From 52a7d465ea81cd4f06bbb2b75467ed67f09aa8b8 Mon Sep 17 00:00:00 2001 From: Carlos Matos Date: Wed, 7 Aug 2024 15:33:21 -0400 Subject: [PATCH 1/7] fix(falcon_install): add support for provisioning token for master image --- .../falcon_configure_remove_aid/converge.yml | 1 + .../falcon_configure_remove_aid/molecule.yml | 2 -- .../falcon_configure_remove_aid/verify.yml | 18 ++++++++++++++++++ roles/falcon_configure/defaults/main.yml | 2 +- roles/falcon_configure/tasks/configure.yml | 12 +++++++++++- roles/falcon_configure/tasks/remove_aid.yml | 2 +- 6 files changed, 32 insertions(+), 5 deletions(-) diff --git a/molecule/falcon_configure_remove_aid/converge.yml b/molecule/falcon_configure_remove_aid/converge.yml index 1a89d5ba..5c1596b0 100644 --- a/molecule/falcon_configure_remove_aid/converge.yml +++ b/molecule/falcon_configure_remove_aid/converge.yml @@ -10,6 +10,7 @@ vars: falcon_option_set: yes falcon_cid: "{{ lookup('env', 'FALCON_CID') }}" + falcon_provisioning_token: "{{ lookup('env', 'FALCON_PROV_TOKEN') }}" falcon_tags: 'molecule,testing' falcon_backend: 'bpf' falcon_remove_aid: yes diff --git a/molecule/falcon_configure_remove_aid/molecule.yml b/molecule/falcon_configure_remove_aid/molecule.yml index 1f825c41..e7b2d172 100644 --- a/molecule/falcon_configure_remove_aid/molecule.yml +++ b/molecule/falcon_configure_remove_aid/molecule.yml @@ -29,7 +29,5 @@ scenario: - create - prepare - converge - - idempotence - - side_effect - verify - destroy diff --git a/molecule/falcon_configure_remove_aid/verify.yml b/molecule/falcon_configure_remove_aid/verify.yml index 4f6a0bc7..0b31362e 100644 --- a/molecule/falcon_configure_remove_aid/verify.yml +++ b/molecule/falcon_configure_remove_aid/verify.yml 
@@ -19,3 +19,21 @@ ansible.builtin.assert: that: - not info_verify.falconctl_info.aid + + - name: Reboot system to force AID generation + ansible.builtin.reboot: + + - name: Get new list of Falcon Sensor Options + crowdstrike.falcon.falconctl_info: + register: new_info_verify + + - name: Validate a new AID is present + ansible.builtin.assert: + that: + - new_info_verify.falconctl_info.aid + + - name: Validate CID and Tags are still present + ansible.builtin.assert: + that: + - new_info_verify.falconctl_info.cid + - new_info_verify.falconctl_info.tags diff --git a/roles/falcon_configure/defaults/main.yml b/roles/falcon_configure/defaults/main.yml index 8cbe48bd..4d197606 100644 --- a/roles/falcon_configure/defaults/main.yml +++ b/roles/falcon_configure/defaults/main.yml @@ -40,7 +40,7 @@ falcon_client_secret: # Installation tokens prevent unauthorized hosts from being accidentally or maliciously added # to your Customer ID (CID). Installation tokens are an optional security # measure for your CID. For more details: -# https://falcon.crowdstrike.com/support/documentation/20/falcon-sensor-for-linux#optional:-installing-to-a-cid-that-requires-installation-tokens +# https://falcon.crowdstrike.com/support/documentation/page/f4d593ca/installation-options-for-falcon-sensor-for-linux#l086f14c # falcon_provisioning_token: diff --git a/roles/falcon_configure/tasks/configure.yml b/roles/falcon_configure/tasks/configure.yml index e3e4969d..73cc72f4 100644 --- a/roles/falcon_configure/tasks/configure.yml +++ b/roles/falcon_configure/tasks/configure.yml 
@@ -47,13 +47,23 @@ - falconctl_result.changed # noqa no-handler - - name: CrowdStrike Falcon | Remove Falcon Agent ID (AID) If Building A Primary Image + # Handle Master Image steps + - name: CrowdStrike Falcon | Master Image Prep | Removing AID crowdstrike.falcon.falconctl: aid: yes state: absent when: - falcon_remove_aid + - name: CrowdStrike Falcon | Master Image Prep | Set Provisioning Token (if applicable) + crowdstrike.falcon.falconctl: + cid: "{{ options.cid }}" + provisioning_token: "{{ options.provisioning_token }}" + state: present + when: + - falcon_remove_aid + - options.provisioning_token + # Start of MacOSX Configuration - name: CrowdStrike Falcon | Stat Falcon Sensor (macOS) ansible.builtin.stat: diff --git a/roles/falcon_configure/tasks/remove_aid.yml b/roles/falcon_configure/tasks/remove_aid.yml index 2b3e1ff9..8308d32d 100644 --- a/roles/falcon_configure/tasks/remove_aid.yml +++ b/roles/falcon_configure/tasks/remove_aid.yml @@ -1,5 +1,5 @@ --- -- name: CrowdStrike Falcon | Remove Falcon Agent ID (AID) If Building A Primary Image +- name: CrowdStrike Falcon | Remove Falcon Agent ID (AID) crowdstrike.falcon.falconctl: aid: yes state: absent From 57f6eacf7a30ccd93267436ef1d903952b7b46e5 Mon Sep 17 00:00:00 2001 From: Carlos Matos Date: Wed, 7 Aug 2024 15:40:44 -0400 Subject: [PATCH 2/7] ci: update to use prov token for env --- .github/workflows/falcon_configure_remove_aid.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/falcon_configure_remove_aid.yml b/.github/workflows/falcon_configure_remove_aid.yml index 612095ff..f129b3e1 100644 --- a/.github/workflows/falcon_configure_remove_aid.yml +++ b/.github/workflows/falcon_configure_remove_aid.yml 
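Review bot: The last `when` entry of the new "Set Provisioning Token" task in roles/falcon_configure/tasks/configure.yml, `- options.provisioning_token`, is a raw string value rather than a boolean test. The task is therefore gated on string truthiness, and it assumes `options` always carries that key; `options` is defined outside this hunk, so that cannot be confirmed here. An explicit test such as `- options.provisioning_token | default('', true) | length > 0` states the intent and tolerates a missing or null value. The `# Handle Master Image steps` comment also does not say why the CID and token are applied again after the AID is removed, so a one-line comment giving that reason would help whoever maintains the image-prep path.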
@@ -27,6 +27,7 @@ jobs: ANSIBLE_FORCE_COLOR: 1 FALCON_CLIENT_ID: ${{ secrets.FALCON_CLIENT_ID }} FALCON_CLIENT_SECRET: ${{ secrets.FALCON_CLIENT_SECRET }} + FALCON_PROV_TOKEN: ${{ secrets.FALCON_PROV_TOKEN }} FALCON_CID: ${{ secrets.FALCON_CID }} AWS_REGION: "us-west-2" MOLECULE_VPC_SUBNET_ID: ${{ secrets.MOLECULE_VPC_SUBNET_ID }} From 167e6ab205e04666fc6c8be5f2d94fb6bd9072df Mon Sep 17 00:00:00 2001 From: Carlos Matos Date: Wed, 7 Aug 2024 19:53:30 -0400 Subject: [PATCH 3/7] fix(falconctl): add ability to query provisioning_token --- plugins/module_utils/falconctl_utils.py | 2 +- plugins/modules/falconctl_info.py | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/plugins/module_utils/falconctl_utils.py b/plugins/module_utils/falconctl_utils.py index 82cacbc2..5b75b5e1 100644 --- a/plugins/module_utils/falconctl_utils.py +++ b/plugins/module_utils/falconctl_utils.py @@ -29,7 +29,7 @@ "message_log", "billing", "tags", - # 'provisioning_token', # Taking it out since this does not seem to be a perm option + 'provisioning_token', "version", "rfm_state", "rfm_reason", diff --git a/plugins/modules/falconctl_info.py b/plugins/modules/falconctl_info.py index b9eb5b90..9e17c086 100644 --- a/plugins/modules/falconctl_info.py +++ b/plugins/modules/falconctl_info.py @@ -38,6 +38,7 @@ 'message_log', 'billing', 'tags', + 'provisioning_token', 'version', 'rfm_state', 'rfm_reason', From 2915067d2be04a41699c39f17642f78845af4766 Mon Sep 17 00:00:00 2001 From: Carlos Matos Date: Wed, 7 Aug 2024 19:53:59 -0400 Subject: [PATCH 4/7] ci: ensure we wait for new aid to generate in verify --- molecule/falcon_configure_remove_aid/verify.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/molecule/falcon_configure_remove_aid/verify.yml b/molecule/falcon_configure_remove_aid/verify.yml index 0b31362e..977667de 100644 --- a/molecule/falcon_configure_remove_aid/verify.yml +++ b/molecule/falcon_configure_remove_aid/verify.yml 
@@ -13,6 +13,7 @@ ansible.builtin.assert: that: - info_verify.falconctl_info.cid + - info_verify.falconctl_info.provisioning_token - info_verify.falconctl_info.tags - name: Verify AID is not present @@ -23,6 +24,16 @@ - name: Reboot system to force AID generation ansible.builtin.reboot: + # Wait for aid to be generated + - name: Wait for Falcon Sensor to Generate AID + crowdstrike.falcon.falconctl_info: + name: + - aid + register: aid_info + retries: 6 + delay: 10 + until: aid_info.falconctl_info.aid + - name: Get new list of Falcon Sensor Options crowdstrike.falcon.falconctl_info: register: new_info_verify @@ -32,6 +43,11 @@ that: - new_info_verify.falconctl_info.aid + - name: Validate Provisioning Token is not present + ansible.builtin.assert: + that: + - not new_info_verify.falconctl_info.provisioning_token + - name: Validate CID and Tags are still present ansible.builtin.assert: that: From ce00984af8d4d687ae7be25955989460e43cd934 Mon Sep 17 00:00:00 2001 From: Carlos Matos Date: Thu, 8 Aug 2024 10:31:27 -0400 Subject: [PATCH 5/7] chore: add changelog fragment --- changelogs/fragments/master-image-update.yml | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 changelogs/fragments/master-image-update.yml diff --git a/changelogs/fragments/master-image-update.yml b/changelogs/fragments/master-image-update.yml new file mode 100644 index 00000000..0c0cf9e5 --- /dev/null +++ b/changelogs/fragments/master-image-update.yml @@ -0,0 +1,3 @@ +bugfixes: +- falcon_configure - fixed issue with master image and provisioning tokens (https://github.com/CrowdStrike/ansible_collection_falcon/pull/546) +- falconct_info - added support for querying provisioning tokens (https://github.com/CrowdStrike/ansible_collection_falcon/pull/546) From 12b90d5ecfb0bd72b871f659bd4228a05c2d01a1 Mon Sep 17 00:00:00 2001 
From: Carlos Matos Date: Thu, 8 Aug 2024 14:53:45 -0400 Subject: [PATCH 6/7] chore(falconctl): remove provisioning_token, not needed After testing some more, realized that the reason we didn't get this option is because it doesn't make sense due to the way it behaves. --- molecule/falcon_configure_remove_aid/molecule.yml | 1 + molecule/falcon_configure_remove_aid/verify.yml | 6 ------ plugins/module_utils/falconctl_utils.py | 1 - plugins/modules/falconctl.py | 2 +- plugins/modules/falconctl_info.py | 1 - 5 files changed, 2 insertions(+), 9 deletions(-) diff --git a/molecule/falcon_configure_remove_aid/molecule.yml b/molecule/falcon_configure_remove_aid/molecule.yml index e7b2d172..72f1b485 100644 --- a/molecule/falcon_configure_remove_aid/molecule.yml +++ b/molecule/falcon_configure_remove_aid/molecule.yml @@ -29,5 +29,6 @@ scenario: - create - prepare - converge + - idempotence - verify - destroy diff --git a/molecule/falcon_configure_remove_aid/verify.yml b/molecule/falcon_configure_remove_aid/verify.yml index 977667de..8284ea6c 100644 --- a/molecule/falcon_configure_remove_aid/verify.yml +++ b/molecule/falcon_configure_remove_aid/verify.yml @@ -13,7 +13,6 @@ ansible.builtin.assert: that: - info_verify.falconctl_info.cid - - info_verify.falconctl_info.provisioning_token - info_verify.falconctl_info.tags - name: Verify AID is not present @@ -43,11 +42,6 @@ that: - new_info_verify.falconctl_info.aid - - name: Validate Provisioning Token is not present - ansible.builtin.assert: - that: - - not new_info_verify.falconctl_info.provisioning_token - - name: Validate CID and Tags are still present ansible.builtin.assert: that: diff --git a/plugins/module_utils/falconctl_utils.py b/plugins/module_utils/falconctl_utils.py index 5b75b5e1..0940fbc9 100644 --- a/plugins/module_utils/falconctl_utils.py +++ b/plugins/module_utils/falconctl_utils.py @@ -29,7 +29,6 @@ "message_log", "billing", "tags", - 'provisioning_token', "version", "rfm_state", "rfm_reason", 
diff --git a/plugins/modules/falconctl.py b/plugins/modules/falconctl.py index 392f01be..2cd46b61 100644 --- a/plugins/modules/falconctl.py +++ b/plugins/modules/falconctl.py @@ -351,7 +351,7 @@ def main(): # pylint: disable=missing-function-docstring module_args = dict( state=dict(required=True, choices=["absent", "present"], type="str"), cid=dict(required=False, type="str"), - provisioning_token=dict(required=False, no_log=True, type="str"), + provisioning_token=dict(required=False, type="str"), aid=dict(required=False, type="bool"), apd=dict(required=False, type="str"), aph=dict(required=False, type="str"), diff --git a/plugins/modules/falconctl_info.py b/plugins/modules/falconctl_info.py index 9e17c086..b9eb5b90 100644 --- a/plugins/modules/falconctl_info.py +++ b/plugins/modules/falconctl_info.py @@ -38,7 +38,6 @@ 'message_log', 'billing', 'tags', - 'provisioning_token', 'version', 'rfm_state', 'rfm_reason', From 2ac6bf85178601d463f95bb5dd8e889899e30143 Mon Sep 17 00:00:00 2001 From: Carlos Matos Date: Thu, 8 Aug 2024 14:58:13 -0400 Subject: [PATCH 7/7] lint: fix no-log for prov token --- plugins/modules/falconctl.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/modules/falconctl.py b/plugins/modules/falconctl.py index 2cd46b61..57d89654 100644 --- a/plugins/modules/falconctl.py +++ b/plugins/modules/falconctl.py @@ -351,7 +351,7 @@ def main(): # pylint: disable=missing-function-docstring module_args = dict( state=dict(required=True, choices=["absent", "present"], type="str"), cid=dict(required=False, type="str"), - provisioning_token=dict(required=False, type="str"), + provisioning_token=dict(required=False, no_log=False, type="str"), aid=dict(required=False, type="bool"), apd=dict(required=False, type="str"), aph=dict(required=False, type="str"),
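Review bot: `provisioning_token` ends this series declared as `provisioning_token=dict(required=False, no_log=False, type="str")` in `module_args` of plugins/modules/falconctl.py, which turns off Ansible's masking for a value the role's defaults file describes as the control that keeps unauthorized hosts out of the CID. PATCH 6/7 drops `no_log=True` and PATCH 7/7 adds `no_log=False`, which silences the lint finding rather than protecting the value, so the token can appear in the module's invocation record and in any verbose or callback output of the run. The commit messages give no reason why masking had to go; unless it broke something not shown here, restore `provisioning_token=dict(required=False, no_log=True, type="str")`. If it must stay off, put `no_log: true` on the calling task "Set Provisioning Token" in roles/falcon_configure/tasks/configure.yml. `main()` continues outside both hunks.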