@jvanderhoof
Created February 21, 2018 19:08
Example Conjur Policy files using the Conjur Ansible plugin
```yaml
# config_management/ansible.yml
- !policy
  id: ansible
  body:
  - !layer
  - !host-factory
    layers: [ !layer ]
```
```yaml
# Even though applications don't have layers, hosts, and host factory tokens,
# defining a policy for each application allows organization, and makes it simple
# to assign read and update permissions to various groups
# applications/foo.yml
- !policy
  id: foo
  body:
  - &variables
    - !variable database/username
    - !variable database/password
  - !group secrets-users
  - !group secrets-managers
  # secrets-users can read and execute
  - !permit
    resource: *variables
    privileges: [ read, execute ]
    role: !group secrets-users
  # secrets-managers can update (and read and execute, via role grant)
  - !permit
    resource: *variables
    privileges: [ update ]
    role: !group secrets-managers
  # secrets-managers has role secrets-users
  - !grant
    member: !group secrets-managers
    role: !group secrets-users
```
```yaml
# Here we create production and staging namespaces.
# policy.yml
- !policy staging
- !policy production
```
```yaml
# applications/bar.yml
- !policy
  id: bar
  body:
  - &variables
    - !variable database/username
    - !variable database/password
    - !variable redis/username
    - !variable redis/password
  - !group secrets-users
  - !group secrets-managers
  # secrets-users can read and execute
  - !permit
    resource: *variables
    privileges: [ read, execute ]
    role: !group secrets-users
  # secrets-managers can update (and read and execute, via role grant)
  - !permit
    resource: *variables
    privileges: [ update ]
    role: !group secrets-managers
  # secrets-managers has role secrets-users
  - !grant
    member: !group secrets-managers
    role: !group secrets-users
```
```yaml
# Create a security admin type group and add a single person to ensure we
# have a person who can set secret values.
# users.yml
- !group security_ops
- !user
  id: marcel.calisto
  annotations:
    first_name: Marcel
    last_name: Calisto
    email: [email protected]
- !grant
  role: !group security_ops
  members:
  - !user marcel.calisto
```
```yaml
# Give permission for Ansible to retrieve all secrets. Give permission for the
# security ops team to set secret values.
# ansible_grants.yml
- !grant
  member: !layer ansible
  roles:
  - !group staging/foo/secrets-users
  - !group production/foo/secrets-users
  - !group staging/bar/secrets-users
  - !group production/bar/secrets-users
- !grant
  member: !group security_ops
  roles:
  - !group staging/foo/secrets-managers
  - !group production/foo/secrets-managers
  - !group staging/bar/secrets-managers
  - !group production/bar/secrets-managers
```
The above would be loaded as follows:

```sh
$ conjur policy load --replace root policy.yml # load namespaces, replacing the current ones
$ conjur policy load root users.yml # load root users & groups
$ conjur policy load staging applications/foo.yml # load application Foo into staging
$ conjur policy load production applications/foo.yml # load application Foo into production
$ conjur policy load staging applications/bar.yml # load application Bar into staging
$ conjur policy load production applications/bar.yml # load application Bar into production
$ conjur policy load root ansible_grants.yml # empower ansible to retrieve credentials and security to update.
```