Merge pull request #74 from threatstack/disable-service-flag

olhado · web-flow · commit e13efe32a502 · 2020-11-20T13:38:20.000-05:00
Add flag to explicitly disable the threatstack service.
diff --git a/README.md b/README.md
@@ -22,20 +22,21 @@ Role Variables
 --------------
 The following variables are available for override.
 
-| Variable                      | Type    | Default                     | Required  | Description                                                                                                                                       |
-|-------------------------------|---------|-----------------------------|-----------|---------------------------------------------------------------------------------------------------------------------------------------------------|
-| threatstack_deploy_key        | String  |                             | Yes       | Your TS deploy key.                                                                                                                               |
-| threatstack_feature_plan      | String  |                             | Yes if 1x | (Agent 1.x only) TS Feature Plan. "i" for investigate/"m" for montior.                                                                            |
-| threatstack_ruleset           | Array   | ["Base Rule Set"]           |           | Array of rulesets to apply to hosts.                                                                                                              |
-| threatstack_pkg_url           | String  | Depends on version          |           | Location of package repo. Only change if you mirror your own.                                                                                     |
-| threatstack_pkg               | String  | threatstack-agent           |           | Name of package. Specify package version using `"threatstack-agent=X.Y.Z"` (Debian/Ubuntu) or `"threatstack-agent-X.Y.Z"` (RedHat/CentOS/Amazon). |
-| threatstack_pkg_version       | String  |                             |           | If defined, pins specific threatstack package version
+| Variable                          | Type    | Default                     | Required  | Description                                                                                                                                       |
+|-----------------------------------|---------|-----------------------------|-----------|---------------------------------------------------------------------------------------------------------------------------------------------------|
+| threatstack_deploy_key            | String  |                             | Yes       | Your TS deploy key.                                                                                                                               |
+| threatstack_feature_plan          | String  |                             | Yes if 1x | (Agent 1.x only) TS Feature Plan. "i" for investigate/"m" for montior.                                                                            |
+| threatstack_ruleset               | Array   | ["Base Rule Set"]           |           | Array of rulesets to apply to hosts.                                                                                                              |
+| threatstack_pkg_url               | String  | Depends on version          |           | Location of package repo. Only change if you mirror your own.                                                                                     |
+| threatstack_pkg                   | String  | threatstack-agent           |           | Name of package. Specify package version using `"threatstack-agent=X.Y.Z"` (Debian/Ubuntu) or `"threatstack-agent-X.Y.Z"` (RedHat/CentOS/Amazon). |
+| threatstack_pkg_version           | String  |                             |           | If defined, pins specific threatstack package version
 | threatstack_pkg_validate      | Boolean | yes                         |           | Should packages be validated? We default to yes, but if you repackage anything you may need to change this.                                       |
-| threatstack_url               | String  | https://app.threatstack.com |           | The URL endpoint for Threat Stack. This should not change.                                                                                        |
-| threatstack_hostname          | String  |                             |           | The display hostname in the Threat Stack UI. Defaults to hostname.                                                                                |
-| threatstack_configure_agent   | Boolean | true                        |           | Set to false to not configure the host, just install the package.                                                                                 |
-| threatstack_agent_extra_args  | String  |                             |           | Pass optional arguments during agent registration.                                                                                                |
-| threatstack_agent_config_args | String  |                             |           | Pass optional configuration arguments after agent registration.                                                                                   |
+| threatstack_url                   | String  | https://app.threatstack.com |           | The URL endpoint for Threat Stack. This should not change.                                                                                        |
+| threatstack_hostname              | String  |                             |           | The display hostname in the Threat Stack UI. Defaults to hostname.                                                                                |
+| threatstack_configure_agent       | Boolean | true                        |           | Set to false to not configure the host, just install the package.                                                                                 |
+| threatstack_agent_extra_args      | String  |                             |           | Pass optional arguments during agent registration.                                                                                                |
+| threatstack_agent_config_args     | String  |                             |           | Pass optional configuration arguments after agent registration.                                                                                   |
+| threatstack_agent_disable_service | Boolean  | false                       |           | Make sure agent service is disabled and not running after installation                                                                         |
 
 Install
 ----------------
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -15,6 +15,7 @@ threatstack_config: "{{ threatstack_config_dir }}/tsconfig.json"
 threatstack_configure_agent: true
 threatstack_agent_extra_args:
 threatstack_agent_config_args:
+threatstack_agent_disable_service: false
 
 # Set according to feature plan. https://www.threatstack.com/plans
 # * agent_type="i" - Investigate, Legacy (Basic, Pro, Advanced)
diff --git a/tasks/apt_install.yml b/tasks/apt_install.yml
@@ -37,4 +37,13 @@
   apt:
     name: "{{ threatstack_pkg }}={{threatstack_pkg_version}}"
     state: "{{ threatstack_pkg_state }}"
-  when: threatstack_pkg_version is defined 
+  when: threatstack_pkg_version is defined
+
+- name: Stop and disable ThreatStack if not configured
+  become: yes
+  service:
+    name: threatstack
+    state: stopped
+    enabled: no
+  when:
+    - threatstack_agent_disable_service | bool
diff --git a/tasks/facts.yml b/tasks/facts.yml
@@ -5,7 +5,7 @@
 
 - name: Define v1 variable
   set_fact:
-    threatstack_v1: "{{ threatstack_v1_string != '' }}"
+    threatstack_v1: "{{ (threatstack_v1_string != '') | bool }}"
 
 - name: Ensure agent_type is defined
   fail:
diff --git a/tasks/tsagent_setup.yml b/tasks/tsagent_setup.yml
@@ -70,7 +70,7 @@
 
 - name: Restart tsagent
   service: name=threatstack state=restarted
-  when: setup_file.changed or config_file.changed
+  when: (setup_file.changed or config_file.changed) and not threatstack_agent_disable_service | bool
 
 - name: Wait 5 seconds
   pause:
@@ -93,3 +93,4 @@
     name: threatstack
     state: started
     enabled: yes
+  when: not threatstack_agent_disable_service | bool
diff --git a/tasks/yum_install.yml b/tasks/yum_install.yml
@@ -32,4 +32,13 @@
     name: "{{ threatstack_pkg }}-{{threatstack_pkg_version}}"
     state: "{{ threatstack_pkg_state }}"
     update_cache: yes
-  when: threatstack_pkg_version is defined 
+  when: threatstack_pkg_version is defined
+
+- name: Stop and disable ThreatStack if not configured
+  become: yes
+  service:
+    name: threatstack
+    state: stopped
+    enabled: no
+  when:
+    - threatstack_agent_disable_service | bool
