- Migrated Ansible integration from consul_template to vault_agent
- Copied vault_agent role from terraform-vsphere-infra module
- Created vault_agent-playbook.yml for deployment
- Archived consul_template role as consul_template-legacy
- Updated Terraform configuration:
  - Changed Ansible inventory group from consul_template to vault_agent
  - Added vault_secret_path variable for vault-agent
  - Added ssl_certs_dir and ssl_private_dir variables
  - Formatted all Terraform files
- Implemented CI/CD pipeline:
  - Created .gitea/workflows/pipeline.yaml
  - Added TFLint, Tfsec, and Checkov security scans
  - Added Terraform validate step
  - Added SonarQube integration
  - Created sonar-project.properties
- Documentation updates:
  - Updated README.md with vault-agent information
  - Added migration section comparing consul-template vs vault-agent
  - Updated CLAUDE.md with vault-agent architecture
  - Added vault-agent configuration examples

Why vault-agent over consul-template:
- Full AppRole support with role_id/secret_id files
- Advanced token auto-renewal with auto_auth
- Better credential security (separate files vs config)
- Actively developed by HashiCorp

Note: The ansible/ directory changes (vault_agent role and playbook) are
not committed as the directory is in .gitignore. These files exist locally
and will be deployed during Ansible runs.