vault: add approles for pn01/pn02, fix provision playbook
Add pn01 and pn02 to hosts-generated.tf for Vault AppRole access. Fix provision-approle.yml: the localhost play was skipped when using -l filter, since localhost didn't match the target. Merged into a single play using delegate_to: localhost for the bao commands. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@@ -23,14 +23,12 @@
|
|||||||
when: ansible_play_hosts | length != 1
|
when: ansible_play_hosts | length != 1
|
||||||
run_once: true
|
run_once: true
|
||||||
|
|
||||||
- name: Fetch AppRole credentials from OpenBao
|
- name: Provision AppRole credentials
|
||||||
hosts: localhost
|
hosts: all
|
||||||
connection: local
|
|
||||||
gather_facts: false
|
gather_facts: false
|
||||||
|
|
||||||
vars:
|
vars:
|
||||||
target_host: "{{ groups['all'] | first }}"
|
target_hostname: "{{ inventory_hostname.split('.')[0] }}"
|
||||||
target_hostname: "{{ hostvars[target_host]['short_hostname'] | default(target_host.split('.')[0]) }}"
|
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: Display target host
|
- name: Display target host
|
||||||
@@ -45,6 +43,7 @@
|
|||||||
BAO_SKIP_VERIFY: "1"
|
BAO_SKIP_VERIFY: "1"
|
||||||
register: role_id_result
|
register: role_id_result
|
||||||
changed_when: false
|
changed_when: false
|
||||||
|
delegate_to: localhost
|
||||||
|
|
||||||
- name: Generate secret-id for host
|
- name: Generate secret-id for host
|
||||||
ansible.builtin.command:
|
ansible.builtin.command:
|
||||||
@@ -54,21 +53,8 @@
|
|||||||
BAO_SKIP_VERIFY: "1"
|
BAO_SKIP_VERIFY: "1"
|
||||||
register: secret_id_result
|
register: secret_id_result
|
||||||
changed_when: true
|
changed_when: true
|
||||||
|
delegate_to: localhost
|
||||||
|
|
||||||
- name: Store credentials for next play
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
vault_role_id: "{{ role_id_result.stdout }}"
|
|
||||||
vault_secret_id: "{{ secret_id_result.stdout }}"
|
|
||||||
|
|
||||||
- name: Deploy AppRole credentials to host
|
|
||||||
hosts: all
|
|
||||||
gather_facts: false
|
|
||||||
|
|
||||||
vars:
|
|
||||||
vault_role_id: "{{ hostvars['localhost']['vault_role_id'] }}"
|
|
||||||
vault_secret_id: "{{ hostvars['localhost']['vault_secret_id'] }}"
|
|
||||||
|
|
||||||
tasks:
|
|
||||||
- name: Create AppRole directory
|
- name: Create AppRole directory
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: /var/lib/vault/approle
|
path: /var/lib/vault/approle
|
||||||
@@ -79,7 +65,7 @@
|
|||||||
|
|
||||||
- name: Write role-id
|
- name: Write role-id
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
content: "{{ vault_role_id }}"
|
content: "{{ role_id_result.stdout }}"
|
||||||
dest: /var/lib/vault/approle/role-id
|
dest: /var/lib/vault/approle/role-id
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
owner: root
|
owner: root
|
||||||
@@ -87,7 +73,7 @@
|
|||||||
|
|
||||||
- name: Write secret-id
|
- name: Write secret-id
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
content: "{{ vault_secret_id }}"
|
content: "{{ secret_id_result.stdout }}"
|
||||||
dest: /var/lib/vault/approle/secret-id
|
dest: /var/lib/vault/approle/secret-id
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
owner: root
|
owner: root
|
||||||
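Review bot: The secret-id now flows through `register: secret_id_result` in "Generate secret-id for host" and `content: "{{ secret_id_result.stdout }}"` in "Write secret-id", so it is printed in verbose (`-v`) task output and in the `--diff` output of the copy task; unless `no_log` is already set on lines outside the hunk, add `no_log: true` to both tasks. The removed `set_fact`/`hostvars['localhost']` path had the same exposure, but this commit rewires where the value travels and is the natural place to close it. Separately, `target_hostname` dropped the `hostvars[...]['short_hostname']` override in favour of `inventory_hostname.split('.')[0]`; if any inventory entry defines `short_hostname`, its AppRole name silently changes, and `target_hostname: "{{ short_hostname | default(inventory_hostname.split('.')[0]) }}"` would keep the previous behaviour. The `ansible_play_hosts | length != 1` guard in the leading context belongs to a play that starts outside the hunk; with `hosts: all` and per-host delegation it may no longer be needed, but that cannot be confirmed from here.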
|
|||||||
@@ -53,6 +53,16 @@ locals {
|
|||||||
]
|
]
|
||||||
extra_policies = ["prometheus-metrics"]
|
extra_policies = ["prometheus-metrics"]
|
||||||
}
|
}
|
||||||
|
"pn01" = {
|
||||||
|
paths = [
|
||||||
|
"secret/data/hosts/pn01/*",
|
||||||
|
]
|
||||||
|
}
|
||||||
|
"pn02" = {
|
||||||
|
paths = [
|
||||||
|
"secret/data/hosts/pn02/*",
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||