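#!/usr/bin/env -S deno run --allow-env --allow-net --allow-run --allow-read --allow-write
import {
  BitwardenSession,
  getRequiredEnv,
  getStdout,
  type SecureNote,
} from "@liz-ci/utils";
import type { AnsiblePlaybookJobProps } from "@liz-ci/model";

/**
 * Runs Ansible playbooks inside `path` with secrets pulled from Bitwarden:
 *   - the `ansible_secrets` note is written to `secrets.yml` in `path` and
 *     handed to ansible-playbook as `-e @secrets.yml`;
 *   - the `ssh_key` note is written to a temporary file and loaded into a
 *     dedicated ssh-agent for the duration of the run.
 *
 * Required environment: `path` (playbook directory) and `playbooks`
 * (space-separated arguments appended to the ansible-playbook command).
 *
 * Cleanup in `finally` is best-effort: both secret files are removed, the
 * agent started here is killed, and the working directory is restored,
 * whichever step failed.
 */
const args: AnsiblePlaybookJobProps = {
  path: getRequiredEnv("path"),
  playbooks: getRequiredEnv("playbooks"),
};

const tempKeyFile = await Deno.makeTempFile();
const cwd = Deno.cwd();
const bitwardenSession = new BitwardenSession();

// Each of these is set only once the corresponding resource exists, so the
// cleanup below can tell what actually needs undoing.
let secretsFile: string | undefined;
let sshEnv: { SSH_AGENT_PID: string; SSH_AUTH_SOCK: string } | undefined;

try {
  Deno.chdir(args.path);

  const { notes: ansibleSecrets } = await bitwardenSession.getItem<SecureNote>(
    "ansible_secrets",
  );
  // Absolute path, because cleanup may run after the cwd has been restored.
  secretsFile = `${Deno.cwd()}/secrets.yml`;
  // Plaintext secrets: owner-only permissions when the file is created.
  await Deno.writeTextFile(secretsFile, ansibleSecrets, { mode: 0o600 });

  const { notes: privateKey } = await bitwardenSession.getItem<SecureNote>(
    "ssh_key",
  );
  // Write the key into the temp file and lock it down before ssh-add reads it.
  await Deno.writeTextFile(tempKeyFile, privateKey, { mode: 0o600 });
  await getStdout(["chmod", "600", tempKeyFile]);

  // Start a dedicated ssh-agent. `-s` prints shell syntax, so the two values
  // are extracted with regexes.
  const sshAgent = await getStdout(["ssh-agent", "-s"]);
  const readAgentVar = (regex: RegExp): string => {
    const val = sshAgent.match(regex)?.[1];
    if (!val) throw new Error("Failed to start ssh-agent");
    return val;
  };
  sshEnv = {
    SSH_AGENT_PID: readAgentVar(/SSH_AGENT_PID=(\d+)/),
    SSH_AUTH_SOCK: readAgentVar(/SSH_AUTH_SOCK=([^;]+)/),
  };

  await getStdout(["ssh-add", tempKeyFile], { env: sshEnv });

  await getStdout([
    "ansible-playbook",
    "-e",
    "@secrets.yml",
    // Drop empty entries produced by repeated spaces in `playbooks`.
    ...args.playbooks.split(" ").filter((p) => p.length > 0),
  ], { env: sshEnv });
} finally {
  // Best-effort: allSettled lets every step run even if one of them fails.
  await Promise.allSettled([
    // secrets.yml must not outlive the job; it was only ever written if
    // secretsFile is set.
    secretsFile ? Deno.remove(secretsFile) : Promise.resolve(),
    Deno.remove(tempKeyFile),
    // `ssh-agent -k` reads SSH_AGENT_PID from its environment to pick the
    // agent to kill, so it needs the env of the agent started above.
    sshEnv
      ? getStdout(["ssh-agent", "-k"], { env: sshEnv })
      : Promise.resolve(),
  ]);
  // Deno.chdir is synchronous; passing a bound function to allSettled (as
  // the previous version did) never invoked it, so the cwd was never restored.
  try {
    Deno.chdir(cwd);
  } catch (e: unknown) {
    console.error(`Failed to restore working directory ${cwd}:`, e);
  }
}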