feat(consul): make ACL default to enabled with default policy to deny

2024-01-27 00:54:13 +01:00 · 2024-01-27 00:54:13 +01:00 · c21ce03ede
commit c21ce03ede
parent 10fc308ff0
3 changed files with 69 additions and 13 deletions
--- a/playbooks/group_vars/all.yml
+++ b/playbooks/group_vars/all.yml
@ -11,14 +11,26 @@ nomad_version: latest
 consul_version: latest
 vault_version: latest

-vault_versions:
-  host: "{{ vault_version }}*"
-  docker: "{{ vault_version }}"
-
 deployment_method: "host"
 api_interface: "eth0"
 api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"

+##########################
+# Helper options #########
+##########################
+
+vault_versions:
+  host: "{{ vault_version }}{% '*' if vault_version != 'latest' %}"
+  docker: "{{ vault_version }}"
+
+consul_versions:
+  host: "{{ consul_version }}{% '*' if consul_version != 'latest' %}"
+  docker: "{{ consul_version }}"
+
+nomad_versions:
+  host: "{{ nomad_version }}{% '*' if nomad_version != 'latest' %}"
+  docker: "{{ nomad_version }}"
+
 configuration_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack"
 sub_configuration_directories:
  nomad_servers: "{{ configuration_directory }}/nomad_servers"
@ -98,8 +110,8 @@ consul_address_configuration:
 ##########################

 consul_acl_configuration:
-  enabled: false
-  default_policy: "allow" # can be allow or deny
+  enabled: true
+  default_policy: "deny" # can be allow or deny
  enable_token_persistence: true

 #####################
--- a/plugins/modules/consul_acl_bootstrap.py
+++ b/plugins/modules/consul_acl_bootstrap.py
@ -0,0 +1,44 @@
+#!/usr/bin/python
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+DOCUMENTATION = r"""
+"""
+
+EXAMPLES = r"""
+"""
+
+RETURN = r"""
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+import traceback
+
+try:
+    import requests
+except ImportError:
+    HAS_REQUESTS = False
+    REQUESTS_IMPORT_ERROR = traceback.format_exc()
+else:
+    REQUESTS_IMPORT_ERROR = None
+    HAS_REQUESTS = True
+
+
+def run_module():
+    module_args = dict(
+        api_url=dict(type="str", required=True),
+    )
+
+    result = dict(changed=False, state="")
+
+    module = AnsibleModule(argument_spec=module_args, supports_check_mode=True)
+
+
+def main():
+    run_module()
+
+
+if __name__ == "__main__":
+    main()
--- a/plugins/modules/vault_init.py
+++ b/plugins/modules/vault_init.py
@ -60,16 +60,16 @@ state:
    returned: always
    sample: {
        "keys": [
-            "70e15679de84ac951633b5a79a3b8b45fcc719c6c219d785230a230674cbdff063",
-            "1a5badb309c9bf8ce384b13db28195f56c3adea70d29b58ad59ad8d573450632e2",
-            "2aa8ee4bdb87b70582e712a180720d877106b67838fcd8c606879ba462c0f6972b"
+            "wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww",
+            "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+            "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz"
        ],
        "keys_base64": [
-            "cOFWed6ErJUWM7WnmjuLRfzHGcbCGdeFIwojBnTL3/Bj",
-            "GlutswnJv4zjhLE9soGV9Ww63qcNKbWK1ZrY1XNFBjLi",
-            "KqjuS9uHtwWC5xKhgHINh3EGtng4/NjGBoebpGLA9pcr"
+            "wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww",
+            "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+            "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy"
        ],
-        "root_token": "hvs.WasuYYUlbc1xsF2TIpbyNnWi"
+        "root_token": "hvs.xxxxxxxxxxxxxxxxxxxxxxxx"
    }
 """