Vault HA init
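---
# Post-unseal configuration of a Vault HA cluster through the HTTP API:
# audit backend, policies, and the github / aws-ec2 auth backends.
# Expects vault_api_url, vault_root_token, vault_policies, the
# vault_auth_github_* variables and vault_auth_aws_ec2_roles to be defined
# by the caller. The uri module leaves TLS verification on by default; do
# not set validate_certs to false here.
#
# Every task that sends the root token in X-Vault-Token sets no_log so the
# token does not show up in verbose output, callback plugins or log files.
# The cost is that failures of those tasks are reported without details;
# re-run a single task without no_log if one needs debugging.

# Deliberately not run_once: in an HA cluster every node has to be unsealed,
# so each host polls its own seal status (up to 90 x 10 s).
- name: "Waiting for the Vault to be unsealed"
  uri:
    url: '{{ vault_api_url }}/v1/sys/seal-status'
    return_content: true
  register: vault_seal_status
  until: not vault_seal_status.json.sealed
  retries: 90
  delay: 10
  changed_when: false

# Idempotency check for the audit task below; the mount list is keyed by
# mount path, hence the trailing slash in the lookups.
- name: "List the mounted audit backends"
  uri:
    url: '{{ vault_api_url }}/v1/sys/audit'
    headers:
      X-Vault-Token: '{{ vault_root_token }}'
  register: vault_audit_backends
  run_once: true
  no_log: true

- name: "Enable the syslog audit backend"
  uri:
    url: '{{ vault_api_url }}/v1/sys/audit/syslog'
    method: PUT
    body_format: json
    body:
      type: syslog
    headers:
      X-Vault-Token: '{{ vault_root_token }}'
    status_code: 204
  when: vault_audit_backends.json.data['syslog/'] is not defined
  run_once: true
  no_log: true

# Policies are always re-written (changed_when: true): Vault returns 204
# regardless of whether the rules differ, so there is no cheap way to tell.
- name: "Configure simple policies"
  uri:
    url: '{{ vault_api_url }}/v1/sys/policy/{{ item }}'
    method: PUT
    body_format: json
    body:
      rules: "{{ lookup('template', 'policies/simple.hcl') }}"
    headers:
      X-Vault-Token: '{{ vault_root_token }}'
    status_code: 204
  changed_when: true
  run_once: true
  no_log: true
  with_items: "{{ vault_policies }}"

- name: "Configure complex policies"
  uri:
    url: '{{ vault_api_url }}/v1/sys/policy/devops-policy'
    method: PUT
    body_format: json
    body:
      rules: "{{ lookup('template', 'policies/devops.hcl.j2') }}"
    headers:
      X-Vault-Token: '{{ vault_root_token }}'
    status_code: 204
  changed_when: true
  run_once: true
  no_log: true

- name: "List the mounted auth backends"
  uri:
    url: '{{ vault_api_url }}/v1/sys/auth'
    headers:
      X-Vault-Token: '{{ vault_root_token }}'
  register: vault_auth_backends
  run_once: true
  no_log: true

- name: "Enable the github auth backend"
  uri:
    url: '{{ vault_api_url }}/v1/sys/auth/github'
    method: PUT
    body_format: json
    body:
      type: github
    headers:
      X-Vault-Token: '{{ vault_root_token }}'
    status_code: 204
  changed_when: true
  when: vault_auth_backends.json.data['github/'] is not defined
  run_once: true
  no_log: true

# Maps the whole "devops" team of the configured organization to
# devops-policy; membership changes on the GitHub side take effect at the
# next login, not at playbook time.
- name: "Configure the github auth backend"
  uri:
    url: '{{ vault_api_url }}/v1/{{ item.endpoint }}'
    method: PUT
    body_format: json
    body: '{{ item.body }}'
    headers:
      X-Vault-Token: '{{ vault_root_token }}'
    status_code: 204
  changed_when: true
  run_once: true
  no_log: true
  with_items:
    - endpoint: 'auth/github/config'
      body:
        organization: '{{ vault_auth_github_organization }}'
        ttl: '{{ vault_auth_github_ttl }}'
        max_ttl: '{{ vault_auth_github_max_ttl }}'
    - endpoint: 'auth/github/map/teams/devops'
      body:
        value: devops-policy

- name: "Enable the aws ec2 auth backend"
  uri:
    url: '{{ vault_api_url }}/v1/sys/auth/aws-ec2'
    method: PUT
    body_format: json
    body:
      type: aws-ec2
    headers:
      X-Vault-Token: '{{ vault_root_token }}'
    status_code: 204
  changed_when: true
  when: vault_auth_backends.json.data['aws-ec2/'] is not defined
  run_once: true
  no_log: true

# Each item is sent verbatim as the role body, so the "role" key is part of
# the payload as well as the URL; the API ignores it in the body.
- name: "Configure the aws-ec2 auth backend roles"
  uri:
    url: '{{ vault_api_url }}/v1/auth/aws-ec2/role/{{ item.role }}'
    method: PUT
    body_format: json
    body: '{{ item }}'
    headers:
      X-Vault-Token: '{{ vault_root_token }}'
    status_code: 204
  changed_when: true
  run_once: true
  no_log: true
  with_items: '{{ vault_auth_aws_ec2_roles }}'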
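---
# One-time initialisation of a Vault HA cluster: initialise once, then hand
# out the unseal key shares and the root token by email.
# Expects vault_api_url, vault_init_secret_shares, vault_init_secret_threshold,
# vault_init_pgp_keys and vault_init_email_addresses to be defined by the
# caller, plus the keys.txt and token.txt templates.
#
# The key shares and the root token travel through the registered result,
# two facts and two shell command lines, so every task that touches them
# sets no_log; otherwise they are printed in verbose output and logs.
- name: "Get Vault status"
  uri:
    url: '{{ vault_api_url }}/v1/sys/init'
    return_content: true
  register: vault_status

# Only runs on a fresh cluster; on an already initialised cluster the task
# is skipped and every task below is skipped with it, so vault_root_token
# has to be supplied by other means for the post-unseal configuration.
# The key shares in keys_base64 are only encrypted if vault_init_pgp_keys
# carries one PGP key per share — the caller has to guarantee that.
# NOTE(review): the root token is returned in clear by this call; Vault's
# init API can encrypt it too (root_token_pgp_key) — confirm the target
# Vault version supports it before relying on it.
- name: "Initialize the vault"
  uri:
    url: '{{ vault_api_url }}/v1/sys/init'
    method: PUT
    body_format: json
    body:
      secret_shares: '{{ vault_init_secret_shares }}'
      secret_threshold: '{{ vault_init_secret_threshold }}'
      pgp_keys: '{{ vault_init_pgp_keys }}'
  register: vault_init
  changed_when: vault_init.json.keys_base64 is defined
  when: not vault_status.json.initialized
  run_once: true
  no_log: true

# The "is defined and not skipped" chain is needed because a skipped
# register has no .json key at all.
- name: "Define a temporary variable containing the keys"
  set_fact:
    vault_keys_base64: '{{ vault_init.json.keys_base64 }}'
  run_once: true
  when: vault_init is defined and not vault_init|skipped and vault_init.json is defined and vault_init.json.keys_base64 is defined
  no_log: true

# Share i goes to address i: vault_init_email_addresses must have at least
# as many entries as vault_init_secret_shares, or this fails on the first
# missing index. The share is interpolated into the command line, so it is
# briefly visible in the process list of the host running the task.
- name: "Send keys by email"
  shell: "echo '{{ lookup('template', 'keys.txt') }}' | mail -s 'Your Vault key' {{ vault_init_email_addresses[item.0] }}"
  with_indexed_items: "{{ vault_keys_base64|default([]) }}"
  run_once: true
  when: vault_init is defined and not vault_init|skipped and vault_keys_base64 is defined
  no_log: true

- name: "Define a temporary variable containing the root token"
  set_fact:
    vault_root_token: '{{ vault_init.json.root_token }}'
  run_once: true
  when: vault_init is defined and not vault_init|skipped and vault_init.json is defined and vault_init.json.root_token is defined
  no_log: true

# The root token always goes to the first address; same process-list
# caveat as for the key shares above.
- name: "Send the root token by email"
  shell: "echo '{{ lookup('template', 'token.txt') }}' | mail -s 'Your Vault root token' {{ vault_init_email_addresses[0] }}"
  run_once: true
  when: vault_init is defined and not vault_init|skipped and vault_root_token is defined
  no_log: true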