chore: clean packer user

Cosmian · Jun 16, 2024 · cc02588 · cc02588
1 parent 43dcb23
commit cc02588
Show file tree

Hide file tree

Showing 9 changed files with 58 additions and 3 deletions.
diff --git a/.github/scripts/azure-new-instance.sh b/.github/scripts/azure-new-instance.sh
@@ -37,6 +37,8 @@ else
     IMAGE_NAME="redhat:rhel-cvm:9_3_cvm_sev_snp:latest"
   fi
 
+  IMAGE_NAME="/subscriptions/e04f52be-d51f-43fe-95f8-d63a8fc91464/resourceGroups/packer-snp/providers/Microsoft.Compute/galleries/cosmian_packer/images/base-image-${DISTRIB}-${TECHNO}/versions/0.1.5"
+
   az vm create -g packer-snp -n "$NAME" \
     --image "$IMAGE_NAME" \
     --security-type ConfidentialVM \

diff --git a/.github/workflows/aws_ansible.yml b/.github/workflows/aws_ansible.yml
@@ -114,7 +114,7 @@ jobs:
           for i in {1..1}
           do
             echo "Iteration: $i"
-            ansible-playbook ${{ inputs.product }}-playbook.yml -i ${IP_ADDR}, -u $SSH_USER --private-key="$HOME/packer.pem" -e cosmian_vm_version=$COSMIAN_VM_VERSION -e cosmian_kms_version=${{ inputs.kms-version }} -e cosmian_ai_runner_version=${{ inputs.ai-runner-version }} -e '{ "check_app_test_reboot": false, "check_cosmian_vm_test_reboot": false, "reboot_allowed": false }' --tags playbook-base-image,playbook-${{ inputs.product }},check-${{ inputs.product }}
+            ansible-playbook ${{ inputs.product }}-playbook.yml -i ${IP_ADDR}, -u $SSH_USER --private-key="$HOME/packer.pem" -e cosmian_vm_version=$COSMIAN_VM_VERSION -e cosmian_kms_version=${{ inputs.kms-version }} -e cosmian_ai_runner_version=${{ inputs.ai-runner-version }} -e '{ "check_app_test_reboot": false, "check_cosmian_vm_test_reboot": false, "reboot_allowed": false }' --tags playbook-base-image,playbook-${{ inputs.product }},check-${{ inputs.product }} --skip-tags role-cleanup
           done
 
       - name: Stop and delete AWS instance

diff --git a/.github/workflows/azure_ansible.yml b/.github/workflows/azure_ansible.yml
@@ -110,7 +110,7 @@ jobs:
           for i in {1..1}
           do
             echo "Iteration: $i"
-            ansible-playbook ${{ inputs.product }}-playbook.yml -i ${IP_ADDR}, -u cosmian -e cosmian_vm_version=$COSMIAN_VM_VERSION -e cosmian_kms_version=${{ inputs.kms-version }} -e cosmian_ai_runner_version=${{ inputs.ai-runner-version }}
+            ansible-playbook ${{ inputs.product }}-playbook.yml -i ${IP_ADDR}, -u cosmian -e cosmian_vm_version=$COSMIAN_VM_VERSION -e cosmian_kms_version=${{ inputs.kms-version }} -e cosmian_ai_runner_version=${{ inputs.ai-runner-version }} --skip-tags role-cleanup
           done
 
       - name: Stop and delete Azure instance

diff --git a/.github/workflows/gcp_ansible.yml b/.github/workflows/gcp_ansible.yml
@@ -146,7 +146,7 @@ jobs:
           for i in {1..1}
           do
             echo "Iteration: $i"
-            ansible-playbook ${{ inputs.product }}-playbook.yml -i ${IP_ADDR}, -u cosmian -e cosmian_vm_version=$COSMIAN_VM_VERSION -e cosmian_kms_version=${{ inputs.kms-version }} -e cosmian_ai_runner_version=${{ inputs.ai-runner-version }}
+            ansible-playbook ${{ inputs.product }}-playbook.yml -i ${IP_ADDR}, -u cosmian -e cosmian_vm_version=$COSMIAN_VM_VERSION -e cosmian_kms_version=${{ inputs.kms-version }} -e cosmian_ai_runner_version=${{ inputs.ai-runner-version }} --skip-tags role-cleanup
           done
 
       - name: Stop and delete GCP instance

diff --git a/ansible/ai-runner-packer-playbook.yml b/ansible/ai-runner-packer-playbook.yml
@@ -7,3 +7,5 @@
   become: true
   roles:
     - ai_runner
+    - role: cleanup
+      tags: role-cleanup
diff --git a/ansible/base-image-packer-playbook.yml b/ansible/base-image-packer-playbook.yml
@@ -44,3 +44,10 @@
         - name: Display Security updates
           ansible.builtin.debug:
             var: dnf_security_update
+
+- name: Clean base image
+  hosts: all
+  become: true
+  roles:
+    - role: cleanup
+      tags: role-cleanup
diff --git a/ansible/cosmian-vm-packer-playbook.yml b/ansible/cosmian-vm-packer-playbook.yml
@@ -6,3 +6,5 @@
     - check_cpu
     - role: cosmian_vm_agent
       tags: role_cosmian_vm_agent
+    - role: cleanup
+      tags: role-cleanup
diff --git a/ansible/kms-packer-playbook.yml b/ansible/kms-packer-playbook.yml
@@ -7,3 +7,5 @@
   become: true
   roles:
     - kms
+    - role: cleanup
+      tags: role-cleanup
diff --git a/ansible/roles/cleanup/tasks/main.yml b/ansible/roles/cleanup/tasks/main.yml
@@ -0,0 +1,40 @@
+---
+# tasks file for ansible/roles/cleanup
+
+- name: Find all authorized_keys files
+  ansible.builtin.find:
+    paths:
+      - /home
+      - /root
+    recurse: true
+    patterns: authorized_keys
+  register: authorized_keys
+
+- name: Display authorized_keys
+  ansible.builtin.debug:
+    var: authorized_keys
+
+- name: Remove found authorized_keys files
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: absent
+  loop: "{{ authorized_keys.files }}"
+  when: authorized_keys.matched > 0
+
+- name: Find all authorized_keys files
+  ansible.builtin.find:
+    paths:
+      - /home
+      - /root
+    recurse: true
+    patterns: authorized_keys
+  register: authorized_keys
+
+- name: Display authorized_keys authorized_keys
+  ansible.builtin.debug:
+    var: authorized_keys
+
+- name: Fail if authorized_keys files are found
+  ansible.builtin.fail:
+    msg: "authorized_keys files found in the system!"
+  when: authorized_keys.matched > 0