Merge pull request #91 from Expedient/tamper-protection

Tamper protection

galaxy.yml

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 ---
-version: 2.4.7
+version: 2.5.0
 namespace: expedient
 name: elastic
 readme: README.md

plugins/module_utils/kibana.py

@@ -742,7 +742,7 @@ def get_all_agent_policys(self, perPage = 500):
     agent_policy_objects = self.send_api_request(endpoint, 'GET')
     return agent_policy_objects
 
-  def create_agent_policy(self, agent_policy_id, agent_policy_name, agent_policy_desc, space_id="default", monitoring=[]):
+  def create_agent_policy(self, agent_policy_id, agent_policy_name, agent_policy_desc, protected=False, space_id="default", monitoring=[]):
     if agent_policy_id:
       agent_policy_object = self.get_agent_policy_byid(agent_policy_id)
     else:
@@ -753,7 +753,8 @@ def create_agent_policy(self, agent_policy_id, agent_policy_name, agent_policy_d
           "name": agent_policy_name,
           "namespace": space_id.lower(),
           "description": agent_policy_desc,
-          "monitoring_enabled": monitoring
+          "monitoring_enabled": monitoring,
+          "is_protected": protected
       }
       body_JSON = dumps(body)
 
@@ -778,6 +779,19 @@ def get_agent_policy_byid(self, agent_policy_id):
     endpoint  = 'fleet/agent_policies/' + agent_policy_id
     agent_policy_object = self.send_api_request(endpoint, 'GET')
     return agent_policy_object['item']
+
+  def update_agent_policy(self, agent_policy_id, agent_policy_name, agent_policy_desc, protected, space_id, monitoring):
+    endpoint  = 'fleet/agent_policies/' + agent_policy_id
+    body = {
+          "name": agent_policy_name,
+          "namespace": space_id.lower(),
+          "description": agent_policy_desc,
+          "monitoring_enabled": monitoring,
+          "is_protected": protected
+      }
+    body_JSON = dumps(body)
+    agent_policy_object = self.send_api_request(endpoint, 'PUT', data=body_JSON)
+    return agent_policy_object['item'] # the normal information we want is inside of the item key for put results
 
   def delete_agent_policy(self, agent_policy_id = None, agent_policy_name = None):
     if agent_policy_id:

plugins/modules/elastic_agentpolicy.py

@@ -69,6 +69,10 @@
   monitoring: 
     description: Monitoring Attributes
     type: list
+  protected:
+    description: whether or not to enable agent tamper protection
+    type: bool
+    default: False
 '''
 from ansible.module_utils.basic import _ANSIBLE_ARGS, AnsibleModule
 
@@ -82,7 +86,19 @@
   from kibana import Kibana
 
 results = {}
-
+
+def compare_agent_policy(agent_policy_object, agent_policy_name, agent_policy_desc, protected, namespace, monitoring):
+  if agent_policy_object['name'] != agent_policy_name:
+    return False
+  if agent_policy_object['description'] != agent_policy_desc:
+    return False
+  if agent_policy_object['is_protected'] != protected:
+    return False
+  if agent_policy_object['namespace'] != namespace:
+    return False
+  if agent_policy_object['monitoring_enabled'] != monitoring:
+    return False
+  return True
 def main():
 
     module_args=dict(    
@@ -96,7 +112,8 @@ def main():
         state=dict(type='str', default='present'),
         monitoring=dict(type='list', default=[]),
         deployment_info=dict(type='dict', default=None),
-        namespace=dict(type='str', default='default')
+        namespace=dict(type='str', default='default'),
+        protected=dict(type='bool', default=False),
     )
 
     argument_dependencies = []
@@ -114,6 +131,7 @@ def main():
     agent_policy_id = module.params.get('agent_policy_id')
     monitoring = module.params.get('monitoring')
     namespace = module.params.get('namespace')
+    protected = module.params.get('protected')
 
     if module.check_mode:
         results['changed'] = False
@@ -123,10 +141,16 @@ def main():
     if state == "present":
       agent_policy_object = kibana.get_agent_policy_byname(agent_policy_name)
       if agent_policy_object:
-        results['agent_policy_status'] = "Agent Policy already exists"
-        results['changed'] = False
+        # Check the provided data against the existing agent policy
+        if not compare_agent_policy(agent_policy_object, agent_policy_name, agent_policy_desc, protected, namespace, monitoring):
+          agent_policy_object = kibana.update_agent_policy(agent_policy_object['id'], agent_policy_name, agent_policy_desc, protected, namespace, monitoring)
+          results['agent_policy_status'] = "Agent Policy updated"
+          results['changed'] = True
+        else:
+          results['agent_policy_status'] = "Agent Policy already exists and is up to date"
+          results['changed'] = False
       else:
-        agent_policy_object = kibana.create_agent_policy(agent_policy_id, agent_policy_name, agent_policy_desc, namespace, monitoring)
+        agent_policy_object = kibana.create_agent_policy(agent_policy_id, agent_policy_name, agent_policy_desc, protected, namespace, monitoring)
         results['agent_policy_status'] = "Agent Policy created"
       results['agent_policy_object'] = agent_policy_object
     elif state == "absent":