From f0b987ce6254482bce7cd9d2e30d06b51d70e669 Mon Sep 17 00:00:00 2001 From: Emmanuel Coste Date: Sun, 16 Jun 2024 06:58:33 +0200 Subject: [PATCH] ci: let packer remove ssh authorized keys --- .github/workflows/aws_ansible.yml | 2 +- .github/workflows/azure_ansible.yml | 2 +- .github/workflows/gcp_ansible.yml | 2 +- ansible/ai-runner-packer-playbook.yml | 2 - ansible/base-image-packer-playbook.yml | 7 --- ansible/cosmian-vm-packer-playbook.yml | 2 - ansible/kms-packer-playbook.yml | 2 - ansible/roles/cleanup/tasks/main.yml | 78 -------------------------- packer/aws.pkr.hcl | 21 +++---- packer/azure.pkr.hcl | 3 + packer/gcp.pkr.hcl | 27 ++++----- 11 files changed, 31 insertions(+), 117 deletions(-) delete mode 100644 ansible/roles/cleanup/tasks/main.yml diff --git a/.github/workflows/aws_ansible.yml b/.github/workflows/aws_ansible.yml index 9c2433d9..90d60bfc 100644 --- a/.github/workflows/aws_ansible.yml +++ b/.github/workflows/aws_ansible.yml 
@@ -114,7 +114,7 @@ jobs: for i in {1..1} do echo "Iteration: $i" - ansible-playbook ${{ inputs.product }}-playbook.yml -i ${IP_ADDR}, -u $SSH_USER --private-key="$HOME/packer.pem" -e cosmian_vm_version=$COSMIAN_VM_VERSION -e cosmian_kms_version=${{ inputs.kms-version }} -e cosmian_ai_runner_version=${{ inputs.ai-runner-version }} -e '{ "check_app_test_reboot": false, "check_cosmian_vm_test_reboot": false, "reboot_allowed": false }' --tags playbook-base-image,playbook-${{ inputs.product }},check-${{ inputs.product }} --skip-tags role-cleanup + ansible-playbook ${{ inputs.product }}-playbook.yml -i ${IP_ADDR}, -u $SSH_USER --private-key="$HOME/packer.pem" -e cosmian_vm_version=$COSMIAN_VM_VERSION -e cosmian_kms_version=${{ inputs.kms-version }} -e cosmian_ai_runner_version=${{ inputs.ai-runner-version }} -e '{ "check_app_test_reboot": false, "check_cosmian_vm_test_reboot": false, "reboot_allowed": false }' --tags playbook-base-image,playbook-${{ inputs.product }},check-${{ inputs.product }} done - name: Stop and delete AWS instance diff --git a/.github/workflows/azure_ansible.yml b/.github/workflows/azure_ansible.yml index 2ea7925c..452947a0 100644 --- a/.github/workflows/azure_ansible.yml +++ b/.github/workflows/azure_ansible.yml @@ -110,7 +110,7 @@ jobs: for i in {1..1} do echo "Iteration: $i" - ansible-playbook ${{ inputs.product }}-playbook.yml -i ${IP_ADDR}, -u cosmian -e cosmian_vm_version=$COSMIAN_VM_VERSION -e cosmian_kms_version=${{ inputs.kms-version }} -e cosmian_ai_runner_version=${{ inputs.ai-runner-version }} --skip-tags role-cleanup + ansible-playbook ${{ inputs.product }}-playbook.yml -i ${IP_ADDR}, -u cosmian -e cosmian_vm_version=$COSMIAN_VM_VERSION -e cosmian_kms_version=${{ inputs.kms-version }} -e cosmian_ai_runner_version=${{ inputs.ai-runner-version }} done - name: Stop and delete Azure instance diff --git a/.github/workflows/gcp_ansible.yml b/.github/workflows/gcp_ansible.yml index 35954045..1270ad49 100644 
--- a/.github/workflows/gcp_ansible.yml +++ b/.github/workflows/gcp_ansible.yml @@ -146,7 +146,7 @@ jobs: for i in {1..1} do echo "Iteration: $i" - ansible-playbook ${{ inputs.product }}-playbook.yml -i ${IP_ADDR}, -u cosmian -e cosmian_vm_version=$COSMIAN_VM_VERSION -e cosmian_kms_version=${{ inputs.kms-version }} -e cosmian_ai_runner_version=${{ inputs.ai-runner-version }} --skip-tags role-cleanup + ansible-playbook ${{ inputs.product }}-playbook.yml -i ${IP_ADDR}, -u cosmian -e cosmian_vm_version=$COSMIAN_VM_VERSION -e cosmian_kms_version=${{ inputs.kms-version }} -e cosmian_ai_runner_version=${{ inputs.ai-runner-version }} done - name: Stop and delete GCP instance diff --git a/ansible/ai-runner-packer-playbook.yml b/ansible/ai-runner-packer-playbook.yml index 9cf7df25..335ae057 100644 --- a/ansible/ai-runner-packer-playbook.yml +++ b/ansible/ai-runner-packer-playbook.yml @@ -7,5 +7,3 @@ become: true roles: - ai_runner - - role: cleanup - tags: role-cleanup diff --git a/ansible/base-image-packer-playbook.yml b/ansible/base-image-packer-playbook.yml index 9590e8b7..7a6d7a24 100644 --- a/ansible/base-image-packer-playbook.yml +++ b/ansible/base-image-packer-playbook.yml @@ -44,10 +44,3 @@ - name: Display Security updates ansible.builtin.debug: var: dnf_security_update - -- name: Clean base image - hosts: all - become: true - roles: - - role: cleanup - tags: role-cleanup diff --git a/ansible/cosmian-vm-packer-playbook.yml b/ansible/cosmian-vm-packer-playbook.yml index 1a3da22f..751ec37e 100644 --- a/ansible/cosmian-vm-packer-playbook.yml +++ b/ansible/cosmian-vm-packer-playbook.yml @@ -6,5 +6,3 @@ - check_cpu - role: cosmian_vm_agent tags: role_cosmian_vm_agent - - role: cleanup - tags: role-cleanup diff --git a/ansible/kms-packer-playbook.yml b/ansible/kms-packer-playbook.yml index 3ab19af1..bc1601bb 100644 --- a/ansible/kms-packer-playbook.yml +++ b/ansible/kms-packer-playbook.yml @@ -7,5 +7,3 @@ become: true roles: - kms - - role: cleanup - tags: role-cleanup 
diff --git a/ansible/roles/cleanup/tasks/main.yml b/ansible/roles/cleanup/tasks/main.yml deleted file mode 100644 index ef18e9aa..00000000 --- a/ansible/roles/cleanup/tasks/main.yml +++ /dev/null 
@@ -1,78 +0,0 @@ ---- -# tasks file for ansible/roles/kms - -- name: Check OS distribution - ansible.builtin.debug: - var: ansible_distribution - -- name: Find all authorized_keys files - ansible.builtin.find: - paths: - - /home - - /root - recurse: true - patterns: authorized_keys - register: authorized_keys - -- name: Display authorized_keys - ansible.builtin.debug: - var: authorized_keys - -- name: Remove found authorized_keys files - ansible.builtin.file: - path: "{{ item.path }}" - state: absent - loop: "{{ authorized_keys.files }}" - when: authorized_keys.matched > 0 - -- name: Find all authorized_keys files - ansible.builtin.find: - paths: - - /home - - /root - recurse: true - patterns: authorized_keys - register: authorized_keys - -- name: Display authorized_keys authorized_keys - ansible.builtin.debug: - var: authorized_keys - -- name: Find immediate subdirectories in /home - ansible.builtin.find: - paths: /home - file_type: directory - recurse: false - register: home_subdirs - -- name: Display usernames with home directories - ansible.legacy.debug: - var: users_with_home_dirs - -- name: Extract usernames from home directories - ansible.builtin.set_fact: - users_with_home_dirs: "{{ home_subdirs.files | map(attribute='path') | map('basename') | list }}" - -- name: Display usernames with home directories - ansible.legacy.debug: - var: users_with_home_dirs - -- name: Remove non-essential users - ansible.builtin.user: - name: "{{ item }}" - state: absent - remove: true - force: true - with_items: "{{ users_with_home_dirs }}" - -- name: Check immediate subdirectories in /home - ansible.builtin.find: - paths: /home - file_type: directory - recurse: false - register: home_subdirs - changed_when: home_subdirs != 0 - -- name: Display usernames with home directories - ansible.legacy.debug: - var: users_with_home_dirs diff --git a/packer/aws.pkr.hcl b/packer/aws.pkr.hcl index bb4fe3b0..0847afa7 100644 --- a/packer/aws.pkr.hcl +++ b/packer/aws.pkr.hcl 
@@ -12,16 +12,17 @@ packer { } source "amazon-ebssurrogate" "TEMPLATE_DISTRIBUTION" { - source_ami = "TEMPLATE_SOURCE_AMI" - region = "eu-west-1" - ssh_username = "TEMPLATE_SSH_USERNAME" - ami_name = "TEMPLATE_IMAGE_NAME" - instance_type = "c6a.2xlarge" - ssh_timeout = "5m" - ami_virtualization_type = "hvm" - ena_support = true - tpm_support = "TEMPLATE_SUPPORT" - boot_mode = "uefi" + ssh_username = "TEMPLATE_SSH_USERNAME" + ssh_timeout = "5m" + ssh_clear_authorized_keys = true + source_ami = "TEMPLATE_SOURCE_AMI" + region = "eu-west-1" + ami_name = "TEMPLATE_IMAGE_NAME" + instance_type = "c6a.2xlarge" + ami_virtualization_type = "hvm" + ena_support = true + tpm_support = "TEMPLATE_SUPPORT" + boot_mode = "uefi" launch_block_device_mappings { volume_type = "gp3" diff --git a/packer/azure.pkr.hcl b/packer/azure.pkr.hcl index 3297b161..6f9eff20 100644 --- a/packer/azure.pkr.hcl +++ b/packer/azure.pkr.hcl @@ -12,6 +12,9 @@ packer { } source "azure-arm" "TEMPLATE_DISTRIBUTION" { + ssh_username = "root" + ssh_timeout = "5m" + ssh_clear_authorized_keys = true client_id = "TEMPLATE_CLIENT_ID" tenant_id = "TEMPLATE_TENANT_ID" subscription_id = "TEMPLATE_SUBSCRIPTION_ID" diff --git a/packer/gcp.pkr.hcl b/packer/gcp.pkr.hcl index 79ff0ef9..1bf073fd 100644 --- a/packer/gcp.pkr.hcl +++ b/packer/gcp.pkr.hcl 
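Review bot: `ssh_clear_authorized_keys = true` on the new third line of the `amazon-ebssurrogate` source only removes the temporary key Packer itself injected for `TEMPLATE_SSH_USERNAME` (and `/root`); Packer documents it as a mostly cosmetic option, so keys already present in `TEMPLATE_SOURCE_AMI` or left under `/home/*/.ssh` by provisioning stay in the published AMI. The `cleanup` role deleted in this same commit swept every `authorized_keys` under `/home` and `/root` and removed every user with a home directory, so this is a narrowing of the image scrub, not a replacement. If the wider sweep is still wanted, a final shell provisioner such as `sudo find /home /root -name authorized_keys -type f -delete` restores the file part of it (the existing SSH session survives the deletion). At minimum the intent deserves a comment above the option: `# Only Packer's own temporary key is cleared; keys baked into the source AMI are not.`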
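Review bot: `ssh_username = "root"` is newly set on the `azure-arm` source, but the azure-arm builder uses `ssh_username` as the VM's OS-profile admin username and Azure lists `root` among its disallowed admin usernames, so VM creation is likely to be rejected — please confirm against a real build before merging. Before this change the builder fell back to its own generated temporary user, which is the path `ssh_clear_authorized_keys` is designed around; the azure_ansible workflow in this commit also connects to Azure test instances as `cosmian`, not `root`. If the goal is only to enable the key cleanup, dropping the `ssh_username` line (or using a non-reserved name, e.g. `ssh_username = "packer"`) keeps the previous working behaviour. The GCP source gets away with `root` because it goes through OS Login, which Azure has no equivalent of.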
@@ -12,19 +12,20 @@ packer { } source "googlecompute" "TEMPLATE_GOOGLE_COMPUTE" { - project_id = "cosmian-dev" - source_image = "TEMPLATE_SOURCE_IMAGE" - source_image_family = "TEMPLATE_SOURCE_FAMILY" - zone = "europe-west4-a" - ssh_username = "root" - ssh_timeout = "5m" - image_name = "TEMPLATE_IMAGE_NAME" - image_guest_os_features = ["TEMPLATE_OS_FEATURES"] - network = "default" - subnetwork = "default" - tags = ["ssh"] - use_os_login = true - wait_to_add_ssh_keys = "60s" + ssh_username = "root" + ssh_timeout = "5m" + ssh_clear_authorized_keys = true + project_id = "cosmian-dev" + source_image = "TEMPLATE_SOURCE_IMAGE" + source_image_family = "TEMPLATE_SOURCE_FAMILY" + zone = "europe-west4-a" + image_name = "TEMPLATE_IMAGE_NAME" + image_guest_os_features = ["TEMPLATE_OS_FEATURES"] + network = "default" + subnetwork = "default" + tags = ["ssh"] + use_os_login = true + wait_to_add_ssh_keys = "60s" } build {
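Review bot: With `use_os_login = true` on this `googlecompute` source, Packer registers its temporary key in the OS Login profile rather than writing it to `/root/.ssh/authorized_keys`, so the new `ssh_clear_authorized_keys = true` line has nothing to clear on this path (Packer removes the OS Login key itself at the end of the build, as far as its documentation states). It therefore does not stand in for the deleted `cleanup` role, which also swept `/home/*/.ssh/authorized_keys` and removed build users from the image. A comment would stop the next reader from assuming the image is scrubbed: `# OS Login holds the build key; this only clears file-based authorized_keys.` If file-based keys inherited from `TEMPLATE_SOURCE_IMAGE` must go, a final shell provisioner running `find /home /root -name authorized_keys -type f -delete` is needed; the `build` block opened on the hunk's last line continues outside it.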