This addresses #38

This change will make it possible to break out the passwords to an external file that can be easily encrypted, and is broken up into a GI part & a DB part.

GI:
- default_gipass: This will be the default password if either of the 2 following are not defined
- sysasmpassword: Password for the sysasm user
- asmmonitorpassword:  Password for the asmsnmp account

DB:
- default_dbpass: This will be the default/fallback password if DB specific passwords are not defined

The following is the password lookup-structure that can be defined per database:
dbpasswords:
       db1:                    <- This defines the passwords for the db1 database. If omitted all passwords falls back to default_dbpass
         sys: Oracle_456
         system: Oracle_456
         dbsnmp: Oracle_456
         pdbadmin: Oracle_456
       db2:                    <- This defines the passwords for the db2 database. If omitted all passwords falls back to default_dbpass
         sys: Oracle_789
         system: Oracle_789
         dbsnmp: Oracle_789
         pdbadmin: Oracle_789

As an interim solution to provide some backwards compatibility, the default passwords: default_dbpass & default_gipass, will look for the
passwords in the old structure and use that (if they are defined).

default_gipass: "{% if oracle_password is defined %}{{ oracle_password }}{% else %}Oracle123{% endif%}"
sysasmpassword: "{% if oracle_password is defined %}{{ oracle_password }}{% else %}Oracle123{% endif%}"
asmmonitorpassword: "{% if oracle_password is defined %}{{ oracle_password }}{% else %}Oracle123{% endif%}"
default_dbpass: "{% if item.0.oracle_db_passwd is defined %}{{ item.0.oracle_db_passwd}}{% else %}Oracle123{% endif%}"

However, as this is only set in the defaults/main.yml, the are overridden as soon as the new structure is used.
This check will also be removed at a later stage.

Author: oravirt

roles/oradb-create/defaults/main.yml

@@ -37,6 +37,27 @@
   listener_port: 1521
   autostartup_service: false
 
+# Everything between the lines START-OF-PASSWORDS & END-OF-PASSWORDS can be 
+# put in an external passwords.yml file and be encrypted by Vault.
+# The file should be put in 'group_vars/<your-config>/passwords.yml'
+# This example will be broken out to a passwords.yml as soon as is allowed in ansible
+
+## START-OF-PASSWORDS
+  # GI
+  default_gipass: "{% if oracle_password is defined %}{{ oracle_password }}{% else %}Oracle123{% endif%}" # The check for the old passwords are there for backwards compatibility and only temporary, will be removed
+  sysasmpassword: "{% if oracle_password is defined %}{{ oracle_password }}{% else %}Oracle123{% endif%}" # The check for the old passwords are there for backwards compatibility and only temporary, will be removed
+  asmmonitorpassword: "{% if oracle_password is defined %}{{ oracle_password }}{% else %}Oracle123{% endif%}" # The check for the old passwords are there for backwards compatibility and only temporary, will be removed
+  # DB
+  default_dbpass: "{% if item.0.oracle_db_passwd is defined %}{{ item.0.oracle_db_passwd}}{% else %}Oracle123{% endif%}" # The check for the old passwords are there for  backwards compatibility and only temporary, will be removed
+  dbpasswords:
+         orcl:
+           sys: Oracle_456
+           system: Oracle_456
+           dbsnmp: Oracle_456
+           pdbadmin: Oracle_456
+
+## END-OF-PASSWORDS
+
   dbca_templatename: General_Purpose.dbc
   dbca_initParams: "{% if '12.2' in item.0.oracle_version_db %} -initParams db_name={{item.0.oracle_db_name}}{% if item.0.oracle_db_unique_name is defined %},db_unique_name={{item.0.oracle_db_unique_name}}{% endif %}{% endif %}"
 
@@ -46,7 +67,6 @@
           oracle_version_db: 12.2.0.1                          # Oracle versiono
           oracle_edition: EE                                   # The edition of database-server (EE,SE,SEONE)
           oracle_db_name: orcl                                 # Database name
-          oracle_db_passwd: Oracle123                          # Passwords (sys/system/dbsnm etc)
           oracle_db_type: SI                                   # Type of database (RAC,RACONENODE,SI)
           is_container: False                                  # (true/false) Is the database a container database
           pdb_prefix: pdb

roles/oradb-create/tasks/main.yml

@@ -21,7 +21,7 @@
     template: src={{ item.0.dbca_templatename }} dest={{ oracle_home_db }}/assistants/dbca/templates/{{ item.0.dbca_templatename }} owner={{ oracle_user }} group={{ oracle_group }} mode=640
     with_together:
        - "{{oracle_databases}}"
-    when: item.0.dbca_templatename is defined and item.0.dbca_templatename not in('New_Database.dbt','General_Purpose.dbc','New_Database.dbt')
+    when: item.0.dbca_templatename is defined and item.0.dbca_templatename not in('New_Database.dbt','General_Purpose.dbc')
     tags:
       - customdbcatemplate
 
@@ -35,6 +35,11 @@
     tags:
     - dbcaresponse
 
+  # - debug: var="{{ oracle_home_db }}/bin/dbca -createDatabase -responseFile {{ oracle_rsp_stage }}/{{ oracle_dbca_rsp }} -silent -redoLogFileSize {{ item.0.redolog_size_in_mb }} {{ dbca_initParams }}"
+  #   with_together:
+  #    - "{{oracle_databases}}"
+  #    - "{{checkdbexist.results}}"
+  # 
   - name: Create database(s)
     shell: "time {{ oracle_home_db }}/bin/dbca -createDatabase -responseFile {{ oracle_rsp_stage }}/{{ oracle_dbca_rsp }} -silent -redoLogFileSize {{ item.0.redolog_size_in_mb }} {{ dbca_initParams }}"
     with_together:
@@ -59,6 +64,7 @@
     shell:  ps -ef | grep -w "ora_pmon_{{ item.oracle_db_name }}" |grep -v grep | sed 's/^.*pmon_//g'
     with_items: "{{oracle_databases}}"
     register: dbs
+    changed_when: False
     tags:
       - dotprofile_db
       - update_oratab

roles/oradb-create/templates/dbca-create-db.rsp.11.2.0.3.j2

@@ -228,8 +228,11 @@ TEMPLATENAME = "{{dbca_templatename}}"
 # Default value : None
 # Mandatory     : Yes
 #-----------------------------------------------------------------------------
-SYSPASSWORD = "{{ item.0.oracle_db_passwd }}"
-
+{% if dbpasswords is defined and dbpasswords[item.0.oracle_db_name] is defined and dbpasswords[item.0.oracle_db_name]['sys'] is defined%}
+SYSPASSWORD = "{{dbpasswords[item.0.oracle_db_name]['sys']}}"
+{% else %}
+SYSPASSWORD = "{{default_dbpass }}"
+{% endif %}
 #-----------------------------------------------------------------------------
 # Name          : SYSTEMPASSWORD
 # Datatype      : String
@@ -238,7 +241,11 @@ SYSPASSWORD = "{{ item.0.oracle_db_passwd }}"
 # Default value : None
 # Mandatory     : Yes
 #-----------------------------------------------------------------------------
-SYSTEMPASSWORD = "{{ item.0.oracle_db_passwd }}"
+{% if dbpasswords is defined and dbpasswords[item.0.oracle_db_name] is defined and dbpasswords[item.0.oracle_db_name]['system'] is defined %}
+SYSTEMPASSWORD = "{{dbpasswords[item.0.oracle_db_name]['system']}}"
+{% else %}
+SYSTEMPASSWORD = "{{default_dbpass }}"
+{% endif %}
 
 #-----------------------------------------------------------------------------
 # Name          : EMCONFIGURATION
@@ -279,7 +286,11 @@ EMCONFIGURATION = "NONE"
 # Default value : None
 # Mandatory     : Yes, if EMCONFIGURATION is specified
 #-----------------------------------------------------------------------------
-DBSNMPPASSWORD = "{{ item.0.oracle_db_passwd }}"
+{% if dbpasswords is defined and dbpasswords[item.0.oracle_db_name] is defined and dbpasswords[item.0.oracle_db_name]['dbsnmp'] is defined %}
+DBSNMPPASSWORD = "{{dbpasswords[item.0.oracle_db_name]['dbsnmp']}}"
+{% else %}
+DBSNMPPASSWORD = "{{default_dbpass }}"
+{% endif %}
 
 #-----------------------------------------------------------------------------
 # Name          : CENTRALAGENT

roles/oradb-create/templates/dbca-create-db.rsp.11.2.0.4.j2

@@ -230,8 +230,11 @@ TEMPLATENAME = "{{dbca_templatename}}"
 # Default value : None
 # Mandatory     : Yes
 #-----------------------------------------------------------------------------
-SYSPASSWORD = "{{ item.0.oracle_db_passwd }}"
-
+{% if dbpasswords is defined and dbpasswords[item.0.oracle_db_name] is defined and dbpasswords[item.0.oracle_db_name]['sys'] is defined%}
+SYSPASSWORD = "{{dbpasswords[item.0.oracle_db_name]['sys']}}"
+{% else %}
+SYSPASSWORD = "{{default_dbpass }}"
+{% endif %}
 #-----------------------------------------------------------------------------
 # Name          : SYSTEMPASSWORD
 # Datatype      : String
@@ -240,7 +243,11 @@ SYSPASSWORD = "{{ item.0.oracle_db_passwd }}"
 # Default value : None
 # Mandatory     : Yes
 #-----------------------------------------------------------------------------
-SYSTEMPASSWORD = "{{ item.0.oracle_db_passwd }}"
+{% if dbpasswords is defined and dbpasswords[item.0.oracle_db_name] is defined and dbpasswords[item.0.oracle_db_name]['system'] is defined %}
+SYSTEMPASSWORD = "{{dbpasswords[item.0.oracle_db_name]['system']}}"
+{% else %}
+SYSTEMPASSWORD = "{{default_dbpass }}"
+{% endif %}
 
 #-----------------------------------------------------------------------------
 # Name          : EMCONFIGURATION
@@ -281,8 +288,11 @@ EMCONFIGURATION = "NONE"
 # Default value : None
 # Mandatory     : Yes, if EMCONFIGURATION is specified
 #-----------------------------------------------------------------------------
-DBSNMPPASSWORD = "{{ item.0.oracle_db_passwd }}"
-
+{% if dbpasswords is defined and dbpasswords[item.0.oracle_db_name] is defined and dbpasswords[item.0.oracle_db_name]['dbsnmp'] is defined %}
+DBSNMPPASSWORD = "{{dbpasswords[item.0.oracle_db_name]['dbsnmp']}}"
+{% else %}
+DBSNMPPASSWORD = "{{default_dbpass }}"
+{% endif %}
 #-----------------------------------------------------------------------------
 # Name          : CENTRALAGENT
 # Datatype      : String
@@ -433,7 +443,7 @@ DISKGROUPNAME={{ datafile_dest.lstrip('+') }}
 # Default value : None
 # Mandatory     : No
 #-----------------------------------------------------------------------------
-ASMSNMP_PASSWORD="{{ item.0.oracle_db_passwd }}"
+ASMSNMP_PASSWORD={%if asmmonitorpassword is defined %}{{asmmonitorpassword}}{% else %}{{default_gipass}}{% endif %}
 
 #-----------------------------------------------------------------------------
 # Name          : RECOVERYGROUPNAME

roles/oradb-create/templates/dbca-create-db.rsp.12.1.0.1.j2

@@ -216,7 +216,7 @@ SID = "{{ item.0.oracle_db_name }}"
 # Default value : false
 # Mandatory     : No
 #-----------------------------------------------------------------------------
-CREATEASCONTAINERDATABASE = "{{ item.0.is_container }}"
+CREATEASCONTAINERDATABASE = {% if item.0.is_container is defined %}{{ item.0.is_container }}{% endif %}
 
 #-----------------------------------------------------------------------------
 # Name          : NUMBEROFPDBS
@@ -226,7 +226,7 @@ CREATEASCONTAINERDATABASE = "{{ item.0.is_container }}"
 # Default value : 0
 # Mandatory     : No
 #-----------------------------------------------------------------------------
-NUMBEROFPDBS = "{{ item.0.num_pdbs }}"
+NUMBEROFPDBS = {% if item.0.is_container and item.0.num_pdbs is defined %}{{ item.0.num_pdbs }}{%endif%}
 
 #-----------------------------------------------------------------------------
 # Name          : PDBNAME
@@ -236,7 +236,7 @@ NUMBEROFPDBS = "{{ item.0.num_pdbs }}"
 # Default value : None
 # Mandatory     : No
 #-----------------------------------------------------------------------------
-PDBNAME = "{{ item.0.pdb_prefix }}"
+PDBNAME = {% if item.0.is_container and item.0.pdb_prefix is defined %}{{ item.0.pdb_prefix }}{%endif%}
 
 #-----------------------------------------------------------------------------
 # Name          : PDBADMINPASSWORD
@@ -246,7 +246,12 @@ PDBNAME = "{{ item.0.pdb_prefix }}"
 # Default value : None
 # Mandatory     : No
 #-----------------------------------------------------------------------------
-PDBADMINPASSWORD = "{{ item.0.oracle_db_passwd }}"
+{% if dbpasswords is defined and dbpasswords[item.0.oracle_db_name] is defined and dbpasswords[item.0.oracle_db_name]['pdbadmin'] is defined %}
+PDBADMINPASSWORD = "{{dbpasswords[item.0.oracle_db_name]['pdbadmin']}}"
+{% else %}
+PDBADMINPASSWORD = "{{default_dbpass }}"
+{% endif %}
+
 
 #-----------------------------------------------------------------------------
 # Name          : NODELIST
@@ -297,8 +302,11 @@ TEMPLATENAME = "{{dbca_templatename}}"
 # Default value : None
 # Mandatory     : Yes
 #-----------------------------------------------------------------------------
-SYSPASSWORD = "{{ item.0.oracle_db_passwd }}"
-
+{% if dbpasswords is defined and dbpasswords[item.0.oracle_db_name] is defined and dbpasswords[item.0.oracle_db_name]['sys'] is defined%}
+SYSPASSWORD = "{{dbpasswords[item.0.oracle_db_name]['sys']}}"
+{% else %}
+SYSPASSWORD = "{{default_dbpass }}"
+{% endif %}
 #-----------------------------------------------------------------------------
 # Name          : SYSTEMPASSWORD
 # Datatype      : String
@@ -307,7 +315,11 @@ SYSPASSWORD = "{{ item.0.oracle_db_passwd }}"
 # Default value : None
 # Mandatory     : Yes
 #-----------------------------------------------------------------------------
-SYSTEMPASSWORD = "{{ item.0.oracle_db_passwd }}"
+{% if dbpasswords is defined and dbpasswords[item.0.oracle_db_name] is defined and dbpasswords[item.0.oracle_db_name]['system'] is defined %}
+SYSTEMPASSWORD = "{{dbpasswords[item.0.oracle_db_name]['system']}}"
+{% else %}
+SYSTEMPASSWORD = "{{default_dbpass }}"
+{% endif %}
 
 #-----------------------------------------------------------------------------
 # Name          : SERVICEUSERPASSWORD
@@ -361,7 +373,11 @@ EMCONFIGURATION = "NONE"
 # Mandatory     : Yes, if EMCONFIGURATION is specified or
 #                 the value of RUNCVUCHECKS is TRUE
 #-----------------------------------------------------------------------------
-DBSNMPPASSWORD = "{{ item.0.oracle_db_passwd }}"
+{% if dbpasswords is defined and dbpasswords[item.0.oracle_db_name] is defined and dbpasswords[item.0.oracle_db_name]['dbsnmp'] is defined %}
+DBSNMPPASSWORD = "{{dbpasswords[item.0.oracle_db_name]['dbsnmp']}}"
+{% else %}
+DBSNMPPASSWORD = "{{default_dbpass }}"
+{% endif %}
 
 #-----------------------------------------------------------------------------
 # Name          : OMSHOST
@@ -527,7 +543,7 @@ DISKGROUPNAME={{ datafile_dest }}
 # Default value : None
 # Mandatory     : No
 #-----------------------------------------------------------------------------
-ASMSNMP_PASSWORD="{{ item.0.oracle_db_passwd }}"
+ASMSNMP_PASSWORD={%if asmmonitorpassword is defined %}{{asmmonitorpassword}}{% else %}{{default_gipass}}{% endif %}
 
 #-----------------------------------------------------------------------------
 # Name          : RECOVERYGROUPNAME

roles/oradb-create/templates/dbca-create-db.rsp.12.1.0.2.j2

@@ -217,7 +217,7 @@ SID = "{{ item.0.oracle_db_name }}"
 # Default value : false
 # Mandatory     : No
 #-----------------------------------------------------------------------------
-CREATEASCONTAINERDATABASE = "{{ item.0.is_container }}"
+CREATEASCONTAINERDATABASE = {% if item.0.is_container is defined %}{{ item.0.is_container }}{% endif %}
 
 #-----------------------------------------------------------------------------
 # Name          : NUMBEROFPDBS
@@ -227,7 +227,7 @@ CREATEASCONTAINERDATABASE = "{{ item.0.is_container }}"
 # Default value : 0
 # Mandatory     : No
 #-----------------------------------------------------------------------------
-NUMBEROFPDBS = "{{ item.0.num_pdbs }}"
+NUMBEROFPDBS = {% if item.0.is_container and item.0.num_pdbs is defined %}{{ item.0.num_pdbs }}{%endif%}
 
 #-----------------------------------------------------------------------------
 # Name          : PDBNAME
@@ -237,7 +237,7 @@ NUMBEROFPDBS = "{{ item.0.num_pdbs }}"
 # Default value : None
 # Mandatory     : No
 #-----------------------------------------------------------------------------
-PDBNAME = "{{ item.0.pdb_prefix }}"
+PDBNAME = {% if item.0.is_container and item.0.pdb_prefix is defined %}{{ item.0.pdb_prefix }}{%endif%}
 
 #-----------------------------------------------------------------------------
 # Name          : PDBADMINPASSWORD
@@ -247,7 +247,11 @@ PDBNAME = "{{ item.0.pdb_prefix }}"
 # Default value : None
 # Mandatory     : No
 #-----------------------------------------------------------------------------
-PDBADMINPASSWORD = "{{ item.0.oracle_db_passwd }}"
+{% if dbpasswords is defined and dbpasswords[item.0.oracle_db_name] is defined and dbpasswords[item.0.oracle_db_name]['pdbadmin'] is defined %}
+PDBADMINPASSWORD = "{{dbpasswords[item.0.oracle_db_name]['pdbadmin']}}"
+{% else %}
+PDBADMINPASSWORD = "{{default_dbpass }}"
+{% endif %}
 
 #-----------------------------------------------------------------------------
 # Name          : NODELIST
@@ -298,8 +302,11 @@ TEMPLATENAME = "{{dbca_templatename}}"
 # Default value : None
 # Mandatory     : Yes
 #-----------------------------------------------------------------------------
-SYSPASSWORD = "{{ item.0.oracle_db_passwd }}"
-
+{% if dbpasswords is defined and dbpasswords[item.0.oracle_db_name] is defined and dbpasswords[item.0.oracle_db_name]['sys'] is defined%}
+SYSPASSWORD = "{{dbpasswords[item.0.oracle_db_name]['sys']}}"
+{% else %}
+SYSPASSWORD = "{{default_dbpass }}"
+{% endif %}
 #-----------------------------------------------------------------------------
 # Name          : SYSTEMPASSWORD
 # Datatype      : String
@@ -308,7 +315,11 @@ SYSPASSWORD = "{{ item.0.oracle_db_passwd }}"
 # Default value : None
 # Mandatory     : Yes
 #-----------------------------------------------------------------------------
-SYSTEMPASSWORD = "{{ item.0.oracle_db_passwd }}"
+{% if dbpasswords is defined and dbpasswords[item.0.oracle_db_name] is defined and dbpasswords[item.0.oracle_db_name]['system'] is defined %}
+SYSTEMPASSWORD = "{{dbpasswords[item.0.oracle_db_name]['system']}}"
+{% else %}
+SYSTEMPASSWORD = "{{default_dbpass }}"
+{% endif %}
 
 #-----------------------------------------------------------------------------
 # Name          : SERVICEUSERPASSWORD
@@ -362,7 +373,11 @@ EMCONFIGURATION = "NONE"
 # Mandatory     : Yes, if EMCONFIGURATION is specified or
 #                 the value of RUNCVUCHECKS is TRUE
 #-----------------------------------------------------------------------------
-DBSNMPPASSWORD = "{{ item.0.oracle_db_passwd }}"
+{% if dbpasswords is defined and dbpasswords[item.0.oracle_db_name] is defined and dbpasswords[item.0.oracle_db_name]['dbsnmp'] is defined %}
+DBSNMPPASSWORD = "{{dbpasswords[item.0.oracle_db_name]['dbsnmp']}}"
+{% else %}
+DBSNMPPASSWORD = "{{default_dbpass }}"
+{% endif %}
 
 #-----------------------------------------------------------------------------
 # Name          : OMSHOST
@@ -528,7 +543,7 @@ DISKGROUPNAME={{ datafile_dest }}
 # Default value : None
 # Mandatory     : No
 #-----------------------------------------------------------------------------
-ASMSNMP_PASSWORD="{{ item.0.oracle_db_passwd }}"
+ASMSNMP_PASSWORD={%if asmmonitorpassword is defined %}{{asmmonitorpassword}}{% else %}{{default_gipass}}{% endif %}
 
 #-----------------------------------------------------------------------------
 # Name          : RECOVERYGROUPNAME