Separate ansible workflow from terraform check

ooni · Mar 13, 2024 · bbceba4 · bbceba4
1 parent 6262f33
commit bbceba4
Show file tree

Hide file tree

Showing 11 changed files with 107 additions and 83 deletions.
diff --git a/.github/workflows/check_ansible.yml b/.github/workflows/check_ansible.yml
@@ -0,0 +1,95 @@
+# For docs on this see:
+# * https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
+# * https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request
+# * https://docs.github.com/en/webhooks/webhook-events-and-payloads?actionType=synchronize#pull_request
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize # when commits are pushed to the PR
+      - reopened
+      - edited # title or body of a pull request was edited, or the base branch of a pull request was changed
+
+jobs:
+  ansible:
+    strategy:
+      matrix:
+        environment: ["dev"]
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ansible/
+    permissions:
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Ansible
+        run: |
+          sudo apt update
+          sudo apt install software-properties-common
+          sudo add-apt-repository --yes --update ppa:ansible/ansible-9
+          sudo apt install -y ansible
+
+      - name: Write devops ssh key to .ssh
+        run: |
+          mkdir -p ~/.ssh/
+          chmod 700 ~/.ssh/
+          echo "${{ secrets.AWS_SSH_KEY }}" > ~/.ssh/ooni-devops-prod.pem
+          chmod 600 ~/.ssh/ooni-devops-prod.pem
+
+      - name: Run Ansible Playbook
+        id: playbook
+        env:
+          ANSIBLE_SSH_ARGS: "-o UserKnownHostsFile=known_hosts"
+          INVENTORY_FILE_PATH: "tf/modules/ansible_inventory/inventories/inventory-${{ matrix.environment }}.ini"
+        run: |
+          echo "ansible_playbook<<EOF" >> "$GITHUB_OUTPUT"
+          echo "\$ ansible-playbook playbook.yml --check --diff -i $INVENTORY_FILE_PATH" >> "$GITHUB_OUTPUT"
+          ansible-playbook playbook.yml --check --diff -i  $INVENTORY_FILE_PATH \
+            --key-file ~/.ssh/ooni-devops-prod.pem 2>&1 | tee -a "$GITHUB_OUTPUT"
+          echo "EOF" >> "$GITHUB_OUTPUT"
+        continue-on-error: true
+
+      # This can be uncommmented to make it possible to ssh into the container to debug the run
+      #- name: Setup tmate session
+      #  uses: mxschmitt/action-tmate@v3
+
+      - uses: actions/github-script@v6
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const commentTitle = "Ansible Run Output";
+            const ansiblePlaybookOutput = `${{ steps.playbook.outputs.ansible_playbook}}`;
+            const parts = ansiblePlaybookOutput.split(/PLAY RECAP \*+/);
+            const ansiblePlaybookRecap = parts.length > 1 ? parts[1].trim() : '';
+
+            const commentBody = `
+            #### Ansible Playbook Recap 🔍
+
+            \`\`\`\n
+            ${ansiblePlaybookRecap}
+            \`\`\`
+
+            #### Ansible playbook output 📖\`${{ steps.playbook.outcome }}\`
+
+            <details><summary>Show Execution</summary>
+
+            \`\`\`\n
+            ${ansiblePlaybookOutput}
+            \`\`\`
+
+            </details>
+
+            |                   |                                    |
+            |-------------------|------------------------------------|
+            | Pusher            | @${{ github.actor }}               |
+            | Action            |  ${{ github.event_name }}          |
+            | Working Directory |  ${{ env.tf_actions_working_dir }} |
+            | Workflow          |  ${{ github.workflow }}            |
+            | Last updated      |  ${(new Date()).toUTCString()}     |
+            `;
+
+            // Call the script to write the comment
+            const script = require('./scripts/ghactions/comment-on-pr.js');
+            await script({github, context, core, commentTitle, commentBody});
diff --git a/.github/workflows/check_deploy.yml → .github/workflows/check_terraform.yml b/.github/workflows/check_deploy.yml → .github/workflows/check_terraform.yml
@@ -134,83 +134,3 @@ jobs:
             // Call the script to write the comment
             const script = require('./scripts/ghactions/comment-on-pr.js');
             await script({github, context, core, commentTitle, commentBody});
-
-  # Temporarily disabled
-  # ansible:
-  #   needs: terraform
-  #   runs-on: ubuntu-latest
-  #   defaults:
-  #     run:
-  #       working-directory: ${{ env.tf_actions_working_dir }}/ansible
-  #   permissions:
-  #     pull-requests: write
-  #   steps:
-  #     - uses: actions/checkout@v4
-
-  #     - name: Install Ansible
-  #       run: |
-  #         sudo apt update
-  #         sudo apt install software-properties-common
-  #         sudo add-apt-repository --yes --update ppa:ansible/ansible-9
-  #         sudo apt install -y ansible
-
-  #     - name: Write devops ssh key to .ssh
-  #       run: |
-  #         mkdir -p ~/.ssh/
-  #         chmod 700 ~/.ssh/
-  #         echo "${{ secrets.AWS_SSH_KEY }}" > ~/.ssh/ooni-devops-prod.pem
-  #         chmod 600 ~/.ssh/ooni-devops-prod.pem
-
-  #     - name: Run Ansible Playbook
-  #       id: playbook
-  #       env:
-  #         ANSIBLE_SSH_ARGS: "-o UserKnownHostsFile=known_hosts"
-  #       run: |
-  #         echo "ansible_playbook<<EOF" >> "$GITHUB_OUTPUT"
-  #         echo "\$ ansible-playbook playbook.yml --check --diff -i inventory.ini" >> "$GITHUB_OUTPUT"
-  #         ansible-playbook playbook.yml --check --diff -i inventory.ini --key-file ~/.ssh/ooni-devops-prod.pem 2>&1 | tee -a "$GITHUB_OUTPUT"
-  #         echo "EOF" >> "$GITHUB_OUTPUT"
-  #       continue-on-error: true
-
-  #     # This can be uncommmented to make it possible to ssh into the container to debug the run
-  #     #- name: Setup tmate session
-  #     #  uses: mxschmitt/action-tmate@v3
-
-  #     - uses: actions/github-script@v6
-  #       with:
-  #         github-token: ${{ secrets.GITHUB_TOKEN }}
-  #         script: |
-  #           const commentTitle = "Ansible Run Output";
-  #           const ansiblePlaybookOutput = `${{ steps.playbook.outputs.ansible_playbook}}`;
-  #           const parts = ansiblePlaybookOutput.split(/PLAY RECAP \*+/);
-  #           const ansiblePlaybookRecap = parts.length > 1 ? parts[1].trim() : '';
-
-  #           const commentBody = `
-  #           #### Ansible Playbook Recap 🔍
-
-  #           \`\`\`\n
-  #           ${ansiblePlaybookRecap}
-  #           \`\`\`
-
-  #           #### Ansible playbook output 📖\`${{ steps.playbook.outcome }}\`
-
-  #           <details><summary>Show Execution</summary>
-
-  #           \`\`\`\n
-  #           ${ansiblePlaybookOutput}
-  #           \`\`\`
-
-  #           </details>
-
-  #           |                   |                                    |
-  #           |-------------------|------------------------------------|
-  #           | Pusher            | @${{ github.actor }}               |
-  #           | Action            |  ${{ github.event_name }}          |
-  #           | Working Directory |  ${{ env.tf_actions_working_dir }} |
-  #           | Workflow          |  ${{ github.workflow }}            |
-  #           | Last updated      |  ${(new Date()).toUTCString()}     |
-  #           `;
-
-  #           // Call the script to write the comment
-  #           const script = require('./scripts/ghactions/comment-on-pr.js');
-  #           await script({github, context, core, commentTitle, commentBody});
diff --git a/...les/ansible_inventory/ansible/known_hosts → ansible/known_hosts b/...les/ansible_inventory/ansible/known_hosts → ansible/known_hosts
diff --git a/...es/ansible_inventory/ansible/playbook.yml → ansible/playbook.yml b/...es/ansible_inventory/ansible/playbook.yml → ansible/playbook.yml
diff --git a/...y/ansible/roles/clickhouse/tasks/main.yml → ansible/roles/clickhouse/tasks/main.yml b/...y/ansible/roles/clickhouse/tasks/main.yml → ansible/roles/clickhouse/tasks/main.yml
diff --git a/...roles/clickhouse/templates/ooni_users.xml → ...roles/clickhouse/templates/ooni_users.xml b/...roles/clickhouse/templates/ooni_users.xml → ...roles/clickhouse/templates/ooni_users.xml
diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
@@ -95,6 +95,8 @@ module "ansible_inventory" {
     ## "all" has special meaning and is reserved
     "mygroup" = []
   }
+
+  environment = local.environment
 }
 
 module "network" {

diff --git a/...s/ansible_inventory/ansible/inventory.ini → ...e_inventory/inventories/inventory-dev.ini b/...s/ansible_inventory/ansible/inventory.ini → ...e_inventory/inventories/inventory-dev.ini
diff --git a/tf/modules/ansible_inventory/main.tf b/tf/modules/ansible_inventory/main.tf
@@ -7,7 +7,7 @@ resource "local_file" "ansible_inventory" {
   content = templatefile("${path.module}/templates/ansible-inventory.tpl",
     { server_groups = var.server_groups }
   )
-  filename = "${path.module}/ansible/inventory.ini"
+  filename = "${path.module}/inventories/inventory-${var.environment}.ini"
 }
 
 resource "null_resource" "ansible_update_known_hosts" {

diff --git a/tf/modules/ansible_inventory/variables.tf b/tf/modules/ansible_inventory/variables.tf
@@ -1,3 +1,7 @@
 variable "server_groups" {
   type = map(list(string))
 }
+
+variable "environment" {
+  type = string
+}
diff --git a/tf/modules/oonidevops_github_user/main.tf b/tf/modules/oonidevops_github_user/main.tf
@@ -27,6 +27,9 @@ resource "aws_secretsmanager_secret" "oonidevops_github" {
 }
 
 resource "aws_secretsmanager_secret_version" "oonidevops_github" {
-  secret_id     = aws_secretsmanager_secret.oonidevops_github.id
-  secret_string = jsonencode({ "AccessKey" : aws_iam_access_key.oonidevops_github.id, "SecretAccessKey" = aws_iam_access_key.oonidevops_github.secret })
+  secret_id = aws_secretsmanager_secret.oonidevops_github.id
+  secret_string = jsonencode({
+    "AccessKey"       = aws_iam_access_key.oonidevops_github.id,
+    "SecretAccessKey" = aws_iam_access_key.oonidevops_github.secret
+  })
 }