quico-ansible/role_include_vault-check
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

docs(role): Prefix vars with role name

Browse Source
This commit is contained in:
hygienic-books 2022-07-23 22:34:21 +02:00
parent cbe8d7094b
commit 26cee49e98
2 changed files with 24 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
README.md
View File

@ -38,27 +38,29 @@ From your `role` call this one like so:
vars: vars:
- vault_check_base_path: "{{ vault_check_base_path }}" - vault_check_base_path: "{{ vault_check_base_path }}"
- vault_check_inc_vault_data: "{{ vault_check_vault_data }}" - vault_check_inc_vault_data: "{{ vault_check_vault_data }}"
- vault_check_fail_check: - vault_check_fail_checks:
- "password" - 'password',
- "password_salt" - 'password_salt'
``` ```
This `role_include_vault-check` expects two variables in your `import_role` task for example via the `vars` statement: This `role_include_vault-check` expects two variables in your `import_role` task for example via the `vars` statement:
1. `vault_check_base_path`: The path in HashiCorp Vault's `kv` secrets engine where secrets are located. Has cosmetic purpose only to inform the user where a key-value check succeeded or failed. 1. `vault_check_base_path`: The path in HashiCorp Vault's `kv` secrets engine where secrets are located. Has cosmetic purpose only to inform the user where a key-value check succeeded or failed.
1. `vault_check_fail_check`: A list of keys located at `vault_check_base_path` for which you want to confirm that they are non-empty. 1. `vault_check_inc_vault_data`: The Vault data dictionary we want checked.
1. `vault_check_fail_checks`: A list of keys located at `vault_check_base_path` for which you want to confirm that they are non-empty.
Can either be defined in place like so: Can either be defined in place like so:
``` ```
- vault_check_fail_check: - vault_check_fail_checks:
- "password" - 'password'
- "password_salt" - 'password_salt'
``` ```
Or can use a list variable defined elsewhere: Or can use a list variable defined elsewhere:
``` ```
- vault_check_fail_check: "{{ some_list }}" - vault_check_fail_checks: '{{ some_list }}'
``` ```
## In context ## In context
@ -66,15 +68,13 @@ This `role_include_vault-check` expects two variables in your `import_role` task
In a real-world use case you'll likely first query HashiCorp Vault for key-value pairs for example like so: In a real-world use case you'll likely first query HashiCorp Vault for key-value pairs for example like so:
``` ```
- name: "Get secrets" - name: 'Get secrets'
no_log: "true" no_log: 'true'
loop_control: loop_control:
loop_var: "server" loop_var: 'server'
with_community.hashi_vault.vault_kv2_get: with_community.hashi_vault.vault_kv2_get: '{{ local_os_password_vault_paths }}'
- "some/vault/kv/path/password"
- "some/vault/kv/path/password_salt"
ansible.builtin.set_fact: ansible.builtin.set_fact:
vault_data: "{{ vault_data | default({}) | combine (server.secret) }}" vault_data: '{{ vault_data | default({}) | combine (server.secret) }}'
``` ```
The `vault_kv2_get` lookup plug-in (see [vault_kv2_get lookup documentation](https://docs.ansible.com/ansible/devel/collections/community/hashi_vault/vault_kv2_get_lookup.html)) iterates over variables you want loaded from Vault. For each iteration it stores the iteration's output in `loop_var: "server"`. From that output we only really care about the `server.secret` dictionary. We append that to a `vault_data` dictionary which is first initialized as an empty dictionary and then expanded per iteration. When done `vault_data` contains key-values pair for all Vault variables. The `vault_kv2_get` lookup plug-in (see [vault_kv2_get lookup documentation](https://docs.ansible.com/ansible/devel/collections/community/hashi_vault/vault_kv2_get_lookup.html)) iterates over variables you want loaded from Vault. For each iteration it stores the iteration's output in `loop_var: "server"`. From that output we only really care about the `server.secret` dictionary. We append that to a `vault_data` dictionary which is first initialized as an empty dictionary and then expanded per iteration. When done `vault_data` contains key-values pair for all Vault variables.
@ -82,15 +82,13 @@ The `vault_kv2_get` lookup plug-in (see [vault_kv2_get lookup documentation](htt
The next step can be this `role_include_vault-check` to hard-fail in case a key turned out to have an empty value. The next step can be this `role_include_vault-check` to hard-fail in case a key turned out to have an empty value.
``` ```
- name: "If a secret is missing: Fail progress" - name: 'If a secret is missing: Fail progress'
import_role: import_role:
name: "role_include_vault-check" name: 'role_include_vault-check'
vars: vars:
- vault_check_base_path: "{{ vault_check_base_path }}" - vault_check_base_path: '{{ local_os_password_vault_base }}'
- vault_check_inc_vault_data: "{{ vault_data }}" - vault_check_inc_vault_data: '{{ vault_data }}'
- vault_check_fail_check: - vault_check_fail_checks: '{{ local_os_password_vault_vars }}'
- "password"
- "password_salt"
``` ```
## Output ## Output

8
tasks/40-check-vault-var.yml
View File

@ -1,7 +1,7 @@
- name: 'If a secret is missing: Fail progress' - name: 'If a secret is missing: Fail progress'
failed_when: inc_fail_check not in inc_vault_data failed_when: vault_check_fail_check not in vault_check_inc_vault_data
loop_control: loop_control:
loop_var: 'inc_fail_check' loop_var: 'vault_check_fail_check'
loop: '{{ fail_check }}' loop: '{{ vault_check_fail_checks }}'
debug: debug:
msg: 'Vault has {% if inc_fail_check not in inc_vault_data %}no {% endif %}secret ''{{ inc_fail_check }}'' at ''{{ vault_base_path }}''' msg: 'Vault has {% if vault_check_fail_check not in vault_check_inc_vault_data %}no {% endif %}secret ''{{ vault_check_fail_check }}'' at ''{{ vault_check_base_path }}'''