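---
# Bootstraps a HashiCorp Vault Agent on RHEL-family hosts: installs Vault from
# the HashiCorp repository, obtains AppRole credentials for the agent from the
# Vault API, writes them to /vault-agent, and installs the agent's config,
# consul-template files, helper script and systemd unit.
#
# Variables:
#   vault_server         - base URL of the Vault server (required)
#   vault_validate_certs - optional; set true to verify the Vault server's TLS
#                          certificate. Defaults to false to keep the original
#                          behaviour; enable it once the CA chain is trusted.
#
# The two AppRole placeholders below (role_id / secret_id for sa_ansible) must
# be filled in; prefer supplying them from Ansible Vault or --extra-vars rather
# than committing real values into this playbook.
- hosts: Linux
  tasks:
    - name: Add repository
      yum_repository:
        name: hashicorp
        file: hashicorp
        description: Hashicorp Stable - $basearch
        baseurl: https://rpm.releases.hashicorp.com/RHEL/$releasever/$basearch/stable
        enabled: true
        # Package signature verification stays on for this repository.
        gpgcheck: true
        gpgkey: https://rpm.releases.hashicorp.com/gpg
      become: true

    - name: Install HashiCorp Vault
      yum:
        name: vault
        # Unpinned: 'latest' upgrades Vault on every run. Pin a version
        # (e.g. vault-<VERSION>) if reproducible deployments matter.
        state: latest
      become: true

    - name: Grant Vault user a login shell
      user:
        name: vault
        shell: /bin/bash
      become: true

    - name: Create Vault Agent directory
      file:
        state: directory
        path: /vault-agent
        owner: vault
        group: vault
        # Quoted so the mode is not parsed as a YAML 1.1 octal integer.
        mode: "0755"
      become: true

    # Authenticates as the sa_ansible AppRole; the response contains a Vault
    # client token, so the task is not logged. Note that no_log also hides
    # error details if the login fails.
    - name: Get Vault token
      uri:
        url: "{{ vault_server }}/v1/auth/approle/login"
        method: POST
        headers:
          Content-Type: application/json
        body:
          role_id: '<< insert sa_ansible role ID here >>'
          secret_id: '<< insert sa_ansible secret ID here>>'
        body_format: json
        validate_certs: "{{ vault_validate_certs | default(false) }}"
      register: authResponse
      no_log: true

    # The X-Vault-Token header carries the client token obtained above.
    - name: Get role ID
      uri:
        url: "{{ vault_server }}/v1/auth/approle/role/sa_vault-agent/role-id"
        method: GET
        headers:
          X-Vault-Token: "{{ authResponse.json.auth.client_token }}"
        validate_certs: "{{ vault_validate_certs | default(false) }}"
      register: response
      no_log: true

    - name: Output role ID to file
      copy:
        content: "{{ response.json.data.role_id }}"
        dest: /vault-agent/agent-role-id
        owner: vault
        group: vault
        # Readable only by the vault account; assumes the agent runs as
        # 'vault' — confirm against vault-agent.service.
        mode: "0600"
      become: true

    # Generates a fresh secret ID for the sa_vault-agent role.
    - name: Get secret ID
      uri:
        url: "{{ vault_server }}/v1/auth/approle/role/sa_vault-agent/secret-id"
        method: POST
        headers:
          X-Vault-Token: "{{ authResponse.json.auth.client_token }}"
        validate_certs: "{{ vault_validate_certs | default(false) }}"
      register: response
      no_log: true

    - name: Output secret ID to file
      copy:
        content: "{{ response.json.data.secret_id }}"
        dest: /vault-agent/agent-secret-id
        owner: vault
        group: vault
        # The secret ID is a credential: keep it out of logs and world-readable files.
        mode: "0600"
      become: true
      no_log: true

    - name: Copy Vault config to server
      template:
        src: vault-agent.hcl.j2
        dest: /vault-agent/vault-agent.hcl
        owner: vault
        group: vault
        mode: "0644"
      become: true

    - name: Copy server certificate template
      template:
        src: vault-agentCert.ctmpl.j2
        dest: /vault-agent/vault-agentCert.ctmpl
        owner: vault
        group: vault
        mode: "0644"
      become: true

    - name: Copy server key template
      template:
        src: vault-agentKey.ctmpl.j2
        dest: /vault-agent/vault-agentKey.ctmpl
        owner: vault
        group: vault
        mode: "0644"
      become: true

    # The CA chain is fetched before it can be trusted locally, which is why
    # certificate verification defaults to off here.
    - name: Output CA chain
      get_url:
        url: '{{ vault_server }}/v1/pki/ca_chain'
        validate_certs: "{{ vault_validate_certs | default(false) }}"
        dest: /etc/pki/tls/certs/chain.pem
        owner: root
        group: root
        mode: "0644"
      become: true

    # NOTE(review): this script is owned (and therefore writable) by 'vault'
    # while the sudoers entry below lets 'vault' run it as root without a
    # password, so the vault account can effectively gain root. Installing it
    # root-owned (0755) removes that, if the agent only needs to execute it —
    # confirm before changing.
    - name: Copy agent script to server
      template:
        src: "agent-script-{{ ansible_fqdn }}.sh.j2"
        dest: /vault-agent/agent-script.sh
        owner: vault
        group: vault
        mode: "0755"
      become: true

    - name: Allow vault user to run this one command without a password
      lineinfile:
        dest: /etc/sudoers
        line: 'vault ALL=(ALL) NOPASSWD: /vault-agent/agent-script.sh'
        insertafter: '^%wheel'
        # Refuse the edit if it would leave sudoers unparsable (locks out sudo).
        validate: '/usr/sbin/visudo -cf %s'
      become: true

    - name: Copy Vault Agent service file
      template:
        src: vault-agent.service
        dest: /usr/lib/systemd/system/vault-agent.service
        owner: root
        group: root
        mode: "0644"
      become: true

    - name: Create Vault Agent service
      systemd:
        name: vault-agent
        enabled: true
        state: started
        daemon_reload: true
      become: true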