Merge pull request #3915 from edx/jmulloy/ops-1433_ssh_keys

Add option to fail/halt Ansible when github user is missing ssh keys

Merge pull request #3915 from edx/jmulloy/ops-1433_ssh_keys
Add option to fail/halt Ansible when github user is missing ssh keys
e451aa38 · Joseph Mulloy · GitHub · d4f48e27 · 8f1de21f · e451aa38
Commit e451aa38 authored Jun 14, 2017 by Joseph Mulloy Committed by GitHub Jun 14, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 3 deletions

playbooks/roles/user/defaults/main.yml
+10 -0

playbooks/roles/user/tasks/main.yml
+12 -3

No files found.
--- a/playbooks/roles/user/defaults/main.yml
+++ b/playbooks/roles/user/defaults/main.yml
@@ -38,3 +38,13 @@ user_info: []
 user_debian_pkgs:
  # This is needed for the uri module to work correctly.
  - python-httplib2
+
+# Boolean variable that will cause the user module to stop Ansible with a
+# failure if a user that has been configured to have their keys pulled from
+# GitHub does not have any ssh keys configured on GitHub. This is set to
+# false by default as we normally do not wish to interrupt Ansible, but
+# we wish to selectively enable it for a particular Jenkins job that adds
+# users. In the default false state this playbook will only print a warning
+# message, but not halt.
+#
+USER_FAIL_MISSING_KEYS: false
--- a/playbooks/roles/user/tasks/main.yml
+++ b/playbooks/roles/user/tasks/main.yml
@@ -124,16 +124,25 @@
 - name: Check the ssh key(s) for user(s) over github
  uri:
    url: "https://github.com/{{ item.name }}.keys"
+    return_content: true
  # We don't care if absent users lack ssh keys
  when: item.get('state', 'present') == 'present'
  with_items: "{{ user_info }}"
  register: github_users_return

- debug:
-    msg: "User {{ item.item.name }} doesn't have an SSH key associated with their account"
+- name: Print warning if github user(s) missing ssh key
+  debug:
+    msg: "User {{ item.item.name }} doesn't have an SSH key associated with their github account"
  with_items: "{{ github_users_return.results | default([]) }}"
  # We skip users in the previous task, and they end up with no content_length
-  when: item.get('content_length') and item.content_length == "0"
+  when: ('content' in item and item.content == "")
+
+- name: Halt if USER_FAIL_MISSING_KEYS is true and github user(s) missing ssh key
+  fail:
+    msg: "User {{ item.item.name }} doesn't have an SSH key associated with their github account"
+  with_items: "{{ github_users_return.results | default([]) }}"
+  # We skip users in the previous task, and they end up with no content_length
+  when: (USER_FAIL_MISSING_KEYS and 'content' in item and item.content == "")

 - name: Get github key(s) and update the authorized_keys file
  authorized_key: