Ansible playbooks to deploy and maintain Mekom's infrastructure
Repository contents: environments/, roles/, .gitignore, README.md, ansible.cfg, playbook.yml

Ansible playbooks to deploy and maintain MKS infrastructure

Automatically deploy and maintain MKS servers using a set of roles and server groups.

Supported platforms are:

  • CentOS 7

Basic use with the test environment

By default the playbook creates its own testing environment from a Terraform project embedded in the playbook (the terraform role) and builds the inventory dynamically from the servers it has just created.

This testing environment is described in ./roles/terraform/files/aws.tf. Note that the AWS credentials are fetched from the Vault server, so you will need to export a valid Vault token (see step 3). If you would rather run against existing servers than let Ansible and Terraform create a testing infrastructure, fill out the inventory file by hand and skip the terraform tag (see step 4).

Some of the configuration the playbooks need is obtained from Consul, so the first thing to do is to run a local Consul agent joined to the MKS Consul cluster.

0/ Clone the repo

cd ~/repos
git clone https://github.com/mekomsolutions/mks-playbooks
cd mks-playbooks

1/ Start the Consul agent

The playbooks read several pieces of configuration from Consul, so you need a Consul agent running locally.

Make sure to export the Consul server address beforehand. Ask the MKS tech team to provide you with this address.

export CONSUL_SERVER_ADDR=***.***.***.***

Now run the Consul agent locally:

docker run --rm --net=host --label type=prod --name consul-ui -e 'CONSUL_LOCAL_CONFIG={"leave_on_terminate": true}' consul:1.2.2 agent -join=$CONSUL_SERVER_ADDR -bind='{{ GetInterfaceIP "tun0"}}' -ui

This assumes that you reach the Consul cluster through the network interface tun0 (typically a VPN tunnel); adjust the interface name if yours differs. The agent's HTTP API, which step 2 queries on localhost:8500, is bound to the loopback interface by default; keep it that way, since the KV store holds the inventory.

2/ Retrieve the inventory file

Export your environment as a variable to fetch the correct inventory file:

export ansible_envtype="test"

or

export ansible_envtype="prod"

Fetch the inventory file from Consul:

curl -s "http://localhost:8500/v1/kv/config/mks-playbooks/inventory/$ansible_envtype" | jq -r '.[0].Value' | base64 --decode > ./environments/$ansible_envtype/hosts.yml

Be aware that this pipeline does not fail if the key is missing or the agent is unreachable: curl returns an empty body, jq prints nothing, and an empty hosts.yml is written. Check that the file is non-empty before going on.

Note that the 'test' inventory file contains no host entries (the hosts are created by the Terraform role), but you still need to fetch it because it defines the host groups.

3/ Retrieve a Vault token (optional: needed by some host groups and whenever the Terraform role runs)

Some host groups need to log in to Vault (to fetch TLS certificates, application passwords, etc.) and therefore first obtain AppRole credentials from the Vault server. For that you must initially provide a valid Vault token that has access to the AppRole auth backend and to the AppRole role set in the group vars (for instance vault_role: openmrs_cd in openmrs_cd_host.yml#L2). The token you provide does not need the secrets themselves, only the right to obtain credentials for that role.

Log in to Vault with whichever auth method applies to you (Userpass or GitHub), retrieve your token and export it as the VAULT_TOKEN environment variable.

4/ Run the playbook

Test env: let Ansible + Terraform create the testing infrastructure. Note that a token passed as an --extra-vars literal, as in the commands below, is recorded in your shell history and visible to other local users in the process list; Ansible can also read extra vars from a file, which keeps the token off the command line.

ansible-playbook playbook.yml --extra-vars "vault_token=$VAULT_TOKEN"

Note that at the end of the playbook, if it succeeds, the testing infrastructure just created is destroyed. If the run fails before that point, the servers are left running in AWS and you must destroy them yourself. If you want to keep them running after a successful run, add --skip-tags "destroy_servers":

ansible-playbook playbook.yml --extra-vars "vault_token=$VAULT_TOKEN" --skip-tags "destroy_servers"

Prod env: use the inventory file

ansible-playbook playbook.yml -i ./environments/prod/hosts.yml --extra-vars "vault_token=$VAULT_TOKEN" --skip-tags "terraform"

If you want to apply the playbooks to only one specific host, use the -l option:

ansible-playbook playbook.yml -i ./environments/prod/hosts.yml -l "localhost, cd04" --extra-vars "vault_token=$VAULT_TOKEN" --skip-tags "terraform"

Note that localhost must always be included in the limit, since the playbook's local tasks run there.
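The wrapper below is an added example and is not part of the mks-playbooks repository. It chains steps 2 to 4 with the checks the bare commands lack: Consul's ?raw query parameter returns the stored value already decoded and curl -f turns a missing key into an error instead of an empty hosts.yml; the Vault token is validated with a lookup-self call before a long run; an optional AppRole dry run confirms the token can reach the role named in the group vars; and the token is handed to ansible-playbook through a mode 0600 file rather than a command-line literal. The Consul address, the KV path and the openmrs_cd role name come from this README; VAULT_ADDR, the MKS_APPROLE variable and all function and script names are the example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example for the mks-playbooks README (not part of the repository):
# steps 2 to 4 with explicit failure checks. Assumes the local Consul agent from
# step 1 on localhost:8500, VAULT_ADDR/VAULT_TOKEN exported as in step 3, and
# the KV path and AppRole name used in this README.
set -eu

CONSUL_HTTP_ADDR="${CONSUL_HTTP_ADDR:-http://localhost:8500}"
KV_PREFIX="config/mks-playbooks/inventory"

# Fetch one environment's inventory. "?raw" makes Consul return the value
# already decoded (no jq / base64 pipeline), and curl -f turns a 404 for an
# unknown key into a non-zero exit instead of silently writing an empty file.
fetch_inventory() {
  local envtype="$1" dest="$2" tmp
  tmp="$(mktemp)"
  if ! curl -sSf "$CONSUL_HTTP_ADDR/v1/kv/$KV_PREFIX/$envtype?raw" -o "$tmp"; then
    rm -f "$tmp"
    echo "no inventory at $KV_PREFIX/$envtype (or Consul agent unreachable)" >&2
    return 1
  fi
  if [ ! -s "$tmp" ]; then
    rm -f "$tmp"
    echo "inventory for $envtype is empty" >&2
    return 1
  fi
  mkdir -p "$(dirname "$dest")"
  mv "$tmp" "$dest"
}

# Verify VAULT_TOKEN before starting a long run: lookup-self needs no policy
# beyond the token itself, so a 403 here means the token is expired or revoked.
require_vault_token() {
  [ -n "${VAULT_TOKEN:-}" ] || { echo "VAULT_TOKEN is not exported" >&2; return 1; }
  [ -n "${VAULT_ADDR:-}" ] || { echo "VAULT_ADDR is not exported" >&2; return 1; }
  curl -sSf -H "X-Vault-Token: $VAULT_TOKEN" \
    "$VAULT_ADDR/v1/auth/token/lookup-self" >/dev/null
}

# Dry run of what a host group does with the token: read the role-id of the
# AppRole named by vault_role in its group vars, mint a secret-id, log in with
# both and print the resulting scoped token. Failing here means the token
# cannot reach the AppRole backend and the playbook would fail later anyway.
approle_login() {
  local role="$1" role_id secret_id
  role_id="$(curl -sSf -H "X-Vault-Token: $VAULT_TOKEN" \
    "$VAULT_ADDR/v1/auth/approle/role/$role/role-id" | jq -r '.data.role_id')"
  secret_id="$(curl -sSf -X POST -H "X-Vault-Token: $VAULT_TOKEN" \
    "$VAULT_ADDR/v1/auth/approle/role/$role/secret-id" | jq -r '.data.secret_id')"
  [ -n "$role_id" ] && [ -n "$secret_id" ] || { echo "AppRole $role: access denied" >&2; return 1; }
  curl -sSf -X POST -d "{\"role_id\":\"$role_id\",\"secret_id\":\"$secret_id\"}" \
    "$VAULT_ADDR/v1/auth/approle/login" | jq -r '.auth.client_token'
}

# Run the playbook with the token read from a mode-0600 JSON file: a literal
# --extra-vars "vault_token=..." is visible to every local user in ps output
# and /proc/<pid>/cmdline and is kept in shell history. Extra arguments (for
# example --skip-tags destroy_servers or -l "localhost, cd04") are passed on.
run_playbook() {
  local envtype="$1" vars_file rc=0
  shift
  vars_file="$(mktemp)"          # mktemp creates the file with mode 0600
  printf '{"vault_token": "%s"}\n' "$VAULT_TOKEN" > "$vars_file"
  if [ "$envtype" = "test" ]; then
    ansible-playbook playbook.yml --extra-vars "@$vars_file" "$@" || rc=$?
  else
    ansible-playbook playbook.yml -i "./environments/$envtype/hosts.yml" \
      --extra-vars "@$vars_file" --skip-tags terraform "$@" || rc=$?
  fi
  rm -f "$vars_file"
  return "$rc"
}

# usage: ./mks-run.sh run <test|prod> [extra ansible-playbook arguments]
# Set MKS_APPROLE (e.g. openmrs_cd, the vault_role of openmrs_cd_host) to run
# the AppRole dry run for the host group you are about to deploy.
if [ "${1:-}" = "run" ]; then
  envtype="${2:?usage: $0 run <test|prod> [ansible-playbook args]}"
  shift 2
  fetch_inventory "$envtype" "./environments/$envtype/hosts.yml"
  require_vault_token
  [ -z "${MKS_APPROLE:-}" ] || approle_login "$MKS_APPROLE" >/dev/null
  run_playbook "$envtype" "$@"
fi
```

Run it from the repository root, e.g. ./mks-run.sh run test --skip-tags destroy_servers or ./mks-run.sh run prod -l "localhost, cd04". The AppRole dry run mints a secret-id and a scoped token that are then discarded; it is only a permission check, the playbook still obtains its own credentials.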