kraussnet-ansible-action/entrypoint.sh

#!/bin/bash
#
# KraussNet Ansible Playbook Runner Action Entrypoint

set -euo pipefail

if [ -z "${INPUT_PKI_CA_URL:-}" ] ; then
    echo "Missing required input parameter 'pki_ca_url'"
    exit 1
fi
if [ -z "${INPUT_PKI_FINGERPRINT:-}" ] ; then
    echo "Missing required input parameter 'pki_fingerprint'"
    exit 1
fi
if [ -z "${INPUT_PKI_PROVISIONER_PASSWORD:-}" ] ; then
    echo "Missing required input parameter 'pki_provisioner_password'"
    exit 1
fi
if [ -z "${INPUT_PLAYBOOK:-}" ] ; then
    echo "Missing required input parameter 'playbook'"
    exit 1
fi
if [ -z "${INPUT_INVENTORY:-}" ] ; then
    echo "Missing required input parameter 'inventory'"
    exit 1
fi

# Set Debug Mode Helper
input_debug="${INPUT_DEBUG:-false}"
debug=${input_debug,,}

# Setup Provisioner Variables
provisioner_name=${INPUT_PKI_PROVISIONER_NAME:-"ansible"}
provisioner_password=${INPUT_PKI_PROVISIONER_PASSWORD}
default_cert_subject="ansible-kraussnet-action-runner@$(hostname -f)"
user_cert_subject=${INPUT_SUBJECT:-"$default_cert_subject"}

# Bootstrap the PKI Certificate Authority
step ca bootstrap \
    --ca-url "${INPUT_PKI_CA_URL}" \
    --fingerprint "${INPUT_PKI_FINGERPRINT}"
echo "Bootstrapped PKI at ${INPUT_PKI_CA_URL}"

# Obtain the Host Certificate
[ ! -d ~/.ssh ] && mkdir ~/.ssh
host_ca_cert=$(step ssh config --host --roots)
echo "@cert-authority *.kraussnet.com ${host_ca_cert}" > ~/.ssh/known_hosts
if [ ! -z "${INPUT_PKI_ADDITIONAL_HOSTS:-}" ] ; then
    for host in $(echo ${INPUT_PKI_ADDITIONAL_HOSTS}) ; do
        echo "@cert-authority ${host} ${host_ca_cert}" >> ~/.ssh/known_hosts
        echo "Registered ${host} to use KraussNet SSH @cert-authority"
    done
fi
if [ ! -z "${INPUT_KNOWN_HOSTS:-}" ] ; then
    echo "${INPUT_KNOWN_HOSTS}" >> ~/.ssh/known_hosts
fi
echo "Registered SSH Host Certificate Authority"
[ ${debug} == "true" ] && cat ~/.ssh/known_hosts

# Obtain a User Certificate for Ansible
token=$(step ca token "${user_cert_subject}" --ssh --provisioner "${provisioner_name}" --provisioner-password-file <(printf "${provisioner_password}"))
echo "Obtained User Token from CA"
[ ${debug} == "true" ] && echo $token | step crypto jwt inspect --insecure

[ ! -f ~/.ssh/id_ecdsa ] && ssh-keygen -t ecdsa -f ~/.ssh/id_ecdsa -N ''
[ -f ~/.ssh/id_ecdsa-cert.pub ] && rm ~/.ssh/id_ecdsa-cert.pub
step ssh certificate "${user_cert_subject}" ~/.ssh/id_ecdsa.pub --sign --provisioner "${provisioner_name}" --token $token
echo "Obtained User Certificate from CA"
[ ${debug} == "true" ] && ssh-keygen -L -f ~/.ssh/id_ecdsa-cert.pub

# Process the inventory parameter
inventory=""
if [[ "${INPUT_INVENTORY}" =~ $'\n' ]] ; then
    echo "${INPUT_INVENTORY}" > /tmp/inventory
    inventory="/tmp/inventory"
else
    inventory="${INPUT_INVENTORY}"
fi
echo "Using inventory ${inventory}"

# Process Ansible Galaxy requirements
if [ ! -z "${INPUT_REQUIREMENTS:-}" ] ; then
    ansible-galaxy install -r "${INPUT_REQUIREMENTS}"
    echo "Installed Galaxy Dependencies"
fi

# Change the working directory
if [ ! -z "${INPUT_DIRECTORY:-}" ] ; then
    cd "${INPUT_DIRECTORY}"
    echo "Changed working directory to $(pwd)"
fi

# Process Ansible Configuration
if [ ! -z "${INPUT_CONFIGURATION:-}" ] ; then
    if [ -f ./ansible.cfg ] ; then
        echo "An existing ansible.cfg file is in the current working directory"
        exit 1
    fi

    echo "${INPUT_CONFIGURATION}" > ./ansible.cfg
    echo "Created $(pwd)/ansible.cfg"
fi

# Setup and Run Ansible Playbook
become="${INPUT_BECOME:-false}"
check_mode="${INPUT_CHECK_MODE:-false}"
remote_user="${INPUT_REMOTE_USER:-ansible}"

cmd="-u ${remote_user}"
if [ "${become,,}" == "true" ] ; then
    cmd="${cmd} -b"
fi

if [ "${check_mode,,}" == "true" ] ; then
    cmd="${cmd} --check"
fi

if [ ! -z "${INPUT_VAULT_PASSWORD:-}" ] ; then
    echo "${INPUT_VAULT_PASSWORD}" > /tmp/vault_password
    cmd="${cmd} --vault-password-file /tmp/vault_password"
fi

cmd="${cmd} --inventory ${inventory} ${INPUT_PLAYBOOK}"
echo "Ansible Command: ansible-playbook ${cmd}"

ansible-playbook $cmd