From 20de3a02794b4d01459038cdeff3dfe370078c26 Mon Sep 17 00:00:00 2001 From: swapnil Date: Thu, 31 Mar 2022 18:08:20 +0530 Subject: [PATCH] Playbook to install and setup vault --- playbook/install_vault.yml | 142 +++++++++++++++++++++++++++++++++++++ 1 file changed, 142 insertions(+) create mode 100644 playbook/install_vault.yml diff --git a/playbook/install_vault.yml b/playbook/install_vault.yml new file mode 100644 index 0000000..c665101 --- /dev/null +++ b/playbook/install_vault.yml 
@@ -0,0 +1,142 @@ +- hosts: all + become_user: root + + environment: + VAULT_ADDR: "{{ VAULT_ADDR_ENV }}" + + tasks: + - name: Install Dependencies | pip install ply version 3.8 for hvac[parser] + pip: + name: ply + version: "3.8" + extra_args: --user + + - name: Install Dependencies | Install python packages + pip: + name: + - hvac + - hvac[parser] + extra_args: --user + +##Install Hashicorp Vault + + - name: Install Vault | Add GPG Key + shell: + cmd: "curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -" + + - name: Install Vault | Get release codename + shell: + cmd: "lsb_release -cs" + register: codename + + - name: Install Vault | Add repository + apt_repository: + repo: "sudo apt-add-repository 'deb [arch=amd64] https://apt.releases.hashicorp.com {{ codename }} main'" + + - name: Install Vault | install Hashicorp Vault + apt: + name: vault + state: latest + update_cache: yes + + - name: Install Vault | Create a directory if it does not exist + file: + path: + - "{{ vaultdata }}" + state: directory + recurse: yes + owner: vault + group: vault + mode: '0777' + + - name: Install Vault | Remove file vault.hcl (delete file) + file: + path: /etc/vault.d/vault.hcl + state: absent + + - name: Install Vault | Copy Config file + template: + dest: /etc/vault.d/vault.hcl + src: config.hcl.j2 + owner: vault + group: vault + mode: '0644' + + - name: Install Vault | Start vault service + systemd: + state: restarted + name: vault + enabled: yes + daemon_reload: yes + + - name: Install Vault | Open port 8200 + ansible.posix.firewalld: + port: 8200/tcp + permanent: yes + state: enabled + + - name: Install Vault | reload service firewalld + systemd: + name: firewalld + state: reloaded + +## Create Hashicorp Vault keys and token + + - name: Vault Keys/tokens | Create unseal directories + file: + path: "{{ unseal_keys_dir_output }}" + state: directory + + - name: Vault Keys/tokens | Create root key directories + file: + path: "{{ root_token_dir_output }}" + 
state: directory + + - name: Vault Keys/tokens | Initialise Vault operator + shell: vault operator init -key-shares=5 -key-threshold=3 -format json + environment: + VAULT_ADDR: "{{ VAULT_ADDR_ENV }}" + register: vault_init_results + + - name: Vault Keys/tokens | Parse output of vault init + set_fact: + vault_init_parsed: "{{ vault_init_results.stdout | from_json }}" + + - name: Vault Keys/tokens | Write unseal keys to files + copy: + dest: "{{ unseal_keys_dir_output }}/unseal_key_{{ item.0 }}" + content: "{{ item.1 }}" + with_indexed_items: "{{ vault_init_parsed.unseal_keys_hex }}" + + - name: Vault Keys/tokens | Write root token to file + copy: + content: "{{ vault_init_parsed.root_token }}" + dest: "{{root_token_dir_output}}/rootkey" + + - name: Vault Keys/tokens | set root token as fact + set_fact: + vault_token: "{{ vault_init_parsed.root_token }}" + cacheable: yes + + - debug: msg="{{ vault_token }}" + + - name: Vault Keys/tokens | Add environmental vars + blockinfile: + path: /etc/environment + block: | + export VAULT_ADDR="{{ VAULT_ADDR_ENV }}" + export VAULT_TOKEN="{{ vault_token }}" + + ## unseal vault + + - name: Vault Keys/tokens | Reading unseal key contents + command: cat {{item}} + register: unseal_keys + with_fileglob: "{{ unseal_keys_dir_output }}/*" + + - name: Vault Keys/tokens | Unseal vault with unseal keys + shell: | + vault operator unseal {{ item.stdout }} + environment: + VAULT_ADDR: "{{ VAULT_ADDR_ENV }}" + with_items: "{{unseal_keys.results}}"
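Review bot: The root token and unseal keys are exposed in several places in this hunk: `- debug: msg="{{ vault_token }}"` prints the root token into the job output, the `blockinfile` task persists it in the world-readable `/etc/environment` for every login session, and the init, copy and unseal tasks register or write key material without `no_log: true`. Add `no_log: true` to the `vault operator init`, `Write unseal keys to files`, `Write root token to file`, `Reading unseal key contents` and `Unseal vault with unseal keys` tasks, drop the debug task, give the two `copy` tasks an explicit restrictive `mode: '0600'`, and reconsider exporting VAULT_TOKEN system-wide at all. Separately, the `apt_repository` task passes a shell command as the repo line and interpolates the registered dict rather than its stdout; it should read `repo: "deb [arch=amd64] https://apt.releases.hashicorp.com {{ codename.stdout }} main"`. `mode: '0777'` on `{{ vaultdata }}` makes the storage directory world-writable although `owner: vault` is already set, so `'0750'` suffices, and `become_user: root` has no effect without `become: true` on the play. Note also that `with_fileglob` evaluates on the control node while `copy` wrote the unseal key files on the managed host, so the unseal loop is likely empty unless the target is localhost.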