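---
# Bring up the docker-compose Vault service, initialize it once, persist the
# unseal keys and root token to `vault_file`, then seed the auth methods,
# engines and demo secrets the development environment expects. The `always`
# section tears the project down again so no container is left running.
#
# Every Vault call below runs with TLS verification disabled
# (VAULT_SKIP_VERIFY / validate_certs: false) and the client certificate is
# granted the `root` policy. That is only acceptable for a throwaway local
# environment; none of this should be reused against a real Vault.
- name: Set vault_addr
  include_tasks: set_vault_addr.yml

- block:
    - name: Start the vault
      community.docker.docker_compose_v2:
        state: present
        services: vault
        project_src: "{{ sources_dest }}"
      register: vault_start

    # `vault operator init` is effectively idempotent here: on a second run it
    # exits non-zero with "Vault is already initialized", which is treated as
    # success without a change. The retry loop covers the container not yet
    # accepting connections right after start.
    - name: Run the initialization
      community.docker.docker_container_exec:
        command: vault operator init
        # NOTE(review): Compose v2 names containers "<project>-<service>-<n>"
        # with hyphens unless compatibility mode or an explicit container_name
        # is configured — confirm the compose file pins this name.
        container: tools_vault_1
        env:
          VAULT_ADDR: "{{ vault_addr }}"
          VAULT_SKIP_VERIFY: "true"
      register: vault_initialization
      failed_when:
        - vault_initialization.rc != 0
        - vault_initialization.stderr.find("Vault is already initialized") == -1
      changed_when:
        - vault_initialization.rc == 0
      # An explicit `until` is needed for `retries` to have any effect on
      # older ansible-core releases; newer ones retry a failed task by default.
      until: vault_initialization is not failed
      retries: 5
      delay: 5

    # The init output is rewritten into `key: value` lines ("Unseal_Key_1: …",
    # "Initial_Root_Token: …") so the file can be loaded back as variables
    # (presumably by unseal.yml, which is where Initial_Root_Token is expected
    # to come from — confirm). stdout_lines[0..4] are the five unseal keys,
    # [6] is the root token. Skipped when the vault was already initialized
    # (empty stdout), leaving the previously written file untouched.
    - name: Write out initialization file
      ansible.builtin.copy:
        content: |
          {{ vault_initialization.stdout_lines[0] | regex_replace('Unseal Key ', 'Unseal_Key_') }}
          {{ vault_initialization.stdout_lines[1] | regex_replace('Unseal Key ', 'Unseal_Key_') }}
          {{ vault_initialization.stdout_lines[2] | regex_replace('Unseal Key ', 'Unseal_Key_') }}
          {{ vault_initialization.stdout_lines[3] | regex_replace('Unseal Key ', 'Unseal_Key_') }}
          {{ vault_initialization.stdout_lines[4] | regex_replace('Unseal Key ', 'Unseal_Key_') }}
          {{ vault_initialization.stdout_lines[6] | regex_replace('Initial Root Token', 'Initial_Root_Token') }}
        dest: "{{ vault_file }}"
        # The file holds the unseal keys and the root token: owner-only.
        mode: "0600"
      # Keep the keys and token out of the play log.
      no_log: true
      when: (vault_initialization.stdout_lines | length) > 0

    - name: Unlock the vault
      include_role:
        name: vault
        tasks_from: unseal.yml

    # Only when the compose environment runs Vault with TLS: mount cert auth
    # and register the client certificate. Mount creation tolerates the
    # "path is already in use" error so re-runs do not fail.
    - name: Configure the vault with cert auth
      block:
        - name: Create a cert auth mount
          flowerysong.hvault.write:
            path: "sys/auth/cert"
            vault_addr: "{{ vault_addr_from_host }}"
            validate_certs: false
            token: "{{ Initial_Root_Token }}"
            data:
              type: "cert"
          register: vault_auth_cert
          failed_when:
            - vault_auth_cert.result.errors | default([]) | length > 0
            - "'path is already in use at cert/' not in vault_auth_cert.result.errors | default([])"
          changed_when:
            - vault_auth_cert.result.errors | default([]) | length == 0

        - name: Configure client certificate
          flowerysong.hvault.write:
            path: "auth/cert/certs/awx-client"
            vault_addr: "{{ vault_addr_from_host }}"
            validate_certs: false
            token: "{{ Initial_Root_Token }}"
            data:
              name: awx-client
              # Pass the variable directly; nesting "{{ }}" inside a Jinja
              # expression is unnecessary and flagged by ansible-lint.
              certificate: "{{ lookup('ansible.builtin.file', vault_client_cert) }}"
              # Dev-only: the client certificate gets full root access.
              policies:
                - root
      when: vault_tls | bool

    - name: Create an engine
      flowerysong.hvault.engine:
        path: "my_engine"
        type: "kv"
        vault_addr: "{{ vault_addr_from_host }}"
        validate_certs: false
        token: "{{ Initial_Root_Token }}"

    - name: Create a demo secret
      flowerysong.hvault.kv:
        mount_point: "my_engine/my_root"
        key: "my_folder"
        value:
          my_key: "this_is_the_secret_value"
        vault_addr: "{{ vault_addr_from_host }}"
        validate_certs: false
        token: "{{ Initial_Root_Token }}"

    - name: Create userpass engine
      flowerysong.hvault.engine:
        path: "userpass_engine"
        type: "kv"
        vault_addr: "{{ vault_addr_from_host }}"
        validate_certs: false
        token: "{{ Initial_Root_Token }}"

    - name: Create a userpass secret
      flowerysong.hvault.kv:
        mount_point: "userpass_engine/userpass_root"
        key: "userpass_secret"
        value:
          my_key: "this_is_the_userpass_secret_value"
        vault_addr: "{{ vault_addr_from_host }}"
        validate_certs: false
        token: "{{ Initial_Root_Token }}"

    # Policy granted to the userpass user: full access to its own engine plus
    # enough of sys/mounts to enumerate engines.
    - name: Create userpass access policy
      flowerysong.hvault.policy:
        vault_addr: "{{ vault_addr_from_host }}"
        validate_certs: false
        token: "{{ Initial_Root_Token }}"
        name: "userpass_engine"
        policy:
          userpass_engine/*: [create, read, update, delete, list]
          # NOTE(review): "sys/mounts:/*" does not look like a Vault path;
          # "sys/mounts/*" may have been intended — confirm before changing.
          sys/mounts:/*: [create, read, update, delete, list]
          sys/mounts: [read]

    - name: Create userpass auth mount
      flowerysong.hvault.write:
        path: "sys/auth/userpass"
        vault_addr: "{{ vault_addr_from_host }}"
        validate_certs: false
        token: "{{ Initial_Root_Token }}"
        data:
          type: "userpass"
      register: vault_auth_userpass
      changed_when: vault_auth_userpass.result.errors | default([]) | length == 0
      failed_when:
        - vault_auth_userpass.result.errors | default([]) | length > 0
        - "'path is already in use at userpass/' not in vault_auth_userpass.result.errors | default([])"

    - name: Add awx_userpass_admin user to auth_method
      flowerysong.hvault.write:
        vault_addr: "{{ vault_addr_from_host }}"
        validate_certs: false
        token: "{{ Initial_Root_Token }}"
        path: "auth/userpass/users/{{ vault_userpass_username }}"
        data:
          password: "{{ vault_userpass_password }}"
          policies:
            - "userpass_engine"
      # The request body carries the user's password.
      no_log: true

  always:
    # Tear down whatever "Start the vault" brought up, but only if that task
    # actually changed something (skipped entirely if it never ran).
    - name: Stop the vault
      community.docker.docker_compose_v2:
        state: absent
        project_src: "{{ sources_dest }}"
      when: vault_start is defined and vault_start.changed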