feat: encrypt ocp config when not in use

Author: ludwig-mueller

solutions/standard-openshift/ansible/README.md

@@ -27,12 +27,13 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_ansible_host_or_ip"></a> [ansible\_host\_or\_ip](#input\_ansible\_host\_or\_ip) | Private IP of virtual server instance running RHEL OS on which ansible will be installed and configured to act as central ansible node. | `string` | n/a | yes |
-| <a name="input_ansible_vault_password"></a> [ansible\_vault\_password](#input\_ansible\_vault\_password) | Vault password to encrypt ansible playbooks that contain sensitive information. Password requirements: 15-100 characters and at least one uppercase letter, one lowercase letter, one number, and one special character. Allowed characters: A-Z, a-z, 0-9, !#$%&()*+-.:;<=>?@[]\_{\|}~. | `string` | `null` | no |
+| <a name="input_ansible_vault_password"></a> [ansible\_vault\_password](#input\_ansible\_vault\_password) | Vault password to encrypt ansible playbooks that contain sensitive information. Password requirements: 15-100 characters and at least one uppercase letter, one lowercase letter, one number, and one special character. Allowed characters: A-Z, a-z, 0-9, !#$%&()*+-.:;<=>?@[]\_{\|}~. | `string` | n/a | yes |
 | <a name="input_bastion_host_ip"></a> [bastion\_host\_ip](#input\_bastion\_host\_ip) | Jump/Bastion server public IP address to reach the ansible host which has private IP. | `string` | n/a | yes |
 | <a name="input_configure_ansible_host"></a> [configure\_ansible\_host](#input\_configure\_ansible\_host) | If set to true, bash script will be executed to install and configure the collections and packages on ansible node. | `bool` | n/a | yes |
 | <a name="input_dst_inventory_file_name"></a> [dst\_inventory\_file\_name](#input\_dst\_inventory\_file\_name) | Name for the inventory file to be generated on the Ansible host. | `string` | n/a | yes |
 | <a name="input_dst_playbook_file_name"></a> [dst\_playbook\_file\_name](#input\_dst\_playbook\_file\_name) | Name for the playbook file to be generated on the Ansible host. | `string` | n/a | yes |
 | <a name="input_dst_script_file_name"></a> [dst\_script\_file\_name](#input\_dst\_script\_file\_name) | Name for the bash file to be generated on the Ansible host. | `string` | n/a | yes |
+| <a name="input_encrypt_playbook"></a> [encrypt\_playbook](#input\_encrypt\_playbook) | Whether to encrypt the playbook using ansible vault. The ocp configuration will always be encrypted, this only applies to the playbooks. | `bool` | n/a | yes |
 | <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | IBM Cloud platform API key needed to deploy IAM enabled resources. | `string` | `null` | no |
 | <a name="input_inventory_template_vars"></a> [inventory\_template\_vars](#input\_inventory\_template\_vars) | Map values for the inventory template. | `map(any)` | n/a | yes |
 | <a name="input_playbook_template_vars"></a> [playbook\_template\_vars](#input\_playbook\_template\_vars) | Map values for the ansible playbook template. | `map(any)` | n/a | yes |

solutions/standard-openshift/ansible/main.tf

@@ -66,7 +66,7 @@ resource "terraform_data" "trigger_ansible_vars" {
 
 resource "terraform_data" "execute_playbooks" {
   depends_on = [terraform_data.setup_ansible_host]
-  count      = var.ansible_vault_password != null ? 0 : 1
+  count      = var.encrypt_playbook ? 0 : 1
 
   connection {
     type         = "ssh"
@@ -119,6 +119,15 @@ resource "terraform_data" "execute_playbooks" {
     ]
   }
 
+  # Decrypt ocp config if it already exists
+  provisioner "remote-exec" {
+    inline = [
+      "if [ -f \"~/.powervs/config.json\" ]; then echo ${var.ansible_vault_password} > password_file",
+      "if [ -f \"~/.powervs/config.json\" ]; then ansible-vault decrypt ~/.powervs/config.json --vault-password-file password_file",
+      "rm -f password_file"
+    ]
+  }
+
   # Execute bash shell script to run ansible playbooks
   provisioner "remote-exec" {
     inline = [
@@ -134,6 +143,15 @@ resource "terraform_data" "execute_playbooks" {
     ]
   }
 
+  # Encrypt ocp config if it already exists
+  provisioner "remote-exec" {
+    inline = [
+      "if [ -f \"~/.powervs/config.json\" ]; then echo ${var.ansible_vault_password} > password_file",
+      "if [ -f \"~/.powervs/config.json\" ]; then ansible-vault encrypt ~/.powervs/config.json --vault-password-file password_file",
+      "rm -f password_file"
+    ]
+  }
+
   # print output of openshift installation if applicable, else do nothing
   provisioner "remote-exec" {
     inline = [
@@ -145,7 +163,7 @@ resource "terraform_data" "execute_playbooks" {
 
 resource "terraform_data" "execute_playbooks_with_vault" {
   depends_on = [terraform_data.setup_ansible_host]
-  count      = var.ansible_vault_password != null ? 1 : 0
+  count      = var.encrypt_playbook ? 1 : 0
 
   connection {
     type         = "ssh"
@@ -206,6 +224,15 @@ resource "terraform_data" "execute_playbooks_with_vault" {
     ]
   }
 
+  # Decrypt ocp config if it already exists
+  provisioner "remote-exec" {
+    inline = [
+      "if [ -f \"~/.powervs/config.json\" ]; then echo ${var.ansible_vault_password} > password_file",
+      "if [ -f \"~/.powervs/config.json\" ]; then ansible-vault decrypt ~/.powervs/config.json --vault-password-file password_file",
+      "rm -f password_file"
+    ]
+  }
+
   # Execute bash shell script to run ansible playbooks
   provisioner "remote-exec" {
     inline = [
@@ -222,6 +249,15 @@ resource "terraform_data" "execute_playbooks_with_vault" {
       "rm -rf ${local.private_key_file}"
     ]
   }
+
+  # Encrypt ocp config if it already exists
+  provisioner "remote-exec" {
+    inline = [
+      "if [ -f \"~/.powervs/config.json\" ]; then echo ${var.ansible_vault_password} > password_file",
+      "if [ -f \"~/.powervs/config.json\" ]; then ansible-vault encrypt ~/.powervs/config.json --vault-password-file password_file",
+      "rm -f password_file"
+    ]
+  }
 }
 
 

solutions/standard-openshift/ansible/variables.tf

@@ -63,33 +63,37 @@ variable "ansible_vault_password" {
   description = "Vault password to encrypt ansible playbooks that contain sensitive information. Password requirements: 15-100 characters and at least one uppercase letter, one lowercase letter, one number, and one special character. Allowed characters: A-Z, a-z, 0-9, !#$%&()*+-.:;<=>?@[]_{|}~."
   type        = string
   sensitive   = true
-  default     = null
   validation {
-    condition     = var.ansible_vault_password == null ? true : (length(var.ansible_vault_password) >= 15 && length(var.ansible_vault_password) <= 100)
+    condition     = (length(var.ansible_vault_password) >= 15 && length(var.ansible_vault_password) <= 100)
     error_message = "ansible_vault_password needs to be between 15 and 100 characters in length."
   }
   validation {
-    condition     = var.ansible_vault_password == null ? true : can(regex("[A-Z]", var.ansible_vault_password))
+    condition     = can(regex("[A-Z]", var.ansible_vault_password))
     error_message = "ansible_vault_password needs to contain at least one uppercase character (A-Z)."
   }
   validation {
-    condition     = var.ansible_vault_password == null ? true : can(regex("[a-z]", var.ansible_vault_password))
+    condition     = can(regex("[a-z]", var.ansible_vault_password))
     error_message = "ansible_vault_password needs to contain at least one lowercase character (a-z)."
   }
   validation {
-    condition     = var.ansible_vault_password == null ? true : can(regex("[0-9]", var.ansible_vault_password))
+    condition     = can(regex("[0-9]", var.ansible_vault_password))
     error_message = "ansible_vault_password needs to contain at least one number (0-9)."
   }
   validation {
-    condition     = var.ansible_vault_password == null ? true : can(regex("[!#$%&()*+\\-.:;<=>?@[\\]_{|}~]", var.ansible_vault_password))
+    condition     = can(regex("[!#$%&()*+\\-.:;<=>?@[\\]_{|}~]", var.ansible_vault_password))
     error_message = "ansible_vault_password needs to contain at least one of the following special characters: !#$%&()*+-.:;<=>?@[]_{|}~"
   }
   validation {
-    condition     = var.ansible_vault_password == null ? true : can(regex("^[A-Za-z0-9!#$%&()*+\\-.:;<=>?@[\\]_{|}~]+$", var.ansible_vault_password))
+    condition     = can(regex("^[A-Za-z0-9!#$%&()*+\\-.:;<=>?@[\\]_{|}~]+$", var.ansible_vault_password))
     error_message = "ansible_vault_password contains illegal characters. Allowed characters: A-Z, a-z, 0-9, !#$%&()*+-.:;<=>?@[]_{|}~"
   }
 }
 
+variable "encrypt_playbook" {
+  description = "Whether to encrypt the playbook using ansible vault. The ocp configuration will always be encrypted, this only applies to the playbooks."
+  type        = bool
+}
+
 variable "ibmcloud_api_key" {
   description = "IBM Cloud platform API key needed to deploy IAM enabled resources."
   type        = string

solutions/standard-openshift/main.tf

@@ -71,6 +71,7 @@ module "ocp_cluster_install_configuration" {
   ansible_host_or_ip     = module.standard.ansible_host_or_ip
   ssh_private_key        = var.ssh_private_key
   ansible_vault_password = var.ansible_vault_password
+  encrypt_playbook       = true
   configure_ansible_host = false
 
   src_script_template_name = "deploy-openshift-cluster/ansible_exec_vault.sh.tftpl"
@@ -120,6 +121,8 @@ module "ocp_cluster_manifest_creation" {
   bastion_host_ip        = module.standard.access_host_or_ip
   ansible_host_or_ip     = module.standard.ansible_host_or_ip
   ssh_private_key        = var.ssh_private_key
+  ansible_vault_password = var.ansible_vault_password
+  encrypt_playbook       = false
   configure_ansible_host = false
   ibmcloud_api_key       = var.ibmcloud_api_key
 
@@ -148,6 +151,8 @@ module "ocp_cluster_deployment" {
   bastion_host_ip        = module.standard.access_host_or_ip
   ansible_host_or_ip     = module.standard.ansible_host_or_ip
   ssh_private_key        = var.ssh_private_key
+  ansible_vault_password = var.ansible_vault_password
+  encrypt_playbook       = false
   configure_ansible_host = false
   ibmcloud_api_key       = var.ibmcloud_api_key