wbyc/terraform-certificate-automation
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add consul_template role files from master branch
Some checks failed
Code Quality & Security Scan / TFLint (push) Failing after 38s
Details
Code Quality & Security Scan / Tfsec Security Scan (push) Has been skipped
Details
Code Quality & Security Scan / Checkov Security Scan (push) Has been skipped
Details
Code Quality & Security Scan / Terraform Validate (push) Has been skipped
Details
Code Quality & Security Scan / SonarQube Trigger (push) Has been skipped
Details

Browse Source 
- Added all files from consul_template-legacy and consul_template-org roles
- These roles are now regular directories instead of submodules
This commit is contained in:
Patrick de Ruiter 2025-11-10 22:01:17 +01:00
parent 381e1086a3
commit 3af1102377
Signed by: pderuiter
GPG Key ID: 5EBA7F21CF583321
19 changed files with 328 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
ansible/roles/consul_template-legacy/README.md Normal file
View File

@ -0,0 +1,49 @@
#consul_template
An Ansible role to install and configure HashiCorps consul-template, securely fetching TLS certificates and private keys\
from HashiCorp Vault using AppRole authentication, rendering them to disk, and reloading services when certificates change.
### Requirements
• consul-template binary downloaded from HashiCorp releases.
• Network connectivity from the target host to the Vault instance (vault_address).
• Appropriate Vault AppRole credentials (vault_approle_role_id, vault_approle_secret_id) provisioned by Terraform or other automation.
### Role Variables
The following variables are required and should be set either through inventory or as role parameters:
| Variable | Description | Default |
| vault_address | URL of your HashiCorp Vault instance | None (required) |
| vault_approle_role_id | Vault AppRole Role ID for consul-template authentication | None (required) |
| vault_approle_secret_id | Vault AppRole Secret ID for consul-template authentication | None (required) |
| environment | Environment identifier (e.g., prod, nonprod) | None (required) |
| short_hostname | Short hostname of the target server (used in file naming) | None (required) |
### Dependencies
No direct Ansible Galaxy role dependencies. However, it relies on Terraform to provision AppRole credentials and Vault secrets.
### Example Playbook
Example playbook demonstrating basic role usage:
```yml
- hosts: webservers
become: true
roles:
- role: consul_template
vars:
vault_address: "https://vault.example.com:8200"
vault_approle_role_id: "{{ vault_approle_role_id }}"
vault_approle_secret_id: "{{ vault_approle_secret_id }}"
environment: "prod"
short_hostname: "web01"
```
### License
BSD
### Author Information
Created by Patrick De Ruiter.

3
ansible/roles/consul_template-legacy/defaults/main.yml Normal file
View File

@ -0,0 +1,3 @@
#SPDX-License-Identifier: MIT-0
---
# defaults file for consul_template

5
ansible/roles/consul_template-legacy/files/certificate.ctmpl Normal file
View File

@ -0,0 +1,5 @@
{{ with secret "secret/data/{{ environment }}/{{ short_hostname }}/certificate" }}
{{ .Data.data.certificate }}
{{ .Data.data.chain_pem }}
{{ end }}

3
ansible/roles/consul_template-legacy/files/chain_pem.ctmpl Normal file
View File

@ -0,0 +1,3 @@
{{ with secret "secret/data/{{ environment }}/{{ short_hostname }}/certificate" }}
{{ .Data.data.chain_pem }}
{{ end }}

3
ansible/roles/consul_template-legacy/files/private_key.ctmpl Normal file
View File

@ -0,0 +1,3 @@
{{ with secret "secret/data/{{ environment }}/{{ short_hostname }}/certificate" }}
{{ .Data.data.private_key }}
{{ end }}

9
ansible/roles/consul_template-legacy/handlers/main.yml Normal file
View File

@ -0,0 +1,9 @@
#SPDX-License-Identifier: MIT-0
---
# handlers file for consul_template
- name: restart consul-template
systemd:
name: consul-template
state: restarted
daemon_reload: yes

20
ansible/roles/consul_template-legacy/meta/main.yml Normal file
View File

@ -0,0 +1,20 @@
#SPDX-License-Identifier: BSD-3-Clause
galaxy_info:
author: Patrick De Ruiter
description: An Ansible role to install and configure consul-template, fetching TLS certificates from HashiCorp Vault using AppRole authentication.
company: “Benerail N.V.”
license: BSD-3-Clause
min_ansible_version: 2.10
galaxy_tags:
- vault
- consul
- consultemplate
- tls
- certificates
- security
- automation
dependencies: []

86
ansible/roles/consul_template-legacy/tasks/main.yml Normal file
View File

@ -0,0 +1,86 @@
- name: Determine architecture
set_fact:
consul_template_arch: "{{ arch_mapping[ansible_architecture] | default('amd64') }}"
- name: Download consul-template checksum file
get_url:
url: "https://releases.hashicorp.com/consul-template/{{ consul_template.version }}/consul-template_{{ consul_template.version }}_SHA256SUMS"
dest: "/tmp/consul-template_{{ consul_template.version }}_SHA256SUMS"
mode: '0644'
- name: Extract expected checksum
shell: |
grep "consul-template_{{ consul_template.version }}_linux_{{ consul_template_arch }}.zip" \
/tmp/consul-template_{{ consul_template.version }}_SHA256SUMS | cut -d' ' -f1
register: expected_checksum
changed_when: false
- name: Install consul-template
unarchive:
src: "https://releases.hashicorp.com/consul-template/{{ consul_template.version }}/consul-template_{{ consul_template.version }}_linux_{{ consul_template_arch }}.zip"
dest: "{{ consul_template.install_dir }}"
remote_src: yes
owner: root
group: root
mode: '0755'
checksum: "sha256:{{ expected_checksum.stdout }}"
- name: Create consul-template user
user:
name: "{{ consul_template.user }}"
group: "{{ consul_template.group }}"
system: yes
shell: /bin/false
home: "{{ consul_template.config_dir }}"
create_home: no
- name: Create consul-template group
group:
name: "{{ consul_template.group }}"
system: yes
- name: Create consul-template directories
file:
path: "{{ item.path }}"
state: directory
mode: "{{ item.mode }}"
owner: "{{ item.owner | default('root') }}"
group: "{{ item.group | default('root') }}"
loop:
- { path: "{{ consul_template.config_dir }}", mode: '0755', owner: "{{ consul_template.user }}", group: "{{ consul_template.group }}" }
- { path: "{{ certificate_paths.cert_dir }}", mode: '0755' }
- { path: "{{ certificate_paths.private_dir }}", mode: '0700' }
- name: Deploy consul-template template files
copy:
src: "{{ item }}"
dest: "{{ consul_template.config_dir }}/{{ item }}"
mode: '0644'
owner: "{{ consul_template.user }}"
group: "{{ consul_template.group }}"
loop:
- certificate.ctmpl
- private_key.ctmpl
- chain_pem.ctmpl
notify: restart consul-template
- name: Deploy consul-template config
template:
src: consul-template-config.hcl.j2
dest: "{{ consul_template.config_dir }}/config.hcl"
mode: '0600'
owner: "{{ consul_template.user }}"
group: "{{ consul_template.group }}"
notify: restart consul-template
- name: Deploy consul-template systemd unit
template:
src: consul-template.service.j2
dest: /etc/systemd/system/consul-template.service
- name: Enable and start consul-template
systemd:
name: consul-template
enabled: true
state: started
daemon_reload: yes

35
ansible/roles/consul_template-legacy/templates/consul-template-config.hcl.j2 Normal file
View File

@ -0,0 +1,35 @@
vault {
address = "{{ vault_address }}"
auth {
method "approle" {
config = {
role_id = "{{ vault_approle_role_id }}"
secret_id = "{{ vault_approle_secret_id }}"
}
}
}
renew_token = true
}
log_level = "{{ consul_template.log_level | default('INFO') }}"
template {
source = "{{ consul_template.config_dir }}/certificate.ctmpl"
destination = "{{ certificate_paths.cert_dir }}/{{ certificate_paths.cert_file }}"
command = "{{ service_reload_commands[certificate_service | default('default')] }}"
perms = 0644
}
template {
source = "{{ consul_template.config_dir }}/private_key.ctmpl"
destination = "{{ certificate_paths.private_dir }}/{{ certificate_paths.private_key_file }}"
command = "chmod 600 {{ certificate_paths.private_dir }}/{{ certificate_paths.private_key_file }}"
perms = 0600
}
template {
source = "{{ consul_template.config_dir }}/chain_pem.ctmpl"
destination = "{{ certificate_paths.private_dir }}/{{ certificate_paths.chain_file }}"
command = "chmod 600 {{ certificate_paths.private_dir }}/{{ certificate_paths.chain_file }}"
perms = 0600
}

18
ansible/roles/consul_template-legacy/templates/consul-template.service.j2 Normal file
View File

@ -0,0 +1,18 @@
[Unit]
Description=consul-template TLS Certificate
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
User={{ consul_template.user }}
Group={{ consul_template.group }}
ExecStart={{ consul_template.install_dir }}/consul-template \
-config={{ consul_template.config_dir }}/config.hcl
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target

3
ansible/roles/consul_template-legacy/tests/inventory Normal file
View File

@ -0,0 +1,3 @@
#SPDX-License-Identifier: MIT-0
localhost

6
ansible/roles/consul_template-legacy/tests/test.yml Normal file
View File

@ -0,0 +1,6 @@
#SPDX-License-Identifier: MIT-0
---
- hosts: localhost
remote_user: root
roles:
- consul_template

3
ansible/roles/consul_template-legacy/vars/main.yml Normal file
View File

@ -0,0 +1,3 @@
#SPDX-License-Identifier: MIT-0
---
# vars file for consul_template

5
ansible/roles/consul_template-org/files/certificate.ctmpl Normal file
View File

@ -0,0 +1,5 @@
{{ with secret "secret/data/{{ environment }}/{{ short_hostname }}/certificate" }}
{{ .Data.data.certificate }}
{{ .Data.data.chain_pem }}
{{ end }}

3
ansible/roles/consul_template-org/files/chain_pem.ctmpl Normal file
View File

@ -0,0 +1,3 @@
{{ with secret "secret/data/{{ environment }}/{{ short_hostname }}/certificate" }}
{{ .Data.data.chain_pem }}
{{ end }}

3
ansible/roles/consul_template-org/files/private_key.ctmpl Normal file
View File

@ -0,0 +1,3 @@
{{ with secret "secret/data/{{ environment }}/{{ short_hostname }}/certificate" }}
{{ .Data.data.private_key }}
{{ end }}

33
ansible/roles/consul_template-org/tasks/main.yml Normal file
View File

@ -0,0 +1,33 @@
- name: Install consul-template
unarchive:
src: "https://releases.hashicorp.com/consul-template/0.37.4/consul-template_0.37.4_linux_amd64.zip"
dest: /usr/local/bin
remote_src: yes
- name: Create consul-template directories
file:
path: "{{ item }}"
state: directory
mode: '0755'
loop:
- /etc/consul-template
- /etc/ssl/certs
- /etc/ssl/private
- name: Deploy consul-template config
template:
src: consul-template-config.hcl.j2
dest: /etc/consul-template/config.hcl
mode: '0600'
- name: Deploy consul-template systemd unit
template:
src: consul-template.service.j2
dest: /etc/systemd/system/consul-template.service
- name: Enable and start consul-template
systemd:
name: consul-template
enabled: true
state: restarted
daemon_reload: yes

30
ansible/roles/consul_template-org/templates/consul-template-config.hcl.j2 Normal file
View File

@ -0,0 +1,30 @@
vault {
address = "{{ vault_address }}"
auth {
method "approle" {
config = {
role_id = "{{ vault_approle_role_id }}"
secret_id = "{{ vault_approle_secret_id }}"
}
}
}
renew_token = true
}
template {
source = "/etc/consul-template/certificate.ctmpl"
destination = "/etc/ssl/certs/{{ short_hostname }}.pem"
command = "systemctl reload nginx"
}
template {
source = "/etc/consul-template/private_key.ctmpl"
destination = "/etc/ssl/private/{{ short_hostname }}.key"
command = "chmod 600 /etc/ssl/private/{{ short_hostname }}.key"
}
template {
source = "/etc/consul-template/chain_pem.ctmpl"
destination = "/etc/ssl/private/le-chaincert.pem"
command = "chmod 600 /etc/ssl/private/le-chaincert.pem"
}

11
ansible/roles/consul_template-org/templates/consul-template.service.j2 Normal file
View File

@ -0,0 +1,11 @@
[Unit]
Description=consul-template TLS Certificate
After=network-online.target
[Service]
ExecStart=/usr/local/bin/consul-template \
-config=/etc/consul-template/config.hcl
Restart=always
[Install]
WantedBy=multi-user.target