-
Notifications
You must be signed in to change notification settings - Fork 0
/
runansible
executable file
·286 lines (247 loc) · 7.47 KB
/
runansible
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
#!/bin/bash
# Runs a playbook in a project (for cron)
# Add ARA to PYTHONPATH
export PYTHONPATH=$PYTHONPATH:/opt/ansible/tools/ara
# Set ANSIBLEUTILSDIR
ANSIBLEUTILSDIR="$(dirname `readlink -f $(which $0)`)"
# Load GPG agent's soocket if it isn't there
[ -z "$SSH_AUTH_SOCK" ] && export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
# Defaults
PROJECTDIR=/opt/ansible/projects
PLAYBOOKDIR=playbooks
UPDATE_ROLES=false
OLD_ANSIBLE=true
UPDATE_GIT=false
SWITCH_BRANCHES=false
IGNORE_LOCK=false
CLEAR_CACHE=false
SPARSE=false
VERIFY_ROLES=false
DISABLE_EXTENDED_ARA_INFO=false
INVENTORY=""
DEFAULT_BRANCH=master
ANSIBLE_VAULT_PASSWORD_FILE=.ansible-vault
ARA_MAIL=root@localhost
ARA_REPORT_URL=""
SEND_MAIL=false
USE_NAVIGATOR=false
BW_SERVER=https://bitwarden.com
# Override any defaults that are set by the user
test -f $HOME/.runansible.conf && . $HOME/.runansible.conf
usage="Usage: $0 [-p project] [-i inventory] [-s] playbook.yml [ansible-playbook args]
-A Disable ARA logging
-b branch Run on specific git branch
When using this option, the script will check out the specified
git branch, run Ansible and then check out $DEFAULT_BRANCH
-c Tell ansible-galaxy to ignore SSL errors when downloading
roles/collections
-C Clear the inventory/facts cache before starting
-g Update git checkout before running
-i file Name of the inventory to use, can be provided multiple times
-l Ignore locks and allow for multiple instances of $(basename $0)
-m email Send a e-mail with the ARA report to $ARA_MAIL
This uses 'mail' on the Ansible controller to send the message
-n Utilize Ansible Navigator with a Execution Environment to execute the playbook
-p project Name of the project to run the playbook from
-r Search for requirements.yml and update roles/collections
-s Make Ansible's output sparse
-v Verify Ansible roles before running playbook, see README.md
-h This text
By default, this script will attempt to exclusively lock the playbook that is executed.
This is to prevent multiple runs of the same playbook at once.
The script supports Bitwarden/Vaultwarden, see README for more details.
NOTE: You can override the scripts default settings in ~/.runansible.conf
"
BRANCH=$DEFAULT_BRANCH
GALAXY_OPTS=''
while getopts "Ab:cCghi:lmnp:rsv" opt; do
case ${opt} in
A)
DISABLE_EXTENDED_ARA_INFO=true
ARA_API_SERVER=http://noara.example.com
;;
b)
BRANCH="$OPTARG"
SWITCH_BRANCHES=true
;;
c)
GALAXY_OPTS='-c'
;;
C)
CLEAR_CACHE=true
;;
g)
UPDATE_GIT=true
;;
h)
echo -e "$usage"
exit 0
;;
i)
INVENTORY="${INVENTORY} -i $OPTARG"
;;
l)
IGNORE_LOCK=true
;;
m)
SEND_MAIL=true
;;
n)
USE_NAVIGATOR=true
;;
p)
PROJECT="$OPTARG"
;;
r)
UPDATE_ROLES=true
;;
s)
export ANSIBLE_DISPLAY_FAILED_STDERR=true
export ANSIBLE_DISPLAY_OK_HOSTS=false
export ANSIBLE_DISPLAY_SKIPPED_HOSTS=false
export SPARSE=true
;;
v)
export VERIFY_ROLES=true
;;
esac
done
shift $[$OPTIND -1]
PLAYBOOK=$1
shift 1
[ -z "$PROJECT" ] || [ -z "$PLAYBOOK" ] && echo "$usage" && exit 1
if [ ! -d "$PROJECTDIR/$PROJECT" ]
then
echo "ERROR: Project does not exist!"
exit 1
fi
cd $PROJECTDIR/$PROJECT
if test -f .bitwarden.gpg
then
# Export bitwarden envvars
$(cat .bitwarden.gpg | gpg -qd)
bw config server $BW_SERVER
bw login --apikey
export BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw)
fi
test -f $ANSIBLE_VAULT_PASSWORD_FILE && export ANSIBLE_VAULT_PASSWORD_FILE
if $CLEAR_CACHE
then
rm -f $PROJECTDIR/$PROJECT/cache/*
fi
# check for update_checkout and use that if it's present
if $UPDATE_GIT
then
if ! $SWITCH_BRANCHES
then
unset BRANCH
fi
if [ -x scripts/update_checkout.sh ]
then
if $SPARSE
then
scripts/update_checkout.sh $BRANCH > /dev/null 2>&1
else
scripts/update_checkout.sh $BRANCH
fi
else
if $SPARSE
then
git pull >/dev/null 2>&1
else
git pull
fi
fi
fi
# Check if we can run with navigator when requested
if $USE_NAVIGATOR && test ! -f ansible-navigator.yml
then
echo 'ERROR: Requested the use of ansible-navigator, but no configuration was found!'
echo 'Please configure ansible-navigator.yml'
exit 1
fi
if [ ! -f "$PLAYBOOKDIR/$PLAYBOOK" ]
then
echo "ERROR: Playbook does not exist!"
exit 1
fi
if $UPDATE_ROLES
then
ANSIBLE_VER=$(ansible --version | head -n1 | cut -d' ' -f2)
if [ "$(printf "2.10.0\n$ANSIBLE_VER" | sort -V | head -n 1)" == "2.10.0" ]
then
OLD_ANSIBLE=false
fi
REQUIREMENTS=$(find . -name requirements.yml -not -path './collections/*' -not -path './roles/*/*' -print | sed 's/^/-r /' | xargs)
if [ -n "$REQUIREMENTS" ]
then
if $SPARSE
then
ansible-galaxy install $GALAXY_OPTS --ignore-errors -f $REQUIREMENTS >/dev/null 2>&1
$OLD_ANSIBLE && ansible-galaxy collection install $GALAXY_OPTS --ignore-errors -f $REQUIREMENTS >/dev/null 2>&1
else
ansible-galaxy install $GALAXY_OPTS --ignore-errors -f $REQUIREMENTS | grep -Ev '[Dd]ownloading|changing|extracting|Installing|Process'
$OLD_ANSIBLE && ansible-galaxy collection install $GALAXY_OPTS --ignore-errors -f $REQUIREMENTS | grep -Ev '[Dd]ownloading|changing|extracting|Installing|Process'
fi
fi
fi
if $SWITCH_BRANCHES
then
git checkout $BRANCH >/dev/null 2>&1
fi
if $IGNORE_LOCK
then
echo "WARNING: Ignoring locking and starting concurrent run
Current active branch: $(git branch 2> /dev/null | sed -e '/^[^*]/d' -e 's/* \(.*\)/\1/')
"
LOCK_CMD=""
fi
# Generate temporary ephemeral playbook, add extra plays and execute
> $PLAYBOOKDIR/.$$.$PLAYBOOK
if $VERIFY_ROLES
then
cat $ANSIBLEUTILSDIR/role_verify.yml >> $PLAYBOOKDIR/.$$.$PLAYBOOK
fi
if ! $DISABLE_EXTENDED_ARA_INFO
then
cat $ANSIBLEUTILSDIR/ara_info.yml >> $PLAYBOOKDIR/.$$.$PLAYBOOK
fi
cat $PLAYBOOKDIR/$PLAYBOOK >> $PLAYBOOKDIR/.$$.$PLAYBOOK
if $SEND_MAIL -a ! $DISABLE_EXTENDED_ARA_INFO
then
cat $ANSIBLEUTILSDIR/ara_report.yml >> $PLAYBOOKDIR/.$$.$PLAYBOOK
fi
sed -i 's/^---$//' $PLAYBOOKDIR/.$$.$PLAYBOOK
# Prepare for using navigator
if $USE_NAVIGATOR
then
if test -x $ANSIBLE_VAULT_PASSWORD_FILE
then
export ANSIBLE_VAULT_PASSWORD=$(./$ANSIBLE_VAULT_PASSWORD_FILE)
else
export ANSIBLE_VAULT_PASSWORD=$(cat $ANSIBLE_VAULT_PASSWORD_FILE)
fi
ANSIBLE_COMMAND="ansible-navigator run"
else
ANSIBLE_COMMAND="ansible-playbook"
fi
if ! $DISABLE_EXTENDED_ARA_INFO
then
ARA_PLAYBOOK_NAME="'$PROJECT - $(git branch 2> /dev/null | sed -e '/^[^*]/d' -e 's/* \(.*\)/\1/') - $PLAYBOOK'"
$LOCK_CMD $ANSIBLE_COMMAND $PLAYBOOKDIR/.$$.$PLAYBOOK $INVENTORY -e ara_report_url="$ARA_REPORT_URL" -e ara_report_mail="$ARA_MAIL" -e ara_report_location="/tmp/$$_report" -e ara_playbook_dir="$PROJECTDIR/$PROJECT/$PLAYBOOKDIR" -e ara_playbook_name="$ARA_PLAYBOOK_NAME" --diff "$@"
else
$LOCK_CMD $ANSIBLE_COMMAND $INVENTORY --diff $PLAYBOOKDIR/.$$.$PLAYBOOK "$@"
fi
rm $PLAYBOOKDIR/.$$.$PLAYBOOK
if [ $? -eq 66 ]
then
echo "ERROR: Unable to acquire lock
Project: $PROJECT
Playbook: $PLAYBOOK
Current active branch: $(git branch 2> /dev/null | sed -e '/^[^*]/d' -e 's/* \(.*\)/\1/')
Please try again later..."
fi
if $SWITCH_BRANCHES
then
git checkout $DEFAULT_BRANCH >/dev/null 2>&1
fi