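---
# Installs HashiCorp Vault from the official apt repository, writes its
# configuration, opens the listener port, then initialises and unseals it.
#
# Inputs (expected from inventory / extra-vars):
#   VAULT_ADDR_ENV          - Vault API address, e.g. https://vault.example.com:8200
#   vaultdata               - Vault storage directory (must match config.hcl.j2)
#   unseal_keys_dir_output  - directory on the target host for the unseal key shares
#   root_token_dir_output   - directory on the target host for the initial root token
#   vault_key_shares / vault_key_threshold - Shamir parameters (default 5 / 3)
#
# The unseal shares and the initial root token are the crown jewels of this
# deployment: every task that touches them runs with no_log and writes 0600
# files, and the root token is never placed in /etc/environment. Move the
# shares off the host (or switch to auto-unseal) and revoke the initial root
# token once bootstrap is complete.
- hosts: all
  # become_user alone has no effect; become must be enabled for apt, /etc,
  # systemd and firewalld below (the original fell back to `sudo` inside shell).
  become: true
  become_user: root
  vars:
    # Dedicated keyring so the HashiCorp key only signs the HashiCorp repo.
    hashicorp_keyring: /usr/share/keyrings/hashicorp-archive-keyring.asc
  environment:
    # Use an https:// address: `operator init` and `operator unseal` send the
    # unseal shares and root token over this connection.
    VAULT_ADDR: "{{ VAULT_ADDR_ENV }}"
  tasks:
    # With become active these land in root's user site (--user), which is
    # where the original put them too when it ran as root.
    - name: Install Dependencies | pip install ply version 3.8 for hvac[parser]
      # ply pinned before hvac[parser] is installed (original ordering;
      # presumably for pyhcl compatibility - confirm when upgrading).
      ansible.builtin.pip:
        name: ply
        version: "3.8"
        extra_args: --user

    - name: Install Dependencies | Install python packages
      ansible.builtin.pip:
        name:
          - hvac
          - hvac[parser]
        extra_args: --user

    ## Install Hashicorp Vault
    - name: Install Vault | Fetch HashiCorp signing key into a dedicated keyring
      # Replaces `curl | apt-key add`: apt-key is deprecated and trusts the key
      # for every repository. apt >= 1.4 accepts the ASCII-armored key directly
      # in signed-by.
      # TODO(review): verify the fingerprint against HashiCorp's published value
      # on first use (e.g. `gpg --show-keys {{ hashicorp_keyring }}`) before
      # trusting the downloaded file.
      ansible.builtin.get_url:
        url: https://apt.releases.hashicorp.com/gpg
        dest: "{{ hashicorp_keyring }}"
        owner: root
        group: root
        mode: '0644'

    - name: Install Vault | Get release codename
      ansible.builtin.command: lsb_release -cs
      register: codename
      changed_when: false   # read-only query

    - name: Install Vault | Add repository
      # `repo` is the apt source line itself, not a shell command, and the
      # registered result is a dict, so the codename is codename.stdout.
      # arch is hard-coded to amd64 as in the original; adjust for arm64 hosts.
      ansible.builtin.apt_repository:
        repo: "deb [arch=amd64 signed-by={{ hashicorp_keyring }}] https://apt.releases.hashicorp.com {{ codename.stdout }} main"
        state: present
        filename: hashicorp

    - name: Install Vault | install Hashicorp Vault
      ansible.builtin.apt:
        name: vault
        # present rather than latest: upgrading the secrets engine (and the
        # restart that follows) should be a deliberate change, not a side
        # effect of re-running the play.
        state: present
        update_cache: true

    - name: Install Vault | Create the storage directory
      # Vault's storage backend lives here; only the vault user needs access.
      # The original 0777 (applied recursively) made the whole secrets barrier
      # world-writable. `path` is a single string, not a list.
      ansible.builtin.file:
        path: "{{ vaultdata }}"
        state: directory
        owner: vault
        group: vault
        mode: '0700'

    - name: Install Vault | Copy Config file
      # template overwrites the packaged vault.hcl, so the separate delete
      # step was redundant. 0640: the config may name TLS keys or storage
      # credentials, so keep it unreadable to other local users.
      ansible.builtin.template:
        src: config.hcl.j2
        dest: /etc/vault.d/vault.hcl
        owner: vault
        group: vault
        mode: '0640'

    - name: Install Vault | Start vault service
      # NOTE: a restart seals Vault; the unseal tasks at the end re-open it.
      ansible.builtin.systemd:
        name: vault
        state: restarted
        enabled: true
        daemon_reload: true

    - name: Install Vault | Open port 8200
      # Opens the API listener to every source. Narrow it with `source:` or a
      # rich rule where the client set is known.
      ansible.posix.firewalld:
        port: 8200/tcp
        permanent: true
        immediate: true   # applies to the running config; replaces the separate reload
        state: enabled

    ## Create Hashicorp Vault keys and token
    - name: Vault Keys/tokens | Create unseal directories
      ansible.builtin.file:
        path: "{{ unseal_keys_dir_output }}"
        state: directory
        mode: '0700'

    - name: Vault Keys/tokens | Create root key directories
      ansible.builtin.file:
        path: "{{ root_token_dir_output }}"
        state: directory
        mode: '0700'

    - name: Vault Keys/tokens | Initialise Vault operator
      # Runs once: `creates` skips it when the root token file already exists,
      # so re-running the play no longer fails on an already-initialised Vault.
      ansible.builtin.command:
        cmd: >-
          vault operator init
          -key-shares={{ vault_key_shares | default(5) }}
          -key-threshold={{ vault_key_threshold | default(3) }}
          -format=json
        creates: "{{ root_token_dir_output }}/rootkey"
      register: vault_init_results
      no_log: true   # stdout holds every unseal share and the root token

    - name: Vault Keys/tokens | Parse output of vault init
      ansible.builtin.set_fact:
        vault_init_parsed: "{{ vault_init_results.stdout | from_json }}"
      when: vault_init_results is changed
      no_log: true

    - name: Vault Keys/tokens | Write unseal keys to files
      # File names unseal_key_0 .. unseal_key_N-1 match the original
      # with_indexed_items layout. default([]) keeps the loop valid on re-runs
      # where init was skipped (loops are evaluated before `when`).
      ansible.builtin.copy:
        dest: "{{ unseal_keys_dir_output }}/unseal_key_{{ key_index }}"
        content: "{{ item }}"
        mode: '0600'
      loop: "{{ vault_init_parsed.unseal_keys_hex | default([]) }}"
      loop_control:
        index_var: key_index
      when: vault_init_results is changed
      no_log: true

    - name: Vault Keys/tokens | Write root token to file
      ansible.builtin.copy:
        content: "{{ vault_init_parsed.root_token }}"
        dest: "{{ root_token_dir_output }}/rootkey"
        mode: '0600'
      when: vault_init_results is changed
      no_log: true

    - name: Vault Keys/tokens | Read root token back from its file
      # Sourcing the fact from the file (not the init output) gives later
      # plays the same vault_token on re-runs, when init is skipped.
      ansible.builtin.slurp:
        src: "{{ root_token_dir_output }}/rootkey"
      register: root_token_file
      no_log: true

    - name: Vault Keys/tokens | set root token as fact
      # The original printed this value with a debug task; that line is gone -
      # the root token must never reach stdout or the job log.
      ansible.builtin.set_fact:
        vault_token: "{{ root_token_file.content | b64decode }}"
        # NOTE(review): cacheable stores the token in the fact cache if one is
        # configured; disable this if that backend is shared or persistent.
        cacheable: true
      no_log: true

    - name: Vault Keys/tokens | Add environmental vars
      # Only the address goes into the world-readable /etc/environment. The
      # root token is deliberately NOT persisted there (that handed it to every
      # local process and login shell); pass it per task instead via
      #   environment: { VAULT_TOKEN: "{{ vault_token }}" }
      # with no_log, and revoke it after bootstrap.
      ansible.builtin.blockinfile:
        path: /etc/environment
        block: |
          export VAULT_ADDR="{{ VAULT_ADDR_ENV }}"

    ## unseal vault
    - name: Vault Keys/tokens | Reading unseal key contents
      # slurp reads the files on the target host. The original with_fileglob
      # is a lookup and globs on the controller, so against a remote host it
      # found nothing and Vault stayed sealed. key-threshold shares suffice.
      ansible.builtin.slurp:
        src: "{{ unseal_keys_dir_output }}/unseal_key_{{ item }}"
      loop: "{{ range(vault_key_threshold | default(3)) | list }}"
      register: unseal_keys
      no_log: true

    - name: Vault Keys/tokens | Unseal vault with unseal keys
      # The share is still visible on the command line for the lifetime of
      # the process (ps, audit logs); no_log keeps it out of Ansible's output.
      ansible.builtin.command: vault operator unseal {{ item.content | b64decode }}
      loop: "{{ unseal_keys.results }}"
      no_log: true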