@GuyBarros
Created March 18, 2019 08:45
Ansible playbook that uses Vault AppRole to generate an SSH CA-signed key
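---
# Generates a fresh SSH key on localhost, has Vault's SSH secrets engine
# sign it (authenticating to Vault with AppRole), uses the signed key for
# a test login, then removes the key material again.
#
# Inputs (presumably Rundeck-style ${option.*} substitutions, replaced
# before the playbook is parsed - confirm with the calling job):
#   option.vault_token - token permitted to request a secret-id for my-role
#   option.approle_id  - the AppRole role_id to log in with
#
# NOTE(review): Vault is addressed over plain http below; unless TLS is
# terminated in front of it, the tokens in these requests cross the
# network in the clear - confirm before using outside a lab.
- hosts: localhost
  gather_facts: false
  vars:
    secret_token: '${option.vault_token}'
    role_id: '${option.approle_id}'
  tasks:
    - name: 'Get secret id from role_id'
      uri:
        url: 'http://active.vault.service.consul:8200/v1/auth/approle/role/my-role/secret-id'
        method: POST
        headers:
          X-Vault-Token: '{{ secret_token }}'
        body_format: json
        status_code: 200
      register: secret_id_response
      # Request carries the bootstrap token, response carries a secret_id;
      # keep both out of the job log and -v output (failures print less detail).
      no_log: true

    - name: 'Get token from Vault'
      uri:
        url: 'http://active.vault.service.consul:8200/v1/auth/approle/login'
        method: POST
        body_format: json
        body:
          role_id: '{{ role_id }}'
          secret_id: '{{ secret_id_response.json.data.secret_id }}'
        status_code: 200
      register: client_token
      # secret_id goes in, a client_token comes out - both are credentials.
      no_log: true

    # Deliberately no debug of client_token.json.auth.client_token: it is a
    # bearer credential and a debug task would write it to the job log.

    - name: 'generate new private key'
      # `yes y` answers ssh-keygen's overwrite prompt so re-runs replace the
      # previous key; -N '' gives the key an empty passphrase.
      shell: >-
        yes y | ssh-keygen -f /root/id_rsa -t rsa -N ''

    - name: 'Read SSH public key'
      set_fact:
        public_key: "{{ lookup('file', '/root/id_rsa.pub') }}"

    # The private key is not read into a fact: no later task needs it, and
    # facts are visible to every subsequent task and to -v output.

    - name: 'Sign SSH key'
      uri:
        url: 'http://active.vault.service.consul:8200/v1/ssh/sign/my-role'
        method: POST
        body_format: json
        headers:
          X-Vault-Token: '{{ client_token.json.auth.client_token }}'
        body:
          public_key: '{{ public_key }}'
        status_code: 200
      register: signed_key
      # The Vault token rides in the request headers; hide them from logs.
      no_log: true

    - name: 'Save key locally'
      # Block-form module args instead of a k=v string so the file mode can
      # be set explicitly; the file sits next to the private key.
      copy:
        content: '{{ signed_key.json.data.signed_key }}'
        dest: /root/ssh.key
        mode: '0600'
      delegate_to: localhost

    - name: 'Debug Signed Key'
      # The signed certificate is public key material; printing it is safe.
      debug:
        var: signed_key.json.data.signed_key

    - name: 'SSH login'
      # NOTE(review): the certificate is handed to ssh via -i; OpenSSH also
      # picks it up automatically when saved beside the key as
      # /root/id_rsa-cert.pub - confirm the installed version accepts -i here.
      shell: >-
        ssh -i /root/id_rsa -i /root/id_rsa.pub -i /root/ssh.key root@sshd.service.consul ls
      register: output

    - name: 'Debug SSH output'
      debug:
        var: output

    - name: 'delete key'
      # Remove only the files this play created, not a glob over /root.
      file:
        path: '{{ item }}'
        state: absent
      loop:
        - /root/id_rsa
        - /root/id_rsa.pub
        - /root/ssh.key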