1
0
Fork 0
mirror of https://github.com/dawidd6/action-ansible-playbook.git synced 2024-11-22 15:32:18 +00:00

Add support for SSH Host Key Checking

By default it seems that SSH host key checking has been disabled. This
patch makes it optional. If a variable named known_hosts is passed in,
the key checking will be enabled. The variable should contain the
complete contents of the known_hosts file, which must contain the public
key(s) of the host(s) in the inventory.
This commit is contained in:
Scott Rubin 2021-04-04 14:51:37 -04:00
parent aad578fcdd
commit d45b74f42d
4 changed files with 32 additions and 2 deletions

View file

@ -65,11 +65,15 @@ jobs:
Subsystem sftp /usr/lib/openssh/sftp-server Subsystem sftp /usr/lib/openssh/sftp-server
EOF EOF
sudo systemctl restart sshd sudo systemctl restart sshd
echo 'SSH_KNOWN_HOSTS<<EOF' >> $GITHUB_ENV
echo $(ssh-keyscan localhost) >> $GITHUB_ENV
echo 'EOF' >> $GITHUB_ENV
- name: With everything - name: With everything
uses: ./ uses: ./
with: with:
playbook: playbook.yml playbook: playbook.yml
key: ${{env.SSH_PRIVATE_KEY}} key: ${{env.SSH_PRIVATE_KEY}}
known_hosts: ${{env.SSH_KNOWN_HOSTS}}
directory: test directory: test
vault_password: test vault_password: test
requirements: requirements.yml requirements: requirements.yml

View file

@ -22,6 +22,9 @@ inputs:
vault_password: vault_password:
description: The password used for decrypting vaulted files description: The password used for decrypting vaulted files
required: false required: false
known_hosts:
description: Contents of SSH known_hosts file
required: false
options: options:
description: Extra options that should be passed to ansible-playbook command description: Extra options that should be passed to ansible-playbook command
required: false required: false

20
main.js
View file

@ -12,6 +12,7 @@ async function main() {
const key = core.getInput("key") const key = core.getInput("key")
const inventory = core.getInput("inventory") const inventory = core.getInput("inventory")
const vaultPassword = core.getInput("vault_password") const vaultPassword = core.getInput("vault_password")
const knownHosts = core.getInput("known_hosts")
const options = core.getInput("options") const options = core.getInput("options")
let cmd = ["ansible-playbook", playbook] let cmd = ["ansible-playbook", playbook]
@ -63,10 +64,27 @@ async function main() {
cmd.push(vaultPasswordFile) cmd.push(vaultPasswordFile)
} }
if (knownHosts) {
const knownHostsFile = ".ansible_known_hosts"
fs.writeFileSync(knownHostsFile, knownHosts, { mode: 0600 })
core.saveState("knownHostsFile", knownHostsFile)
let known_hosts_param = [
"--ssh-common-args=",
"\"",
"-o UserKnownHostsFile=",
knownHostsFile,
"\""
].join('')
cmd.push(known_hosts_param)
process.env.ANSIBLE_HOST_KEY_CHECKING = "True"
} else {
process.env.ANSIBLE_HOST_KEY_CHECKING = "False" process.env.ANSIBLE_HOST_KEY_CHECKING = "False"
}
process.env.ANSIBLE_FORCE_COLOR = "True" process.env.ANSIBLE_FORCE_COLOR = "True"
await exec.exec(cmd.join(" ")) await exec.exec(cmd.join(' '))
} catch (error) { } catch (error) {
core.setFailed(error.message) core.setFailed(error.message)
} }

View file

@ -14,6 +14,7 @@ async function main() {
const keyFile = core.getState("keyFile") const keyFile = core.getState("keyFile")
const inventoryFile = core.getState("inventoryFile") const inventoryFile = core.getState("inventoryFile")
const vaultPasswordFile = core.getState("vaultPasswordFile") const vaultPasswordFile = core.getState("vaultPasswordFile")
const knownHostsFile = core.getState("knownHostsFile")
if (directory) if (directory)
process.chdir(directory) process.chdir(directory)
@ -26,6 +27,10 @@ async function main() {
if (vaultPasswordFile) if (vaultPasswordFile)
rm(vaultPasswordFile) rm(vaultPasswordFile)
if (knownHostsFile)
rm(knownHostsFile)
} catch (error) { } catch (error) {
core.setFailed(error.message) core.setFailed(error.message)
} }