diff --git a/ansible/gamma-hosts/variables b/ansible/gamma-hosts/variables
index 103df806..061585f2 100644
--- a/ansible/gamma-hosts/variables
+++ b/ansible/gamma-hosts/variables
@@ -45,6 +45,16 @@
 aws_access_key_id=AKIAJ3RCYU6FCULAJP2Q
 aws_secret_access_key=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
 shiva_rollbar_key=0526a90faec845d796e1ef5361a00526
+[vault:vars]
+vault_auth_token=e22c3ebc-11cf-653b-7df0-79d78a499458
+vault_token_01=71d7b4754686013c8b9cfb22bafae79c661849dcd67c483c89efba12c0466aa201
+vault_token_02=794d6f7a3459c332a1fd2bbcc9230a7f84f1639806039ee8be547828cd7ab03a02
+vault_token_03=2e67faeffe4343c038d0f3210bdb83f3d3a5bc468975cf13e977ce9b5922aefe03
+vault_hello_runnable_github_token=88ddc423c2312d02a8bbcaad76dd4c374a30e4af
+vault_aws_access_key_id=AKIAJ7R4UIM45KH2WGWQ
+vault_aws_secret_key=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
+vault_aws_region=us-east-1
+
 [gamma:vars]
 ansible_ssh_private_key_file=~/.ssh/gamma.pem
 datadog_host_address=10.4.6.251
diff --git a/ansible/group_vars/alpha-vault.yml b/ansible/group_vars/alpha-vault.yml
index aad226a8..aa34cdb3 100644
--- a/ansible/group_vars/alpha-vault.yml
+++ b/ansible/group_vars/alpha-vault.yml
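Review bot: The new `[vault:vars]` block commits what is presumably the Vault root token (`vault_auth_token`), all three unseal key shares (`vault_token_01..03`), a GitHub token and an AWS access key pair in plaintext to an inventory file, next to the `aws_secret_access_key` already living there. Putting every unseal share in one file collapses Vault's key-sharing threshold into a single secret, so anyone with read access to the repo can unseal the server and then use the token. These values should be treated as compromised and rotated (Vault `rekey` and token revocation, GitHub token regeneration, AWS key deactivation), because they remain in git history even after a later removal. Going forward, keep only non-secret settings such as `vault_aws_region=us-east-1` here and move the rest into an `ansible-vault`-encrypted vars file (for example `group_vars/vault/vault.yml`) that is decrypted at run time.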
@@ -20,3 +20,23 @@ container_run_args: >
 -log-level=warn
 -config=/vault.hcl
 > /var/log/vault.log 2>&1
+
+# vault seed data
+# pulled 2015/16/12 - Bryan
+vault_seed_values:
+ - key: secret/loggly
+ data:
+ token: "{{ loggly_token }}"
+ - key: secret/rabbitmq
+ data:
+ username: "{{ rabbit_username }}"
+ password: "{{ rabbit_password }}"
+ - key: secret/github/hellorunnable
+ data:
+ token: "{{ vault_hello_runnable_github_token }}"
+ - key: secret/swarm
+ data:
+ token: "{{ swarm_token }}"
+
+# for the love of all that you find holy, don't change the following unless you _KNOW WHAT YOU ARE DOING_.
+vault_seed_policy: "{\\\"Version\\\": \\\"2012-10-17\\\", \\\"Statement\\\": [{\\\"Action\\\": [\\\"ec2:DescribeInstances\\\", \\\"ec2:DescribeTags\\\"], \\\"Resource\\\": [\\\"*\\\"], \\\"Effect\\\": \\\"Allow\\\", \\\"Sid\\\": \\\"Stmt1445655064000\\\"}]}"
diff --git a/ansible/vault-values.yml b/ansible/vault-values.yml
new file mode 100644
index 00000000..605efe79
--- /dev/null
+++ b/ansible/vault-values.yml
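Review bot: `vault_seed_policy` is a triple-escaped JSON string that only round-trips because the consuming `write the dock-init role` task in `vault-values.yml` strips backslashes again with `replace("\\\\", "")`; that fragility is what the "don't change the following" comment warns about without saying so, and any edit to the policy has to be hand-escaped correctly or the role write silently carries a malformed document. A plain YAML mapping is self-documenting and lets Ansible do the serialisation, with the consumer passing `policy: "{{ vault_seed_policy | to_json }}"` and dropping the `replace` filter. The date in `# pulled 2015/16/12 - Bryan` is not a valid date (month 16); write it unambiguously, e.g. `# pulled 2015-12-16 - Bryan` if December 16 was meant.
```yaml
# IAM policy attached to the Vault aws/ role "dock-init": read-only EC2
# describe calls, no resource scoping. Serialised with `| to_json` by the
# consumer; keep it as a mapping so no hand-escaping is needed.
vault_seed_policy:
  Version: "2012-10-17"
  Statement:
    - Sid: Stmt1445655064000
      Effect: Allow
      Action:
        - ec2:DescribeInstances
        - ec2:DescribeTags
      Resource:
        - "*"
```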
@@ -0,0 +1,116 @@
+---
+- hosts: vault
+ vars_files:
+ - group_vars/alpha-vault.yml
+ tasks:
+ - name: make sure httplib2 is installed
+ sudo: yes
+ apt: package=python-httplib2 state=present
+
+ - name: get seal status
+ tags: [unseal]
+ run_once: true
+ uri:
+ method=GET
+ url=http://{{ ansible_default_ipv4.address }}:8200/v1/sys/seal-status
+ HEADER_X-Vault-Token="{{ vault_auth_token }}"
+ return_content=yes
+ register: seal_status
+
+ - name: unseal vault
+ tags: [unseal]
+ run_once: true
+ when: seal_status.json.sealed
+ uri:
+ method=PUT
+ url=http://{{ ansible_default_ipv4.address }}:8200/v1/sys/unseal
+ HEADER_X-Vault-Token="{{ vault_auth_token }}"
+ body_format=json
+ body='{{ item | to_json }}'
+ with_items:
+ - key: "{{ vault_token_01 }}"
+ - key: "{{ vault_token_02 }}"
+ - key: "{{ vault_token_03 }}"
+
+ - name: put values into vault
+ run_once: true
+ when: write_values is defined
+ uri:
+ method=PUT
+ url=http://{{ ansible_default_ipv4.address }}:8200/v1/{{ item.key }}
+ HEADER_X-Vault-Token="{{ vault_auth_token }}"
+ body_format=json
+ body='{{ item.data | to_json }}'
+ status_code=200,204
+ with_items: "{{ vault_seed_values }}"
+
+ - name: check for aws backend in vault
+ run_once: true
+ when: write_values is defined
+ uri:
+ method=GET
+ url=http://{{ ansible_default_ipv4.address }}:8200/v1/sys/mounts
+ HEADER_X-Vault-Token="{{ vault_auth_token }}"
+ return_content=yes
+ register: mounts
+
+ - name: mount aws backend in vault
+ run_once: true
+ when: write_values is defined and mounts.json['aws/'] is not defined
+ uri:
+ method=POST
+ url=http://{{ ansible_default_ipv4.address }}:8200/v1/sys/mounts/aws
+ HEADER_X-Vault-Token="{{ vault_auth_token }}"
+ body_format=json
+ body='{{ item | to_json }}'
+ status_code=204
+ with_items:
+ - type: "aws"
+
+ - name: configure aws root credentials
+ run_once: true
+ when: (write_values is defined and write_root_creds is defined) or (write_values is defined and mounts.json['aws/'] is not defined)
+ uri:
+ method=POST
+ url=http://{{ ansible_default_ipv4.address }}:8200/v1/aws/config/root
+ HEADER_X-Vault-Token="{{ vault_auth_token }}"
+ body_format=json
+ body='{{ item | to_json }}'
+ status_code=204
+ register: creds
+ with_items:
+ - access_key: "{{ vault_aws_access_key_id }}"
+ secret_key: "{{ vault_aws_secret_key }}"
+ region: "{{ vault_aws_region }}"
+
+ - name: check for the dock-init role
+ run_once: true
+ when: write_values is defined
+ uri:
+ method=GET
+ url=http://{{ ansible_default_ipv4.address }}:8200/v1/aws/roles/dock-init
+ HEADER_X-Vault-Token="{{ vault_auth_token }}"
+ status_code=200,404
+ register: role
+
+ - name: write the dock-init role
+ run_once: true
+ when: write_values is defined and role.status == 404
+ uri:
+ method=POST
+ url=http://{{ ansible_default_ipv4.address }}:8200/v1/aws/roles/dock-init
+ HEADER_X-Vault-Token="{{ vault_auth_token }}"
+ body_format=json
+ body='{{ item | to_json | replace("\\\\", "") }}'
+ status_code=204
+ register: creds
+ with_items:
+ - policy: "{{ vault_seed_policy }}"
+
+ - name: seal vault
+ run_once: true
+ uri:
+ method=PUT
+ url=http://{{ ansible_default_ipv4.address }}:8200/v1/sys/seal
+ HEADER_X-Vault-Token="{{ vault_auth_token }}"
+ status_code=204
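Review bot: Every task calls Vault over plain `http://` on `ansible_default_ipv4.address`, a non-loopback address, and the requests carry the token in `HEADER_X-Vault-Token`, the unseal key shares in the `unseal vault` body and the AWS root keys in the `configure aws root credentials` body; unless the listener in `vault.hcl` (not shown here) terminates TLS, all of that is sent unencrypted. Point the URLs at a TLS listener and verify its certificate, e.g. a play-level `vault_addr: "https://{{ ansible_default_ipv4.address }}:8200"` used as `url={{ vault_addr }}/v1/sys/seal-status` with `validate_certs=yes`, or bind the listener to loopback and target that. The `unseal vault` task also feeds all three key shares from the same vars file, so the Shamir threshold gives no separation of duties; unsealing is better left to a separate human-driven step or to distinct key holders. Minor: `sudo: yes` is the pre-1.9 spelling and should be `become: true`, and the `uri` arguments would read more clearly as native YAML keys than as `key=value` strings.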