Vault HA init
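# Poll the seal status until the API reports the cluster as unsealed.
# No token header is sent here, and the read never counts as a change.
- name: "Waiting for the Vault to be unsealed"
  uri:
    url: '{{ vault_api_url }}/v1/sys/seal-status'
    return_content: true
  register: vault_seal_status
  # Re-tried until sealed == false, at most 90 times, 10 s apart (15 min).
  until: vault_seal_status.json.sealed == false
  retries: 90
  delay: 10
  changed_when: false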
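# Read the currently enabled audit backends; the result is used by the
# following task to decide whether the syslog backend still has to be enabled.
# The root token travels in the request header, so this task's arguments show
# up in verbose (-vvv) output.
- name: "List the mounted audit backends"
  uri:
    url: '{{ vault_api_url }}/v1/sys/audit'
    headers:
      X-Vault-Token: '{{ vault_root_token }}'
  register: vault_audit_backends
  run_once: true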
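# Enable the syslog audit backend only when the listing does not already
# contain the "syslog/" path.  The PUT is expected to answer 204, so the
# default accepted status (200) is overridden.
- name: "Enable the syslog audit backend"
  uri:
    url: '{{ vault_api_url }}/v1/sys/audit/syslog'
    method: PUT
    body_format: json
    body:
      type: syslog
    headers:
      X-Vault-Token: '{{ vault_root_token }}'
    status_code: 204
  # Reported as changed whenever it actually runs, like the other enable tasks.
  changed_when: true
  when: vault_audit_backends.json.data['syslog/'] is not defined
  run_once: true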
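# Write one policy per entry of vault_policies, all rendered from the same
# simple.hcl template (presumably parameterised on item — confirm in the
# templates directory).
- name: "Configure simple policies"
  uri:
    url: '{{ vault_api_url }}/v1/sys/policy/{{ item }}'
    method: PUT
    body_format: json
    body:
      rules: "{{ lookup('template', 'policies/simple.hcl') }}"
    headers:
      X-Vault-Token: '{{ vault_root_token }}'
    status_code: 204
  # Always reported as changed: the current rules are not compared first.
  changed_when: true
  run_once: true
  with_items: "{{ vault_policies }}"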
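# Write the devops-policy from its own template.  The github auth backend
# task below maps the GitHub team "devops" to this policy name.
- name: "Configure complex policies"
  uri:
    url: '{{ vault_api_url }}/v1/sys/policy/devops-policy'
    method: PUT
    body_format: json
    body:
      rules: "{{ lookup('template', 'policies/devops.hcl.j2') }}"
    headers:
      X-Vault-Token: '{{ vault_root_token }}'
    status_code: 204
  # Always reported as changed: the current rules are not compared first.
  changed_when: true
  run_once: true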
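# Read the enabled auth backends; the github and aws-ec2 enable tasks skip
# themselves when their path ("github/", "aws-ec2/") is already listed.
- name: "List the mounted auth backends"
  uri:
    url: '{{ vault_api_url }}/v1/sys/auth'
    headers:
      X-Vault-Token: '{{ vault_root_token }}'
  register: vault_auth_backends
  run_once: true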
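# Enable the github auth backend at auth/github unless the listing already
# contains "github/".  A 204 answer is expected on success.
- name: "Enable the github auth backend"
  uri:
    url: '{{ vault_api_url }}/v1/sys/auth/github'
    method: PUT
    body_format: json
    body:
      type: github
    headers:
      X-Vault-Token: '{{ vault_root_token }}'
    status_code: 204
  changed_when: true
  when: vault_auth_backends.json.data['github/'] is not defined
  run_once: true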
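# Push the github backend configuration and the team -> policy mapping, one
# PUT per loop item.  Each item's body is sent as the JSON request body.
- name: "Configure the github auth backend"
  uri:
    url: '{{ vault_api_url }}/v1/{{ item.endpoint }}'
    method: PUT
    body_format: json
    body: '{{ item.body }}'
    headers:
      X-Vault-Token: '{{ vault_root_token }}'
    status_code: 204
  # Always reported as changed: the existing config is not read back first.
  changed_when: true
  run_once: true
  with_items:
    # Restrict logins to one GitHub organisation and bound the token TTLs.
    - endpoint: 'auth/github/config'
      body:
        organization: '{{ vault_auth_github_organization }}'
        ttl: '{{ vault_auth_github_ttl }}'
        max_ttl: '{{ vault_auth_github_max_ttl }}'
    # Members of the "devops" team receive the devops-policy written above.
    - endpoint: 'auth/github/map/teams/devops'
      body:
        value: devops-policy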
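# Enable the aws-ec2 auth backend unless the listing already contains
# "aws-ec2/".  A 204 answer is expected on success.
- name: "Enable the aws ec2 auth backend"
  uri:
    url: '{{ vault_api_url }}/v1/sys/auth/aws-ec2'
    method: PUT
    body_format: json
    body:
      type: aws-ec2
    headers:
      X-Vault-Token: '{{ vault_root_token }}'
    status_code: 204
  changed_when: true
  when: vault_auth_backends.json.data['aws-ec2/'] is not defined
  run_once: true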
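# Create one aws-ec2 role per entry of vault_auth_aws_ec2_roles.  The whole
# item, including its "role" key, is sent as the request body.
# NOTE(review): the "role" key is only needed for the URL; check that the
# backend accepts it as an extra body field rather than filtering it out here.
- name: "Configure the aws-ec2 auth backend roles"
  uri:
    url: '{{ vault_api_url }}/v1/auth/aws-ec2/role/{{ item.role }}'
    method: PUT
    body_format: json
    body: '{{ item }}'
    headers:
      X-Vault-Token: '{{ vault_root_token }}'
    status_code: 204
  # Always reported as changed: existing roles are not read back first.
  changed_when: true
  run_once: true
  with_items: '{{ vault_auth_aws_ec2_roles }}'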
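# Ask whether the cluster has already been initialised (unauthenticated read
# of sys/init); the initialisation task below keys on the "initialized" field.
- name: "Get Vault status"
  uri:
    url: '{{ vault_api_url }}/v1/sys/init'
    return_content: true
  register: vault_status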
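# Initialise Vault once.  The response holds the unseal key shares and the
# root token, so the task is hidden from output and logs with no_log (this
# also hides failure detail — flip it to false only while debugging).
# pgp_keys is passed so the returned shares can be encrypted per recipient.
# NOTE(review): the root token is not covered by pgp_keys; sys/init also
# accepts root_token_pgp_key if it should be protected the same way.
- name: "Initialize the vault"
  uri:
    url: '{{ vault_api_url }}/v1/sys/init'
    method: PUT
    body_format: json
    body:
      secret_shares: '{{ vault_init_secret_shares }}'
      secret_threshold: '{{ vault_init_secret_threshold }}'
      pgp_keys: '{{ vault_init_pgp_keys }}'
  register: vault_init
  changed_when: vault_init.json.keys_base64 is defined
  when: vault_status.json.initialized == False
  run_once: true
  no_log: true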
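# Copy the key shares out of the registered result.  set_fact echoes its
# arguments in the task result, so no_log keeps the shares out of the logs.
# NOTE(review): the `|skipped` filter form is deprecated in newer Ansible in
# favour of `is skipped`; kept here as the rest of the file uses it.
- name: "Define a temporary variable containing the keys"
  set_fact:
    vault_keys_base64: '{{ vault_init.json.keys_base64 }}'
  run_once: true
  no_log: true
  when: vault_init is defined and not vault_init|skipped and vault_init.json is defined and vault_init.json.keys_base64 is defined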
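# Mail one key share to the address at the same index in
# vault_init_email_addresses.  The rendered share and the address are shell
# quoted so a stray quote cannot break out of the echo/mail command; the
# share still passes through the command line, so the task is no_log'd.
- name: "Send keys by email"
  shell: "echo {{ lookup('template', 'keys.txt') | quote }} | mail -s 'Your Vault key' {{ vault_init_email_addresses[item.0] | quote }}"
  with_indexed_items: "{{ vault_keys_base64|default([]) }}"
  run_once: true
  no_log: true
  when: vault_init is defined and not vault_init|skipped and vault_keys_base64 is defined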
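# Expose the root token as vault_root_token for the tasks that configure
# audit, policies and auth backends.  set_fact echoes its arguments in the
# task result, so no_log keeps the token out of the logs.
- name: "Define a temporary variable containing the root token"
  set_fact:
    vault_root_token: '{{ vault_init.json.root_token }}'
  run_once: true
  no_log: true
  when: vault_init is defined and not vault_init|skipped and vault_init.json is defined and vault_init.json.root_token is defined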
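# Mail the root token to the first configured address.  Rendered token and
# address are shell quoted, and the task is no_log'd because the token is
# part of the command line.
- name: "Send the root token by email"
  shell: "echo {{ lookup('template', 'token.txt') | quote }} | mail -s 'Your Vault root token' {{ vault_init_email_addresses[0] | quote }}"
  run_once: true
  no_log: true
  when: vault_init is defined and not vault_init|skipped and vault_root_token is defined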