From c21ce03ede08a72b4a1ff3b5c6b442243920cf26 Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Sat, 27 Jan 2024 00:54:13 +0100 Subject: [PATCH] feat(consul): make ACL default to enabled with default policy to deny --- playbooks/group_vars/all.yml | 24 ++++++++++---- plugins/modules/consul_acl_bootstrap.py | 44 +++++++++++++++++++++++++ plugins/modules/vault_init.py | 14 ++++---- 3 files changed, 69 insertions(+), 13 deletions(-) create mode 100644 plugins/modules/consul_acl_bootstrap.py diff --git a/playbooks/group_vars/all.yml b/playbooks/group_vars/all.yml index 6d393ab..8bd6b15 100644 --- a/playbooks/group_vars/all.yml +++ b/playbooks/group_vars/all.yml @@ -11,14 +11,26 @@ nomad_version: latest consul_version: latest vault_version: latest -vault_versions: - host: "{{ vault_version }}*" - docker: "{{ vault_version }}" - deployment_method: "host" api_interface: "eth0" api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}" +########################## +# Helper options ######### +########################## + +vault_versions: + host: "{{ vault_version }}{% '*' if vault_version != 'latest' %}" + docker: "{{ vault_version }}" + +consul_versions: + host: "{{ consul_version }}{% '*' if consul_version != 'latest' %}" + docker: "{{ consul_version }}" + +nomad_versions: + host: "{{ nomad_version }}{% '*' if nomad_version != 'latest' %}" + docker: "{{ nomad_version }}" + configuration_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack" sub_configuration_directories: nomad_servers: "{{ configuration_directory }}/nomad_servers" @@ -98,8 +110,8 @@ consul_address_configuration: ########################## consul_acl_configuration: - enabled: false - default_policy: "allow" # can be allow or deny + enabled: true + default_policy: "deny" # can be allow or deny enable_token_persistence: true ##################### diff --git a/plugins/modules/consul_acl_bootstrap.py b/plugins/modules/consul_acl_bootstrap.py new file mode 100644 index 0000000..b71d82b 
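Review bot: The `{% '*' if vault_version != 'latest' %}` fragment in the new `vault_versions.host` value is not valid Jinja — `{% %}` opens a statement tag and an expression with no tag name fails to parse, so the variable raises a template error the first time it is rendered; `consul_versions.host` and `nomad_versions.host` in the same hunk have the same form. The intent appears to be appending the package wildcard only for pinned versions, which is an output expression with an explicit else branch: `host: "{{ vault_version }}{{ '*' if vault_version != 'latest' else '' }}"`, and likewise for the other two. Without the `else ''` the inline conditional yields an undefined value on the `latest` path, which Ansible's undefined handling may also reject.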
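Review bot: With `enabled: true` and `default_policy: "deny"` every agent and every API call now needs a token, but nothing in this hunk — or in `consul_acl_bootstrap.py` added by the same commit, which is still a stub — performs the ACL bootstrap or distributes agent tokens, so a fresh deployment will likely come up with agents that cannot register services or serve requests until that work exists. Worth stating the dependency next to the flag so the default is not flipped back as a workaround: `enabled: true  # agents need tokens: run the ACL bootstrap and set agent tokens before relying on this`. Keeping `default_policy: "deny"` is the right default.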
--- /dev/null +++ b/plugins/modules/consul_acl_bootstrap.py @@ -0,0 +1,44 @@ +#!/usr/bin/python + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +DOCUMENTATION = r""" +""" + +EXAMPLES = r""" +""" + +RETURN = r""" +""" + +from ansible.module_utils.basic import AnsibleModule +import traceback + +try: + import requests +except ImportError: + HAS_REQUESTS = False + REQUESTS_IMPORT_ERROR = traceback.format_exc() +else: + REQUESTS_IMPORT_ERROR = None + HAS_REQUESTS = True + + +def run_module(): + module_args = dict( + api_url=dict(type="str", required=True), + ) + + result = dict(changed=False, state="") + + module = AnsibleModule(argument_spec=module_args, supports_check_mode=True) + + +def main(): + run_module() + + +if __name__ == "__main__": + main() diff --git a/plugins/modules/vault_init.py b/plugins/modules/vault_init.py index 354f9e9..0ca357a 100644 --- a/plugins/modules/vault_init.py +++ b/plugins/modules/vault_init.py @@ -60,16 +60,16 @@ state: returned: always sample: { "keys": [ - "70e15679de84ac951633b5a79a3b8b45fcc719c6c219d785230a230674cbdff063", - "1a5badb309c9bf8ce384b13db28195f56c3adea70d29b58ad59ad8d573450632e2", - "2aa8ee4bdb87b70582e712a180720d877106b67838fcd8c606879ba462c0f6972b" + "wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww", + "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", + "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz" ], "keys_base64": [ - "cOFWed6ErJUWM7WnmjuLRfzHGcbCGdeFIwojBnTL3/Bj", - "GlutswnJv4zjhLE9soGV9Ww63qcNKbWK1ZrY1XNFBjLi", - "KqjuS9uHtwWC5xKhgHINh3EGtng4/NjGBoebpGLA9pcr" + "wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww", + "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", + "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" ], - "root_token": "hvs.WasuYYUlbc1xsF2TIpbyNnWi" + "root_token": "hvs.xxxxxxxxxxxxxxxxxxxxxxxx" } """
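Review bot: `run_module()` constructs the `AnsibleModule` and then falls off the end without calling `module.exit_json(**result)` or `module.fail_json(...)`, so the module emits no JSON and Ansible reports it as failed even though `result` is built; `HAS_REQUESTS` and `REQUESTS_IMPORT_ERROR` are computed at import time but never checked. After the `AnsibleModule(...)` line add `if not HAS_REQUESTS:`, `    module.fail_json(msg=missing_required_lib("requests"), exception=REQUESTS_IMPORT_ERROR)` and finish with `module.exit_json(**result)`, importing `missing_required_lib` alongside `AnsibleModule`. `DOCUMENTATION`, `EXAMPLES` and `RETURN` are empty raw strings, which `ansible-doc` and the collection sanity tests reject; at minimum `module`, `short_description`, `options.api_url` and a `RETURN` entry for the bootstrap token are needed. When the bootstrap request is implemented, the returned SecretID is a credential: add it to `module.no_log_values` so it is masked in output, and set `changed` only when a bootstrap actually took place.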
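Review bot: Replacing the `keys`, `keys_base64` and `root_token` sample values with placeholder strings is right, but the previous values remain in the repository history; if they came from a real `vault operator init` rather than being constructed, that root token and those unseal shares should be treated as exposed — revoke the token and rekey — since rewriting the sample does not withdraw them. It would also help a reader to label the new values, e.g. a line above `sample:` such as `# placeholder values, not real Vault output`. The `RETURN` string this sample belongs to starts before the hunk.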