From e5348e35892aa9efab7a7b536b71c92fceb8506b Mon Sep 17 00:00:00 2001
From: Sorin Sbarnea
Date: Thu, 14 Sep 2023 15:12:36 +0100
Subject: [PATCH] Add playbook to deploy github environment secrets
---
 .gitignore | 1 +
 playbooks/ansible.cfg | 0
 playbooks/deploy-bot-pat.yml | 21 +++++++++++++++++++++
 playbooks/host_vars/localhost.yml | 10 ++++++++++
 playbooks/tasks/gh-set-env-secrets.yml | 12 ++++++++++++
 playbooks/tasks/gh-set-secret.yml | 6 ++++++
 6 files changed, 50 insertions(+)
 create mode 100644 playbooks/ansible.cfg
 create mode 100644 playbooks/deploy-bot-pat.yml
 create mode 100644 playbooks/host_vars/localhost.yml
 create mode 100644 playbooks/tasks/gh-set-env-secrets.yml
 create mode 100644 playbooks/tasks/gh-set-secret.yml
diff --git a/.gitignore b/.gitignore
index 99efc91..6cac982 100644
--- a/.gitignore
+++ b/.gitignore
@@ -128,3 +128,4 @@ dmypy.json
 # Pyre type checker
 .pyre/
 .DS_Store
+.envrc
diff --git a/playbooks/ansible.cfg b/playbooks/ansible.cfg
new file mode 100644
index 0000000..e69de29
diff --git a/playbooks/deploy-bot-pat.yml b/playbooks/deploy-bot-pat.yml
new file mode 100644
index 0000000..f843381
--- /dev/null
+++ b/playbooks/deploy-bot-pat.yml
@@ -0,0 +1,21 @@
+- name: Deploy BOT_PAT secret
+ hosts: localhost
+ gather_facts: false
+ tasks:
+
+ - name: Load repositories
+ ansible.builtin.include_vars:
+ file: ../config/devtools.yml
+ name: devtools
+
+ - debug:
+ msg: "{{ item }}"
+ loop: "{{ env_secrets | dict2items(key_name='env_name', value_name='env_secrets') }}"
+
+ - name: Loop over repositories
+ ansible.builtin.include_tasks: tasks/gh-set-env-secrets.yml
+ loop: "{{ devtools.repos }}"
+ loop_control:
+ label: "{{ repo }}"
+ loop_var: repo
+
diff --git a/playbooks/host_vars/localhost.yml b/playbooks/host_vars/localhost.yml
new file mode 100644
index 0000000..e133bdc
--- /dev/null
+++ b/playbooks/host_vars/localhost.yml
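Review bot: The unnamed `debug` task in the deploy-bot-pat.yml hunk prints `{{ item }}` for every entry of `env_secrets | dict2items(...)`, and each item carries the `env_secrets` mapping whose values are the vault-decrypted secrets (BOT_PAT from host_vars/localhost.yml), so the decrypted PAT is written to the play output in clear on every run. Either drop the task or restrict it to the environment name, e.g. `- name: Show environments` / `ansible.builtin.debug:` / `msg: "{{ item.env_name }}"`, or at minimum add `no_log: true`. The neighbouring tasks use a `name:` and the FQCN form, so the bare `debug` is also inconsistent with the rest of the play. Indentation is lost in this rendering of the hunk, so whether `loop:` sits at task level or under `debug:` (where it would be rejected as a module argument) cannot be checked here.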
@@ -0,0 +1,10 @@
+env_secrets:
+ ack: # github environment name
+ BOT_PAT: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 39316132336366663432646530316462373436646132633437363032613335626263616564663437
+ 3739303161373964643437623663393663343666326564660a633637383631386433373633383736
+ 38656339306634363737656530333531313638313865666232306238626230326365373063363133
+ 6464643330333332320a633631663661616532356262363034386664316339306463306264393636
+ 37386663626565386362626133623538343264353363613164373662306335343038376237313566
+ 6564643761366534643538666532386339353238656237313532
diff --git a/playbooks/tasks/gh-set-env-secrets.yml b/playbooks/tasks/gh-set-env-secrets.yml
new file mode 100644
index 0000000..b220587
--- /dev/null
+++ b/playbooks/tasks/gh-set-env-secrets.yml
@@ -0,0 +1,12 @@
+- name: Create github environment
+ ansible.builtin.shell: >
+ gh api --method PUT -H "Accept: application/vnd.github+json" repos/{{ repo }}/environments/{{ env.env_name }}
+ loop: "{{ env_secrets | dict2items(key_name='env_name', value_name='env_secrets') }}"
+ loop_control:
+ loop_var: env
+
+- name: For each secret in environment
+ ansible.builtin.include_tasks: gh-set-secret.yml
+ loop: "{{ env_secrets | dict2items(key_name='env_name', value_name='env_secrets') }}"
+ loop_control:
+ loop_var: env
diff --git a/playbooks/tasks/gh-set-secret.yml b/playbooks/tasks/gh-set-secret.yml
new file mode 100644
index 0000000..5a0b795
--- /dev/null
+++ b/playbooks/tasks/gh-set-secret.yml
@@ -0,0 +1,6 @@
+- name: Configure secret
+ ansible.builtin.shell: >
+ gh secret --repo {{ repo }} set --env {{ env.env_name }} {{ item.gh_secret_name }} --body {{ item.gh_secret_value }}
+ no_log: false
+ loop: "{{ env.env_secrets | dict2items('gh_secret_name', 'gh_secret_value') }}"
+
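Review bot: Nothing in host_vars/localhost.yml states the shape the task files depend on — `env_secrets.<github environment>.<SECRET_NAME>: <value>`, consumed through `dict2items` in deploy-bot-pat.yml, gh-set-env-secrets.yml and gh-set-secret.yml — so a reader has only the inline `# github environment name` remark to go on. A short header comment above `env_secrets:` describing that shape, and noting that every leaf value is expected to be a `!vault` scalar because it ends up on a `gh` command line, would make the contract explicit.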
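Review bot: In the gh-set-env-secrets.yml hunk, `{{ repo }}` and `{{ env.env_name }}` are interpolated unquoted into an `ansible.builtin.shell` command, so a value containing whitespace or a shell metacharacter would split the request path or be interpreted by the shell. The command uses no shell features, so `ansible.builtin.command: >` with `repos/{{ repo | quote }}/environments/{{ env.env_name | quote }}` keeps the shell out of the path entirely; the same interpolation pattern recurs in gh-set-secret.yml. The PUT also reports changed on every run and echoes the JSON response into the task result; `gh api --silent` plus a `changed_when` would likely be wanted, though that depends on how the play's reports are read. The `env_secrets | dict2items(...)` loop expression is repeated here twice and once in the playbook and could be a single variable.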
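Review bot: In the gh-set-secret.yml hunk, `no_log: false` is set on the one task whose command line carries the decrypted secret in `--body {{ item.gh_secret_value }}`, so the value is printed in the task result on every run and is visible in the controller's process list for the duration of the `gh` call. Set `no_log: true` and hand the value to `gh secret set` on standard input through the module's `stdin` parameter (with `stdin_add_newline: false` so the stored secret does not gain a trailing newline) instead of as an argument. With `--body` gone no shell features remain, so `ansible.builtin.command` with `| quote` on the interpolated repo, environment and secret names replaces the `shell` call. The task result, including the loop label, will then be masked, which is the intended effect here.
```yaml
- name: Configure secret
  ansible.builtin.command:
    cmd: >-
      gh secret --repo {{ repo | quote }} set --env {{ env.env_name | quote }}
      {{ item.gh_secret_name | quote }}
    stdin: "{{ item.gh_secret_value }}"
    stdin_add_newline: false
  no_log: true
  # … unchanged: loop over env.env_secrets | dict2items(...) …
```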