diff --git a/docs/vault_guide.md b/docs/vault_guide.md
index e422167..a9e053c 100644
--- a/docs/vault_guide.md
+++ b/docs/vault_guide.md
@@ -51,6 +51,7 @@ The following table lists the default variables that are shared between the Vaul
 | `vault_group` | `all` | String | The Vault Linux group. | `vault`
 | `vault_port` | `all` | Integer | The Vault listen port. | `8200`
 | `vault_root_key_dir` | `all` | String | The Vault root key directory. | `/opt/vault/keys/root_key`
+| `vault_name` | `all` | String | The name of the secret engine used to configure vault and IAP | `itential`
 
 ## Vault Role Variables
 
diff --git a/roles/common_vars/defaults/main/vault.yml b/roles/common_vars/defaults/main/vault.yml
index ed9b254..e4bda85 100644
--- a/roles/common_vars/defaults/main/vault.yml
+++ b/roles/common_vars/defaults/main/vault.yml
@@ -12,3 +12,6 @@ vault_root_key_dir: /opt/vault/keys/root_key
 
 # Flag to manage how secret data is written to Vault with IAP version 2021.2 and later.
 vault_read_only: false
+
+# default vault name
+vault_name: itential
diff --git a/roles/platform/templates/2021.1-properties.j2 b/roles/platform/templates/2021.1-properties.j2
index 944cb9b..8f00677 100644
--- a/roles/platform/templates/2021.1-properties.j2
+++ b/roles/platform/templates/2021.1-properties.j2
@@ -16,7 +16,7 @@
 {# Build Vault props #}
 {% set vaultProps = None %}
 {% if configure_vault | bool %}
- {% set vaultProps = dict(url = "http://" ~ hostvars[groups['vault'][0]].inventory_hostname ~ ":" ~ vault_port, token = iap_vault_token_dir ~ "/token.txt", endpoint = "kv-v2/data" ) %}
+ {% set vaultProps = dict(url = "http://" ~ hostvars[groups['vault'][0]].inventory_hostname ~ ":" ~ vault_port, token = iap_vault_token_dir ~ "/token.txt", endpoint = vault_name ~ "/data", readOnly = "false" | bool) %}
 {% endif %}
 {# Build SSL props #}
 {% set acceptInvalidCerts = True %}
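Review bot: The comment above the new default, `# default vault name`, does not say what the value is used for, and the name is misleading because on the new side of this diff the variable is the KV v2 mount path (`vault secrets enable -path={{ vault_name }} -version=2 kv` in roles/vault_unseal/tasks/main.yml) and the prefix of IAP's `endpoint` (`vault_name ~ "/data"` in the properties templates). A comment such as `# Mount path of the KV v2 secrets engine that IAP reads from; must be a single path segment (no '/' or whitespace)` would make the contract clear to whoever overrides it in inventory. It would also be worth stating there that deployments created before this change, which were mounted at the fixed path `kv-v2`, are not migrated: as far as this diff shows, the unseal role only enables a mount and IAP simply starts pointing at the new path — confirm there is no migration step elsewhere in the role before merging.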
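Review bot: The `+` line in 2021.1-properties.j2 adds `readOnly = "false" | bool` to `vaultProps` in addition to the endpoint change, while the comment in roles/common_vars/defaults/main/vault.yml (visible in this same diff) says the read-only flag is for IAP 2021.2 and later, and unlike the 2021.2, 2022.1, 2023.1 and 2023.2 templates this one has no `vault_read_only` override block. Whether IAP 2021.1 ignores an unknown `readOnly` property or rejects it cannot be told from here; either confirm it against the 2021.1 properties format or keep this hunk to the endpoint change, `endpoint = vault_name ~ "/data"`. The same endpoint rewrite is repeated verbatim in 2021.2-, 2022.1-, 2023.1- and 2023.2-properties.j2 and hard-codes the KV v2 `/data` API prefix, which is consistent with `-version=2` in the unseal role; a one-line comment above each `set`, `{# KV v2 mount path + "/data" API prefix; must match the mount enabled by roles/vault_unseal #}`, would record that coupling for the next maintainer.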
diff --git a/roles/platform/templates/2021.2-properties.j2 b/roles/platform/templates/2021.2-properties.j2
index b864c41..9ecc528 100644
--- a/roles/platform/templates/2021.2-properties.j2
+++ b/roles/platform/templates/2021.2-properties.j2
@@ -16,7 +16,7 @@
 {# Build Vault props #}
 {% set vaultProps = None %}
 {% if configure_vault | bool %}
- {% set vaultProps = dict(url = "http://" ~ hostvars[groups['vault'][0]].inventory_hostname ~ ":" ~ vault_port, token = iap_vault_token_dir ~ "/token.txt", endpoint = "kv-v2/data", readOnly = "false" | bool) %}
+ {% set vaultProps = dict(url = "http://" ~ hostvars[groups['vault'][0]].inventory_hostname ~ ":" ~ vault_port, token = iap_vault_token_dir ~ "/token.txt", endpoint = vault_name ~ "/data", readOnly = "false" | bool) %}
 {% if vault_read_only | bool %}
 {% set vaultProps = dict(vaultProps, **{'readOnly': vault_read_only}) %}
 {% endif %}
diff --git a/roles/platform/templates/2022.1-properties.j2 b/roles/platform/templates/2022.1-properties.j2
index dde7701..b716fe1 100644
--- a/roles/platform/templates/2022.1-properties.j2
+++ b/roles/platform/templates/2022.1-properties.j2
@@ -16,7 +16,7 @@
 {# Build Vault props #}
 {% set vaultProps = None %}
 {% if configure_vault | bool %}
- {% set vaultProps = dict(url = "http://" ~ hostvars[groups['vault'][0]].inventory_hostname ~ ":" ~ vault_port, token = iap_vault_token_dir ~ "/token.txt", endpoint = "kv-v2/data", readOnly = "false" | bool) %}
+ {% set vaultProps = dict(url = "http://" ~ hostvars[groups['vault'][0]].inventory_hostname ~ ":" ~ vault_port, token = iap_vault_token_dir ~ "/token.txt", endpoint = vault_name ~ "/data", readOnly = "false" | bool) %}
 {% if vault_read_only | bool %}
 {% set vaultProps = dict(vaultProps, **{'readOnly': vault_read_only}) %}
 {% endif %}
diff --git a/roles/platform/templates/2023.1-properties.j2 b/roles/platform/templates/2023.1-properties.j2
index ed6dad0..abe19c9 100644
--- a/roles/platform/templates/2023.1-properties.j2
+++ b/roles/platform/templates/2023.1-properties.j2
@@ -43,7 +43,7 @@ defined in the host file.
 {# Build Vault props #}
 {% set vaultProps = None %}
 {% if configure_vault | bool %}
- {% set vaultProps = dict(url = "http://" ~ hostvars[groups['vault'][0]].inventory_hostname ~ ":" ~ vault_port, token = iap_vault_token_dir ~ "/token.txt", endpoint = "kv-v2/data", readOnly = "false" | bool) %}
+ {% set vaultProps = dict(url = "http://" ~ hostvars[groups['vault'][0]].inventory_hostname ~ ":" ~ vault_port, token = iap_vault_token_dir ~ "/token.txt", endpoint = vault_name ~ "/data", readOnly = "false" | bool) %}
 {% if vault_read_only | bool %}
 {% set vaultProps = dict(vaultProps, **{'readOnly': vault_read_only}) %}
 {% endif %}
diff --git a/roles/platform/templates/2023.2-properties.j2 b/roles/platform/templates/2023.2-properties.j2
index ed6dad0..abe19c9 100644
--- a/roles/platform/templates/2023.2-properties.j2
+++ b/roles/platform/templates/2023.2-properties.j2
@@ -43,7 +43,7 @@ defined in the host file.
 {# Build Vault props #}
 {% set vaultProps = None %}
 {% if configure_vault | bool %}
- {% set vaultProps = dict(url = "http://" ~ hostvars[groups['vault'][0]].inventory_hostname ~ ":" ~ vault_port, token = iap_vault_token_dir ~ "/token.txt", endpoint = "kv-v2/data", readOnly = "false" | bool) %}
+ {% set vaultProps = dict(url = "http://" ~ hostvars[groups['vault'][0]].inventory_hostname ~ ":" ~ vault_port, token = iap_vault_token_dir ~ "/token.txt", endpoint = vault_name ~ "/data", readOnly = "false" | bool) %}
 {% if vault_read_only | bool %}
 {% set vaultProps = dict(vaultProps, **{'readOnly': vault_read_only}) %}
 {% endif %}
diff --git a/roles/vault_unseal/tasks/main.yml b/roles/vault_unseal/tasks/main.yml
index 6da10a7..d802fc3 100644
--- a/roles/vault_unseal/tasks/main.yml
+++ b/roles/vault_unseal/tasks/main.yml
@@ -96,7 +96,7 @@
 register: root_key
 
 # Check if kv-v2 engine exists
-- name: Check for kv-v2 secrets engine
+- name: Check for secrets engine
 ansible.builtin.command: vault secrets list
 environment:
 VAULT_ADDR: "http://{{ inventory_hostname }}:{{ vault_port }}"
@@ -105,10 +105,10 @@
 changed_when: false
 
 - name: Enable KV Secrets Engine
- ansible.builtin.command: vault secrets enable kv-v2
+ ansible.builtin.command: vault secrets enable -path={{ vault_name }} -version=2 kv
 environment:
 VAULT_ADDR: "http://{{ inventory_hostname }}:{{ vault_port }}"
 VAULT_TOKEN: "{{ root_key.content | b64decode }}"
 register: vault_secrets_enable_result
 changed_when: vault_secrets_enable_result.changed
-  when: '"kv-v2" not in secrets.stdout'
+  when: 'vault_name not in secrets.stdout'
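Review bot: The new `when: 'vault_name not in secrets.stdout'` on the last line of the second hunk is a bare substring match against the human-readable table printed by `vault secrets list` (the task in the first hunk on this line), so any existing mount path or description that merely contains the name — say a mount at `<vault_name>-old/` (constructed example) — skips the enable step and IAP is then pointed at a mount that does not exist. The old check at least matched a fixed token; with a user-supplied name the comparison should be against the mount path itself, which the JSON output keys with a trailing slash: change the list task to `vault secrets list -format=json` and the condition to `when: (vault_name ~ '/') not in (secrets.stdout | from_json)`. Separately, `-path={{ vault_name }}` is interpolated unquoted into `ansible.builtin.command`; no shell is involved, so this is argument splitting rather than injection, but an inventory override containing whitespace or `/` would silently enable a different mount than the templates expect. An `ansible.builtin.assert` that `vault_name` is a single path segment, placed before the enable task, closes that gap; the `# Check if kv-v2 engine exists` comment in the first hunk should also be updated, since the check no longer looks for `kv-v2`. The enable task's `environment`/`register`/`changed_when` lines are unchanged.
```yaml
- name: Check for secrets engine
  ansible.builtin.command: vault secrets list -format=json
  # … unchanged: environment, register: secrets, changed_when …

- name: Validate vault_name is a single mount path segment
  ansible.builtin.assert:
    that: vault_name is match('^[A-Za-z0-9_.-]+$')
    fail_msg: "vault_name must be a single path segment without '/' or whitespace, got '{{ vault_name }}'"

- name: Enable KV Secrets Engine
  ansible.builtin.command: vault secrets enable -path={{ vault_name }} -version=2 kv
  # … unchanged: environment, register, changed_when …
  when: (vault_name ~ '/') not in (secrets.stdout | from_json)
```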