From c1f679df892f2d537e9d42b0b8d1df10bf4ed3a7 Mon Sep 17 00:00:00 2001
From: Moshe Atlow
Date: Wed, 27 Sep 2023 02:56:27 +0300
Subject: [PATCH] ansible: add cloudflare-deploy role
---
ansible/playbooks/jenkins/worker/create.yml | 17 +++++++
.../cloudflare-deploy/files/worker_config | 1 +
.../cloudflare-deploy/meta/argument_specs.yml | 10 ++++
ansible/roles/cloudflare-deploy/meta/main.yml | 6 +++
.../roles/cloudflare-deploy/tasks/main.yml | 15 ++++++
.../tasks/partials/default.yml | 46 +++++++++++++++++++
.../tasks/partials/macos.yml | 28 +++++++++++
.../cloudflare-deploy/tasks/partials/win.yml | 19 ++++++++
.../read-secrets/tasks/partials/release.yml | 1 +
9 files changed, 143 insertions(+)
create mode 100644 ansible/roles/cloudflare-deploy/files/worker_config
create mode 100644 ansible/roles/cloudflare-deploy/meta/argument_specs.yml
create mode 100644 ansible/roles/cloudflare-deploy/meta/main.yml
create mode 100644 ansible/roles/cloudflare-deploy/tasks/main.yml
create mode 100644 ansible/roles/cloudflare-deploy/tasks/partials/default.yml
create mode 100644 ansible/roles/cloudflare-deploy/tasks/partials/macos.yml
create mode 100644 ansible/roles/cloudflare-deploy/tasks/partials/win.yml
diff --git a/ansible/playbooks/jenkins/worker/create.yml b/ansible/playbooks/jenkins/worker/create.yml
index 8d4f862d9..82c58c500 100644
--- a/ansible/playbooks/jenkins/worker/create.yml
+++ b/ansible/playbooks/jenkins/worker/create.yml
@@ -55,6 +55,23 @@ environment: '{{remote_env}}' + +- hosts: + - release + gather_facts: yes + + roles: + - role: cloudflare-deploy + release_home_dir: "{{ home }}/{{ server_user }}" + + pre_tasks: + - name: release check if secret is properly set + fail: + failed_when: not secret + + environment: '{{remote_env}}' + + # # Set up Jenkins Workspace servers #
diff --git a/ansible/roles/cloudflare-deploy/files/worker_config b/ansible/roles/cloudflare-deploy/files/worker_config
new file mode 100644
index 000000000..f4df8b09c
--- /dev/null
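Review bot: The guard task `fail:` in the new release play carries no `msg`, so when `secret` is unset the run aborts with the module's generic message instead of saying that the secrets repository was not loaded; add `msg: "secrets not loaded; read-secrets must succeed before cloudflare-deploy runs"`. `gather_facts: yes` is a YAML 1.1 truthy value that yamllint flags; write `gather_facts: true`. The play appears to mirror the preceding release play, so the two guard tasks should be kept in step. The hunk's context lines are collapsed in this view, so the play's exact position before the Jenkins workspace section is inferred.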
+++ b/ansible/roles/cloudflare-deploy/files/worker_config
@@ -0,0 +1 @@
+[profile worker]
diff --git a/ansible/roles/cloudflare-deploy/meta/argument_specs.yml b/ansible/roles/cloudflare-deploy/meta/argument_specs.yml
new file mode 100644
index 000000000..e5b37cd2f
--- /dev/null
+++ b/ansible/roles/cloudflare-deploy/meta/argument_specs.yml
@@ -0,0 +1,10 @@
+---
+
+argument_specs:
+ main:
+ short_description: Set up specific to hosts that build releases.
+ options:
+ release_home_dir:
+ description: The user's HOME directory.
+ required: yes
+ type: str
diff --git a/ansible/roles/cloudflare-deploy/meta/main.yml b/ansible/roles/cloudflare-deploy/meta/main.yml
new file mode 100644
index 000000000..5ace5b4e8
--- /dev/null
+++ b/ansible/roles/cloudflare-deploy/meta/main.yml
@@ -0,0 +1,6 @@
+---
+
+dependencies:
+ - role: read-secrets
+ - role: user-create
+ when: not os|startswith("win")
diff --git a/ansible/roles/cloudflare-deploy/tasks/main.yml b/ansible/roles/cloudflare-deploy/tasks/main.yml
new file mode 100644
index 000000000..334e244a1
--- /dev/null
+++ b/ansible/roles/cloudflare-deploy/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+
+# Set up release hosts to be able to upload to clouflare.
+# Requires access to the secrets repository. User should have already
+# been prompted for GPG credentials during the inventory load.
+
+- name: run os-specific deploy
+ include: "{{ deploy_include }}"
+ loop_control:
+ loop_var: deploy_include
+ with_first_found:
+ - files:
+ - "{{ role_path }}/tasks/partials/{{ os|stripversion }}.yml"
+ - "{{ role_path }}/tasks/partials/default.yml"
+ skip: true
diff --git a/ansible/roles/cloudflare-deploy/tasks/partials/default.yml b/ansible/roles/cloudflare-deploy/tasks/partials/default.yml
new file mode 100644
index 000000000..06abe12df
--- /dev/null
+++ b/ansible/roles/cloudflare-deploy/tasks/partials/default.yml
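Review bot: `short_description: Set up specific to hosts that build releases.` in argument_specs.yml describes the generic release role rather than this one; the spec is what `ansible-doc` and the argument validator show, so state what the role actually does, e.g. `short_description: Install the AWS CLI and write the Cloudflare worker credentials used to upload release artifacts.` `required: yes` is a YAML 1.1 truthy value; write `required: true`. The option description could also say that `release_home_dir` is where the `.aws` directory is created, which is the only thing the tasks use it for.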
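Review bot: `include: "{{ deploy_include }}"` in tasks/main.yml uses the bare `include` action, which has been deprecated for years and has since been removed from ansible-core; the partials are task files, so this should be `ansible.builtin.include_tasks: "{{ deploy_include }}"`. The header comment has a typo, `clouflare` → `cloudflare`, and could say what the partials do: `# Install the AWS CLI and write ~/.aws/{config,credentials} so release hosts can upload to Cloudflare.` `skip: true` on `with_first_found` means a host whose `os` matches no partial and somehow misses `default.yml` silently gets no deploy setup; if that is intended, a one-line comment saying so would help.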
@@ -0,0 +1,46 @@
+---
+
+- name: create .aws directory
+ ansible.builtin.file:
+ dest: "{{ release_home_dir }}/.aws"
+ owner: "{{ server_user }}"
+ group: "{{ server_user }}"
+ state: directory
+
+- name: copy credentials to deploy release artifacts
+ ansible.builtin.copy:
+ content: "{{ secrets.worker_credentials }}"
+ dest: "{{ release_home_dir }}/.aws/credentials"
+ owner: "{{ server_user }}"
+ group: "{{ server_user }}"
+
+- name: write worker_config
+ ansible.builtin.copy:
+ dest: "{{ release_home_dir }}/.aws/config"
+ src: "{{ role_path }}/files/worker_config"
+ owner: "{{ server_user }}"
+ group: "{{ server_user }}"
+ when: not os|startswith("win")
+
+
+# https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
+- name: Download awscliv2 installer
+ unarchive:
+ src: "https://awscli.amazonaws.com/awscli-exe-linux-{{ ansible_architecture }}.zip"
+ dest: "/tmp"
+ remote_src: true
+ creates: '/tmp/aws'
+ mode: 0755
+
+- name: Run awscliv2 installer
+ command:
+ args:
+ cmd: "/tmp/aws/install"
+ creates: /usr/local/bin/aws
+ become: true
+ register: aws_install
+
+- name: "Show awscliv2 installer output"
+ debug:
+ var: aws_install
+ verbosity: 2
\ No newline at end of file
diff --git a/ansible/roles/cloudflare-deploy/tasks/partials/macos.yml b/ansible/roles/cloudflare-deploy/tasks/partials/macos.yml
new file mode 100644
index 000000000..09c685c79
--- /dev/null
+++ b/ansible/roles/cloudflare-deploy/tasks/partials/macos.yml
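Review bot: The `Run awscliv2 installer` task executes `/tmp/aws/install` with `become: true`, but the preceding `unarchive` into `/tmp` runs unprivileged and `creates: '/tmp/aws'` skips the download whenever that directory already exists, so root ends up running whatever is sitting in a world-writable directory on a shared build host, and the zip is never checked against a known digest because `unarchive` has no integrity parameter. Stage the installer in a root-owned directory, fetch it with `get_url` and a pinned `checksum:`, and only then extract and run it. Separately, the `copy credentials to deploy release artifacts` task writes `secrets.worker_credentials` with no `mode:`, so the file takes the umask default (typically 0644) and is readable by every other account on the host, and without `no_log: true` its content can be echoed in verbose runs; the same two omissions are in the matching tasks of macos.yml and win.yml, and the `.aws` directory should be `mode: "0700"`. `mode: 0755` on the unarchive task is also an unquoted octal that yamllint flags; write `mode: "0755"`.
```yaml
- name: create .aws directory
  ansible.builtin.file:
    dest: "{{ release_home_dir }}/.aws"
    owner: "{{ server_user }}"
    group: "{{ server_user }}"
    mode: "0700"
    state: directory

- name: copy credentials to deploy release artifacts
  ansible.builtin.copy:
    content: "{{ secrets.worker_credentials }}"
    dest: "{{ release_home_dir }}/.aws/credentials"
    owner: "{{ server_user }}"
    group: "{{ server_user }}"
    mode: "0600"
  no_log: true

# … unchanged: write worker_config …

# https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
# /usr/local/src/awscliv2 is an example root-owned staging location; pick what the host convention is.
- name: create root-owned staging directory for the awscliv2 installer
  ansible.builtin.file:
    path: /usr/local/src/awscliv2
    state: directory
    owner: root
    group: root
    mode: "0755"
  become: true

- name: Download awscliv2 installer
  ansible.builtin.get_url:
    url: "https://awscli.amazonaws.com/awscli-exe-linux-{{ ansible_architecture }}.zip"
    dest: /usr/local/src/awscliv2/awscliv2.zip
    # pin to the published digest of the release being installed
    checksum: "sha256:<EXPECTED_SHA256_PLACEHOLDER>"
    mode: "0644"
  become: true

- name: Unpack awscliv2 installer
  ansible.builtin.unarchive:
    src: /usr/local/src/awscliv2/awscliv2.zip
    dest: /usr/local/src/awscliv2
    remote_src: true
    creates: /usr/local/src/awscliv2/aws
  become: true

- name: Run awscliv2 installer
  ansible.builtin.command:
    cmd: /usr/local/src/awscliv2/aws/install
    creates: /usr/local/bin/aws
  become: true
  register: aws_install

# … unchanged: Show awscliv2 installer output …
```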
@@ -0,0 +1,28 @@
+---
+
+- name: create .aws directory
+ ansible.builtin.file:
+ dest: "{{ release_home_dir }}/.aws"
+ owner: "{{ server_user }}"
+ group: "{{ server_user }}"
+ state: directory
+
+- name: copy credentials to deploy release artifacts
+ ansible.builtin.copy:
+ content: "{{ secrets.worker_credentials }}"
+ dest: "{{ release_home_dir }}/.aws/credentials"
+ owner: "{{ server_user }}"
+ group: "{{ server_user }}"
+
+- name: write worker_config
+ ansible.builtin.copy:
+ dest: "{{ release_home_dir }}/.aws/config"
+ src: "{{ role_path }}/files/worker_config"
+ owner: "{{ server_user }}"
+ group: "{{ server_user }}"
+ when: not os|startswith("win")
+
+
+- name: install awscli
+ community.general.homebrew: name="awscli" state=present
+ become_user: "{{ ansible_user }}"
\ No newline at end of file
diff --git a/ansible/roles/cloudflare-deploy/tasks/partials/win.yml b/ansible/roles/cloudflare-deploy/tasks/partials/win.yml
new file mode 100644
index 000000000..e222c41a3
--- /dev/null
+++ b/ansible/roles/cloudflare-deploy/tasks/partials/win.yml
@@ -0,0 +1,19 @@
+---
+
+- name: create .aws directory
+ win_file:
+ path: '{{ansible_facts["env"]["USERPROFILE"]}}\.aws'
+ state: directory
+
+- name: copy credentials to deploy release artifacts
+ win_copy:
+ content: "{{ secrets.worker_credentials }}"
+ dest: '{{ansible_facts["env"]["USERPROFILE"]}}\.aws\credentials'
+
+- name: write worker_config
+ win_copy:
+ dest: '{{ansible_facts["env"]["USERPROFILE"]}}\.aws\config'
+ src: "{{ role_path }}/files/worker_config"
+
+- name: install AWS CLI
+ win_chocolatey: name=awscli
diff --git a/ansible/roles/read-secrets/tasks/partials/release.yml b/ansible/roles/read-secrets/tasks/partials/release.yml
index 59d5d2196..dae1ee2e6 100644
--- a/ansible/roles/read-secrets/tasks/partials/release.yml
+++ b/ansible/roles/read-secrets/tasks/partials/release.yml
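Review bot: `become_user: "{{ ansible_user }}"` on the `install awscli` task in macos.yml has no effect on its own, because `become_user` only applies when `become` is also set; either the task already runs as `ansible_user` and the line is dead, or `become: true` was intended and is missing, and which one should be made explicit. The module call uses the `key=value` string form, `community.general.homebrew: name="awscli" state=present`; prefer block YAML: `community.general.homebrew:` / `name: awscli` / `state: present`. The `when: not os|startswith("win")` on `write worker_config` can never be false in this partial, which is only selected for macOS, so it can be dropped (the same redundant guard is in default.yml). The file also lacks a trailing newline.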
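Review bot: `win_chocolatey: name=awscli` in win.yml installs whatever version the Chocolatey community repository currently serves, with no `version:` pin and no explicit `state:`, so the upload tooling on a release host can change silently between runs; write it in block form with a pin, e.g. `win_chocolatey:` / `name: awscli` / `state: present` / `version: "<PINNED_VERSION_PLACEHOLDER>"`. The credential `win_copy` task should carry `no_log: true` like the other partials. The paths are built from `ansible_facts["env"]["USERPROFILE"]` of the connecting account and `release_home_dir` is never read, so the role argument is ignored on Windows; a comment stating that would stop the next reader from hunting for the mismatch.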
@@ -12,3 +12,4 @@ with_items: - { 'key': 'staging_key', 'file': "staging_id_rsa_private.key" } - { 'key': 'known_hosts', 'file': "known_hosts" } + - { 'key': 'worker_credentials', 'file': "release-cloudflare-worker-credentials" }
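Review bot: The new item maps `worker_credentials` to the secrets file `release-cloudflare-worker-credentials`, but nothing records the format the consumer expects: cloudflare-deploy writes the decrypted content verbatim to `~/.aws/credentials` beside a config declaring `[profile worker]`, so the file is presumably AWS-credentials INI with a matching `[worker]` section. A short comment on the item, `# AWS-credentials INI with a [worker] section; cloudflare-deploy writes it to ~/.aws/credentials`, would save the next person a round trip to the secrets repository. The enclosing `with_items` loop and its task start above the hunk.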