{"id":19963753,"url":"https://github.com/cyberark/pas-orchestrator","last_synced_at":"2025-05-03T22:33:04.066Z","repository":{"id":46814912,"uuid":"158565938","full_name":"cyberark/pas-orchestrator","owner":"cyberark","description":"CyberArk Privileged Access Security automatic deployment using Ansible","archived":false,"fork":false,"pushed_at":"2023-08-01T23:02:18.000Z","size":336,"stargazers_count":37,"open_issues_count":19,"forks_count":18,"subscribers_count":13,"default_branch":"master","last_synced_at":"2024-06-12T04:52:49.735Z","etag":null,"topics":["ansible","ansible-playbook","core-pas","cyberark","security"],"latest_commit_sha":null,"homepage":"https://www.cyberark.com/products/privileged-account-security-solution/core-privileged-account-security/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cyberark.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-11-21T15:07:03.000Z","updated_at":"2024-05-02T12:27:34.000Z","dependencies_parsed_at":"2023-01-30T22:15:36.421Z","dependency_job_id":null,"html_url":"https://github.com/cyberark/pas-orchestrator","commit_stats":null,"previous_names":[],"tags_count":15,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2Fpas-orchestrator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2Fpas-orchestrator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2Fpas-orchestrator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2Fpas-orchestrator/manifests","owner_url":"
https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cyberark","download_url":"https://codeload.github.com/cyberark/pas-orchestrator/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224374775,"owners_count":17300714,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","ansible-playbook","core-pas","cyberark","security"],"created_at":"2024-11-13T02:17:18.599Z","updated_at":"2024-11-13T02:17:19.479Z","avatar_url":"https://github.com/cyberark.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# PAS-Orchestrator\n\nIn today’s modern infrastructure, organizations are moving towards hybrid environments, which consist of multiple public clouds, private clouds and on-premises platforms.\n\nCyberArk has created a tailored installation and deployment method for each platform to enable easy implementation. For example, CloudFormation templates enable easy deployment on AWS, while Azure Resource Manager (ARM) templates enable easy deployment on Azure. However, it is difficult to combine the different methods to orchestrate and automate a hybrid deployment.\n\n
PAS Orchestrator is a set of Ansible roles which provides a holistic solution for deploying CyberArk Core PAS components simultaneously in multiple environments, regardless of the environment’s location.\n\nThe Ansible roles are responsible for the entire deployment process, and can be integrated with the organization’s CI/CD pipeline.\n\nEach PAS component’s Ansible role is responsible for the component's end-to-end deployment, which includes the following stages for each component:\n- Copying the installation package to the target server\n- Installing prerequisites\n- Silent installation of the component\n- Post-installation procedure and hardening\n- Registration in the Vault\n\nAnsible roles for PVWA, CPM and PSM can be found at the following links:\n- PSM: [https://github.com/cyberark/psm](https://github.com/cyberark/psm)\n- CPM: [https://github.com/cyberark/cpm](https://github.com/cyberark/cpm)\n- PVWA: [https://github.com/cyberark/pvwa](https://github.com/cyberark/pvwa)\n\nThe PAS Orchestrator role is an example of how to use the component roles, demonstrating parallel installation on multiple remote servers.\n\n
## Requirements\n\n- IP addresses / hostnames to execute the playbook against, with Windows 2016 installed on the remote hosts\n- WinRM (HTTPS) open on port 5986 (**not 5985**) on the remote host\n- Pywinrm is installed on the workstation running the playbook\n- The workstation running the playbook must have network connectivity to the remote host\n- The remote host must have network connectivity to the CyberArk Vault and the repository server\n  - port 443 outbound\n  - port 443 outbound (for PVWA only)\n  - port 1858 outbound\n- Administrator access to the remote host\n- CyberArk components CD image on the workstation running the playbook\n\n## Environment setup\n\n- Get the PAS Orchestrator playbook\n    ```\n    git clone https://github.com/cyberark/pas-orchestrator.git\n    cd pas-orchestrator\n    ```\n- Install Python requirements\n    ```\n    pip install -r requirements.txt\n    ```\n- Get the component roles\n    ```\n    ansible-galaxy install --roles-path ./roles --role-file requirements.yml\n    ```\n- Update the inventories hosts file with the remote hosts' IPs\n\n
## Role Variables\n\nThese are the variables used in this playbook.\n\n**Deployment Variables**\n\n| Variable           | Required | Default           | Comments                               |\n|--------------------|----------|-------------------|----------------------------------------|\n| vault_ip           | yes      | None              | Vault IP to perform registration       |\n| dr_vault_ip        | no       | None              | DR Vault IP to perform registration    |\n| vault_port         | no       | 1858              | Vault port                             |\n| vault_username     | no       | \"administrator\"   | Vault username to perform registration |\n| vault_password     | yes      | None              | Vault password to perform registration |\n| accept_eula        | yes      | \"No\"              | Accepting the EULA condition           |\n| cpm_zip_file_path  | yes      | None              | Path to zipped CPM image               |\n| pvwa_zip_file_path | yes      | None              | Path to zipped PVWA image              |\n| psm_zip_file_path  | yes      | None              | Path to zipped PSM image               |\n| cpm_username       | no       | \"PasswordManager\" | Vault component's username             |\n\nVariables related to the components can be found in the component READMEs.\n\n
## Usage\n\nThe role consists of two parts; each part runs independently:\n\n**Part 1 - Components Deployment**\n\nThis part triggers the components' main roles; each role triggers its sub-tasks (prerequisites, installation, etc.). By default, all tasks are set to true except registration.\nThis process executes tasks on all hosts in parallel, reducing deployment time.\n\n**IMPORTANT:** Component registration should always be set to false in this phase.\n\n**Part 2 - Components Registration**\n\nThis part executes the registration process of the components: all the previous tasks are set to false and only registration is enabled.\nThis process registers each component in serial.\n\n
## Inventory\n\nPrior to running pas-orchestrator, the hosts file ([inventories/production/hosts](https://github.com/cyberark/pas-orchestrator/blob/master/inventories/production/hosts)) should be updated with the relevant hosts data.\n\n    # file: production\n    # TODO: Add description how to add hosts\n\n    [pvwa]\n    # Add here list of hosts or ip addresses of pvwa dedicated machines\n    # pvwa01.example.com\n    # pvwa02.example.com\n    10.2.0.155\n\n\n    [cpm]\n    # Add here list of hosts or ip addresses of cpm dedicated machines\n    # cpm01.example.com\n    # cpm02.example.com\n    10.2.0.155\n    # Add cpm with custom component user name (default is PasswordManager)\n    10.2.0.156 cpm_username=LinuxManager\n\n    [psm]\n    # Add here list of hosts or ip addresses of psm dedicated machines\n    # psm01.example.com\n    # psm02.example.com\n    10.2.0.155\n\n\n    [psmp]\n    # Add here list of hosts or ip addresses of psmp dedicated machines\n    # psmp01.example.com\n    # psmp02.example.com\n\n\n    # DO NOT EDIT BELOW!!!\n    [windows:children]\n    pvwa\n    cpm\n    psm\n\n
## Pulling a specific version example\n\n    git clone -b v12.0 -s https://github.com/cyberark/pas-orchestrator.git\n\nNote: using `-s` saves about 10M of disk space and doesn’t download the unnecessary files.\n\n## Running the playbook\n\nTo run the playbook, execute the following example command:\n\n    ansible-playbook -i ./inventories/production pas-orchestrator.yml -e \"vault_ip=VAULT_IP ansible_user=DOMAIN\\USER cpm_zip_file_path=/tmp/pas_packages/cpm.zip pvwa_zip_file_path=/tmp/pas_packages/pvwa.zip psm_zip_file_path=/tmp/pas_packages/psm.zip  connect_with_rdp=Yes accept_eula=Yes\"\n\nCommand example for an out-of-domain, no-hardening deployment on drive D with a custom component username for CPM:\n\n    ansible-playbook -i ./inventories/production pas-orchestrator.yml -e \"vault_ip=VAULT_IP ansible_user=DOMAIN\\USER cpm_zip_file_path=/tmp/pas_packages/cpm.zip pvwa_zip_file_path=/tmp/pas_packages/pvwa.zip psm_zip_file_path=/tmp/pas_packages/psm.zip {psm_out_of_domain:true} connect_with_rdp=Yes accept_eula=Yes psm_installation_drive=D: cpm_installation_drive=D: pvwa_installation_drive=D: {psm_hardening:false} {cpm_hardening:false} {pvwa_hardening:false} cpm_username=WinManager\"\n\n*Vault and remote host passwords are entered via prompt.*\n\n
## Troubleshooting\n\nIn case of a failure, a Log folder will be created on the Ansible workstation with the relevant logs copied from the remote host machine.\nThe logs are available under pas-orchestrator/tasks/logs.\n\n## Idempotence\n\nEvery stage in the roles contains validation and can be run multiple times without error, both after a successful run and after any Ansible-related error. This does not apply to a component installation error, for which in some cases a second execution will not assist in recovery and there might be leftover artifacts (e.g. app users in the Vault).\n\n## Limitations\n- Only a single component per server is supported\n- There is a checksum verification of the CD image zip file; it must be the original CyberArk release\n\n## License\n\nApache License, Version 2.0\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyberark%2Fpas-orchestrator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcyberark%2Fpas-orchestrator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyberark%2Fpas-orchestrator/lists"}