@cmclaughlin
Created October 20, 2017 18:07
# Write Vault policies from Pillar data (Salt state, YAML + Jinja).
# Expects a pillar key vault:policies mapping policy names to policy documents,
# which are rendered through salt://shopstyle-vault/files/policy.json and
# then loaded into Vault with the CLI.
/etc/vault.d/policies.d:
  file.directory:
    - mode: 0700

{# .items() instead of .iteritems(): the latter is Python 2 only and fails on Py3 minions #}
{% for name, policy in salt['pillar.get']('vault:policies').items() %}
/etc/vault.d/policies.d/{{ name }}.json:
  file.managed:
    - source: salt://shopstyle-vault/files/policy.json
    - mode: 0600
    - template: jinja
    - context:
        # Salt's json filter gives valid YAML (JSON is a YAML subset); a bare
        # {{ '{{ policy }}' }} emits a Python repr, which breaks on quotes in values.
        policy: {{ policy | json }}

# Updates the policy if the Pillar data changes (watch fires when the file changes).
# The token below is the initial root token from pillar; writing policies only
# needs create/read/update on sys/policies/acl/*, so a token limited to that
# should replace it, and the initial root token should be revoked.
# `vault policy-write` is the pre-0.9.2 CLI spelling; newer releases use `vault policy write`.
vault-policy-wait-{{ name }}:
  cmd.wait:
    - name: vault policy-write {{ name }} /etc/vault.d/policies.d/{{ name }}.json
    - env:
        - VAULT_ADDR: {{ salt['pillar.get']('vault:vault_addr') }}
        - VAULT_TOKEN: {{ salt['pillar.get']('vault:tokens:initial_root_token') }}
    - watch:
        - file: /etc/vault.d/policies.d/{{ name }}.json

# Ensure the policy will be written if a previous wait/watch fails, etc.
# `unless` must match the whole line: a plain `grep admin` would also match
# `admin-ro` and silently skip creating `admin`.
vault-policy-run-{{ name }}:
  cmd.run:
    - name: vault policy-write {{ name }} /etc/vault.d/policies.d/{{ name }}.json
    - env:
        - VAULT_ADDR: {{ salt['pillar.get']('vault:vault_addr') }}
        - VAULT_TOKEN: {{ salt['pillar.get']('vault:tokens:initial_root_token') }}
    - unless: vault policies | grep -qx '{{ name }}'
{% endfor %}
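The state above reaches for the initial root token and decides whether to write by grepping `vault policies`. As an added example (not part of the gist, and not the ShopStyle project's code), the script below does the same job directly against Vault's HTTP API: it reads each stored policy by exact name, writes only when the text differs, and is meant to run with a token that holds just the `POLICY_WRITER_HCL` policy instead of root. It assumes the `sys/policies/acl` endpoint (Vault 0.9 and later), and `SAMPLE_POLICIES` is a constructed stand-in for the gist's `vault:policies` pillar key; `memory_send` is an offline transport so the logic can be exercised without a Vault server.

```python
"""Idempotent Vault ACL policy writer (added example; not the gist's code).

Assumptions: Vault's sys/policies/acl HTTP API (Vault >= 0.9), a token
carrying POLICY_WRITER_HCL rather than the initial root token, and a
policy dict shaped like the gist's vault:policies pillar key.
"""
import json
import os
import urllib.error
import urllib.request

# Least-privilege policy for the token that runs this script: it can manage
# ACL policies but cannot read secrets, mint tokens or touch auth backends.
POLICY_WRITER_HCL = """\
path "sys/policies/acl/*" {
  capabilities = ["create", "read", "update"]
}
"""

# Constructed sample of what the pillar key vault:policies might hold.
SAMPLE_POLICIES = {
    "app-reader": {
        "path": {"secret/data/app/*": {"capabilities": ["read"]}},
    },
    "app-reader-admin": {
        "path": {"secret/data/app/*": {
            "capabilities": ["create", "read", "update", "delete", "list"]}},
    },
}


def render_policy(policy):
    """Serialise a policy dict to the JSON text Vault stores verbatim.

    sort_keys makes the text stable, so comparing it to what Vault holds is
    a real drift check rather than a formatting coin toss.
    """
    return json.dumps(policy, sort_keys=True, indent=2) + "\n"


def http_send(method, url, headers, body):
    """Real transport: one request, returning (status, response text)."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def memory_send(store):
    """Offline transport mimicking sys/policies/acl over a plain dict (test aid)."""
    def send(method, url, headers, body):
        name = url.rsplit("/", 1)[1]
        if method == "GET":
            if name not in store:
                return 404, '{"errors":[]}'
            return 200, json.dumps({"data": {"name": name, "policy": store[name]}})
        if method == "PUT":
            store[name] = json.loads(body)["policy"]
            return 204, ""
        return 405, ""
    return send


class VaultPolicies:
    """Thin client over sys/policies/acl; `send` is injectable for testing."""

    def __init__(self, addr=None, token=None, send=http_send):
        self.addr = (addr or os.environ["VAULT_ADDR"]).rstrip("/")
        self.token = token or os.environ["VAULT_TOKEN"]
        self.send = send

    def _call(self, method, name, payload=None):
        url = f"{self.addr}/v1/sys/policies/acl/{name}"
        headers = {"X-Vault-Token": self.token, "Content-Type": "application/json"}
        body = json.dumps(payload) if payload is not None else None
        status, text = self.send(method, url, headers, body)
        if status == 403:  # token lacks the capability: say so instead of retrying
            raise PermissionError(f"token may not {method} sys/policies/acl/{name}")
        if status >= 400 and status != 404:
            raise RuntimeError(f"{method} {name}: HTTP {status}: {text}")
        return status, text

    def current(self, name):
        """Stored policy text, or None if absent. Lookup is by exact name, so
        'app-reader' never matches 'app-reader-admin' the way a grep would."""
        status, text = self._call("GET", name)
        if status == 404:
            return None
        return json.loads(text)["data"]["policy"]  # standard Vault response envelope

    def write(self, name, text):
        self._call("PUT", name, {"policy": text})


def reconcile(client, desired):
    """Write each policy only when its stored text differs; return changed names."""
    changed = []
    for name, policy in desired.items():
        want = render_policy(policy)
        if client.current(name) == want:
            continue
        client.write(name, want)
        changed.append(name)
    return changed


def offline_demo():
    """Run reconcile twice against an in-memory store; the second pass is a no-op."""
    store = {"app-reader": render_policy(SAMPLE_POLICIES["app-reader"])}
    client = VaultPolicies("http://127.0.0.1:8200", "hvs.example", send=memory_send(store))
    first = reconcile(client, SAMPLE_POLICIES)
    second = reconcile(client, SAMPLE_POLICIES)
    return first, second, store
```

Against a live server, `VaultPolicies()` with no arguments picks up `VAULT_ADDR` and `VAULT_TOKEN` from the environment, the same variables the Salt state sets, and `reconcile(VaultPolicies(), policies)` replaces both the `cmd.wait` and the `cmd.run` state: a missing policy and a changed policy are the same code path, and an unchanged one produces no write at all.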