Compare commits
2 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 6c6e7dcb7b | |||
| 1138470580 |
16
README.md
16
README.md
@ -23,7 +23,7 @@ In `requirements.yml` add:
|
|||||||
version: 'master'
|
version: 'master'
|
||||||
```
|
```
|
||||||
|
|
||||||
Now whenver you import `role` for example via `ansible-galaxy install ...` you'll automatically get this one downloaded as well. You can optionally leave out `version: 'master'` since this is the default version anyways, meaning the `role_include_vault-check` newest master commit. The `version:` attribute helps you pin a version, for example as `version: 'v1.0.0'` which will instead pull `role_include_vault-check` Git tag `v1.0.0`. Side note, this role follows the [Semantic Versioning](https://semver.org/) standard. A Git tag name `v1.0.0` refers to Semantic Version `1.0.0`.
|
Now whenever you import `role` for example via `ansible-galaxy install ...` you'll automatically get this one downloaded as well. You can optionally leave out `version: 'master'` since this is the default version anyways, meaning the `role_include_vault-check` newest master commit. The `version:` attribute helps you pin a version, for example as `version: 'v1.0.0'` which will instead pull `role_include_vault-check` Git tag `v1.0.0`. Side note, this role follows the [Semantic Versioning](https://semver.org/) standard. A Git tag name `v1.0.0` refers to Semantic Version `1.0.0`.
|
||||||
|
|
||||||
# Use it
|
# Use it
|
||||||
|
|
||||||
@ -79,6 +79,20 @@ In a real-world use case you'll likely first query HashiCorp Vault for key-value
|
|||||||
|
|
||||||
The `vault_kv2_get` lookup plug-in (see [vault_kv2_get lookup documentation](https://docs.ansible.com/ansible/devel/collections/community/hashi_vault/vault_kv2_get_lookup.html)) iterates over variables you want loaded from Vault. For each iteration it stores the iteration's output in `loop_var: 'server'`. From that output we only really care about the `server.secret` dictionary. We append that to a `vault_data` dictionary which is first initialized as an empty dictionary and then expanded per iteration. When done `vault_data` contains key-values pair for all Vault variables.
|
The `vault_kv2_get` lookup plug-in (see [vault_kv2_get lookup documentation](https://docs.ansible.com/ansible/devel/collections/community/hashi_vault/vault_kv2_get_lookup.html)) iterates over variables you want loaded from Vault. For each iteration it stores the iteration's output in `loop_var: 'server'`. From that output we only really care about the `server.secret` dictionary. We append that to a `vault_data` dictionary which is first initialized as an empty dictionary and then expanded per iteration. When done `vault_data` contains key-values pair for all Vault variables.
|
||||||
|
|
||||||
|
## Defining defaults
|
||||||
|
|
||||||
|
Whereever you import this role you're most likely going to want to define the following variables in your role's `defaults/main.yml` file or at a similar location. Here `<role>` is a string you'll replace with the name of the role that imports `role_include_vault-check`.
|
||||||
|
|
||||||
|
```
|
||||||
|
<role>_vault_vars: ['password', 'password_salt']
|
||||||
|
<role>_vault_base: '{{ fqdn_reverse }}/os/{{ reset_password_for_account }}'
|
||||||
|
<role>_vault_paths: '{{ [<role>_vault_base + ''/''] | product(<role>_vault_vars) | map(''join'') | list }}'
|
||||||
|
```
|
||||||
|
|
||||||
|
Check out [Git repo quico.space/quico-ansible/role_common_local-os-password](https://quico.space/quico-ansible/role_common_local-os-password) for a reference of how to define `defaults/main.yml` and then to import this role.
|
||||||
|
|
||||||
|
## Vault check
|
||||||
|
|
||||||
The next step can be this `role_include_vault-check` to hard-fail in case a key turned out to have an empty value.
|
The next step can be this `role_include_vault-check` to hard-fail in case a key turned out to have an empty value.
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user