Patrick de Ruiter 22d78bf85c
Add ansible directory with vault_agent role and playbooks
- Remove ansible/ from .gitignore
- Add vault_agent role (copied from terraform-vsphere-infra)
- Add vault_agent-playbook.yml for deployment
- Include ansible collections (cloud.terraform, ansible.posix, etc.)
- Archive consul_template role as consul_template-legacy

The ansible directory contains the vault-agent deployment automation
that replaces the legacy consul-template approach.
2025-11-10 12:33:38 +01:00


# Task file for the vault_agent role: generates a per-host TLS key, signs it with
# the private CA held on the Ansible controller, and installs the result in
# /etc/vault.d/ssl. The run_once comments are kept from the original file.
- name: Install Python3 OpenSSL
  ansible.builtin.apt:
    name: python3-openssl
    state: present

- name: Ensure group Certs exists
  ansible.builtin.group:
    state: present
    system: true
    name: "certs"

- name: Set permissions to group
  ansible.builtin.file:
    path: /etc/vault.d/ssl
    owner: vault
    group: vault
    mode: '0750'
    state: directory

- name: Create Private key (RSA, 4096 bits)
  community.crypto.openssl_privatekey:
    path: /etc/vault.d/ssl/{{ inventory_hostname }}.key
  # run_once: true

- name: Set ownership of certificate key file
  ansible.builtin.file:
    # Must reference the key generated above; the previous path
    # (/etc/ssl/private/private.key) is never created by this role, so the task
    # failed and the real key stayed root-owned and unreadable by vault.
    path: /etc/vault.d/ssl/{{ inventory_hostname }}.key
    owner: "vault"
    group: "vault"
    mode: "0640"

- name: Create certificate signing request (CSR) for self-signed certificate
  community.crypto.openssl_csr_pipe:
    privatekey_path: /etc/vault.d/ssl/{{ inventory_hostname }}.key
    common_name: "{{ inventory_hostname }}.{{ vault_domain_name }}"
    organization_name: "We Build Your Cloud B.V."
    subject_alt_name:
      - "DNS:localhost"
      - "DNS:{{ inventory_hostname }}"
      - "DNS:{{ inventory_hostname }}.{{ vault_domain_name }}"
      - "IP:{{ ansible_default_ipv4.address }}"
      - "IP:127.0.0.1"
    extended_key_usage:
      - serverAuth
  # run_once: true
  register: csr

- name: Sign certificate with our CA
  # Runs on the controller (delegate_to: localhost) so the CA private key never
  # leaves it; only the signed certificate is shipped to the target.
  community.crypto.x509_certificate_pipe:
    csr_content: "{{ csr.csr }}"
    provider: ownca
    ownca_path: /Users/pderuiter/ca/ca-certificate.crt
    ownca_privatekey_path: /Users/pderuiter/ca/ca-certificate.key
    ownca_privatekey_passphrase: "{{ secret_ca_passphrase }}"
    ownca_not_after: +720d
    ownca_not_before: "-1d"
  delegate_to: localhost
  # run_once: true
  register: certificate
  become: false

- name: Write certificate to file on target server
  ansible.builtin.copy:
    dest: /etc/vault.d/ssl/{{ inventory_hostname }}.crt
    content: "{{ certificate.certificate }}"
    owner: "vault"
    group: "vault"
    mode: "0640"
  # run_once: true

- name: Copy CA certificate to target system
  ansible.builtin.copy:
    src: /Users/pderuiter/ca/ca-certificate.crt
    dest: /etc/vault.d/ssl/ca-wbyc-certificate.pem
    owner: "vault"
    group: "vault"
    mode: "0640"
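A post-deployment check for the certificate the tasks above produce, written as an added example that is not part of this repository: it confirms the host certificate chains to the CA, carries the expected DNS SAN and the serverAuth EKU, matches the private key, and that the key file has the 0640 mode the role sets. `make_demo` builds a throwaway CA and host certificate with openssl as constructed test data standing in for the controller's /Users/pderuiter/ca and the target's /etc/vault.d/ssl; the file names and the host name vault-01 are assumptions.

```sh
#!/bin/sh
# Added example (not the project's code): verify a vault-agent server
# certificate issued by a private CA. Requires the openssl CLI; stat -c is GNU.
set -eu

# verify_cert CERT CA KEY HOST -> 0 when every check passes, 1 otherwise.
verify_cert() {
  cert=$1; ca=$2; key=$3; host=$4
  # 1. certificate chains to the CA that is deployed next to it
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "chain: FAIL"; return 1; }
  # 2. SAN contains the host name vault-agent clients will connect to
  openssl x509 -in "$cert" -noout -text | grep -q "DNS:$host" \
    || { echo "san: FAIL"; return 1; }
  # 3. extendedKeyUsage includes serverAuth, as requested in the CSR task
  openssl x509 -in "$cert" -noout -text | grep -q "TLS Web Server Authentication" \
    || { echo "eku: FAIL"; return 1; }
  # 4. the deployed key really is the one the certificate was issued for
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "keymatch: FAIL"; return 1; }
  # 5. key file mode is 0640 (the mode the ownership task sets)
  [ "$(stat -c %a "$key")" = "640" ] || { echo "mode: FAIL"; return 1; }
  return 0
}

# make_demo DIR HOST: constructed test data, a throwaway CA plus a host cert
# signed the same way the role does it (own CA, SANs, serverAuth, 720 days).
make_demo() {
  dir=$1; host=$2
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
    -out "$dir/ca.crt" -subj "/CN=Demo CA" -days 365 >/dev/null 2>&1
  openssl genrsa -out "$dir/$host.key" 2048 >/dev/null 2>&1
  chmod 640 "$dir/$host.key"
  openssl req -new -key "$dir/$host.key" -subj "/CN=$host" \
    -out "$dir/$host.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:localhost,DNS:%s,IP:127.0.0.1\nextendedKeyUsage=serverAuth\n' \
    "$host" > "$dir/ext.cnf"
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 720 -extfile "$dir/ext.cnf" -out "$dir/$host.crt" >/dev/null 2>&1
}

# Usage on a real target (paths from the role):
#   verify_cert /etc/vault.d/ssl/$(hostname).crt /etc/vault.d/ssl/ca-wbyc-certificate.pem \
#               /etc/vault.d/ssl/$(hostname).key $(hostname)
```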