Lab 06: Advanced Ansible & CI/CD

.github/workflows/ansible-deploy.yml

@@ -0,0 +1,86 @@
+name: Ansible Deployment
+
+on:
+  push:
+    branches: [ master, lab06 ]
+    paths:
+      - 'ansible/**'
+      - '.github/workflows/ansible-deploy.yml'
+  pull_request:
+    branches: [ master, lab06 ]
+    paths:
+      - 'ansible/**'
+      - '.github/workflows/ansible-deploy.yml'
+  workflow_dispatch:  # Позволяет запускать вручную
+
+jobs:
+  lint:
+    name: Ansible Lint
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Install Ansible and ansible-lint
+        run: |
+          pip install ansible ansible-lint
+
+      - name: Run ansible-lint
+        run: |
+          cd ansible
+          ansible-lint playbooks/*.yml roles/*/tasks/*.yml || true
+        continue-on-error: true
+
+  deploy:
+    name: Deploy Application
+    needs: lint
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Install Ansible and dependencies
+        run: |
+          pip install ansible
+          ansible-galaxy collection install community.docker
+
+      - name: Setup SSH
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
+          chmod 600 ~/.ssh/id_rsa
+          ssh-keyscan -H ${{ secrets.VM_HOST }} >> ~/.ssh/known_hosts
+
+      - name: Test SSH connection
+        run: |
+          ssh -i ~/.ssh/id_rsa ${{ secrets.VM_USER }}@${{ secrets.VM_HOST }} "echo 'SSH connection successful'"
+
+      - name: Deploy with Ansible
+        env:
+          ANSIBLE_HOST_KEY_CHECKING: 'False'
+        run: |
+          cd ansible
+          echo "${{ secrets.ANSIBLE_VAULT_PASSWORD }}" > /tmp/vault_pass
+          ansible-playbook playbooks/deploy.yml \
+            -i inventory/hosts.ini \
+            --vault-password-file /tmp/vault_pass
+          rm /tmp/vault_pass
+
+      - name: Verify deployment
+        run: |
+          sleep 10
+          curl -f http://${{ secrets.VM_HOST }}:5000/health || exit 1
+          echo "✅ Application is healthy!"

.github/workflows/python-ci.yml

@@ -0,0 +1,86 @@
+name:  CI 
+
+on:
+  push:
+    branches:
+      - master
+      - lab03
+    paths:
+      - 'app_python/**'
+      - '.github/workflows/python-ci.yml'
+  pull_request:
+    branches:
+      - master
+    paths:
+      - 'app_python/**'
+      - '.github/workflows/python-ci.yml'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+          cache: "pip"
+
+      - name: Install dependencies
+        run: |
+          pip install -r app_python/requirements.txt
+          pip install -r app_python/requirements-dev.txt
+
+      - name: Run linter
+        run: |
+          cd app_python
+          flake8 app.py
+
+      - name: Run tests
+        run: |
+          cd app_python
+          pytest -v
+
+      - name: Install Snyk CLI
+        run: |
+          npm install -g snyk
+
+      - name: Authenticate Snyk
+        run: |
+          snyk auth ${{ secrets.SYNK_TOKEN }}
+
+      - name: Run Snyk security scan
+        run: |
+          cd app_python
+          snyk test --severity-threshold=high
+
+
+
+
+  docker:
+    needs: test
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push'
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Generate version
+        run: echo "VERSION=$(date +%Y.%m)" >> $GITHUB_ENV
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: app_python
+          push: true
+          tags: |
+            ${{ secrets.DOCKERHUB_USERNAME }}/devops-info-service:${{ env.VERSION }}
+            ${{ secrets.DOCKERHUB_USERNAME }}/devops-info-service:latest

.github/workflows/terraform-ci.yml

@@ -0,0 +1,124 @@
+name: Terraform CI/CD
+
+on:
+  push:
+    branches:
+      - master
+      - lab04
+    paths:
+      - 'terraform/**'
+      - '.github/workflows/terraform-ci.yml'
+  pull_request:
+    branches:
+      - master
+      - lab04
+    paths:
+      - 'terraform/**'
+      - '.github/workflows/terraform-ci.yml'
+
+jobs:
+  terraform-validation:
+    name: Terraform Validation
+    runs-on: ubuntu-latest
+
+    defaults:
+      run:
+        working-directory: ./terraform
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: latest
+
+      - name: Terraform Format Check
+        id: fmt
+        run: terraform fmt -check -recursive
+        continue-on-error: true
+
+      - name: Terraform Init
+        id: init
+        run: terraform init -backend=false
+
+      - name: Terraform Validate
+        id: validate
+        run: terraform validate -no-color
+
+      - name: Setup TFLint
+        uses: terraform-linters/setup-tflint@v4
+        with:
+          tflint_version: v0.61.0
+
+      - name: Show TFLint version
+        run: tflint --version
+
+      - name: Initialize TFLint
+        run: tflint --init
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run TFLint
+        id: tflint
+        run: tflint --format compact --recursive
+        continue-on-error: true
+
+      - name: Comment PR with Results
+        if: github.event_name == 'pull_request'
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const output = `#### Terraform CI Results 🔍
+
+            | Check | Status |
+            |-------|--------|
+            | **Terraform Format** | \`${{ steps.fmt.outcome }}\` |
+            | **Terraform Init** | \`${{ steps.init.outcome }}\` |
+            | **Terraform Validate** | \`${{ steps.validate.outcome }}\` |
+            | **TFLint** | \`${{ steps.tflint.outcome }}\` |
+
+            <details><summary>📋 Show Details</summary>
+
+            #### Terraform Format Check
+            ${{ steps.fmt.outcome == 'success' && '✅ All files are properly formatted' || '❌ Some files need formatting. Run: `terraform fmt -recursive`' }}
+
+            #### Terraform Init
+            ${{ steps.init.outcome == 'success' && '✅ Initialization successful' || '❌ Initialization failed' }}
+
+            #### Terraform Validate
+            ${{ steps.validate.outcome == 'success' && '✅ Configuration is valid' || '❌ Configuration has syntax errors' }}
+
+            #### TFLint
+            ${{ steps.tflint.outcome == 'success' && '✅ No linting issues found' || '⚠️ Linting issues detected (see logs)' }}
+
+            </details>
+
+            ---
+            *Pusher: @${{ github.actor }} | Workflow: \`${{ github.workflow }}\`*`;
+
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            });
+
+
+      - name: Fail workflow if critical validation fails
+        if: steps.init.outcome == 'failure' || steps.validate.outcome == 'failure'
+        run: |
+          echo "❌ Critical validation failed!"
+          echo "Init status: ${{ steps.init.outcome }}"
+          echo "Validate status: ${{ steps.validate.outcome }}"
+          exit 1
+
+      - name: Warning if format or lint fails
+        if: steps.fmt.outcome == 'failure' || steps.tflint.outcome == 'failure'
+        run: |
+          echo "⚠️ Non-critical checks failed (format or lint)"
+          echo "Format status: ${{ steps.fmt.outcome }}"
+          echo "TFLint status: ${{ steps.tflint.outcome }}"
+          echo "Please fix these issues, but workflow will not fail."

.gitignore

@@ -1 +1,19 @@
-test
+test
+
+# Terraform
+terraform/.terraform/
+terraform/.terraform.lock.hcl
+terraform/terraform.tfstate
+terraform/terraform.tfstate.backup
+terraform/key.json
+terraform/*.tfvars
+
+# Pulumi
+.pulumi/
+venv/
+__pycache__/
+*.pyc
+.env
+key.json
+Pulumi.*.yaml
+!Pulumi.yaml

ansible/ansible.cfg

@@ -0,0 +1,11 @@
+[defaults]
+inventory = inventory/hosts.ini
+roles_path = roles
+host_key_checking = False
+retry_files_enabled = False
+remote_user = ubuntu
+
+[privilege_escalation]
+become = True
+become_method = sudo
+become_user = root