feat: Add playbooks to manage supabase
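--- /dev/null
+++ b/playbooks/provision_supabase_project.yml
@@ -0,0 +1,58 @@
+---
+# Provision BAB project secrets in Vault from the toallab Supabase admin instance.
+#
+# Reads admin-level secrets from supabase_admin_vault_path (kv/data/toallab/supabase),
+# constructs the per-project Postgres URL, and writes the full set of app-facing secrets
+# to supabase_vault_path (per-environment, e.g. kv/data/oys/dev/supabase).
+#
+# ASSUMED: kv/data/toallab/supabase contains keys: anon_key, service_key, db_password
+# ASSUMED: supabase_api_url, supabase_db_host, supabase_db_port, supabase_db_name
+# are set in host_vars for each supabase logical host.
+#
+# Usage:
+# ansible-navigator run playbooks/provision_supabase_project.yml --mode stdout --limit supabase-dev
+# ansible-navigator run playbooks/provision_supabase_project.yml --mode stdout --limit supabase-prod
+
+- name: Provision Supabase project secrets in Vault
+  hosts: supabase
+  connection: local
+  gather_facts: false
+
+  tasks:
+    - name: Read Supabase admin secrets from Vault
+      community.hashi_vault.vault_kv2_get:
+        path: "{{ supabase_admin_vault_path | regex_replace('^kv/data/', '') }}"
+        engine_mount_point: kv
+        url: "{{ vault_addr }}"
+      register: _admin
+      no_log: true
+
+    - name: Verify required keys are present in admin vault
+      ansible.builtin.assert:
+        that:
+          - _admin.secret.anon_key | default('') | length > 0
+          - _admin.secret.service_key | default('') | length > 0
+          - _admin.secret.db_password | default('') | length > 0
+        fail_msg: >-
+          Missing required keys in {{ supabase_admin_vault_path }}.
+          Expected: anon_key, service_key, db_password.
+      no_log: true
+
+    - name: Write project secrets to Vault
+      community.hashi_vault.vault_kv2_write:
+        path: "{{ supabase_vault_path | regex_replace('^kv/data/', '') }}"
+        engine_mount_point: kv
+        url: "{{ vault_addr }}"
+        data:
+          url: "{{ supabase_api_url }}"
+          anon_key: "{{ _admin.secret.anon_key }}"
+          service_key: "{{ _admin.secret.service_key }}"
+          postgres_url: >-
+            postgresql://postgres:{{ _admin.secret.db_password }}@{{ supabase_db_host }}:{{ supabase_db_port }}/{{ supabase_db_name }}
+      no_log: true
+
+    - name: Report result
+      ansible.builtin.debug:
+        msg: >-
+          Project secrets written to {{ supabase_vault_path }}
+          (url, anon_key, service_key, postgres_url)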
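Review bot: `postgres_url` in the "Write project secrets to Vault" task splices `_admin.secret.db_password` into the connection URL verbatim, so a password containing URL-reserved characters (`@`, `:`, `/`, `#`, `%`) produces a URL that either fails to parse or resolves to the wrong host; the password should be percent-encoded, e.g. `postgresql://postgres:{{ _admin.secret.db_password | urlencode }}@{{ supabase_db_host }}:{{ supabase_db_port }}/{{ supabase_db_name }}` (confirm the filter's safe-character set covers `/` for your Ansible version). The `no_log: true` on the assert task appears to censor `fail_msg` along with the rest of the result, so an operator sees only the hidden-output notice instead of the expected key list; since the conditions and message name only key names, not values, that `no_log` looks unnecessary. Note also that `vault_kv2_write` writes a new version containing only the four keys under `data`, so any other keys already stored at `supabase_vault_path` would be dropped by this play — worth stating in the header comment if that replacement is intended.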