Merge pull request #1263 from edx/jarv/manage-ssh-keys

Jarv/manage ssh keys

Merge pull request #1263 from edx/jarv/manage-ssh-keys
Jarv/manage ssh keys
61f5653e · John Jarvis · 154a6a78 · 5fbfb302 · 61f5653e · 61f5653e
Commit 61f5653e authored Jul 01, 2014 by John Jarvis
Hide whitespace changes
Inline Side-by-side

Showing with 74 additions and 8 deletions

playbooks/ec2.py
+8 -4

playbooks/edx-east/add-ubuntu-key.yml
+8 -3

playbooks/edx-east/remove-ubuntu-key.yml
+10 -1

util/jenkins/manage-ssh-keys.sh
+48 -0

No files found.
--- a/playbooks/ec2.py
+++ b/playbooks/ec2.py
@@ -225,12 +225,16 @@ class Ec2Inventory(object):
            cache_path = config.get('ec2', 'cache_path')
        if not os.path.exists(cache_path):
            os.makedirs(cache_path)
-        self.cache_path_cache = cache_path + "/ansible-ec2.cache"
-        self.cache_path_tags = cache_path + "/ansible-ec2.tags.cache"
-        self.cache_path_index = cache_path + "/ansible-ec2.index"
-        self.cache_max_age = config.getint('ec2', 'cache_max_age')

+        if 'AWS_PROFILE' in os.environ:
+            aws_profile = "{}-".format(os.environ.get('AWS_PROFILE'))
+        else:
+            aws_profile = ""

+        self.cache_path_cache = cache_path + "/{}ansible-ec2.cache".format(aws_profile)
+        self.cache_path_tags = cache_path + "/{}ansible-ec2.tags.cache".format(aws_profile)
+        self.cache_path_index = cache_path + "/{}ansible-ec2.index".format(aws_profile)
+        self.cache_max_age = config.getint('ec2', 'cache_max_age')

    def parse_cli_args(self):
        ''' Command line argument processing '''

--- a/playbooks/edx-east/add-ubuntu-key.yml
+++ b/playbooks/edx-east/add-ubuntu-key.yml
@@ -2,21 +2,26 @@
 # file for the ubuntu user.
 # You must pass in the entire line that you are adding.
 # Example: ansible-playbook add-ubuntu-key.yml -c local -i 127.0.0.1, \
-#                              -e "public_key='ssh-rsa SOME_PUBLIC_KEY deployment-201407'" \
+#                              -e "public_key=deployment-201407" \
 #                              -e owner=jarv  -e keyfile=/home/jarv/.ssh/authorized_keys

 - hosts: all
  vars:
+    # Number of instances to operate on at a time
+    serial_count: 1
    owner: ubuntu
    keyfile: "/home/{{ owner }}/.ssh/authorized_keys"
+  serial: "{{ serial_count }}"
  tasks:
    - fail: msg="You must pass in a public_key"
      when: public_key is not defined
+    - fail: msg="public does not exist in secrets"
+      when: ubuntu_public_keys[public_key] is not defined
    - command: mktemp
      register: mktemp
    - name: Validate the public key before we add it to authorized_keys
      copy: >
-        content="{{ public_key }}"
+        content="{{ ubuntu_public_keys[public_key] }}"
        dest={{ mktemp.stdout }}
    # This tests the public key and will not continue if it does not look valid
    - command: ssh-keygen -l -f {{ mktemp.stdout }}
@@ -25,7 +30,7 @@
        state=absent
    - lineinfile: >
        dest={{ keyfile }}
-        line="{{ public_key }}"
+        line="{{ ubuntu_public_keys[public_key] }}"
    - file: >
        path={{ keyfile }}
        owner={{ owner }}

--- a/playbooks/edx-east/remove-ubuntu-key.yml
+++ b/playbooks/edx-east/remove-ubuntu-key.yml
@@ -3,17 +3,22 @@
 # You must pass in the entire line that you are adding
 - hosts: all
  vars:
+    # Number of instances to operate on at a time
+    serial_count: 1
    owner: ubuntu
    keyfile: "/home/{{ owner }}/.ssh/authorized_keys"
+  serial: "{{ serial_count }}"
  tasks:
    - fail: msg="You must pass in a public_key"
      when: public_key is not defined
+    - fail: msg="public does not exist in secrets"
+      when: ubuntu_public_keys[public_key] is not defined
    - command: mktemp
      register: mktemp
    # This command will fail if this returns zero lines which will prevent
    # the last key from being removed
    - shell: >
-        grep -Fv '{{ public_key }}' {{ keyfile }} > {{ mktemp.stdout }}
+        grep -Fv '{{ ubuntu_public_keys[public_key] }}' {{ keyfile }} > {{ mktemp.stdout }}
    - shell: >
        while read line; do ssh-keygen -lf /dev/stdin <<<$line; done <{{ mktemp.stdout }}
        executable=/bin/bash
@@ -28,3 +33,7 @@
    - file: >
          path={{ mktemp.stdout }}
          state=absent
+    - shell: wc -l  < {{ keyfile }}
+      register: line_count
+    - fail: msg="There should only be one line in ubuntu's authorized_keys"
+      when: line_count.stdout|int != 1
--- a/util/jenkins/manage-ssh-keys.sh
+++ b/util/jenkins/manage-ssh-keys.sh
+#!/usr/bin/env bash
+
+# A simple wrapper to add ssh keys from 
+# This assumes that you will be running on one or more servers
+# that are tagged with Name: <environment>-<deployment>-<play>
+
+if [[
+        -z $WORKSPACE           ||
+        -z $environment_tag     ||
+        -z $deployment_tag      ||
+        -z $play                ||
+        -z $first_in            ||
+        -z $public_key          ||
+        -z $serial_count
+    ]]; then
+    echo "Environment incorrect for this wrapper script"
+    env
+    exit 1
+fi
+
+cd $WORKSPACE/configuration/playbooks/edx-east
+export AWS_PROFILE=$deployment_tag
+
+ansible_extra_vars+=" -e serial_count=$serial_count -e elb_pre_post=$elb_pre_post"
+
+if [[ ! -z "$extra_vars" ]]; then
+      ansible_extra_vars+=" -e $extra_vars"
+fi
+
+if [[ $check_mode == "true" ]]; then
+      ansible_extra_vars+=" --check"
+fi
+
+if [[ ! -z "$run_on_single_ip" ]]; then
+    ansible_limit+="$run_on_single_ip"
+else
+    if [[ $first_in == "true" ]]; then
+        ansible_limit+="first_in_"
+    fi
+    ansible_limit+="tag_environment_${environment_tag}:&tag_deployment_${deployment_tag}"
+fi
+
+ansible_extra_vars+=" -e public_key=$public_key"
+
+export PYTHONUNBUFFERED=1
+env
+ansible-playbook -v -D -u ubuntu $play -i ./ec2.py $ansible_task_tags --limit $ansible_limit -e@"$WORKSPACE/configuration-secure/ansible/vars/ubuntu-public-keys.yml" $ansible_extra_vars 
+rm -f $extra_vars_file