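---
# Filebeat role tasks: configure the Elastic APT repository with a dedicated
# keyring, install and enable Filebeat, optionally install the Logstash beats
# input plugin, then configure /etc/filebeat/filebeat.yml either by in-place
# line edits (default) or from a template.
#
# NOTE(review): this listing appears to have had runs of whitespace collapsed.
# The leading spaces inside the `regexp:` / `line:` literals below are
# reproduced exactly as shown; they must match the indentation used in
# filebeat.yml, so verify them against the role's original file.

- name: APT https transport is enabled
  apt:
    name: apt-transport-https
    state: present
  tags:
    - filebeat
    - packages

- name: Look for legacy apt keyring
  stat:
    path: /etc/apt/trusted.gpg
  register: _trusted_gpg_keyring
  tags:
    - filebeat
    - packages

# Drop the key from the global trusted keyring so that it is only trusted for
# the Elastic repository (via signed-by below), not for every APT source.
# NOTE(review): this is a short (32-bit) key ID, which is not collision
# resistant; prefer the full fingerprint if the role can carry it.
- name: Elastic embedded GPG key is absent
  apt_key:
    id: "D88E42B4"
    keyring: /etc/apt/trusted.gpg
    state: absent
  when: _trusted_gpg_keyring.stat.exists
  tags:
    - filebeat
    - packages

- name: Elastic GPG key is installed
  copy:
    src: elastic.asc
    dest: "{{ apt_keyring_dir }}/elastic.asc"
    force: true
    mode: "0644"
    owner: root
    group: root
  tags:
    - filebeat
    - packages

- name: Elastic sources list is available
  apt_repository:
    repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
    filename: elastic
    state: present
    update_cache: true
  tags:
    - filebeat
    - packages

# Remove the older entry that lacks signed-by, so the repository cannot be
# validated against the global keyring.
- name: Unsigned Elastic sources list is not available
  apt_repository:
    repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
    filename: elastic
    state: absent
    update_cache: true
  tags:
    - filebeat
    - packages

- name: Filebeat is installed
  apt:
    name: filebeat
    state: "{% if filebeat_upgrade_package %}latest{% else %}present{% endif %}"
  notify: restart filebeat
  tags:
    - filebeat
    - packages

- name: Filebeat service is enabled
  systemd:
    name: filebeat
    enabled: true
  notify: restart filebeat
  when: not ansible_check_mode

- name: is logstash-plugin available?
  stat:
    path: /usr/share/logstash/bin/logstash-plugin
  check_mode: false
  register: logstash_plugin

# Read-only probe: never fails and never reports a change; the install block
# below decides from the grep exit code.
- name: is logstash-input-beats installed?
  command: grep logstash-input-beats /usr/share/logstash/Gemfile
  check_mode: false
  register: logstash_plugin_installed
  failed_when: false
  changed_when: false
  when:
    - filebeat_logstash_plugin | bool
    - logstash_plugin.stat.exists

- name: Logstash plugin is installed
  block:
    - include_role:
        name: evolix/remount-usr

    - name: logstash-plugin install logstash-input-beats
      command: /usr/share/logstash/bin/logstash-plugin install logstash-input-beats
  when:
    - filebeat_logstash_plugin | bool
    - logstash_plugin.stat.exists
    # The probe uses `failed_when: false`, so its result is always "success";
    # test the grep exit code instead (non-zero means the plugin is missing).
    - logstash_plugin_installed.rc != 0

# When we don't use a config template (default)
- block:
    - name: cloud_metadata processor is disabled
      replace:
        dest: /etc/filebeat/filebeat.yml
        regexp: '^(\s+)(- add_cloud_metadata:)'
        replace: '\1# \2'
      notify: restart filebeat
      when: not (filebeat_processors_cloud_metadata | bool)

    - name: cloud_metadata processor is enabled
      lineinfile:
        dest: /etc/filebeat/filebeat.yml
        line: " - add_cloud_metadata: ~"
        # lineinfile's parameter is `insertafter`; `insert_after` is rejected
        # as an unsupported parameter.
        insertafter: '^processors:'
      notify: restart filebeat
      when: filebeat_processors_cloud_metadata | bool

    - name: Filebeat knows where to find Elasticsearch
      lineinfile:
        dest: /etc/filebeat/filebeat.yml
        regexp: '^ hosts: .*'
        line: " hosts: [\"{{ filebeat_elasticsearch_hosts | join('\", \"') }}\"]"
        insertafter: "output.elasticsearch:"
      notify: restart filebeat
      when: filebeat_elasticsearch_hosts | length > 0

    # NOTE(review): "http" sends events, and any credentials configured below,
    # to Elasticsearch unencrypted; prefer "https" outside a trusted network.
    - name: Filebeat protocol for Elasticsearch
      lineinfile:
        dest: /etc/filebeat/filebeat.yml
        regexp: '^ #?protocol: .*'
        line: " protocol: \"{{ filebeat_elasticsearch_protocol }}\""
        insertafter: "output.elasticsearch:"
      notify: restart filebeat
      when: filebeat_elasticsearch_protocol == "http" or filebeat_elasticsearch_protocol == "https"

    - name: Filebeat auth/username for Elasticsearch are configured
      lineinfile:
        dest: /etc/filebeat/filebeat.yml
        regexp: '{{ item.regexp }}'
        line: '{{ item.line }}'
        insertafter: "output.elasticsearch:"
      loop:
        - regexp: '^ #?username: .*'
          line: ' username: "{{ filebeat_elasticsearch_auth_username }}"'
        - regexp: '^ #?password: .*'
          line: ' password: "{{ filebeat_elasticsearch_auth_password }}"'
      # The loop items embed the password; keep them out of task output,
      # diffs and logs.
      no_log: true
      notify: restart filebeat
      when:
        - filebeat_elasticsearch_auth_username | length > 0
        - filebeat_elasticsearch_auth_password | length > 0
  when:
    - not (filebeat_use_config_template | bool)
    - not ansible_check_mode

# NOTE(review): in this listing the task follows the block's `when:`, so it is
# not covered by the "no config template" / "not check mode" conditions above.
# If a template is in use, this edit and the template task would both manage
# the same file - confirm whether it belongs inside the block.
- name: Filebeat api_key for Elasticsearch are configured
  lineinfile:
    dest: /etc/filebeat/filebeat.yml
    regexp: '^ #?api_key: .*'
    line: ' api_key: "{{ filebeat_elasticsearch_auth_api_key }}"'
    insertafter: "output.elasticsearch:"
  # The rendered line contains the API key; keep it out of task output,
  # diffs and logs.
  no_log: true
  notify: restart filebeat
  when: filebeat_elasticsearch_auth_api_key | length > 0

# When we use a config template
- block:
    # The first template found wins: host-specific, then group, then defaults.
    # NOTE(review): no owner/mode is set here; if the template carries
    # credentials, consider pinning a restrictive mode explicitly.
    - name: Configuration is up-to-date
      template:
        src: "{{ item }}"
        dest: /etc/filebeat/filebeat.yml
        force: "{{ filebeat_force_config }}"
      loop: "{{ query('first_found', templates) }}"
      vars:
        templates:
          - "templates/filebeat/filebeat.{{ inventory_hostname }}.yml.j2"
          - "templates/filebeat/filebeat.{{ host_group | default('all') }}.yml.j2"
          - "templates/filebeat/filebeat.default.yml.j2"
          - "templates/filebeat.default.yml.j2"
      notify: restart filebeat
      when: filebeat_update_config | bool
  when: filebeat_use_config_template | bool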