@@ -100,24 +100,71 @@ get_playbook_name() {
100100 esac
101101}
102102
103+ # Function to check if the MSI has the correct permissions on the Key Vault
104+ check_msi_permissions () {
105+ local key_vault_name=$1
106+ local required_permission=" Get"
107+
108+ # FOR TESTING
109+ log " INFO" " Checking MSI permissions on Key Vault: $key_vault_name ..."
110+
111+ # Get the MSI object ID
112+ msi_object_id=$( az identity show --name " $MSI_NAME " --resource-group " $RESOURCE_GROUP " --query " principalId" -o tsv)
113+ if [[ -z " $msi_object_id " ]]; then
114+ log " ERROR" " Failed to retrieve MSI object ID for $MSI_NAME in resource group $RESOURCE_GROUP ."
115+ exit 1
116+ fi
117+
118+ # Check Key Vault permissions
119+ permissions=$( az keyvault show --name " $key_vault_name " --query " properties.accessPolicies[?objectId=='$msi_object_id '].permissions.secrets" -o tsv)
120+ if [[ " $permissions " != * " $required_permission " * ]]; then
121+ log " ERROR" " MSI $MSI_NAME does not have '$required_permission ' permission on Key Vault $key_vault_name ."
122+ exit 1
123+ fi
124+
125+ log " INFO" " MSI $MSI_NAME has the required permissions on Key Vault $key_vault_name ."
126+ }
127+
103128# Function to run the ansible playbook
104129run_ansible_playbook () {
105130 local playbook_name=$1
106131 local system_hosts=$2
107132 local system_params=$3
108133 local auth_type=$4
109134 local system_config_folder=$5
135+ local key_vault_name=$6
136+ local secret_name=$7
137+ local secret_value
110138
111139 if [[ " $auth_type " == " SSHKEY" ]]; then
112140 local ssh_key=" ${cmd_dir} /../WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME /ssh_key.ppk"
113141 log " INFO" " Using SSH key: $ssh_key ."
114142 command=" ansible-playbook ${cmd_dir} /../src/$playbook_name .yml -i $system_hosts --private-key $ssh_key \
115143 -e @$VARS_FILE -e @$system_params -e '_workspace_directory=$system_config_folder '"
116- else
144+ elif [[ " $auth_type " == " PASSWORD " ]] ; then
117145 log " INFO" " Using password authentication."
118146 command=" ansible-playbook ${cmd_dir} /../src/$playbook_name .yml -i $system_hosts \
119147 --extra-vars \" ansible_ssh_pass=$( cat ${cmd_dir} /../WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME /password) \" \
120148 --extra-vars @$VARS_FILE -e @$system_params -e '_workspace_directory=$system_config_folder '"
149+ elif [[ " $auth_type " == " KEYVAULT" ]]; then
150+ log " INFO" " Using Key Vault for authentication."
151+ # Retrieve the secret from the Key Vault
152+ log " INFO" " Retrieving secret '$secret_name ' from Key Vault '$key_vault_name '..."
153+
154+ secret_value=$( az keyvault secret show --vault-name " $key_vault_name " --name " $secret_name " --query " value" -o tsv)
155+
156+ if [[ -z " $secret_value " ]]; then
157+ log " ERROR" " Failed to retrieve secret '$secret_name ' from Key Vault '$key_vault_name '."
158+ exit 1
159+ fi
160+
161+ log " INFO" " Successfully retrieved secret from Key Vault."
162+ command=" ansible-playbook ${cmd_dir} /../src/$playbook_name .yml -i $system_hosts \
163+ --extra-vars \" ansible_ssh_pass=$secret_value \" --extra-vars @$VARS_FILE -e @$system_params \
164+ -e '_workspace_directory=$system_config_folder '"
165+ else
166+ log " ERROR" " Unknown authentication type: $auth_type "
167+ exit 1
121168 fi
122169
123170 log " INFO" " Running ansible playbook..."
@@ -156,9 +203,11 @@ main() {
156203 if [[ " $AUTHENTICATION_TYPE " == " SSHKEY" ]]; then
157204 check_file_exists " ${cmd_dir} /../WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME /ssh_key.ppk" \
158205 " ssh_key.ppk not found in WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME directory."
159- else
206+ elif [[ " $AUTHENTICATION_TYPE " == " PASSWORD " ]] ; then
160207 check_file_exists " ${cmd_dir} /../WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME /password" \
161208 " password file not found in WORKSPACES/SYSTEM/$SYSTEM_CONFIG_NAME directory."
209+ elif [[ " $AUTHENTICATION_TYPE " == " KEYVAULT" ]]; then
210+ log " INFO" " Key Vault authentication selected. Ensure Key Vault parameters are set."
162211 fi
163212
164213 playbook_name=$( get_playbook_name " $sap_functional_test_type " )
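Review bot: In the new KEYVAULT branch of run_ansible_playbook (new lines 149–164) the retrieved secret is interpolated into the `command` string as `--extra-vars "ansible_ssh_pass=$secret_value"`, so once that string is executed the secret sits on the ansible-playbook argv where `ps`, process auditing and any `set -x` trace can read it, and a value containing a quote, space or `$` would break or alter the command; the pre-existing PASSWORD branch (lines 146–148) has the same shape, so the fix below could be applied to both. The branch also calls `az` before confirming the two new positional arguments were supplied — `: "${key_vault_name:?KEYVAULT auth requires a Key Vault name}"` and the same for `secret_name` would fail early with a clear message. check_msi_permissions (new lines 104–126) assigns `msi_object_id` and `permissions` without `local`, is not invoked in either hunk, and inspects only `accessPolicies`, which I believe is empty on vaults that use RBAC authorization, so such a vault would presumably be reported as lacking Get; main's new KEYVAULT branch (lines 209–210) only logs a reminder, which is where that check (or at least a non-empty check on the vault and secret names) belongs. run_ansible_playbook's body continues past the end of the hunk, so the later execution of `$command` is not visible here.

```shell
  elif [[ "$auth_type" == "KEYVAULT" ]]; then
    log "INFO" "Using Key Vault for authentication."
    : "${key_vault_name:?KEYVAULT auth requires a Key Vault name}"
    : "${secret_name:?KEYVAULT auth requires a secret name}"
    # … unchanged: secret retrieval, empty-value check and logging …
    # Keep the secret off the command line: pass it via a private vars file
    # that is removed on exit (chain with any existing EXIT trap).
    local secret_vars_file
    secret_vars_file=$(umask 077 && mktemp) || { log "ERROR" "mktemp failed"; exit 1; }
    trap 'rm -f -- "$secret_vars_file"' EXIT
    printf "ansible_ssh_pass: '%s'\n" "${secret_value//\'/\'\'}" > "$secret_vars_file"
    command="ansible-playbook ${cmd_dir}/../src/$playbook_name.yml -i $system_hosts \
      --extra-vars @$secret_vars_file --extra-vars @$VARS_FILE -e @$system_params \
      -e '_workspace_directory=$system_config_folder'"
```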