Skip to content

Instantly share code, notes, and snippets.

@MiLk
Last active March 28, 2017 07:34
Show Gist options
  • Save MiLk/8a7f7aef8b0a389e906a181944724f0a to your computer and use it in GitHub Desktop.
Save MiLk/8a7f7aef8b0a389e906a181944724f0a to your computer and use it in GitHub Desktop.
Vault HA init
- name: "Waiting for the Vault to be unsealed"
uri:
url: '{{ vault_api_url }}/v1/sys/seal-status'
return_content: yes
register: vault_seal_status
until: vault_seal_status.json.sealed == false
retries: 90
delay: 10
changed_when: false
- name: "List the mounted audit backends"
uri:
url: '{{ vault_api_url }}/v1/sys/audit'
headers:
X-Vault-Token: '{{ vault_root_token }}'
register: vault_audit_backends
run_once: yes
- name: "Enable the syslog audit backend"
uri:
url: '{{ vault_api_url }}/v1/sys/audit/syslog'
method: PUT
body_format: json
body:
type: syslog
headers:
X-Vault-Token: '{{ vault_root_token }}'
status_code: 204
when: vault_audit_backends.json.data['syslog/'] is not defined
run_once: yes
- name: "Configure simple policies"
uri:
url: '{{ vault_api_url }}/v1/sys/policy/{{ item }}'
method: PUT
body_format: json
body:
rules: "{{ lookup('template', 'policies/simple.hcl') }}"
headers:
X-Vault-Token: '{{ vault_root_token }}'
status_code: 204
changed_when: yes
run_once: yes
with_items: "{{ vault_policies }}"
- name: "Configure complex policies"
uri:
url: '{{ vault_api_url }}/v1/sys/policy/devops-policy'
method: PUT
body_format: json
body:
rules: "{{ lookup('template', 'policies/devops.hcl.j2') }}"
headers:
X-Vault-Token: '{{ vault_root_token }}'
status_code: 204
changed_when: yes
run_once: yes
- name: "List the mounted auth backends"
uri:
url: '{{ vault_api_url }}/v1/sys/auth'
headers:
X-Vault-Token: '{{ vault_root_token }}'
register: vault_auth_backends
run_once: yes
- name: "Enable the github auth backend"
uri:
url: '{{ vault_api_url }}/v1/sys/auth/github'
method: PUT
body_format: json
body:
type: github
headers:
X-Vault-Token: '{{ vault_root_token }}'
status_code: 204
changed_when: yes
when: vault_auth_backends.json.data['github/'] is not defined
run_once: yes
- name: "Configure the github auth backend"
uri:
url: '{{ vault_api_url}}/v1/{{ item.endpoint }}'
method: PUT
body_format: json
body: '{{ item.body }}'
headers:
X-Vault-Token: '{{ vault_root_token }}'
status_code: 204
changed_when: yes
run_once: yes
with_items:
- endpoint: 'auth/github/config'
body:
organization: '{{ vault_auth_github_organization }}'
ttl: '{{ vault_auth_github_ttl }}'
max_ttl: '{{ vault_auth_github_max_ttl }}'
- endpoint: 'auth/github/map/teams/devops'
body:
value: devops-policy
- name: "Enable the aws ec2 auth backend"
uri:
url: '{{ vault_api_url }}/v1/sys/auth/aws-ec2'
method: PUT
body_format: json
body:
type: aws-ec2
headers:
X-Vault-Token: '{{ vault_root_token }}'
status_code: 204
changed_when: yes
when: vault_auth_backends.json.data['aws-ec2/'] is not defined
run_once: yes
- name: "Configure the aws-ec2 auth backend roles"
uri:
url: '{{ vault_api_url}}/v1/auth/aws-ec2/role/{{ item.role }}'
method: PUT
body_format: json
body: '{{ item }}'
headers:
X-Vault-Token: '{{ vault_root_token }}'
status_code: 204
changed_when: yes
run_once: yes
with_items: '{{ vault_auth_aws_ec2_roles }}'
- name: "Get Vault status"
uri:
url: '{{ vault_api_url }}/v1/sys/init'
return_content: yes
register: vault_status
- name: "Initialize the vault"
uri:
url: '{{ vault_api_url }}/v1/sys/init'
method: PUT
body_format: json
body:
secret_shares: '{{ vault_init_secret_shares }}'
secret_threshold: '{{ vault_init_secret_threshold }}'
pgp_keys: '{{ vault_init_pgp_keys }}'
register: vault_init
changed_when: vault_init.json.keys_base64 is defined
when: vault_status.json.initialized == False
run_once: yes
- name: "Define a temporary variable containing the keys"
set_fact:
vault_keys_base64: '{{ vault_init.json.keys_base64 }}'
run_once: yes
when: vault_init is defined and not vault_init|skipped and vault_init.json is defined and vault_init.json.keys_base64 is defined
- name: "Send keys by email"
shell: "echo '{{ lookup('template', 'keys.txt') }}' | mail -s 'Your Vault key' {{ vault_init_email_addresses[item.0] }}"
with_indexed_items: "{{ vault_keys_base64|default([]) }}"
run_once: yes
when: vault_init is defined and not vault_init|skipped and vault_keys_base64 is defined
- name: "Define a temporary variable containing the root token"
set_fact:
vault_root_token: '{{ vault_init.json.root_token }}'
run_once: yes
when: vault_init is defined and not vault_init|skipped and vault_init.json is defined and vault_init.json.root_token is defined
- name: "Send the root token by email"
shell: "echo '{{ lookup('template', 'token.txt') }}' | mail -s 'Your Vault root token' {{ vault_init_email_addresses[0] }}"
run_once: yes
when: vault_init is defined and not vault_init|skipped and vault_root_token is defined
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment