Encrypt using ansible-vault with packer - ansible

I have a Jenkins pipeline which does:
jenkins --> packer --> ansible configs --> create AWS AMI.
In the Ansible var files, I have an Artifactory API key. When I create the Jenkins pipeline, how can I encrypt this?
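One way to wire this up, as an added example that is not part of the original question: the key is vault-encrypted once and committed as ciphertext, and the vault password reaches Packer's Ansible provisioner only at build time from a Jenkins credential. The credential id, the variable names, the template file name and the artifactory_api_key variable are assumptions.

```groovy
// Added example, not from the original question. Assumptions (hypothetical names):
//  - the key was encrypted once, outside Jenkins, with
//      ansible-vault encrypt_string --ask-vault-pass 'THE_KEY' --name artifactory_api_key
//    and the resulting "!vault |" block pasted into group_vars/all.yml,
//    so the repo only ever holds ciphertext
//  - the vault password is a Jenkins "Secret file" credential with id 'ansible-vault-ami'
//  - the Packer template ami.pkr.hcl declares variable "vault_pass_file" and its
//    ansible provisioner sets extra_arguments = ["--vault-password-file", var.vault_pass_file]
pipeline {
    agent any
    stages {
        stage('Build AMI') {
            steps {
                // withCredentials writes the password to a temporary file that exists
                // only inside this block; the path is exposed as $VAULT_PASS_FILE.
                withCredentials([file(credentialsId: 'ansible-vault-ami', variable: 'VAULT_PASS_FILE')]) {
                    // Single-quoted Groovy string: Groovy does not interpolate $VAULT_PASS_FILE,
                    // the shell expands it, so the value never lands in the pipeline script.
                    sh '''
                        set -eu
                        # Guard: fail the build if artifactory_api_key is stored as a plain value
                        # anywhere under group_vars/ or host_vars/ (an encrypted value starts with !vault).
                        if grep -rsE '^[[:space:]]*artifactory_api_key:[[:space:]]*[^![:space:]]' group_vars host_vars; then
                            echo "artifactory_api_key is stored in clear text; encrypt it with ansible-vault" >&2
                            exit 1
                        fi
                        packer init ami.pkr.hcl
                        packer build -var "vault_pass_file=$VAULT_PASS_FILE" ami.pkr.hcl
                    '''
                }
            }
        }
    }
    post {
        always { deleteDir() }   // do not leave rendered vars or build output on the agent
    }
}
```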

Related

How to do ssh to an ec2 server using Jenkins pipeline with pem file

I am trying to ssh to an EC2 instance through a Jenkins pipeline, using a pem file present on my local system, but I am unable to connect to the EC2 instance.
ssh command:
    ssh -i test.pem -o StrictHostKeyChecking=no ubuntu@ip -p22
I am able to connect to the AWS instance from my local machine. I am running the Jenkins pipeline on the master node only. Is there any issue with the user of the pem file, as the username for the pem file is ubuntu, not jenkins?

I was able to resolve this issue by installing the SSH Agent plugin in Jenkins. After installing the SSH Agent plugin, we need to configure the server details under Manage Jenkins -> Manage Credentials. Here we need to give the host name, user and passkey, which would be your pem file.
While adding the ssh agent into your Jenkins pipeline script, one can follow the approach below.
    sshagent(credentials : ['id_name_added_underManageCredential']) {
        sh "ssh command"
    }

Can ansible vault encrypt values in plugin configuration files?

I'm writing a dynamic inventory plugin for Ansible which pulls device info from an API and adds it to the inventory. To configure my plugin, I need a username and password for the service, which I retrieve from my plugin configuration YAML file.
plugin_conf.yaml:
    plugin: my_inventory_plugin
    host_location: api.example.com
    port: 443
    user: some_user
    password: some_pass
Since storing credentials in a file under version control is bad, does Ansible Vault support encrypting values stored in a plugin configuration file?
i.e. can the user of my plugin do something like
    plugin: my_inventory_plugin
    host_location: api.example.com
    port: 443
    user: !vault |
        $FOO;1.1;AES256
        blah blah
    password: !vault |
        $BAR;1.1;AES256
        something else
and, regardless of whether they use insecure plaintext or Ansible Vault, my plugin can still get the values using the self.get_option('user') method?

I tested it out myself and the answer is yes.
If the user encrypts a string using ansible-vault, setting the name of the secret using -n, they can use the variable name in my config file. No special handling is required in my plugin for plaintext credentials versus Ansible Vault credentials.

Running ansible on ec2 instance from gitlab runner without SSH key?

I have a GitLab runner whose job it is to:
a) Create IaC using Terraform (7 EC2 instances with a defined keypair).
b) Run an Ansible playbook that will need to SSH to all 7 instances and configure Kafka.
At the moment, I have automated part a. I then ssh to one of the instances using a private key, copy the Ansible code and the private key to the instance, and then execute the following command to run Ansible:
    ansible-playbook --private-key=/home/ec2-user/keyname.pem hosts.yml all.yml
This all works fine but obviously I want to automate running Ansible in a GitLab runner without having to store my private key on the Docker container or in the git repo.
I have briefly investigated SSM but don't really understand how that all works.
Note: I need the key for two purposes:
1. ssh into the first instance
2. referenced in hosts.yml so that the Ansible playbook can connect to all other instances
Thanks in advance everyone.
Cheers
Adam

Jenkins pipeline Docker agent from AWS ECR

I need to execute a Jenkins pipeline in Docker as an agent. The Docker image is located in AWS ECR. How can I authenticate to AWS ECR to pull the image for the agent?

    agent {
        docker {
            alwaysPull true
            image '<aws-account-Id>.dkr.ecr.us-west-2.amazonaws.com/<ecr-repo>:<tag>'
            registryUrl 'https://<aws-account-Id>.dkr.ecr.us-west-2.amazonaws.com'
            registryCredentialsId 'ecr:us-west-2:<Jenkins Credential ID>'
        }
    }
To use an image from an AWS ECR repo as an agent in Jenkins, first you need to add credentials of kind AWS Credentials.
Now just use the above code in the agent block of your pipeline code.
Make sure to replace:
<aws-account-Id> with your AWS Account Id.
<ecr-repo> with the ECR repo name.
<tag> with the ECR image tag you want to use.
<Jenkins Credential ID> with the Jenkins credentials Id you got when you saved the credentials in Jenkins.
us-west-2 with your ECR repo region.
You can use https://<jenkins.url>/directive-generator/ to get this code generated for you.

You can try this:
    agent {
        docker {
            label "buildDockerNode"
            image "nodejs10-test-v1"
            alwaysPull true
            registryUrl "*aws_account_id*.dkr.ecr.us-west-2.amazonaws.com/*project*"
            registryCredentialsId "ecr:us-west-2:*cred_id*"
        }
    }

According to this page https://aws.amazon.com/blogs/compute/authenticating-amazon-ecr-repositories-for-docker-cli-with-credential-helper/ something like the following should work:
    sh """#!/bin/bash
    docker login -u=${USER} -p=${PASS} https://aws_account_id.dkr.ecr.us-east-1.amazonaws.com
    """

This means you need an authorization token before pulling the image from ECR, which means you also need to install the AWS CLI on the Jenkins server. The best way is to assign a role and run the command below in your pipeline to get the authorization token; if that is complicated, then use the ECR plugin below.
Before it can push and pull images, the Docker client must authenticate to Amazon ECR registries as an AWS user. The AWS CLI get-login command provides you with authentication credentials to pass to Docker. For more information, see Registry Authentication.
Use JENKINS/Amazon+ECR.
Note: to create the token automatically based on the AWS registry, you can run this command in your Jenkinsfile before the pull:
    $(aws ecr get-login --no-include-email --region us-west-2)
And for how to execute a Jenkins pipeline in Docker as an agent, refer to this link.

Ansible - ELB - EC2

I am new to Ansible. I am using Ansible to add the instances created by an ELB (my AWS will create instances for the ELB) to the Ansible hosts file and access the instances from the Ansible server. From a Linux machine, I use a jumpbox and a .pem key to access the EC2 instance. How will I do this in Ansible?

You should be able to pass in the flag --private-key=. You will probably also want to use -u ec2-user to instruct Ansible to log in as the correct user.
