splunk / ansible-role-for-splunk

Splunk@Splunk's Ansible role for installing Splunk, upgrading Splunk, and installing apps/addons on Splunk deployments (VM/bare metal)
Apache License 2.0

Enhancement : Install app from Splunkbase #46

Open lmnogues opened 3 years ago

lmnogues commented 3 years ago

As a Splunk Admin with a restricted Git repo size, I want to be able to automatically install applications from Splunkbase instead of Git.

mason-splunk commented 3 years ago

So, I actually did a POC playbook for this last year that we may be able to reuse and incorporate into this role. There are some drawbacks and constraints to pulling apps from Splunkbase, namely:

  1. Apps can be removed or retired from Splunkbase.
  2. Splunkbase does not offer service accounts so a personal login is required to authenticate for downloads.
  3. Splunkbase does not provide a way to pull the "latest" version. You have to specify the version number of each app/addon that you want to download.
  4. Splunkbase download URLs are not human readable (e.g. TA NIX is only identified as "833") so we may want to include an extra var in Ansible with the human readable app name for our own sanity.
  5. Downloading and installing straight from Splunkbase may be undesirable in some cases (e.g. if you want to disable/enable inputs, change index names, or customize anything before deploying).

All that said, this is possible. Here's the POC playbook that I wrote for reference:

```yaml
# ansible-playbook --connection=local --inventory 127.0.0.1, install_splunkbase_app_rest.yml
- hosts:
    - localhost
  gather_facts: no
  vars:
    # Placeholder values for the POC
    splunkbase_username: user@splunk.com
    splunkbase_password: somepassword
    splunkbase_auth_url: https://splunkbase.splunk.com/api/account:login/
    splunk_host: mysplunkhost
    splunk_user: admin
    splunk_password: somepassword
    # 833 is the Splunkbase app ID; the release version must be given explicitly
    app_url: https://splunkbase.splunk.com/app/833/release/8.1.0/download
  tasks:
    # Log in to Splunkbase with a personal account; the response contains the token
    - name: Get splunkbase authentication token
      uri:
        url: "{{ splunkbase_auth_url }}"
        method: POST
        return_content: yes
        body_format: form-urlencoded
        body:
          username: "{{ splunkbase_username }}"
          password: "{{ splunkbase_password }}"
      register: login

    # Extract the token from the <id> element of the login response
    - name: Create splunkbase_token var
      set_fact:
        splunkbase_token: "{{ login.content | regex_search('<id>(.*)<\\/id>', '\\1' ) | first }}"

    # Ask splunkd (management port 8089) to download and install the app itself
    - name: Install Splunkbase app
      uri:
        url: "https://{{ splunk_host }}:8089/services/apps/local"
        method: POST
        user: "{{ splunk_user }}"
        password: "{{ splunk_password }}"
        # Certificate validation is disabled in this POC
        validate_certs: false
        body:
          name: "{{ app_url }}"
          update: "true"
          filename: "true"
          auth: "{{ splunkbase_token }}"
        body_format: "form-urlencoded"
        status_code: [ 200, 201 ]
        timeout: 300
      when:
        - "'splunkbase.splunk.com' in app_url"
        - splunkbase_token is defined
        - splunkbase_token != None
```

mason-splunk commented 3 years ago

One consideration for implementing this task: We will likely want to support installing apps from both Splunkbase and from Git on the same host.

lmnogues commented 3 years ago

For the Splunkbase URL you can use https://splunkbase.splunk.com/apps/id/lookup_editor to get the app number.
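
Drawbacks 3 and 4 in the thread (an exact version is required, and IDs such as "833" are not human readable) point toward an app list that pairs a readable name with the numeric ID and a pinned version. The playbook below is an added example, not code from the thread or from the role; `splunkbase_apps`, the `vault_*` variable names (assumed to come from an Ansible Vault-encrypted vars file), and the dotted-numeric version check are assumptions.

```yaml
# Added example, not the role's code. vault_* variables are assumed to be
# defined in an Ansible Vault-encrypted vars file loaded with the play.
- hosts: localhost
  gather_facts: false
  vars:
    splunkbase_auth_url: https://splunkbase.splunk.com/api/account:login/
    splunk_host: mysplunkhost
    splunk_user: admin
    # Readable name kept beside the numeric Splunkbase ID and a pinned version
    splunkbase_apps:
      - { name: "TA NIX", id: 833, version: "8.1.0" }
  tasks:
    - name: Refuse entries without a numeric ID and an exact version
      ansible.builtin.assert:
        that:
          - (item.id | string) is match('^[0-9]+$')
          # Assumed version format: dotted numeric, as in 8.1.0
          - (item.version | default('') | string) is match('^[0-9]+([.][0-9]+)*$')
        fail_msg: "{{ item.name }}: a numeric app ID and an exact version are required"
      loop: "{{ splunkbase_apps }}"
      loop_control: { label: "{{ item.name }}" }
    - name: Get Splunkbase authentication token
      ansible.builtin.uri:
        url: "{{ splunkbase_auth_url }}"
        method: POST
        return_content: true
        body_format: form-urlencoded
        body:
          username: "{{ vault_splunkbase_username }}"
          password: "{{ vault_splunkbase_password }}"
      register: login
      no_log: true  # keeps the password and the returned token out of task output
    - name: Install each pinned Splunkbase app
      ansible.builtin.uri:
        url: "https://{{ splunk_host }}:8089/services/apps/local"
        method: POST
        user: "{{ splunk_user }}"
        password: "{{ vault_splunk_password }}"
        validate_certs: true  # assumes splunkd presents a certificate the controller trusts
        body_format: form-urlencoded
        body:
          name: "https://splunkbase.splunk.com/app/{{ item.id }}/release/{{ item.version }}/download"
          update: "true"
          filename: "true"
          auth: "{{ login.content | regex_search('<id>(.*)</id>', '\\1') | first }}"
        status_code: [200, 201]
        timeout: 300
      loop: "{{ splunkbase_apps }}"
      loop_control: { label: "{{ item.name }}" }
      no_log: true  # the request body carries the Splunkbase token
```

The token is extracted inline in the install task rather than through `set_fact`, so it is never stored as a host fact or shown in task results.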