Implement rds ssl requirement

group_vars/all.yml

@@ -492,13 +492,21 @@ aws_rds_encryption_key_name: "{{ mageops_app_name }}-db"
 
 # Default configuration tunes for MySQL
 aws_rds_param_group_params_default:
-      log_bin_trust_function_creators: 1
-      max_heap_table_size: 67108864
-      tmp_table_size: 67108864
-      explicit_defaults_for_timestamp: 1
+  log_bin_trust_function_creators: 1
+  max_heap_table_size: 67108864
+  tmp_table_size: 67108864
+  explicit_defaults_for_timestamp: 1
+
+aws_rds_param_group_params_require_ssl:
+  require_secure_transport: 1
+
+aws_rds_param_group_params_tpl:
+- "{{ aws_rds_param_group_params_default }}"
+- "{{ mageops_mysql_require_ssl | ternary(aws_rds_param_group_params_require_ssl, {}) }}"
+- "{{ aws_rds_param_group_params_extra | default({}) }}"
 
 # Parameters to tune MySQL configuration
-aws_rds_param_group_params: "{{ aws_rds_param_group_params_default | combine(aws_rds_param_group_params_extra | default({}), recursive=True) }}"
+aws_rds_param_group_params: "{{ aws_rds_param_group_params_tpl | combine }}"
 
 # Storage encryption
 aws_rds_storage_encrypt: "{{ mageops_encryption }}"
@@ -674,6 +682,7 @@ php_opcache_prewarm_dirs:
 # MySQL instance shall be provisioned? (or provide host)
 mageops_mysql_create: yes
 mageops_mysql_host:
+mageops_mysql_require_ssl: no
 
 # Root DB password, not used directly by the application, needed for managing app dbs and users
 mageops_mysql_root_user: root

requirements-python.txt

@@ -16,7 +16,16 @@ netaddr
 
 # needed for managing databases (e.g. creating project db in infra step)
 # mysql
-PyMySQL
+# We are using a fork of PyMySQL that has SSL enabled by default
+# Ansible ansible_util does not allow setting ssl parameter without setting ca_cert at the same time
+# This could be workarounded by using config_file parameter but this only works when implementation
+# uses real mysql client and not PyMySQL
+# PyMySQL implementation also loads the config file but it does not support setting ssl parameter
+# while it makes inpossible to enable ssl without providing certificate, implementation supports such scenario
+# in later code. This is why we are using forked version of PyMySQL that enables ssl by default
+# when it's not explicitly disabled. This should be always safe, because if ssl is not enabled on server
+# implementation will fallback to non-ssl connection.
+git+https://github.com/mageops/PyMySQL.git@dev-ssl-by-default#egg=PyMySQL
 
 # needed for running docker (e.g. building aws lambda artifacts)
 docker-py

roles/cs.magento-configure/defaults/main/app-etc.yml

@@ -78,11 +78,20 @@ magento_app_etc_config:
   install:
     date: "Tue, 11 Nov 2016 11:11:00 +0000"
 
+magento_mysql_ssl_required:
+  db:
+    connection:
+      default:
+        # Because we need to serialize and deserialize configuration, we cannot use php constants directly
+        # Therefore we need here to use the actual value of the constant as keys
+        driver_options:
+          1014: false # \PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT
+          1009: /dev/null # \PDO::MYSQL_ATTR_SSL_CA
 
 magento_app_etc_config_http_cache:
   http_cache_hosts:
-    - host: "{{ magento_varnish_host }}"
-      port: "{{ magento_varnish_port }}"
+  - host: "{{ magento_varnish_host }}"
+    port: "{{ magento_varnish_port }}"
 
 # Optional elasticsuite config
 magento_app_etc_config_elasticsuite:
@@ -112,30 +121,30 @@ magento_app_etc_config_cache_default_redis:
 
 magento_app_etc_config_cache_default_redis_l2:
   cache:
-      frontend:
-          default:
-              backend: \Magento\Framework\Cache\Backend\RemoteSynchronizedCache
-              backend_options:
-                  remote_backend: "{{ magento_redis_cache_backend_fqcn }}"
-                  remote_backend_options:
-                      persistent: 0
-                      server: "{{ mageops_redis_host }}"
-                      database: "0"
-                      port: "{{ mageops_redis_port }}"
-                      password: ""
-                      preload_keys:
-                        - EAV_ENTITY_TYPES:hash
-                        - GLOBAL_PLUGIN_LIST:hash
-                        - DB_IS_UP_TO_DATE:hash
-                        - SYSTEM_DEFAULT:hash
-                  local_backend: Cm_Cache_Backend_File
-                  local_backend_options:
-                      cache_dir: "{{ magento_redis_cache_l2_dir }}"
-              frontend_options:
-                  write_control: false
-      type:
-          default:
-              frontend: default
+    frontend:
+      default:
+        backend: \Magento\Framework\Cache\Backend\RemoteSynchronizedCache
+        backend_options:
+          remote_backend: "{{ magento_redis_cache_backend_fqcn }}"
+          remote_backend_options:
+            persistent: 0
+            server: "{{ mageops_redis_host }}"
+            database: "0"
+            port: "{{ mageops_redis_port }}"
+            password: ""
+            preload_keys:
+            - EAV_ENTITY_TYPES:hash
+            - GLOBAL_PLUGIN_LIST:hash
+            - DB_IS_UP_TO_DATE:hash
+            - SYSTEM_DEFAULT:hash
+          local_backend: Cm_Cache_Backend_File
+          local_backend_options:
+            cache_dir: "{{ magento_redis_cache_l2_dir }}"
+        frontend_options:
+          write_control: false
+    type:
+      default:
+        frontend: default
 
 magento_app_etc_config_cache_page_redis:
   cache:

roles/cs.magento-configure/tasks/000-prepare-runtime-config.yml

@@ -2,65 +2,65 @@
 # that should be ready for the next ones.
 - name: Configure magepack JS bundling task hook
   block:
-    - name: Configure deploy for bundling
-      block:
-        - name: Create bundling configs
-          set_fact:
-            magento_magepack_js_bundling_task:
-              name: "magesuite-magepack-bundle"
-              image: "mageops/magesuite-magepack"
-              workdir: "{{ magento_release_dir }}"
-              commandline: ""
-              container_workdir: "/workdir"
-              user: "{{ magento_uid }}:{{ magento_gid }}"
-              # If magepack fails, it should keep magento in working condition
-              # we want to continue deployment even if magepack couldn't succeed
-              ignore_error: yes
+  - name: Configure deploy for bundling
+    block:
+    - name: Create bundling configs
+      set_fact:
+        magento_magepack_js_bundling_task:
+          name: "magesuite-magepack-bundle"
+          image: "mageops/magesuite-magepack"
+          workdir: "{{ magento_release_dir }}"
+          commandline: ""
+          container_workdir: "/workdir"
+          user: "{{ magento_uid }}:{{ magento_gid }}"
+          # If magepack fails, it should keep magento in working condition
+          # we want to continue deployment even if magepack couldn't succeed
+          ignore_error: yes
 
-        - name: Append the bundling task config to the task list
-          set_fact:
-            magento_scd_containerized_tasks: "{{ magento_scd_containerized_tasks + [magento_magepack_js_bundling_task] }}"
+    - name: Append the bundling task config to the task list
+      set_fact:
+        magento_scd_containerized_tasks: "{{ magento_scd_containerized_tasks + [magento_magepack_js_bundling_task] }}"
 
   when: magento_scd_advanced_js_bundling and magento_scd_advanced_js_bundling_strategy == 'magepack'
 
 - name: Configure baler JS bundling task hook
   block:
-    - name: Configure deploy for bundling
-      block:
-        - name: Create bundling configs
-          set_fact:
-            magento_baler_js_bundling_task:
-              name: "magesuite-baler-bundle"
-              image: "mageops/magesuite-baler:v0.1.1"
-              workdir: "{{ magento_release_dir }}"
-              commandline: ""
-              container_workdir: "/workdir"
-              user: "{{ magento_uid }}:{{ magento_gid }}"
+  - name: Configure deploy for bundling
+    block:
+    - name: Create bundling configs
+      set_fact:
+        magento_baler_js_bundling_task:
+          name: "magesuite-baler-bundle"
+          image: "mageops/magesuite-baler:v0.1.1"
+          workdir: "{{ magento_release_dir }}"
+          commandline: ""
+          container_workdir: "/workdir"
+          user: "{{ magento_uid }}:{{ magento_gid }}"
 
-            magento_baler_js_bundling_core_config:
-              - name: Enable baler bundling
-                path: "dev/js/enable_baler_js_bundling"
-                value: "1"
-              - name: Disable JS merging (because baler bundling is enabled)
-                path: "dev/js/merge_files"
-                value: "0"
-              - name: Disable JS minification (because baler bundling is enabled)
-                path: "dev/js/minify_files"
-                value: "0"
-              - name: Disable JS bundling (baler bundling is enabled)
-                path: "dev/js/enable_js_bundling"
-                value: "0"
-              - name: Disable MageSuite JavaScript defer.
-                path: "deferjs/general/active"
-                value: "0"
+        magento_baler_js_bundling_core_config:
+        - name: Enable baler bundling
+          path: "dev/js/enable_baler_js_bundling"
+          value: "1"
+        - name: Disable JS merging (because baler bundling is enabled)
+          path: "dev/js/merge_files"
+          value: "0"
+        - name: Disable JS minification (because baler bundling is enabled)
+          path: "dev/js/minify_files"
+          value: "0"
+        - name: Disable JS bundling (baler bundling is enabled)
+          path: "dev/js/enable_js_bundling"
+          value: "0"
+        - name: Disable MageSuite JavaScript defer.
+          path: "deferjs/general/active"
+          value: "0"
 
-        - name: Append the bundling task config to the task list
-          set_fact:
-            magento_scd_containerized_tasks: "{{ magento_scd_containerized_tasks + [magento_baler_js_bundling_task] }}"
+    - name: Append the bundling task config to the task list
+      set_fact:
+        magento_scd_containerized_tasks: "{{ magento_scd_containerized_tasks + [magento_baler_js_bundling_task] }}"
 
-        - name: Ensure that Magento's js minification, merging and bundling is disabled
-          set_fact:
-            magento_core_config_settings: "{{ magento_core_config_settings + magento_baler_js_bundling_core_config }}"
+    - name: Ensure that Magento's js minification, merging and bundling is disabled
+      set_fact:
+        magento_core_config_settings: "{{ magento_core_config_settings + magento_baler_js_bundling_core_config }}"
   when: magento_scd_advanced_js_bundling and magento_scd_advanced_js_bundling_strategy == 'baler'
 
 - name: Install required python modules
@@ -70,7 +70,7 @@
     state: present
 
 - name: Check if database is initialized
-  command: mysql -N --batch -u {{ mageops_app_mysql_user|quote }} -p{{ mageops_app_mysql_pass|quote }} -h {{ mageops_mysql_host|quote }} -e "SHOW TABLES FROM `{{ mageops_app_mysql_db }}` LIKE 'admin_user';"
+  command: mysql {{ mageops_mysql_require_ssl | ternary("--ssl", "") }} -N --batch -u {{ mageops_app_mysql_user|quote }} -p{{ mageops_app_mysql_pass|quote }} -h {{ mageops_mysql_host|quote }} -e "SHOW TABLES FROM `{{ mageops_app_mysql_db }}` LIKE 'admin_user';"
   changed_when: false
   register: admins
 

roles/cs.magento-configure/tasks/080-core-config.yml

@@ -9,7 +9,9 @@
     magento_core_config_settings: "{{ magento_core_config_settings + _extra_items }}"
   when: magento_varnish_host | default(false, true)
 
-- name: Ensure core config database settings' values
+- name: Ensure core config database settings values
+  delegate_to: localhost
+  become: no
   mysql_query:
     name: "{{ mageops_app_mysql_db }}"
     table: core_config_data
@@ -29,6 +31,8 @@
     loop_var: magento_db_setting
 
 - name: Ensure core config database default values (no update if exists)
+  delegate_to: localhost
+  become: no
   mysql_query:
     name: "{{ mageops_app_mysql_db }}"
     table: core_config_data
@@ -47,6 +51,8 @@
     loop_var: magento_db_setting
 
 - name: Ensure core config database settings are absent (defaults are used)
+  delegate_to: localhost
+  become: no
   mysql_query:
     state: absent
     name: "{{ mageops_app_mysql_db }}"