Add vault_unseal role

markgoddard · markgoddard · commit 4f3b6947ade1 · 2022-09-01T14:54:58.000+01:00
diff --git a/roles/vault/README.md b/roles/vault/README.md
@@ -126,21 +126,4 @@ Example post-config playbook to enable secrets engines:
       run_once: True
 ```
 
-Example vault unseal playbook based on Kayobe's secrets.yml
-```
----
-- name: Unseal vault
-  any_errors_fatal: True
-  gather_facts: True
-  hosts: vault
-  tasks:
-    - name: Unseal vault
-      hashivault_unseal:
-        url: "https://sparrow.cf.ac.uk:8200"
-        keys: "{{ item }}"
-      run_once: True
-      with_items: "{{ secrets_vault_keys.unseal_keys_b64 }}"
-      no_log: True
-```
-
 NOTE: secrets_external_tls_cert/key are variables in Kayobe's secrets.yml
diff --git a/roles/vault_unseal/README.md b/roles/vault_unseal/README.md
@@ -0,0 +1,33 @@
+This role unseals Hashicorp Vault.
+
+Note that in a Vault cluster, each Vault server must be unsealed individually.
+
+Requirements
+------------
+
+``ansible-modules-hashivault`` PyPI package installed
+
+Role variables
+--------------
+
+* `vault_api_addr`: Vault [API addr](https://www.vaultproject.io/docs/configuration#api_addr) - Full URL including protocol and port (e.g. "http://127.0.0.1:8200"). In a Vault cluster, this should point to an individual Vault server, rather than a load balancer.
+* `vault_unseal_keys`: List of unseal key shards.
+
+Example playbook
+----------------
+
+Example vault unseal playbook:
+```
+---
+- name: Unseal vault
+  any_errors_fatal: True
+  gather_facts: True
+  hosts: vault
+  tasks:
+    - name: Unseal vault
+      import_role:
+        name: stackhpc.vault_unseal
+      vars:
+        vault_api_addr: "https://vault.example.com"
+        vault_keys: "{{ vault_keys.keys_base64 }}"
+```
diff --git a/roles/vault_unseal/defaults/main.yml b/roles/vault_unseal/defaults/main.yml
@@ -0,0 +1,7 @@
+---
+# Allow vault_vip_url and vault_vip_address for backwards compatibility.
+vault_vip_address: "{{ vault_vip_url | default('') }}"
+vault_api_addr: "{{ ('https://' ~ vault_vip_address ~ ':8200') if vault_vip_address else '' }}"
+
+# List of unseal key shards.
+vault_unseal_keys: []
diff --git a/roles/vault_unseal/tasks/main.yml b/roles/vault_unseal/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Unseal Vault
+  hashivault_unseal:
+    url: "{{ vault_api_addr }}"
+    keys: "{{ vault_unseal_keys | join(' ') }}"
diff --git a/tests/test_vault.yml b/tests/test_vault.yml
@@ -23,3 +23,9 @@
     # Idempotence test
     - include_role:
         name: vault
+
+    - name: Unseal vault
+      import_role:
+        name: vault_unseal
+      vars:
+        vault_keys: "{{ vault_keys.keys_base64 }}"
