added functionality for key-vault authentication

WORKSPACES/SYSTEM/DEV-WEEU-SAP01-X00/sap-parameters.yaml

@@ -27,3 +27,10 @@ database_cluster_type:         AFA
 #                              Storage Profile                              #
 #############################################################################
 NFS_provider:                  AFS
+
+#############################################################################
+#                              Fetch Secret Connection                      # 
+#############################################################################
+key_vault_id:                 /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/DhruvAggarwal/providers/Microsoft.KeyVault/vaults/key-vault-testing1
+secret_name:                  test-secret
+resource_group:               DHRUVAGGARWAL

scripts/sap_automation_qa.sh

@@ -100,24 +100,99 @@ get_playbook_name() {
     esac
 }
 
+# Function to check if the MSI has the correct permissions on the Key Vault
+check_msi_permissions() {
+    local key_vault_id=$1
+    local required_permission="Get"
+
+    # Extract resource group name and key vault name from the key_vault_id
+    resource_group_name=$(echo "$key_vault_id" | awk -F'/' '{for(i=1;i<=NF;i++){if($i=="resourceGroups"){print $(i+1)}}}')
+    key_vault_name=$(echo "$key_vault_id" | awk -F'/' '{for(i=1;i<=NF;i++){if($i=="vaults"){print $(i+1)}}}')
+
+    if [[ -z "$resource_group_name" || -z "$key_vault_name" ]]; then
+        log "ERROR" "Failed to extract resource group name or key vault name from key_vault_id: $key_vault_id"
+        exit 1
+    fi
+
+    log "INFO" "Extracted resource group name: $resource_group_name"
+    log "INFO" "Extracted key vault name: $key_vault_name"
+
+    log "INFO" "Checking MSI permissions on Key Vault: $key_vault_name..."
+
+    # Get the MSI name dynamically
+    MSI_NAME=$(az vm identity show --resource-group "$RESOURCE_GROUP" --name "$(az vm list --query "[?identity.type=='UserAssigned'].name" -o tsv)" --query "userAssignedIdentities | keys(@)[0]" -o tsv)
+
+    # Get the MSI object ID
+    msi_object_id=$(az identity show --name "$MSI_NAME" --resource-group "$RESOURCE_GROUP" --query "principalId" -o tsv)
+    if [[ -z "$msi_object_id" ]]; then
+        log "ERROR" "Failed to retrieve MSI object ID for $MSI_NAME in resource group $RESOURCE_GROUP."
+        exit 1
+    fi
+
+    # Check Key Vault permissions
+    permissions=$(az keyvault show --name "$key_vault_name" --query "properties.accessPolicies[?objectId=='$msi_object_id'].permissions.secrets" -o tsv)
+    if [[ ! "$permissions" =~ (^|[[:space:]])"$required_permission"($|[[:space:]]) ]]; then
+        log "ERROR" "MSI $MSI_NAME does not have the required '$required_permission' permission on Key Vault $key_vault_name."
+        exit 1
+    fi
+
+    log "INFO" "MSI $MSI_NAME has the required permissions on Key Vault $key_vault_name."
+}
+
 # Function to run the ansible playbook
 run_ansible_playbook() {
     local playbook_name=$1
     local system_hosts=$2
     local system_params=$3
     local auth_type=$4
     local system_config_folder=$5
+    local key_vault_name=$6
+    local secret_name=$7
+    local temp_file
 
     if [[ "$auth_type" == "SSHKEY" ]]; then
-        local ssh_key="${cmd_dir}/../WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME/ssh_key.ppk"
-        log "INFO" "Using SSH key: $ssh_key."
-        command="ansible-playbook ${cmd_dir}/../src/$playbook_name.yml -i $system_hosts --private-key $ssh_key \
-        -e @$VARS_FILE -e @$system_params -e '_workspace_directory=$system_config_folder'"
+        if [[ -n "$key_vault_name" && -n "$secret_name" ]]; then
+            log "INFO" "Using Key Vault for SSH key retrieval."
+            secret_value=$(az keyvault secret show --vault-name "$key_vault_name" --name "$secret_name" --query "value" -o tsv)
+            if [[ -z "$secret_value" ]]; then
+                log "ERROR" "Failed to retrieve secret '$secret_name' from Key Vault '$key_vault_name'."
+                exit 1
+            fi
+            temp_file=$(mktemp --suffix=.ppk)
+            echo "$secret_value" > "$temp_file"
+            log "INFO" "Temporary SSH key file created: $temp_file"
+            command="ansible-playbook ${cmd_dir}/../src/$playbook_name.yml -i $system_hosts --private-key $temp_file \
+            -e @$VARS_FILE -e @$system_params -e '_workspace_directory=$system_config_folder'"
+        else
+            local ssh_key="${cmd_dir}/../WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME/ssh_key.ppk"
+            log "INFO" "Using local SSH key: $ssh_key."
+            command="ansible-playbook ${cmd_dir}/../src/$playbook_name.yml -i $system_hosts --private-key $ssh_key \
+            -e @$VARS_FILE -e @$system_params -e '_workspace_directory=$system_config_folder'"
+        fi
+    elif [[ "$auth_type" == "VMPASSWORD" ]]; then
+        if [[ -n "$key_vault_name" && -n "$secret_name" ]]; then
+            log "INFO" "Using Key Vault for password retrieval."
+            secret_value=$(az keyvault secret show --vault-name "$key_vault_name" --name "$secret_name" --query "value" -o tsv)
+            if [[ -z "$secret_value" ]]; then
+                log "ERROR" "Failed to retrieve secret '$secret_name' from Key Vault '$key_vault_name'."
+                exit 1
+            fi
+            temp_file=$(mktemp --suffix=.password)
+            echo "$secret_value" > "$temp_file"
+            log "INFO" "Temporary password file created: $temp_file"
+            command="ansible-playbook ${cmd_dir}/../src/$playbook_name.yml -i $system_hosts \
+            --extra-vars \"ansible_ssh_pass=$(cat $temp_file)\" --extra-vars @$VARS_FILE -e @$system_params \
+            -e '_workspace_directory=$system_config_folder'"
+        else
+            local password_file="${cmd_dir}/../WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME/password"
+            log "INFO" "Using local password file: $password_file."
+            command="ansible-playbook ${cmd_dir}/../src/$playbook_name.yml -i $system_hosts \
+            --extra-vars \"ansible_ssh_pass=$(cat $password_file)\" --extra-vars @$VARS_FILE -e @$system_params \
+            -e '_workspace_directory=$system_config_folder'"
+        fi
     else
-        log "INFO" "Using password authentication."
-        command="ansible-playbook ${cmd_dir}/../src/$playbook_name.yml -i $system_hosts \
-        --extra-vars \"ansible_ssh_pass=$(cat ${cmd_dir}/../WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME/password)\" \
-        --extra-vars @$VARS_FILE -e @$system_params -e '_workspace_directory=$system_config_folder'"
+        log "ERROR" "Unknown authentication type: $auth_type"
+        exit 1
     fi
 
     log "INFO" "Running ansible playbook..."
@@ -126,6 +201,12 @@ run_ansible_playbook() {
     return_code=$?
     log "INFO" "Ansible playbook execution completed with return code: $return_code"
 
+    # Clean up temporary file if it exists
+    if [[ -n "$temp_file" && -f "$temp_file" ]]; then
+        rm -f "$temp_file"
+        log "INFO" "Temporary file deleted: $temp_file"
+    fi
+
     exit $return_code
 }
 
@@ -156,15 +237,23 @@ main() {
     if [[ "$AUTHENTICATION_TYPE" == "SSHKEY" ]]; then
         check_file_exists "${cmd_dir}/../WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME/ssh_key.ppk" \
             "ssh_key.ppk not found in WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME directory."
-    else
+    elif [[ "$AUTHENTICATION_TYPE" == "VMPASSWORD" ]]; then
         check_file_exists "${cmd_dir}/../WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME/password" \
             "password file not found in WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME directory."
+    elif [[ "$AUTHENTICATION_TYPE" == "KEYVAULT" ]]; then
+        log "INFO" "Key Vault authentication selected. Ensure Key Vault parameters are set."
     fi
 
     playbook_name=$(get_playbook_name "$sap_functional_test_type")
     log "INFO" "Using playbook: $playbook_name."
 
     run_ansible_playbook "$playbook_name" "$SYSTEM_HOSTS" "$SYSTEM_PARAMS" "$AUTHENTICATION_TYPE" "$SYSTEM_CONFIG_FOLDER"
+
+    # Clean up any remaining temporary files
+    if [[ -n "$temp_file" && -f "$temp_file" ]]; then
+        rm -f "$temp_file"
+        log "INFO" "Temporary file deleted: $temp_file"
+    fi
 }
 
 # Execute the main function