From 8ce66d42a744ee3c86fda16c7337622902494e41 Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Wed, 24 Jan 2024 23:54:58 +0100
Subject: [PATCH] feat(vault): break things trying to fix vault unseal not returning anything on mulitple retries
---
playbooks/deploy.yml | 15 ++++++++++++---
playbooks/group_vars/all.yml | 10 ++++++++--
playbooks/tasks/vault_vars.yml | 18 ++++++++++++++----
plugins/modules/vault_init.py | 4 ++--
plugins/modules/vault_unseal.py | 19 +++++--------------
5 files changed, 41 insertions(+), 25 deletions(-)
diff --git a/playbooks/deploy.yml b/playbooks/deploy.yml
index f666de8..b239b41 100644
--- a/playbooks/deploy.yml
+++ b/playbooks/deploy.yml
@@ -61,17 +61,26 @@ ednxzu.hashistack.vault_unseal: api_url: "{{ hashi_vault_configuration['api_addr'] }}" key_shares: "{{ _vault_cluster_config['keys'] }}" - max_retries: "{{ (_vault_cluster_config['keys'] | length) - 1 }}" + # max_retries: "{{ (_vault_cluster_config['keys'] | length) - 1 }}" run_once: true delegate_to: "{{ groups['vault_servers'] | first }}" when: _vault_init_secret.changed + register: _vault_unseal_secret + + - name: "Print unseal status" ansible.builtin.debug: msg: "{{ _vault_unseal_secret }}" - name: "Unseal all vault nodes" ednxzu.hashistack.vault_unseal: api_url: "{{ hashi_vault_configuration['api_addr'] }}" key_shares: "{{ _vault_cluster_config['keys'] }}" - max_retries: "{{ (_vault_cluster_config['keys'] | length) - 1 }}" + # max_retries: "{{ (_vault_cluster_config['keys'] | length) - 1 }}" retries: 5 delay: 5 register: _unseal_status - until: not _unseal_status.failed + until: _unseal_status.changed + + - name: "Print unseal status" ansible.builtin.debug: msg: "{{ _unseal_status }}"
diff --git a/playbooks/group_vars/all.yml b/playbooks/group_vars/all.yml
index a3e29a2..82e431e 100644
--- a/playbooks/group_vars/all.yml
+++ b/playbooks/group_vars/all.yml
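Review bot: The two added `ansible.builtin.debug` tasks print the whole registered result of `vault_unseal`, and an AnsibleModule result normally carries `invocation.module_args`, so the unseal key shares passed as `key_shares` would be echoed into the play output and any log that captures it; the `vault_unseal` tasks themselves also lack `no_log: true`, so the same shares appear on failure or under `-v`. Add `no_log: true` to both unseal tasks and drop the debug tasks (a registered result is not redacted when printed later), or at most print `_unseal_status.state`, which is the seal-status dict rather than the keys. `until: _unseal_status.changed` ties success of the retry loop to the module reporting a change; `until: _unseal_status is succeeded` states the intent and keeps working if the module ever reports `changed: false` for a node that is already unsealed. The commented-out `# max_retries` lines are dead now that the module no longer accepts the option and can simply be deleted.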
@@ -53,7 +53,7 @@ hashi_nomad_start_service: true hashi_nomad_cni_plugins_version: latest hashi_nomad_cni_plugins_install_path: /opt/cni/bin hashi_nomad_version: latest -hashi_nomad_deploy_method: host # deployment method, either host or docker +hashi_nomad_deploy_method: host # deployment method, either host or docker hashi_nomad_env_variables: {} hashi_nomad_data_dir: /opt/nomad hashi_nomad_extra_files: false
@@ -67,7 +67,7 @@ hashi_nomad_configuration: {} hashi_consul_start_service: true hashi_consul_version: latest -hashi_consul_deploy_method: host # deployment method, either host or docker. +hashi_consul_deploy_method: host # deployment method, either host or docker. hashi_consul_env_variables: {} hashi_consul_data_dir: "/opt/consul" hashi_consul_extra_files: false
@@ -150,6 +150,12 @@ vault_logging_configuration: ######################### extra_vault_container_volumes: [] +##################### +# extra configuration +##################### + +vault_extra_configuration: {} + ############### # configuration ###############
diff --git a/playbooks/tasks/vault_vars.yml b/playbooks/tasks/vault_vars.yml
index c0ec99a..0a36873 100644
--- a/playbooks/tasks/vault_vars.yml
+++ b/playbooks/tasks/vault_vars.yml
@@ -1,6 +1,6 @@ --- # hashistack configuration merging for vault -- name: "Merge listener configuration" +- name: "Vault | Merge listener configuration" ansible.builtin.set_fact: vault_listener_configuration: "{{ vault_listener_configuration |
@@ -8,7 +8,7 @@ combine(vault_extra_listener_configuration | default({})) }}" -- name: "Merge service registration configuration" +- name: "Vault | Merge service registration configuration" vars: _config_to_merge: service_registration: "{{ vault_service_registration_configuration }}"
@@ -19,7 +19,7 @@ }}" when: vault_enable_service_registration -- name: "Merge plugins configuration" +- name: "Vault | Merge plugins configuration" vars: _config_to_merge: plugin_directory: "{{ vault_plugin_directory }}"
@@ -30,7 +30,7 @@ }}" when: vault_enable_plugins -- name: "Merge logging configuration" +- name: "Vault | Merge logging configuration" vars: _config_to_merge: "{{ vault_logging_configuration }}" ansible.builtin.set_fact:
@@ -39,3 +39,13 @@ combine(_config_to_merge) }}" when: vault_enable_log_to_file + +- name: "Vault | Merge extra configuration settings" + vars: + _config_to_merge: "{{ vault_extra_configuration }}" + ansible.builtin.set_fact: + hashi_vault_configuration: "{{ + hashi_vault_configuration | + combine(_config_to_merge) + }}" + when: vault_extra_configuration is defined
diff --git a/plugins/modules/vault_init.py b/plugins/modules/vault_init.py
index 6a0a877..354f9e9 100644
--- a/plugins/modules/vault_init.py
+++ b/plugins/modules/vault_init.py
@@ -6,7 +6,7 @@ __metaclass__ = type DOCUMENTATION = r""" --- -module: my_test +module: ednxzu.hashistack.vault_init short_description: Manages the initialization of HashiCorp Vault.
@@ -93,7 +93,7 @@ def run_module(): key_threshold=dict(type="int", required=False, default=3), ) - result = dict(changed=False, original_message="", state="") + result = dict(changed=False, state="") module = AnsibleModule(argument_spec=module_args, supports_check_mode=True)
diff --git a/plugins/modules/vault_unseal.py b/plugins/modules/vault_unseal.py
index 49812c8..e5d8ed5 100644
--- a/plugins/modules/vault_unseal.py
+++ b/plugins/modules/vault_unseal.py
@@ -84,10 +84,9 @@ def run_module(): module_args = dict( api_url=dict(type="str", required=True), key_shares=dict(type="list", required=False, default=[]), - max_retries=dict(type="int", required=False, default=3), ) - result = dict(changed=False, original_message="", state=None) + result = dict(changed=False, state="") module = AnsibleModule(argument_spec=module_args, supports_check_mode=True)
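Review bot: `when: vault_extra_configuration is defined` never skips the new merge task, because group_vars/all.yml in this same patch defaults the variable to `{}`; `when: vault_extra_configuration | length > 0` (or no `when` at all, since `combine({})` is a no-op) says what is meant. The point an operator needs to know is that this merge runs after every other merge in the file and `combine` is shallow by default, so a top-level key such as `listener`, `seal` or `storage` in `vault_extra_configuration` replaces the whole block assembled by the earlier tasks, TLS listener settings included, rather than merging into it. State that next to the task: `# Runs last and merges shallowly: a top-level key here (e.g. listener) replaces the block built above, it is not merged into it.`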
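Review bot: `module: ednxzu.hashistack.vault_init` is, as far as I recall, not what Ansible's `validate-modules` sanity test accepts in DOCUMENTATION: the field has to be the short module name matching the file (`module: vault_init`), and the collection prefix belongs in EXAMPLES and in plays. The old placeholder `my_test` was wrong too, so the rename goes in the right direction, just one level too far.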
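Review bot: `key_shares` carries the Vault unseal key shares, but the argument spec declares it without `no_log=True`, so Ansible normally returns the shares under `invocation.module_args`, shows them under `-v` and includes them in failure output; the fix is `key_shares=dict(type="list", elements="str", required=False, default=[], no_log=True)` (`elements` is also what the sanity tests ask for on list options). `default=[]` additionally means a play that forgets the shares gets a module that submits nothing and only fails with a generic message later; `required=True` makes the contract explicit unless an empty list is a deliberate "status only" mode, in which case that should be documented on the option.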
@@ -108,24 +107,16 @@ def run_module(): # Unseal Vault try: - retries = 0 - vault_unseal_result = None - while client.sys.is_sealed() and retries < module.params["max_retries"]: - key_share = module.params["key_shares"][ - min(retries, len(module.params["key_shares"]) - 1) - ] - vault_unseal_result = client.sys.submit_unseal_key(key_share) - retries += 1 + key_shares = module.params["key_shares"] + vault_unseal_result = client.sys.submit_unseal_keys(key_shares) + result["state"] = vault_unseal_result except hvac.exceptions.VaultError as ve: module.fail_json(msg=f"Vault unsealing failed: {ve}") - # Check if the Vault is successfully unsealed if client.sys.is_sealed(): - module.fail_json(msg="Vault unsealing failed: Maximum retries reached.") + module.fail_json(msg="Vault unsealing failed.") - result["state"] = vault_unseal_result result["changed"] = True - module.exit_json(**result)
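Review bot: The new unseal path submits `key_shares` unconditionally and always reports `changed=True`, while the spec hunk above declares `supports_check_mode=True`; unless the unseen lines 94-107 guard it, a check-mode run actually unseals Vault, and an already-unsealed node (the case the old `while client.sys.is_sealed()` loop skipped) still gets the shares re-submitted and counted as a change. As I recall, hvac's `submit_unseal_keys` stops at the first response reporting `sealed: false` and returns `None` for an empty list without raising, so with the spec's `default=[]` the only signal is the generic `Vault unsealing failed.` message, which is why the rewrite below checks for empty shares and for an already-unsealed node before the `try` and short-circuits check mode. If the trailing `-` in this hunk removes `module.exit_json(**result)` rather than the blank line before it, `run_module` now returns without emitting a result at all, which reproduces the "not returning anything" symptom from the subject instead of fixing it; the rewrite keeps the call. A play that loops on `changed` will then need to wait on task success instead, because an already-unsealed node correctly reports no change. `run_module` begins before this hunk, so the `client` construction the code relies on is not visible here.
```python
    # … unchanged: run_module() argument spec and client construction (before this hunk) …
    key_shares = module.params["key_shares"]
    if not key_shares:
        module.fail_json(msg="Vault unsealing failed: no key shares were provided.")
    if not client.sys.is_sealed():
        # Already unsealed: nothing to submit, report no change.
        # read_seal_status() is what is_sealed() wraps in hvac; drop this line if the pinned hvac lacks it.
        result["state"] = client.sys.read_seal_status()
        module.exit_json(**result)
    if module.check_mode:
        # Would unseal; never submit real key shares from a check-mode run.
        result["changed"] = True
        module.exit_json(**result)
    try:
        result["state"] = client.sys.submit_unseal_keys(key_shares)
    except hvac.exceptions.VaultError as ve:
        module.fail_json(msg=f"Vault unsealing failed: {ve}")
    if client.sys.is_sealed():
        module.fail_json(
            msg="Vault unsealing failed: still sealed after submitting all key shares.",
            state=result["state"],
        )
    result["changed"] = True
    module.exit_json(**result)
```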