playbooks/generate_credentials.yml

@@ -1,16 +1,27 @@
 ---
 # hashistack generate certificates playbook
 - name: "Generate credentials"
-  hosts: localhost
+  hosts: deployment
   strategy: linear
   gather_facts: true
   become: true
   tasks:
     - name: "Generate consul credentials"
       block:
+        - name: "Generate consul gossip encryption key"
+          block:
+            - name: "Generate 24 random bytes and base64 encode"
+              ansible.builtin.shell:
+                cmd: |
+                  set -o pipefail
+                  dd if=/dev/urandom bs=24 count=1 2>/dev/null | base64
+                executable: /bin/bash
+              changed_when: false
+              register: _consul_random_base64_string
+
             - name: "Generate consul gossip encryption key"
               ansible.builtin.set_fact:
-            _consul_gossip_encryption_key: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | b64encode }}"
+                _consul_gossip_encryption_key: "{{ _consul_random_base64_string.stdout }}"
 
         - name: "Generate consul root credentials"
           ansible.builtin.set_fact:
@@ -38,9 +49,20 @@
 
     - name: "Generate nomad credentials"
       block:
+        - name: "Generate nomad gossip encryption key"
+          block:
+            - name: "Generate 24 random bytes and base64 encode"
+              ansible.builtin.shell:
+                cmd: |
+                  set -o pipefail
+                  dd if=/dev/urandom bs=24 count=1 2>/dev/null | base64
+                executable: /bin/bash
+              changed_when: false
+              register: _nomad_random_base64_string
+
             - name: "Generate nomad gossip encryption key"
               ansible.builtin.set_fact:
-            _nomad_gossip_encryption_key: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | b64encode }}"
+                _nomad_gossip_encryption_key: "{{ _nomad_random_base64_string.stdout }}"
 
         - name: "Generate nomad root credentials"
           ansible.builtin.set_fact: