diff --git a/roles/confluence_config/molecule/default/playbook.yml b/roles/confluence_config/molecule/default/playbook.yml
index 93c91ec..89f5a68 100644
--- a/roles/confluence_config/molecule/default/playbook.yml
+++ b/roles/confluence_config/molecule/default/playbook.yml
@@ -10,6 +10,7 @@
atl_db_host: "postgres-db.ap-southeast-2.rds.amazonaws.com"
atl_jdbc_db_name: "confluence"
atl_jdbc_user: 'confluence'
+ atl_jdbc_password: 'molecule_password'
atl_jvm_heap: 'PLACEHOLDER'
atl_cluster_node_id: 'FAKEID'
atl_autologin_cookie_age: "COOKIEAGE"
diff --git a/roles/confluence_config/molecule/default/tests/test_default.py b/roles/confluence_config/molecule/default/tests/test_default.py
index 1d994ab..b574a0c 100644
--- a/roles/confluence_config/molecule/default/tests/test_default.py
+++ b/roles/confluence_config/molecule/default/tests/test_default.py
@@ -76,3 +76,4 @@ def test_confluence_config_file(host):
assert f.contains('org.postgresql.Driver')
assert f.contains('ec2.amazonaws.com')
assert f.contains('jdbc:postgresql://postgres-db.ap-southeast-2.rds.amazonaws.com:5432/confluence')
+ assert f.contains('molecule_password')
\ No newline at end of file
diff --git a/roles/confluence_config/molecule/password_char_escaping/Dockerfile.j2 b/roles/confluence_config/molecule/password_char_escaping/Dockerfile.j2
new file mode 100644
index 0000000..e6aa95d
--- /dev/null
+++ b/roles/confluence_config/molecule/password_char_escaping/Dockerfile.j2
@@ -0,0 +1,14 @@
+# Molecule managed
+
+{% if item.registry is defined %}
+FROM {{ item.registry.url }}/{{ item.image }}
+{% else %}
+FROM {{ item.image }}
+{% endif %}
+
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
+ elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash && dnf clean all; \
+ elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
+ elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml && zypper clean -a; \
+ elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \
+ elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates && xbps-remove -O; fi
diff --git a/roles/confluence_config/molecule/password_char_escaping/molecule.yml b/roles/confluence_config/molecule/password_char_escaping/molecule.yml
new file mode 100644
index 0000000..33c377c
--- /dev/null
+++ b/roles/confluence_config/molecule/password_char_escaping/molecule.yml
@@ -0,0 +1,32 @@
+---
+dependency:
+ name: galaxy
+driver:
+ name: docker
+lint:
+ name: yamllint
+platforms:
+ - name: amazon_linux2
+ image: amazonlinux:2
+ groups:
+ - aws_node_local
+ - name: ubuntu_lts
+ image: ubuntu:bionic
+ groups:
+ - aws_node_local
+provisioner:
+ name: ansible
+ options:
+ skip-tags: runtime_pkg
+ lint:
+ name: ansible-lint
+ options:
+ x: ["701"]
+ inventory:
+ links:
+ group_vars: ../../../../group_vars/
+verifier:
+ name: testinfra
+ lint:
+ name: flake8
+ enabled: false
diff --git a/roles/confluence_config/molecule/password_char_escaping/playbook.yml b/roles/confluence_config/molecule/password_char_escaping/playbook.yml
new file mode 100644
index 0000000..c186bb9
--- /dev/null
+++ b/roles/confluence_config/molecule/password_char_escaping/playbook.yml
@@ -0,0 +1,27 @@
+---
+- name: Converge
+ hosts: all
+ vars:
+ atl_product_family: "confluence"
+ atl_product_edition: "confluence"
+ atl_product_user: "confluence"
+ atl_product_version: "latest"
+ atl_db_engine: "postgres"
+ atl_db_host: "postgres-db.ap-southeast-2.rds.amazonaws.com"
+ atl_jdbc_db_name: "confluence"
+ atl_jdbc_user: 'confluence'
+ atl_jdbc_password: 'passwords_with_ampersands_&_should_be_escaped'
+ atl_jvm_heap: 'PLACEHOLDER'
+ atl_cluster_node_id: 'FAKEID'
+ atl_autologin_cookie_age: "COOKIEAGE"
+ atl_local_ipv4: "1.1.1.1"
+ atl_tomcat_scheme: "http"
+ atl_proxy_name: "localhost"
+ atl_proxy_port: "80"
+
+ roles:
+ - role: linux_common
+ - role: product_common
+ - role: product_install
+ - role: confluence_common
+ - role: confluence_config
diff --git a/roles/confluence_config/molecule/password_char_escaping/tests/test_default.py b/roles/confluence_config/molecule/password_char_escaping/tests/test_default.py
new file mode 100644
index 0000000..47c0e9d
--- /dev/null
+++ b/roles/confluence_config/molecule/password_char_escaping/tests/test_default.py
@@ -0,0 +1,12 @@
+import os
+import pytest
+
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+ os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
+
+def test_confluence_config_file_for_escaped_ampersand_chars(host):
+ f = host.file('/var/atlassian/application-data/confluence/confluence.cfg.xml')
+ assert f.exists
+ assert f.contains('passwords_with_ampersands_&_should_be_escaped')
\ No newline at end of file
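Review bot: As shown on this page, the final assertion in `test_confluence_config_file_for_escaped_ampersand_chars` looks for the raw `&`, which is what an unescaped template would write. The rendering may have decoded an entity here, but if the file really holds this literal, the test should expect the escaped form and also assert that the raw form is absent. `f.contains` is a grep pattern match, so a stricter check would read `f.content_string` and parse it as XML to prove the rendered file is well-formed. Because this file stores the JDBC password, the test could also pin ownership and mode, e.g. `assert f.mode == 0o640` (constructed value; use whatever the role is meant to set). `import pytest` is unused in this file, and the assertion points apply equally to `test_dbconfig_file_for_escaped_ampersand_chars` in the jira_config scenario.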
diff --git a/roles/confluence_config/templates/confluence.cfg.xml.j2 b/roles/confluence_config/templates/confluence.cfg.xml.j2
index 10495e1..b6e78ba 100644
--- a/roles/confluence_config/templates/confluence.cfg.xml.j2
+++ b/roles/confluence_config/templates/confluence.cfg.xml.j2
@@ -16,7 +16,6 @@
{{ atl_db_driver }}
{{ atl_jdbc_url }}
{{ atl_jdbc_user }}
- {{ atl_jdbc_password }}
{{ atl_jdbc_password | replace("&", "&") }}
{{ atl_db_poolminsize }}
{{ atl_db_poolmaxsize }}
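Review bot: The `replace` on `atl_jdbc_password` handles only the ampersand, so a password containing `<`, `>` or a quote would still produce a malformed or structurally altered `confluence.cfg.xml`. Jinja2's built-in filter covers all five characters: `{{ atl_jdbc_password | escape }}`. As rendered here the call replaces `&` with `&`, which is a no-op; that is presumably an entity lost in page extraction rather than the committed text, but it is worth confirming against the repository. `atl_jdbc_user` and `atl_jdbc_url` on the neighbouring lines are emitted with no filter and would need the same treatment unless they are escaped upstream. The `password_char_escaping` fixtures exercise only `&`, so a second fixture password containing `<`, `>` and quotes would be worth adding.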
diff --git a/roles/jira_config/molecule/password_char_escaping/Dockerfile.j2 b/roles/jira_config/molecule/password_char_escaping/Dockerfile.j2
new file mode 100644
index 0000000..e6aa95d
--- /dev/null
+++ b/roles/jira_config/molecule/password_char_escaping/Dockerfile.j2
@@ -0,0 +1,14 @@
+# Molecule managed
+
+{% if item.registry is defined %}
+FROM {{ item.registry.url }}/{{ item.image }}
+{% else %}
+FROM {{ item.image }}
+{% endif %}
+
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
+ elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash && dnf clean all; \
+ elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
+ elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml && zypper clean -a; \
+ elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \
+ elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates && xbps-remove -O; fi
diff --git a/roles/jira_config/molecule/password_char_escaping/molecule.yml b/roles/jira_config/molecule/password_char_escaping/molecule.yml
new file mode 100644
index 0000000..7f082f6
--- /dev/null
+++ b/roles/jira_config/molecule/password_char_escaping/molecule.yml
@@ -0,0 +1,36 @@
+---
+dependency:
+ name: galaxy
+driver:
+ name: docker
+lint:
+ name: yamllint
+platforms:
+ - name: amazon_linux2
+ image: amazonlinux:2
+ groups:
+ - aws_node_local
+ ulimits:
+ - nofile:262144:262144
+ - name: ubuntu_lts
+ image: ubuntu:bionic
+ groups:
+ - aws_node_local
+ ulimits:
+ - nofile:262144:262144
+provisioner:
+ name: ansible
+ options:
+ skip-tags: runtime_pkg
+ lint:
+ name: ansible-lint
+ options:
+ x: ["701"]
+ inventory:
+ links:
+ group_vars: ../../../../group_vars/
+verifier:
+ name: testinfra
+ lint:
+ name: flake8
+ enabled: false
diff --git a/roles/jira_config/molecule/password_char_escaping/playbook.yml b/roles/jira_config/molecule/password_char_escaping/playbook.yml
new file mode 100644
index 0000000..2aa0e9c
--- /dev/null
+++ b/roles/jira_config/molecule/password_char_escaping/playbook.yml
@@ -0,0 +1,33 @@
+---
+- name: Converge
+ hosts: all
+ vars:
+ atl_product_family: "jira"
+ atl_product_edition: "jira-software"
+ atl_product_user: "jira"
+ atl_product_version: "7.13.2"
+
+ # dbconfig.xml variables
+ atl_jdbc_user: 'atljira'
+ atl_jdbc_password: 'passwords_with_ampersands_&_should_be_escaped'
+ atl_jvm_heap: 'PLACEHOLDER'
+ atl_jvm_opts: 'PLACEHOLDER'
+ atl_cluster_node_id: 'FAKEID'
+ atl_db_poolminsize: 1111
+ atl_db_poolmaxsize: 1111
+ atl_db_minidle: 1111
+ atl_db_maxidle: 1111
+ atl_db_maxwaitmillis: 1111
+ atl_db_minevictableidletimemillis: 1111
+ atl_db_timebetweenevictionrunsmillis: 1111
+ atl_db_removeabandoned: 'false'
+ atl_db_removeabandonedtimeout: 1111
+ atl_db_testwhileidle: 'false'
+ atl_db_testonborrow: 'true'
+ atl_db_engine: 'rds_postgres'
+
+ roles:
+ - role: linux_common
+ - role: product_common
+ - role: product_install
+ - role: jira_config
diff --git a/roles/jira_config/molecule/password_char_escaping/tests/test_default.py b/roles/jira_config/molecule/password_char_escaping/tests/test_default.py
new file mode 100644
index 0000000..b068414
--- /dev/null
+++ b/roles/jira_config/molecule/password_char_escaping/tests/test_default.py
@@ -0,0 +1,12 @@
+import os
+
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+ os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
+
+
+def test_dbconfig_file_for_escaped_ampersand_chars(host):
+ f = host.file('/var/atlassian/application-data/jira/dbconfig.xml')
+ assert f.exists
+ assert f.contains("passwords_with_ampersands_&_should_be_escaped")
\ No newline at end of file