New role to detect env_authorized_key path

ansible/cloud_providers/ec2_infrastructure_deployment.yml

@@ -37,6 +37,10 @@
         name: create_ssh_provision_key
       when: instances | default([]) | length > 0
 
+    - name: Locate environment SSH key
+      include_role:
+        name: locate_env_authorized_key
+
     - name: Create keypair in ec2
       include_role:
         name: infra-ec2-ssh-key

ansible/cloud_providers/osp_infrastructure_deployment.yml

@@ -23,6 +23,10 @@
       import_role:
         name: infra-osp-template-create
 
+    - name: Locate environment SSH key
+      include_role:
+        name: locate_env_authorized_key
+
 - name: Step 001.2 Create Inventory and SSH config setup
   hosts: localhost
   connection: local

ansible/roles/bastion-student-user/defaults/main.yml

@@ -9,15 +9,4 @@ student_sudo: true
 # to the other nodes in the environment without first becoming root
 # (avoiding to have to use Ansible as root)
 bastion_student_user_ansible: false
-
-## Provision SSH key
-# Use provision ssh key if possible
-env_authorized_key_path: >-
-  {%- if hostvars.localhost.ssh_provision_key_path is defined -%}
-  {{ hostvars.localhost.ssh_provision_key_path }}
-  {%- else -%}
-  {{ output_dir }}/{{ env_authorized_key }}
-  {%- endif -%}
-
-env_authorized_key_path_pub: "{{ env_authorized_key_path }}.pub"
 ...

ansible/roles/bastion-student-user/tasks/main.yml

@@ -42,7 +42,7 @@
   authorized_key:
     user: "{{ student_name }}"
     state: present
-    key: "{{ lookup('file', env_authorized_key_path_pub) }}"
+    key: "{{ hostvars.localhost.env_authorized_key_content_pub }}"
   when:
     - set_env_authorized_key | bool
     - student_name is defined

ansible/roles/bastion/tasks/prepuser.yml

@@ -15,7 +15,7 @@
 - name: prepuser | copy the environment .pem key
   become: true
   copy:
-    src: "{{output_dir}}/{{ env_authorized_key }}"
+    src: "{{ hostvars.localhost.env_authorized_key_path }}"
     dest: "~{{ bastion_prepared_user }}/.ssh/{{env_authorized_key}}.pem"
     owner: "{{ bastion_prepared_user }}"
     group: "{{ bastion_prepared_group }}"

ansible/roles/control-user/defaults/main.yml

@@ -7,15 +7,4 @@ control_user_skel_files:                # list of user skel files
 ## User's variable used in tasks/create-user.yml
 control_user_name: devops               # User name
 control_user_private_group: users       # User's private group name
-
-## Provision SSH key
-# Use provision ssh key if possible
-env_authorized_key_path: >-
-  {%- if hostvars.localhost.ssh_provision_key_path is defined -%}
-  {{ hostvars.localhost.ssh_provision_key_path }}
-  {%- else -%}
-  {{ output_dir }}/{{ env_authorized_key }}
-  {%- endif -%}
-
-env_authorized_key_path_pub: "{{ env_authorized_key_path }}.pub"
 ...

ansible/roles/control-user/tasks/ssh-config.yml

@@ -12,15 +12,15 @@
   block:
     - name: copy the environment .pem key
       copy:
-        src: "{{ env_authorized_key_path }}"
+        src: "{{ hostvars.localhost.env_authorized_key_path }}"
         dest: "/home/{{ control_user_name }}/.ssh/{{env_authorized_key}}.pem"
         owner: "{{ control_user_name }}"
         group: "{{ control_user_private_group }}"
         mode: 0400
 
     - name: copy the environment .pub key
       copy:
-        src: "{{ env_authorized_key_path_pub }}"
+        src: "{{ hostvars.localhost.env_authorized_key_path_pub }}"
         dest: "/home/{{ control_user_name }}/.ssh/{{env_authorized_key}}.pub"
         owner: "{{ control_user_name }}"
         group: "{{ control_user_private_group }}"

ansible/roles/locate_env_authorized_key/readme.adoc

@@ -0,0 +1,23 @@
+= `locate_env_authorized_key` role =
+
+This role is used to detect where the env_authorized_key key is located on the provisioning host (localhost).
+
+The main reason is to facilitate the transition of all configs and roles to a common `ssh_provision_key` created by the `create_ssh_provision_key` role that creates also the necessary facts on localhost.
+
+This role, `locate_env_authorized_key`, will use the available keys if found, in order:
+
+* `ssh_provision_key` - created by `create_ssh_provision_key`
+* `infra_ssh_key` - created by OSP heat template
+* defaults to `{{ output_dir }}/{{ env_authorized_key }}`
+** generally the key is created directly in the config
+
+
+The role can be included from any host, it will always delegate to the provisioning host (localhost).
+
+== output facts ==
+
+All facts are set on the provisioning host (localhost):
+
+* `env_authorized_key_path`
+* `env_authorized_key_path_pub`
+* `env_authorized_key_content_pub`

ansible/roles/locate_env_authorized_key/tasks/main.yaml

@@ -0,0 +1,40 @@
+---
+- name: Set env_authorized_key_path
+  delegate_to: localhost
+  become: false
+  delegate_facts: true
+  set_fact:
+    env_authorized_key_path: >-
+      {%- if hostvars.localhost.ssh_provision_key_path is defined -%}
+      {{ hostvars.localhost.ssh_provision_key_path }}
+      {%- elif hostvars.localhost.infra_ssh_key is defined -%}
+      {{ hostvars.localhost.infra_ssh_key }}
+      {%- else -%}
+      {{ output_dir }}/{{ env_authorized_key }}
+      {%- endif -%}
+
+- name: Set env_authorized_key_path_pub
+  delegate_to: localhost
+  become: false
+  delegate_facts: true
+  set_fact:
+    env_authorized_key_path_pub: >-
+      {{ hostvars.localhost.env_authorized_key_path
+      | regex_replace('\.pem$', '') }}.pub
+
+- name: Generate SSH pub key content if it doesn't exist
+  shell: >-
+    ssh-keygen -y -f {{ hostvars.localhost.env_authorized_key_path | quote }}
+    > {{ hostvars.localhost.env_authorized_key_path_pub | quote }}
+  args:
+    creates: "{{ hostvars.localhost.env_authorized_key_path_pub }}"
+  delegate_to: localhost
+  become: false
+
+- name: Save SSH pub key content as fact
+  delegate_to: localhost
+  delegate_facts: true
+  become: false
+  set_fact:
+    env_authorized_key_content_pub: >-
+      {{ lookup('file', hostvars.localhost.env_authorized_key_path_pub) }}

ansible/roles/set_env_authorized_key/defaults/main.yaml

@@ -1,14 +1,2 @@
 ---
 output_dir: /tmp/output_dir
-# Use provision ssh key if possible
-env_authorized_key_path: >-
-  {%- if hostvars.localhost.ssh_provision_key_path is defined -%}
-  {{ hostvars.localhost.ssh_provision_key_path }}
-  {%- elif hostvars.localhost.infra_ssh_key is defined -%}
-  {{ hostvars.localhost.infra_ssh_key }}
-  {%- else -%}
-  {{ output_dir }}/{{ env_authorized_key }}
-  {%- endif -%}
-
-env_authorized_key_path_pub: >-
-  {{ env_authorized_key_path | regex_replace('\.pem$', '') }}.pub

ansible/roles/set_env_authorized_key/tasks/main.yml

@@ -8,26 +8,17 @@
 - name: copy the environment .pem key
   become: true
   copy:
-    src: "{{ env_authorized_key_path }}"
+    src: "{{ hostvars.localhost.env_authorized_key_path }}"
     dest: "/root/.ssh/{{ env_authorized_key }}.pem"
     owner: root
     group: root
     mode: 0400
   when: set_env_authorized_key|bool
 
-- name: Generate pub key if it doesn't exist
-  shell: >-
-    ssh-keygen -y -f {{ env_authorized_key_path | quote }}
-    > {{ env_authorized_key_path_pub | quote }}
-  args:
-    creates: "{{ env_authorized_key_path_pub }}"
-  delegate_to: localhost
-  become: false
-
 - name: copy the environment .pub key
   become: true
   copy:
-    src: "{{ env_authorized_key_path_pub }}"
+    src: "{{ hostvars.localhost.env_authorized_key_path_pub }}"
     dest: "/root/.ssh/{{ env_authorized_key }}.pub"
     owner: root
     group: root
@@ -38,7 +29,7 @@
   authorized_key:
     user: "{{ ansible_user }}"
     state: present
-    key: "{{ lookup('file', env_authorized_key_path_pub) }}"
+    key: "{{ hostvars.localhost.env_authorized_key_content_pub }}"
 
 - name: Generate host .ssh/config Template
   become: false