Skip to content

Commit

Permalink
Fixed encrypted playbook not running issue
Browse files Browse the repository at this point in the history
  • Loading branch information
jaisejose1123 committed Jul 12, 2024
1 parent 0937672 commit 9b49494
Show file tree
Hide file tree
Showing 4 changed files with 74 additions and 2 deletions.
28 changes: 26 additions & 2 deletions lib/ansible/runner.rb
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,18 @@ def run(env_vars, extra_vars, playbook_path, tags: nil, hosts: ["localhost"], cr
:become_enabled => become_enabled)
end

def run_vault(env_vars, extra_vars, playbook_path, tags: nil, hosts: ["localhost"], credentials: [], verbosity: 0, become_enabled: false)
run_via_cli(hosts,
credentials,
env_vars,
extra_vars,
:tags => tags,
:playbook => playbook_path,
:test_vault => true,
:verbosity => verbosity,
:become_enabled => become_enabled)
end

# Runs a role directly via ansible-runner, a simple playbook is then automatically created,
# see: https://ansible-runner.readthedocs.io/en/latest/standalone.html#running-roles-directly
#
Expand Down Expand Up @@ -194,7 +206,7 @@ def run_in_queue(method_name, user_id, queue_opts, args)
# @param verbosity [Integer] ansible-runner verbosity level 0-5
# @param playbook_or_role_args [Hash] Hash that includes the :playbook key or :role keys
# @return [Ansible::Runner::Response] Response object with all details about the ansible run
def run_via_cli(hosts, credentials, env_vars, extra_vars, tags: nil, ansible_runner_method: "run", verbosity: 0, become_enabled: false, **playbook_or_role_args)
def run_via_cli(hosts, credentials, env_vars, extra_vars, tags: nil, ansible_runner_method: "run", test_vault: false, verbosity: 0, become_enabled: false, **playbook_or_role_args)
# If we are running against only localhost and no other value is set for ansible_connection
# then assume we don't want to ssh locally
extra_vars["ansible_connection"] ||= "local" if hosts == ["localhost"]
Expand All @@ -204,7 +216,13 @@ def run_via_cli(hosts, credentials, env_vars, extra_vars, tags: nil, ansible_run
base_dir = Pathname.new(Dir.mktmpdir("ansible-runner")).realpath
debug = verbosity.to_i >= 5 || env_vars["ANSIBLE_KEEP_REMOTE_FILES"]

cred_command_line, cred_env_vars, cred_extra_vars = credentials_info(credentials, base_dir)
if test_vault
cred_command_line = {}
cred_extra_vars = {}
cred_env_vars = {"ANSIBLE_VAULT_PASSWORD_FILE" => File.join(File.dirname(playbook_or_role_args[:playbook]), "password.yml")}
else
cred_command_line, cred_env_vars, cred_extra_vars = credentials_info(credentials, base_dir)
end

command_line_hash = tags.present? ? {:tags => tags} : {}
if become_enabled
Expand All @@ -231,6 +249,12 @@ def run_via_cli(hosts, credentials, env_vars, extra_vars, tags: nil, ansible_run
end

res = response(base_dir, ansible_runner_method, result, debug)
if !cred_env_vars.empty?
command_line = res.instance_variable_get(:@command_line)
new_command = "export #{cred_env_vars['ANSIBLE_VAULT_PASSWORD_FILE']} ; #{command_line}"
res.instance_variable_set(:@command_line, new_command)
end
res
ensure
# Clean up the tmp dir for the sync method, for async we will clean it up after the job is finished and we've
# read the output, that will be written into this directory.
Expand Down
41 changes: 41 additions & 0 deletions spec/lib/ansible/runner/data/hello_world_vault_encrypted.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
# Note: The password for `encrypted_msg` is just 'vault'
#
# This playbook is just used for testing vault integration, so when provided
# with the correct password the message displayed should be:
#
# "Hello World! (NOTE: This message has been encrypted with ansible-vault)"
#
# This var was generated by running the following:
#
# $ ansible-vault encrypt_string --ask-vault-pass --stdin-name "encrypted_msg"
# New Vault password:
# Confirm New Vault password:
# Reading plaintext input from stdin. (ctrl-d to end input)
# Hello World!
# encrypted_msg: !vault |
# $ANSIBLE_VAULT;1.1;AES256
# 66383635373066393337333631383930366166656134653935663164636636623239333861643936
# 3664613065666439303135323331616666383030383839310a303461623264646233623037313363
# 63626562616166353466366232363562353461366162396262363461666439386165663565643832
# 3239396633396466630a616463393237303338633562656664653433633437383161353933303737
# 3764
# Encryption successful
#
# (NOTE: When running the above, Ctrl-D was required twice for `ansible-vault`
# to respond. Most likely due to the '!' character in the base string.)
#
- name: Hello World Sample (Vault Encrypted)
hosts: localhost
vars:
encrypted_msg: !vault |
$ANSIBLE_VAULT;1.1;AES256
66383635373066393337333631383930366166656134653935663164636636623239333861643936
3664613065666439303135323331616666383030383839310a303461623264646233623037313363
63626562616166353466366232363562353461366162396262363461666439386165663565643832
3239396633396466630a616463393237303338633562656664653433633437383161353933303737
3764
tasks:
- name: Hello Message
debug:
msg: "{{encrypted_msg}} (NOTE: This message has been encrypted with ansible-vault)"

1 change: 1 addition & 0 deletions spec/lib/ansible/runner/data/password.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
vault
6 changes: 6 additions & 0 deletions spec/lib/ansible/runner_execution_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -13,5 +13,11 @@
expect(response.return_code).to eq(0), "ansible-runner failed with:\n#{response.stderr}"
expect(response.human_stdout).to include('"msg": "Hello, world!"')
end
it "runs a hello-world-vault-encrypted playbook" do
response = Ansible::Runner.run_vault(env_vars, extra_vars, File.join(__dir__, "runner/data/hello_world_vault_encrypted.yml"))

expect(response.return_code).to eq(0), "ansible-runner failed with:\n#{response.stderr}"
expect(response.human_stdout).to include('"msg": "Hello World! (NOTE: This message has been encrypted with ansible-vault)"')
end
end
end

0 comments on commit 9b49494

Please sign in to comment.