From ff72dc30aa78512cf97e806c6cb16f118ae21ad1 Mon Sep 17 00:00:00 2001
From: Dhruv Aggarwal
Date: Thu, 27 Mar 2025 23:53:37 +0100
Subject: [PATCH 1/3] added functionality for key-vault authentication
---
 .../DEV-WEEU-SAP01-X00/sap-parameters.yaml | 8 +++
 scripts/sap_automation_qa.sh | 53 ++++++++++++++++++-
 2 files changed, 59 insertions(+), 2 deletions(-)
diff --git a/WORKSPACES/SYSTEM/DEV-WEEU-SAP01-X00/sap-parameters.yaml b/WORKSPACES/SYSTEM/DEV-WEEU-SAP01-X00/sap-parameters.yaml
index 2221c9fc..ccbd1410 100644
--- a/WORKSPACES/SYSTEM/DEV-WEEU-SAP01-X00/sap-parameters.yaml
+++ b/WORKSPACES/SYSTEM/DEV-WEEU-SAP01-X00/sap-parameters.yaml
@@ -27,3 +27,11 @@ database_cluster_type: AFA
 # Storage Profile #
 #############################################################################
 NFS_provider: AFS
+
+#############################################################################
+# Fetch Secret Connection #
+#############################################################################
+key_vault_name: key-vault-testing1
+secret_name: test-secret
+msi_name: SDAF
+resource_group: DHRUVAGGARWAL
\ No newline at end of file
diff --git a/scripts/sap_automation_qa.sh b/scripts/sap_automation_qa.sh
index 2d83de28..8f682b46 100755
--- a/scripts/sap_automation_qa.sh
+++ b/scripts/sap_automation_qa.sh
@@ -100,6 +100,31 @@ get_playbook_name() { esac } +# Function to check if the MSI has the correct permissions on the Key Vault +check_msi_permissions() { + local key_vault_name=$1 + local required_permission="Get" + +#FOR TESTING + log "INFO" "Checking MSI permissions on Key Vault: $key_vault_name..." + + # Get the MSI object ID + msi_object_id=$(az identity show --name "$MSI_NAME" --resource-group "$RESOURCE_GROUP" --query "principalId" -o tsv) + if [[ -z "$msi_object_id" ]]; then + log "ERROR" "Failed to retrieve MSI object ID for $MSI_NAME in resource group $RESOURCE_GROUP." + exit 1 + fi + + # Check Key Vault permissions + permissions=$(az keyvault show --name "$key_vault_name" --query "properties.accessPolicies[?objectId=='$msi_object_id'].permissions.secrets" -o tsv) + if [[ "$permissions" != *"$required_permission"* ]]; then + log "ERROR" "MSI $MSI_NAME does not have '$required_permission' permission on Key Vault $key_vault_name." + exit 1 + fi + + log "INFO" "MSI $MSI_NAME has the required permissions on Key Vault $key_vault_name." +} + # Function to run the ansible playbook run_ansible_playbook() { local playbook_name=$1 
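Review bot: `msi_object_id` and `permissions` in the new check_msi_permissions are assigned without `local`, so they leak into the caller's scope, and the function depends on the globals `MSI_NAME` and `RESOURCE_GROUP` that nothing in the hunk documents; declare `local msi_object_id permissions` next to `required_permission` and add a header line such as `# Globals: MSI_NAME, RESOURCE_GROUP (read)`. The JMESPath filter `[?objectId=='$msi_object_id']` is built by string interpolation; the value comes from `az identity show`, so it is low risk, but a comment saying so would stop a later change from feeding it user input. I do not see check_msi_permissions called in any hunk of this series, so it may be dead code unless wired in elsewhere.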
@@ -107,17 +132,39 @@ run_ansible_playbook() { local system_params=$3 local auth_type=$4 local system_config_folder=$5 + local key_vault_name=$6 + local secret_name=$7 + local secret_value if [[ "$auth_type" == "SSHKEY" ]]; then local ssh_key="${cmd_dir}/../WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME/ssh_key.ppk" log "INFO" "Using SSH key: $ssh_key." command="ansible-playbook ${cmd_dir}/../src/$playbook_name.yml -i $system_hosts --private-key $ssh_key \ -e @$VARS_FILE -e @$system_params -e '_workspace_directory=$system_config_folder'" - else + elif [[ "$auth_type" == "PASSWORD" ]]; then log "INFO" "Using password authentication." command="ansible-playbook ${cmd_dir}/../src/$playbook_name.yml -i $system_hosts \ --extra-vars \"ansible_ssh_pass=$(cat ${cmd_dir}/../WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME/password)\" \ --extra-vars @$VARS_FILE -e @$system_params -e '_workspace_directory=$system_config_folder'" + elif [[ "$auth_type" == "KEYVAULT" ]]; then + log "INFO" "Using Key Vault for authentication." + # Retrieve the secret from the Key Vault + log "INFO" "Retrieving secret '$secret_name' from Key Vault '$key_vault_name'..." + + secret_value=$(az keyvault secret show --vault-name "$key_vault_name" --name "$secret_name" --query "value" -o tsv) + + if [[ -z "$secret_value" ]]; then + log "ERROR" "Failed to retrieve secret '$secret_name' from Key Vault '$key_vault_name'." + exit 1 + fi + + log "INFO" "Successfully retrieved secret from Key Vault." + command="ansible-playbook ${cmd_dir}/../src/$playbook_name.yml -i $system_hosts \ + --extra-vars \"ansible_ssh_pass=$secret_value\" --extra-vars @$VARS_FILE -e @$system_params \ + -e '_workspace_directory=$system_config_folder'" + else + log "ERROR" "Unknown authentication type: $auth_type" + exit 1 fi log "INFO" "Running ansible playbook..." 
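Review bot: The KEYVAULT branch interpolates the retrieved secret straight into `command` as `--extra-vars \"ansible_ssh_pass=$secret_value\"`, so the password sits in the playbook's argv, readable through the process list by every local user for the duration of the run, and appears in any trace or log that prints `$command`; a value containing a double quote, `$` or backtick also breaks the quoting when the string is executed. Write it to a 0600 temp file as YAML/JSON instead and pass `--extra-vars @"$temp_file"`, which keeps it out of argv. Patch 2 keeps the same exposure in hunk `@@ -134,34 +148,48 @@`, where `$(cat $temp_file)` is expanded back into the command line, so the temp file adds no protection there. How `$command` is executed lies outside this hunk.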
@@ -156,9 +203,11 @@ main() { if [[ "$AUTHENTICATION_TYPE" == "SSHKEY" ]]; then check_file_exists "${cmd_dir}/../WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME/ssh_key.ppk" \ "ssh_key.ppk not found in WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME directory." - else + elif [[ "$AUTHENTICATION_TYPE" == "PASSWORD" ]]; then check_file_exists "${cmd_dir}/../WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME/password" \ "password file not found in WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME directory." + elif [[ "$AUTHENTICATION_TYPE" == "KEYVAULT" ]]; then + log "INFO" "Key Vault authentication selected. Ensure Key Vault parameters are set." fi playbook_name=$(get_playbook_name "$sap_functional_test_type") From f807e87afe7d702417e192def4d13a2aa724e3bf Mon Sep 17 00:00:00 2001 From: Dhruv Aggarwal Date: Fri, 28 Mar 2025 01:44:14 +0100 Subject: [PATCH 2/3] added more updates --- .../DEV-WEEU-SAP01-X00/sap-parameters.yaml | 3 +- scripts/sap_automation_qa.sh | 100 ++++++++++++------ 2 files changed, 71 insertions(+), 32 deletions(-) diff --git a/WORKSPACES/SYSTEM/DEV-WEEU-SAP01-X00/sap-parameters.yaml b/WORKSPACES/SYSTEM/DEV-WEEU-SAP01-X00/sap-parameters.yaml index ccbd1410..98ced48a 100644 --- a/WORKSPACES/SYSTEM/DEV-WEEU-SAP01-X00/sap-parameters.yaml +++ b/WORKSPACES/SYSTEM/DEV-WEEU-SAP01-X00/sap-parameters.yaml @@ -31,7 +31,6 @@ NFS_provider: AFS ############################################################################# # Fetch Secret Connection # ############################################################################# -key_vault_name: key-vault-testing1 +key_vault_id: /subscriptions/e663cc2d-722b-4be1-b636-bbd9e4c60fd9/resourceGroups/DhruvAggarwal/providers/Microsoft.KeyVault/vaults/key-vault-testing1 secret_name: test-secret -msi_name: SDAF resource_group: DHRUVAGGARWAL \ No newline at end of file diff --git a/scripts/sap_automation_qa.sh b/scripts/sap_automation_qa.sh index 8f682b46..a0fa707b 100755 --- a/scripts/sap_automation_qa.sh +++ b/scripts/sap_automation_qa.sh 
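Review bot: The new KEYVAULT branch in main only logs "Ensure Key Vault parameters are set" and validates nothing, whereas the SSHKEY and PASSWORD branches beside it call check_file_exists; the vault name and secret name should be checked for being non-empty here, and check_msi_permissions (added earlier in this patch but, as far as these hunks show, never called) invoked, so a misconfiguration fails before the playbook starts rather than as an empty `az keyvault secret show` result later. The shell variables that carry the yaml `key_vault_name` and `secret_name` values are not visible in this hunk, so I cannot name them.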
@@ -102,12 +102,26 @@ get_playbook_name() { # Function to check if the MSI has the correct permissions on the Key Vault check_msi_permissions() { - local key_vault_name=$1 + local key_vault_id=$1 local required_permission="Get" -#FOR TESTING + # Extract resource group name and key vault name from the key_vault_id + resource_group_name=$(echo "$key_vault_id" | awk -F'/' '{for(i=1;i<=NF;i++){if($i=="resourceGroups"){print $(i+1)}}}') + key_vault_name=$(echo "$key_vault_id" | awk -F'/' '{for(i=1;i<=NF;i++){if($i=="vaults"){print $(i+1)}}}') + + if [[ -z "$resource_group_name" || -z "$key_vault_name" ]]; then + log "ERROR" "Failed to extract resource group name or key vault name from key_vault_id: $key_vault_id" + exit 1 + fi + + log "INFO" "Extracted resource group name: $resource_group_name" + log "INFO" "Extracted key vault name: $key_vault_name" + log "INFO" "Checking MSI permissions on Key Vault: $key_vault_name..." + # Get the MSI name dynamically + MSI_NAME=$(az vm identity show --resource-group "$RESOURCE_GROUP" --name "$(az vm list --query "[?identity.type=='UserAssigned'].name" -o tsv)" --query "userAssignedIdentities | keys(@)[0]" -o tsv) + # Get the MSI object ID msi_object_id=$(az identity show --name "$MSI_NAME" --resource-group "$RESOURCE_GROUP" --query "principalId" -o tsv) if [[ -z "$msi_object_id" ]]; then @@ -117,8 +131,8 @@ check_msi_permissions() { # Check Key Vault permissions permissions=$(az keyvault show --name "$key_vault_name" --query "properties.accessPolicies[?objectId=='$msi_object_id'].permissions.secrets" -o tsv) - if [[ "$permissions" != *"$required_permission"* ]]; then - log "ERROR" "MSI $MSI_NAME does not have '$required_permission' permission on Key Vault $key_vault_name." + if [[ ! "$permissions" =~ (^|[[:space:]])"$required_permission"($|[[:space:]]) ]]; then + log "ERROR" "MSI $MSI_NAME does not have the required '$required_permission' permission on Key Vault $key_vault_name." exit 1 fi 
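Review bot: The new MSI lookup `az vm list --query "[?identity.type=='UserAssigned'].name" -o tsv` is subscription-wide and unscoped, so with more than one matching VM it returns several names joined by newlines, which are then passed as a single `--name` to `az vm identity show` and fail; scope it with `--resource-group "$RESOURCE_GROUP"` and verify exactly one line came back before using it, and note that `keys(@)[0]` picks an arbitrary identity when a VM has several. `MSI_NAME` is assigned as an unscoped global inside the function, and `resource_group_name`, extracted from `key_vault_id` with some care, is only logged while `az identity show` still uses the global `RESOURCE_GROUP`, so the two can silently disagree. The access-policy query also only works for vaults on the access-policy permission model; on a vault using Azure RBAC, `properties.accessPolicies` is empty and the function exits 1 even when the identity holds a secrets role, which deserves at least a comment. The vault name could be taken with `${key_vault_id##*/}` instead of the awk loop.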
@@ -134,34 +148,48 @@ run_ansible_playbook() { local system_config_folder=$5 local key_vault_name=$6 local secret_name=$7 - local secret_value + local temp_file if [[ "$auth_type" == "SSHKEY" ]]; then - local ssh_key="${cmd_dir}/../WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME/ssh_key.ppk" - log "INFO" "Using SSH key: $ssh_key." - command="ansible-playbook ${cmd_dir}/../src/$playbook_name.yml -i $system_hosts --private-key $ssh_key \ - -e @$VARS_FILE -e @$system_params -e '_workspace_directory=$system_config_folder'" - elif [[ "$auth_type" == "PASSWORD" ]]; then - log "INFO" "Using password authentication." - command="ansible-playbook ${cmd_dir}/../src/$playbook_name.yml -i $system_hosts \ - --extra-vars \"ansible_ssh_pass=$(cat ${cmd_dir}/../WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME/password)\" \ - --extra-vars @$VARS_FILE -e @$system_params -e '_workspace_directory=$system_config_folder'" - elif [[ "$auth_type" == "KEYVAULT" ]]; then - log "INFO" "Using Key Vault for authentication." - # Retrieve the secret from the Key Vault - log "INFO" "Retrieving secret '$secret_name' from Key Vault '$key_vault_name'..." - - secret_value=$(az keyvault secret show --vault-name "$key_vault_name" --name "$secret_name" --query "value" -o tsv) - - if [[ -z "$secret_value" ]]; then - log "ERROR" "Failed to retrieve secret '$secret_name' from Key Vault '$key_vault_name'." - exit 1 + if [[ -n "$key_vault_name" && -n "$secret_name" ]]; then + log "INFO" "Using Key Vault for SSH key retrieval." + secret_value=$(az keyvault secret show --vault-name "$key_vault_name" --name "$secret_name" --query "value" -o tsv) + if [[ -z "$secret_value" ]]; then + log "ERROR" "Failed to retrieve secret '$secret_name' from Key Vault '$key_vault_name'." 
+ exit 1 + fi + temp_file=$(mktemp --suffix=.ppk) + echo "$secret_value" > "$temp_file" + log "INFO" "Temporary SSH key file created: $temp_file" + command="ansible-playbook ${cmd_dir}/../src/$playbook_name.yml -i $system_hosts --private-key $temp_file \ + -e @$VARS_FILE -e @$system_params -e '_workspace_directory=$system_config_folder'" + else + local ssh_key="${cmd_dir}/../WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME/ssh_key.ppk" + log "INFO" "Using local SSH key: $ssh_key." + command="ansible-playbook ${cmd_dir}/../src/$playbook_name.yml -i $system_hosts --private-key $ssh_key \ + -e @$VARS_FILE -e @$system_params -e '_workspace_directory=$system_config_folder'" + fi + elif [[ "$auth_type" == "VMPASSWORD" ]]; then + if [[ -n "$key_vault_name" && -n "$secret_name" ]]; then + log "INFO" "Using Key Vault for password retrieval." + secret_value=$(az keyvault secret show --vault-name "$key_vault_name" --name "$secret_name" --query "value" -o tsv) + if [[ -z "$secret_value" ]]; then + log "ERROR" "Failed to retrieve secret '$secret_name' from Key Vault '$key_vault_name'." + exit 1 + fi + temp_file=$(mktemp --suffix=.password) + echo "$secret_value" > "$temp_file" + log "INFO" "Temporary password file created: $temp_file" + command="ansible-playbook ${cmd_dir}/../src/$playbook_name.yml -i $system_hosts \ + --extra-vars \"ansible_ssh_pass=$(cat $temp_file)\" --extra-vars @$VARS_FILE -e @$system_params \ + -e '_workspace_directory=$system_config_folder'" + else + local password_file="${cmd_dir}/../WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME/password" + log "INFO" "Using local password file: $password_file." + command="ansible-playbook ${cmd_dir}/../src/$playbook_name.yml -i $system_hosts \ + --extra-vars \"ansible_ssh_pass=$(cat $password_file)\" --extra-vars @$VARS_FILE -e @$system_params \ + -e '_workspace_directory=$system_config_folder'" fi - - log "INFO" "Successfully retrieved secret from Key Vault." 
- command="ansible-playbook ${cmd_dir}/../src/$playbook_name.yml -i $system_hosts \ - --extra-vars \"ansible_ssh_pass=$secret_value\" --extra-vars @$VARS_FILE -e @$system_params \ - -e '_workspace_directory=$system_config_folder'" else log "ERROR" "Unknown authentication type: $auth_type" exit 1 @@ -173,6 +201,12 @@ run_ansible_playbook() { return_code=$? log "INFO" "Ansible playbook execution completed with return code: $return_code" + # Clean up temporary file if it exists + if [[ -n "$temp_file" && -f "$temp_file" ]]; then + rm -f "$temp_file" + log "INFO" "Temporary file deleted: $temp_file" + fi + exit $return_code } @@ -203,7 +237,7 @@ main() { if [[ "$AUTHENTICATION_TYPE" == "SSHKEY" ]]; then check_file_exists "${cmd_dir}/../WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME/ssh_key.ppk" \ "ssh_key.ppk not found in WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME directory." - elif [[ "$AUTHENTICATION_TYPE" == "PASSWORD" ]]; then + elif [[ "$AUTHENTICATION_TYPE" == "VMPASSWORD" ]]; then check_file_exists "${cmd_dir}/../WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME/password" \ "password file not found in WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME directory." elif [[ "$AUTHENTICATION_TYPE" == "KEYVAULT" ]]; then @@ -214,6 +248,12 @@ main() { log "INFO" "Using playbook: $playbook_name." run_ansible_playbook "$playbook_name" "$SYSTEM_HOSTS" "$SYSTEM_PARAMS" "$AUTHENTICATION_TYPE" "$SYSTEM_CONFIG_FOLDER" + + # Clean up any remaining temporary files + if [[ -n "$temp_file" && -f "$temp_file" ]]; then + rm -f "$temp_file" + log "INFO" "Temporary file deleted: $temp_file" + fi } # Execute the main function From c79b8ea95bec0ed9eb79dd4b11d9ddb8f457bbff Mon Sep 17 00:00:00 2001 
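Review bot: Both new Key Vault branches are unreachable as called: main still invokes `run_ansible_playbook "$playbook_name" "$SYSTEM_HOSTS" "$SYSTEM_PARAMS" "$AUTHENTICATION_TYPE" "$SYSTEM_CONFIG_FOLDER"` with five arguments (context line of hunk `@@ -214,6 +248,12 @@`), so `$6` and `$7` are empty and the `-n "$key_vault_name" && -n "$secret_name"` guards always fall through to the local file. The call site needs the two extra arguments before this code can run. Separately, `echo "$secret_value" > "$temp_file"` should be `printf '%s\n' "$secret_value" > "$temp_file"` so a secret beginning with `-n`/`-e` or containing backslashes is written intact, and `mktemp --suffix` is a GNU extension that will fail on other platforms. The function's start lies before this hunk.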
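Review bot: The cleanup added after the playbook run only executes on the normal path; every earlier `exit 1` in run_ansible_playbook and any signal leaves the temporary key or password file behind in the temp directory. Register the removal right after `mktemp`, e.g. `trap 'rm -f -- "$temp_file"' EXIT`, so it runs on every exit path. The second cleanup added to main in hunk `@@ -214,6 +248,12 @@` can never fire: `temp_file` is declared `local` in run_ansible_playbook, and that function ends with `exit $return_code`, so control never returns to main; it should be dropped.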
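Review bot: After the rename to VMPASSWORD here, main still accepts `AUTHENTICATION_TYPE == "KEYVAULT"` (the `elif` that follows is unchanged context), but run_ansible_playbook in hunk `@@ -134,34 +148,48 @@` now recognises only SSHKEY and VMPASSWORD and exits with "Unknown authentication type" for anything else, so selecting KEYVAULT passes the pre-checks and then fails. Either remove the KEYVAULT branch from main now that Key Vault is a retrieval option under the other two types, or map it explicitly onto one of them. Existing configurations that still say PASSWORD hit the same error after the rename; the usage text or a changelog line should say so.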
From: hdamecharla <71097261+hdamecharla@users.noreply.github.com>
Date: Fri, 28 Mar 2025 07:32:31 +0530
Subject: [PATCH 3/3] Update key_vault_id in sap-parameters.yaml
masking subid from the file with `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`
---
 WORKSPACES/SYSTEM/DEV-WEEU-SAP01-X00/sap-parameters.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/WORKSPACES/SYSTEM/DEV-WEEU-SAP01-X00/sap-parameters.yaml b/WORKSPACES/SYSTEM/DEV-WEEU-SAP01-X00/sap-parameters.yaml
index 98ced48a..27e499ee 100644
--- a/WORKSPACES/SYSTEM/DEV-WEEU-SAP01-X00/sap-parameters.yaml
+++ b/WORKSPACES/SYSTEM/DEV-WEEU-SAP01-X00/sap-parameters.yaml
@@ -31,6 +31,6 @@ NFS_provider: AFS
 #############################################################################
 # Fetch Secret Connection #
 #############################################################################
-key_vault_id: /subscriptions/e663cc2d-722b-4be1-b636-bbd9e4c60fd9/resourceGroups/DhruvAggarwal/providers/Microsoft.KeyVault/vaults/key-vault-testing1
+key_vault_id: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/DhruvAggarwal/providers/Microsoft.KeyVault/vaults/key-vault-testing1
 secret_name: test-secret
 resource_group: DHRUVAGGARWAL
\ No newline at end of file
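Review bot: Masking the subscription id leaves the sample carrying other environment-specific values, `resourceGroups/DhruvAggarwal`, `key-vault-testing1` and `resource_group: DHRUVAGGARWAL`, which describe a real tenant's layout and will be copied verbatim by users of this workspace; placeholders of the same shape, like the one used for the subscription, would be consistent. The file also still ends without a trailing newline (`\ No newline at end of file`), introduced in patch 1 of this series.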