Playbook to install and setup vault
This commit is contained in:
parent
4fe19fecac
commit
20de3a0279
142
playbook/install_vault.yml
Normal file
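--- /dev/null
+++ b/playbook/install_vault.yml
@@ -0,0 +1,142 @@
+- hosts: all
+become_user: root
+
+environment:
+VAULT_ADDR: "{{ VAULT_ADDR_ENV }}"
+
+tasks:
+- name: Install Dependencies | pip install ply version 3.8 for hvac[parser]
+pip:
+name: ply
+version: "3.8"
+extra_args: --user
+
+- name: Install Dependencies | Install python packages
+pip:
+name:
+- hvac
+- hvac[parser]
+extra_args: --user
+
+##Install Hashicorp Vault
+
+- name: Install Vault | Add GPG Key
+shell:
+cmd: "curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -"
+
+- name: Install Vault | Get release codename
+shell:
+cmd: "lsb_release -cs"
+register: codename
+
+- name: Install Vault | Add repository
+apt_repository:
+repo: "sudo apt-add-repository 'deb [arch=amd64] https://apt.releases.hashicorp.com {{ codename }} main'"
+
+- name: Install Vault | install Hashicorp Vault
+apt:
+name: vault
+state: latest
+update_cache: yes
+
+- name: Install Vault | Create a directory if it does not exist
+file:
+path:
+- "{{ vaultdata }}"
+state: directory
+recurse: yes
+owner: vault
+group: vault
+mode: '0777'
+
+- name: Install Vault | Remove file vault.hcl (delete file)
+file:
+path: /etc/vault.d/vault.hcl
+state: absent
+
+- name: Install Vault | Copy Config file
+template:
+dest: /etc/vault.d/vault.hcl
+src: config.hcl.j2
+owner: vault
+group: vault
+mode: '0644'
+
+- name: Install Vault | Start vault service
+systemd:
+state: restarted
+name: vault
+enabled: yes
+daemon_reload: yes
+
+- name: Install Vault | Open port 8200
+ansible.posix.firewalld:
+port: 8200/tcp
+permanent: yes
+state: enabled
+
+- name: Install Vault | reload service firewalld
+systemd:
+name: firewalld
+state: reloaded
+
+## Create Hashicorp Vault keys and token
+
+- name: Vault Keys/tokens | Create unseal directories
+file:
+path: "{{ unseal_keys_dir_output }}"
+state: directory
+
+- name: Vault Keys/tokens | Create root key directories
+file:
+path: "{{ root_token_dir_output }}"
+state: directory
+
+- name: Vault Keys/tokens | Initialise Vault operator
+shell: vault operator init -key-shares=5 -key-threshold=3 -format json
+environment:
+VAULT_ADDR: "{{ VAULT_ADDR_ENV }}"
+register: vault_init_results
+
+- name: Vault Keys/tokens | Parse output of vault init
+set_fact:
+vault_init_parsed: "{{ vault_init_results.stdout | from_json }}"
+
+- name: Vault Keys/tokens | Write unseal keys to files
+copy:
+dest: "{{ unseal_keys_dir_output }}/unseal_key_{{ item.0 }}"
+content: "{{ item.1 }}"
+with_indexed_items: "{{ vault_init_parsed.unseal_keys_hex }}"
+
+- name: Vault Keys/tokens | Write root token to file
+copy:
+content: "{{ vault_init_parsed.root_token }}"
+dest: "{{root_token_dir_output}}/rootkey"
+
+- name: Vault Keys/tokens | set root token as fact
+set_fact:
+vault_token: "{{ vault_init_parsed.root_token }}"
+cacheable: yes
+
+- debug: msg="{{ vault_token }}"
+
+- name: Vault Keys/tokens | Add environmental vars
+blockinfile:
+path: /etc/environment
+block: |
+export VAULT_ADDR="{{ VAULT_ADDR_ENV }}"
+export VAULT_TOKEN="{{ vault_token }}"
+
+## unseal vault
+
+- name: Vault Keys/tokens | Reading unseal key contents
+command: cat {{item}}
+register: unseal_keys
+with_fileglob: "{{ unseal_keys_dir_output }}/*"
+
+- name: Vault Keys/tokens | Unseal vault with unseal keys
+shell: |
+vault operator unseal {{ item.stdout }}
+environment:
+VAULT_ADDR: "{{ VAULT_ADDR_ENV }}"
+with_items: "{{unseal_keys.results}}"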
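Review bot: The Vault root token is exposed in three places the commit does not guard: the `- debug: msg="{{ vault_token }}"` task prints it into the playbook log, the blockinfile task exports it into the world-readable `/etc/environment`, and `cacheable: yes` persists it in the fact cache; drop the debug task and add `no_log: true` to the tasks that register, write or export `vault_init_results`/`vault_token`. The data directory is created with `mode: '0777'`, which leaves Vault's storage world-writable — `mode: '0750'` together with the existing `owner: vault`/`group: vault` is sufficient, and `file.path` takes a single string rather than the one-element list given for `{{ vaultdata }}`. The `apt_repository` task also looks wrong: `repo:` should be the bare `deb [arch=amd64] https://apt.releases.hashicorp.com {{ codename.stdout }} main` line, since the value currently embeds a `sudo apt-add-repository` prefix and `codename` is a registered result dict, not a string. Note too that the GPG key is added by piping `curl` into the deprecated `apt-key add`, and `state: latest` leaves the installed Vault version unpinned. Booleans written as `yes` should be `true`/`false` per yamllint `truthy`.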