diff --git a/group_vars/all.yml b/group_vars/all.yml index 9cd1b730..72140b09 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -492,13 +492,21 @@ aws_rds_encryption_key_name: "{{ mageops_app_name }}-db" # Default configuration tunes for MySQL aws_rds_param_group_params_default: - log_bin_trust_function_creators: 1 - max_heap_table_size: 67108864 - tmp_table_size: 67108864 - explicit_defaults_for_timestamp: 1 + log_bin_trust_function_creators: 1 + max_heap_table_size: 67108864 + tmp_table_size: 67108864 + explicit_defaults_for_timestamp: 1 + +aws_rds_param_group_params_require_ssl: + require_secure_transport: 1 + +aws_rds_param_group_params_tpl: +- "{{ aws_rds_param_group_params_default }}" +- "{{ mageops_mysql_require_ssl | ternary(aws_rds_param_group_params_require_ssl, {}) }}" +- "{{ aws_rds_param_group_params_extra | default({}) }}" # Parameters to tune MySQL configuration -aws_rds_param_group_params: "{{ aws_rds_param_group_params_default | combine(aws_rds_param_group_params_extra | default({}), recursive=True) }}" +aws_rds_param_group_params: "{{ aws_rds_param_group_params_tpl | combine }}" # Storage encryption aws_rds_storage_encrypt: "{{ mageops_encryption }}" @@ -674,6 +682,7 @@ php_opcache_prewarm_dirs: # MySQL instance shall be provisioned? (or provide host) mageops_mysql_create: yes mageops_mysql_host: +mageops_mysql_require_ssl: no # Root DB password, not used directly by the application, needed for managing app dbs and users mageops_mysql_root_user: root diff --git a/requirements-python.txt b/requirements-python.txt index a6deb79f..b335fa82 100644 --- a/requirements-python.txt +++ b/requirements-python.txt 
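Review bot: `aws_rds_param_group_params: "{{ aws_rds_param_group_params_tpl | combine }}"` drops the `recursive=True` that the replaced line passed, so nested keys in `aws_rds_param_group_params_extra` now replace the defaults wholesale instead of deep-merging; if that is acceptable because RDS parameter groups are flat, a short comment saying so would stop a later reader from "fixing" it, otherwise write `{{ aws_rds_param_group_params_tpl | combine(recursive=True) }}`. The `ternary` on `mageops_mysql_require_ssl` tests Jinja truthiness, so a string value such as `no` supplied through `-e` on the command line would still select the require-ssl block; `{{ mageops_mysql_require_ssl | bool | ternary(aws_rds_param_group_params_require_ssl, {}) }}` makes the override safe (the same applies to the `--ssl` ternary added in 000-prepare-runtime-config.yml). A comment next to `require_secure_transport: 1` noting that it only makes the server reject plaintext sessions and does not give clients server-certificate verification would help readers pair it with the client-side settings elsewhere in this change.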
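Review bot: `mageops_mysql_require_ssl: no` introduces the new flag without the explanatory comment that the neighbouring knobs carry, and it is not obvious from the name that it drives both the RDS parameter group and the client/driver settings. A comment such as `# Require TLS for MySQL: sets require_secure_transport on the RDS parameter group and enables SSL in the app and tooling; off by default so existing installations keep working` would tell operators what flipping it changes. The file already spells booleans as `yes`, so keeping `no` is consistent, but if the project ever moves to yamllint's truthy rule this line and `mageops_mysql_create: yes` should become `false`/`true` together.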
@@ -16,7 +16,16 @@ netaddr # needed for managing databases (e.g. creating project db in infra step) # mysql -PyMySQL +# We are using a fork of PyMySQL that has SSL enabled by default +# Ansible ansible_util does not allow setting ssl parameter without setting ca_cert at the same time +# This could be workarounded by using config_file parameter but this only works when implementation +# uses real mysql client and not PyMySQL +# PyMySQL implementation also loads the config file but it does not support setting ssl parameter +# while it makes inpossible to enable ssl without providing certificate, implementation supports such scenario +# in later code. This is why we are using forked version of PyMySQL that enables ssl by default +# when it's not explicitly disabled. This should be always safe, because if ssl is not enabled on server +# implementation will fallback to non-ssl connection. +git+https://github.com/mageops/PyMySQL.git@dev-ssl-by-default#egg=PyMySQL # needed for running docker (e.g. building aws lambda artifacts) docker-py diff --git a/roles/cs.magento-configure/defaults/main/app-etc.yml b/roles/cs.magento-configure/defaults/main/app-etc.yml index 7c468095..394da4c1 100644 --- a/roles/cs.magento-configure/defaults/main/app-etc.yml +++ b/roles/cs.magento-configure/defaults/main/app-etc.yml 
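Review bot: The new requirement `git+https://github.com/mageops/PyMySQL.git@dev-ssl-by-default#egg=PyMySQL` pins to a branch name, so every install of the controller dependencies resolves whatever that branch points to at the time, and the replaced `PyMySQL` line gave up any version constraint as well. Pin the fork to an immutable revision, e.g. `git+https://github.com/mageops/PyMySQL.git@<pinned-commit-sha>#egg=PyMySQL`, so that a later push to the branch (or a compromise of the fork) cannot silently change the database driver that is used with production credentials. The comment block says the fork "will fallback to non-ssl connection" when the server has no TLS; it would be worth stating beside it that the fallback is silent and that `require_secure_transport` in group_vars/all.yml is what turns such a downgrade into an error, so readers do not assume the driver alone guarantees encryption.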
@@ -78,11 +78,20 @@ magento_app_etc_config: install: date: "Tue, 11 Nov 2016 11:11:00 +0000" +magento_mysql_ssl_required: + db: + connection: + default: + # Because we need to serialize and deserialize configuration, we cannot use php constants directly + # Therefore we need here to use the actual value of the constant as keys + driver_options: + 1014: false # \PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT + 1009: /dev/null # \PDO::MYSQL_ATTR_SSL_CA magento_app_etc_config_http_cache: http_cache_hosts: - - host: "{{ magento_varnish_host }}" - port: "{{ magento_varnish_port }}" + - host: "{{ magento_varnish_host }}" + port: "{{ magento_varnish_port }}" # Optional elasticsuite config magento_app_etc_config_elasticsuite: 
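Review bot: `1014: false` (`\PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT`) together with `1009: /dev/null` (`\PDO::MYSQL_ATTR_SSL_CA`) makes the application negotiate TLS but accept any server certificate, so the session is encrypted while the server is not authenticated. If the intent is only to satisfy `require_secure_transport` for now, a comment stating that verification is deliberately disabled and why should sit beside these two keys; otherwise point `1009` at the CA bundle installed on the host and set `1014: true`, which is the configuration that actually defends against a redirected connection. The existing comment could also mention that the unquoted integer keys and the plain `/dev/null` scalar are intentional, since YAML parses them as an int and a string and that is what the serialized env.php needs.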
@@ -112,30 +121,30 @@ magento_app_etc_config_cache_default_redis: magento_app_etc_config_cache_default_redis_l2: cache: - frontend: - default: - backend: \Magento\Framework\Cache\Backend\RemoteSynchronizedCache - backend_options: - remote_backend: "{{ magento_redis_cache_backend_fqcn }}" - remote_backend_options: - persistent: 0 - server: "{{ mageops_redis_host }}" - database: "0" - port: "{{ mageops_redis_port }}" - password: "" - preload_keys: - - EAV_ENTITY_TYPES:hash - - GLOBAL_PLUGIN_LIST:hash - - DB_IS_UP_TO_DATE:hash - - SYSTEM_DEFAULT:hash - local_backend: Cm_Cache_Backend_File - local_backend_options: - cache_dir: "{{ magento_redis_cache_l2_dir }}" - frontend_options: - write_control: false - type: - default: - frontend: default + frontend: + default: + backend: \Magento\Framework\Cache\Backend\RemoteSynchronizedCache + backend_options: + remote_backend: "{{ magento_redis_cache_backend_fqcn }}" + remote_backend_options: + persistent: 0 + server: "{{ mageops_redis_host }}" + database: "0" + port: "{{ mageops_redis_port }}" + password: "" + preload_keys: + - EAV_ENTITY_TYPES:hash + - GLOBAL_PLUGIN_LIST:hash + - DB_IS_UP_TO_DATE:hash + - SYSTEM_DEFAULT:hash + local_backend: Cm_Cache_Backend_File + local_backend_options: + cache_dir: "{{ magento_redis_cache_l2_dir }}" + frontend_options: + write_control: false + type: + default: + frontend: default magento_app_etc_config_cache_page_redis: cache: diff --git a/roles/cs.magento-configure/tasks/000-prepare-runtime-config.yml b/roles/cs.magento-configure/tasks/000-prepare-runtime-config.yml index 1d9bc160..4e07648f 100644 --- a/roles/cs.magento-configure/tasks/000-prepare-runtime-config.yml +++ b/roles/cs.magento-configure/tasks/000-prepare-runtime-config.yml 
@@ -2,65 +2,65 @@ # that should be ready for the next ones. - name: Configure magepack JS bundling task hook block: - - name: Configure deploy for bundling - block: - - name: Create bundling configs - set_fact: - magento_magepack_js_bundling_task: - name: "magesuite-magepack-bundle" - image: "mageops/magesuite-magepack" - workdir: "{{ magento_release_dir }}" - commandline: "" - container_workdir: "/workdir" - user: "{{ magento_uid }}:{{ magento_gid }}" - # If magepack fails, it should keep magento in working condition - # we want to continue deployment even if magepack couldn't succeed - ignore_error: yes + - name: Configure deploy for bundling + block: + - name: Create bundling configs + set_fact: + magento_magepack_js_bundling_task: + name: "magesuite-magepack-bundle" + image: "mageops/magesuite-magepack" + workdir: "{{ magento_release_dir }}" + commandline: "" + container_workdir: "/workdir" + user: "{{ magento_uid }}:{{ magento_gid }}" + # If magepack fails, it should keep magento in working condition + # we want to continue deployment even if magepack couldn't succeed + ignore_error: yes - - name: Append the bundling task config to the task list - set_fact: - magento_scd_containerized_tasks: "{{ magento_scd_containerized_tasks + [magento_magepack_js_bundling_task] }}" + - name: Append the bundling task config to the task list + set_fact: + magento_scd_containerized_tasks: "{{ magento_scd_containerized_tasks + [magento_magepack_js_bundling_task] }}" when: magento_scd_advanced_js_bundling and magento_scd_advanced_js_bundling_strategy == 'magepack' - name: Configure baler JS bundling task hook block: - - name: Configure deploy for bundling - block: - - name: Create bundling configs - set_fact: - magento_baler_js_bundling_task: - name: "magesuite-baler-bundle" - image: "mageops/magesuite-baler:v0.1.1" - workdir: "{{ magento_release_dir }}" - commandline: "" - container_workdir: "/workdir" - user: "{{ magento_uid }}:{{ magento_gid }}" + - name: Configure deploy for 
bundling + block: + - name: Create bundling configs + set_fact: + magento_baler_js_bundling_task: + name: "magesuite-baler-bundle" + image: "mageops/magesuite-baler:v0.1.1" + workdir: "{{ magento_release_dir }}" + commandline: "" + container_workdir: "/workdir" + user: "{{ magento_uid }}:{{ magento_gid }}" - magento_baler_js_bundling_core_config: - - name: Enable baler bundling - path: "dev/js/enable_baler_js_bundling" - value: "1" - - name: Disable JS merging (because baler bundling is enabled) - path: "dev/js/merge_files" - value: "0" - - name: Disable JS minification (because baler bundling is enabled) - path: "dev/js/minify_files" - value: "0" - - name: Disable JS bundling (baler bundling is enabled) - path: "dev/js/enable_js_bundling" - value: "0" - - name: Disable MageSuite JavaScript defer. - path: "deferjs/general/active" - value: "0" + magento_baler_js_bundling_core_config: + - name: Enable baler bundling + path: "dev/js/enable_baler_js_bundling" + value: "1" + - name: Disable JS merging (because baler bundling is enabled) + path: "dev/js/merge_files" + value: "0" + - name: Disable JS minification (because baler bundling is enabled) + path: "dev/js/minify_files" + value: "0" + - name: Disable JS bundling (baler bundling is enabled) + path: "dev/js/enable_js_bundling" + value: "0" + - name: Disable MageSuite JavaScript defer. 
+ path: "deferjs/general/active" + value: "0" - - name: Append the bundling task config to the task list - set_fact: - magento_scd_containerized_tasks: "{{ magento_scd_containerized_tasks + [magento_baler_js_bundling_task] }}" + - name: Append the bundling task config to the task list + set_fact: + magento_scd_containerized_tasks: "{{ magento_scd_containerized_tasks + [magento_baler_js_bundling_task] }}" - - name: Ensure that Magento's js minification, merging and bundling is disabled - set_fact: - magento_core_config_settings: "{{ magento_core_config_settings + magento_baler_js_bundling_core_config }}" + - name: Ensure that Magento's js minification, merging and bundling is disabled + set_fact: + magento_core_config_settings: "{{ magento_core_config_settings + magento_baler_js_bundling_core_config }}" when: magento_scd_advanced_js_bundling and magento_scd_advanced_js_bundling_strategy == 'baler' - name: Install required python modules @@ -70,7 +70,7 @@ state: present - name: Check if database is initialized - command: mysql -N --batch -u {{ mageops_app_mysql_user|quote }} -p{{ mageops_app_mysql_pass|quote }} -h {{ mageops_mysql_host|quote }} -e "SHOW TABLES FROM `{{ mageops_app_mysql_db }}` LIKE 'admin_user';" + command: mysql {{ mageops_mysql_require_ssl | ternary("--ssl", "") }} -N --batch -u {{ mageops_app_mysql_user|quote }} -p{{ mageops_app_mysql_pass|quote }} -h {{ mageops_mysql_host|quote }} -e "SHOW TABLES FROM `{{ mageops_app_mysql_db }}` LIKE 'admin_user';" changed_when: false register: admins diff --git a/roles/cs.magento-configure/tasks/080-core-config.yml b/roles/cs.magento-configure/tasks/080-core-config.yml index 2bfe10b1..d626edf1 100644 --- a/roles/cs.magento-configure/tasks/080-core-config.yml +++ b/roles/cs.magento-configure/tasks/080-core-config.yml 
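Review bot: `{{ mageops_mysql_require_ssl | ternary("--ssl", "") }}` enables TLS on the mysql client without verifying the server certificate, and the bare `--ssl` option is deprecated in the MySQL 5.7 client and removed from the MySQL 8.0 client in favour of `--ssl-mode`. Unless the client on the target host is known to be MariaDB (where `--ssl` is the right flag), `ternary("--ssl-mode=REQUIRED", "")`, or `VERIFY_CA` together with `--ssl-ca`, is the portable form; a comment naming which client binary is expected would settle it either way. The ternary also tests Jinja truthiness, so `mageops_mysql_require_ssl | bool | ternary(...)` is safer if the variable can arrive as a string from the command line.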
@@ -9,7 +9,9 @@ magento_core_config_settings: "{{ magento_core_config_settings + _extra_items }}" when: magento_varnish_host | default(false, true) -- name: Ensure core config database settings' values +- name: Ensure core config database settings values + delegate_to: localhost + become: no mysql_query: name: "{{ mageops_app_mysql_db }}" table: core_config_data @@ -29,6 +31,8 @@ loop_var: magento_db_setting - name: Ensure core config database default values (no update if exists) + delegate_to: localhost + become: no mysql_query: name: "{{ mageops_app_mysql_db }}" table: core_config_data @@ -47,6 +51,8 @@ loop_var: magento_db_setting - name: Ensure core config database settings are absent (defaults are used) + delegate_to: localhost + become: no mysql_query: state: absent name: "{{ mageops_app_mysql_db }}" diff --git a/roles/cs.magento-configure/tasks/action/configure-env.yml b/roles/cs.magento-configure/tasks/action/configure-env.yml index b896c54e..995a5785 100644 --- a/roles/cs.magento-configure/tasks/action/configure-env.yml +++ b/roles/cs.magento-configure/tasks/action/configure-env.yml 
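Review bot: `delegate_to: localhost` with `become: no` moves the three `mysql_query` sessions to the control node, but each task's connection arguments (`login_host`, credentials, any `ssl` setting) lie outside these hunks, so it is not visible whether they now reach the database endpoint directly from the controller rather than via the app host. The tasks therefore depend on the controller's Python interpreter carrying the forked PyMySQL from requirements-python.txt and on the controller having network access to the database; a comment on the first task such as `# Runs on the controller: needs the PyMySQL fork (requirements-python.txt) and network reach to mageops_mysql_host` would make that coupling explicit, and the same applies to the two later hunks in this file. Because the fork falls back to plaintext when the server does not offer TLS, the server-side `require_secure_transport` setting remains the only thing that makes such a downgrade fail loudly for these tasks.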
@@ -1,107 +1,113 @@ - name: Configure Magento environment (env.php) block: - - name: Enable HTTP cache - when: magento_http_cache_enable - set_fact: - magento_app_etc_config: >- - {{ magento_app_etc_config - | combine(magento_app_etc_config_http_cache, recursive=true) }} + - name: Enable HTTP cache + when: magento_http_cache_enable + set_fact: + magento_app_etc_config: >- + {{ magento_app_etc_config + | combine(magento_app_etc_config_http_cache, recursive=true) }} - - name: Enable ElasticSuite configuration - when: elasticsuite_version | default(false, true) - set_fact: - magento_app_etc_config: >- - {{ magento_app_etc_config - | combine(magento_app_etc_config_elasticsuite, recursive=true) }} - - - name: Configure Redis caching - when: magento_redis_cache - block: - - name: Enable default Redis cache - when: not magento_redis_cache_l2 - set_fact: - magento_app_etc_config: >- - {{ magento_app_etc_config - | combine(magento_app_etc_config_cache_default_redis, recursive=true) }} - - - name: Enable 2-level default Redis cache - when: magento_redis_cache_l2 - set_fact: - magento_app_etc_config: >- - {{ magento_app_etc_config - | combine(magento_app_etc_config_cache_default_redis_l2, recursive=true) }} - - - name: Configure Redis page cache - set_fact: - magento_app_etc_config: >- - {{ magento_app_etc_config - | combine(magento_app_etc_config_cache_page_redis, recursive=true) }} - - - name: Enable RabbitMQ queue configuration - when: magento_rabbitmq_queue - set_fact: - magento_app_etc_config: >- - {{ magento_app_etc_config - | combine(magento_app_etc_config_queue_rabbitmq, recursive=true) }} + - name: Enable ElasticSuite configuration + when: elasticsuite_version | default(false, true) + set_fact: + magento_app_etc_config: >- + {{ magento_app_etc_config + | combine(magento_app_etc_config_elasticsuite, recursive=true) }} - - name: Adjust configuration for consumer workers - when: magento_consumer_workers_enable + - name: Configure Redis caching + when: 
magento_redis_cache + block: + - name: Enable default Redis cache + when: not magento_redis_cache_l2 set_fact: magento_app_etc_config: >- {{ magento_app_etc_config - | combine(magento_app_etc_config_consumer_workers, recursive=true) }} + | combine(magento_app_etc_config_cache_default_redis, recursive=true) }} - - name: Adjust configuration for cron consumers - when: magento_cron_consumers_enable + - name: Enable 2-level default Redis cache + when: magento_redis_cache_l2 set_fact: magento_app_etc_config: >- {{ magento_app_etc_config - | combine(magento_app_etc_config_cron_consumers, recursive=true) }} + | combine(magento_app_etc_config_cache_default_redis_l2, recursive=true) }} - - name: Configure X-Magento-Vary cookie signing - when: magento_vary_sign + - name: Configure Redis page cache set_fact: magento_app_etc_config: >- {{ magento_app_etc_config - | combine(magento_app_etc_config_cookie_sign, recursive=true) }} + | combine(magento_app_etc_config_cache_page_redis, recursive=true) }} - - name: Set extra options - set_fact: - magento_app_etc_config: >- - {{ magento_app_etc_config - | combine(magento_app_etc_config_extra, recursive=true) }} - - - name: Export configuration as PHP code - command: - stdin: "{{ magento_app_etc_config | to_json }}" - argv: - - php - - -r - - >- - echo "- + {{ magento_app_etc_config + | combine(magento_app_etc_config_queue_rabbitmq, recursive=true) }} + + - name: Adjust configuration for consumer workers + when: magento_consumer_workers_enable + set_fact: + magento_app_etc_config: >- + {{ magento_app_etc_config + | combine(magento_app_etc_config_consumer_workers, recursive=true) }} + + - name: Adjust configuration for cron consumers + when: magento_cron_consumers_enable + set_fact: + magento_app_etc_config: >- + {{ magento_app_etc_config + | combine(magento_app_etc_config_cron_consumers, recursive=true) }} + + - name: Configure X-Magento-Vary cookie signing + when: magento_vary_sign + set_fact: + magento_app_etc_config: >- + {{ 
magento_app_etc_config + | combine(magento_app_etc_config_cookie_sign, recursive=true) }} + + - name: Enable mysql ssl requirement + when: mageops_mysql_require_ssl + set_fact: + magento_app_etc_config: >- + {{ magento_app_etc_config + | combine(magento_mysql_ssl_required, recursive=true) }} + + - name: Set extra options + set_fact: + magento_app_etc_config: >- + {{ magento_app_etc_config + | combine(magento_app_etc_config_extra, recursive=true) }} + + - name: Export configuration as PHP code + command: + stdin: "{{ magento_app_etc_config | to_json }}" + argv: + - php + - -r + - >- + echo "