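---
# Bootstrap HashiCorp Vault Agent on RHEL-family hosts: add the HashiCorp yum
# repository, install Vault, mint an AppRole role-id/secret-id for the agent
# through the Vault API, lay down the agent config and templates, and start
# the vault-agent systemd unit.
#
# Expects the extra var `vault_server` (base URL of the Vault API, including
# scheme) and the referenced .j2 / .service templates next to this playbook.
- hosts: Linux
  tasks:
    - name: Add repository
      yum_repository:
        name: hashicorp
        file: hashicorp
        description: Hashicorp Stable - $basearch
        baseurl: https://rpm.releases.hashicorp.com/RHEL/$releasever/$basearch/stable
        enabled: true
        gpgcheck: true  # packages are verified against the HashiCorp signing key
        gpgkey: https://rpm.releases.hashicorp.com/gpg
      become: true

    - name: Install HashiCorp Vault
      yum:
        name: vault
        # `latest` upgrades on every run; pin a version (name: vault-X.Y.Z)
        # where reproducible builds matter.
        state: latest
      become: true

    - name: Grant Vault user a login shell
      user:
        name: vault
        shell: /bin/bash
      become: true

    - name: Create Vault Agent directory
      file:
        state: directory
        path: /vault-agent
        owner: vault
        group: vault
        mode: "0755"  # quoted: an unquoted 0755 is parsed as octal/int
      become: true

    # Authenticate as the sa_ansible AppRole so the tasks below can mint
    # credentials for the agent's own AppRole (sa_vault-agent).
    - name: Get Vault token
      uri:
        url: "{{ vault_server }}/v1/auth/approle/login"
        method: POST
        headers:
          Content-Type: application/json
        body:
          # Bootstrap credentials: keep these out of the committed playbook
          # (ansible-vault, a vars file, or --extra-vars) rather than inline.
          role_id: "<< insert sa_ansible role ID here >>"
          secret_id: "<< insert sa_ansible secret ID here>>"
        body_format: json
        # NOTE(review): TLS verification against the Vault server is off;
        # prefer pointing ca_path at the Vault CA once it is distributed.
        validate_certs: false
      register: authResponse
      no_log: true  # the response body carries the client token

    - name: Get role ID
      uri:
        url: "{{ vault_server }}/v1/auth/approle/role/sa_vault-agent/role-id"
        method: GET
        headers:
          X-Vault-Token: "{{ authResponse.json.auth.client_token }}"
        validate_certs: false
      register: response
      no_log: true  # request headers carry the Vault token

    - name: Output role ID to file
      copy:
        content: "{{ response.json.data.role_id }}"
        dest: /vault-agent/agent-role-id
        owner: vault
        group: vault
        mode: "0600"  # readable by the agent only, not by every local user
      become: true

    - name: Get secret ID
      uri:
        url: "{{ vault_server }}/v1/auth/approle/role/sa_vault-agent/secret-id"
        method: POST
        headers:
          X-Vault-Token: "{{ authResponse.json.auth.client_token }}"
        validate_certs: false
      register: response
      no_log: true  # response carries the freshly minted secret_id

    - name: Output secret ID to file
      copy:
        content: "{{ response.json.data.secret_id }}"
        dest: /vault-agent/agent-secret-id
        owner: vault
        group: vault
        mode: "0600"  # secret_id must not be world-readable
      become: true
      no_log: true  # `content` would otherwise be echoed in verbose/diff output

    - name: Copy Vault config to server
      template:
        src: vault-agent.hcl.j2
        dest: /vault-agent/vault-agent.hcl
        owner: vault
        group: vault
        mode: "0644"
      become: true

    - name: Copy server certificate template
      template:
        src: vault-agentCert.ctmpl.j2
        dest: /vault-agent/vault-agentCert.ctmpl
        owner: vault
        group: vault
        mode: "0644"
      become: true

    - name: Copy server key template
      template:
        src: vault-agentKey.ctmpl.j2
        dest: /vault-agent/vault-agentKey.ctmpl
        owner: vault
        group: vault
        mode: "0644"
      become: true

    # Fetches the PKI CA chain over an unverified TLS connection; anything
    # that later trusts chain.pem inherits whatever was served here.
    - name: Output CA chain
      get_url:
        url: "{{ vault_server }}/v1/pki/ca_chain"
        validate_certs: false
        dest: /etc/pki/tls/certs/chain.pem
        owner: root
        group: root
        mode: "0644"
      become: true

    - name: Copy agent script to server
      template:
        src: "agent-script-{{ ansible_fqdn }}.sh.j2"
        dest: /vault-agent/agent-script.sh
        owner: vault
        group: vault
        mode: "0755"
      become: true

    # The script is owned by vault and executable as root via sudo, so any
    # writer of /vault-agent/agent-script.sh gains root; keep its ownership
    # and mode as set above.
    - name: Allow vault user to run this one command without a password
      lineinfile:
        dest: /etc/sudoers
        line: 'vault ALL=(ALL) NOPASSWD: /vault-agent/agent-script.sh'
        insertafter: '^%wheel'
        validate: '/usr/sbin/visudo -cf %s'  # a bad line would otherwise break sudo
      become: true

    - name: Copy Vault Agent service file
      template:
        src: vault-agent.service
        dest: /usr/lib/systemd/system/vault-agent.service
        owner: root
        group: root
        mode: "0644"
      become: true

    - name: Create Vault Agent service
      systemd:
        name: vault-agent
        enabled: true
        state: started
        daemon_reload: true  # unit file was just written
      become: true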