vault: Provide more ways to get root and unseal keys

markgoddard · markgoddard · commit 1493f964dc7e · 2022-09-01T14:54:55.000+01:00
diff --git a/roles/vault/README.md b/roles/vault/README.md
@@ -31,8 +31,38 @@ s (default: Omitted)
     * `vault_extra_volumes`: List of `"<host_location>:<container_mountpoint>"`
     * `vault_tls_key`: Path to TLS key to use by Vault
     * `vault_tls_cert`: Path to TLS cert to use by Vault
+    * `vault_log_keys`: Whether to log the root token and unseal keys in the Ansible output. Default `false`
+    * `vault_set_keys_fact`: Whether to set a `vault_keys` fact containing the root token and unseal keys. Default `false`
+    * `vault_write_keys_file`: Whether to write the root token and unseal keys to a file. Default `false`
+    * `vault_write_keys_file_host`: Host on which to write root token and unseal keys. Default `localhost`
+    * `vault_write_keys_file_path`: Path of file to write root token and unseal keys. Default `vault-keys.json`
 
+Root and unseal keys
+--------------------
 
+After Vault has been initialised, a root token and a set of unseal keys are emitted.
+It is very important to store these keys safely and securely.
+This role provides several mechanisms for extracting the root token and unseal keys:
+
+1. Print to Ansible log output (`vault_log_keys`)
+1. Set a `vault_keys` fact (`vault_set_keys_fact`)
+1. Write to a file (`vault_write_keys_file`)
+
+In each case, the output will contain the following:
+
+```json
+{
+  "keys": [
+    "...",
+    "..."
+  ],
+  "keys_base64": [
+    "...",
+    "..."
+  ],
+  "root_token": "..."
+}
+```
 
 Example playbook (used with OpenStack Kayobe)
 ---------------------------------------------
diff --git a/roles/vault/defaults/main.yml b/roles/vault/defaults/main.yml
@@ -68,3 +68,16 @@ consul_extra_volumes: []
 # Combined volume lists
 _vault_volumes: "{{ _vault_default_volumes + vault_extra_volumes }}"
 _consul_volumes: "{{ _consul_default_volumes + consul_extra_volumes }}"
+
+# Whether to log the root token and unseal keys in the Ansible output.
+vault_log_keys: false
+
+# Whether to set a vault_keys fact containing the root token and unseal keys.
+vault_set_keys_fact: false
+
+# Whether to write the root token and unseal keys to a file.
+vault_write_keys_file: false
+# Host on which to write root token and unseal keys.
+vault_write_keys_file_host: localhost
+# Path of file to write root token and unseal keys.
+vault_write_keys_file_path: vault-keys.json
diff --git a/roles/vault/tasks/vault.yml b/roles/vault/tasks/vault.yml
@@ -22,18 +22,36 @@
   register: vault_init_status
   retries: 50
   delay: 1
+  run_once: true
   until: vault_init_status.status == 200
 
-- name: Initialize vault
-  hashivault_init:
-    url: "{{ vault_api_addr }}"
-  run_once: True
-  no_log: True
-  when: not vault_init_status.json.initialized
-  register: vault_keys
+- block:
+    - name: Initialize vault
+      hashivault_init:
+        url: "{{ vault_api_addr }}"
+      no_log: true
+      register: vault_keys_result
 
-- name: Print vault keys
-  debug:
-    var: vault_keys
-  when: not vault_init_status.json.initialized
+    - name: Print vault keys
+      debug:
+        var: vault_keys_result
+      when:
+        - vault_log_keys | bool
 
+    - name: Set vault_keys fact
+      set_fact:
+        vault_keys: "{{ vault_keys_result }}"
+      when:
+        - vault_set_keys_fact | bool
+
+    - name: Write vault keys to a file
+      copy:
+        content: "{{ vault_keys_result | to_nice_json }}"
+        dest: "{{ vault_write_keys_file_path }}"
+        mode: 0600
+      delegate_to: "{{ vault_write_keys_file_host }}"
+      when:
+        - vault_write_keys_file | bool
+  run_once: true
+  when:
+    - not vault_init_status.json.initialized
diff --git a/tests/test_vault.yml b/tests/test_vault.yml
@@ -2,6 +2,14 @@
 - name: Prepare for vault role
   gather_facts: True
   hosts: consul
+  vars:
+    consul_bind_interface: lo
+    vault_bind_address: 127.0.0.1
+    vault_api_addr: http://127.0.0.1:8200
+    vault_config_dir: "/etc/vault"
+    vault_log_keys: true
+    vault_set_keys_fact: true
+    vault_write_keys_file: true
   tasks:
     - name: Ensure /etc/vault exists
       file:
@@ -11,8 +19,7 @@
 
     - include_role:
         name: vault
-      vars:
-        consul_bind_interface: lo
-        vault_bind_address: 127.0.0.1
-        vault_api_addr: http://127.0.0.1:8200
-        vault_config_dir: "/etc/vault"
+
+    # Idempotence test
+    - include_role:
+        name: vault
