ansible: add cloudflare-deploy role

Author: MoLow

ansible/playbooks/jenkins/worker/create.yml

@@ -55,6 +55,23 @@
 
   environment: '{{remote_env}}'
 
+
+- hosts:
+  - release
+  gather_facts: yes
+
+  roles:
+    - role: cloudflare-deploy
+      release_home_dir: "{{ home }}/{{ server_user }}"
+
+  pre_tasks:
+    - name: release check if secret is properly set
+      fail:
+      failed_when: not secret
+
+  environment: '{{remote_env}}'
+
+
 #
 # Set up Jenkins Workspace servers
 #

ansible/roles/cloudflare-deploy/files/worker_config

@@ -0,0 +1 @@
+[profile worker]

ansible/roles/cloudflare-deploy/meta/argument_specs.yml

@@ -0,0 +1,10 @@
+---
+
+argument_specs:
+  main:
+    short_description: Set up specific to hosts that build releases.
+    options:
+      release_home_dir:
+        description: The user's HOME directory.
+        required: yes
+        type: str

ansible/roles/cloudflare-deploy/meta/main.yml

@@ -0,0 +1,6 @@
+---
+
+dependencies:
+  - role: read-secrets
+  - role: user-create
+    when: not os|startswith("win")

ansible/roles/cloudflare-deploy/tasks/main.yml

@@ -0,0 +1,15 @@
+---
+
+# Set up release hosts to be able to upload to clouflare.
+# Requires access to the secrets repository. User should have already
+# been prompted for GPG credentials during the inventory load.
+
+- name: run os-specific deploy
+  include: "{{ deploy_include }}"
+  loop_control:
+    loop_var: deploy_include
+  with_first_found:
+    - files:
+      - "{{ role_path }}/tasks/partials/{{ os|stripversion }}.yml"
+      - "{{ role_path }}/tasks/partials/default.yml"
+      skip: true

ansible/roles/cloudflare-deploy/tasks/partials/default.yml

@@ -0,0 +1,46 @@
+---
+
+- name: create .aws directory
+  ansible.builtin.file:
+    dest: "{{ release_home_dir }}/.aws"
+    owner: "{{ server_user }}"
+    group: "{{ server_user }}"
+    state: directory
+  
+- name: copy credentials to deploy release artifacts
+  ansible.builtin.copy:
+    content: "{{ secrets.worker_credentials }}"
+    dest: "{{ release_home_dir }}/.aws/credentials"
+    owner: "{{ server_user }}"
+    group: "{{ server_user }}"
+
+- name: write worker_config
+  ansible.builtin.copy:
+    dest: "{{ release_home_dir }}/.aws/config"
+    src: "{{ role_path }}/files/worker_config"
+    owner: "{{ server_user }}"
+    group: "{{ server_user }}"
+  when: not os|startswith("win")
+
+
+# https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
+- name: Download awscliv2 installer
+  unarchive:
+    src: "https://awscli.amazonaws.com/awscli-exe-linux-{{ ansible_architecture }}.zip"
+    dest: "/tmp"
+    remote_src: true
+    creates: '/tmp/aws'
+    mode: 0755
+
+- name: Run awscliv2 installer
+  command:
+  args:
+    cmd: "/tmp/aws/install"
+    creates: /usr/local/bin/aws
+  become: true
+  register: aws_install
+
+- name: "Show awscliv2 installer output"
+  debug:
+    var: aws_install
+    verbosity: 2

ansible/roles/cloudflare-deploy/tasks/partials/macos.yml

@@ -0,0 +1,28 @@
+---
+
+- name: create .aws directory
+  ansible.builtin.file:
+    dest: "{{ release_home_dir }}/.aws"
+    owner: "{{ server_user }}"
+    group: "{{ server_user }}"
+    state: directory
+  
+- name: copy credentials to deploy release artifacts
+  ansible.builtin.copy:
+    content: "{{ secrets.worker_credentials }}"
+    dest: "{{ release_home_dir }}/.aws/credentials"
+    owner: "{{ server_user }}"
+    group: "{{ server_user }}"
+
+- name: write worker_config
+  ansible.builtin.copy:
+    dest: "{{ release_home_dir }}/.aws/config"
+    src: "{{ role_path }}/files/worker_config"
+    owner: "{{ server_user }}"
+    group: "{{ server_user }}"
+  when: not os|startswith("win")
+
+
+- name: install awscli
+  community.general.homebrew: name="awscli" state=present
+  become_user: "{{ ansible_user }}"

ansible/roles/cloudflare-deploy/tasks/partials/win.yml

@@ -0,0 +1,19 @@
+---
+
+- name: create .aws directory
+  win_file:
+    path: '{{ansible_facts["env"]["USERPROFILE"]}}\.aws'
+    state: directory
+
+- name: copy credentials to deploy release artifacts
+  win_copy:
+    content: "{{ secrets.worker_credentials }}"
+    dest: '{{ansible_facts["env"]["USERPROFILE"]}}\.aws\credentials'
+
+- name: write worker_config
+  win_copy:
+    dest: '{{ansible_facts["env"]["USERPROFILE"]}}\.aws\config'
+    src: "{{ role_path }}/files/worker_config"
+
+- name: install AWS CLI
+  win_chocolatey: name=awscli

ansible/roles/read-secrets/tasks/partials/release.yml

@@ -12,3 +12,4 @@
   with_items:
     - { 'key': 'staging_key', 'file': "staging_id_rsa_private.key" }
     - { 'key': 'known_hosts', 'file': "known_hosts" }
+    - { 'key': 'worker_credentials', 'file': "release-cloudflare-worker-credentials" }