diff --git a/.github/workflows/check_ansible.yml b/.github/workflows/check_ansible.yml
new file mode 100644
index 00000000..4c137a2a
--- /dev/null
+++ b/.github/workflows/check_ansible.yml
@@ -0,0 +1,95 @@ +# For docs on this see: +# * https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions +# * https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request +# * https://docs.github.com/en/webhooks/webhook-events-and-payloads?actionType=synchronize#pull_request +on: + pull_request: + types: + - opened + - synchronize # when commits are pushed to the PR + - reopened + - edited # title or body of a pull request was edited, or the base branch of a pull request was changed + +jobs: + ansible: + strategy: + matrix: + environment: ["dev"] + runs-on: ubuntu-latest + defaults: + run: + working-directory: ansible/ + permissions: + pull-requests: write + steps: + - uses: actions/checkout@v4 + + - name: Install Ansible + run: | + sudo apt update + sudo apt install software-properties-common + sudo add-apt-repository --yes --update ppa:ansible/ansible-9 + sudo apt install -y ansible + + - name: Write devops ssh key to .ssh + run: | + mkdir -p ~/.ssh/ + chmod 700 ~/.ssh/ + echo "${{ secrets.AWS_SSH_KEY }}" > ~/.ssh/ooni-devops-prod.pem + chmod 600 ~/.ssh/ooni-devops-prod.pem + + - name: Run Ansible Playbook + id: playbook + env: + ANSIBLE_SSH_ARGS: "-o UserKnownHostsFile=known_hosts" + INVENTORY_FILE_PATH: "tf/modules/ansible_inventory/inventories/inventory-${{ matrix.environment }}.ini" + run: | + echo "ansible_playbook<> "$GITHUB_OUTPUT" + echo "\$ ansible-playbook playbook.yml --check --diff -i $INVENTORY_FILE_PATH" >> "$GITHUB_OUTPUT" + ansible-playbook playbook.yml --check --diff -i $INVENTORY_FILE_PATH \ + --key-file ~/.ssh/ooni-devops-prod.pem 2>&1 | tee -a "$GITHUB_OUTPUT" + echo "EOF" >> "$GITHUB_OUTPUT" + continue-on-error: true + + # This can be uncommmented to make it possible to ssh into the container to debug the run + #- name: Setup tmate session + # uses: mxschmitt/action-tmate@v3 + + - uses: actions/github-script@v6 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const 
commentTitle = "Ansible Run Output"; + const ansiblePlaybookOutput = `${{ steps.playbook.outputs.ansible_playbook}}`; + const parts = ansiblePlaybookOutput.split(/PLAY RECAP \*+/); + const ansiblePlaybookRecap = parts.length > 1 ? parts[1].trim() : ''; + + const commentBody = ` + #### Ansible Playbook Recap 🔍 + + \`\`\`\n + ${ansiblePlaybookRecap} + \`\`\` + + #### Ansible playbook output 📖\`${{ steps.playbook.outcome }}\` + +
Show Execution + + \`\`\`\n + ${ansiblePlaybookOutput} + \`\`\` + +
+ + | | | + |-------------------|------------------------------------| + | Pusher | @${{ github.actor }} | + | Action | ${{ github.event_name }} | + | Working Directory | ${{ env.tf_actions_working_dir }} | + | Workflow | ${{ github.workflow }} | + | Last updated | ${(new Date()).toUTCString()} | + `; + + // Call the script to write the comment + const script = require('./scripts/ghactions/comment-on-pr.js'); + await script({github, context, core, commentTitle, commentBody}); diff --git a/.github/workflows/check_deploy.yml b/.github/workflows/check_terraform.yml similarity index 64% rename from .github/workflows/check_deploy.yml rename to .github/workflows/check_terraform.yml index e11b8a19..32a669c8 100644 --- a/.github/workflows/check_deploy.yml +++ b/.github/workflows/check_terraform.yml 
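Review bot: The `actions/github-script` step splices the raw playbook output into the script source through `${{ steps.playbook.outputs.ansible_playbook }}` inside a JS template literal, so any backtick or `${...}` in that output — which a PR can shape via task names, template contents or `--diff` output — breaks the script or runs as JavaScript with the pull-requests-write `GITHUB_TOKEN`. Pass it through the environment instead: give the step an `env:` with `ANSIBLE_OUTPUT: ${{ steps.playbook.outputs.ansible_playbook }}` and read it as `const ansiblePlaybookOutput = process.env.ANSIBLE_OUTPUT;`. The same expression-in-source habit appears in `echo "${{ secrets.AWS_SSH_KEY }}"`; an `env:` mapping is the safer form there too. Separately, the comment's Working Directory row reads `${{ env.tf_actions_working_dir }}`, which this new file never defines, so it will render empty — use `ansible/` or drop the row.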
@@ -134,83 +134,3 @@ jobs: // Call the script to write the comment const script = require('./scripts/ghactions/comment-on-pr.js'); await script({github, context, core, commentTitle, commentBody}); - - # Temporarily disabled - # ansible: - # needs: terraform - # runs-on: ubuntu-latest - # defaults: - # run: - # working-directory: ${{ env.tf_actions_working_dir }}/ansible - # permissions: - # pull-requests: write - # steps: - # - uses: actions/checkout@v4 - - # - name: Install Ansible - # run: | - # sudo apt update - # sudo apt install software-properties-common - # sudo add-apt-repository --yes --update ppa:ansible/ansible-9 - # sudo apt install -y ansible - - # - name: Write devops ssh key to .ssh - # run: | - # mkdir -p ~/.ssh/ - # chmod 700 ~/.ssh/ - # echo "${{ secrets.AWS_SSH_KEY }}" > ~/.ssh/ooni-devops-prod.pem - # chmod 600 ~/.ssh/ooni-devops-prod.pem - - # - name: Run Ansible Playbook - # id: playbook - # env: - # ANSIBLE_SSH_ARGS: "-o UserKnownHostsFile=known_hosts" - # run: | - # echo "ansible_playbook<> "$GITHUB_OUTPUT" - # echo "\$ ansible-playbook playbook.yml --check --diff -i inventory.ini" >> "$GITHUB_OUTPUT" - # ansible-playbook playbook.yml --check --diff -i inventory.ini --key-file ~/.ssh/ooni-devops-prod.pem 2>&1 | tee -a "$GITHUB_OUTPUT" - # echo "EOF" >> "$GITHUB_OUTPUT" - # continue-on-error: true - - # # This can be uncommmented to make it possible to ssh into the container to debug the run - # #- name: Setup tmate session - # # uses: mxschmitt/action-tmate@v3 - - # - uses: actions/github-script@v6 - # with: - # github-token: ${{ secrets.GITHUB_TOKEN }} - # script: | - # const commentTitle = "Ansible Run Output"; - # const ansiblePlaybookOutput = `${{ steps.playbook.outputs.ansible_playbook}}`; - # const parts = ansiblePlaybookOutput.split(/PLAY RECAP \*+/); - # const ansiblePlaybookRecap = parts.length > 1 ? 
parts[1].trim() : ''; - - # const commentBody = ` - # #### Ansible Playbook Recap 🔍 - - # \`\`\`\n - # ${ansiblePlaybookRecap} - # \`\`\` - - # #### Ansible playbook output 📖\`${{ steps.playbook.outcome }}\` - - #
Show Execution - - # \`\`\`\n - # ${ansiblePlaybookOutput} - # \`\`\` - - #
- - # | | | - # |-------------------|------------------------------------| - # | Pusher | @${{ github.actor }} | - # | Action | ${{ github.event_name }} | - # | Working Directory | ${{ env.tf_actions_working_dir }} | - # | Workflow | ${{ github.workflow }} | - # | Last updated | ${(new Date()).toUTCString()} | - # `; - - # // Call the script to write the comment - # const script = require('./scripts/ghactions/comment-on-pr.js'); - # await script({github, context, core, commentTitle, commentBody}); diff --git a/tf/modules/ansible_inventory/ansible/known_hosts b/ansible/known_hosts similarity index 100% rename from tf/modules/ansible_inventory/ansible/known_hosts rename to ansible/known_hosts diff --git a/tf/modules/ansible_inventory/ansible/playbook.yml b/ansible/playbook.yml similarity index 100% rename from tf/modules/ansible_inventory/ansible/playbook.yml rename to ansible/playbook.yml diff --git a/tf/modules/ansible_inventory/ansible/roles/clickhouse/tasks/main.yml b/ansible/roles/clickhouse/tasks/main.yml similarity index 100% rename from tf/modules/ansible_inventory/ansible/roles/clickhouse/tasks/main.yml rename to ansible/roles/clickhouse/tasks/main.yml diff --git a/tf/modules/ansible_inventory/ansible/roles/clickhouse/templates/ooni_users.xml b/ansible/roles/clickhouse/templates/ooni_users.xml similarity index 100% rename from tf/modules/ansible_inventory/ansible/roles/clickhouse/templates/ooni_users.xml rename to ansible/roles/clickhouse/templates/ooni_users.xml diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf index 255e646c..8aa72f1e 100644 --- a/tf/environments/dev/main.tf +++ b/tf/environments/dev/main.tf @@ -95,6 +95,8 @@ module "ansible_inventory" { ## "all" has special meaning and is reserved "mygroup" = [] } + + environment = local.environment } module "network" { 
diff --git a/tf/modules/ansible_inventory/ansible/inventory.ini b/tf/modules/ansible_inventory/inventories/inventory-dev.ini similarity index 100% rename from tf/modules/ansible_inventory/ansible/inventory.ini rename to tf/modules/ansible_inventory/inventories/inventory-dev.ini diff --git a/tf/modules/ansible_inventory/main.tf b/tf/modules/ansible_inventory/main.tf index f9bac1a2..51a937a6 100644 --- a/tf/modules/ansible_inventory/main.tf +++ b/tf/modules/ansible_inventory/main.tf @@ -7,7 +7,7 @@ resource "local_file" "ansible_inventory" { content = templatefile("${path.module}/templates/ansible-inventory.tpl", { server_groups = var.server_groups } ) - filename = "${path.module}/ansible/inventory.ini" + filename = "${path.module}/inventories/inventory-${var.environment}.ini" } resource "null_resource" "ansible_update_known_hosts" { diff --git a/tf/modules/ansible_inventory/variables.tf b/tf/modules/ansible_inventory/variables.tf index ce517012..be73a408 100644 --- a/tf/modules/ansible_inventory/variables.tf +++ b/tf/modules/ansible_inventory/variables.tf @@ -1,3 +1,7 @@ variable "server_groups" { type = map(list(string)) } + +variable "environment" { + type = string +} diff --git a/tf/modules/oonidevops_github_user/main.tf b/tf/modules/oonidevops_github_user/main.tf index 186674da..ee1de56d 100644 --- a/tf/modules/oonidevops_github_user/main.tf +++ b/tf/modules/oonidevops_github_user/main.tf @@ -27,6 +27,9 @@ resource "aws_secretsmanager_secret" "oonidevops_github" { } resource "aws_secretsmanager_secret_version" "oonidevops_github" { - secret_id = aws_secretsmanager_secret.oonidevops_github.id - secret_string = jsonencode({ "AccessKey" : aws_iam_access_key.oonidevops_github.id, "SecretAccessKey" = aws_iam_access_key.oonidevops_github.secret }) + secret_id = aws_secretsmanager_secret.oonidevops_github.id + secret_string = jsonencode({ + "AccessKey" = aws_iam_access_key.oonidevops_github.id, + "SecretAccessKey" = aws_iam_access_key.oonidevops_github.secret + }) }
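Review bot: The new `environment` variable in `variables.tf` has no description and no validation, yet `main.tf` in this same change interpolates it straight into a filesystem path (`inventories/inventory-${var.environment}.ini`), so an empty or slash-containing value silently produces an unexpected file. A short description plus a slug-only validation block documents the contract and fails early at plan time.

```hcl
variable "environment" {
  type        = string
  description = "Deployment environment name; used as the inventory file suffix (inventory-<environment>.ini)."
  validation {
    condition     = can(regex("^[a-z0-9-]+$", var.environment))
    error_message = "environment must be a lowercase alphanumeric/hyphen slug."
  }
}
```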