@cloudnull
Created November 10, 2022 14:28
Teleport upgrade playbook
# This playbook is used to upgrade teleport in place. It deploys the apt repo using facts.
#
# Invocation:
# $ ansible-playbook -i ~/projects/teleport-inventory.py ~/projects/teleport-playbook.yml -e ansible_user=debian --limit '!teleport-server'
#
# NOTE: This playbook execution uses a dynamic inventory and a limit, which ensures that the playbook is not executed against
# the teleport server. The playbook can be used on the teleport server, but it has to be done in isolation; a restart of the server
# will impact client connectivity.
---
- name: Teleport updates
  hosts: all
  become: true
  vars:
    teleport_release: stable/v11
  tasks:
    - name: Get the teleport gpg key
      ansible.builtin.get_url:
        url: https://apt.releases.teleport.dev/gpg
        dest: /usr/share/keyrings/teleport-archive-keyring.asc
        mode: '0644'

    # The signed-by option scopes the downloaded key to this repo only.
    - name: Update teleport apt repo
      ansible.builtin.apt_repository:
        repo: "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] https://apt.releases.teleport.dev/{{ ansible_distribution | lower }} {{ ansible_distribution_release | lower }} {{ teleport_release }}"
        state: present
        filename: teleport

    - name: Update packages
      ansible.builtin.apt:
        name: teleport
        state: latest
        update_cache: true

    # NOTE: Fire and forget restart, connections can be recreated during this process.
    - name: Restart the teleport service
      ansible.builtin.systemd:
        name: teleport
        daemon_reload: true
        state: restarted
      async: 45
      poll: 0

    # NOTE: we wait up to 300 seconds (5 minutes) for the node to come back after a restart.
    - name: Wait 300 seconds
      ansible.builtin.wait_for_connection:
        timeout: 300