ministryofjustice / ansible-playbook-with-keyvault-action

GitHub Action for running ansible-playbook with credentials retrieved from Azure KeyVault

License: Other

TypeScript 100.00%

ansible-playbook-with-keyvault

GitHub Action for running Ansible playbooks with credentials stored in Azure KeyVault.

Build

The TypeScript source is under src/. Use npm to compile it to JavaScript, then commit the resulting dist/:

npm install
npm run build

The code for logging into Azure and retrieving KeyVault secrets is based on the following repos:

Pipelines

The GitHub "build" pipeline verifies that the committed dist/ matches the source build.

Usage

Flexible action to allow execution of ansible-playbook with credentials stored in Azure KeyVault.

Logging into Azure

If the runner is not already logged into Azure, supply service principal credentials in the azure_creds input, in the same format used by https://github.com/Azure/login. The subscription must be the one that holds the Azure KeyVault containing the Ansible credentials.

Ansible Vault Password

Store the ansible vault password in an Azure KeyVault:

  • Set keyvault_name to the name of the Azure KeyVault.
  • Set keyvault_secret_name_vault_password to the name of the secret containing the vault password.

The action will write the password to the filename set in the vault_password_filename option. Then either:

  • Reference this filename directly in the ansible configuration using vault_password_file option.
  • Add using a temporary yaml file via --extra-vars cmdline option by including vault_password_file in the ansible_vars option. The action will append the filename.
  • Add via command line by including --vault-password-file or --vault-pass-file in the ansible_args option. The action will append the filename.

Ansible SSH Username

This doesn't need to be held in Azure KeyVault. Either:

  • Set the ansible username directly within the ansible configuration file.
  • Set ansible_user option and then either:
    • Add via command line by including -u or --user in the ansible_args option. The action will append the username.
    • Add using a temporary yaml file via the --extra-vars cmdline option by including remote_user or ansible_user in the ansible_vars option. The action will append the username.

Ansible SSH Private Key

Store the unencrypted Ansible SSH private key in an Azure KeyVault:

  • Set keyvault_name to the name of the Azure KeyVault.
  • Set keyvault_secret_name_ssh_privkey to the name of the secret containing the unencrypted private key.

The action will write the key to the filename set in the ssh_privkey_filename option. Then either:

  • Reference this directly within the ssh_connection settings of the ansible configuration file.
  • Add via command line by including --key-file or --private-key in the ansible_args option. The action will append the filename.

Ansible SSH Password

Store the ansible ssh password in an Azure KeyVault.

  • Set keyvault_name to the name of the Azure KeyVault.
  • Set keyvault_secret_name_ssh_password to the name of the secret containing the ssh password.

Then:

  • Store in plain text in a temporary file and reference using sshpass within the ssh_connection settings of the ansible configuration file. The filename is set by the ssh_password_txt_filename option.
  • Add using a temporary yaml file via --extra-vars cmdline option by including ansible_password or ansible_ssh_pass within ansible_vars option. The action will append the password.

Input Reference

| Variable | Description |
| --- | --- |
| azure_creds | Optional. If not already logged into Azure, specify credentials here (same format as the Azure login action) |
| keyvault_name | Optional. Name of the Azure KeyVault containing the Ansible credentials |
| keyvault_secret_name_ssh_password | Optional. The name of the KeyVault secret that holds the SSH password |
| keyvault_secret_name_vault_password | Optional. The name of the KeyVault secret that holds the Ansible vault password |
| keyvault_secret_name_ssh_privkey | Optional. The name of the KeyVault secret that holds the SSH private key |
| ssh_password_txt_filename | Optional. Write the SSH password to this temporary text file [ansible_pass] |
| ssh_privkey_filename | Optional. Write the private key to this filename [ansible_key] |
| vault_password_filename | Optional. The filename to write the vault password to [.vault.txt] |
| extra_vars_yaml_filename | Optional. The yaml filename to write the extra variables specified in ansible_vars to [extravars.yaml] |
| ansible_dir | Directory containing the Ansible code |
| ansible_playbook | Location of the Ansible playbook, e.g. site.yml |
| ansible_inventory | Optional. Location of the Ansible inventory |
| ansible_user | Optional. Set the Ansible username |
| ansible_vars | Optional. Pipe-separated list of additional vars for --extra-vars, e.g. 'ansible_user\|ansible_password' |
| ansible_args | Optional. Pipe-separated list of command line args, e.g. '--verbose\|--check\|-u\|--limit testserver' |
| ansible_config | Optional. Location of the Ansible configuration file |
| action_settings | Optional. Pipe-separated list of debug options, e.g. showCliOutput\|hideAnsibleOutput\|noCleanup\|noAnsible |

For ansible_vars, the action automatically appends the matching value to each listed variable name, for example:

  • ansible_user is added to remote_user or ansible_user
  • ssh password is added to ansible_password or ansible_ssh_pass
  • vault_password_filename is added to vault_password_file

For ansible_args, the action automatically appends the matching value after each listed flag, for example:

  • ansible_user added to -u or --user
  • ssh_privkey_filename added to --key-file or --private-key
  • vault_password_filename added to --vault-password-file or --vault-pass-file
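As an added example (not the action's own TypeScript), the following reproduces the appending rules described under Usage and in the two lists above; the Creds field names and the whitespace splitting of non-flag elements are assumptions:

```typescript
// Added example, not the action's own code: reproduces the ansible_args /
// ansible_vars expansion the README describes. Field names are assumptions.
interface Creds {
  ansibleUser?: string;           // ansible_user input
  sshPassword?: string;           // secret from keyvault_secret_name_ssh_password
  sshPrivkeyFilename?: string;    // ssh_privkey_filename input
  vaultPasswordFilename?: string; // vault_password_filename input
}

// Value the action appends after a flag listed in ansible_args; null = plain arg.
function flagValue(flag: string, c: Creds): string | undefined | null {
  switch (flag) {
    case "-u": case "--user": return c.ansibleUser;
    case "--key-file": case "--private-key": return c.sshPrivkeyFilename;
    case "--vault-password-file": case "--vault-pass-file": return c.vaultPasswordFilename;
    default: return null;
  }
}

// Expand pipe-separated ansible_args into argv. Other elements are split on
// whitespace (assumption: README shows '--limit testserver' as one element).
function buildAnsibleArgs(ansibleArgs: string, c: Creds): string[] {
  const argv: string[] = [];
  for (const raw of ansibleArgs.split("|")) {
    const arg = raw.trim();
    if (!arg) continue;
    const v = flagValue(arg, c);
    if (v === null) { argv.push(...arg.split(/\s+/)); continue; }
    if (!v) throw new Error(`${arg} listed in ansible_args but no value is configured`);
    argv.push(arg, v); // e.g. -u myuser, --vault-password-file .vault.txt
  }
  return argv;
}

// Build the extra-vars map for the temporary YAML file; names the README does not
// list are rejected instead of being written with an empty value.
function buildExtraVars(ansibleVars: string, c: Creds): Record<string, string> {
  const vars: Record<string, string> = {};
  for (const raw of ansibleVars.split("|")) {
    const name = raw.trim();
    if (!name) continue;
    let v: string | undefined;
    if (name === "remote_user" || name === "ansible_user") v = c.ansibleUser;
    else if (name === "ansible_password" || name === "ansible_ssh_pass") v = c.sshPassword;
    else if (name === "vault_password_file") v = c.vaultPasswordFilename;
    if (!v) throw new Error(`${name} listed in ansible_vars but no value is configured`);
    vars[name] = v;
  }
  return vars;
}
```

Note that a flag or variable name listed without a configured value fails fast instead of silently running the playbook with an empty credential.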

Example Pipelines

name: sample-pipeline

on: [push]

jobs:

  check-ansible:
    runs-on: 
      - self-hosted
      - my-label
    steps:
    - name: Clone ansible repo
      uses: actions/checkout@v2

    - name: Run ansible playbook
      # <version> is a placeholder: pin to a released tag of the action
      uses: ministryofjustice/ansible-playbook-with-keyvault-action@<version>
      with:
        azure_creds: '${{ secrets.AZURE_CREDENTIALS }}'
        keyvault_name: my-keyvault-name
        keyvault_secret_name_ssh_password: 'ansible-ssh-password'
        keyvault_secret_name_vault_password: 'ansible-vault-password'
        keyvault_secret_name_ssh_privkey: 'ansible-ssh-privkey'
        ssh_password_txt_filename: 'ansible_pass'
        ssh_privkey_filename: 'ansible_key'
        vault_password_filename: '.vault.txt'
        extra_vars_yaml_filename: 'extra_vars.yaml'
        ansible_dir: ${{ github.workspace }}
        ansible_playbook: sites.yml
        ansible_inventory: inventory.yml
        ansible_user: 'myuser'
        ansible_args: '--verbose|--check|-u|--limit testserver'
        ansible_vars: 'ansible_user|ansible_password'


ansible-playbook-with-keyvault-action's Issues

A branch protection setting is not enabled: requires approving reviews

Hi there
The default branch protection setting called requires approving reviews is not enabled for this repository
See repository settings/Branches/Branch protection rules
Either add a new Branch protection rule or edit the existing branch protection rule and select the Require approvals option
See the repository standards: https://github.com/ministryofjustice/github-repository-standards
See the report: https://operations-engineering-reports.cloud-platform.service.justice.gov.uk/github_repositories
Please contact Operations Engineering on Slack #ask-operations-engineering, if you need any assistance

User access removed, access is now via a team

Hi there

The user hmpps-dso-automation had Direct Member access to this repository and access via a team.

Access is now only via a team.

You may have less access; it is dependent upon the team's access to the repo.

If you have any questions, please post in #ask-operations-engineering on Slack.

This issue can be closed.

A branch protection setting is not enabled: Include administrators

Hi there
The default branch protection setting called Include administrators is not enabled for this repository
See repository settings/Branches/Branch protection rules
Either add a new Branch protection rule or edit the existing branch protection rule and select the Include administrators option
This will enable the branch protection rules for admin users as well
See the repository standards: https://github.com/ministryofjustice/github-repository-standards
See the report: https://operations-engineering-reports.cloud-platform.service.justice.gov.uk/github_repositories
Please contact Operations Engineering on Slack #ask-operations-engineering, if you need any assistance

A branch protection setting is not enabled: administrators require review

Hi there
The default branch protection setting called administrators require review is not enabled for this repository
See repository settings/Branches/Branch protection rules
Either add a new Branch protection rule or edit the existing branch protection rule and select the Require a pull request before merging option
See the repository standards: https://github.com/ministryofjustice/github-repository-standards
See the report: https://operations-engineering-reports.cloud-platform.service.justice.gov.uk/github_repositories
Please contact Operations Engineering on Slack #ask-operations-engineering, if you need any assistance

A branch protection setting is not enabled: codeowners require reviews

Hi there
The default branch protection setting called codeowners require review is not enabled for this repository
This option affects a pull request, i.e. a PR will need to be reviewed and approved by a CODEOWNER before it can be merged.
See repository settings/Branches/Branch protection rules
Either add a new Branch protection rule or edit the existing branch protection rule and select the Require review from Code Owners option
Create a .github/CODEOWNERS file
Add one or more entries of @ministryofjustice/team_name to the CODEOWNERS file
The team_name shall be a team from within the MoJ teams: https://github.com/orgs/ministryofjustice/teams
See GH Codeowners documentation: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
See the repository standards: https://github.com/ministryofjustice/github-repository-standards
See the report: https://operations-engineering-reports.cloud-platform.service.justice.gov.uk/github_repositories
Please contact Operations Engineering on Slack #ask-operations-engineering, if you need any assistance
