diff --git a/.gitignore b/.gitignore index 9cdd082..8431986 100644 --- a/.gitignore +++ b/.gitignore @@ -2,5 +2,5 @@ **/__pycache__ .vscode roles/ednz_cloud.* -vault_config -consul_config \ No newline at end of file +vault_config.yml +consul_config.yml \ No newline at end of file diff --git a/playbooks/deploy.yml b/playbooks/deploy.yml index f8880dc..1c87c17 100644 --- a/playbooks/deploy.yml +++ b/playbooks/deploy.yml @@ -6,171 +6,24 @@ gather_facts: true become: true tasks: - - name: "Debug" - ansible.builtin.debug: - msg: "{{ hashi_vault_configuration.listener }}" - - name: "Import variables" ansible.builtin.import_tasks: file: tasks/load_vars.yml - - name: "Debug" - ansible.builtin.debug: - msg: "{{ hashi_vault_configuration }}" - - # - ansible.builtin.fail: - - - name: "Consul" + - name: "Deploy Consul" + ansible.builtin.import_tasks: + file: tasks/consul/consul_deploy.yml when: - enable_consul | bool - "'consul_servers' in group_names" tags: - consul - block: - - name: "Include ednz_cloud.hashistack.hashicorp_consul" - ansible.builtin.include_role: - name: ednz_cloud.hashistack.hashicorp_consul - - name: "Wait for consul cluster to initialize" # noqa: run-once[task] - ansible.builtin.wait_for: - timeout: 15 - delegate_to: localhost - run_once: true - - - name: "Initialize consul cluster" # noqa: run-once[task] - community.general.consul_acl_bootstrap: - host: "{{ hashi_consul_configuration['advertise_addr'] }}" - port: 8500 - scheme: http - state: present - run_once: true - delegate_to: "{{ groups['consul_servers'] | first }}" - # retries: 5 - # delay: 5 - register: _consul_init_secret - # until: _consul_init_secret.result is defined - when: hashi_consul_configuration.acl.enabled - - - name: "Write consul configuration to file" # noqa: run-once[task] no-handler - ansible.builtin.copy: - content: "{{ - { - 'root_token':{ - 'accessor_id': _consul_init_secret.result.AccessorID, - 'secret_id': _consul_init_secret.result.SecretID - } - } | to_nice_yaml - }}" - dest: "{{ sub_configuration_directories.consul_servers }}/consul_config" - mode: '0644' - when: _consul_init_secret.result is defined - run_once: true - delegate_to: localhost - - - name: "Load consul cluster variables" - ansible.builtin.include_vars: - file: "{{ sub_configuration_directories.consul_servers }}/consul_config" - name: _consul_cluster_config - - - name: "Create consul agents token" # noqa: run-once[task] no-handler - # when: - # - _consul_init_secret.changed - # - consul_acl_configuration.enabled - run_once: true - delegate_to: localhost - block: - - name: "Create consul agent policy" - community.general.consul_policy: - host: "{{ hashi_consul_configuration['advertise_addr'] }}" - token: "{{ _consul_cluster_config.root_token.secret_id }}" - port: 8500 - scheme: http - state: present - name: agents-policy - rules: "{{ consul_default_agent_policy }}" - register: _consul_agent_policy - - - name: "Debug Policy" - ansible.builtin.debug: - msg: "{{ _consul_agent_policy }}" - - # - fail: - - - name: "Create consul agents token" - community.general.consul_token: - host: "localhost" # "{{ hashi_consul_configuration['advertise_addr'] }}" - token: "{{ _consul_cluster_config.root_token.secret_id }}" - port: 8500 - scheme: http - state: present - local: true - policies: - - id: _consul_agent_policy.policy.ID - register: _consul_agent_token - - - name: "Write consul agents token to file" # no-handler - ansible.builtin.copy: - content: "{{ - { - 'tokens':{ - 'agent': _consul_agent_token.token.SecretID - } - } | to_nice_yaml - }}" - dest: "{{ sub_configuration_directories.consul_servers }}/consul_config" - mode: '0644' - when: _consul_agent_token.changed - - - name: "Vault" + - name: "Deploy Vault" + ansible.builtin.import_tasks: + file: tasks/vault/vault_deploy.yml when: - enable_vault | bool - "'vault_servers' in group_names" tags: - vault - block: - - name: "Include ednz_cloud.hashistack.hashicorp_consul" - ansible.builtin.include_role: - name: ednz_cloud.hashistack.hashicorp_vault - - - name: "Initialize vault cluster" # noqa: run-once[task] - ednz_cloud.hashistack.vault_init: - api_url: "{{ hashi_vault_configuration['api_addr'] }}" - key_shares: "{{ vault_seal_configuration['key_shares'] }}" - key_threshold: "{{ vault_seal_configuration['key_threshold'] }}" - run_once: true - retries: 5 - delay: 5 - delegate_to: "{{ groups['vault_servers'] | first }}" - register: _vault_init_secret - until: not _vault_init_secret.failed - - - name: "Write vault configuration to file" # noqa: run-once[task] no-handler - ansible.builtin.copy: - content: "{{ _vault_init_secret.state | to_nice_yaml}}" - dest: "{{ sub_configuration_directories.vault_servers }}/vault_config" - mode: '0644' - when: _vault_init_secret.changed - run_once: true - delegate_to: localhost - - - name: "Load vault cluster variables necessary for unseal operation" - ansible.builtin.include_vars: - file: "{{ sub_configuration_directories.vault_servers }}/vault_config" - name: _vault_cluster_config - - - name: "Unseal the bootstrap node" # noqa: run-once[task] no-handler - ednz_cloud.hashistack.vault_unseal: - api_url: "{{ hashi_vault_configuration['api_addr'] }}" - key_shares: "{{ _vault_cluster_config['keys'] }}" - run_once: true - delegate_to: "{{ groups['vault_servers'] | first }}" - when: _vault_init_secret.changed - register: _vault_unseal_secret - - - name: "Unseal all vault nodes" - ednz_cloud.hashistack.vault_unseal: - api_url: "{{ hashi_vault_configuration['api_addr'] }}" - key_shares: "{{ _vault_cluster_config['keys'] }}" - retries: 5 - delay: 5 - register: _unseal_status diff --git a/playbooks/tasks/consul/consul_deploy.yml b/playbooks/tasks/consul/consul_deploy.yml new file mode 100644 index 0000000..4558097 --- /dev/null +++ b/playbooks/tasks/consul/consul_deploy.yml @@ -0,0 +1,125 @@ +- name: "Consul" + block: + - name: "Include ednz_cloud.hashistack.hashicorp_consul" + ansible.builtin.include_role: + name: ednz_cloud.hashistack.hashicorp_consul + + - name: "Wait for consul cluster to initialize" # noqa: run-once[task] + ansible.builtin.wait_for: + timeout: 15 + delegate_to: localhost + run_once: true + + - name: "Initialize consul cluster" # noqa: run-once[task] + community.general.consul_acl_bootstrap: + host: "{{ hashi_consul_configuration['advertise_addr'] }}" + port: 8500 + scheme: http + state: present + run_once: true + delegate_to: "{{ groups['consul_servers'] | first }}" + # retries: 5 + # delay: 5 + register: _consul_init_secret + # until: _consul_init_secret.result is defined + when: hashi_consul_configuration.acl.enabled + + - name: "Write consul configuration to file" # noqa: run-once[task] no-handler + ansible.builtin.copy: + content: "{{ + { + 'root_token':{ + 'accessor_id': _consul_init_secret.result.AccessorID, + 'secret_id': _consul_init_secret.result.SecretID + } + } | to_nice_yaml + }}" + dest: "{{ sub_configuration_directories.consul_servers }}/consul_config.yml" + owner: "{{ lookup('env', 'USER') }}" + group: "{{ lookup('env', 'USER') }}" + mode: "0644" + when: _consul_init_secret.result is defined + run_once: true + delegate_to: localhost + + - name: "Load consul cluster variables" + ansible.builtin.include_vars: + file: "{{ sub_configuration_directories.consul_servers }}/consul_config.yml" + name: _consul_cluster_config + + - name: "Create consul agents token" + when: + - _consul_init_secret.changed + - consul_acl_configuration.enabled + block: + - name: "Create consul agents token" # noqa: run-once[task] no-handler + run_once: true + delegate_to: localhost + block: + - name: "Create consul agent policy" + community.general.consul_policy: + host: "{{ hashi_consul_configuration['advertise_addr'] }}" + token: "{{ _consul_cluster_config.root_token.secret_id }}" + port: 8500 + scheme: http + state: present + name: agents-policy + rules: "{{ consul_default_agent_policy }}" + register: _consul_agent_policy + + - name: "Create consul agents token" + vars: + consul_full_url: "http://{{ hashi_consul_configuration['advertise_addr'] }}:8500" + consul_token_body: + Policies: + - ID: "{{ _consul_agent_policy.policy.ID }}" + ansible.builtin.uri: + url: "{{ consul_full_url }}/v1/acl/token" + method: PUT + headers: + X-Consul-Token: "{{ _consul_cluster_config.root_token.secret_id }}" + body: "{{ consul_token_body | to_json }}" + status_code: + - 200 + register: _consul_agent_token + + - name: "Write consul agents token to file" # no-handler + ansible.builtin.blockinfile: + marker: "## -- {tokens} ANSIBLE MANAGED BLOCK ##" + block: "{{ + { + 'tokens':{ + 'agent': _consul_agent_token.json.SecretID + } + } | to_nice_yaml + }}" + path: "{{ sub_configuration_directories.consul_servers }}/consul_config.yml" + mode: "0644" + when: "'OK' in _consul_agent_token.msg" + + - name: "Merge token configuration" + delegate_to: localhost + block: + - name: "Stat consul secrets file" + ansible.builtin.stat: + path: "{{ sub_configuration_directories.consul_servers }}/consul_config.yml" + register: _consul_config_file + + - name: "Load consul secrets file" + ansible.builtin.include_vars: + file: "{{ sub_configuration_directories.consul_servers }}/consul_config.yml" + name: _consul_cluster_config + when: _consul_config_file.stat.exists + + - name: "Merge token configuration" + vars: + _config_to_merge: + acl: + tokens: "{{ _consul_cluster_config.tokens }}" + ansible.builtin.set_fact: + hashi_consul_configuration: "{{ hashi_consul_configuration | default({}) | combine(_config_to_merge, recursive=true) }}" + when: _consul_cluster_config.tokens is defined + + - name: "Include ednz_cloud.hashistack.hashicorp_consul" + ansible.builtin.include_role: + name: ednz_cloud.hashistack.hashicorp_consul diff --git a/playbooks/tasks/consul_vars.yml b/playbooks/tasks/consul/consul_vars.yml similarity index 88% rename from playbooks/tasks/consul_vars.yml rename to playbooks/tasks/consul/consul_vars.yml index 672b360..db558a4 100644 --- a/playbooks/tasks/consul_vars.yml +++ b/playbooks/tasks/consul/consul_vars.yml @@ -25,24 +25,23 @@ block: - name: "Consul | Stat consul secrets file" ansible.builtin.stat: - path: "{{ sub_configuration_directories.consul_servers }}/consul_config" + path: "{{ sub_configuration_directories.consul_servers }}/consul_config.yml" register: _consul_config_file - name: "Consul | Load consul secrets file" ansible.builtin.include_vars: - file: "{{ sub_configuration_directories.consul_servers }}/consul_config" + file: "{{ sub_configuration_directories.consul_servers }}/consul_config.yml" name: _consul_cluster_config when: _consul_config_file.stat.exists - - name: "Consul | Merge token configuration" + - name: "Merge token configuration" vars: _config_to_merge: acl: - tokens: - agent: "{{ _consul_cluster_config.consul_agent_token }}" + tokens: "{{ _consul_cluster_config.tokens }}" ansible.builtin.set_fact: hashi_consul_configuration: "{{ hashi_consul_configuration | default({}) | combine(_config_to_merge, recursive=true) }}" - when: _consul_cluster_config.consul_agent_token is defined + when: _consul_cluster_config.tokens is defined - name: Debug token config ansible.builtin.debug: diff --git a/playbooks/tasks/load_vars.yml b/playbooks/tasks/load_vars.yml index affd678..82d2c47 100644 --- a/playbooks/tasks/load_vars.yml +++ b/playbooks/tasks/load_vars.yml @@ -66,14 +66,14 @@ - name: "Merge consul configurations" ansible.builtin.import_tasks: - file: "consul_vars.yml" + file: "consul/consul_vars.yml" when: - enable_consul | bool - "'consul_servers' in group_names" - name: "Merge vault configurations" ansible.builtin.import_tasks: - file: "vault_vars.yml" + file: "vault/vault_vars.yml" when: - enable_vault | bool - "'vault_servers' in group_names" diff --git a/playbooks/tasks/vault/vault_deploy.yml b/playbooks/tasks/vault/vault_deploy.yml new file mode 100644 index 0000000..0902d88 --- /dev/null +++ b/playbooks/tasks/vault/vault_deploy.yml @@ -0,0 +1,50 @@ +- name: "Vault" + block: + - name: "Include ednz_cloud.hashistack.hashicorp_consul" + ansible.builtin.include_role: + name: ednz_cloud.hashistack.hashicorp_vault + + - name: "Initialize vault cluster" # noqa: run-once[task] + ednz_cloud.hashistack.vault_init: + api_url: "{{ hashi_vault_configuration['api_addr'] }}" + key_shares: "{{ vault_seal_configuration['key_shares'] }}" + key_threshold: "{{ vault_seal_configuration['key_threshold'] }}" + run_once: true + retries: 5 + delay: 5 + delegate_to: "{{ groups['vault_servers'] | first }}" + register: _vault_init_secret + until: not _vault_init_secret.failed + + - name: "Write vault configuration to file" # noqa: run-once[task] no-handler + ansible.builtin.copy: + content: "{{ _vault_init_secret.state | to_nice_yaml}}" + dest: "{{ sub_configuration_directories.vault_servers }}/vault_config.yml" + owner: "{{ lookup('env', 'USER') }}" + group: "{{ lookup('env', 'USER') }}" + mode: "0644" + when: _vault_init_secret.changed + run_once: true + delegate_to: localhost + + - name: "Load vault cluster variables necessary for unseal operation" + ansible.builtin.include_vars: + file: "{{ sub_configuration_directories.vault_servers }}/vault_config.yml" + name: _vault_cluster_config + + - name: "Unseal the bootstrap node" # noqa: run-once[task] no-handler + ednz_cloud.hashistack.vault_unseal: + api_url: "{{ hashi_vault_configuration['api_addr'] }}" + key_shares: "{{ _vault_cluster_config['keys'] }}" + run_once: true + delegate_to: "{{ groups['vault_servers'] | first }}" + when: _vault_init_secret.changed + register: _vault_unseal_secret + + - name: "Unseal all vault nodes" + ednz_cloud.hashistack.vault_unseal: + api_url: "{{ hashi_vault_configuration['api_addr'] }}" + key_shares: "{{ _vault_cluster_config['keys'] }}" + retries: 5 + delay: 5 + register: _unseal_status diff --git a/playbooks/tasks/vault_vars.yml b/playbooks/tasks/vault/vault_vars.yml similarity index 100% rename from playbooks/tasks/vault_vars.yml rename to playbooks/tasks/vault/vault_vars.yml