tools/docker-compose/ansible/roles/vault/tasks/initialize.yml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100

---
- name: Set vault_addr
  include_tasks: set_vault_addr.yml

- block:
    - name: Start the vault
      community.docker.docker_compose:
        state: present
        services: vault
        project_src: "{{ sources_dest }}"
      register: vault_start

    - name: Run the initialization
      community.docker.docker_container_exec:
        command: vault operator init
        container: tools_vault_1
        env:
          VAULT_ADDR: "{{ vault_addr }}"
          VAULT_SKIP_VERIFY: "true"
      register: vault_initialization
      failed_when:
        - vault_initialization.rc != 0
        - vault_initialization.stderr.find("Vault is already initialized") == -1
      changed_when:
        - vault_initialization.rc == 0
      retries: 5
      delay: 5

    - name: Write out initialization file
      copy:
        # lines 1-4 are the keys, 6 is the root token
        content: |
          {{ vault_initialization.stdout_lines[0] | regex_replace('Unseal Key ', 'Unseal_Key_') }}
          {{ vault_initialization.stdout_lines[1] | regex_replace('Unseal Key ', 'Unseal_Key_') }}
          {{ vault_initialization.stdout_lines[2] | regex_replace('Unseal Key ', 'Unseal_Key_') }}
          {{ vault_initialization.stdout_lines[3] | regex_replace('Unseal Key ', 'Unseal_Key_') }}
          {{ vault_initialization.stdout_lines[4] | regex_replace('Unseal Key ', 'Unseal_Key_') }}
          {{ vault_initialization.stdout_lines[6] | regex_replace('Initial Root Token', 'Initial_Root_Token') }}
        dest: "{{ vault_file }}"
      when: (vault_initialization.stdout_lines | length) > 0

    - name: Unlock the vault
      include_role:
        name: vault
        tasks_from: unseal.yml

    - name: Configure the vault with cert auth
      block:
        - name: Create a cert auth mount
          flowerysong.hvault.write:
            path: "sys/auth/cert"
            vault_addr: "{{ vault_addr_from_host }}"
            validate_certs: false
            token: "{{ Initial_Root_Token }}"
            data:
              type: "cert"
          register: vault_auth_cert
          failed_when:
            - vault_auth_cert.result.errors | default([]) | length > 0
            - "'path is already in use at cert/' not in vault_auth_cert.result.errors | default([])"
          changed_when:
            - vault_auth_cert.result.errors | default([]) | length == 0

        - name: Configure client certificate
          flowerysong.hvault.write:
            path: "auth/cert/certs/awx-client"
            vault_addr: "{{ vault_addr_from_host }}"
            validate_certs: false
            token: "{{ Initial_Root_Token }}"
            data:
              name: awx-client
              certificate: "{{ lookup('ansible.builtin.file', '{{ vault_client_cert }}') }}"
              policies:
                - root
      when: vault_tls | bool

    - name: Create an engine
      flowerysong.hvault.engine:
        path: "my_engine"
        type: "kv"
        vault_addr: "{{ vault_addr_from_host }}"
        validate_certs: false
        token: "{{ Initial_Root_Token }}"

    - name: Create a demo secret
      flowerysong.hvault.kv:
        mount_point: "my_engine/my_root"
        key: "my_folder"
        value:
          my_key: "this_is_the_secret_value"
        vault_addr: "{{ vault_addr_from_host }}"
        validate_certs: false
        token: "{{ Initial_Root_Token }}"

  always:
    - name: Stop the vault
      community.docker.docker_compose:
        state: absent
        project_src: "{{ sources_dest }}"
      when: vault_start is defined and vault_start.changed