quico-ansible/role_include_vault-check
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: quico-ansible:v0.1.0
Branches Tags
quico-ansible:master
quico-ansible:dev
quico-ansible:v0.1.1
quico-ansible:v0.1.0
...
compare: quico-ansible:master
Branches Tags
quico-ansible:dev
quico-ansible:master
quico-ansible:v0.1.1
quico-ansible:v0.1.0

11 Commits
v0.1.0 ... master

Author SHA1 Message Date
semantic-release
a2649ce429 0.1.1 
Automatically generated by python-semantic-release
 2022-07-24 01:36:50 +02:00
hygienic-books
2a49cdca39 docs(meta): Prepare changelog file 2022-07-24 00:55:44 +02:00
hygienic-books
e027a5ef54 docs(role): Use example FQDN 2022-07-23 23:15:32 +02:00
hygienic-books
8691e6a6a6 docs(role): Add example Ansible task output 2022-07-23 23:14:00 +02:00
hygienic-books
a87b75f2f0 docs(role): Bring tasks YAML file name in line with role name 2022-07-23 22:47:22 +02:00
hygienic-books
8245542ac0 docs(role): Bring tasks YAML file name in line with role name 2022-07-23 22:47:12 +02:00
hygienic-books
dbe3c66a13 docs(role): Consistently single-quote variables 2022-07-23 22:44:05 +02:00
hygienic-books
26cee49e98 docs(role): Prefix vars with role name 2022-07-23 22:34:21 +02:00
hygienic-books
cbe8d7094b fix(galaxy): Quote YAML values 2022-07-23 21:38:18 +02:00
hygienic-books
e2233308c7 fix(galaxy): Add sensible content to 'meta/main.yml' 2022-07-23 21:37:06 +02:00
hygienic-books
9801af2c78 fix(galaxy): Add empty 'meta/main.yml', see if that's good enough to import via ansible-galaxy 2022-07-23 19:42:51 +02:00
6 changed files with 92 additions and 38 deletions
Show Stats Expand all files Collapse all files

20
CHANGELOG.md Normal file
View File

@ -0,0 +1,20 @@
# Change log
Current version: 0.1.1
<!--next-version-placeholder-->
## v0.1.1 (2022-07-24)
### Fix
* **galaxy:** Quote YAML values ([`cbe8d70`](https://quico.space/quico-ansible/role_include_vault-check/commit/cbe8d7094b1fd62d88a8b55b2331278b9cc97ac5))
* **galaxy:** Add sensible content to 'meta/main.yml' ([`e223330`](https://quico.space/quico-ansible/role_include_vault-check/commit/e2233308c73b6e35a59a77197b9b61ea802ea59e))
* **galaxy:** Add empty 'meta/main.yml', see if that's good enough to import via ansible-galaxy ([`9801af2`](https://quico.space/quico-ansible/role_include_vault-check/commit/9801af2c789a24f2bbdd5263a4f82116985bfbfa))
### Documentation
* **meta:** Prepare changelog file ([`2a49cdc`](https://quico.space/quico-ansible/role_include_vault-check/commit/2a49cdca39a1b7dd56585bdefacbdfecee915f1d))
* **role:** Use example FQDN ([`e027a5e`](https://quico.space/quico-ansible/role_include_vault-check/commit/e027a5ef54e2737c40a958821545271478a9f774))
* **role:** Add example Ansible task output ([`8691e6a`](https://quico.space/quico-ansible/role_include_vault-check/commit/8691e6a6a63db3b4332b6b26f911d244561f4747))
* **role:** Bring tasks YAML file name in line with role name ([`a87b75f`](https://quico.space/quico-ansible/role_include_vault-check/commit/a87b75f2f0fc08636656bf26bce54d4852088ba8))
* **role:** Bring tasks YAML file name in line with role name ([`8245542`](https://quico.space/quico-ansible/role_include_vault-check/commit/8245542ac032688ef75bde52c976df896bd4c4b3))
* **role:** Consistently single-quote variables ([`dbe3c66`](https://quico.space/quico-ansible/role_include_vault-check/commit/dbe3c66a133381cb1c52dc3f1ace836d9c1f814e))
* **role:** Prefix vars with role name ([`26cee49`](https://quico.space/quico-ansible/role_include_vault-check/commit/26cee49e98f01bf6bae790562b3308631438e04e))

77
README.md
View File

@ -19,11 +19,11 @@ role
In `requirements.yml` add: In `requirements.yml` add:
``` ```
- src: "https://quico.space/quico-ansible/role_include_vault-check.git" - src: 'https://quico.space/quico-ansible/role_include_vault-check.git'
version: "master" version: 'master'
``` ```
Now whenver you import `role` for example via `ansible-galaxy install ...` you'll automatically get this one downloaded as well. You can optionally leave out `version: "master"` since this is the default version anyways, meaning the `role_include_vault-check` newest master commit. The `version:` attribute helps you pin a version, for example as `version: "v1.0.0"` which will instead pull `role_include_vault-check` Git tag `v1.0.0`. Side note, this role follows the [Semantic Versioning](https://semver.org/) standard. A Git tag name `v1.0.0` refers to Semantic Version `1.0.0`. Now whenver you import `role` for example via `ansible-galaxy install ...` you'll automatically get this one downloaded as well. You can optionally leave out `version: 'master'` since this is the default version anyways, meaning the `role_include_vault-check` newest master commit. The `version:` attribute helps you pin a version, for example as `version: 'v1.0.0'` which will instead pull `role_include_vault-check` Git tag `v1.0.0`. Side note, this role follows the [Semantic Versioning](https://semver.org/) standard. A Git tag name `v1.0.0` refers to Semantic Version `1.0.0`.
# Use it # Use it
@ -32,33 +32,35 @@ Now whenver you import `role` for example via `ansible-galaxy install ...` you'l
From your `role` call this one like so: From your `role` call this one like so:
``` ```
- name: "If a secret is missing: Fail progress" - name: 'If a secret is missing: Fail progress'
import_role: import_role:
name: "role_include_vault-check" name: 'role_include_vault-check'
vars: vars:
- vault_check_base_path: "{{ vault_check_base_path }}" - vault_check_base_path: '{{ vault_check_base_path }}'
- vault_check_inc_vault_data: "{{ vault_check_vault_data }}" - vault_check_inc_vault_data: '{{ vault_check_vault_data }}'
- vault_check_fail_check: - vault_check_fail_checks:
- "password" - 'password',
- "password_salt" - 'password_salt'
``` ```
This `role_include_vault-check` expects two variables in your `import_role` task for example via the `vars` statement: This `role_include_vault-check` expects two variables in your `import_role` task for example via the `vars` statement:
1. `vault_check_base_path`: The path in HashiCorp Vault's `kv` secrets engine where secrets are located. Has cosmetic purpose only to inform the user where a key-value check succeeded or failed. 1. `vault_check_base_path`: The path in HashiCorp Vault's `kv` secrets engine where secrets are located. Has cosmetic purpose only to inform the user where a key-value check succeeded or failed.
1. `vault_check_fail_check`: A list of keys located at `vault_check_base_path` for which you want to confirm that they are non-empty. 1. `vault_check_inc_vault_data`: The Vault data dictionary we want checked.
1. `vault_check_fail_checks`: A list of keys located at `vault_check_base_path` for which you want to confirm that they are non-empty.
Can either be defined in place like so: Can either be defined in place like so:
``` ```
- vault_check_fail_check: - vault_check_fail_checks:
- "password" - 'password'
- "password_salt" - 'password_salt'
``` ```
Or can use a list variable defined elsewhere: Or can use a list variable defined elsewhere:
``` ```
- vault_check_fail_check: "{{ some_list }}" - vault_check_fail_checks: '{{ some_list }}'
``` ```
## In context ## In context
@ -66,31 +68,46 @@ This `role_include_vault-check` expects two variables in your `import_role` task
In a real-world use case you'll likely first query HashiCorp Vault for key-value pairs for example like so: In a real-world use case you'll likely first query HashiCorp Vault for key-value pairs for example like so:
``` ```
- name: "Get secrets" - name: 'Get secrets'
no_log: "true" no_log: 'true'
loop_control: loop_control:
loop_var: "server" loop_var: 'server'
with_community.hashi_vault.vault_kv2_get: with_community.hashi_vault.vault_kv2_get: '{{ local_os_password_vault_paths }}'
- "some/vault/kv/path/password"
- "some/vault/kv/path/password_salt"
ansible.builtin.set_fact: ansible.builtin.set_fact:
vault_data: "{{ vault_data | default({}) | combine (server.secret) }}" vault_data: '{{ vault_data | default({}) | combine (server.secret) }}'
``` ```
The `vault_kv2_get` lookup plug-in (see [vault_kv2_get lookup documentation](https://docs.ansible.com/ansible/devel/collections/community/hashi_vault/vault_kv2_get_lookup.html)) iterates over variables you want loaded from Vault. For each iteration it stores the iteration's output in `loop_var: "server"`. From that output we only really care about the `server.secret` dictionary. We append that to a `vault_data` dictionary which is first initialized as an empty dictionary and then expanded per iteration. When done `vault_data` contains key-values pair for all Vault variables. The `vault_kv2_get` lookup plug-in (see [vault_kv2_get lookup documentation](https://docs.ansible.com/ansible/devel/collections/community/hashi_vault/vault_kv2_get_lookup.html)) iterates over variables you want loaded from Vault. For each iteration it stores the iteration's output in `loop_var: 'server'`. From that output we only really care about the `server.secret` dictionary. We append that to a `vault_data` dictionary which is first initialized as an empty dictionary and then expanded per iteration. When done `vault_data` contains key-values pair for all Vault variables.
The next step can be this `role_include_vault-check` to hard-fail in case a key turned out to have an empty value. The next step can be this `role_include_vault-check` to hard-fail in case a key turned out to have an empty value.
``` ```
- name: "If a secret is missing: Fail progress" - name: 'If a secret is missing: Fail progress'
import_role: import_role:
name: "role_include_vault-check" name: 'role_include_vault-check'
vars: vars:
- vault_check_base_path: "{{ vault_check_base_path }}" - vault_check_base_path: '{{ local_os_password_vault_base }}'
- vault_check_inc_vault_data: "{{ vault_data }}" - vault_check_inc_vault_data: '{{ vault_data }}'
- vault_check_fail_check: - vault_check_fail_checks: '{{ local_os_password_vault_vars }}'
- "password"
- "password_salt"
``` ```
## Output ## Output
Ansible's task output will be for example:
```
TASK [...] ****************************************************************************************
ok: ...
TASK [role_include_vault-check : If a secret is missing: Fail progress] ***************************
ok: [fully.qualified.domain.name] => (item=password) => {
"msg": "Vault has secret 'password' at 'name/domain/qualified/fully/os/root'"
}
ok: [fully.qualified.domain.name] => (item=password_salt) => {
"msg": "Vault has secret 'password_salt' at 'name/domain/qualified/fully/os/root'"
}
TASK [...] ****************************************************************************************
ok: ...
```

17
meta/main.yml Normal file
View File

@ -0,0 +1,17 @@
galaxy_info:
author: 'hygienic-books'
description: 'An include-only Ansible role to check if HashiCorp Vault variables truly exist'
issue_tracker_url: 'https://quico.space/quico-ansible/role_include_vault-check/issues'
license: 'MIT'
min_ansible_version: '2.12.6'
platforms:
- name: 'EL'
versions:
- '7'
- '8'
galaxy_tags:
- 'hashivault'
- 'hashi_vault'
- 'hashi'
- 'hashicorp'
dependencies: []

7
tasks/40-check-vault-var.yml
View File

@ -1,7 +0,0 @@
- name: 'If a secret is missing: Fail progress'
failed_when: inc_fail_check not in inc_vault_data
loop_control:
loop_var: 'inc_fail_check'
loop: '{{ fail_check }}'
debug:
msg: 'Vault has {% if inc_fail_check not in inc_vault_data %}no {% endif %}secret ''{{ inc_fail_check }}'' at ''{{ vault_base_path }}'''

7
tasks/40-check-vault.yml Normal file
View File

@ -0,0 +1,7 @@
- name: 'If a secret is missing: Fail progress'
failed_when: vault_check_fail_check not in vault_check_inc_vault_data
loop_control:
loop_var: 'vault_check_fail_check'
loop: '{{ vault_check_fail_checks }}'
debug:
msg: 'Vault has {% if vault_check_fail_check not in vault_check_inc_vault_data %}no {% endif %}secret ''{{ vault_check_fail_check }}'' at ''{{ vault_check_base_path }}'''

2
tasks/main.yml
View File

@ -1 +1 @@
- import_tasks: '40-check-vault-var.yml' - import_tasks: '40-check-vault.yml'