feat(consul): make ACL default to enabled with default policy to deny

playbooks/group_vars/all.yml

@@ -11,14 +11,26 @@ nomad_version: latest
 consul_version: latest
 vault_version: latest
 
-vault_versions:
-  host: "{{ vault_version }}*"
-  docker: "{{ vault_version }}"
-
 deployment_method: "host"
 api_interface: "eth0"
 api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"
 
+##########################
+# Helper options #########
+##########################
+
+vault_versions:
+  host: "{{ vault_version }}{% '*' if vault_version != 'latest' %}"
+  docker: "{{ vault_version }}"
+
+consul_versions:
+  host: "{{ consul_version }}{% '*' if consul_version != 'latest' %}"
+  docker: "{{ consul_version }}"
+
+nomad_versions:
+  host: "{{ nomad_version }}{% '*' if nomad_version != 'latest' %}"
+  docker: "{{ nomad_version }}"
+
 configuration_directory: "{{ lookup('env', 'PWD') }}/etc/hashistack"
 sub_configuration_directories:
   nomad_servers: "{{ configuration_directory }}/nomad_servers"
@@ -98,8 +110,8 @@ consul_address_configuration:
 ##########################
 
 consul_acl_configuration:
-  enabled: false
+  enabled: true
-  default_policy: "allow" # can be allow or deny
+  default_policy: "deny" # can be allow or deny
   enable_token_persistence: true
 
 #####################

plugins/modules/consul_acl_bootstrap.py

@@ -0,0 +1,44 @@
+#!/usr/bin/python
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+DOCUMENTATION = r"""
+"""
+
+EXAMPLES = r"""
+"""
+
+RETURN = r"""
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+import traceback
+
+try:
+    import requests
+except ImportError:
+    HAS_REQUESTS = False
+    REQUESTS_IMPORT_ERROR = traceback.format_exc()
+else:
+    REQUESTS_IMPORT_ERROR = None
+    HAS_REQUESTS = True
+
+
+def run_module():
+    module_args = dict(
+        api_url=dict(type="str", required=True),
+    )
+
+    result = dict(changed=False, state="")
+
+    module = AnsibleModule(argument_spec=module_args, supports_check_mode=True)
+
+
+def main():
+    run_module()
+
+
+if __name__ == "__main__":
+    main()

plugins/modules/vault_init.py

@@ -60,16 +60,16 @@ state:
     returned: always
     sample: {
         "keys": [
-            "70e15679de84ac951633b5a79a3b8b45fcc719c6c219d785230a230674cbdff063",
+            "wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww",
-            "1a5badb309c9bf8ce384b13db28195f56c3adea70d29b58ad59ad8d573450632e2",
+            "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
-            "2aa8ee4bdb87b70582e712a180720d877106b67838fcd8c606879ba462c0f6972b"
+            "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz"
         ],
         "keys_base64": [
-            "cOFWed6ErJUWM7WnmjuLRfzHGcbCGdeFIwojBnTL3/Bj",
+            "wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww",
-            "GlutswnJv4zjhLE9soGV9Ww63qcNKbWK1ZrY1XNFBjLi",
+            "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
-            "KqjuS9uHtwWC5xKhgHINh3EGtng4/NjGBoebpGLA9pcr"
+            "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy"
         ],
-        "root_token": "hvs.WasuYYUlbc1xsF2TIpbyNnWi"
+        "root_token": "hvs.xxxxxxxxxxxxxxxxxxxxxxxx"
     }
 """