +420,7 @@
   no_log: "{{ elasticstack_no_log }}"
   when:
     - not elasticsearch_passwords_file.stat.exists | bool
-    - groups['elasticsearch'] | length > 1
+    - groups[elasticstack_elasticsearch_group_name] | length > 1
   until: elasticsearch_cluster_status_bootstrap.json.status == "green"
   retries: 5
   delay: 10
@@ -446,7 +447,7 @@
   no_log: "{{ elasticstack_no_log }}"
   when:
     - elasticsearch_passwords_file.stat.exists | bool
-    - groups['elasticsearch'] | length > 1
+    - groups[elasticstack_elasticsearch_group_name] | length > 1
   until: elasticsearch_api_status.json.cluster_name is defined
   retries: 20
   delay: 10
@@ -497,7 +498,7 @@
   no_log: "{{ elasticstack_no_log }}"
   when:
     - elasticsearch_passwords_file.stat.exists | bool
-    - groups['elasticsearch'] | length > 1
+    - groups[elasticstack_elasticsearch_group_name] | length > 1
   until: elasticsearch_cluster_status.json.status == "green"
   retries: 20
   delay: 10