add shell var for directory of opensearch security config

cloud-gov · Dec 13, 2024 · 4534502 · 4534502
1 parent 52dba7f
commit 4534502
Showing 1 changed file with 6 additions and 5 deletions.
diff --git a/jobs/opensearch/templates/bin/pre-start.erb b/jobs/opensearch/templates/bin/pre-start.erb
@@ -6,6 +6,7 @@ export JOB_DIR=/var/vcap/jobs/$JOB_NAME
 export OPENSEARCH_PATH_CONF=${JOB_DIR}/config
 export YQ_PACKAGE_DIR=/var/vcap/packages/yq
 export PATH=$YQ_PACKAGE_DIR/bin:$PATH
+export OPENSEARCH_SECURITY_CONFIG_PATH=${OPENSEARCH_PATH_CONF}/opensearch-security
 
 sysctl -q -w vm.max_map_count=262144
 mkdir -p ${OPENSEARCH_HOME}/plugins
@@ -17,7 +18,7 @@ source /var/vcap/packages/openjdk-17/bosh/runtime.env
 
 # Copy default security config if it doesn't already exist
 # Have to copy files that don't exist otherwise securityadmin.sh invocation will fail
-cp -u ${OPENSEARCH_HOME}/config/opensearch-security/*.yml ${OPENSEARCH_PATH_CONF}/opensearch-security
+cp -u ${OPENSEARCH_HOME}/config/opensearch-security/*.yml "$OPENSEARCH_SECURITY_CONFIG_PATH"
 
 <%
   api = p("opensearch.cf.domain")
@@ -29,17 +30,17 @@ cf auth "<%= client %>" "<%= password %>" --client-credentials
 
 cd ${OPENSEARCH_HOME}
 chown -R vcap:vcap config plugins
-chown -R vcap:vcap ${OPENSEARCH_PATH_CONF}/opensearch-security
+chown -R vcap:vcap "$OPENSEARCH_SECURITY_CONFIG_PATH"
 
 # Prepare tenants, roles, and role mappings so that they don't get overridden by securityadmin.sh
 # script invocation in post-start
 for org in $(cf orgs | tail -n +4); do
   ORG_GUID=$(cf org "$org" --guid)
   ROLE_NAME="$org-tenant"
 
-  yq -i ".\"$org\"={\"description\":\"tenant for $org\"}" "$OPENSEARCH_PATH_CONF/opensearch-security/tenants.yml"
-  yq -i ".\"$ROLE_NAME\"={\"tenant_permissions\":[{\"tenant_patterns\": [\"$org\"],\"allowed_actions\": [\"kibana_all_write\"]}]}" "$OPENSEARCH_PATH_CONF/opensearch-security/roles.yml"
-  yq -i ".\"$ROLE_NAME\"={\"backend_roles\": [\"$ORG_GUID\"]}" "$OPENSEARCH_PATH_CONF/opensearch-security/roles_mapping.yml"
+  yq -i ".\"$org\"={\"description\":\"tenant for $org\"}" "$OPENSEARCH_SECURITY_CONFIG_PATH/tenants.yml"
+  yq -i ".\"$ROLE_NAME\"={\"tenant_permissions\":[{\"tenant_patterns\": [\"$org\"],\"allowed_actions\": [\"kibana_all_write\"]}]}" "$OPENSEARCH_SECURITY_CONFIG_PATH/roles.yml"
+  yq -i ".\"$ROLE_NAME\"={\"backend_roles\": [\"$ORG_GUID\"]}" "$OPENSEARCH_SECURITY_CONFIG_PATH/roles_mapping.yml"
 done
 
 # leaving all plugin files and plugins installed for now