feat: obfuscate ansible logs (#62)
moroine authored Jul 24, 2024
1 parent ce33cb7 commit d196432
Showing 6 changed files with 38 additions and 23 deletions.
4 changes: 2 additions & 2 deletions .bin/commands.sh
Expand Up @@ -79,10 +79,10 @@ function seed:apply() {
}

function deploy:log:encrypt() {
"${SCRIPT_DIR}/deploy-log-encrypt.sh" "$@"
(cd "$ROOT_DIR" && "${SCRIPT_DIR}/deploy-log-encrypt.sh" "$@")
}

function deploy:log:decrypt() {
"${SCRIPT_DIR}/deploy-log-decrypt.sh" "$@"
(cd "$ROOT_DIR" && "${SCRIPT_DIR}/deploy-log-decrypt.sh" "$@")
}
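Review bot: Both wrappers now `cd "$ROOT_DIR"` before dispatching, but nothing in the hunk guarantees ROOT_DIR is set; whether an empty value is caught depends on `set -u` at the top of commands.sh, which is outside the hunk. Making the requirement explicit at the call site avoids running the helper from an unintended directory: `(cd "${ROOT_DIR:?ROOT_DIR is not set}" && "${SCRIPT_DIR}/deploy-log-encrypt.sh" "$@")`, and the same for the decrypt wrapper. The `&&` already ensures the script is not executed when the cd fails.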

13 changes: 10 additions & 3 deletions .bin/scripts/deploy-log-decrypt.sh
Expand Up @@ -9,6 +9,13 @@ else
shift
fi

if [ -z "${1:-}" ]; then
read -p "Veuillez renseigner l'ID du job: " JOB_ID
else
readonly JOB_ID="$1"
shift
fi

if [[ -z "${ANSIBLE_VAULT_PASSWORD_FILE:-}" ]]; then
ansible_extra_opts+=("--vault-password-file" "${SCRIPT_DIR}/get-vault-password-client.sh")
else
Expand All @@ -24,10 +31,10 @@ delete_cleartext() {
trap delete_cleartext EXIT


rm -f /tmp/deploy_error.log.gpg
rm -f /tmp/deploy.log.gpg

gh run download "$RUN_ID" -n error-logs -D /tmp
gh run download "$RUN_ID" -n "logs-$JOB_ID" -D /tmp

ansible-vault view "${ansible_extra_opts[@]}" "$VAULT_FILE" | yq '.vault.SEED_GPG_PASSPHRASE' > "$PASSPHRASE"

gpg -d --batch --passphrase-file "$PASSPHRASE" /tmp/deploy_error.log.gpg
gpg -d --batch --passphrase-file "$PASSPHRASE" /tmp/deploy.log.gpg
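Review bot: The new JOB_ID prompt reads without `-r`, so a backslash in the typed value is interpreted rather than kept, and the variable is made `readonly` only in the argument branch, which differs from the preceding block (presumably RUN_ID, mostly outside the hunk). Use `read -r -p "Veuillez renseigner l'ID du job: " JOB_ID` and move a single `readonly JOB_ID` after the `fi` so both branches behave the same. Separately, the second hunk still downloads the artifact to a fixed, predictable name under the shared /tmp; a per-invocation `mktemp -d` directory would avoid clobbering or picking up a pre-existing file of that name, with `delete_cleartext` (body outside the hunk) removing the directory on exit.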
4 changes: 2 additions & 2 deletions .bin/scripts/deploy-log-encrypt.sh
Expand Up @@ -19,5 +19,5 @@ trap delete_cleartext EXIT
ansible-vault view "${ansible_extra_opts[@]}" "$VAULT_FILE" | yq '.vault.SEED_GPG_PASSPHRASE' > "$PASSPHRASE"

# Make sur the file exists
touch /tmp/deploy_error.log
gpg -c --cipher-algo twofish --batch --passphrase-file "$PASSPHRASE" -o /tmp/deploy_error.log.gpg /tmp/deploy_error.log
touch /tmp/deploy.log
gpg -c --cipher-algo twofish --batch --passphrase-file "$PASSPHRASE" -o /tmp/deploy.log.gpg /tmp/deploy.log
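Review bot: The plaintext source was renamed to /tmp/deploy.log, but `delete_cleartext`, registered by the `trap` visible in the hunk header and defined outside the hunk, is not touched by this commit; if it still removes the old deploy_error.log name, the now complete (stdout and stderr) Ansible log stays unencrypted on the runner after the encrypted copy is produced. Please confirm the cleanup function was updated to the new path, or add `rm -f /tmp/deploy.log` immediately after the gpg line so the encrypt script does not depend on it. The context comment `# Make sur the file exists` could be corrected to `# Make sure the file exists` while this file is being edited.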
2 changes: 1 addition & 1 deletion .bin/scripts/run-playbook.sh
Expand Up @@ -61,5 +61,5 @@ function runPlaybook() {
if [[ -z "${CI:-}" ]]; then
runPlaybook "$@"
else
runPlaybook "$@" 2> /tmp/deploy_error.log
runPlaybook "$@" &> /tmp/deploy.log
fi;
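Review bot: `&>` is a bash extension; if run-playbook.sh is ever executed by a POSIX sh (the shebang is outside the hunk) the line is parsed as `runPlaybook "$@" &` followed by `> /tmp/deploy.log`, which backgrounds the playbook and returns immediately with status 0. The portable spelling `runPlaybook "$@" > /tmp/deploy.log 2>&1` behaves identically under bash and removes that failure mode. Since the workflow now depends on this file capturing all output, the redirection target should stay aligned with the path hard-coded in deploy-log-encrypt.sh.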
20 changes: 12 additions & 8 deletions .github/workflows/_deploy.yml
Expand Up @@ -77,26 +77,30 @@ jobs:
ANSIBLE_REMOTE_USER: deploy
ANSIBLE_BECOME_PASS: ${{ secrets.DEPLOY_PASS }}

- name: Encrypt Error log on failure
- name: Encrypt logs
run: .bin/mna deploy:log:encrypt
if: failure()
if: always()
env:
ANSIBLE_VAULT_PASSWORD_FILE: .infra/.vault_pwd.txt

- name: Upload failure artifacts on failure
if: failure()
uses: actions/upload-artifact@v3
- name: Upload logs artifacts
if: always()
uses: actions/upload-artifact@v4
with:
name: error-logs
path: /tmp/deploy_error.log.gpg
name: logs-${{ inputs.environment }}
path: /tmp/deploy.log.gpg

- name: Add Job summary
if: always()
run: echo 'You can get logs using `.bin/mna deploy:log:decrypt ${{ github.run_id }} ${{ inputs.environment }}`' >> $GITHUB_STEP_SUMMARY

- name: Notify failure on Slack
uses: ravsamhq/notify-slack-action@v2
if: always()
with:
status: ${{ job.status }}
notification_title: "Le déploiement ${{ inputs.app_version }} en ${{ inputs.environment }} a échoué"
message_format: "{emoji} *[${{ inputs.environment }}]* *{workflow}* {status_message} in <{repo_url}|{branch}> on <{commit_url}|{commit_sha}>. You can get error logs using `.bin/mna deploy:log:decrypt ${{ github.run_id }}`"
message_format: "{emoji} *[${{ inputs.environment }}]* *{workflow}* {status_message} in <{repo_url}|{branch}> on <{commit_url}|{commit_sha}>. You can get error logs using `.bin/mna deploy:log:decrypt ${{ github.run_id }} ${{ inputs.environment }}`"
notify_when: "failure"
mention_groups: "!channel"
env:
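Review bot: The new "Add Job summary" step interpolates `${{ inputs.environment }}` directly into the `run:` shell line; the `${{ }}` expansion happens before bash parses the command, so a value containing a quote or shell metacharacters would escape the single-quoted string and be executed by the runner shell. For a reusable workflow the value is chosen by the calling workflow, which may be trusted, but the robust pattern is to pass it through `env:` and reference the variable from the shell, as below; the same applies to the summary step added in .github/workflows/deploy_preview.yml, where `github.event.issue.number` is numeric and therefore lower risk. `$GITHUB_STEP_SUMMARY` should also be quoted.

```yaml
      - name: Add Job summary
        if: always()
        env:
          RUN_ID: ${{ github.run_id }}
          DEPLOY_ENV: ${{ inputs.environment }}
        run: printf 'You can get logs using `.bin/mna deploy:log:decrypt %s %s`\n' "$RUN_ID" "$DEPLOY_ENV" >> "$GITHUB_STEP_SUMMARY"
```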
18 changes: 11 additions & 7 deletions .github/workflows/deploy_preview.yml
Expand Up @@ -91,18 +91,22 @@ jobs:
ANSIBLE_REMOTE_USER: deploy
ANSIBLE_BECOME_PASS: ${{ secrets.DEPLOY_PASS }}

- name: Encrypt Error log on failure
- name: Encrypt logs
run: .bin/mna deploy:log:encrypt
if: failure()
if: always()
env:
ANSIBLE_VAULT_PASSWORD_FILE: .infra/.vault_pwd.txt

- name: Upload failure artifacts on failure
if: failure()
uses: actions/upload-artifact@v3
- name: Upload logs artifacts
if: always()
uses: actions/upload-artifact@v4
with:
name: error-logs
path: /tmp/deploy_error.log.gpg
name: logs-${{ github.event.issue.number }}
path: /tmp/deploy.log.gpg

- name: Add Job summary
if: always()
run: echo 'You can get logs using `.bin/mna deploy:log:decrypt ${{ github.run_id }} ${{ github.event.issue.number }}`' >> $GITHUB_STEP_SUMMARY

- name: Preview Summary when failed
if: failure()
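Review bot: The upload step now runs with `if: always()`, but when the preceding "Encrypt logs" step fails (for example because the vault password file is absent) /tmp/deploy.log.gpg does not exist, and actions/upload-artifact@v4 only warns by default, so the job summary then points at an artifact that was never produced. Add `if-no-files-found: error` under `with:` so a missing log is surfaced instead of silently dropped; the corresponding step in .github/workflows/_deploy.yml has the same gap. Note also that v4 rejects a second upload under an identical artifact name within one run, so `logs-${{ github.event.issue.number }}` relies on this job executing once per workflow run.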

0 comments on commit d196432
