diff --git a/handlers/main.yml b/handlers/main.yml index 1791821..7f6f742 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -3,17 +3,20 @@ - name: "Reload service file" ansible.builtin.systemd: daemon_reload: true + become: true listen: "systemctl-daemon-reload" - name: "Enable vault-certs service" ansible.builtin.service: name: vault-certs enabled: true + become: true listen: "systemctl-enable-vault-certs" - name: "Start vault-certs service" ansible.builtin.service: name: vault-certs state: restarted + become: true listen: "systemctl-restart-vault-certs" when: renew_vault_certificates_start_service diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index de48134..ae7ccb3 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -6,6 +6,7 @@ ansible.builtin.group: name: "vault" state: present + become: true - name: "Create user vault" ansible.builtin.user: @@ -13,3 +14,4 @@ group: "vault" shell: /bin/false state: present + become: true diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index c084dce..81bfab4 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml @@ -1,23 +1,8 @@ --- - name: Verify hosts: all - gather_facts: false + gather_facts: true tasks: - - name: "Test: file /etc/hosts" - block: - - name: "Stat file /etc/hosts" - ansible.builtin.stat: - path: "/etc/hosts" - register: stat_etc_hosts - - - name: "Verify file /etc/hosts" - ansible.builtin.assert: - that: - - stat_etc_hosts.stat.exists - - stat_etc_hosts.stat.isreg - - stat_etc_hosts.stat.pw_name == 'root' - - stat_etc_hosts.stat.gr_name == 'root' - - name: "Test: directory /etc/consul-template.d/vault" block: - name: "Stat directory /etc/consul-template.d/vault" @@ -34,6 +19,7 @@ ansible.builtin.slurp: src: "/etc/consul-template.d/vault/vault_config.hcl" register: slurp_etc_consul_template_d_vault_vault_config_hcl + become: true - name: "Verify directory /etc/consul-template.d/vault" ansible.builtin.assert: 
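Review bot: The slurp of /etc/consul-template.d/vault/vault_config.hcl now runs with `become: true` but registers the file's base64 contents without `no_log`, so a verbose (`-v`) or failing molecule run prints whatever that file holds; the role's `renew_vault_certificates_vault_token` variable suggests it carries the Vault token, though the rendered config is not visible in this diff. Add `no_log: true` next to `become: true` on the slurp task; the assertion `content != ''` keeps working because it never echoes the value. If a failure message needs more than "non-empty", compare a hash of the decoded content rather than the raw bytes.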
@@ -74,6 +60,7 @@ src: "{{ item.path }}" loop: "{{ find_etc_consul_template_d_vault_templates.files }}" register: slurp_etc_consul_template_d_vault_templates + become: true - name: "Verify file /etc/consul-template.d/vault/templates/vault_cert.pem.tpl" vars: @@ -122,6 +109,7 @@ ansible.builtin.slurp: src: "/etc/systemd/system/vault-certs.service" register: slurp_etc_systemd_system_vault_certs_service + become: true - name: "Verify service vault" ansible.builtin.assert: diff --git a/molecule/default_vagrant/converge.yml b/molecule/default_vagrant/converge.yml new file mode 100644 index 0000000..897496d --- /dev/null +++ b/molecule/default_vagrant/converge.yml @@ -0,0 +1,7 @@ +--- +- name: Converge + hosts: all + tasks: + - name: "Include ednxzu.renew_vault_certificates" + ansible.builtin.include_role: + name: "ednxzu.renew_vault_certificates" diff --git a/molecule/default_vagrant/molecule.yml b/molecule/default_vagrant/molecule.yml new file mode 100644 index 0000000..2b02360 --- /dev/null +++ b/molecule/default_vagrant/molecule.yml @@ -0,0 +1,35 @@ +--- +dependency: + name: galaxy + options: + requirements-file: ./requirements.yml +driver: + name: vagrant + provider: + name: libvirt +platforms: + - name: instance + box: generic/${MOLECULE_TEST_OS} + cpus: 4 + memory: 4096 +provisioner: + name: ansible + config_options: + defaults: + remote_tmp: /tmp/.ansible +verifier: + name: ansible +scenario: + name: default_vagrant + test_sequence: + - dependency + - cleanup + - destroy + - syntax + - create + - prepare + - converge + - idempotence + - verify + - cleanup + - destroy diff --git a/molecule/default_vagrant/prepare.yml b/molecule/default_vagrant/prepare.yml new file mode 100644 index 0000000..ae7ccb3 --- /dev/null +++ b/molecule/default_vagrant/prepare.yml 
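Review bot: The platform entry pulls `generic/${MOLECULE_TEST_OS}` from Vagrant Cloud with no version pin, so each run downloads whatever is latest and a changed or compromised upstream box silently changes the test base; add `box_version: "<version>"` under the platform and bump it deliberately. The `remote_tmp: /tmp/.ansible` override stages modules under world-writable /tmp on a VM where nearly every task escalates with `become: true`; on a throwaway test box that is probably acceptable, but a one-line comment saying why the default `~/.ansible/tmp` is not used (presumably a vagrant-user home issue) would stop the next reader from copying it into a production ansible.cfg.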
@@ -0,0 +1,17 @@ +--- +- name: Prepare + hosts: all + tasks: + - name: "Create group vault" + ansible.builtin.group: + name: "vault" + state: present + become: true + + - name: "Create user vault" + ansible.builtin.user: + name: "vault" + group: "vault" + shell: /bin/false + state: present + become: true diff --git a/molecule/default_vagrant/requirements.yml b/molecule/default_vagrant/requirements.yml new file mode 100644 index 0000000..0a4a9fb --- /dev/null +++ b/molecule/default_vagrant/requirements.yml @@ -0,0 +1,5 @@ +--- +# requirements file for molecule +roles: + - name: ednxzu.manage_repositories + - name: ednxzu.manage_apt_packages diff --git a/molecule/default_vagrant/verify.yml b/molecule/default_vagrant/verify.yml new file mode 100644 index 0000000..81bfab4 --- /dev/null +++ b/molecule/default_vagrant/verify.yml 
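Review bot: The `vault` account is created as an ordinary user; for a service account the conventional hardening is `system: true` and `create_home: false`, so it lands in the system UID range and no /home/vault directory is left behind for a later permission tightening to miss. `shell: /bin/false` is already right. This prepare step only stands in for whatever creates the user outside the role, so the gap matters mainly if the role's ownership checks are later assumed to have been exercised against a system account.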
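Review bot: Both galaxy roles are listed without a `version:`, so `molecule dependency` installs whatever revision is latest at run time and an upstream change (accidental or malicious) alters the test result with no change in this repository. Pin each entry, e.g. `- name: ednxzu.manage_repositories` followed by `  version: "<tag>"`, and the same for `ednxzu.manage_apt_packages`. Pointing `src:` at the git URL with a commit hash would be stricter still.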
@@ -0,0 +1,126 @@ +--- +- name: Verify + hosts: all + gather_facts: true + tasks: + - name: "Test: directory /etc/consul-template.d/vault" + block: + - name: "Stat directory /etc/consul-template.d/vault" + ansible.builtin.stat: + path: "/etc/consul-template.d/vault" + register: stat_etc_consul_template_d_vault + + - name: "Stat file /etc/consul-template.d/vault/vault_config.hcl" + ansible.builtin.stat: + path: "/etc/consul-template.d/vault/vault_config.hcl" + register: stat_etc_consul_template_d_vault_vault_config_hcl + + - name: "Slurp file /etc/consul-template.d/vault/vault_config.hcl" + ansible.builtin.slurp: + src: "/etc/consul-template.d/vault/vault_config.hcl" + register: slurp_etc_consul_template_d_vault_vault_config_hcl + become: true + + - name: "Verify directory /etc/consul-template.d/vault" + ansible.builtin.assert: + that: + - stat_etc_consul_template_d_vault.stat.exists + - stat_etc_consul_template_d_vault.stat.isdir + - stat_etc_consul_template_d_vault.stat.pw_name == 'vault' + - stat_etc_consul_template_d_vault.stat.gr_name == 'vault' + - stat_etc_consul_template_d_vault.stat.mode == '0755' + - stat_etc_consul_template_d_vault_vault_config_hcl.stat.exists + - stat_etc_consul_template_d_vault_vault_config_hcl.stat.isreg + - stat_etc_consul_template_d_vault_vault_config_hcl.stat.pw_name == 'vault' + - stat_etc_consul_template_d_vault_vault_config_hcl.stat.gr_name == 'vault' + - stat_etc_consul_template_d_vault_vault_config_hcl.stat.mode == '0600' + - slurp_etc_consul_template_d_vault_vault_config_hcl.content != '' + + - name: "Test: directory /etc/consul-template.d/vault/templates" + block: + - name: "Stat directory /etc/consul-template.d/vault/templates" + ansible.builtin.stat: + path: "/etc/consul-template.d/vault/templates" + register: stat_etc_consul_template_d_vault_templates + + - name: "Find in directory /etc/consul-template.d/vault/templates" + ansible.builtin.find: + paths: "/etc/consul-template.d/vault/templates" + file_type: file + register: 
find_etc_consul_template_d_vault_templates + + - name: "Stat in directory /etc/consul-template.d/vault/templates" + ansible.builtin.stat: + path: "{{ item.path }}" + loop: "{{ find_etc_consul_template_d_vault_templates.files }}" + register: stat_etc_consul_template_d_vault_templates + + - name: "Slurp in directory /etc/consul-template.d/vault/templates" + ansible.builtin.slurp: + src: "{{ item.path }}" + loop: "{{ find_etc_consul_template_d_vault_templates.files }}" + register: slurp_etc_consul_template_d_vault_templates + become: true + + - name: "Verify file /etc/consul-template.d/vault/templates/vault_cert.pem.tpl" + vars: + vault_cert_file: | + {% raw %}{{ with secret "pki/issue/your-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1,192.168.1.1" }} + {{ .Data.certificate }} + {{ .Data.issuing_ca }} + {{ end }}{% endraw %} + ansible.builtin.assert: + that: + - item.item.isreg + - item.item.pw_name == 'vault' + - item.item.gr_name == 'vault' + - item.item.mode == '0600' + - "(item.content|b64decode) == vault_cert_file" + loop: "{{ slurp_etc_consul_template_d_vault_templates.results }}" + when: (item.item.path | basename) == 'vault_cert.pem.tpl' + + - name: "Verify file /etc/consul-template.d/vault/templates/vault_key.pem.tpl" + vars: + vault_key_file: | + {% raw %}{{ with secret "pki/issue/your-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1,192.168.1.1" }} + {{ .Data.private_key }} + {{ end }}{% endraw %} + ansible.builtin.assert: + that: + - item.item.isreg + - item.item.pw_name == 'vault' + - item.item.gr_name == 'vault' + - item.item.mode == '0600' + - "(item.content|b64decode) == vault_key_file" + loop: "{{ slurp_etc_consul_template_d_vault_templates.results }}" + when: (item.item.path | basename) == 'vault_key.pem.tpl' + + - name: "Test: service vault-certs" + block: + - name: "Get service vault-certs" + ansible.builtin.service_facts: + + - name: "Stat file 
/etc/systemd/system/vault-certs.service" + ansible.builtin.stat: + path: "/etc/systemd/system/vault-certs.service" + register: stat_etc_systemd_system_vault_certs_service + + - name: "Slurp file /etc/systemd/system/vault.service" + ansible.builtin.slurp: + src: "/etc/systemd/system/vault-certs.service" + register: slurp_etc_systemd_system_vault_certs_service + become: true + + - name: "Verify service vault" + ansible.builtin.assert: + that: + - stat_etc_systemd_system_vault_certs_service.stat.exists + - stat_etc_systemd_system_vault_certs_service.stat.isreg + - stat_etc_systemd_system_vault_certs_service.stat.pw_name == 'root' + - stat_etc_systemd_system_vault_certs_service.stat.gr_name == 'root' + - stat_etc_systemd_system_vault_certs_service.stat.mode == '0644' + - slurp_etc_systemd_system_vault_certs_service.content != '' + - ansible_facts.services['vault-certs.service'] is defined + - ansible_facts.services['vault-certs.service']['source'] == 'systemd' + - ansible_facts.services['vault-certs.service']['state'] == 'stopped' + - ansible_facts.services['vault-certs.service']['status'] == 'enabled' diff --git a/molecule/with_custom_config/prepare.yml b/molecule/with_custom_config/prepare.yml index de48134..ae7ccb3 100644 --- a/molecule/with_custom_config/prepare.yml +++ b/molecule/with_custom_config/prepare.yml @@ -6,6 +6,7 @@ ansible.builtin.group: name: "vault" state: present + become: true - name: "Create user vault" ansible.builtin.user: @@ -13,3 +14,4 @@ group: "vault" shell: /bin/false state: present + become: true diff --git a/molecule/with_custom_config/verify.yml b/molecule/with_custom_config/verify.yml index 43586ca..74e12c2 100644 --- a/molecule/with_custom_config/verify.yml +++ b/molecule/with_custom_config/verify.yml 
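Review bot: In the templates block, the `Stat directory /etc/consul-template.d/vault/templates` task and the looped `Stat in directory ...` task both `register: stat_etc_consul_template_d_vault_templates`, so the directory result is overwritten by the loop result and neither is ever asserted — the verify never checks that the templates directory is owned by vault and mode 0755, which the role's prerequisites set. Rename the loop register (e.g. `register: stat_etc_consul_template_d_vault_templates_files`) and add assertions on the directory mirroring the `/etc/consul-template.d/vault` block. Separately, the task names `Slurp file /etc/systemd/system/vault.service` and `Verify service vault` still refer to the wrong unit while the paths and assertions are for `vault-certs.service`; renaming them makes a failure report point at the right thing.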
@@ -1,23 +1,8 @@ --- - name: Verify hosts: all - gather_facts: false + gather_facts: true tasks: - - name: "Test: file /etc/hosts" - block: - - name: "Stat file /etc/hosts" - ansible.builtin.stat: - path: "/etc/hosts" - register: stat_etc_hosts - - - name: "Verify file /etc/hosts" - ansible.builtin.assert: - that: - - stat_etc_hosts.stat.exists - - stat_etc_hosts.stat.isreg - - stat_etc_hosts.stat.pw_name == 'root' - - stat_etc_hosts.stat.gr_name == 'root' - - name: "Test: directory /etc/consul-template.d/vault" block: - name: "Stat directory /etc/consul-template.d/vault" @@ -34,6 +19,7 @@ ansible.builtin.slurp: src: "/etc/consul-template.d/vault/vault_config.hcl" register: slurp_etc_consul_template_d_vault_vault_config_hcl + become: true - name: "Verify directory /etc/consul-template.d/vault" ansible.builtin.assert: @@ -74,6 +60,7 @@ src: "{{ item.path }}" loop: "{{ find_etc_consul_template_d_vault_templates.files }}" register: slurp_etc_consul_template_d_vault_templates + become: true - name: "Verify file /etc/consul-template.d/vault/templates/vault_cert.pem.tpl" vars: @@ -122,6 +109,7 @@ ansible.builtin.slurp: src: "/etc/systemd/system/vault-certs.service" register: slurp_etc_systemd_system_vault_certs_service + become: true - name: "Verify service vault" ansible.builtin.assert: diff --git a/molecule/with_custom_config_vagrant/converge.yml b/molecule/with_custom_config_vagrant/converge.yml new file mode 100644 index 0000000..897496d --- /dev/null +++ b/molecule/with_custom_config_vagrant/converge.yml @@ -0,0 +1,7 @@ +--- +- name: Converge + hosts: all + tasks: + - name: "Include ednxzu.renew_vault_certificates" + ansible.builtin.include_role: + name: "ednxzu.renew_vault_certificates" diff --git a/molecule/with_custom_config_vagrant/group_vars/all.yml b/molecule/with_custom_config_vagrant/group_vars/all.yml new file mode 100644 index 0000000..26e11f3 --- /dev/null +++ b/molecule/with_custom_config_vagrant/group_vars/all.yml 
@@ -0,0 +1,18 @@ +--- +renew_vault_certificates_config_dir: /etc/consul-template.d/vault +renew_vault_certificates_vault_user: vault +renew_vault_certificates_vault_group: vault +renew_vault_certificates_vault_addr: "https://vault.example.com" +renew_vault_certificates_vault_token: mysupersecretvaulttokenthatyoushouldchange +renew_vault_certificates_vault_token_unwrap: false +renew_vault_certificates_vault_token_renew: true +renew_vault_certificates_cert_dest: /opt/vault/tls/cert.pem +renew_vault_certificates_key_dest: /opt/vault/tls/key.pem +renew_vault_certificates_info: + issuer_path: pki/issue/vault-issuer + common_name: vault01.example.com + ip_addr: "192.168.1.1" + ttl: 90d + include_consul_service: true +renew_vault_certificates_consul_service_name: vault.service.consul +renew_vault_certificates_start_service: false diff --git a/molecule/with_custom_config_vagrant/molecule.yml b/molecule/with_custom_config_vagrant/molecule.yml new file mode 100644 index 0000000..890cdd0 --- /dev/null +++ b/molecule/with_custom_config_vagrant/molecule.yml @@ -0,0 +1,35 @@ +--- +dependency: + name: galaxy + options: + requirements-file: ./requirements.yml +driver: + name: vagrant + provider: + name: libvirt +platforms: + - name: instance + box: generic/${MOLECULE_TEST_OS} + cpus: 4 + memory: 4096 +provisioner: + name: ansible + config_options: + defaults: + remote_tmp: /tmp/.ansible +verifier: + name: ansible +scenario: + name: with_custom_config_vagrant + test_sequence: + - dependency + - cleanup + - destroy + - syntax + - create + - prepare + - converge + - idempotence + - verify + - cleanup + - destroy diff --git a/molecule/with_custom_config_vagrant/prepare.yml b/molecule/with_custom_config_vagrant/prepare.yml new file mode 100644 index 0000000..ae7ccb3 --- /dev/null +++ b/molecule/with_custom_config_vagrant/prepare.yml 
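Review bot: `renew_vault_certificates_vault_token` carries a plaintext token string in a committed group_vars file together with `renew_vault_certificates_vault_token_unwrap: false` and `renew_vault_certificates_vault_token_renew: true`, i.e. the long-lived-token pattern. As a molecule fixture the value is harmless, but this is exactly the file a user copies as a starting point, so add a comment above the token line such as `# test fixture only: never commit a real token; load it from ansible-vault or use a wrapped token with renew_vault_certificates_vault_token_unwrap: true`. Keeping the placeholder obviously fake, as it is now, is the right call.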
@@ -0,0 +1,17 @@ +--- +- name: Prepare + hosts: all + tasks: + - name: "Create group vault" + ansible.builtin.group: + name: "vault" + state: present + become: true + + - name: "Create user vault" + ansible.builtin.user: + name: "vault" + group: "vault" + shell: /bin/false + state: present + become: true diff --git a/molecule/with_custom_config_vagrant/requirements.yml b/molecule/with_custom_config_vagrant/requirements.yml new file mode 100644 index 0000000..0a4a9fb --- /dev/null +++ b/molecule/with_custom_config_vagrant/requirements.yml @@ -0,0 +1,5 @@ +--- +# requirements file for molecule +roles: + - name: ednxzu.manage_repositories + - name: ednxzu.manage_apt_packages diff --git a/molecule/with_custom_config_vagrant/verify.yml b/molecule/with_custom_config_vagrant/verify.yml new file mode 100644 index 0000000..74e12c2 --- /dev/null +++ b/molecule/with_custom_config_vagrant/verify.yml 
@@ -0,0 +1,126 @@ +--- +- name: Verify + hosts: all + gather_facts: true + tasks: + - name: "Test: directory /etc/consul-template.d/vault" + block: + - name: "Stat directory /etc/consul-template.d/vault" + ansible.builtin.stat: + path: "/etc/consul-template.d/vault" + register: stat_etc_consul_template_d_vault + + - name: "Stat file /etc/consul-template.d/vault/vault_config.hcl" + ansible.builtin.stat: + path: "/etc/consul-template.d/vault/vault_config.hcl" + register: stat_etc_consul_template_d_vault_vault_config_hcl + + - name: "Slurp file /etc/consul-template.d/vault/vault_config.hcl" + ansible.builtin.slurp: + src: "/etc/consul-template.d/vault/vault_config.hcl" + register: slurp_etc_consul_template_d_vault_vault_config_hcl + become: true + + - name: "Verify directory /etc/consul-template.d/vault" + ansible.builtin.assert: + that: + - stat_etc_consul_template_d_vault.stat.exists + - stat_etc_consul_template_d_vault.stat.isdir + - stat_etc_consul_template_d_vault.stat.pw_name == 'vault' + - stat_etc_consul_template_d_vault.stat.gr_name == 'vault' + - stat_etc_consul_template_d_vault.stat.mode == '0755' + - stat_etc_consul_template_d_vault_vault_config_hcl.stat.exists + - stat_etc_consul_template_d_vault_vault_config_hcl.stat.isreg + - stat_etc_consul_template_d_vault_vault_config_hcl.stat.pw_name == 'vault' + - stat_etc_consul_template_d_vault_vault_config_hcl.stat.gr_name == 'vault' + - stat_etc_consul_template_d_vault_vault_config_hcl.stat.mode == '0600' + - slurp_etc_consul_template_d_vault_vault_config_hcl.content != '' + + - name: "Test: directory /etc/consul-template.d/vault/templates" + block: + - name: "Stat directory /etc/consul-template.d/vault/templates" + ansible.builtin.stat: + path: "/etc/consul-template.d/vault/templates" + register: stat_etc_consul_template_d_vault_templates + + - name: "Find in directory /etc/consul-template.d/vault/templates" + ansible.builtin.find: + paths: "/etc/consul-template.d/vault/templates" + file_type: file + register: 
find_etc_consul_template_d_vault_templates + + - name: "Stat in directory /etc/consul-template.d/vault/templates" + ansible.builtin.stat: + path: "{{ item.path }}" + loop: "{{ find_etc_consul_template_d_vault_templates.files }}" + register: stat_etc_consul_template_d_vault_templates + + - name: "Slurp in directory /etc/consul-template.d/vault/templates" + ansible.builtin.slurp: + src: "{{ item.path }}" + loop: "{{ find_etc_consul_template_d_vault_templates.files }}" + register: slurp_etc_consul_template_d_vault_templates + become: true + + - name: "Verify file /etc/consul-template.d/vault/templates/vault_cert.pem.tpl" + vars: + vault_cert_file: | + {% raw %}{{ with secret "pki/issue/vault-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost,vault.service.consul,active.vault.service.consul,standby.vault.service.consul" "ip_sans=127.0.0.1,192.168.1.1" }} + {{ .Data.certificate }} + {{ .Data.issuing_ca }} + {{ end }}{% endraw %} + ansible.builtin.assert: + that: + - item.item.isreg + - item.item.pw_name == 'vault' + - item.item.gr_name == 'vault' + - item.item.mode == '0600' + - "(item.content|b64decode) == vault_cert_file" + loop: "{{ slurp_etc_consul_template_d_vault_templates.results }}" + when: (item.item.path | basename) == 'vault_cert.pem.tpl' + + - name: "Verify file /etc/consul-template.d/vault/templates/vault_key.pem.tpl" + vars: + vault_key_file: | + {% raw %}{{ with secret "pki/issue/vault-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost,vault.service.consul,active.vault.service.consul,standby.vault.service.consul" "ip_sans=127.0.0.1,192.168.1.1" }} + {{ .Data.private_key }} + {{ end }}{% endraw %} + ansible.builtin.assert: + that: + - item.item.isreg + - item.item.pw_name == 'vault' + - item.item.gr_name == 'vault' + - item.item.mode == '0600' + - "(item.content|b64decode) == vault_key_file" + loop: "{{ slurp_etc_consul_template_d_vault_templates.results }}" + when: (item.item.path | basename) == 
'vault_key.pem.tpl' + + - name: "Test: service vault-certs" + block: + - name: "Get service vault-certs" + ansible.builtin.service_facts: + + - name: "Stat file /etc/systemd/system/vault-certs.service" + ansible.builtin.stat: + path: "/etc/systemd/system/vault-certs.service" + register: stat_etc_systemd_system_vault_certs_service + + - name: "Slurp file /etc/systemd/system/vault.service" + ansible.builtin.slurp: + src: "/etc/systemd/system/vault-certs.service" + register: slurp_etc_systemd_system_vault_certs_service + become: true + + - name: "Verify service vault" + ansible.builtin.assert: + that: + - stat_etc_systemd_system_vault_certs_service.stat.exists + - stat_etc_systemd_system_vault_certs_service.stat.isreg + - stat_etc_systemd_system_vault_certs_service.stat.pw_name == 'root' + - stat_etc_systemd_system_vault_certs_service.stat.gr_name == 'root' + - stat_etc_systemd_system_vault_certs_service.stat.mode == '0644' + - slurp_etc_systemd_system_vault_certs_service.content != '' + - ansible_facts.services['vault-certs.service'] is defined + - ansible_facts.services['vault-certs.service']['source'] == 'systemd' + - ansible_facts.services['vault-certs.service']['state'] == 'stopped' + - ansible_facts.services['vault-certs.service']['status'] == 'enabled' diff --git a/tasks/configure.yml b/tasks/configure.yml index 69d61ea..6108dfe 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -1,6 +1,7 @@ --- # task/configure file for renew_vault_certificates - name: "Configure files for vault certificate renewal" + become: true notify: - "systemctl-enable-vault-certs" - "systemctl-restart-vault-certs" @@ -36,5 +37,6 @@ owner: root group: root mode: '0644' + become: true notify: - "systemctl-daemon-reload" diff --git a/tasks/prerequisites.yml b/tasks/prerequisites.yml index d372865..b944564 100644 --- a/tasks/prerequisites.yml +++ b/tasks/prerequisites.yml 
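Review bot: The slurp of /etc/consul-template.d/vault/vault_config.hcl runs with `become: true` and registers the file contents without `no_log`; in this scenario the group_vars set `renew_vault_certificates_vault_token` explicitly, so if the rendered config contains that token (not visible here), a verbose or failing verify run prints it base64-encoded. Add `no_log: true` beside `become: true` on that slurp task; the `content != ''` assertion is unaffected. The same applies to the looped slurp of the templates only if the templates ever embed secrets, which the asserted contents show they do not.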
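Review bot: `become: true` is added to the `Configure files for vault certificate renewal` task, but the module and its arguments lie outside this hunk; if that task renders vault_config.hcl with `renew_vault_certificates_vault_token`, running the role with `--diff` or `-v` will print the token unless the task also sets `no_log: true` (or at minimum `diff: false`). Apply that only to the config-rendering step, not to the unit-file task in the second hunk, so diffs of the 0644 root-owned unit file stay reviewable. The restart notification is already gated on `renew_vault_certificates_start_service` inside the handler, so notifying both handlers here is fine.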
@@ -7,6 +7,7 @@ owner: "{{ renew_vault_certificates_vault_user }}" group: "{{ renew_vault_certificates_vault_group }}" mode: '0755' + become: true - name: "Create directory templates directory in {{ renew_vault_certificates_config_dir }}" ansible.builtin.file: @@ -15,6 +16,7 @@ owner: "{{ renew_vault_certificates_vault_user }}" group: "{{ renew_vault_certificates_vault_group }}" mode: '0755' + become: true - name: "Ensure certificate/key directory(ies) exist(s)" ansible.builtin.file: @@ -23,6 +25,7 @@ owner: "{{ renew_vault_certificates_vault_user }}" group: "{{ renew_vault_certificates_vault_group }}" mode: '0755' + become: true loop: - "{{ renew_vault_certificates_cert_dest }}" - "{{ renew_vault_certificates_key_dest }}"
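Review bot: The certificate/key directory loop applies `mode: '0755'` to the directory holding `renew_vault_certificates_key_dest`, which lets any local account enumerate it; the private key itself is then protected only by whatever `perms` consul-template applies when rendering, which is outside this diff. `mode: '0750'` (owner and group vault) costs the vault process nothing and adds a second layer if the rendered key mode is ever wider than 0600; with the defaults cert and key share /opt/vault/tls, so the loop visits that directory twice and the tighter mode would cover both. The task's `path:` expression sits above this hunk, so confirm it derives the directory with `dirname` rather than creating the file paths themselves as directories.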