feat: split management setup into own role (dev)

- the smardigo management instance is now configured by group management. connect is now only for dynamic smardigo instances. - <stage>-management-01-connect.<domain>
4 years ago · 04b5cfb0b7
parent 6571622662
commit 04b5cfb0b7
39 changed files with 426 additions and 285 deletions
--- a/create-database.yml
+++ b/create-database.yml
@ -81,9 +81,6 @@
    - role: connect-postgres
      when: "'connect' in group_names"

-    - role: management-connect-postgres
-      when: "'management_connect' in group_names"
-
    - role: keycloak-postgres
      when: "'keycloak' in group_names"

--- a/create-server.yml
+++ b/create-server.yml
@ -82,8 +82,6 @@
  roles:
    - role: hcloud

-
-
 #############################################################
 # Setup servers for created inventory
 #############################################################
--- a/create-service.yml
+++ b/create-service.yml
@ -58,11 +58,6 @@
      with_items: "{{ cluster_services }}"
      when: item in ['connect_wordpress']

-    - name: Remove hosts
-      hosts: "{{ stage }}-{{ tenant_id }}-{{ cluster_name }}-01"
-      tasks:
-        - meta: refresh_inventory
-
 #############################################################
 # Setup services for created inventory
 #############################################################
--- a/group_vars/keycloak/plain.yml
+++ b/group_vars/keycloak/plain.yml
@ -25,19 +25,13 @@ keycloak: {
      ],
      groups: [
        {
-          "name": "admin",
-        },
-        {
-          "name": "smardigo",
-        },
-        {
-          "name": "sensw",
+          "name": "awx",
        },
        {
-          "name": "ssp",
+          "name": "admin",
        },
        {
-          "name": "awx",
+          "name": "smardigo",
        },
      ],
      clients: [
@ -48,40 +42,12 @@ keycloak: {
          root_url: '',
          redirect_uris: '
            [
-              "https://{{ stage }}-docker-registry-01.{{ domain }}/*",
+              "{{ http_s }}://{{ stage }}-docker-registry-01.{{ domain }}/*",
            ]',
          secret: '{{ docker_registry_oidc_client_secret }}',
          web_origins: '
            [
-              "https://{{ stage }}-docker-registry-01.{{ domain }}",
-            ]',
-        }
-      ]
-    },
-    {
-      name: '{{ smardigo_management_oidc_realm }}',
-      display_name: '{{ smardigo_management_oidc_realm }}',
-      users: [
-        {
-          "username": "{{ management_admin_username }}",
-          "password": "{{ management_admin_password }}",
-          "email": "{{ connect_admin_email }}",
-        }
-      ],
-      clients: [
-        {
-          clientId: '{{ smardigo_management_oidc_client_id }}',
-          name: '{{ smardigo_management_oidc_client_id }}',
-          admin_url: '',
-          root_url: '',
-          redirect_uris: '
-            [
-              "https://{{ stage }}-management-smardigo-01-connect.{{ domain }}/*",
-            ]',
-          secret: '{{ smardigo_management_oidc_client_secret }}',
-          web_origins: '
-            [
-              "https://{{ stage }}-management-smardigo-01-connect.{{ domain }}",
+              "{{ http_s }}://{{ stage }}-docker-registry-01.{{ domain }}",
            ]',
        }
      ]
--- a/group_vars/management/plain.yml
+++ b/group_vars/management/plain.yml
@ -0,0 +1,55 @@
+---
+
+hetzner_server_type: cx21
+
+connect_image_version: "8.5.0-SMARCH-98-1-SNAPSHOT"
+
+connect_workflow_env: "stage:{{ stage }};smardigoUserToken:{{ management_smardigo_user_token }}"
+connect_process_search_module: "external"
+connect_oidc_client_secret: "{{ management_oidc_client_secret }}"
+spring_profiles_include: "prod,postgres,elastic,swagger"
+
+tenant_id: "{{ management_oidc_realm }}"
+cluster_size: "1"
+cluster_name: "{{ management_oidc_client_id }}"
+cluster_services_str: "connect"
+current_realm_name: "management"
+current_realm_display_name: "Stage Management"
+
+postgres_acls:
+  - name: "{{ connect_postgres_database }}"
+    password: "{{ connect_postgres_password }}"
+    trusted_cidr_entry: "{{ shared_service_network }}"
+
+current_realm_clients: [
+  {
+    name: '{{ management_oidc_client_id }}',
+    clientId: "{{ management_oidc_client_id }}",
+    admin_url: '',
+    root_url: '',
+    redirect_uris: '
+      [
+        "{{ http_s }}://{{ connect_base_url }}/*"
+      ]',
+    secret: '{{ management_oidc_client_secret }}',
+    web_origins: '
+      [
+        "{{ http_s }}://{{ connect_base_url }}"
+      ]',
+  }
+]
+
+current_realm_users: [
+  {
+    "username": "{{ management_admin_username }}",
+    "password": "{{ management_admin_password }}",
+    "email": "{{ connect_admin_email }}",
+  }
+]
+current_realm_admin_users: [
+  {
+    "username": "{{ management_realm_admin_username }}",
+    "password": "{{ management_realm_admin_password }}",
+    "email": "{{ connect_admin_email }}",
+  }
+]
--- a/group_vars/stage_dev/plain.yml
+++ b/group_vars/stage_dev/plain.yml
@ -30,7 +30,7 @@ shared_service_iam_hostname: "dev-iam-01.smardigo.digital"
 shared_service_keycloak_hostname: "dev-keycloak-01.smardigo.digital"
 shared_service_mail_hostname: "dev-mail-01.smardigo.digital"
 shared_service_webdav_hostname: "dev-webdav-01.smardigo.digital"
-management_service_connect_hostname: "dev-management-smardigo-01-connect.smardigo.digital"
+management_service_connect_hostname: "dev-management-01-connect.smardigo.digital"

 keycloak_server_url: "https://{{ shared_service_keycloak_hostname }}"

@ -100,8 +100,8 @@ postgres_listen_addresses: "listen_addresses = 'localhost,{{ stage_server_ip }},
 connect_image_version: "latest"
 iam_image_version: "latest"

-smardigo_management_oidc_realm: "smardigo"
-smardigo_management_oidc_client_id: "management-smardigo"
+management_oidc_realm: "management"
+management_oidc_client_id: "smardigo"

 smardigo_management_url: "{{ http_s }}://{{ management_service_connect_hostname }}/api/v1/scopes/{{ scope_id }}/processes/{{ process_instance_id }}/messages"
 smardigo_management_token: "eyJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiZGlyIn0..rCRO1cVFgkyZ45D5cJNK5g.fc6JVOo5ja5sqe-0PQTfJGOivJ6tyiD-rwgY6rXJ3-U.tOgqgJ2zTjB3_M9BGtvVjQ"
@ -127,26 +127,30 @@ docker_admin_password: "docker-admin"

 management_admin_username: "management-admin"
 management_admin_password: "management-admin"
+management_realm_admin_username: "management-realm-admin"
+management_realm_admin_password: "management-realm-admin"

-#harbor_admin_username: "< see vault >"
-#harbor_admin_password: "< see vault >"
-#harbor_postgresql_password: "< see vault >"
+harbor_admin_username: "{{ harbor_admin_username_vault }}"
+harbor_admin_password: "{{ harbor_admin_password_vault }}"
+harbor_postgresql_password: "{{ harbor_postgresql_password_vault }}"

-#docker_registry_username: "< see vault >"
-#docker_registry_token: "< see vault >"
+docker_registry_username: "{{ docker_registry_username_vault }}"
+docker_registry_token: "{{ docker_registry_token_vault }}"

-#elastic_admin_username: "< see vault >"
-#elastic_admin_password: "< see vault >"
+elastic_admin_username: "{{ elastic_admin_username_vault }}"
+elastic_admin_password: "{{ elastic_admin_password_vault }}"

-#postgres_replicator_user_password: "< see vault >"
+postgres_replicator_user_password: "{{ postgres_replicator_user_password_vault }}"

-#mysql_root_username: "< see vault >"
-#mysql_root_password: "< see vault >"
+mysql_root_username: "{{ mysql_root_username_vault }}"
+mysql_root_password: "{{ mysql_root_password_vault }}"

-#pgadmin4_admin_username: "< see vault >"
-#pgadmin4_admin_password: "< see vault >"
+pgadmin4_admin_username: "{{ pgadmin4_admin_username_vault }}"
+pgadmin4_admin_password: "{{ pgadmin4_admin_password_vault }}"

-#netgo_msteams_hook_alerting: "< see vault >"
+netgo_msteams_hook_alerting: "{{ netgo_msteams_hook_alerting_vault }}"

-#docker_registry_oidc_client_secret: "< see vault >"
-#smardigo_management_oidc_client_secret: "< see vault >"
+docker_registry_oidc_client_secret: "{{ docker_registry_oidc_client_secret_vault }}"
+management_oidc_client_secret: "{{ management_oidc_client_secret_vault }}"
+
+management_smardigo_user_token: "{{ management_smardigo_user_token_vault }}"
--- a/group_vars/stage_dev/vault.yml
+++ b/group_vars/stage_dev/vault.yml
@ -1,54 +1,65 @@
 $ANSIBLE_VAULT;1.1;AES256
-35346362306332356236376264393165646266386333313561616633613661363634323031363937
-3564323261346239313539626166373031653531653430350a353766353239353262376366343936
-63303633383837323533643461373062373833623864373762326538383332663835306465346662
-3536353130653762650a653138663463306661626365653430396636623532333061663632336564
-34353130383534386236323030613130636366303839363739643461633866356136623761633564
-66333239636363393030386232323535343363656266376537393639656131633630333362373437
-33373363326535316330353463306434346237663439343461366634633765383633336130663233
-63633933616537363235373132386232386538323431313465306338613665306237333039626164
-63333631323436623631333739346134373738303864316264343837383731323831383563633235
-35363332383338363832646166663630393930666531366335366533313433376231613032323134
-63613238326135623032653466616338663633633465363630353761306636356264653765353534
-64343062373339393563373530343065313233643862653839343265333730373537623230353135
-62373337346530653263343631333937353538326134383332646263336661623134383965393861
-33343031663139363033383935373161306562623066306462623730343763336661383037383137
-36643439363635343865663133363931313661383234386234393161313137303038653339643565
-37326365353166306533376263396230643830633432636338323537363636326330313863613463
-66383236383339326165373836373166366434343531316631356132613431376263353231393031
-65356265336132383337306632313365663266633133353062313531643966343338636131316437
-38326438313466366336386531643733393932613935646364616433646238616433643634333335
-36366263646466666639626563613631613363353535353465396330653365386262633662373937
-32643462343730376536613062346137633865356366626263643363386434336361313730633139
-37323135393036613838323739333236376363636536636333666638356232616233666462646138
-32393938643462656237396138363463323966633334366334636465396463336533656265373030
-31336330396266306233613466383036346164653337343762626338373538316339353963323761
-38386266313564303733393361633735313762373932383763633262636565363565373863313763
-64653666666633326639653938613364366463386537663330373630663338306436663561363035
-33633035633335306261323164616636363561343332336534666564633964323463353039616431
-30313833333933393637356563343336353034336432313861313163663732643635396135623332
-61373734343733396233336462313831623335643133353933653635303636643038343737393566
-61656238356436306365343032346432616630373565656563303233623961323062313863633037
-32653761356662386566323934303735643062643865623661646366336263616636393736636335
-63626530313237373962343362346137656230646437306265353030386234373235343735303638
-65333131666435333464303338366662396565353636313237353830336366343561616634363439
-39663638396236633432613236333561356537626262626431663437353331366462366534383339
-63646337333463346136383966333535633731303631633966636130633539366334333534326336
-38316565653561636339643864613633353032366166313763336264396130343164663737356362
-35386561313235643664356264656432346266333833326366666239303361666630633266346262
-65643235616637356133646335303565353162323965623331363964333632646366323637396630
-31623234313065306431616231306134376636626232393231346636663832396266333864373130
-61356434306534393566393931356331326539653064326637393930623133346164646231626165
-35396135376532373830396236653161653137633062376437303339663433653133383630633662
-65663165336237313537303431343933333961366633333565656165656336613331613432633733
-39646538306636343839383466613333316534656131663866316334306564316135383837653964
-31393365366461356532616563353137656262323438353063613739333835323236333335353862
-66353065336663623038323130656433656231643439633133346333663530313738656461396366
-39626461383339333966626235613334343439656631653465373932366163646332343063303666
-32373133616164313034623638393438613834303133363134623562653461306430326135616663
-61323662633837613531336337386266623535316235373730616362663662363734663561363735
-62363766303561363930386139643632333565353733353338643863633261663333643937356135
-62363561373165343632346266363634323332373735633039393235383330323035613830656166
-32366334636336393065326564366361383264386335613630643166353264323032353262393865
-34333066363437373636643432396262366630396463383334356664643337646530616135316438
-31373563633637313464346637363262303430616463363632306364326339643863
+31333365653764633037643362613138633531313832313434646339306436663839653238333461
+6263353233386636326430356634333937343665333930610a336638356238623131613038306564
+66363934333339626463383662616131393364313263343264383062343032613331323136633733
+3063343730623031380a613139643738356535383436386664373236333139643561396232316632
+39366636343263323339363161393436346461323933663662356264633630363164383064306535
+65363839393336346333303062333466313133383539353539626435616462363332666238626566
+31626239653335306564333530636334383765373936366430623765653232393764323239616664
+32333632393338343065666534636635356338653534363233613666333837616231396634666562
+61303838383137633462643831666266313036333562383131666562346463346133363037356331
+61333863303234383435343334643535313733316436326330373165366537643432613963666331
+62316366633834386335376536363131626563303263363262653065373662643632326434636530
+35613237646261303837393363313165343230396661383366306466636336303338623830663332
+31393866323834653438303234643934353166316362333439656133613466646535653739333338
+64333862623230306266646131313664343934613432653866666134396432646365303432613332
+37353236353933323034343536396666653530313837346530616634313532623236623465663864
+38303331323433323131333539363366393962646534326135343630616131373739303232633231
+33643265323831316463363134363339313865313062663366323263306239666137303065393165
+36643061363562666665323465656562323330666132613064303935376538333463353832633262
+62373535613230623238646362353963393238353434393239396339393533376237663430393565
+66343933666433636534666534643731663133303831626132326461613566356430626661623139
+64303532616439383631393563343538643531353438653565366130666463393935373261613335
+65316564623762303432306365343364303739343865633635666437376237373930356466363435
+64323336633962663630663165316163313236623665343631616365623834663730623263353332
+38323364343865636531386136613835653332383639306536656238633533303865386436653633
+36633831626230353736626231376165653162623733323863356261613864393966666566636136
+38656364316435396135393261383033646262653861393833633838323235653835333934633134
+65323538646138623535346164386164663133393032343862393363656436656430343834333263
+65656435623232346333353336353330633836316363656634623735306164393838393139306539
+37653636323531653537306564373330663138303236626639643365303339643832393839373365
+66323737373438616666636266396238346565633730323134363936336161393765623366386535
+66633232336166623534383835383533303338383335373630336564383938303731616438646135
+39656238616331363032643630623132376333303433623061323533633937303130356364613763
+62613834346464396263313061366230396235323332323331333235306664313030643462633365
+33633833626263646435396137303939653163353136353366326565626335663132333139663363
+33663239663238376566623833373133393338393630616231623632623239633031666534303363
+39636237613366306635336534666533616463366537303161633461393465333237623661623464
+33643236383834353165393966326162626230636161393834396535653462386161386262656334
+32316632316330363761366336353961356163643264663262326164303463626363663739366262
+34356437633666343966613231653633393930616238363561633637353963343765353065623434
+34313761373366636430356166646161396332663632643061303331343335316539396263656633
+31616264646263616166653530336134313633393939636632393730333736613963383762366135
+30353733313065623034303236333036613238363039343436333866343866356461396233613136
+61316137363932333966373065386635633062643638646261303065646534373531666530663437
+64323163326236346132326163316132633462366236623962386563623161316432656633346261
+64626239346239653465376235623539363332353435366239353865396164626437643062386261
+30633363656531663235373730353335383731386164633837633032613661663861376230333439
+30363133306163323731656639343564666635356665636438636265643138306231333638663632
+30343464373231613763386638623961656436616661373466336466353333323862653237643063
+34613266383834633137393864623464646131623037313862626437366363616532316561333639
+36653363396630663432366331343831633865633864393364666135633766393132303735613136
+30653037613637393864373361643831363866373166316233623431386465326461333761306562
+63633464366564366564333730633733326234613434386165353132663363623533653637663435
+39363332343334363031353630346138353334316564313539396231376137373639323433346563
+30646333663462653962393866613666336231373230663930366365313134326265623530313434
+33363936333865623561333331633763356238316339373963313039623930653531313662613764
+65626365323164666631303465303736356537333336383539633062383663386364386236653233
+35616430663136633561306136323463316533396565663730326132356565303333393162313062
+35393738346339626462366363376661353663626264643035623231333565383439666665333738
+32346237316630376332303630646362613632613535363730663766616531303332333462333137
+65366461633234356562323536396232313837343862366362393238393862393264613162663837
+39376134376563383236633832323066636338623066363230356666653365643566333331353430
+34643433343034663264666663386335313763303165626134663532303432663739336363376532
+62306237333865353362623165313263336464303633313938336338376366363738356132376562
+34393263383264316330
--- a/group_vars/stage_qa/plain.yml
+++ b/group_vars/stage_qa/plain.yml
@ -76,7 +76,7 @@ shared_service_iam_hostname: "{{ stage }}-iam-01.{{ domain }}"
 shared_service_mail_hostname: "{{ stage }}-mail-01.{{ domain }}"
 shared_service_webdav_hostname: "{{ stage }}-webdav-01.{{ domain }}"
 shared_service_keycloak_hostname: "{{ stage }}-keycloak-01.{{ domain }}"
-management_service_connect_hostname: "{{ stage }}-management-smardigo-01-connect.{{ domain }}"
+management_service_connect_hostname: "{{ stage }}-management-01-connect.{{ domain }}"

 shared_service_docker_registry_hostname: "{{ stage }}-docker-registry-01.{{ domain }}"

@ -148,8 +148,8 @@ postgres_listen_addresses: "listen_addresses = 'localhost,{{ stage_server_ip }},
 connect_image_version: "latest"
 iam_image_version: "latest"

-smardigo_management_oidc_realm: "smardigo"
-smardigo_management_oidc_client_id: "management-smardigo"
+management_oidc_realm: "management"
+management_oidc_client_id: "smardigo"

 smardigo_management_url: "{{ http_s }}://{{ management_service_connect_hostname }}/api/v1/scopes/{{ scope_id }}/processes/{{ process_instance_id }}/messages"
 smardigo_management_token: "eyJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiZGlyIn0..ynbVHutFvwcnzGNpUrObEA.2kHkShTJHDQIRY5QVmwrC-pQOasbQeHb33L5W4wWDdw.OVghXkhWdkps0YYEomO-pg"
@ -176,25 +176,25 @@ docker_admin_password: "{{ docker_admin_password_vault }}"
 management_admin_username: "management-admin"
 management_admin_password: "{{ management_admin_password_vault }}"

-#harbor_admin_username: "< see vault >"
-#harbor_admin_password: "< see vault >"
-#harbor_postgresql_password: "< see vault >"
+harbor_admin_username: "{{ harbor_admin_username_vault }}"
+harbor_admin_password: "{{ harbor_admin_password_vault }}"
+harbor_postgresql_password: "{{ harbor_postgresql_password_vault }}"

-#docker_registry_username: "< see vault >"
-#docker_registry_token: "< see vault >"
+docker_registry_username: "{{ docker_registry_username_vault }}"
+docker_registry_token: "{{ docker_registry_token_vault }}"

-#elastic_admin_username: "< see vault >"
-#elastic_admin_password: "< see vault >"
+elastic_admin_username: "{{ elastic_admin_username_vault }}"
+elastic_admin_password: "{{ elastic_admin_password_vault }}"

-#postgres_replicator_user_password: "< see vault >"
+postgres_replicator_user_password: "{{ postgres_replicator_user_password_vault }}"

-#mysql_root_username: "< see vault >"
-#mysql_root_password: "< see vault >"
+mysql_root_username: "{{ mysql_root_username_vault }}"
+mysql_root_password: "{{ mysql_root_password_vault }}"

-#pgadmin4_admin_username: "< see vault >"
-#pgadmin4_admin_password: "< see vault >"
+pgadmin4_admin_username: "{{ pgadmin4_admin_username_vault }}"
+pgadmin4_admin_password: "{{ pgadmin4_admin_password_vault }}"

-#netgo_msteams_hook_alerting: "< see vault >"
+netgo_msteams_hook_alerting: "{{ netgo_msteams_hook_alerting_vault }}"

-#docker_registry_oidc_client_secret: "< see vault >"
-#smardigo_management_oidc_client_secret: "< see vault >"
+docker_registry_oidc_client_secret: "{{ docker_registry_oidc_client_secret_vault }}"
+management_oidc_client_secret: "{{ management_oidc_client_secret_vault }}"
--- a/host_vars/dev-management-smardigo-01.yml
+++ b/host_vars/dev-management-smardigo-01.yml
@ -1,13 +0,0 @@
---
-
-hetzner_server_type: cpx21
-
-connect_workflow_env: "stage:{{ stage }}"
-connect_elastic_prefix: "dev_management_smardigo_connect"
-connect_postgres_database: "dev_management_smardigo_connect"
-connect_process_search_module: "external"
-
-current_realm_name: "{{ smardigo_management_oidc_realm }}"
-cluster_name: "{{ smardigo_management_oidc_client_id }}"
-connect_oidc_client_secret: "{{ smardigo_management_oidc_client_secret }}"
-spring_profiles_include: "prod,postgres,elastic,swagger"
--- a/host_vars/qa-management-smardigo-01.yml
+++ b/host_vars/qa-management-smardigo-01.yml
@ -1,13 +0,0 @@
---
-
-hetzner_server_type: cpx21
-
-connect_workflow_env: "stage:{{ stage }}"
-connect_elastic_prefix: "qa_management_smardigo_connect"
-connect_postgres_database: "qa_management_smardigo_connect"
-connect_process_search_module: "external"
-
-current_realm_name: "{{ smardigo_management_oidc_realm }}"
-cluster_name: "{{ smardigo_management_oidc_client_id }}"
-connect_oidc_client_secret: "{{ smardigo_management_oidc_client_secret }}"
-spring_profiles_include: "prod,postgres,elastic,swagger"
--- a/roles/_digitalocean/tasks/_remove_dns.yml
+++ b/roles/_digitalocean/tasks/_remove_dns.yml
@ -38,7 +38,7 @@
  become: false
  tags:
    - update_dns
-    
+
 - name: "Delete DNS entry <{{ inventory_hostname }}> for <{{ domain }}>"
  uri:
    method: DELETE
--- a/roles/_digitalocean/tasks/domain.yml
+++ b/roles/_digitalocean/tasks/domain.yml
@ -1,6 +1,61 @@
 ---

- name: Create DNS entry for <{{ record_name }}> if necessary
+- name: "Read DNS entry for {{ record_name }}.{{ domain }} from digitalocean"
+  uri:
+    url: "https://api.digitalocean.com/v2/domains/{{ domain }}/records?name={{ record_name }}.{{ domain }}"
+    headers:
+      accept: application/json
+      authorization: Bearer {{ digitalocean_authentication_token }}
+    return_content: yes
+  register: domain_records_response
+  delegate_to: 127.0.0.1
+  become: false
+  tags:
+    - update_dns
+
+- name: "Save DNS entry as variable (fact)"
+  set_fact: 
+    domain_records_response_json: "{{ domain_records_response.json }}"
+  delegate_to: 127.0.0.1
+  become: false
+  tags:
+    - update_dns
+
+- name: "Parse DNS entry for {{ record_name }}.{{ domain }}"
+  set_fact:  
+    domain_record: "{{ domain_records_response_json.domain_records | json_query(jmesquery) | first | default({'name': '-', 'ip': '-'}) }}"
+  vars:
+    jmesquery: '[*].{id: id, name: name, ip: data}'
+  delegate_to: 127.0.0.1
+  become: false
+  tags:
+    - update_dns
+
+- name: "Print DNS entry for {{ record_name }}.{{ domain }}"
+  debug:
+    msg: "{{ domain_record }}"
+  delegate_to: 127.0.0.1
+  become: false
+  tags:
+    - update_dns
+
+- name: "Delete DNS entry for <{{ record_data }}:{{ record_name }}> if necessary"
+  uri:
+    method: DELETE
+    url: "https://api.digitalocean.com/v2/domains/{{ domain }}/records/{{ domain_record.id }}"
+    headers:
+      authorization: Bearer {{ digitalocean_authentication_token }}
+    return_content: yes
+    status_code: 204
+  when:
+        domain_record.ip != '-'
+    and record_data != domain_record.ip
+  delegate_to: 127.0.0.1
+  become: false
+  tags:
+    - update_dns
+
+- name: "Create DNS entry for <{{ record_name }}> if necessary"
  uri:
    method: POST
    url: "https://api.digitalocean.com/v2/domains/{{ domain }}/records"
--- a/roles/awx/tasks/awx-config-get-typ-id.yml
+++ b/roles/awx/tasks/awx-config-get-typ-id.yml
@ -30,6 +30,7 @@
  debug:
    msg: "{{ awx_type_info_json }}"
  delegate_to: 127.0.0.1
+  become: false
  when:
   - debug
  tags:
@ -48,6 +49,7 @@
  debug:
    msg: "{{ awx_type_id }}"
  delegate_to: 127.0.0.1
+  become: false
  when:
   - debug
  tags:
--- a/roles/awx/tasks/awx-config-job-template-credential.yml
+++ b/roles/awx/tasks/awx-config-job-template-credential.yml
@ -29,6 +29,7 @@
  debug:
    msg: "{{ awx_job_template_info_json }}"
  delegate_to: 127.0.0.1
+  become: false
  when:
   - debug
  tags:
@ -47,6 +48,7 @@
  debug:
    msg: "{{ awx_type_id }}"
  delegate_to: 127.0.0.1
+  become: false
  when:
   - debug
   - awx_type_id is defined
--- a/roles/awx/tasks/awx-config.yml
+++ b/roles/awx/tasks/awx-config.yml
@ -12,6 +12,7 @@
  debug:
    msg: "{{ ansible_ssh_key_private }}"
  delegate_to: 127.0.0.1
+  become: false
  when:
   - debug
  tags:
--- a/roles/connect/tasks/main.yml
+++ b/roles/connect/tasks/main.yml
@ -56,9 +56,9 @@
    name: _deploy
    tasks_from: templates
  vars:
-    current_config: "elastic-certs/{{ stage}}-certs"
+    current_config: "elastic-certs/{{ stage}}-certs/ca"
    current_base_path: "{{ service_base_path }}"
-    current_destination: "{{ connect_id }}/certs"
+    current_destination: "{{ connect_id }}/certs/ca"
    current_owner: "{{ docker_owner }}"
    current_group: "{{ docker_group }}"
    cleanup_destination: "true"
--- a/roles/connect/vars/main.yml
+++ b/roles/connect/vars/main.yml
@ -93,7 +93,7 @@ connect_environment: [
  "LOG_LEVEL_WORKFLOW_INDEX: \"{{ connect_loglevel_workflow_index | default('INFO') }}\"",
  "LOG_LEVEL_WORKFLOW_ANALYSIS: \"{{ connect_loglevel_workflow_analysis | default('INFO') }}\"",
  
-  "WORKFLOW_ENV: \"{{ connect_workflow_env | default('{}') }}\"",
+  "WORKFLOW_ENV: \"{{ connect_workflow_env | default('') }}\"",
 ]

 connect_docker: {
--- a/roles/hcloud/tasks/_read_server_infos.yml
+++ b/roles/hcloud/tasks/_read_server_infos.yml
@ -28,4 +28,4 @@
  tags:
    - update_config
  when:
-   - debug
+   - debug
--- a/roles/hcloud/tasks/_read_server_names.yml
+++ b/roles/hcloud/tasks/_read_server_names.yml
@ -28,4 +28,4 @@
  tags:
    - update_config
  when:
-   - debug
+   - debug
--- a/roles/hcloud/tasks/_set_server_state.yml
+++ b/roles/hcloud/tasks/_set_server_state.yml
@ -11,4 +11,4 @@
    location: nbg1
    state: "{{ server_state }}"
  delegate_to: 127.0.0.1
-  become: false
+  become: false
--- a/roles/hcloud/tasks/configure-firewall.yml
+++ b/roles/hcloud/tasks/configure-firewall.yml
@ -29,6 +29,7 @@
    status_code: 201
  when: firewall_records | selectattr("name", "equalto", current_firewall_name) | list | length == 0
  delegate_to: 127.0.0.1
+  become: false
  tags:
    - update_networks

@ -46,5 +47,6 @@
    status_code: 200
  when: firewall_records | selectattr("name", "equalto", current_firewall_name) | list | length == 1
  delegate_to: 127.0.0.1
+  become: false
  tags:
    - update_networks
--- a/roles/hetzner-state/tasks/main.yml
+++ b/roles/hetzner-state/tasks/main.yml
@ -9,3 +9,4 @@
    name: "{{ inventory_hostname }}"
    state: "{{ hetzner_state }}"
  delegate_to: 127.0.0.1
+  become: false
--- a/roles/keycloak/tasks/_authenticate.yml
+++ b/roles/keycloak/tasks/_authenticate.yml
@ -8,6 +8,7 @@
    body: 'username={{ keycloak_admin_username }}&password={{ keycloak_admin_password }}&client_id=admin-cli&grant_type=password'
  register: keycloak_authentication
  delegate_to: 127.0.0.1
+  become: false
  retries: 5
  delay: 5

@ -18,5 +19,7 @@
 - name: "Printing access_token for keycloak server"
  debug:
    msg: "{{ access_token }}"
+  delegate_to: 127.0.0.1
+  become: false
  when:
   - debug
--- a/roles/keycloak/tasks/_configure_client.yml
+++ b/roles/keycloak/tasks/_configure_client.yml
@ -3,6 +3,8 @@
 - name: Print client {{ client_id }} for realm {{ realm_name }}
  debug:
    msg: "{{ lookup('template','keycloak-realm-create-client.json.j2') }}"
+  delegate_to: 127.0.0.1
+  become: false
  when:
   - debug

@ -18,3 +20,4 @@
  changed_when: True
  when: realm_client_ids | selectattr('clientId', 'equalto', client_id) | list | length == 0
  delegate_to: 127.0.0.1
+  become: false
--- a/roles/keycloak/tasks/_configure_realm.yml
+++ b/roles/keycloak/tasks/_configure_realm.yml
@ -9,20 +9,27 @@
    status_code: [200]
  register: realms
  delegate_to: 127.0.0.1
+  become: false

 - name: Save realms as variable (fact)
  set_fact: 
    realms_json: "{{ realms.json }}"
+  delegate_to: 127.0.0.1
+  become: false

 - name: Read realm ids
  set_fact:  
    realm_ids: "{{ realms_json | json_query(jmesquery) }}"
  vars:
    jmesquery: '[*].id'
+  delegate_to: 127.0.0.1
+  become: false

 - name: "Printing realm ids"
  debug:
    msg: "{{ realm_ids }}"
+  delegate_to: 127.0.0.1
+  become: false
  when:
   - debug

@ -37,6 +44,7 @@
    status_code: [201]
  when: current_realm_name not in realm_ids
  delegate_to: 127.0.0.1
+  become: false

 - name: Read clients from realm {{ current_realm_name }}
  uri:
@ -47,20 +55,27 @@
    status_code: [200]
  register: realm_clients
  delegate_to: 127.0.0.1
+  become: false

 - name: Save clients from realm as variable (fact)
  set_fact: 
    realm_clients_json: "{{ realm_clients.json }}"
+  delegate_to: 127.0.0.1
+  become: false

 - name: "Save client ids from realm {{ current_realm_name }}"
  set_fact:  
    realm_client_ids: "{{ realm_clients_json | json_query(jmesquery) }}"
  vars:
    jmesquery: '[*].{id: id, clientId: clientId}'
+  delegate_to: 127.0.0.1
+  become: false

 - name: "Printing client ids from realm {{ current_realm_name }}"
  debug:
    msg: "{{ realm_client_ids }}"
+  delegate_to: 127.0.0.1
+  become: false
  when:
   - debug

--- a/roles/keycloak/tasks/_configure_realm_admin_users.yml
+++ b/roles/keycloak/tasks/_configure_realm_admin_users.yml
@ -0,0 +1,109 @@
+---
+
+- name: "Reading users of realm {{ current_realm_name }}"
+  uri:
+    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ current_realm_name }}/users"
+    method: GET
+    headers:
+      Authorization: "Bearer {{ access_token}} "
+    status_code: [200]
+  register: realm_users
+  delegate_to: 127.0.0.1
+  become: false
+
+- name: "Saving users of realm {{ current_realm_name }} as variable (fact)"
+  set_fact: 
+    realm_users_json: "{{ realm_users.json }}"
+  delegate_to: 127.0.0.1
+  become: false
+
+- name: "Reading realm admin user id for <{{ current_realm_admin_user.username }}>"
+  set_fact:  
+    realm_admin_user_id: "{{ realm_users_json | json_query(jmesquery) | first | default('None') }}"
+  vars:
+    jmesquery: "[?username==`{{ current_realm_admin_user.username }}`].id"
+  delegate_to: 127.0.0.1
+  become: false
+
+- name: "Printing realm admin user id for <{{ current_realm_admin_user.username }}>"
+  debug:
+    msg: "{{ realm_admin_user_id }}"
+  delegate_to: 127.0.0.1
+  become: false
+  when:
+   - debug
+
+- name: "Reading realm clients"
+  uri:
+    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ current_realm_name }}/clients"
+    method: GET
+    headers:
+      Authorization: "Bearer {{ access_token}} "
+    status_code: [200]
+  register: realm_clients
+  delegate_to: 127.0.0.1
+  become: false
+
+- name: "Saving clients of realm {{ current_realm_name }} as variable (fact)"
+  set_fact: 
+    realm_clients_json: "{{ realm_clients.json }}"
+  delegate_to: 127.0.0.1
+  become: false
+
+- name: "Reading realm management client id"
+  set_fact:  
+     realm_management_client_id:  "{{ realm_clients_json | json_query(jmesquery) | first | default('None') }}"
+  vars:
+    jmesquery: "[?clientId=='realm-management'].id"
+  delegate_to: 127.0.0.1
+  become: false
+
+- name: "Printing realm management client id"
+  debug:
+    msg: "{{ realm_management_client_id }}"
+  delegate_to: 127.0.0.1
+  become: false
+  when:
+   - debug
+
+- name: "Reading available role mappings for realm management client"
+  uri:
+    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ current_realm_name }}/users/{{ realm_admin_user_id }}/role-mappings/clients/{{ realm_management_client_id }}/available"
+    method: GET
+    headers:
+      Authorization: "Bearer {{ access_token}} "
+    status_code: [200]
+  register: realm_admin_user_client_available_roles_response
+  delegate_to: 127.0.0.1
+  become: false
+
+- name: "Reading realm admin role id for management client"
+  set_fact:  
+     realm_admin_role_id:  "{{ realm_admin_user_client_available_roles_response.json | json_query(jmesquery) | first | default('None') }}"
+  vars:
+    jmesquery: "[?name=='realm-admin'].id"
+  delegate_to: 127.0.0.1
+  become: false
+
+- name: "Printing realm admin role id for management client"
+  debug:
+    msg: "{{ realm_admin_role_id }}"
+  delegate_to: 127.0.0.1
+  become: false
+  when:
+   - debug
+
+- name: "Adding realm admin role to user {{ realm_admin_user_id }}"
+  uri:
+    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ current_realm_name }}/users/{{ realm_admin_user_id }}/role-mappings/clients/{{ realm_management_client_id }}"
+    method: POST
+    body_format: json
+    body: "{{ lookup('template','keycloak-become-realm-admin-user.json.j2') }}"
+    headers:
+      Content-Type: "application/json"
+      Authorization: "Bearer {{ access_token }}"
+    status_code: [204]
+  changed_when: True
+  when: realm_admin_role_id != 'None'
+  delegate_to: 127.0.0.1
+  become: false
--- a/roles/keycloak/tasks/_create_realm_admin.yml
+++ b/roles/keycloak/tasks/_create_realm_admin.yml
@ -8,26 +8,35 @@
    status_code: [200]
  register: realm_users
  delegate_to: 127.0.0.1
+  become: false

 - name: "Printing realm users"
  debug:
    msg: "{{ realm_users }}"
+  delegate_to: 127.0.0.1
+  become: false
  when:
   - debug

 - name: "Saving users of realm {{ current_realm_name }} as variable (fact)"
  set_fact: 
    realm_users_json: "{{ realm_users.json }}"
+  delegate_to: 127.0.0.1
+  become: false

 - name: "Reading user ids of realm {{ current_realm_name }}"
  set_fact:  
    realm_user_usernames:  "{{ realm_users_json | json_query(jmesquery) }}"
  vars:
    jmesquery: '[*].username'
+  delegate_to: 127.0.0.1
+  become: false

 - name: "Printing usernames of realm {{ current_realm_name }}"
  debug:
    msg: "{{ realm_user_usernames }}"
+  delegate_to: 127.0.0.1
+  become: false
  when:
   - debug

@ -41,102 +50,16 @@
      Content-Type: "application/json"
      Authorization: "Bearer {{ access_token }}"
    status_code: [201]
-  with_items: [
-    {
-      "username": "{{ connect_realm_admin_username }}",
-      "password": "{{ connect_realm_admin_password }}",
-    }
-  ]
+  with_items: "{{ current_realm_admin_users }}"
  when: current_realm_user.username not in realm_user_usernames
  changed_when: True
  loop_control:
    loop_var: current_realm_user
  delegate_to: 127.0.0.1
-  
- name: "Reading users of realm {{ current_realm_name }}"
-  uri:
-    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ current_realm_name }}/users"
-    method: GET
-    headers:
-      Authorization: "Bearer {{ access_token}} "
-    status_code: [200]
-  register: realm_users
-  delegate_to: 127.0.0.1
-
- name: "Saving users of realm {{ current_realm_name }} as variable (fact)"
-  set_fact: 
-    realm_users_json: "{{ realm_users.json }}"
-
- name: "Reading realm admin user id"
-  set_fact:  
-    realm_admin_user_id:  "{{ realm_users_json | json_query(jmesquery) | first | default('None') }}"
-  vars:
-    jmesquery: "[?username==`{{ connect_realm_admin_username }}`].id"
-
- name: "Printing realm admin user id"
-  debug:
-    msg: "{{ realm_admin_user_id }}"
-  when:
-   - debug
-
- name: "Reading realm clients"
-  uri:
-    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ current_realm_name }}/clients"
-    method: GET
-    headers:
-      Authorization: "Bearer {{ access_token}} "
-    status_code: [200]
-  register: realm_clients
-  delegate_to: 127.0.0.1
+  become: false

- name: "Saving clients of realm {{ current_realm_name }} as variable (fact)"
-  set_fact: 
-    realm_clients_json: "{{ realm_clients.json }}"
-
- name: "Reading realm management client id"
-  set_fact:  
-     realm_management_client_id:  "{{ realm_clients_json | json_query(jmesquery) | first | default('None') }}"
-  vars:
-    jmesquery: "[?clientId=='realm-management'].id"
-
- name: "Printing realm management client id"
-  debug:
-    msg: "{{ realm_management_client_id }}"
-  when:
-   - debug
-
- name: "Reading available role mappings for realm management client"
-  uri:
-    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ current_realm_name }}/users/{{ realm_admin_user_id }}/role-mappings/clients/{{ realm_management_client_id }}/available"
-    method: GET
-    headers:
-      Authorization: "Bearer {{ access_token}} "
-    status_code: [200]
-  register: realm_admin_user_client_available_roles_response
-  delegate_to: 127.0.0.1
-
- name: "Reading realm admin role id for management client"
-  set_fact:  
-     realm_admin_role_id:  "{{ realm_admin_user_client_available_roles_response.json | json_query(jmesquery) | first | default('None') }}"
-  vars:
-    jmesquery: "[?name=='realm-admin'].id"
-
- name: "Printing realm admin role id for management client"
-  debug:
-    msg: "{{ realm_admin_role_id }}"
-  when:
-   - debug
-
- name: "Adding realm admin role to user {{ realm_admin_user_id }}"
-  uri:
-    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ current_realm_name }}/users/{{ realm_admin_user_id }}/role-mappings/clients/{{ realm_management_client_id }}"
-    method: POST
-    body_format: json
-    body: "{{ lookup('template','keycloak-become-realm-admin-user.json.j2') }}"
-    headers:
-      Content-Type: "application/json"
-      Authorization: "Bearer {{ access_token }}"
-    status_code: [204]
-  changed_when: True
-  when: realm_admin_role_id != 'None'
-  delegate_to: 127.0.0.1
+- name: "Adding admin users from realm {{ current_realm_name }}"
+  include_tasks: _configure_realm_admin_users.yml
+  with_items: "{{ current_realm_admin_users }}"
+  loop_control:
+    loop_var: current_realm_admin_user
--- a/roles/keycloak/tasks/_create_realm_users.yml
+++ b/roles/keycloak/tasks/_create_realm_users.yml
@ -9,26 +9,35 @@
    status_code: [200]
  register: realm_users
  delegate_to: 127.0.0.1
+  become: false

 - name: "Printing realm users"
  debug:
    msg: "{{ realm_users }}"
+  delegate_to: 127.0.0.1
+  become: false
  when:
   - debug

 - name: "Saving users of realm {{ current_realm_name }} as variable (fact)"
  set_fact: 
    realm_users_json: "{{ realm_users.json }}"
+  delegate_to: 127.0.0.1
+  become: false

 - name: "Reading user ids of realm {{ current_realm_name }}"
  set_fact:  
    realm_user_usernames:  "{{ realm_users_json | json_query(jmesquery) }}"
  vars:
    jmesquery: '[*].username'
+  delegate_to: 127.0.0.1
+  become: false

 - name: "Printing usernames of realm {{ current_realm_name }}"
  debug:
    msg: "{{ realm_user_usernames }}"
+  delegate_to: 127.0.0.1
+  become: false
  when:
   - debug

@ -48,3 +57,4 @@
  loop_control:
    loop_var: current_realm_user
  delegate_to: 127.0.0.1
+  become: false
--- a/roles/management-connect-postgres/defaults/main.yml
+++ b/roles/management-connect-postgres/defaults/main.yml
@ -1,6 +0,0 @@
---
-
-postgres_acls:
-  - name: "{{ management_connect_postgres_database }}"
-    password: "{{ management_connect_postgres_password }}"
-    trusted_cidr_entry: "{{ shared_service_network }}"
--- a/roles/management-connect-postgres/tasks/main.yml
+++ b/roles/management-connect-postgres/tasks/main.yml
@ -1,8 +0,0 @@
---
-
-### tags:
-
- name: "Setup postgres for {{ inventory_hostname }}"
-  include_role:
-    name: postgres
-    tasks_from: _postgres-acls
--- a/roles/management/defaults/main.yml
+++ b/roles/management/defaults/main.yml
@ -0,0 +1 @@
+---
--- a/roles/management/handlers/main.yml
+++ b/roles/management/handlers/main.yml
@ -0,0 +1 @@
+---
--- a/roles/management/meta/main.yml
+++ b/roles/management/meta/main.yml
@ -0,0 +1 @@
+---
--- a/roles/management/tasks/main.yaml
+++ b/roles/management/tasks/main.yaml
@ -0,0 +1,17 @@
+---
+
+### tags:
+
+- name: "Create database for <{{ inventory_hostname }}> if necessary"
+  include_role:
+    name: connect-postgres
+  vars:
+    inventory_hostname: "{{ stage }}-postgres-01"
+
+- name: "Create realm for <{{ inventory_hostname }}> if necessary"
+  include_role:
+    name: connect-realm
+
+- name: "Create connect for <{{ inventory_hostname }}> if necessary"
+  include_role:
+    name: connect
--- a/roles/management/vars/main.yml
+++ b/roles/management/vars/main.yml
@ -0,0 +1 @@
+---
--- a/smardigo.yml
+++ b/smardigo.yml
@ -52,5 +52,5 @@
      when: "'iam' in group_names"
    - role: webdav
      when: "'webdav' in group_names"
-    - role: connect
-      when: "'connect' in group_names"
+    - role: management
+      when: "'management' in group_names"
--- a/smardigo/provisioning/script/create-teams-message.groovy
+++ b/smardigo/provisioning/script/create-teams-message.groovy
@ -1,5 +1,5 @@
-def smardigoUrl = "https://" + cluster.stage + "-management-smardigo-01-connect.smardigo.digital/api/redirect/process/" + contextScopeId + "/dossier/simple-connect/" + contextProcessId
-def smardigoMessageUrl = "https://" + cluster.stage + "-management-smardigo-01-connect.smardigo.digital/api/v1/scopes/" + contextScopeId + "/processes/" + contextProcessId + "/messages"
+def smardigoUrl = "https://" + cluster.stage + "-management-01-connect.smardigo.digital/api/redirect/process/" + contextScopeId + "/dossier/simple-connect/" + contextProcessId
+def smardigoMessageUrl = "https://" + cluster.stage + "-management-01-connect.smardigo.digital/api/v1/scopes/" + contextScopeId + "/processes/" + contextProcessId + "/messages"

 def message = [:]
 message["@type"] = "MessageCard"
--- a/6
+++ b/6
@ -2,7 +2,7 @@
 dev-awx-01

 [connect]
-dev-management-smardigo-01
+dev-management-01

 [elastic]
 dev-elastic-stack-elastic-01
@ -24,6 +24,9 @@ dev-elastic-stack-kibana-01
 [logstash]
 dev-elastic-stack-logstash-01

+[management]
+dev-management-01
+
 [maria]
 dev-maria-01

@ -52,6 +55,7 @@ iam
 keycloak
 kibana
 logstash
+management
 maria
 pgadmin4
 postfix
--- a/6
+++ b/6
@ -2,7 +2,7 @@
 qa-awx-01

 [connect]
-qa-management-smardigo-01
+dev-management-01

 [elastic]
 qa-elastic-stack-elastic-01
@ -24,6 +24,9 @@ qa-elastic-stack-kibana-01
 [logstash]
 qa-elastic-stack-logstash-01

+[management]
+dev-management-01
+
 [maria]
 qa-maria-01

@ -52,6 +55,7 @@ iam
 keycloak
 kibana
 logstash
+management
 maria
 pgadmin4
 postfix