diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 9cb3ff9..44bf409 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -65,7 +65,7 @@ jobs:
 else
 ansible_package=ansible-core
 fi
- python3 -m pip install $ansible_package==$ansible_version.* docker git+https://github.com/stackhpc/ansible-modules-hashivault@stackhpc
+ python3 -m pip install $ansible_package==$ansible_version.* docker git+https://github.com/stackhpc/ansible-modules-hashivault@stackhpc-test
 ansible-galaxy collection build
 ansible-galaxy collection install *.tar.gz
diff --git a/roles/vault_auto_unseal/defaults/main.yml b/roles/vault_auto_unseal/defaults/main.yml
new file mode 100644
index 0000000..ced0000
--- /dev/null
+++ b/roles/vault_auto_unseal/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+vault_auto_unseal_transit_engine_name: "transit"
+
+vault_auto_unseal_key_name: "autounseal"
+
+vault_auto_unseal_policy_name: "autounseal"
+
+vault_auto_unseal_token_name: "autounseal"
+vault_auto_unseal_token_period: "120"
+vault_auto_unseal_token_wrap_ttl: "24h"
diff --git a/roles/vault_auto_unseal/tasks/main.yml b/roles/vault_auto_unseal/tasks/main.yml
new file mode 100644
index 0000000..ceb821c
--- /dev/null
+++ b/roles/vault_auto_unseal/tasks/main.yml
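Review bot: The git dependency on the added `pip install` line is pinned to a branch name (`@stackhpc-test`) rather than an immutable ref, so every CI run installs whatever that branch's HEAD happens to be and a later push to the fork silently changes what is being tested. If `stackhpc-test` is a temporary branch used to try this PR, it presumably needs to go back to `@stackhpc` (or, better, to a commit pin) before merge; a pinned form looks like `git+https://github.com/stackhpc/ansible-modules-hashivault@<COMMIT_SHA>`. The shell `run:` block this line belongs to starts before the hunk.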
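Review bot: roles/vault_auto_unseal/tasks/main.yml (the next file in this diff) gates three tasks on `vault_auto_unseal_log_token | bool`, `vault_auto_unseal_set_token_fact | bool` and `vault_auto_unseal_write_token_file | bool`, but none of these toggles is given a default here, so the role fails with an undefined-variable error on the first ungated toggle unless the caller sets all three — tests/test_vault.yml sets only the first. Adding `vault_auto_unseal_log_token: false`, `vault_auto_unseal_set_token_fact: false` and `vault_auto_unseal_write_token_file: false` makes the role runnable as shipped and keeps "do not expose the token" as the default behaviour. `vault_auto_unseal_write_token_file_path` and `vault_auto_unseal_write_token_file_host` are likewise read by the tasks with no default; a comment in this file stating that both must be supplied when `vault_auto_unseal_write_token_file` is true would document that contract.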
@@ -0,0 +1,67 @@
+---
+- name: "Ensure transit secret engine is configured"
+ hashivault_secret_engine:
+ name: "{{ vault_auto_unseal_transit_engine_name }}"
+ backend: "transit"
+ state: "present"
+ ca_cert: "{{ vault_ca_cert | default(omit) }}"
+ url: "{{ vault_api_addr }}"
+ token: "{{ vault_token }}"
+ ca_cert: "{{ vault_ca_cert | default(omit) }}"
+
+- name: "Create transit/keys/autounseal"
+ hashivault_secret:
+ mount_point: "transit/keys"
+ secret: "{{ vault_auto_unseal_key_name }}"
+ url: "{{ vault_api_addr }}"
+ token: "{{ vault_token }}"
+ ca_cert: "{{ vault_ca_cert | default(omit) }}"
+
+- name: "Create autounseal policy"
+ hashivault_policy:
+ name: "{{ vault_auto_unseal_policy_name }}"
+ rules: |
+ path "transit/encrypt/{{ vault_auto_unseal_key_name }}" {
+ capabilities = [ "update" ]
+ }
+ path "transit/decrypt/{{ vault_auto_unseal_key_name }}" {
+ capabilities = [ "update" ]
+ }
+ state: present
+ url: "{{ vault_api_addr }}"
+ token: "{{ vault_token }}"
+ ca_cert: "{{ vault_ca_cert | default(omit) }}"
+
+- name: "Create an orphan periodic client token with the autounseal policy attached"
+ hashivault_token_create:
+ display_name: "{{ vault_auto_unseal_token_name }}"
+ orphan: true
+ period: "{{ vault_auto_unseal_token_period }}"
+ policies:
+ - "{{ vault_auto_unseal_policy_name }}"
+ wrap_ttl: "{{ vault_auto_unseal_token_wrap_ttl }}"
+ url: "{{ vault_api_addr }}"
+ token: "{{ vault_token }}"
+ ca_cert: "{{ vault_ca_cert | default(omit) }}"
+ register: vault_auto_unseal_wrapping_token
+
+- name: Print vault keys
+ debug:
+ var: vault_auto_unseal_wrapping_token
+ when:
+ - vault_auto_unseal_log_token | bool
+
+- name: Set vault_auto_unseal_token fact
+ set_fact:
+ vault_keys: "{{ vault_auto_unseal_wrapping_token }}"
+ when:
+ - vault_auto_unseal_set_token_fact | bool
+
+- name: Write vault keys to a file
+ copy:
+ content: "{{ vault_auto_unseal_wrapping_token | to_nice_json }}"
+ dest: "{{ vault_auto_unseal_write_token_file_path }}"
+ mode: 0600
+ 
delegate_to: "{{ vault_auto_unseal_write_token_file_host }}"
+ when:
+ - vault_auto_unseal_write_token_file | bool
diff --git a/tests/test_vault.yml b/tests/test_vault.yml
index ec908a2..6640f4a 100644
--- a/tests/test_vault.yml
+++ b/tests/test_vault.yml
@@ -28,6 +28,13 @@
 vault_unseal_keys: "{{ vault_keys.keys_base64 }}"
 vault_protocol: "http"
+ - name: Configure auto unseal
+ import_role:
+ name: vault_auto_unseal
+ vars:
+ vault_token: "{{ vault_keys.root_token }}"
+ vault_auto_unseal_log_token: true
+
 - name: Configure PKI
 import_role:
 name: vault_pki
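Review bot: The `Set vault_auto_unseal_token fact` task stores the wrapping token in `vault_keys`, not in `vault_auto_unseal_token` as its name says; `vault_keys` is the variable tests/test_vault.yml reads `root_token` and `keys_base64` from, so enabling this toggle overwrites the unseal material for every later role in the play — the line should read `vault_auto_unseal_token: "{{ vault_auto_unseal_wrapping_token }}"`. The engine name is parameterised as `vault_auto_unseal_transit_engine_name`, yet `mount_point: "transit/keys"` and the `transit/encrypt` / `transit/decrypt` paths in the policy are hard-coded, so overriding the default creates the key and the grants against a mount that does not exist. The first task lists `ca_cert` twice; Ansible's loader takes the last value and warns about the duplicate key, so the first `ca_cert:` line should be dropped. Because the registered result of `hashivault_token_create` contains the wrapping token, `no_log: "{{ not (vault_auto_unseal_log_token | bool) }}"` on that task keeps it out of verbose (`-v`) output when logging was not requested; the task names `Print vault keys` and `Write vault keys to a file` also still describe another role's output rather than this token.
```yaml
- name: "Create transit/keys/autounseal"
  hashivault_secret:
    mount_point: "{{ vault_auto_unseal_transit_engine_name }}/keys"
    # … unchanged: secret, url, token, ca_cert …

- name: "Create autounseal policy"
  hashivault_policy:
    name: "{{ vault_auto_unseal_policy_name }}"
    rules: |
      path "{{ vault_auto_unseal_transit_engine_name }}/encrypt/{{ vault_auto_unseal_key_name }}" {
        capabilities = [ "update" ]
      }
      path "{{ vault_auto_unseal_transit_engine_name }}/decrypt/{{ vault_auto_unseal_key_name }}" {
        capabilities = [ "update" ]
      }
    # … unchanged: state, url, token, ca_cert …

- name: "Create an orphan periodic client token with the autounseal policy attached"
  hashivault_token_create:
    # … unchanged: display_name, orphan, period, policies, wrap_ttl, url, token, ca_cert …
  no_log: "{{ not (vault_auto_unseal_log_token | bool) }}"
  register: vault_auto_unseal_wrapping_token

# … unchanged: debug task …

- name: Set vault_auto_unseal_token fact
  set_fact:
    vault_auto_unseal_token: "{{ vault_auto_unseal_wrapping_token }}"
  # … unchanged: when …
```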
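Review bot: This invocation exercises only the logging path of the new role (`vault_auto_unseal_log_token: true`), so the `set_fact` and `copy`/`delegate_to` tasks the role ships with are never run by CI; setting `vault_auto_unseal_write_token_file: true` with a temporary `vault_auto_unseal_write_token_file_path` here would cover that branch. With logging enabled the response-wrapped token is printed into the CI job log, which is presumably fine for this throwaway test Vault but deserves a comment on the line, e.g. `# prints the wrapping token — test Vault only`. The play's task list starts before this hunk.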