Updated sed tpm vars and play logic

dhananjay-s10 · dhananjay-s10 · commit f98ad6678ab6 · 2025-09-26T10:38:33.000+05:30
Signed-off-by: Dhananjay Sonawane &lt;dhananjay.sonawane1@ibm.com&gt;
diff --git a/.ansible/.lock b/.ansible/.lock
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -0,0 +1,3 @@
+{
+    "ansible.python.interpreterPath": "/Users/dhananjay/.pyenv/versions/3.11.8/bin/python"
+}
diff --git a/roles/sed_configure/README.md b/roles/sed_configure/README.md
@@ -4,7 +4,7 @@ Role Definition
 - Definition:
   - The self-encrypting drives (SED) support protects data at rest on IBM Storage Scale System drives.
   - TPM is a specialized hardware security chip that provides secure cryptographic functions.
-  - mmvdisk tpm , esstpm and esstpm key provides options to setup the tpm ,generate keys, enroll drives with the generated keys in the IBM Storage Scale cluster.
+  - mmvdisk tpm , esstpm and esstpmkey provides options to setup the tpm ,generate keys, enroll drives with the generated keys in the IBM Storage Scale cluster.
   - These operations are performed on the I/O nodes and the keys generated are also backed up on the utility node.  
 
 
diff --git a/roles/sed_configure/defaults/main.yml b/roles/sed_configure/defaults/main.yml
@@ -3,13 +3,18 @@ new_tpm_password_file: "/path/to/newpassword.txt"
 disable_clear: true
 change_password: false
 nv_slot_id: "0x01500000"
-nv_slot_count: 2
+nv_slot_count: 4
 recovery_group: "RecoveryGroupName"
 enroll_drive: true
 rekey_drive: false
 generate: true
 migrate: true
 backup_key: true
-restore_key: true
-
-
+restore_key: false
+io_nodes:
+    - ionode1
+    - ionode2
+utility_nodes:
+    - utilitynode
+emsvm:
+    - emsvmnode
diff --git a/roles/sed_configure/meta/main.yml b/roles/sed_configure/meta/main.yml
@@ -11,9 +11,8 @@ galaxy_info:
   platforms:
     - name: EL
       versions:
-        - 7
-        - 8
+        - 9
 
   galaxy_tags: []
 
-dependencies:
+dependencies: []
diff --git a/roles/sed_configure/tasks/check_prereq.yml b/roles/sed_configure/tasks/check_prereq.yml
@@ -1,53 +1,50 @@
---- 
-    - block: 
-         # Check the OpenSSL version and fail if the version is < 3
-        - name: Check OpenSSL version
-          command: openssl version
-          register: openssl_version_output
-          changed_when: false
-          failed_when: openssl_version_output.stdout | regex_search('OpenSSL\s([0-2]\\.[0-9]+)')
-
-        - debug:
-            msg: "{{(openssl_version_output.rc == 0) | ternary(openssl_version_output.stdout.split('\n'),  openssl_version_output.stderr.split('\n')) }}"
-
-        # Check the OS version and fail if the version is < RHEL 9
-        - name: Check OS version
-          command: cat /etc/redhat-release
-          register: os_version_output
-          changed_when: false
-          failed_when: os_version_output.stdout | regex_search('release\s([0-8])')
-
-        - debug:
-            msg: "{{(os_version_output.rc == 0) | ternary(os_version_output.stdout.split('\n'),  os_version_output.stderr.split('\n')) }}"
-      when: inventory_hostname == 'localhost' or inventory_hostname in scale_io_nodes_list
- 
-    - block:
-        - name: Check TPM presence
-          stat:
-            path: /dev/tpm0
-          register: tpm_device
-      
-        - debug:
-              msg: "TPM device present"
-          when: tpm_device.stat.exists
-
-        - fail:
-            msg: "TPM is not enabled in BIOS. Please enable it manually before proceeding."
-          when: not tpm_device.stat.exists
-
-        - name: Check if tpm2-tools is installed
-          command: rpm -q tpm2-tools
-          register: tpm2_tools_check
-          ignore_errors: true
-          changed_when: false
-
-        - name: Install tpm2-tools if not present
-          yum:
-            name: tpm2-tools
-            state: present
-          when: tpm2_tools_check.rc != 0
-      when: inventory_hostname in scale_io_nodes_list
-
-
-
-
+---
+- block:
+      # Check the OpenSSL version and fail if the version is < 3
+    - name: Check OpenSSL version
+      command: openssl version
+      register: openssl_version_output
+      changed_when: false
+      failed_when: openssl_version_output.stdout | regex_search('OpenSSL\s([0-2]\\.[0-9]+)')
+
+    - debug:
+        msg: "{{(openssl_version_output.rc == 0) | ternary(openssl_version_output.stdout.split('\n'),  openssl_version_output.stderr.split('\n')) }}"
+
+    # Check the OS version and fail if the version is < RHEL 9
+    - name: Check OS version
+      command: cat /etc/redhat-release
+      register: os_version_output
+      changed_when: false
+      failed_when: os_version_output.stdout | regex_search('release\s([0-8])')
+
+    - debug:
+        msg: "{{(os_version_output.rc == 0) | ternary(os_version_output.stdout.split('\n'),  os_version_output.stderr.split('\n')) }}"
+  delegate_to: "{{ item }}"
+
+- block:
+    - name: Check TPM presence
+      stat:
+        path: /dev/tpm0
+      register: tpm_device
+
+    - debug:
+          msg: "TPM device present"
+      when: tpm_device.stat.exists
+
+    - fail:
+        msg: "TPM is not enabled in BIOS. Please enable it manually before proceeding."
+      when: not tpm_device.stat.exists
+
+    - name: Check if tpm2-tools is installed
+      command: rpm -q tpm2-tools
+      register: tpm2_tools_check
+      ignore_errors: true
+      changed_when: false
+
+    - name: Install tpm2-tools if not present
+      yum:
+        name: tpm2-tools
+        state: present
+      when: tpm2_tools_check.rc != 0
+  delegate_to: "{{ item }}"
+  when: item in io_nodes
diff --git a/roles/sed_configure/tasks/create_nv_slot.yml b/roles/sed_configure/tasks/create_nv_slot.yml
@@ -1,5 +1,5 @@
 ---
-- block: 
+- block:
     # Creation of NV slots on IO nodes
     - name: Create NV slots
       command: mmvdisk tpm createSlots --number-of-slots {{ nv_slot_count }} --nv-slot-id {{ nv_slot_id }} --password-file {{ tpm_password_file }}
@@ -8,9 +8,10 @@
 
     - debug:
         msg: "{{(nv_slot_creation_io.rc == 0) |  ternary(nv_slot_creation_io.stdout.split('\n'), nv_slot_creation_io.stderr.split('\n')) }}"
-  when: inventory_hostname in hostvars[groups['emsvm'][0]]['scale_io_nodes_list']
-  
-- block: 
+  delegate_to: "{{ item }}"
+  when: item in io_nodes
+
+- block:
     # Creation of NV slots on utility nodes
     - name: Create NV slots on utility node
       command: /opt/ibm/ess/tools/bin/.TPM/./esstpm createslot --nv-slot-id {{nv_slot_id}} --password-file {{ tpm_password_file }}
@@ -19,4 +20,5 @@
 
     - debug:
         msg: "{{(nv_slot_creation_utility.rc == 0) |  ternary(nv_slot_creation_utility.stdout.split('\n'), nv_slot_creation_utility.stderr.split('\n')) }}"
-  when: inventory_hostname in hostvars[groups['emsvm'][0]]['scale_utility_nodes_list']
+  delegate_to: "{{ item }}"
+  when: item in utility_nodes
diff --git a/roles/sed_configure/tasks/enroll_sed_drive.yml b/roles/sed_configure/tasks/enroll_sed_drive.yml
@@ -2,23 +2,25 @@
 - block:
     # Enrolling the SED with the generated TPM key 
     - name: Enroll drives with TPM key
-      command: mmvdisk sed enroll --recovery-group {{ recovery_group }} --tpm-slot-id {{ nv_slot_id }}
+      command: mmvdisk sed enroll --recovery-group {{ recovery_group }} --tpm-slot-id {{ nv_slot_id }} --confirm
       register: drive_enrollment
 
     - debug:
         msg: "{{(drive_enrollment.rc == 0) |  ternary(drive_enrollment.stdout.split('\n'), drive_enrollment.stderr.split('\n')) }}"
       failed_when: drive_enrollment.rc != 0
-  when: enroll_drive and inventory_hostname in hostvars[groups['emsvm'][0]]['scale_io_nodes_list']
+  delegate_to: "{{ item }}"
   run_once: true
+  when: enroll_drive
 
 - block:
       # Rekeying the SED with the a new TPM key 
       - name: Rekey drives with new TPM key
-        command: mmvdisk sed rekey --recovery-group {{ recovery_group }} --tpm-slot-id {{ nv_slot_id }}
+        command: mmvdisk sed rekey --recovery-group {{ recovery_group }} --tpm-slot-id {{ nv_slot_id }} --confirm
         register: drive_rekey
       
       - debug:
           msg: "{{(drive_rekey.rc == 0) |  ternary(drive_rekey.stdout.split('\n'), drive_rekey.stderr.split('\n')) }}"
         failed_when: drive_rekey.rc != 0
-  when: rekey_drives and inventory_hostname in hostvars[groups['emsvm'][0]]['scale_io_nodes_list']
-  run_once: true
+  delegate_to: "{{ item }}"
+  run_once: true
+  when: rekey_drive
diff --git a/roles/sed_configure/tasks/generate_tpm_key.yml b/roles/sed_configure/tasks/generate_tpm_key.yml
@@ -1,29 +1,28 @@
 ---
-# Generate only on one node. migrate to others. 
-# Run both commands only on one single io node. 
-
 - block:
-    # Generate a TPM key 
+  #  Generate a TPM key
     - name: Generate TPM key
       command: mmvdisk tpm genkey --nv-slot-id {{ nv_slot_id }} --password-file {{ tpm_password_file }}
       register: tpm_key_generate
-
+        
     - debug:
         msg: "{{(tpm_key_generate.rc == 0) | ternary(tpm_key_generate.stdout.split('\n'),  tpm_key_generate.stderr.split('\n')) }}"
-      failed_when: tpm_key_generate.rc != 0
-  when: generate and inventory_hostname in hostvars[groups['emsvm'][0]]['scale_io_nodes_list']
+        failed_when: tpm_key_generate.rc != 0
+  delegate_to: "{{ item }}"
+  when: generate
   run_once: true
-  
-- block: 
+
+- block:
     # Migrate the generated TPM key to other io nodes
     - name: Migrate TPM key to other nodes
-      command: mmvdisk tpm migratekey --nv-slot-id {{ nv_slot_id }} -s {{ inventory_hostname }} -N {{ target_nodes | join(',') }}
-      vars: 
-          target_nodes: "{{ (hostvars[groups['emsvm'][0]]['scale_io_nodes_list'])[1:]}}"
+      command: mmvdisk tpm migratekey --nv-slot-id {{ nv_slot_id }} -s {{ io_nodes.0 }} -N {{ target_nodes | join(',') }}
+      vars:
+          target_nodes: "{{ io_nodes[1:] }}"
       register: tpm_key_migrate
 
     - debug:
         msg: "{{ (tpm_key_migrate.rc == 0) | ternary(tpm_key_migrate.stdout.split('\n'),tpm_key_migrate.stderr.split('\n')) }}"
       failed_when: tpm_key_migrate.rc != 0
-  when: migrate and inventory_hostname in hostvars[groups['emsvm'][0]]['scale_io_nodes_list']
+  delegate_to: "{{ io_nodes.0 }}"
+  when: migrate
   run_once: true
diff --git a/roles/sed_configure/tasks/main.yml b/roles/sed_configure/tasks/main.yml
@@ -1,21 +1,22 @@
 ---
-- import_tasks: check_prereq.yml
+- include_tasks: check_prereq.yml
   tags: check prerequisites
+  loop: "{{ io_nodes + utility_nodes }}"
   
-- import_tasks: tpm_ownership.yml
+- include_tasks: tpm_ownership.yml
   tags: tpm ownership
+  loop: "{{ io_nodes + utility_nodes }}"
 
-- import_tasks: create_nv_slot.yml
+- include_tasks: create_nv_slot.yml
   tags: create nv slot
+  loop: "{{ io_nodes + utility_nodes }}"
 
-- import_tasks: generate_tpm_key.yml
-  tags: generate tpm key 
+- include_tasks: generate_tpm_key.yml
+  tags: generate tpm key
 
-- import_tasks: enroll_sed_drive.yml
+- include_tasks: enroll_sed_drive.yml
   tags: enroll sed drive
 
-- import_tasks: manage_key.yml
+- include_tasks: manage_key.yml
   tags: restore and backup key
-
-
-
+  loop: "{{ emsvm }}"
diff --git a/roles/sed_configure/tasks/manage_key.yml b/roles/sed_configure/tasks/manage_key.yml
@@ -1,26 +1,25 @@
 ---
 - block:
     - name: Backup TPM key
-      command: /opt/ibm/ess/tools/bin/.TPM/./esstpmkey backup --source-node {{ source_node }} --destination-node {{ dest_node }} --tpm-slot-id {{ nv_slot_id }} --password-file {{ tpm_password_file}}
+      command: /opt/ibm/ess/tools/bin/.TPM/./esstpmkey backup --source-node {{ source_node }} --destination-node {{ dest_node }} --tpm-slot-id {{ nv_slot_id }} --destination-node-password-file {{ tpm_password_file}}
       vars: 
-        source_node: "{{ hostvars[groups['emsvm'][0]]['scale_io_nodes_list'][0] }}"
-        dest_node: "{{ hostvars[groups['emsvm'][0]]['scale_utility_nodes_list'][0] }}"
+        source_node: "{{ io_nodes[0]}}"
+        dest_node: "{{ utility_nodes[0] }}"
       register: backup_key
       when: backup
 
     - debug:
         msg: "{{(backup_key.rc == 0) |  ternary(backup_key.stdout.split('\n'), backup_key.stderr.split('\n')) }}"
 
     - name: Restore TPM key from backup
-      command: /opt/ibm/ess/tools/bin/.TPM/./esstpmkey restore --source-node {{ source_node }} --destination-node {{ dest_node }} --tpm-slot-id {{ nv_slot_id }} --password-file {{ tpm_password_file}}
+      command: /opt/ibm/ess/tools/bin/.TPM/./esstpmkey restore --source-node {{ source_node }} --destination-node {{ dest_node }} --tpm-slot-id {{ nv_slot_id }} --source-node-password-file {{ tpm_password_file}}
       vars: 
-        source_node: "{{hostvars[groups['emsvm'][0]]['scale_utility_nodes_list'][0] }}"
-        dest_node: "{{ hostvars[groups['emsvm'][0]]['scale_io_nodes_list'][0] }}"
+        source_node: "{{ utility_nodes[0] }}"
+        dest_node: "{{ io_nodes[0] }}"
       register: restore_key
       when: restore
 
     - debug:
         msg: "{{(restore_key.rc == 0) |  ternary(restore_key.stdout.split('\n'), restore_key.stderr.split('\n')) }}"
-  when: inventory_hostname in scale_ems_vm_nodes_list
-
-
+  delegate_to: "{{ item }}"
+  run_once: true
diff --git a/roles/sed_configure/tasks/tpm_ownership.yml b/roles/sed_configure/tasks/tpm_ownership.yml
diff --git a/samples/playbook_sed_tpm.yml b/samples/playbook_sed_tpm.yml
diff --git a/samples/vars/sed_tpm_vars.yml b/samples/vars/sed_tpm_vars.yml

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+{`
	`2`	`+ "ansible.python.interpreterPath": "/Users/dhananjay/.pyenv/versions/3.11.8/bin/python"`
	`3`	`+}`