Github Action for deploying ansible with credentials stored in Azure KeyVault
Typescript code is under src/. Use npm to compile into javascript + commit resulting dist/
npm install
npm run build
The code for logging into azure and retrieving keyvault secrets is based on the following repos:
The github "build" pipeline verifies the build.
Flexible action to allow execution of ansible-playbook with credentials stored in Azure KeyVault.
If not already logged into Azure, add service principal credentials to azure_creds input. Same format as used here https://github.com/Azure/login.
The subscription must be the same as the Azure KeyVault holding the ansible credentials.
Store the ansible vault password in an Azure KeyVault:
- Set
keyvault_nameto the name of the Azure KeyVault. - Set
keyvault_secret_name_vault_passwordto the name of the secret containing the vault password.
The action will write the password to the filename set in the vault_password_filename option. Then either:
- Reference this filename directly in the ansible configuration using
vault_password_fileoption. - Add using a temporary yaml file via --extra-vars cmdline option by including
vault_password_filein theansible_varsoption. The action will append the filename. - Add via command line by including
--vault-password-fileor--vault-pass-filein theansible_argsoption. The action will append the filename.
This doesn't need to be held in Azure KeyVault. Either:
- Set the ansible username directly within the ansible configuration file.
- Set
ansible_useroption and then either:- Add via command line by including
-uor--userto theansible_argsoption. The action will append the username. - Add using a temporary yaml file via --extra-vars cmdline option by including
remote_useroransible_userto theansible_varsoption. The action will append the username.
- Add via command line by including
Store the ansible ssh unencrypted private key in an Azure KeyVault:
- Set
keyvault_nameto the name of the Azure KeyVault. - Set
keyvault_secret_name_ssh_privkeyto the name of the secret containing the unencrypted private key.
The action will write the key to the filename set in the ssh_privkey_filename option. Then either:
- Reference this directly within the ssh_connection settings of the ansible configuration file.
- Add via command line by including
--key-fileor--private-keyin theansible_argsoption. The action will append the filename.
Store the ansible ssh password in an Azure KeyVault.
- Set
keyvault_nameto the name of the Azure KeyVault. - Set
keyvault_secret_name_ssh_passwordto the name of the secret containing the ssh password.
Then:
- Store in plain text in a temporary file and reference using sshpass within the ssh_connection settings of the ansible configuration file. The filename is set by the
ssh_password_txt_filenameoption. - Add using a temporary yaml file via --extra-vars cmdline option by including
ansible_passwordoransible_ssh_passwithinansible_varsoption. The action will append the password.
| Variable | Description |
|---|---|
| azure_creds | Optional. If not already logged into azure, specify credentials here (same format as azure login action) |
| keyvault_name | Optional. Name of the azure KeyVault containing ansible credentials |
| keyvault_secret_name_ssh_password | Optional. The name of the KeyVault secret that holds the ssh password |
| keyvault_secret_name_vault_password | Optional. The name of the KeyVault secret that holds the ansible vault password |
| keyvault_secret_name_ssh_privkey | Optional. The name of the KeyVault secret that holds the ssh private key |
| ssh_password_txt_filename | Optional. Write the ssh password to this temporary text file [ansible_pass] |
| ssh_privkey_filename | Optional. Write the private key to this filename [ansible_key] |
| vault_password_filename | Optional The filename to write the vault password to [.vault.txt] |
| extra_vars_yaml_filename | Optional. The yaml filename to write extra variables specified in ansible_vars to [extravars.yaml] |
| ansible_dir | Directory containing ansible code |
| ansible_playbook | Location of ansible playbook, e.g. site.yml |
| ansible_inventory | Optional. Location of ansible inventory |
| ansible_user | Optional. Set ansible username |
| ansible_vars | Optional. Pipe separated list of additional vars for --extra-vars, e.g. 'ansible_user|ansible_password' |
| ansible_args | Optional. Pipe separated list of command line args, e.g. '--verbose|--check|-u|--limit testserver' |
| ansible_config | Optional. Location of ansible configuration file |
| action_settings | Optional. Pipe separated list of debug options, e.g. showCliOutput|hideAnsibleOutput|noCleanup|noAnsible |
For ansible_vars, parameters will automatically get appended as necessary. for example
ansible_useris added toremote_useroransible_user- ssh password is added to
ansible_passwordoransible_ssh_pass vault_password_filenameis added tovault_password_file
For ansible_args, paramteres will automatically get appended as necessary, for example
ansible_useradded to-uor--userssh_privkey_filenameadded to--key-fileor--private-keyvault_password_filenameadded to--vault-password-fileor--vault-pass-file
name: sample-pipeline
on: [push]
jobs:
check-ansible:
runs-on:
- self-hosted
- my-label
steps:
- name: Clone ansible repo
uses: actions/checkout@2
- name: Run ansible playbook
uses: ministryofjustice/ansible-playbook-with-keyvault-action@v1.0
with:
ansible_creds: '${{ secrets.AZURE_CREDENTIALS }}'
keyvault_name: my-keyvault-name
keyvault_secret_name_ssh_password: 'ansible-ssh-password'
keyvault_secret_name_vault_password: 'ansible-vault-password'
keyvault_secret_name_ssh_privkey: 'ansible-ssh-privkey'
ssh_password_txt_filename: 'ansible_pass'
ssh_privkey_filename: 'ansible_key'
vault_password_filename: '.vault.txt'
extra_vars_yaml_filename: 'extra_vars.yaml'
ansible_dir: ${{ github.workspace }}
ansible_playbook: sites.yml
ansible_inventory: inventory.yml
ansible_user: 'myuser'
ansible_args: '--verbose|--check|-u|--limit testserver'
ansible_vars: 'ansible_user|ansible_password'